From 31b7c0551dfe2b8034fa8068191c87f66f29a6fc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 22 2005 19:28:03 +0000 Subject: add fc mls policy --- diff --git a/mls/COPYING b/mls/COPYING new file mode 100644 index 0000000..5b6e7c6 --- /dev/null +++ b/mls/COPYING @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/mls/ChangeLog b/mls/ChangeLog new file mode 100644 index 0000000..a2f029b --- /dev/null +++ b/mls/ChangeLog @@ -0,0 +1,434 @@ +1.27.3 2005-11-17 + * Removed the seuser policy as suggested by Kevin Carr. + * Removed unnecessary allow rule concerning tmpfs_t in the squid + policy as suggested by Russell Coker. + * Merged a patch from Jonathan Kim which modified the restorecon policy + to use the secadmin attribute. + * Merged a patch from Dan Walsh. Added avahi, exim, and yppasswdd + policies. Added the unconfinedtrans attribute for domains that + can transistion to unconfined_t. Added httpd_enable_ftp_server, + allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp + booleans. Created a $1_disable_trans boolean used in the + init_service_domain macro to specify whether init should + transition to a new domain when executing. Included Chad Hanson's + patch which adds the mls* attributes to more domains and makes + other changes to support MLS. Included Russell Coker's patch + which makes many changes to the sendmail policy. Added rules to + allow initscripts to execute scripts that they generate. Added + dbus support to the named policy. Made other fixes and cleanups + to various policies including amanda, apache, bluetooth, pegasus, + postfix, pppd, and slapd. Removed sendmail policy from targeted. +1.27.2 2005-10-20 + * Merged patch from Chad Hanson. Modified MLS constraints. + Provided comments for the MLS attributes. + * Merged two patches from Thomas Bleher which made some minor + fixes and cleanups. + * Merged patches from Russell Coker. Added comments to some of the + MLS attributes. Added the secure_mode_insmod boolean to determine + whether the system permits loading policy, setting enforcing mode, + and changing boolean values. Made minor fixes for the cdrecord_domain + macro, application_domain, newrole_domain, and daemon_base_domain + macros. Added rules to allow the mail server to access the user + home directories in the targeted policy and allows the postfix + showq program to do DNS lookups. Minor fixes for the MCS + policy. Made other minor fixes and cleanups. + * Merged patch from Dan Walsh. Added opencd, pegasus, readahead, + and roundup policies. Created can_access_pty macro to handle pty + output. Created nsswithch_domain macro for domains using + nsswitch. Added mcs transition rules. Removed mqueue and added + capifs genfscon entries. Added dhcpd and pegasus ports. Added + domain transitions from login domains to pam_console and alsa + domains. Added rules to allow the httpd and squid domains to + relay more protocols. For the targeted policy, removed sysadm_r + role from unconfined_t. Made other fixes and cleanups. +1.27.1 2005-09-15 + * Merged small patches from Russell Coker for the apostrophe, + dhcpc, fsadm, and setfiles policy. + * Merged a patch from Russell Coker with some minor fixes to a + multitude of policy files. + * Merged patch from Dan Walsh from August 15th. Adds certwatch + policy. Adds mcs support to Makefile. Adds mcs file which + defines sensitivities and categories for the MSC policy. Creates + an authentication_domain macro in global_macros.te for domains + that use pam_authentication. Creates the anonymous_domain macro + so that the ftpd, rsync, httpd, and smbd domains can share the + ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to + start isolating individual ethernet devices. Changes vpnc from a + daemon to an application_domain. Adds audit_control capability to + crond_t. Adds dac_override and dac_read_search capabilities to + fsadm_t to allow the manipulation of removable media. Adds + read_sysctl macro to the base_passwd_domain macro. Adds rules to + allow alsa_t to communicate with userspace. Allows networkmanager + to communicate with isakmp_port and to use vpnc. For targeted + policy, removes transitions of sysadm_t to apm_t, backup_t, + bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t. + Makes other minor cleanups and fixes. + +1.26 2005-09-06 + * Updated version for release. + +1.25.4 2005-08-10 + * Merged small patches from Russell Coker for the restorecon, + kudzu, lvm, radvd, and spamassasin policies. + * Added fs_use_trans rule for mqueue from Mark Gebhart to support + the work he has done on providing SELinux support for mqueue. + * Merged a patch from Dan Walsh. Removes the user_can_mount + tunable. Adds disable_evolution_trans and disable_thunderbird_trans + booleans. Adds the nscd_client_domain attribute to insmod_t. + Removes the user_ping boolean from targeted policy. Adds + hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts. + Adds the isakmp_port for vpnc. Creates the pptp daemon domain. + Allows getty to run sbin_t for pppd. Allows initrc to write to + default_t for booting. Allows Hotplug_t sys_rawio for prism54 + card at boot. Other minor fixes. + +1.25.3 2005-07-18 + * Merged patch from Dan Walsh. Adds auth_bool attribute to allow + domains to have read access to shadow_t. Creates pppd_can_insmod + boolean to control the loading of modem kernel modules. Allows + nfs to export noexattrfile types. Allows unix_chpwd to access + cert files and random devices for encryption purposes. Other + minor cleanups and fixes. + +1.25.2 2005-07-11 + * Merged patch from Dan Walsh. Added allow_ptrace boolean to + allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the + audit_control and audit_write capabilities. Stops targeted policy + from transitioning from unconfined_t to netutils. Allows cupsd to + audit messages. Gives prelink the execheap, execmem, and execstack + permissions by default. Adds can_winbind boolean and functions to + better handle samba and winbind communications. Eliminates + allow_execmod checks around texrel_shlib_t libraries. Other minor + cleanups and fixes. + +1.25.1 2005-07-05 + * Moved role_tty_type_change, reach_sysadm, and priv_user macros + from user.te to user_macros.te as suggested by Steve. + * Modified admin_domain macro so autrace would work and removed + privuser attribute for dhcpc as suggested by Russell Coker. + * Merged rather large patch from Dan Walsh. Moves + targeted/strict/mls policies closer together. Adds local.te for + users to customize. Includes minor fixes to auditd, cups, + cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch + that defines all ports in network.te. Ports are always defined + now, no ifdefs are used in network.te. Also includes Ivan + Gyurdiev's user home directory policy patches. These patches add + alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs, + iceauth, orbit, and thunderbird policy. They create read_content, + write_trusted, and write_untrusted macros in content.te. They + create network_home, write_network_home, read_network_home, + base_domain_ro_access, home_domain_access, home_domain, and + home_domain_ro macros in home_macros.te. They also create + $3_read_content, $3_write_content, and write_untrusted booleans. + +1.24 2005-06-20 + * Updated version for release. + +1.23.18 2005-05-31 + * Merged minor fixes to pppd.fc and courier.te by Russell Coker. + * Removed devfsd policy as suggested by Russell Coker. + * Merged patch from Dan Walsh. Includes beginnings of Ivan + Gyurdiev's Font Config policy. Don't transition to fsadm_t from + unconfined_t (sysadm_t) in targeted policy. Add support for + debugfs in modutil. Allow automount to create and delete + directories in /root and /home dirs. Move can_ypbind to + chkpwd_macro.te. Allow useradd to create additional files and + types via the skell mechanism. Other minor cleanups and fixes. + +1.23.17 2005-05-23 + * Merged minor fixes by Petre Rodan to the daemontools, dante, + gpg, kerberos, and ucspi-tcp policies. + * Merged minor fixes by Russell Coker to the bluetooth, crond, + initrc, postfix, and udev policies. Modifies constraints so that + newaliases can be run. Modifies types.fc so that objects in + lost+found directories will not be relabled. + * Modified fc rules for nvidia. + * Added Chad Sellers policy for polyinstantiation support, which + creates the polydir, polyparent, and polymember attributes. Also + added the support_polyinstantiation tunable. + * Merged patch from Dan Walsh. Includes mount_point attribute, + read_font macros and some other policy fixes from Ivan Gyurdiev. + Adds privkmsg and secadmfile attributes and ddcprobe policy. + Removes the use_syslogng boolean. Many other minor fixes. + +1.23.16 2005-05-13 + * Added rdisc policy from Russell Coker. + * Merged minor fix to named policy by Petre Rodan. + * Merged minor fixes to policy from Russell Coker for kudzu, + named, screen, setfiles, telnet, and xdm. + * Merged minor fix to Makefile from Russell Coker. + +1.23.15 2005-05-06 + * Added tripwire and yam policy from David Hampton. + * Merged minor fixes to amavid and a clarification to the + httpdcontent attribute comments from David Hampton. + * Merged patch from Dan Walsh. Includes fixes for restorecon, + games, and postfix from Russell Coker. Adds support for debugfs. + Restores support for reiserfs. Allows udev to work with tmpfs_t + before /dev is labled. Removes transition from sysadm_t + (unconfined_t) to ifconfig_t for the targeted policy. Other minor + cleanups and fixes. + +1.23.14 2005-04-29 + * Added afs policy from Andrew Reisse. + * Merged patch from Lorenzo Hernández García-Hierro which defines + execstack and execheap permissions. The patch excludes these + permissions from general_domain_access and updates the macros for + X, legacy binaries, users, and unconfined domains. + * Added nlmsg_relay permisison where netlink_audit_socket class is + used. Added nlmsg_readpriv permission to auditd_t and auditctl_t. + * Merged some minor cleanups from Russell Coker and David Hampton. + * Merged patch from Dan Walsh. Many changes made to allow + targeted policy to run closer to strict and now almost all of + non-userspace is protected via SELinux. Kernel is now in + unconfined_domain for targeted and runs as root:system_r:kernel_t. + Added transitionbool to daemon_sub_domain, mainly to turn off + httpd_suexec transitioning. Implemented web_client_domain + name_connect rules. Added yp support for cups. Now the real + hotplug, udev, initial_sid_contexts are used for the targeted + policy. Other minor cleanups and fixes. Auditd fixes by Paul + Moore. + +1.23.13 2005-04-22 + * Merged more changes from Dan Walsh to initrc_t for removal of + unconfined_domain. + * Merged Dan Walsh's split of auditd policy into auditd_t for the + audit daemon and auditctl_t for the autoctl program. + * Added use of name_connect to uncond_can_ypbind macro by Dan + Walsh. + * Merged other cleanup and fixes by Dan Walsh. + +1.23.12 2005-04-20 + * Merged Dan Walsh's Netlink changes to handle new auditing pam + modules. + * Merged Dan Walsh's patch removing the sysadmfile attribute from + policy files to separate sysadm_t from secadm_t. + * Added CVS and uucpd policy from Dan Walsh. + * Cleanup by Dan Walsh to handle turning off unlimitedRC. + * Merged Russell Coker's fixes to ntpd, postgrey, and named + policy. + * Cleanup of chkpwd_domain and added permissions to su_domain + macro due to pam changes to support audit. + * Added nlmsg_relay and nlmsg_readpriv permissions to the + netlink_audit_socket class. + +1.23.11 2005-04-14 + * Merged Dan Walsh's separation of the security manager and system + administrator. + * Removed screensaver.te as suggested by Thomas Bleher + * Cleanup of typealiases that are no longer used by Thomas Bleher. + * Cleanup of fc files and additional rules for SuSE by Thomas + Bleher. + * Merged changes to auditd and named policy by Russell Coker. + * Merged MLS change from Darrel Goeddel to support the policy + hierarchy patch. + +1.23.10 2005-04-08 + * Removed pump.te, pump.fc, and targeted/domains/program/modutil.te + +1.23.9 2005-04-07 + * Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup + of x_client apps. + * Added dmidecode policy from Ivan Gyurdiev. + +1.23.8 2005-04-05 + * Added netlink_kobject_uevent_socket class. + * Removed empty files pump.te and pump.fc. + * Added NetworkManager policy from Dan Walsh. + * Merged Dan Walsh's major restructuring of Apache's policy. + +1.23.7 2005-04-04 + * Merged David Hampton's amavis and clamav cleanups. + * Added David Hampton's dcc, pyzor, and razor policy. + +1.23.6 2005-04-01 + * Merged cleanup of the Makefile and other stuff from Dan Walsh. + Dan's patch includes some desktop changes from Ivan Gyurdiev. + * Merged Thomas Bleher's patches which increase the usage of + lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to + DOMAIN_var_lib_t, and removes use of notdevfile_class_set where + possible. + * Merged Greg Norris's cleanup of fetchmail. + +1.23.5 2005-03-23 + * Added name_connect support from Dan Walsh. + * Added httpd_unconfined_t from Dan Walsh. + * Merged cleanup of assert.te to allow unresticted full access + from Dan Walsh. + +1.23.4 2005-03-21 + * Merged diffs from Dan Walsh: + * Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan + Gyurdiev. + * Added syslogng support to syslog.te. + +1.23.3 2005-03-15 + * Added policy for nx_server from Thomas Bleher. + * Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and + publicfile from Petre Rodan. + +1.23.2 2005-03-14 + * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's + gift policy. + * Made sysadm_r the first role for root, so root's home will be labled + as sysadm_home_dir_t instead of staff_home_dir_t. + * Modified fs_use and Makefile to reflect jfs now supporting security + xattrs. + +1.23.1 2005-03-10 + * Merged diffs from Dan Walsh. Dan's patch includes Ivan + Gyurdiev's cleanup of homedir macros and more extensive use of + read_sysctl() + +1.22 2005-03-09 + * Updated version for release. + +1.21 2005-02-24 + * Added secure_file_type attribute from Dan Walsh + * Added access_terminal() macro from Ivan Gyurdiev + * Updated capability access vector for audit capabilities. + * Added mlsconvert Makefile target to help generate MLS policies + (see selinux-doc/README.MLS for instructions). + * Changed policy Makefile to still generate policy.18 as well, + and use it for make load if the kernel doesn't support 19. + * Merged enhanced MLS support from Darrel Goeddel (TCS). + * Merged diffs from Dan Walsh, Russell Coker, and Greg Norris. + * Merged man pages from Dan Walsh. + +1.20 2005-01-04 + * Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and + Petre Rodan. + * Merged can_create() macro used for file_type_{,auto_}trans() + from Thomas Bleher. + * Merged dante and stunnel policy by Petre Rodan. + * Merged $1_file_type attribute from Thomas Bleher. + * Merged network_macros from Dan Walsh. + +1.18 2004-10-25 + * Merged diffs from Russell Coker and Dan Walsh. + * Merged mkflask and mkaccess_vector patches from Ulrich Drepper. + * Added reserved_port_t type and portcon entries to map all other + reserved ports to this type. + * Added distro_ prefix to distro tunables to avoid conflicts. + * Merged diffs from Russell Coker. + +1.16 2004-08-16 + * Added nscd definitions. + * Converted many tunables to policy booleans. + * Added crontab permission. + * Merged diffs from Dan Walsh. + This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well. + * Merged diffs from Russell Coker. + * Adjusted constraints for crond restart. + * Merged dbus/userspace object manager policy from Colin Walters. + * Merged dbus definitions from Matthew Rickard. + * Merged dnsmasq policy from Greg Norris. + * Merged gpg-agent policy from Thomas Bleher. + +1.14 2004-06-28 + * Removed vmware-config.pl from vmware.fc. + * Added crond entry to root_default_contexts. + * Merged patch from Dan Walsh. + * Merged mdadm and postfix changes from Colin Walters. + * Merged reiserfs and rpm changes from Russell Coker. + * Merged runaway .* glob fix from Valdis Kletnieks. + * Merged diff from Dan Walsh. + * Merged fine-grained netlink classes and permissions. + * Merged changes for new /etc/selinux layout. + * Changed mkaccess_vector.sh to provide stable order. + * Merged diff from Dan Walsh. + * Fix restorecon path in restorecon.fc. + * Merged pax class and access vector definition from Joshua Brindle. + +1.12 2004-05-12 + * Added targeted policy. + * Merged atd/at into crond/crontab domains. + * Exclude bind mounts from relabeling to avoid aliasing. + * Removed some obsolete types and remapped their initial SIDs to unlabeled. + * Added SE-X related security classes and policy framework. + * Added devnull initial SID and context. + * Merged diffs from Fedora policy. + +1.10 2004-04-07 + * Merged ipv6 support from James Morris of RedHat. + * Merged policy diffs from Dan Walsh. + * Updated call to genhomedircon to reflect new usage. + * Merged policy diffs from Dan Walsh and Russell Coker. + * Removed config-users and config-services per Dan's request. + +1.8 2004-03-09 + * Merged genhomedircon patch from Karl MacMillan of Tresys. + * Added restorecon domain. + * Added unconfined_domain macro. + * Added default_t for /.* file_contexts entry and replaced some + uses of file_t with default_t in the policy. + * Added su_restricted_domain() macro and use it for initrc_t. + * Merged policy diffs from Dan Walsh and Russell Coker. + These included a merge of an earlier patch by Chris PeBenito + to rename the etc types to be consistent with other types. + +1.6 2004-02-18 + * Merged xfs support from Chris PeBenito. + * Merged conditional rules for ping.te. + * Defined setbool permission, added can_setbool macro. + * Partial network policy cleanup. + * Merged with Russell Coker's policy. + * Renamed netscape macro and domain to mozilla and renamed + ipchains domain to iptables for consistency with Russell. + * Merged rhgb macro and domain from Russell Coker. + * Merged tunable.te from Russell Coker. + Only define direct_sysadm_daemon by default in our copy. + * Added rootok permission to passwd class. + * Merged Makefile change from Dan Walsh to generate /home + file_contexts entries for staff users. + * Added automatic role and domain transitions for init scripts and + daemons. Added an optional third argument (nosysadm) to + daemon_domain to omit the direct transition from sysadm_r when + the same executable is also used as an application, in which + case the daemon must be restarted via the init script to obtain + the proper security context. Added system_r to the authorized roles + for admin users at least until support for automatic user identity + transitions exist so that a transition to system_u can be provided + transparently. + * Added support to su domain for using pam_selinux. + Added entries to default_contexts for the su domains to + provide reasonable defaults. Removed user_su_t. + * Tighten restriction on user identity and role transitions in constraints. + * Merged macro for newrole-like domains from Russell Coker. + * Merged stub dbusd domain from Russell Coker. + * Merged stub prelink domain from Dan Walsh. + * Merged updated userhelper and config tool domains from Dan Walsh. + * Added send_msg/recv_msg permissions to can_network macro. + * Merged patch by Chris PeBenito for sshd subsystems. + * Merged patch by Chris PeBenito for passing class to var_run_domain. + * Merged patch by Yuichi Nakamura for append_log_domain macros. + * Merged patch by Chris PeBenito for rpc_pipefs labeling. + * Merged patch by Colin Walters to apply m4 once so that + source file info is preserved for checkpolicy. + +1.4 2003-12-01 + * Merged patches from Russell Coker. + * Revised networking permissions. + * Added new node_bind permission. + * Added new siginh, rlimitinh, and setrlimit permissions. + * Added proc_t:file read permission for new is_selinux_enabled logic. + * Added failsafe_context configuration file to appconfig. + * Moved newrules.pl to policycoreutils, renamed to audit2allow. + * Merged newrules.pl patch from Yuichi Nakamura. + +1.2 2003-09-30 + * More policy merging with Russell Coker. + * Transferred newrules.pl script from the old SELinux. + * Merged MLS configuration patch from Karl MacMillan of Tresys. + * Limit staff_t to reading /proc entries for unpriv_userdomain. + * Updated Makefile and spec file to allow non-root builds, + based on patch by Paul Nasrat. + +1.1 2003-08-13 + * Merged Makefile check-all and te-includes patches from Colin Walters. + * Merged x-debian-packages.patch from Colin Walters. + * Folded read permission into domain_trans. + +1.0 2003-07-11 + * Initial public release. + diff --git a/mls/Makefile b/mls/Makefile new file mode 100644 index 0000000..933e3d5 --- /dev/null +++ b/mls/Makefile @@ -0,0 +1,356 @@ +# +# Makefile for the security policy. +# +# Targets: +# +# install - compile and install the policy configuration, and context files. +# load - compile, install, and load the policy configuration. +# reload - compile, install, and load/reload the policy configuration. +# relabel - relabel filesystems based on the file contexts configuration. +# policy - compile the policy configuration locally for testing/development. +# +# The default target is 'install'. +# + +# Set to y if MLS is enabled in the policy. +MLS=y + +# Set to y if MCS is enabled in the policy +MCS=n + +FLASKDIR = flask/ +PREFIX = /usr +BINDIR = $(PREFIX)/bin +SBINDIR = $(PREFIX)/sbin +LOADPOLICY = $(SBINDIR)/load_policy +CHECKPOLICY = $(BINDIR)/checkpolicy +GENHOMEDIRCON = $(SBINDIR)/genhomedircon +SETFILES = $(SBINDIR)/setfiles +VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') +PREVERS := 20 +KERNVERS := $(shell cat /selinux/policyvers) +MLSENABLED := $(shell cat /selinux/mls) +POLICYVER := policy.$(VERS) +TOPDIR = $(DESTDIR)/etc/selinux +TYPE=mls + +INSTALLDIR = $(TOPDIR)/$(TYPE) +POLICYPATH = $(INSTALLDIR)/policy +SRCPATH = $(INSTALLDIR)/src +USERPATH = $(INSTALLDIR)/users +CONTEXTPATH = $(INSTALLDIR)/contexts +LOADPATH = $(POLICYPATH)/$(POLICYVER) +FCPATH = $(CONTEXTPATH)/files/file_contexts +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template + +ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te) +ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te) +ALL_TYPES := $(wildcard types/*.te) +ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) +ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te +TE_RBAC_FILES := $(ALLTEFILES) rbac +ALL_TUNABLES := $(wildcard tunables/*.tun ) +USER_FILES := users +POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) +ifeq ($(MLS),y) +POLICYFILES += mls +CHECKPOLMLS += -M +endif +ifeq ($(MCS), y) +POLICYFILES += mcs +CHECKPOLMLS += -M +endif +DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts +POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) +POLICYFILES += $(USER_FILES) +POLICYFILES += constraints +POLICYFILES += $(DEFCONTEXTFILES) +CONTEXTFILES = $(DEFCONTEXTFILES) +POLICY_DIRS = domains domains/program domains/misc macros macros/program + +UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) + +FC = file_contexts/file_contexts +HOMEDIR_TEMPLATE = file_contexts/homedir_template +FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) +CONTEXTFILES += $(FCFILES) + +APPDIR=$(CONTEXTPATH) +APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media +CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media + +ROOTFILES = $(addprefix $(APPDIR)/users/,root) + +all: policy + +tmp/valid_fc: $(LOADPATH) $(FC) + @echo "Validating file contexts files ..." + $(SETFILES) -q -c $(LOADPATH) $(FC) + @touch tmp/valid_fc + +install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users + +$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf + @mkdir -p $(USERPATH) + @echo "# " > tmp/system.users + @echo "# Do not edit this file. " >> tmp/system.users + @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users + @echo "# Please edit local.users to make local changes." >> tmp/system.users + @echo "#" >> tmp/system.users + @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users + install -m 644 tmp/system.users $@ + +$(USERPATH)/local.users: local.users + @mkdir -p $(USERPATH) + install -b -m 644 $< $@ + +$(CONTEXTPATH)/files/media: appconfig/media + @mkdir -p $(CONTEXTPATH)/files/ + install -m 644 $< $@ + +$(APPDIR)/default_contexts: appconfig/default_contexts + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/removable_context: appconfig/removable_context + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/customizable_types: policy.conf + @mkdir -p $(APPDIR) + @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types + install -m 644 tmp/customizable_types $@ + +$(APPDIR)/port_types: policy.conf + @mkdir -p $(APPDIR) + @grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types + install -m 644 tmp/port_types $@ + +$(APPDIR)/default_type: appconfig/default_type + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/userhelper_context: appconfig/userhelper_context + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/initrc_context: appconfig/initrc_context + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/failsafe_context: appconfig/failsafe_context + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/dbus_contexts: appconfig/dbus_contexts + @mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/users/root: appconfig/root_default_contexts + @mkdir -p $(APPDIR)/users + install -m 644 $< $@ + +$(LOADPATH): policy.conf $(CHECKPOLICY) + @echo "Compiling policy ..." + @mkdir -p $(POLICYPATH) + $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf +ifneq ($(VERS),$(PREVERS)) + $(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf +endif + +# Note: Can't use install, so not sure how to deal with mode, user, and group +# other than by default. + +policy: $(POLICYVER) + +$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) + $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf + @echo "Validating file contexts files ..." + $(SETFILES) -q -c $(POLICYVER) $(FC) + +reload tmp/load: $(LOADPATH) + @echo "Loading Policy ..." + $(LOADPOLICY) + touch tmp/load + +load: tmp/load $(FCPATH) + +enableaudit: policy.conf + grep -v dontaudit policy.conf > policy.audit + mv policy.audit policy.conf + +policy.conf: $(POLICYFILES) $(POLICY_DIRS) + @echo "Building policy.conf ..." + @mkdir -p tmp + m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp + @mv $@.tmp $@ + +install-src: + rm -rf $(SRCPATH)/policy.old + -mv $(SRCPATH)/policy $(SRCPATH)/policy.old + @mkdir -p $(SRCPATH)/policy + cp -R . $(SRCPATH)/policy + +tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program + @mkdir -p tmp + ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp + ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp + mv $@.tmp $@ + +FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';` + +checklabels: $(SETFILES) + $(SETFILES) -v -n $(FC) $(FILESYSTEMS) + +restorelabels: $(SETFILES) + $(SETFILES) -v $(FC) $(FILESYSTEMS) + +relabel: $(FC) $(SETFILES) + $(SETFILES) $(FC) $(FILESYSTEMS) + +file_contexts/misc: + @mkdir -p file_contexts/misc + +$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types + @echo "Installing file contexts files..." + @mkdir -p $(CONTEXTPATH)/files + install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) + install -m 644 $(FC) $(FCPATH) + @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) + +$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd + @echo "Building file contexts files..." + @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp + @grep -v -e HOME -e ROLE -e USER $@.tmp > $@ + @grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE) + @-rm $@.tmp + +# Create a tags-file for the policy: +# we need exuberant ctags; unfortunately it is named differently on different distros, sigh... +pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs +CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme +ifeq ($(strip $(CTAGS)),) +CTAGS := $(call pathsearch,ctags) # suse naming scheme +endif + +tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te) + @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) + @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \ + --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \ + --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ + --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \ + --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ + --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ + +clean: + rm -f policy.conf $(POLICYVER) + rm -f tags + rm -f tmp/* + rm -f $(FC) + rm -f flask/*.h +# for the policy regression tester + find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \ + +# Policy regression tester. +# Written by Colin Walters +cur_te = $(filter-out %/,$(subst /,/ ,$@)) + +TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES)) + +define compute_depends + export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //') +endef + + +ifeq ($(TE_DEPENDS_DEFINED),) +ifeq ($(MAKECMDGOALS),check-all) + GENRULES := $(TESTED_TE_FILES) + export TE_DEPENDS_DEFINED := yes +else + # Handle the case where checkunused/blah.te is run directly. + ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),) + GENRULES := $(TESTED_TE_FILES) + export TE_DEPENDS_DEFINED := yes + endif +endif +endif + +# Test for a new enough version of GNU Make. +$(eval have_eval := yes) +ifneq ($(GENRULES),) + ifeq ($(have_eval),) +$(error Need GNU Make 3.80 or better!) +Need GNU Make 3.80 or better + endif +endif +$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f)))) + +PHONIES := + +define compute_presymlinks +PHONIES += presymlink/$(1) +presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1))) + @if ! test -L domains/program/$(1); then \ + cd domains/program && ln -s unused/$(1) .; \ + fi +endef + +# Compute dependencies. +$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f)))) + +PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) +$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : + @$(MAKE) -s clean + +$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/% + @if test -n "$(TE_DEPENDS_$(cur_te))"; then \ + echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \ + fi + @echo "Testing $(cur_te)..."; + @if ! make -s policy 1>/dev/null; then \ + echo "Testing $(cur_te)...FAILED"; \ + exit 1; \ + fi; + @echo "Testing $(cur_te)...success."; \ + +check-all: + @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \ + $(MAKE) --no-print-directory $$goal; \ + done + +.PHONY: clean $(PHONIES) + +mlsconvert: + @for file in $(CONTEXTFILES); do \ + echo "Converting $$file"; \ + sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @for file in $(USER_FILES); do \ + echo "Converting $$file"; \ + sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts + @echo "Enabling MLS in the Makefile" + @sed "s/MLS=y/MLS=y/" Makefile > Makefile.new + @mv Makefile.new Makefile + @echo "Done" + +mcsconvert: + @for file in $(CONTEXTFILES); do \ + echo "Converting $$file"; \ + sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @for file in $(USER_FILES); do \ + echo "Converting $$file"; \ + sed -r -e 's/\;/ level s0 range s0;/' $$file | \ + sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \ + mv $$file.new $$file; \ + done + @echo "Enabling MCS in the Makefile" + @sed "s/MCS=n/MCS=y/" Makefile > Makefile.new + @mv Makefile.new Makefile + @echo "Done" + diff --git a/mls/README b/mls/README new file mode 100644 index 0000000..6818b66 --- /dev/null +++ b/mls/README @@ -0,0 +1,125 @@ +The Makefile targets are: +policy - compile the policy configuration. +install - compile and install the policy configuration. +load - compile, install, and load the policy configuration. +relabel - relabel the filesystem. +check-all - check individual additional policy files in domains/program/unused. +checkunused/FILE.te - check individual file FILE from domains/program/unused. + +If you have configured MLS into your module, then set MLS=y in the +Makefile prior to building the policy. Of course, you must have also +built checkpolicy with MLS enabled. + +Three of the configuration files are independent of the particular +security policy: +1) flask/security_classes - + This file has a simple declaration for each security class. + The corresponding symbol definitions are in the automatically + generated header file . + +2) flask/initial_sids - + This file has a simple declaration for each initial SID. + The corresponding symbol definitions are in the automatically + generated header file . + +3) access_vectors - + This file defines the access vectors. Common prefixes for + access vectors may be defined at the beginning of the file. + After the common prefixes are defined, an access vector + may be defined for each security class. + The corresponding symbol definitions are in the automatically + generated header file . + +In addition to being read by the security server, these configuration +files are used during the kernel build to automatically generate +symbol definitions used by the kernel for security classes, initial +SIDs and permissions. Since the symbol definitions generated from +these files are used during the kernel build, the values of existing +security classes and permissions may not be modified by load_policy. +However, new classes may be appended to the list of classes and new +permissions may be appended to the list of permissions associated with +each access vector definition. + +The policy-dependent configuration files are: +1) tmp/all.te - + This file defines the Type Enforcement (TE) configuration. + This file is automatically generated from a collection of files. + + The macros subdirectory contains a collection of m4 macro definitions + used by the TE configuration. The global_macros.te file contains global + macros used throughout the configuration for common groupings of classes + and permissions and for common sets of rules. The user_macros.te file + contains macros used in defining user domains. The admin_macros.te file + contains macros used in defining admin domains. The macros/program + subdirectory contains macros that are used to instantiate derived domains + for certain programs that encode information about both the calling user + domain and the program, permitting the policy to maintain separation + between different instances of the program. + + The types subdirectory contains several files with declarations for + general types (types not associated with a particular domain) and + some rules defining relationships among those types. Related types + are grouped together into each file in this directory, e.g. all + device type declarations are in the device.te file. + + The domains subdirectory contains several files and directories + with declarations and rules for each domain. User domains are defined in + user.te. Administrator domains are defined in admin.te. Domains for + specific programs, including both system daemons and other programs, are + in the .te files within the domains/program subdirectory. The domains/misc + subdirectory is for miscellaneous domains such as the kernel domain and + the kernel module loader domain. + + The assert.te file contains assertions that are checked after evaluating + the entire TE configuration. + +2) rbac - + This file defines the Role-Based Access Control (RBAC) configuration. + +3) mls - + This file defines the Multi-Level Security (MLS) configuration. + +4) users - + This file defines the users recognized by the security policy. + +5) constraints - + This file defines additional constraints on permissions + in the form of boolean expressions that must be satisfied in order + for specified permissions to be granted. These constraints + are used to further refine the type enforcement tables and + the role allow rules. Typically, these constraints are used + to restrict changes in user identity or role to certain domains. + +6) initial_sid_contexts - + This file defines the security context for each initial SID. + A security context consists of a user identity, a role, a type and + optionally a MLS range if the MLS policy is enabled. If left unspecified, + the high MLS level defaults to the low MLS level. The syntax of a valid + security context is: + + user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]] + +7) fs_use - + This file defines the labeling behavior for inodes in particular + filesystem types. + +8) genfs_contexts - + This file defines security contexts for files in filesystems that + cannot support persistent label mappings or use one of the fixed + labeling schemes specified in fs_use. + +8) net_contexts - + This file defines the security contexts of network objects + such as ports, interfaces, and nodes. + +9) file_contexts/{types.fc,program/*.fc} + These files define the security contexts for persistent files. + +It is possible to test the security server functions on a given policy +configuration by running the checkpolicy program with the -d option. +This program is built from the same sources as the security server +component of the kernel, so it may be used both to verify that a +policy configuration will load successfully and to determine how the +security server would respond if it were using that policy +configuration. A menu-based interface is provided for calling any of +the security server functions after the policy is loaded. diff --git a/mls/VERSION b/mls/VERSION new file mode 100644 index 0000000..3bae520 --- /dev/null +++ b/mls/VERSION @@ -0,0 +1 @@ +1.27.3 diff --git a/mls/appconfig/dbus_contexts b/mls/appconfig/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/mls/appconfig/dbus_contexts @@ -0,0 +1,6 @@ + + + + + diff --git a/mls/appconfig/default_contexts b/mls/appconfig/default_contexts new file mode 100644 index 0000000..5024209 --- /dev/null +++ b/mls/appconfig/default_contexts @@ -0,0 +1,12 @@ +system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 +system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0 +system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 +staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 +user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --git a/mls/appconfig/default_type b/mls/appconfig/default_type new file mode 100644 index 0000000..af878bd --- /dev/null +++ b/mls/appconfig/default_type @@ -0,0 +1,4 @@ +secadm_r:secadm_t +sysadm_r:sysadm_t +staff_r:staff_t +user_r:user_t diff --git a/mls/appconfig/failsafe_context b/mls/appconfig/failsafe_context new file mode 100644 index 0000000..999abd9 --- /dev/null +++ b/mls/appconfig/failsafe_context @@ -0,0 +1 @@ +sysadm_r:sysadm_t:s0 diff --git a/mls/appconfig/initrc_context b/mls/appconfig/initrc_context new file mode 100644 index 0000000..30ab971 --- /dev/null +++ b/mls/appconfig/initrc_context @@ -0,0 +1 @@ +system_u:system_r:initrc_t:s0 diff --git a/mls/appconfig/media b/mls/appconfig/media new file mode 100644 index 0000000..81f3463 --- /dev/null +++ b/mls/appconfig/media @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t:s0 +floppy system_u:object_r:removable_device_t:s0 +disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/mls/appconfig/removable_context b/mls/appconfig/removable_context new file mode 100644 index 0000000..7fcc56e --- /dev/null +++ b/mls/appconfig/removable_context @@ -0,0 +1 @@ +system_u:object_r:removable_t:s0 diff --git a/mls/appconfig/root_default_contexts b/mls/appconfig/root_default_contexts new file mode 100644 index 0000000..e9d95e8 --- /dev/null +++ b/mls/appconfig/root_default_contexts @@ -0,0 +1,9 @@ +system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +# +# Uncomment if you want to automatically login as sysadm_r +# +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/mls/appconfig/userhelper_context b/mls/appconfig/userhelper_context new file mode 100644 index 0000000..dc37a69 --- /dev/null +++ b/mls/appconfig/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t:s0 diff --git a/mls/assert.te b/mls/assert.te new file mode 100644 index 0000000..02b2878 --- /dev/null +++ b/mls/assert.te @@ -0,0 +1,156 @@ +############################## +# +# Assertions for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################## +# +# Access vector assertions. +# +# An access vector assertion specifies permissions that should not be in +# an access vector based on a source type, a target type, and a class. +# If any of the specified permissions are in the corresponding access +# vector, then the policy compiler will reject the policy configuration. +# Currently, there is only one kind of access vector assertion, neverallow, +# but support for the other kinds of vectors could be easily added. Access +# vector assertions use the same syntax as access vector rules. +# + +# +# Verify that every type that can be entered by +# a domain is also tagged as a domain. +# +neverallow domain ~domain:process { transition dyntransition }; + +# +# Verify that only the insmod_t and kernel_t domains +# have the sys_module capability. +# +neverallow {domain -privsysmod -unrestricted } self:capability sys_module; + +# +# Verify that executable types, the system dynamic loaders, and the +# system shared libraries can only be modified by administrators. +# +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename }; +neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto; + +# +# Verify that only appropriate domains can access /etc/shadow +neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr; +neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms; + +# +# Verify that only appropriate domains can write to /etc (IE mess with +# /etc/passwd) +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms; +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms; +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms }; + +# +# Verify that other system software can only be modified by administrators. +# +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename }; +neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename }; + +# +# Verify that only certain domains have access to the raw disk devices. +# +neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append }; + +# +# Verify that only the X server and klogd have access to memory devices. +# +neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append }; + +# +# Verify that only domains with the privlog attribute can actually syslog +# +neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append }; + +# +# Verify that /proc/kmsg is only accessible to klogd. +# +neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms; + +# +# Verify that /proc/kcore is inaccessible. +# + +neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms; + +# +# Verify that sysctl variables are only changeable +# by initrc and administrators. +# +neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append }; +neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append }; +neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append }; + +# +# Verify that certain domains are limited to only being +# entered by their entrypoint types and to only executing +# the dynamic loader without a transition to another domain. +# + +define(`assert_execute', ` + ifelse($#, 0, , + $#, 1, + ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', + `assert_execute($1) assert_execute(shift($@))')') + +ifdef(`getty.te', `assert_execute(getty)') +ifdef(`klogd.te', `assert_execute(klogd)') +ifdef(`tcpd.te', `assert_execute(tcpd)') +ifdef(`portmap.te', `assert_execute(portmap)') +ifdef(`syslogd.te', `assert_execute(syslogd)') +ifdef(`rpcd.te', `assert_execute(rpcd)') +ifdef(`rlogind.te', `assert_execute(rlogind)') +ifdef(`ypbind.te', `assert_execute(ypbind)') +ifdef(`xfs.te', `assert_execute(xfs)') +ifdef(`gpm.te', `assert_execute(gpm)') +ifdef(`ifconfig.te', `assert_execute(ifconfig)') +ifdef(`iptables.te', `assert_execute(iptables)') + +ifdef(`login.te', ` +neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint; +neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans; +') + +# +# Verify that the passwd domain can only be entered by its +# entrypoint type and can only execute the dynamic loader +# and the ordinary passwd program without a transition to another domain. +# +ifdef(`passwd.te', ` +neverallow passwd_t ~passwd_exec_t:file entrypoint; +neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint; +neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans; +') + +# +# Verify that only the admin domains and initrc_t have setenforce. +# +neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce; + +# +# Verify that only the kernel and load_policy_t have load_policy. +# + +neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy; + +# +# for gross mistakes in policy +neverallow * domain:dir ~r_dir_perms; +neverallow * domain:file_class_set ~rw_file_perms; +neverallow { domain unlabeled_t } file_type:process *; +neverallow ~{ domain unlabeled_t } *:process *; diff --git a/mls/attrib.te b/mls/attrib.te new file mode 100644 index 0000000..44e2f70 --- /dev/null +++ b/mls/attrib.te @@ -0,0 +1,562 @@ +# +# Declarations for type attributes. +# + +# A type attribute can be used to identify a set of types with a similar +# property. Each type can have any number of attributes, and each +# attribute can be associated with any number of types. Attributes are +# explicitly declared here, and can then be associated with particular +# types in type declarations. Attribute names can then be used throughout +# the configuration to express the set of types that are associated with +# the attribute. Attributes have no implicit meaning to SELinux. The +# meaning of all attributes are completely defined through their +# usage within the configuration, but should be documented here as +# comments preceding the attribute declaration. + +##################### +# Attributes for MLS: +# + +# Common Terminology +# MLS Range: low-high +# low referred to as "Effective Sensitivity Label (SL)" +# high referred to as "Clearance SL" + + +# +# File System MLS attributes/privileges +# +# Grant MLS read access to files not dominated by the process Effective SL +attribute mlsfileread; +# Grant MLS read access to files dominated by the process Clearance SL +attribute mlsfilereadtoclr; +# Grant MLS write access to files not equal to the Effective SL +attribute mlsfilewrite; +# Grant MLS write access to files which dominate the process Effective SL +# and are dominated by the process Clearance SL +attribute mlsfilewritetoclr; +# Grant MLS ability to change file label to a new label which dominates +# the old label +attribute mlsfileupgrade; +# Grant MLS ability to change file label to a new label which is +# dominated by or incomparable to the old label +attribute mlsfiledowngrade; + +# +# Network MLS attributes/privileges +# +# Grant MLS read access to packets not dominated by the process Effective SL +attribute mlsnetread; +# Grant MLS read access to packets dominated by the process Clearance SL +attribute mlsnetreadtoclr; +# Grant MLS write access to packets not equal to the Effective SL +attribute mlsnetwrite; +# Grant MLS write access to packets which dominate the Effective SL +# and are dominated by the process Clearance SL +attribute mlsnetwritetoclr; +# Grant MLS read access to packets from hosts or interfaces which dominate +# or incomparable to the process Effective SL +attribute mlsnetrecvall; +# Grant MLS ability to change socket label to a new label which dominates +# the old label +attribute mlsnetupgrade; +# Grant MLS ability to change socket label to a new label which is +# dominated by or incomparable to the old label +attribute mlsnetdowngrade; + +# +# IPC MLS attributes/privileges +# +# Grant MLS read access to IPC objects not dominated by the process Effective SL +attribute mlsipcread; +# Grant MLS read access to IPC objects dominated by the process Clearance SL +attribute mlsipcreadtoclr; +# Grant MLS write access to IPC objects not equal to the process Effective SL +attribute mlsipcwrite; +# Grant MLS write access to IPC objects which dominate the process Effective SL +# and are dominated by the process Clearance SL +attribute mlsipcwritetoclr; + +# +# Process MLS attributes/privileges +# +# Grant MLS read access to processes not dominated by the process Effective SL +attribute mlsprocread; +# Grant MLS read access to processes dominated by the process Clearance SL +attribute mlsprocreadtoclr; +# Grant MLS write access to processes not equal to the Effective SL +attribute mlsprocwrite; +# Grant MLS write access to processes which dominate the process Effective SL +# and are dominated by the process Clearance SL +attribute mlsprocwritetoclr; +# Grant MLS ability to change Effective SL or Clearance SL of process to a +# label dominated by the Clearance SL +attribute mlsprocsetsl; + +# +# X Window MLS attributes/privileges +# +# Grant MLS read access to X objects not dominated by the process Effective SL +attribute mlsxwinread; +# Grant MLS read access to X objects dominated by the process Clearance SL +attribute mlsxwinreadtoclr; +# Grant MLS write access to X objects not equal to the process Effective SL +attribute mlsxwinwrite; +# Grant MLS write access to X objects which dominate the process Effective SL +# and are dominated by the process Clearance SL +attribute mlsxwinwritetoclr; +# Grant MLS read access to X properties not dominated by +# the process Effective SL +attribute mlsxwinreadproperty; +# Grant MLS write access to X properties not equal to the process Effective SL +attribute mlsxwinwriteproperty; +# Grant MLS read access to X colormaps not dominated by +# the process Effective SL +attribute mlsxwinreadcolormap; +# Grant MLS write access to X colormaps not equal to the process Effective SL +attribute mlsxwinwritecolormap; +# Grant MLS write access to X xinputs not equal to the process Effective SL +attribute mlsxwinwritexinput; + +# Grant MLS read/write access to objects which internally arbitrate MLS +attribute mlstrustedobject; + +# +# Both of the following attributes are needed for a range transition to succeed +# +# Grant ability for the current domain to change SL upon process transition +attribute privrangetrans; +# Grant ability for the new process domain to change SL upon process transition +attribute mlsrangetrans; + +######################### +# Attributes for domains: +# + +# The domain attribute identifies every type that can be +# assigned to a process. This attribute is used in TE rules +# that should be applied to all domains, e.g. permitting +# init to kill all processes. +attribute domain; + +# The daemon attribute identifies domains for system processes created via +# the daemon_domain, daemon_base_domain, and init_service_domain macros. +attribute daemon; + +# The privuser attribute identifies every domain that can +# change its SELinux user identity. This attribute is used +# in the constraints configuration. NOTE: This attribute +# is not required for domains that merely change the Linux +# uid attributes, only for domains that must change the +# SELinux user identity. Also note that this attribute makes +# no sense without the privrole attribute. +attribute privuser; + +# The privrole attribute identifies every domain that can +# change its SELinux role. This attribute is used in the +# constraints configuration. +attribute privrole; + +# The userspace_objmgr attribute identifies every domain +# which enforces its own policy. +attribute userspace_objmgr; + +# The priv_system_role attribute identifies every domain that can +# change role from a user role to system_r role, and identity from a user +# identity to system_u. It is used in the constraints configuration. +attribute priv_system_role; + +# The privowner attribute identifies every domain that can +# assign a different SELinux user identity to a file, or that +# can create a file with an identity that is not the same as the +# process identity. This attribute is used in the constraints +# configuration. +attribute privowner; + +# The privlog attribute identifies every domain that can +# communicate with syslogd through its Unix domain socket. +# There is an assertion that other domains can not do it, +# and an allow rule to permit it +attribute privlog; + +# The privmodule attribute identifies every domain that can run +# modprobe, there is an assertion that other domains can not do it, +# and an allow rule to permit it +attribute privmodule; + +# The privsysmod attribute identifies every domain that can have the +# sys_module capability +attribute privsysmod; + +# The privmem attribute identifies every domain that can +# access kernel memory devices. +# This attribute is used in the TE assertions to verify +# that such access is limited to domains that are explicitly +# tagged with this attribute. +attribute privmem; + +# The privkmsg attribute identifies every domain that can +# read kernel messages (/proc/kmsg) +# This attribute is used in the TE assertions to verify +# that such access is limited to domains that are explicitly +# tagged with this attribute. +attribute privkmsg; + +# The privfd attribute identifies every domain that should have +# file handles inherited widely (IE sshd_t and getty_t). +attribute privfd; + +# The privhome attribute identifies every domain that can create files under +# regular user home directories in the regular context (IE act on behalf of +# a user in writing regular files) +attribute privhome; + +# The auth attribute identifies every domain that needs +# to read /etc/shadow, and grants the permission. +attribute auth; + +# The auth_bool attribute identifies every domain that can +# read /etc/shadow if its boolean is set; +attribute auth_bool; + +# The auth_write attribute identifies every domain that can have write or +# relabel access to /etc/shadow, but does not grant it. +attribute auth_write; + +# The auth_chkpwd attribute identifies every system domain that can +# authenticate users by running unix_chkpwd +attribute auth_chkpwd; + +# The change_context attribute identifies setfiles_t, restorecon_t, and other +# system domains that change the context of most/all files on the system +attribute change_context; + +# The etc_writer attribute identifies every domain that can write to etc_t +attribute etc_writer; + +# The sysctl_kernel_writer attribute identifies domains that can write to +# sysctl_kernel_t, in addition the admin attribute is permitted write access +attribute sysctl_kernel_writer; + +# the sysctl_net_writer attribute identifies domains that can write to +# sysctl_net_t files. +attribute sysctl_net_writer; + +# The sysctl_type attribute identifies every type that is assigned +# to a sysctl entry. This can be used in allow rules to grant +# permissions to all sysctl entries without enumerating each individual +# type, but should be used with care. +attribute sysctl_type; + +# The admin attribute identifies every administrator domain. +# It is used in TE assertions when verifying that only administrator +# domains have certain permissions. +# This attribute is presently associated with sysadm_t and +# certain administrator utility domains. +# XXX The use of this attribute should be reviewed for consistency. +# XXX Might want to partition into several finer-grained attributes +# XXX used in different assertions within assert.te. +attribute admin; + +# The secadmin attribute identifies every security administrator domain. +# It is used in TE assertions when verifying that only administrator +# domains have certain permissions. +# This attribute is presently associated with sysadm_t and secadm_t +attribute secadmin; + +# The userdomain attribute identifies every user domain, presently +# user_t and sysadm_t. It is used in TE rules that should be applied +# to all user domains. +attribute userdomain; + +# for a small domain that can only be used for newrole +attribute user_mini_domain; + +# pty for the mini domain +attribute mini_pty_type; + +# pty created by a server such as sshd +attribute server_pty; + +# attribute for all non-administrative devpts types +attribute userpty_type; + +# The user_tty_type identifies every type for a tty or pty owned by an +# unpriviledged user +attribute user_tty_type; + +# The admin_tty_type identifies every type for a tty or pty owned by a +# priviledged user +attribute admin_tty_type; + +# The user_crond_domain attribute identifies every user_crond domain, presently +# user_crond_t and sysadm_crond_t. It is used in TE rules that should be +# applied to all user domains. +attribute user_crond_domain; + +# The unpriv_userdomain identifies non-administrative users (default user_t) +attribute unpriv_userdomain; + +# This attribute is for the main user home directory for unpriv users +attribute user_home_dir_type; + +# The gphdomain attribute identifies every gnome-pty-helper derived +# domain. It is used in TE rules to permit inheritance and use of +# descriptors created by these domains. +attribute gphdomain; + +# The fs_domain identifies every domain that may directly access a fixed disk +attribute fs_domain; + +# This attribute is for all domains for the userhelper program. +attribute userhelperdomain; + +############################ +# Attributes for file types: +# + +# The file_type attribute identifies all types assigned to files +# in persistent filesystems. It is used in TE rules to permit +# the association of all such file types with persistent filesystem +# types, and to permit certain domains to access all such types as +# appropriate. +attribute file_type; + +# The secure_file_type attribute identifies files +# which will be treated with a higer level of security. +# Most domains will be prevented from manipulating files in this domain +attribute secure_file_type; + +# The device_type attribute identifies all types assigned to device nodes +attribute device_type; + +# The proc_fs attribute identifies all types that may be assigned to +# files under /proc. +attribute proc_fs; + +# The dev_fs attribute identifies all types that may be assigned to +# files, sockets, or pipes under /dev. +attribute dev_fs; + +# The sysadmfile attribute identifies all types assigned to files +# that should be completely accessible to administrators. It is used +# in TE rules to grant such access for administrator domains. +attribute sysadmfile; + +# The secadmfile attribute identifies all types assigned to files +# that should be only accessible to security administrators. It is used +# in TE rules to grant such access for security administrator domains. +attribute secadmfile; + +# The fs_type attribute identifies all types assigned to filesystems +# (not limited to persistent filesystems). +# It is used in TE rules to permit certain domains to mount +# any filesystem and to permit most domains to obtain the +# overall filesystem statistics. +attribute fs_type; + +# The mount_point attribute identifies all types that can serve +# as a mount point (for the mount binary). It is used in the mount +# policy to grant mounton permission, and in other domains to grant +# getattr permission over all the mount points. +attribute mount_point; + +# The exec_type attribute identifies all types assigned +# to entrypoint executables for domains. This attribute is +# used in TE rules and assertions that should be applied to all +# such executables. +attribute exec_type; + +# The tmpfile attribute identifies all types assigned to temporary +# files. This attribute is used in TE rules to grant certain +# domains the ability to remove all such files (e.g. init, crond). +attribute tmpfile; + +# The user_tmpfile attribute identifies all types associated with temporary +# files for unpriv_userdomain domains. +attribute user_tmpfile; + +# for the user_xserver_tmp_t etc +attribute xserver_tmpfile; + +# The tmpfsfile attribute identifies all types defined for tmpfs +# type transitions. +# It is used in TE rules to grant certain domains the ability to +# access all such files. +attribute tmpfsfile; + +# The home_type attribute identifies all types assigned to home +# directories. This attribute is used in TE rules to grant certain +# domains the ability to access all home directory types. +attribute home_type; + +# This attribute is for the main user home directory /home/user, to +# distinguish it from sub-dirs. Often you want a process to be able to +# read the user home directory but not read the regular directories under it. +attribute home_dir_type; + +# The ttyfile attribute identifies all types assigned to ttys. +# It is used in TE rules to grant certain domains the ability to +# access all ttys. +attribute ttyfile; + +# The ptyfile attribute identifies all types assigned to ptys. +# It is used in TE rules to grant certain domains the ability to +# access all ptys. +attribute ptyfile; + +# The pidfile attribute identifies all types assigned to pid files. +# It is used in TE rules to grant certain domains the ability to +# access all such files. +attribute pidfile; + + +############################ +# Attributes for network types: +# + +# The socket_type attribute identifies all types assigned to +# kernel-created sockets. Ordinary sockets are assigned the +# domain of the creating process. +# XXX This attribute is unused. Remove? +attribute socket_type; + +# Identifies all types assigned to port numbers to control binding. +attribute port_type; + +# Identifies all types assigned to reserved port (<1024) numbers to control binding. +attribute reserved_port_type; + +# Identifies all types assigned to network interfaces to control +# operations on the interface (XXX obsolete, not supported via LSM) +# and to control traffic sent or received on the interface. +attribute netif_type; + +# Identifies all default types assigned to packets received +# on network interfaces. +attribute netmsg_type; + +# Identifies all types assigned to network nodes/hosts to control +# traffic sent to or received from the node. +attribute node_type; + +# Identifier for log files or directories that only exist for log files. +attribute logfile; + +# Identifier for lock files (/var/lock/*) or directories that only exist for +# lock files. +attribute lockfile; + + + +############################## +# Attributes for security policy types: +# + +# The login_contexts attribute idenitifies the files used +# to define default contexts for login types (e.g., login, cron). +attribute login_contexts; + +# Identifier for a domain used by "sendmail -t" (IE user_mail_t, +# sysadm_mail_t, etc) +attribute user_mail_domain; + +# Identifies domains that can transition to system_mail_t +attribute privmail; + +# Type for non-sysadm home directory +attribute user_home_type; + +# For domains that are part of a mail server and need to read user files and +# fifos, and inherit file handles to enable user email to get to the mail +# spool +attribute mta_user_agent; + +# For domains that are part of a mail server for delivering messages to the +# user +attribute mta_delivery_agent; + +# For domains that make outbound TCP port 25 connections to send mail from the +# mail server. +attribute mail_server_sender; + +# For a mail server process that takes TCP connections on port 25 +attribute mail_server_domain; + +# For web clients such as netscape and squid +attribute web_client_domain; + +# For X Window System server domains +attribute xserver; + +# For X Window System client domains +attribute xclient; + +# For X Window System protocol extensions +attribute xextension; + +# For X Window System property types +attribute xproperty; + +# +# For file systems that do not have extended attributes but need to be +# r/w by users +# +attribute noexattrfile; + +# +# For filetypes that the usercan read +# +attribute usercanread; + +# +# For serial devices +# +attribute serial_device; + +# Attribute to designate unrestricted access +attribute unrestricted; + +# Attribute to designate can transition to unconfined_t +attribute unconfinedtrans; + +# For clients of nscd. +attribute nscd_client_domain; + +# For clients of nscd that can use shmem interface. +attribute nscd_shmem_domain; + +# For labeling of content for httpd. This attribute is only used by +# the httpd_unified domain, which says treat all httpdcontent the +# same. If you want content to be served in a "non-unified" system +# you must specifically add "r_dir_file(httpd_t, your_content_t)" to +# your policy. +attribute httpdcontent; + +# For labeling of domains whos transition can be disabled +attribute transitionbool; + +# For labelling daemons that should not have a range transition to "s0" +# included in the daemon_base_domain macro +attribute no_daemon_range_trans; + +# For labeling of file_context domains which users can change files to rather +# then the default file context. These file_context can survive a relabeling +# of the file system. +attribute customizable; + +############################## +# Attributes for polyinstatiation support: +# + +# For labeling types that are to be polyinstantiated +attribute polydir; + +# And for labeling the parent directories of those polyinstantiated directories +# This is necessary for remounting the original in the parent to give +# security aware apps access +attribute polyparent; + +# And labeling for the member directories +attribute polymember; + diff --git a/mls/constraints b/mls/constraints new file mode 100644 index 0000000..46a9875 --- /dev/null +++ b/mls/constraints @@ -0,0 +1,83 @@ +# +# Define m4 macros for the constraints +# + +# +# Define the constraints +# +# constrain class_set perm_set expression ; +# +# validatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for validatetrans) +# | r3 op names (NOTE: this is only available for validatetrans) +# | t3 op names (NOTE: this is only available for validatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name# +# + +# +# Restrict the ability to transition to other users +# or roles to a few privileged types. +# + +constrain process transition + ( u1 == u2 or ( t1 == privuser and t2 == userdomain ) +ifdef(`crond.te', ` + or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u)) +') +ifdef(`userhelper.te', + `or (t1 == userhelperdomain)') + or (t1 == priv_system_role and u2 == system_u ) + ); + +constrain process transition + ( r1 == r2 or ( t1 == privrole and t2 == userdomain ) +ifdef(`crond.te', ` + or (t1 == crond_t and t2 == user_crond_domain) +') +ifdef(`userhelper.te', + `or (t1 == userhelperdomain)') +ifdef(`postfix.te', ` +ifdef(`direct_sysadm_daemon', + `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )') +') + or (t1 == priv_system_role and r2 == system_r ) + ); + +constrain process dyntransition + ( u1 == u2 and r1 == r2); + +# +# Restrict the ability to label objects with other +# user identities to a few privileged types. +# + +constrain dir_file_class_set { create relabelto relabelfrom } + ( u1 == u2 or t1 == privowner ); + +constrain socket_class_set { create relabelto relabelfrom } + ( u1 == u2 or t1 == privowner ); diff --git a/mls/domains/admin.te b/mls/domains/admin.te new file mode 100644 index 0000000..464cc91 --- /dev/null +++ b/mls/domains/admin.te @@ -0,0 +1,43 @@ +#DESC Admin - Domains for administrators. +# +################################# + +# sysadm_t is the system administrator domain. +type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain +ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans') +; dnl end of sysadm_t type declaration + +allow privhome home_root_t:dir { getattr search }; + +# system_r is authorized for sysadm_t for single-user mode. +role system_r types sysadm_t; + +general_proc_read_access(sysadm_t) + +# sysadm_t is also granted permissions specific to administrator domains. +admin_domain(sysadm) + +# for su +allow sysadm_t userdomain:fd use; + +ifdef(`separate_secadm', `', ` +security_manager_domain(sysadm_t) +') + +# Add/remove user home directories +file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) + +limited_user_role(secadm) +typeattribute secadm_t admin; +role secadm_r types secadm_t; +security_manager_domain(secadm_t) +r_dir_file(secadm_t, { var_t var_log_t }) + +typeattribute secadm_tty_device_t admin_tty_type; +typeattribute secadm_devpts_t admin_tty_type; + +bool allow_ptrace false; + +if (allow_ptrace) { +can_ptrace(sysadm_t, domain) +} diff --git a/mls/domains/misc/auth-net.te b/mls/domains/misc/auth-net.te new file mode 100644 index 0000000..e954a9b --- /dev/null +++ b/mls/domains/misc/auth-net.te @@ -0,0 +1,3 @@ +#DESC Policy for using network servers for authenticating users (IE PAM-LDAP) + +can_network(auth) diff --git a/mls/domains/misc/fcron.te b/mls/domains/misc/fcron.te new file mode 100644 index 0000000..57209be --- /dev/null +++ b/mls/domains/misc/fcron.te @@ -0,0 +1,30 @@ +#DESC fcron - additions to cron policy for a more powerful cron program +# +# Domain for fcron, a more powerful cron program. +# +# Needs cron.te installed. +# +# Author: Russell Coker + +# Use capabilities. +allow crond_t self:capability { dac_override dac_read_search }; + +# differences between r_dir_perms and rw_dir_perms +allow crond_t cron_spool_t:dir { add_name remove_name write }; + +ifdef(`mta.te', ` +# not sure why we need write access, but Postfix does not work without it +# I will have to change fcron to avoid the need for this +allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr }; +') + +ifdef(`distro_debian', ` +can_exec(dpkg_t, crontab_exec_t) +file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file) +') + +rw_dir_create_file(crond_t, cron_spool_t) +can_setfscreate(crond_t) + +# for /var/run/fcron.fifo +file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file) diff --git a/mls/domains/misc/kernel.te b/mls/domains/misc/kernel.te new file mode 100644 index 0000000..5b13c0f --- /dev/null +++ b/mls/domains/misc/kernel.te @@ -0,0 +1,75 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################# +# +# Rules for the kernel_t domain. +# + +# +# kernel_t is the domain of kernel threads. +# It is also the target type when checking permissions in the system class. +# +type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ; +role system_r types kernel_t; +general_domain_access(kernel_t) +general_proc_read_access(kernel_t) +base_file_read_access(kernel_t) +uses_shlib(kernel_t) +can_exec(kernel_t, shell_exec_t) + +# Use capabilities. +allow kernel_t self:capability *; + +r_dir_file(kernel_t, sysfs_t) +allow kernel_t { usbfs_t usbdevfs_t }:dir search; + +# Run init in the init_t domain. +domain_auto_trans(kernel_t, init_exec_t, init_t) + +ifdef(`mls_policy', ` +# run init with maximum MLS range +range_transition kernel_t init_exec_t s0 - s15:c0.c255; +') + +# Share state with the init process. +allow kernel_t init_t:process share; + +# Mount and unmount file systems. +allow kernel_t fs_type:filesystem mount_fs_perms; + +# Send signal to any process. +allow kernel_t domain:process signal; +allow kernel_t domain:dir search; + +# Access the console. +allow kernel_t device_t:dir search; +allow kernel_t console_device_t:chr_file rw_file_perms; + +# Access the initrd filesystem. +allow kernel_t file_t:chr_file rw_file_perms; +can_exec(kernel_t, file_t) +ifdef(`chroot.te', ` +can_exec(kernel_t, chroot_exec_t) +') +allow kernel_t self:capability sys_chroot; + +allow kernel_t { unlabeled_t root_t file_t }:dir mounton; +allow kernel_t unlabeled_t:fifo_file rw_file_perms; +allow kernel_t file_t:dir rw_dir_perms; +allow kernel_t file_t:blk_file create_file_perms; +allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms }; + +# Lookup the policy. +allow kernel_t policy_config_t:dir r_dir_perms; + +# Load the policy configuration. +can_loadpol(kernel_t) + +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +can_exec(kernel_t, bin_t) + +ifdef(`targeted_policy', ` +unconfined_domain(kernel_t) +') diff --git a/mls/domains/misc/local.te b/mls/domains/misc/local.te new file mode 100644 index 0000000..cedba3c --- /dev/null +++ b/mls/domains/misc/local.te @@ -0,0 +1,5 @@ +# Local customization of existing policy should be done in this file. +# If you are creating brand new policy for a new "target" domain, you +# need to create a type enforcement (.te) file in domains/program +# and a file context (.fc) file in file_context/program. + diff --git a/mls/domains/misc/startx.te b/mls/domains/misc/startx.te new file mode 100644 index 0000000..16c4910 --- /dev/null +++ b/mls/domains/misc/startx.te @@ -0,0 +1,7 @@ +#DESC startx - policy for running an X server from a user domain +# +# Author: Russell Coker +# + +# Everything is in the macro files + diff --git a/mls/domains/misc/userspace_objmgr.te b/mls/domains/misc/userspace_objmgr.te new file mode 100644 index 0000000..ae3b205 --- /dev/null +++ b/mls/domains/misc/userspace_objmgr.te @@ -0,0 +1,13 @@ +#DESC Userspace Object Managers +# +################################# + +# Get our own security context. +can_getcon(userspace_objmgr) +# Get security decisions via selinuxfs. +can_getsecurity(userspace_objmgr) +# Read /etc/selinux +r_dir_file(userspace_objmgr, { selinux_config_t default_context_t }) +# Receive notifications of policy reloads and enforcing status changes. +allow userspace_objmgr self:netlink_selinux_socket { create bind read }; + diff --git a/mls/domains/misc/xclient.te b/mls/domains/misc/xclient.te new file mode 100644 index 0000000..ae4552f --- /dev/null +++ b/mls/domains/misc/xclient.te @@ -0,0 +1,14 @@ +# +# Authors: Eamon Walsh +# + +####################################### +# +# Domains for the SELinux-enabled X Window System +# + +# +# Domain for all non-local X clients +# +type remote_xclient_t, domain; +in_user_role(remote_xclient_t) diff --git a/mls/domains/program/NetworkManager.te b/mls/domains/program/NetworkManager.te new file mode 100644 index 0000000..922b4f5 --- /dev/null +++ b/mls/domains/program/NetworkManager.te @@ -0,0 +1,122 @@ +#DESC NetworkManager - +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the NetworkManager_t domain. +# +# NetworkManager_t is the domain for the NetworkManager daemon. +# NetworkManager_exec_t is the type of the NetworkManager executable. +# +daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' ) + +can_network(NetworkManager_t) +allow NetworkManager_t port_type:tcp_socket name_connect; +allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind; +allow NetworkManager_t dhcpc_t:process signal; + +can_ypbind(NetworkManager_t) +uses_shlib(NetworkManager_t) +allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock}; + +allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read }; + +allow NetworkManager_t self:process { setcap getsched }; +allow NetworkManager_t self:fifo_file rw_file_perms; +allow NetworkManager_t self:unix_dgram_socket create_socket_perms; +allow NetworkManager_t self:file { getattr read }; +allow NetworkManager_t self:packet_socket create_socket_perms; +allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; + + +# +# Communicate with Caching Name Server +# +ifdef(`named.te', ` +allow NetworkManager_t named_zone_t:dir search; +rw_dir_create_file(NetworkManager_t, named_cache_t) +domain_auto_trans(NetworkManager_t, named_exec_t, named_t) +allow named_t NetworkManager_t:udp_socket { read write }; +allow named_t NetworkManager_t:netlink_route_socket { read write }; +allow NetworkManager_t named_t:process signal; +allow named_t NetworkManager_t:packet_socket { read write }; +') + +allow NetworkManager_t selinux_config_t:dir search; +allow NetworkManager_t selinux_config_t:file { getattr read }; + +ifdef(`dbusd.te', ` +dbusd_client(system, NetworkManager) +allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow NetworkManager_t self:dbus send_msg; +ifdef(`hald.te', ` +allow NetworkManager_t hald_t:dbus send_msg; +allow hald_t NetworkManager_t:dbus send_msg; +') +allow NetworkManager_t initrc_t:dbus send_msg; +allow initrc_t NetworkManager_t:dbus send_msg; +ifdef(`targeted_policy', ` +allow NetworkManager_t unconfined_t:dbus send_msg; +allow unconfined_t NetworkManager_t:dbus send_msg; +') +allow NetworkManager_t userdomain:dbus send_msg; +allow userdomain NetworkManager_t:dbus send_msg; +') + +allow NetworkManager_t usr_t:file { getattr read }; + +ifdef(`ifconfig.te', ` +domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t) +')dnl end if def ifconfig + +allow NetworkManager_t { sbin_t bin_t }:dir search; +allow NetworkManager_t bin_t:lnk_file read; +can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t }) + +# in /etc created by NetworkManager will be labelled net_conf_t. +file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file) + +allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read }; +allow NetworkManager_t proc_t:file { getattr read }; +r_dir_file(NetworkManager_t, proc_net_t) + +allow NetworkManager_t { domain -unrestricted }:dir search; +allow NetworkManager_t { domain -unrestricted }:file { getattr read }; +dontaudit NetworkManager_t unrestricted:dir search; +dontaudit NetworkManager_t unrestricted:file { getattr read }; + +allow NetworkManager_t howl_t:process signal; +allow NetworkManager_t initrc_var_run_t:file { getattr read }; + +ifdef(`modutil.te', ` +if (!secure_mode_insmod) { +domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t) +} +') + +allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms; +# allow vpnc connections +allow NetworkManager_t self:rawip_socket create_socket_perms; +allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms; + +domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t) +domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t) +ifdef(`vpnc.te', ` +domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t) +') + +ifdef(`dhcpc.te', ` +allow NetworkManager_t dhcp_state_t:dir search; +allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink }; +') +allow NetworkManager_t var_lib_t:dir search; +dontaudit NetworkManager_t user_tty_type:chr_file { read write }; +dontaudit NetworkManager_t security_t:dir search; + +ifdef(`consoletype.te', ` +can_exec(NetworkManager_t, consoletype_exec_t) +') + diff --git a/mls/domains/program/acct.te b/mls/domains/program/acct.te new file mode 100644 index 0000000..bbb4fdc --- /dev/null +++ b/mls/domains/program/acct.te @@ -0,0 +1,66 @@ +#DESC Acct - BSD process accounting +# +# Author: Russell Coker +# X-Debian-Packages: acct +# + +################################# +# +# Rules for the acct_t domain. +# +# acct_exec_t is the type of the acct executable. +# +daemon_base_domain(acct) +ifdef(`crond.te', ` +system_crond_entry(acct_exec_t, acct_t) + +# for monthly cron job +file_type_auto_trans(acct_t, var_log_t, wtmp_t, file) +') + +# for SSP +allow acct_t urandom_device_t:chr_file read; + +type acct_data_t, file_type, logfile, sysadmfile; + +# not sure why we need this, the command "last" is reported as using it +dontaudit acct_t self:capability kill; + +# gzip needs chown capability for some reason +allow acct_t self:capability { chown fsetid sys_pacct }; + +allow acct_t var_t:dir { getattr search }; +rw_dir_create_file(acct_t, acct_data_t) + +can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t }) +allow acct_t { bin_t sbin_t }:dir search; +allow acct_t bin_t:lnk_file read; + +read_locale(acct_t) + +allow acct_t fs_t:filesystem getattr; + +allow acct_t self:unix_stream_socket create_socket_perms; + +allow acct_t self:fifo_file { read write getattr }; + +allow acct_t { self proc_t }:file { read getattr }; + +read_sysctl(acct_t) + +dontaudit acct_t sysadm_home_dir_t:dir { getattr search }; + +# for nscd +dontaudit acct_t var_run_t:dir search; + + +allow acct_t devtty_t:chr_file { read write }; + +allow acct_t { etc_t etc_runtime_t }:file { read getattr }; + +ifdef(`logrotate.te', ` +domain_auto_trans(logrotate_t, acct_exec_t, acct_t) +rw_dir_create_file(logrotate_t, acct_data_t) +can_exec(logrotate_t, acct_data_t) +') + diff --git a/mls/domains/program/alsa.te b/mls/domains/program/alsa.te new file mode 100644 index 0000000..ab80475 --- /dev/null +++ b/mls/domains/program/alsa.te @@ -0,0 +1,24 @@ +#DESC ainit - configuration tool for ALSA +# +# Author: Dan Walsh +# +# +type alsa_t, domain, privlog, daemon; +type alsa_exec_t, file_type, sysadmfile, exec_type; +uses_shlib(alsa_t) +allow alsa_t { unpriv_userdomain self }:sem create_sem_perms; +allow alsa_t { unpriv_userdomain self }:shm create_shm_perms; +allow alsa_t self:unix_stream_socket create_stream_socket_perms; +allow alsa_t self:unix_dgram_socket create_socket_perms; +allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write }; +allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms }; + +type alsa_etc_rw_t, file_type, sysadmfile, usercanread; +rw_dir_create_file(alsa_t,alsa_etc_rw_t) +allow alsa_t self:capability { setgid setuid ipc_owner }; +dontaudit alsa_t self:capability sys_admin; +allow alsa_t devpts_t:chr_file { read write }; +allow alsa_t etc_t:file { getattr read }; +domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t) +role system_r types alsa_t; +read_locale(alsa_t) diff --git a/mls/domains/program/amanda.te b/mls/domains/program/amanda.te new file mode 100644 index 0000000..4b63f5f --- /dev/null +++ b/mls/domains/program/amanda.te @@ -0,0 +1,284 @@ +#DESC Amanda - Automated backup program +# +# This policy file sets the rigths for amanda client started by inetd_t +# and amrecover +# +# X-Debian-Packages: amanda-common amanda-server +# Depends: inetd.te +# Author : Carsten Grohmann +# +# License : GPL +# +# last change: 27. August 2002 +# +# state : complete and tested +# +# Hints : +# - amanda.fc is the appendant file context file +# - If you use amrecover please extract the files and directories to the +# directory speficified in amanda.fc as type amanda_recover_dir_t. +# - The type amanda_user_exec_t is defined to label the files but not used. +# This configuration works only as an client and a amanda client does not need +# this programs. +# +# Enhancements/Corrections: +# - set tighter permissions to /bin/tar instead bin_t + +############################################################################## +# AMANDA CLIENT DECLARATIONS +############################################################################## + +# General declarations +###################### + +type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain; +role system_r types amanda_t; + +# type for the amanda executables +type amanda_exec_t, file_type, sysadmfile, exec_type; + +# type for the amanda executables started by inetd +type amanda_inetd_exec_t, file_type, sysadmfile, exec_type; + +# type for amanda configurations files +type amanda_config_t, file_type, sysadmfile; + +# type for files in /usr/lib/amanda +type amanda_usr_lib_t, file_type, sysadmfile; + +# type for all files in /var/lib/amanda +type amanda_var_lib_t, file_type, sysadmfile; + +# type for all files in /var/lib/amanda/gnutar-lists/ +type amanda_gnutarlists_t, file_type, sysadmfile; + +# type for user startable files +type amanda_user_exec_t, file_type, sysadmfile, exec_type; + +# type for same awk and other scripts +type amanda_script_exec_t, file_type, sysadmfile, exec_type; + +# type for the shell configuration files +type amanda_shellconfig_t, file_type, sysadmfile; + +tmp_domain(amanda) + +# type for /etc/amandates +type amanda_amandates_t, file_type, sysadmfile; + +# type for /etc/dumpdates +type amanda_dumpdates_t, file_type, sysadmfile; + +# type for amanda data +type amanda_data_t, file_type, sysadmfile; + +# Domain transitions +#################### + +domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t) + + +################## +# File permissions +################## + +# configuration files -> read only +allow amanda_t amanda_config_t:file { getattr read }; + +# access to amanda_amandates_t +allow amanda_t amanda_amandates_t:file { getattr lock read write }; + +# access to amanda_dumpdates_t +allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; + +# access to amandas data structure +allow amanda_t amanda_data_t:dir { read search write }; +allow amanda_t amanda_data_t:file { read write }; + +# access to proc_t +allow amanda_t proc_t:file { getattr read }; + +# access to etc_t and similar +allow amanda_t etc_t:file { getattr read }; +allow amanda_t etc_runtime_t:file { getattr read }; + +# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) +rw_dir_create_file(amanda_t, amanda_gnutarlists_t) + +# access to device_t and similar +allow amanda_t devtty_t:chr_file { read write }; + +# access to fs_t +allow amanda_t fs_t:filesystem getattr; + +# access to sysctl_kernel_t ( proc/sys/kernel/* ) +read_sysctl(amanda_t) + +##################### +# process permissions +##################### + +# Allow to use shared libs +uses_shlib(amanda_t) + +# Allow to execute a amanda executable file +allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read }; + +# Allow to run a shell +allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read }; + +# access to bin_t (tar) +allow amanda_t bin_t:file { execute execute_no_trans }; + +allow amanda_t self:capability { chown dac_override setuid }; +allow amanda_t self:process { fork sigchld setpgid signal }; +allow amanda_t self:dir search; +allow amanda_t self:file { getattr read }; + + +################################### +# Network and process communication +################################### + +can_network_server(amanda_t); +can_ypbind(amanda_t); +can_exec(amanda_t, sbin_t); + +allow amanda_t self:fifo_file { getattr read write ioctl lock }; +allow amanda_t self:unix_stream_socket create_stream_socket_perms; +allow amanda_t self:unix_dgram_socket create_socket_perms; + + +########################## +# Communication with inetd +########################## + +allow amanda_t inetd_t:udp_socket { read write }; + + +################### +# inetd permissions +################### + +allow inetd_t amanda_usr_lib_t:dir search; + + +######################## +# Access to to save data +######################## + +# access to user_home_t +allow amanda_t user_home_type:file { getattr read }; + +############################################################################## +# AMANDA RECOVER DECLARATIONS +############################################################################## + + +# General declarations +###################### + +# type for amrecover +type amanda_recover_t, domain; +role sysadm_r types amanda_recover_t; +role system_r types amanda_recover_t; + +# exec types for amrecover +type amanda_recover_exec_t, file_type, sysadmfile, exec_type; + +# type for recover files ( restored data ) +type amanda_recover_dir_t, file_type, sysadmfile; +file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t) + +# domain transsition +domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t) + +# file type auto trans to write debug messages +file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) + + +# amanda recover process permissions +#################################### + +uses_shlib(amanda_recover_t) +allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; +allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service }; +can_exec(amanda_recover_t, shell_exec_t) +allow amanda_recover_t privfd:fd use; + + +# amrecover network and process communication +############################################# + +can_network(amanda_recover_t); +allow amanda_recover_t amanda_port_t:tcp_socket name_connect; +can_ypbind(amanda_recover_t); +read_locale(amanda_recover_t); + +allow amanda_recover_t self:fifo_file { getattr ioctl read write }; +allow amanda_recover_t self:unix_stream_socket { connect create read write }; +allow amanda_recover_t var_log_t:dir search; +rw_dir_create_file(amanda_recover_t, amanda_log_t) + +# amrecover file permissions +############################ + +# access to etc_t and similar +allow amanda_recover_t etc_t:dir search; +allow amanda_recover_t etc_t:file { getattr read }; +allow amanda_recover_t etc_runtime_t:file { getattr read }; + +# access to amanda_recover_dir_t +allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write }; +allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink }; + +# access to var_t and var_run_t +allow amanda_recover_t var_t:dir search; +allow amanda_recover_t var_run_t:dir search; + +# access to proc_t +allow amanda_recover_t proc_t:dir search; +allow amanda_recover_t proc_t:file { getattr read }; + +# access to sysctl_kernel_t +read_sysctl(amanda_recover_t) + +# access to dev_t and similar +allow amanda_recover_t device_t:dir search; +allow amanda_recover_t devtty_t:chr_file { read write }; +allow amanda_recover_t null_device_t:chr_file { getattr write }; + +# access to bin_t +allow amanda_recover_t bin_t:file { execute execute_no_trans }; + +# access to sysadm_home_t and sysadm_home_dir_t to start amrecover +# in the sysadm home directory +allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr }; + +# access to use sysadm_tty_device_t (/dev/tty?) +allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write }; + +# access to amanda_tmp_t and tmp_t +allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write }; +allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink }; +allow amanda_recover_t tmp_t:dir search; + +# +# Rules to allow amanda to be run as a service in xinetd +# +allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind; + +#amanda needs to look at fs_type directories to decide whether it should backup +allow amanda_t { fs_type file_type }:dir {getattr read search }; +allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read }; +allow amanda_t device_type:{ blk_file chr_file } getattr; +allow amanda_t fixed_disk_device_t:blk_file read; +domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t) + +allow amanda_t file_type:sock_file getattr; +logdir_domain(amanda) + +dontaudit amanda_t proc_t:lnk_file read; +dontaudit amanda_t unlabeled_t:file getattr; +#amanda wants to check attributes on fifo_files +allow amanda_t file_type:fifo_file getattr; diff --git a/mls/domains/program/anaconda.te b/mls/domains/program/anaconda.te new file mode 100644 index 0000000..175947d --- /dev/null +++ b/mls/domains/program/anaconda.te @@ -0,0 +1,48 @@ +#DESC Anaconda - Red Hat Installation program +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the anaconda_t domain. +# +# anaconda_t is the domain of the installation program +# +type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer; +role system_r types anaconda_t; +unconfined_domain(anaconda_t) + +role system_r types ldconfig_t; +domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) + +# Run other rc scripts in the anaconda_t domain. +domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) + +ifdef(`dmesg.te', ` +domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t) +') + +ifdef(`distro_redhat', ` +file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file) +') + +ifdef(`rpm.te', ` +# Access /var/lib/rpm. +domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t) +') + +file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file) + +ifdef(`udev.te', ` +domain_auto_trans(anaconda_t, udev_exec_t, udev_t) +') + +ifdef(`ssh-agent.te', ` +role system_r types sysadm_ssh_agent_t; +domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) +') +ifdef(`passwd.te', ` +domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) +') diff --git a/mls/domains/program/apache.te b/mls/domains/program/apache.te new file mode 100644 index 0000000..1b9cab6 --- /dev/null +++ b/mls/domains/program/apache.te @@ -0,0 +1,415 @@ +#DESC Apache - Web server +# +# X-Debian-Packages: apache2-common apache +# +############################################################################### +# +# Policy file for running the Apache web server +# +# NOTES: +# This policy will work with SUEXEC enabled as part of the Apache +# configuration. However, the user CGI scripts will run under the +# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the +# of the creating user. +# +# The user CGI scripts must be labeled with the httpd_$1_script_exec_t +# type, and the directory containing the scripts should also be labeled +# with these types. This policy allows user_r role to perform that +# relabeling. If it is desired that only sysadm_r should be able to relabel +# the user CGI scripts, then relabel rule for user_r should be removed. +# +############################################################################### + +define(`httpd_home_dirs', ` +r_dir_file(httpd_t, $1) +r_dir_file(httpd_suexec_t, $1) +can_exec(httpd_suexec_t, $1) +') + +bool httpd_unified false; + +# Allow httpd to use built in scripting (usually php) +bool httpd_builtin_scripting false; + +# Allow httpd cgi support +bool httpd_enable_cgi false; + +# Allow httpd to read home directories +bool httpd_enable_homedirs false; + +# Run SSI execs in system CGI script domain. +bool httpd_ssi_exec false; + +# Allow http daemon to communicate with the TTY +bool httpd_tty_comm false; + +# Allow http daemon to tcp connect +bool httpd_can_network_connect false; + +######################################################### +# Apache types +######################################################### +# httpd_config_t is the type given to the configuration +# files for apache /etc/httpd/conf +# +type httpd_config_t, file_type, sysadmfile; + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache +# +type httpd_modules_t, file_type, sysadmfile; + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory +# +type httpd_cache_t, file_type, sysadmfile; + +# httpd_exec_t is the type give to the httpd executable. +# +daemon_domain(httpd, `, privmail, nscd_client_domain') + +append_logdir_domain(httpd) +#can read /etc/httpd/logs +allow httpd_t httpd_log_t:lnk_file read; + +# For /etc/init.d/apache2 reload +can_tcp_connect(httpd_t, httpd_t) + +can_tcp_connect(web_client_domain, httpd_t) + +can_exec(httpd_t, httpd_exec_t) +file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file) + +general_domain_access(httpd_t) + +allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; + +read_sysctl(httpd_t) + +allow httpd_t crypt_device_t:chr_file rw_file_perms; + +# for modules that want to access /etc/mtab and /proc/meminfo +allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; + +uses_shlib(httpd_t) +allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; +allow httpd_t usr_t:lnk_file { getattr read }; + +# for apache2 memory mapped files +var_lib_domain(httpd) + +# for tomcat +r_dir_file(httpd_t, var_lib_t) + +# execute perl +allow httpd_t { bin_t sbin_t }:dir r_dir_perms; +can_exec(httpd_t, { bin_t sbin_t }) +allow httpd_t bin_t:lnk_file read; + +######################################## +# Set up networking +######################################## + +can_network_server(httpd_t) +can_kerberos(httpd_t) +can_resolve(httpd_t) +nsswitch_domain(httpd_t) +allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; +# allow httpd to connect to mysql/posgresql +allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect; +# allow httpd to work as a relay +allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; + +if (httpd_can_network_connect) { +can_network_client(httpd_t) +allow httpd_t port_type:tcp_socket name_connect; +} + +########################################## +# Legacy: remove when it's fixed # +# Allow libphp5.so with text relocations # +########################################## +allow httpd_t texrel_shlib_t:file execmod; + +######################################### +# Allow httpd to search users directories +######################################### +allow httpd_t home_root_t:dir { getattr search }; +dontaudit httpd_t sysadm_home_dir_t:dir getattr; + +############################################################################ +# Allow the httpd_t the capability to bind to a port and various other stuff +############################################################################ +allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +dontaudit httpd_t self:capability net_admin; + +################################################# +# Allow the httpd_t to read the web servers config files +################################################### +r_dir_file(httpd_t, httpd_config_t) +# allow logrotate to read the config files for restart +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, httpd_config_t) +domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t) +allow logrotate_t httpd_t:process signull; +') +r_dir_file(initrc_t, httpd_config_t) +################################################## + +############################### +# Allow httpd_t to put files in /var/cache/httpd etc +############################## +create_dir_file(httpd_t, httpd_cache_t) + +############################### +# Allow httpd_t to access the tmpfs file system +############################## +tmpfs_domain(httpd) + +##################### +# Allow httpd_t to access +# libraries for its modules +############################### +allow httpd_t httpd_modules_t:file rx_file_perms; +allow httpd_t httpd_modules_t:dir r_dir_perms; +allow httpd_t httpd_modules_t:lnk_file r_file_perms; + +###################################################################### +# Allow initrc_t to access the Apache modules directory. +###################################################################### +allow initrc_t httpd_modules_t:dir r_dir_perms; + +############################################## +# Allow httpd_t to have access to files +# such as nisswitch.conf +# need ioctl for php +############################################### +allow httpd_t etc_t:file { read getattr ioctl }; +allow httpd_t etc_t:lnk_file { getattr read }; + +# setup the system domain for system CGI scripts +apache_domain(sys) +dontaudit httpd_sys_script_t httpd_config_t:dir search; + +# Run SSI execs in system CGI script domain. +if (httpd_ssi_exec) { +domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) +} +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +################################################## +# +# PHP Directives +################################################## + +type httpd_php_exec_t, file_type, sysadmfile, exec_type; +type httpd_php_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) + +# The system role is authorized for this domain. +role system_r types httpd_php_t; + +general_domain_access(httpd_php_t) +uses_shlib(httpd_php_t) +can_exec(httpd_php_t, lib_t) + +# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file ra_file_perms; + +# access to /tmp +tmp_domain(httpd) +tmp_domain(httpd_php) + +# Creation of lock files for apache2 +lock_domain(httpd) + +# Allow apache to used public_content_t +anonymous_domain(httpd) + +# connect to mysql +ifdef(`mysqld.te', ` +can_unix_connect(httpd_php_t, mysqld_t) +can_unix_connect(httpd_t, mysqld_t) +can_unix_connect(httpd_sys_script_t, mysqld_t) +allow httpd_php_t mysqld_var_run_t:dir search; +allow httpd_php_t mysqld_var_run_t:sock_file write; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms; +allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms; +') +allow httpd_t bin_t:dir search; +allow httpd_t sbin_t:dir search; +allow httpd_t httpd_log_t:dir remove_name; + +read_fonts(httpd_t) + +allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + +allow httpd_t autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs && httpd_enable_homedirs) { +httpd_home_dirs(nfs_t) +} +if (use_samba_home_dirs && httpd_enable_homedirs) { +httpd_home_dirs(cifs_t) +} + +# +# Allow users to mount additional directories as http_source +# +allow httpd_t mnt_t:dir r_dir_perms; + +ifdef(`targeted_policy', ` +domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t) +typealias httpd_sys_content_t alias httpd_user_content_t; +typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; + +if (httpd_enable_homedirs) { +allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search }; +} +') dnl targeted policy + +# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context +typealias httpd_sys_content_t alias httpd_sysadm_content_t; + +ifdef(`distro_redhat', ` +# +# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat +# This is a bug but it still exists in FC2 +# +typealias httpd_log_t alias httpd_runtime_t; +allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; +dontaudit httpd_t httpd_runtime_t:file ioctl; +') dnl distro_redhat +# +# Customer reported the following +# +ifdef(`snmpd.te', ` +dontaudit httpd_t snmpd_var_lib_t:dir search; +dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; +', ` +dontaudit httpd_t usr_t:dir write; +') + +application_domain(httpd_helper) +role system_r types httpd_helper_t; +domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) +allow httpd_helper_t httpd_config_t:file { getattr read }; +allow httpd_helper_t httpd_log_t:file { append }; + +######################################## +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +################################################## + +if (httpd_tty_comm) { +allow { httpd_t httpd_helper_t } devpts_t:dir search; +ifdef(`targeted_policy', ` +allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms; +') +allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms; +} else { +dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; +} + +read_sysctl(httpd_sys_script_t) +allow httpd_sys_script_t var_lib_t:dir search; +dontaudit httpd_t selinux_config_t:dir search; +r_dir_file(httpd_t, cert_t) + +# +# unconfined domain for apache scripts. Only to be used as a last resort +# +type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable; +type httpd_unconfined_script_t, domain, nscd_client_domain; +role system_r types httpd_unconfined_script_t; +unconfined_domain(httpd_unconfined_script_t) + +# The following are types for SUEXEC,which runs user scripts as their +# own user ID +# +daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool') +allow httpd_t httpd_suexec_exec_t:file { getattr read }; + +######################################################### +# Permissions for running child processes and scripts +########################################################## + +allow httpd_suexec_t self:capability { setuid setgid }; + +dontaudit httpd_suexec_t var_run_t:dir search; +allow httpd_suexec_t { var_t var_log_t }:dir search; +allow httpd_suexec_t home_root_t:dir search; + +allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; +allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; +allow httpd_suexec_t httpd_t:fifo_file getattr; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +allow httpd_suexec_t etc_t:file { getattr read }; +read_locale(httpd_suexec_t) +read_sysctl(httpd_suexec_t) +allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; + +# for shell scripts +allow httpd_suexec_t bin_t:dir search; +allow httpd_suexec_t bin_t:lnk_file read; +can_exec(httpd_suexec_t, { bin_t shell_exec_t }) + +if (httpd_can_network_connect) { +can_network(httpd_suexec_t) +allow httpd_suexec_t port_type:tcp_socket name_connect; +} + +can_ypbind(httpd_suexec_t) +allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; + +allow httpd_suexec_t autofs_t:dir { search getattr }; +tmp_domain(httpd_suexec) + +if (httpd_enable_cgi && httpd_unified) { +domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) +') +} +if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) { +domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) +create_dir_file(httpd_t, httpdcontent) +} +if (httpd_enable_cgi) { +domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) +domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) +allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; +allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; +} + +# +# Types for squirrelmail +# +type httpd_squirrelmail_t, file_type, sysadmfile; +create_dir_file(httpd_t, httpd_squirrelmail_t) +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +# File Type of squirrelmail attachments +type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; +allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; +create_dir_file(httpd_t, squirrelmail_spool_t) +r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) + +ifdef(`mta.te', ` +# apache should set close-on-exec +dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; +dontaudit system_mail_t httpd_log_t:file { append getattr }; +allow system_mail_t httpd_squirrelmail_t:file { append read }; +dontaudit system_mail_t httpd_t:tcp_socket { read write }; +') +bool httpd_enable_ftp_server false; +if (httpd_enable_ftp_server) { +allow httpd_t ftp_port_t:tcp_socket name_bind; +} + diff --git a/mls/domains/program/apmd.te b/mls/domains/program/apmd.te new file mode 100644 index 0000000..82b4a4d --- /dev/null +++ b/mls/domains/program/apmd.te @@ -0,0 +1,157 @@ +#DESC Apmd - Automatic Power Management daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: apmd +# + +################################# +# +# Rules for the apmd_t domain. +# +daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain') + +# for SSP +allow apmd_t urandom_device_t:chr_file read; + +type apm_t, domain, privlog; +type apm_exec_t, file_type, sysadmfile, exec_type; +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, apm_exec_t, apm_t) +') +uses_shlib(apm_t) +allow apm_t privfd:fd use; +allow apm_t admin_tty_type:chr_file rw_file_perms; +allow apm_t device_t:dir search; +allow apm_t self:capability { dac_override sys_admin }; +allow apm_t proc_t:dir search; +allow apm_t proc_t:file r_file_perms; +allow apm_t fs_t:filesystem getattr; +allow apm_t apm_bios_t:chr_file rw_file_perms; +role sysadm_r types apm_t; +role system_r types apm_t; + +allow apmd_t device_t:lnk_file read; +allow apmd_t proc_t:file { getattr read write }; +can_sysctl(apmd_t) +allow apmd_t sysfs_t:file write; + +allow apmd_t self:unix_dgram_socket create_socket_perms; +allow apmd_t self:unix_stream_socket create_stream_socket_perms; +allow apmd_t self:fifo_file rw_file_perms; +allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read }; +allow apmd_t etc_t:lnk_file read; + +# acpid wants a socket +file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) + +# acpid also has a logfile +log_domain(apmd) +tmp_domain(apmd) + +ifdef(`distro_suse', ` +var_lib_domain(apmd) +') + +allow apmd_t self:file { getattr read ioctl }; +allow apmd_t self:process getsession; + +# Use capabilities. +allow apmd_t self:capability { sys_admin sys_nice sys_time kill }; + +# controlling an orderly resume of PCMCIA requires creating device +# nodes 254,{0,1,2} for some reason. +allow apmd_t self:capability mknod; + +# Access /dev/apm_bios. +allow apmd_t apm_bios_t:chr_file rw_file_perms; + +# Run helper programs. +can_exec_any(apmd_t) + +# apmd calls hwclock.sh on suspend and resume +allow apmd_t clock_device_t:chr_file r_file_perms; +ifdef(`hwclock.te', ` +domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) +allow apmd_t adjtime_t:file rw_file_perms; +allow hwclock_t apmd_log_t:file append; +allow hwclock_t apmd_t:unix_stream_socket { read write }; +') + + +# to quiet fuser and ps +# setuid for fuser, dac* for ps +dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; +dontaudit apmd_t domain:socket_class_set getattr; +dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; +dontaudit apmd_t device_type:devfile_class_set getattr; +dontaudit apmd_t home_type:dir { search getattr }; +dontaudit apmd_t domain:key_socket getattr; +dontaudit apmd_t domain:dir search; + +ifdef(`distro_redhat', ` +can_exec(apmd_t, apmd_var_run_t) +# for /var/lock/subsys/network +lock_domain(apmd) + +# ifconfig_exec_t needs to be run in its own domain for Red Hat +ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') +ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)') +ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)') +', ` +# for ifconfig which is run all the time +dontaudit apmd_t sysctl_t:dir search; +') + +ifdef(`udev.te', ` +allow apmd_t udev_t:file { getattr read }; +allow apmd_t udev_t:lnk_file { getattr read }; +') +# +# apmd tells the machine to shutdown requires the following +# +allow apmd_t initctl_t:fifo_file write; +allow apmd_t initrc_var_run_t:file { read write lock }; + +# +# Allow it to run killof5 and pidof +# +typeattribute apmd_t unrestricted; +r_dir_file(apmd_t, domain) + +# Same for apm/acpid scripts +domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) +ifdef(`consoletype.te', ` +allow consoletype_t apmd_t:fd use; +allow consoletype_t apmd_t:fifo_file write; +') +ifdef(`mount.te', `allow mount_t apmd_t:fd use;') +ifdef(`crond.te', ` +domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t) +allow apmd_t crond_t:fifo_file { getattr read write ioctl }; +') + +# for a find /dev operation that gets /dev/shm +dontaudit apmd_t tmpfs_t:dir r_dir_perms; +dontaudit apmd_t selinux_config_t:dir search; +allow apmd_t user_tty_type:chr_file rw_file_perms; +# Access /dev/apm_bios. +allow initrc_t apm_bios_t:chr_file { setattr getattr read }; + +ifdef(`logrotate.te', ` +allow apmd_t logrotate_t:fd use; +')dnl end if logrotate.te +allow apmd_t devpts_t:dir { getattr search }; +allow apmd_t security_t:dir search; +allow apmd_t usr_t:dir search; +r_dir_file(apmd_t, hwdata_t) +ifdef(`targeted_policy', ` +unconfined_domain(apmd_t) +') + +ifdef(`NetworkManager.te', ` +ifdef(`dbusd.te', ` +allow apmd_t NetworkManager_t:dbus send_msg; +allow NetworkManager_t apmd_t:dbus send_msg; +') +') diff --git a/mls/domains/program/arpwatch.te b/mls/domains/program/arpwatch.te new file mode 100644 index 0000000..3065800 --- /dev/null +++ b/mls/domains/program/arpwatch.te @@ -0,0 +1,48 @@ +#DESC arpwatch - keep track of ethernet/ip address pairings +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the arpwatch_t domain. +# +# arpwatch_exec_t is the type of the arpwatch executable. +# +daemon_domain(arpwatch, `, privmail') + +# for files created by arpwatch +type arpwatch_data_t, file_type, sysadmfile; +create_dir_file(arpwatch_t,arpwatch_data_t) +tmp_domain(arpwatch) + +allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; + +can_network_server(arpwatch_t) +allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms; +allow arpwatch_t self:udp_socket create_socket_perms; +allow arpwatch_t self:unix_dgram_socket create_socket_perms; +allow arpwatch_t self:packet_socket create_socket_perms; +allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; + +allow arpwatch_t { sbin_t var_lib_t }:dir search; +allow arpwatch_t sbin_t:lnk_file read; +r_dir_file(arpwatch_t, etc_t) +r_dir_file(arpwatch_t, usr_t) +can_ypbind(arpwatch_t) + +ifdef(`qmail.te', ` +allow arpwatch_t bin_t:dir search; +') + +ifdef(`distro_gentoo', ` +allow initrc_t arpwatch_data_t:dir { add_name write }; +allow initrc_t arpwatch_data_t:file create; +')dnl end distro_gentoo + +# why is mail delivered to a directory of type arpwatch_data_t? +allow mta_delivery_agent arpwatch_data_t:dir search; +allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; +ifdef(`hide_broken_symptoms', ` +dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; +') diff --git a/mls/domains/program/auditd.te b/mls/domains/program/auditd.te new file mode 100644 index 0000000..69b105a --- /dev/null +++ b/mls/domains/program/auditd.te @@ -0,0 +1,76 @@ +#DESC auditd - System auditing daemon +# +# Authors: Colin Walters +# +# Some fixes by Paul Moore +# +define(`audit_manager_domain', ` +allow $1 auditd_etc_t:file rw_file_perms; +create_dir_file($1, auditd_log_t) +domain_auto_trans($1, auditctl_exec_t, auditctl_t) +') + +daemon_domain(auditd) + +ifdef(`mls_policy', ` +# run at the highest MLS level +typeattribute auditd_t mlsrangetrans; +range_transition initrc_t auditd_exec_t s15:c0.c255; +') + +allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; +allow auditd_t self:unix_dgram_socket create_socket_perms; +allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; +allow auditd_t self:process setsched; +allow auditd_t self:file { getattr read write }; +allow auditd_t etc_t:file { getattr read }; + +# Do not use logdir_domain since this is a security file +type auditd_log_t, file_type, secure_file_type; +allow auditd_t var_log_t:dir search; +rw_dir_create_file(auditd_t, auditd_log_t) + +can_exec(auditd_t, init_exec_t) +allow auditd_t initctl_t:fifo_file write; + +ifdef(`targeted_policy', ` +dontaudit auditd_t unconfined_t:fifo_file read; +') + +type auditctl_t, domain, privlog; +type auditctl_exec_t, file_type, exec_type, sysadmfile; +uses_shlib(auditctl_t) +allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; +allow auditctl_t self:capability { audit_write audit_control }; +allow auditctl_t etc_t:file { getattr read }; +allow auditctl_t admin_tty_type:chr_file rw_file_perms; + +type auditd_etc_t, file_type, secure_file_type; +allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms; +allow initrc_t auditd_etc_t:file r_file_perms; + +role secadm_r types auditctl_t; +role sysadm_r types auditctl_t; +audit_manager_domain(secadm_t) + +ifdef(`targeted_policy', `', ` +ifdef(`separate_secadm', `', ` +audit_manager_domain(sysadm_t) +') +') + +role system_r types auditctl_t; +domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t) + +dontaudit auditctl_t local_login_t:fd use; +allow auditctl_t proc_t:dir search; +allow auditctl_t sysctl_kernel_t:dir search; +allow auditctl_t sysctl_kernel_t:file { getattr read }; +dontaudit auditctl_t init_t:fd use; +allow auditctl_t initrc_devpts_t:chr_file { read write }; +allow auditctl_t privfd:fd use; + + +allow auditd_t sbin_t:dir search; +can_exec(auditd_t, sbin_t) +allow auditd_t self:fifo_file rw_file_perms; diff --git a/mls/domains/program/automount.te b/mls/domains/program/automount.te new file mode 100644 index 0000000..d1bb20e --- /dev/null +++ b/mls/domains/program/automount.te @@ -0,0 +1,79 @@ +#DESC Automount - Automount daemon +# +# Authors: Stephen Smalley +# Modified by Russell Coker +# X-Debian-Packages: amd am-utils autofs +# + +################################# +# +# Rules for the automount_t domain. +# +daemon_domain(automount) + +etc_domain(automount) + +# for SSP +allow automount_t urandom_device_t:chr_file read; + +# for if the mount point is not labelled +allow automount_t file_t:dir getattr; +allow automount_t default_t:dir getattr; + +allow automount_t autofs_t:dir { create_dir_perms ioctl }; +allow automount_t fs_type:dir getattr; + +allow automount_t { etc_t etc_runtime_t }:file { getattr read }; +allow automount_t proc_t:file { getattr read }; +allow automount_t self:process { getpgid setpgid setsched }; +allow automount_t self:capability { sys_nice dac_override }; +allow automount_t self:unix_stream_socket create_socket_perms; +allow automount_t self:unix_dgram_socket create_socket_perms; + +# because config files can be shell scripts +can_exec(automount_t, { etc_t automount_etc_t }) + +can_network_server(automount_t) +can_resolve(automount_t) +can_ypbind(automount_t) +can_ldap(automount_t) + +ifdef(`fsadm.te', ` +domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t) +') + +lock_domain(automount) + +tmp_domain(automount) +allow automount_t self:fifo_file rw_file_perms; + +# Run mount in the mount_t domain. +domain_auto_trans(automount_t, mount_exec_t, mount_t) +allow mount_t autofs_t:dir { search mounton read }; +allow mount_t automount_tmp_t:dir mounton; + +ifdef(`apmd.te', +`domain_auto_trans(apmd_t, automount_exec_t, automount_t) +can_exec(automount_t, bin_t)') + +allow automount_t { bin_t sbin_t }:dir search; +can_exec(automount_t, mount_exec_t) +can_exec(automount_t, shell_exec_t) + +allow mount_t autofs_t:dir getattr; +dontaudit automount_t var_t:dir write; + +allow userdomain autofs_t:dir r_dir_perms; +allow kernel_t autofs_t:dir { getattr ioctl read search }; + +allow automount_t { boot_t home_root_t }:dir getattr; +allow automount_t mnt_t:dir { getattr search }; + +can_exec(initrc_t, automount_etc_t) + +# Allow automount to create and delete directories in / and /home +file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir) + +allow automount_t var_lib_t:dir search; +allow automount_t var_lib_nfs_t:dir search; + diff --git a/mls/domains/program/avahi.te b/mls/domains/program/avahi.te new file mode 100644 index 0000000..861559d --- /dev/null +++ b/mls/domains/program/avahi.te @@ -0,0 +1,31 @@ +#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture +# +# Author: Dan Walsh +# + +daemon_domain(avahi, `, privsysmod') +r_dir_file(avahi_t, proc_net_t) +can_network_server(avahi_t) +can_ypbind(avahi_t) +allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow avahi_t self:unix_dgram_socket create_socket_perms; +allow avahi_t self:capability { dac_override setgid chown kill setuid }; +allow avahi_t urandom_device_t:chr_file r_file_perms; +allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind; +allow avahi_t self:fifo_file { read write }; +allow avahi_t self:netlink_route_socket r_netlink_socket_perms; +allow avahi_t self:process setrlimit; +allow avahi_t etc_t:file { getattr read }; +allow avahi_t initrc_t:process { signal signull }; +allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow avahi_t avahi_var_run_t:dir setattr; +allow avahi_t avahi_var_run_t:sock_file create_file_perms; + +ifdef(`dbusd.te', ` +dbusd_client(system, avahi) +ifdef(`targeted_policy', ` +allow avahi_t unconfined_t:dbus send_msg; +allow unconfined_t avahi_t:dbus send_msg; +') +') + diff --git a/mls/domains/program/bluetooth.te b/mls/domains/program/bluetooth.te new file mode 100644 index 0000000..c6c5631 --- /dev/null +++ b/mls/domains/program/bluetooth.te @@ -0,0 +1,116 @@ +#DESC Bluetooth +# +# Authors: Dan Walsh +# RH-Packages: Bluetooth +# + +################################# +# +# Rules for the bluetooth_t domain. +# +daemon_domain(bluetooth) + +file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file) +file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) + +tmp_domain(bluetooth) +var_lib_domain(bluetooth) + +# Use capabilities. +allow bluetooth_t self:file read; +allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; +allow bluetooth_t self:process getsched; +allow bluetooth_t proc_t:file { getattr read }; + +allow bluetooth_t self:shm create_shm_perms; + +lock_domain(bluetooth) + +# Use the network. +can_network(bluetooth_t) +can_ypbind(bluetooth_t) +ifdef(`dbusd.te', ` +dbusd_client(system, bluetooth) +allow bluetooth_t system_dbusd_t:dbus send_msg; +') +allow bluetooth_t self:socket create_stream_socket_perms; + +allow bluetooth_t self:unix_dgram_socket create_socket_perms; +allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; + +dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write }; + +# bluetooth_conf_t is the type of the /etc/bluetooth dir. +type bluetooth_conf_t, file_type, sysadmfile; +type bluetooth_conf_rw_t, file_type, sysadmfile; + +# Read /etc/bluetooth +allow bluetooth_t bluetooth_conf_t:dir search; +allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; +#/usr/sbin/hid2hci causes the following +allow initrc_t usbfs_t:file { getattr read }; +allow bluetooth_t usbfs_t:dir r_dir_perms; +allow bluetooth_t usbfs_t:file rw_file_perms; +allow bluetooth_t bin_t:dir search; +can_exec(bluetooth_t, { bin_t shell_exec_t }) +allow bluetooth_t bin_t:lnk_file read; + +#Handle bluetooth serial devices +allow bluetooth_t tty_device_t:chr_file rw_file_perms; +allow bluetooth_t self:fifo_file rw_file_perms; +allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read }; +r_dir_file(bluetooth_t, fonts_t) +allow bluetooth_t urandom_device_t:chr_file r_file_perms; +allow bluetooth_t usr_t:file { getattr read }; + +application_domain(bluetooth_helper, `, nscd_client_domain') +domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) +role system_r types bluetooth_helper_t; +read_locale(bluetooth_helper_t) +typeattribute bluetooth_helper_t unrestricted; +r_dir_file(bluetooth_helper_t, domain) +allow bluetooth_helper_t bin_t:dir { getattr search }; +can_exec(bluetooth_helper_t, { bin_t shell_exec_t }) +allow bluetooth_helper_t bin_t:lnk_file read; +allow bluetooth_helper_t self:capability sys_nice; +allow bluetooth_helper_t self:fifo_file rw_file_perms; +allow bluetooth_helper_t self:process { fork getsched sigchld }; +allow bluetooth_helper_t self:shm create_shm_perms; +allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms; +allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read }; +r_dir_file(bluetooth_helper_t, fonts_t) +r_dir_file(bluetooth_helper_t, proc_t) +read_sysctl(bluetooth_helper_t) +allow bluetooth_helper_t tmp_t:dir search; +allow bluetooth_helper_t usr_t:file { getattr read }; +allow bluetooth_helper_t home_dir_type:dir search; +ifdef(`xserver.te', ` +allow bluetooth_helper_t xserver_log_t:dir search; +allow bluetooth_helper_t xserver_log_t:file { getattr read }; +') +ifdef(`targeted_policy', ` +allow bluetooth_helper_t tmp_t:sock_file { read write }; +allow bluetooth_helper_t tmpfs_t:file { read write }; +allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto; +allow bluetooth_t unconfined_t:dbus send_msg; +allow unconfined_t bluetooth_t:dbus send_msg; +', ` +ifdef(`xdm.te', ` +allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write }; +') +allow bluetooth_t unpriv_userdomain:dbus send_msg; +allow unpriv_userdomain bluetooth_t:dbus send_msg; +') +allow bluetooth_helper_t bluetooth_t:socket { read write }; +allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms; +allow bluetooth_helper_t self:unix_stream_socket connectto; +tmp_domain(bluetooth_helper) +allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms; + +dontaudit bluetooth_helper_t default_t:dir { read search }; +dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write }; +dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms; +ifdef(`xserver.te', ` +allow bluetooth_helper_t xserver_log_t:dir search; +allow bluetooth_helper_t xserver_log_t:file { getattr read }; +') diff --git a/mls/domains/program/bonobo.te b/mls/domains/program/bonobo.te new file mode 100644 index 0000000..c23f1d2 --- /dev/null +++ b/mls/domains/program/bonobo.te @@ -0,0 +1,9 @@ +# DESC - Bonobo Activation Server +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type bonobo_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/bonobo_macros.te diff --git a/mls/domains/program/bootloader.te b/mls/domains/program/bootloader.te new file mode 100644 index 0000000..37e1c19 --- /dev/null +++ b/mls/domains/program/bootloader.te @@ -0,0 +1,167 @@ +#DESC Bootloader - Lilo boot loader/manager +# +# Author: Russell Coker +# X-Debian-Packages: lilo +# + +################################# +# +# Rules for the bootloader_t domain. +# +# bootloader_exec_t is the type of the bootloader executable. +# +type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin'); +type bootloader_exec_t, file_type, sysadmfile, exec_type; +etc_domain(bootloader) + +role sysadm_r types bootloader_t; +role system_r types bootloader_t; + +allow bootloader_t var_t:dir search; +create_append_log_file(bootloader_t, var_log_t) +allow bootloader_t var_log_t:file write; + +# for nscd +dontaudit bootloader_t var_run_t:dir search; + +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) +') +allow bootloader_t { initrc_t privfd }:fd use; + +tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file }) + +read_locale(bootloader_t) + +# for tune2fs +file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file) + +# for /vmlinuz sym link +allow bootloader_t root_t:lnk_file read; + +# lilo would need read access to get BIOS data +allow bootloader_t proc_kcore_t:file getattr; + +allow bootloader_t { etc_t device_t }:dir r_dir_perms; +allow bootloader_t etc_t:file r_file_perms; +allow bootloader_t etc_t:lnk_file read; +allow bootloader_t initctl_t:fifo_file getattr; +uses_shlib(bootloader_t) + +ifdef(`distro_debian', ` +allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; +allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; +allow bootloader_t boot_t:file relabelfrom; +allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; +allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; +allow bootloader_t usr_t:lnk_file read; +allow bootloader_t tmpfs_t:dir r_dir_perms; +allow bootloader_t initrc_var_run_t:dir r_dir_perms; +allow bootloader_t var_lib_t:dir search; +allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; +allow bootloader_t dpkg_var_lib_t:file { getattr read }; +# for /usr/share/initrd-tools/scripts +can_exec(bootloader_t, usr_t) +') + +allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; +dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms; +allow bootloader_t device_t:lnk_file { getattr read }; + +# LVM2 / Device Mapper's /dev/mapper/control +# maybe we should change the labeling for this +ifdef(`lvm.te', ` +allow bootloader_t lvm_control_t:chr_file rw_file_perms; +domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t) +allow lvm_t bootloader_tmp_t:file rw_file_perms; +r_dir_file(bootloader_t, lvm_etc_t) +') + +# uncomment the following line if you use "lilo -p" +#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file); + +can_exec_any(bootloader_t) +allow bootloader_t shell_exec_t:lnk_file read; +allow bootloader_t { bin_t sbin_t }:dir search; +allow bootloader_t { bin_t sbin_t }:lnk_file read; + +allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms; +allow bootloader_t modules_object_t:dir r_dir_perms; +ifdef(`distro_redhat', ` +allow bootloader_t modules_object_t:lnk_file { getattr read }; +') + +# for ldd +ifdef(`fsadm.te', ` +allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans }; +') +ifdef(`modutil.te', ` +allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans }; +') + +dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search; + +allow bootloader_t boot_t:dir { create rw_dir_perms }; +allow bootloader_t boot_t:file create_file_perms; +allow bootloader_t boot_t:lnk_file create_lnk_perms; + +allow bootloader_t load_policy_exec_t:file { getattr read }; + +allow bootloader_t random_device_t:chr_file { getattr read }; + +ifdef(`distro_redhat', ` +# for mke2fs +domain_auto_trans(bootloader_t, mount_exec_t, mount_t); +allow mount_t bootloader_tmp_t:dir mounton; + +# new file system defaults to file_t, granting file_t access is still bad. +allow bootloader_t file_t:dir create_dir_perms; +allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; +allow bootloader_t file_t:lnk_file create_lnk_perms; +allow bootloader_t self:unix_stream_socket create_socket_perms; +allow bootloader_t boot_runtime_t:file { read getattr unlink }; + +# for memlock +allow bootloader_t zero_device_t:chr_file { getattr read }; +allow bootloader_t self:capability ipc_lock; +') + +allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; +# allow bootloader to get attributes of any device node +allow bootloader_t { device_type ttyfile }:chr_file getattr; +allow bootloader_t device_type:blk_file getattr; +dontaudit bootloader_t devpts_t:dir create_dir_perms; + +allow bootloader_t self:process { fork signal_perms }; +allow bootloader_t self:lnk_file read; +allow bootloader_t self:dir search; +allow bootloader_t self:file { getattr read }; +allow bootloader_t self:fifo_file rw_file_perms; + +allow bootloader_t fs_t:filesystem getattr; + +allow bootloader_t proc_t:dir { getattr search }; +allow bootloader_t proc_t:file r_file_perms; +allow bootloader_t proc_t:lnk_file { getattr read }; +allow bootloader_t proc_mdstat_t:file r_file_perms; +allow bootloader_t self:dir { getattr search read }; +read_sysctl(bootloader_t) +allow bootloader_t etc_runtime_t:file r_file_perms; + +allow bootloader_t devtty_t:chr_file rw_file_perms; +allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow bootloader_t initrc_t:fifo_file { read write }; + +# for reading BIOS data +allow bootloader_t memory_device_t:chr_file r_file_perms; + +allow bootloader_t policy_config_t:dir { search read }; +allow bootloader_t policy_config_t:file { getattr read }; + +allow bootloader_t lib_t:file { getattr read }; +allow bootloader_t sysfs_t:dir getattr; +allow bootloader_t urandom_device_t:chr_file read; +allow bootloader_t { usr_t var_t }:file { getattr read }; +r_dir_file(bootloader_t, src_t) +dontaudit bootloader_t selinux_config_t:dir search; +dontaudit bootloader_t sysctl_t:dir search; diff --git a/mls/domains/program/canna.te b/mls/domains/program/canna.te new file mode 100644 index 0000000..feb4e52 --- /dev/null +++ b/mls/domains/program/canna.te @@ -0,0 +1,46 @@ +#DESC canna - A Japanese character set input system. +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the canna_t domain. +# +daemon_domain(canna) + +file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file) + +logdir_domain(canna) +var_lib_domain(canna) + +allow canna_t self:capability { setgid setuid net_bind_service }; +allow canna_t tmp_t:dir { search }; +allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; +allow canna_t self:unix_dgram_socket create_stream_socket_perms; +allow canna_t etc_t:file { getattr read }; +allow canna_t usr_t:file { getattr read }; + +allow canna_t proc_t:file r_file_perms; +allow canna_t etc_runtime_t:file r_file_perms; +allow canna_t canna_var_lib_t:dir create; + +rw_dir_create_file(canna_t, canna_var_lib_t) + +can_network_tcp(canna_t) +allow canna_t port_type:tcp_socket name_connect; +can_ypbind(canna_t) + +allow userdomain canna_var_run_t:dir search; +allow userdomain canna_var_run_t:sock_file write; +can_unix_connect(userdomain, canna_t) + +ifdef(`i18n_input.te', ` +allow i18n_input_t canna_var_run_t:dir search; +allow i18n_input_t canna_var_run_t:sock_file write; +can_unix_connect(i18n_input_t, canna_t) +') + +dontaudit canna_t kernel_t:fd use; +dontaudit canna_t root_t:file read; diff --git a/mls/domains/program/cardmgr.te b/mls/domains/program/cardmgr.te new file mode 100644 index 0000000..8f78988 --- /dev/null +++ b/mls/domains/program/cardmgr.te @@ -0,0 +1,90 @@ +#DESC Cardmgr - PCMCIA control programs +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: pcmcia-cs +# + +################################# +# +# Rules for the cardmgr_t domain. +# +daemon_domain(cardmgr, `, privmodule') + +# for SSP +allow cardmgr_t urandom_device_t:chr_file read; + +type cardctl_exec_t, file_type, sysadmfile, exec_type; +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) +') +role sysadm_r types cardmgr_t; +allow cardmgr_t admin_tty_type:chr_file { read write }; + +allow cardmgr_t sysfs_t:dir search; +allow cardmgr_t home_root_t:dir search; + +# Use capabilities (net_admin for route), setuid for cardctl +allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; + +# for /etc/resolv.conf +file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file) + +allow cardmgr_t etc_runtime_t:file { getattr read }; + +allow cardmgr_t modules_object_t:dir search; +allow cardmgr_t self:unix_dgram_socket create_socket_perms; +allow cardmgr_t self:unix_stream_socket create_socket_perms; +allow cardmgr_t self:fifo_file rw_file_perms; + +# Create stab file +var_lib_domain(cardmgr) + +# for /var/lib/misc/pcmcia-scheme +# would be better to have it in a different type if I knew how it was created.. +allow cardmgr_t var_lib_t:file { getattr read }; + +# Create device files in /tmp. +type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs; +file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) + +# Create symbolic links in /dev. +type cardmgr_lnk_t, file_type, sysadmfile; +file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file) + +# Run a shell, normal commands, /etc/pcmcia scripts. +can_exec_any(cardmgr_t) +allow cardmgr_t etc_t:lnk_file read; + +# Run ifconfig. +domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t) +allow ifconfig_t cardmgr_t:fd use; + +allow cardmgr_t proc_t:file { getattr read ioctl }; + +# Read /proc/PID directories for all domains (for fuser). +can_ps(cardmgr_t, domain -unrestricted) +dontaudit cardmgr_t unrestricted:dir search; + +allow cardmgr_t device_type:{ chr_file blk_file } getattr; +allow cardmgr_t ttyfile:chr_file getattr; +dontaudit cardmgr_t ptyfile:chr_file getattr; +dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr; +dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr; +dontaudit cardmgr_t proc_kmsg_t:file getattr; + +allow cardmgr_t tty_device_t:chr_file rw_file_perms; + +ifdef(`apmd.te', ` +domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) +') + +ifdef(`hide_broken_symptoms', ` +dontaudit insmod_t cardmgr_dev_t:chr_file { read write }; +dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write }; +') +ifdef(`hald.te', ` +rw_dir_file(hald_t, cardmgr_var_run_t) +allow hald_t cardmgr_var_run_t:chr_file create_file_perms; +') +allow cardmgr_t device_t:lnk_file { getattr read }; diff --git a/mls/domains/program/cdrecord.te b/mls/domains/program/cdrecord.te new file mode 100644 index 0000000..6460090 --- /dev/null +++ b/mls/domains/program/cdrecord.te @@ -0,0 +1,10 @@ +# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master +# +# Author: Thomas Bleher + +# Type for the cdrecord excutable. +type cdrecord_exec_t, file_type, sysadmfile, exec_type; + +# everything else is in the cdrecord_domain macros in +# macros/program/cdrecord_macros.te. + diff --git a/mls/domains/program/certwatch.te b/mls/domains/program/certwatch.te new file mode 100644 index 0000000..2abb168 --- /dev/null +++ b/mls/domains/program/certwatch.te @@ -0,0 +1,11 @@ +#DESC certwatch - generate SSL certificate expiry warnings +# +# Domains for the certwatch process +# Authors: Dan Walsh , +# +application_domain(certwatch) +role system_r types certwatch_t; +r_dir_file(certwatch_t, cert_t) +can_exec(certwatch_t, httpd_modules_t) +system_crond_entry(certwatch_exec_t, certwatch_t) +read_locale(certwatch_t) diff --git a/mls/domains/program/checkpolicy.te b/mls/domains/program/checkpolicy.te new file mode 100644 index 0000000..0cfa5a0 --- /dev/null +++ b/mls/domains/program/checkpolicy.te @@ -0,0 +1,64 @@ +#DESC Checkpolicy - SELinux policy compliler +# +# Authors: Frank Mayer, mayerf@tresys.com +# X-Debian-Packages: checkpolicy +# + +########################### +# +# checkpolicy_t is the domain type for checkpolicy +# checkpolicy_exec_t if file type for the executable + +type checkpolicy_t, domain; +role sysadm_r types checkpolicy_t; +role system_r types checkpolicy_t; +role secadm_r types checkpolicy_t; + +type checkpolicy_exec_t, file_type, exec_type, sysadmfile; + +########################## +# +# Rules + +domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t) + +# able to create and modify binary policy files +allow checkpolicy_t policy_config_t:dir rw_dir_perms; +allow checkpolicy_t policy_config_t:file create_file_perms; + +########################### +# constrain what checkpolicy can use as source files +# + +# only allow read of policy source files +allow checkpolicy_t policy_src_t:dir r_dir_perms; +allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms; + +# allow test policies to be created in src directories +file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) + +# directory search permissions for path to source and binary policy files +allow checkpolicy_t root_t:dir search; +allow checkpolicy_t etc_t:dir search; + +# Read the devpts root directory. +allow checkpolicy_t devpts_t:dir r_dir_perms; +ifdef(`sshd.te', +`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') + +# Other access +allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; +uses_shlib(checkpolicy_t) +allow checkpolicy_t self:capability dac_override; + +########################## +# Allow users to execute checkpolicy without a domain transition +# so it can be used without privilege to write real binary policy file +can_exec(unpriv_userdomain, checkpolicy_exec_t) + +allow checkpolicy_t { userdomain privfd }:fd use; + +allow checkpolicy_t fs_t:filesystem getattr; +allow checkpolicy_t console_device_t:chr_file { read write }; +allow checkpolicy_t init_t:fd use; +allow checkpolicy_t selinux_config_t:dir search; diff --git a/mls/domains/program/chkpwd.te b/mls/domains/program/chkpwd.te new file mode 100644 index 0000000..22ac7f2 --- /dev/null +++ b/mls/domains/program/chkpwd.te @@ -0,0 +1,18 @@ +#DESC Chkpwd - PAM password checking programs +# X-Debian-Packages: libpam-modules +# +# Domains for the /sbin/.*_chkpwd utilities. +# + +# +# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables. +# +type chkpwd_exec_t, file_type, sysadmfile, exec_type; + +chkpwd_domain(system) +dontaudit system_chkpwd_t privfd:fd use; +role sysadm_r types system_chkpwd_t; +in_user_role(system_chkpwd_t) + +# Everything else is in the chkpwd_domain macro in +# macros/program/chkpwd_macros.te. diff --git a/mls/domains/program/chroot.te b/mls/domains/program/chroot.te new file mode 100644 index 0000000..8992c66 --- /dev/null +++ b/mls/domains/program/chroot.te @@ -0,0 +1,21 @@ +#DESC Chroot - Establish chroot environments +# +# Author: Russell Coker +# X-Debian-Packages: +# +type chroot_exec_t, file_type, sysadmfile, exec_type; + +# For a chroot environment named potato that can be entered from user_t (so +# the user can run an old version of Debian in a chroot), with the possibility +# of user_devpts_t or user_tty_device_t being the controlling tty type for +# administration. This also defines a mount_domain for the user (so they can +# mount file systems). +#chroot(user, potato) +# For a chroot environment named apache that can be entered from initrc_t for +# running a different version of apache. +# initrc is a special case, uses the system_r role (usually appends "_r" to +# the base name of the parent domain), and has sysadm_devpts_t and +# sysadm_tty_device_t for the controlling terminal +#chroot(initrc, apache) + +# the main code is in macros/program/chroot_macros.te diff --git a/mls/domains/program/comsat.te b/mls/domains/program/comsat.te new file mode 100644 index 0000000..cd0e3f9 --- /dev/null +++ b/mls/domains/program/comsat.te @@ -0,0 +1,20 @@ +#DESC comsat - biff server +# +# Author: Dan Walsh +# Depends: inetd.te +# + +################################# +# +# Rules for the comsat_t domain. +# +# comsat_exec_t is the type of the comsat executable. +# + +inetd_child_domain(comsat, udp) +allow comsat_t initrc_var_run_t:file r_file_perms; +dontaudit comsat_t initrc_var_run_t:file write; +allow comsat_t mail_spool_t:dir r_dir_perms; +allow comsat_t mail_spool_t:lnk_file read; +allow comsat_t var_spool_t:dir search; +dontaudit comsat_t sysadm_tty_device_t:chr_file getattr; diff --git a/mls/domains/program/consoletype.te b/mls/domains/program/consoletype.te new file mode 100644 index 0000000..b1cc126 --- /dev/null +++ b/mls/domains/program/consoletype.te @@ -0,0 +1,65 @@ +#DESC consoletype - determine the type of a console device +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the consoletype_t domain. +# +# consoletype_t is the domain for the consoletype program. +# consoletype_exec_t is the type of the corresponding program. +# +type consoletype_t, domain, mlsfileread, mlsfilewrite; +type consoletype_exec_t, file_type, sysadmfile, exec_type; + +role system_r types consoletype_t; + +uses_shlib(consoletype_t) +general_domain_access(consoletype_t) + +ifdef(`targeted_policy', `', ` +domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t) + +ifdef(`xdm.te', ` +domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) +allow consoletype_t xdm_tmp_t:file { read write }; +') + +ifdef(`hotplug.te', ` +domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t) +') +') + +allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms; + +allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use; + +# Use capabilities. +allow consoletype_t self:capability sys_admin; + +allow consoletype_t console_device_t:chr_file { getattr ioctl read write }; +allow consoletype_t initrc_t:fifo_file write; +allow consoletype_t nfs_t:file write; +allow consoletype_t sysadm_t:fifo_file rw_file_perms; + +ifdef(`lpd.te', ` +allow consoletype_t printconf_t:file { getattr read }; +') + +ifdef(`pam.te', ` +allow consoletype_t pam_var_run_t:file { getattr read }; +') +ifdef(`distro_redhat', ` +allow consoletype_t tmpfs_t:chr_file rw_file_perms; +') +ifdef(`firstboot.te', ` +allow consoletype_t firstboot_t:fifo_file write; +') +dontaudit consoletype_t proc_t:dir search; +dontaudit consoletype_t proc_t:file read; +dontaudit consoletype_t root_t:file read; +allow consoletype_t crond_t:fifo_file { read getattr ioctl }; +allow consoletype_t system_crond_t:fd use; +allow consoletype_t fs_t:filesystem getattr; diff --git a/mls/domains/program/cpucontrol.te b/mls/domains/program/cpucontrol.te new file mode 100644 index 0000000..23a13b7 --- /dev/null +++ b/mls/domains/program/cpucontrol.te @@ -0,0 +1,17 @@ +#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU +# +# Author: Russell Coker +# + +type cpucontrol_conf_t, file_type, sysadmfile; + +daemon_base_domain(cpucontrol) + +# Access cpu devices. +allow cpucontrol_t cpu_device_t:chr_file rw_file_perms; +allow cpucontrol_t device_t:lnk_file { getattr read }; +allow initrc_t cpu_device_t:chr_file getattr; + +allow cpucontrol_t self:capability sys_rawio; + +r_dir_file(cpucontrol_t, cpucontrol_conf_t) diff --git a/mls/domains/program/cpuspeed.te b/mls/domains/program/cpuspeed.te new file mode 100644 index 0000000..b80f705 --- /dev/null +++ b/mls/domains/program/cpuspeed.te @@ -0,0 +1,17 @@ +#DESC cpuspeed - domain for microcode_ctl, powernowd, etc +# +# Authors: Russell Coker +# Thomas Bleher +# + +daemon_base_domain(cpuspeed) +read_locale(cpuspeed_t) + +allow cpuspeed_t sysfs_t:dir search; +allow cpuspeed_t sysfs_t:file rw_file_perms; +allow cpuspeed_t proc_t:dir r_dir_perms; +allow cpuspeed_t proc_t:file { getattr read }; +allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read }; + +allow cpuspeed_t self:process setsched; +allow cpuspeed_t self:unix_dgram_socket create_socket_perms; diff --git a/mls/domains/program/crack.te b/mls/domains/program/crack.te new file mode 100644 index 0000000..1706f6e --- /dev/null +++ b/mls/domains/program/crack.te @@ -0,0 +1,48 @@ +#DESC Crack - Password cracking application +# +# Author: Russell Coker +# X-Debian-Packages: crack +# + +################################# +# +# Rules for the crack_t domain. +# +# crack_exec_t is the type of the crack executable. +# +system_domain(crack) +ifdef(`crond.te', ` +system_crond_entry(crack_exec_t, crack_t) +') + +# for SSP +allow crack_t urandom_device_t:chr_file read; + +type crack_db_t, file_type, sysadmfile, usercanread; +allow crack_t var_t:dir search; +rw_dir_create_file(crack_t, crack_db_t) + +allow crack_t device_t:dir search; +allow crack_t devtty_t:chr_file rw_file_perms; +allow crack_t self:fifo_file { read write getattr }; + +tmp_domain(crack) + +# for dictionaries +allow crack_t usr_t:file { getattr read }; + +can_exec(crack_t, bin_t) +allow crack_t { bin_t sbin_t }:dir search; + +allow crack_t self:process { fork signal_perms }; + +allow crack_t proc_t:dir { read search }; +allow crack_t proc_t:file { read getattr }; + +# read config files +allow crack_t { etc_t etc_runtime_t }:file { getattr read }; +allow crack_t etc_t:dir r_dir_perms; + +allow crack_t fs_t:filesystem getattr; + +dontaudit crack_t sysadm_home_dir_t:dir { getattr search }; diff --git a/mls/domains/program/crond.te b/mls/domains/program/crond.te new file mode 100644 index 0000000..4649348 --- /dev/null +++ b/mls/domains/program/crond.te @@ -0,0 +1,214 @@ +#DESC Crond - Crond daemon +# +# Domains for the top-level crond daemon process and +# for system cron jobs. The domains for user cron jobs +# are in macros/program/crond_macros.te. +# +# X-Debian-Packages: cron +# Authors: Jonathan Crowley (MITRE) , +# Stephen Smalley and Timothy Fraser +# + +# NB The constraints file has some entries for crond_t, this makes it +# different from all other domains... + +# Domain for crond. It needs auth_chkpwd to check for locked accounts. +daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain') + +# This domain is granted permissions common to most domains (including can_net) +general_domain_access(crond_t) + +# Type for the anacron executable. +type anacron_exec_t, file_type, sysadmfile, exec_type; + +# Type for temporary files. +tmp_domain(crond) + +crond_domain(system) + +allow system_crond_t proc_mdstat_t:file { getattr read }; +allow system_crond_t proc_t:lnk_file read; +allow system_crond_t proc_t:filesystem getattr; +allow system_crond_t usbdevfs_t:filesystem getattr; + +ifdef(`mta.te', ` +allow mta_user_agent system_crond_t:fd use; +') + +# read files in /etc +allow system_crond_t etc_t:file r_file_perms; +allow system_crond_t etc_runtime_t:file { getattr read }; + +allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; + +read_locale(crond_t) + +# Use capabilities. +allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control }; +dontaudit crond_t self:capability sys_resource; + +# Get security policy decisions. +can_getsecurity(crond_t) + +# for finding binaries and /bin/sh +allow crond_t { bin_t sbin_t }:dir search; +allow crond_t { bin_t sbin_t }:lnk_file read; + +# Read from /var/spool/cron. +allow crond_t var_lib_t:dir search; +allow crond_t var_spool_t:dir r_dir_perms; +allow crond_t cron_spool_t:dir r_dir_perms; +allow crond_t cron_spool_t:file r_file_perms; + +# Read /etc/security/default_contexts. +r_dir_file(crond_t, default_context_t) + +allow crond_t etc_t:file { getattr read }; +allow crond_t etc_t:lnk_file read; + +allow crond_t default_t:dir search; + +# crond tries to search /root. Not sure why. +allow crond_t sysadm_home_dir_t:dir r_dir_perms; + +# to search /home +allow crond_t home_root_t:dir { getattr search }; +allow crond_t user_home_dir_type:dir r_dir_perms; + +# Run a shell. +can_exec(crond_t, shell_exec_t) + +ifdef(`distro_redhat', ` +# Run the rpm program in the rpm_t domain. Allow creation of RPM log files +# via redirection of standard out. +ifdef(`rpm.te', ` +allow crond_t rpm_log_t: file create_file_perms; + +system_crond_entry(rpm_exec_t, rpm_t) +allow system_crond_t rpm_log_t:file create_file_perms; +#read ahead wants to read this +allow initrc_t system_cron_spool_t:file { getattr read }; +') +') + +allow system_crond_t var_log_t:file r_file_perms; + + +# Set exec context. +can_setexec(crond_t) + +# Transition to this domain for anacron as well. +# Still need to study anacron. +domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t) + +# Inherit and use descriptors from init for anacron. +allow system_crond_t init_t:fd use; + +# Inherit and use descriptors from initrc for anacron. +allow system_crond_t initrc_t:fd use; +can_access_pty(system_crond_t, initrc) + +# Use capabilities. +allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid }; + +allow crond_t urandom_device_t:chr_file { getattr read }; + +# Read the system crontabs. +allow system_crond_t system_cron_spool_t:file r_file_perms; + +allow crond_t system_cron_spool_t:dir r_dir_perms; +allow crond_t system_cron_spool_t:file r_file_perms; + +# Read from /var/spool/cron. +allow system_crond_t cron_spool_t:dir r_dir_perms; +allow system_crond_t cron_spool_t:file r_file_perms; + +# Write to /var/lib/slocate.db. +allow system_crond_t var_lib_t:dir rw_dir_perms; +allow system_crond_t var_lib_t:file create_file_perms; + +# Update whatis files. +allow system_crond_t man_t:dir create_dir_perms; +allow system_crond_t man_t:file create_file_perms; +allow system_crond_t man_t:lnk_file read; + +# Write /var/lock/makewhatis.lock. +lock_domain(system_crond) + +# for if /var/mail is a symlink +allow { system_crond_t crond_t } mail_spool_t:lnk_file read; +allow crond_t mail_spool_t:dir search; + +ifdef(`mta.te', ` +r_dir_file(system_mail_t, crond_tmp_t) +') + +# Stat any file and search any directory for find. +allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr; +allow system_crond_t device_type:{ chr_file blk_file } getattr; +allow system_crond_t file_type:dir { read search getattr }; + +# Create temporary files. +type system_crond_tmp_t, file_type, sysadmfile, tmpfile; +file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t) + +# /sbin/runlevel ask for w access to utmp, but will operate +# correctly without it. Do not audit write denials to utmp. +# /sbin/runlevel needs lock access however +dontaudit system_crond_t initrc_var_run_t:file write; +allow system_crond_t initrc_var_run_t:file { getattr read lock }; + +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +allow system_crond_t var_spool_t:file create_file_perms; +allow system_crond_t var_spool_t:dir rw_dir_perms; + +# Do not audit attempts to search unlabeled directories (e.g. slocate). +dontaudit system_crond_t unlabeled_t:dir r_dir_perms; +dontaudit system_crond_t unlabeled_t:file r_file_perms; + +# +# reading /var/spool/cron/mailman +# +allow crond_t var_spool_t:file { getattr read }; +allow system_crond_t devpts_t:filesystem getattr; +allow system_crond_t sysfs_t:filesystem getattr; +allow system_crond_t tmpfs_t:filesystem getattr; +allow system_crond_t rpc_pipefs_t:filesystem getattr; + +# +# These rules are here to allow system cron jobs to su +# +ifdef(`su.te', ` +su_restricted_domain(system_crond,system) +role system_r types system_crond_su_t; +allow system_crond_su_t crond_t:fifo_file ioctl; +') +allow system_crond_t self:passwd rootok; +# +# prelink tells init to restart it self, we either need to allow or dontaudit +# +allow system_crond_t initctl_t:fifo_file write; +dontaudit userdomain system_crond_t:fd use; + +r_dir_file(crond_t, selinux_config_t) + +# Allow system cron jobs to relabel filesystem for restoring file contexts. +bool cron_can_relabel false; +if (cron_can_relabel) { +domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t) +} else { +r_dir_file(system_crond_t, file_context_t) +can_getsecurity(system_crond_t) +} +dontaudit system_crond_t removable_t:filesystem getattr; +# +# Required for webalizer +# +dontaudit crond_t self:capability sys_tty_config; +ifdef(`apache.te', ` +allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read }; +allow system_crond_t httpd_modules_t:lnk_file read; +# Needed for certwatch +can_exec(system_crond_t, httpd_modules_t) +') diff --git a/mls/domains/program/crontab.te b/mls/domains/program/crontab.te new file mode 100644 index 0000000..48b5fcc --- /dev/null +++ b/mls/domains/program/crontab.te @@ -0,0 +1,12 @@ +#DESC Crontab - Crontab manipulation programs +# +# Domains for the crontab program. +# +# X-Debian-Packages: cron +# + +# Type for the crontab executable. +type crontab_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the crontab_domain macro in +# macros/program/crontab_macros.te. diff --git a/mls/domains/program/cups.te b/mls/domains/program/cups.te new file mode 100644 index 0000000..6bc5106 --- /dev/null +++ b/mls/domains/program/cups.te @@ -0,0 +1,321 @@ +#DESC Cups - Common Unix Printing System +# +# Created cups policy from lpd policy: Russell Coker +# X-Debian-Packages: cupsys cupsys-client cupsys-bsd +# Depends: lpd.te lpr.te + +################################# +# +# Rules for the cupsd_t domain. +# +# cupsd_t is the domain of cupsd. +# cupsd_exec_t is the type of the cupsd executable. +# +daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain') +etcdir_domain(cupsd) +type cupsd_rw_etc_t, file_type, sysadmfile, usercanread; + +can_network(cupsd_t) +allow cupsd_t port_type:tcp_socket name_connect; +logdir_domain(cupsd) + +tmp_domain(cupsd, `', { file dir fifo_file }) + +allow cupsd_t devpts_t:dir search; + +allow cupsd_t device_t:lnk_file read; +allow cupsd_t printer_device_t:chr_file rw_file_perms; +allow cupsd_t urandom_device_t:chr_file { getattr read }; +dontaudit cupsd_t random_device_t:chr_file ioctl; + +# temporary solution, we need something better +allow cupsd_t serial_device:chr_file rw_file_perms; + +r_dir_file(cupsd_t, usbdevfs_t) +r_dir_file(cupsd_t, usbfs_t) + +ifdef(`logrotate.te', ` +domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t) +') + +ifdef(`inetd.te', ` +allow inetd_t printer_port_t:tcp_socket name_bind; +domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t) +') + +# write to spool +allow cupsd_t var_spool_t:dir search; + +# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong +file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file }) +allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms }; +allow cupsd_t cupsd_etc_t:file setattr; +allow cupsd_t cupsd_etc_t:dir setattr; + +allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl }; +can_exec(cupsd_t, initrc_exec_t) +allow cupsd_t proc_t:file r_file_perms; +allow cupsd_t proc_t:dir r_dir_perms; +allow cupsd_t self:file { getattr read }; +read_sysctl(cupsd_t) +allow cupsd_t sysctl_dev_t:dir search; +allow cupsd_t sysctl_dev_t:file { getattr read }; + +# for /etc/printcap +dontaudit cupsd_t etc_t:file write; + +# allow cups to execute its backend scripts +can_exec(cupsd_t, cupsd_exec_t) +allow cupsd_t cupsd_exec_t:dir search; +allow cupsd_t cupsd_exec_t:lnk_file read; +allow cupsd_t reserved_port_t:tcp_socket name_bind; +dontaudit cupsd_t reserved_port_type:tcp_socket name_bind; + +allow cupsd_t self:unix_stream_socket create_socket_perms; +allow cupsd_t self:unix_dgram_socket create_socket_perms; +allow cupsd_t self:fifo_file rw_file_perms; + +# Use capabilities. +allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write }; +dontaudit cupsd_t self:capability net_admin; + +# +# /usr/lib/cups/backend/serial needs sys_admin +# Need new context to run under??? +allow cupsd_t self:capability sys_admin; + +allow cupsd_t self:process setsched; + +# for /var/lib/defoma +allow cupsd_t var_lib_t:dir search; +r_dir_file(cupsd_t, readable_t) + +# Bind to the cups/ipp port (631). +allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind; + +can_tcp_connect(web_client_domain, cupsd_t) +can_tcp_connect(cupsd_t, cupsd_t) + +# Send to portmap. +ifdef(`portmap.te', ` +can_udp_send(cupsd_t, portmap_t) +can_udp_send(portmap_t, cupsd_t) +') + +# Write to /var/spool/cups. +allow cupsd_t print_spool_t:dir { setattr rw_dir_perms }; +allow cupsd_t print_spool_t:file create_file_perms; +allow cupsd_t print_spool_t:file rw_file_perms; + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +allow cupsd_t { bin_t sbin_t }:dir { search getattr }; +allow cupsd_t bin_t:lnk_file read; +can_exec(cupsd_t, { shell_exec_t bin_t sbin_t }) + +# They will also invoke ghostscript, which needs to read fonts +read_fonts(cupsd_t) + +# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +allow cupsd_t lib_t:file { read getattr }; + +# read python modules +allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl }; + +# +# lots of errors generated requiring the following +# +allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms }; + +# +# Satisfy readahead +# +allow initrc_t cupsd_log_t:file { getattr read }; +r_dir_file(cupsd_t, var_t) + +r_dir_file(cupsd_t, usercanread) +ifdef(`samba.te', ` +rw_dir_file(cupsd_t, samba_var_t) +allow smbd_t cupsd_etc_t:dir search; +') + +ifdef(`pam.te', ` +dontaudit cupsd_t pam_var_run_t:file { getattr read }; +') +dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; +# PTAL +daemon_domain(ptal) +etcdir_domain(ptal) + +file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t) +allow ptal_t self:capability { chown sys_rawio }; +allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; +allow ptal_t self:unix_stream_socket { listen accept }; +can_network_server_tcp(ptal_t) +allow ptal_t ptal_port_t:tcp_socket name_bind; +allow userdomain ptal_t:unix_stream_socket connectto; +allow userdomain ptal_var_run_t:sock_file write; +allow userdomain ptal_var_run_t:dir search; +allow ptal_t self:fifo_file rw_file_perms; +allow ptal_t device_t:dir read; +allow ptal_t printer_device_t:chr_file rw_file_perms; +allow initrc_t printer_device_t:chr_file getattr; +allow ptal_t { etc_t etc_runtime_t }:file { getattr read }; +r_dir_file(ptal_t, usbdevfs_t) +rw_dir_file(ptal_t, usbfs_t) +allow cupsd_t ptal_var_run_t:sock_file { write setattr }; +allow cupsd_t ptal_t:unix_stream_socket connectto; +allow cupsd_t ptal_var_run_t:dir search; +dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; + +allow initrc_t ptal_var_run_t:dir rmdir; +allow initrc_t ptal_var_run_t:fifo_file unlink; + + +# HPLIP +daemon_domain(hplip) +etcdir_domain(hplip) +allow hplip_t etc_t:file r_file_perms; +allow hplip_t etc_runtime_t:file { read getattr }; +allow hplip_t printer_device_t:chr_file rw_file_perms; +allow cupsd_t hplip_var_run_t:file { read getattr }; +allow hplip_t cupsd_etc_t:dir search; +can_network(hplip_t) +allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect; +allow hplip_t hplip_port_t:tcp_socket name_bind; + +# Uses networking to talk to the daemons +allow hplip_t self:unix_dgram_socket create_socket_perms; +allow hplip_t self:unix_stream_socket create_socket_perms; +allow hplip_t self:rawip_socket create_socket_perms; + +# for python +can_exec(hplip_t, bin_t) +allow hplip_t { sbin_t bin_t }:dir search; +allow hplip_t self:file { getattr read }; +allow hplip_t proc_t:file r_file_perms; +allow hplip_t urandom_device_t:chr_file { getattr read }; +allow hplip_t usr_t:{ file lnk_file } r_file_perms; +allow hplip_t devpts_t:dir search; +allow hplip_t devpts_t:chr_file { getattr ioctl }; + + +dontaudit cupsd_t selinux_config_t:dir search; +dontaudit cupsd_t selinux_config_t:file { getattr read }; + +allow cupsd_t printconf_t:file { getattr read }; + +ifdef(`dbusd.te', ` +dbusd_client(system, cupsd) +allow cupsd_t system_dbusd_t:dbus send_msg; +allow cupsd_t userdomain:dbus send_msg; +') + +# CUPS configuration daemon +daemon_domain(cupsd_config, `, nscd_client_domain') + +allow cupsd_config_t devpts_t:dir search; +allow cupsd_config_t devpts_t:chr_file { getattr ioctl }; + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +allow cupsd_config_t rpm_var_lib_t:dir { getattr search }; +allow cupsd_config_t rpm_var_lib_t:file { getattr read }; +') +allow cupsd_config_t initrc_exec_t:file getattr; +')dnl end distro_redhat + +allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read }; +allow cupsd_config_t self:file { getattr read }; + +allow cupsd_config_t proc_t:file { getattr read }; +allow cupsd_config_t cupsd_var_run_t:file { getattr read }; +allow cupsd_config_t cupsd_t:process { signal }; +allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read }; +can_ps(cupsd_config_t, cupsd_t) + +allow cupsd_config_t self:capability { chown sys_tty_config }; + +rw_dir_create_file(cupsd_config_t, cupsd_etc_t) +rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) +file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) +file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file) +allow cupsd_config_t var_t:lnk_file read; + +can_network_tcp(cupsd_config_t) +can_ypbind(cupsd_config_t) +allow cupsd_config_t port_type:tcp_socket name_connect; +can_tcp_connect(cupsd_config_t, cupsd_t) +allow cupsd_config_t self:fifo_file rw_file_perms; + +allow cupsd_config_t self:unix_stream_socket create_socket_perms; +allow cupsd_config_t self:unix_dgram_socket create_socket_perms; +ifdef(`dbusd.te', ` +dbusd_client(system, cupsd_config) +allow cupsd_config_t userdomain:dbus send_msg; +allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc }; +allow userdomain cupsd_config_t:dbus send_msg; +')dnl end if dbusd.te + +ifdef(`hald.te', ` + +ifdef(`dbusd.te', ` +allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg; +allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg; +')dnl end if dbusd.te + +allow hald_t cupsd_config_t:process signal; +domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t) + +') dnl end if hald.te + + +can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t }) +ifdef(`hostname.te', ` +can_exec(cupsd_t, hostname_exec_t) +can_exec(cupsd_config_t, hostname_exec_t) +') +allow cupsd_config_t { bin_t sbin_t }:dir { search getattr }; +allow cupsd_config_t { bin_t sbin_t }:lnk_file read; +# killall causes the following +dontaudit cupsd_config_t domain:dir { getattr search }; +dontaudit cupsd_config_t selinux_config_t:dir search; + +can_exec(cupsd_config_t, cupsd_config_exec_t) + +allow cupsd_config_t usr_t:file { getattr read }; +allow cupsd_config_t var_lib_t:dir { getattr search }; +allow cupsd_config_t rpm_var_lib_t:file { getattr read }; +allow cupsd_config_t printconf_t:file { getattr read }; + +allow cupsd_config_t urandom_device_t:chr_file { getattr read }; + +ifdef(`logrotate.te', ` +allow cupsd_config_t logrotate_t:fd use; +')dnl end if logrotate.te +allow cupsd_config_t system_crond_t:fd use; +allow cupsd_config_t crond_t:fifo_file r_file_perms; +allow cupsd_t crond_t:fifo_file read; +allow cupsd_t crond_t:fd use; + +# Alternatives asks for this +allow cupsd_config_t initrc_exec_t:file getattr; +ifdef(`targeted_policy', ` +can_unix_connect(cupsd_t, initrc_t) +allow cupsd_t initrc_t:dbus send_msg; +allow initrc_t cupsd_t:dbus send_msg; +allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg; +allow unconfined_t cupsd_config_t:dbus send_msg; +allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read; +') +typealias printer_port_t alias cupsd_lpd_port_t; +inetd_child_domain(cupsd_lpd) +allow inetd_t printer_port_t:tcp_socket name_bind; +r_dir_file(cupsd_lpd_t, cupsd_etc_t) +r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t) +allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect; +ifdef(`use_mcs', ` +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; +') + diff --git a/mls/domains/program/cvs.te b/mls/domains/program/cvs.te new file mode 100644 index 0000000..503c809 --- /dev/null +++ b/mls/domains/program/cvs.te @@ -0,0 +1,30 @@ +#DESC cvs - Concurrent Versions System +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the cvs_t domain. +# +# cvs_exec_t is the type of the cvs executable. +# + +inetd_child_domain(cvs, tcp) +typeattribute cvs_t privmail; +typeattribute cvs_t auth_chkpwd; + +type cvs_data_t, file_type, sysadmfile, customizable; +create_dir_file(cvs_t, cvs_data_t) +can_exec(cvs_t, { bin_t sbin_t shell_exec_t }) +allow cvs_t bin_t:dir search; +allow cvs_t { bin_t sbin_t }:lnk_file read; +allow cvs_t etc_runtime_t:file { getattr read }; +allow system_mail_t cvs_data_t:file { getattr read }; +dontaudit cvs_t devtty_t:chr_file { read write }; +ifdef(`kerberos.te', ` +# Allow kerberos to work +allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms; +dontaudit cvs_t krb5_conf_t:file write; +') diff --git a/mls/domains/program/cyrus.te b/mls/domains/program/cyrus.te new file mode 100644 index 0000000..13b2f66 --- /dev/null +++ b/mls/domains/program/cyrus.te @@ -0,0 +1,60 @@ +#DESC cyrus-imapd +# +# Authors: Dan Walsh +# + +# cyrusd_exec_t is the type of the cyrusd executable. +# cyrusd_key_t is the type of the cyrus private key files +daemon_domain(cyrus) + +general_domain_access(cyrus_t) +file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file) + +type cyrus_var_lib_t, file_type, sysadmfile; + +allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +allow cyrus_t self:process setrlimit; + +can_network(cyrus_t) +allow cyrus_t port_type:tcp_socket name_connect; +can_ypbind(cyrus_t) +can_exec(cyrus_t, bin_t) +allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; +allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms; +allow cyrus_t etc_t:file { getattr read }; +allow cyrus_t lib_t:file { execute execute_no_trans getattr read }; +read_locale(cyrus_t) +read_sysctl(cyrus_t) +tmp_domain(cyrus) +allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind; +allow cyrus_t proc_t:dir search; +allow cyrus_t proc_t:file { getattr read }; +allow cyrus_t sysadm_devpts_t:chr_file { read write }; + +allow cyrus_t var_lib_t:dir search; + +allow cyrus_t etc_runtime_t:file { read getattr }; +ifdef(`crond.te', ` +system_crond_entry(cyrus_exec_t, cyrus_t) +allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms; +allow system_crond_t cyrus_var_lib_t:file create_file_perms; +') +create_dir_file(cyrus_t, mail_spool_t) +allow cyrus_t var_spool_t:dir search; + +ifdef(`saslauthd.te', ` +allow cyrus_t saslauthd_var_run_t:dir search; +allow cyrus_t saslauthd_var_run_t:sock_file { read write }; +allow cyrus_t saslauthd_t:unix_stream_socket { connectto }; +') + +r_dir_file(cyrus_t, cert_t) +allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr }; + +ifdef(`postfix.te', ` +allow postfix_master_t cyrus_t:unix_stream_socket connectto; +allow postfix_master_t var_lib_t:dir search; +allow postfix_master_t cyrus_var_lib_t:dir search; +allow postfix_master_t cyrus_var_lib_t:sock_file write; +') + diff --git a/mls/domains/program/dbskkd.te b/mls/domains/program/dbskkd.te new file mode 100644 index 0000000..e75d90b --- /dev/null +++ b/mls/domains/program/dbskkd.te @@ -0,0 +1,14 @@ +#DESC dbskkd - A dictionary server for the SKK Japanese input method system. +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the dbskkd_t domain. +# +# dbskkd_exec_t is the type of the dbskkd executable. +# +# Depends: inetd.te + +inetd_child_domain(dbskkd) diff --git a/mls/domains/program/dbusd.te b/mls/domains/program/dbusd.te new file mode 100644 index 0000000..acad4de --- /dev/null +++ b/mls/domains/program/dbusd.te @@ -0,0 +1,27 @@ +#DESC dbus-daemon-1 server for dbus desktop bus protocol +# +# Author: Russell Coker + +dbusd_domain(system) + +allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms; + +ifdef(`pamconsole.te', ` +r_dir_file(system_dbusd_t, pam_var_console_t) +') + +# dac_override: /var/run/dbus is owned by messagebus on Debian +allow system_dbusd_t self:capability { dac_override setgid setuid }; +nsswitch_domain(system_dbusd_t) + +# I expect we need more than this + +allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; +allow initrc_t system_dbusd_t:unix_stream_socket connectto; +allow initrc_t system_dbusd_var_run_t:sock_file write; + +can_exec(system_dbusd_t, sbin_t) +allow system_dbusd_t self:fifo_file { read write }; +allow system_dbusd_t self:unix_stream_socket connectto; +allow system_dbusd_t self:unix_stream_socket connectto; +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/mls/domains/program/ddcprobe.te b/mls/domains/program/ddcprobe.te new file mode 100644 index 0000000..4087126 --- /dev/null +++ b/mls/domains/program/ddcprobe.te @@ -0,0 +1,42 @@ +#DESC ddcprobe - output ddcprobe results from kudzu +# +# Author: dan walsh +# + +type ddcprobe_t, domain, privmem; +type ddcprobe_exec_t, file_type, exec_type, sysadmfile; + +# Allow execution by the sysadm +role sysadm_r types ddcprobe_t; +role system_r types ddcprobe_t; +domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t) + +uses_shlib(ddcprobe_t) + +# Allow terminal access +access_terminal(ddcprobe_t, sysadm) + +# Allow ddcprobe to read /dev/mem +allow ddcprobe_t memory_device_t:chr_file read; +allow ddcprobe_t memory_device_t:chr_file { execute write }; +allow ddcprobe_t self:process execmem; +allow ddcprobe_t zero_device_t:chr_file { execute read }; + +allow ddcprobe_t proc_t:dir search; +allow ddcprobe_t proc_t:file { getattr read }; +can_exec(ddcprobe_t, sbin_t) +allow ddcprobe_t user_tty_type:chr_file rw_file_perms; +allow ddcprobe_t userdomain:fd use; +read_sysctl(ddcprobe_t) +allow ddcprobe_t urandom_device_t:chr_file { getattr read }; +allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms; +allow ddcprobe_t self:capability { sys_rawio sys_admin }; + +allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read }; +allow ddcprobe_t kudzu_exec_t:file getattr; +allow ddcprobe_t lib_t:file { getattr read }; +read_locale(ddcprobe_t) +allow ddcprobe_t modules_object_t:dir search; +allow ddcprobe_t modules_dep_t:file { getattr read }; +allow ddcprobe_t usr_t:file { getattr read }; +allow ddcprobe_t kernel_t:system syslog_console; diff --git a/mls/domains/program/dhcpc.te b/mls/domains/program/dhcpc.te new file mode 100644 index 0000000..83cbe81 --- /dev/null +++ b/mls/domains/program/dhcpc.te @@ -0,0 +1,169 @@ +#DESC DHCPC - DHCP client +# +# Authors: Wayne Salamon (NAI Labs) +# Russell Coker +# X-Debian-Packages: pump dhcp-client udhcpc +# + +################################# +# +# Rules for the dhcpc_t domain. +# +# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP +# network configurator daemon started by /etc/sysconfig/network-scripts +# rc scripts, runs in this domain. +# dhcpc_exec_t is the type of the dhcpcd executable. +# The dhcpc_t can be used for other DHCPC related files as well. +# +daemon_domain(dhcpc) + +# for SSP +allow dhcpc_t urandom_device_t:chr_file read; + +can_network(dhcpc_t) +allow dhcpc_t port_type:tcp_socket name_connect; +can_ypbind(dhcpc_t) +allow dhcpc_t self:unix_dgram_socket create_socket_perms; +allow dhcpc_t self:unix_stream_socket create_socket_perms; +allow dhcpc_t self:fifo_file rw_file_perms; + +allow dhcpc_t devpts_t:dir search; + +# for localization +allow dhcpc_t lib_t:file { getattr read }; + +ifdef(`consoletype.te', ` +domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t) +') +ifdef(`nscd.te', ` +domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t) +allow dhcpc_t nscd_var_run_t:file { getattr read }; +') +ifdef(`cardmgr.te', ` +domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) +allow cardmgr_t dhcpc_var_run_t:file { getattr read }; +allow cardmgr_t dhcpc_t:process signal_perms; +allow cardmgr_t dhcpc_var_run_t:file unlink; +allow dhcpc_t cardmgr_dev_t:chr_file { read write }; +') +ifdef(`hotplug.te', ` +domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t) +allow hotplug_t dhcpc_t:process signal_perms; +allow hotplug_t dhcpc_var_run_t:file { getattr read }; +allow hotplug_t dhcp_etc_t:file rw_file_perms; +allow dhcpc_t hotplug_etc_t:dir { getattr search }; +ifdef(`distro_redhat', ` +domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t) +') +')dnl end hotplug.te + +# for the dhcp client to run ping to check IP addresses +ifdef(`ping.te', ` +domain_auto_trans(dhcpc_t, ping_exec_t, ping_t) +ifdef(`hotplug.te', ` +allow ping_t hotplug_t:fd use; +') dnl end if hotplug +ifdef(`cardmgr.te', ` +allow ping_t cardmgr_t:fd use; +') dnl end if cardmgr +', ` +allow dhcpc_t self:capability setuid; +allow dhcpc_t self:rawip_socket create_socket_perms; +') dnl end if ping + +ifdef(`dhcpd.te', `', ` +type dhcp_state_t, file_type, sysadmfile; +type dhcp_etc_t, file_type, sysadmfile, usercanread; +') +type dhcpc_state_t, file_type, sysadmfile; + +allow dhcpc_t etc_t:lnk_file read; +allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read }; +allow dhcpc_t proc_net_t:dir search; +allow dhcpc_t { proc_t proc_net_t }:file { getattr read }; +allow dhcpc_t self:file { getattr read }; +read_sysctl(dhcpc_t) +allow dhcpc_t userdomain:fd use; +ifdef(`run_init.te', ` +allow dhcpc_t run_init_t:fd use; +') + +# Use capabilities +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; + +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit dhcpc_t self:capability { dac_read_search sys_module }; + +# for udp port 68 +allow dhcpc_t dhcpc_port_t:udp_socket name_bind; + +# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files +# in /etc created by dhcpcd will be labelled net_conf_t. +file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file) + +# Allow access to the dhcpc file types +r_dir_file(dhcpc_t, dhcp_etc_t) +allow dhcpc_t sbin_t:dir search; +can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t }) +ifdef(`distro_redhat', ` +can_exec(dhcpc_t, etc_t) +allow initrc_t dhcp_etc_t:file rw_file_perms; +') +ifdef(`ifconfig.te', ` +domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t) +')dnl end if def ifconfig + + +tmp_domain(dhcpc) + +# Allow dhcpc_t to use packet sockets +allow dhcpc_t self:packet_socket create_socket_perms; +allow dhcpc_t var_lib_t:dir search; +file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +rw_dir_create_file(dhcpc_t, dhcpc_state_t) +allow dhcpc_t dhcp_state_t:file { getattr read }; + +allow dhcpc_t bin_t:dir { getattr search }; +allow dhcpc_t bin_t:lnk_file read; +can_exec(dhcpc_t, { bin_t shell_exec_t }) + +ifdef(`hostname.te', ` +domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t) +') +dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms; +allow dhcpc_t { userdomain kernel_t }:fd use; + +allow dhcpc_t home_root_t:dir search; +allow initrc_t dhcpc_state_t:file { getattr read }; +dontaudit dhcpc_t var_lock_t:dir search; +allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit dhcpc_t domain:dir getattr; +allow dhcpc_t initrc_var_run_t:file rw_file_perms; +# +# dhclient sometimes starts ypbind and ntdp +# +can_exec(dhcpc_t, initrc_exec_t) +ifdef(`ypbind.te', ` +domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t) +allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink }; +allow dhcpc_t ypbind_t:process signal; +') +ifdef(`ntpd.te', ` +domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t) +') +role sysadm_r types dhcpc_t; +domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t) +ifdef(`dbusd.te', ` +dbusd_client(system, dhcpc) +domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t) +allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow dhcpc_t self:dbus send_msg; +allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg; +allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; +ifdef(`unconfined.te', ` +allow unconfined_t dhcpc_t:dbus send_msg; +allow dhcpc_t unconfined_t:dbus send_msg; +')dnl end ifdef unconfined.te +') +ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)') +allow dhcpc_t locale_t:file write; diff --git a/mls/domains/program/dhcpd.te b/mls/domains/program/dhcpd.te new file mode 100644 index 0000000..137fbbf --- /dev/null +++ b/mls/domains/program/dhcpd.te @@ -0,0 +1,79 @@ +#DESC DHCPD - DHCP server +# +# Author: Russell Coker +# based on the dhcpc_t policy from: +# Wayne Salamon (NAI Labs) +# X-Debian-Packages: dhcp dhcp3-server +# + +################################# +# +# Rules for the dhcpd_t domain. +# +# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP +# server daemon rc scripts, runs in this domain. +# dhcpd_exec_t is the type of the dhcpdd executable. +# The dhcpd_t can be used for other DHCPC related files as well. +# +daemon_domain(dhcpd, `, nscd_client_domain') + +# for UDP port 4011 +allow dhcpd_t pxe_port_t:udp_socket name_bind; + +type dhcp_etc_t, file_type, sysadmfile, usercanread; + +# Use the network. +can_network(dhcpd_t) +allow dhcpd_t port_type:tcp_socket name_connect; +allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind; +can_ypbind(dhcpd_t) +allow dhcpd_t self:unix_dgram_socket create_socket_perms; +allow dhcpd_t self:unix_stream_socket create_socket_perms; +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; + +allow dhcpd_t var_lib_t:dir search; + +allow dhcpd_t devtty_t:chr_file { read write }; + +# Use capabilities +allow dhcpd_t self:capability { net_raw net_bind_service }; +dontaudit dhcpd_t self:capability net_admin; + +# Allow access to the dhcpd file types +type dhcp_state_t, file_type, sysadmfile; +type dhcpd_state_t, file_type, sysadmfile; +allow dhcpd_t dhcp_etc_t:file { read getattr }; +allow dhcpd_t dhcp_etc_t:dir search; +file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file) +rw_dir_create_file(dhcpd_t, dhcpd_state_t) + +allow dhcpd_t etc_t:lnk_file read; +allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms; + +# Allow dhcpd_t programs to execute themselves and bin_t (uname etc) +can_exec(dhcpd_t, { dhcpd_exec_t bin_t }) + +# Allow dhcpd_t to use packet sockets +allow dhcpd_t self:packet_socket create_socket_perms; +allow dhcpd_t self:rawip_socket create_socket_perms; + +# allow to run utilities and scripts +allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms; +allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms; +allow dhcpd_t self:fifo_file { read write getattr }; + +# allow reading /proc +allow dhcpd_t proc_t:{ file lnk_file } r_file_perms; +tmp_domain(dhcpd) + +ifdef(`distro_gentoo', ` +allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; +allow initrc_t dhcpd_state_t:file setattr; +') +r_dir_file(dhcpd_t, usr_t) +allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms; + +ifdef(`named.te', ` +allow dhcpd_t { named_conf_t named_zone_t }:dir search; +allow dhcpd_t dnssec_t:file { getattr read }; +') diff --git a/mls/domains/program/dictd.te b/mls/domains/program/dictd.te new file mode 100644 index 0000000..d610d07 --- /dev/null +++ b/mls/domains/program/dictd.te @@ -0,0 +1,48 @@ +#DESC Dictd - Dictionary daemon +# +# Authors: Russell Coker +# X-Debian-Packages: dictd +# + +################################# +# +# Rules for the dictd_t domain. +# +# dictd_exec_t is the type of the dictd executable. +# +daemon_base_domain(dictd) +type dictd_var_lib_t, file_type, sysadmfile; +typealias dictd_var_lib_t alias var_lib_dictd_t; +etc_domain(dictd) + +# for checking for nscd +dontaudit dictd_t var_run_t:dir search; + +# read config files +allow dictd_t { etc_t etc_runtime_t }:file r_file_perms; + +read_locale(dictd_t) + +allow dictd_t { var_t var_lib_t }:dir search; +allow dictd_t dictd_var_lib_t:dir r_dir_perms; +allow dictd_t dictd_var_lib_t:file r_file_perms; + +allow dictd_t self:capability { setuid setgid }; + +allow dictd_t usr_t:file r_file_perms; + +allow dictd_t self:process { setpgid fork sigchld }; + +allow dictd_t proc_t:file r_file_perms; + +allow dictd_t dict_port_t:tcp_socket name_bind; + +allow dictd_t devtty_t:chr_file rw_file_perms; + +allow dictd_t self:unix_stream_socket create_stream_socket_perms; + +can_network_server(dictd_t) +can_ypbind(dictd_t) +can_tcp_connect(userdomain, dictd_t) + +allow dictd_t fs_t:filesystem getattr; diff --git a/mls/domains/program/dmesg.te b/mls/domains/program/dmesg.te new file mode 100644 index 0000000..9f9392e --- /dev/null +++ b/mls/domains/program/dmesg.te @@ -0,0 +1,29 @@ +#DESC dmesg - control kernel ring buffer +# +# Author: Dan Walsh dwalsh@redhat.com +# +# X-Debian-Packages: util-linux + +################################# +# +# Rules for the dmesg_t domain. +# +# dmesg_exec_t is the type of the dmesg executable. +# +# while sysadm_t has the sys_admin capability there is no point in using +# dmesg_t when run from sysadm_t, so we use nosysadm. +# +daemon_base_domain(dmesg, , `nosysadm') + +# +# Rules used for dmesg +# +allow dmesg_t self:capability sys_admin; +allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod }; +allow dmesg_t admin_tty_type:chr_file { getattr read write }; +allow dmesg_t sysadm_tty_device_t:chr_file ioctl; +allow dmesg_t var_log_t:file { getattr write }; +read_locale(dmesg_t) + +# for when /usr is not mounted +dontaudit dmesg_t file_t:dir search; diff --git a/mls/domains/program/dmidecode.te b/mls/domains/program/dmidecode.te new file mode 100644 index 0000000..05b93f7 --- /dev/null +++ b/mls/domains/program/dmidecode.te @@ -0,0 +1,22 @@ +#DESC dmidecode - decodes DMI data for x86/ia64 bioses +# +# Author: Ivan Gyurdiev +# + +type dmidecode_t, domain, privmem; +type dmidecode_exec_t, file_type, exec_type, sysadmfile; + +# Allow execution by the sysadm +role sysadm_r types dmidecode_t; +role system_r types dmidecode_t; +domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t) + +uses_shlib(dmidecode_t) + +# Allow terminal access +access_terminal(dmidecode_t, sysadm) + +# Allow dmidecode to read /dev/mem +allow dmidecode_t memory_device_t:chr_file read; + +allow dmidecode_t self:capability sys_rawio; diff --git a/mls/domains/program/dovecot.te b/mls/domains/program/dovecot.te new file mode 100644 index 0000000..bd3873a --- /dev/null +++ b/mls/domains/program/dovecot.te @@ -0,0 +1,75 @@ +#DESC Dovecot POP and IMAP servers +# +# Author: Russell Coker +# X-Debian-Packages: dovecot-imapd, dovecot-pop3d + +# +# Main dovecot daemon +# +daemon_domain(dovecot, `, privhome') +etc_domain(dovecot); + +allow dovecot_t dovecot_var_run_t:sock_file create_file_perms; + +can_exec(dovecot_t, dovecot_exec_t) + +type dovecot_cert_t, file_type, sysadmfile; +type dovecot_passwd_t, file_type, sysadmfile; +type dovecot_spool_t, file_type, sysadmfile; + +allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; +allow dovecot_t self:process setrlimit; +can_network_tcp(dovecot_t) +allow dovecot_t port_type:tcp_socket name_connect; +can_ypbind(dovecot_t) +allow dovecot_t self:unix_dgram_socket create_socket_perms; +allow dovecot_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(dovecot_t, self) + +allow dovecot_t etc_t:file { getattr read }; +allow dovecot_t initrc_var_run_t:file getattr; +allow dovecot_t bin_t:dir { getattr search }; +can_exec(dovecot_t, bin_t) + +allow dovecot_t pop_port_t:tcp_socket name_bind; +allow dovecot_t urandom_device_t:chr_file { getattr read }; +allow dovecot_t cert_t:dir search; +r_dir_file(dovecot_t, dovecot_cert_t) +r_dir_file(dovecot_t, cert_t) + +allow dovecot_t { self proc_t }:file { getattr read }; +allow dovecot_t self:fifo_file rw_file_perms; + +can_kerberos(dovecot_t) + +allow dovecot_t tmp_t:dir search; +rw_dir_create_file(dovecot_t, mail_spool_t) + + +create_dir_file(dovecot_t, dovecot_spool_t) +create_dir_file(mta_delivery_agent, dovecot_spool_t) +allow dovecot_t mail_spool_t:lnk_file read; +allow dovecot_t var_spool_t:dir { search }; + +# +# Dovecot auth daemon +# +daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd') +can_ldap(dovecot_auth_t) +can_ypbind(dovecot_auth_t) +can_kerberos(dovecot_auth_t) +can_resolve(dovecot_auth_t) +allow dovecot_auth_t self:process { fork signal_perms }; +allow dovecot_auth_t self:capability { setgid setuid }; +allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; +allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; +allow dovecot_auth_t self:fifo_file rw_file_perms; +allow dovecot_auth_t urandom_device_t:chr_file { getattr read }; +allow dovecot_auth_t etc_t:file { getattr read }; +allow dovecot_auth_t { self proc_t }:file { getattr read }; +read_locale(dovecot_auth_t) +read_sysctl(dovecot_auth_t) +allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; +dontaudit dovecot_auth_t selinux_config_t:dir search; +allow dovecot_auth_t etc_runtime_t:file { getattr read }; diff --git a/mls/domains/program/fetchmail.te b/mls/domains/program/fetchmail.te new file mode 100644 index 0000000..225f08e --- /dev/null +++ b/mls/domains/program/fetchmail.te @@ -0,0 +1,32 @@ +#DESC fetchmail - remote-mail retrieval utility +# +# Author: Greg Norris +# X-Debian-Packages: fetchmail +# Depends: mta.te +# +# Note: This policy is only required when running fetchmail in daemon mode. + +################################# +# +# Rules for the fetchmail_t domain. +# +daemon_domain(fetchmail); +type fetchmail_etc_t, file_type, sysadmfile; +type fetchmail_uidl_cache_t, file_type, sysadmfile; + +# misc. requirements +allow fetchmail_t self:process setrlimit; + +# network-related goodies +can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t }) +can_network_udp(fetchmail_t, dns_port_t) +allow fetchmail_t port_type:tcp_socket name_connect; + +allow fetchmail_t self:unix_dgram_socket create_socket_perms; +allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; + +# file access +allow fetchmail_t etc_t:file r_file_perms; +allow fetchmail_t fetchmail_etc_t:file r_file_perms; +allow fetchmail_t mail_spool_t:dir search; +file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file) diff --git a/mls/domains/program/fingerd.te b/mls/domains/program/fingerd.te new file mode 100644 index 0000000..73fee16 --- /dev/null +++ b/mls/domains/program/fingerd.te @@ -0,0 +1,80 @@ +#DESC Fingerd - Finger daemon +# +# Author: Russell Coker +# X-Debian-Packages: fingerd cfingerd efingerd ffingerd +# + +################################# +# +# Rules for the fingerd_t domain. +# +# fingerd_exec_t is the type of the fingerd executable. +# +daemon_domain(fingerd) + +etcdir_domain(fingerd) + +allow fingerd_t etc_t:lnk_file read; +allow fingerd_t { etc_t etc_runtime_t }:file { read getattr }; + +log_domain(fingerd) +system_crond_entry(fingerd_exec_t, fingerd_t) +ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)') + +allow fingerd_t fingerd_port_t:tcp_socket name_bind; +ifdef(`inetd.te', ` +allow inetd_t fingerd_port_t:tcp_socket name_bind; +# can be run from inetd +domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t) +allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl }; +') +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t) +') + +allow fingerd_t self:capability { setgid setuid }; +# for gzip from logrotate +dontaudit fingerd_t self:capability fsetid; + +# cfingerd runs shell scripts +allow fingerd_t { bin_t sbin_t }:dir search; +allow fingerd_t bin_t:lnk_file read; +can_exec(fingerd_t, { shell_exec_t bin_t sbin_t }) +allow fingerd_t devtty_t:chr_file { read write }; + +allow fingerd_t { ttyfile ptyfile }:chr_file getattr; + +# Use the network. +can_network_server(fingerd_t) +can_ypbind(fingerd_t) + +allow fingerd_t self:unix_dgram_socket create_socket_perms; +allow fingerd_t self:unix_stream_socket create_socket_perms; +allow fingerd_t self:fifo_file { read write getattr }; + +# allow any user domain to connect to the finger server +can_tcp_connect(userdomain, fingerd_t) + +# for .finger, .plan. etc +allow fingerd_t { home_root_t user_home_dir_type }:dir search; +# should really have a different type for .plan etc +allow fingerd_t user_home_type:file { getattr read }; +# stop it accessing sub-directories, prevents checking a Maildir for new mail, +# have to change this when we create a type for Maildir +dontaudit fingerd_t user_home_t:dir search; + +# for mail +allow fingerd_t { var_spool_t mail_spool_t }:dir search; +allow fingerd_t mail_spool_t:file getattr; +allow fingerd_t mail_spool_t:lnk_file read; + +# see who is logged in and when users last logged in +allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr }; +dontaudit fingerd_t initrc_var_run_t:file lock; +allow fingerd_t devpts_t:dir search; +allow fingerd_t ptyfile:chr_file getattr; + +allow fingerd_t proc_t:file { read getattr }; + +# for date command +read_sysctl(fingerd_t) diff --git a/mls/domains/program/firstboot.te b/mls/domains/program/firstboot.te new file mode 100644 index 0000000..e07bc43 --- /dev/null +++ b/mls/domains/program/firstboot.te @@ -0,0 +1,131 @@ +#DESC firstboot +# +# Author: Dan Walsh +# X-Debian-Packages: firstboot +# + +################################# +# +# Rules for the firstboot_t domain. +# +# firstboot_exec_t is the type of the firstboot executable. +# +application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer') +type firstboot_rw_t, file_type, sysadmfile; +role system_r types firstboot_t; + +ifdef(`xserver.te', ` +domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) +') + +etc_domain(firstboot) + +allow firstboot_t proc_t:file r_file_perms; + +allow firstboot_t urandom_device_t:chr_file { getattr read }; +allow firstboot_t proc_t:file { getattr read write }; + +domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t) +file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file) + +can_exec_any(firstboot_t) +ifdef(`useradd.te',` +domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t) +domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t) +') +allow firstboot_t etc_runtime_t:file { getattr read }; + +r_dir_file(firstboot_t, etc_t) + +allow firstboot_t firstboot_rw_t:dir create_dir_perms; +allow firstboot_t firstboot_rw_t:file create_file_perms; +allow firstboot_t self:fifo_file { getattr read write }; +allow firstboot_t self:process { fork sigchld }; +allow firstboot_t self:unix_stream_socket { connect create }; +allow firstboot_t initrc_exec_t:file { getattr read }; +allow firstboot_t initrc_var_run_t:file r_file_perms; +allow firstboot_t lib_t:file { getattr read }; +allow firstboot_t local_login_t:fd use; +read_locale(firstboot_t) + +allow firstboot_t proc_t:dir search; +allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms; +allow firstboot_t usr_t:file r_file_perms; + +allow firstboot_t etc_t:file write; + +# Allow write to utmp file +allow firstboot_t initrc_var_run_t:file write; + +ifdef(`samba.te', ` +rw_dir_file(firstboot_t, samba_etc_t) +') + +dontaudit firstboot_t shadow_t:file getattr; + +role system_r types initrc_t; +#role_transition firstboot_r initrc_exec_t system_r; +domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t) + +allow firstboot_t self:passwd rootok; + +ifdef(`userhelper.te', ` +role system_r types sysadm_userhelper_t; +domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t) +') + +ifdef(`consoletype.te', ` +allow consoletype_t devtty_t:chr_file { read write }; +allow consoletype_t etc_t:file { getattr read }; +allow consoletype_t firstboot_t:fd use; +') + +allow firstboot_t etc_t:{ file lnk_file } create_file_perms; + +allow firstboot_t self:capability { dac_override setgid }; +allow firstboot_t self:dir search; +allow firstboot_t self:file { read write }; +allow firstboot_t self:lnk_file read; +can_setfscreate(firstboot_t) +allow firstboot_t krb5_conf_t:file rw_file_perms; + +allow firstboot_t modules_conf_t:file { getattr read }; +allow firstboot_t modules_dep_t:file { getattr read }; +allow firstboot_t modules_object_t:dir search; +allow firstboot_t port_t:tcp_socket { recv_msg send_msg }; +allow firstboot_t proc_t:lnk_file read; + +can_getsecurity(firstboot_t) + +dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition }; +read_sysctl(firstboot_t) + +allow firstboot_t var_run_t:dir getattr; +allow firstboot_t var_t:dir getattr; +ifdef(`hostname.te', ` +allow hostname_t devtty_t:chr_file { read write }; +allow hostname_t firstboot_t:fd use; +') +ifdef(`iptables.te', ` +allow iptables_t devtty_t:chr_file { read write }; +allow iptables_t firstboot_t:fd use; +allow iptables_t firstboot_t:fifo_file write; +') +can_network_server(firstboot_t) +can_ypbind(firstboot_t) +ifdef(`printconf.te', ` +can_exec(firstboot_t, printconf_t) +') +create_dir_file(firstboot_t, var_t) +# Add/remove user home directories +file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir) +file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t) + +# +# The big hammer +# +unconfined_domain(firstboot_t) +ifdef(`targeted_policy', ` +allow firstboot_t unconfined_t:process transition; +') + diff --git a/mls/domains/program/fs_daemon.te b/mls/domains/program/fs_daemon.te new file mode 100644 index 0000000..05c98a9 --- /dev/null +++ b/mls/domains/program/fs_daemon.te @@ -0,0 +1,28 @@ +#DESC file system daemons +# +# Author: Russell Coker +# X-Debian-Packages: smartmontools + +daemon_domain(fsdaemon, `, fs_domain, privmail') +allow fsdaemon_t self:unix_dgram_socket create_socket_perms; +allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; + +# for config +allow fsdaemon_t etc_t:file { getattr read }; + +allow fsdaemon_t device_t:dir read; +allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms; +allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; +allow fsdaemon_t etc_runtime_t:file { getattr read }; + +allow fsdaemon_t proc_mdstat_t:file { getattr read }; + +can_exec_any(fsdaemon_t) +allow fsdaemon_t self:fifo_file rw_file_perms; +can_network_udp(fsdaemon_t) +tmp_domain(fsdaemon) +allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read }; + +dontaudit fsdaemon_t devpts_t:dir search; +allow fsdaemon_t proc_t:file { getattr read }; +dontaudit system_mail_t fixed_disk_device_t:blk_file read; diff --git a/mls/domains/program/fsadm.te b/mls/domains/program/fsadm.te new file mode 100644 index 0000000..0bfbb68 --- /dev/null +++ b/mls/domains/program/fsadm.te @@ -0,0 +1,123 @@ +#DESC Fsadm - Disk and file system administration +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount +# + +################################# +# +# Rules for the fsadm_t domain. +# +# fsadm_t is the domain for disk and file system +# administration. +# fsadm_exec_t is the type of the corresponding programs. +# +type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite; +role system_r types fsadm_t; +role sysadm_r types fsadm_t; + +general_domain_access(fsadm_t) + +# for swapon +r_dir_file(fsadm_t, sysfs_t) + +# Read system information files in /proc. +r_dir_file(fsadm_t, proc_t) + +# Read system variables in /proc/sys +read_sysctl(fsadm_t) + +# for /dev/shm +allow fsadm_t tmpfs_t:dir { getattr search }; +allow fsadm_t tmpfs_t:file { read write }; + +base_file_read_access(fsadm_t) + +# Read /etc. +r_dir_file(fsadm_t, etc_t) + +# Read module-related files. +allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. +allow fsadm_t device_t:dir r_dir_perms; +allow fsadm_t device_t:lnk_file r_file_perms; + +uses_shlib(fsadm_t) + +type fsadm_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t) +') +tmp_domain(fsadm) + +# remount file system to apply changes +allow fsadm_t fs_t:filesystem remount; + +allow fsadm_t fs_t:filesystem getattr; + +# mkreiserfs needs this +allow fsadm_t proc_t:filesystem getattr; + +# mkreiserfs and other programs need this for UUID +allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read }; + +# Use capabilities. ipc_lock is for losetup +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; + +# Write to /etc/mtab. +file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file) + +# Inherit and use descriptors from init. +allow fsadm_t init_t:fd use; + +# Run other fs admin programs in the fsadm_t domain. +can_exec(fsadm_t, fsadm_exec_t) + +# Access disk devices. +allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms; +allow fsadm_t removable_device_t:devfile_class_set rw_file_perms; +allow fsadm_t scsi_generic_device_t:chr_file r_file_perms; + +# Access lost+found. +allow fsadm_t lost_found_t:dir create_dir_perms; +allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms; +allow fsadm_t lost_found_t:lnk_file create_lnk_perms; + +allow fsadm_t file_t:dir { search read getattr rmdir create }; + +# Recreate /mnt/cdrom. +allow fsadm_t mnt_t:dir { search read getattr rmdir create }; + +# Recreate /dev/cdrom. +allow fsadm_t device_t:dir rw_dir_perms; +allow fsadm_t device_t:lnk_file { unlink create }; + +# Enable swapping to devices and files +allow fsadm_t swapfile_t:file { getattr swapon }; +allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon }; + +# Allow console log change (updfstab) +allow fsadm_t kernel_t:system syslog_console; + +# Access terminals. +can_access_pty(fsadm_t, initrc) +allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') +allow fsadm_t privfd:fd use; + +read_locale(fsadm_t) + +# for smartctl cron jobs +system_crond_entry(fsadm_exec_t, fsadm_t) + +# Access to /initrd devices +allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms; +allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms; +allow fsadm_t usbfs_t:dir { getattr search }; +allow fsadm_t ramfs_t:fifo_file rw_file_perms; +allow fsadm_t device_type:chr_file getattr; + +# for tune2fs +allow fsadm_t file_type:dir { getattr search }; diff --git a/mls/domains/program/ftpd.te b/mls/domains/program/ftpd.te new file mode 100644 index 0000000..b20252b --- /dev/null +++ b/mls/domains/program/ftpd.te @@ -0,0 +1,116 @@ +#DESC Ftpd - Ftp daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd +# + +################################# +# +# Rules for the ftpd_t domain +# +daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain') +etc_domain(ftpd) + +can_network(ftpd_t) +allow ftpd_t port_type:tcp_socket name_connect; +allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow ftpd_t self:unix_stream_socket create_socket_perms; +allow ftpd_t self:process { getcap setcap setsched setrlimit }; +allow ftpd_t self:fifo_file rw_file_perms; + +allow ftpd_t bin_t:dir search; +can_exec(ftpd_t, bin_t) +allow ftpd_t bin_t:lnk_file read; +read_sysctl(ftpd_t) + +allow ftpd_t urandom_device_t:chr_file { getattr read }; + +ifdef(`crond.te', ` +system_crond_entry(ftpd_exec_t, ftpd_t) +allow system_crond_t xferlog_t:file r_file_perms; +can_exec(ftpd_t, { sbin_t shell_exec_t }) +allow ftpd_t usr_t:file { getattr read }; +ifdef(`logrotate.te', ` +can_exec(ftpd_t, logrotate_exec_t) +')dnl end if logrotate.te +')dnl end if crond.te + +allow ftpd_t ftp_data_port_t:tcp_socket name_bind; +allow ftpd_t port_t:tcp_socket name_bind; + +# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally +type ftpd_lock_t, file_type, sysadmfile, lockfile; + +# Allow ftpd to run directly without inetd. +bool ftpd_is_daemon false; +if (ftpd_is_daemon) { +file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file) +allow ftpd_t ftp_port_t:tcp_socket name_bind; +can_tcp_connect(userdomain, ftpd_t) +# Allows it to check exec privs on daemon +allow inetd_t ftpd_exec_t:file x_file_perms; +} +ifdef(`inetd.te', ` +if (!ftpd_is_daemon) { +ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)') +domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t) + +# Use sockets inherited from inetd. +allow ftpd_t inetd_t:fd use; +allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Send SIGCHLD to inetd on death. +allow ftpd_t inetd_t:process sigchld; +} +') dnl end inetd.te + +# Access shared memory tmpfs instance. +tmpfs_domain(ftpd) + +# Use capabilities. +allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; + +# Append to /var/log/wtmp. +allow ftpd_t wtmp_t:file { getattr append }; +#kerberized ftp requires the following +allow ftpd_t wtmp_t:file { write lock }; + +# Create and modify /var/log/xferlog. +type xferlog_t, file_type, sysadmfile, logfile; +file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file) + +# Execute /bin/ls (can comment this out for proftpd) +# also may need rules to allow tar etc... +can_exec(ftpd_t, ls_exec_t) + +allow initrc_t ftpd_etc_t:file { getattr read }; +allow ftpd_t { etc_t etc_runtime_t }:file { getattr read }; +allow ftpd_t proc_t:file { getattr read }; + +dontaudit ftpd_t sysadm_home_dir_t:dir getattr; +dontaudit ftpd_t selinux_config_t:dir search; +allow ftpd_t autofs_t:dir search; +allow ftpd_t self:file { getattr read }; +tmp_domain(ftpd) + +# Allow ftp to read/write files in the user home directories. +bool ftp_home_dir false; + +if (ftp_home_dir) { +# allow access to /home +allow ftpd_t home_root_t:dir r_dir_perms; +create_dir_file(ftpd_t, home_type) +ifdef(`targeted_policy', ` +file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t) +') +} +if (use_nfs_home_dirs && ftp_home_dir) { + r_dir_file(ftpd_t, nfs_t) +} +if (use_samba_home_dirs && ftp_home_dir) { + r_dir_file(ftpd_t, cifs_t) +} +dontaudit ftpd_t selinux_config_t:dir search; +anonymous_domain(ftpd) + diff --git a/mls/domains/program/getty.te b/mls/domains/program/getty.te new file mode 100644 index 0000000..8101b49 --- /dev/null +++ b/mls/domains/program/getty.te @@ -0,0 +1,61 @@ +#DESC Getty - Manage ttys +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty +# + +################################# +# +# Rules for the getty_t domain. +# +init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite') + +etcdir_domain(getty) + +allow getty_t console_device_t:chr_file setattr; + +tmp_domain(getty) +log_domain(getty) + +allow getty_t { etc_t etc_runtime_t }:file { getattr read }; +allow getty_t etc_t:lnk_file read; +allow getty_t self:process { getpgid getsession }; +allow getty_t self:unix_dgram_socket create_socket_perms; +allow getty_t self:unix_stream_socket create_socket_perms; + +# Use capabilities. +allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }; + +read_locale(getty_t) + +# Run login in local_login_t domain. +allow getty_t { sbin_t bin_t }:dir search; +domain_auto_trans(getty_t, login_exec_t, local_login_t) + +# Write to /var/run/utmp. +allow getty_t { var_t var_run_t }:dir search; +allow getty_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow getty_t wtmp_t:file rw_file_perms; + +# Chown, chmod, read and write ttys. +allow getty_t tty_device_t:chr_file { setattr rw_file_perms }; +allow getty_t ttyfile:chr_file { setattr rw_file_perms }; +dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; + +# for error condition handling +allow getty_t fs_t:filesystem getattr; + +lock_domain(getty) +r_dir_file(getty_t, sysfs_t) +# for mgetty +var_run_domain(getty) +allow getty_t self:capability { fowner fsetid }; + +# +# getty needs to be able to run pppd +# +ifdef(`pppd.te', ` +domain_auto_trans(getty_t, pppd_exec_t, pppd_t) +') diff --git a/mls/domains/program/gpg-agent.te b/mls/domains/program/gpg-agent.te new file mode 100644 index 0000000..2942c6c --- /dev/null +++ b/mls/domains/program/gpg-agent.te @@ -0,0 +1,13 @@ +#DESC gpg-agent - agent to securely store gpg-keys +# +# Author: Thomas Bleher +# + +# Type for the gpg-agent executable. +type gpg_agent_exec_t, file_type, exec_type, sysadmfile; + +# type for the pinentry executable +type pinentry_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the gpg_agent_domain macro in +# macros/program/gpg_agent_macros.te. diff --git a/mls/domains/program/gpg.te b/mls/domains/program/gpg.te new file mode 100644 index 0000000..b9cadb5 --- /dev/null +++ b/mls/domains/program/gpg.te @@ -0,0 +1,15 @@ +#DESC GPG - Gnu Privacy Guard (PGP replacement) +# +# Authors: Russell Coker +# X-Debian-Packages: gnupg +# + +# Type for gpg or pgp executables. +type gpg_exec_t, file_type, sysadmfile, exec_type; +type gpg_helper_exec_t, file_type, sysadmfile, exec_type; + +allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search; +allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; + +# Everything else is in the gpg_domain macro in +# macros/program/gpg_macros.te. diff --git a/mls/domains/program/gpm.te b/mls/domains/program/gpm.te new file mode 100644 index 0000000..ff81d69 --- /dev/null +++ b/mls/domains/program/gpm.te @@ -0,0 +1,45 @@ +#DESC Gpm - General Purpose Mouse driver +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: gpm +# + +################################# +# +# Rules for the gpm_t domain. +# +# gpm_t is the domain of the console mouse server. +# gpm_exec_t is the type of the console mouse server program. +# gpmctl_t is the type of the Unix domain socket or pipe created +# by the console mouse server. +# +daemon_domain(gpm) + +type gpmctl_t, file_type, sysadmfile, dev_fs; + +tmp_domain(gpm) + +# Allow to read the /etc/gpm/ conf files +type gpm_conf_t, file_type, sysadmfile; +r_dir_file(gpm_t, gpm_conf_t) + +# Use capabilities. +allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config }; + +# Create and bind to /dev/gpmctl. +file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file }) +allow gpm_t gpmctl_t:unix_stream_socket name_bind; +allow gpm_t self:unix_dgram_socket create_socket_perms; +allow gpm_t self:unix_stream_socket create_stream_socket_perms; + +# Read and write ttys. +allow gpm_t tty_device_t:chr_file rw_file_perms; + +# Access the mouse. +allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms; +allow gpm_t device_t:lnk_file { getattr read }; + +read_locale(gpm_t) + +allow initrc_t gpmctl_t:sock_file setattr; + diff --git a/mls/domains/program/hald.te b/mls/domains/program/hald.te new file mode 100644 index 0000000..a51709a --- /dev/null +++ b/mls/domains/program/hald.te @@ -0,0 +1,104 @@ +#DESC hald - server for device info +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the hald_t domain. +# +# hald_exec_t is the type of the hald executable. +# +daemon_domain(hald, `, fs_domain, nscd_client_domain') + +can_exec_any(hald_t) + +allow hald_t { etc_t etc_runtime_t }:file { getattr read }; +allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow hald_t self:unix_dgram_socket create_socket_perms; + +ifdef(`dbusd.te', ` +allow hald_t system_dbusd_t:dbus { acquire_svc send_msg }; +dbusd_client(system, hald) +allow hald_t self:dbus send_msg; +') + +allow hald_t self:file { getattr read }; +allow hald_t proc_t:file rw_file_perms; + +allow hald_t { bin_t sbin_t }:dir search; +allow hald_t self:fifo_file rw_file_perms; +allow hald_t usr_t:file { getattr read }; +allow hald_t bin_t:file getattr; + +# For backwards compatibility with older kernels +allow hald_t self:netlink_socket create_socket_perms; + +allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; +allow hald_t self:netlink_route_socket r_netlink_socket_perms; +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio }; +can_network_server(hald_t) +can_ypbind(hald_t) + +allow hald_t device_t:lnk_file read; +allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl }; +allow hald_t removable_device_t:blk_file write; +allow hald_t event_device_t:chr_file { getattr read ioctl }; +allow hald_t printer_device_t:chr_file rw_file_perms; +allow hald_t urandom_device_t:chr_file read; +allow hald_t mouse_device_t:chr_file r_file_perms; +allow hald_t device_type:chr_file getattr; + +can_getsecurity(hald_t) + +ifdef(`updfstab.te', ` +domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t) +allow updfstab_t hald_t:dbus send_msg; +allow hald_t updfstab_t:dbus send_msg; +') +ifdef(`udev.te', ` +domain_auto_trans(hald_t, udev_exec_t, udev_t) +allow udev_t hald_t:unix_dgram_socket sendto; +allow hald_t udev_tbl_t:file { getattr read }; +') + +ifdef(`hotplug.te', ` +r_dir_file(hald_t, hotplug_etc_t) +') +allow hald_t fs_type:dir { search getattr }; +allow hald_t usbfs_t:dir r_dir_perms; +allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms; +allow hald_t bin_t:lnk_file read; +r_dir_file(hald_t, { selinux_config_t default_context_t } ) +allow hald_t initrc_t:dbus send_msg; +allow initrc_t hald_t:dbus send_msg; +allow hald_t etc_runtime_t:file rw_file_perms; +allow hald_t var_lib_t:dir search; +allow hald_t device_t:dir create_dir_perms; +allow hald_t device_t:chr_file create_file_perms; +tmp_domain(hald) +allow hald_t mnt_t:dir search; +r_dir_file(hald_t, proc_net_t) + +# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket +ifdef(`apmd.te', ` +allow hald_t apmd_var_run_t:sock_file write; +allow hald_t apmd_t:unix_stream_socket connectto; +') + +# For /usr/libexec/hald-probe-smbios +domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t) + +# ?? +ifdef(`lvm.te', ` +allow hald_t lvm_control_t:chr_file r_file_perms; +') +ifdef(`targeted_policy', ` +allow unconfined_t hald_t:dbus send_msg; +allow hald_t unconfined_t:dbus send_msg; +') +ifdef(`mount.te', ` +domain_auto_trans(hald_t, mount_exec_t, mount_t) +') +r_dir_file(hald_t, hwdata_t) diff --git a/mls/domains/program/hostname.te b/mls/domains/program/hostname.te new file mode 100644 index 0000000..2138baf --- /dev/null +++ b/mls/domains/program/hostname.te @@ -0,0 +1,28 @@ +#DESC hostname - show or set the system host name +# +# Author: Russell Coker +# X-Debian-Packages: hostname + +# for setting the hostname +daemon_core_rules(hostname, , nosysadm) +allow hostname_t self:capability sys_admin; +allow hostname_t etc_t:file { getattr read }; + +allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; +read_locale(hostname_t) +can_resolve(hostname_t) +allow hostname_t userdomain:fd use; +dontaudit hostname_t kernel_t:fd use; +allow hostname_t net_conf_t:file { getattr read }; +allow hostname_t self:unix_stream_socket create_stream_socket_perms; +dontaudit hostname_t var_t:dir search; +allow hostname_t fs_t:filesystem getattr; + +# for when /usr is not mounted +dontaudit hostname_t file_t:dir search; + +ifdef(`distro_redhat', ` +allow hostname_t tmpfs_t:chr_file rw_file_perms; +') +can_access_pty(hostname_t, initrc) +allow hostname_t initrc_t:fd use; diff --git a/mls/domains/program/hotplug.te b/mls/domains/program/hotplug.te new file mode 100644 index 0000000..d966b4b --- /dev/null +++ b/mls/domains/program/hotplug.te @@ -0,0 +1,160 @@ +#DESC Hotplug - Hardware event manager +# +# Author: Russell Coker +# X-Debian-Packages: hotplug +# + +################################# +# +# Rules for the hotplug_t domain. +# +# hotplug_exec_t is the type of the hotplug executable. +# +ifdef(`unlimitedUtils', ` +daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain') +', ` +daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain') +') + +etcdir_domain(hotplug) + +allow hotplug_t self:fifo_file { read write getattr ioctl }; +allow hotplug_t self:unix_dgram_socket create_socket_perms; +allow hotplug_t self:unix_stream_socket create_socket_perms; +allow hotplug_t self:udp_socket create_socket_perms; + +read_sysctl(hotplug_t) +allow hotplug_t sysctl_net_t:dir r_dir_perms; +allow hotplug_t sysctl_net_t:file { getattr read }; + +# get info from /proc +r_dir_file(hotplug_t, proc_t) +allow hotplug_t self:file { getattr read ioctl }; + +allow hotplug_t devtty_t:chr_file rw_file_perms; + +allow hotplug_t device_t:dir r_dir_perms; + +# for SSP +allow hotplug_t urandom_device_t:chr_file read; + +allow hotplug_t { bin_t sbin_t }:dir search; +allow hotplug_t { bin_t sbin_t }:lnk_file read; +can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t }) +ifdef(`hostname.te', ` +can_exec(hotplug_t, hostname_exec_t) +dontaudit hostname_t hotplug_t:fd use; +') +ifdef(`netutils.te', ` +ifdef(`distro_redhat', ` +# for arping used for static IP addresses on PCMCIA ethernet +domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t) + +allow hotplug_t tmpfs_t:dir search; +allow hotplug_t tmpfs_t:chr_file rw_file_perms; +')dnl end if distro_redhat +')dnl end if netutils.te + +allow initrc_t usbdevfs_t:file { getattr read ioctl }; +allow initrc_t modules_dep_t:file { getattr read ioctl }; +r_dir_file(hotplug_t, usbdevfs_t) +allow hotplug_t usbfs_t:dir r_dir_perms; +allow hotplug_t usbfs_t:file { getattr read }; + +# read config files +allow hotplug_t etc_t:dir r_dir_perms; +allow hotplug_t etc_t:{ file lnk_file } r_file_perms; + +allow hotplug_t kernel_t:process { sigchld setpgid }; + +ifdef(`distro_redhat', ` +allow hotplug_t var_lock_t:dir search; +allow hotplug_t var_lock_t:file getattr; +') + +ifdef(`hald.te', ` +allow hotplug_t hald_t:unix_dgram_socket sendto; +allow hald_t hotplug_etc_t:dir search; +allow hald_t hotplug_etc_t:file { getattr read }; +') + +# for killall +allow hotplug_t self:process { getsession getattr }; +allow hotplug_t self:file getattr; + +domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t) +ifdef(`mount.te', ` +domain_auto_trans(hotplug_t, mount_exec_t, mount_t) +') +domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t) +ifdef(`updfstab.te', ` +domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t) +') + +# init scripts run /etc/hotplug/usb.rc +domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t) +allow initrc_t hotplug_etc_t:dir r_dir_perms; + +ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)') + +r_dir_file(hotplug_t, modules_object_t) +allow hotplug_t modules_dep_t:file { getattr read ioctl }; + +# for lsmod +dontaudit hotplug_t self:capability { sys_module sys_admin }; + +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit hotplug_t self:capability { dac_override dac_read_search }; + +ifdef(`fsadm.te', ` +domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) +') + +allow hotplug_t var_log_t:dir search; + +# for ps +dontaudit hotplug_t domain:dir { getattr search }; +dontaudit hotplug_t { init_t kernel_t }:file read; +ifdef(`initrc.te', ` +can_ps(hotplug_t, initrc_t) +') + +# for when filesystems are not mounted early in the boot +dontaudit hotplug_t file_t:dir { search getattr }; + +# kernel threads inherit from shared descriptor table used by init +dontaudit hotplug_t initctl_t:fifo_file { read write }; + +# Read /usr/lib/gconv/.* +allow hotplug_t lib_t:file { getattr read }; + +allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +allow hotplug_t sysfs_t:dir { getattr read search write }; +allow hotplug_t sysfs_t:file rw_file_perms; +allow hotplug_t sysfs_t:lnk_file { getattr read }; +r_dir_file(hotplug_t, hwdata_t) +allow hotplug_t udev_runtime_t:file rw_file_perms; +ifdef(`lpd.te', ` +allow hotplug_t printer_device_t:chr_file setattr; +') +allow hotplug_t fixed_disk_device_t:blk_file setattr; +allow hotplug_t removable_device_t:blk_file setattr; +allow hotplug_t sound_device_t:chr_file setattr; + +ifdef(`udev.te', ` +domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t) +') + +file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file) + +can_network_server(hotplug_t) +can_ypbind(hotplug_t) +dbusd_client(system, hotplug) + +# Allow hotplug (including /sbin/ifup-local) to start/stop services +domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t) + +allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr }; +allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; + +dontaudit hotplug_t selinux_config_t:dir search; diff --git a/mls/domains/program/howl.te b/mls/domains/program/howl.te new file mode 100644 index 0000000..ccb2fb1 --- /dev/null +++ b/mls/domains/program/howl.te @@ -0,0 +1,21 @@ +#DESC howl - port of Apple Rendezvous multicast DNS +# +# Author: Russell Coker +# + +daemon_domain(howl, `, privsysmod') +r_dir_file(howl_t, proc_net_t) +can_network_server(howl_t) +can_ypbind(howl_t) +allow howl_t self:unix_dgram_socket create_socket_perms; +allow howl_t self:capability { kill net_admin sys_module }; + +allow howl_t self:fifo_file rw_file_perms; + +allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind; + +allow howl_t self:unix_dgram_socket create_socket_perms; + +allow howl_t etc_t:file { getattr read }; +allow howl_t initrc_var_run_t:file rw_file_perms; + diff --git a/mls/domains/program/hwclock.te b/mls/domains/program/hwclock.te new file mode 100644 index 0000000..e8beb31 --- /dev/null +++ b/mls/domains/program/hwclock.te @@ -0,0 +1,50 @@ +#DESC Hwclock - Hardware clock manager +# +# Author: David A. Wheeler +# Russell Coker +# X-Debian-Packages: util-linux +# + +################################# +# +# Rules for the hwclock_t domain. +# This domain moves time information between the "hardware clock" +# (which runs when the system is off) and the "system clock", +# and it stores adjustment values in /etc/adjtime so that errors in the +# hardware clock are corrected. +# Note that any errors from this domain are NOT recorded by the system logger, +# because the system logger isnt running when this domain is active. +# +daemon_base_domain(hwclock) +role sysadm_r types hwclock_t; +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) +') +type adjtime_t, file_type, sysadmfile; + +allow hwclock_t fs_t:filesystem getattr; + +read_locale(hwclock_t) + +# Give hwclock the capabilities it requires. dac_override is a surprise, +# but hwclock does require it. +allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; + +# Allow hwclock to set the hardware clock. +allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms }; + +# Allow hwclock to store & retrieve correction factors. +allow hwclock_t adjtime_t:file { setattr rw_file_perms }; + +# Read and write console and ttys. +allow hwclock_t tty_device_t:chr_file rw_file_perms; +allow hwclock_t ttyfile:chr_file rw_file_perms; +allow hwclock_t ptyfile:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') + +read_locale(hwclock_t) + +# for when /usr is not mounted +dontaudit hwclock_t file_t:dir search; +allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +r_dir_file(hwclock_t, etc_t) diff --git a/mls/domains/program/i18n_input.te b/mls/domains/program/i18n_input.te new file mode 100644 index 0000000..cdff6ca --- /dev/null +++ b/mls/domains/program/i18n_input.te @@ -0,0 +1,33 @@ +# i18n_input.te +# Security Policy for IIIMF htt server +# Date: 2004, 12th April (Monday) + +# Establish i18n_input as a daemon +daemon_domain(i18n_input) + +can_exec(i18n_input_t, i18n_input_exec_t) +can_network(i18n_input_t) +allow i18n_input_t port_type:tcp_socket name_connect; +can_ypbind(i18n_input_t) + +can_tcp_connect(userdomain, i18n_input_t) +can_unix_connect(i18n_input_t, initrc_t) + +allow i18n_input_t self:fifo_file rw_file_perms; +allow i18n_input_t i18n_input_port_t:tcp_socket name_bind; + +allow i18n_input_t self:capability { kill setgid setuid }; +allow i18n_input_t self:process { setsched setpgid }; + +allow i18n_input_t { bin_t sbin_t }:dir search; +can_exec(i18n_input_t, bin_t) + +allow i18n_input_t etc_t:file r_file_perms; +allow i18n_input_t self:unix_dgram_socket create_socket_perms; +allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; +allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms; +allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms; +allow i18n_input_t usr_t:file { getattr read }; +allow i18n_input_t home_root_t:dir search; +allow i18n_input_t etc_runtime_t:file { getattr read }; +allow i18n_input_t proc_t:file { getattr read }; diff --git a/mls/domains/program/ifconfig.te b/mls/domains/program/ifconfig.te new file mode 100644 index 0000000..6cccc32 --- /dev/null +++ b/mls/domains/program/ifconfig.te @@ -0,0 +1,74 @@ +#DESC Ifconfig - Configure network interfaces +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: net-tools +# + +################################# +# +# Rules for the ifconfig_t domain. +# +# ifconfig_t is the domain for the ifconfig program. +# ifconfig_exec_t is the type of the corresponding program. +# +type ifconfig_t, domain, privlog, privmodule; +type ifconfig_exec_t, file_type, sysadmfile, exec_type; + +role system_r types ifconfig_t; +role sysadm_r types ifconfig_t; + +uses_shlib(ifconfig_t) +general_domain_access(ifconfig_t) + +domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) +') + +# for /sbin/ip +allow ifconfig_t self:packet_socket create_socket_perms; +allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms; +allow ifconfig_t self:tcp_socket { create ioctl }; +allow ifconfig_t etc_t:file { getattr read }; + +allow ifconfig_t self:socket create_socket_perms; + +# Use capabilities. +allow ifconfig_t self:capability { net_raw net_admin }; +dontaudit ifconfig_t self:capability sys_module; +allow ifconfig_t self:capability sys_tty_config; + +# Inherit and use descriptors from init. +allow ifconfig_t { kernel_t init_t }:fd use; + +# Access /proc +r_dir_file(ifconfig_t, proc_t) +r_dir_file(ifconfig_t, proc_net_t) + +allow ifconfig_t privfd:fd use; +allow ifconfig_t run_init_t:fd use; + +# Create UDP sockets, necessary when called from dhcpc +allow ifconfig_t self:udp_socket create_socket_perms; + +# Access terminals. +can_access_pty(ifconfig_t, initrc) +allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') + +allow ifconfig_t tun_tap_device_t:chr_file { read write }; + +# ifconfig attempts to search some sysctl entries. +# Do not audit those attempts; comment out these rules if it is desired to +# see the denials. +allow ifconfig_t { sysctl_t sysctl_net_t }:dir search; + +allow ifconfig_t fs_t:filesystem getattr; + +read_locale(ifconfig_t) +allow ifconfig_t lib_t:file { getattr read }; + +rhgb_domain(ifconfig_t) +allow ifconfig_t userdomain:fd use; +dontaudit ifconfig_t root_t:file read; +r_dir_file(ifconfig_t, sysfs_t) diff --git a/mls/domains/program/inetd.te b/mls/domains/program/inetd.te new file mode 100644 index 0000000..5c88ab3 --- /dev/null +++ b/mls/domains/program/inetd.te @@ -0,0 +1,64 @@ +#DESC Inetd - Internet services daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# re-written with daemon_domain by Russell Coker +# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd +# + +################################# +# +# Rules for the inetd_t domain and +# the inetd_child_t domain. +# + +daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' ) + +can_network(inetd_t) +allow inetd_t port_type:tcp_socket name_connect; +allow inetd_t self:unix_dgram_socket create_socket_perms; +allow inetd_t self:unix_stream_socket create_socket_perms; +allow inetd_t self:fifo_file rw_file_perms; +allow inetd_t etc_t:file { getattr read ioctl }; +allow inetd_t self:process setsched; + +log_domain(inetd) +tmp_domain(inetd) + +# Use capabilities. +allow inetd_t self:capability { setuid setgid net_bind_service }; + +# allow any domain to connect to inetd +can_tcp_connect(userdomain, inetd_t) + +# Run each daemon with a defined domain in its own domain. +# These rules have been moved to the individual target domain .te files. + +# Run other daemons in the inetd_child_t domain. +allow inetd_t { bin_t sbin_t }:dir search; +allow inetd_t sbin_t:lnk_file read; + +# Bind to the telnet, ftp, rlogin and rsh ports. +ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;') +ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;') +ifdef(`talk.te', ` +allow inetd_t talk_port_t:tcp_socket name_bind; +allow inetd_t ntalk_port_t:tcp_socket name_bind; +') + +allow inetd_t auth_port_t:tcp_socket name_bind; +# Communicate with the portmapper. +ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') + + +inetd_child_domain(inetd_child) +allow inetd_child_t proc_net_t:dir search; +allow inetd_child_t proc_net_t:file { getattr read }; + +ifdef(`unconfined.te', ` +domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t) +') + +ifdef(`unlimitedInetd', ` +unconfined_domain(inetd_t) +') + diff --git a/mls/domains/program/init.te b/mls/domains/program/init.te new file mode 100644 index 0000000..dc5c050 --- /dev/null +++ b/mls/domains/program/init.te @@ -0,0 +1,147 @@ +#DESC Init - Process initialization +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysvinit +# + +################################# +# +# Rules for the init_t domain. +# +# init_t is the domain of the init process. +# init_exec_t is the type of the init program. +# initctl_t is the type of the named pipe created +# by init during initialization. This pipe is used +# to communicate with init. +# +type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite; +role system_r types init_t; +uses_shlib(init_t); +type init_exec_t, file_type, sysadmfile, exec_type; +type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject; + +# for init to determine whether SE Linux is active so it can know whether to +# activate it +allow init_t security_t:dir search; +allow init_t security_t:file { getattr read }; + +# for mount points +allow init_t file_t:dir search; + +# Use capabilities. +allow init_t self:capability ~sys_module; + +# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain. +domain_auto_trans(init_t, initrc_exec_t, initrc_t) + +# Run the shell in the sysadm_t domain for single-user mode. +domain_auto_trans(init_t, shell_exec_t, sysadm_t) + +# Run /sbin/update in the init_t domain. +can_exec(init_t, sbin_t) + +# Run init. +can_exec(init_t, init_exec_t) + +# Run chroot from initrd scripts. +ifdef(`chroot.te', ` +can_exec(init_t, chroot_exec_t) +') + +# Create /dev/initctl. +file_type_auto_trans(init_t, device_t, initctl_t, fifo_file) +ifdef(`distro_redhat', ` +file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file) +') + +# Create ioctl.save. +file_type_auto_trans(init_t, etc_t, etc_runtime_t, file) + +# Update /etc/ld.so.cache +allow init_t ld_so_cache_t:file rw_file_perms; + +# Allow access to log files +allow init_t var_t:dir search; +allow init_t var_log_t:dir search; +allow init_t var_log_t:file rw_file_perms; + +read_locale(init_t) + +# Create unix sockets +allow init_t self:unix_dgram_socket create_socket_perms; +allow init_t self:unix_stream_socket create_socket_perms; +allow init_t self:fifo_file rw_file_perms; + +# Permissions required for system startup +allow init_t { bin_t sbin_t }:dir r_dir_perms; +allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl }; + +# allow init to fork +allow init_t self:process { fork sigchld }; + +# Modify utmp. +allow init_t var_run_t:file rw_file_perms; +allow init_t initrc_var_run_t:file { setattr rw_file_perms }; +can_unix_connect(init_t, initrc_t) + +# For /var/run/shutdown.pid. +var_run_domain(init) + +# Shutdown permissions +r_dir_file(init_t, proc_t) +r_dir_file(init_t, self) +allow init_t devpts_t:dir r_dir_perms; + +# Modify wtmp. +allow init_t wtmp_t:file rw_file_perms; + +# Kill all processes. +allow init_t domain:process signal_perms; + +# Allow all processes to send SIGCHLD to init. +allow domain init_t:process { sigchld signull }; + +# If you load a new policy that removes active domains, processes can +# get stuck if you do not allow unlabeled processes to signal init +# If you load an incompatible policy, you should probably reboot, +# since you may have compromised system security. +allow unlabeled_t init_t:process sigchld; + +# for loading policy +allow init_t policy_config_t:file r_file_perms; + +# Set booleans. +can_setbool(init_t) + +# Read and write the console and ttys. +allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms; +ifdef(`distro_redhat', ` +allow init_t tmpfs_t:chr_file rw_file_perms; +') +allow init_t ttyfile:chr_file rw_file_perms; +allow init_t ptyfile:chr_file rw_file_perms; + +# Run system executables. +can_exec(init_t,bin_t) +ifdef(`consoletype.te', ` +can_exec(init_t, consoletype_exec_t) +') + +# Run /etc/X11/prefdm. +can_exec(init_t,etc_t) + +allow init_t lib_t:file { getattr read }; + +allow init_t devtty_t:chr_file { read write }; +allow init_t ramfs_t:dir search; +allow init_t ramfs_t:sock_file write; +r_dir_file(init_t, sysfs_t) + +r_dir_file(init_t, selinux_config_t) + +# file descriptors inherited from the rootfs. +dontaudit init_t root_t:{ file chr_file } { read write }; +ifdef(`targeted_policy', ` +unconfined_domain(init_t) +') + diff --git a/mls/domains/program/initrc.te b/mls/domains/program/initrc.te new file mode 100644 index 0000000..683e1e3 --- /dev/null +++ b/mls/domains/program/initrc.te @@ -0,0 +1,346 @@ +#DESC Initrc - System initialization scripts +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysvinit policycoreutils +# + +################################# +# +# Rules for the initrc_t domain. +# +# initrc_t is the domain of the init rc scripts. +# initrc_exec_t is the type of the init program. +# +# do not use privmail for sendmail as it creates a type transition conflict +type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans; + +role system_r types initrc_t; +uses_shlib(initrc_t); +can_network(initrc_t) +allow initrc_t port_type:tcp_socket name_connect; +can_ypbind(initrc_t) +type initrc_exec_t, file_type, sysadmfile, exec_type; + +# for halt to down interfaces +allow initrc_t self:udp_socket create_socket_perms; + +# read files in /etc/init.d +allow initrc_t etc_t:lnk_file r_file_perms; + +read_locale(initrc_t) + +r_dir_file(initrc_t, usr_t) + +# Read system information files in /proc. +r_dir_file(initrc_t, { proc_t proc_net_t }) +allow initrc_t proc_mdstat_t:file { getattr read }; + +# Allow IPC with self +allow initrc_t self:unix_dgram_socket create_socket_perms; +allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow initrc_t self:fifo_file rw_file_perms; + +# Read the root directory of a usbdevfs filesystem, and +# the devices and drivers files. Permit stating of the +# device nodes, but nothing else. +allow initrc_t usbdevfs_t:dir r_dir_perms; +allow initrc_t usbdevfs_t:lnk_file r_file_perms; +allow initrc_t usbdevfs_t:file getattr; +allow initrc_t usbfs_t:dir r_dir_perms; +allow initrc_t usbfs_t:file getattr; + +# allow initrc to fork and renice itself +allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched }; + +# Can create ptys for open_init_pty +can_create_pty(initrc) + +tmp_domain(initrc) +# +# Some initscripts generate scripts that they need to execute (ldap) +# +can_exec(initrc_t, initrc_tmp_t) + +var_run_domain(initrc) +allow initrc_t var_run_t:{ file sock_file lnk_file } unlink; +allow initrc_t var_run_t:dir { create rmdir }; + +ifdef(`distro_debian', ` +allow initrc_t { etc_t device_t }:dir setattr; + +# for storing state under /dev/shm +allow initrc_t tmpfs_t:dir setattr; +file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) +file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) +allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; +') + +allow initrc_t framebuf_device_t:chr_file r_file_perms; + +# Use capabilities. +allow initrc_t self:capability ~{ sys_admin sys_module }; + +# Use system operations. +allow initrc_t kernel_t:system *; + +# Set values in /proc/sys. +can_sysctl(initrc_t) + +# Run helper programs in the initrc_t domain. +allow initrc_t {bin_t sbin_t }:dir r_dir_perms; +allow initrc_t {bin_t sbin_t }:lnk_file read; +can_exec(initrc_t, etc_t) +can_exec(initrc_t, lib_t) +can_exec(initrc_t, bin_t) +can_exec(initrc_t, sbin_t) +can_exec(initrc_t, exec_type) +# +# These rules are here to allow init scripts to su +# +ifdef(`su.te', ` +su_restricted_domain(initrc,system) +role system_r types initrc_su_t; +') +allow initrc_t self:passwd rootok; + +# read /lib/modules +allow initrc_t modules_object_t:dir { search read }; + +# Read conf.modules. +allow initrc_t modules_conf_t:file r_file_perms; + +# Run other rc scripts in the initrc_t domain. +can_exec(initrc_t, initrc_exec_t) + +# Run init (telinit) in the initrc_t domain. +can_exec(initrc_t, init_exec_t) + +# Communicate with the init process. +allow initrc_t initctl_t:fifo_file rw_file_perms; + +# Read /proc/PID directories for all domains. +r_dir_file(initrc_t, domain) +allow initrc_t domain:process { getattr getsession }; + +# Mount and unmount file systems. +allow initrc_t fs_type:filesystem mount_fs_perms; +allow initrc_t file_t:dir { read search getattr mounton }; + +# during boot up initrc needs to do the following +allow initrc_t default_t:dir { write read search getattr mounton }; + +# rhgb-console writes to ramfs +allow initrc_t ramfs_t:fifo_file write; + +# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME. +file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file) + +# Update /etc/ld.so.cache. +allow initrc_t ld_so_cache_t:file rw_file_perms; + +# Update /var/log/wtmp and /var/log/dmesg. +allow initrc_t wtmp_t:file { setattr rw_file_perms }; +allow initrc_t var_log_t:dir rw_dir_perms; +allow initrc_t var_log_t:file create_file_perms; +allow initrc_t lastlog_t:file { setattr rw_file_perms }; +allow initrc_t logfile:file { read append }; + +# remove old locks +allow initrc_t lockfile:dir rw_dir_perms; +allow initrc_t lockfile:file { getattr unlink }; + +# Access /var/lib/random-seed. +allow initrc_t var_lib_t:file rw_file_perms; +allow initrc_t var_lib_t:file unlink; + +# Create lock file. +allow initrc_t var_lock_t:dir create_dir_perms; +allow initrc_t var_lock_t:file create_file_perms; + +# Set the clock. +allow initrc_t clock_device_t:devfile_class_set rw_file_perms; + +# Kill all processes. +allow initrc_t domain:process signal_perms; + +# Write to /dev/urandom. +allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms; + +# for cryptsetup +allow initrc_t fixed_disk_device_t:blk_file getattr; + +# Set device ownerships/modes. +allow initrc_t framebuf_device_t:chr_file setattr; +allow initrc_t misc_device_t:devfile_class_set setattr; +allow initrc_t device_t:devfile_class_set setattr; +allow initrc_t fixed_disk_device_t:devfile_class_set setattr; +allow initrc_t removable_device_t:devfile_class_set setattr; +allow initrc_t device_t:lnk_file read; +allow initrc_t xconsole_device_t:fifo_file setattr; + +# Stat any file. +allow initrc_t file_type:notdevfile_class_set getattr; +allow initrc_t file_type:dir { search getattr }; + +# Read and write console and ttys. +allow initrc_t devtty_t:chr_file rw_file_perms; +allow initrc_t console_device_t:chr_file rw_file_perms; +allow initrc_t tty_device_t:chr_file rw_file_perms; +allow initrc_t ttyfile:chr_file rw_file_perms; +allow initrc_t ptyfile:chr_file rw_file_perms; + +# Reset tty labels. +allow initrc_t ttyfile:chr_file relabelfrom; +allow initrc_t tty_device_t:chr_file relabelto; + +ifdef(`distro_redhat', ` +# Create and read /boot/kernel.h and /boot/System.map. +# Redhat systems typically create this file at boot time. +allow initrc_t boot_t:lnk_file rw_file_perms; +file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file) + +allow initrc_t tmpfs_t:chr_file rw_file_perms; +allow initrc_t tmpfs_t:dir r_dir_perms; + +# Allow initrc domain to set the enforcing flag. +can_setenforce(initrc_t) + +# +# readahead asks for these +# +allow initrc_t etc_aliases_t:file { getattr read }; +allow initrc_t var_lib_nfs_t:file { getattr read }; + +# for /halt /.autofsck and other flag files +file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file) + +file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file) +allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; +allow initrc_t self:capability sys_admin; +allow initrc_t device_t:dir create; +# wants to delete /poweroff and other files +allow initrc_t root_t:file unlink; +# wants to read /.fonts directory +allow initrc_t default_t:file { getattr read }; +ifdef(`xserver.te', ` +# wants to cleanup xserver log dir +allow initrc_t xserver_log_t:dir rw_dir_perms; +allow initrc_t xserver_log_t:file unlink; +') +')dnl end distro_redhat + +allow initrc_t system_map_t:{ file lnk_file } r_file_perms; +allow initrc_t var_spool_t:file rw_file_perms; + +# Allow access to the sysadm TTYs. Note that this will give access to the +# TTYs to any process in the initrc_t domain. Therefore, daemons and such +# started from init should be placed in their own domain. +allow initrc_t admin_tty_type:chr_file rw_file_perms; + +# Access sound device and files. +allow initrc_t sound_device_t:chr_file { setattr ioctl read write }; + +# Read user home directories. +allow initrc_t { home_root_t home_type }:dir r_dir_perms; +allow initrc_t home_type:file r_file_perms; + +# Read and unlink /var/run/*.pid files. +allow initrc_t pidfile:file { getattr read unlink }; + +# for system start scripts +allow initrc_t pidfile:dir { rmdir rw_dir_perms }; +allow initrc_t pidfile:sock_file unlink; + +rw_dir_create_file(initrc_t, var_lib_t) + +# allow start scripts to clean /tmp +allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir }; +allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink }; + +# for lsof which is used by alsa shutdown +dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; +dontaudit initrc_t proc_kmsg_t:file getattr; + +################################# +# +# Rules for the run_init_t domain. +# +ifdef(`targeted_policy', ` +type run_init_exec_t, file_type, sysadmfile, exec_type; +type run_init_t, domain; +domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) +allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; +allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; +typeattribute initrc_t privuser; +domain_trans(initrc_t, shell_exec_t, unconfined_t) +allow initrc_t unconfined_t:system syslog_mod; +', ` +run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t) +') +allow initrc_t privfd:fd use; + +# Transition to system_r:initrc_t upon executing init scripts. +ifdef(`direct_sysadm_daemon', ` +role_transition sysadm_r initrc_exec_t system_r; +domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t) +ifdef(`mls_policy', ` +typeattribute initrc_t mlsrangetrans; +range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255; +') +') + +# +# Shutting down xinet causes these +# +# Fam +dontaudit initrc_t device_t:dir { read write }; +# Rsync +dontaudit initrc_t mail_spool_t:lnk_file read; + +allow initrc_t sysfs_t:dir { getattr read search }; +allow initrc_t sysfs_t:file { getattr read write }; +allow initrc_t sysfs_t:lnk_file { getattr read }; +allow initrc_t udev_runtime_t:file rw_file_perms; +allow initrc_t device_type:chr_file setattr; +allow initrc_t binfmt_misc_fs_t:dir { getattr search }; +allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write }; + +# for lsof in shutdown scripts +can_kerberos(initrc_t) + +# +# Wants to remove udev.tbl +# +allow initrc_t device_t:dir rw_dir_perms; +allow initrc_t device_t:lnk_file unlink; + +r_dir_file(initrc_t,selinux_config_t) + +ifdef(`unlimitedRC', ` +unconfined_domain(initrc_t) +') +# +# initrc script does a cat /selinux/enforce +# +allow initrc_t security_t:dir { getattr search }; +allow initrc_t security_t:file { getattr read }; + +# init script state +type initrc_state_t, file_type, sysadmfile; +create_dir_file(initrc_t,initrc_state_t) + +ifdef(`distro_gentoo', ` +# Gentoo integrated run_init+open_init_pty-runscript: +domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) +') +allow initrc_t self:netlink_route_socket r_netlink_socket_perms; +allow initrc_t device_t:lnk_file create_file_perms; +ifdef(`dbusd.te', ` +allow initrc_t system_dbusd_var_run_t:sock_file write; +') + +# Slapd needs to read cert files from its initscript +r_dir_file(initrc_t, cert_t) +ifdef(`use_mcs', ` +range_transition sysadm_t initrc_exec_t s0; +') diff --git a/mls/domains/program/innd.te b/mls/domains/program/innd.te new file mode 100644 index 0000000..25047df --- /dev/null +++ b/mls/domains/program/innd.te @@ -0,0 +1,81 @@ +#DESC INN - InterNetNews server +# +# Author: Faye Coker +# X-Debian-Packages: inn +# +################################ + +# Types for the server port and news spool. +# +type news_spool_t, file_type, sysadmfile; + + +# need privmail attribute so innd can access system_mail_t +daemon_domain(innd, `, privmail') + +# allow innd to create files and directories of type news_spool_t +create_dir_file(innd_t, news_spool_t) + +# allow user domains to read files and directories these types +r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t }) + +can_exec(initrc_t, innd_etc_t) +can_exec(innd_t, { innd_exec_t bin_t shell_exec_t }) +ifdef(`hostname.te', ` +can_exec(innd_t, hostname_exec_t) +') + +allow innd_t var_spool_t:dir { getattr search }; + +can_network(innd_t) +allow innd_t port_type:tcp_socket name_connect; +can_ypbind(innd_t) + +can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } ) +allow innd_t self:unix_dgram_socket create_socket_perms; +allow innd_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(innd_t, self) + +allow innd_t self:fifo_file rw_file_perms; +allow innd_t innd_port_t:tcp_socket name_bind; + +allow innd_t self:capability { dac_override kill setgid setuid net_bind_service }; +allow innd_t self:process setsched; + +allow innd_t { bin_t sbin_t }:dir search; +allow innd_t usr_t:lnk_file read; +allow innd_t usr_t:file { getattr read ioctl }; +allow innd_t lib_t:file ioctl; +allow innd_t etc_t:file { getattr read }; +allow innd_t { proc_t etc_runtime_t }:file { getattr read }; +allow innd_t urandom_device_t:chr_file read; + +allow innd_t innd_var_run_t:sock_file create_file_perms; + +# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type +etcdir_domain(innd) + +# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that +# it can write to +logdir_domain(innd) + +# allow innd read-write directory permissions to /var/lib/news. +var_lib_domain(innd) + +ifdef(`crond.te', ` +system_crond_entry(innd_exec_t, innd_t) +allow system_crond_t innd_etc_t:file { getattr read }; +rw_dir_create_file(system_crond_t, innd_log_t) +rw_dir_create_file(system_crond_t, innd_var_run_t) +') + +ifdef(`syslogd.te', ` +allow syslogd_t innd_log_t:dir search; +allow syslogd_t innd_log_t:file create_file_perms; +') + +allow innd_t self:file { getattr read }; +dontaudit innd_t selinux_config_t:dir { search }; +allow system_crond_t innd_etc_t:file { getattr read }; +allow innd_t bin_t:lnk_file { read }; +allow innd_t sbin_t:lnk_file { read }; diff --git a/mls/domains/program/ipsec.te b/mls/domains/program/ipsec.te new file mode 100644 index 0000000..ea45a36 --- /dev/null +++ b/mls/domains/program/ipsec.te @@ -0,0 +1,229 @@ +#DESC ipsec - TCP/IP encryption +# +# Authors: Mark Westerman mark.westerman@westcam.com +# massively butchered by paul krumviede +# further massaged by Chris Vance +# X-Debian-Packages: freeswan +# +######################################## +# +# Rules for the ipsec_t domain. +# +# a domain for things that need access to the PF_KEY socket +daemon_base_domain(ipsec, `, privlog') + +# type for ipsec configuration file(s) - not for keys +type ipsec_conf_file_t, file_type, sysadmfile; + +# type for file(s) containing ipsec keys - RSA or preshared +type ipsec_key_file_t, file_type, sysadmfile; + +# type for runtime files, including pluto.ctl +# lots of strange stuff for the ipsec_var_run_t - need to check it +var_run_domain(ipsec) + +type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain; +type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file) +file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file) +file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file) + +allow ipsec_mgmt_t modules_object_t:dir search; +allow ipsec_mgmt_t modules_object_t:file getattr; + +allow ipsec_t self:capability { net_admin net_bind_service }; +allow ipsec_t self:process signal; +allow ipsec_t etc_t:lnk_file read; + +domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t) + +# Inherit and use descriptors from init. +# allow access (for, e.g., klipsdebug) to console +allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms; +allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use; + +# I do not know where this pesky pipe is... +allow ipsec_t initrc_t:fifo_file write; + +r_dir_file(ipsec_t, ipsec_conf_file_t) +r_dir_file(ipsec_t, ipsec_key_file_t) +allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl }; +rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t) + +allow ipsec_t self:key_socket { create write read setopt }; + +# for lsof +allow sysadm_t ipsec_t:key_socket getattr; + +# the ipsec wrapper wants to run /usr/bin/logger (should we put +# it in its own domain?) +can_exec(ipsec_mgmt_t, bin_t) +# logger, running in ipsec_mgmt_t needs to use sockets +allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms; +allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms; + +# also need to run things like whack and shell scripts +can_exec(ipsec_mgmt_t, ipsec_exec_t) +can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) +allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; +can_exec(ipsec_mgmt_t, shell_exec_t) +can_exec(ipsec_t, shell_exec_t) +can_exec(ipsec_t, bin_t) +can_exec(ipsec_t, ipsec_mgmt_exec_t) +# now for a icky part... +# pluto runs an updown script (by calling popen()!); as this is by default +# a shell script, we need to find a way to make things work without +# letting all sorts of stuff possibly be run... +# so try flipping back into the ipsec_mgmt_t domain +domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t) +allow ipsec_mgmt_t ipsec_t:fd use; + +# the default updown script wants to run route +can_exec(ipsec_mgmt_t, sbin_t) +allow ipsec_mgmt_t sbin_t:lnk_file read; +allow ipsec_mgmt_t self:capability { net_admin dac_override }; + +# need access to /proc/sys/net/ipsec/icmp +allow ipsec_mgmt_t sysctl_t:file write; +allow ipsec_mgmt_t sysctl_net_t:dir search; +allow ipsec_mgmt_t sysctl_net_t:file { write setattr }; + +# whack needs to be able to read/write pluto.ctl +allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write }; +# and it wants to connect to a socket... +allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write }; + +# allow system administrator to use the ipsec script to look +# at things (e.g., ipsec auto --status) +# probably should create an ipsec_admin role for this kind of thing +can_exec(sysadm_t, ipsec_mgmt_exec_t) +allow sysadm_t ipsec_t:unix_stream_socket connectto; + +# _realsetup needs to be able to cat /var/run/pluto.pid, +# run ps on that pid, and delete the file +allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms; + +allow ipsec_mgmt_t boot_t:dir search; +allow ipsec_mgmt_t system_map_t:file { read getattr }; + +# denials when ps tries to search /proc. Do not audit these denials. +dontaudit ipsec_mgmt_t domain:dir r_dir_perms; + +# suppress audit messages about unnecessary socket access +dontaudit ipsec_mgmt_t domain:key_socket { read write }; +dontaudit ipsec_mgmt_t domain:udp_socket { read write }; + +# from rbac +role system_r types { ipsec_t ipsec_mgmt_t }; + +# from initrc.te +domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t) +domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t) + + +########## The following rules were added by cvance@tislabs.com ########## + +# allow pluto and startup scripts to access /dev/urandom +allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms; + +# allow pluto to access /proc/net/ipsec_eroute; +general_proc_read_access(ipsec_t) +general_proc_read_access(ipsec_mgmt_t) + +# allow pluto to search the root directory (not sure why, but mostly harmless) +# Are these all really necessary? +allow ipsec_t var_t:dir search; +allow ipsec_t bin_t:dir search; +allow ipsec_t device_t:dir { getattr search }; +allow ipsec_mgmt_t device_t:dir { getattr search read }; +dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr; +dontaudit ipsec_mgmt_t devpts_t:dir getattr; +allow ipsec_mgmt_t etc_t:lnk_file read; +allow ipsec_mgmt_t var_t:dir search; +allow ipsec_mgmt_t sbin_t:dir search; +allow ipsec_mgmt_t bin_t:dir search; +allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read }; + +# Startup scripts +# use libraries +uses_shlib({ ipsec_t ipsec_mgmt_t }) +# Read and write /dev/tty +allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms; +# fork +allow ipsec_mgmt_t self:process fork; +# startup script runs /bin/gawk with a pipe +allow ipsec_mgmt_t self:fifo_file rw_file_perms; +# read /etc/mtab Why? +allow ipsec_mgmt_t etc_runtime_t:file { read getattr }; +# read link for /bin/sh +allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read; + +# +allow ipsec_mgmt_t self:process { sigchld signal setrlimit }; + +# Allow read/write access to /var/run/pluto.ctl +allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write }; + +# Pluto needs network access +can_network_server(ipsec_t) +can_ypbind(ipsec_t) +allow ipsec_t self:unix_dgram_socket create_socket_perms; + +# for sleep +allow ipsec_mgmt_t fs_t:filesystem getattr; + +# for the start script +can_exec(ipsec_mgmt_t, etc_t) + +# allow access to /etc/localtime +allow ipsec_mgmt_t etc_t:file { read getattr }; +allow ipsec_t etc_t:file { read getattr }; + +# allow access to /dev/null +allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms; +allow ipsec_t null_device_t:chr_file rw_file_perms; + +# Allow scripts to use /var/lock/subsys/ipsec +lock_domain(ipsec_mgmt) + +# allow tncfg to create sockets +allow ipsec_mgmt_t self:udp_socket { create ioctl }; + +#When running ipsec auto --up +allow ipsec_t self:process { fork sigchld }; +allow ipsec_t self:fifo_file { read getattr }; + +# ideally it would not need this. It wants to write to /root/.rnd +file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) + +allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl }; +allow ipsec_t initrc_devpts_t:chr_file { getattr read write }; +allow ipsec_mgmt_t self:lnk_file read; + +allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search }; +read_locale(ipsec_mgmt_t) +var_run_domain(ipsec_mgmt) +dontaudit ipsec_mgmt_t default_t:dir getattr; +dontaudit ipsec_mgmt_t default_t:file getattr; +allow ipsec_mgmt_t tmpfs_t:dir { getattr read }; +allow ipsec_mgmt_t self:key_socket { create setopt }; +can_exec(ipsec_mgmt_t, initrc_exec_t) +allow ipsec_t self:netlink_xfrm_socket create_socket_perms; +allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; +read_locale(ipsec_t) +ifdef(`consoletype.te', ` +can_exec(ipsec_mgmt_t, consoletype_exec_t ) +') +dontaudit ipsec_mgmt_t selinux_config_t:dir search; +dontaudit ipsec_t ttyfile:chr_file { read write }; +allow ipsec_t self:capability { dac_override dac_read_search }; +allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind; +allow ipsec_mgmt_t dev_fs:file_class_set getattr; +dontaudit ipsec_mgmt_t device_t:lnk_file read; +allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms; +allow ipsec_mgmt_t sysctl_net_t:file { getattr read }; +rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t) +rw_dir_create_file(initrc_t, ipsec_var_run_t) +allow initrc_t ipsec_conf_file_t:file { getattr read ioctl }; diff --git a/mls/domains/program/iptables.te b/mls/domains/program/iptables.te new file mode 100644 index 0000000..8d83280 --- /dev/null +++ b/mls/domains/program/iptables.te @@ -0,0 +1,63 @@ +#DESC Ipchains - IP packet filter administration +# +# Authors: Justin Smith +# Russell Coker +# X-Debian-Packages: ipchains iptables +# + +# +# Rules for the iptables_t domain. +# +daemon_base_domain(iptables, `, privmodule') +role sysadm_r types iptables_t; +domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t) + +ifdef(`modutil.te', ` +# for modprobe +allow iptables_t sbin_t:dir search; +allow iptables_t sbin_t:lnk_file read; +') + +read_locale(iptables_t) + +# to allow rules to be saved on reboot +allow iptables_t initrc_tmp_t:file rw_file_perms; + +domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t) +allow iptables_t var_t:dir search; +var_run_domain(iptables) + +allow iptables_t self:process { fork signal_perms }; + +allow iptables_t { sysctl_t sysctl_kernel_t }:dir search; +allow iptables_t sysctl_modprobe_t:file { getattr read }; + +tmp_domain(iptables) + +# for iptables -L +allow iptables_t self:unix_stream_socket create_socket_perms; +can_resolve(iptables_t) +can_ypbind(iptables_t) + +allow iptables_t iptables_exec_t:file execute_no_trans; +allow iptables_t self:capability { net_admin net_raw }; +allow iptables_t self:rawip_socket create_socket_perms; + +allow iptables_t etc_t:file { getattr read }; + +allow iptables_t fs_t:filesystem getattr; +allow iptables_t { userdomain kernel_t }:fd use; + +# Access terminals. +allow iptables_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') + +allow iptables_t proc_t:file { getattr read }; +allow iptables_t proc_net_t:dir search; +allow iptables_t proc_net_t:file { read getattr }; + +# system-config-network appends to /var/log +allow iptables_t var_log_t:file append; +ifdef(`firstboot.te', ` +allow iptables_t firstboot_t:fifo_file write; +') diff --git a/mls/domains/program/irc.te b/mls/domains/program/irc.te new file mode 100644 index 0000000..50c1122 --- /dev/null +++ b/mls/domains/program/irc.te @@ -0,0 +1,12 @@ +#DESC Irc - IRC client +# +# Domains for the irc program. +# X-Debian-Packages: tinyirc ircii + +# +# irc_exec_t is the type of the irc executable. +# +type irc_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the irc_domain macro in +# macros/program/irc_macros.te. diff --git a/mls/domains/program/irqbalance.te b/mls/domains/program/irqbalance.te new file mode 100644 index 0000000..35be192 --- /dev/null +++ b/mls/domains/program/irqbalance.te @@ -0,0 +1,15 @@ +#DESC IRQBALANCE - IRQ balance daemon +# +# Author: Ulrich Drepper +# + +################################# +# +# Rules for the irqbalance_t domain. +# +daemon_domain(irqbalance) + +# irqbalance needs access to /proc. +allow irqbalance_t proc_t:file { read getattr }; +allow irqbalance_t sysctl_irq_t:dir r_dir_perms; +allow irqbalance_t sysctl_irq_t:file rw_file_perms; diff --git a/mls/domains/program/java.te b/mls/domains/program/java.te new file mode 100644 index 0000000..dfd0372 --- /dev/null +++ b/mls/domains/program/java.te @@ -0,0 +1,14 @@ +#DESC Java VM +# +# Authors: Dan Walsh +# X-Debian-Packages: java +# + +# Type for the netscape, java or other browser executables. +type java_exec_t, file_type, sysadmfile, exec_type; + +# Allow java executable stack +bool allow_java_execstack false; + +# Everything else is in the java_domain macro in +# macros/program/java_macros.te. diff --git a/mls/domains/program/kerberos.te b/mls/domains/program/kerberos.te new file mode 100644 index 0000000..19cc3c4 --- /dev/null +++ b/mls/domains/program/kerberos.te @@ -0,0 +1,91 @@ +#DESC Kerberos5 - MIT Kerberos5 +# supports krb5kdc and kadmind daemons +# kinit, kdestroy, klist clients +# ksu support not complete +# +# includes rules for OpenSSH daemon compiled with both +# kerberos5 and SELinux support +# +# Not supported : telnetd, ftpd, kprop/kpropd daemons +# +# Author: Kerry Thompson +# Modified by Colin Walters +# + +################################# +# +# Rules for the krb5kdc_t,kadmind_t domains. +# +daemon_domain(krb5kdc) +daemon_domain(kadmind) + +can_exec(krb5kdc_t, krb5kdc_exec_t) +can_exec(kadmind_t, kadmind_exec_t) + +# types for general configuration files in /etc +type krb5_keytab_t, file_type, sysadmfile, secure_file_type; + +# types for KDC configs and principal file(s) +type krb5kdc_conf_t, file_type, sysadmfile; +type krb5kdc_principal_t, file_type, sysadmfile; + +# Use capabilities. Surplus capabilities may be allowed. +allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice }; +allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice }; + +# krb5kdc and kadmind can use network +can_network_server( { krb5kdc_t kadmind_t } ) +can_ypbind( { krb5kdc_t kadmind_t } ) + +# allow UDP transfer to/from any program +can_udp_send(kerberos_port_t, krb5kdc_t) +can_udp_send(krb5kdc_t, kerberos_port_t) +can_tcp_connect(kerberos_port_t, krb5kdc_t) +can_tcp_connect(kerberos_admin_port_t, kadmind_t) + +# Bind to the kerberos, kerberos-adm ports. +allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind; +allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind; +allow kadmind_t reserved_port_t:tcp_socket name_bind; +dontaudit kadmind_t reserved_port_type:tcp_socket name_bind; + +# +# Rules for Kerberos5 KDC daemon +allow krb5kdc_t self:unix_dgram_socket create_socket_perms; +allow krb5kdc_t self:unix_stream_socket create_socket_perms; +allow kadmind_t self:unix_stream_socket create_socket_perms; +allow krb5kdc_t krb5kdc_conf_t:dir search; +allow krb5kdc_t krb5kdc_conf_t:file r_file_perms; +allow krb5kdc_t krb5kdc_principal_t:file r_file_perms; +dontaudit krb5kdc_t krb5kdc_principal_t:file write; +allow krb5kdc_t locale_t:file { getattr read }; +dontaudit krb5kdc_t krb5kdc_conf_t:file write; +allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search }; +allow { kadmind_t krb5kdc_t } etc_t:file { getattr read }; +allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms; +dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write; +tmp_domain(krb5kdc) +log_domain(krb5kdc) +allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read }; +allow kadmind_t random_device_t:chr_file { getattr read }; +allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; +allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; +allow krb5kdc_t proc_t:dir r_dir_perms; +allow krb5kdc_t proc_t:file { getattr read }; + +# +# Rules for Kerberos5 Kadmin daemon +allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t krb5kdc_conf_t:dir search; +allow kadmind_t krb5kdc_conf_t:file r_file_perms; +allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr }; +read_locale(kadmind_t) +dontaudit kadmind_t krb5kdc_conf_t:file write; +tmp_domain(kadmind) +log_domain(kadmind) + +# +# Allow user programs to talk to KDC +allow krb5kdc_t userdomain:udp_socket recvfrom; +allow userdomain krb5kdc_t:udp_socket recvfrom; +allow initrc_t krb5_conf_t:file ioctl; diff --git a/mls/domains/program/klogd.te b/mls/domains/program/klogd.te new file mode 100644 index 0000000..dd0b79c --- /dev/null +++ b/mls/domains/program/klogd.te @@ -0,0 +1,48 @@ +#DESC Klogd - Kernel log daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: klogd +# + +################################# +# +# Rules for the klogd_t domain. +# +daemon_domain(klogd, `, privmem, privkmsg, mlsfileread') + +tmp_domain(klogd) +allow klogd_t proc_t:dir r_dir_perms; +allow klogd_t proc_t:lnk_file r_file_perms; +allow klogd_t proc_t:file { getattr read }; +allow klogd_t self:dir r_dir_perms; +allow klogd_t self:lnk_file r_file_perms; + +# read /etc/nsswitch.conf +allow klogd_t etc_t:lnk_file read; +allow klogd_t etc_t:file r_file_perms; + +read_locale(klogd_t) + +allow klogd_t etc_runtime_t:file { getattr read }; + +# Create unix sockets +allow klogd_t self:unix_dgram_socket create_socket_perms; + +# Use the sys_admin and sys_rawio capabilities. +allow klogd_t self:capability { sys_admin sys_rawio }; +dontaudit klogd_t self:capability sys_resource; + + +# Read /proc/kmsg and /dev/mem. +allow klogd_t proc_kmsg_t:file r_file_perms; +allow klogd_t memory_device_t:chr_file r_file_perms; + +# Control syslog and console logging +allow klogd_t kernel_t:system { syslog_mod syslog_console }; + +# Read /boot/System.map* +allow klogd_t system_map_t:file r_file_perms; +allow klogd_t boot_t:dir r_dir_perms; +ifdef(`targeted_policy', ` +allow klogd_t unconfined_t:system syslog_mod; +') diff --git a/mls/domains/program/ktalkd.te b/mls/domains/program/ktalkd.te new file mode 100644 index 0000000..7ae0109 --- /dev/null +++ b/mls/domains/program/ktalkd.te @@ -0,0 +1,14 @@ +#DESC ktalkd - KDE version of the talk server +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the ktalkd_t domain. +# +# ktalkd_exec_t is the type of the ktalkd executable. +# + +inetd_child_domain(ktalkd, udp) diff --git a/mls/domains/program/kudzu.te b/mls/domains/program/kudzu.te new file mode 100644 index 0000000..9b64f98 --- /dev/null +++ b/mls/domains/program/kudzu.te @@ -0,0 +1,117 @@ +#DESC kudzu - Red Hat utility to recognise new hardware +# +# Author: Russell Coker +# + +daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem') + +read_locale(kudzu_t) + +# for /etc/sysconfig/hwconf - probably need a new type +allow kudzu_t etc_runtime_t:file rw_file_perms; + +# for kmodule +if (allow_execmem) { +allow kudzu_t self:process execmem; +} +allow kudzu_t zero_device_t:chr_file rx_file_perms; +allow kudzu_t memory_device_t:chr_file { read write execute }; + +allow kudzu_t ramfs_t:dir search; +allow kudzu_t ramfs_t:sock_file write; +allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t modules_conf_t:file { getattr read unlink rename }; +allow kudzu_t modules_object_t:dir r_dir_perms; +allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; +allow kudzu_t mouse_device_t:chr_file { read write }; +allow kudzu_t proc_net_t:dir r_dir_perms; +allow kudzu_t { proc_net_t proc_t }:file { getattr read }; +allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; +allow kudzu_t scsi_generic_device_t:chr_file r_file_perms; +allow kudzu_t { bin_t sbin_t }:dir { getattr search }; +allow kudzu_t { bin_t sbin_t }:lnk_file read; +read_sysctl(kudzu_t) +allow kudzu_t sysctl_dev_t:dir { getattr search read }; +allow kudzu_t sysctl_dev_t:file { getattr read }; +allow kudzu_t sysctl_kernel_t:file write; +allow kudzu_t usbdevfs_t:dir search; +allow kudzu_t usbdevfs_t:file { getattr read }; +allow kudzu_t usbfs_t:dir search; +allow kudzu_t usbfs_t:file { getattr read }; +var_run_domain(kudzu) +allow kudzu_t kernel_t:system syslog_console; +allow kudzu_t self:udp_socket { create ioctl }; +allow kudzu_t var_lock_t:dir search; +allow kudzu_t devpts_t:dir search; + +# so it can write messages to the console +allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms; + +role sysadm_r types kudzu_t; +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t) +') +ifdef(`anaconda.te', ` +domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t) +') + +allow kudzu_t sysadm_home_dir_t:dir search; +rw_dir_create_file(kudzu_t, etc_t) + +rw_dir_create_file(kudzu_t, mnt_t) +can_exec(kudzu_t, { bin_t sbin_t init_exec_t }) +# Read /usr/lib/gconv/gconv-modules.* +allow kudzu_t lib_t:file { read getattr }; +# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux +allow kudzu_t usr_t:file { read getattr }; +r_dir_file(kudzu_t, hwdata_t) + +# Communicate with rhgb-client. +allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kudzu_t self:unix_dgram_socket create_socket_perms; + +ifdef(`rhgb.te', ` +allow kudzu_t rhgb_t:unix_stream_socket connectto; +') + +allow kudzu_t self:file { getattr read }; +allow kudzu_t self:fifo_file rw_file_perms; +ifdef(`gpm.te', ` +allow kudzu_t gpmctl_t:sock_file getattr; +') + +can_exec(kudzu_t, shell_exec_t) + +# Write to /proc/sys/kernel/hotplug. Why? +allow kudzu_t sysctl_hotplug_t:file { read write }; + +allow kudzu_t sysfs_t:dir { getattr read search }; +allow kudzu_t sysfs_t:file { getattr read }; +allow kudzu_t sysfs_t:lnk_file read; +file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file) +allow kudzu_t tape_device_t:chr_file r_file_perms; +tmp_domain(kudzu, `', `{ file dir chr_file }') + +# for file systems that are not yet mounted +dontaudit kudzu_t file_t:dir search; +ifdef(`lpd.te', ` +allow kudzu_t printconf_t:file { getattr read }; +') +ifdef(`cups.te', ` +allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; +') +dontaudit kudzu_t src_t:dir search; +ifdef(`xserver.te', ` +allow kudzu_t xserver_exec_t:file getattr; +') + +ifdef(`userhelper.te', ` +role system_r types sysadm_userhelper_t; +domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) +', ` +unconfined_domain(kudzu_t) +') + +allow kudzu_t initrc_t:unix_stream_socket connectto; +allow kudzu_t net_conf_t:file { getattr read }; + diff --git a/mls/domains/program/ldconfig.te b/mls/domains/program/ldconfig.te new file mode 100644 index 0000000..fbb7688 --- /dev/null +++ b/mls/domains/program/ldconfig.te @@ -0,0 +1,52 @@ +#DESC Ldconfig - Configure dynamic linker bindings +# +# Author: Russell Coker +# X-Debian-Packages: libc6 +# + +################################# +# +# Rules for the ldconfig_t domain. +# +type ldconfig_t, domain, privlog, etc_writer; +type ldconfig_exec_t, file_type, sysadmfile, exec_type; + +role sysadm_r types ldconfig_t; +role system_r types ldconfig_t; + +domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t) +dontaudit ldconfig_t device_t:dir search; +can_access_pty(ldconfig_t, initrc) +allow ldconfig_t admin_tty_type:chr_file rw_file_perms; +allow ldconfig_t privfd:fd use; + +uses_shlib(ldconfig_t) + +file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file) +allow ldconfig_t lib_t:dir rw_dir_perms; +allow ldconfig_t lib_t:lnk_file create_lnk_perms; + +allow ldconfig_t userdomain:fd use; +# unlink for when /etc/ld.so.cache is mislabeled +allow ldconfig_t etc_t:file { getattr read unlink }; +allow ldconfig_t etc_t:lnk_file read; + +allow ldconfig_t fs_t:filesystem getattr; +allow ldconfig_t tmp_t:dir search; + +ifdef(`apache.te', ` +# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway +dontaudit ldconfig_t httpd_modules_t:dir search; +') + +allow ldconfig_t { var_t var_lib_t }:dir search; +allow ldconfig_t proc_t:file { getattr read }; +ifdef(`hide_broken_symptoms', ` +ifdef(`unconfined.te',` +dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; +'); +')dnl end hide_broken_symptoms +ifdef(`targeted_policy', ` +allow ldconfig_t lib_t:file r_file_perms; +unconfined_domain(ldconfig_t) +') diff --git a/mls/domains/program/load_policy.te b/mls/domains/program/load_policy.te new file mode 100644 index 0000000..3d43900 --- /dev/null +++ b/mls/domains/program/load_policy.te @@ -0,0 +1,65 @@ +#DESC LoadPolicy - SELinux policy loading utilities +# +# Authors: Frank Mayer, mayerf@tresys.com +# X-Debian-Packages: policycoreutils +# + +########################### +# load_policy_t is the domain type for load_policy +# load_policy_exec_t is the file type for the executable + +# boolean to determine whether the system permits loading policy, setting +# enforcing mode, and changing boolean values. Set this to true and you +# have to reboot to set it back +bool secure_mode_policyload false; + +type load_policy_t, domain; +role sysadm_r types load_policy_t; +role secadm_r types load_policy_t; +role system_r types load_policy_t; + +type load_policy_exec_t, file_type, exec_type, sysadmfile; + +########################## +# +# Rules + +domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t) + +allow load_policy_t console_device_t:chr_file { read write }; + +# Reload the policy configuration (sysadm_t no longer has this ability) +can_loadpol(load_policy_t) + +# Reset policy boolean values. +can_setbool(load_policy_t) + + +########################### +# constrain from where load_policy can load a policy, specifically +# policy_config_t files +# + +# only allow read of policy config files +allow load_policy_t policy_src_t:dir search; +r_dir_file(load_policy_t, policy_config_t) +r_dir_file(load_policy_t, selinux_config_t) + +# directory search permissions for path to binary policy files +allow load_policy_t root_t:dir search; +allow load_policy_t etc_t:dir search; + +# for mcs.conf +allow load_policy_t etc_t:file { getattr read }; + +# Other access +can_access_pty(load_policy_t, initrc) +allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; +uses_shlib(load_policy_t) +allow load_policy_t self:capability dac_override; + +allow load_policy_t { userdomain privfd initrc_t }:fd use; + +allow load_policy_t fs_t:filesystem getattr; + +read_locale(load_policy_t) diff --git a/mls/domains/program/loadkeys.te b/mls/domains/program/loadkeys.te new file mode 100644 index 0000000..0959762 --- /dev/null +++ b/mls/domains/program/loadkeys.te @@ -0,0 +1,45 @@ +#DESC loadkeys - for changing to unicode at login time +# +# Author: Russell Coker +# +# X-Debian-Packages: console-tools + +# +# loadkeys_exec_t is the type of the wrapper +# +type loadkeys_exec_t, file_type, sysadmfile, exec_type; + +can_exec(initrc_t, loadkeys_exec_t) + +# Derived domain based on the calling user domain and the program. +type loadkeys_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t) + +uses_shlib(loadkeys_t) +dontaudit loadkeys_t proc_t:dir search; +allow loadkeys_t proc_t:file { getattr read }; +allow loadkeys_t self:process { fork sigchld }; + +allow loadkeys_t self:fifo_file rw_file_perms; +allow loadkeys_t bin_t:dir search; +allow loadkeys_t bin_t:lnk_file read; +can_exec(loadkeys_t, { shell_exec_t bin_t }) + +read_locale(loadkeys_t) + +dontaudit loadkeys_t etc_runtime_t:file { getattr read }; + +# Use capabilities. +allow loadkeys_t self:capability { setuid sys_tty_config }; + +allow loadkeys_t local_login_t:fd use; +allow loadkeys_t devtty_t:chr_file rw_file_perms; + +# The user role is authorized for this domain. +in_user_role(loadkeys_t) + +# Write to the user domain tty. +allow loadkeys_t ttyfile:chr_file rw_file_perms; + diff --git a/mls/domains/program/lockdev.te b/mls/domains/program/lockdev.te new file mode 100644 index 0000000..adb2a77 --- /dev/null +++ b/mls/domains/program/lockdev.te @@ -0,0 +1,11 @@ +#DESC Lockdev - libblockdev helper application +# +# Authors: Daniel Walsh +# + + +# Type for the lockdev +type lockdev_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the lockdev_domain macro in +# macros/program/lockdev_macros.te. diff --git a/mls/domains/program/login.te b/mls/domains/program/login.te new file mode 100644 index 0000000..ad9fab0 --- /dev/null +++ b/mls/domains/program/login.te @@ -0,0 +1,234 @@ +#DESC Login - Local/remote login utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# Macroised by Russell Coker +# X-Debian-Packages: login +# + +################################# +# +# Rules for the local_login_t domain +# and the remote_login_t domain. +# + +# $1 is the name of the domain (local or remote) +define(`login_domain', ` +type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; +role system_r types $1_login_t; + +dontaudit $1_login_t shadow_t:file { getattr read }; + +general_domain_access($1_login_t); + +# Read system information files in /proc. +r_dir_file($1_login_t, proc_t) + +base_file_read_access($1_login_t) + +# Read directories and files with the readable_t type. +# This type is a general type for "world"-readable files. +allow $1_login_t readable_t:dir r_dir_perms; +allow $1_login_t readable_t:notdevfile_class_set r_file_perms; + +# Read /var, /var/spool +allow $1_login_t { var_t var_spool_t }:dir search; + +# for when /var/mail is a sym-link +allow $1_login_t var_t:lnk_file read; + +# Read /etc. +r_dir_file($1_login_t, etc_t) +allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms; + +read_locale($1_login_t) + +# for SSP/ProPolice +allow $1_login_t urandom_device_t:chr_file { getattr read }; + +# Read executable types. +allow $1_login_t exec_type:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. +allow $1_login_t device_t:dir r_dir_perms; +allow $1_login_t device_t:lnk_file r_file_perms; + +uses_shlib($1_login_t); + +tmp_domain($1_login) + +ifdef(`pam.te', ` +can_exec($1_login_t, pam_exec_t) +') + +ifdef(`pamconsole.te', ` +rw_dir_create_file($1_login_t, pam_var_console_t) +domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t) +') + +ifdef(`alsa.te', ` +domain_auto_trans($1_login_t, alsa_exec_t, alsa_t) +') + +# Use capabilities +allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow $1_login_t self:process setrlimit; +dontaudit $1_login_t sysfs_t:dir search; + +# Set exec context. +can_setexec($1_login_t) + +allow $1_login_t autofs_t:dir { search read getattr }; +allow $1_login_t mnt_t:dir r_dir_perms; + +if (use_nfs_home_dirs) { +r_dir_file($1_login_t, nfs_t) +} + +if (use_samba_home_dirs) { +r_dir_file($1_login_t, cifs_t) +} + +# Login can polyinstantiate +polyinstantiater($1_login_t) + +# FIXME: what is this for? +ifdef(`xdm.te', ` +allow xdm_t $1_login_t:process signull; +') + +ifdef(`crack.te', ` +allow $1_login_t crack_db_t:file r_file_perms; +') + +# Permit login to search the user home directories. +allow $1_login_t home_root_t:dir search; +allow $1_login_t home_dir_type:dir search; + +# Write to /var/run/utmp. +allow $1_login_t var_run_t:dir search; +allow $1_login_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow $1_login_t var_log_t:dir search; +allow $1_login_t wtmp_t:file rw_file_perms; + +# Write to /var/log/lastlog. +allow $1_login_t lastlog_t:file rw_file_perms; + +# Write to /var/log/btmp +allow $1_login_t faillog_t:file { lock append read write }; + +# Search for mail spool file. +allow $1_login_t mail_spool_t:dir r_dir_perms; +allow $1_login_t mail_spool_t:file getattr; +allow $1_login_t mail_spool_t:lnk_file read; + +# Get security policy decisions. +can_getsecurity($1_login_t) + +# allow read access to default_contexts in /etc/security +allow $1_login_t default_context_t:file r_file_perms; +allow $1_login_t default_context_t:dir search; +r_dir_file($1_login_t, selinux_config_t) + +allow $1_login_t mouse_device_t:chr_file { getattr setattr }; + +ifdef(`targeted_policy',` +unconfined_domain($1_login_t) +domain_auto_trans($1_login_t, shell_exec_t, unconfined_t) +') + +')dnl end login_domain macro +################################# +# +# Rules for the local_login_t domain. +# +# local_login_t is the domain of a login process +# spawned by getty. +# +# remote_login_t is the domain of a login process +# spawned by rlogind. +# +# login_exec_t is the type of the login program +# +type login_exec_t, file_type, sysadmfile, exec_type; + +login_domain(local) + +# But also permit other user domains to be entered by login. +login_spawn_domain(local_login, userdomain) + +# Do not audit denied attempts to access devices. +dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; +dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; +dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; +dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; +dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; +dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; +dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; +dontaudit local_login_t removable_device_t:chr_file { getattr setattr }; +dontaudit local_login_t scanner_device_t:chr_file { getattr setattr }; + +# Do not audit denied attempts to access /mnt. +dontaudit local_login_t mnt_t:dir r_dir_perms; + + +# Create lock file. +lock_domain(local_login) + +# Read and write ttys. +allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; +allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; + +# Relabel ttys. +allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; +allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; + +ifdef(`gpm.te', +`allow local_login_t gpmctl_t:sock_file { getattr setattr };') + +# Allow setting of attributes on sound devices. +allow local_login_t sound_device_t:chr_file { getattr setattr }; + +# Allow setting of attributes on power management devices. +allow local_login_t power_device_t:chr_file { getattr setattr }; +dontaudit local_login_t init_t:fd use; + +################################# +# +# Rules for the remote_login_t domain. +# + +login_domain(remote) + +# Only permit unprivileged user domains to be entered via rlogin, +# since very weak authentication is used. +login_spawn_domain(remote_login, unpriv_userdomain) + +allow remote_login_t userpty_type:chr_file { setattr write }; + +# Use the pty created by rlogind. +ifdef(`rlogind.te', ` +can_access_pty(remote_login_t, rlogind) +# Relabel ptys created by rlogind. +allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto }; +') + +# Use the pty created by telnetd. +ifdef(`telnetd.te', ` +can_access_pty(remote_login_t, telnetd) +# Relabel ptys created by telnetd. +allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto }; +') + +allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl }; +allow remote_login_t fs_t:filesystem { getattr }; + +# Allow remote login to resolve host names (passed in via the -h switch) +can_resolve(remote_login_t) + +ifdef(`use_mcs', ` +ifdef(`getty.te', ` +range_transition getty_t login_exec_t s0 - s0:c0.c127; +') +') diff --git a/mls/domains/program/logrotate.te b/mls/domains/program/logrotate.te new file mode 100644 index 0000000..9f71da6 --- /dev/null +++ b/mls/domains/program/logrotate.te @@ -0,0 +1,150 @@ +#DESC Logrotate - Rotate log files +# +# Authors: Stephen Smalley Timothy Fraser +# Russell Coker +# X-Debian-Packages: logrotate +# Depends: crond.te +# + +################################# +# +# Rules for the logrotate_t domain. +# +# logrotate_t is the domain for the logrotate program. +# logrotate_exec_t is the type of the corresponding program. +# +type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade; +role system_r types logrotate_t; +role sysadm_r types logrotate_t; +uses_shlib(logrotate_t) +general_domain_access(logrotate_t) +type logrotate_exec_t, file_type, sysadmfile, exec_type; + +system_crond_entry(logrotate_exec_t, logrotate_t) +allow logrotate_t cron_spool_t:dir search; +allow crond_t logrotate_var_lib_t:dir search; +domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t) +allow logrotate_t self:unix_stream_socket create_socket_perms; +allow logrotate_t devtty_t:chr_file rw_file_perms; + +ifdef(`distro_debian', ` +allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; +# for savelog +can_exec(logrotate_t, logrotate_exec_t) +') + +# for perl +allow logrotate_t usr_t:file { getattr read ioctl }; +allow logrotate_t usr_t:lnk_file read; + +# access files in /etc +allow logrotate_t etc_t:file { getattr read ioctl }; +allow logrotate_t etc_t:lnk_file { getattr read }; +allow logrotate_t etc_runtime_t:file r_file_perms; + +# it should not require this +allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; + +# create lock files +lock_domain(logrotate) + +# Create temporary files. +tmp_domain(logrotate) +can_exec(logrotate_t, logrotate_tmp_t) + +# Run helper programs. +allow logrotate_t { bin_t sbin_t }:dir r_dir_perms; +allow logrotate_t { bin_t sbin_t }:lnk_file read; +can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t }) + +# Read PID files. +allow logrotate_t pidfile:file r_file_perms; + +# Read /proc/PID directories for all domains. +read_sysctl(logrotate_t) +allow logrotate_t proc_t:dir r_dir_perms; +allow logrotate_t proc_t:{ file lnk_file } r_file_perms; +allow logrotate_t domain:notdevfile_class_set r_file_perms; +allow logrotate_t domain:dir r_dir_perms; +allow logrotate_t exec_type:file getattr; + +# Read /dev directories and any symbolic links. +allow logrotate_t device_t:dir r_dir_perms; +allow logrotate_t device_t:lnk_file r_file_perms; + +# Signal processes. +allow logrotate_t domain:process signal; + +# Modify /var/log and other log dirs. +allow logrotate_t var_t:dir r_dir_perms; +allow logrotate_t logfile:dir rw_dir_perms; +allow logrotate_t logfile:lnk_file read; + +# Create, rename, and truncate log files. +allow logrotate_t logfile:file create_file_perms; +allow logrotate_t wtmp_t:file create_file_perms; +ifdef(`squid.te', ` +allow squid_t { system_crond_t crond_t }:fd use; +allow squid_t crond_t:fifo_file { read write }; +allow squid_t system_crond_t:fifo_file write; +allow squid_t self:capability kill; +') + +# Set a context other than the default one for newly created files. +can_setfscreate(logrotate_t) + +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; +# for mailx +dontaudit logrotate_t self:capability { setuid setgid }; + +ifdef(`mta.te', ` +allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; +') + +# Access /var/run +allow logrotate_t var_run_t:dir r_dir_perms; + +# for /var/lib/logrotate.status and /var/lib/logcheck +var_lib_domain(logrotate) +allow logrotate_t logrotate_var_lib_t:dir create; + +# Write to /var/spool/slrnpull - should be moved into its own type. +create_dir_file(logrotate_t, var_spool_t) + +allow logrotate_t urandom_device_t:chr_file { getattr read }; + +# Access terminals. +allow logrotate_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;') +allow logrotate_t privfd:fd use; + +# for /var/backups on Debian +ifdef(`backup.te', ` +rw_dir_create_file(logrotate_t, backup_store_t) +') + +read_locale(logrotate_t) + +allow logrotate_t fs_t:filesystem getattr; +can_exec(logrotate_t, shell_exec_t) +ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)') +can_exec(logrotate_t,logfile) +allow logrotate_t net_conf_t:file { getattr read }; + +ifdef(`consoletype.te', ` +can_exec(logrotate_t, consoletype_exec_t) +dontaudit consoletype_t logrotate_t:fd use; +') + +allow logrotate_t syslogd_t:unix_dgram_socket sendto; + +domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t) + +# Supress libselinux initialization denials +dontaudit logrotate_t selinux_config_t:dir search; +dontaudit logrotate_t selinux_config_t:file { read getattr }; + +# Allow selinux_getenforce +allow logrotate_t security_t:dir search; +allow logrotate_t security_t:file { getattr read }; diff --git a/mls/domains/program/lpd.te b/mls/domains/program/lpd.te new file mode 100644 index 0000000..76cd44d --- /dev/null +++ b/mls/domains/program/lpd.te @@ -0,0 +1,161 @@ +#DESC Lpd - Print server +# +# Authors: Stephen Smalley and Timothy Fraser +# Modified by David A. Wheeler for LPRng (Red Hat 7.1) +# Modified by Russell Coker +# X-Debian-Packages: lpr +# + +################################# +# +# Rules for the lpd_t domain. +# +# lpd_t is the domain of lpd. +# lpd_exec_t is the type of the lpd executable. +# printer_t is the type of the Unix domain socket created +# by lpd. +# +daemon_domain(lpd) + +allow lpd_t lpd_var_run_t:sock_file create_file_perms; + +read_fonts(lpd_t) + +type printer_t, file_type, sysadmfile, dev_fs; + +type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf. + +tmp_domain(lpd); + +# for postscript include files +allow lpd_t usr_t:{ file lnk_file } { getattr read }; + +# Allow checkpc to access the lpd spool so it can check & fix it. +# This requires that /usr/sbin/checkpc have type checkpc_t. +type checkpc_t, domain, privlog; +role system_r types checkpc_t; +uses_shlib(checkpc_t) +can_network_client(checkpc_t) +allow checkpc_t port_type:tcp_socket name_connect; +can_ypbind(checkpc_t) +log_domain(checkpc) +type checkpc_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t) +domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t) +role sysadm_r types checkpc_t; +allow checkpc_t admin_tty_type:chr_file { read write }; +allow checkpc_t privfd:fd use; +ifdef(`crond.te', ` +system_crond_entry(checkpc_exec_t, checkpc_t) +') +allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:process { fork signal_perms }; + +allow checkpc_t proc_t:dir search; +allow checkpc_t proc_t:lnk_file read; +allow checkpc_t proc_t:file { getattr read }; +r_dir_file(checkpc_t, self) +allow checkpc_t self:unix_stream_socket create_socket_perms; + +allow checkpc_t { etc_t etc_runtime_t }:file { getattr read }; +allow checkpc_t etc_t:lnk_file read; + +allow checkpc_t { var_t var_spool_t }:dir { getattr search }; +allow checkpc_t print_spool_t:file { rw_file_perms unlink }; +allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr }; +allow checkpc_t device_t:dir search; +allow checkpc_t printer_device_t:chr_file { getattr append }; +allow checkpc_t devtty_t:chr_file rw_file_perms; +allow checkpc_t initrc_devpts_t:chr_file rw_file_perms; + +# Allow access to /dev/console through the fd: +allow checkpc_t init_t:fd use; + +# This is less desirable, but checkpc demands /bin/bash and /bin/chown: +allow checkpc_t { bin_t sbin_t }:dir search; +allow checkpc_t bin_t:lnk_file read; +can_exec(checkpc_t, shell_exec_t) +can_exec(checkpc_t, bin_t) + +# bash wants access to /proc/meminfo +allow lpd_t proc_t:file { getattr read }; + +# gs-gnu wants to read some sysctl entries, it seems to work without though +dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search; + +# for defoma +r_dir_file(lpd_t, var_lib_t) + +allow checkpc_t var_run_t:dir search; +allow checkpc_t lpd_var_run_t:dir { search getattr }; + +# This is needed to permit chown to read /var/spool/lpd/lp. +# This is opens up security more than necessary; this means that ANYTHING +# running in the initrc_t domain can read the printer spool directory. +# Perhaps executing /etc/rc.d/init.d/lpd should transition +# to domain lpd_t, instead of waiting for executing lpd. +allow initrc_t print_spool_t:dir read; + +# for defoma +r_dir_file(lpd_t, readable_t) + +# Use capabilities. +allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; + +# Use the network. +can_network_server(lpd_t) +can_ypbind(lpd_t) +allow lpd_t self:fifo_file rw_file_perms; +allow lpd_t self:unix_stream_socket create_stream_socket_perms; +allow lpd_t self:unix_dgram_socket create_socket_perms; + +allow lpd_t self:file { getattr read }; +allow lpd_t etc_runtime_t:file { getattr read }; + +# Bind to the printer port. +allow lpd_t printer_port_t:tcp_socket name_bind; + +# Send to portmap. +ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)') + +ifdef(`ypbind.te', +`# Connect to ypbind. +can_tcp_connect(lpd_t, ypbind_t)') + +# Create and bind to /dev/printer. +file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file) +allow lpd_t printer_t:unix_stream_socket name_bind; +allow lpd_t printer_t:unix_dgram_socket name_bind; +allow lpd_t printer_device_t:chr_file rw_file_perms; + +# Write to /var/spool/lpd. +allow lpd_t var_spool_t:dir search; +allow lpd_t print_spool_t:dir rw_dir_perms; +allow lpd_t print_spool_t:file create_file_perms; +allow lpd_t print_spool_t:file rw_file_perms; + +# Execute filter scripts. +# can_exec(lpd_t, print_spool_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +allow lpd_t bin_t:dir search; +allow lpd_t bin_t:lnk_file read; +can_exec(lpd_t, { bin_t sbin_t shell_exec_t }) + +# lpd must be able to execute the filter utilities in /usr/share/printconf. +can_exec(lpd_t, printconf_t) +allow lpd_t printconf_t:file rx_file_perms; +allow lpd_t printconf_t:dir { getattr search read }; + +# config files for lpd are of type etc_t, probably should change this +allow lpd_t etc_t:file { getattr read }; +allow lpd_t etc_t:lnk_file read; + +# checkpc needs similar permissions. +allow checkpc_t printconf_t:file getattr; +allow checkpc_t printconf_t:dir { getattr search read }; + +# Read printconf files. +allow initrc_t printconf_t:dir r_dir_perms; +allow initrc_t printconf_t:file r_file_perms; + diff --git a/mls/domains/program/lpr.te b/mls/domains/program/lpr.te new file mode 100644 index 0000000..d8ec0c0 --- /dev/null +++ b/mls/domains/program/lpr.te @@ -0,0 +1,12 @@ +#DESC Lpr - Print client +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: lpr lprng +# + + +# Type for the lpr, lpq, and lprm executables. +type lpr_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the lpr_domain macro in +# macros/program/lpr_macros.te. diff --git a/mls/domains/program/lvm.te b/mls/domains/program/lvm.te new file mode 100644 index 0000000..b2e47eb --- /dev/null +++ b/mls/domains/program/lvm.te @@ -0,0 +1,139 @@ +#DESC LVM - Linux Volume Manager +# +# Author: Michael Kaufman +# X-Debian-Packages: lvm10 lvm2 lvm-common +# + +################################# +# +# Rules for the lvm_t domain. +# +# lvm_t is the domain for LVM administration. +# lvm_exec_t is the type of the corresponding programs. +# lvm_etc_t is for read-only LVM configuration files. +# lvm_metadata_t is the type of LVM metadata files in /etc that are +# modified at runtime. +# +type lvm_vg_t, file_type, sysadmfile; +type lvm_metadata_t, file_type, sysadmfile; +type lvm_control_t, device_type, dev_fs; +etcdir_domain(lvm) +lock_domain(lvm) +allow lvm_t lvm_lock_t:dir rw_dir_perms; + +# needs privowner because it assigns the identity system_u to device nodes +# but runs as the identity of the sysadmin +daemon_base_domain(lvm, `, fs_domain, privowner') +role sysadm_r types lvm_t; +domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t) + +# LVM will complain a lot if it cannot set its priority. +allow lvm_t self:process setsched; + +allow lvm_t self:fifo_file rw_file_perms; +allow lvm_t self:unix_dgram_socket create_socket_perms; + +r_dir_file(lvm_t, proc_t) +allow lvm_t self:file rw_file_perms; + +# Read system variables in /proc/sys +read_sysctl(lvm_t) + +# Read /sys/block. Device mapper metadata is kept there. +r_dir_file(lvm_t, sysfs_t) + +allow lvm_t fs_t:filesystem getattr; + +# Read configuration files in /etc. +allow lvm_t { etc_t etc_runtime_t }:file { getattr read }; + +# LVM creates block devices in /dev/mapper or /dev/ +# depending on its version +file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file) + +# LVM(2) needs to create directores (/dev/mapper, /dev/) +# and links from /dev/ to /dev/mapper/- +allow lvm_t device_t:dir create_dir_perms; +allow lvm_t device_t:lnk_file create_lnk_perms; + +# /lib/lvm- holds the actual LVM binaries (and symlinks) +allow lvm_t lvm_exec_t:dir search; +allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms; + +tmp_domain(lvm) +allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; + +# DAC overrides and mknod for modifying /dev entries (vgmknodes) +allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod }; + +# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d +file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file) + +allow lvm_t lvm_metadata_t:dir rw_dir_perms; + +# Inherit and use descriptors from init. +allow lvm_t init_t:fd use; + +# LVM is split into many individual binaries +can_exec(lvm_t, lvm_exec_t) + +# Access raw devices and old /dev/lvm (c 109,0). Is this needed? +allow lvm_t fixed_disk_device_t:chr_file create_file_perms; + +# relabel devices +allow lvm_t { default_context_t file_context_t }:dir search; +allow lvm_t file_context_t:file { getattr read }; +can_getsecurity(lvm_t) +allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; +allow lvm_t device_t:lnk_file { relabelfrom relabelto }; + +# Access terminals. +allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow lvm_t devtty_t:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;') +allow lvm_t privfd:fd use; +allow lvm_t devpts_t:dir { search getattr read }; + +read_locale(lvm_t) + +# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... +dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read }; +dontaudit lvm_t ttyfile:chr_file getattr; +dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr; +dontaudit lvm_t devpts_t:dir { getattr read }; +dontaudit lvm_t xconsole_device_t:fifo_file getattr; + +ifdef(`gpm.te', ` +dontaudit lvm_t gpmctl_t:sock_file getattr; +') +dontaudit lvm_t initctl_t:fifo_file getattr; +allow lvm_t sbin_t:dir search; +dontaudit lvm_t sbin_t:file { getattr read }; +allow lvm_t lvm_control_t:chr_file rw_file_perms; +allow initrc_t lvm_control_t:chr_file { getattr read unlink }; +allow initrc_t device_t:chr_file create; +var_run_domain(lvm) + +# for when /usr is not mounted +dontaudit lvm_t file_t:dir search; + +allow lvm_t tmpfs_t:dir r_dir_perms; +r_dir_file(lvm_t, selinux_config_t) + +# it has no reason to need this +dontaudit lvm_t proc_kcore_t:file getattr; +allow lvm_t var_t:dir { search getattr }; +allow lvm_t ramfs_t:filesystem unmount; + +# cluster LVM daemon +daemon_domain(clvmd) +can_network(clvmd_t) +can_ypbind(clvmd_t) +allow clvmd_t self:capability net_bind_service; +allow clvmd_t self:socket create_socket_perms; +allow clvmd_t self:fifo_file { read write }; +allow clvmd_t self:file { getattr read }; +allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow clvmd_t reserved_port_t:tcp_socket name_bind; +dontaudit clvmd_t reserved_port_type:tcp_socket name_bind; +dontaudit clvmd_t selinux_config_t:dir search; diff --git a/mls/domains/program/mailman.te b/mls/domains/program/mailman.te new file mode 100644 index 0000000..72fe6a7 --- /dev/null +++ b/mls/domains/program/mailman.te @@ -0,0 +1,113 @@ +#DESC Mailman - GNU Mailman mailing list manager +# +# Author: Russell Coker +# X-Debian-Packages: mailman + +type mailman_data_t, file_type, sysadmfile; +type mailman_archive_t, file_type, sysadmfile; + +type mailman_log_t, file_type, sysadmfile, logfile; +type mailman_lock_t, file_type, sysadmfile, lockfile; + +define(`mailman_domain', ` +type mailman_$1_t, domain, privlog $2; +type mailman_$1_exec_t, file_type, sysadmfile, exec_type; +role system_r types mailman_$1_t; +file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file) +allow mailman_$1_t mailman_log_t:dir rw_dir_perms; +create_dir_file(mailman_$1_t, mailman_data_t) +uses_shlib(mailman_$1_t) +can_exec_any(mailman_$1_t) +read_sysctl(mailman_$1_t) +allow mailman_$1_t proc_t:dir search; +allow mailman_$1_t proc_t:file { read getattr }; +allow mailman_$1_t var_lib_t:dir r_dir_perms; +allow mailman_$1_t var_lib_t:lnk_file read; +allow mailman_$1_t device_t:dir search; +allow mailman_$1_t etc_runtime_t:file { read getattr }; +read_locale(mailman_$1_t) +file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) +allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; +allow mailman_$1_t fs_t:filesystem getattr; +can_network(mailman_$1_t) +allow mailman_$1_t smtp_port_t:tcp_socket name_connect; +can_ypbind(mailman_$1_t) +allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; +allow mailman_$1_t var_t:dir r_dir_perms; +tmp_domain(mailman_$1) +') + +mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') +can_tcp_connect(mailman_queue_t, mail_server_domain) + +can_exec(mailman_queue_t, su_exec_t) +allow mailman_queue_t self:capability { setgid setuid }; +allow mailman_queue_t self:fifo_file rw_file_perms; +dontaudit mailman_queue_t var_run_t:dir search; +allow mailman_queue_t proc_t:lnk_file { getattr read }; + +# for su +dontaudit mailman_queue_t selinux_config_t:dir search; +allow mailman_queue_t self:dir search; +allow mailman_queue_t self:file { getattr read }; +allow mailman_queue_t self:unix_dgram_socket create_socket_perms; +allow mailman_queue_t self:lnk_file { getattr read }; + +# some of the following could probably be changed to dontaudit, someone who +# knows mailman well should test this out and send the changes +allow mailman_queue_t sysadm_home_dir_t:dir { getattr search }; + +mailman_domain(mail) +dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write }; +allow mailman_mail_t mta_delivery_agent:fd use; +ifdef(`qmail.te', ` +allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; +# do we really need this? +allow mailman_mail_t qmail_lspawn_t:fifo_file write; +') + +create_dir_file(mailman_queue_t, mailman_archive_t) + +ifdef(`apache.te', ` +mailman_domain(cgi) +can_tcp_connect(mailman_cgi_t, mail_server_domain) + +domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) +# should have separate types for public and private archives +r_dir_file(httpd_t, mailman_archive_t) +create_dir_file(mailman_cgi_t, mailman_archive_t) +allow httpd_t mailman_data_t:dir { getattr search }; + +dontaudit mailman_cgi_t httpd_log_t:file append; +allow httpd_t mailman_cgi_t:process signal; +allow mailman_cgi_t httpd_t:process sigchld; +allow mailman_cgi_t httpd_t:fd use; +allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl }; +allow mailman_cgi_t httpd_sys_script_t:dir search; +allow mailman_cgi_t devtty_t:chr_file { read write }; +allow mailman_cgi_t self:process { fork sigchld }; +allow mailman_cgi_t var_spool_t:dir search; +') + +allow mta_delivery_agent mailman_data_t:dir search; +allow mta_delivery_agent mailman_data_t:lnk_file read; +allow initrc_t mailman_data_t:lnk_file read; +allow initrc_t mailman_data_t:dir r_dir_perms; +domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) +ifdef(`direct_sysadm_daemon', ` +domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) +') +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; + +system_crond_entry(mailman_queue_exec_t, mailman_queue_t) +allow mailman_queue_t devtty_t:chr_file { read write }; +allow mailman_queue_t self:process { fork signal sigchld }; +allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; + +# so MTA can access /var/lib/mailman/mail/wrapper +allow mta_delivery_agent var_lib_t:dir search; + +# Handle mailman log files +rw_dir_create_file(logrotate_t, mailman_log_t) +allow logrotate_t mailman_data_t:dir search; +can_exec(logrotate_t, mailman_mail_exec_t) diff --git a/mls/domains/program/mdadm.te b/mls/domains/program/mdadm.te new file mode 100644 index 0000000..47f82e2 --- /dev/null +++ b/mls/domains/program/mdadm.te @@ -0,0 +1,43 @@ +#DESC mdadm - Linux RAID tool +# +# Author: Colin Walters +# + +daemon_base_domain(mdadm, `, fs_domain, privmail') +role sysadm_r types mdadm_t; + +allow initrc_t mdadm_var_run_t:file create_file_perms; + +# Kernel filesystem permissions +r_dir_file(mdadm_t, proc_t) +allow mdadm_t proc_mdstat_t:file rw_file_perms; +read_sysctl(mdadm_t) +r_dir_file(mdadm_t, sysfs_t) + +# Configuration +allow mdadm_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale(mdadm_t) + +# Linux capabilities +allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; + +# Helper program access +can_exec(mdadm_t, { bin_t sbin_t }) + +# RAID block device access +allow mdadm_t fixed_disk_device_t:blk_file create_file_perms; +allow mdadm_t device_t:lnk_file { getattr read }; + +# Ignore attempts to read every device file +dontaudit mdadm_t device_type:{ chr_file blk_file } getattr; +dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr }; +dontaudit mdadm_t devpts_t:dir r_dir_perms; + +# Ignore attempts to read/write sysadmin tty +dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms; + +# Other random ignores +dontaudit mdadm_t tmpfs_t:dir r_dir_perms; +dontaudit mdadm_t initctl_t:fifo_file getattr; +var_run_domain(mdadm) +allow mdadm_t var_t:dir { getattr search }; diff --git a/mls/domains/program/modutil.te b/mls/domains/program/modutil.te new file mode 100644 index 0000000..a934534 --- /dev/null +++ b/mls/domains/program/modutil.te @@ -0,0 +1,243 @@ +#DESC Modutil - Dynamic module utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: modutils +# + +################################# +# +# Rules for the module utility domains. +# +type modules_dep_t, file_type, sysadmfile; +type modules_conf_t, file_type, sysadmfile; +type modules_object_t, file_type, sysadmfile; + + +ifdef(`IS_INITRD', `', ` +################################# +# +# Rules for the depmod_t domain. +# +type depmod_t, domain; +role system_r types depmod_t; +role sysadm_r types depmod_t; + +uses_shlib(depmod_t) + +r_dir_file(depmod_t, src_t) + +type depmod_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) +allow depmod_t { bin_t sbin_t }:dir search; +can_exec(depmod_t, depmod_exec_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) +') + +# Inherit and use descriptors from init and login programs. +allow depmod_t { init_t privfd }:fd use; + +allow depmod_t { etc_t etc_runtime_t }:file { getattr read }; +allow depmod_t { device_t proc_t }:dir search; +allow depmod_t proc_t:file { getattr read }; +allow depmod_t fs_t:filesystem getattr; + +# read system.map +allow depmod_t boot_t:dir search; +allow depmod_t boot_t:file { getattr read }; +allow depmod_t system_map_t:file { getattr read }; + +# Read conf.modules. +allow depmod_t modules_conf_t:file r_file_perms; + +# Create modules.dep. +file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) + +# Read module objects. +allow depmod_t modules_object_t:dir r_dir_perms; +allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; +allow depmod_t modules_object_t:file unlink; + +# Access terminals. +can_access_pty(depmod_t, initrc) +allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') + +# Read System.map from home directories. +allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; +r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) +')dnl end IS_INITRD + +################################# +# +# Rules for the insmod_t domain. +# + +type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain +; +role system_r types insmod_t; +role sysadm_r types insmod_t; +type insmod_exec_t, file_type, exec_type, sysadmfile; + +bool secure_mode_insmod false; + +can_ypbind(insmod_t) + +ifdef(`unlimitedUtils', ` +unconfined_domain(insmod_t) +') +uses_shlib(insmod_t) +read_locale(insmod_t) + +# for SSP +allow insmod_t urandom_device_t:chr_file read; +allow insmod_t lib_t:file { getattr read }; + +allow insmod_t { bin_t sbin_t }:dir search; +allow insmod_t { bin_t sbin_t }:lnk_file read; + +allow insmod_t self:dir search; +allow insmod_t self:lnk_file read; + +allow insmod_t usr_t:file { getattr read }; + +allow insmod_t privfd:fd use; +can_access_pty(insmod_t, initrc) +allow insmod_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') + +allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; + +allow insmod_t sound_device_t:chr_file { read ioctl write }; +allow insmod_t zero_device_t:chr_file read; +allow insmod_t memory_device_t:chr_file rw_file_perms; + +# Read module config and dependency information +allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; + +# Read module objects. +r_dir_file(insmod_t, modules_object_t) +# for locking +allow insmod_t modules_object_t:file write; + +allow insmod_t { var_t var_log_t }:dir search; +ifdef(`xserver.te', ` +allow insmod_t xserver_log_t:file getattr; +allow insmod_t xserver_misc_device_t:chr_file { read write }; +') +rw_dir_create_file(insmod_t, var_log_ksyms_t) +allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; + +allow insmod_t self:udp_socket create_socket_perms; +allow insmod_t self:unix_dgram_socket create_socket_perms; +allow insmod_t self:unix_stream_socket create_stream_socket_perms; +allow insmod_t self:rawip_socket create_socket_perms; +allow insmod_t self:capability { dac_override kill net_raw sys_tty_config }; +allow insmod_t domain:process signal; +allow insmod_t self:process { fork signal_perms }; +allow insmod_t device_t:dir search; +allow insmod_t etc_runtime_t:file { getattr read }; + +# for loading modules at boot time +allow insmod_t { init_t initrc_t }:fd use; +allow insmod_t initrc_t:fifo_file { getattr read write }; + +allow insmod_t fs_t:filesystem getattr; +allow insmod_t sysfs_t:dir search; +allow insmod_t { usbfs_t usbdevfs_t }:dir search; +allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount; +r_dir_file(insmod_t, debugfs_t) + +# Rules for /proc/sys/kernel/tainted +read_sysctl(insmod_t) +allow insmod_t proc_t:dir search; +allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; + +allow insmod_t proc_t:file rw_file_perms; +allow insmod_t proc_t:lnk_file read; + +# Write to /proc/mtrr. +allow insmod_t mtrr_device_t:file write; + +# Read /proc/sys/kernel/hotplug. +allow insmod_t sysctl_hotplug_t:file { getattr read }; + +allow insmod_t device_t:dir read; +allow insmod_t devpts_t:dir { getattr search }; + +if (!secure_mode_insmod) { +domain_auto_trans(privmodule, insmod_exec_t, insmod_t) +allow insmod_t self:capability sys_module; +}dnl end if !secure_mode_insmod + +can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) +allow insmod_t devtty_t:chr_file rw_file_perms; +allow insmod_t privmodule:process sigchld; +dontaudit sysadm_t self:capability sys_module; + +ifdef(`mount.te', ` +# Run mount in the mount_t domain. +domain_auto_trans(insmod_t, mount_exec_t, mount_t) +') +# for when /var is not mounted early in the boot +dontaudit insmod_t file_t:dir search; + +# for nscd +dontaudit insmod_t var_run_t:dir search; + +ifdef(`crond.te', ` +rw_dir_create_file(system_crond_t, var_log_ksyms_t) +') + +ifdef(`IS_INITRD', `', ` +################################# +# +# Rules for the update_modules_t domain. +# +type update_modules_t, domain, privlog; +type update_modules_exec_t, file_type, exec_type, sysadmfile; + +role system_r types update_modules_t; +role sysadm_r types update_modules_t; + +domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) +allow update_modules_t privfd:fd use; +allow update_modules_t init_t:fd use; + +allow update_modules_t device_t:dir { getattr search }; +allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; +can_access_pty(update_modules_t, initrc) +allow update_modules_t admin_tty_type:chr_file rw_file_perms; + +can_exec(update_modules_t, insmod_exec_t) +allow update_modules_t urandom_device_t:chr_file { getattr read }; + +dontaudit update_modules_t sysadm_home_dir_t:dir search; + +uses_shlib(update_modules_t) +read_locale(update_modules_t) +allow update_modules_t lib_t:file { getattr read }; +allow update_modules_t self:process { fork sigchld }; +allow update_modules_t self:fifo_file rw_file_perms; +allow update_modules_t self:file { getattr read }; +allow update_modules_t modules_dep_t:file rw_file_perms; +file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file) +domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) +can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t }) +allow update_modules_t { sbin_t bin_t }:lnk_file read; +allow update_modules_t { sbin_t bin_t }:dir search; +allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms; +allow update_modules_t etc_t:lnk_file read; +allow update_modules_t fs_t:filesystem getattr; + +allow update_modules_t proc_t:dir search; +allow update_modules_t proc_t:file r_file_perms; +allow update_modules_t { self proc_t }:lnk_file read; +read_sysctl(update_modules_t) +allow update_modules_t self:dir search; +allow update_modules_t self:unix_stream_socket create_socket_perms; + +file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) + +tmp_domain(update_modules) +')dnl end IS_INITRD diff --git a/mls/domains/program/mount.te b/mls/domains/program/mount.te new file mode 100644 index 0000000..b76bf52 --- /dev/null +++ b/mls/domains/program/mount.te @@ -0,0 +1,90 @@ +#DESC Mount - Filesystem mount utilities +# +# Macros for mount +# +# Author: Brian May +# X-Debian-Packages: mount +# +# based on the work of: +# Mark Westerman mark.westerman@csoconline.com +# + +type mount_exec_t, file_type, sysadmfile, exec_type; + +mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite') +mount_loopback_privs(sysadm, mount) +role sysadm_r types mount_t; +role system_r types mount_t; + +can_access_pty(mount_t, initrc) +allow mount_t console_device_t:chr_file { read write }; + +domain_auto_trans(initrc_t, mount_exec_t, mount_t) +allow mount_t init_t:fd use; +allow mount_t privfd:fd use; + +allow mount_t self:capability { dac_override ipc_lock sys_tty_config }; +allow mount_t self:process { fork signal_perms }; + +allow mount_t file_type:dir search; + +# Access disk devices. +allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms; +allow mount_t removable_device_t:devfile_class_set rw_file_perms; +allow mount_t device_t:lnk_file read; + +# for when /etc/mtab loses its type +allow mount_t file_t:file { getattr read unlink }; + +# Mount, remount and unmount file systems. +allow mount_t fs_type:filesystem mount_fs_perms; +allow mount_t mount_point:dir mounton; +allow mount_t nfs_t:dir search; +allow mount_t sysctl_t:dir search; + +allow mount_t root_t:filesystem unmount; + +can_portmap(mount_t) + +ifdef(`portmap.te', ` +# for nfs +can_network(mount_t) +allow mount_t port_type:tcp_socket name_connect; +can_ypbind(mount_t) +allow mount_t port_t:{ tcp_socket udp_socket } name_bind; +allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +can_udp_send(mount_t, portmap_t) +can_udp_send(portmap_t, mount_t) +allow mount_t rpc_pipefs_t:dir search; +') +dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind; + +# +# required for mount.smbfs +# +allow mount_t sbin_t:lnk_file { getattr read }; + +rhgb_domain(mount_t) + +# for localization +allow mount_t lib_t:file { getattr read }; +allow mount_t autofs_t:dir read; +allow mount_t fs_type:filesystem relabelfrom; +# +# This rule needs to be generalized. Only admin, initrc should have it. +# +allow mount_t file_type:filesystem { unmount mount relabelto }; + +allow mount_t mnt_t:dir getattr; +dontaudit mount_t kernel_t:fd use; +allow mount_t userdomain:fd use; +can_exec(mount_t, { sbin_t bin_t }) +allow mount_t device_t:dir r_dir_perms; +allow mount_t tmpfs_t:chr_file { read write }; + +# tries to read /init +dontaudit mount_t root_t:file { getattr read }; + +allow kernel_t mount_t:tcp_socket { read write }; +allow mount_t self:capability { setgid setuid }; +allow mount_t proc_t:lnk_file read; diff --git a/mls/domains/program/mrtg.te b/mls/domains/program/mrtg.te new file mode 100644 index 0000000..e44889d --- /dev/null +++ b/mls/domains/program/mrtg.te @@ -0,0 +1,100 @@ +#DESC MRTG - Network traffic graphing +# +# Author: Russell Coker +# X-Debian-Packages: mrtg +# + +################################# +# +# Rules for the mrtg_t domain. +# +# mrtg_exec_t is the type of the mrtg executable. +# +daemon_base_domain(mrtg) + +allow mrtg_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(mrtg_exec_t, mrtg_t) +allow system_crond_t mrtg_log_t:dir rw_dir_perms; +allow system_crond_t mrtg_log_t:file { create append getattr }; +') + +allow mrtg_t usr_t:{ file lnk_file } { getattr read }; +dontaudit mrtg_t usr_t:file ioctl; + +logdir_domain(mrtg) +etcdir_domain(mrtg) +typealias mrtg_etc_t alias etc_mrtg_t; +type mrtg_var_lib_t, file_type, sysadmfile; +typealias mrtg_var_lib_t alias var_lib_mrtg_t; +type mrtg_lock_t, file_type, sysadmfile, lockfile; +r_dir_file(mrtg_t, lib_t) + +# Use the network. +can_network_client(mrtg_t) +allow mrtg_t port_type:tcp_socket name_connect; +can_ypbind(mrtg_t) + +allow mrtg_t self:fifo_file { getattr read write ioctl }; +allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms; +allow mrtg_t urandom_device_t:chr_file { getattr read }; +allow mrtg_t self:unix_stream_socket create_socket_perms; +ifdef(`apache.te', ` +rw_dir_create_file(mrtg_t, httpd_sys_content_t) +') + +can_exec(mrtg_t, { shell_exec_t bin_t sbin_t }) +allow mrtg_t { bin_t sbin_t }:dir { getattr search }; +allow mrtg_t bin_t:lnk_file read; +allow mrtg_t var_t:dir { getattr search }; + +ifdef(`snmpd.te', ` +can_udp_send(mrtg_t, snmpd_t) +can_udp_send(snmpd_t, mrtg_t) +r_dir_file(mrtg_t, snmpd_var_lib_t) +') + +allow mrtg_t proc_net_t:dir search; +allow mrtg_t { proc_t proc_net_t }:file { read getattr }; +dontaudit mrtg_t proc_t:file ioctl; + +allow mrtg_t { var_lock_t var_lib_t }:dir search; +rw_dir_create_file(mrtg_t, mrtg_var_lib_t) +rw_dir_create_file(mrtg_t, mrtg_lock_t) +ifdef(`distro_redhat', ` +file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) +') + +# read config files +allow mrtg_t etc_t:file { read getattr }; +dontaudit mrtg_t mrtg_etc_t:dir write; +dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; +read_locale(mrtg_t) + +# for /.autofsck +dontaudit mrtg_t root_t:file getattr; + +dontaudit mrtg_t security_t:dir getattr; + +read_sysctl(mrtg_t) + +# for uptime +allow mrtg_t var_run_t:dir search; +allow mrtg_t initrc_var_run_t:file { getattr read }; +dontaudit mrtg_t initrc_var_run_t:file { write lock }; +allow mrtg_t etc_runtime_t:file { getattr read }; + +allow mrtg_t tmp_t:dir getattr; + +# should not need this! +dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; +dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; +ifdef(`quota.te', ` +dontaudit mrtg_t quota_db_t:file getattr; +') +dontaudit mrtg_t root_t:lnk_file getattr; + +allow mrtg_t self:capability { setgid setuid }; +ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)') +allow mrtg_t var_spool_t:dir search; diff --git a/mls/domains/program/mta.te b/mls/domains/program/mta.te new file mode 100644 index 0000000..55e7ca9 --- /dev/null +++ b/mls/domains/program/mta.te @@ -0,0 +1,81 @@ +#DESC MTA - Mail agents +# +# Author: Russell Coker +# X-Debian-Packages: postfix exim sendmail sendmail-wide +# +# policy for all mail servers, including allowing user to send mail from the +# command-line and for cron jobs to use sendmail -t + +# +# sendmail_exec_t is the type of /usr/sbin/sendmail +# +# define sendmail_exec_t if sendmail.te does not do it for us +ifdef(`sendmail.te', `', ` +type sendmail_exec_t, file_type, exec_type, sysadmfile; +') + +# create a system_mail_t domain for daemons, init scripts, etc when they run +# "mail user@domain" +mail_domain(system) + +ifdef(`targeted_policy', ` +# rules are currently defined in sendmail.te, but it is not included in +# targeted policy. We could move these rules permanantly here. +ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') +allow system_mail_t self:dir search; +allow system_mail_t self:lnk_file read; +r_dir_file(system_mail_t, { proc_t proc_net_t }) +allow system_mail_t fs_t:filesystem getattr; +allow system_mail_t { var_t var_spool_t }:dir getattr; +create_dir_file(system_mail_t, mqueue_spool_t) +create_dir_file(system_mail_t, mail_spool_t) +allow system_mail_t mail_spool_t:fifo_file rw_file_perms; +allow system_mail_t etc_mail_t:file { getattr read }; + +# for reading .forward - maybe we need a new type for it? +# also for delivering mail to maildir +file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t) +', ` +ifdef(`sendmail.te', ` +# sendmail has an ugly design, the one process parses input from the user and +# then does system things with it. But the sendmail_launch_t domain works +# around this. +domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t) +') +allow initrc_t sendmail_exec_t:lnk_file { getattr read }; + +# allow the sysadmin to do "mail someone < /home/user/whatever" +allow sysadm_mail_t user_home_dir_type:dir search; +r_dir_file(sysadm_mail_t, user_home_type) +') +# for a mail server process that does things in response to a user command +allow mta_user_agent userdomain:process sigchld; +allow mta_user_agent { userdomain privfd }:fd use; +ifdef(`crond.te', ` +allow mta_user_agent crond_t:process sigchld; +') +allow mta_user_agent sysadm_t:fifo_file { read write }; + +allow { system_mail_t mta_user_agent } privmail:fd use; +allow { system_mail_t mta_user_agent } privmail:process sigchld; +allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; +allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; + +allow mta_delivery_agent home_root_t:dir { getattr search }; + +# for /var/spool/mail +ra_dir_create_file(mta_delivery_agent, mail_spool_t) + +# for piping mail to a command +can_exec(mta_delivery_agent, shell_exec_t) +allow mta_delivery_agent bin_t:dir search; +allow mta_delivery_agent bin_t:lnk_file read; +allow mta_delivery_agent devtty_t:chr_file rw_file_perms; +allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read }; + +allow system_mail_t etc_runtime_t:file { getattr read }; +allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read }; +ifdef(`targeted_policy', ` +typealias system_mail_t alias sysadm_mail_t; +') + diff --git a/mls/domains/program/mysqld.te b/mls/domains/program/mysqld.te new file mode 100644 index 0000000..637359f --- /dev/null +++ b/mls/domains/program/mysqld.te @@ -0,0 +1,94 @@ +#DESC Mysqld - Database server +# +# Author: Russell Coker +# X-Debian-Packages: mysql-server +# + +################################# +# +# Rules for the mysqld_t domain. +# +# mysqld_exec_t is the type of the mysqld executable. +# +daemon_domain(mysqld, `, nscd_client_domain') + +allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect }; + +allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; + +etcdir_domain(mysqld) +type mysqld_db_t, file_type, sysadmfile; + +log_domain(mysqld) + +# for temporary tables +tmp_domain(mysqld) + +allow mysqld_t usr_t:file { getattr read }; + +allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:unix_stream_socket create_stream_socket_perms; +allow initrc_t mysqld_t:unix_stream_socket connectto; +allow initrc_t mysqld_var_run_t:sock_file write; + +allow initrc_t mysqld_log_t:file { write append setattr ioctl }; + +allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource }; +allow mysqld_t self:process { setrlimit setsched getsched }; + +allow mysqld_t proc_t:file { getattr read }; + +# Allow access to the mysqld databases +create_dir_file(mysqld_t, mysqld_db_t) +file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file }) + +can_network(mysqld_t) +can_ypbind(mysqld_t) + +# read config files +r_dir_file(initrc_t, mysqld_etc_t) +allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; + +allow mysqld_t etc_t:dir search; + +read_sysctl(mysqld_t) + +can_unix_connect(sysadm_t, mysqld_t) + +# for /root/.my.cnf - should not be needed +allow mysqld_t sysadm_home_dir_t:dir search; +allow mysqld_t sysadm_home_t:file { read getattr }; + +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, mysqld_etc_t) +allow logrotate_t mysqld_db_t:dir search; +allow logrotate_t mysqld_var_run_t:dir search; +allow logrotate_t mysqld_var_run_t:sock_file write; +can_unix_connect(logrotate_t, mysqld_t) +') + +ifdef(`daemontools.te', ` +domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) +allow svc_start_t mysqld_t:process signal; +svc_ipc_domain(mysqld_t) +')dnl end ifdef daemontools + +ifdef(`distro_redhat', ` +allow initrc_t mysqld_db_t:dir create_dir_perms; + +# because Fedora has the sock_file in the database directory +file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +') +ifdef(`targeted_policy', `', ` +bool allow_user_mysql_connect false; + +if (allow_user_mysql_connect) { +allow userdomain mysqld_var_run_t:dir search; +allow userdomain mysqld_var_run_t:sock_file write; +} +') + +ifdef(`crond.te', ` +allow system_crond_t mysqld_etc_t:file { getattr read }; +') +allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/mls/domains/program/named.te b/mls/domains/program/named.te new file mode 100644 index 0000000..5a42877 --- /dev/null +++ b/mls/domains/program/named.te @@ -0,0 +1,184 @@ +#DESC BIND - Name server +# +# Authors: Yuichi Nakamura , +# Russell Coker +# X-Debian-Packages: bind bind9 +# +# + +################################# +# +# Rules for the named_t domain. +# + +daemon_domain(named, `, nscd_client_domain') +tmp_domain(named) + +type named_checkconf_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t) + +# For /var/run/ndc used in BIND 8 +file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) + +# ndc_t is the domain for the ndc program +type ndc_t, domain, privlog, nscd_client_domain; +role sysadm_r types ndc_t; +role system_r types ndc_t; + +ifdef(`targeted_policy', ` +dontaudit ndc_t root_t:file { getattr read }; +dontaudit ndc_t unlabeled_t:file { getattr read }; +') + +can_exec(named_t, named_exec_t) +allow named_t sbin_t:dir search; + +allow named_t self:process { setsched setcap setrlimit }; + +# A type for configuration files of named. +type named_conf_t, file_type, sysadmfile, mount_point; + +# for primary zone files +type named_zone_t, file_type, sysadmfile; + +# for secondary zone files +type named_cache_t, file_type, sysadmfile; + +# for DNSSEC key files +type dnssec_t, file_type, sysadmfile, secure_file_type; +allow { ndc_t named_t } dnssec_t:file { getattr read }; + +# Use capabilities. Surplus capabilities may be allowed. +allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; + +allow named_t etc_t:file { getattr read }; +allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; + +#Named can use network +can_network(named_t) +allow named_t port_type:tcp_socket name_connect; +can_ypbind(named_t) +# allow UDP transfer to/from any program +can_udp_send(domain, named_t) +can_udp_send(named_t, domain) +can_tcp_connect(domain, named_t) +log_domain(named) + +# Bind to the named port. +allow named_t dns_port_t:udp_socket name_bind; +allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind; + +bool named_write_master_zones false; + +#read configuration files +r_dir_file(named_t, named_conf_t) + +if (named_write_master_zones) { +#create and modify zone files +create_dir_file(named_t, named_zone_t) +} +#read zone files +r_dir_file(named_t, named_zone_t) + +#write cache for secondary zones +rw_dir_create_file(named_t, named_cache_t) + +allow named_t self:unix_stream_socket create_stream_socket_perms; +allow named_t self:unix_dgram_socket create_socket_perms; +allow named_t self:netlink_route_socket r_netlink_socket_perms; + +# Read sysctl kernel variables. +read_sysctl(named_t) + +# Read /proc/cpuinfo and /proc/net +r_dir_file(named_t, proc_t) +r_dir_file(named_t, proc_net_t) + +# Read /dev/random. +allow named_t device_t:dir r_dir_perms; +allow named_t random_device_t:chr_file r_file_perms; + +# Use a pipe created by self. +allow named_t self:fifo_file rw_file_perms; + +# Enable named dbus support: +ifdef(`dbusd.te', ` +dbusd_client(system, named) +domain_auto_trans(system_dbusd_t, named_exec_t, named_t) +allow named_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow named_t self:dbus send_msg; +allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg; +allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg; +ifdef(`unconfined.te', ` +allow unconfined_t named_t:dbus send_msg; +allow named_t unconfined_t:dbus send_msg; +') +') + + +# Set own capabilities. +#A type for /usr/sbin/ndc +type ndc_exec_t, file_type,sysadmfile, exec_type; +domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) +uses_shlib(ndc_t) +can_network_client_tcp(ndc_t) +allow ndc_t rndc_port_t:tcp_socket name_connect; +can_ypbind(ndc_t) +can_resolve(ndc_t) +read_locale(ndc_t) +can_tcp_connect(ndc_t, named_t) + +ifdef(`distro_redhat', ` +# for /etc/rndc.key +allow { ndc_t initrc_t } named_conf_t:dir search; +# Allow init script to cp localtime to named_conf_t +allow initrc_t named_conf_t:file { setattr write }; +allow initrc_t named_conf_t:dir create_dir_perms; +allow initrc_t var_run_t:lnk_file create_file_perms; +ifdef(`automount.te', ` +# automount has no need to search the /proc file system for the named chroot +dontaudit automount_t named_zone_t:dir search; +')dnl end ifdef automount.te +')dnl end ifdef distro_redhat + +allow { ndc_t initrc_t } named_conf_t:file { getattr read }; + +allow ndc_t etc_t:dir r_dir_perms; +allow ndc_t etc_t:file r_file_perms; +allow ndc_t self:unix_stream_socket create_stream_socket_perms; +allow ndc_t self:unix_stream_socket connect; +allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t var_t:dir search; +allow ndc_t var_run_t:dir search; +allow ndc_t named_var_run_t:sock_file rw_file_perms; +allow ndc_t named_t:unix_stream_socket connectto; +allow ndc_t { privfd init_t }:fd use; +# seems to need read as well for some reason +allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write }; +allow ndc_t fs_t:filesystem getattr; + +# Read sysctl kernel variables. +read_sysctl(ndc_t) + +allow ndc_t self:process { fork signal_perms }; +allow ndc_t self:fifo_file { read write getattr ioctl }; +allow ndc_t named_zone_t:dir search; + +# for chmod in start script +dontaudit initrc_t named_var_run_t:dir setattr; + +# for ndc_t to be used for restart shell scripts +ifdef(`ndc_shell_script', ` +system_crond_entry(ndc_exec_t, ndc_t) +allow ndc_t devtty_t:chr_file { read write ioctl }; +allow ndc_t etc_runtime_t:file { getattr read }; +allow ndc_t proc_t:dir search; +allow ndc_t proc_t:file { getattr read }; +can_exec(ndc_t, { bin_t sbin_t shell_exec_t }) +allow ndc_t named_var_run_t:file getattr; +allow ndc_t named_zone_t:dir { read getattr }; +allow ndc_t named_zone_t:file getattr; +dontaudit ndc_t sysadm_home_t:dir { getattr search read }; +') +allow ndc_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl }; diff --git a/mls/domains/program/netutils.te b/mls/domains/program/netutils.te new file mode 100644 index 0000000..8dcbdf1 --- /dev/null +++ b/mls/domains/program/netutils.te @@ -0,0 +1,64 @@ +#DESC Netutils - Network utilities +# +# Authors: Stephen Smalley +# X-Debian-Packages: netbase iputils arping tcpdump +# + +# +# Rules for the netutils_t domain. +# This domain is for network utilities that require access to +# special protocol families. +# +type netutils_t, domain, privlog; +type netutils_exec_t, file_type, sysadmfile, exec_type; +role system_r types netutils_t; +role sysadm_r types netutils_t; + +uses_shlib(netutils_t) +can_network(netutils_t) +allow netutils_t port_type:tcp_socket name_connect; +can_ypbind(netutils_t) +tmp_domain(netutils) + +domain_auto_trans(initrc_t, netutils_exec_t, netutils_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t) +') + +# Inherit and use descriptors from init. +allow netutils_t { userdomain init_t }:fd use; + +allow netutils_t self:process { fork signal_perms }; + +# Perform network administration operations and have raw access to the network. +allow netutils_t self:capability { net_admin net_raw setuid setgid }; + +# Create and use netlink sockets. +allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; + +# Create and use packet sockets. +allow netutils_t self:packet_socket create_socket_perms; + +# Create and use UDP sockets. +allow netutils_t self:udp_socket create_socket_perms; + +# Create and use TCP sockets. +allow netutils_t self:tcp_socket create_socket_perms; + +allow netutils_t self:unix_stream_socket create_socket_perms; + +# Read certain files in /etc +allow netutils_t etc_t:file r_file_perms; +read_locale(netutils_t) + +allow netutils_t fs_t:filesystem getattr; + +# Access terminals. +allow netutils_t privfd:fd use; +can_access_pty(netutils_t, initrc) +allow netutils_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;') +allow netutils_t proc_t:dir search; + +# for nscd +dontaudit netutils_t var_t:dir search; diff --git a/mls/domains/program/newrole.te b/mls/domains/program/newrole.te new file mode 100644 index 0000000..207274d --- /dev/null +++ b/mls/domains/program/newrole.te @@ -0,0 +1,24 @@ +#DESC Newrole - SELinux utility to run a shell with a new role +# +# Authors: Anthony Colatrella (NSA) +# Maintained by Stephen Smalley +# X-Debian-Packages: policycoreutils +# + +# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t +bool secure_mode false; + +type newrole_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(userdomain, newrole_exec_t, newrole_t) + +newrole_domain(newrole) + +# Write to utmp. +allow newrole_t var_run_t:dir r_dir_perms; +allow newrole_t initrc_var_run_t:file rw_file_perms; + +role secadm_r types newrole_t; + +ifdef(`targeted_policy', ` +typeattribute newrole_t unconfinedtrans; +') diff --git a/mls/domains/program/nscd.te b/mls/domains/program/nscd.te new file mode 100644 index 0000000..8e899c7 --- /dev/null +++ b/mls/domains/program/nscd.te @@ -0,0 +1,79 @@ +#DESC NSCD - Name service cache daemon cache lookup of user-name +# +# Author: Russell Coker +# X-Debian-Packages: nscd +# +define(`nscd_socket_domain', ` +can_unix_connect($1, nscd_t) +allow $1 nscd_var_run_t:sock_file rw_file_perms; +allow $1 { var_run_t var_t }:dir search; +allow $1 nscd_t:nscd { getpwd getgrp gethost }; +dontaudit $1 nscd_t:fd use; +dontaudit $1 nscd_var_run_t:dir { search getattr }; +dontaudit $1 nscd_var_run_t:file { getattr read }; +dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; +') +################################# +# +# Rules for the nscd_t domain. +# +# nscd is both the client program and the daemon. +daemon_domain(nscd, `, userspace_objmgr') + +allow nscd_t etc_t:file r_file_perms; +allow nscd_t etc_t:lnk_file read; +can_network_client(nscd_t) +allow nscd_t port_type:tcp_socket name_connect; +can_ypbind(nscd_t) + +file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file) + +allow nscd_t self:unix_stream_socket create_stream_socket_perms; + +nscd_socket_domain(nscd_client_domain) +nscd_socket_domain(daemon) + +# Clients that are allowed to map the database via a fd obtained from nscd. +nscd_socket_domain(nscd_shmem_domain) +allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms; +allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost }; +# Receive fd from nscd and map the backing file with read access. +allow nscd_shmem_domain nscd_t:fd use; + +# For client program operation, invoked from sysadm_t. +# Transition occurs to nscd_t due to direct_sysadm_daemon. +allow nscd_t self:nscd { admin getstat }; +allow nscd_t admin_tty_type:chr_file rw_file_perms; + +read_sysctl(nscd_t) +allow nscd_t self:process { getattr setsched }; +allow nscd_t self:unix_dgram_socket create_socket_perms; +allow nscd_t self:fifo_file { read write }; +allow nscd_t self:capability { kill setgid setuid net_bind_service }; + +# for when /etc/passwd has just been updated and has the wrong type +allow nscd_t shadow_t:file getattr; + +dontaudit nscd_t sysadm_home_dir_t:dir search; + +ifdef(`winbind.te', ` +# +# Handle winbind for samba, Might only be needed for targeted policy +# +allow nscd_t winbind_var_run_t:sock_file { read write getattr }; +can_unix_connect(nscd_t, winbind_t) +allow nscd_t samba_var_t:dir search; +allow nscd_t winbind_var_run_t:dir { getattr search }; +') + +r_dir_file(nscd_t, selinux_config_t) +can_getsecurity(nscd_t) +allow nscd_t self:netlink_selinux_socket create_socket_perms; +allow nscd_t self:netlink_route_socket r_netlink_socket_perms; +allow nscd_t tmp_t:dir { search getattr }; +allow nscd_t tmp_t:lnk_file read; +allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; +log_domain(nscd) +r_dir_file(nscd_t, cert_t) +allow nscd_t tun_tap_device_t:chr_file { read write }; +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/mls/domains/program/ntpd.te b/mls/domains/program/ntpd.te new file mode 100644 index 0000000..23042c4 --- /dev/null +++ b/mls/domains/program/ntpd.te @@ -0,0 +1,88 @@ +#DESC NTPD - Time synchronisation daemon +# +# Author: Russell Coker +# X-Debian-Packages: ntp ntp-simple +# + +################################# +# +# Rules for the ntpd_t domain. +# +daemon_domain(ntpd, `, nscd_client_domain') +type ntp_drift_t, file_type, sysadmfile; + +type ntpdate_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t) + +logdir_domain(ntpd) + +allow ntpd_t var_lib_t:dir r_dir_perms; +allow ntpd_t usr_t:file r_file_perms; +# reading /usr/share/ssl/cert.pem requires +allow ntpd_t usr_t:lnk_file read; +allow ntpd_t ntp_drift_t:dir rw_dir_perms; +allow ntpd_t ntp_drift_t:file create_file_perms; + +# for SSP +allow ntpd_t urandom_device_t:chr_file { getattr read }; + +# sys_resource and setrlimit is for locking memory +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; +dontaudit ntpd_t self:capability { fsetid net_admin }; +allow ntpd_t self:process { setcap setsched setrlimit }; +# ntpdate wants sys_nice + +# for some reason it creates a file in /tmp +tmp_domain(ntpd) + +allow ntpd_t etc_t:dir r_dir_perms; +allow ntpd_t etc_t:file { read getattr }; + +# Use the network. +can_network(ntpd_t) +allow ntpd_t ntp_port_t:tcp_socket name_connect; +can_ypbind(ntpd_t) +allow ntpd_t ntp_port_t:udp_socket name_bind; +allow sysadm_t ntp_port_t:udp_socket name_bind; +allow ntpd_t self:unix_dgram_socket create_socket_perms; +allow ntpd_t self:unix_stream_socket create_socket_perms; +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms; + +# so the start script can change firewall entries +allow initrc_t net_conf_t:file { getattr read ioctl }; + +# for cron jobs +# system_crond_t is not right, cron is not doing what it should +ifdef(`crond.te', ` +system_crond_entry(ntpdate_exec_t, ntpd_t) +') + +can_exec(ntpd_t, initrc_exec_t) +allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t etc_runtime_t:file r_file_perms; +can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t }) +allow ntpd_t { sbin_t bin_t }:dir search; +allow ntpd_t bin_t:lnk_file read; +read_sysctl(ntpd_t); +allow ntpd_t proc_t:file r_file_perms; +allow ntpd_t sysadm_home_dir_t:dir r_dir_perms; +allow ntpd_t self:file { getattr read }; +dontaudit ntpd_t domain:dir search; +ifdef(`logrotate.te', ` +can_exec(ntpd_t, logrotate_exec_t) +') + +allow ntpd_t devtty_t:chr_file rw_file_perms; + +can_udp_send(ntpd_t, sysadm_t) +can_udp_send(sysadm_t, ntpd_t) +can_udp_send(ntpd_t, ntpd_t) +ifdef(`firstboot.te', ` +dontaudit ntpd_t firstboot_t:fd use; +') +ifdef(`winbind.te', ` +allow ntpd_t winbind_var_run_t:dir r_dir_perms; +allow ntpd_t winbind_var_run_t:sock_file rw_file_perms; +') +# For clock devices like wwvb1 +allow ntpd_t device_t:lnk_file read; diff --git a/mls/domains/program/openct.te b/mls/domains/program/openct.te new file mode 100644 index 0000000..244fc2f --- /dev/null +++ b/mls/domains/program/openct.te @@ -0,0 +1,16 @@ +#DESC openct - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for openct +# + +daemon_domain(openct) +# +# openct asks for these +# +rw_dir_file(openct_t, usbfs_t) +allow openct_t etc_t:file r_file_perms; diff --git a/mls/domains/program/orbit.te b/mls/domains/program/orbit.te new file mode 100644 index 0000000..dad353b --- /dev/null +++ b/mls/domains/program/orbit.te @@ -0,0 +1,7 @@ +# +# ORBit related types +# +# Author: Ivan Gyurdiev +# + +# Look in orbit_macros.te diff --git a/mls/domains/program/pam.te b/mls/domains/program/pam.te new file mode 100644 index 0000000..2d71222 --- /dev/null +++ b/mls/domains/program/pam.te @@ -0,0 +1,45 @@ +#DESC Pam - PAM +# X-Debian-Packages: +# +# /sbin/pam_timestamp_check +type pam_exec_t, file_type, exec_type, sysadmfile; +type pam_t, domain, privlog, nscd_client_domain; +general_domain_access(pam_t); + +type pam_var_run_t, file_type, sysadmfile; +allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; +allow pam_t pam_var_run_t:file { getattr read unlink }; + +role system_r types pam_t; +in_user_role(pam_t) +domain_auto_trans(userdomain, pam_exec_t, pam_t) + +uses_shlib(pam_t) +# Read the devpts root directory. +allow pam_t devpts_t:dir r_dir_perms; + +# Access terminals. +allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') + +allow pam_t proc_t:dir search; +allow pam_t proc_t:{ lnk_file file } { getattr read }; + +# Read the /etc/nsswitch file +allow pam_t etc_t:file r_file_perms; + +# Read /var/run. +allow pam_t { var_t var_run_t }:dir r_dir_perms; +tmp_domain(pam) + +allow pam_t local_login_t:fd use; +dontaudit pam_t self:capability sys_tty_config; + +allow initrc_t pam_var_run_t:dir rw_dir_perms; +allow initrc_t pam_var_run_t:file { getattr read unlink }; +dontaudit pam_t initrc_var_run_t:file rw_file_perms; + +# Supress xdm denial +ifdef(`xdm.te', ` +dontaudit pam_t xdm_t:fd use; +') dnl ifdef diff --git a/mls/domains/program/pamconsole.te b/mls/domains/program/pamconsole.te new file mode 100644 index 0000000..0610063 --- /dev/null +++ b/mls/domains/program/pamconsole.te @@ -0,0 +1,52 @@ +#DESC Pamconsole - PAM console +# X-Debian-Packages: +# +# pam_console_apply + +daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite') + +type pam_var_console_t, file_type, sysadmfile; + +allow pam_console_t etc_t:file { getattr read ioctl }; +allow pam_console_t self:unix_stream_socket create_stream_socket_perms; + +# Read /etc/mtab +allow pam_console_t etc_runtime_t:file { read getattr }; + +# Read /proc/meminfo +allow pam_console_t proc_t:file { read getattr }; + +allow pam_console_t self:capability { chown fowner fsetid }; + +# Allow access to /dev/console through the fd: +allow pam_console_t console_device_t:chr_file { read write setattr }; +allow pam_console_t { kernel_t init_t }:fd use; + +# for /var/run/console.lock checking +allow pam_console_t { var_t var_run_t }:dir search; +r_dir_file(pam_console_t, pam_var_console_t) +dontaudit pam_console_t pam_var_console_t:file write; + +# Allow to set attributes on /dev entries +allow pam_console_t device_t:dir { getattr read }; +allow pam_console_t device_t:lnk_file { getattr read }; +# mouse_device_t is for joy sticks +allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr }; +allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr }; + +allow pam_console_t mnt_t:dir r_dir_perms; + +ifdef(`gpm.te', ` +allow pam_console_t gpmctl_t:sock_file { getattr setattr }; +') +ifdef(`hotplug.te', ` +dontaudit pam_console_t hotplug_etc_t:dir search; +allow pam_console_t hotplug_t:fd use; +') +ifdef(`xdm.te', ` +allow pam_console_t xdm_var_run_t:file { getattr read }; +') +allow initrc_t pam_var_console_t:dir rw_dir_perms; +allow initrc_t pam_var_console_t:file unlink; +allow pam_console_t file_context_t:file { getattr read }; +nsswitch_domain(pam_console_t) diff --git a/mls/domains/program/passwd.te b/mls/domains/program/passwd.te new file mode 100644 index 0000000..e002c09 --- /dev/null +++ b/mls/domains/program/passwd.te @@ -0,0 +1,157 @@ +#DESC Passwd - Password utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: passwd +# + +################################# +# +# Rules for the passwd_t domain. +# +define(`base_passwd_domain', ` +type $1_t, domain, privlog, $2; + +# for SSP +allow $1_t urandom_device_t:chr_file read; + +allow $1_t self:process setrlimit; + +general_domain_access($1_t); +uses_shlib($1_t); + +# Inherit and use descriptors from login. +allow $1_t privfd:fd use; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +read_locale($1_t) + +allow $1_t fs_t:filesystem getattr; + +# allow checking if a shell is executable +allow $1_t shell_exec_t:file execute; + +# Obtain contexts +can_getsecurity($1_t) + +allow $1_t etc_t:file create_file_perms; + +# read /etc/mtab +allow $1_t etc_runtime_t:file { getattr read }; + +# Allow etc_t symlinks for /etc/alternatives on Debian. +allow $1_t etc_t:lnk_file read; + +# Use capabilities. +allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write }; + +# Access terminals. +allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms; +allow $1_t devtty_t:chr_file rw_file_perms; + +dontaudit $1_t devpts_t:dir getattr; + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. +dontaudit $1_t initrc_var_run_t:file { read write }; + +# user generally runs this from their home directory, so do not audit a search +# on user home dir +dontaudit $1_t { user_home_dir_type user_home_type }:dir search; + +# When the wrong current passwd is entered, passwd, for some reason, +# attempts to access /proc and /dev, but handles failure appropriately. So +# do not audit those denials. +dontaudit $1_t { proc_t device_t }:dir { search read }; + +allow $1_t device_t:dir getattr; +read_sysctl($1_t) +') + +################################# +# +# Rules for the passwd_t domain. +# +define(`passwd_domain', ` +base_passwd_domain($1, `auth_write, privowner') +# Update /etc/shadow and /etc/passwd +file_type_auto_trans($1_t, etc_t, shadow_t, file) +allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; +can_setfscreate($1_t) +') + +passwd_domain(passwd) +passwd_domain(sysadm_passwd) +base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner') +can_setfscreate(chfn_t) + +# can exec /sbin/unix_chkpwd +allow chfn_t { bin_t sbin_t }:dir search; + +# uses unix_chkpwd for checking passwords +dontaudit chfn_t shadow_t:file read; +allow chfn_t etc_t:dir rw_dir_perms; +allow chfn_t etc_t:file create_file_perms; +allow chfn_t proc_t:file { getattr read }; +allow chfn_t self:file write; + +in_user_role(passwd_t) +in_user_role(chfn_t) +role sysadm_r types passwd_t; +role sysadm_r types sysadm_passwd_t; +role sysadm_r types chfn_t; +role system_r types passwd_t; +role system_r types chfn_t; + +type admin_passwd_exec_t, file_type, sysadmfile; +type passwd_exec_t, file_type, sysadmfile, exec_type; +type chfn_exec_t, file_type, sysadmfile, exec_type; + +domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t) +domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t) +domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t) + +dontaudit chfn_t var_t:dir search; + +ifdef(`crack.te', ` +allow passwd_t var_t:dir search; +dontaudit passwd_t var_run_t:dir search; +allow passwd_t crack_db_t:dir r_dir_perms; +allow passwd_t crack_db_t:file r_file_perms; +', ` +dontaudit passwd_t var_t:dir search; +') + +# allow vipw to exec the editor +allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search; +allow sysadm_passwd_t bin_t:lnk_file read; +can_exec(sysadm_passwd_t, { shell_exec_t bin_t }) +r_dir_file(sysadm_passwd_t, usr_t) + +# allow vipw to create temporary files under /var/tmp/vi.recover +allow sysadm_passwd_t var_t:dir search; +tmp_domain(sysadm_passwd) +# for vipw - vi looks in the root home directory for config +dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search }; +# for /etc/alternatives/vi +allow sysadm_passwd_t etc_t:lnk_file read; + +# for nscd lookups +dontaudit sysadm_passwd_t var_run_t:dir search; + +# for /proc/meminfo +allow sysadm_passwd_t proc_t:file { getattr read }; + +dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search; +dontaudit sysadm_passwd_t devpts_t:dir search; + +# make sure that getcon succeeds +allow passwd_t userdomain:dir search; +allow passwd_t userdomain:file { getattr read }; +allow passwd_t userdomain:process getattr; + +allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +ifdef(`targeted_policy', ` +role system_r types sysadm_passwd_t; +allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; +') diff --git a/mls/domains/program/pegasus.te b/mls/domains/program/pegasus.te new file mode 100644 index 0000000..3272074 --- /dev/null +++ b/mls/domains/program/pegasus.te @@ -0,0 +1,36 @@ +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server +# +# Author: Jason Vas Dias +# Package: tog-pegasus +# +################################# +# +# Rules for the pegasus domain +# +daemon_domain(pegasus, `, nscd_client_domain, auth_chkpwd') +type pegasus_data_t, file_type, sysadmfile; +type pegasus_conf_t, file_type, sysadmfile; +typealias sbin_t alias pegasus_conf_exec_t; +type pegasus_mof_t, file_type, sysadmfile; +allow pegasus_t self:capability { dac_override net_bind_service audit_write }; +can_network_tcp(pegasus_t); +nsswitch_domain(pegasus_t); +allow pegasus_t pegasus_var_run_t:sock_file { create setattr }; +allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +allow pegasus_t self:file { read getattr }; +allow pegasus_t self:fifo_file rw_file_perms; +allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect }; +allow pegasus_t proc_t:file { getattr read }; +allow pegasus_t sysctl_vm_t:dir search; +allow pegasus_t initrc_var_run_t:file { read write lock }; +allow pegasus_t urandom_device_t:chr_file { getattr read }; +r_dir_file(pegasus_t, etc_t) +r_dir_file(pegasus_t, var_lib_t) +r_dir_file(pegasus_t, pegasus_mof_t) +allow pegasus_t pegasus_conf_t:file { link unlink }; +r_dir_file(pegasus_t, pegasus_conf_t) +file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t) +rw_dir_create_file(pegasus_t, pegasus_data_t) +dontaudit pegasus_t selinux_config_t:dir search; diff --git a/mls/domains/program/ping.te b/mls/domains/program/ping.te new file mode 100644 index 0000000..0a0d94c --- /dev/null +++ b/mls/domains/program/ping.te @@ -0,0 +1,63 @@ +#DESC Ping - Send ICMP messages to network hosts +# +# Author: David A. Wheeler +# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2 +# + +################################# +# +# Rules for the ping_t domain. +# +# ping_t is the domain for the ping program. +# ping_exec_t is the type of the corresponding program. +# +type ping_t, domain, privlog, nscd_client_domain; +role sysadm_r types ping_t; +role system_r types ping_t; +in_user_role(ping_t) +type ping_exec_t, file_type, sysadmfile, exec_type; + +ifdef(`targeted_policy', ` + allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms; +', ` +bool user_ping false; + +if (user_ping) { + domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) + # allow access to the terminal + allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms; + ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') +} +') + +# Transition into this domain when you run this program. +domain_auto_trans(sysadm_t, ping_exec_t, ping_t) +domain_auto_trans(initrc_t, ping_exec_t, ping_t) + +uses_shlib(ping_t) +can_network_client(ping_t) +can_resolve(ping_t) +can_ypbind(ping_t) +allow ping_t etc_t:file { getattr read }; +allow ping_t self:unix_stream_socket create_socket_perms; + +# Let ping create raw ICMP packets. +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; + +# Use capabilities. +allow ping_t self:capability { net_raw setuid }; + +# Access the terminal. +allow ping_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') +allow ping_t privfd:fd use; +dontaudit ping_t fs_t:filesystem getattr; + +# it tries to access /var/run +dontaudit ping_t var_t:dir search; +dontaudit ping_t devtty_t:chr_file { read write }; +dontaudit ping_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms', ` +dontaudit ping_t init_t:fd use; +') + diff --git a/mls/domains/program/portmap.te b/mls/domains/program/portmap.te new file mode 100644 index 0000000..54cad6f --- /dev/null +++ b/mls/domains/program/portmap.te @@ -0,0 +1,71 @@ +#DESC Portmap - Maintain RPC program number map +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: portmap +# + + + +################################# +# +# Rules for the portmap_t domain. +# +daemon_domain(portmap, `, nscd_client_domain') + +can_network(portmap_t) +allow portmap_t port_type:tcp_socket name_connect; +can_ypbind(portmap_t) +allow portmap_t self:unix_dgram_socket create_socket_perms; +allow portmap_t self:unix_stream_socket create_stream_socket_perms; + +tmp_domain(portmap) + +allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind; + +# portmap binds to arbitary ports +allow portmap_t port_t:{ udp_socket tcp_socket } name_bind; +allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind; + +allow portmap_t etc_t:file { getattr read }; + +# Send to ypbind, initrc, rpc.statd, xinetd. +ifdef(`ypbind.te', +`can_udp_send(portmap_t, ypbind_t)') +can_udp_send(portmap_t, { initrc_t init_t }) +can_udp_send(init_t, portmap_t) +ifdef(`rpcd.te', +`can_udp_send(portmap_t, rpcd_t)') +ifdef(`inetd.te', +`can_udp_send(portmap_t, inetd_t)') +ifdef(`lpd.te', +`can_udp_send(portmap_t, lpd_t)') +ifdef(`tcpd.te', ` +can_udp_send(tcpd_t, portmap_t) +') +can_udp_send(portmap_t, kernel_t) +can_udp_send(kernel_t, portmap_t) +can_udp_send(sysadm_t, portmap_t) +can_udp_send(portmap_t, sysadm_t) + +# Use capabilities +allow portmap_t self:capability { net_bind_service setuid setgid }; +allow portmap_t self:netlink_route_socket r_netlink_socket_perms; + +application_domain(portmap_helper) +role system_r types portmap_helper_t; +domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t) +dontaudit portmap_helper_t self:capability { net_admin }; +allow portmap_helper_t self:capability { net_bind_service }; +allow portmap_helper_t initrc_var_run_t:file rw_file_perms; +file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file) +allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; +can_network(portmap_helper_t) +allow portmap_helper_t port_type:tcp_socket name_connect; +can_ypbind(portmap_helper_t) +dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms; +allow portmap_helper_t etc_t:file { getattr read }; +dontaudit portmap_helper_t { userdomain privfd }:fd use; +allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --git a/mls/domains/program/postfix.te b/mls/domains/program/postfix.te new file mode 100644 index 0000000..4f85e81 --- /dev/null +++ b/mls/domains/program/postfix.te @@ -0,0 +1,373 @@ +#DESC Postfix - Mail server +# +# Author: Russell Coker +# X-Debian-Packages: postfix +# Depends: mta.te +# + +# Type for files created during execution of postfix. +type postfix_var_run_t, file_type, sysadmfile, pidfile; + +type postfix_etc_t, file_type, sysadmfile; +type postfix_exec_t, file_type, sysadmfile, exec_type; +type postfix_public_t, file_type, sysadmfile; +type postfix_private_t, file_type, sysadmfile; +type postfix_spool_t, file_type, sysadmfile; +type postfix_spool_maildrop_t, file_type, sysadmfile; +type postfix_spool_flush_t, file_type, sysadmfile; +type postfix_prng_t, file_type, sysadmfile; + +# postfix needs this for newaliases +allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; + +################################# +# +# Rules for the postfix_$1_t domain. +# +# postfix_$1_exec_t is the type of the postfix_$1 executables. +# +define(`postfix_domain', ` +daemon_core_rules(postfix_$1, `$2') +allow postfix_$1_t self:process setpgid; +allow postfix_$1_t postfix_master_t:process sigchld; +allow postfix_master_t postfix_$1_t:process signal; + +allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; +allow postfix_$1_t postfix_etc_t:file r_file_perms; +read_locale(postfix_$1_t) +allow postfix_$1_t etc_t:file { getattr read }; +allow postfix_$1_t self:unix_dgram_socket create_socket_perms; +allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_$1_t self:unix_stream_socket connectto; + +allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; +allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; +allow postfix_$1_t shell_exec_t:file rx_file_perms; +allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; +allow postfix_$1_t postfix_exec_t:file rx_file_perms; +allow postfix_$1_t devtty_t:chr_file rw_file_perms; +allow postfix_$1_t etc_runtime_t:file r_file_perms; +allow postfix_$1_t proc_t:dir r_dir_perms; +allow postfix_$1_t proc_t:file r_file_perms; +allow postfix_$1_t postfix_exec_t:dir r_dir_perms; +allow postfix_$1_t fs_t:filesystem getattr; +allow postfix_$1_t proc_net_t:dir search; +allow postfix_$1_t proc_net_t:file { getattr read }; +can_exec(postfix_$1_t, postfix_$1_exec_t) +r_dir_file(postfix_$1_t, cert_t) +allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr }; + +allow postfix_$1_t tmp_t:dir getattr; + +file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file) + +read_sysctl(postfix_$1_t) + +')dnl end postfix_domain + +ifdef(`crond.te', +`allow system_mail_t crond_t:tcp_socket { read write create };') + +postfix_domain(master, `, mail_server_domain') +rhgb_domain(postfix_master_t) + +# for a find command +dontaudit postfix_master_t security_t:dir search; + +read_sysctl(postfix_master_t) + +ifdef(`targeted_policy', ` +bool postfix_disable_trans false; +if (!postfix_disable_trans) { +') +domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) +allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; + +domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) +allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; +ifdef(`targeted_policy', `', ` +role_transition sysadm_r postfix_master_exec_t system_r; +') +allow postfix_master_t postfix_etc_t:file rw_file_perms; +dontaudit postfix_master_t admin_tty_type:chr_file { read write }; +allow postfix_master_t devpts_t:dir search; + +domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) +allow system_mail_t sysadm_t:process sigchld; +allow system_mail_t privfd:fd use; + +ifdef(`pppd.te', ` +domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) +') + +ifdef(`targeted_policy', ` +} +') + +allow postfix_master_t privfd:fd use; +ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') +allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms; + +# postfix does a "find" on startup for some reason - keep it quiet +dontaudit postfix_master_t selinux_config_t:dir search; +can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) +ifdef(`distro_redhat', ` +# compatability for old default main.cf +file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) +# for newer main.cf that uses /etc/aliases +file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t) +') +file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) +allow postfix_master_t sendmail_exec_t:file r_file_perms; +allow postfix_master_t sbin_t:lnk_file { getattr read }; + +can_exec(postfix_master_t, { ls_exec_t sbin_t }) +allow postfix_master_t self:fifo_file rw_file_perms; +allow postfix_master_t usr_t:file r_file_perms; +can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t postfix_public_t:fifo_file create_file_perms; +allow postfix_master_t postfix_public_t:sock_file create_file_perms; +allow postfix_master_t postfix_public_t:dir rw_dir_perms; +allow postfix_master_t postfix_private_t:dir rw_dir_perms; +allow postfix_master_t postfix_private_t:sock_file create_file_perms; +allow postfix_master_t postfix_private_t:fifo_file create_file_perms; +can_network(postfix_master_t) +allow postfix_master_t port_type:tcp_socket name_connect; +can_ypbind(postfix_master_t) +allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind; +allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; +allow postfix_master_t postfix_prng_t:file getattr; +allow postfix_master_t privfd:fd use; +allow postfix_master_t etc_aliases_t:file rw_file_perms; +allow postfix_master_t var_lib_t:dir search; + +ifdef(`saslauthd.te',` +allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr }; +allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write }; +can_unix_connect(postfix_smtpd_t,saslauthd_t) +') + +create_dir_file(postfix_master_t, postfix_spool_flush_t) +allow postfix_master_t postfix_prng_t:file rw_file_perms; +# for ls to get the current context +allow postfix_master_t self:file { getattr read }; + +# allow access to deferred queue and allow removing bogus incoming entries +allow postfix_master_t postfix_spool_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_t:file create_file_perms; + +dontaudit postfix_master_t man_t:dir search; + +define(`postfix_server_domain', ` +postfix_domain($1, `$2') +domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) +allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow postfix_$1_t self:capability { setuid setgid dac_override }; +can_network_client(postfix_$1_t) +allow postfix_$1_t port_type:tcp_socket name_connect; +can_ypbind(postfix_$1_t) +') + +postfix_server_domain(smtp, `, mail_server_sender') +allow postfix_smtp_t postfix_spool_t:file rw_file_perms; +allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; +allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; +allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; +# if you have two different mail servers on the same host let them talk via +# SMTP, also if one mail server wants to talk to itself then allow it and let +# the SMTP protocol sort it out (SE Linux is not to prevent mail server +# misconfiguration) +can_tcp_connect(postfix_smtp_t, mail_server_domain) + +postfix_server_domain(smtpd) +allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; +allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; +allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; +allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; +# for OpenSSL certificates +r_dir_file(postfix_smtpd_t,usr_t) +allow postfix_smtpd_t etc_aliases_t:file r_file_perms; +allow postfix_smtpd_t self:file { getattr read }; + +# for prng_exch +allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; + +allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; + +postfix_server_domain(local, `, mta_delivery_agent') +ifdef(`procmail.te', ` +domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) +# for a bug in the postfix local program +dontaudit procmail_t postfix_local_t:tcp_socket { read write }; +dontaudit procmail_t postfix_master_t:fd use; +') +allow postfix_local_t etc_aliases_t:file r_file_perms; +allow postfix_local_t self:fifo_file rw_file_perms; +allow postfix_local_t self:process { setsched setrlimit }; +allow postfix_local_t postfix_spool_t:file rw_file_perms; +# for .forward - maybe we need a new type for it? +allow postfix_local_t postfix_private_t:dir search; +allow postfix_local_t postfix_private_t:sock_file rw_file_perms; +allow postfix_local_t postfix_master_t:unix_stream_socket connectto; +allow postfix_local_t postfix_public_t:dir search; +allow postfix_local_t postfix_public_t:sock_file write; +tmp_domain(postfix_local) +can_exec(postfix_local_t,{ shell_exec_t bin_t }) +ifdef(`spamc.te', ` +can_exec(postfix_local_t, spamc_exec_t) +') +allow postfix_local_t mail_spool_t:dir { remove_name }; +allow postfix_local_t mail_spool_t:file { unlink }; +# For reading spamassasin +r_dir_file(postfix_local_t, etc_mail_t) + +define(`postfix_public_domain',` +postfix_server_domain($1) +allow postfix_$1_t postfix_public_t:dir search; +') + +postfix_public_domain(cleanup) +create_dir_file(postfix_cleanup_t, postfix_spool_t) +allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; +allow postfix_cleanup_t postfix_private_t:dir search; +allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; +allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; +allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; +allow postfix_cleanup_t self:process setrlimit; + +allow user_mail_domain postfix_spool_t:dir r_dir_perms; +allow user_mail_domain postfix_etc_t:dir r_dir_perms; +allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; +allow user_mail_domain self:capability dac_override; + +define(`postfix_user_domain', ` +postfix_domain($1, `$2') +domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) +in_user_role(postfix_$1_t) +role sysadm_r types postfix_$1_t; +allow postfix_$1_t userdomain:process sigchld; +allow postfix_$1_t userdomain:fifo_file { write getattr }; +allow postfix_$1_t { userdomain privfd }:fd use; +allow postfix_$1_t self:capability dac_override; +') + +postfix_user_domain(postqueue) +allow postfix_postqueue_t postfix_public_t:dir search; +allow postfix_postqueue_t postfix_public_t:fifo_file getattr; +allow postfix_postqueue_t self:udp_socket { create ioctl }; +allow postfix_postqueue_t self:tcp_socket create; +allow postfix_master_t postfix_postqueue_exec_t:file getattr; +domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) +allow postfix_postqueue_t initrc_t:process sigchld; +allow postfix_postqueue_t initrc_t:fd use; + +# to write the mailq output, it really should not need read access! +allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; +ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;') + +# wants to write to /var/spool/postfix/public/showq +allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; +allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; +# write to /var/spool/postfix/public/qmgr +allow postfix_postqueue_t postfix_public_t:fifo_file write; +dontaudit postfix_postqueue_t net_conf_t:file r_file_perms; + +postfix_user_domain(showq) +# the following auto_trans is usually in postfix server domain +domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +can_resolve(postfix_showq_t) +r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) +domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) +allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; +allow postfix_showq_t postfix_spool_t:file r_file_perms; +allow postfix_showq_t self:tcp_socket create_socket_perms; +allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; +dontaudit postfix_showq_t net_conf_t:file r_file_perms; + +postfix_user_domain(postdrop, `, mta_user_agent') +can_resolve(postfix_postdrop_t) +allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; +allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; +allow postfix_postdrop_t postfix_public_t:dir search; +allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; +dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; +dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; +allow postfix_master_t postfix_postdrop_exec_t:file getattr; +ifdef(`crond.te', +`allow postfix_postdrop_t { crond_t system_crond_t }:fd use; +allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') +# usually it does not need a UDP socket +allow postfix_postdrop_t self:udp_socket create_socket_perms; +allow postfix_postdrop_t self:tcp_socket create; +allow postfix_postdrop_t self:capability sys_resource; +allow postfix_postdrop_t self:tcp_socket create; + +postfix_public_domain(pickup) +allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; +allow postfix_pickup_t postfix_private_t:dir search; +allow postfix_pickup_t postfix_private_t:sock_file write; +allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; +allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; +allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; +allow postfix_pickup_t self:tcp_socket create_socket_perms; + +postfix_public_domain(qmgr) +allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_qmgr_t postfix_public_t:sock_file write; +allow postfix_qmgr_t postfix_private_t:dir search; +allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; +allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto; + +# for /var/spool/postfix/active +create_dir_file(postfix_qmgr_t, postfix_spool_t) + +postfix_public_domain(bounce) +type postfix_spool_bounce_t, file_type, sysadmfile; +create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) +create_dir_file(postfix_bounce_t, postfix_spool_t) +allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_bounce_t:file getattr; +allow postfix_bounce_t self:capability dac_read_search; +allow postfix_bounce_t postfix_public_t:sock_file write; +allow postfix_bounce_t self:tcp_socket create_socket_perms; + +r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t) + +postfix_public_domain(pipe) +allow postfix_pipe_t postfix_spool_t:dir search; +allow postfix_pipe_t postfix_spool_t:file rw_file_perms; +allow postfix_pipe_t self:fifo_file { read write }; +allow postfix_pipe_t postfix_private_t:dir search; +allow postfix_pipe_t postfix_private_t:sock_file write; +ifdef(`procmail.te', ` +domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) +') +ifdef(`sendmail.te', ` +r_dir_file(sendmail_t, postfix_etc_t) +allow sendmail_t postfix_spool_t:dir search; +') + +# Program for creating database files +application_domain(postfix_map) +base_file_read_access(postfix_map_t) +allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; +tmp_domain(postfix_map) +create_dir_file(postfix_map_t, postfix_etc_t) +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +dontaudit postfix_map_t proc_t:dir { getattr read search }; +dontaudit postfix_map_t local_login_t:fd use; +allow postfix_master_t postfix_map_exec_t:file rx_file_perms; +read_locale(postfix_map_t) +allow postfix_map_t self:capability setgid; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +dontaudit postfix_map_t var_t:dir search; +can_network_server(postfix_map_t) +allow postfix_map_t port_type:tcp_socket name_connect; diff --git a/mls/domains/program/postgresql.te b/mls/domains/program/postgresql.te new file mode 100644 index 0000000..8ab14d0 --- /dev/null +++ b/mls/domains/program/postgresql.te @@ -0,0 +1,145 @@ +#DESC Postgresql - Database server +# +# Author: Russell Coker +# X-Debian-Packages: postgresql +# + +################################# +# +# Rules for the postgresql_t domain. +# +# postgresql_exec_t is the type of the postgresql executable. +# +daemon_domain(postgresql) +allow initrc_t postgresql_exec_t:lnk_file read; +allow postgresql_t usr_t:file { getattr read }; + +allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; + +ifdef(`distro_debian', ` +can_exec(postgresql_t, initrc_exec_t) +# gross hack +domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) +can_exec(postgresql_t, dpkg_exec_t) +') + +dontaudit postgresql_t sysadm_home_dir_t:dir search; + +# quiet ps and killall +dontaudit postgresql_t domain:dir { getattr search }; + +# for currect directory of scripts +allow postgresql_t { var_spool_t cron_spool_t }:dir search; + +# capability kill is for shutdown script +allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }; +dontaudit postgresql_t self:capability sys_admin; + +etcdir_domain(postgresql) +type postgresql_db_t, file_type, sysadmfile; + +logdir_domain(postgresql) + +ifdef(`crond.te', ` +# allow crond to find /usr/lib/postgresql/bin/do.maintenance +allow crond_t postgresql_db_t:dir search; +system_crond_entry(postgresql_exec_t, postgresql_t) +') + +tmp_domain(postgresql, `', `{ dir file sock_file }') +file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) + +# Use the network. +can_network(postgresql_t) +allow postgresql_t self:fifo_file { getattr read write ioctl }; +allow postgresql_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(postgresql_t, self) +allow postgresql_t self:unix_dgram_socket create_socket_perms; + +allow postgresql_t self:shm create_shm_perms; + +ifdef(`targeted_policy', `', ` +bool allow_user_postgresql_connect false; + +if (allow_user_postgresql_connect) { +# allow any user domain to connect to the database server +can_tcp_connect(userdomain, postgresql_t) +allow userdomain postgresql_t:unix_stream_socket connectto; +allow userdomain postgresql_var_run_t:sock_file write; +allow userdomain postgresql_tmp_t:sock_file write; +} +') +ifdef(`consoletype.te', ` +can_exec(postgresql_t, consoletype_exec_t) +') + +ifdef(`hostname.te', ` +can_exec(postgresql_t, hostname_exec_t) +') + +allow postgresql_t postgresql_port_t:tcp_socket name_bind; +allow postgresql_t auth_port_t:tcp_socket name_connect; + +allow postgresql_t { proc_t self }:file { getattr read }; + +# Allow access to the postgresql databases +create_dir_file(postgresql_t, postgresql_db_t) +file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t) +allow postgresql_t var_lib_t:dir { getattr search }; + +# because postgresql start scripts are broken and put the pid file in the DB +# directory +rw_dir_file(initrc_t, postgresql_db_t) + +# read config files +allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; +r_dir_file(initrc_t, postgresql_etc_t) + +allow postgresql_t etc_t:dir rw_dir_perms; + +read_sysctl(postgresql_t) + +allow postgresql_t devtty_t:chr_file { read write }; +allow postgresql_t devpts_t:dir search; + +allow postgresql_t { bin_t sbin_t }:dir search; +allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read }; +allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; + +allow postgresql_t self:sem create_sem_perms; + +allow postgresql_t initrc_var_run_t:file { getattr read lock }; +dontaudit postgresql_t selinux_config_t:dir search; +allow postgresql_t mail_spool_t:dir search; +lock_domain(postgresql) +can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) +ifdef(`apache.te', ` +# +# Allow httpd to work with postgresql +# +allow httpd_t postgresql_tmp_t:sock_file rw_file_perms; +can_unix_connect(httpd_t, postgresql_t) +') + +ifdef(`distro_gentoo', ` +# "su - postgres ..." is called from initrc_t +allow initrc_su_t postgresql_db_t:dir search; +allow postgresql_t initrc_su_t:process sigchld; +dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; +') + +dontaudit postgresql_t home_root_t:dir search; +allow postgresql_t urandom_device_t:chr_file { getattr read }; + +if (allow_execmem) { +allow postgresql_t self:process execmem; +} + +authentication_domain(postgresql_t) +# +# postgresql has pam support +# +bool allow_postgresql_use_pam false; +if (allow_postgresql_use_pam) { +domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t) +} diff --git a/mls/domains/program/pppd.te b/mls/domains/program/pppd.te new file mode 100644 index 0000000..33b9b8f --- /dev/null +++ b/mls/domains/program/pppd.te @@ -0,0 +1,153 @@ +#DESC PPPD - PPP daemon +# +# Author: Russell Coker +# X-Debian-Packages: ppp +# + +################################# +# +# Rules for the pppd_t domain, et al. +# +# pppd_t is the domain for the pppd program. +# pppd_exec_t is the type of the pppd executable. +# pppd_secret_t is the type of the pap and chap password files +# +bool pppd_for_user false; + +daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain') +type pppd_secret_t, file_type, sysadmfile; + +# Define a separate type for /etc/ppp +etcdir_domain(pppd) +# Define a separate type for writable files under /etc/ppp +type pppd_etc_rw_t, file_type, sysadmfile; +# Automatically label newly created files under /etc/ppp with this type +file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) + +# for SSP +allow pppd_t urandom_device_t:chr_file read; + +allow pppd_t sysfs_t:dir search; + +log_domain(pppd) + +# Use the network. +can_network_server(pppd_t) +can_ypbind(pppd_t) + +# Use capabilities. +allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module }; +lock_domain(pppd) + +# Access secret files +allow pppd_t pppd_secret_t:file r_file_perms; + +ifdef(`postfix.te', ` +allow pppd_t postfix_etc_t:dir search; +allow pppd_t postfix_etc_t:file r_file_perms; +allow pppd_t postfix_master_exec_t:file { getattr read }; +allow postfix_postqueue_t pppd_t:fd use; +allow postfix_postqueue_t pppd_t:process sigchld; +') + +# allow running ip-up and ip-down scripts and running chat. +can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) +allow pppd_t { bin_t sbin_t }:dir search; +allow pppd_t { sbin_t bin_t }:lnk_file read; +allow ifconfig_t pppd_t:fd use; + +# Access /dev/ppp. +allow pppd_t ppp_device_t:chr_file rw_file_perms; +allow pppd_t devtty_t:chr_file { read write }; + +allow pppd_t self:unix_dgram_socket create_socket_perms; +allow pppd_t self:unix_stream_socket create_socket_perms; + +allow pppd_t proc_t:dir search; +allow pppd_t proc_t:{ file lnk_file } r_file_perms; +allow pppd_t proc_net_t:dir { read search }; +allow pppd_t proc_net_t:file r_file_perms; + +allow pppd_t etc_runtime_t:file r_file_perms; + +allow pppd_t self:socket create_socket_perms; + +allow pppd_t tty_device_t:chr_file { setattr rw_file_perms }; + +allow pppd_t devpts_t:dir search; +allow pppd_t devpts_t:chr_file ioctl; + +# for scripts +allow pppd_t self:fifo_file rw_file_perms; +allow pppd_t etc_t:lnk_file read; + +# for ~/.ppprc - if it actually exists then you need some policy to read it +allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; + +in_user_role(pppd_t) +if (pppd_for_user) { +# Run pppd in pppd_t by default for user +domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t) +allow unpriv_userdomain pppd_t:process signal; +} + +# for pppoe +can_create_pty(pppd) +allow pppd_t self:file { read getattr }; + +allow pppd_t self:packet_socket create_socket_perms; + +file_type_auto_trans(pppd_t, etc_t, net_conf_t, file) +tmp_domain(pppd) +allow pppd_t sysctl_net_t:dir search; +allow pppd_t sysctl_net_t:file r_file_perms; +allow pppd_t self:netlink_route_socket r_netlink_socket_perms; +allow pppd_t initrc_var_run_t:file r_file_perms; +dontaudit pppd_t initrc_var_run_t:file { lock write }; + +# pppd needs to load kernel modules for certain modems +ifdef(`modutil.te', ` +bool pppd_can_insmod false; +typeattribute ifconfig_t privsysmod; + +if (pppd_can_insmod && !secure_mode_insmod) { +domain_auto_trans(pppd_t, insmod_exec_t, insmod_t) +allow ifconfig_t self:capability sys_module; +} + +') + +daemon_domain(pptp, `, nscd_client_domain') +can_network_client_tcp(pptp_t) +allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect; +can_exec(pptp_t, hostname_exec_t) +domain_auto_trans(pppd_t, pptp_exec_t, pptp_t) +allow pptp_t self:rawip_socket create_socket_perms; +allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow pptp_t self:unix_dgram_socket create_socket_perms; +can_exec(pptp_t, pppd_etc_rw_t) +allow pptp_t devpts_t:dir search; +allow pptp_t pppd_devpts_t:chr_file rw_file_perms; +allow pptp_t devpts_t:chr_file ioctl; +r_dir_file(pptp_t, pppd_etc_rw_t) +r_dir_file(pptp_t, pppd_etc_t) +allow pppd_t pptp_t:process signal; +allow pptp_t self:capability net_raw; +allow pptp_t self:fifo_file { read write }; +allow pptp_t ptmx_t:chr_file rw_file_perms; +log_domain(pptp) + +# Fix sockets +allow pptp_t pptp_var_run_t:sock_file create_file_perms; + +# Allow pptp to append to pppd log files +allow pptp_t pppd_log_t:file append; + +ifdef(`named.te', ` +dontaudit ndc_t pppd_t:fd use; +') + +# Allow /etc/ppp/ip-{up,down} to run most anything +type pppd_script_exec_t, file_type, sysadmfile; +domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) +allow pppd_t initrc_t:process noatsecure; diff --git a/mls/domains/program/prelink.te b/mls/domains/program/prelink.te new file mode 100644 index 0000000..3ffa0d7 --- /dev/null +++ b/mls/domains/program/prelink.te @@ -0,0 +1,50 @@ +#DESC PRELINK - Security Enhanced version of the GNU Prelink +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the prelink_t domain. +# +# prelink_exec_t is the type of the prelink executable. +# +daemon_base_domain(prelink, `, admin, privowner') + +allow prelink_t self:process { execheap execmem execstack }; +allow prelink_t texrel_shlib_t:file execmod; +allow prelink_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(prelink_exec_t, prelink_t) +allow system_crond_t prelink_log_t:dir rw_dir_perms; +allow system_crond_t prelink_log_t:file create_file_perms; +allow system_crond_t prelink_cache_t:file { getattr read unlink }; +allow prelink_t crond_log_t:file append; +') + +logdir_domain(prelink) +type etc_prelink_t, file_type, sysadmfile; +type var_lock_prelink_t, file_type, sysadmfile, lockfile; + +allow prelink_t etc_prelink_t:file { getattr read }; +allow prelink_t file_type:dir rw_dir_perms; +allow prelink_t file_type:lnk_file r_file_perms; +allow prelink_t file_type:file getattr; +allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom }; +allow prelink_t ld_so_t:file execute_no_trans; + +allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:fifo_file rw_file_perms; +allow prelink_t self:file { getattr read }; +dontaudit prelink_t sysctl_kernel_t:dir search; +dontaudit prelink_t sysctl_t:dir search; +allow prelink_t etc_runtime_t:file { getattr read }; +read_locale(prelink_t) +allow prelink_t urandom_device_t:chr_file read; +allow prelink_t proc_t:file { getattr read }; +# +# prelink_cache_t is the type of /etc/prelink.cache. +# +type prelink_cache_t, file_type, sysadmfile; +file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file) diff --git a/mls/domains/program/privoxy.te b/mls/domains/program/privoxy.te new file mode 100644 index 0000000..b8a522d --- /dev/null +++ b/mls/domains/program/privoxy.te @@ -0,0 +1,27 @@ +#DESC privoxy - privacy enhancing proxy +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the privoxy_t domain. +# +daemon_domain(privoxy, `, web_client_domain') + +logdir_domain(privoxy) + +# Use capabilities. +allow privoxy_t self:capability net_bind_service; + +# Use the network. +can_network_tcp(privoxy_t) +can_ypbind(privoxy_t) +can_resolve(privoxy_t) +allow privoxy_t http_cache_port_t:tcp_socket name_bind; +allow privoxy_t etc_t:file { getattr read }; +allow privoxy_t self:capability { setgid setuid }; +allow privoxy_t self:unix_stream_socket create_socket_perms ; +allow privoxy_t admin_tty_type:chr_file { read write }; + diff --git a/mls/domains/program/procmail.te b/mls/domains/program/procmail.te new file mode 100644 index 0000000..7616e34 --- /dev/null +++ b/mls/domains/program/procmail.te @@ -0,0 +1,92 @@ +#DESC Procmail - Mail delivery agent for mail servers +# +# Author: Russell Coker +# X-Debian-Packages: procmail +# + +################################# +# +# Rules for the procmail_t domain. +# +# procmail_exec_t is the type of the procmail executable. +# +# privhome only works until we define a different type for maildir +type procmail_t, domain, privlog, privhome, nscd_client_domain; +type procmail_exec_t, file_type, sysadmfile, exec_type; + +role system_r types procmail_t; + +uses_shlib(procmail_t) +allow procmail_t device_t:dir search; +can_network(procmail_t) +nsswitch_domain(procmail_t) +allow procmail_t spamd_port_t:tcp_socket name_connect; + +allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; + +allow procmail_t etc_t:dir r_dir_perms; +allow procmail_t { etc_t etc_runtime_t }:file { getattr read }; +allow procmail_t etc_t:lnk_file read; +read_locale(procmail_t) +read_sysctl(procmail_t) + +allow procmail_t sysctl_t:dir search; + +allow procmail_t self:process { setsched fork sigchld signal }; +dontaudit procmail_t sbin_t:dir { getattr search }; +can_exec(procmail_t, { bin_t shell_exec_t }) +allow procmail_t bin_t:dir { getattr search }; +allow procmail_t bin_t:lnk_file read; +allow procmail_t self:fifo_file rw_file_perms; + +allow procmail_t self:unix_stream_socket create_socket_perms; +allow procmail_t self:unix_dgram_socket create_socket_perms; + +# for /var/mail +rw_dir_create_file(procmail_t, mail_spool_t) + +allow procmail_t var_t:dir { getattr search }; +allow procmail_t var_spool_t:dir r_dir_perms; + +allow procmail_t fs_t:filesystem getattr; +allow procmail_t { self proc_t }:dir search; +allow procmail_t proc_t:file { getattr read }; +allow procmail_t { self proc_t }:lnk_file read; + +# for if /var/mail is a symlink to /var/spool/mail +#allow procmail_t mail_spool_t:lnk_file r_file_perms; + +# for spamassasin +allow procmail_t usr_t:file { getattr ioctl read }; +ifdef(`spamassassin.te', ` +can_exec(procmail_t, spamassassin_exec_t) +allow procmail_t port_t:udp_socket name_bind; +allow procmail_t tmp_t:dir getattr; +') +ifdef(`spamc.te', ` +can_exec(procmail_t, spamc_exec_t) +') + +ifdef(`targeted_policy', ` +allow procmail_t port_t:udp_socket name_bind; +allow procmail_t tmp_t:dir getattr; +') + +# Search /var/run. +allow procmail_t var_run_t:dir { getattr search }; + +# Do not audit attempts to access /root. +dontaudit procmail_t sysadm_home_dir_t:dir { getattr search }; + +allow procmail_t devtty_t:chr_file { read write }; + +allow procmail_t urandom_device_t:chr_file { getattr read }; + +ifdef(`sendmail.te', ` +r_dir_file(procmail_t, etc_mail_t) +allow procmail_t sendmail_t:tcp_socket { read write }; +') + +ifdef(`hide_broken_symptoms', ` +dontaudit procmail_t mqueue_spool_t:file { getattr read write }; +') diff --git a/mls/domains/program/quota.te b/mls/domains/program/quota.te new file mode 100644 index 0000000..7374053 --- /dev/null +++ b/mls/domains/program/quota.te @@ -0,0 +1,59 @@ +#DESC Quota - File system quota management utilities +# +# Author: Russell Coker +# X-Debian-Packages: quota quotatool +# + +################################# +# +# Rules for the quota_t domain. +# +# needs auth attribute because it has read access to shadow_t because checkquota +# is buggy +daemon_base_domain(quota, `, auth, fs_domain') + +# so the administrator can run quotacheck +domain_auto_trans(sysadm_t, quota_exec_t, quota_t) +role sysadm_r types quota_t; +allow quota_t admin_tty_type:chr_file { read write }; + +type quota_flag_t, file_type, sysadmfile; +type quota_db_t, file_type, sysadmfile; + +rw_dir_create_file(initrc_t, quota_flag_t) + +allow quota_t fs_t:filesystem { getattr quotaget quotamod remount }; +# quotacheck creates new quota_db_t files +file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) +# for some reason it wants dac_override not dac_read_search +allow quota_t self:capability { sys_admin dac_override }; +allow quota_t file_type:{ fifo_file sock_file } getattr; +allow quota_t file_t:file quotaon; + +# for quotacheck +allow quota_t file_type:dir r_dir_perms; +# The following line is apparently necessary, although read and +# ioctl seem to be more than should be required. +allow quota_t file_type:file { getattr read ioctl }; +allow quota_t file_type:{ fifo_file sock_file } getattr; +allow quota_t file_type:lnk_file { read getattr }; +allow quota_t device_type:{ chr_file blk_file } getattr; + +allow quota_t fixed_disk_device_t:blk_file { getattr read }; + +# for /quota.* +allow quota_t quota_db_t:file { read write }; +dontaudit unpriv_userdomain quota_db_t:file getattr; +allow quota_t quota_db_t:file quotaon; + +# Read /etc/mtab. +allow quota_t etc_runtime_t:file { read getattr }; + +allow quota_t device_t:dir r_dir_perms; +allow quota_t fixed_disk_device_t:blk_file getattr; +allow quota_t boot_t:dir r_dir_perms; +allow quota_t sysctl_t:dir { getattr search }; + +allow quota_t initrc_devpts_t:chr_file rw_file_perms; + +allow quota_t proc_t:file getattr; diff --git a/mls/domains/program/radius.te b/mls/domains/program/radius.te new file mode 100644 index 0000000..57eccc2 --- /dev/null +++ b/mls/domains/program/radius.te @@ -0,0 +1,67 @@ +#DESC RADIUS - Radius server +# +# Author: Russell Coker +# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius +# + +################################# +# +# Rules for the radiusd_t domain. +# +# radiusd_exec_t is the type of the radiusd executable. +# +daemon_domain(radiusd, `, auth_chkpwd') + +etcdir_domain(radiusd) + +system_crond_entry(radiusd_exec_t, radiusd_t) + +allow radiusd_t self:process setsched; + +allow radiusd_t proc_t:file { read getattr }; + +dontaudit radiusd_t sysadm_home_dir_t:dir getattr; + +# allow pthreads to read kernel version +read_sysctl(radiusd_t) + +# read config files +allow radiusd_t etc_t:dir r_dir_perms; +allow radiusd_t { etc_t etc_runtime_t }:file { read getattr }; +allow radiusd_t etc_t:lnk_file read; + +# write log files +logdir_domain(radiusd) +allow radiusd_t radiusd_log_t:dir create; + +allow radiusd_t usr_t:file r_file_perms; + +can_exec(radiusd_t, lib_t) +can_exec(radiusd_t, { bin_t shell_exec_t }) +allow radiusd_t { bin_t sbin_t }:dir search; +allow radiusd_t bin_t:lnk_file read; + +allow radiusd_t devtty_t:chr_file { read write }; +allow radiusd_t self:fifo_file rw_file_perms; +# fsetid is for gzip which needs it when run from scripts +# gzip also needs chown access to preserve GID for radwtmp files +allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; + +can_network_server(radiusd_t) +can_ypbind(radiusd_t) +allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind; + +# for RADIUS proxy port +allow radiusd_t port_t:udp_socket name_bind; + +ifdef(`snmpd.te', ` +can_tcp_connect(radiusd_t, snmpd_t) +') +ifdef(`logrotate.te', ` +can_exec(radiusd_t, logrotate_exec_t) +') +can_udp_send(sysadm_t, radiusd_t) +can_udp_send(radiusd_t, sysadm_t) + +allow radiusd_t self:unix_stream_socket create_stream_socket_perms; +allow radiusd_t urandom_device_t:chr_file { getattr read }; diff --git a/mls/domains/program/radvd.te b/mls/domains/program/radvd.te new file mode 100644 index 0000000..868ef8b --- /dev/null +++ b/mls/domains/program/radvd.te @@ -0,0 +1,30 @@ +#DESC Radv - IPv6 route advisory daemon +# +# Author: Russell Coker +# X-Debian-Packages: radvd +# + +################################# +# +# Rules for the radvd_t domain. +# +daemon_domain(radvd) + +etc_domain(radvd) +allow radvd_t etc_t:file { getattr read }; + +allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms; + +allow radvd_t self:capability { setgid setuid net_raw }; +allow radvd_t self:{ unix_dgram_socket rawip_socket } create; +allow radvd_t self:unix_stream_socket create_socket_perms; + +can_network_server(radvd_t) +can_ypbind(radvd_t) + +allow radvd_t { proc_t proc_net_t }:dir r_dir_perms; +allow radvd_t { proc_t proc_net_t }:file { getattr read }; +allow radvd_t etc_t:lnk_file read; + +allow radvd_t sysctl_net_t:file r_file_perms; +allow radvd_t sysctl_net_t:dir r_dir_perms; diff --git a/mls/domains/program/rdisc.te b/mls/domains/program/rdisc.te new file mode 100644 index 0000000..79331fa --- /dev/null +++ b/mls/domains/program/rdisc.te @@ -0,0 +1,13 @@ +#DESC rdisc - network router discovery daemon +# +# Author: Russell Coker + +daemon_base_domain(rdisc) +allow rdisc_t self:unix_stream_socket create_stream_socket_perms; +allow rdisc_t self:rawip_socket create_socket_perms; +allow rdisc_t self:udp_socket create_socket_perms; +allow rdisc_t self:capability net_raw; + +can_network_udp(rdisc_t) + +allow rdisc_t etc_t:file { getattr read }; diff --git a/mls/domains/program/readahead.te b/mls/domains/program/readahead.te new file mode 100644 index 0000000..dde8e37 --- /dev/null +++ b/mls/domains/program/readahead.te @@ -0,0 +1,21 @@ +#DESC readahead - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for readahead +# + +daemon_domain(readahead) +# +# readahead asks for these +# +allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read }; +allow readahead_t { file_type -secure_file_type }:dir r_dir_perms; +dontaudit readahead_t shadow_t:file { getattr read }; +allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr; +dontaudit readahead_t file_type:sock_file getattr; +allow readahead_t proc_t:file { getattr read }; +dontaudit readahead_t device_type:blk_file read; diff --git a/mls/domains/program/restorecon.te b/mls/domains/program/restorecon.te new file mode 100644 index 0000000..27a012b --- /dev/null +++ b/mls/domains/program/restorecon.te @@ -0,0 +1,69 @@ +#DESC restorecon - Restore or check the context of a file +# +# Authors: Russell Coker +# X-Debian-Packages: policycoreutils +# + +################################# +# +# Rules for the restorecon_t domain. +# +# restorecon_exec_t is the type of the restorecon executable. +# +# needs auth_write attribute because it has relabelfrom/relabelto +# access to shadow_t +type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade; +type restorecon_exec_t, file_type, sysadmfile, exec_type; + +role system_r types restorecon_t; +role sysadm_r types restorecon_t; +role secadm_r types restorecon_t; + +can_access_pty(restorecon_t, initrc) +allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl }; + +domain_auto_trans({ initrc_t secadmin }, restorecon_exec_t, restorecon_t) +allow restorecon_t { userdomain init_t privfd }:fd use; + +uses_shlib(restorecon_t) +allow restorecon_t self:capability { dac_override dac_read_search fowner }; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that restorecon can not be run! +allow restorecon_t lib_t:file { read execute }; + +# Get security policy decisions. +can_getsecurity(restorecon_t) + +r_dir_file(restorecon_t, policy_config_t) + +allow restorecon_t file_type:dir r_dir_perms; +allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto }; +allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom }; +allow restorecon_t unlabeled_t:dir read; +allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto }; +ifdef(`distro_redhat', ` +allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +') +ifdef(`dpkg.te', ` +domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t) +') + +allow restorecon_t ptyfile:chr_file getattr; + +allow restorecon_t fs_t:filesystem getattr; + +allow restorecon_t etc_runtime_t:file { getattr read }; +allow restorecon_t etc_t:file { getattr read }; +allow restorecon_t proc_t:file { getattr read }; +dontaudit restorecon_t proc_t:lnk_file { getattr read }; + +allow restorecon_t device_t:file { read write }; +allow restorecon_t kernel_t:fd use; +allow restorecon_t kernel_t:fifo_file { read write }; +allow restorecon_t kernel_t:unix_dgram_socket { read write }; +r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } ) +allow restorecon_t autofs_t:dir r_dir_perms; +allow restorecon_t devpts_t:chr_file getattr; +# need to restorecon /dev/pts during boot (from /etc/rc.d/rc.sysinit) +allow restorecon_t devpts_t:dir { relabelfrom relabelto }; diff --git a/mls/domains/program/rlogind.te b/mls/domains/program/rlogind.te new file mode 100644 index 0000000..88af4e4 --- /dev/null +++ b/mls/domains/program/rlogind.te @@ -0,0 +1,40 @@ +#DESC Rlogind - Remote login daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: rsh-client rsh-redone-client +# Depends: inetd.te +# + +################################# +# +# Rules for the rlogind_t domain. +# +remote_login_daemon(rlogind) +typeattribute rlogind_t auth_chkpwd; + +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t) +') + +# for /usr/lib/telnetlogin +can_exec(rlogind_t, rlogind_exec_t) + +# Use capabilities. +allow rlogind_t self:capability { net_bind_service }; + +# Run login in remote_login_t. +allow remote_login_t inetd_t:fd use; +allow remote_login_t inetd_t:tcp_socket rw_file_perms; + +# Send SIGCHLD to inetd on death. +allow rlogind_t inetd_t:process sigchld; + +allow rlogind_t home_dir_type:dir search; +allow rlogind_t home_type:file { getattr read }; +allow rlogind_t self:file { getattr read }; +allow rlogind_t default_t:dir search; +typealias rlogind_port_t alias rlogin_port_t; +read_sysctl(rlogind_t); +ifdef(`kerberos.te', ` +allow rlogind_t krb5_keytab_t:file { getattr read }; +') diff --git a/mls/domains/program/roundup.te b/mls/domains/program/roundup.te new file mode 100644 index 0000000..4c3e97a --- /dev/null +++ b/mls/domains/program/roundup.te @@ -0,0 +1,29 @@ +# Roundup Issue Tracking System +# +# Authors: W. Michael Petullo and Timothy Fraser +# Russell Coker +# Depends: portmap.te +# X-Debian-Packages: nfs-common +# + +################################# +# +# Rules for the rpcd_t and nfsd_t domain. +# +define(`rpc_domain', ` +ifdef(`targeted_policy', ` +daemon_base_domain($1, `, transitionbool') +', ` +daemon_base_domain($1) +') +can_network($1_t) +allow $1_t port_type:tcp_socket name_connect; +can_ypbind($1_t) +allow $1_t { etc_runtime_t etc_t }:file { getattr read }; +read_locale($1_t) +allow $1_t self:capability net_bind_service; +dontaudit $1_t self:capability net_admin; + +allow $1_t var_t:dir { getattr search }; +allow $1_t var_lib_t:dir search; +allow $1_t var_lib_nfs_t:dir create_dir_perms; +allow $1_t var_lib_nfs_t:file create_file_perms; +# do not log when it tries to bind to a port belonging to another domain +dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +allow $1_t self:netlink_route_socket r_netlink_socket_perms; +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +# bind to arbitary unused ports +allow $1_t port_t:{ tcp_socket udp_socket } name_bind; +allow $1_t sysctl_rpc_t:dir search; +allow $1_t sysctl_rpc_t:file rw_file_perms; +') + +type exports_t, file_type, sysadmfile; +dontaudit userdomain exports_t:file getattr; + +# rpcd_t is the domain of rpc daemons. +# rpcd_exec_t is the type of rpc daemon programs. +# +rpc_domain(rpcd) +var_run_domain(rpcd) +allow rpcd_t rpcd_var_run_t:dir setattr; + +# for rpc.rquotad +allow rpcd_t sysctl_t:dir r_dir_perms; +allow rpcd_t self:fifo_file rw_file_perms; + +# rpcd_t needs to talk to the portmap_t domain +can_udp_send(rpcd_t, portmap_t) + +allow initrc_t exports_t:file r_file_perms; +ifdef(`distro_redhat', ` +allow rpcd_t self:capability { chown dac_override setgid setuid }; +# for /etc/rc.d/init.d/nfs to create /etc/exports +allow initrc_t exports_t:file write; +') + +allow rpcd_t self:file { getattr read }; + +# nfs kernel server needs kernel UDP access. It is less risky and painful +# to just give it everything. +can_network_server(kernel_t) +#can_udp_send(kernel_t, rpcd_t) +#can_udp_send(rpcd_t, kernel_t) + +rpc_domain(nfsd) +domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t) +role sysadm_r types nfsd_t; + +# for /proc/fs/nfs/exports - should we have a new type? +allow nfsd_t proc_t:file r_file_perms; +allow nfsd_t proc_net_t:dir search; +allow nfsd_t exports_t:file { getattr read }; + +allow nfsd_t nfsd_fs_t:filesystem mount; +allow nfsd_t nfsd_fs_t:dir search; +allow nfsd_t nfsd_fs_t:file rw_file_perms; +allow initrc_t sysctl_rpc_t:dir search; +allow initrc_t sysctl_rpc_t:file rw_file_perms; + +type nfsd_rw_t, file_type, sysadmfile, usercanread; +type nfsd_ro_t, file_type, sysadmfile, usercanread; + +bool nfs_export_all_rw false; + +if(nfs_export_all_rw) { +allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms; +r_dir_file(kernel_t, noexattrfile) +create_dir_file(kernel_t,{ file_type -shadow_t }) +} + +dontaudit kernel_t shadow_t:file getattr; + +bool nfs_export_all_ro false; + +if(nfs_export_all_ro) { +allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms; +r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t }) +} + +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; +create_dir_file(kernel_t, nfsd_rw_t); +r_dir_file(kernel_t, nfsd_ro_t); + +allow kernel_t nfsd_t:udp_socket rw_socket_perms; +can_udp_send(kernel_t, nfsd_t) +can_udp_send(nfsd_t, kernel_t) + +# does not really need this, but it is easier to just allow it +allow nfsd_t var_run_t:dir search; + +allow nfsd_t self:capability { sys_admin sys_resource }; +allow nfsd_t fs_type:filesystem getattr; + +can_udp_send(nfsd_t, portmap_t) +can_udp_send(portmap_t, nfsd_t) + +can_tcp_connect(nfsd_t, portmap_t) + +# for exportfs and rpc.mountd +allow nfsd_t tmp_t:dir getattr; + +r_dir_file(rpcd_t, rpc_pipefs_t) +allow rpcd_t rpc_pipefs_t:sock_file { read write }; +dontaudit rpcd_t selinux_config_t:dir { search }; +allow rpcd_t proc_net_t:dir search; + + +rpc_domain(gssd) +can_kerberos(gssd_t) +ifdef(`kerberos.te', ` +allow gssd_t krb5_keytab_t:file r_file_perms; +') +allow gssd_t urandom_device_t:chr_file { getattr read }; +r_dir_file(gssd_t, tmp_t) +tmp_domain(gssd) +allow gssd_t self:fifo_file { read write }; +r_dir_file(gssd_t, proc_net_t) +allow gssd_t rpc_pipefs_t:dir r_dir_perms; +allow gssd_t rpc_pipefs_t:sock_file { read write }; +allow gssd_t rpc_pipefs_t:file r_file_perms; +allow gssd_t self:capability { dac_override dac_read_search setuid }; +allow nfsd_t devtty_t:chr_file rw_file_perms; +allow rpcd_t devtty_t:chr_file rw_file_perms; + +bool allow_gssd_read_tmp true; +if (allow_gssd_read_tmp) { +# +#needs to be able to udpate the kerberos ticket file +# +ifdef(`targeted_policy', ` +r_dir_file(gssd_t, tmp_t) +allow gssd_t tmp_t:file write; +', ` +r_dir_file(gssd_t, user_tmpfile) +allow gssd_t user_tmpfile:file write; +') +} diff --git a/mls/domains/program/rpm.te b/mls/domains/program/rpm.te new file mode 100644 index 0000000..d772da7 --- /dev/null +++ b/mls/domains/program/rpm.te @@ -0,0 +1,260 @@ +#DESC RPM - Red Hat package management +# +# X-Debian-Packages: +################################# +# +# Rules for running the Redhat Package Manager (RPM) tools. +# +# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm +# rpm_exec_t is the type of the rpm executables. +# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*) +# rpm_var_lib_t is the type for rpm files in /var/lib +# +type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade; +role system_r types rpm_t; +uses_shlib(rpm_t) +type rpm_exec_t, file_type, sysadmfile, exec_type; + +general_domain_access(rpm_t) +can_ps(rpm_t, domain) +allow rpm_t self:process setrlimit; +system_crond_entry(rpm_exec_t, rpm_t) +role sysadm_r types rpm_t; +domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t) + +type rpm_file_t, file_type, sysadmfile; + +tmp_domain(rpm) + +tmpfs_domain(rpm) + +log_domain(rpm) + +can_network(rpm_t) +allow rpm_t port_type:tcp_socket name_connect; +can_ypbind(rpm_t) + +# Allow the rpm domain to execute other programs +can_exec_any(rpm_t) + +# Capabilties needed by rpm utils +allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod }; + +# Access /var/lib/rpm files +var_lib_domain(rpm) +allow userdomain var_lib_t:dir { getattr search }; +r_dir_file(userdomain, rpm_var_lib_t) +r_dir_file(rpm_t, proc_t) + +allow rpm_t sysfs_t:dir r_dir_perms; +allow rpm_t usbdevfs_t:dir r_dir_perms; + +# for installing kernel packages +allow rpm_t fixed_disk_device_t:blk_file { getattr read }; + +# Access terminals. +allow rpm_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;') +allow rpm_t privfd:fd use; +allow rpm_t devtty_t:chr_file rw_file_perms; + +domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t) +domain_auto_trans(rpm_t, initrc_exec_t, initrc_t) + +ifdef(`cups.te', ` +r_dir_file(cupsd_t, rpm_var_lib_t) +allow cupsd_t initrc_exec_t:file { getattr read }; +domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t) +') + +# for a bug in rm +dontaudit initrc_t pidfile:file write; + +# bash tries to access a block device in the initrd +dontaudit initrc_t unlabeled_t:blk_file getattr; + +# bash tries ioctl for some reason +dontaudit initrc_t pidfile:file ioctl; + +allow rpm_t autofs_t:dir { search getattr }; +allow rpm_t autofs_t:filesystem getattr; +allow rpm_script_t autofs_t:dir { search getattr }; +allow rpm_t devpts_t:dir { setattr r_dir_perms }; +allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr; +dontaudit rpm_t security_t:filesystem getattr; +can_getcon(rpm_t) +can_setfscreate(rpm_t) +can_setexec(rpm_t) +read_sysctl(rpm_t) +general_domain_access(rpm_script_t) + +# read/write/create any files in the system +allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto }; +allow rpm_t { file_type - shadow_t }:dir create_dir_perms; +allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms; +allow rpm_t sysfs_t:filesystem getattr; +allow rpm_t tmpfs_t:filesystem getattr; +dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; +# needs rw permission to the directory for an rpm package that includes a mount +# point +allow rpm_t fs_type:dir { setattr rw_dir_perms }; +allow rpm_t fs_type:filesystem getattr; + +# allow compiling and loading new policy +create_dir_file(rpm_t, { policy_src_t policy_config_t }) + +can_getsecurity({ rpm_t rpm_script_t }) +dontaudit rpm_t shadow_t:file { getattr read }; +allow rpm_t urandom_device_t:chr_file read; +allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto }; +allow rpm_t ttyfile:chr_file unlink; +allow rpm_script_t tty_device_t:chr_file getattr; +allow rpm_script_t devpts_t:dir search; +allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms; + +allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms; + +type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privmail, privrole, priv_system_role, mlsfileread, mlsfilewrite; +# policy for rpm scriptlet +role system_r types rpm_script_t; +uses_shlib(rpm_script_t) +read_locale(rpm_script_t) + +can_ps(rpm_script_t, domain) + +ifdef(`lpd.te', ` +can_exec(rpm_script_t, printconf_t) +') + +read_sysctl(rpm_script_t) + +type rpm_script_exec_t, file_type, sysadmfile, exec_type; + +role sysadm_r types rpm_script_t; +domain_trans(rpm_t, shell_exec_t, rpm_script_t) +ifdef(`hide_broken_symptoms', ` +ifdef(`pamconsole.te', ` +domain_trans(rpm_t, pam_console_exec_t, rpm_script_t) +') +') + +tmp_domain(rpm_script) + +tmpfs_domain(rpm_script) + +# Allow the rpm domain to execute other programs +can_exec_any(rpm_script_t) + +# Capabilties needed by rpm scripts utils +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; + +# ideally we would not need this +allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms; +allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms; +allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms; + +# for kernel package installation +ifdef(`mount.te', ` +allow mount_t rpm_t:fifo_file rw_file_perms; +') + +# Commonly used from postinst scripts +ifdef(`consoletype.te', ` +allow consoletype_t rpm_t:fifo_file r_file_perms; +') +ifdef(`crond.te', ` +allow crond_t rpm_t:fifo_file r_file_perms; +') + +allow rpm_script_t proc_t:dir r_dir_perms; +allow rpm_script_t proc_t:{ file lnk_file } r_file_perms; + +allow rpm_script_t devtty_t:chr_file rw_file_perms; +allow rpm_script_t devpts_t:dir r_dir_perms; +allow rpm_script_t admin_tty_type:chr_file rw_file_perms; +allow rpm_script_t etc_runtime_t:file { getattr read }; +allow rpm_script_t privfd:fd use; +allow rpm_script_t rpm_tmp_t:file { getattr read ioctl }; + +allow rpm_script_t urandom_device_t:chr_file read; + +ifdef(`ssh-agent.te', ` +domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t) +') + +ifdef(`useradd.te', ` +domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t) +domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t) +role system_r types { useradd_t groupadd_t }; +allow { useradd_t groupadd_t } rpm_t:fd use; +allow { useradd_t groupadd_t } rpm_t:fifo_file { read write }; +') + +domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t) + +domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t) +domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t) +role sysadm_r types initrc_t; +domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t) +ifdef(`bootloader.te', ` +domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t) +allow bootloader_t rpm_t:fifo_file rw_file_perms; +') + +domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t) + +rw_dir_file(rpm_script_t, nfs_t) +allow rpm_script_t nfs_t:filesystem getattr; + +allow rpm_script_t fs_t:filesystem { getattr mount unmount }; +allow rpm_script_t rpm_script_tmp_t:dir mounton; +can_exec(rpm_script_t, usr_t) +can_exec(rpm_script_t, sbin_t) + +allow rpm_t mount_t:tcp_socket write; +create_dir_file(rpm_t, nfs_t) +allow rpm_t { removable_t nfs_t }:filesystem getattr; + +allow rpm_script_t userdomain:fd use; + +allow domain rpm_t:fifo_file r_file_perms; +allow domain rpm_t:fd use; + +ifdef(`ssh.te', ` +allow sshd_t rpm_script_t:fd use; +allow sshd_t rpm_t:fd use; +') + +dontaudit rpm_script_t shadow_t:file getattr; +allow rpm_script_t sysfs_t:dir r_dir_perms; + +ifdef(`prelink.te', ` +domain_auto_trans(rpm_t, prelink_exec_t, prelink_t) +') + +allow rpm_t rpc_pipefs_t:dir search; +allow rpm_script_t init_t:dir search; + +type rpmbuild_exec_t, file_type, sysadmfile, exec_type; +type rpmbuild_t, domain; +allow rpmbuild_t policy_config_t:dir search; +allow rpmbuild_t policy_src_t:dir search; +allow rpmbuild_t policy_src_t:file { getattr read }; +can_getsecurity(rpmbuild_t) + +allow rpm_script_t domain:process { signal signull }; + +# Access /var/lib/rpm. +allow initrc_t rpm_var_lib_t:dir rw_dir_perms; +allow initrc_t rpm_var_lib_t:file create_file_perms; + +ifdef(`unlimitedRPM', ` +typeattribute rpm_t auth_write; +unconfined_domain(rpm_t) +typeattribute rpm_script_t auth_write; +unconfined_domain(rpm_script_t) +') +if (allow_execmem) { +allow rpm_script_t self:process execmem; +} + diff --git a/mls/domains/program/rshd.te b/mls/domains/program/rshd.te new file mode 100644 index 0000000..39976c5 --- /dev/null +++ b/mls/domains/program/rshd.te @@ -0,0 +1,65 @@ +#DESC RSHD - RSH daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: rsh-server rsh-redone-server +# Depends: inetd.te +# + +################################# +# +# Rules for the rshd_t domain. +# +daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole') + +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t) +') + +# Use sockets inherited from inetd. +allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Use capabilities. +allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override}; + +# Use the network. +can_network_server(rshd_t) +allow rshd_t rsh_port_t:tcp_socket name_bind; + +allow rshd_t etc_t:file { getattr read }; +read_locale(rshd_t) +allow rshd_t self:unix_dgram_socket create_socket_perms; +allow rshd_t self:unix_stream_socket create_stream_socket_perms; +allow rshd_t { home_root_t home_dir_type }:dir { search getattr }; +can_kerberos(rshd_t) +allow rshd_t { bin_t sbin_t tmp_t}:dir { search }; +allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms; +ifdef(`rlogind.te', ` +allow rshd_t rlogind_tmp_t:file rw_file_perms; +') +allow rshd_t urandom_device_t:chr_file { getattr read }; + +# Read the user's .rhosts file. +allow rshd_t home_type:file r_file_perms ; + +# Random reasons +can_getsecurity(rshd_t) +can_setexec(rshd_t) +r_dir_file(rshd_t, selinux_config_t) +r_dir_file(rshd_t, default_context_t) +read_sysctl(rshd_t); + +if (use_nfs_home_dirs) { +r_dir_file(rshd_t, nfs_t) +} + +if (use_samba_home_dirs) { +r_dir_file(rshd_t, cifs_t) +} + +allow rshd_t self:process { fork signal setsched setpgid }; +allow rshd_t self:fifo_file rw_file_perms; + +ifdef(`targeted_policy', ` +unconfined_domain(rshd_t) +domain_auto_trans(rshd_t,shell_exec_t,unconfined_t) +') diff --git a/mls/domains/program/rsync.te b/mls/domains/program/rsync.te new file mode 100644 index 0000000..bed52a3 --- /dev/null +++ b/mls/domains/program/rsync.te @@ -0,0 +1,18 @@ +#DESC rsync - flexible replacement for rcp +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the rsync_t domain. +# +# rsync_exec_t is the type of the rsync executable. +# + +inetd_child_domain(rsync) +type rsync_data_t, file_type, sysadmfile; +r_dir_file(rsync_t, rsync_data_t) +anonymous_domain(rsync) +allow rsync_t self:capability sys_chroot; diff --git a/mls/domains/program/samba.te b/mls/domains/program/samba.te new file mode 100644 index 0000000..2e7b587 --- /dev/null +++ b/mls/domains/program/samba.te @@ -0,0 +1,226 @@ +#DESC SAMBA - SMB file server +# +# Author: Ryan Bergauer (bergauer@rice.edu) +# X-Debian-Packages: samba +# + +################################# +# +# Declarations for Samba +# + +daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain') +daemon_domain(nmbd) +type samba_etc_t, file_type, sysadmfile, usercanread; +type samba_log_t, file_type, sysadmfile, logfile; +type samba_var_t, file_type, sysadmfile; +type samba_share_t, file_type, sysadmfile, customizable; +type samba_secrets_t, file_type, sysadmfile; + +# for /var/run/samba/messages.tdb +allow smbd_t nmbd_var_run_t:file rw_file_perms; + +allow smbd_t self:process setrlimit; + +# not sure why it needs this +tmp_domain(smbd) + +# Allow samba to search mnt_t for potential mounted dirs +allow smbd_t mnt_t:dir r_dir_perms; + +ifdef(`crond.te', ` +allow system_crond_t samba_etc_t:file { read getattr lock }; +allow system_crond_t samba_log_t:file { read getattr lock }; +#allow system_crond_t samba_secrets_t:file { read getattr lock }; +') + +################################# +# +# Rules for the smbd_t domain. +# + +# Permissions normally found in every_domain. +general_domain_access(smbd_t) +general_proc_read_access(smbd_t) + +allow smbd_t smbd_port_t:tcp_socket name_bind; + +# Use capabilities. +allow smbd_t self:capability { fowner setgid setuid sys_resource net_bind_service lease dac_override dac_read_search }; + +# Use the network. +can_network(smbd_t) +nsswitch_domain(smbd_t) +can_kerberos(smbd_t) +allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect; + +allow smbd_t urandom_device_t:chr_file { getattr read }; + +# Permissions for Samba files in /etc/samba +# either allow read access to the directory or allow the auto_trans rule to +# allow creation of the secrets.tdb file and the MACHINE.SID file +#allow smbd_t samba_etc_t:dir { search getattr }; +file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file) + +allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms; + +# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba +allow smbd_t var_lib_t:dir search; +create_dir_file(smbd_t, samba_var_t) + +# Needed for shared printers +allow smbd_t var_spool_t:dir search; + +# Permissions to write log files. +allow smbd_t samba_log_t:file { create ra_file_perms }; +allow smbd_t var_log_t:dir search; +allow smbd_t samba_log_t:dir ra_dir_perms; +dontaudit smbd_t samba_log_t:dir remove_name; + +ifdef(`hide_broken_symptoms', ` +dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr; +dontaudit smbd_t devpts_t:dir getattr; +') +allow smbd_t fs_t:filesystem quotaget; + +allow smbd_t usr_t:file { getattr read }; + +# Access Samba shares. +create_dir_file(smbd_t, samba_share_t) + +anonymous_domain(smbd) + +ifdef(`logrotate.te', ` +# the application should be changed +can_exec(logrotate_t, samba_log_t) +') +################################# +# +# Rules for the nmbd_t domain. +# + +# Permissions normally found in every_domain. +general_domain_access(nmbd_t) +general_proc_read_access(nmbd_t) + +allow nmbd_t nmbd_port_t:udp_socket name_bind; + +# Use capabilities. +allow nmbd_t self:capability net_bind_service; + +# Use the network. +can_network_server(nmbd_t) + +# Permissions for Samba files in /etc/samba +allow nmbd_t samba_etc_t:file { getattr read }; +allow nmbd_t samba_etc_t:dir { search getattr }; + +# Permissions for Samba cache files in /var/cache/samba +allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search }; +allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename }; + +allow nmbd_t usr_t:file { getattr read }; + +# Permissions to write log files. +allow nmbd_t samba_log_t:file { create ra_file_perms }; +allow nmbd_t var_log_t:dir search; +allow nmbd_t samba_log_t:dir ra_dir_perms; +allow nmbd_t etc_t:file { getattr read }; +ifdef(`cups.te', ` +allow smbd_t cupsd_rw_etc_t:file { getattr read }; +') +# Needed for winbindd +allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms; + +# Support Samba sharing of home directories +bool samba_enable_home_dirs false; + +ifdef(`mount.te', ` +# +# Domain for running smbmount +# + +# Derive from app. domain. Transition from mount. +application_domain(smbmount, `, fs_domain, nscd_client_domain') +domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t) + +# Capabilities +# FIXME: is all of this really necessary? +allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown }; + +# Access samba config +allow smbmount_t samba_etc_t:file r_file_perms; +allow smbmount_t samba_etc_t:dir r_dir_perms; +allow initrc_t samba_etc_t:file rw_file_perms; + +# Write samba log +allow smbmount_t samba_log_t:file create_file_perms; +allow smbmount_t samba_log_t:dir r_dir_perms; + +# Write stuff in var +allow smbmount_t var_log_t:dir r_dir_perms; +rw_dir_create_file(smbmount_t, samba_var_t) + +# Access mtab +file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file) + +# Read nsswitch.conf +allow smbmount_t etc_t:file r_file_perms; + +# Networking +can_network(smbmount_t) +allow smbmount_t port_type:tcp_socket name_connect; +can_ypbind(smbmount_t) +allow smbmount_t self:unix_dgram_socket create_socket_perms; +allow smbmount_t self:unix_stream_socket create_socket_perms; +allow kernel_t smbmount_t:tcp_socket { read write }; +allow userdomain smbmount_t:tcp_socket write; + +# Proc +# FIXME: is this necessary? +r_dir_file(smbmount_t, proc_t) + +# Fork smbmnt +allow smbmount_t bin_t:dir r_dir_perms; +can_exec(smbmount_t, smbmount_exec_t) +allow smbmount_t self:process { fork signal_perms }; + +# Mount +allow smbmount_t cifs_t:filesystem mount_fs_perms; +allow smbmount_t cifs_t:dir r_dir_perms; +allow smbmount_t mnt_t:dir r_dir_perms; +allow smbmount_t mnt_t:dir mounton; + +# Terminal +read_locale(smbmount_t) +access_terminal(smbmount_t, sysadm) +allow smbmount_t userdomain:fd use; +allow smbmount_t local_login_t:fd use; +') +# Derive from app. domain. Transition from mount. +application_domain(samba_net, `, nscd_client_domain') +role system_r types samba_net_t; +in_user_role(samba_net_t) +file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file) +read_locale(samba_net_t) +allow samba_net_t samba_etc_t:file r_file_perms; +r_dir_file(samba_net_t, samba_var_t) +can_network_udp(samba_net_t) +access_terminal(samba_net_t, sysadm) +allow samba_net_t self:unix_dgram_socket create_socket_perms; +allow samba_net_t self:unix_stream_socket create_stream_socket_perms; +rw_dir_create_file(samba_net_t, samba_var_t) +allow samba_net_t etc_t:file { getattr read }; +can_network_client(samba_net_t) +allow samba_net_t smbd_port_t:tcp_socket name_connect; +can_ldap(samba_net_t) +can_kerberos(samba_net_t) +allow samba_net_t urandom_device_t:chr_file r_file_perms; +allow samba_net_t proc_t:dir search; +allow samba_net_t proc_t:lnk_file read; +allow samba_net_t self:dir search; +allow samba_net_t self:file read; +allow samba_net_t self:process signal; +tmp_domain(samba_net) +dontaudit samba_net_t sysadm_home_dir_t:dir search; +allow samba_net_t privfd:fd use; diff --git a/mls/domains/program/saslauthd.te b/mls/domains/program/saslauthd.te new file mode 100644 index 0000000..f614094 --- /dev/null +++ b/mls/domains/program/saslauthd.te @@ -0,0 +1,42 @@ +#DESC saslauthd - Authentication daemon for SASL +# +# Author: Colin Walters +# + +daemon_domain(saslauthd, `, auth_chkpwd, auth_bool') + +allow saslauthd_t self:fifo_file { read write }; +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; +allow saslauthd_t var_lib_t:dir search; + +allow saslauthd_t etc_t:dir { getattr search }; +allow saslauthd_t etc_t:file r_file_perms; +allow saslauthd_t net_conf_t:file r_file_perms; + +allow saslauthd_t self:file r_file_perms; +allow saslauthd_t proc_t:file { getattr read }; + +allow saslauthd_t urandom_device_t:chr_file { getattr read }; + +# Needs investigation +dontaudit saslauthd_t home_root_t:dir getattr; +can_network_client_tcp(saslauthd_t) +allow saslauthd_t pop_port_t:tcp_socket name_connect; + +bool allow_saslauthd_read_shadow false; + +if (allow_saslauthd_read_shadow) { +allow saslauthd_t shadow_t:file r_file_perms; +} +dontaudit saslauthd_t selinux_config_t:dir search; +dontaudit saslauthd_t selinux_config_t:file { getattr read }; + + +dontaudit saslauthd_t initrc_t:unix_stream_socket connectto; +ifdef(`mysqld.te', ` +allow saslauthd_t mysqld_db_t:dir search; +allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms; +') +dontaudit saslauthd_t self:capability setuid; diff --git a/mls/domains/program/screen.te b/mls/domains/program/screen.te new file mode 100644 index 0000000..e9be1a0 --- /dev/null +++ b/mls/domains/program/screen.te @@ -0,0 +1,13 @@ +#DESC screen - Program to detach sessions +# +# X-Debian-Packages: screen +# Domains for the screen program. + +# +# screen_exec_t is the type of the screen executable. +# +type screen_exec_t, file_type, sysadmfile, exec_type; +type screen_dir_t, file_type, sysadmfile, pidfile; + +# Everything else is in the screen_domain macro in +# macros/program/screen_macros.te. diff --git a/mls/domains/program/sendmail.te b/mls/domains/program/sendmail.te new file mode 100644 index 0000000..f3f9b71 --- /dev/null +++ b/mls/domains/program/sendmail.te @@ -0,0 +1,136 @@ +#DESC Sendmail - Mail server +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sendmail sendmail-wide +# Depends: mta.te +# + +################################# +# +# Rules for the sendmail_t domain. +# +# sendmail_t is the domain for the sendmail +# daemon started by the init rc scripts. +# + +daemon_base_domain(sendmail_launch) + +allow sendmail_launch_t { etc_t proc_t etc_runtime_t self }:file { getattr read }; +allow sendmail_launch_t { bin_t sbin_t etc_t }:lnk_file { getattr read }; +allow sendmail_launch_t { bin_t sbin_t }:dir search; +can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t }) +access_terminal(sendmail_launch_t, sysadm) +ifdef(`consoletype.te', ` +domain_auto_trans(sendmail_launch_t, consoletype_exec_t, consoletype_t) +') +read_locale(sendmail_launch_t) +r_dir_file(sendmail_launch_t, etc_mail_t) +allow sendmail_launch_t self:fifo_file rw_file_perms; +allow sendmail_launch_t self:capability { chown kill sys_nice }; +allow sendmail_launch_t self:unix_stream_socket create_stream_socket_perms; +can_ps(sendmail_launch_t, sendmail_t) +dontaudit sendmail_launch_t domain:dir search; +allow sendmail_launch_t sendmail_t:process signal; +ifdef(`distro_redhat', ` +lock_domain(sendmail_launch) +') +dontaudit sendmail_launch_t mnt_t:dir search; +allow sendmail_launch_t devpts_t:dir search; + +file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file) + +daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender') + +# stuff from daemon_domain and daemon_base_domain because we can not have an +# automatic transition from initrc_t +rhgb_domain(sendmail_t) +read_sysctl(sendmail_t) +domain_auto_trans(sendmail_launch_t, sendmail_exec_t, sendmail_t) +allow sendmail_t privfd:fd use; +allow { sendmail_t sendmail_launch_t } var_t:dir { getattr search }; +var_run_domain(sendmail) +allow sendmail_t { ttyfile devtty_t }:chr_file rw_file_perms; +dontaudit { sendmail_t sendmail_launch_t } sysadm_home_dir_t:dir search; +read_locale(sendmail_t) +allow sendmail_t fs_t:filesystem getattr; + + +tmp_domain(sendmail) +logdir_domain(sendmail) + +# Use capabilities +allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; + +# Use the network. +can_network(sendmail_t) +allow sendmail_t port_type:tcp_socket name_connect; +can_ypbind(sendmail_t) + +allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:fifo_file rw_file_perms; + +# Bind to the SMTP port. +allow sendmail_t smtp_port_t:tcp_socket name_bind; + +allow sendmail_t etc_t:file { getattr read }; + +# Write to /etc/aliases and /etc/mail. +allow sendmail_t etc_aliases_t:file { setattr rw_file_perms }; + +allow sendmail_t etc_mail_t:dir rw_dir_perms; +allow sendmail_t etc_mail_t:file create_file_perms; + +# Write to /var/spool/mail and /var/spool/mqueue. +allow sendmail_t var_spool_t:dir { getattr search }; +allow sendmail_t mail_spool_t:dir rw_dir_perms; +allow sendmail_t mail_spool_t:file create_file_perms; +allow sendmail_t mqueue_spool_t:dir rw_dir_perms; +allow sendmail_t mqueue_spool_t:file create_file_perms; +allow sendmail_t urandom_device_t:chr_file { getattr read }; + +# Read /usr/lib/sasl2/.* +allow sendmail_t lib_t:file { getattr read }; + +# When sendmail runs as user_mail_domain, it needs some extra permissions +# to update /etc/mail/statistics. +allow user_mail_domain etc_mail_t:file rw_file_perms; + +# Silently deny attempts to access /root. +dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; + +# Run procmail in its own domain, if defined. +ifdef(`procmail.te',` +domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t) +domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t) +allow sendmail_t bin_t:dir { getattr search }; +') + +read_sysctl(sendmail_t) +read_sysctl(system_mail_t) + +allow system_mail_t etc_mail_t:dir { getattr search }; +allow system_mail_t etc_runtime_t:file { getattr read }; +allow system_mail_t proc_t:dir search; +allow system_mail_t proc_t:file { getattr read }; +allow system_mail_t proc_t:lnk_file read; +dontaudit system_mail_t proc_net_t:dir search; +allow system_mail_t fs_t:filesystem getattr; +allow system_mail_t self:dir { getattr search }; +allow system_mail_t var_t:dir getattr; +allow system_mail_t var_spool_t:dir getattr; +dontaudit system_mail_t userpty_type:chr_file { getattr read write }; + +# sendmail -q +allow system_mail_t mqueue_spool_t:dir rw_dir_perms; +allow system_mail_t mqueue_spool_t:file create_file_perms; + +ifdef(`crond.te', ` +dontaudit system_mail_t system_crond_tmp_t:file append; +') +dontaudit sendmail_t admin_tty_type:chr_file rw_file_perms; + +# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console +allow sendmail_t initrc_var_run_t:file { getattr read }; +dontaudit sendmail_t initrc_var_run_t:file { lock write }; + diff --git a/mls/domains/program/setfiles.te b/mls/domains/program/setfiles.te new file mode 100644 index 0000000..85bcd4c --- /dev/null +++ b/mls/domains/program/setfiles.te @@ -0,0 +1,66 @@ +#DESC Setfiles - SELinux filesystem labeling utilities +# +# Authors: Russell Coker +# X-Debian-Packages: policycoreutils +# + +################################# +# +# Rules for the setfiles_t domain. +# +# setfiles_exec_t is the type of the setfiles executable. +# +# needs auth_write attribute because it has relabelfrom/relabelto +# access to shadow_t +type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade; +type setfiles_exec_t, file_type, sysadmfile, exec_type; + +role system_r types setfiles_t; +role sysadm_r types setfiles_t; +role secadm_r types setfiles_t; + +ifdef(`distro_redhat', ` +domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t) +') +can_access_pty(hostname_t, initrc) +allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl }; + +allow setfiles_t self:unix_dgram_socket create_socket_perms; + +domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t) +allow setfiles_t { userdomain privfd initrc_t init_t }:fd use; + +uses_shlib(setfiles_t) +allow setfiles_t self:capability { dac_override dac_read_search fowner }; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that setfiles can not be run! +allow setfiles_t lib_t:file { read execute }; + +# Get security policy decisions. +can_getsecurity(setfiles_t) + +r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }) + +allow setfiles_t file_type:dir r_dir_perms; +allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom }; +allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto; +allow setfiles_t unlabeled_t:dir read; +allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto }; +allow setfiles_t { ttyfile ptyfile }:chr_file getattr; +# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal +dontaudit setfiles_t ttyfile:chr_file relabelfrom; + +allow setfiles_t fs_t:filesystem getattr; +allow setfiles_t fs_type:dir r_dir_perms; + +read_locale(setfiles_t) + +allow setfiles_t etc_runtime_t:file { getattr read }; +allow setfiles_t etc_t:file { getattr read }; +allow setfiles_t proc_t:file { getattr read }; +dontaudit setfiles_t proc_t:lnk_file { getattr read }; + +# for config files in a home directory +allow setfiles_t home_type:file r_file_perms; +dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom; diff --git a/mls/domains/program/slapd.te b/mls/domains/program/slapd.te new file mode 100644 index 0000000..4983870 --- /dev/null +++ b/mls/domains/program/slapd.te @@ -0,0 +1,78 @@ +#DESC Slapd - OpenLDAP server +# +# Author: Russell Coker +# X-Debian-Packages: slapd +# + +################################# +# +# Rules for the slapd_t domain. +# +# slapd_exec_t is the type of the slapd executable. +# +daemon_domain(slapd) + +allow slapd_t ldap_port_t:tcp_socket name_bind; + +etc_domain(slapd) +type slapd_db_t, file_type, sysadmfile; +type slapd_replog_t, file_type, sysadmfile; + +tmp_domain(slapd) + +# Use the network. +can_network(slapd_t) +allow slapd_t port_type:tcp_socket name_connect; +can_ypbind(slapd_t) +allow slapd_t self:fifo_file rw_file_perms; +allow slapd_t self:unix_stream_socket create_stream_socket_perms; +file_type_auto_trans(slapd_t,var_run_t,slapd_var_run_t,sock_file) +allow slapd_t self:unix_dgram_socket create_socket_perms; +# allow any domain to connect to the LDAP server +can_tcp_connect(domain, slapd_t) + +# Use capabilities should not need kill... +allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search }; +allow slapd_t self:process setsched; + +allow slapd_t proc_t:file r_file_perms; + +# Allow access to the slapd databases +create_dir_file(slapd_t, slapd_db_t) +allow initrc_t slapd_db_t:dir r_dir_perms; +allow slapd_t var_lib_t:dir r_dir_perms; + +# Allow access to write the replication log (should tighten this) +create_dir_file(slapd_t, slapd_replog_t) + +# read config files +allow slapd_t etc_t:{ file lnk_file } { getattr read }; +allow slapd_t etc_runtime_t:file { getattr read }; + +# for startup script +allow initrc_t slapd_etc_t:file { getattr read }; + +allow slapd_t etc_t:dir r_dir_perms; + +read_sysctl(slapd_t) + +allow slapd_t usr_t:{ lnk_file file } { read getattr }; +allow slapd_t urandom_device_t:chr_file { getattr read ioctl }; +allow slapd_t self:netlink_route_socket r_netlink_socket_perms; +r_dir_file(slapd_t, cert_t) + + +type slapd_cert_t, file_type, sysadmfile; +allow slapd_t bin_t:dir search; +can_exec(slapd_t, bin_t) +r_dir_file(slapd_t, proc_net_t) +allow slapd_t self:capability { chown sys_nice }; +allow slapd_t self:file { getattr read }; +allow slapd_t self:process { execstack getsched }; +allow slapd_t sysctl_net_t:dir r_dir_perms; +lock_domain(slapd) +create_dir_file(slapd_t, slapd_lock_t) +dontaudit slapd_t devpts_t:dir search; +rw_dir_create_file(slapd_t, slapd_cert_t) +allow slapd_t usr_t:dir { add_name write }; +allow slapd_t usr_t:file { create write }; diff --git a/mls/domains/program/slocate.te b/mls/domains/program/slocate.te new file mode 100644 index 0000000..8512aab --- /dev/null +++ b/mls/domains/program/slocate.te @@ -0,0 +1,77 @@ +#DESC LOCATE - Security Enhanced version of the GNU Locate +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the locate_t domain. +# +# locate_exec_t is the type of the locate executable. +# +daemon_base_domain(locate) +role system_r types locate_t; +role sysadm_r types locate_t; +allow locate_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(locate_exec_t, locate_t) +allow system_crond_t locate_log_t:dir rw_dir_perms; +allow system_crond_t locate_log_t:file { create append getattr }; +allow system_crond_t locate_etc_t:file { getattr read }; +') + +allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms; + +allow locate_t { fs_type file_type }:dir r_dir_perms; +dontaudit locate_t sysctl_t:dir getattr; +allow locate_t file_type:lnk_file r_file_perms; +allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; +dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read; +dontaudit locate_t security_t:dir getattr; +dontaudit locate_t shadow_t:file getattr; + +allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr; +allow locate_t unlabeled_t:dir_file_class_set getattr; +allow locate_t unlabeled_t:dir read; + +logdir_domain(locate) +etcdir_domain(locate) + +type locate_var_lib_t, file_type, sysadmfile; +typealias locate_var_lib_t alias var_lib_locate_t; + +create_dir_file(locate_t, locate_var_lib_t) +dontaudit locate_t sysadmfile:file getattr; + +allow locate_t proc_t:file { getattr read }; +allow locate_t self:unix_stream_socket create_socket_perms; +# +# Need to be able to exec renice +# +can_exec(locate_t, bin_t) + +dontaudit locate_t rpc_pipefs_t:dir r_dir_perms; +dontaudit locate_t rpc_pipefs_t:file getattr; + +# +# Read Mtab file +# +allow locate_t etc_runtime_t:file { getattr read }; + +# +# Read nsswitch file +# +allow locate_t etc_t:file { getattr read }; +dontaudit locate_t self:capability dac_override; +allow locate_t self:capability dac_read_search; + +# sysadm_t runs locate in his own domain. +# We use a type alias to simplify the rest of the policy, +# which often refers to $1_locate_t for the user domains. +typealias sysadm_t alias sysadm_locate_t; + +allow locate_t userdomain:fd use; +ifdef(`cardmgr.te', ` +allow locate_t cardmgr_var_run_t:chr_file getattr; +') diff --git a/mls/domains/program/slrnpull.te b/mls/domains/program/slrnpull.te new file mode 100644 index 0000000..25edb93 --- /dev/null +++ b/mls/domains/program/slrnpull.te @@ -0,0 +1,24 @@ +#DESC slrnpull +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the slrnpull_t domain. +# +# slrnpull_exec_t is the type of the slrnpull executable. +# +daemon_domain(slrnpull) +type slrnpull_spool_t, file_type, sysadmfile; + +log_domain(slrnpull) + +ifdef(`logrotate.te', ` +create_dir_file(logrotate_t, slrnpull_spool_t) +') +system_crond_entry(slrnpull_exec_t, slrnpull_t) +allow userdomain slrnpull_spool_t:dir search; +rw_dir_create_file(slrnpull_t, slrnpull_spool_t) +allow slrnpull_t var_spool_t:dir search; +allow slrnpull_t slrnpull_spool_t:dir create_dir_perms; diff --git a/mls/domains/program/snmpd.te b/mls/domains/program/snmpd.te new file mode 100644 index 0000000..ea75c8d --- /dev/null +++ b/mls/domains/program/snmpd.te @@ -0,0 +1,85 @@ +#DESC SNMPD - Simple Network Management Protocol daemon +# +# Author: Russell Coker +# X-Debian-Packages: snmpd +# + +################################# +# +# Rules for the snmpd_t domain. +# +daemon_domain(snmpd, `, nscd_client_domain') + +#temp +allow snmpd_t var_t:dir getattr; + +can_network_server(snmpd_t) +can_ypbind(snmpd_t) + +allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind; + +etc_domain(snmpd) + +# for the .index file +var_lib_domain(snmpd) +file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file }) +file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file) +allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms; + +log_domain(snmpd) +# for /usr/share/snmp/mibs +allow snmpd_t usr_t:file { getattr read }; + +can_udp_send(sysadm_t, snmpd_t) +can_udp_send(snmpd_t, sysadm_t) + +allow snmpd_t self:unix_dgram_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +allow snmpd_t etc_t:lnk_file read; +allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms; +allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read }; +allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config }; + +allow snmpd_t proc_t:dir search; +allow snmpd_t proc_t:file r_file_perms; +allow snmpd_t self:file { getattr read }; +allow snmpd_t self:fifo_file rw_file_perms; +allow snmpd_t { bin_t sbin_t }:dir search; +can_exec(snmpd_t, { bin_t sbin_t shell_exec_t }) + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +r_dir_file(snmpd_t, rpm_var_lib_t) +dontaudit snmpd_t rpm_var_lib_t:dir write; +dontaudit snmpd_t rpm_var_lib_t:file write; +') +') + +allow snmpd_t home_root_t:dir search; +allow snmpd_t initrc_var_run_t:file r_file_perms; +dontaudit snmpd_t initrc_var_run_t:file write; +dontaudit snmpd_t rpc_pipefs_t:dir getattr; +allow snmpd_t rpc_pipefs_t:dir getattr; +read_sysctl(snmpd_t) +allow snmpd_t sysctl_net_t:dir search; +allow snmpd_t sysctl_net_t:file { getattr read }; + +dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read }; +allow snmpd_t sysfs_t:dir { getattr read search }; +ifdef(`amanda.te', ` +dontaudit snmpd_t amanda_dumpdates_t:file { getattr read }; +') +ifdef(`cupsd.te', ` +allow snmpd_t cupsd_rw_etc_t:file { getattr read }; +') +allow snmpd_t var_lib_nfs_t:dir search; + +# needed in order to retrieve net traffic data +allow snmpd_t proc_net_t:dir search; +allow snmpd_t proc_net_t:file r_file_perms; + +allow snmpd_t domain:dir { getattr search }; +allow snmpd_t domain:file { getattr read }; +allow snmpd_t domain:process signull; + +dontaudit snmpd_t selinux_config_t:dir search; diff --git a/mls/domains/program/sound.te b/mls/domains/program/sound.te new file mode 100644 index 0000000..01f7355 --- /dev/null +++ b/mls/domains/program/sound.te @@ -0,0 +1,26 @@ +#DESC Sound - Sound utilities +# +# Authors: Mark Westerman +# X-Debian-Packages: esound +# +################################# +# +# Rules for the sound_t domain. +# +daemon_base_domain(sound) +type sound_file_t, file_type, sysadmfile; +allow initrc_t sound_file_t:file { getattr read }; +allow sound_t sound_file_t:file rw_file_perms; + +# Use capabilities. +# Commented out by default. +#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override }; +dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override }; + +# Read and write the sound device. +allow sound_t sound_device_t:chr_file rw_file_perms; + +# Read and write ttys. +allow sound_t sysadm_tty_device_t:chr_file rw_file_perms; +read_locale(sound_t) +allow initrc_t sound_file_t:file { setattr write }; diff --git a/mls/domains/program/spamassassin.te b/mls/domains/program/spamassassin.te new file mode 100644 index 0000000..d08eaa3 --- /dev/null +++ b/mls/domains/program/spamassassin.te @@ -0,0 +1,11 @@ +#DESC Spamassassin +# +# Author: Colin Walters +# X-Debian-Packages: spamassassin +# + +type spamassassin_exec_t, file_type, sysadmfile, exec_type; + +bool spamassasin_can_network false; + +# Everything else is in spamassassin_macros.te. diff --git a/mls/domains/program/spamc.te b/mls/domains/program/spamc.te new file mode 100644 index 0000000..9b49fbf --- /dev/null +++ b/mls/domains/program/spamc.te @@ -0,0 +1,10 @@ +#DESC Spamc - Spamassassin client +# +# Author: Colin Walters +# X-Debian-Packages: spamc +# Depends: spamassassin.te +# + +type spamc_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in spamassassin_macros.te. diff --git a/mls/domains/program/spamd.te b/mls/domains/program/spamd.te new file mode 100644 index 0000000..26f2a5a --- /dev/null +++ b/mls/domains/program/spamd.te @@ -0,0 +1,57 @@ +#DESC Spamd - Spamassassin daemon +# +# Author: Colin Walters +# X-Debian-Packages: spamassassin +# Depends: spamassassin.te +# + +daemon_domain(spamd) + +tmp_domain(spamd) + +general_domain_access(spamd_t) +uses_shlib(spamd_t) +read_sysctl(spamd_t) + +# Various Perl bits +allow spamd_t lib_t:file rx_file_perms; +dontaudit spamd_t shadow_t:file { getattr read }; +dontaudit spamd_t initrc_var_run_t:file { read write lock }; +dontaudit spamd_t sysadm_home_dir_t:dir { getattr search }; + +can_network_server(spamd_t) +allow spamd_t spamd_port_t:tcp_socket name_bind; +allow spamd_t port_type:udp_socket name_bind; +dontaudit spamd_t reserved_port_type:udp_socket name_bind; +can_ypbind(spamd_t) +can_resolve(spamd_t) +allow spamd_t self:capability net_bind_service; + +allow spamd_t proc_t:file { getattr read }; + +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. +allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; + +allow spamd_t { bin_t sbin_t }:dir { getattr search }; +can_exec(spamd_t, bin_t) + +ifdef(`sendmail.te', ` +allow spamd_t etc_mail_t:dir { getattr read search }; +allow spamd_t etc_mail_t:file { getattr ioctl read }; +') +allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read }; + +ifdef(`amavis.te', ` +# for bayes tokens +allow spamd_t var_lib_t:dir { getattr search }; +rw_dir_create_file(spamd_t, amavisd_lib_t) +') + +allow spamd_t usr_t:file { getattr ioctl read }; +allow spamd_t usr_t:lnk_file { getattr read }; +allow spamd_t urandom_device_t:chr_file { getattr read }; + +system_crond_entry(spamd_exec_t, spamd_t) +ifdef(`targeted_policy', `home_domain_access(spamd_t, user)') diff --git a/mls/domains/program/squid.te b/mls/domains/program/squid.te new file mode 100644 index 0000000..141518b --- /dev/null +++ b/mls/domains/program/squid.te @@ -0,0 +1,84 @@ +#DESC Squid - Web cache +# +# Author: Russell Coker +# X-Debian-Packages: squid +# + +################################# +# +# Rules for the squid_t domain. +# +# squid_t is the domain the squid process runs in +ifdef(`apache.te',` +can_tcp_connect(squid_t, httpd_t) +') +bool squid_connect_any false; +daemon_domain(squid, `, web_client_domain, nscd_client_domain') +type squid_conf_t, file_type, sysadmfile; +general_domain_access(squid_t) +allow { squid_t initrc_t } squid_conf_t:file r_file_perms; +allow squid_t squid_conf_t:dir r_dir_perms; +allow squid_t squid_conf_t:lnk_file read; + +logdir_domain(squid) +rw_dir_create_file(initrc_t, squid_log_t) + +allow squid_t usr_t:file { getattr read }; + +# type for /var/cache/squid +type squid_cache_t, file_type, sysadmfile; + +allow squid_t self:capability { setgid setuid net_bind_service dac_override }; +allow squid_t { etc_t etc_runtime_t }:file r_file_perms; +allow squid_t etc_t:lnk_file read; +allow squid_t self:unix_stream_socket create_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:fifo_file rw_file_perms; + +read_sysctl(squid_t) + +allow squid_t devtty_t:chr_file rw_file_perms; + +allow squid_t { self proc_t }:file { read getattr }; + +# for when we use /var/spool/cache +allow squid_t var_spool_t:dir search; + +# Grant permissions to create, access, and delete cache files. +# No type transitions required, as the files inherit the parent directory type. +create_dir_file(squid_t, squid_cache_t) +ifdef(`logrotate.te', +`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)') +ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)') + +# Use the network +can_network(squid_t) +if (squid_connect_any) { +allow squid_t port_type:tcp_socket name_connect; +} +can_ypbind(squid_t) +can_tcp_connect(web_client_domain, squid_t) + +# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts) +allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind; +allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; + +# to allow running programs from /usr/lib/squid (IE unlinkd) +# also allow exec()ing itself +can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } ) +allow squid_t { bin_t sbin_t }:dir search; +allow squid_t { bin_t sbin_t }:lnk_file read; + +dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr; +ifdef(`targeted_policy', ` +dontaudit squid_t tty_device_t:chr_file { read write }; +') +allow squid_t urandom_device_t:chr_file { getattr read }; + +#squid requires the following when run in diskd mode, the recommended setting +r_dir_file(squid_t, cert_t) +ifdef(`winbind.te', ` +domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t) +allow winbind_helper_t squid_t:tcp_socket rw_socket_perms; +allow winbind_helper_t squid_log_t:file ra_file_perms; +') diff --git a/mls/domains/program/ssh-agent.te b/mls/domains/program/ssh-agent.te new file mode 100644 index 0000000..f2e3d84 --- /dev/null +++ b/mls/domains/program/ssh-agent.te @@ -0,0 +1,13 @@ +#DESC ssh-agent - agent to securely store ssh-keys +# +# Authors: Thomas Bleher +# +# X-Debian-Packages: ssh +# + +# Type for the ssh-agent executable. +type ssh_agent_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the ssh_agent_domain macro in +# macros/program/ssh_agent_macros.te. + diff --git a/mls/domains/program/ssh.te b/mls/domains/program/ssh.te new file mode 100644 index 0000000..367e4c7 --- /dev/null +++ b/mls/domains/program/ssh.te @@ -0,0 +1,237 @@ +#DESC SSH - SSH daemon +# +# Authors: Anthony Colatrella (NSA) +# Stephen Smalley +# Russell Coker +# X-Debian-Packages: ssh +# + +# Allow ssh logins as sysadm_r:sysadm_t +bool ssh_sysadm_login false; + +# allow host key based authentication +bool allow_ssh_keysign false; + +ifdef(`inetd.te', ` +# Allow ssh to run from inetd instead of as a daemon. +bool run_ssh_inetd false; +') + +# sshd_exec_t is the type of the sshd executable. +# sshd_key_t is the type of the ssh private key files +type sshd_exec_t, file_type, exec_type, sysadmfile; +type sshd_key_t, file_type, sysadmfile; + +define(`sshd_program_domain', ` +# privowner is for changing the identity on the terminal device +# privfd is for passing the terminal file handle to the user process +# auth_chkpwd is for running unix_chkpwd and unix_verify. +type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; +can_exec($1_t, sshd_exec_t) +r_dir_file($1_t, self) +role system_r types $1_t; +dontaudit $1_t shadow_t:file { getattr read }; +uses_shlib($1_t) +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:fifo_file rw_file_perms; +allow $1_t self:process { fork sigchld signal setsched setrlimit }; + +dontaudit $1_t self:lnk_file read; + +# do not allow statfs() +dontaudit $1_t fs_type:filesystem getattr; + +allow $1_t bin_t:dir search; +allow $1_t bin_t:lnk_file read; + +# for sshd subsystems, such as sftp-server. +allow $1_t bin_t:file getattr; + +# Read /var. +allow $1_t var_t:dir { getattr search }; + +# Read /var/log. +allow $1_t var_log_t:dir search; + +# Read /etc. +allow $1_t etc_t:dir search; +# ioctl is for pam_console +dontaudit $1_t etc_t:file ioctl; +allow $1_t etc_t:file { getattr read }; +allow $1_t etc_t:lnk_file { getattr read }; +allow $1_t etc_runtime_t:file { getattr read }; + +# Read and write /dev/tty and /dev/null. +allow $1_t devtty_t:chr_file rw_file_perms; +allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms; + +# Read /dev/urandom +allow $1_t urandom_device_t:chr_file { getattr read }; + +can_network($1_t) +allow $1_t port_type:tcp_socket name_connect; +can_kerberos($1_t) + +allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; +allow $1_t { home_root_t home_dir_type }:dir { search getattr }; +if (use_nfs_home_dirs) { +allow $1_t autofs_t:dir { search getattr }; +allow $1_t nfs_t:dir { search getattr }; +allow $1_t nfs_t:file { getattr read }; +} + +if (use_samba_home_dirs) { +allow $1_t cifs_t:dir { search getattr }; +allow $1_t cifs_t:file { getattr read }; +} + +# Set exec context. +can_setexec($1_t) + +# Update utmp. +allow $1_t initrc_var_run_t:file rw_file_perms; + +# Update wtmp. +allow $1_t wtmp_t:file rw_file_perms; + +# Get security policy decisions. +can_getsecurity($1_t) + +# Allow read access to login context +r_dir_file( $1_t, default_context_t) + +# Access key files +allow $1_t sshd_key_t:file { getattr read }; + +# Update /var/log/lastlog. +allow $1_t lastlog_t:file rw_file_perms; + +read_locale($1_t) +read_sysctl($1_t) + +# Can create ptys +can_create_pty($1, `, server_pty') +allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom }; +dontaudit sshd_t userpty_type:chr_file relabelfrom; + +allow $1_t faillog_t:file { append getattr }; +allow $1_t sbin_t:file getattr; + +# Allow checking users mail at login +allow $1_t { var_spool_t mail_spool_t }:dir search; +allow $1_t mail_spool_t:lnk_file read; +allow $1_t mail_spool_t:file getattr; +')dnl end sshd_program_domain + +# macro for defining which domains a sshd can spawn +# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the +# type of the pty for the child +define(`sshd_spawn_domain', ` +login_spawn_domain($1, $2) +ifdef(`xauth.te', ` +domain_trans($1_t, xauth_exec_t, $2) +') + +# Relabel and access ptys created by sshd +# ioctl is necessary for logout() processing for utmp entry and for w to +# display the tty. +# some versions of sshd on the new SE Linux require setattr +allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr }; + +# inheriting stream sockets is needed for "ssh host command" as no pty +# is allocated +allow $2 $1_t:unix_stream_socket rw_stream_socket_perms; +')dnl end sshd_spawn_domain definition + +################################# +# +# Rules for the sshd_t domain, et al. +# +# sshd_t is the domain for the sshd program. +# sshd_extern_t is the domain for ssh from outside our network +# +sshd_program_domain(sshd) +if (ssh_sysadm_login) { +allow sshd_t devpts_t:dir r_dir_perms; +sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type }) +} else { +sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type) +} + +# for X forwarding +allow sshd_t xserver_port_t:tcp_socket name_bind; + +r_dir_file(sshd_t, selinux_config_t) +sshd_program_domain(sshd_extern) +sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type) + +# for when the network connection breaks after running newrole -r sysadm_r +dontaudit sshd_t sysadm_devpts_t:chr_file setattr; + +ifdef(`inetd.te', ` +if (run_ssh_inetd) { +allow inetd_t ssh_port_t:tcp_socket name_bind; +domain_auto_trans(inetd_t, sshd_exec_t, sshd_t) +domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) +allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms; +allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search }; +allow { sshd_t sshd_extern_t } self:process signal; +} else { +') +can_access_pty({ sshd_t sshd_extern_t }, initrc) +allow { sshd_t sshd_extern_t } self:capability net_bind_service; +allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind; + +# for port forwarding +can_tcp_connect(userdomain, sshd_t) + +domain_auto_trans(initrc_t, sshd_exec_t, sshd_t) +domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) +dontaudit initrc_t sshd_key_t:file { getattr read }; + +# Inherit and use descriptors from init. +allow { sshd_t sshd_extern_t } init_t:fd use; +ifdef(`inetd.te', ` +} +') + +# Create /var/run/sshd.pid +var_run_domain(sshd) +var_run_domain(sshd_extern) + +ifdef(`direct_sysadm_daemon', ` +# Direct execution by sysadm_r. +domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t) +role_transition sysadm_r sshd_exec_t system_r; +') + +undefine(`sshd_program_domain') + +# so a tunnel can point to another ssh tunnel... +can_tcp_connect(sshd_t, sshd_t) + +tmp_domain(sshd, `', { dir file sock_file }) +ifdef(`pam.te', ` +can_exec(sshd_t, pam_exec_t) +') + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t +daemon_base_domain(ssh_keygen) +allow ssh_keygen_t etc_t:file { getattr read }; +file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file) + +# Type for the ssh executable. +type ssh_exec_t, file_type, exec_type, sysadmfile; +type ssh_keysign_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the ssh_domain macro in +# macros/program/ssh_macros.te. + +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; +allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write }; +allow ssh_keygen_t urandom_device_t:chr_file { getattr read }; +ifdef(`use_mcs', ` +range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; +') diff --git a/mls/domains/program/stunnel.te b/mls/domains/program/stunnel.te new file mode 100644 index 0000000..4dbfcec --- /dev/null +++ b/mls/domains/program/stunnel.te @@ -0,0 +1,33 @@ +# DESC: selinux policy for stunnel +# +# Author: petre rodan +# +ifdef(`distro_gentoo', ` + +daemon_domain(stunnel) + +can_network(stunnel_t) +allow stunnel_t port_type:tcp_socket name_connect; + +allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:fifo_file { read write }; +allow stunnel_t self:tcp_socket { read write }; +allow stunnel_t self:unix_stream_socket { connect create }; + +r_dir_file(stunnel_t, etc_t) +', ` +inetd_child_domain(stunnel, tcp) +allow stunnel_t self:capability sys_chroot; + +bool stunnel_is_daemon false; +if (stunnel_is_daemon) { +# Policy to run stunnel as a daemon should go here. +allow stunnel_t self:tcp_socket rw_stream_socket_perms; +allow stunnel_t stunnel_port_t:tcp_socket name_bind; +} +') + +type stunnel_etc_t, file_type, sysadmfile; +r_dir_file(stunnel_t, stunnel_etc_t) +allow stunnel_t stunnel_port_t:tcp_socket { name_bind }; + diff --git a/mls/domains/program/su.te b/mls/domains/program/su.te new file mode 100644 index 0000000..5769d11 --- /dev/null +++ b/mls/domains/program/su.te @@ -0,0 +1,26 @@ +#DESC Su - Run shells with substitute user and group +# +# Domains for the su program. +# X-Debian-Packages: login + +# +# su_exec_t is the type of the su executable. +# +type su_exec_t, file_type, sysadmfile; + +allow sysadm_su_t user_home_dir_type:dir search; + +# Everything else is in the su_domain macro in +# macros/program/su_macros.te. + +ifdef(`use_mcs', ` +ifdef(`targeted_policy', ` +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; +domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t) +# allow user to suspend terminal +allow sysadm_su_t unconfined_t:process signal; +allow sysadm_su_t self:process { signal sigstop }; +can_exec(sysadm_su_t, bin_t) +rw_dir_create_file(sysadm_su_t, home_dir_type) +') +') diff --git a/mls/domains/program/sudo.te b/mls/domains/program/sudo.te new file mode 100644 index 0000000..a1fad31 --- /dev/null +++ b/mls/domains/program/sudo.te @@ -0,0 +1,11 @@ +#DESC sudo - execute a command as another user +# +# Authors: Dan Walsh, Russell Coker +# Maintained by Dan Walsh +# + +# Type for the sudo executable. +type sudo_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the sudo_domain macro in +# macros/program/sudo_macros.te. diff --git a/mls/domains/program/sulogin.te b/mls/domains/program/sulogin.te new file mode 100644 index 0000000..0bed085 --- /dev/null +++ b/mls/domains/program/sulogin.te @@ -0,0 +1,56 @@ +#DESC sulogin - Single-User login +# +# Authors: Dan Walsh +# +# X-Debian-Packages: sysvinit + +################################# +# +# Rules for the sulogin_t domain +# + +type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth; +type sulogin_exec_t, file_type, exec_type, sysadmfile; +role system_r types sulogin_t; + +general_domain_access(sulogin_t) + +domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t) +allow sulogin_t initrc_t:process getpgid; +uses_shlib(sulogin_t) + +# suse and debian do not use pam with sulogin... +ifdef(`distro_suse', ` +define(`sulogin_no_pam', `') +') +ifdef(`distro_debian', ` +define(`sulogin_no_pam', `') +') + +ifdef(`sulogin_no_pam', ` +domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) +allow sulogin_t init_t:process getpgid; +allow sulogin_t self:capability sys_tty_config; +', ` +domain_trans(sulogin_t, shell_exec_t, sysadm_t) +allow sulogin_t shell_exec_t:file r_file_perms; + +can_setexec(sulogin_t) +can_getsecurity(sulogin_t) +') + +r_dir_file(sulogin_t, etc_t) + +allow sulogin_t bin_t:dir r_dir_perms; +r_dir_file(sulogin_t, proc_t) +allow sulogin_t root_t:dir search; + +allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; +allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +allow sulogin_t default_context_t:dir search; +allow sulogin_t default_context_t:file { getattr read }; + +r_dir_file(sulogin_t, selinux_config_t) + +# because file systems are not mounted +dontaudit sulogin_t file_t:dir search; diff --git a/mls/domains/program/swat.te b/mls/domains/program/swat.te new file mode 100644 index 0000000..aa94d2f --- /dev/null +++ b/mls/domains/program/swat.te @@ -0,0 +1,14 @@ +#DESC swat - Samba Web Administration Tool +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the swat_t domain. +# +# swat_exec_t is the type of the swat executable. +# + +inetd_child_domain(swat) diff --git a/mls/domains/program/syslogd.te b/mls/domains/program/syslogd.te new file mode 100644 index 0000000..8957fea --- /dev/null +++ b/mls/domains/program/syslogd.te @@ -0,0 +1,110 @@ +#DESC Syslogd - System log daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysklogd syslog-ng +# + +################################# +# +# Rules for the syslogd_t domain. +# +# syslogd_t is the domain of syslogd. +# syslogd_exec_t is the type of the syslogd executable. +# devlog_t is the type of the Unix domain socket created +# by syslogd. +# +ifdef(`klogd.te', ` +daemon_domain(syslogd, `, privkmsg, nscd_client_domain') +', ` +daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain') +') + +# can_network is for the UDP socket +can_network_udp(syslogd_t) +can_ypbind(syslogd_t) + +r_dir_file(syslogd_t, sysfs_t) + +type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject; + +# if something can log to syslog they should be able to log to the console +allow privlog console_device_t:chr_file { ioctl read write getattr }; + +tmp_domain(syslogd) + +# read files in /etc +allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms; + +# Use capabilities. +allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config }; + +# Modify/create log files. +create_append_log_file(syslogd_t, var_log_t) + +# Create and bind to /dev/log or /var/run/log. +file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file) +ifdef(`distro_suse', ` +# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel +file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) +') +allow syslogd_t self:unix_dgram_socket create_socket_perms; +allow syslogd_t self:unix_dgram_socket sendto; +allow syslogd_t self:unix_stream_socket create_stream_socket_perms; +allow syslogd_t self:fifo_file rw_file_perms; +allow syslogd_t devlog_t:unix_stream_socket name_bind; +allow syslogd_t devlog_t:unix_dgram_socket name_bind; +# log to the xconsole +allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; + +# Domains with the privlog attribute may log to syslogd. +allow privlog devlog_t:sock_file rw_file_perms; +can_unix_send(privlog,syslogd_t) +can_unix_connect(privlog,syslogd_t) +# allow /dev/log to be a link elsewhere for chroot setup +allow privlog devlog_t:lnk_file read; + +ifdef(`crond.te', ` +# for daemon re-start +allow system_crond_t syslogd_t:lnk_file read; +') + +ifdef(`logrotate.te', ` +allow logrotate_t syslogd_exec_t:file r_file_perms; +') + +# for sending messages to logged in users +allow syslogd_t initrc_var_run_t:file { read lock }; +dontaudit syslogd_t initrc_var_run_t:file write; +allow syslogd_t ttyfile:chr_file { getattr write }; + +# +# Special case to handle crashes +# +allow syslogd_t { device_t file_t }:sock_file { getattr unlink }; + +# Allow syslog to a terminal +allow syslogd_t tty_device_t:chr_file { getattr write ioctl append }; + +# Allow name_bind for remote logging +allow syslogd_t syslogd_port_t:udp_socket name_bind; +# +# /initrd is not umounted before minilog starts +# +dontaudit syslogd_t file_t:dir search; +allow syslogd_t { tmpfs_t devpts_t }:dir search; +dontaudit syslogd_t unlabeled_t:file { getattr read }; +dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; +allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; +ifdef(`targeted_policy', ` +allow syslogd_t var_run_t:fifo_file { ioctl read write }; +allow syslogd_t ttyfile:chr_file { getattr write ioctl append }; +') + +# Allow access to /proc/kmsg for syslog-ng +allow syslogd_t proc_t:dir search; +allow syslogd_t proc_kmsg_t:file { getattr read }; +allow syslogd_t kernel_t:system { syslog_mod syslog_console }; +allow syslogd_t self:capability { sys_admin chown fsetid }; +allow syslogd_t var_log_t:dir { create setattr }; +allow syslogd_t syslogd_port_t:tcp_socket name_bind; +allow syslogd_t rsh_port_t:tcp_socket name_connect; diff --git a/mls/domains/program/sysstat.te b/mls/domains/program/sysstat.te new file mode 100644 index 0000000..f01da4c --- /dev/null +++ b/mls/domains/program/sysstat.te @@ -0,0 +1,65 @@ +#DESC Sysstat - Sar and similar programs +# +# Authors: Russell Coker +# X-Debian-Packages: sysstat +# + +################################# +# +# Rules for the sysstat_t domain. +# +# sysstat_exec_t is the type of the sysstat executable. +# +type sysstat_t, domain, privlog; +type sysstat_exec_t, file_type, sysadmfile, exec_type; + +role system_r types sysstat_t; + +allow sysstat_t device_t:dir search; + +allow sysstat_t self:process { sigchld fork }; + +#for date +can_exec(sysstat_t, { sysstat_exec_t bin_t }) +allow sysstat_t bin_t:dir r_dir_perms; +dontaudit sysstat_t sbin_t:dir search; + +dontaudit sysstat_t self:capability sys_admin; +allow sysstat_t self:capability sys_resource; + +allow sysstat_t devtty_t:chr_file rw_file_perms; + +allow sysstat_t urandom_device_t:chr_file read; + +# for mtab +allow sysstat_t etc_runtime_t:file { read getattr }; +# for fstab +allow sysstat_t etc_t:file { read getattr }; + +dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms; + +allow sysstat_t self:fifo_file rw_file_perms; + +# Type for files created during execution of sysstatd. +logdir_domain(sysstat) +allow sysstat_t var_t:dir search; + +allow sysstat_t etc_t:dir r_dir_perms; +read_locale(sysstat_t) + +allow sysstat_t fs_t:filesystem getattr; + +# get info from /proc +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms; +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr }; + +domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t) +allow sysstat_t init_t:fd use; +allow sysstat_t console_device_t:chr_file { read write }; + +uses_shlib(sysstat_t) + +system_crond_entry(sysstat_exec_t, sysstat_t) +allow system_crond_t sysstat_log_t:dir { write remove_name add_name }; +allow system_crond_t sysstat_log_t:file create_file_perms; +allow sysstat_t initrc_devpts_t:chr_file { read write }; diff --git a/mls/domains/program/tcpd.te b/mls/domains/program/tcpd.te new file mode 100644 index 0000000..af135be --- /dev/null +++ b/mls/domains/program/tcpd.te @@ -0,0 +1,43 @@ +#DESC Tcpd - Access control facilities from internet services +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: tcpd +# Depends: inetd.te +# + +################################# +# +# Rules for the tcpd_t domain. +# +type tcpd_t, domain, privlog; +role system_r types tcpd_t; +uses_shlib(tcpd_t) +type tcpd_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t) + +allow tcpd_t fs_t:filesystem getattr; + +# no good reason for this, probably nscd +dontaudit tcpd_t var_t:dir search; + +can_network_server(tcpd_t) +can_ypbind(tcpd_t) +allow tcpd_t self:unix_dgram_socket create_socket_perms; +allow tcpd_t self:unix_stream_socket create_socket_perms; +allow tcpd_t etc_t:file { getattr read }; +read_locale(tcpd_t) + +tmp_domain(tcpd) + +# Use sockets inherited from inetd. +allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Run each daemon with a defined domain in its own domain. +# These rules have been moved to each target domain .te file. + +# Run other daemons in the inetd_child_t domain. +allow tcpd_t { bin_t sbin_t }:dir search; +domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t) + +allow tcpd_t device_t:dir search; diff --git a/mls/domains/program/telnetd.te b/mls/domains/program/telnetd.te new file mode 100644 index 0000000..bbbb2c1 --- /dev/null +++ b/mls/domains/program/telnetd.te @@ -0,0 +1,10 @@ +# telnet server daemon +# + +################################# +# +# Rules for the telnetd_t domain +# + +remote_login_daemon(telnetd) +typealias telnetd_port_t alias telnet_port_t; diff --git a/mls/domains/program/tftpd.te b/mls/domains/program/tftpd.te new file mode 100644 index 0000000..c749987 --- /dev/null +++ b/mls/domains/program/tftpd.te @@ -0,0 +1,41 @@ +#DESC TFTP - UDP based file server for boot loaders +# +# Author: Russell Coker +# X-Debian-Packages: tftpd atftpd +# Depends: inetd.te +# + +################################# +# +# Rules for the tftpd_t domain. +# +# tftpd_exec_t is the type of the tftpd executable. +# +daemon_domain(tftpd) + +# tftpdir_t is the type of files in the /tftpboot directories. +type tftpdir_t, file_type, sysadmfile; +r_dir_file(tftpd_t, tftpdir_t) + +domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t) + +# Use the network. +can_network_udp(tftpd_t) +allow tftpd_t tftp_port_t:udp_socket name_bind; +ifdef(`inetd.te', ` +allow inetd_t tftp_port_t:udp_socket name_bind; +') +allow tftpd_t self:unix_dgram_socket create_socket_perms; +allow tftpd_t self:unix_stream_socket create_stream_socket_perms; + +# allow any domain to connect to the TFTP server +allow tftpd_t inetd_t:udp_socket rw_socket_perms; + +# Use capabilities +allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot }; + +allow tftpd_t etc_t:dir r_dir_perms; +allow tftpd_t etc_t:file r_file_perms; + +allow tftpd_t var_t:dir r_dir_perms; +allow tftpd_t var_t:{ file lnk_file } r_file_perms; diff --git a/mls/domains/program/timidity.te b/mls/domains/program/timidity.te new file mode 100644 index 0000000..e007d3f --- /dev/null +++ b/mls/domains/program/timidity.te @@ -0,0 +1,34 @@ +# DESC timidity - MIDI to WAV converter and player +# +# Author: Thomas Bleher +# +# Note: You only need this policy if you want to run timidity as a server + +daemon_base_domain(timidity) +can_network_server(timidity_t) + +allow timidity_t device_t:lnk_file read; + +# read /usr/share/alsa/alsa.conf +allow timidity_t usr_t:file { getattr read }; +# read /etc/esd.conf and /proc/cpuinfo +allow timidity_t { etc_t proc_t }:file { getattr read }; +# read libartscbackend.la - should these be shlib_t? +allow timidity_t lib_t:file { getattr read }; + +allow timidity_t sound_device_t:chr_file { read write ioctl }; + +# stupid timidity won't start if it can't search its current directory. +# allow this so /etc/init.d/alsasound start works from /root +allow timidity_t sysadm_home_dir_t:dir search; + +allow timidity_t tmp_t:dir search; +tmpfs_domain(timidity) + +allow timidity_t self:shm create_shm_perms; + +allow timidity_t self:unix_stream_socket create_stream_socket_perms; + +allow timidity_t devpts_t:dir search; +allow timidity_t self:capability { dac_override dac_read_search }; +allow timidity_t self:process getsched; diff --git a/mls/domains/program/tmpreaper.te b/mls/domains/program/tmpreaper.te new file mode 100644 index 0000000..8cd0fe9 --- /dev/null +++ b/mls/domains/program/tmpreaper.te @@ -0,0 +1,33 @@ +#DESC Tmpreaper - Monitor and maintain temporary files +# +# Author: Russell Coker +# X-Debian-Packages: tmpreaper +# + +################################# +# +# Rules for the tmpreaper_t domain. +# +type tmpreaper_t, domain, privlog, mlsfileread, mlsfilewrite; +type tmpreaper_exec_t, file_type, sysadmfile, exec_type; + +role system_r types tmpreaper_t; + +system_crond_entry(tmpreaper_exec_t, tmpreaper_t) +uses_shlib(tmpreaper_t) +# why does it need setattr? +allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir }; +allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink }; +allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink }; +allow tmpreaper_t self:process { fork sigchld }; +allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; +allow tmpreaper_t fs_t:filesystem getattr; + +r_dir_file(tmpreaper_t, etc_t) +allow tmpreaper_t var_t:dir { getattr search }; +r_dir_file(tmpreaper_t, var_lib_t) +allow tmpreaper_t device_t:dir { getattr search }; +allow tmpreaper_t urandom_device_t:chr_file { getattr read }; + +read_locale(tmpreaper_t) + diff --git a/mls/domains/program/traceroute.te b/mls/domains/program/traceroute.te new file mode 100644 index 0000000..af25e20 --- /dev/null +++ b/mls/domains/program/traceroute.te @@ -0,0 +1,66 @@ +#DESC Traceroute - Display network routes +# +# Author: Russell Coker +# based on the work of David A. Wheeler +# X-Debian-Packages: traceroute lft +# + +################################# +# +# Rules for the traceroute_t domain. +# +# traceroute_t is the domain for the traceroute program. +# traceroute_exec_t is the type of the corresponding program. +# +type traceroute_t, domain, privlog, nscd_client_domain; +role sysadm_r types traceroute_t; +role system_r types traceroute_t; +# for user_ping: +in_user_role(traceroute_t) +uses_shlib(traceroute_t) +can_network_client(traceroute_t) +allow traceroute_t port_type:tcp_socket name_connect; +can_ypbind(traceroute_t) +allow traceroute_t node_t:rawip_socket node_bind; +type traceroute_exec_t, file_type, sysadmfile, exec_type; + +# Transition into this domain when you run this program. +domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t) +domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t) + +allow traceroute_t etc_t:file { getattr read }; + +# Use capabilities. +allow traceroute_t self:capability { net_admin net_raw setuid setgid }; + +allow traceroute_t self:rawip_socket create_socket_perms; +allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow traceroute_t self:unix_stream_socket create_socket_perms; +allow traceroute_t device_t:dir search; + +# for lft +allow traceroute_t self:packet_socket create_socket_perms; +r_dir_file(traceroute_t, proc_t) +r_dir_file(traceroute_t, proc_net_t) + +# Access the terminal. +allow traceroute_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') +allow traceroute_t privfd:fd use; + +# dont need this +dontaudit traceroute_t fs_t:filesystem getattr; +dontaudit traceroute_t var_t:dir search; + +ifdef(`ping.te', ` +if (user_ping) { + domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) + # allow access to the terminal + allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms; +} +') +#rules needed for nmap +allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms; +allow traceroute_t usr_t:file { getattr read }; +read_locale(traceroute_t) +dontaudit traceroute_t userdomain:dir search; diff --git a/mls/domains/program/udev.te b/mls/domains/program/udev.te new file mode 100644 index 0000000..cc5f7d4 --- /dev/null +++ b/mls/domains/program/udev.te @@ -0,0 +1,152 @@ +#DESC udev - Linux configurable dynamic device naming support +# +# Author: Dan Walsh dwalsh@redhat.com +# + +################################# +# +# Rules for the udev_t domain. +# +# udev_exec_t is the type of the udev executable. +# +daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite') + +general_domain_access(udev_t) + +if (allow_execmem) { +# for alsactl +allow udev_t self:process execmem; +} + +etc_domain(udev) +type udev_helper_exec_t, file_type, sysadmfile, exec_type; +can_exec_any(udev_t) + +# +# Rules used for udev +# +type udev_tdb_t, file_type, sysadmfile, dev_fs; +typealias udev_tdb_t alias udev_tbl_t; +file_type_auto_trans(udev_t, device_t, udev_tdb_t, file) +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice }; +allow udev_t self:file { getattr read }; +allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; +allow udev_t self:unix_dgram_socket create_socket_perms; +allow udev_t self:fifo_file rw_file_perms; +allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udev_t device_t:file { unlink rw_file_perms }; +allow udev_t device_t:sock_file create_file_perms; +allow udev_t device_t:lnk_file create_lnk_perms; +allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; +ifdef(`distro_redhat', ` +allow udev_t tmpfs_t:dir create_dir_perms; +allow udev_t tmpfs_t:{ sock_file file } create_file_perms; +allow udev_t tmpfs_t:lnk_file create_lnk_perms; +allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; +allow udev_t tmpfs_t:dir search; + +# for arping used for static IP addresses on PCMCIA ethernet +domain_auto_trans(udev_t, netutils_exec_t, netutils_t) +') +allow udev_t etc_t:file { getattr read ioctl }; +allow udev_t { bin_t sbin_t }:dir r_dir_perms; +allow udev_t { sbin_t bin_t }:lnk_file read; +allow udev_t bin_t:lnk_file read; +can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) +can_exec(udev_t, udev_exec_t) +rw_dir_file(udev_t, sysfs_t) +allow udev_t sysadm_tty_device_t:chr_file { read write }; + +# to read the file_contexts file +r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } ) + +allow udev_t policy_config_t:dir search; +allow udev_t proc_t:file { getattr read ioctl }; +allow udev_t proc_kcore_t:file getattr; + +# Get security policy decisions. +can_getsecurity(udev_t) + +# set file system create context +can_setfscreate(udev_t) + +allow udev_t kernel_t:fd use; +allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; +allow udev_t kernel_t:process signal; + +allow udev_t initrc_var_run_t:file r_file_perms; +dontaudit udev_t initrc_var_run_t:file write; + +domain_auto_trans(kernel_t, udev_exec_t, udev_t) +domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) +ifdef(`hide_broken_symptoms', ` +dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; +') +allow udev_t devpts_t:dir { getattr search }; +allow udev_t etc_runtime_t:file { getattr read }; +ifdef(`xdm.te', ` +allow udev_t xdm_var_run_t:file { getattr read }; +') + +ifdef(`hotplug.te', ` +r_dir_file(udev_t, hotplug_etc_t) +') +allow udev_t var_log_t:dir search; + +ifdef(`consoletype.te', ` +can_exec(udev_t, consoletype_exec_t) +') +ifdef(`pamconsole.te', ` +allow udev_t pam_var_console_t:dir search; +allow udev_t pam_var_console_t:file { getattr read }; +domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) +') +allow udev_t var_lock_t:dir search; +allow udev_t var_lock_t:file getattr; +domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) +ifdef(`hide_broken_symptoms', ` +dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; +') + +dontaudit udev_t file_t:dir search; +ifdef(`dhcpc.te', ` +domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) +') + +allow udev_t udev_helper_exec_t:dir r_dir_perms; + +dbusd_client(system, udev) + +allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms }; +allow udev_t sysctl_dev_t:dir search; +allow udev_t mnt_t:dir search; +allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read }; +allow udev_t self:rawip_socket create_socket_perms; +dontaudit udev_t domain:dir r_dir_perms; +dontaudit udev_t ttyfile:chr_file unlink; +ifdef(`hotplug.te', ` +r_dir_file(udev_t, hotplug_var_run_t) +') +r_dir_file(udev_t, modules_object_t) +# +# Udev is now writing dhclient-eth*.conf* files. +# +ifdef(`dhcpd.te', `define(`use_dhcp')') +ifdef(`dhcpc.te', `define(`use_dhcp')') +ifdef(`use_dhcp', ` +allow udev_t dhcp_etc_t:file rw_file_perms; +file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file) +') +r_dir_file(udev_t, domain) +allow udev_t modules_dep_t:file r_file_perms; + +nsswitch_domain(udev_t) + +ifdef(`unlimitedUtils', ` +unconfined_domain(udev_t) +') +dontaudit hostname_t udev_t:fd use; +ifdef(`use_mcs', ` +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +') diff --git a/mls/domains/program/unconfined.te b/mls/domains/program/unconfined.te new file mode 100644 index 0000000..9497a3c --- /dev/null +++ b/mls/domains/program/unconfined.te @@ -0,0 +1,15 @@ +#DESC Unconfined - Use to essentially disable SELinux for a particular program +# This domain will be useful as a workaround for e.g. third-party daemon software +# that has no policy, until one can be written for it. +# +# To use, label the executable with unconfined_exec_t, e.g.: +# chcon -t unconfined_exec_t /usr/local/bin/appsrv +# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc + +type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write; +type unconfined_exec_t, file_type, sysadmfile, exec_type; +role sysadm_r types unconfined_t; +domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t) +role system_r types unconfined_t; +domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t) +unconfined_domain(unconfined_t) diff --git a/mls/domains/program/unused/afs.te b/mls/domains/program/unused/afs.te new file mode 100644 index 0000000..8bcab3b --- /dev/null +++ b/mls/domains/program/unused/afs.te @@ -0,0 +1,166 @@ +# +# Policy for AFS server +# + +type afs_files_t, file_type; +type afs_config_t, file_type, sysadmfile; +type afs_logfile_t, file_type, logfile; +type afs_dbdir_t, file_type; + +allow afs_files_t afs_files_t:filesystem associate; +# df should show sizes +allow sysadm_t afs_files_t:filesystem getattr; + +# +# Macros for defining AFS server domains +# + +define(`afs_server_domain',` +type afs_$1server_t, domain $2; +type afs_$1server_exec_t, file_type, sysadmfile; + +role system_r types afs_$1server_t; + +allow afs_$1server_t afs_config_t:file r_file_perms; +allow afs_$1server_t afs_config_t:dir r_dir_perms; +allow afs_$1server_t afs_logfile_t:file create_file_perms; +allow afs_$1server_t afs_logfile_t:dir create_dir_perms; +allow afs_$1server_t afs_$1_port_t:udp_socket name_bind; +uses_shlib(afs_$1server_t) +can_network(afs_$1server_t) +read_locale(afs_$1server_t) + +dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms; +dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms; +dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms; +') + +define(`afs_under_bos',` +domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t) +allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms; +allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms; +allow afs_$1server_t net_conf_t:file r_file_perms; +allow afs_bosserver_t afs_$1server_t:process signal_perms; +') + +define(`afs_server_db',` +type afs_$1_db_t, file_type; + +allow afs_$1server_t afs_$1_db_t:file create_file_perms; +file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file); +') + + +# +# bosserver +# + +afs_server_domain(`bos') +base_file_read_access(afs_bosserver_t) + +domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t) + +allow afs_bosserver_t self:process { fork setsched signal_perms }; +allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms }; +allow afs_bosserver_t afs_dbdir_t:dir { search read getattr }; +allow afs_bosserver_t afs_config_t:file create_file_perms; +allow afs_bosserver_t afs_config_t:dir create_dir_perms; + +allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms; +allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; +allow afs_bosserver_t device_t:dir r_dir_perms; + +# allow sysadm to use bos +allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom }; +allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto }; + +# +# fileserver, volserver, and salvager +# + +afs_server_domain(`fs',`,privlog') +afs_under_bos(`fs') + +base_file_read_access(afs_fsserver_t) +file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t) + +allow afs_fsserver_t self:process { fork sigchld setsched signal_perms }; +allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +allow afs_fsserver_t self:fifo_file { rw_file_perms }; +can_exec(afs_fsserver_t, afs_fsserver_exec_t) +allow afs_fsserver_t afs_files_t:file create_file_perms; +allow afs_fsserver_t afs_files_t:dir create_dir_perms; +allow afs_fsserver_t afs_config_t:file create_file_perms; +allow afs_fsserver_t afs_config_t:dir create_dir_perms; + +allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind; +allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr; + +allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; +allow afs_fsserver_t device_t:dir r_dir_perms; +allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms; +allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms; + +allow afs_fsserver_t proc_t:dir r_dir_perms; +allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms; +allow afs_fsserver_t { self proc_t } : dir r_dir_perms; + +# fs communicates with other servers +allow afs_fsserver_t self:unix_dgram_socket create_socket_perms; +allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom }; +allow afs_fsserver_t self:udp_socket { sendto recvfrom }; +allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom }; +allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom }; +allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto }; + +dontaudit afs_fsserver_t self:capability fsetid; +dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms; +dontaudit afs_fsserver_t initrc_t:fd use; +dontaudit afs_fsserver_t mnt_t:dir search; + + +# +# kaserver +# + +afs_server_domain(`ka') +afs_under_bos(`ka') +afs_server_db(`ka') + +base_file_read_access(afs_kaserver_t) + +allow afs_kaserver_t kerberos_port_t:udp_socket name_bind; +allow afs_kaserver_t self:capability { net_bind_service }; +allow afs_kaserver_t afs_config_t:file create_file_perms; +allow afs_kaserver_t afs_config_t:dir rw_dir_perms; + +# allow sysadm to use kas +allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom }; +allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto }; + + +# +# ptserver +# + +afs_server_domain(`pt') +afs_under_bos(`pt') +afs_server_db(`pt') + +# allow users to use pts +allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom }; +allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto }; +allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom }; + + +# +# vlserver +# + +afs_server_domain(`vl') +afs_under_bos(`vl') +afs_server_db(`vl') + +allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom }; +allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto }; +allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom }; diff --git a/mls/domains/program/unused/amavis.te b/mls/domains/program/unused/amavis.te new file mode 100644 index 0000000..1e1752f --- /dev/null +++ b/mls/domains/program/unused/amavis.te @@ -0,0 +1,117 @@ +#DESC Amavis - Anti-virus +# +# Author: Brian May +# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper +# Depends: clamav.te +# + +################################# +# +# Rules for the amavisd_t domain. +# +type amavisd_etc_t, file_type, sysadmfile; +type amavisd_lib_t, file_type, sysadmfile; + +# Virus and spam found and quarantined. +type amavisd_quarantine_t, file_type, sysadmfile, tmpfile; + +daemon_domain(amavisd) +tmp_domain(amavisd) + +allow initrc_t amavisd_etc_t:file { getattr read }; +allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink }; +allow initrc_t amavisd_lib_t:file unlink; +allow initrc_t amavisd_var_run_t:dir setattr; +allow amavisd_t self:capability { chown dac_override setgid setuid }; +dontaudit amavisd_t self:capability sys_tty_config; + +allow amavisd_t usr_t:{ file lnk_file } { getattr read }; +dontaudit amavisd_t usr_t:file ioctl; + +# networking +can_network_server_tcp(amavisd_t, amavisd_recv_port_t) +allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind; +allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect; +# The next line doesn't work right so drop the port specification. +#can_network_client_tcp(amavisd_t, amavisd_send_port_t) +can_network_client_tcp(amavisd_t) +allow amavisd_t amavisd_send_port_t:tcp_socket name_connect; +can_resolve(amavisd_t); +can_ypbind(amavisd_t); +can_tcp_connect(mail_server_sender, amavisd_t); +can_tcp_connect(amavisd_t, mail_server_domain) + +ifdef(`scannerdaemon.te', ` +can_tcp_connect(amavisd_t, scannerdaemon_t); +allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms; +allow scannerdaemon_t amavisd_lib_t:file r_file_perms; +') + +ifdef(`clamav.te', ` +clamscan_domain(amavisd) +role system_r types amavisd_clamscan_t; +domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t) +allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms; +allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms; +can_clamd_connect(amavisd) +allow clamd_t amavisd_lib_t:dir r_dir_perms; +allow clamd_t amavisd_lib_t:file r_file_perms; +') + +# DCC +ifdef(`dcc.te', ` +allow dcc_client_t amavisd_lib_t:file r_file_perms; +') + +# Pyzor +ifdef(`pyzor.te',` +domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t) +#allow pyzor_t amavisd_data_t:dir search; +# Pyzor creates a temp file adjacent to the working file. +create_dir_file(pyzor_t, amavisd_lib_t); +') + +# SpamAssassin is executed from within amavisd, but needs to read its +# config +ifdef(`spamd.te', ` +r_dir_file(amavisd_t, etc_mail_t) +') + +# Can create unix sockets +allow amavisd_t self:unix_stream_socket create_stream_socket_perms; +allow amavisd_t self:unix_dgram_socket create_socket_perms; +allow amavisd_t self:fifo_file getattr; + +read_locale(amavisd_t) + +# Access config files (amavisd). +allow amavisd_t amavisd_etc_t:file r_file_perms; + +log_domain(amavisd) + +# Access amavisd var/lib files. +create_dir_file(amavisd_t, amavisd_lib_t) + +# Access amavisd quarantined files. +create_dir_file(amavisd_t, amavisd_quarantine_t) + +# Run helper programs. +can_exec_any(amavisd_t,bin_t) +allow amavisd_t bin_t:dir { getattr search }; +allow amavisd_t sbin_t:dir search; +allow amavisd_t var_lib_t:dir search; + +# allow access to files for scanning (required for amavis): +allow clamd_t self:capability { dac_override dac_read_search }; + +# unknown stuff +allow amavisd_t self:fifo_file { ioctl read write }; +allow amavisd_t { random_device_t urandom_device_t }:chr_file read; +allow amavisd_t proc_t:file { getattr read }; +allow amavisd_t etc_runtime_t:file { getattr read }; + +# broken stuff +dontaudit amavisd_t sysadm_home_dir_t:dir search; +dontaudit amavisd_t shadow_t:file { getattr read }; +dontaudit amavisd_t sysadm_devpts_t:chr_file { read write }; + diff --git a/mls/domains/program/unused/asterisk.te b/mls/domains/program/unused/asterisk.te new file mode 100644 index 0000000..7ae5ffc --- /dev/null +++ b/mls/domains/program/unused/asterisk.te @@ -0,0 +1,56 @@ +#DESC Asterisk IP telephony server +# +# Author: Russell Coker +# +# X-Debian-Packages: asterisk + +daemon_domain(asterisk) +allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms; +allow initrc_t asterisk_var_run_t:fifo_file unlink; + +allow asterisk_t self:process setsched; +allow asterisk_t self:fifo_file rw_file_perms; + +allow asterisk_t proc_t:file { getattr read }; + +allow asterisk_t { bin_t sbin_t }:dir search; +allow asterisk_t bin_t:lnk_file read; +can_exec(asterisk_t, bin_t) + +etcdir_domain(asterisk) +logdir_domain(asterisk) +var_lib_domain(asterisk) + +allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind; + +# for VOIP voice channels. +allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind; + +allow asterisk_t device_t:lnk_file read; +allow asterisk_t sound_device_t:chr_file rw_file_perms; + +type asterisk_spool_t, file_type, sysadmfile; +create_dir_file(asterisk_t, asterisk_spool_t) +allow asterisk_t var_spool_t:dir search; + +# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm +# are labeled usr_t +allow asterisk_t usr_t:file r_file_perms; + +can_network_server(asterisk_t) +can_ypbind(asterisk_t) +allow asterisk_t etc_t:file { getattr read }; + +allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow asterisk_t self:sem create_sem_perms; +allow asterisk_t self:shm create_shm_perms; + +# dac_override for /var/run/asterisk +allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; + +# for shutdown +dontaudit asterisk_t self:capability sys_tty_config; + +tmpfs_domain(asterisk) +tmp_domain(asterisk) diff --git a/mls/domains/program/unused/audio-entropyd.te b/mls/domains/program/unused/audio-entropyd.te new file mode 100644 index 0000000..216108a --- /dev/null +++ b/mls/domains/program/unused/audio-entropyd.te @@ -0,0 +1,12 @@ +#DESC audio-entropyd - Generate entropy from audio input +# +# Author: Chris PeBenito +# + +daemon_domain(entropyd) + +allow entropyd_t self:capability { ipc_lock sys_admin }; + +allow entropyd_t random_device_t:chr_file rw_file_perms; +allow entropyd_t device_t:dir r_dir_perms; +allow entropyd_t sound_device_t:chr_file r_file_perms; diff --git a/mls/domains/program/unused/authbind.te b/mls/domains/program/unused/authbind.te new file mode 100644 index 0000000..6aabc3e --- /dev/null +++ b/mls/domains/program/unused/authbind.te @@ -0,0 +1,29 @@ +#DESC Authbind - Program to bind to low ports as non-root +# +# Authors: Russell Coker +# X-Debian-Packages: authbind +# + +################################# +# +# Rules for the authbind_t domain. +# +# authbind_exec_t is the type of the authbind executable. +# +type authbind_t, domain, privlog; +type authbind_exec_t, file_type, sysadmfile, exec_type; + +role system_r types authbind_t; + +etcdir_domain(authbind) + +can_exec(authbind_t, authbind_etc_t) +allow authbind_t etc_t:dir r_dir_perms; + +uses_shlib(authbind_t) + +allow authbind_t self:capability net_bind_service; + +allow authbind_t domain:fd use; + +allow authbind_t console_device_t:chr_file { read write }; diff --git a/mls/domains/program/unused/backup.te b/mls/domains/program/unused/backup.te new file mode 100644 index 0000000..628527d --- /dev/null +++ b/mls/domains/program/unused/backup.te @@ -0,0 +1,62 @@ +#DESC Backup - Backup scripts +# +# Author: Russell Coker +# X-Debian-Packages: dpkg +# + +################################# +# +# Rules for the backup_t domain. +# +type backup_t, domain, privlog, auth; +type backup_exec_t, file_type, sysadmfile, exec_type; + +type backup_store_t, file_type, sysadmfile; + +role system_r types backup_t; +role sysadm_r types backup_t; + +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, backup_exec_t, backup_t) +') +allow backup_t privfd:fd use; +ifdef(`crond.te', ` +system_crond_entry(backup_exec_t, backup_t) +rw_dir_create_file(system_crond_t, backup_store_t) +') + +# for SSP +allow backup_t urandom_device_t:chr_file read; + +can_network_client(backup_t) +allow backup_t port_type:tcp_socket name_connect; +can_ypbind(backup_t) +uses_shlib(backup_t) + +allow backup_t devtty_t:chr_file rw_file_perms; + +allow backup_t { file_type fs_type }:dir r_dir_perms; +allow backup_t file_type:{ file lnk_file } r_file_perms; +allow backup_t file_type:{ sock_file fifo_file } getattr; +allow backup_t { device_t device_type ttyfile }:chr_file getattr; +allow backup_t { device_t device_type }:blk_file getattr; +allow backup_t var_t:file create_file_perms; + +allow backup_t proc_t:dir r_dir_perms; +allow backup_t proc_t:file r_file_perms; +allow backup_t proc_t:lnk_file { getattr read }; +read_sysctl(backup_t) + +allow backup_t self:fifo_file rw_file_perms; +allow backup_t self:process { signal sigchld fork }; +allow backup_t self:capability dac_override; + +rw_dir_file(backup_t, backup_store_t) +allow backup_t backup_store_t:file { create setattr }; + +allow backup_t fs_t:filesystem getattr; + +allow backup_t self:unix_stream_socket create_socket_perms; + +can_exec(backup_t, bin_t) +ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)') diff --git a/mls/domains/program/unused/calamaris.te b/mls/domains/program/unused/calamaris.te new file mode 100644 index 0000000..1bfce36 --- /dev/null +++ b/mls/domains/program/unused/calamaris.te @@ -0,0 +1,72 @@ +#DESC Calamaris - Squid log analysis +# +# Author: Russell Coker +# X-Debian-Packages: calamaris +# Depends: squid.te +# + +################################# +# +# Rules for the calamaris_t domain. +# +# calamaris_t is the domain the calamaris process runs in + +system_domain(calamaris, `, privmail') + +ifdef(`crond.te', ` +system_crond_entry(calamaris_exec_t, calamaris_t) +') + +allow calamaris_t { var_t var_run_t }:dir { getattr search }; +allow calamaris_t squid_log_t:dir search; +allow calamaris_t squid_log_t:file { getattr read }; +allow calamaris_t { usr_t lib_t }:file { getattr read }; +allow calamaris_t usr_t:lnk_file { getattr read }; +dontaudit calamaris_t usr_t:file ioctl; + +type calamaris_www_t, file_type, sysadmfile; +ifdef(`apache.te', ` +allow calamaris_t httpd_sys_content_t:dir search; +') +rw_dir_create_file(calamaris_t, calamaris_www_t) + +# for when squid has a different UID +allow calamaris_t self:capability dac_override; + +logdir_domain(calamaris) + +allow calamaris_t device_t:dir search; +allow calamaris_t devtty_t:chr_file { read write }; + +allow calamaris_t urandom_device_t:chr_file { getattr read }; + +allow calamaris_t self:process { fork signal_perms setsched }; +read_sysctl(calamaris_t) +allow calamaris_t proc_t:dir search; +allow calamaris_t proc_t:file { getattr read }; +allow calamaris_t { proc_t self }:lnk_file read; +allow calamaris_t self:dir search; + +allow calamaris_t { bin_t sbin_t }:dir search; +allow calamaris_t bin_t:lnk_file read; +allow calamaris_t etc_runtime_t:file { getattr read }; +allow calamaris_t self:fifo_file { getattr read write ioctl }; +read_locale(calamaris_t) + +can_exec(calamaris_t, bin_t) +allow calamaris_t self:unix_stream_socket create_stream_socket_perms; +allow calamaris_t self:udp_socket create_socket_perms; +allow calamaris_t etc_t:file { getattr read }; +allow calamaris_t etc_t:lnk_file read; +dontaudit calamaris_t etc_t:file ioctl; +dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search }; +can_network_server(calamaris_t) +can_ypbind(calamaris_t) +ifdef(`named.te', ` +can_udp_send(calamaris_t, named_t) +can_udp_send(named_t, calamaris_t) +') + +ifdef(`apache.te', ` +r_dir_file(httpd_t, calamaris_www_t) +') diff --git a/mls/domains/program/unused/ciped.te b/mls/domains/program/unused/ciped.te new file mode 100644 index 0000000..6fddf97 --- /dev/null +++ b/mls/domains/program/unused/ciped.te @@ -0,0 +1,32 @@ + + +daemon_base_domain(ciped) + +# for SSP +allow ciped_t urandom_device_t:chr_file read; + +# cipe uses the afs3-bos port (udp 7007) +allow ciped_t afs_bos_port_t:udp_socket name_bind; + +can_network_udp(ciped_t) +can_ypbind(ciped_t) + +allow ciped_t devpts_t:dir search; +allow ciped_t devtty_t:chr_file { read write }; +allow ciped_t etc_runtime_t:file { getattr read }; +allow ciped_t etc_t:file { getattr read }; +allow ciped_t proc_t:file { getattr read }; +allow ciped_t { bin_t sbin_t }:dir { getattr search read }; +allow ciped_t bin_t:lnk_file read; +can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t }) +allow ciped_t self:fifo_file rw_file_perms; + +read_locale(ciped_t) + +allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +allow ciped_t self:unix_dgram_socket create_socket_perms; +allow ciped_t self:unix_stream_socket create_socket_perms; + +allow ciped_t random_device_t:chr_file { getattr read }; + +dontaudit ciped_t var_t:dir search; diff --git a/mls/domains/program/unused/clamav.te b/mls/domains/program/unused/clamav.te new file mode 100644 index 0000000..3ef34ee --- /dev/null +++ b/mls/domains/program/unused/clamav.te @@ -0,0 +1,147 @@ +#DESC CLAM - Anti-virus program +# +# Author: Brian May +# X-Debian-Packages: clamav +# + +################################# +# +# Rules for the clamscan_t domain. +# + +# Virus database +type clamav_var_lib_t, file_type, sysadmfile; + +# clamscan_t is the domain of the clamscan virus scanner +type clamscan_exec_t, file_type, sysadmfile, exec_type; + +########## +########## + +# +# Freshclam +# + +daemon_base_domain(freshclam, `, web_client_domain') +read_locale(freshclam_t) + +# not sure why it needs this +read_sysctl(freshclam_t) + +can_network_client_tcp(freshclam_t, http_port_t); +allow freshclam_t http_port_t:tcp_socket name_connect; +can_resolve(freshclam_t) +can_ypbind(freshclam_t) + +# Access virus signatures +allow freshclam_t { var_t var_lib_t }:dir search; +rw_dir_create_file(freshclam_t, clamav_var_lib_t) + +allow freshclam_t devtty_t:chr_file { read write }; +allow freshclam_t devpts_t:dir search; +allow freshclam_t etc_t:file { getattr read }; +allow freshclam_t proc_t:file { getattr read }; + +allow freshclam_t urandom_device_t:chr_file { getattr read }; +dontaudit freshclam_t urandom_device_t:chr_file ioctl; + +# for nscd +dontaudit freshclam_t var_run_t:dir search; + +# setuid/getuid used (although maybe not required...) +allow freshclam_t self:capability { setgid setuid }; + +allow freshclam_t sbin_t:dir search; + +# Allow notification to daemon that virus database has changed +can_clamd_connect(freshclam) + +allow freshclam_t etc_runtime_t:file { read getattr }; +allow freshclam_t self:unix_stream_socket create_stream_socket_perms; +allow freshclam_t self:unix_dgram_socket create_socket_perms; +allow freshclam_t self:fifo_file rw_file_perms; + +# Log files for freshclam executable +logdir_domain(freshclam) +allow initrc_t freshclam_log_t:file append; + +# Pid files for freshclam +allow initrc_t clamd_var_run_t:file { create setattr }; + +system_crond_entry(freshclam_exec_t, freshclam_t) +domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t) + +domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t) +role sysadm_r types freshclam_t; + +create_dir_file(freshclam_t, clamd_var_run_t) + +########## +########## + +# +# Clamscan +# + +# macros/program/clamav_macros.te. +user_clamscan_domain(sysadm) + +########## +########## + +# +# Clamd +# + +type clamd_sock_t, file_type, sysadmfile; + +# clamd executable +daemon_domain(clamd) + +tmp_domain(clamd) + +# The dir containing the clamd log files is labelled freshclam_t +logdir_domain(clamd) +allow clamd_t freshclam_log_t:dir search; + +allow clamd_t self:capability { kill setgid setuid dac_override }; + +# Give the clamd local communications socket a unique type +ifdef(`distro_debian', ` +file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file) +') +ifdef(`distro_redhat', ` +file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file) +') + +# Clamd can be configured to listen on a TCP port. +can_network_server_tcp(clamd_t, clamd_port_t) +allow clamd_t clamd_port_t:tcp_socket name_bind; +can_resolve(clamd_t); + +allow clamd_t var_lib_t:dir search; +r_dir_file(clamd_t, clamav_var_lib_t) +r_dir_file(clamd_t, etc_t) +# allow access /proc/sys/kernel/version +read_sysctl(clamd_t) +allow clamd_t self:unix_stream_socket create_stream_socket_perms; +allow clamd_t self:unix_dgram_socket create_stream_socket_perms; +allow clamd_t self:fifo_file rw_file_perms; + +allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read }; +dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl; + + +########## +########## + +# +# Interaction with external programs +# + +ifdef(`amavis.te',` +allow amavisd_t clamd_var_run_t:dir search; +allow amavisd_t clamd_t:unix_stream_socket connectto; +allow amavisd_t clamd_sock_t:sock_file write; +') + diff --git a/mls/domains/program/unused/clockspeed.te b/mls/domains/program/unused/clockspeed.te new file mode 100644 index 0000000..f79c314 --- /dev/null +++ b/mls/domains/program/unused/clockspeed.te @@ -0,0 +1,26 @@ +#DESC clockspeed - Simple network time protocol client +# +# Author Petre Rodan +# + +daemon_base_domain(clockspeed) +var_lib_domain(clockspeed) +can_network(clockspeed_t) +allow clockspeed_t port_type:tcp_socket name_connect; +read_locale(clockspeed_t) + +allow clockspeed_t self:capability { sys_time net_bind_service }; +allow clockspeed_t self:unix_dgram_socket create_socket_perms; +allow clockspeed_t self:unix_stream_socket create_socket_perms; +allow clockspeed_t clockspeed_port_t:udp_socket name_bind; +allow clockspeed_t domain:packet_socket recvfrom; + +allow clockspeed_t var_t:dir search; +allow clockspeed_t clockspeed_var_lib_t:file create_file_perms; +allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms; + +# sysadm can play with clockspeed +role sysadm_r types clockspeed_t; +ifdef(`targeted_policy', `', ` +domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t) +') diff --git a/mls/domains/program/unused/courier.te b/mls/domains/program/unused/courier.te new file mode 100644 index 0000000..75e42d3 --- /dev/null +++ b/mls/domains/program/unused/courier.te @@ -0,0 +1,139 @@ +#DESC Courier - POP and IMAP servers +# +# Author: Russell Coker +# X-Debian-Packages: courier-base +# + +# Type for files created during execution of courier. +type courier_var_run_t, file_type, sysadmfile, pidfile; +type courier_var_lib_t, file_type, sysadmfile; + +type courier_etc_t, file_type, sysadmfile; + +# allow start scripts to read the config +allow initrc_t courier_etc_t:file r_file_perms; + +type courier_exec_t, file_type, sysadmfile, exec_type; +type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type; + +define(`courier_domain', ` +################################# +# +# Rules for the courier_$1_t domain. +# +# courier_$1_exec_t is the type of the courier_$1 executables. +# +daemon_base_domain(courier_$1, `$2') + +allow courier_$1_t var_run_t:dir search; +rw_dir_create_file(courier_$1_t, courier_var_run_t) +allow courier_$1_t courier_var_run_t:sock_file create_file_perms; + +# allow it to read config files etc +allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms; +allow courier_$1_t courier_etc_t:file r_file_perms; +allow courier_$1_t etc_t:dir r_dir_perms; +allow courier_$1_t etc_t:file r_file_perms; + +# execute scripts etc +allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms; +allow courier_$1_t bin_t:dir r_dir_perms; +allow courier_$1_t fs_t:filesystem getattr; + +# set process group and allow permissions over-ride +allow courier_$1_t self:process setpgid; +allow courier_$1_t self:capability dac_override; + +# Use the network. +can_network_server(courier_$1_t) +allow courier_$1_t self:fifo_file { read write getattr }; +allow courier_$1_t self:unix_stream_socket create_stream_socket_perms; +allow courier_$1_t self:unix_dgram_socket create_socket_perms; + +allow courier_$1_t null_device_t:chr_file rw_file_perms; + +# allow it to log to /dev/tty +allow courier_$1_t devtty_t:chr_file rw_file_perms; + +allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms; +allow courier_$1_t usr_t:dir r_dir_perms; +allow courier_$1_t root_t:dir r_dir_perms; +can_exec(courier_$1_t, courier_$1_exec_t) +can_exec(courier_$1_t, bin_t) +allow courier_$1_t bin_t:dir search; + +allow courier_$1_t proc_t:dir r_dir_perms; +allow courier_$1_t proc_t:file r_file_perms; + +')dnl + +courier_domain(authdaemon, `, auth_chkpwd') +allow courier_authdaemon_t sbin_t:dir search; +allow courier_authdaemon_t lib_t:file { read getattr }; +allow courier_authdaemon_t tmp_t:dir getattr; +allow courier_authdaemon_t self:file { getattr read }; +read_locale(courier_authdaemon_t) +can_exec(courier_authdaemon_t, courier_exec_t) +dontaudit courier_authdaemon_t selinux_config_t:dir search; + +# for SSP +allow courier_authdaemon_t urandom_device_t:chr_file read; + +# should not be needed! +allow courier_authdaemon_t home_root_t:dir search; +allow courier_authdaemon_t user_home_dir_type:dir search; +dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search; +allow courier_authdaemon_t self:unix_stream_socket connectto; +allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; + +courier_domain(tcpd) +allow courier_tcpd_t self:capability { kill net_bind_service }; +allow courier_tcpd_t pop_port_t:tcp_socket name_bind; +allow courier_tcpd_t sbin_t:dir search; +allow courier_tcpd_t var_lib_t:dir search; +# for TLS +allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read }; +read_locale(courier_tcpd_t) +can_exec(courier_tcpd_t, courier_exec_t) +allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:process sigchld; + +can_tcp_connect(userdomain, courier_tcpd_t) +rw_dir_create_file(courier_tcpd_t, courier_var_lib_t) + +# domain for pop and imap +courier_domain(pop) +read_locale(courier_pop_t) +domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t) +allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; +domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) +allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; +allow courier_pop_t courier_authdaemon_t:process sigchld; +domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) + +# inherits file handle - should it? +allow courier_pop_t courier_var_lib_t:file { read write }; + +# do the actual work (read the Maildir) +# imap needs to write files +allow courier_pop_t home_root_t:dir { getattr search }; +allow courier_pop_t user_home_dir_type:dir { getattr search }; +# pop does not need to create subdirs, IMAP does +#rw_dir_create_file(courier_pop_t, user_home_type) +create_dir_file(courier_pop_t, user_home_type) + +# for calendaring +courier_domain(pcp) + +allow courier_pcp_t self:capability { setuid setgid }; +allow courier_pcp_t random_device_t:chr_file r_file_perms; + +# for webmail +courier_domain(sqwebmail) +ifdef(`crond.te', ` +system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t) +') +read_sysctl(courier_sqwebmail_t) diff --git a/mls/domains/program/unused/daemontools.te b/mls/domains/program/unused/daemontools.te new file mode 100644 index 0000000..b24a58c --- /dev/null +++ b/mls/domains/program/unused/daemontools.te @@ -0,0 +1,203 @@ +#DESC Daemontools - Tools for managing UNIX services +# +# Author: Petre Rodan +# with the help of Chris PeBenito, Russell Coker and Tad Glines +# + +# +# selinux policy for daemontools +# http://cr.yp.to/daemontools.html +# +# thanks for D. J. Bernstein and the NSA team for the great software +# they provide +# + +############################################################## +# type definitions + +type svc_conf_t, file_type, sysadmfile; +type svc_log_t, file_type, sysadmfile; +type svc_svc_t, file_type, sysadmfile; + + +############################################################## +# Macros +define(`svc_filedir_domain', ` +create_dir_file($1, svc_svc_t) +file_type_auto_trans($1, svc_svc_t, svc_svc_t); +') + +############################################################## +# the domains +daemon_base_domain(svc_script) +svc_filedir_domain(svc_script_t) + +# part started by initrc_t +daemon_base_domain(svc_start) +domain_auto_trans(init_t, svc_start_exec_t, svc_start_t) +svc_filedir_domain(svc_start_t) + +# also get here from svc_script_t +domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t) + +# the domain for /service/*/run and /service/*/log/run +daemon_sub_domain(svc_start_t, svc_run) +r_dir_file(svc_run_t, svc_conf_t) + +# the logger +daemon_sub_domain(svc_run_t, svc_multilog) +file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file); + +###### +# rules for all those domains + +# sysadm can tweak svc_run_exec_t files +allow sysadm_t svc_run_exec_t:file create_file_perms; + +# run_init can control svc_script_t and svc_start_t domains +domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t) +domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t) +allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint; +svc_filedir_domain(initrc_t) + +# svc_start_t +allow svc_start_t self:fifo_file rw_file_perms; +allow svc_start_t self:capability kill; +allow svc_start_t self:unix_stream_socket create_socket_perms; + +allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms; +allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; +allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms; +allow svc_start_t { var_t var_run_t }:dir search; +can_exec(svc_start_t, bin_t) +can_exec(svc_start_t, shell_exec_t) +allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans }; +allow svc_start_t svc_run_t:process signal; +dontaudit svc_start_t proc_t:file r_file_perms; +dontaudit svc_start_t devtty_t:chr_file { read write }; + +# svc script +allow svc_script_t self:capability sys_admin; +allow svc_script_t self:fifo_file { getattr read write }; +allow svc_script_t self:file r_file_perms; +allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms; +allow svc_script_t bin_t:lnk_file r_file_perms; +can_exec(svc_script_t, bin_t) +can_exec(svc_script_t, shell_exec_t) +allow svc_script_t proc_t:file r_file_perms; +allow svc_script_t shell_exec_t:file rx_file_perms; +allow svc_script_t devtty_t:chr_file rw_file_perms; +allow svc_script_t etc_runtime_t:file r_file_perms; +allow svc_script_t svc_run_exec_t:file r_file_perms; +allow svc_script_t svc_script_exec_t:file execute_no_trans; +allow svc_script_t sysctl_kernel_t:dir r_dir_perms; +allow svc_script_t sysctl_kernel_t:file r_file_perms; + +# svc_run_t +allow svc_run_t self:capability { setgid setuid chown fsetid }; +allow svc_run_t self:fifo_file rw_file_perms; +allow svc_run_t self:file r_file_perms; +allow svc_run_t self:process { fork setrlimit }; +allow svc_run_t self:unix_stream_socket create_stream_socket_perms; +allow svc_run_t svc_svc_t:dir r_dir_perms; +allow svc_run_t svc_svc_t:file r_file_perms; +allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans }; +allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms; +allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; +allow svc_run_t { var_t var_run_t }:dir search; +can_exec(svc_run_t, etc_t) +can_exec(svc_run_t, lib_t) +can_exec(svc_run_t, bin_t) +can_exec(svc_run_t, sbin_t) +can_exec(svc_run_t, ls_exec_t) +can_exec(svc_run_t, shell_exec_t) +allow svc_run_t devtty_t:chr_file rw_file_perms; +allow svc_run_t etc_runtime_t:file r_file_perms; +allow svc_run_t exec_type:{ file lnk_file } getattr; +allow svc_run_t init_t:fd use; +allow svc_run_t initrc_t:fd use; +allow svc_run_t proc_t:file r_file_perms; +allow svc_run_t sysctl_t:dir search; +allow svc_run_t sysctl_kernel_t:dir r_dir_perms; +allow svc_run_t sysctl_kernel_t:file r_file_perms; +allow svc_run_t var_lib_t:dir r_dir_perms; + +# multilog creates /service/*/log/status +allow svc_multilog_t svc_svc_t:dir { read search }; +allow svc_multilog_t svc_svc_t:file { append write }; +# writes to /var/log/*/* +allow svc_multilog_t var_t:dir search; +allow svc_multilog_t var_log_t:dir create_dir_perms; +allow svc_multilog_t var_log_t:file create_file_perms; +# misc +allow svc_multilog_t init_t:fd use; +allow svc_start_t svc_multilog_t:process signal; +svc_ipc_domain(svc_multilog_t) + +################################################################ +# scripts that can be started by daemontools +# keep it sorted please. + +ifdef(`apache.te', ` +domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t) +svc_ipc_domain(httpd_t) +dontaudit httpd_t svc_svc_t:dir { search }; +') + +ifdef(`clamav.te', ` +domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t) +svc_ipc_domain(clamd_t) +') + +ifdef(`clockspeed.te', ` +domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t) +svc_ipc_domain(clockspeed_t) +r_dir_file(svc_run_t, clockspeed_var_lib_t) +allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr }; +') + +ifdef(`dante.te', ` +domain_auto_trans( svc_run_t, dante_exec_t, dante_t); +svc_ipc_domain(dante_t) +') + +ifdef(`publicfile.te', ` +svc_ipc_domain(publicfile_t) +') + +ifdef(`qmail.te', ` +allow svc_run_t qmail_start_exec_t:file rx_file_perms; +domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t) +r_dir_file(svc_run_t, qmail_etc_t) +svc_ipc_domain(qmail_send_t) +svc_ipc_domain(qmail_start_t) +svc_ipc_domain(qmail_queue_t) +svc_ipc_domain(qmail_smtpd_t) +') + +ifdef(`rsyncd.te', ` +domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t) +svc_ipc_domain(rsyncd_t) +') + +ifdef(`spamd.te', ` +domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t) +svc_ipc_domain(spamd_t) +') + +ifdef(`ssh.te', ` +domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t) +svc_ipc_domain(sshd_t) +') + +ifdef(`stunnel.te', ` +domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t) +svc_ipc_domain(stunnel_t) +') + +ifdef(`ucspi-tcp.te', ` +domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t) +allow svc_run_t utcpserver_t:process { signal }; +svc_ipc_domain(utcpserver_t) +') + diff --git a/mls/domains/program/unused/dante.te b/mls/domains/program/unused/dante.te new file mode 100644 index 0000000..70885ab --- /dev/null +++ b/mls/domains/program/unused/dante.te @@ -0,0 +1,23 @@ +#DESC dante - socks daemon +# +# Author: petre rodan +# + +type dante_conf_t, file_type, sysadmfile; + +daemon_domain(dante) +can_network_server(dante_t) + +allow dante_t self:fifo_file { read write }; +allow dante_t self:capability { setuid setgid }; +allow dante_t self:unix_dgram_socket { connect create write }; +allow dante_t self:unix_stream_socket { connect create read setopt write }; +allow dante_t self:tcp_socket connect; + +allow dante_t socks_port_t:tcp_socket name_bind; + +allow dante_t { etc_t etc_runtime_t }:file r_file_perms; +r_dir_file(dante_t, dante_conf_t) + +allow dante_t initrc_var_run_t:file { getattr write }; + diff --git a/mls/domains/program/unused/dcc.te b/mls/domains/program/unused/dcc.te new file mode 100644 index 0000000..4db79d0 --- /dev/null +++ b/mls/domains/program/unused/dcc.te @@ -0,0 +1,251 @@ +# +# DCC - Distributed Checksum Clearinghouse +# Author: David Hampton +# +# +# NOTE: DCC has writeable files in /etc/dcc that should probably be in +# /var/lib/dcc. For now this policy supports both directories being +# writable. + +# Files common to all dcc programs +type dcc_client_map_t, file_type, sysadmfile; +type dcc_var_t, file_type, sysadmfile; +type dcc_var_run_t, file_type, sysadmfile; + + +########## +########## + +# +# common to all dcc variants +# +define(`dcc_common',` +# Access files in /var/dcc. The map file can be updated +r_dir_file($1_t, dcc_var_t) +allow $1_t dcc_client_map_t:file rw_file_perms; + +# Read mtab, nsswitch and locale +allow $1_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale($1_t) + +#Networking +can_resolve($1_t) +ifelse($2, `server', ` +can_network_udp($1_t) +', ` +can_network_udp($1_t, `dcc_port_t') +') +allow $1_t self:unix_dgram_socket create_socket_perms; + +# Create private temp files +tmp_domain($1) + +# Triggered by a call to gethostid(2) in dcc client libs +allow $1_t self:unix_stream_socket { connect create }; + +allow $1_t sysadm_su_t:process { sigchld }; +allow $1_t dcc_script_t:fd use; + +dontaudit $1_t kernel_t:fd use; +dontaudit $1_t root_t:file read; +') + +allow initrc_t dcc_var_run_t:dir rw_dir_perms; + + +########## +########## + +# +# dccd - Server daemon that can be accessed over the net +# +daemon_domain(dccd, `, privlog, nscd_client_domain') +dcc_common(dccd, server); + +# Runs the dbclean program +allow dccd_t bin_t:dir search; +domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) + +# The daemon needs to listen on the dcc ports +allow dccd_t dcc_port_t:udp_socket name_bind; + +# Updating dcc_db, flod, ... +create_dir_file(dccd_t, dcc_var_t); + +allow dccd_t self:capability net_admin; +allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + +# Reading /proc/meminfo +allow dccd_t proc_t:file { getattr read }; + + +# +# cdcc - control dcc daemon +# +application_domain(cdcc, `, nscd_client_domain') +role system_r types cdcc_t; +dcc_common(cdcc) + +# suid program +allow cdcc_t self:capability setuid; + +# Running from the command line +allow cdcc_t sshd_t:fd use; +allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms; + + + +########## +########## + +# +# DCC Clients +# + +# +# dccifd - Spamassassin and general MTA persistent client +# +daemon_domain(dccifd, `, privlog, nscd_client_domain') +dcc_common(dccifd); +file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file) + +# Allow the domain to communicate with other processes +allow dccifd_t self:unix_stream_socket create_stream_socket_perms; + +# Updating dcc_db, flod, ... +create_dir_notdevfile(dccifd_t, dcc_var_t); + +# Updating map, ... +allow dccifd_t dcc_client_map_t:file rw_file_perms; + +# dccifd communications socket +type dccifd_sock_t, file_type, sysadmfile; +file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file) + +# Reading /proc/meminfo +allow dccifd_t proc_t:file { getattr read }; + + +# +# dccm - sendmail milter client +# +daemon_domain(dccm, `, privlog, nscd_client_domain') +dcc_common(dccm); +file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file) + +# Allow the domain to communicate with other processes +allow dccm_t self:unix_stream_socket create_stream_socket_perms; + +# Updating map, ... +create_dir_notdevfile(dccm_t, dcc_var_t); +allow dccm_t dcc_client_map_t:file rw_file_perms; + +# dccm communications socket +type dccm_sock_t, file_type, sysadmfile; +file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file) + + +# +# dccproc - dcc procmail interface +# +application_domain(dcc_client, `, privlog, nscd_client_domain') +role system_r types dcc_client_t; +dcc_common(dcc_client) + +# suid program +allow dcc_client_t self:capability setuid; + +# Running from the command line +allow dcc_client_t sshd_t:fd use; +allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms; + + +########## +########## + +# +# DCC Utilities +# + +# +# dbclean - database cleanup tool +# +application_domain(dcc_dbclean, `, nscd_client_domain') +role system_r types dcc_dbclean_t; +dcc_common(dcc_dbclean) + +# Updating various files. +create_dir_file(dcc_dbclean_t, dcc_var_t); + +# wants to look at /proc/meminfo +allow dcc_dbclean_t proc_t:dir search; +allow dcc_dbclean_t proc_t:file { getattr read }; + +# Running from the command line +allow dcc_dbclean_t sshd_t:fd use; +allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms; + +########## +########## + +# +# DCC Startup scripts +# +# These are shell sccripts that start/stop/restart the various dcc +# programs. +# +init_service_domain(dcc_script, `, nscd_client_domain') +general_domain_access(dcc_script_t) +general_proc_read_access(dcc_script_t) +can_exec_any(dcc_script_t) +dcc_common(dcc_script) + +# Allow calling the script from an init script (initrt_t) +domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t) + +# Start up the daemon process. These scripts run 'su' to change to +# the dcc user (even though the default dcc user is root). +allow dcc_script_t self:capability setuid; +su_restricted_domain(dcc_script, system) +role system_r types dcc_script_su_t; +domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t) +domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t) +domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t) + +# Stop the daemon process +allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal }; + +# Access various DCC files +allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search }; +allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read }; + +allow { dcc_script_t dcc_script_su_t } initrc_t:fd use; +allow { dcc_script_t dcc_script_su_t } devpts_t:dir search; +allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms; +allow dcc_script_t devtty_t:chr_file { read write }; +allow dcc_script_su_t sysadm_home_dir_t:dir search; +allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition }; +allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto }; + +dontaudit dcc_script_su_t kernel_t:fd use; +dontaudit dcc_script_su_t root_t:file read; +dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search }; + +allow sysadm_t dcc_script_t:fd use; + +########## +########## + +# +# External spam checkers need to run and/or talk to DCC +# +define(`access_dcc',` +domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t); +allow $1_t dcc_var_t:dir search; +allow $1_t dccifd_sock_t:sock_file { getattr write }; +allow $1_t dccifd_t:unix_stream_socket connectto; +allow $1_t dcc_script_t:unix_stream_socket connectto; +') + +ifdef(`amavis.te',`access_dcc(amavisd)') +ifdef(`spamd.te',`access_dcc(spamd)') diff --git a/mls/domains/program/unused/ddclient.te b/mls/domains/program/unused/ddclient.te new file mode 100644 index 0000000..29255f3 --- /dev/null +++ b/mls/domains/program/unused/ddclient.te @@ -0,0 +1,44 @@ +#DESC ddclient - Update dynamic IP address at DynDNS.org +# +# Author: Greg Norris +# X-Debian-Packages: ddclient +# + +################################# +# +# Rules for the ddclient_t domain. +# +daemon_domain(ddclient); +type ddclient_etc_t, file_type, sysadmfile; +type ddclient_var_t, file_type, sysadmfile; +log_domain(ddclient) +var_lib_domain(ddclient) + +base_file_read_access(ddclient_t) +can_exec(ddclient_t, { shell_exec_t bin_t }) + +# ddclient can be launched by pppd +ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)') + +# misc. requirements +allow ddclient_t self:fifo_file rw_file_perms; +allow ddclient_t self:socket create_socket_perms; +allow ddclient_t etc_t:file { getattr read }; +allow ddclient_t etc_runtime_t:file r_file_perms; +allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans }; +allow ddclient_t urandom_device_t:chr_file read; +general_proc_read_access(ddclient_t) +allow ddclient_t sysctl_net_t:dir search; + +# network-related goodies +can_network_client(ddclient_t) +allow ddclient_t port_type:tcp_socket name_connect; +allow ddclient_t self:unix_dgram_socket create_socket_perms; +allow ddclient_t self:unix_stream_socket create_socket_perms; + +# allow access to ddclient.conf and ddclient.cache +allow ddclient_t ddclient_etc_t:file r_file_perms; +file_type_auto_trans(ddclient_t, var_t, ddclient_var_t) +dontaudit ddclient_t devpts_t:dir search; +dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms; +dontaudit httpd_t selinux_config_t:dir search; diff --git a/mls/domains/program/unused/distcc.te b/mls/domains/program/unused/distcc.te new file mode 100644 index 0000000..56034f9 --- /dev/null +++ b/mls/domains/program/unused/distcc.te @@ -0,0 +1,34 @@ +#DESC distcc - Distributed compiler daemon +# +# Author: Chris PeBenito +# + +daemon_domain(distccd) +can_network_server(distccd_t) +can_ypbind(distccd_t) +log_domain(distccd) +tmp_domain(distccd) + +allow distccd_t distccd_port_t:tcp_socket name_bind; +allow distccd_t self:capability { setgid setuid }; + +# distccd can renice +allow distccd_t self:process setsched; + +# compiler stuff +allow distccd_t { bin_t sbin_t }:dir { search getattr }; +allow distccd_t { bin_t sbin_t }:lnk_file { getattr read }; +can_exec(distccd_t,bin_t) +can_exec(distccd_t,lib_t) + +# comm stuff +allow distccd_t net_conf_t:file r_file_perms; +allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write }; +allow distccd_t self:fifo_file { read write getattr }; + +# config access +allow distccd_t { etc_t etc_runtime_t }:file r_file_perms; +allow distccd_t proc_t:file r_file_perms; + +allow distccd_t var_t:dir search; +allow distccd_t admin_tty_type:chr_file { ioctl read write }; diff --git a/mls/domains/program/unused/djbdns.te b/mls/domains/program/unused/djbdns.te new file mode 100644 index 0000000..3e11395 --- /dev/null +++ b/mls/domains/program/unused/djbdns.te @@ -0,0 +1,46 @@ +# DESC selinux policy for djbdns +# http://cr.yp.to/djbdns.html +# +# Author: petre rodan +# +# this policy depends on ucspi-tcp and daemontools policies +# + +ifdef(`daemontools.te', ` +ifdef(`ucspi-tcp.te', ` + +define(`djbdns_daemon_domain', ` +type djbdns_$1_conf_t, file_type, sysadmfile; +daemon_domain(djbdns_$1) +domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t) +svc_ipc_domain(djbdns_$1_t) +can_network(djbdns_$1_t) +allow djbdns_$1_t port_type:tcp_socket name_connect; +allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind; +allow djbdns_$1_t port_t:udp_socket name_bind; +r_dir_file(djbdns_$1_t, djbdns_$1_conf_t) +allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; +allow djbdns_$1_t svc_svc_t:dir r_dir_perms; +') + +define(`djbdns_tcpserver_domain', ` +type djbdns_$1_conf_t, file_type, sysadmfile; +daemon_domain(djbdns_$1) +domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t) +svc_ipc_domain(djbdns_$1_t) +allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind; +r_dir_file(djbdns_$1_t, djbdns_$1_conf_t) +allow djbdns_$1_t utcpserver_t:tcp_socket { read write }; +') + +djbdns_daemon_domain(dnscache) +# read seed file +allow djbdns_dnscache_t svc_svc_t:file r_file_perms; + +djbdns_daemon_domain(tinydns) + +djbdns_tcpserver_domain(axfrdns) +r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t) + +') dnl ifdef ucspi-tcp.te +') dnl ifdef daemontools.te diff --git a/mls/domains/program/unused/dnsmasq.te b/mls/domains/program/unused/dnsmasq.te new file mode 100644 index 0000000..bdef592 --- /dev/null +++ b/mls/domains/program/unused/dnsmasq.te @@ -0,0 +1,38 @@ +#DESC dnsmasq - DNS forwarder and DHCP server +# +# Author: Greg Norris +# X-Debian-Packages: dnsmasq +# + +################################# +# +# Rules for the dnsmasq_t domain. +# +daemon_domain(dnsmasq); +type dnsmasq_lease_t, file_type, sysadmfile; + +# misc. requirements +allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw }; +allow dnsmasq_t urandom_device_t:chr_file read; + +# network-related goodies +can_network_server(dnsmasq_t) +can_ypbind(dnsmasq_t) +allow dnsmasq_t self:packet_socket create_socket_perms; +allow dnsmasq_t self:rawip_socket create_socket_perms; +allow dnsmasq_t self:unix_dgram_socket create_socket_perms; +allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms; + +# UDP ports 53 and 67 +allow dnsmasq_t dhcpd_port_t:udp_socket name_bind; +allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind; + +# By default, dnsmasq binds to the wildcard address to listen for DNS requests. +# Comment out the following entry if you do not want to allow this behaviour. +allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind; + +# allow access to dnsmasq.conf +allow dnsmasq_t etc_t:file r_file_perms; + +# dhcp leases +file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file) diff --git a/mls/domains/program/unused/dpkg.te b/mls/domains/program/unused/dpkg.te new file mode 100644 index 0000000..4feb508 --- /dev/null +++ b/mls/domains/program/unused/dpkg.te @@ -0,0 +1,414 @@ +#DESC Dpkg - Debian package manager +# +# Author: Russell Coker +# X-Debian-Packages: dpkg +# + +################################# +# +# Rules for the dpkg_t domain. +# +type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule; +type dpkg_exec_t, file_type, sysadmfile, exec_type; +type dpkg_var_lib_t, file_type, sysadmfile; +type dpkg_etc_t, file_type, sysadmfile, usercanread; +type dpkg_lock_t, file_type, sysadmfile; +type debconf_cache_t, file_type, sysadmfile; + +tmp_domain(dpkg) +can_setfscreate(dpkg_t) +can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t }) + +ifdef(`load_policy.te', ` +domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t) +') +ifdef(`rlogind.te', ` +# for ssh +can_exec(dpkg_t, rlogind_exec_t) +') +can_exec(dpkg_t, { init_exec_t etc_t }) +ifdef(`hostname.te', ` +can_exec(dpkg_t, hostname_exec_t) +') +ifdef(`mta.te', ` +allow system_mail_t dpkg_tmp_t:file { getattr read }; +') +ifdef(`logrotate.te', ` +allow logrotate_t dpkg_var_lib_t:file create_file_perms; +') + +# for open office +can_exec(dpkg_t, usr_t) + +allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read; + +# for upgrading policycoreutils and loading policy +allow dpkg_t security_t:dir { getattr search }; +allow dpkg_t security_t:file { getattr read }; + +ifdef(`setfiles.te', +`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)') +ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)') +ifdef(`modutil.te', ` +domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t) +domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t) + +# for touch +allow initrc_t modules_dep_t:file write; +') +ifdef(`ipsec.te', ` +allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use; +allow ipsec_mgmt_t dpkg_t:fifo_file write; +allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write }; +allow ipsec_t dpkg_t:fifo_file { read write }; +domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') +ifdef(`cardmgr.te', ` +allow cardmgr_t dpkg_t:fd use; +allow cardmgr_t dpkg_t:fifo_file write; +domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) +# for start-stop-daemon +allow dpkg_t cardmgr_t:process signull; +') +ifdef(`mount.te', ` +domain_auto_trans(dpkg_t, mount_exec_t, mount_t) +') +ifdef(`mozilla.te', ` +# hate to do this, for mozilla install scripts +can_exec(dpkg_t, mozilla_exec_t) +') +ifdef(`postfix.te', ` +domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t) +') +ifdef(`apache.te', ` +domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t) +') +ifdef(`named.te', ` +file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file) +') +ifdef(`nsd.te', ` +allow nsd_crond_t initrc_t:fd use; +allow nsd_crond_t initrc_devpts_t:chr_file { read write }; +domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t) +') +# because the syslogd package is broken and does not use the start scripts +ifdef(`klogd.te', ` +domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t) +') +ifdef(`syslogd.te', ` +domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t) +allow system_crond_t syslogd_t:dir search; +allow system_crond_t syslogd_t:file { getattr read }; +allow system_crond_t syslogd_t:process signal; +') +# mysqld is broken too +ifdef(`mysqld.te', ` +domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t) +can_unix_connect(dpkg_t, mysqld_t) +allow mysqld_t dpkg_tmp_t:file { getattr read }; +') +ifdef(`postgresql.te', ` +# because postgresql postinst creates scripts in /tmp and then runs them +# also the init scripts do more than they should +allow { initrc_t postgresql_t } dpkg_tmp_t:file write; +# for "touch" when it tries to create the log file +# this works for upgrades, maybe we should allow create access for first install +allow initrc_t postgresql_log_t:file { write setattr }; +# for dumpall +can_exec(postgresql_t, postgresql_db_t) +') +ifdef(`sysstat.te', ` +domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t) +') +ifdef(`rpcd.te', ` +allow rpcd_t dpkg_t:fd use; +allow rpcd_t dpkg_t:fifo_file { read write }; +') +ifdef(`load_policy.te', ` +allow load_policy_t initrc_t:fifo_file { read write }; +') +ifdef(`checkpolicy.te', ` +domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t) +role system_r types checkpolicy_t; +allow checkpolicy_t initrc_t:fd use; +allow checkpolicy_t initrc_t:fifo_file write; +allow checkpolicy_t initrc_devpts_t:chr_file { read write }; +') +ifdef(`amavis.te', ` +r_dir_file(initrc_t, dpkg_var_lib_t) +') +ifdef(`nessusd.te', ` +domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t) +') +ifdef(`crack.te', ` +allow crack_t initrc_t:fd use; +domain_auto_trans(dpkg_t, crack_exec_t, crack_t) +') +ifdef(`xdm.te', ` +domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t) +') +ifdef(`clamav.te', ` +domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t) +') +ifdef(`squid.te', ` +domain_auto_trans(dpkg_t, squid_exec_t, squid_t) +') +ifdef(`useradd.te', ` +domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t) +domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t) +role system_r types { useradd_t groupadd_t }; +') +ifdef(`passwd.te', ` +domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t) +') +ifdef(`ldconfig.te', ` +domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t) +') +ifdef(`portmap.te', ` +# for pmap_dump +domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t) +') + +# for apt +type apt_t, domain, admin, privmail, web_client_domain; +type apt_exec_t, file_type, sysadmfile, exec_type; +type apt_var_lib_t, file_type, sysadmfile; +type var_cache_apt_t, file_type, sysadmfile; +etcdir_domain(apt) +type apt_rw_etc_t, file_type, sysadmfile; +tmp_domain(apt, `', `{ dir file lnk_file }') +can_exec(apt_t, apt_tmp_t) +ifdef(`crond.te', ` +allow system_crond_t apt_etc_t:file { getattr read }; +') + +rw_dir_create_file(apt_t, apt_rw_etc_t) + +allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search }; + +dontaudit apt_t var_log_t:dir getattr; +dontaudit apt_t var_run_t:dir search; + +# for rc files such as ~/.less +r_dir_file(apt_t, sysadm_home_t) +allow apt_t sysadm_home_dir_t:dir { search getattr }; + +allow apt_t bin_t:lnk_file r_file_perms; + +rw_dir_create_file(apt_t, debconf_cache_t) +r_dir_file(userdomain, debconf_cache_t) + +# for python +read_sysctl(apt_t) +read_sysctl(dpkg_t) + +allow dpkg_t console_device_t:chr_file rw_file_perms; + +allow apt_t self:unix_stream_socket create_socket_perms; + +allow dpkg_t domain:dir r_dir_perms; +allow dpkg_t domain:{ file lnk_file } r_file_perms; + +# for shared objects that are not yet labelled (upgrades) +allow { apt_t dpkg_t } lib_t:file execute; + +# when dpkg runs postinst scripts run them in initrc_t domain so that the +# daemons are started in the correct context +domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t) + +ifdef(`bootloader.te', ` +domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t) +# for mkinitrd +can_exec(bootloader_t, dpkg_exec_t) +# for lilo to run dpkg +allow bootloader_t dpkg_etc_t:file { getattr read }; +') + +# for kernel-image postinst +dontaudit dpkg_t fixed_disk_device_t:blk_file read; + +# for /usr/lib/dpkg/controllib.pl calling getpwnam(3) +dontaudit dpkg_t shadow_t:file { getattr read }; + +# allow user domains to execute dpkg +allow userdomain dpkg_exec_t:dir r_dir_perms; +can_exec(userdomain, { dpkg_exec_t apt_exec_t }) + +# allow everyone to read dpkg database +allow userdomain var_lib_t:dir search; +r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t }) + +# for /var/lib/dpkg/lock +rw_dir_create_file(apt_t, dpkg_var_lib_t) + +ifdef(`crond.te', ` +rw_dir_create_file(system_crond_t, dpkg_var_lib_t) +allow system_crond_t dpkg_etc_t:file r_file_perms; + +# for Debian cron job +create_dir_file(system_crond_t, tetex_data_t) +can_exec(dpkg_t, tetex_data_t) +') + +r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t }) +allow install_menu_t initrc_t:fifo_file { read write }; +allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms; +can_exec(sysadm_t, dpkg_etc_t) + +# Inherit and use descriptors from open_init_pty +allow { apt_t dpkg_t install_menu_t } initrc_t:fd use; +dontaudit dpkg_t privfd:fd use; +allow { apt_t dpkg_t install_menu_t } devpts_t:dir search; +allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms; + +allow ifconfig_t dpkg_t:fd use; +allow ifconfig_t dpkg_t:fifo_file { read write }; + +uses_shlib({ dpkg_t apt_t }) +allow dpkg_t proc_t:dir r_dir_perms; +allow dpkg_t proc_t:{ file lnk_file } r_file_perms; +allow dpkg_t fs_t:filesystem getattr; + +allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable }; + +# for fgconsole - need policy for it +allow dpkg_t self:capability sys_tty_config; + +allow dpkg_t self:unix_dgram_socket create_socket_perms; +allow dpkg_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(dpkg_t, self) +allow dpkg_t self:unix_dgram_socket sendto; +allow dpkg_t self:unix_stream_socket connect; + +allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms; +allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms; + +# dpkg really needs to be able to kill any process, unfortunate but true +allow dpkg_t domain:process signal; +allow dpkg_t sysadm_t:process sigchld; +allow dpkg_t self:process { setpgid signal_perms fork getsched }; + +# read/write/create any files in the system +allow dpkg_t sysadmfile:dir create_dir_perms; +allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms; +allow dpkg_t sysadmfile:lnk_file create_lnk_perms; +allow dpkg_t device_type:{ chr_file blk_file } getattr; +dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; +allow dpkg_t proc_kmsg_t:file getattr; +allow dpkg_t fs_type:dir getattr; + +# allow compiling and loading new policy +create_dir_file(dpkg_t, { policy_src_t policy_config_t }) + +# change to the apt_t domain on exec from dpkg_t (dselect) +domain_auto_trans(dpkg_t, apt_exec_t, apt_t) + +# allow apt to change /var/lib/apt files +allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms; +allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms; + +# allow apt to create /usr/lib/site-python/DebianControlParser.pyc +rw_dir_create_file(apt_t, lib_t) + +# for apt-listbugs +allow apt_t usr_t:file { getattr read ioctl }; +allow apt_t usr_t:lnk_file read; + +# allow /var/cache/apt/archives to be owned by non-root +allow apt_t self:capability { chown dac_override fowner fsetid }; + +can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t }) +allow apt_t { bin_t sbin_t }:dir search; +allow apt_t self:process { signal sigchld fork }; +allow apt_t sysadm_t:process sigchld; +can_network({ apt_t dpkg_t }) +allow { apt_t dpkg_t } port_type:tcp_socket name_connect; +can_ypbind({ apt_t dpkg_t }) + +allow { apt_t dpkg_t } var_t:dir { search getattr }; +dontaudit apt_t { fs_type file_type }:dir getattr; +allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms; + +allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms }; + +# for /proc/meminfo and for "ps" +allow apt_t { proc_t apt_t }:dir r_dir_perms; +allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms; +allow apt_t self:fifo_file rw_file_perms; +allow dpkg_t self:fifo_file rw_file_perms; + +allow apt_t etc_t:dir r_dir_perms; +allow apt_t etc_t:file r_file_perms; +allow apt_t etc_t:lnk_file read; +read_locale(apt_t) +r_dir_file(userdomain, apt_etc_t) + +# apt wants to check available disk space +allow apt_t fs_t:filesystem getattr; +allow apt_t etc_runtime_t:file r_file_perms; + +# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you +# have apt run dpkg. +# This means that getting apt_t access is almost as good as dpkg_t which has +# as much power as sysadm_t... +domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t) + +# hack to allow update-menus/install-menu to manage menus +type install_menu_t, domain, admin, etc_writer; +type install_menu_exec_t, file_type, sysadmfile, exec_type; +var_run_domain(install_menu) + +allow install_menu_t self:unix_stream_socket create_socket_perms; + +type debian_menu_t, file_type, sysadmfile; + +r_dir_file(userdomain, debian_menu_t) +dontaudit install_menu_t sysadm_home_dir_t:dir search; +create_dir_file(install_menu_t, debian_menu_t) +allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms }; +allow install_menu_t self:process signal; +allow install_menu_t proc_t:dir search; +allow install_menu_t proc_t:file r_file_perms; +can_getcon(install_menu_t) +can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t }) +allow install_menu_t { bin_t sbin_t }:dir search; +allow install_menu_t bin_t:lnk_file read; + +# for menus +allow install_menu_t usr_t:file r_file_perms; + +# for /etc/kde3/debian/kde-update-menu.sh +can_exec(install_menu_t, etc_t) + +allow install_menu_t var_t:dir search; +tmp_domain(install_menu) + +create_dir_file(install_menu_t, var_lib_t) +ifdef(`xdm.te', ` +create_dir_file(install_menu_t, xdm_var_lib_t) +') +allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms; +allow install_menu_t { var_spool_t etc_t }:file create_file_perms; +allow install_menu_t self:fifo_file rw_file_perms; +allow install_menu_t etc_runtime_t:file r_file_perms; +allow install_menu_t devtty_t:chr_file rw_file_perms; +allow install_menu_t fs_t:filesystem getattr; + +domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t) +allow dpkg_t install_menu_t:process signal_perms; + +allow install_menu_t privfd:fd use; +uses_shlib(install_menu_t) + +allow install_menu_t self:process { fork sigchld }; + +role system_r types { dpkg_t apt_t install_menu_t }; + +################################# +# +# Rules for the run_deb_t domain. +# +#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t) +#domain_trans(run_deb_t, apt_exec_t, apt_t) +domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t) +domain_auto_trans(initrc_t, apt_exec_t, apt_t) diff --git a/mls/domains/program/unused/ethereal.te b/mls/domains/program/unused/ethereal.te new file mode 100644 index 0000000..a56d321 --- /dev/null +++ b/mls/domains/program/unused/ethereal.te @@ -0,0 +1,48 @@ +# DESC - Ethereal +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type tethereal_exec_t, file_type, exec_type, sysadmfile; +type ethereal_exec_t, file_type, exec_type, sysadmfile; + +######################################################## +# Tethereal +# + +# Type for program +type tethereal_t, domain, nscd_client_domain; + +# Transition from sysadm type +domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t) +role sysadm_r types tethereal_t; + +uses_shlib(tethereal_t) +read_locale(tethereal_t) + +# Terminal output +access_terminal(tethereal_t, sysadm) + +# /proc +read_sysctl(tethereal_t) +allow tethereal_t { self proc_t }:dir { read search getattr }; +allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr }; + +# Access root +allow tethereal_t root_t:dir search; + +# Read ethereal files in /usr +allow tethereal_t usr_t:file { read getattr }; + +# /etc/nsswitch.conf +allow tethereal_t etc_t:file { read getattr }; + +# Ethereal sysadm rules +ethereal_networking(tethereal) + +# FIXME: policy is incomplete + +##################################### +# Ethereal (GNOME) policy can be found +# in ethereal_macros.te diff --git a/mls/domains/program/unused/evolution.te b/mls/domains/program/unused/evolution.te new file mode 100644 index 0000000..c8a045e --- /dev/null +++ b/mls/domains/program/unused/evolution.te @@ -0,0 +1,14 @@ +# DESC - Evolution +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type evolution_exec_t, file_type, exec_type, sysadmfile; +type evolution_server_exec_t, file_type, exec_type, sysadmfile; +type evolution_webcal_exec_t, file_type, exec_type, sysadmfile; +type evolution_alarm_exec_t, file_type, exec_type, sysadmfile; +type evolution_exchange_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/evolution_macros.te +bool disable_evolution_trans false; diff --git a/mls/domains/program/unused/exim.te b/mls/domains/program/unused/exim.te new file mode 100644 index 0000000..ccc6555 --- /dev/null +++ b/mls/domains/program/unused/exim.te @@ -0,0 +1,309 @@ +#DESC Exim - Mail server +# +# Author: David Hampton +# From postfix.te by Russell Coker +# Depends: mta.te +# + +type exim_spool_t, file_type, sysadmfile; +type exim_spool_db_t, file_type, sysadmfile; + + +########## +# Exim daemon +########## +daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm) +exim_common(exim); +etcdir_domain(exim) +logdir_domain(exim) +######################################## +######################################## +role sysadm_r types exim_t; + +# Server side networking +can_network_tcp(exim_t); +allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind; +# The exim daemon gets to listen to mail coming back from amavisd +# For identd lookups +allow exim_t inetd_child_port_t:tcp_socket name_connect; +allow exim_t self:unix_dgram_socket create_socket_perms; + +# Lock file between exim processes. Exim creates a lock file in /tmp +# that doesn't transition to the exim_tmp_t domain for some reason, +# thus the allow statement. +tmp_domain(exim) +allow exim_t tmp_t:file { getattr read }; + +# Lock files for the actual mail delivery. Exim wants to create a +# 'hitching post' file in the same directory as the delivery file. +# These are the additiona privileges over and above what's defined for +# an mta_delivery_agent. Additional privs for maildir mail files +allow exim_t mail_spool_t:dir remove_name; +allow exim_t mail_spool_t:file { link setattr unlink write rename }; + +# For access to users .forward files +allow exim_t home_dir_type:dir { getattr search }; + +allow exim_t self:capability { dac_read_search net_bind_service }; + +# Create exim spool files, update spool database +create_dir_file(exim_t, exim_spool_t) +rw_dir_file(exim_t, exim_spool_db_t) + +# Start daemon/child processes +can_exec(exim_t, exim_exec_t) + +allow exim_t sbin_t:dir r_dir_perms; + +# Read aliases file +allow exim_t etc_aliases_t:file r_file_perms; + +# +allow exim_t devpts_t:chr_file getattr; + +ifdef(`crond.te', ` +system_crond_entry(exim_exec_t, exim_t) +domain_auto_trans(crond_t, exim_exec_t, exim_t) +allow exim_t system_crond_tmp_t:file { getattr read append }; +#logwatch +allow system_crond_t exim_log_t:file read; +') + +# For squirrelmail +ifdef(`httpd.te', ` +domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t) +allow exim_t httpd_t:fd use; +allow exim_t httpd_t:process sigchld; +allow exim_t httpd_log_t:file { append getattr }; +allow exim_t httpd_squirrelmail_t:file { append read }; +allow exim_t httpd_t:fifo_file { read write getattr }; +allow exim_t httpd_t:tcp_socket { read write }; +') + +######################################## +######################################## + + +## -------------------------------------------------- +## exim_ro, exim_ro_net +## +## Many of the subsequent applications call exim for +## the sole purpose of extracting configuration or +## other information. Lock down the permissions on +## these instances to be pretty much read-only +## everything. +## +## One of the applications calls exim only to +## determine whether an address is valid. It does +## this by having exim attempt to deliver an empty +## message, without doing the actual deliver. +## These function are aplit out here to keep all the +## access controls on exim itself in poe part of the +## file. +## -------------------------------------------------- + +define(`exim_ro_base', ` +application_domain($1) +role system_r types $1_t; +read_sysctl($1_t) +r_dir_file($1_t, etc_t) #for nsswitch.conf +r_dir_file($1_t, var_spool_t) +r_dir_file($1_t, exim_spool_t) +allow $1_t devpts_t:chr_file { getattr read write }; +allow $1_t self:capability { dac_override setgid setuid }; +') + +exim_ro_base(exim_ro) +dontaudit exim_ro_t self:unix_stream_socket { connect create }; + +exim_ro_base(exim_ro_net) +can_network(exim_ro_net_t) +general_proc_read_access(exim_ro_net_t) +read_locale(exim_ro_net_t) +allow exim_ro_net_t mail_spool_t:dir search; +allow exim_ro_net_t etc_aliases_t:file r_file_perms; +allow exim_ro_net_t self:unix_stream_socket { create connect }; + + + + +## -------------------------------------------------- +## exim_helper_base +## +## Define the base attributes for an exim helper +## program. +## -------------------------------------------------- +define(`exim_helper_base',` +application_domain($1) +role system_r types $1_t; +can_exec_any($1_t) + +allow $1_t devpts_t:dir search; + +# Needed for perl +general_domain_access($1_t) +general_proc_read_access($1_t) +allow $1_t urandom_device_t:chr_file read; +allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl }; +read_locale($1_t) +allow $1_t sbin_t:dir r_dir_perms; +') + + + + +## -------------------------------------------------- +## exim_helper_script_base +## -------------------------------------------------- +define(`exim_helper_script_base',` +exim_helper_base($1) + +# Needed for bash +allow $1_t { devtty_t devpts_t }:chr_file { read write getattr }; +allow $1_t devpts_t:dir search; +allow $1_t fs_t:filesystem getattr; +rw_dir_create_file($1_t, tmp_t) # Script uses a "here" document +dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab +dontaudit $1_t selinux_config_t:dir { search }; +dontaudit $1_t selinux_config_t:file { getattr read }; # mtab +allow $1_t var_spool_t:dir search; # Needed to traverse to get to /var/spool/exim + +') + + +## -------------------------------------------------- +## exicyclog +## -------------------------------------------------- + +exim_helper_script_base(exicyclog) +allow exicyclog_t self:capability { dac_override setuid setgid }; +create_dir_file(exicyclog_t, exim_log_t) +allow exicyclog_t var_t:dir r_dir_perms; +allow exicyclog_t var_log_t:dir r_dir_perms; +allow exicyclog_t exim_spool_t:dir r_dir_perms; + + + + +## -------------------------------------------------- +## exigrep +## -------------------------------------------------- + +exim_helper_base(exigrep) +allow exigrep_t self:capability dac_override; +r_dir_file(exigrep_t, var_log_t) +r_dir_file(exigrep_t, exim_log_t) + + + + +## -------------------------------------------------- +## exipick +## -------------------------------------------------- + +exim_helper_base(exipick) +domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t) +r_dir_file(exipick_t, var_spool_t) +r_dir_file(exipick_t, exim_spool_t) +allow exipick_t self:capability dac_override; + + + + +## -------------------------------------------------- +## exiqgrep +## -------------------------------------------------- + +exim_helper_base(exiqgrep) +domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t) + + + +application_domain(exim_lock) +role system_r types exim_lock_t; + + +## -------------------------------------------------- +## exiwhat +## 1) Runs exim to extract config info +## 2) Sends a signal to all running exim processes +## 3) Collects the status files they drop in the spool directory +## -------------------------------------------------- + +exim_helper_script_base(exiwhat) +domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t) +allow exiwhat_t exim_spool_t:dir { rw_dir_perms }; +allow exiwhat_t exim_spool_t:file { r_file_perms unlink }; + +# killall +r_dir_file(exiwhat_t, exim_t) +r_dir_file(exiwhat_t, selinux_config_t) +allow exiwhat_t exim_t:process signal; +allow exiwhat_t self:capability { dac_override kill sys_nice }; + +dontaudit exiwhat_t file_type:dir search; +dontaudit exiwhat_t file_type:file { getattr read }; + +# rm +allow exiwhat_t devpts_t:chr_file ioctl; + + + + +## -------------------------------------------------- +## exim_check_access +## 1) Runs exim to simulate mail receipt +## 2) Checks on whether the mail address is allowed from the ip address +## -------------------------------------------------- + +exim_helper_script_base(exim_checkaccess) +domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t) +allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms }; +allow exim_checkaccess_t self:capability dac_override; + + + + + +## -------------------------------------------------- +## exim_helper +## -------------------------------------------------- +application_domain(exim_helper) +domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t) +can_exec(exim_helper_t, bin_t) +role system_r types exim_helper_t; +general_domain_access(exim_helper_t) +read_locale(exim_helper_t) + +allow exim_helper_t { devtty_t devpts_t }:chr_file { read write }; + +# Have to walk through /var/log to get to /var/log/exim +allow exim_helper_t var_t:dir r_dir_perms; +r_dir_file(exim_helper_t, exim_log_t) + + + + + + +## -------------------------------------------------- +## exim database maintenance programs +## exim_dump_db, exim_fixdb, exim_tidydb +## -------------------------------------------------- +define(`exim_db_base',` +application_domain($1) +role system_r types $1_t; +read_locale($1_t) +general_proc_read_access($1_t) +allow $1_t devpts_t:chr_file { getattr read write }; +allow $1_t self:capability { dac_override setgid setuid }; +allow $1_t tmp_t:dir { getattr }; +r_dir_file($1_t, var_spool_t) +r_dir_file($1_t, exim_spool_t) +r_dir_file($1_t, exim_spool_db_t) +dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab +') + +exim_db_base(exim_db_ro) +exim_db_base(exim_db_rw) +rw_dir_file(exim_db_rw_t, exim_spool_db_t) diff --git a/mls/domains/program/unused/fontconfig.te b/mls/domains/program/unused/fontconfig.te new file mode 100644 index 0000000..836470a --- /dev/null +++ b/mls/domains/program/unused/fontconfig.te @@ -0,0 +1,7 @@ +# +# Fontconfig related types +# +# Author: Ivan Gyurdiev +# + +# Look in fontconfig_macros.te diff --git a/mls/domains/program/unused/games.te b/mls/domains/program/unused/games.te new file mode 100644 index 0000000..dee046c --- /dev/null +++ b/mls/domains/program/unused/games.te @@ -0,0 +1,20 @@ +#DESC Games - Miscellaneous games +# +# Author: Russell Coker +# X-Debian-Packages: bsdgames +# + +# type for shared data from games +type games_data_t, file_type, sysadmfile; + +# domain games_t is for system operation of games, generic games daemons and +# games recovery scripts, also defines games_exec_t +daemon_domain(games,,nosysadm) +rw_dir_create_file(games_t, games_data_t) +r_dir_file(initrc_t, games_data_t) + +# Run in user_t +bool disable_games_trans false; + +# Everything else is in the x_client_domain macro in +# macros/program/x_client_macros.te. diff --git a/mls/domains/program/unused/gatekeeper.te b/mls/domains/program/unused/gatekeeper.te new file mode 100644 index 0000000..a1b464e --- /dev/null +++ b/mls/domains/program/unused/gatekeeper.te @@ -0,0 +1,51 @@ +#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper +# +# Author: Russell Coker +# X-Debian-Packages: opengate openh323gk +# + +################################# +# +# Rules for the gatekeeper_t domain. +# +# gatekeeper_exec_t is the type of the gk executable. +# +daemon_domain(gatekeeper) + +# for SSP +allow gatekeeper_t urandom_device_t:chr_file read; + +etc_domain(gatekeeper) +allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; +logdir_domain(gatekeeper) + +# Use the network. +can_network_server(gatekeeper_t) +can_ypbind(gatekeeper_t) +allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind; +allow gatekeeper_t self:unix_stream_socket create_socket_perms; + +# for stupid symlinks +tmp_domain(gatekeeper) + +# pthreads wants to know the kernel version +read_sysctl(gatekeeper_t) + +allow gatekeeper_t etc_t:file { getattr read }; + +allow gatekeeper_t etc_t:dir r_dir_perms; +allow gatekeeper_t sbin_t:dir r_dir_perms; + +allow gatekeeper_t self:process setsched; +allow gatekeeper_t self:fifo_file rw_file_perms; + +allow gatekeeper_t proc_t:file read; + +# for local users to run VOIP software +can_udp_send(userdomain, gatekeeper_t) +can_udp_send(gatekeeper_t, userdomain) +can_tcp_connect(gatekeeper_t, userdomain) + +# this is crap, gk wants to create symlinks in /etc every time it starts and +# remove them when it exits. +#allow gatekeeper_t etc_t:dir rw_dir_perms; diff --git a/mls/domains/program/unused/gconf.te b/mls/domains/program/unused/gconf.te new file mode 100644 index 0000000..e4dfa4b --- /dev/null +++ b/mls/domains/program/unused/gconf.te @@ -0,0 +1,12 @@ +# DESC - GConf preference daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gconfd_exec_t, file_type, exec_type, sysadmfile; + +# Type for /etc files +type gconf_etc_t, file_type, sysadmfile; + +# Everything else is in macros/gconfd_macros.te diff --git a/mls/domains/program/unused/gift.te b/mls/domains/program/unused/gift.te new file mode 100644 index 0000000..9e9786e --- /dev/null +++ b/mls/domains/program/unused/gift.te @@ -0,0 +1,9 @@ +# DESC - giFT file sharing tool +# +# Author: Ivan Gyurdiev +# + +type gift_exec_t, file_type, exec_type, sysadmfile; +type giftd_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/program/gift_macros.te diff --git a/mls/domains/program/unused/gnome-pty-helper.te b/mls/domains/program/unused/gnome-pty-helper.te new file mode 100644 index 0000000..084aa68 --- /dev/null +++ b/mls/domains/program/unused/gnome-pty-helper.te @@ -0,0 +1,11 @@ +#DESC Gnome Terminal - Helper program for GNOME x-terms +# +# Domains for the gnome-pty-helper program. +# X-Debian-Packages: gnome-terminal +# + +# Type for the gnome-pty-helper executable. +type gph_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the gph_domain macro in +# macros/program/gph_macros.te. diff --git a/mls/domains/program/unused/gnome.te b/mls/domains/program/unused/gnome.te new file mode 100644 index 0000000..b45ea8e --- /dev/null +++ b/mls/domains/program/unused/gnome.te @@ -0,0 +1,7 @@ +# +# GNOME related types +# +# Author: Ivan Gyurdiev +# + +# Look in gnome_macros.te diff --git a/mls/domains/program/unused/gnome_vfs.te b/mls/domains/program/unused/gnome_vfs.te new file mode 100644 index 0000000..d4cabb6 --- /dev/null +++ b/mls/domains/program/unused/gnome_vfs.te @@ -0,0 +1,9 @@ +# DESC - GNOME VFS Daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gnome_vfs_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/gnome_vfs_macros.te diff --git a/mls/domains/program/unused/iceauth.te b/mls/domains/program/unused/iceauth.te new file mode 100644 index 0000000..f41ad9e --- /dev/null +++ b/mls/domains/program/unused/iceauth.te @@ -0,0 +1,12 @@ +#DESC ICEauth - ICE authority file utility +# +# Domains for the iceauth program. +# +# Author: Ivan Gyurdiev +# +# iceauth_exec_t is the type of the xauth executable. +# +type iceauth_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the iceauth_domain macro in +# macros/program/iceauth_macros.te. diff --git a/mls/domains/program/unused/imazesrv.te b/mls/domains/program/unused/imazesrv.te new file mode 100644 index 0000000..27bae3f --- /dev/null +++ b/mls/domains/program/unused/imazesrv.te @@ -0,0 +1,29 @@ +#DESC Imazesrv - Imaze Server +# +# Author: Torsten Knodt +# based on games.te by Russell Coker +# + +# type for shared data from imazesrv +type imazesrv_data_t, file_type, sysadmfile; +type imazesrv_data_labs_t, file_type, sysadmfile; + +# domain imazesrv_t is for system operation of imazesrv +# also defines imazesrv_exec_t +daemon_domain(imazesrv) +log_domain(imazesrv); + +r_dir_file(imazesrv_t, imazesrv_data_t) + +allow imazesrv_t imaze_port_t:tcp_socket name_bind; +allow imazesrv_t imaze_port_t:udp_socket name_bind; + +create_append_log_file(imazesrv_t,imazesrv_log_t) + +can_network_server(imazesrv_t) + +allow imazesrv_t self:capability net_bind_service; + +r_dir_file(imazesrv_t, etc_t) + +general_domain_access(imazesrv_t) diff --git a/mls/domains/program/unused/ircd.te b/mls/domains/program/unused/ircd.te new file mode 100644 index 0000000..c85390e --- /dev/null +++ b/mls/domains/program/unused/ircd.te @@ -0,0 +1,43 @@ +#DESC Ircd - IRC server +# +# Author: Russell Coker +# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu +# + +################################# +# +# Rules for the ircd_t domain. +# +# ircd_exec_t is the type of the slapd executable. +# +daemon_domain(ircd) + +allow ircd_t ircd_port_t:tcp_socket name_bind; + +etcdir_domain(ircd) + +logdir_domain(ircd) + +var_lib_domain(ircd) + +# Use the network. +can_network_server(ircd_t) +can_ypbind(ircd_t) +#allow ircd_t self:fifo_file { read write }; +allow ircd_t self:unix_stream_socket create_socket_perms; +allow ircd_t self:unix_dgram_socket create_socket_perms; + +allow ircd_t devtty_t:chr_file rw_file_perms; + +allow ircd_t sbin_t:dir search; + +allow ircd_t proc_t:file { getattr read }; + +# read config files +allow ircd_t { etc_t etc_runtime_t }:file { getattr read }; +allow ircd_t etc_t:lnk_file read; + +ifdef(`logrotate.te', ` +allow logrotate_t ircd_var_run_t:dir search; +allow logrotate_t ircd_var_run_t:file { getattr read }; +') diff --git a/mls/domains/program/unused/jabberd.te b/mls/domains/program/unused/jabberd.te new file mode 100644 index 0000000..aed3b81 --- /dev/null +++ b/mls/domains/program/unused/jabberd.te @@ -0,0 +1,29 @@ +#DESC jabberd - Jabber daemon +# +# Author: Colin Walters +# X-Debian-Packages: jabber + +daemon_domain(jabberd) +logdir_domain(jabberd) +var_lib_domain(jabberd) + +allow jabberd_t jabber_client_port_t:tcp_socket name_bind; +allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind; + +allow jabberd_t etc_t:lnk_file read; +allow jabberd_t { etc_t etc_runtime_t }:file { read getattr }; + +# For SSL +allow jabberd_t random_device_t:file r_file_perms; + +can_network_server(jabberd_t) +can_ypbind(jabberd_t) + +allow jabberd_t self:unix_dgram_socket create_socket_perms; +allow jabberd_t self:unix_stream_socket create_socket_perms; +allow jabberd_t self:fifo_file { read write getattr }; + +allow jabberd_t self:capability dac_override; + +# allow any user domain to connect to jabber +can_tcp_connect(userdomain, jabberd_t) diff --git a/mls/domains/program/unused/lcd.te b/mls/domains/program/unused/lcd.te new file mode 100644 index 0000000..2e2eddf --- /dev/null +++ b/mls/domains/program/unused/lcd.te @@ -0,0 +1,35 @@ +#DESC lcd - program for Cobalt LCD device +# +# Author: Russell Coker +# + +################################# +# +# Rules for the lcd_t domain. +# +# lcd_t is the domain for the lcd program. +# lcd_exec_t is the type of the corresponding program. +# +type lcd_t, domain, privlog; +role sysadm_r types lcd_t; +role system_r types lcd_t; +uses_shlib(lcd_t) +type lcd_exec_t, file_type, sysadmfile, exec_type; +type lcd_device_t, file_type; + +# Transition into this domain when you run this program. +domain_auto_trans(initrc_t, lcd_exec_t, lcd_t) +domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t) + +allow lcd_t lcd_device_t:chr_file rw_file_perms; + +# for /etc/locks/.lcd_lock +lock_domain(lcd) +allow lcd_t etc_t:lnk_file read; +allow lcd_t var_t:dir search; + +# Access the terminal. +allow lcd_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;') +allow lcd_t privfd:fd use; + diff --git a/mls/domains/program/unused/lrrd.te b/mls/domains/program/unused/lrrd.te new file mode 100644 index 0000000..b1916f1 --- /dev/null +++ b/mls/domains/program/unused/lrrd.te @@ -0,0 +1,68 @@ +#DESC LRRD - network-wide load graphing +# +# Author: Erich Schubert +# X-Debian-Packages: lrrd-client, lrrd-server +# + +################################# +# +# Rules for the lrrd_t domain. +# +# lrrd_exec_t is the type of the lrrd executable. +# +daemon_domain(lrrd) + +allow lrrd_t lrrd_var_run_t:sock_file create_file_perms; + +etcdir_domain(lrrd) +type lrrd_var_lib_t, file_type, sysadmfile; + +log_domain(lrrd) +tmp_domain(lrrd) + +# has cron jobs +system_crond_entry(lrrd_exec_t, lrrd_t) +allow crond_t lrrd_var_lib_t:dir search; + +# init script +allow initrc_t lrrd_log_t:file { write append setattr ioctl }; + +# allow to drop privileges and renice +allow lrrd_t self:capability { setgid setuid }; +allow lrrd_t self:process { getsched setsched }; + +allow lrrd_t urandom_device_t:chr_file { getattr read }; +allow lrrd_t proc_t:file { getattr read }; +allow lrrd_t usr_t:file { read ioctl }; + +can_exec(lrrd_t, bin_t) +allow lrrd_t bin_t:dir search; +allow lrrd_t usr_t:lnk_file read; + +# Allow access to the lrrd databases +create_dir_file(lrrd_t, lrrd_var_lib_t) +allow lrrd_t var_lib_t:dir search; + +# read config files +r_dir_file(initrc_t, lrrd_etc_t) +allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; +# for accessing the output directory +ifdef(`apache.te', ` +allow lrrd_t httpd_sys_content_t:dir search; +') + +allow lrrd_t etc_t:dir search; + +can_unix_connect(sysadm_t, lrrd_t) +can_unix_connect(lrrd_t, lrrd_t) +can_unix_send(lrrd_t, lrrd_t) +can_network_server(lrrd_t) +can_ypbind(lrrd_t) + +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, lrrd_etc_t) +allow logrotate_t lrrd_var_lib_t:dir search; +allow logrotate_t lrrd_var_run_t:dir search; +allow logrotate_t lrrd_var_run_t:sock_file write; +can_unix_connect(logrotate_t, lrrd_t) +') diff --git a/mls/domains/program/unused/monopd.te b/mls/domains/program/unused/monopd.te new file mode 100644 index 0000000..3512592 --- /dev/null +++ b/mls/domains/program/unused/monopd.te @@ -0,0 +1,30 @@ +#DESC MonopD - Monopoly Daemon +# +# Author: Torsten Knodt +# based on the dhcpd_t policy from: +# Russell Coker +# + +################################# +# +# Rules for the monopd_t domain. +# +daemon_domain(monopd) +etc_domain(monopd) +typealias monopd_etc_t alias etc_monopd_t; + +type monopd_share_t, file_type, sysadmfile; +typealias monopd_share_t alias share_monopd_t; + +# Use the network. +can_network_server(monopd_t) +can_ypbind(monopd_t) + +allow monopd_t monopd_port_t:tcp_socket name_bind; + +r_dir_file(monopd_t,share_monopd_t) + +allow monopd_t self:unix_dgram_socket create_socket_perms; +allow monopd_t self:unix_stream_socket create_socket_perms; + +r_dir_file(monopd_t, etc_t) diff --git a/mls/domains/program/unused/mozilla.te b/mls/domains/program/unused/mozilla.te new file mode 100644 index 0000000..f286ea0 --- /dev/null +++ b/mls/domains/program/unused/mozilla.te @@ -0,0 +1,15 @@ +#DESC Netscape - Web browser +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: mozilla +# + +# Type for the netscape, mozilla or other browser executables. +type mozilla_exec_t, file_type, sysadmfile, exec_type; +type mozilla_conf_t, file_type, sysadmfile; + +# Run in user_t +bool disable_mozilla_trans false; + +# Everything else is in the mozilla_domain macro in +# macros/program/mozilla_macros.te. diff --git a/mls/domains/program/unused/mplayer.te b/mls/domains/program/unused/mplayer.te new file mode 100644 index 0000000..194c807 --- /dev/null +++ b/mls/domains/program/unused/mplayer.te @@ -0,0 +1,15 @@ +#DESC mplayer - media player +# +# Author: Ivan Gyurdiev +# + +# Type for the mplayer executable. +type mplayer_exec_t, file_type, exec_type, sysadmfile; +type mencoder_exec_t, file_type, exec_type, sysadmfile; +type mplayer_etc_t, file_type, sysadmfile; + +# Allow mplayer executable stack +bool allow_mplayer_execstack false; + +# Everything else is in the mplayer_domain macro in +# macros/program/mplayer_macros.te. diff --git a/mls/domains/program/unused/nagios.te b/mls/domains/program/unused/nagios.te new file mode 100644 index 0000000..9d540c8 --- /dev/null +++ b/mls/domains/program/unused/nagios.te @@ -0,0 +1,90 @@ +#DESC Net Saint / NAGIOS - network monitoring server +# +# Author: Russell Coker +# X-Debian-Packages: netsaint, nagios +# Depends: mta.te +# + +################################# +# +# Rules for the nagios_t domain. +# +# nagios_exec_t is the type of the netsaint/nagios executable. +# +daemon_domain(nagios, `, privmail') + +etcdir_domain(nagios) + +logdir_domain(nagios) +allow nagios_t nagios_log_t:fifo_file create_file_perms; +allow initrc_t nagios_log_t:dir rw_dir_perms; + +tmp_domain(nagios) +allow system_mail_t nagios_tmp_t:file { getattr read }; +# for open file handles +dontaudit system_mail_t nagios_etc_t:file read; +dontaudit system_mail_t nagios_log_t:fifo_file read; + +# Use the network. +allow nagios_t self:fifo_file rw_file_perms; +allow nagios_t self:unix_stream_socket create_socket_perms; +allow nagios_t self:unix_dgram_socket create_socket_perms; + +# Use capabilities +allow nagios_t self:capability { dac_override setgid setuid }; +allow nagios_t self:process setpgid; + +allow nagios_t { bin_t sbin_t }:dir search; +allow nagios_t bin_t:lnk_file read; +can_exec(nagios_t, { shell_exec_t bin_t }) + +allow nagios_t proc_t:file { getattr read }; + +can_network_server(nagios_t) +can_ypbind(nagios_t) + +# read config files +allow nagios_t { etc_t etc_runtime_t }:file { getattr read }; +allow nagios_t etc_t:lnk_file read; + +allow nagios_t etc_t:dir r_dir_perms; + +# for ps +r_dir_file(nagios_t, domain) +allow nagios_t boot_t:dir search; +allow nagios_t system_map_t:file { getattr read }; + +# for who +allow nagios_t initrc_var_run_t:file { getattr read lock }; + +system_domain(nagios_cgi) +allow nagios_cgi_t device_t:dir search; +r_dir_file(nagios_cgi_t, nagios_etc_t) +allow nagios_cgi_t var_log_t:dir search; +r_dir_file(nagios_cgi_t, nagios_log_t) +allow nagios_cgi_t self:process { fork signal_perms }; +allow nagios_cgi_t self:fifo_file rw_file_perms; +allow nagios_cgi_t bin_t:dir search; +can_exec(nagios_cgi_t, bin_t) +read_locale(nagios_cgi_t) + +# for ps +allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read }; +r_dir_file(nagios_cgi_t, { proc_t self nagios_t }) +allow nagios_cgi_t boot_t:dir search; +allow nagios_cgi_t system_map_t:file { getattr read }; +dontaudit nagios_cgi_t domain:dir getattr; +allow nagios_cgi_t self:unix_stream_socket create_socket_perms; + +ifdef(`apache.te', ` +r_dir_file(httpd_t, nagios_etc_t) +domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t) +allow nagios_cgi_t httpd_log_t:file append; +') + +ifdef(`ping.te', ` +domain_auto_trans(nagios_t, ping_exec_t, ping_t) +allow nagios_t ping_t:process { sigkill signal }; +dontaudit ping_t nagios_etc_t:file read; +dontaudit ping_t nagios_log_t:fifo_file read; +') diff --git a/mls/domains/program/unused/nessusd.te b/mls/domains/program/unused/nessusd.te new file mode 100644 index 0000000..65d89e1 --- /dev/null +++ b/mls/domains/program/unused/nessusd.te @@ -0,0 +1,54 @@ +#DESC Nessus network scanning daemon +# +# Author: Russell Coker +# X-Debian-Packages: nessus +# + +################################# +# +# Rules for the nessusd_t domain. +# +# nessusd_exec_t is the type of the nessusd executable. +# +daemon_domain(nessusd) + +etc_domain(nessusd) +type nessusd_db_t, file_type, sysadmfile; + +allow nessusd_t nessus_port_t:tcp_socket name_bind; + +#tmp_domain(nessusd) + +# Use the network. +can_network(nessusd_t) +allow nessusd_t port_type:tcp_socket name_connect; +can_ypbind(nessusd_t) +allow nessusd_t self:unix_stream_socket create_socket_perms; +#allow nessusd_t self:unix_dgram_socket create_socket_perms; + +# why ioctl on /dev/urandom? +allow nessusd_t random_device_t:chr_file { getattr read ioctl }; +allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms; +allow nessusd_t self:capability net_raw; + +# for nmap etc +allow nessusd_t { bin_t sbin_t }:dir search; +allow nessusd_t bin_t:lnk_file read; +can_exec(nessusd_t, bin_t) +allow nessusd_t self:fifo_file { getattr read write }; + +# allow user domains to connect to nessusd +can_tcp_connect(userdomain, nessusd_t) + +allow nessusd_t self:process setsched; + +allow nessusd_t proc_t:file { getattr read }; + +# Allow access to the nessusd authentication database +create_dir_file(nessusd_t, nessusd_db_t) +allow nessusd_t var_lib_t:dir r_dir_perms; + +# read config files +allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms; + +logdir_domain(nessusd) diff --git a/mls/domains/program/unused/nrpe.te b/mls/domains/program/unused/nrpe.te new file mode 100644 index 0000000..87d1a02 --- /dev/null +++ b/mls/domains/program/unused/nrpe.te @@ -0,0 +1,40 @@ +# DESC nrpe - Nagios Remote Plugin Execution +# +# Author: Thomas Bleher +# +# Depends: tcpd.te +# X-Debian-Packages: nagios-nrpe-server +# +# This policy assumes that nrpe is called from inetd + +daemon_base_domain(nrpe) +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t) +') +domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t) + +allow nrpe_t urandom_device_t:chr_file { getattr ioctl read }; + +allow nrpe_t self:fifo_file rw_file_perms; +allow nrpe_t self:unix_dgram_socket create_socket_perms; +# use sockets inherited from inetd +allow nrpe_t inetd_t:tcp_socket { ioctl read write }; +allow nrpe_t devtty_t:chr_file { read write }; + +allow nrpe_t self:process setpgid; + +etc_domain(nrpe) +read_locale(nrpe_t) + +# permissions for the scripts executed by nrpe +# +# call shell programs +can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t }) +allow nrpe_t { bin_t sbin_t }:dir search; +# for /bin/sh +allow nrpe_t bin_t:lnk_file read; + +# read /proc/meminfo, /proc/self/mounts and /etc/mtab +allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read }; + +# you will have to add more permissions here, depending on the scripts you call! diff --git a/mls/domains/program/unused/nsd.te b/mls/domains/program/unused/nsd.te new file mode 100644 index 0000000..2aa35c5 --- /dev/null +++ b/mls/domains/program/unused/nsd.te @@ -0,0 +1,102 @@ +#DESC Authoritative only name server +# +# Author: Russell Coker +# X-Debian-Packages: nsd +# +# + +################################# +# +# Rules for the nsd_t domain. +# + +daemon_domain(nsd) + +# a type for nsd.db +type nsd_db_t, file_type, sysadmfile; + +# for zone update cron job +type nsd_crond_t, domain, privlog; +role system_r types nsd_crond_t; +uses_shlib(nsd_crond_t) +can_network_client(nsd_crond_t) +allow nsd_crond_t port_type:tcp_socket name_connect; +can_ypbind(nsd_crond_t) +allow nsd_crond_t self:unix_dgram_socket create_socket_perms; +allow nsd_crond_t self:process { fork signal_perms }; +system_crond_entry(nsd_exec_t, nsd_crond_t) +allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read }; +allow nsd_crond_t proc_t:lnk_file { getattr read }; +allow nsd_crond_t { bin_t sbin_t }:dir search; +can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t }) +allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr; +allow nsd_crond_t bin_t:lnk_file read; +read_locale(nsd_crond_t) +allow nsd_crond_t self:fifo_file rw_file_perms; +# kill capability for root cron job and non-root daemon +allow nsd_crond_t self:capability { dac_override kill }; +allow nsd_crond_t nsd_t:process signal; +dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr }; +dontaudit nsd_crond_t self:capability sys_nice; +dontaudit nsd_crond_t domain:dir search; +allow nsd_crond_t self:process setsched; +can_ps(nsd_crond_t, nsd_t) + +file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) +file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file) +allow nsd_crond_t var_lib_t:dir search; + +allow nsd_crond_t nsd_conf_t:file { getattr read ioctl }; +allow nsd_crond_t nsd_zone_t:dir rw_dir_perms; +allow nsd_crond_t proc_t:dir r_dir_perms; +allow nsd_crond_t device_t:dir search; +allow nsd_crond_t devtty_t:chr_file rw_file_perms; +allow nsd_crond_t etc_t:file { getattr read }; +allow nsd_crond_t etc_t:lnk_file read; +allow nsd_crond_t { var_t var_run_t }:dir search; +allow nsd_crond_t nsd_var_run_t:file { getattr read }; + +# for SSP +allow nsd_crond_t urandom_device_t:chr_file read; + +# A type for configuration files of nsd +type nsd_conf_t, file_type, sysadmfile; +# A type for zone files +type nsd_zone_t, file_type, sysadmfile; + +r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t }) +# zone files may be in /var/lib/nsd +allow nsd_t var_lib_t:dir search; +r_dir_file(initrc_t, nsd_conf_t) +allow nsd_t etc_runtime_t:file { getattr read }; +allow nsd_t proc_t:file { getattr read }; +allow nsd_t { sbin_t bin_t }:dir search; +can_exec(nsd_t, { nsd_exec_t bin_t }) + +# Use capabilities. chown is for chowning /var/run/nsd.pid +allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service }; + +allow nsd_t etc_t:{ file lnk_file } { getattr read }; + +# nsd can use network +can_network_server(nsd_t) +can_ypbind(nsd_t) +# allow client access from caching BIND +ifdef(`named.te', ` +can_udp_send(named_t, nsd_t) +can_udp_send(nsd_t, named_t) +can_tcp_connect(named_t, nsd_t) +') + +# if you want to allow all programs to contact the primary name server +#can_udp_send(domain, nsd_t) +#can_udp_send(nsd_t, domain) +#can_tcp_connect(domain, nsd_t) + +# Bind to the named port. +allow nsd_t dns_port_t:udp_socket name_bind; +allow nsd_t dns_port_t:tcp_socket name_bind; + +allow nsd_t self:unix_stream_socket create_stream_socket_perms; +allow nsd_t self:unix_dgram_socket create_socket_perms; + diff --git a/mls/domains/program/unused/nx_server.te b/mls/domains/program/unused/nx_server.te new file mode 100644 index 0000000..a6e723a --- /dev/null +++ b/mls/domains/program/unused/nx_server.te @@ -0,0 +1,70 @@ +# DESC NX - NX Server +# +# Author: Thomas Bleher +# +# Depends: sshd.te +# + +# Type for the nxserver executable, called from ssh +type nx_server_exec_t, file_type, sysadmfile, exec_type; + +# type of the nxserver; userdomain is needed so sshd can transition +type nx_server_t, domain, userdomain; + +# we need an extra role because nxserver is called from sshd +role nx_server_r types nx_server_t; +allow system_r nx_server_r; +domain_trans(sshd_t, nx_server_exec_t, nx_server_t) + +# not really sure if the additional attributes are needed, copied from userdomains +can_create_pty(nx_server, `, userpty_type, user_tty_type') +type_change nx_server_t server_pty:chr_file nx_server_devpts_t; + +uses_shlib(nx_server_t) +read_locale(nx_server_t) + +tmp_domain(nx_server) +var_run_domain(nx_server) + +# nxserver is a shell script --> call other programs +can_exec(nx_server_t, { bin_t shell_exec_t }) +allow nx_server_t self:process { fork sigchld }; +allow nx_server_t self:fifo_file { getattr ioctl read write }; +allow nx_server_t bin_t:dir { getattr read search }; +allow nx_server_t bin_t:lnk_file read; + +r_dir_file(nx_server_t, proc_t) +allow nx_server_t { etc_t etc_runtime_t }:file { getattr read }; + +# we do not actually need this attribute or the types defined here, +# but otherwise we cannot call the ssh_domain-macro +attribute nx_server_file_type; +type nx_server_home_dir_t alias nx_server_home_t; +type nx_server_xauth_home_t; +type nx_server_tty_device_t; +type nx_server_gph_t; +type nx_server_fonts_cache_t; +type nx_server_fonts_t; +type nx_server_fonts_config_t; +type nx_server_gnome_settings_t; + +ssh_domain(nx_server) + +can_network_client(nx_server_t) +allow nx_server_t port_type:tcp_socket name_connect; + +allow nx_server_t devtty_t:chr_file { read write }; +allow nx_server_t sysctl_kernel_t:dir search; +allow nx_server_t sysctl_kernel_t:file { getattr read }; +allow nx_server_t urandom_device_t:chr_file read; +# for reading the config files; maybe a separate type, +# but users need to be able to also read the config +allow nx_server_t usr_t:file { getattr read }; + +dontaudit nx_server_t selinux_config_t:dir search; + +# clients already have create permissions; the nxclient wants to also have unlink rights +allow userdomain xdm_tmp_t:sock_file unlink; +# for a lockfile created by the client process +allow nx_server_t user_tmpfile:file getattr; + diff --git a/mls/domains/program/unused/oav-update.te b/mls/domains/program/unused/oav-update.te new file mode 100644 index 0000000..a9843c6 --- /dev/null +++ b/mls/domains/program/unused/oav-update.te @@ -0,0 +1,38 @@ +#DESC Oav - Anti-virus update program +# +# Author: Brian May +# X-Debian-Packages: +# + +type oav_update_var_lib_t, file_type, sysadmfile; +type oav_update_exec_t, file_type, sysadmfile, exec_type; +type oav_update_etc_t, file_type, sysadmfile; + +# Derived domain based on the calling user domain and the program. +type oav_update_t, domain, privlog; + +# Transition from the sysadm domain to the derived domain. +role sysadm_r types oav_update_t; +domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t) + +# Transition from the sysadm domain to the derived domain. +role system_r types oav_update_t; +system_crond_entry(oav_update_exec_t, oav_update_t) + +# Uses shared librarys +uses_shlib(oav_update_t) + +# Run helper programs. +can_exec_any(oav_update_t,bin_t) + +# Can read /etc/oav-update/* files +allow oav_update_t oav_update_etc_t:dir r_dir_perms; +allow oav_update_t oav_update_etc_t:file r_file_perms; + +# Can read /var/lib/oav-update/current +allow oav_update_t oav_update_var_lib_t:dir create_dir_perms; +allow oav_update_t oav_update_var_lib_t:file create_file_perms; +allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms; + +# Can download via network +can_network_server(oav_update_t) diff --git a/mls/domains/program/unused/openca-ca.te b/mls/domains/program/unused/openca-ca.te new file mode 100644 index 0000000..411c61d --- /dev/null +++ b/mls/domains/program/unused/openca-ca.te @@ -0,0 +1,134 @@ +#DESC OpenCA - Open Certificate Authority +# +# Author: Brian May +# X-Debian-Packages: +# Depends: apache.te +# + +################################# +# +# domain for openCA cgi-bin scripts. +# +# Type that system CGI scripts run as +# +type openca_ca_t, domain; +role system_r types openca_ca_t; +uses_shlib(openca_ca_t) + +# Types that system CGI scripts on the disk are +# labeled with +# +type openca_ca_exec_t, file_type, sysadmfile; + +# When the server starts the script it needs to get the proper context +# +domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t) + +# +# Allow httpd daemon to search /usr/share/openca +# +allow httpd_t openca_usr_share_t:dir { getattr search }; + +################################################################ +# Allow the web server to run scripts and serve pages +############################################################## +allow httpd_t bin_t:file { read execute }; # execute perl + +allow httpd_t openca_ca_exec_t:file {execute getattr read}; +allow httpd_t openca_ca_t:process {signal sigkill sigstop}; +allow httpd_t openca_ca_t:process transition; +allow httpd_t openca_ca_exec_t:dir r_dir_perms; + +################################################################## +# Allow the script to get the file descriptor from the http deamon +# and send sigchild to http deamon +################################################################# +allow openca_ca_t httpd_t:process sigchld; +allow openca_ca_t httpd_t:fd use; +allow openca_ca_t httpd_t:fifo_file {getattr write}; + +############################################ +# Allow scripts to append to http logs +######################################### +allow openca_ca_t httpd_log_t:file { append getattr }; + +############################################################# +# Allow the script access to the library files so it can run +############################################################# +can_exec(openca_ca_t, lib_t) + +######################################################################## +# The script needs to inherit the file descriptor and find the script it +# needs to run +######################################################################## +allow openca_ca_t initrc_t:fd use; +allow openca_ca_t init_t:fd use; +allow openca_ca_t default_t:dir r_dir_perms; +allow openca_ca_t random_device_t:chr_file r_file_perms; + +####################################################################### +# Allow the script to return its output +###################################################################### +#allow openca_ca_t httpd_var_run_t: file rw_file_perms; +allow openca_ca_t null_device_t: chr_file rw_file_perms; +allow openca_ca_t httpd_cache_t: file rw_file_perms; + +########################################################################### +# Allow the script interpreters to run the scripts. So +# the perl executable will be able to run a perl script +######################################################################### +can_exec(openca_ca_t, bin_t) + +############################################################################ +# Allow the script process to search the cgi directory, and users directory +############################################################################## +allow openca_ca_t openca_ca_exec_t:dir search; + +# +# Allow access to writeable files under /etc/openca +# +allow openca_ca_t openca_etc_writeable_t:file create_file_perms; +allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms; + +# +# Allow access to other files under /etc/openca +# +allow openca_ca_t openca_etc_t:file r_file_perms; +allow openca_ca_t openca_etc_t:dir r_dir_perms; + +# +# Allow access to private CA key +# +allow openca_ca_t openca_var_lib_keys_t:file create_file_perms; +allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms; + +# +# Allow access to other /var/lib/openca files +# +allow openca_ca_t openca_var_lib_t:file create_file_perms; +allow openca_ca_t openca_var_lib_t:dir create_dir_perms; + +# +# Allow access to other /usr/share/openca files +# +allow openca_ca_t openca_usr_share_t:file r_file_perms; +allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms; +allow openca_ca_t openca_usr_share_t:dir r_dir_perms; + +# /etc/openca standard files +type openca_etc_t, file_type, sysadmfile; + +# /etc/openca template files +type openca_etc_in_t, file_type, sysadmfile; + +# /etc/openca writeable (from CGI script) files +type openca_etc_writeable_t, file_type, sysadmfile; + +# /var/lib/openca +type openca_var_lib_t, file_type, sysadmfile; + +# /var/lib/openca/crypto/keys +type openca_var_lib_keys_t, file_type, sysadmfile; + +# /usr/share/openca/crypto/keys +type openca_usr_share_t, file_type, sysadmfile; diff --git a/mls/domains/program/unused/openvpn.te b/mls/domains/program/unused/openvpn.te new file mode 100644 index 0000000..0ab1317 --- /dev/null +++ b/mls/domains/program/unused/openvpn.te @@ -0,0 +1,39 @@ +#DESC OpenVPN - Firewall-friendly SSL-based VPN +# +# Author: Colin Walters +# +######################################## +# + +daemon_domain(openvpn) +etcdir_domain(openvpn) + +allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms; + +allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr }; +allow openvpn_t devpts_t:dir { search getattr }; +allow openvpn_t tun_tap_device_t:chr_file rw_file_perms; +allow openvpn_t proc_t:file { getattr read }; + +allow openvpn_t self:unix_dgram_socket create_socket_perms; +allow openvpn_t self:unix_stream_socket create_stream_socket_perms; +allow openvpn_t self:unix_dgram_socket sendto; +allow openvpn_t self:unix_stream_socket connectto; +allow openvpn_t self:capability { net_admin setgid setuid }; +r_dir_file(openvpn_t, sysctl_net_t) + +can_network_server(openvpn_t) +allow openvpn_t openvpn_port_t:udp_socket name_bind; + +# OpenVPN executes a lot of helper programs and scripts +allow openvpn_t { bin_t sbin_t }:dir { search getattr }; +allow openvpn_t bin_t:lnk_file { getattr read }; +can_exec(openvpn_t, { bin_t sbin_t shell_exec_t }) +# Do not transition to ifconfig_t, since then it needs +# permission to access openvpn_t:udp_socket, which seems +# worse. +can_exec(openvpn_t, ifconfig_exec_t) + +# The Fedora init script iterates over /etc/openvpn/*.conf, and +# starts a daemon for each file. +r_dir_file(initrc_t, openvpn_etc_t) diff --git a/mls/domains/program/unused/perdition.te b/mls/domains/program/unused/perdition.te new file mode 100644 index 0000000..b95cb75 --- /dev/null +++ b/mls/domains/program/unused/perdition.te @@ -0,0 +1,29 @@ +#DESC Perdition POP and IMAP proxy +# +# Author: Russell Coker +# X-Debian-Packages: perdition +# + +################################# +# +# Rules for the perdition_t domain. +# +daemon_domain(perdition) + +allow perdition_t pop_port_t:tcp_socket name_bind; + +etc_domain(perdition) + +# Use the network. +can_network_server(perdition_t) +allow perdition_t self:unix_stream_socket create_socket_perms; +allow perdition_t self:unix_dgram_socket create_socket_perms; + +# allow any domain to connect to the proxy +can_tcp_connect(userdomain, perdition_t) + +# Use capabilities +allow perdition_t self:capability { setgid setuid net_bind_service }; + +allow perdition_t etc_t:file { getattr read }; +allow perdition_t etc_t:lnk_file read; diff --git a/mls/domains/program/unused/portslave.te b/mls/domains/program/unused/portslave.te new file mode 100644 index 0000000..55dfad6 --- /dev/null +++ b/mls/domains/program/unused/portslave.te @@ -0,0 +1,85 @@ +#DESC Portslave - Terminal server software +# +# Author: Russell Coker +# X-Debian-Packages: portslave +# Depends: pppd.te +# + +################################# +# +# Rules for the portslave_t domain. +# +daemon_base_domain(portslave, `, privmail, auth_chkpwd') + +type portslave_etc_t, file_type, sysadmfile; + +general_domain_access(portslave_t) +domain_auto_trans(init_t, portslave_exec_t, portslave_t) +ifdef(`rlogind.te', ` +domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t) +') +ifdef(`inetd.te', ` +domain_auto_trans(inetd_t, portslave_exec_t, portslave_t) +allow portslave_t inetd_t:tcp_socket { getattr read write }; +') + +allow portslave_t { etc_t etc_runtime_t }:file { read getattr }; +read_locale(portslave_t) +r_dir_file(portslave_t, portslave_etc_t) + +allow portslave_t pppd_etc_t:dir r_dir_perms; +allow portslave_t pppd_etc_rw_t:file { getattr read }; + +allow portslave_t proc_t:file { getattr read }; + +allow portslave_t { var_t var_log_t devpts_t }:dir search; + +allow portslave_t devtty_t:chr_file { setattr rw_file_perms }; + +allow portslave_t pppd_secret_t:file r_file_perms; + +can_network_server(portslave_t) +allow portslave_t fs_t:filesystem getattr; +ifdef(`radius.te', ` +can_udp_send(portslave_t, radiusd_t) +can_udp_send(radiusd_t, portslave_t) +') +# for rlogin etc +can_exec(portslave_t, { bin_t ssh_exec_t }) +# net_bind_service for rlogin +allow portslave_t self:capability { net_bind_service sys_tty_config }; +# for ssh +allow portslave_t urandom_device_t:chr_file read; +ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)') + +# for pppd +allow portslave_t self:capability { setuid setgid net_admin fsetid }; +allow portslave_t ppp_device_t:chr_file rw_file_perms; + +# for ~/.ppprc - if it actually exists then you need some policy to read it +allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; + +# for ctlportslave +dontaudit portslave_t self:capability sys_admin; + +file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file) +can_exec(portslave_t, { etc_t shell_exec_t }) + +# Run login in local_login_t domain. +#domain_auto_trans(portslave_t, login_exec_t, local_login_t) + +# Write to /var/run/utmp. +allow portslave_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow portslave_t wtmp_t:file rw_file_perms; + +# Read and write ttys. +allow portslave_t tty_device_t:chr_file { setattr rw_file_perms }; +allow portslave_t ttyfile:chr_file rw_file_perms; + + +lock_domain(portslave) +can_exec(portslave_t, pppd_exec_t) +allow portslave_t { bin_t sbin_t }:dir search; +allow portslave_t bin_t:lnk_file read; diff --git a/mls/domains/program/unused/postgrey.te b/mls/domains/program/unused/postgrey.te new file mode 100644 index 0000000..f60e67b --- /dev/null +++ b/mls/domains/program/unused/postgrey.te @@ -0,0 +1,30 @@ +#DESC postgrey - Postfix Grey-listing server +# +# Author: Russell Coker +# X-Debian-Packages: postgrey + +daemon_domain(postgrey) + +allow postgrey_t urandom_device_t:chr_file { getattr read }; + +# for perl +allow postgrey_t { bin_t sbin_t }:dir { getattr search }; +allow postgrey_t usr_t:{ file lnk_file } { getattr read }; +dontaudit postgrey_t usr_t:file ioctl; + +allow postgrey_t { etc_t etc_runtime_t }:file { getattr read }; +etcdir_domain(postgrey) + +can_network_server_tcp(postgrey_t) +can_ypbind(postgrey_t) +allow postgrey_t postgrey_port_t:tcp_socket name_bind; +allow postgrey_t self:unix_dgram_socket create_socket_perms; +allow postgrey_t self:unix_stream_socket create_stream_socket_perms; +allow postgrey_t proc_t:file { getattr read }; + +allow postgrey_t self:capability { chown setgid setuid }; +dontaudit postgrey_t self:capability sys_tty_config; + +var_lib_domain(postgrey) + +allow postgrey_t tmp_t:dir getattr; diff --git a/mls/domains/program/unused/publicfile.te b/mls/domains/program/unused/publicfile.te new file mode 100644 index 0000000..b6a206b --- /dev/null +++ b/mls/domains/program/unused/publicfile.te @@ -0,0 +1,25 @@ +#DESC Publicfile - HTTP and FTP file services +# http://cr.yp.to/publicfile.html +# +# Author: petre rodan +# +# this policy depends on ucspi-tcp +# + +daemon_domain(publicfile) +type publicfile_content_t, file_type, sysadmfile; +domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t) + +ifdef(`ucspi-tcp.te', ` +domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t) +allow publicfile_t utcpserver_t:tcp_socket { read write }; +allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind; +') + +allow publicfile_t initrc_t:tcp_socket { read write }; + +allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; + +r_dir_file(publicfile_t, publicfile_content_t) + + diff --git a/mls/domains/program/unused/pxe.te b/mls/domains/program/unused/pxe.te new file mode 100644 index 0000000..1515593 --- /dev/null +++ b/mls/domains/program/unused/pxe.te @@ -0,0 +1,21 @@ +#DESC PXE - a server for the PXE network boot protocol +# +# Author: Russell Coker +# X-Debian-Packages: pxe +# + +################################# +# +# Rules for the pxe_t domain. +# +daemon_domain(pxe) + +allow pxe_t pxe_port_t:udp_socket name_bind; + +allow pxe_t etc_t:file { getattr read }; + +allow pxe_t self:capability { chown setgid setuid }; + +allow pxe_t zero_device_t:chr_file rw_file_perms; + +log_domain(pxe) diff --git a/mls/domains/program/unused/pyzor.te b/mls/domains/program/unused/pyzor.te new file mode 100644 index 0000000..b0629ad --- /dev/null +++ b/mls/domains/program/unused/pyzor.te @@ -0,0 +1,57 @@ +# +# Pyzor - Pyzor is a collaborative, networked system to detect and +# block spam using identifying digests of messages. +# +# Author: David Hampton +# + +# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms. +# Pyzor normally dumps everything into $HOME/.pyzor. By putting the +# following line to the spamassassin config file: +# +# pyzor_options --homedir /etc/pyzor +# +# the various files will be put into appropriate directories. +# (I.E. The log file into /var/log, etc.) This policy will work +# either way. + +########## +# pyzor daemon +########## +daemon_domain(pyzord, `, privlog, nscd_client_domain') +pyzor_base_domain(pyzord) +allow pyzord_t pyzor_port_t:udp_socket name_bind; +home_domain_access(pyzord_t, sysadm, pyzor) +log_domain(pyzord) + +# Read shared daemon/client config file +r_dir_file(pyzord_t, pyzor_etc_t) + +# Write shared daemon/client data dir +allow pyzord_t var_lib_t:dir search; +create_dir_file(pyzord_t, pyzor_var_lib_t) + +########## +# Pyzor query application - from system_r applictions +########## +type pyzor_t, domain, privlog, daemon; +type pyzor_exec_t, file_type, sysadmfile, exec_type; +role system_r types pyzor_t; + +pyzor_base_domain(pyzor) + +# System config/data files +etcdir_domain(pyzor) +var_lib_domain(pyzor) + +########## +########## + +# +# Some spam filters executes the pyzor code directly. Allow them access here. +# +ifdef(`spamd.te',` +domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t); +# pyzor needs access to the email spamassassin is checking +allow pyzor_t spamd_tmp_t:file r_file_perms; +') diff --git a/mls/domains/program/unused/qmail.te b/mls/domains/program/unused/qmail.te new file mode 100644 index 0000000..6c51cd7 --- /dev/null +++ b/mls/domains/program/unused/qmail.te @@ -0,0 +1,197 @@ +#DESC Qmail - Mail server +# +# Author: Russell Coker +# X-Debian-Packages: qmail-src qmail +# Depends: inetd.te mta.te +# + + +# Type for files created during execution of qmail. +type qmail_var_run_t, file_type, sysadmfile, pidfile; + +type qmail_etc_t, file_type, sysadmfile; + +allow inetd_t smtp_port_t:tcp_socket name_bind; + +type qmail_exec_t, file_type, sysadmfile, exec_type; +type qmail_spool_t, file_type, sysadmfile; +type var_qmail_t, file_type, sysadmfile; + +define(`qmaild_sub_domain', ` +daemon_sub_domain($1, $2, `$3') +allow $2_t qmail_etc_t:dir { getattr search }; +allow $2_t qmail_etc_t:{ lnk_file file } { getattr read }; +allow $2_t { var_t var_spool_t }:dir search; +allow $2_t console_device_t:chr_file rw_file_perms; +allow $2_t fs_t:filesystem getattr; +') + +################################# +# +# Rules for the qmail_$1_t domain. +# +# qmail_$1_exec_t is the type of the qmail_$1 executables. +# +define(`qmail_daemon_domain', ` +qmaild_sub_domain(qmail_start_t, qmail_$1, `$2') +allow qmail_$1_t qmail_start_t:fifo_file { read write }; +')dnl + + +daemon_base_domain(qmail_start) + +allow qmail_start_t self:capability { setgid setuid }; +allow qmail_start_t { bin_t sbin_t }:dir search; +allow qmail_start_t qmail_etc_t:dir search; +allow qmail_start_t qmail_etc_t:file { getattr read }; +can_exec(qmail_start_t, qmail_start_exec_t) +allow qmail_start_t self:fifo_file { getattr read write }; + +qmail_daemon_domain(lspawn, `, mta_delivery_agent') +allow qmail_lspawn_t self:fifo_file { read write }; +allow qmail_lspawn_t self:capability { setuid setgid }; +allow qmail_lspawn_t self:process { fork signal_perms }; +allow qmail_lspawn_t sbin_t:dir search; +can_exec(qmail_lspawn_t, qmail_exec_t) +allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; +allow qmail_lspawn_t qmail_spool_t:dir search; +allow qmail_lspawn_t qmail_spool_t:file { read getattr }; +allow qmail_lspawn_t etc_t:file { getattr read }; +allow qmail_lspawn_t tmp_t:dir getattr; +dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search }; + +qmail_daemon_domain(send, `, mail_server_sender') +rw_dir_create_file(qmail_send_t, qmail_spool_t) +allow qmail_send_t qmail_spool_t:fifo_file read; +allow qmail_send_t self:process { fork signal_perms }; +allow qmail_send_t self:fifo_file write; +domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_send_t sbin_t:dir search; + +qmail_daemon_domain(splogger) +allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; +allow qmail_splogger_t etc_t:lnk_file read; +dontaudit qmail_splogger_t initrc_t:fd use; +read_locale(qmail_splogger_t) + +qmail_daemon_domain(rspawn) +allow qmail_rspawn_t qmail_spool_t:dir search; +allow qmail_rspawn_t qmail_spool_t:file rw_file_perms; +allow qmail_rspawn_t self:process { fork signal_perms }; +allow qmail_rspawn_t self:fifo_file read; +allow qmail_rspawn_t { bin_t sbin_t }:dir search; + +qmaild_sub_domain(qmail_rspawn_t, qmail_remote) +allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read }; +can_network_server(qmail_remote_t) +can_ypbind(qmail_remote_t) +allow qmail_remote_t qmail_spool_t:dir search; +allow qmail_remote_t qmail_spool_t:file rw_file_perms; +allow qmail_remote_t self:tcp_socket create_socket_perms; +allow qmail_remote_t self:udp_socket create_socket_perms; + +qmail_daemon_domain(clean) +allow qmail_clean_t qmail_spool_t:dir rw_dir_perms; +allow qmail_clean_t qmail_spool_t:file { unlink read getattr }; + +# privhome will do until we get a separate maildir type +qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent') +allow qmail_lspawn_t qmail_local_exec_t:file { getattr read }; +allow qmail_local_t self:process { fork signal_perms }; +domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_local_t qmail_queue_exec_t:file { getattr read }; +allow qmail_local_t qmail_spool_t:file { ioctl read }; +allow qmail_local_t self:fifo_file write; +allow qmail_local_t sbin_t:dir search; +allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; +allow qmail_local_t etc_t:file { getattr read }; + +# for piping mail to a command +can_exec(qmail_local_t, shell_exec_t) +allow qmail_local_t bin_t:dir search; +allow qmail_local_t bin_t:lnk_file read; +allow qmail_local_t devtty_t:chr_file rw_file_perms; +allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read }; + +ifdef(`tcpd.te', ` +qmaild_sub_domain(tcpd_t, qmail_tcp_env) +# bug +can_exec(tcpd_t, tcpd_exec_t) +', ` +qmaild_sub_domain(inetd_t, qmail_tcp_env) +') +allow qmail_tcp_env_t inetd_t:fd use; +allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr }; +allow qmail_tcp_env_t inetd_t:process sigchld; +allow qmail_tcp_env_t sbin_t:dir search; +can_network_server(qmail_tcp_env_t) +can_ypbind(qmail_tcp_env_t) + +qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd) +allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read }; +can_network_server(qmail_smtpd_t) +can_ypbind(qmail_smtpd_t) +allow qmail_smtpd_t inetd_t:fd use; +allow qmail_smtpd_t inetd_t:tcp_socket { read write }; +allow qmail_smtpd_t inetd_t:process sigchld; +allow qmail_smtpd_t self:process { fork signal_perms }; +allow qmail_smtpd_t self:fifo_file write; +allow qmail_smtpd_t self:tcp_socket create_socket_perms; +allow qmail_smtpd_t sbin_t:dir search; +domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read }; + +qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent') +allow qmail_inject_t self:process { fork signal_perms }; +allow qmail_inject_t self:fifo_file write; +allow qmail_inject_t sbin_t:dir search; +role sysadm_r types qmail_inject_t; +in_user_role(qmail_inject_t) + +qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent') +in_user_role(qmail_qread_t) +role sysadm_r types qmail_qread_t; +r_dir_file(qmail_qread_t, qmail_spool_t) +allow qmail_qread_t self:capability dac_override; +allow qmail_qread_t privfd:fd use; + +qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent') +role sysadm_r types qmail_queue_t; +in_user_role(qmail_queue_t) +allow qmail_inject_t qmail_queue_exec_t:file { getattr read }; +rw_dir_create_file(qmail_queue_t, qmail_spool_t) +allow qmail_queue_t qmail_spool_t:fifo_file { read write }; +allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use; +allow qmail_queue_t qmail_lspawn_t:fifo_file write; +allow qmail_queue_t qmail_start_t:fifo_file { read write }; +allow qmail_queue_t privfd:fd use; +allow qmail_queue_t crond_t:fifo_file { read write }; +allow qmail_queue_t inetd_t:fd use; +allow qmail_queue_t inetd_t:tcp_socket { read write }; +allow qmail_queue_t sysadm_t:fd use; +allow qmail_queue_t sysadm_t:fifo_file write; + +allow user_crond_domain qmail_etc_t:dir search; +allow user_crond_domain qmail_etc_t:file { getattr read }; + +qmaild_sub_domain(user_crond_domain, qmail_serialmail) +in_user_role(qmail_serialmail_t) +can_network_server(qmail_serialmail_t) +can_ypbind(qmail_serialmail_t) +can_exec(qmail_serialmail_t, qmail_serialmail_exec_t) +allow qmail_serialmail_t self:process { fork signal_perms }; +allow qmail_serialmail_t proc_t:file { getattr read }; +allow qmail_serialmail_t etc_runtime_t:file { getattr read }; +allow qmail_serialmail_t home_root_t:dir search; +allow qmail_serialmail_t user_home_dir_type:dir { search read getattr }; +rw_dir_create_file(qmail_serialmail_t, user_home_type) +allow qmail_serialmail_t self:fifo_file { read write }; +allow qmail_serialmail_t self:udp_socket create_socket_perms; +allow qmail_serialmail_t self:tcp_socket create_socket_perms; +allow qmail_serialmail_t privfd:fd use; +allow qmail_serialmail_t crond_t:fifo_file { read write ioctl }; +allow qmail_serialmail_t devtty_t:chr_file { read write }; + +# for tcpclient +can_exec(qmail_serialmail_t, bin_t) +allow qmail_serialmail_t bin_t:dir search; diff --git a/mls/domains/program/unused/razor.te b/mls/domains/program/unused/razor.te new file mode 100644 index 0000000..e88bb49 --- /dev/null +++ b/mls/domains/program/unused/razor.te @@ -0,0 +1,53 @@ +# +# Razor - Vipul's Razor is a distributed, collaborative, spam +# detection and filtering network. +# +# Author: David Hampton +# + +# NOTE: This policy will work with either the ATrpms provided config +# file in /etc/razor, or with the default of dumping everything into +# $HOME/.razor. + +########## +# Razor query application - from system_r applictions +########## +type razor_t, domain, privlog, daemon; +type razor_exec_t, file_type, sysadmfile, exec_type; +role system_r types razor_t; + +razor_base_domain(razor) + +# Razor config file directory. When invoked as razor-admin, it can +# update files in this directory. +etcdir_domain(razor) +create_dir_file(razor_t, razor_etc_t); + +# Shared razor files updated freuently +var_lib_domain(razor) + +# Log files +log_domain(razor) +allow razor_t var_log_t:dir search; +ifdef(`logrotate.te', ` +allow logrotate_t razor_log_t:file r_file_perms; +') + +########## +########## + +# +# Some spam filters executes the razor code directly. Allow them access here. +# +define(`razor_access',` +r_dir_file($1, razor_etc_t) +allow $1 var_log_t:dir search; +allow $1 razor_log_t:file ra_file_perms; +r_dir_file($1, razor_var_lib_t) +r_dir_file($1, sysadm_razor_home_t) +can_network_client_tcp($1, razor_port_t) +allow $1 razor_port_t:tcp_socket name_connect; +') + +ifdef(`spamd.te', `razor_access(spamd_t)'); +ifdef(`amavis.te', `razor_access(amavisd_t)'); diff --git a/mls/domains/program/unused/resmgrd.te b/mls/domains/program/unused/resmgrd.te new file mode 100644 index 0000000..9224ad3 --- /dev/null +++ b/mls/domains/program/unused/resmgrd.te @@ -0,0 +1,25 @@ +# DESC resmgrd - resource manager daemon +# +# Author: Thomas Bleher + +daemon_base_domain(resmgrd) +var_run_domain(resmgrd, { file sock_file }) +etc_domain(resmgrd) +read_locale(resmgrd_t) +allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio }; + +allow resmgrd_t etc_t:file { getattr read }; +allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; +allow resmgrd_t self:unix_dgram_socket create_socket_perms; + +# hardware access +allow resmgrd_t device_t:lnk_file { getattr read }; +# not sure if it needs write access, needs to be investigated further... +allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write }; +allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write }; +allow resmgrd_t scanner_device_t:chr_file { getattr }; +# I think a dontaudit should be enough there +dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read }; + +# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te + diff --git a/mls/domains/program/unused/rhgb.te b/mls/domains/program/unused/rhgb.te new file mode 100644 index 0000000..5d176e9 --- /dev/null +++ b/mls/domains/program/unused/rhgb.te @@ -0,0 +1,100 @@ +#DESC rhgb - Red Hat Graphical Boot +# +# Author: Russell Coker +# Depends: xdm.te gnome-pty-helper.te xserver.te + +daemon_base_domain(rhgb) + +allow rhgb_t { bin_t sbin_t }:dir search; +allow rhgb_t bin_t:lnk_file read; + +domain_auto_trans(rhgb_t, shell_exec_t, initrc_t) +domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t) +can_exec(rhgb_t, { bin_t sbin_t gph_exec_t }) + +allow rhgb_t self:unix_stream_socket create_stream_socket_perms; +allow rhgb_t self:fifo_file rw_file_perms; + +# for gnome-pty-helper +gph_domain(rhgb, system) +allow initrc_t rhgb_gph_t:fd use; + +allow rhgb_t proc_t:file { getattr read }; + +allow rhgb_t devtty_t:chr_file { read write }; +allow rhgb_t tty_device_t:chr_file rw_file_perms; + +read_locale(rhgb_t) +allow rhgb_t { etc_t etc_runtime_t }:file { getattr read }; + +# for ramfs file systems +allow rhgb_t ramfs_t:dir { setattr rw_dir_perms }; +allow rhgb_t ramfs_t:sock_file create_file_perms; +allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms; +allow insmod_t ramfs_t:file write; +allow insmod_t rhgb_t:fd use; + +allow rhgb_t ramfs_t:filesystem { mount unmount }; +allow rhgb_t mnt_t:dir { search mounton }; +allow rhgb_t self:capability { sys_admin sys_tty_config }; +dontaudit rhgb_t var_run_t:dir search; + +can_network_client(rhgb_t) +allow rhgb_t port_type:tcp_socket name_connect; +can_ypbind(rhgb_t) + +allow rhgb_t usr_t:{ file lnk_file } { getattr read }; + +# for running setxkbmap +r_dir_file(rhgb_t, xkb_var_lib_t) + +# for localization +allow rhgb_t lib_t:file { getattr read }; + +allow rhgb_t initctl_t:fifo_file write; + +ifdef(`hide_broken_symptoms', ` +# it should not do this +dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +')dnl end hide_broken_symptoms + +can_create_pty(rhgb) + +allow rhgb_t self:shm create_shm_perms; +allow xdm_xserver_t rhgb_t:shm rw_shm_perms; + +can_unix_connect(initrc_t, rhgb_t) +tmpfs_domain(rhgb) +allow xdm_xserver_t rhgb_tmpfs_t:file { read write }; + +read_fonts(rhgb_t) + +# for nscd +dontaudit rhgb_t var_t:dir search; + +ifdef(`hide_broken_symptoms', ` +# for a bug in the X server +dontaudit insmod_t xdm_xserver_t:tcp_socket { read write }; +dontaudit insmod_t serial_device:chr_file { read write }; +dontaudit mount_t rhgb_gph_t:fd use; +dontaudit mount_t rhgb_t:unix_stream_socket { read write }; +dontaudit mount_t ptmx_t:chr_file { read write }; +')dnl end hide_broken_symptoms + +ifdef(`firstboot.te', ` +allow rhgb_t firstboot_rw_t:file r_file_perms; +') +allow rhgb_t tmp_t:dir search; +allow rhgb_t xdm_xserver_t:process sigkill; +allow domain rhgb_devpts_t:chr_file { read write }; +ifdef(`fsadm.te', ` +dontaudit fsadm_t ramfs_t:fifo_file write; +') +allow rhgb_t xdm_xserver_tmp_t:file { getattr read }; +dontaudit rhgb_t default_t:file read; + +allow initrc_t ramfs_t:dir search; +allow initrc_t ramfs_t:sock_file write; +allow initrc_t rhgb_t:unix_stream_socket { read write }; + +allow rhgb_t default_t:file { getattr read }; diff --git a/mls/domains/program/unused/rssh.te b/mls/domains/program/unused/rssh.te new file mode 100644 index 0000000..73bab4a --- /dev/null +++ b/mls/domains/program/unused/rssh.te @@ -0,0 +1,13 @@ +#DESC Rssh - Restricted (scp/sftp) only shell +# +# Authors: Colin Walters +# X-Debian-Package: rssh +# + +type rssh_exec_t, file_type, sysadmfile, exec_type; + +ifdef(`ssh.te',` +allow sshd_t rssh_exec_t:file r_file_perms; +') + +# See rssh_macros.te for the rest. diff --git a/mls/domains/program/unused/scannerdaemon.te b/mls/domains/program/unused/scannerdaemon.te new file mode 100644 index 0000000..6245e8b --- /dev/null +++ b/mls/domains/program/unused/scannerdaemon.te @@ -0,0 +1,58 @@ +#DESC Scannerdaemon - Virus scanner daemon +# +# Author: Brian May +# X-Debian-Packages: +# + +################################# +# +# Rules for the scannerdaemon_t domain. +# +type scannerdaemon_etc_t, file_type, sysadmfile; + +#networking +daemon_domain(scannerdaemon) +can_network_server(scannerdaemon_t) +ifdef(`postfix.te', +`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);') + +# for testing +can_tcp_connect(sysadm_t,scannerdaemon_t) + +# Can create unix sockets +allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms; + +# Access config files (libc6). +allow scannerdaemon_t etc_t:file r_file_perms; +allow scannerdaemon_t etc_t:lnk_file r_file_perms; +allow scannerdaemon_t proc_t:file r_file_perms; +allow scannerdaemon_t etc_runtime_t:file r_file_perms; + +# Access config files (scannerdaemon). +allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms; + +# Access signature files. +ifdef(`oav-update.te',` +allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms; +allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms; +') + +log_domain(scannerdaemon) +ifdef(`logrotate.te', ` +allow logrotate_t scannerdaemon_log_t:file create_file_perms; +') + +# Can run kaffe +# Run helper programs. +can_exec_any(scannerdaemon_t) +allow scannerdaemon_t var_lib_t:dir search; +allow scannerdaemon_t { sbin_t bin_t }:dir search; +allow scannerdaemon_t bin_t:lnk_file read; + +# unknown stuff +allow scannerdaemon_t self:fifo_file { read write }; + +# broken stuff +dontaudit scannerdaemon_t sysadm_home_dir_t:dir search; +dontaudit scannerdaemon_t devtty_t:chr_file { read write }; +dontaudit scannerdaemon_t shadow_t:file { read getattr }; diff --git a/mls/domains/program/unused/snort.te b/mls/domains/program/unused/snort.te new file mode 100644 index 0000000..24188f6 --- /dev/null +++ b/mls/domains/program/unused/snort.te @@ -0,0 +1,33 @@ +#DESC Snort - Network sniffer +# +# Author: Shaun Savage +# Modified by Russell Coker +# X-Debian-Packages: snort-common +# + +daemon_domain(snort) + +logdir_domain(snort) +allow snort_t snort_log_t:dir create; +can_network_server(snort_t) +type snort_etc_t, file_type, sysadmfile; + +# Create temporary files. +tmp_domain(snort) + +# use iptable netlink +allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow snort_t self:packet_socket create_socket_perms; +allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; + +r_dir_file(snort_t, snort_etc_t) +allow snort_t etc_t:file { getattr read }; +allow snort_t etc_t:lnk_file read; + +allow snort_t self:unix_dgram_socket create_socket_perms; +allow snort_t self:unix_stream_socket create_socket_perms; + +# for start script +allow initrc_t snort_etc_t:file { getattr read }; + +dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read }; diff --git a/mls/domains/program/unused/sound-server.te b/mls/domains/program/unused/sound-server.te new file mode 100644 index 0000000..c84a1fa --- /dev/null +++ b/mls/domains/program/unused/sound-server.te @@ -0,0 +1,42 @@ +#DESC sound server - for network audio server programs, nasd, yiff, etc +# +# Author: Russell Coker +# + +################################# +# +# Rules for the soundd_t domain. +# +# soundd_exec_t is the type of the soundd executable. +# +daemon_domain(soundd) + +allow soundd_t soundd_port_t:tcp_socket name_bind; + +type etc_soundd_t, file_type, sysadmfile; +type soundd_state_t, file_type, sysadmfile; + +tmp_domain(soundd) +rw_dir_create_file(soundd_t, soundd_state_t) + +allow soundd_t sound_device_t:chr_file rw_file_perms; +allow soundd_t device_t:lnk_file read; + +# Use the network. +can_network_server(soundd_t) +allow soundd_t self:unix_stream_socket create_stream_socket_perms; +allow soundd_t self:unix_dgram_socket create_socket_perms; +# allow any domain to connect to the sound server +can_tcp_connect(userdomain, soundd_t) + +allow soundd_t self:process setpgid; + +# read config files +allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms; + +allow soundd_t etc_t:dir r_dir_perms; +r_dir_file(soundd_t, etc_soundd_t) + +# for yiff - probably need some rules for the client support too +allow soundd_t self:shm create_shm_perms; +tmpfs_domain(soundd) diff --git a/mls/domains/program/unused/speedmgmt.te b/mls/domains/program/unused/speedmgmt.te new file mode 100644 index 0000000..6d399fb --- /dev/null +++ b/mls/domains/program/unused/speedmgmt.te @@ -0,0 +1,26 @@ +#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem +# +# Author: Russell Coker +# + +################################# +# +# Rules for the speedmgmt_t domain. +# +# speedmgmt_exec_t is the type of the speedmgmt executable. +# +daemon_domain(speedmgmt) +tmp_domain(speedmgmt) + +# for accessing USB +allow speedmgmt_t proc_t:dir r_dir_perms; +allow speedmgmt_t usbdevfs_t:file rw_file_perms; +allow speedmgmt_t usbdevfs_t:dir r_dir_perms; + +allow speedmgmt_t usr_t:file r_file_perms; + +allow speedmgmt_t self:unix_dgram_socket create_socket_perms; + +# allow time +allow speedmgmt_t etc_t:dir r_dir_perms; +allow speedmgmt_t etc_t:lnk_file r_file_perms; diff --git a/mls/domains/program/unused/sxid.te b/mls/domains/program/unused/sxid.te new file mode 100644 index 0000000..a96c987 --- /dev/null +++ b/mls/domains/program/unused/sxid.te @@ -0,0 +1,62 @@ +#DESC Sxid - SUID/SGID program monitoring +# +# Author: Russell Coker +# X-Debian-Packages: sxid +# + +################################# +# +# Rules for the sxid_t domain. +# +# sxid_exec_t is the type of the sxid executable. +# +daemon_base_domain(sxid, `, privmail') +tmp_domain(sxid) + +allow sxid_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(sxid_exec_t, sxid_t) +') +#allow system_crond_t sxid_log_t:file create_file_perms; + +read_locale(sxid_t) + +can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t }) +allow sxid_t bin_t:lnk_file read; + +log_domain(sxid) + +allow sxid_t file_type:notdevfile_class_set getattr; +allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr; +allow sxid_t ttyfile:chr_file getattr; +allow sxid_t file_type:dir { getattr read search }; +allow sxid_t sysadmfile:file { getattr read }; +dontaudit sxid_t devpts_t:dir r_dir_perms; +allow sxid_t fs_type:dir { getattr read search }; + +# Use the network. +can_network_server(sxid_t) +allow sxid_t self:fifo_file rw_file_perms; +allow sxid_t self:unix_stream_socket create_socket_perms; + +allow sxid_t { proc_t self }:{ file lnk_file } { read getattr }; +read_sysctl(sxid_t) +allow sxid_t devtty_t:chr_file rw_file_perms; + +allow sxid_t self:capability { dac_override dac_read_search fsetid }; +dontaudit sxid_t self:capability { setuid setgid }; + +ifdef(`mta.te', ` +# sxid leaves an open file handle to /proc/mounts +dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr }; + +# allow mta to read the log files +allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read }; +# stop warnings if mailx is passed a read/write file handle +dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write; +') + +allow logrotate_t sxid_t:file { getattr write }; + +dontaudit sxid_t security_t:dir { getattr read search }; diff --git a/mls/domains/program/unused/thunderbird.te b/mls/domains/program/unused/thunderbird.te new file mode 100644 index 0000000..c640f87 --- /dev/null +++ b/mls/domains/program/unused/thunderbird.te @@ -0,0 +1,10 @@ +# DESC - Thunderbird +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type thunderbird_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/thunderbird_macros.te +bool disable_thunderbird_trans false; diff --git a/mls/domains/program/unused/tinydns.te b/mls/domains/program/unused/tinydns.te new file mode 100644 index 0000000..a911b89 --- /dev/null +++ b/mls/domains/program/unused/tinydns.te @@ -0,0 +1,58 @@ +#DESC TINYDNS - Name server for djbdns +# +# Authors: Matthew J. Fanto +# +# Based off Named policy file written by +# Yuichi Nakamura , +# Russell Coker +# X-Debian-Packages: djbdns-installer djbdns +# +# + +################################# +# +# Rules for the tinydns_t domain. +# +daemon_domain(tinydns) + +can_exec(tinydns_t, tinydns_exec_t) +allow tinydns_t sbin_t:dir search; + +allow tinydns_t self:process setsched; + +# A type for configuration files of tinydns. +type tinydns_conf_t, file_type, sysadmfile; + +# for primary zone files - the data file +type tinydns_zone_t, file_type, sysadmfile; + +allow tinydns_t etc_t:file { getattr read }; +allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read }; + +#tinydns can use network +can_network_server(tinydns_t) +allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind; +# allow UDP transfer to/from any program +can_udp_send(domain, tinydns_t) +can_udp_send(tinydns_t, domain) +# tinydns itself doesn't do zone transfers +# so we do not need to have it tcp_connect + +#read configuration files +r_dir_file(tinydns_t, tinydns_conf_t) + +r_dir_file(tinydns_t, tinydns_zone_t) + +# allow tinydns to create datagram sockets (udp) +# allow tinydns_t self:unix_stream_socket create_stream_socket_perms; +allow tinydns_t self:unix_dgram_socket create_socket_perms; + +# Read /dev/random. +allow tinydns_t device_t:dir r_dir_perms; +allow tinydns_t random_device_t:chr_file r_file_perms; + +# Set own capabilities. +allow tinydns_t self:process setcap; + +# for chmod in start script +dontaudit initrc_t tinydns_var_run_t:dir setattr; diff --git a/mls/domains/program/unused/transproxy.te b/mls/domains/program/unused/transproxy.te new file mode 100644 index 0000000..e34b804 --- /dev/null +++ b/mls/domains/program/unused/transproxy.te @@ -0,0 +1,36 @@ +#DESC Transproxy - Transparent proxy for web access +# +# Author: Russell Coker +# X-Debian-Packages: transproxy +# + +################################# +# +# Rules for the transproxy_t domain. +# +# transproxy_exec_t is the type of the transproxy executable. +# +daemon_domain(transproxy) + +# Use the network. +can_network_server_tcp(transproxy_t) +allow transproxy_t transproxy_port_t:tcp_socket name_bind; + +#allow transproxy_t self:fifo_file { read write }; +allow transproxy_t self:unix_stream_socket create_socket_perms; +allow transproxy_t self:unix_dgram_socket create_socket_perms; + +# Use capabilities +allow transproxy_t self:capability { setgid setuid }; +#allow transproxy_t self:process setsched; + +#allow transproxy_t proc_t:file r_file_perms; + +# read config files +allow transproxy_t etc_t:lnk_file read; +allow transproxy_t etc_t:file { read getattr }; + +#allow transproxy_t etc_t:dir r_dir_perms; + +#read_sysctl(transproxy_t) + diff --git a/mls/domains/program/unused/tripwire.te b/mls/domains/program/unused/tripwire.te new file mode 100644 index 0000000..9ee61e8 --- /dev/null +++ b/mls/domains/program/unused/tripwire.te @@ -0,0 +1,139 @@ +# DESC tripwire +# +# Author: David Hampton +# + +# NOTE: Tripwire creates temp file in its current working directory. +# This policy does not allow write access to home directories, so +# users will need to either cd to a directory where they have write +# permission, or set the TEMPDIRECTORY variable in the tripwire config +# file. The latter is preferable, as then the file_type_auto_trans +# rules will kick in and label the files as private to tripwire. + + +# Common definitions +type tripwire_report_t, file_type, sysadmfile; +etcdir_domain(tripwire) +var_lib_domain(tripwire) +tmp_domain(tripwire) + + +# Macro for defining tripwire domains +define(`tripwire_domain',` +application_domain($1, `, auth') +role system_r types $1_t; + +# Allow access to common tripwire files +allow $1_t tripwire_etc_t:file r_file_perms; +allow $1_t tripwire_etc_t:dir r_dir_perms; +allow $1_t tripwire_etc_t:lnk_file { getattr read }; +file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file) +allow $1_t tripwire_var_lib_t:dir rw_dir_perms; +file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }') + +allow $1_t self:process { fork sigchld }; +allow $1_t self:capability { setgid setuid dac_override }; + +# Tripwire needs to read all files on the system +general_proc_read_access($1_t) +allow $1_t file_type:dir { search getattr read}; +allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read}; +allow $1_t file_type:fifo_file { getattr }; +allow $1_t device_type:file { getattr read }; +allow $1_t sysctl_t:dir { getattr read }; +allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr; + +# Tripwire report files +create_dir_file($1_t, tripwire_report_t) + +# gethostid()? +allow $1_t self:unix_stream_socket { connect create }; + +# Running editor program (tripwire forks then runs bash which rins editor) +can_exec($1_t, shell_exec_t) +can_exec($1_t, bin_t) +uses_shlib($1_t) + +allow $1_t self:dir search; +allow $1_t self:file { getattr read }; +') + + +########## +########## + +# +# When run by a user +# +tripwire_domain(`tripwire') + +# Running from the command line +allow tripwire_t devpts_t:dir search; +allow tripwire_t devtty_t:chr_file { read write }; +allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms; +allow tripwire_t privfd:fd use; + + +########## +########## + +# +# When run from cron +# +tripwire_domain(`tripwire_crond') +system_crond_entry(tripwire_exec_t, tripwire_crond_t) +domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t) + +# Tripwire uses a temp file in the root home directory +#create_dir_file(tripwire_crond_t, root_t) + + +########## +# Twadmin +########## +application_domain(twadmin) +read_locale(twadmin_t) +create_dir_file(twadmin_t, tripwire_etc_t) + +allow twadmin_t sysadm_tmp_t:file { getattr read write }; + +# Running from the command line +allow twadmin_t sshd_t:fd use; +allow twadmin_t admin_tty_type:chr_file rw_file_perms; + +dontaudit twadmin_t { bin_t sbin_t }:dir search; +dontaudit twadmin_t home_root_t:dir search; +dontaudit twprint_t user_home_dir_t:dir search; + + +########## +# Twprint +########## +application_domain(twprint) +read_locale(twprint_t) +r_dir_file(twprint_t, tripwire_etc_t) +allow twprint_t { var_t var_lib_t }:dir search; +r_dir_file(twprint_t, tripwire_var_lib_t) +r_dir_file(twprint_t, tripwire_report_t) + +# Running from the command line +allow twprint_t sshd_t:fd use; +allow twprint_t admin_tty_type:chr_file rw_file_perms; + +dontaudit twprint_t { bin_t sbin_t }:dir search; +dontaudit twprint_t home_root_t:dir search; + + +########## +# Siggen +########## +application_domain(siggen, `, auth') +read_locale(siggen_t) + +# Need permission to read files +allow siggen_t file_type:dir { search getattr read}; +allow siggen_t file_type:file {getattr read}; + +# Running from the command line +allow siggen_t sshd_t:fd use; +allow siggen_t admin_tty_type:chr_file rw_file_perms; diff --git a/mls/domains/program/unused/tvtime.te b/mls/domains/program/unused/tvtime.te new file mode 100644 index 0000000..fa72021 --- /dev/null +++ b/mls/domains/program/unused/tvtime.te @@ -0,0 +1,12 @@ +#DESC tvtime - a high quality television application +# +# Domains for the tvtime program. +# Author : Dan Walsh +# +# tvtime_exec_t is the type of the tvtime executable. +# +type tvtime_exec_t, file_type, sysadmfile, exec_type; +type tvtime_dir_t, file_type, sysadmfile, pidfile; + +# Everything else is in the tvtime_domain macro in +# macros/program/tvtime_macros.te. diff --git a/mls/domains/program/unused/ucspi-tcp.te b/mls/domains/program/unused/ucspi-tcp.te new file mode 100644 index 0000000..b2eeb5c --- /dev/null +++ b/mls/domains/program/unused/ucspi-tcp.te @@ -0,0 +1,49 @@ +#DESC ucspi-tcp - TCP Server and Client Tools +# +# Author Petre Rodan +# Andy Dustman (rblsmtp-related policy) +# + +# http://cr.yp.to/ucspi-tcp.html + +daemon_base_domain(utcpserver) +can_network(utcpserver_t) + +allow utcpserver_t etc_t:file r_file_perms; +allow utcpserver_t { bin_t sbin_t var_t }:dir search; + +allow utcpserver_t self:capability { net_bind_service setgid setuid }; +allow utcpserver_t self:fifo_file { read write }; +allow utcpserver_t self:process { fork sigchld }; + +allow utcpserver_t port_t:udp_socket name_bind; + +ifdef(`qmail.te', ` +domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t) +allow utcpserver_t smtp_port_t:tcp_socket name_bind; +allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr }; +allow utcpserver_t qmail_etc_t:dir r_dir_perms; +allow utcpserver_t qmail_etc_t:file r_file_perms; +') + +daemon_base_domain(rblsmtpd) +can_network(rblsmtpd_t) + +allow rblsmtpd_t self:process { fork sigchld }; + +allow rblsmtpd_t etc_t:file r_file_perms; +allow rblsmtpd_t { bin_t var_t }:dir search; +allow rblsmtpd_t port_t:udp_socket name_bind; +allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr }; + +ifdef(`qmail.te', ` +domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t) +allow qmail_queue_t rblsmtpd_t:fd use; +') + +ifdef(`daemontools.te', ` +svc_ipc_domain(rblsmtpd_t) +') + +domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t) + diff --git a/mls/domains/program/unused/uml.te b/mls/domains/program/unused/uml.te new file mode 100644 index 0000000..75ae501 --- /dev/null +++ b/mls/domains/program/unused/uml.te @@ -0,0 +1,14 @@ + +# Author: Russell Coker +# +type uml_exec_t, file_type, sysadmfile, exec_type; +type uml_ro_t, file_type, sysadmfile; + +# the main code is in macros/program/uml_macros.te + +daemon_domain(uml_switch) +allow uml_switch_t self:unix_dgram_socket create_socket_perms; +allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; +allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms; +allow initrc_t uml_switch_var_run_t:sock_file setattr; +rw_dir_create_file(initrc_t, uml_switch_var_run_t) diff --git a/mls/domains/program/unused/uml_net.te b/mls/domains/program/unused/uml_net.te new file mode 100644 index 0000000..da3fe34 --- /dev/null +++ b/mls/domains/program/unused/uml_net.te @@ -0,0 +1,30 @@ +#DESC uml_net helper program for user-mode Linux +# +# Author: Russell Coker +# +# WARNING: Do not install this file on any machine that has hostile users. + +type uml_net_t, domain, privlog; +type uml_net_exec_t, file_type, sysadmfile, exec_type; +in_user_role(uml_net_t) +allow uml_net_t self:process { fork signal_perms }; +allow uml_net_t { bin_t sbin_t }:dir search; +allow uml_net_t self:fifo_file { read write }; +allow uml_net_t device_t:dir search; +allow uml_net_t self:udp_socket { create ioctl }; +uses_shlib(uml_net_t) +allow uml_net_t devtty_t:chr_file { read write }; +allow uml_net_t etc_runtime_t:file { getattr read }; +allow uml_net_t etc_t:file { getattr read }; +allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search; +allow uml_net_t proc_t:file { getattr read }; + +# if you want ip_forward to be set then you should set it yourself +dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search; +dontaudit uml_net_t sysctl_net_t:file write; + +dontaudit ifconfig_t uml_net_t:udp_socket { read write }; +dontaudit uml_net_t self:capability sys_module; + +allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl }; +can_exec(uml_net_t, { shell_exec_t sbin_t }) diff --git a/mls/domains/program/unused/uptimed.te b/mls/domains/program/unused/uptimed.te new file mode 100644 index 0000000..0c9b1c7 --- /dev/null +++ b/mls/domains/program/unused/uptimed.te @@ -0,0 +1,37 @@ +#DESC uptimed - a uptime daemon +# +# Author: Carsten Grohmann +# +# Date: 19. June 2003 +# + +################################# +# +# General Types +# + +type uptimed_spool_t, file_type, sysadmfile; + +################################# +# +# Rules for the uptimed_t domain. +# +daemon_domain(uptimed, `,privmail') +etc_domain(uptimed) +typealias uptimed_etc_t alias etc_uptimed_t; +file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t) +allow uptimed_t proc_t:file { getattr read }; +read_locale(uptimed_t) +allow uptimed_t uptimed_spool_t:file create_file_perms; +allow uptimed_t self:unix_dgram_socket create_socket_perms; + +# to send mail +can_exec(uptimed_t, shell_exec_t) +allow uptimed_t { bin_t sbin_t }:dir search; +allow uptimed_t bin_t:lnk_file read; +allow uptimed_t etc_runtime_t:file { getattr read }; +allow uptimed_t self:fifo_file { getattr write }; + +# rules for uprecords - it runs in the user context +allow userdomain uptimed_spool_t:dir search; +allow userdomain uptimed_spool_t:file { getattr read }; diff --git a/mls/domains/program/unused/uwimapd.te b/mls/domains/program/unused/uwimapd.te new file mode 100644 index 0000000..f1f5831 --- /dev/null +++ b/mls/domains/program/unused/uwimapd.te @@ -0,0 +1,47 @@ +#DESC uw-imapd-ssl server +# +# Author: Ed Street +# X-Debian-Packages: uw-imapd (was uw-imapd-ssl) +# Depends: inetd.te +# + +daemon_domain(imapd, `, auth_chkpwd, privhome') +tmp_domain(imapd) + +can_network_server_tcp(imapd_t) +allow imapd_t port_type:tcp_socket name_connect; + +#declare our own services +allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +allow imapd_t pop_port_t:tcp_socket name_bind; + +#declare this a socket from inetd +allow imapd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow imapd_t self:unix_stream_socket create_socket_perms; +domain_auto_trans(inetd_t, imapd_exec_t, imapd_t) +ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)') + +#friendly stuff we dont want to see :) +dontaudit imapd_t bin_t:dir search; + +#read /etc/ for hostname nsswitch.conf +allow imapd_t etc_t:file { getattr read }; + +#socket i/o stuff +allow imapd_t inetd_t:tcp_socket { read write ioctl getattr }; + +#read resolv.conf +allow imapd_t net_conf_t:file { getattr read }; + +#urandom, for ssl +allow imapd_t random_device_t:chr_file read; +allow imapd_t urandom_device_t:chr_file { read getattr }; + +allow imapd_t self:fifo_file rw_file_perms; + +#mail directory +rw_dir_file(imapd_t, mail_spool_t) + +#home directory +allow imapd_t home_root_t:dir search; +allow imapd_t self:file { read getattr }; diff --git a/mls/domains/program/unused/vmware.te b/mls/domains/program/unused/vmware.te new file mode 100644 index 0000000..fcda9b8 --- /dev/null +++ b/mls/domains/program/unused/vmware.te @@ -0,0 +1,52 @@ +#DESC VMWare - Virtual machine +# +# Domains,types and permissions for running VMWare (the program) and for +# running a SELinux system in a VMWare session (the VMWare-tools). +# +# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), +# modifications by NAI Labs. +# +# Domain is for the VMWare admin programs and daemons. +# X-Debian-Packages: +# +# NOTE: The user vmware domain is provided separately in +# macros/program/vmware_macros.te +# +# Next two domains are create by the daemon_domain() macro. +# The vmware_t domain is for running VMWare daemons +# The vmware_exec_t type is for the VMWare daemon and admin programs. +# +# quick hack making it privhome, should have a domain for each user in a macro +daemon_domain(vmware, `, privhome') + +# +# The vmware_user_exec_t type is for the user programs. +# +type vmware_user_exec_t, file_type, sysadmfile, exec_type; + +# Type for vmware devices. +type vmware_device_t, device_type, dev_fs; + +# The sys configuration used for the /etc/vmware configuration files +type vmware_sys_conf_t, file_type, sysadmfile; + +######################################################################### +# Additional rules to start/stop VMWare +# + +# Give init access to VMWare configuration files +allow initrc_t vmware_sys_conf_t:file { ioctl read append }; + +# +# Rules added to kernel_t domain for VMWare to start up +# +# VMWare need access to pcmcia devices for network +ifdef(`cardmgr.te', ` +allow kernel_t cardmgr_var_lib_t:dir { getattr search }; +allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; +') + +# Vmware create network devices +allow kernel_t self:capability net_admin; +allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow kernel_t self:socket create; diff --git a/mls/domains/program/unused/watchdog.te b/mls/domains/program/unused/watchdog.te new file mode 100644 index 0000000..01ceea8 --- /dev/null +++ b/mls/domains/program/unused/watchdog.te @@ -0,0 +1,55 @@ +#DESC Watchdog - Software watchdog daemon +# +# Author: Russell Coker +# X-Debian-Packages: watchdog +# + +################################# +# +# Rules for the watchdog_t domain. +# + +daemon_domain(watchdog, `, privmail') +type watchdog_device_t, device_type, dev_fs; + +allow watchdog_t self:process setsched; + +log_domain(watchdog) + +allow watchdog_t etc_t:file r_file_perms; +allow watchdog_t etc_t:lnk_file read; +allow watchdog_t self:unix_dgram_socket create_socket_perms; + +allow watchdog_t proc_t:file r_file_perms; + +allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource }; +allow watchdog_t self:fifo_file rw_file_perms; +allow watchdog_t self:unix_stream_socket create_socket_perms; +can_network(watchdog_t) +allow watchdog_t port_type:tcp_socket name_connect; +can_ypbind(watchdog_t) +allow watchdog_t bin_t:dir search; +allow watchdog_t bin_t:lnk_file read; +allow watchdog_t init_t:process signal; +allow watchdog_t kernel_t:process sigstop; + +allow watchdog_t watchdog_device_t:chr_file { getattr write }; + +# for orderly shutdown +can_exec(watchdog_t, shell_exec_t) +allow watchdog_t domain:process { signal_perms getsession }; +allow watchdog_t self:capability kill; +allow watchdog_t sbin_t:dir search; + +# for updating mtab on umount +file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file) + +allow watchdog_t self:capability { sys_admin net_admin sys_boot }; +allow watchdog_t fixed_disk_device_t:blk_file swapon; +allow watchdog_t { proc_t fs_t }:filesystem unmount; + +# record the fact that we are going down +allow watchdog_t wtmp_t:file append; + +# do not care about saving the random seed +dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read; diff --git a/mls/domains/program/unused/xauth.te b/mls/domains/program/unused/xauth.te new file mode 100644 index 0000000..6382d77 --- /dev/null +++ b/mls/domains/program/unused/xauth.te @@ -0,0 +1,13 @@ +#DESC Xauth - X authority file utility +# +# Domains for the xauth program. +# X-Debian-Packages: xbase-clients + +# Author: Russell Coker +# +# xauth_exec_t is the type of the xauth executable. +# +type xauth_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the xauth_domain macro in +# macros/program/xauth_macros.te. diff --git a/mls/domains/program/unused/xdm.te b/mls/domains/program/unused/xdm.te new file mode 100644 index 0000000..e3e9c8d --- /dev/null +++ b/mls/domains/program/unused/xdm.te @@ -0,0 +1,376 @@ +#DESC XDM - X Display Manager +# +# Authors: Mark Westerman mark.westerman@westcam.com +# Russell Coker +# X-Debian-Packages: gdm xdm wdm kdm +# Depends: xserver.te +# +# Some wdm-specific changes by Tom Vogt +# +# Some alterations and documentation by Stephen Smalley +# + +################################# +# +# Rules for the xdm_t domain. +# +# xdm_t is the domain of a X Display Manager process +# spawned by getty. +# xdm_exec_t is the type of the [xgkw]dm program +# +daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') + +# for running xdm from init +domain_auto_trans(init_t, xdm_exec_t, xdm_t) + +allow xdm_t xdm_var_run_t:dir setattr; + +# for xdmctl +allow xdm_t xdm_var_run_t:fifo_file create_file_perms; +allow initrc_t xdm_var_run_t:fifo_file unlink; +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) + +tmp_domain(xdm, `', `{ file dir sock_file }') +var_lib_domain(xdm) +# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open +# handle of a file inside the dir!!! +allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; +dontaudit xdm_xserver_t xdm_var_lib_t:dir search; +allow xdm_xserver_t xdm_var_run_t:file { getattr read }; +type xsession_exec_t, file_type, sysadmfile, exec_type; +type xdm_rw_etc_t, file_type, sysadmfile; +typealias xdm_rw_etc_t alias etc_xdm_t; + +allow xdm_t default_context_t:dir search; +allow xdm_t default_context_t:{ file lnk_file } { read getattr }; + +can_network(xdm_t) +allow xdm_t port_type:tcp_socket name_connect; +allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:fifo_file rw_file_perms; + +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_t xdm_xserver_t:process signal; +can_unix_connect(xdm_t, xdm_xserver_t) +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; +allow xdm_xserver_t xdm_t:process signal; +# for reboot +allow xdm_t initctl_t:fifo_file write; + +# init script wants to check if it needs to update windowmanagerlist +allow initrc_t xdm_rw_etc_t:file { getattr read }; +ifdef(`distro_suse', ` +# set permissions on /tmp/.X11-unix +allow initrc_t xdm_tmp_t:dir setattr; +') + +# +# Use capabilities. +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner }; + +allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl }; + +# Transition to user domains for user sessions. +domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) +allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; +allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; +allow unpriv_userdomain xdm_xserver_t:fd use; +allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; +allow xdm_xserver_t unpriv_userdomain:fd use; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# gnome-session creates socket under /tmp/.ICE-unix/ +allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; +allow unpriv_userdomain xdm_tmp_t:sock_file create; + +# Allow xdm logins as sysadm_r:sysadm_t +bool xdm_sysadm_login false; +if (xdm_sysadm_login) { +domain_trans(xdm_t, xsession_exec_t, sysadm_t) +allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; +allow sysadm_t xdm_xserver_t:shm r_shm_perms; +allow sysadm_t xdm_xserver_t:fd use; +allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t sysadm_t:shm rw_shm_perms; +allow xdm_xserver_t sysadm_t:fd use; +} +can_setexec(xdm_t) + +# Label pid and temporary files with derived types. +rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) +allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; + +# Run helper programs. +allow xdm_t etc_t:file { getattr read }; +allow xdm_t bin_t:dir { getattr search }; +# lib_t is for running cpp +can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) +allow xdm_t { bin_t sbin_t }:lnk_file read; +ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') +ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') +allow xdm_t xdm_xserver_t:process sigkill; +allow xdm_t xdm_xserver_tmp_t:file unlink; + +# Access devices. +allow xdm_t device_t:dir { read search }; +allow xdm_t console_device_t:chr_file setattr; +allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t framebuf_device_t:chr_file { getattr setattr }; +allow xdm_t mouse_device_t:chr_file { getattr setattr }; +allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; +allow xdm_t dri_device_t:chr_file rw_file_perms; +allow xdm_t device_t:dir rw_dir_perms; +allow xdm_t agp_device_t:chr_file rw_file_perms; +allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; +allow xdm_t v4l_device_t:chr_file { setattr getattr }; +allow xdm_t scanner_device_t:chr_file { setattr getattr }; +allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; +allow xdm_t device_t:lnk_file read; +can_resmgrd_connect(xdm_t) + +# Access xdm log files. +file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) +allow xdm_t xserver_log_t:dir rw_dir_perms; +allow xdm_t xserver_log_t:dir setattr; +# Access /var/gdm/.gdmfifo. +allow xdm_t xserver_log_t:fifo_file create_file_perms; + +allow xdm_t self:shm create_shm_perms; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; +allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; + +# Remove /tmp/.X11-unix/X0. +allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; +allow xdm_t xdm_xserver_tmp_t:sock_file unlink; + +ifdef(`gpm.te', ` +# Talk to the console mouse server. +allow xdm_t gpmctl_t:sock_file { getattr setattr write }; +allow xdm_t gpm_t:unix_stream_socket connectto; +') + +allow xdm_t sysfs_t:dir search; + +# Update utmp and wtmp. +allow xdm_t initrc_var_run_t: file { read write lock }; +allow xdm_t wtmp_t:file append; + +# Update lastlog. +allow xdm_t lastlog_t:file rw_file_perms; + +# Ask the security server for SIDs for user sessions. +can_getsecurity(xdm_t) + +tmpfs_domain(xdm) + +# Need to further investigate these permissions and +# perhaps define derived types. +allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; +allow xdm_t var_lib_t:file { create write unlink }; + +lock_domain(xdm) + +# Connect to xfs. +ifdef(`xfs.te', ` +allow xdm_t xfs_tmp_t:dir search; +allow xdm_t xfs_tmp_t:sock_file write; +can_unix_connect(xdm_t, xfs_t) +') + +allow xdm_t self:process { setpgid setsched }; +allow xdm_t etc_t:lnk_file read; +allow xdm_t etc_runtime_t:file { getattr read }; + +# wdm has its own config dir /etc/X11/wdm +# this is ugly, daemons should not create files under /etc! +allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; +allow xdm_t xdm_rw_etc_t:file create_file_perms; + +# Signal any user domain. +allow xdm_t userdomain:process signal_perms; + +allow xdm_t proc_t:file { getattr read }; + +read_sysctl(xdm_t) + +# Search /proc for any user domain processes. +allow xdm_t userdomain:dir r_dir_perms; +allow xdm_t userdomain:{ file lnk_file } r_file_perms; + +# Allow xdm access to the user domains +allow xdm_t home_root_t:dir search; +allow xdm_xserver_t home_root_t:dir search; + +# Do not audit denied attempts to access devices. +dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; +dontaudit xdm_t device_t:file_class_set rw_file_perms; +dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; +dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; +dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; +dontaudit xdm_t devpts_t:dir search; + +# Do not audit denied probes of /proc. +dontaudit xdm_t domain:dir r_dir_perms; +dontaudit xdm_t domain:{ file lnk_file } r_file_perms; + +# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... +allow xdm_t usr_t:{ lnk_file file } { getattr read }; + +# Read fonts +read_fonts(xdm_t) + +# Do not audit attempts to write to index files under /usr +dontaudit xdm_t usr_t:file write; + +# Do not audit access to /root +dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# Do not audit attempts to check whether user root has email +dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; +dontaudit xdm_t mail_spool_t:file getattr; + +# Access sound device. +allow xdm_t sound_device_t:chr_file { setattr getattr }; + +# Allow setting of attributes on power management devices. +allow xdm_t power_device_t:chr_file { getattr setattr }; + +# Run the X server in a derived domain. +xserver_domain(xdm) + +ifdef(`rhgb.te', ` +allow xdm_xserver_t ramfs_t:dir rw_dir_perms; +allow xdm_xserver_t ramfs_t:file create_file_perms; +allow rhgb_t xdm_xserver_t:process signal; +') + +# Unrestricted inheritance. +allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; + +# Run xkbcomp. +allow xdm_xserver_t var_lib_t:dir search; +allow xdm_xserver_t xkb_var_lib_t:lnk_file read; +can_exec(xdm_xserver_t, xkb_var_lib_t) + +# Insert video drivers. +allow xdm_xserver_t self:capability mknod; +allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; +domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) +allow insmod_t xserver_log_t:file write; +allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; + +# Read /proc/dri/.* +allow xdm_xserver_t proc_t:dir { search read }; + +# Search /var/run. +allow xdm_xserver_t var_run_t:dir search; + +# FIXME: After per user fonts are properly working +# xdm_xserver_t may no longer have any reason +# to read ROLE_home_t - examine this in more detail +# (xauth?) + +# Search home directories. +allow xdm_xserver_t user_home_type:dir search; +allow xdm_xserver_t user_home_type:file { getattr read }; + +if (use_nfs_home_dirs) { +allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; +allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, nfs_t) +} + +if (use_samba_home_dirs) { +allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, cifs_t) +} + +# for .dmrc +allow xdm_t user_home_dir_type:dir { getattr search }; +allow xdm_t user_home_type:file { getattr read }; + +ifdef(`support_polyinstatiation', ` +# xdm_t can polyinstantiate +polyinstantiater(xdm_t) +# xdm needs access for linking .X11-unix to poly /tmp +allow xdm_t polymember:dir { add_name remove_name write }; +allow xdm_t polymember:lnk_file { create unlink }; +# xdm needs access for copying .Xauthority into new home +allow xdm_t polymember:file { create getattr write }; +') + +allow xdm_t mnt_t:dir { getattr read search }; +# +# Wants to delete .xsession-errors file +# +allow xdm_t user_home_type:file unlink; +# +# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# +ifdef(`pam.te', ` +allow xdm_t pam_var_run_t:dir create_dir_perms; +allow xdm_t pam_var_run_t:file create_file_perms; +allow pam_t xdm_t:fifo_file { getattr ioctl write }; +domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) +can_exec(xdm_t, pam_exec_t) +# For pam_console +rw_dir_create_file(xdm_t, pam_var_console_t) +') + +# Pamconsole/alsa +ifdef(`alsa.te', ` +domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) +') dnl ifdef + +allow xdm_t var_log_t:file { getattr read }; +allow xdm_t self:capability { sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process setrlimit; +allow xdm_t wtmp_t:file { getattr read }; + +domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) +# +# Poweroff wants to create the /poweroff file when run from xdm +# +file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) + +# +# xdm tries to bind to biff_port_t +# +dontaudit xdm_t port_type:tcp_socket name_bind; + +# VNC v4 module in X server +allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; +ifdef(`crack.te', ` +allow xdm_t crack_db_t:file r_file_perms; +') +r_dir_file(xdm_t, selinux_config_t) + +# Run telinit->init to shutdown. +can_exec(xdm_t, init_exec_t) +allow xdm_t self:sem create_sem_perms; + +# Allow gdm to run gdm-binary +can_exec(xdm_t, xdm_exec_t) + +# Supress permission check on .ICE-unix +dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; + +#### Also see xdm_macros.te +ifdef(`use_mcs', ` +range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; +') diff --git a/mls/domains/program/unused/xprint.te b/mls/domains/program/unused/xprint.te new file mode 100644 index 0000000..e1af323 --- /dev/null +++ b/mls/domains/program/unused/xprint.te @@ -0,0 +1,50 @@ +#DESC X print server +# +# Author: Russell Coker +# X-Debian-Packages: xprt-xprintorg +# + +################################# +# +# Rules for the xprint_t domain. +# +# xprint_exec_t is the type of the xprint executable. +# +daemon_domain(xprint) + +allow initrc_t readable_t:dir r_dir_perms; +allow initrc_t fonts_t:dir r_dir_perms; + +allow xprint_t var_lib_t:dir search; +allow xprint_t fonts_t:dir r_dir_perms; +allow xprint_t fonts_t:file { getattr read }; + +allow xprint_t { bin_t sbin_t }:dir search; +can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t }) +allow xprint_t bin_t:lnk_file { getattr read }; + +allow xprint_t tmp_t:dir { getattr search }; +ifdef(`xdm.te', ` +allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms; +allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms; +') + +# Use the network. +can_network_server(xprint_t) +can_ypbind(xprint_t) +allow xprint_t self:fifo_file rw_file_perms; +allow xprint_t self:unix_stream_socket create_stream_socket_perms; + +allow xprint_t proc_t:file { getattr read }; +allow xprint_t self:file { getattr read }; + +# read config files +allow xprint_t { etc_t etc_runtime_t }:file { getattr read }; +ifdef(`cups.te', ` +allow xprint_t cupsd_etc_t:dir search; +allow xprint_t cupsd_etc_t:file { getattr read }; +') + +r_dir_file(xprint_t, usr_t) + +allow xprint_t urandom_device_t:chr_file { getattr read }; diff --git a/mls/domains/program/unused/xserver.te b/mls/domains/program/unused/xserver.te new file mode 100644 index 0000000..cc2c493 --- /dev/null +++ b/mls/domains/program/unused/xserver.te @@ -0,0 +1,20 @@ +#DESC XServer - X Server +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: xserver-common xserver-xfree86 +# + +# Type for the executable used to start the X server, e.g. Xwrapper. +type xserver_exec_t, file_type, sysadmfile, exec_type; + +# Type for the X server log file. +type xserver_log_t, file_type, sysadmfile, logfile; + +# type for /var/lib/xkb +type xkb_var_lib_t, file_type, sysadmfile, usercanread; +typealias xkb_var_lib_t alias var_lib_xkb_t; + +# Everything else is in the xserver_domain macro in +# macros/program/xserver_macros.te. + +allow initrc_t xserver_log_t:fifo_file { read write }; diff --git a/mls/domains/program/unused/yam.te b/mls/domains/program/unused/yam.te new file mode 100644 index 0000000..da85a8c --- /dev/null +++ b/mls/domains/program/unused/yam.te @@ -0,0 +1,149 @@ +# DESC yam - Yum/Apt Mirroring +# +# Author: David Hampton +# + + +# +# Yam downloads lots of files, indexes them, and makes them available +# for upload. Define a type for these file. +# +type yam_content_t, file_type, sysadmfile, httpdcontent; + + +# +# Common definitions used by both the command line and the cron +# invocation of yam. +# +define(`yam_common',` + +# Update the content being managed by yam. +create_dir_file($1_t, yam_content_t) + +# Content can also be on ISO image files. +r_dir_file($1_t, iso9660_t) + +# Need to go through /var to get to /var/yam +# Go through /var/www to get to /var/www/yam +allow $1_t var_t:dir { getattr search }; +allow $1_t httpd_sys_content_t:dir { getattr search }; + +# Allow access to locale database, nsswitch, and mtab +read_locale($1_t) +allow $1_t etc_t:file { getattr read }; +allow $1_t etc_runtime_t:file { getattr read }; + +# Python seems to need things from various places +allow $1_t { bin_t sbin_t }:dir { search getattr }; +allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read }; +allow $1_t bin_t:lnk_file read; + +# Python works fine without reading /proc/meminfo +dontaudit $1_t proc_t:dir search; +dontaudit $1_t proc_t:file { getattr read }; + +# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter +# two here. Run rsync and lftp in the yam_t context so that we dont +# have to give any other programs write access to the yam_t files. +general_domain_access($1_t) +can_exec($1_t, shell_exec_t) +can_exec($1_t, rsync_exec_t) +can_exec($1_t, bin_t) +can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py +ifdef(`mount.te', ` +domain_auto_trans($1_t, mount_exec_t, mount_t) +') + +# Rsync and lftp need to network. They also set files attributes to +# match whats on the remote server. +can_network_client($1_t) +allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect; +allow $1_t self:capability { chown fowner fsetid dac_override }; +allow $1_t self:process execmem; + +# access to sysctl_kernel_t ( proc/sys/kernel/* ) +read_sysctl($1_t) + +# Programs invoked to build package lists need various permissions. +# genpkglist creates tmp files in /var/cache/apt/genpkglist +allow $1_t var_t:file { getattr read write }; +allow $1_t var_t:dir read; +# mktemp +allow $1_t urandom_device_t:chr_file read; +# mv +allow $1_t proc_t:lnk_file read; +allow $1_t selinux_config_t:dir search; +allow $1_t selinux_config_t:file { getattr read }; +') + + +########## +########## + +# +# Runnig yam from the command line +# +application_domain(yam, `, nscd_client_domain') +role system_r types yam_t; +yam_common(yam) +etc_domain(yam) +tmp_domain(yam) + +# Terminal access +allow yam_t devpts_t:dir search; +allow yam_t devtty_t:chr_file { read write }; +allow yam_t sshd_t:fd use; +allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write }; + +# Reading dotfiles... +allow yam_t sysadm_home_dir_t:dir search; # /root +allow yam_t sysadm_home_t:dir search; # /root/xxx +allow yam_t home_root_t:dir search; # /home +allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user + + +########## +########## + +# +# Running yam from cron +# +application_domain(yam_crond, `, nscd_client_domain') +role system_r types yam_crond_t; +ifdef(`crond.te', ` +system_crond_entry(yam_exec_t, yam_crond_t) +') + +yam_common(yam_crond) +allow yam_crond_t yam_etc_t:file r_file_perms; +file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }') + +allow yam_crond_t devtty_t:chr_file { read write }; + +# Reading dotfiles... +# LFTP uses a directory for its dotfiles +allow yam_crond_t default_t:dir search; + +# Don't know why init tries to read this. +allow initrc_t yam_etc_t:file { getattr read }; + + +########## +########## + +# The whole point of this program is to make updates available on a +# local web server. Allow apache access to these files. +ifdef(`apache.te', ` +r_dir_file(httpd_t, yam_content_t) +') + +ifdef(`webalizer.te', ` +dontaudit webalizer_t yam_content_t:dir search; +') + +# Mount needs access to the yam directories in order to mount the ISO +# files on a loobpack file system. +ifdef(`mount.te', ` +allow mount_t yam_content_t:dir mounton; +allow mount_t yam_content_t:file { read write }; +') diff --git a/mls/domains/program/updfstab.te b/mls/domains/program/updfstab.te new file mode 100644 index 0000000..82edf3d --- /dev/null +++ b/mls/domains/program/updfstab.te @@ -0,0 +1,81 @@ +#DESC updfstab - Red Hat utility to change /etc/fstab +# +# Author: Russell Coker +# + +daemon_base_domain(updfstab, `, fs_domain, etc_writer') + +rw_dir_create_file(updfstab_t, etc_t) +create_dir_file(updfstab_t, mnt_t) + +# Read /dev directories and modify sym-links +allow updfstab_t device_t:dir rw_dir_perms; +allow updfstab_t device_t:lnk_file create_file_perms; + +# Access disk devices. +allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms; +allow updfstab_t removable_device_t:blk_file rw_file_perms; +allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms; + +# for /proc/partitions +allow updfstab_t proc_t:file { getattr read }; + +# for /proc/self/mounts +r_dir_file(updfstab_t, self) + +# for /etc/mtab +allow updfstab_t etc_runtime_t:file { getattr read }; + +read_locale(updfstab_t) + +ifdef(`dbusd.te', ` +dbusd_client(system, updfstab) +allow updfstab_t system_dbusd_t:dbus { send_msg }; +allow initrc_t updfstab_t:dbus send_msg; +allow updfstab_t initrc_t:dbus send_msg; +') + +# not sure what the sysctl_kernel_t file is, or why it wants to write it, so +# I will not allow it +read_sysctl(updfstab_t) +dontaudit updfstab_t sysctl_kernel_t:file write; +allow updfstab_t modules_conf_t:file { getattr read }; +allow updfstab_t sbin_t:dir search; +allow updfstab_t sbin_t:lnk_file read; +allow updfstab_t { var_t var_log_t }:dir search; + +allow updfstab_t kernel_t:fd use; + +allow updfstab_t self:unix_stream_socket create_stream_socket_perms; +allow updfstab_t self:unix_dgram_socket create_socket_perms; + +ifdef(`modutil.te', ` +dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t) +can_exec(updfstab_t, insmod_exec_t) +allow updfstab_t modules_object_t:dir search; +allow updfstab_t modules_dep_t:file { getattr read }; +') + +ifdef(`pamconsole.te', ` +domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t) +') +allow updfstab_t kernel_t:system syslog_console; +allow updfstab_t sysadm_tty_device_t:chr_file { read write }; +allow updfstab_t self:capability dac_override; +dontaudit updfstab_t self:capability sys_admin; + +r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } ) +can_getsecurity(updfstab_t) + +allow updfstab_t { sbin_t bin_t }:dir { search getattr }; +dontaudit updfstab_t devtty_t:chr_file { read write }; +allow updfstab_t self:fifo_file { getattr read write ioctl }; +can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } ) +dontaudit updfstab_t home_root_t:dir { getattr search }; +dontaudit updfstab_t { home_dir_type home_type }:dir search; +allow updfstab_t fs_t:filesystem { getattr }; +allow updfstab_t tmpfs_t:dir getattr; +ifdef(`hald.te', ` +can_unix_connect(updfstab_t, hald_t) +') + diff --git a/mls/domains/program/usbmodules.te b/mls/domains/program/usbmodules.te new file mode 100644 index 0000000..f76f56b --- /dev/null +++ b/mls/domains/program/usbmodules.te @@ -0,0 +1,35 @@ +#DESC USBModules - List kernel modules for USB devices +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the usbmodules_t domain. +# +type usbmodules_t, domain, privlog; +type usbmodules_exec_t, file_type, sysadmfile, exec_type; + +in_user_role(usbmodules_t) +role sysadm_r types usbmodules_t; +role system_r types usbmodules_t; + +domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t) +ifdef(`hotplug.te',` +domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t) +allow usbmodules_t hotplug_etc_t:file r_file_perms; +allow usbmodules_t hotplug_etc_t:dir search; +') +allow usbmodules_t init_t:fd use; +allow usbmodules_t console_device_t:chr_file { read write }; + +uses_shlib(usbmodules_t) + +# allow usb device access +allow usbmodules_t usbdevfs_t:file rw_file_perms; + +allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms; + +# needs etc_t read access for the hotplug config, maybe should have a new type +allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms; diff --git a/mls/domains/program/useradd.te b/mls/domains/program/useradd.te new file mode 100644 index 0000000..1df38af --- /dev/null +++ b/mls/domains/program/useradd.te @@ -0,0 +1,108 @@ +#DESC Useradd - Manage system user accounts +# +# Authors: Chris Vance David Caplan +# Russell Coker +# X-Debian-Packages: passwd +# + +################################# +# +# Rules for the useradd_t and groupadd_t domains. +# +# useradd_t is the domain of the useradd/userdel programs. +# groupadd_t is for adding groups (can not create home dirs) +# +define(`user_group_add_program', ` +type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain; +role sysadm_r types $1_t; +role system_r types $1_t; + +general_domain_access($1_t) +uses_shlib($1_t) + +type $1_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +domain_auto_trans(initrc_t, $1_exec_t, $1_t) + +# Use capabilities. +allow $1_t self:capability { dac_override chown kill }; + +# Allow access to context for shadow file +can_getsecurity($1_t) + +# Inherit and use descriptors from login. +allow $1_t { init_t privfd }:fd use; + +# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. +allow $1_t { bin_t sbin_t }:dir r_dir_perms; +can_exec($1_t, { bin_t sbin_t }) + +# Update /etc/shadow and /etc/passwd +file_type_auto_trans($1_t, etc_t, shadow_t, file) +allow $1_t etc_t:file create_file_perms; + +# some apps ask for these accesses, but seems to work regardless +dontaudit $1_t var_run_t:dir search; +r_dir_file($1_t, selinux_config_t) + +# Set fscreate context. +can_setfscreate($1_t) + +allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; + +read_locale($1_t) + +# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, +# but will operate without them. +dontaudit $1_t { device_t var_t var_log_t }:dir search; + +# For userdel and groupadd +allow $1_t fs_t:filesystem getattr; + +# Access terminals. +allow $1_t ttyfile:chr_file rw_file_perms; +allow $1_t ptyfile:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +# for when /root is the cwd +dontaudit $1_t sysadm_home_dir_t:dir search; +nsswitch_domain($1_t) + +allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; +') +user_group_add_program(useradd) +allow useradd_t lastlog_t:file { getattr read write }; + +# for getting the number of groups +read_sysctl(useradd_t) + +# Add/remove user home directories +file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) +file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) + +# create/delete mail spool file in /var/mail +allow useradd_t var_spool_t:dir search; +allow useradd_t mail_spool_t:dir { search write add_name remove_name }; +allow useradd_t mail_spool_t:file create_file_perms; +# /var/mail is a link to /var/spool/mail +allow useradd_t mail_spool_t:lnk_file read; + +allow useradd_t self:capability { fowner fsetid setuid sys_resource }; +can_exec(useradd_t, shell_exec_t) + +# /usr/bin/userdel locks the user being deleted, allow write access to utmp +allow useradd_t initrc_var_run_t:file { read write lock }; + +user_group_add_program(groupadd) + +dontaudit groupadd_t self:capability fsetid; + +allow groupadd_t self:capability { setuid sys_resource }; +allow groupadd_t self:process setrlimit; +allow groupadd_t initrc_var_run_t:file r_file_perms; +dontaudit groupadd_t initrc_var_run_t:file write; + +allow useradd_t default_context_t:dir search; +allow useradd_t file_context_t:dir search; +allow useradd_t file_context_t:file { getattr read }; +allow useradd_t var_lib_t:dir search; diff --git a/mls/domains/program/userhelper.te b/mls/domains/program/userhelper.te new file mode 100644 index 0000000..cab6c70 --- /dev/null +++ b/mls/domains/program/userhelper.te @@ -0,0 +1,22 @@ +#DESC Userhelper - SELinux utility to run a shell with a new role +# +# Authors: Dan Walsh (Red Hat) +# Maintained by Dan Walsh +# + +################################# +# +# Rules for the userhelper_t domain. +# +# userhelper_exec_t is the type of the userhelper executable. +# userhelper_conf_t is the type of the userhelper configuration files. +# +type userhelper_exec_t, file_type, exec_type, sysadmfile; +type userhelper_conf_t, file_type, sysadmfile; + +# Everything else is in the userhelper_domain macro in +# macros/program/userhelper_macros.te. + +ifdef(`xdm.te', ` +dontaudit xdm_t userhelper_conf_t:dir search; +') diff --git a/mls/domains/program/usernetctl.te b/mls/domains/program/usernetctl.te new file mode 100644 index 0000000..6a2c64f --- /dev/null +++ b/mls/domains/program/usernetctl.te @@ -0,0 +1,64 @@ +#DESC usernetctl - User network interface configuration helper +# +# Author: Colin Walters + +type usernetctl_exec_t, file_type, sysadmfile, exec_type; + +type usernetctl_t, domain, privfd; + +if (user_net_control) { +domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t) +} else { +can_exec(userdomain, usernetctl_exec_t) +} +in_user_role(usernetctl_t) +role sysadm_r types usernetctl_t; + +define(`usernetctl_transition',` +domain_auto_trans(usernetctl_t, $1_exec_t, $1_t) +in_user_role($1_t) +allow $1_t userpty_type:chr_file { getattr read write }; +') + +ifdef(`ifconfig.te',` +usernetctl_transition(ifconfig) +') +ifdef(`iptables.te',` +usernetctl_transition(iptables) +') +ifdef(`dhcpc.te',` +usernetctl_transition(dhcpc) +allow usernetctl_t dhcp_etc_t:file ra_file_perms; +') +ifdef(`modutil.te',` +usernetctl_transition(insmod) +') +ifdef(`consoletype.te',` +usernetctl_transition(consoletype) +') +ifdef(`hostname.te',` +usernetctl_transition(hostname) +') + +allow usernetctl_t self:capability { setuid setgid dac_override }; + +base_file_read_access(usernetctl_t) +base_pty_perms(usernetctl) +allow usernetctl_t devtty_t:chr_file rw_file_perms; +uses_shlib(usernetctl_t) +read_locale(usernetctl_t) +general_domain_access(usernetctl_t) + +r_dir_file(usernetctl_t, proc_t) +dontaudit usernetctl_t { domain - usernetctl_t }:dir search; + +allow usernetctl_t userpty_type:chr_file rw_file_perms; + +can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t}) +can_exec(usernetctl_t, etc_t) + +r_dir_file(usernetctl_t, etc_t) +allow usernetctl_t { var_t var_run_t }:dir { getattr read search }; +allow usernetctl_t etc_runtime_t:file r_file_perms; +allow usernetctl_t net_conf_t:file r_file_perms; + diff --git a/mls/domains/program/utempter.te b/mls/domains/program/utempter.te new file mode 100644 index 0000000..92b443f --- /dev/null +++ b/mls/domains/program/utempter.te @@ -0,0 +1,51 @@ +#DESC Utempter - Privileged helper for utmp/wtmp updates +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: +# + +################################# +# +# Rules for the utempter_t domain. +# +# This is the domain for the utempter program. utempter is +# executed by xterm to update utmp and wtmp. +# utempter_exec_t is the type of the utempter binary. +# +type utempter_t, domain, nscd_client_domain; +in_user_role(utempter_t) +role sysadm_r types utempter_t; +uses_shlib(utempter_t) +type utempter_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(userdomain, utempter_exec_t, utempter_t) + +allow utempter_t urandom_device_t:chr_file { getattr read }; + +# Use capabilities. +allow utempter_t self:capability setgid; + +allow utempter_t etc_t:file { getattr read }; + +# Update /var/run/utmp and /var/log/wtmp. +allow utempter_t initrc_var_run_t:file rw_file_perms; +allow utempter_t var_log_t:dir search; +allow utempter_t wtmp_t:file rw_file_perms; + +# dontaudit access to /dev/ptmx. +dontaudit utempter_t ptmx_t:chr_file rw_file_perms; +dontaudit utempter_t sysadm_devpts_t:chr_file { read write }; + +# Allow utemper to write to /tmp/.xses-* +allow utempter_t user_tmpfile:file { getattr write append }; + +# Inherit and use descriptors from login. +allow utempter_t privfd:fd use; +ifdef(`xdm.te', `can_pipe_xdm(utempter_t)') + +allow utempter_t self:unix_stream_socket create_stream_socket_perms; + +# Access terminals. +allow utempter_t ttyfile:chr_file getattr; +allow utempter_t ptyfile:chr_file getattr; +allow utempter_t devpts_t:dir search; +dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write }; diff --git a/mls/domains/program/uucpd.te b/mls/domains/program/uucpd.te new file mode 100644 index 0000000..05791bd --- /dev/null +++ b/mls/domains/program/uucpd.te @@ -0,0 +1,24 @@ +#DESC uucpd - UUCP file transfer daemon +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the uucpd_t domain. +# +# uucpd_exec_t is the type of the uucpd executable. +# + +inetd_child_domain(uucpd, tcp) +type uucpd_rw_t, file_type, sysadmfile; +type uucpd_ro_t, file_type, sysadmfile; +type uucpd_spool_t, file_type, sysadmfile; +create_dir_file(uucpd_t, uucpd_rw_t) +r_dir_file(uucpd_t, uucpd_ro_t) +allow uucpd_t sbin_t:dir search; +can_exec(uucpd_t, sbin_t) +logdir_domain(uucpd) +allow uucpd_t var_spool_t:dir search; +create_dir_file(uucpd_t, uucpd_spool_t) diff --git a/mls/domains/program/vpnc.te b/mls/domains/program/vpnc.te new file mode 100644 index 0000000..01ddac1 --- /dev/null +++ b/mls/domains/program/vpnc.te @@ -0,0 +1,62 @@ +#DESC vpnc +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the vpnc_t domain, et al. +# +# vpnc_t is the domain for the vpnc program. +# vpnc_exec_t is the type of the vpnc executable. +# +application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain') + +allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read }; + +# Use the network. +can_network(vpnc_t) +allow vpnc_t port_type:tcp_socket name_connect; +allow vpnc_t isakmp_port_t:udp_socket name_bind; + +can_ypbind(vpnc_t) +allow vpnc_t self:socket create_socket_perms; + +# Use capabilities. +allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw }; + +allow vpnc_t devpts_t:dir search; +allow vpnc_t etc_t:file { getattr read }; +allow vpnc_t tun_tap_device_t:chr_file { ioctl read write }; +allow vpnc_t self:rawip_socket create_socket_perms; +allow vpnc_t self:unix_dgram_socket create_socket_perms; +allow vpnc_t self:unix_stream_socket create_socket_perms; +allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms; +allow vpnc_t port_t:udp_socket name_bind; +allow vpnc_t etc_runtime_t:file { getattr read }; +allow vpnc_t proc_t:file { getattr read }; +dontaudit vpnc_t selinux_config_t:dir search; +can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t }) +allow vpnc_t sysctl_net_t:dir search; +allow vpnc_t sysctl_net_t:file write; +allow vpnc_t sbin_t:dir search; +allow vpnc_t bin_t:dir search; +allow vpnc_t bin_t:lnk_file read; +allow vpnc_t self:dir search; +r_dir_file(vpnc_t, proc_t) +r_dir_file(vpnc_t, proc_net_t) +tmp_domain(vpnc) +allow vpnc_t self:fifo_file { getattr ioctl read write }; +allow vpnc_t self:file { getattr read }; +allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; +file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file) +allow vpnc_t etc_t:file { execute execute_no_trans ioctl }; +dontaudit vpnc_t home_root_t:dir search; +dontaudit vpnc_t user_home_dir_type:dir search; +var_run_domain(vpnc) +allow vpnc_t userdomain:fd use; +r_dir_file(vpnc_t, sysfs_t) +allow vpnc_t self:process { fork sigchld }; +read_locale(vpnc_t) +read_sysctl(vpnc_t) +allow vpnc_t fs_t:filesystem getattr; diff --git a/mls/domains/program/webalizer.te b/mls/domains/program/webalizer.te new file mode 100644 index 0000000..c1f38bd --- /dev/null +++ b/mls/domains/program/webalizer.te @@ -0,0 +1,51 @@ +# DESC webalizer - webalizer +# +# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp) +# +# Depends: apache.te + +application_domain(webalizer, `, nscd_client_domain') +# to use from cron +system_crond_entry(webalizer_exec_t,webalizer_t) +role system_r types webalizer_t; + +##type definision +# type for usage file +type webalizer_usage_t,file_type,sysadmfile; +# type for /var/lib/webalizer +type webalizer_write_t,file_type,sysadmfile; +# type for webalizer.conf +etc_domain(webalizer) + +#read apache log +allow webalizer_t var_log_t:dir r_dir_perms; +r_dir_file(webalizer_t, httpd_log_t) +ifdef(`ftpd.te', ` +allow webalizer_t xferlog_t:file { getattr read }; +') + +#r/w /var/lib/webalizer +var_lib_domain(webalizer) + +#read /var/www/usage +create_dir_file(webalizer_t, httpd_sys_content_t) + +#read system files under /etc +allow webalizer_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale(webalizer_t) + +# can use tmp file +tmp_domain(webalizer) + +# can read /proc +read_sysctl(webalizer_t) +allow webalizer_t proc_t:dir search; +allow webalizer_t proc_t:file r_file_perms; + +# network +can_network_server(webalizer_t) + +#process communication inside webalizer itself +general_domain_access(webalizer_t) + +allow webalizer_t self:capability dac_override; diff --git a/mls/domains/program/winbind.te b/mls/domains/program/winbind.te new file mode 100644 index 0000000..7b9e5e9 --- /dev/null +++ b/mls/domains/program/winbind.te @@ -0,0 +1,50 @@ +#DESC winbind - Name Service Switch daemon for resolving names from NT servers +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for winbind +# + +daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain') +log_domain(winbind) +tmp_domain(winbind) +allow winbind_t etc_t:file r_file_perms; +allow winbind_t etc_t:lnk_file read; +can_network(winbind_t) +allow winbind_t smbd_port_t:tcp_socket name_connect; +can_resolve(winbind_t) + +ifdef(`samba.te', `', ` +type samba_etc_t, file_type, sysadmfile, usercanread; +type samba_log_t, file_type, sysadmfile, logfile; +type samba_var_t, file_type, sysadmfile; +type samba_secrets_t, file_type, sysadmfile; +') +file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file) +rw_dir_create_file(winbind_t, samba_log_t) +allow winbind_t samba_secrets_t:file rw_file_perms; +allow winbind_t self:unix_dgram_socket create_socket_perms; +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t urandom_device_t:chr_file { getattr read }; +allow winbind_t self:fifo_file { read write }; +rw_dir_create_file(winbind_t, samba_var_t) +can_kerberos(winbind_t) +allow winbind_t self:netlink_route_socket r_netlink_socket_perms; +allow winbind_t winbind_var_run_t:sock_file create_file_perms; +allow initrc_t winbind_var_run_t:file r_file_perms; + +application_domain(winbind_helper, `, nscd_client_domain') +role system_r types winbind_helper_t; +access_terminal(winbind_helper_t, sysadm) +read_locale(winbind_helper_t) +r_dir_file(winbind_helper_t, samba_etc_t) +r_dir_file(winbind_t, samba_etc_t) +allow winbind_helper_t self:unix_dgram_socket create_socket_perms; +allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_helper_t samba_var_t:dir search; +allow winbind_helper_t winbind_var_run_t:dir r_dir_perms; +can_winbind(winbind_helper_t) +allow winbind_helper_t privfd:fd use; diff --git a/mls/domains/program/xfs.te b/mls/domains/program/xfs.te new file mode 100644 index 0000000..04302cd --- /dev/null +++ b/mls/domains/program/xfs.te @@ -0,0 +1,49 @@ +#DESC XFS - X Font Server +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: xfs +# + +################################# +# +# Rules for the xfs_t domain. +# +# xfs_t is the domain of the X font server. +# xfs_exec_t is the type of the xfs executable. +# +daemon_domain(xfs) + +# for /tmp/.font-unix/fs7100 +ifdef(`distro_debian', ` +type xfs_tmp_t, file_type, sysadmfile, tmpfile; +allow xfs_t tmp_t:dir search; +file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file) +', ` +tmp_domain(xfs, `', `{dir sock_file}') +') + +allow xfs_t { etc_t etc_runtime_t }:file { getattr read }; +allow xfs_t proc_t:file { getattr read }; + +allow xfs_t self:process setpgid; +can_ypbind(xfs_t) + +# Use capabilities. +allow xfs_t self:capability { setgid setuid }; + +# Bind to /tmp/.font-unix/fs-1. +allow xfs_t xfs_tmp_t:unix_stream_socket name_bind; +allow xfs_t self:unix_stream_socket create_stream_socket_perms; +allow xfs_t self:unix_dgram_socket create_socket_perms; + +# Read fonts +read_fonts(xfs_t) + +# Unlink the xfs socket. +allow initrc_t xfs_tmp_t:dir rw_dir_perms; +allow initrc_t xfs_tmp_t:dir rmdir; +allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; +allow initrc_t fonts_t:dir create_dir_perms; +allow initrc_t fonts_t:file create_file_perms; + diff --git a/mls/domains/program/ypbind.te b/mls/domains/program/ypbind.te new file mode 100644 index 0000000..ed7c3f8 --- /dev/null +++ b/mls/domains/program/ypbind.te @@ -0,0 +1,44 @@ +#DESC Ypbind - NIS/YP +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: nis +# Depends: portmap.te named.te +# + +################################# +# +# Rules for the ypbind_t domain. +# +daemon_domain(ypbind) + +tmp_domain(ypbind) + +# Use capabilities. +allow ypbind_t self:capability { net_bind_service }; +dontaudit ypbind_t self:capability net_admin; + +# Use the network. +can_network(ypbind_t) +allow ypbind_t port_type:tcp_socket name_connect; +allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind; + +allow ypbind_t self:fifo_file rw_file_perms; + +read_sysctl(ypbind_t) + +# Send to portmap and initrc. +can_udp_send(ypbind_t, portmap_t) +can_udp_send(ypbind_t, initrc_t) + +# Read and write /var/yp. +allow ypbind_t var_yp_t:dir rw_dir_perms; +allow ypbind_t var_yp_t:file create_file_perms; +allow initrc_t var_yp_t:dir { getattr read }; +allow ypbind_t etc_t:file { getattr read }; +allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; +allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; +allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_udp_send(initrc_t, ypbind_t) + diff --git a/mls/domains/program/yppasswdd.te b/mls/domains/program/yppasswdd.te new file mode 100644 index 0000000..b7588a2 --- /dev/null +++ b/mls/domains/program/yppasswdd.te @@ -0,0 +1,40 @@ +#DESC yppassdd - NIS password update daemon +# +# Authors: Dan Walsh +# Depends: portmap.te +# + +################################# +# +# Rules for the yppasswdd_t domain. +# +daemon_domain(yppasswdd, `, auth_write, privowner') + +# Use capabilities. +allow yppasswdd_t self:capability { net_bind_service }; + +# Use the network. +can_network_server(yppasswdd_t) + +read_sysctl(yppasswdd_t) + +# Send to portmap and initrc. +can_udp_send(yppasswdd_t, portmap_t) +can_udp_send(yppasswdd_t, initrc_t) + +allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; + +allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read }; +allow yppasswdd_t self:unix_dgram_socket create_socket_perms; +allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; +file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file) +allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto }; +can_setfscreate(yppasswdd_t) +allow yppasswdd_t proc_t:file getattr; +allow yppasswdd_t { bin_t sbin_t }:dir search; +allow yppasswdd_t bin_t:lnk_file read; +can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t }) +allow yppasswdd_t self:fifo_file rw_file_perms; +rw_dir_create_file(yppasswdd_t, var_yp_t) diff --git a/mls/domains/program/ypserv.te b/mls/domains/program/ypserv.te new file mode 100644 index 0000000..b9d95fb --- /dev/null +++ b/mls/domains/program/ypserv.te @@ -0,0 +1,50 @@ +#DESC Ypserv - NIS/YP +# +# Authors: Dan Walsh +# Depends: portmap.te +# + +################################# +# +# Rules for the ypserv_t domain. +# +daemon_domain(ypserv) + +tmp_domain(ypserv) + +# Use capabilities. +allow ypserv_t self:capability { net_bind_service }; + +# Use the network. +can_network_server(ypserv_t) + +allow ypserv_t self:fifo_file rw_file_perms; + +read_sysctl(ypserv_t) + +# Send to portmap and initrc. +can_udp_send(ypserv_t, portmap_t) +can_udp_send(ypserv_t, initrc_t) + +type ypserv_conf_t, file_type, sysadmfile; + +# Read and write /var/yp. +allow ypserv_t var_yp_t:dir rw_dir_perms; +allow ypserv_t var_yp_t:file create_file_perms; +allow ypserv_t ypserv_conf_t:file { getattr read }; +allow ypserv_t self:unix_dgram_socket create_socket_perms; +allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +ifdef(`rpcd.te', ` +allow rpcd_t ypserv_conf_t:file { getattr read }; +') +allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_exec(ypserv_t, bin_t) + +application_domain(ypxfr, `, nscd_client_domain') +can_network_client(ypxfr_t) +allow ypxfr_t etc_t:file { getattr read }; +allow ypxfr_t portmap_port_t:tcp_socket name_connect; +allow ypxfr_t reserved_port_t:tcp_socket name_connect; +dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect; +allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; diff --git a/mls/domains/program/zebra.te b/mls/domains/program/zebra.te new file mode 100644 index 0000000..0cf4e24 --- /dev/null +++ b/mls/domains/program/zebra.te @@ -0,0 +1,32 @@ +#DESC Zebra - BGP server +# +# Author: Russell Coker +# X-Debian-Packages: zebra +# + +daemon_domain(zebra, `, sysctl_net_writer') +type zebra_conf_t, file_type, sysadmfile; +r_dir_file({ initrc_t zebra_t }, zebra_conf_t) + +can_network_server(zebra_t) +can_ypbind(zebra_t) +allow zebra_t { etc_t etc_runtime_t }:file { getattr read }; + +allow zebra_t self:process setcap; +allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw }; +file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file) + +logdir_domain(zebra) + +# /tmp/.bgpd is such a bad idea! +tmp_domain(zebra, `', sock_file) + +allow zebra_t self:unix_dgram_socket create_socket_perms; +allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow zebra_t self:rawip_socket create_socket_perms; +allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; +allow zebra_t zebra_port_t:tcp_socket name_bind; + +allow zebra_t proc_t:file { getattr read }; +allow zebra_t { sysctl_t sysctl_net_t }:dir search; +allow zebra_t sysctl_net_t:file rw_file_perms; diff --git a/mls/domains/user.te b/mls/domains/user.te new file mode 100644 index 0000000..d86e5d4 --- /dev/null +++ b/mls/domains/user.te @@ -0,0 +1,108 @@ +#DESC User - Domains for ordinary users. +# +################################# + +# Booleans for user domains. + +# Allow applications to read untrusted content +# If this is disallowed, Internet content has +# to be manually relabeled for read access to be granted +bool read_untrusted_content false; + +# Allow applications to write untrusted content +# If this is disallowed, no Internet content +# will be stored. +bool write_untrusted_content false; + +# Allow users to read system messages. +bool user_dmesg false; + +# Support NFS home directories +bool use_nfs_home_dirs false; + +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. +bool allow_execmem false; + +# Allow making the stack executable via mprotect. +# Also requires allow_execmem. +bool allow_execstack false; + +# Allow making a modified private file mapping executable (text relocation). +bool allow_execmod false; + +# Support SAMBA home directories +bool use_samba_home_dirs false; + +# Allow users to run TCP servers (bind to ports and accept connection from +# the same domain and outside users) disabling this forces FTP passive mode +# and may change other protocols +bool user_tcp_server false; + +# Allow system to run with NIS +bool allow_ypbind false; + +# Allow system to run with kerberos +bool allow_kerberos false; + +# Allow users to rw usb devices +bool user_rw_usb false; + +# Allow users to control network interfaces (also needs USERCTL=true) +bool user_net_control false; + +# Allow regular users direct mouse access +bool user_direct_mouse false; + +# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) +bool user_rw_noexattrfile false; + +# Allow reading of default_t files. +bool read_default_t false; + +# Allow staff_r users to search the sysadm home dir and read +# files (such as ~/.bashrc) +bool staff_read_sysadm_file false; + + +full_user_role(user) + +ifdef(`user_canbe_sysadm', ` +reach_sysadm(user) +role_tty_type_change(user, sysadm) +') + +# Do not add any rules referring to user_t to this file! That will break +# support for multiple user roles. + +# a role for staff that allows seeing all domains and control over the user_t +# domain +full_user_role(staff) + +priv_user(staff) +# if adding new user roles make sure you edit the in_user_role macro in +# macros/user_macros.te to match + +# lots of user programs accidentally search /root, and also the admin often +# logs in as UID=0 domain=user_t... +dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; + +# +# Allow the user roles to transition +# into each other. +role_tty_type_change(sysadm, user) +role_tty_type_change(staff, sysadm) +role_tty_type_change(sysadm, staff) +role_tty_type_change(sysadm, secadm) +role_tty_type_change(staff, secadm) + +# "ps aux" and "ls -l /dev/pts" make too much noise without this +dontaudit unpriv_userdomain ptyfile:chr_file getattr; + +# to allow w to display everyone... +bool user_ttyfile_stat false; + +if (user_ttyfile_stat) { +allow userdomain ttyfile:chr_file getattr; +} + diff --git a/mls/file_contexts/distros.fc b/mls/file_contexts/distros.fc new file mode 100644 index 0000000..33c7f5e --- /dev/null +++ b/mls/file_contexts/distros.fc @@ -0,0 +1,164 @@ +ifdef(`distro_redhat', ` +/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0 +/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0 +/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0 +/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0 +/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0 +/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0 +/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0 +/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0 +/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0 +/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0 +/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0 +/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0 +/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0 +/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0 +/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0 +/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0 +/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0 +/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0 +/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0 +/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0 +/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0 +/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0 +/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0 +/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0 +# +# /emul/ia32-linux/usr +# +/emul(/.*)? system_u:object_r:usr_t:s0 +/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0 +/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0 +/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0 +/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0 +/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0 +/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0 +# /emul/ia32-linux/lib +/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0 +/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0 +# /emul/ia32-linux/bin +/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0 +# /emul/ia32-linux/sbin +/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0 + +ifdef(`dbusd.te', `', ` +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0 +') + +# The following are libraries with text relocations in need of execmod permissions +# Some of them should be fixed and removed from this list + +# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv +# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php +/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0 +/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0 +/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0 + +# Fedora Extras packages: ladspa, imlib2, ocaml +/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0 + +# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame +/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0 + +# Flash plugin, Macromedia +HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0 + +# Jai, Sun Microsystems (Jpackage SPRM) +/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0 + +# Java, Sun Microsystems (JPackage SRPM) +/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0 + +/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0 +/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0 +') + +ifdef(`distro_suse', ` +/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0 +/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0 +/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0 +/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/success -- system_u:object_r:etc_runtime_t:s0 +/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0 +') diff --git a/mls/file_contexts/homedir_template b/mls/file_contexts/homedir_template new file mode 100644 index 0000000..6c7695a --- /dev/null +++ b/mls/file_contexts/homedir_template @@ -0,0 +1,21 @@ +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each users home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each users role when role != user_r, and to "user" otherwise. +HOME_ROOT -d system_u:object_r:home_root_t:s0 +HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255 +HOME_DIR/.+ <> +HOME_ROOT/\.journal <> +HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +HOME_ROOT/lost\+found/.* <> +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0 +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t:s0 +HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t:s0 +/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t:s0 +/tmp/orbit-USER(-.*)?/linc.* -s <> +/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t:s0 +HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t:s0 +HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t:s0 +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t:s0 +HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0 diff --git a/mls/file_contexts/program/NetworkManager.fc b/mls/file_contexts/program/NetworkManager.fc new file mode 100644 index 0000000..cb57584 --- /dev/null +++ b/mls/file_contexts/program/NetworkManager.fc @@ -0,0 +1,2 @@ +# NetworkManager +/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t:s0 diff --git a/mls/file_contexts/program/acct.fc b/mls/file_contexts/program/acct.fc new file mode 100644 index 0000000..78622bd --- /dev/null +++ b/mls/file_contexts/program/acct.fc @@ -0,0 +1,5 @@ +# berkeley process accounting +/sbin/accton -- system_u:object_r:acct_exec_t:s0 +/usr/sbin/accton -- system_u:object_r:acct_exec_t:s0 +/var/account(/.*)? system_u:object_r:acct_data_t:s0 +/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0 diff --git a/mls/file_contexts/program/afs.fc b/mls/file_contexts/program/afs.fc new file mode 100644 index 0000000..fb49f33 --- /dev/null +++ b/mls/file_contexts/program/afs.fc @@ -0,0 +1,20 @@ +# afs +/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t +/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t +/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t +/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t +/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t +/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t +/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t + +/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t +/usr/afs/etc(/.*)? system_u:object_r:afs_config_t +/usr/afs/local(/.*)? system_u:object_r:afs_config_t +/usr/afs/db -d system_u:object_r:afs_dbdir_t +/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t +/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t +/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t + +/vicepa system_u:object_r:afs_files_t +/vicepb system_u:object_r:afs_files_t +/vicepc system_u:object_r:afs_files_t diff --git a/mls/file_contexts/program/alsa.fc b/mls/file_contexts/program/alsa.fc new file mode 100644 index 0000000..ce56849 --- /dev/null +++ b/mls/file_contexts/program/alsa.fc @@ -0,0 +1,3 @@ +#DESC ainit - configuration tool for ALSA +/usr/bin/ainit -- system_u:object_r:alsa_exec_t:s0 +/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t:s0 diff --git a/mls/file_contexts/program/amanda.fc b/mls/file_contexts/program/amanda.fc new file mode 100644 index 0000000..917b41a --- /dev/null +++ b/mls/file_contexts/program/amanda.fc @@ -0,0 +1,70 @@ +# +# Author: Carsten Grohmann +# + +# amanda +/etc/amanda(/.*)? system_u:object_r:amanda_config_t:s0 +/etc/amanda/.*/tapelist(/.*)? system_u:object_r:amanda_data_t:s0 +/etc/amandates system_u:object_r:amanda_amandates_t:s0 +/etc/dumpdates system_u:object_r:amanda_dumpdates_t:s0 +/root/restore -d system_u:object_r:amanda_recover_dir_t:s0 +/tmp/amanda(/.*)? system_u:object_r:amanda_tmp_t:s0 +/usr/lib(64)?/amanda -d system_u:object_r:amanda_usr_lib_t:s0 +/usr/lib(64)?/amanda/amandad -- system_u:object_r:amanda_inetd_exec_t:s0 +/usr/lib(64)?/amanda/amcat\.awk -- system_u:object_r:amanda_script_exec_t:s0 +/usr/lib(64)?/amanda/amcleanupdisk -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/amidxtaped -- system_u:object_r:amanda_inetd_exec_t:s0 +/usr/lib(64)?/amanda/amindexd -- system_u:object_r:amanda_inetd_exec_t:s0 +/usr/lib(64)?/amanda/amlogroll -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/amplot\.awk -- system_u:object_r:amanda_script_exec_t:s0 +/usr/lib(64)?/amanda/amplot\.g -- system_u:object_r:amanda_script_exec_t:s0 +/usr/lib(64)?/amanda/amplot\.gp -- system_u:object_r:amanda_script_exec_t:s0 +/usr/lib(64)?/amanda/amtrmidx -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/amtrmlog -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/calcsize -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-chio -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-chs -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-manual -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-mtx -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-multi -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-rth -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-scsi -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/chg-zd-mtx -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/driver -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/dumper -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/killpgrp -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/patch-system -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/planner -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/rundump -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/runtar -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/selfcheck -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/sendbackup -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/sendsize -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/taper -- system_u:object_r:amanda_exec_t:s0 +/usr/lib(64)?/amanda/versionsuffix -- system_u:object_r:amanda_exec_t:s0 +/usr/sbin/amadmin -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amcheck -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amcheckdb -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amcleanup -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amdump -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amflush -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amgetconf -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amlabel -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amoverview -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amplot -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amrecover -- system_u:object_r:amanda_recover_exec_t:s0 +/usr/sbin/amreport -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amrestore -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amrmtape -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amstatus -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amtape -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amtoc -- system_u:object_r:amanda_user_exec_t:s0 +/usr/sbin/amverify -- system_u:object_r:amanda_user_exec_t:s0 +/var/lib/amanda -d system_u:object_r:amanda_var_lib_t:s0 +/var/lib/amanda/\.amandahosts -- system_u:object_r:amanda_config_t:s0 +/var/lib/amanda/\.bashrc -- system_u:object_r:amanda_shellconfig_t:s0 +/var/lib/amanda/\.profile -- system_u:object_r:amanda_shellconfig_t:s0 +/var/lib/amanda/disklist -- system_u:object_r:amanda_data_t:s0 +/var/lib/amanda/gnutar-lists(/.*)? system_u:object_r:amanda_gnutarlists_t:s0 +/var/lib/amanda/index system_u:object_r:amanda_data_t:s0 +/var/log/amanda(/.*)? system_u:object_r:amanda_log_t:s0 diff --git a/mls/file_contexts/program/amavis.fc b/mls/file_contexts/program/amavis.fc new file mode 100644 index 0000000..366da33 --- /dev/null +++ b/mls/file_contexts/program/amavis.fc @@ -0,0 +1,8 @@ +# amavis +/usr/sbin/amavisd.* -- system_u:object_r:amavisd_exec_t +/etc/amavisd\.conf -- system_u:object_r:amavisd_etc_t +/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t +/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t +/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t +/var/amavis(/.*)? system_u:object_r:amavisd_lib_t +/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t diff --git a/mls/file_contexts/program/anaconda.fc b/mls/file_contexts/program/anaconda.fc new file mode 100644 index 0000000..a0cbc0e --- /dev/null +++ b/mls/file_contexts/program/anaconda.fc @@ -0,0 +1,5 @@ +# +# Anaconda file context +# currently anaconda does not have any file context since it is started during install +# This is a placeholder to stop makefile from complaining +# diff --git a/mls/file_contexts/program/apache.fc b/mls/file_contexts/program/apache.fc new file mode 100644 index 0000000..a3bf8f4 --- /dev/null +++ b/mls/file_contexts/program/apache.fc @@ -0,0 +1,61 @@ +# apache +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0 +/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 +/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 +/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 +/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t:s0 +/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0 +/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t:s0 +/var/cache/mason(/.*)? system_u:object_r:httpd_cache_t:s0 +/var/cache/rt3(/.*)? system_u:object_r:httpd_cache_t:s0 +/etc/httpd -d system_u:object_r:httpd_config_t:s0 +/etc/httpd/conf.* system_u:object_r:httpd_config_t:s0 +/etc/httpd/logs system_u:object_r:httpd_log_t:s0 +/etc/httpd/modules system_u:object_r:httpd_modules_t:s0 +/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t:s0 +/etc/vhosts -- system_u:object_r:httpd_config_t:s0 +/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t:s0 +/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t:s0 +/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t:s0 +/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t:s0 +/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t:s0 +/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t:s0 +/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0 +/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0 +/var/log/httpd(/.*)? system_u:object_r:httpd_log_t:s0 +/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t:s0 +/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t:s0 +/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t:s0 +/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t:s0 +/var/run/apache.* system_u:object_r:httpd_var_run_t:s0 +/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t:s0 +/var/lib/dav(/.*)? system_u:object_r:httpd_var_lib_t:s0 +/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t:s0 +/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t:s0 +/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t:s0 +/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t:s0 +/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t:s0 +/var/run/gcache_port -s system_u:object_r:httpd_var_run_t:s0 +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? system_u:object_r:httpd_log_t:s0 +') +ifdef(`distro_suse', ` +# suse puts shell scripts there :-( +/usr/share/apache2/[^/]* -- system_u:object_r:bin_t:s0 +/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t:s0 +') +/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t:s0 +/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t:s0 +/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t:s0 +/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t:s0 +ifdef(`targeted_policy', `', ` +/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t:s0 +') +/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t:s0 + diff --git a/mls/file_contexts/program/apmd.fc b/mls/file_contexts/program/apmd.fc new file mode 100644 index 0000000..6554b52 --- /dev/null +++ b/mls/file_contexts/program/apmd.fc @@ -0,0 +1,14 @@ +# apmd +/usr/sbin/apmd -- system_u:object_r:apmd_exec_t:s0 +/usr/sbin/acpid -- system_u:object_r:apmd_exec_t:s0 +/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t:s0 +/usr/bin/apm -- system_u:object_r:apm_exec_t:s0 +/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t:s0 +/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t:s0 +/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t:s0 +/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t:s0 +/var/log/acpid -- system_u:object_r:apmd_log_t:s0 +ifdef(`distro_suse', ` +/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t:s0 +') + diff --git a/mls/file_contexts/program/arpwatch.fc b/mls/file_contexts/program/arpwatch.fc new file mode 100644 index 0000000..4869940 --- /dev/null +++ b/mls/file_contexts/program/arpwatch.fc @@ -0,0 +1,4 @@ +# arpwatch - keep track of ethernet/ip address pairings +/usr/sbin/arpwatch -- system_u:object_r:arpwatch_exec_t:s0 +/var/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0 +/var/lib/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0 diff --git a/mls/file_contexts/program/asterisk.fc b/mls/file_contexts/program/asterisk.fc new file mode 100644 index 0000000..6f4eb4b --- /dev/null +++ b/mls/file_contexts/program/asterisk.fc @@ -0,0 +1,7 @@ +# asterisk +/usr/sbin/asterisk -- system_u:object_r:asterisk_exec_t +/var/run/asterisk(/.*)? system_u:object_r:asterisk_var_run_t +/etc/asterisk(/.*)? system_u:object_r:asterisk_etc_t +/var/log/asterisk(/.*)? system_u:object_r:asterisk_log_t +/var/lib/asterisk(/.*)? system_u:object_r:asterisk_var_lib_t +/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t diff --git a/mls/file_contexts/program/audio-entropyd.fc b/mls/file_contexts/program/audio-entropyd.fc new file mode 100644 index 0000000..a8f616a --- /dev/null +++ b/mls/file_contexts/program/audio-entropyd.fc @@ -0,0 +1 @@ +/usr/sbin/audio-entropyd -- system_u:object_r:entropyd_exec_t diff --git a/mls/file_contexts/program/auditd.fc b/mls/file_contexts/program/auditd.fc new file mode 100644 index 0000000..d01ff76 --- /dev/null +++ b/mls/file_contexts/program/auditd.fc @@ -0,0 +1,8 @@ +# auditd +/sbin/auditctl -- system_u:object_r:auditctl_exec_t:s0 +/sbin/auditd -- system_u:object_r:auditd_exec_t:s0 +/var/log/audit.log -- system_u:object_r:auditd_log_t:s15:c0.c255 +/var/log/audit(/.*)? system_u:object_r:auditd_log_t:s15:c0.c255 +/etc/auditd.conf -- system_u:object_r:auditd_etc_t:s0 +/etc/audit.rules -- system_u:object_r:auditd_etc_t:s0 + diff --git a/mls/file_contexts/program/authbind.fc b/mls/file_contexts/program/authbind.fc new file mode 100644 index 0000000..9fed63e --- /dev/null +++ b/mls/file_contexts/program/authbind.fc @@ -0,0 +1,3 @@ +# authbind +/etc/authbind(/.*)? system_u:object_r:authbind_etc_t +/usr/lib(64)?/authbind/helper -- system_u:object_r:authbind_exec_t diff --git a/mls/file_contexts/program/automount.fc b/mls/file_contexts/program/automount.fc new file mode 100644 index 0000000..8952107 --- /dev/null +++ b/mls/file_contexts/program/automount.fc @@ -0,0 +1,5 @@ +# automount +/usr/sbin/automount -- system_u:object_r:automount_exec_t:s0 +/etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t:s0 +/var/run/autofs(/.*)? system_u:object_r:automount_var_run_t:s0 +/etc/auto\..+ -- system_u:object_r:automount_etc_t:s0 diff --git a/mls/file_contexts/program/avahi.fc b/mls/file_contexts/program/avahi.fc new file mode 100644 index 0000000..fa6e00e --- /dev/null +++ b/mls/file_contexts/program/avahi.fc @@ -0,0 +1,4 @@ +#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture +/usr/sbin/avahi-daemon -- system_u:object_r:avahi_exec_t:s0 +/usr/sbin/avahi-dnsconfd -- system_u:object_r:avahi_exec_t:s0 +/var/run/avahi-daemon(/.*)? system_u:object_r:avahi_var_run_t:s0 diff --git a/mls/file_contexts/program/backup.fc b/mls/file_contexts/program/backup.fc new file mode 100644 index 0000000..ed82809 --- /dev/null +++ b/mls/file_contexts/program/backup.fc @@ -0,0 +1,6 @@ +# backup +# label programs that do backups to other files on disk (IE a cron job that +# calls tar) in backup_exec_t and label the directory for storing them as +# backup_store_t, Debian uses /var/backups +#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t +/var/backups(/.*)? system_u:object_r:backup_store_t diff --git a/mls/file_contexts/program/bluetooth.fc b/mls/file_contexts/program/bluetooth.fc new file mode 100644 index 0000000..6c5aac3 --- /dev/null +++ b/mls/file_contexts/program/bluetooth.fc @@ -0,0 +1,11 @@ +# bluetooth +/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t:s0 +/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t:s0 +/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t:s0 +/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t:s0 +/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t:s0 +/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t:s0 +/var/run/sdp -s system_u:object_r:bluetooth_var_run_t:s0 +/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t:s0 +/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t:s0 +/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t:s0 diff --git a/mls/file_contexts/program/bonobo.fc b/mls/file_contexts/program/bonobo.fc new file mode 100644 index 0000000..23d2214 --- /dev/null +++ b/mls/file_contexts/program/bonobo.fc @@ -0,0 +1 @@ +/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t:s0 diff --git a/mls/file_contexts/program/bootloader.fc b/mls/file_contexts/program/bootloader.fc new file mode 100644 index 0000000..bce2ff8 --- /dev/null +++ b/mls/file_contexts/program/bootloader.fc @@ -0,0 +1,11 @@ +# bootloader +/etc/lilo\.conf.* -- system_u:object_r:bootloader_etc_t:s0 +/initrd\.img.* -l system_u:object_r:boot_t:s0 +/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0 +/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0 +/vmlinuz.* -l system_u:object_r:boot_t:s0 +/usr/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t:s0 +/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t:s0 +/etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t:s0 +/sbin/ybin.* -- system_u:object_r:bootloader_exec_t:s0 +/etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t:s0 diff --git a/mls/file_contexts/program/calamaris.fc b/mls/file_contexts/program/calamaris.fc new file mode 100644 index 0000000..36d8c87 --- /dev/null +++ b/mls/file_contexts/program/calamaris.fc @@ -0,0 +1,4 @@ +# squid +/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t +/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t +/var/log/calamaris(/.*)? system_u:object_r:calamaris_log_t diff --git a/mls/file_contexts/program/canna.fc b/mls/file_contexts/program/canna.fc new file mode 100644 index 0000000..aada263 --- /dev/null +++ b/mls/file_contexts/program/canna.fc @@ -0,0 +1,12 @@ +# canna.fc +/usr/sbin/cannaserver -- system_u:object_r:canna_exec_t:s0 +/usr/sbin/jserver -- system_u:object_r:canna_exec_t:s0 +/usr/bin/cannaping -- system_u:object_r:canna_exec_t:s0 +/usr/bin/catdic -- system_u:object_r:canna_exec_t:s0 +/var/log/canna(/.*)? system_u:object_r:canna_log_t:s0 +/var/log/wnn(/.*)? system_u:object_r:canna_log_t:s0 +/var/lib/canna/dic(/.*)? system_u:object_r:canna_var_lib_t:s0 +/var/lib/wnn/dic(/.*)? system_u:object_r:canna_var_lib_t:s0 +/var/run/\.iroha_unix -d system_u:object_r:canna_var_run_t:s0 +/var/run/\.iroha_unix/.* -s system_u:object_r:canna_var_run_t:s0 +/var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t:s0 diff --git a/mls/file_contexts/program/cardmgr.fc b/mls/file_contexts/program/cardmgr.fc new file mode 100644 index 0000000..1dc5187 --- /dev/null +++ b/mls/file_contexts/program/cardmgr.fc @@ -0,0 +1,7 @@ +# cardmgr +/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t:s0 +/sbin/cardctl -- system_u:object_r:cardctl_exec_t:s0 +/var/run/stab -- system_u:object_r:cardmgr_var_run_t:s0 +/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t:s0 +/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t:s0 +/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t:s0 diff --git a/mls/file_contexts/program/cdrecord.fc b/mls/file_contexts/program/cdrecord.fc new file mode 100644 index 0000000..c29a00c --- /dev/null +++ b/mls/file_contexts/program/cdrecord.fc @@ -0,0 +1,3 @@ +# cdrecord +/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t:s0 + diff --git a/mls/file_contexts/program/certwatch.fc b/mls/file_contexts/program/certwatch.fc new file mode 100644 index 0000000..8c955ee --- /dev/null +++ b/mls/file_contexts/program/certwatch.fc @@ -0,0 +1,3 @@ +# certwatch.fc +/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t:s0 + diff --git a/mls/file_contexts/program/checkpolicy.fc b/mls/file_contexts/program/checkpolicy.fc new file mode 100644 index 0000000..dddeecf --- /dev/null +++ b/mls/file_contexts/program/checkpolicy.fc @@ -0,0 +1,2 @@ +# checkpolicy +/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t:s0 diff --git a/mls/file_contexts/program/chkpwd.fc b/mls/file_contexts/program/chkpwd.fc new file mode 100644 index 0000000..5f253f7 --- /dev/null +++ b/mls/file_contexts/program/chkpwd.fc @@ -0,0 +1,6 @@ +# chkpwd +/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t:s0 +/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0 +ifdef(`distro_suse', ` +/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t:s0 +') diff --git a/mls/file_contexts/program/chroot.fc b/mls/file_contexts/program/chroot.fc new file mode 100644 index 0000000..a23cd81 --- /dev/null +++ b/mls/file_contexts/program/chroot.fc @@ -0,0 +1 @@ +/usr/sbin/chroot -- system_u:object_r:chroot_exec_t:s0 diff --git a/mls/file_contexts/program/ciped.fc b/mls/file_contexts/program/ciped.fc new file mode 100644 index 0000000..e3a12a1 --- /dev/null +++ b/mls/file_contexts/program/ciped.fc @@ -0,0 +1,3 @@ +/usr/sbin/ciped.* -- system_u:object_r:ciped_exec_t +/etc/cipe/ip-up.* -- system_u:object_r:bin_t +/etc/cipe/ip-down.* -- system_u:object_r:bin_t diff --git a/mls/file_contexts/program/clamav.fc b/mls/file_contexts/program/clamav.fc new file mode 100644 index 0000000..90c898c --- /dev/null +++ b/mls/file_contexts/program/clamav.fc @@ -0,0 +1,15 @@ +# clamscan +/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t +/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t +/usr/sbin/clamav-freshclam-handledaemon -- system_u:object_r:freshclam_exec_t +/usr/sbin/clamd -- system_u:object_r:clamd_exec_t +/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t +/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t +/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t +/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t +/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t +/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t +/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t +/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t +/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t +/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t diff --git a/mls/file_contexts/program/clockspeed.fc b/mls/file_contexts/program/clockspeed.fc new file mode 100644 index 0000000..e00cd56 --- /dev/null +++ b/mls/file_contexts/program/clockspeed.fc @@ -0,0 +1,11 @@ +# clockspeed +/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t +/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t +/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t +/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t +/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t +/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t +/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t + +/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t + diff --git a/mls/file_contexts/program/compat.fc b/mls/file_contexts/program/compat.fc new file mode 100644 index 0000000..d64b892 --- /dev/null +++ b/mls/file_contexts/program/compat.fc @@ -0,0 +1,66 @@ +ifdef(`setfiles.te', `', ` +# setfiles +/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t +') + +ifdef(`mount.te', `', ` +# mount +/bin/mount.* -- system_u:object_r:mount_exec_t +/bin/umount.* -- system_u:object_r:mount_exec_t +') +ifdef(`loadkeys.te', `', ` +# loadkeys +/bin/unikeys -- system_u:object_r:loadkeys_exec_t +/bin/loadkeys -- system_u:object_r:loadkeys_exec_t +') +ifdef(`dmesg.te', `', ` +# dmesg +/bin/dmesg -- system_u:object_r:dmesg_exec_t +') +ifdef(`fsadm.te', `', ` +# fs admin utilities +/sbin/fsck.* -- system_u:object_r:fsadm_exec_t +/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t +/sbin/e2fsck -- system_u:object_r:fsadm_exec_t +/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t +/sbin/dosfsck -- system_u:object_r:fsadm_exec_t +/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t +/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t +/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t +/sbin/e2label -- system_u:object_r:fsadm_exec_t +/sbin/findfs -- system_u:object_r:fsadm_exec_t +/sbin/mkfs -- system_u:object_r:fsadm_exec_t +/sbin/mke2fs -- system_u:object_r:fsadm_exec_t +/sbin/mkswap -- system_u:object_r:fsadm_exec_t +/sbin/scsi_info -- system_u:object_r:fsadm_exec_t +/sbin/sfdisk -- system_u:object_r:fsadm_exec_t +/sbin/cfdisk -- system_u:object_r:fsadm_exec_t +/sbin/fdisk -- system_u:object_r:fsadm_exec_t +/sbin/parted -- system_u:object_r:fsadm_exec_t +/sbin/tune2fs -- system_u:object_r:fsadm_exec_t +/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t +/sbin/swapon.* -- system_u:object_r:fsadm_exec_t +/sbin/hdparm -- system_u:object_r:fsadm_exec_t +/sbin/raidstart -- system_u:object_r:fsadm_exec_t +/sbin/mkraid -- system_u:object_r:fsadm_exec_t +/sbin/dmraid -- system_u:object_r:fsadm_exec_t +/sbin/blockdev -- system_u:object_r:fsadm_exec_t +/sbin/losetup.* -- system_u:object_r:fsadm_exec_t +/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t +/sbin/lsraid -- system_u:object_r:fsadm_exec_t +/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t +/sbin/install-mbr -- system_u:object_r:fsadm_exec_t +/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t +/usr/bin/raw -- system_u:object_r:fsadm_exec_t +/sbin/partx -- system_u:object_r:fsadm_exec_t +/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t +/sbin/partprobe -- system_u:object_r:fsadm_exec_t +') +ifdef(`lvm.te', `', ` +/sbin/lvm.static -- system_u:object_r:lvm_exec_t +') +ifdef(`kudzu.te', `', ` +# kudzu +/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t +/sbin/kmodule -- system_u:object_r:kudzu_exec_t +') diff --git a/mls/file_contexts/program/comsat.fc b/mls/file_contexts/program/comsat.fc new file mode 100644 index 0000000..3704901 --- /dev/null +++ b/mls/file_contexts/program/comsat.fc @@ -0,0 +1,2 @@ +# biff server +/usr/sbin/in\.comsat -- system_u:object_r:comsat_exec_t:s0 diff --git a/mls/file_contexts/program/consoletype.fc b/mls/file_contexts/program/consoletype.fc new file mode 100644 index 0000000..1258f57 --- /dev/null +++ b/mls/file_contexts/program/consoletype.fc @@ -0,0 +1,2 @@ +# consoletype +/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0 diff --git a/mls/file_contexts/program/courier.fc b/mls/file_contexts/program/courier.fc new file mode 100644 index 0000000..16f6adb --- /dev/null +++ b/mls/file_contexts/program/courier.fc @@ -0,0 +1,18 @@ +# courier pop, imap, and webmail +/usr/lib(64)?/courier(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/courier/rootcerts(/.*)? system_u:object_r:courier_etc_t +/usr/lib(64)?/courier/authlib/.* -- system_u:object_r:courier_authdaemon_exec_t +/usr/lib(64)?/courier/courier/.* -- system_u:object_r:courier_exec_t +/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/courier/pcpd -- system_u:object_r:courier_pcp_exec_t +/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t +/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t +/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t +/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t +/usr/sbin/courierldapaliasd -- system_u:object_r:courier_exec_t +/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t +/var/run/courier(/.*)? system_u:object_r:courier_var_run_t +/etc/courier(/.*)? system_u:object_r:courier_etc_t diff --git a/mls/file_contexts/program/cpucontrol.fc b/mls/file_contexts/program/cpucontrol.fc new file mode 100644 index 0000000..e7e488a --- /dev/null +++ b/mls/file_contexts/program/cpucontrol.fc @@ -0,0 +1,3 @@ +# cpucontrol +/sbin/microcode_ctl -- system_u:object_r:cpucontrol_exec_t:s0 +/etc/firmware/.* -- system_u:object_r:cpucontrol_conf_t:s0 diff --git a/mls/file_contexts/program/cpuspeed.fc b/mls/file_contexts/program/cpuspeed.fc new file mode 100644 index 0000000..5e91f55 --- /dev/null +++ b/mls/file_contexts/program/cpuspeed.fc @@ -0,0 +1,3 @@ +# cpuspeed +/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t:s0 +/usr/sbin/powernowd -- system_u:object_r:cpuspeed_exec_t:s0 diff --git a/mls/file_contexts/program/crack.fc b/mls/file_contexts/program/crack.fc new file mode 100644 index 0000000..18b5371 --- /dev/null +++ b/mls/file_contexts/program/crack.fc @@ -0,0 +1,6 @@ +# crack - for password checking +/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t:s0 +/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t:s0 +/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t:s0 +/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t:s0 +/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t:s0 diff --git a/mls/file_contexts/program/crond.fc b/mls/file_contexts/program/crond.fc new file mode 100644 index 0000000..3ee6ee5 --- /dev/null +++ b/mls/file_contexts/program/crond.fc @@ -0,0 +1,34 @@ +# crond +/etc/crontab -- system_u:object_r:system_cron_spool_t:s0 +/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t:s0 +/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t:s0 +/usr/sbin/anacron -- system_u:object_r:anacron_exec_t:s0 +/var/spool/cron -d system_u:object_r:cron_spool_t:s0 +/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t:s0 +/var/spool/cron/crontabs/.* -- <> +/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0 +/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t:s0 +/var/spool/cron/[^/]* -- <> +/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t:s0 +/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t:s0 +# fcron +/usr/sbin/fcron -- system_u:object_r:crond_exec_t:s0 +/var/spool/fcron -d system_u:object_r:cron_spool_t:s0 +/var/spool/fcron/.* <> +/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t:s0 +/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t:s0 +/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t:s0 +/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t:s0 +/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t:s0 +# atd +/usr/sbin/atd -- system_u:object_r:crond_exec_t:s0 +/var/spool/at -d system_u:object_r:cron_spool_t:s0 +/var/spool/at/spool -d system_u:object_r:cron_spool_t:s0 +/var/spool/at/[^/]* -- <> +/var/run/atd\.pid -- system_u:object_r:crond_var_run_t:s0 +ifdef(`distro_suse', ` +/usr/lib/cron/run-crons -- system_u:object_r:bin_t:s0 +/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t:s0 +/var/spool/cron/lastrun/[^/]* -- <> +/var/spool/cron/tabs -d system_u:object_r:cron_spool_t:s0 +') diff --git a/mls/file_contexts/program/crontab.fc b/mls/file_contexts/program/crontab.fc new file mode 100644 index 0000000..e0ee359 --- /dev/null +++ b/mls/file_contexts/program/crontab.fc @@ -0,0 +1,3 @@ +# crontab +/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t:s0 +/usr/bin/at -- system_u:object_r:crontab_exec_t:s0 diff --git a/mls/file_contexts/program/cups.fc b/mls/file_contexts/program/cups.fc new file mode 100644 index 0000000..fea8ef0 --- /dev/null +++ b/mls/file_contexts/program/cups.fc @@ -0,0 +1,46 @@ +# cups printing +/etc/cups(/.*)? system_u:object_r:cupsd_etc_t:s0 +/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t:s0 +/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0 +/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/client\.conf -- system_u:object_r:etc_t:s0 +/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/var/lib/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0 +/var/lib/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/ppds\.dat -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/cups/lpoptions.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t:s0 +/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t:s0 +/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t:s0 +/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t:s0 +/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t:s0 +ifdef(`hald.te', ` +# cupsd_config depends on hald +/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t:s0 +/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t:s0 +/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t:s0 +') +/var/log/cups(/.*)? system_u:object_r:cupsd_log_t:s0 +/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0 +/var/spool/cups(/.*)? system_u:object_r:print_spool_t:s0 +/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t:s0 +/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t:s0 +/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t:s0 +/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t:s0 +/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t:s0 +/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t:s0 +/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t:s0 +/etc/hp(/.*)? system_u:object_r:hplip_etc_t:s0 +/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t:s0 +/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t:s0 +/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t:s0 +/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t:s0 +/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t:s0 +/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t:s0 diff --git a/mls/file_contexts/program/cvs.fc b/mls/file_contexts/program/cvs.fc new file mode 100644 index 0000000..8aa1edc --- /dev/null +++ b/mls/file_contexts/program/cvs.fc @@ -0,0 +1,2 @@ +# cvs program +/usr/bin/cvs -- system_u:object_r:cvs_exec_t:s0 diff --git a/mls/file_contexts/program/cyrus.fc b/mls/file_contexts/program/cyrus.fc new file mode 100644 index 0000000..f415273 --- /dev/null +++ b/mls/file_contexts/program/cyrus.fc @@ -0,0 +1,5 @@ +# cyrus +/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t:s0 +/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t:s0 +/var/spool/imap(/.*)? system_u:object_r:mail_spool_t:s0 diff --git a/mls/file_contexts/program/daemontools.fc b/mls/file_contexts/program/daemontools.fc new file mode 100644 index 0000000..c2642ed --- /dev/null +++ b/mls/file_contexts/program/daemontools.fc @@ -0,0 +1,54 @@ +# daemontools + +/var/service/.* system_u:object_r:svc_svc_t + +# symlinks to /var/service/* +/service(/.*)? system_u:object_r:svc_svc_t + +# supervise scripts +/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t +/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t + +# supervise init binaries +# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/* +/usr/bin/svc -- system_u:object_r:svc_start_exec_t +/usr/bin/svscan -- system_u:object_r:svc_start_exec_t +/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t +/usr/bin/svok -- system_u:object_r:svc_start_exec_t +/usr/bin/supervise -- system_u:object_r:svc_start_exec_t + +# starting scripts +/var/service/.*/run.* system_u:object_r:svc_run_exec_t +/var/service/.*/log/run system_u:object_r:svc_run_exec_t + +# configurations +/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t + +# log +/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t + +# programs that impose a given environment to daemons +/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t +/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t +/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t +/usr/bin/envdir -- system_u:object_r:svc_run_exec_t +/usr/bin/setlock -- system_u:object_r:svc_run_exec_t + +# helper programs +/usr/bin/fghack -- system_u:object_r:svc_run_exec_t +/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t + +/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t +# daemontools logger # writes to service/*/log/main/ and /var/log/*/ +/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t + +/sbin/svcinit -- system_u:object_r:initrc_exec_t +/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t + diff --git a/mls/file_contexts/program/dante.fc b/mls/file_contexts/program/dante.fc new file mode 100644 index 0000000..ce7f335 --- /dev/null +++ b/mls/file_contexts/program/dante.fc @@ -0,0 +1,4 @@ +# dante +/usr/sbin/sockd -- system_u:object_r:dante_exec_t +/etc/socks(/.*)? system_u:object_r:dante_conf_t +/var/run/sockd.pid -- system_u:object_r:dante_var_run_t diff --git a/mls/file_contexts/program/dbskkd.fc b/mls/file_contexts/program/dbskkd.fc new file mode 100644 index 0000000..4f2d72f --- /dev/null +++ b/mls/file_contexts/program/dbskkd.fc @@ -0,0 +1,2 @@ +# A dictionary server for the SKK Japanese input method system. +/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t:s0 diff --git a/mls/file_contexts/program/dbusd.fc b/mls/file_contexts/program/dbusd.fc new file mode 100644 index 0000000..ea4e065 --- /dev/null +++ b/mls/file_contexts/program/dbusd.fc @@ -0,0 +1,3 @@ +/usr/bin/dbus-daemon(-1)? -- system_u:object_r:system_dbusd_exec_t:s0 +/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t:s0 +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0 diff --git a/mls/file_contexts/program/dcc.fc b/mls/file_contexts/program/dcc.fc new file mode 100644 index 0000000..a6b1372 --- /dev/null +++ b/mls/file_contexts/program/dcc.fc @@ -0,0 +1,17 @@ +# DCC +/etc/dcc(/.*)? system_u:object_r:dcc_var_t +/etc/dcc/map -- system_u:object_r:dcc_client_map_t +/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t +/usr/bin/cdcc system_u:object_r:cdcc_exec_t +/usr/bin/dccproc system_u:object_r:dcc_client_exec_t +/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t +/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t +/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t +/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t +/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t +/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t +/var/dcc(/.*)? system_u:object_r:dcc_var_t +/var/dcc/map -- system_u:object_r:dcc_client_map_t +/var/run/dcc system_u:object_r:dcc_var_run_t +/var/run/dcc/map -- system_u:object_r:dcc_client_map_t +/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t diff --git a/mls/file_contexts/program/ddclient.fc b/mls/file_contexts/program/ddclient.fc new file mode 100644 index 0000000..83ee3d2 --- /dev/null +++ b/mls/file_contexts/program/ddclient.fc @@ -0,0 +1,11 @@ +# ddclient +/etc/ddclient\.conf -- system_u:object_r:ddclient_etc_t +/usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t +/var/cache/ddclient(/.*)? system_u:object_r:ddclient_var_t +/var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t +# ddt - Dynamic DNS client +/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t +/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t +/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t +/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t +/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t diff --git a/mls/file_contexts/program/ddcprobe.fc b/mls/file_contexts/program/ddcprobe.fc new file mode 100644 index 0000000..8879280 --- /dev/null +++ b/mls/file_contexts/program/ddcprobe.fc @@ -0,0 +1 @@ +/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t:s0 diff --git a/mls/file_contexts/program/dhcpc.fc b/mls/file_contexts/program/dhcpc.fc new file mode 100644 index 0000000..e892abe --- /dev/null +++ b/mls/file_contexts/program/dhcpc.fc @@ -0,0 +1,19 @@ +# dhcpcd +/etc/dhcpc.* system_u:object_r:dhcp_etc_t:s0 +/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t:s0 +/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t:s0 +/etc/dhclient-script -- system_u:object_r:dhcp_etc_t:s0 +/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t:s0 +/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t:s0 +/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t:s0 +/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t:s0 +/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t:s0 +/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t:s0 +/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t:s0 +/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t:s0 +# pump +/sbin/pump -- system_u:object_r:dhcpc_exec_t:s0 +ifdef(`dhcp_defined', `', ` +/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t:s0 +define(`dhcp_defined') +') diff --git a/mls/file_contexts/program/dhcpd.fc b/mls/file_contexts/program/dhcpd.fc new file mode 100644 index 0000000..a03636f --- /dev/null +++ b/mls/file_contexts/program/dhcpd.fc @@ -0,0 +1,32 @@ +# dhcpd +/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t:s0 +/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t:s0 +/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t:s0 +/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0 +/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0 +ifdef(`dhcp_defined', `', ` +/var/lib/dhcp([3d])? -d system_u:object_r:dhcp_state_t:s0 +define(`dhcp_defined') +') +/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0 +/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t:s0 +ifdef(`distro_gentoo', ` +/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0 +/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0 +/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0 + +# for the chroot setup +/chroot/dhcp -d system_u:object_r:root_t:s0 +/chroot/dhcp/dev -d system_u:object_r:device_t:s0 +/chroot/dhcp/etc -d system_u:object_r:etc_t:s0 +/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0 +/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0 +/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t:s0 +/chroot/dhcp/var -d system_u:object_r:var_t:s0 +/chroot/dhcp/var/run -d system_u:object_r:var_run_t:s0 +/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t:s0 +/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t:s0 +/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0 +/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t:s0 +') + diff --git a/mls/file_contexts/program/dictd.fc b/mls/file_contexts/program/dictd.fc new file mode 100644 index 0000000..b089863 --- /dev/null +++ b/mls/file_contexts/program/dictd.fc @@ -0,0 +1,4 @@ +# dictd +/etc/dictd\.conf -- system_u:object_r:dictd_etc_t:s0 +/usr/sbin/dictd -- system_u:object_r:dictd_exec_t:s0 +/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t:s0 diff --git a/mls/file_contexts/program/distcc.fc b/mls/file_contexts/program/distcc.fc new file mode 100644 index 0000000..3ab9797 --- /dev/null +++ b/mls/file_contexts/program/distcc.fc @@ -0,0 +1,2 @@ +# distcc +/usr/bin/distccd -- system_u:object_r:distccd_exec_t diff --git a/mls/file_contexts/program/djbdns.fc b/mls/file_contexts/program/djbdns.fc new file mode 100644 index 0000000..6174b9f --- /dev/null +++ b/mls/file_contexts/program/djbdns.fc @@ -0,0 +1,26 @@ +#djbdns +/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t +/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t +/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t + +/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t +/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t +/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t +/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t +/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t +/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t + +/var/tinydns(/.*)? system_u:object_r:svc_svc_t +/var/tinydns/run -- system_u:object_r:svc_run_exec_t +/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t +/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t +/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t +/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t + +/var/axfrdns(/.*)? system_u:object_r:svc_svc_t +/var/axfrdns/run -- system_u:object_r:svc_run_exec_t +/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t +/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t +/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t +/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t + diff --git a/mls/file_contexts/program/dmesg.fc b/mls/file_contexts/program/dmesg.fc new file mode 100644 index 0000000..938875b --- /dev/null +++ b/mls/file_contexts/program/dmesg.fc @@ -0,0 +1,2 @@ +# dmesg +/bin/dmesg -- system_u:object_r:dmesg_exec_t:s0 diff --git a/mls/file_contexts/program/dmidecode.fc b/mls/file_contexts/program/dmidecode.fc new file mode 100644 index 0000000..7b02fd5 --- /dev/null +++ b/mls/file_contexts/program/dmidecode.fc @@ -0,0 +1,4 @@ +# dmidecode +/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t:s0 +/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t:s0 +/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t:s0 diff --git a/mls/file_contexts/program/dnsmasq.fc b/mls/file_contexts/program/dnsmasq.fc new file mode 100644 index 0000000..e1b1c35 --- /dev/null +++ b/mls/file_contexts/program/dnsmasq.fc @@ -0,0 +1,4 @@ +# dnsmasq +/usr/sbin/dnsmasq -- system_u:object_r:dnsmasq_exec_t +/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t +/var/run/dnsmasq\.pid -- system_u:object_r:dnsmasq_var_run_t diff --git a/mls/file_contexts/program/dovecot.fc b/mls/file_contexts/program/dovecot.fc new file mode 100644 index 0000000..bc45b9d --- /dev/null +++ b/mls/file_contexts/program/dovecot.fc @@ -0,0 +1,16 @@ +# for Dovecot POP and IMAP server +/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t:s0 +/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t:s0 +/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t:s0 +ifdef(`distro_redhat', ` +/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0 +') +ifdef(`distro_debian', ` +/usr/lib/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0 +') +/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0 +/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0 +/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t:s0 +/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t:s0 +/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t:s0 +/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t:s0 diff --git a/mls/file_contexts/program/dpkg.fc b/mls/file_contexts/program/dpkg.fc new file mode 100644 index 0000000..f0f56f6 --- /dev/null +++ b/mls/file_contexts/program/dpkg.fc @@ -0,0 +1,49 @@ +# dpkg/dselect/apt +/etc/apt(/.*)? system_u:object_r:apt_etc_t +/etc/apt/listbugs(/.*)? system_u:object_r:apt_rw_etc_t +/usr/bin/apt-cache -- system_u:object_r:apt_exec_t +/usr/bin/apt-config -- system_u:object_r:apt_exec_t +/usr/bin/apt-get -- system_u:object_r:apt_exec_t +/usr/bin/dpkg -- system_u:object_r:dpkg_exec_t +/usr/sbin/dpkg-reconfigure -- system_u:object_r:dpkg_exec_t +/usr/bin/dselect -- system_u:object_r:dpkg_exec_t +/usr/bin/aptitude -- system_u:object_r:dpkg_exec_t +/usr/bin/update-menus -- system_u:object_r:install_menu_exec_t +/usr/lib(64)?/apt/methods/.+ -- system_u:object_r:apt_exec_t +/usr/lib(64)?/man-db(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/dpkg/.+ -- system_u:object_r:dpkg_exec_t +/usr/sbin/dpkg-preconfigure -- system_u:object_r:dpkg_exec_t +/usr/sbin/install-menu -- system_u:object_r:install_menu_exec_t +/usr/share/applnk(/.*)? system_u:object_r:debian_menu_t +/usr/share/debconf/.+ -- system_u:object_r:dpkg_exec_t +/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t +/usr/share/lintian/.+ -- system_u:object_r:bin_t +/usr/share/kernel-package/.+ -- system_u:object_r:bin_t +/usr/share/smartmontools/selftests -- system_u:object_r:bin_t +/usr/share/bug/[^/]+ -- system_u:object_r:bin_t +/var/cache/apt(/.*)? system_u:object_r:var_cache_apt_t +/var/cache/apt-listbugs(/.*)? system_u:object_r:var_cache_apt_t +/var/lib/apt(/.*)? system_u:object_r:apt_var_lib_t +/var/state/apt(/.*)? system_u:object_r:apt_var_lib_t +/var/lib/dpkg(/.*)? system_u:object_r:dpkg_var_lib_t +/var/lib/dpkg/(meth)?lock -- system_u:object_r:dpkg_lock_t +/var/lib/kde(/.*)? system_u:object_r:debian_menu_t +/var/spool/kdeapplnk(/.*)? system_u:object_r:debian_menu_t +/var/cache/debconf(/.*)? system_u:object_r:debconf_cache_t +/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t +/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t +/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t +/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t +/usr/share/dlint/digparse -- system_u:object_r:bin_t +/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t +/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t +/var/lib/defoma(/.*)? system_u:object_r:fonts_t +/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t +/usr/share/intltool-debian/.* -- system_u:object_r:bin_t +/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t +/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t +/usr/share/shorewall/.* -- system_u:object_r:bin_t +/usr/share/reportbug/.* -- system_u:object_r:bin_t +/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t +/usr/lib(64)?/gconf2/gconfd-2 -- system_u:object_r:bin_t +/bin/mountpoint -- system_u:object_r:fsadm_exec_t diff --git a/mls/file_contexts/program/ethereal.fc b/mls/file_contexts/program/ethereal.fc new file mode 100644 index 0000000..abe9b02 --- /dev/null +++ b/mls/file_contexts/program/ethereal.fc @@ -0,0 +1,3 @@ +/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t +/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t +HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t diff --git a/mls/file_contexts/program/evolution.fc b/mls/file_contexts/program/evolution.fc new file mode 100644 index 0000000..1a3bf38 --- /dev/null +++ b/mls/file_contexts/program/evolution.fc @@ -0,0 +1,8 @@ +/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t +/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t +/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t +/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t +/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t +HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t +HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t +/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t diff --git a/mls/file_contexts/program/exim.fc b/mls/file_contexts/program/exim.fc new file mode 100644 index 0000000..26f6bac --- /dev/null +++ b/mls/file_contexts/program/exim.fc @@ -0,0 +1,18 @@ +# exim +/usr/sbin/exicyclog -- system_u:object_r:exicyclog_exec_t +/usr/sbin/exigrep -- system_u:object_r:exigrep_exec_t +/usr/sbin/exim_checkaccess -- system_u:object_r:exim_checkaccess_exec_t +/usr/sbin/exim_dumpdb -- system_u:object_r:exim_db_ro_exec_t +/usr/sbin/exim_fixdb -- system_u:object_r:exim_db_rw_exec_t +/usr/sbin/exim_lock -- system_u:object_r:exim_helper_exec_t +/usr/sbin/exim_tidydb -- system_u:object_r:exim_db_rw_exec_t +/usr/sbin/exinext -- system_u:object_r:exim_helper_exec_t +/usr/sbin/exipick -- system_u:object_r:exipick_exec_t +/usr/sbin/exiqgrep -- system_u:object_r:exiqgrep_exec_t +/usr/sbin/exim -- system_u:object_r:exim_exec_t +/usr/sbin/exiwhat -- system_u:object_r:exiwhat_exec_t +/var/spool/exim(/.*)? system_u:object_r:exim_spool_t +/var/spool/exim/db(/.*)? system_u:object_r:exim_spool_db_t +/var/spool/exim/msglog(/.*)? system_u:object_r:exim_log_t +/var/run/exim.pid -- system_u:object_r:exim_var_run_t +/var/log/exim(/.*)? system_u:object_r:exim_log_t diff --git a/mls/file_contexts/program/fetchmail.fc b/mls/file_contexts/program/fetchmail.fc new file mode 100644 index 0000000..9ac51a2 --- /dev/null +++ b/mls/file_contexts/program/fetchmail.fc @@ -0,0 +1,5 @@ +# fetchmail +/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t:s0 +/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t:s0 +/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t:s0 +/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t:s0 diff --git a/mls/file_contexts/program/fingerd.fc b/mls/file_contexts/program/fingerd.fc new file mode 100644 index 0000000..f7ed20d --- /dev/null +++ b/mls/file_contexts/program/fingerd.fc @@ -0,0 +1,6 @@ +# fingerd +/usr/sbin/in\.fingerd -- system_u:object_r:fingerd_exec_t:s0 +/usr/sbin/[cef]fingerd -- system_u:object_r:fingerd_exec_t:s0 +/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0 +/etc/cfingerd(/.*)? system_u:object_r:fingerd_etc_t:s0 +/var/log/cfingerd\.log.* -- system_u:object_r:fingerd_log_t:s0 diff --git a/mls/file_contexts/program/firstboot.fc b/mls/file_contexts/program/firstboot.fc new file mode 100644 index 0000000..9a087ed --- /dev/null +++ b/mls/file_contexts/program/firstboot.fc @@ -0,0 +1,4 @@ +# firstboot +/usr/sbin/firstboot -- system_u:object_r:firstboot_exec_t:s0 +/usr/share/firstboot system_u:object_r:firstboot_rw_t:s0 +/usr/share/firstboot/firstboot\.py -- system_u:object_r:firstboot_exec_t:s0 diff --git a/mls/file_contexts/program/fontconfig.fc b/mls/file_contexts/program/fontconfig.fc new file mode 100644 index 0000000..d8a8dc9 --- /dev/null +++ b/mls/file_contexts/program/fontconfig.fc @@ -0,0 +1,4 @@ +HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t +HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t +HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t +HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t diff --git a/mls/file_contexts/program/fs_daemon.fc b/mls/file_contexts/program/fs_daemon.fc new file mode 100644 index 0000000..1e086fd --- /dev/null +++ b/mls/file_contexts/program/fs_daemon.fc @@ -0,0 +1,4 @@ +# fs admin daemons +/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t:s0 +/var/run/smartd\.pid -- system_u:object_r:fsdaemon_var_run_t:s0 +/etc/smartd\.conf -- system_u:object_r:etc_runtime_t:s0 diff --git a/mls/file_contexts/program/fsadm.fc b/mls/file_contexts/program/fsadm.fc new file mode 100644 index 0000000..4601a39 --- /dev/null +++ b/mls/file_contexts/program/fsadm.fc @@ -0,0 +1,40 @@ +# fs admin utilities +/sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t:s0 +/sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/dosfsck -- system_u:object_r:fsadm_exec_t:s0 +/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/e2label -- system_u:object_r:fsadm_exec_t:s0 +/sbin/findfs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkfs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mke2fs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkswap -- system_u:object_r:fsadm_exec_t:s0 +/sbin/scsi_info -- system_u:object_r:fsadm_exec_t:s0 +/sbin/sfdisk -- system_u:object_r:fsadm_exec_t:s0 +/sbin/cfdisk -- system_u:object_r:fsadm_exec_t:s0 +/sbin/fdisk -- system_u:object_r:fsadm_exec_t:s0 +/sbin/parted -- system_u:object_r:fsadm_exec_t:s0 +/sbin/tune2fs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t:s0 +/sbin/dump -- system_u:object_r:fsadm_exec_t:s0 +/sbin/swapon.* -- system_u:object_r:fsadm_exec_t:s0 +/sbin/hdparm -- system_u:object_r:fsadm_exec_t:s0 +/sbin/raidstart -- system_u:object_r:fsadm_exec_t:s0 +/sbin/raidautorun -- system_u:object_r:fsadm_exec_t:s0 +/sbin/mkraid -- system_u:object_r:fsadm_exec_t:s0 +/sbin/blockdev -- system_u:object_r:fsadm_exec_t:s0 +/sbin/losetup.* -- system_u:object_r:fsadm_exec_t:s0 +/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t:s0 +/sbin/lsraid -- system_u:object_r:fsadm_exec_t:s0 +/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t:s0 +/sbin/install-mbr -- system_u:object_r:fsadm_exec_t:s0 +/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t:s0 +/usr/bin/raw -- system_u:object_r:fsadm_exec_t:s0 +/sbin/partx -- system_u:object_r:fsadm_exec_t:s0 +/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t:s0 +/sbin/partprobe -- system_u:object_r:fsadm_exec_t:s0 +/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t:s0 diff --git a/mls/file_contexts/program/ftpd.fc b/mls/file_contexts/program/ftpd.fc new file mode 100644 index 0000000..92a8c3e --- /dev/null +++ b/mls/file_contexts/program/ftpd.fc @@ -0,0 +1,17 @@ +# ftpd +/usr/sbin/in\.ftpd -- system_u:object_r:ftpd_exec_t:s0 +/usr/sbin/proftpd -- system_u:object_r:ftpd_exec_t:s0 +/usr/sbin/muddleftpd -- system_u:object_r:ftpd_exec_t:s0 +/usr/sbin/ftpwho -- system_u:object_r:ftpd_exec_t:s0 +/usr/kerberos/sbin/ftpd -- system_u:object_r:ftpd_exec_t:s0 +/usr/sbin/vsftpd -- system_u:object_r:ftpd_exec_t:s0 +/etc/proftpd\.conf -- system_u:object_r:ftpd_etc_t:s0 +/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0 +/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0 +/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t:s0 +/var/log/xferlog.* -- system_u:object_r:xferlog_t:s0 +/var/log/vsftpd.* -- system_u:object_r:xferlog_t:s0 +/var/log/xferreport.* -- system_u:object_r:xferlog_t:s0 +/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t:s0 +/var/ftp(/.*)? system_u:object_r:public_content_t:s0 +/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t:s0 diff --git a/mls/file_contexts/program/games.fc b/mls/file_contexts/program/games.fc new file mode 100644 index 0000000..3465eee --- /dev/null +++ b/mls/file_contexts/program/games.fc @@ -0,0 +1,61 @@ +# games +/usr/lib/games(/.*)? system_u:object_r:games_exec_t +/var/lib/games(/.*)? system_u:object_r:games_data_t +ifdef(`distro_debian', ` +/usr/games/.* -- system_u:object_r:games_exec_t +/var/games(/.*)? system_u:object_r:games_data_t +', ` +/usr/bin/micq -- system_u:object_r:games_exec_t +/usr/bin/blackjack -- system_u:object_r:games_exec_t +/usr/bin/gataxx -- system_u:object_r:games_exec_t +/usr/bin/glines -- system_u:object_r:games_exec_t +/usr/bin/gnect -- system_u:object_r:games_exec_t +/usr/bin/gnibbles -- system_u:object_r:games_exec_t +/usr/bin/gnobots2 -- system_u:object_r:games_exec_t +/usr/bin/gnome-stones -- system_u:object_r:games_exec_t +/usr/bin/gnomine -- system_u:object_r:games_exec_t +/usr/bin/gnotravex -- system_u:object_r:games_exec_t +/usr/bin/gnotski -- system_u:object_r:games_exec_t +/usr/bin/gtali -- system_u:object_r:games_exec_t +/usr/bin/iagno -- system_u:object_r:games_exec_t +/usr/bin/mahjongg -- system_u:object_r:games_exec_t +/usr/bin/same-gnome -- system_u:object_r:games_exec_t +/usr/bin/sol -- system_u:object_r:games_exec_t +/usr/bin/atlantik -- system_u:object_r:games_exec_t +/usr/bin/kasteroids -- system_u:object_r:games_exec_t +/usr/bin/katomic -- system_u:object_r:games_exec_t +/usr/bin/kbackgammon -- system_u:object_r:games_exec_t +/usr/bin/kbattleship -- system_u:object_r:games_exec_t +/usr/bin/kblackbox -- system_u:object_r:games_exec_t +/usr/bin/kbounce -- system_u:object_r:games_exec_t +/usr/bin/kenolaba -- system_u:object_r:games_exec_t +/usr/bin/kfouleggs -- system_u:object_r:games_exec_t +/usr/bin/kgoldrunner -- system_u:object_r:games_exec_t +/usr/bin/kjumpingcube -- system_u:object_r:games_exec_t +/usr/bin/klickety -- system_u:object_r:games_exec_t +/usr/bin/klines -- system_u:object_r:games_exec_t +/usr/bin/kmahjongg -- system_u:object_r:games_exec_t +/usr/bin/kmines -- system_u:object_r:games_exec_t +/usr/bin/kolf -- system_u:object_r:games_exec_t +/usr/bin/konquest -- system_u:object_r:games_exec_t +/usr/bin/kpat -- system_u:object_r:games_exec_t +/usr/bin/kpoker -- system_u:object_r:games_exec_t +/usr/bin/kreversi -- system_u:object_r:games_exec_t +/usr/bin/ksame -- system_u:object_r:games_exec_t +/usr/bin/kshisen -- system_u:object_r:games_exec_t +/usr/bin/ksirtet -- system_u:object_r:games_exec_t +/usr/bin/ksmiletris -- system_u:object_r:games_exec_t +/usr/bin/ksnake -- system_u:object_r:games_exec_t +/usr/bin/ksokoban -- system_u:object_r:games_exec_t +/usr/bin/kspaceduel -- system_u:object_r:games_exec_t +/usr/bin/ktron -- system_u:object_r:games_exec_t +/usr/bin/ktuberling -- system_u:object_r:games_exec_t +/usr/bin/kwin4 -- system_u:object_r:games_exec_t +/usr/bin/kwin4proc -- system_u:object_r:games_exec_t +/usr/bin/lskat -- system_u:object_r:games_exec_t +/usr/bin/lskatproc -- system_u:object_r:games_exec_t +/usr/bin/Maelstrom -- system_u:object_r:games_exec_t +/usr/bin/civclient.* -- system_u:object_r:games_exec_t +/usr/bin/civserver.* -- system_u:object_r:games_exec_t +')dnl end non-Debian section + diff --git a/mls/file_contexts/program/gatekeeper.fc b/mls/file_contexts/program/gatekeeper.fc new file mode 100644 index 0000000..e51491a --- /dev/null +++ b/mls/file_contexts/program/gatekeeper.fc @@ -0,0 +1,7 @@ +# gatekeeper +/etc/gatekeeper\.ini -- system_u:object_r:gatekeeper_etc_t +/usr/sbin/gk -- system_u:object_r:gatekeeper_exec_t +/usr/sbin/gnugk -- system_u:object_r:gatekeeper_exec_t +/var/run/gk\.pid -- system_u:object_r:gatekeeper_var_run_t +/var/run/gnugk(/.*)? system_u:object_r:gatekeeper_var_run_t +/var/log/gnugk(/.*)? system_u:object_r:gatekeeper_log_t diff --git a/mls/file_contexts/program/gconf.fc b/mls/file_contexts/program/gconf.fc new file mode 100644 index 0000000..3ee63e0 --- /dev/null +++ b/mls/file_contexts/program/gconf.fc @@ -0,0 +1,5 @@ +/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t +/etc/gconf(/.*)? system_u:object_r:gconf_etc_t +HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t +HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t +/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t diff --git a/mls/file_contexts/program/getty.fc b/mls/file_contexts/program/getty.fc new file mode 100644 index 0000000..19b7e64 --- /dev/null +++ b/mls/file_contexts/program/getty.fc @@ -0,0 +1,5 @@ +# getty +/sbin/.*getty -- system_u:object_r:getty_exec_t:s0 +/etc/mgetty(/.*)? system_u:object_r:getty_etc_t:s0 +/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t:s0 +/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t:s0 diff --git a/mls/file_contexts/program/gift.fc b/mls/file_contexts/program/gift.fc new file mode 100644 index 0000000..88ed5f2 --- /dev/null +++ b/mls/file_contexts/program/gift.fc @@ -0,0 +1,5 @@ +/usr/(local/)?bin/giftd -- system_u:object_r:giftd_exec_t +/usr/(local/)?bin/giftui -- system_u:object_r:gift_exec_t +/usr/(local/)?bin/giFToxic -- system_u:object_r:gift_exec_t +/usr/(local/)?bin/apollon -- system_u:object_r:gift_exec_t +HOME_DIR/\.giFT(/.*)? system_u:object_r:ROLE_gift_home_t diff --git a/mls/file_contexts/program/gnome-pty-helper.fc b/mls/file_contexts/program/gnome-pty-helper.fc new file mode 100644 index 0000000..24a0b1b --- /dev/null +++ b/mls/file_contexts/program/gnome-pty-helper.fc @@ -0,0 +1,3 @@ +# gnome-pty-helper +/usr/sbin/gnome-pty-helper -- system_u:object_r:gph_exec_t +/usr/lib(64)?/vte/gnome-pty-helper -- system_u:object_r:gph_exec_t diff --git a/mls/file_contexts/program/gnome.fc b/mls/file_contexts/program/gnome.fc new file mode 100644 index 0000000..670c86f --- /dev/null +++ b/mls/file_contexts/program/gnome.fc @@ -0,0 +1,8 @@ +# FIXME: add a lot more GNOME folders +HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t +HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t +ifdef(`evolution.te', ` +HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t +') +HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t +HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t diff --git a/mls/file_contexts/program/gnome_vfs.fc b/mls/file_contexts/program/gnome_vfs.fc new file mode 100644 index 0000000..f945d59 --- /dev/null +++ b/mls/file_contexts/program/gnome_vfs.fc @@ -0,0 +1 @@ +/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t diff --git a/mls/file_contexts/program/gpg-agent.fc b/mls/file_contexts/program/gpg-agent.fc new file mode 100644 index 0000000..a8a7603 --- /dev/null +++ b/mls/file_contexts/program/gpg-agent.fc @@ -0,0 +1,3 @@ +# gpg-agent +/usr/bin/gpg-agent -- system_u:object_r:gpg_agent_exec_t:s0 +/usr/bin/pinentry.* -- system_u:object_r:pinentry_exec_t:s0 diff --git a/mls/file_contexts/program/gpg.fc b/mls/file_contexts/program/gpg.fc new file mode 100644 index 0000000..b820755 --- /dev/null +++ b/mls/file_contexts/program/gpg.fc @@ -0,0 +1,7 @@ +# gpg +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t:s0 +/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t:s0 +/usr/bin/kgpg -- system_u:object_r:gpg_exec_t:s0 +/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t:s0 +/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t:s0 + diff --git a/mls/file_contexts/program/gpm.fc b/mls/file_contexts/program/gpm.fc new file mode 100644 index 0000000..1210518 --- /dev/null +++ b/mls/file_contexts/program/gpm.fc @@ -0,0 +1,5 @@ +# gpm +/dev/gpmctl -s system_u:object_r:gpmctl_t:s0 +/dev/gpmdata -p system_u:object_r:gpmctl_t:s0 +/usr/sbin/gpm -- system_u:object_r:gpm_exec_t:s0 +/etc/gpm(/.*)? system_u:object_r:gpm_conf_t:s0 diff --git a/mls/file_contexts/program/groupadd.fc b/mls/file_contexts/program/groupadd.fc new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/mls/file_contexts/program/groupadd.fc diff --git a/mls/file_contexts/program/hald.fc b/mls/file_contexts/program/hald.fc new file mode 100644 index 0000000..b57463d --- /dev/null +++ b/mls/file_contexts/program/hald.fc @@ -0,0 +1,6 @@ +# hald - hardware information daemon +/usr/sbin/hald -- system_u:object_r:hald_exec_t:s0 +/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0 +/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0 +/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0 +/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0 diff --git a/mls/file_contexts/program/hostname.fc b/mls/file_contexts/program/hostname.fc new file mode 100644 index 0000000..01a957a --- /dev/null +++ b/mls/file_contexts/program/hostname.fc @@ -0,0 +1 @@ +/bin/hostname -- system_u:object_r:hostname_exec_t:s0 diff --git a/mls/file_contexts/program/hotplug.fc b/mls/file_contexts/program/hotplug.fc new file mode 100644 index 0000000..05c6504 --- /dev/null +++ b/mls/file_contexts/program/hotplug.fc @@ -0,0 +1,13 @@ +# hotplug +/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t:s0 +/sbin/hotplug -- system_u:object_r:hotplug_exec_t:s0 +/sbin/netplugd -- system_u:object_r:hotplug_exec_t:s0 +/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t:s0 +/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0 +/etc/netplug\.d(/.*)? system_u:object_r:sbin_t:s0 +/etc/hotplug/.*agent -- system_u:object_r:sbin_t:s0 +/etc/hotplug/.*rc -- system_u:object_r:sbin_t:s0 +/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t:s0 +/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t:s0 +/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t:s0 +/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t:s0 diff --git a/mls/file_contexts/program/howl.fc b/mls/file_contexts/program/howl.fc new file mode 100644 index 0000000..4546ac1 --- /dev/null +++ b/mls/file_contexts/program/howl.fc @@ -0,0 +1,3 @@ +/usr/bin/nifd -- system_u:object_r:howl_exec_t:s0 +/usr/bin/mDNSResponder -- system_u:object_r:howl_exec_t:s0 +/var/run/nifd\.pid -- system_u:object_r:howl_var_run_t:s0 diff --git a/mls/file_contexts/program/hwclock.fc b/mls/file_contexts/program/hwclock.fc new file mode 100644 index 0000000..9d0d909 --- /dev/null +++ b/mls/file_contexts/program/hwclock.fc @@ -0,0 +1,3 @@ +# hwclock +/sbin/hwclock -- system_u:object_r:hwclock_exec_t:s0 +/etc/adjtime -- system_u:object_r:adjtime_t:s0 diff --git a/mls/file_contexts/program/i18n_input.fc b/mls/file_contexts/program/i18n_input.fc new file mode 100644 index 0000000..66cea53 --- /dev/null +++ b/mls/file_contexts/program/i18n_input.fc @@ -0,0 +1,11 @@ +# i18n_input.fc +/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t:s0 +/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t:s0 +/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t:s0 +/usr/bin/httx -- system_u:object_r:i18n_input_exec_t:s0 +/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t:s0 +/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t:s0 +/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t:s0 +/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t:s0 +/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t:s0 +/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t:s0 diff --git a/mls/file_contexts/program/iceauth.fc b/mls/file_contexts/program/iceauth.fc new file mode 100644 index 0000000..31bf1f3 --- /dev/null +++ b/mls/file_contexts/program/iceauth.fc @@ -0,0 +1,3 @@ +# iceauth +/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t +HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t diff --git a/mls/file_contexts/program/ifconfig.fc b/mls/file_contexts/program/ifconfig.fc new file mode 100644 index 0000000..22d52ed --- /dev/null +++ b/mls/file_contexts/program/ifconfig.fc @@ -0,0 +1,12 @@ +# ifconfig +/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/ip -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0 +/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0 +/bin/ip -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/ethtool -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t:s0 +/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t:s0 diff --git a/mls/file_contexts/program/imazesrv.fc b/mls/file_contexts/program/imazesrv.fc new file mode 100644 index 0000000..dae194e --- /dev/null +++ b/mls/file_contexts/program/imazesrv.fc @@ -0,0 +1,4 @@ +# imazesrv +/usr/share/games/imaze(/.*)? system_u:object_r:imazesrv_data_t +/usr/games/imazesrv -- system_u:object_r:imazesrv_exec_t +/var/log/imaze\.log -- system_u:object_r:imazesrv_log_t diff --git a/mls/file_contexts/program/inetd.fc b/mls/file_contexts/program/inetd.fc new file mode 100644 index 0000000..d066e36 --- /dev/null +++ b/mls/file_contexts/program/inetd.fc @@ -0,0 +1,8 @@ +# inetd +/usr/sbin/inetd -- system_u:object_r:inetd_exec_t:s0 +/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t:s0 +/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t:s0 +/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t:s0 +/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t:s0 +/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t:s0 +/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t:s0 diff --git a/mls/file_contexts/program/init.fc b/mls/file_contexts/program/init.fc new file mode 100644 index 0000000..cdf424f --- /dev/null +++ b/mls/file_contexts/program/init.fc @@ -0,0 +1,3 @@ +# init +/dev/initctl -p system_u:object_r:initctl_t:s0 +/sbin/init -- system_u:object_r:init_exec_t:s0 diff --git a/mls/file_contexts/program/initrc.fc b/mls/file_contexts/program/initrc.fc new file mode 100644 index 0000000..65a1dba --- /dev/null +++ b/mls/file_contexts/program/initrc.fc @@ -0,0 +1,48 @@ +# init rc scripts +ifdef(`targeted_policy', ` +/etc/X11/prefdm -- system_u:object_r:bin_t:s0 +', ` +/etc/X11/prefdm -- system_u:object_r:initrc_exec_t:s0 +') +/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t:s0 +/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t:s0 +/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t:s0 +/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t:s0 +/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0 +/etc/init\.d/.* -- system_u:object_r:initrc_exec_t:s0 +/etc/init\.d/functions -- system_u:object_r:etc_t:s0 +/var/run/utmp -- system_u:object_r:initrc_var_run_t:s0 +/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t:s0 +/var/run/random-seed -- system_u:object_r:initrc_var_run_t:s0 +/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t:s0 +ifdef(`distro_suse', ` +/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t:s0 +/var/run/keymap -- system_u:object_r:initrc_var_run_t:s0 +/var/run/numlock-on -- system_u:object_r:initrc_var_run_t:s0 +/var/run/setleds-on -- system_u:object_r:initrc_var_run_t:s0 +/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t:s0 +/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t:s0 +') + +ifdef(`distro_gentoo', ` +/sbin/rc -- system_u:object_r:initrc_exec_t:s0 +/sbin/runscript -- system_u:object_r:initrc_exec_t:s0 +/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t:s0 +/var/lib/init\.d(/.*)? system_u:object_r:initrc_state_t:s0 +') + +# run_init +/usr/sbin/run_init -- system_u:object_r:run_init_exec_t:s0 +/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t:s0 +/etc/nologin.* -- system_u:object_r:etc_runtime_t:s0 +/etc/nohotplug -- system_u:object_r:etc_runtime_t:s0 +ifdef(`distro_redhat', ` +/halt -- system_u:object_r:etc_runtime_t:s0 +/fastboot -- system_u:object_r:etc_runtime_t:s0 +/fsckoptions -- system_u:object_r:etc_runtime_t:s0 +/forcefsck -- system_u:object_r:etc_runtime_t:s0 +/poweroff -- system_u:object_r:etc_runtime_t:s0 +/\.autofsck -- system_u:object_r:etc_runtime_t:s0 +/\.autorelabel -- system_u:object_r:etc_runtime_t:s0 +') + diff --git a/mls/file_contexts/program/innd.fc b/mls/file_contexts/program/innd.fc new file mode 100644 index 0000000..c8646ea --- /dev/null +++ b/mls/file_contexts/program/innd.fc @@ -0,0 +1,50 @@ +# innd +/usr/sbin/innd.* -- system_u:object_r:innd_exec_t:s0 +/usr/bin/rpost -- system_u:object_r:innd_exec_t:s0 +/usr/bin/suck -- system_u:object_r:innd_exec_t:s0 +/var/run/innd(/.*)? system_u:object_r:innd_var_run_t:s0 +/etc/news(/.*)? system_u:object_r:innd_etc_t:s0 +/etc/news/boot -- system_u:object_r:innd_exec_t:s0 +/var/spool/news(/.*)? system_u:object_r:news_spool_t:s0 +/var/log/news(/.*)? system_u:object_r:innd_log_t:s0 +/var/lib/news(/.*)? system_u:object_r:innd_var_lib_t:s0 +/var/run/news(/.*)? system_u:object_r:innd_var_run_t:s0 +/usr/sbin/in\.nnrpd -- system_u:object_r:innd_exec_t:s0 +/usr/bin/inews -- system_u:object_r:innd_exec_t:s0 +/usr/bin/rnews -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin(/.*)? system_u:object_r:bin_t:s0 +/usr/lib(64)?/news/bin/innd -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/actsync -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/archive -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/batcher -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/buffchan -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/controlchan -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/convdate -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/ctlinnd -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/cvtbatch -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/expire -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/expireover -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/fastrm -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/filechan -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/getlist -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/grephistory -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/inews -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/innconfval -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/inndf -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/inndstart -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/innfeed -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/innxbatch -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/innxmit -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/makedbz -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/makehistory -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/newsrequeue -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/nnrpd -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/nntpget -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/ovdb_recover -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/overchan -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/prunehistory -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/rnews -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/shlock -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/shrinkfile -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/sm -- system_u:object_r:innd_exec_t:s0 +/usr/lib(64)?/news/bin/startinnfeed -- system_u:object_r:innd_exec_t:s0 diff --git a/mls/file_contexts/program/ipsec.fc b/mls/file_contexts/program/ipsec.fc new file mode 100644 index 0000000..cb4c966 --- /dev/null +++ b/mls/file_contexts/program/ipsec.fc @@ -0,0 +1,32 @@ +# IPSEC utilities and daemon. + +/etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t:s0 +/etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t:s0 +/etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t:s0 +/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t:s0 +/usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t:s0 +/usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t:s0 +/usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t:s0 +/usr/local/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t:s0 +/usr/libexec/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0 +/usr/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0 +/usr/local/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0 +/usr/libexec/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0 +/usr/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0 +/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0 +/usr/libexec/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0 +/usr/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0 +/usr/local/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0 +/usr/libexec/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0 +/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0 +/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0 +/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t:s0 +/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t:s0 + +# Kame +/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t:s0 +/usr/sbin/setkey -- system_u:object_r:ipsec_exec_t:s0 +/sbin/setkey -- system_u:object_r:ipsec_exec_t:s0 +/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t:s0 +/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t:s0 +/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t:s0 diff --git a/mls/file_contexts/program/iptables.fc b/mls/file_contexts/program/iptables.fc new file mode 100644 index 0000000..c55fd08 --- /dev/null +++ b/mls/file_contexts/program/iptables.fc @@ -0,0 +1,8 @@ +# iptables +/sbin/ipchains.* -- system_u:object_r:iptables_exec_t:s0 +/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0 +/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t:s0 +/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t:s0 +/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0 +/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t:s0 + diff --git a/mls/file_contexts/program/irc.fc b/mls/file_contexts/program/irc.fc new file mode 100644 index 0000000..586977b --- /dev/null +++ b/mls/file_contexts/program/irc.fc @@ -0,0 +1,5 @@ +# irc clients +/usr/bin/[st]irc -- system_u:object_r:irc_exec_t:s0 +/usr/bin/ircII -- system_u:object_r:irc_exec_t:s0 +/usr/bin/tinyirc -- system_u:object_r:irc_exec_t:s0 +HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t:s0 diff --git a/mls/file_contexts/program/ircd.fc b/mls/file_contexts/program/ircd.fc new file mode 100644 index 0000000..2ef668c --- /dev/null +++ b/mls/file_contexts/program/ircd.fc @@ -0,0 +1,6 @@ +# ircd - irc server +/usr/sbin/(dancer-)?ircd -- system_u:object_r:ircd_exec_t +/etc/(dancer-)?ircd(/.*)? system_u:object_r:ircd_etc_t +/var/log/(dancer-)?ircd(/.*)? system_u:object_r:ircd_log_t +/var/lib/dancer-ircd(/.*)? system_u:object_r:ircd_var_lib_t +/var/run/dancer-ircd(/.*)? system_u:object_r:ircd_var_run_t diff --git a/mls/file_contexts/program/irqbalance.fc b/mls/file_contexts/program/irqbalance.fc new file mode 100644 index 0000000..15b5004 --- /dev/null +++ b/mls/file_contexts/program/irqbalance.fc @@ -0,0 +1,2 @@ +# irqbalance +/usr/sbin/irqbalance -- system_u:object_r:irqbalance_exec_t:s0 diff --git a/mls/file_contexts/program/jabberd.fc b/mls/file_contexts/program/jabberd.fc new file mode 100644 index 0000000..c614cb8 --- /dev/null +++ b/mls/file_contexts/program/jabberd.fc @@ -0,0 +1,4 @@ +# jabberd +/usr/sbin/jabberd -- system_u:object_r:jabberd_exec_t +/var/lib/jabber(/.*)? system_u:object_r:jabberd_var_lib_t +/var/log/jabber(/.*)? system_u:object_r:jabberd_log_t diff --git a/mls/file_contexts/program/java.fc b/mls/file_contexts/program/java.fc new file mode 100644 index 0000000..0513971 --- /dev/null +++ b/mls/file_contexts/program/java.fc @@ -0,0 +1,2 @@ +# java +/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t:s0 diff --git a/mls/file_contexts/program/kerberos.fc b/mls/file_contexts/program/kerberos.fc new file mode 100644 index 0000000..2faebe0 --- /dev/null +++ b/mls/file_contexts/program/kerberos.fc @@ -0,0 +1,20 @@ +# MIT Kerberos krbkdc, kadmind +/etc/krb5\.keytab system_u:object_r:krb5_keytab_t:s0 +/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0 +/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0 +/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0 +/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0 +/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0 +/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0 +/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t:s0 +/var/log/kadmind\.log system_u:object_r:kadmind_log_t:s0 +/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t:s0 + +# gentoo file locations +/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0 +/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0 +/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0 +/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0 +/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t:s0 +/var/log/kadmin.log -- system_u:object_r:kadmind_log_t:s0 + diff --git a/mls/file_contexts/program/klogd.fc b/mls/file_contexts/program/klogd.fc new file mode 100644 index 0000000..5fcdf29 --- /dev/null +++ b/mls/file_contexts/program/klogd.fc @@ -0,0 +1,4 @@ +# klogd +/sbin/klogd -- system_u:object_r:klogd_exec_t:s0 +/usr/sbin/klogd -- system_u:object_r:klogd_exec_t:s0 +/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t:s0 diff --git a/mls/file_contexts/program/ktalkd.fc b/mls/file_contexts/program/ktalkd.fc new file mode 100644 index 0000000..33973fd --- /dev/null +++ b/mls/file_contexts/program/ktalkd.fc @@ -0,0 +1,2 @@ +# kde talk daemon +/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t:s0 diff --git a/mls/file_contexts/program/kudzu.fc b/mls/file_contexts/program/kudzu.fc new file mode 100644 index 0000000..3602a30 --- /dev/null +++ b/mls/file_contexts/program/kudzu.fc @@ -0,0 +1,4 @@ +# kudzu +(/usr)?/sbin/kudzu -- system_u:object_r:kudzu_exec_t:s0 +/sbin/kmodule -- system_u:object_r:kudzu_exec_t:s0 +/var/run/Xconfig -- root:object_r:kudzu_var_run_t:s0 diff --git a/mls/file_contexts/program/lcd.fc b/mls/file_contexts/program/lcd.fc new file mode 100644 index 0000000..4294d44 --- /dev/null +++ b/mls/file_contexts/program/lcd.fc @@ -0,0 +1,2 @@ +# lcd +/usr/sbin/lcd.* -- system_u:object_r:lcd_exec_t diff --git a/mls/file_contexts/program/ldconfig.fc b/mls/file_contexts/program/ldconfig.fc new file mode 100644 index 0000000..1f82fcf --- /dev/null +++ b/mls/file_contexts/program/ldconfig.fc @@ -0,0 +1 @@ +/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t:s0 diff --git a/mls/file_contexts/program/load_policy.fc b/mls/file_contexts/program/load_policy.fc new file mode 100644 index 0000000..a4c98ce --- /dev/null +++ b/mls/file_contexts/program/load_policy.fc @@ -0,0 +1,3 @@ +# load_policy +/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0 +/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0 diff --git a/mls/file_contexts/program/loadkeys.fc b/mls/file_contexts/program/loadkeys.fc new file mode 100644 index 0000000..ebe1cfc --- /dev/null +++ b/mls/file_contexts/program/loadkeys.fc @@ -0,0 +1,3 @@ +# loadkeys +/bin/unikeys -- system_u:object_r:loadkeys_exec_t:s0 +/bin/loadkeys -- system_u:object_r:loadkeys_exec_t:s0 diff --git a/mls/file_contexts/program/lockdev.fc b/mls/file_contexts/program/lockdev.fc new file mode 100644 index 0000000..b917bf7 --- /dev/null +++ b/mls/file_contexts/program/lockdev.fc @@ -0,0 +1,2 @@ +# lockdev +/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t:s0 diff --git a/mls/file_contexts/program/login.fc b/mls/file_contexts/program/login.fc new file mode 100644 index 0000000..ab8bf1a --- /dev/null +++ b/mls/file_contexts/program/login.fc @@ -0,0 +1,3 @@ +# login +/bin/login -- system_u:object_r:login_exec_t:s0 +/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0 diff --git a/mls/file_contexts/program/logrotate.fc b/mls/file_contexts/program/logrotate.fc new file mode 100644 index 0000000..85b6ee7 --- /dev/null +++ b/mls/file_contexts/program/logrotate.fc @@ -0,0 +1,13 @@ +# logrotate +/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t:s0 +/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t:s0 +ifdef(`distro_debian', ` +/usr/bin/savelog -- system_u:object_r:logrotate_exec_t:s0 +/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t:s0 +', ` +/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t:s0 +') +/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t:s0 +/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t:s0 +# using a hard-coded name under /var/tmp is a bug - new version fixes it +/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t:s0 diff --git a/mls/file_contexts/program/lpd.fc b/mls/file_contexts/program/lpd.fc new file mode 100644 index 0000000..da61bf4 --- /dev/null +++ b/mls/file_contexts/program/lpd.fc @@ -0,0 +1,8 @@ +# lpd +/dev/printer -s system_u:object_r:printer_t:s0 +/usr/sbin/lpd -- system_u:object_r:lpd_exec_t:s0 +/usr/sbin/checkpc -- system_u:object_r:checkpc_exec_t:s0 +/var/spool/lpd(/.*)? system_u:object_r:print_spool_t:s0 +/usr/share/printconf/.* -- system_u:object_r:printconf_t:s0 +/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0 +/var/run/lprng(/.*)? system_u:object_r:lpd_var_run_t:s0 diff --git a/mls/file_contexts/program/lpr.fc b/mls/file_contexts/program/lpr.fc new file mode 100644 index 0000000..a2725c7 --- /dev/null +++ b/mls/file_contexts/program/lpr.fc @@ -0,0 +1,4 @@ +# lp utilities. +/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t:s0 +/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t:s0 +/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t:s0 diff --git a/mls/file_contexts/program/lrrd.fc b/mls/file_contexts/program/lrrd.fc new file mode 100644 index 0000000..08494fc --- /dev/null +++ b/mls/file_contexts/program/lrrd.fc @@ -0,0 +1,10 @@ +# lrrd +/usr/bin/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/sbin/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/share/lrrd/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/share/lrrd/plugins/.* -- system_u:object_r:lrrd_exec_t +/var/run/lrrd(/.*)? system_u:object_r:lrrd_var_run_t +/var/log/lrrd.* -- system_u:object_r:lrrd_log_t +/var/lib/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t +/var/www/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t +/etc/lrrd(/.*)? system_u:object_r:lrrd_etc_t diff --git a/mls/file_contexts/program/lvm.fc b/mls/file_contexts/program/lvm.fc new file mode 100644 index 0000000..baa6ce1 --- /dev/null +++ b/mls/file_contexts/program/lvm.fc @@ -0,0 +1,69 @@ +# lvm +/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t:s0 +/etc/lvm(/.*)? system_u:object_r:lvm_etc_t:s0 +/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t:s0 +/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t:s0 +/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t:s0 +/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t:s0 +/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t:s0 +# LVM creates lock files in /var before /var is mounted +# configure LVM to put lockfiles in /etc/lvm/lock instead +# for this policy to work (unless you have no separate /var) +/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t:s0 +/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t:s0 +/dev/lvm -c system_u:object_r:fixed_disk_device_t:s0 +/dev/mapper/control -c system_u:object_r:lvm_control_t:s0 +/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t:s0 +/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t:s0 +/sbin/e2fsadm -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvchange -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvcreate -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvdisplay -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvextend -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvmchange -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvmsadc -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvmsar -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvreduce -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvremove -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvrename -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvscan -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvchange -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvcreate -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvdata -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvdisplay -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvmove -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvscan -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgchange -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgck -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgcreate -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgdisplay -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgexport -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgextend -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgimport -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgmerge -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgmknodes -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgreduce -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgremove -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgrename -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgscan -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgsplit -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgwrapper -- system_u:object_r:lvm_exec_t:s0 +/sbin/cryptsetup -- system_u:object_r:lvm_exec_t:s0 +/sbin/dmsetup -- system_u:object_r:lvm_exec_t:s0 +/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvm -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvm\.static -- system_u:object_r:lvm_exec_t:s0 +/usr/sbin/lvm -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvresize -- system_u:object_r:lvm_exec_t:s0 +/sbin/lvs -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvremove -- system_u:object_r:lvm_exec_t:s0 +/sbin/pvs -- system_u:object_r:lvm_exec_t:s0 +/sbin/vgs -- system_u:object_r:lvm_exec_t:s0 +/sbin/multipathd -- system_u:object_r:lvm_exec_t:s0 +/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t:s0 +/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t:s0 diff --git a/mls/file_contexts/program/mailman.fc b/mls/file_contexts/program/mailman.fc new file mode 100644 index 0000000..d8d5b4b --- /dev/null +++ b/mls/file_contexts/program/mailman.fc @@ -0,0 +1,24 @@ +# mailman list server +/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t:s0 +/var/log/mailman(/.*)? system_u:object_r:mailman_log_t:s0 +/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t:s0 +/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0 +/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t:s0 +/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t:s0 + +ifdef(`distro_debian', ` +/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0 +/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0 +/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0 +/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t:s0 +/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t:s0 +') + +ifdef(`distro_redhat', ` +/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t:s0 +/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t:s0 +/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0 +/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t:s0 +/etc/mailman(/.*)? system_u:object_r:mailman_data_t:s0 +/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t:s0 +') diff --git a/mls/file_contexts/program/mdadm.fc b/mls/file_contexts/program/mdadm.fc new file mode 100644 index 0000000..61ebacd --- /dev/null +++ b/mls/file_contexts/program/mdadm.fc @@ -0,0 +1,4 @@ +# mdadm - manage MD devices aka Linux Software Raid. +/sbin/mdmpd -- system_u:object_r:mdadm_exec_t:s0 +/sbin/mdadm -- system_u:object_r:mdadm_exec_t:s0 +/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t:s0 diff --git a/mls/file_contexts/program/modutil.fc b/mls/file_contexts/program/modutil.fc new file mode 100644 index 0000000..0c88179 --- /dev/null +++ b/mls/file_contexts/program/modutil.fc @@ -0,0 +1,14 @@ +# module utilities +/etc/modules\.conf.* -- system_u:object_r:modules_conf_t:s0 +/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0 +/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t:s0 +/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t:s0 +/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0 +/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0 +/sbin/depmod.* -- system_u:object_r:depmod_exec_t:s0 +/sbin/modprobe.* -- system_u:object_r:insmod_exec_t:s0 +/sbin/insmod.* -- system_u:object_r:insmod_exec_t:s0 +/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t:s0 +/sbin/rmmod.* -- system_u:object_r:insmod_exec_t:s0 +/sbin/update-modules -- system_u:object_r:update_modules_exec_t:s0 +/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0 diff --git a/mls/file_contexts/program/monopd.fc b/mls/file_contexts/program/monopd.fc new file mode 100644 index 0000000..457493e --- /dev/null +++ b/mls/file_contexts/program/monopd.fc @@ -0,0 +1,4 @@ +# monopd +/etc/monopd\.conf -- system_u:object_r:monopd_etc_t +/usr/sbin/monopd -- system_u:object_r:monopd_exec_t +/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t diff --git a/mls/file_contexts/program/mount.fc b/mls/file_contexts/program/mount.fc new file mode 100644 index 0000000..93b7874 --- /dev/null +++ b/mls/file_contexts/program/mount.fc @@ -0,0 +1,3 @@ +# mount +/bin/mount.* -- system_u:object_r:mount_exec_t:s0 +/bin/umount.* -- system_u:object_r:mount_exec_t:s0 diff --git a/mls/file_contexts/program/mozilla.fc b/mls/file_contexts/program/mozilla.fc new file mode 100644 index 0000000..2b533a6 --- /dev/null +++ b/mls/file_contexts/program/mozilla.fc @@ -0,0 +1,21 @@ +# netscape/mozilla +HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t +/usr/bin/netscape -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t +/usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t +/etc/mozpluggerrc system_u:object_r:mozilla_conf_t diff --git a/mls/file_contexts/program/mplayer.fc b/mls/file_contexts/program/mplayer.fc new file mode 100644 index 0000000..10465aa --- /dev/null +++ b/mls/file_contexts/program/mplayer.fc @@ -0,0 +1,6 @@ +# mplayer +/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t +/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t + +/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t +HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t diff --git a/mls/file_contexts/program/mrtg.fc b/mls/file_contexts/program/mrtg.fc new file mode 100644 index 0000000..ed68c4e --- /dev/null +++ b/mls/file_contexts/program/mrtg.fc @@ -0,0 +1,7 @@ +# mrtg - traffic grapher +/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t:s0 +/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t:s0 +/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t:s0 +/etc/mrtg.* system_u:object_r:mrtg_etc_t:s0 +/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t:s0 +/var/log/mrtg(/.*)? system_u:object_r:mrtg_log_t:s0 diff --git a/mls/file_contexts/program/mta.fc b/mls/file_contexts/program/mta.fc new file mode 100644 index 0000000..68b30e8 --- /dev/null +++ b/mls/file_contexts/program/mta.fc @@ -0,0 +1,12 @@ +# types for general mail servers +/usr/sbin/sendmail(.sendmail)? -- system_u:object_r:sendmail_exec_t:s0 +/usr/lib(64)?/sendmail -- system_u:object_r:sendmail_exec_t:s0 +/etc/aliases -- system_u:object_r:etc_aliases_t:s0 +/etc/aliases\.db -- system_u:object_r:etc_aliases_t:s0 +/var/spool/mail(/.*)? system_u:object_r:mail_spool_t:s0 +/var/mail(/.*)? system_u:object_r:mail_spool_t:s0 +ifdef(`postfix.te', `', ` +/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0 +/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t:s0 +') + diff --git a/mls/file_contexts/program/mysqld.fc b/mls/file_contexts/program/mysqld.fc new file mode 100644 index 0000000..22933da --- /dev/null +++ b/mls/file_contexts/program/mysqld.fc @@ -0,0 +1,12 @@ +# mysql database server +/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t:s0 +/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t:s0 +/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t:s0 +/var/log/mysql.* -- system_u:object_r:mysqld_log_t:s0 +/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t:s0 +/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t:s0 +/etc/my\.cnf -- system_u:object_r:mysqld_etc_t:s0 +/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t:s0 +ifdef(`distro_debian', ` +/etc/mysql/debian-start -- system_u:object_r:bin_t:s0 +') diff --git a/mls/file_contexts/program/nagios.fc b/mls/file_contexts/program/nagios.fc new file mode 100644 index 0000000..6a8a22d --- /dev/null +++ b/mls/file_contexts/program/nagios.fc @@ -0,0 +1,15 @@ +# nagios - network monitoring server +/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t +/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t +# nagios +ifdef(`distro_debian', ` +/usr/sbin/nagios -- system_u:object_r:nagios_exec_t +/usr/lib/cgi-bin/nagios/.+ -- system_u:object_r:nagios_cgi_exec_t +', ` +/usr/bin/nagios -- system_u:object_r:nagios_exec_t +/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t +') +/etc/nagios(/.*)? system_u:object_r:nagios_etc_t +/var/log/nagios(/.*)? system_u:object_r:nagios_log_t +/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t diff --git a/mls/file_contexts/program/named.fc b/mls/file_contexts/program/named.fc new file mode 100644 index 0000000..b94d641 --- /dev/null +++ b/mls/file_contexts/program/named.fc @@ -0,0 +1,49 @@ +# named +ifdef(`distro_redhat', ` +/var/named(/.*)? system_u:object_r:named_zone_t:s0 +/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0 +/var/named/data(/.*)? system_u:object_r:named_cache_t:s0 +/etc/named\.conf -- system_u:object_r:named_conf_t:s0 +') dnl end distro_redhat + +ifdef(`distro_debian', ` +/etc/bind(/.*)? system_u:object_r:named_zone_t:s0 +/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0 +/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0 +/var/cache/bind(/.*)? system_u:object_r:named_cache_t:s0 +') dnl distro_debian + +/etc/rndc.* -- system_u:object_r:named_conf_t:s0 +/etc/rndc\.key -- system_u:object_r:dnssec_t:s0 +/usr/sbin/named -- system_u:object_r:named_exec_t:s0 +/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t:s0 +/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t:s0 +/var/run/ndc -s system_u:object_r:named_var_run_t:s0 +/var/run/bind(/.*)? system_u:object_r:named_var_run_t:s0 +/var/run/named(/.*)? system_u:object_r:named_var_run_t:s0 +/usr/sbin/lwresd -- system_u:object_r:named_exec_t:s0 +/var/log/named.* -- system_u:object_r:named_log_t:s0 + +ifdef(`distro_redhat', ` +/var/named/named\.ca -- system_u:object_r:named_conf_t:s0 +/var/named/chroot(/.*)? system_u:object_r:named_conf_t:s0 +/var/named/chroot/dev/null -c system_u:object_r:null_device_t:s0 +/var/named/chroot/dev/random -c system_u:object_r:random_device_t:s0 +/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t:s0 +/var/named/chroot/etc(/.*)? system_u:object_r:named_conf_t:s0 +/var/named/chroot/etc/rndc.key -- system_u:object_r:dnssec_t:s0 +/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0 +/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0 +/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t:s0 +/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0 +/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0 +/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t:s0 +') dnl distro_redhat + +ifdef(`distro_gentoo', ` +/etc/bind(/.*)? system_u:object_r:named_zone_t:s0 +/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0 +/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0 +/var/bind(/.*)? system_u:object_r:named_cache_t:s0 +/var/bind/pri(/.*)? system_u:object_r:named_zone_t:s0 +') dnl distro_gentoo diff --git a/mls/file_contexts/program/nessusd.fc b/mls/file_contexts/program/nessusd.fc new file mode 100644 index 0000000..adec00b --- /dev/null +++ b/mls/file_contexts/program/nessusd.fc @@ -0,0 +1,6 @@ +# nessusd - network scanning server +/usr/sbin/nessusd -- system_u:object_r:nessusd_exec_t +/usr/lib(64)?/nessus/plugins/.* -- system_u:object_r:nessusd_exec_t +/var/lib/nessus(/.*)? system_u:object_r:nessusd_db_t +/var/log/nessus(/.*)? system_u:object_r:nessusd_log_t +/etc/nessus/nessusd\.conf -- system_u:object_r:nessusd_etc_t diff --git a/mls/file_contexts/program/netutils.fc b/mls/file_contexts/program/netutils.fc new file mode 100644 index 0000000..a6ae5d5 --- /dev/null +++ b/mls/file_contexts/program/netutils.fc @@ -0,0 +1,4 @@ +# network utilities +/sbin/arping -- system_u:object_r:netutils_exec_t:s0 +/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t:s0 +/etc/network/ifstate -- system_u:object_r:etc_runtime_t:s0 diff --git a/mls/file_contexts/program/newrole.fc b/mls/file_contexts/program/newrole.fc new file mode 100644 index 0000000..6b03678 --- /dev/null +++ b/mls/file_contexts/program/newrole.fc @@ -0,0 +1,2 @@ +# newrole +/usr/bin/newrole -- system_u:object_r:newrole_exec_t:s0 diff --git a/mls/file_contexts/program/nrpe.fc b/mls/file_contexts/program/nrpe.fc new file mode 100644 index 0000000..6523cc3 --- /dev/null +++ b/mls/file_contexts/program/nrpe.fc @@ -0,0 +1,7 @@ +# nrpe +/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t +/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t +ifdef(`nagios.te', `', ` +/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t +') diff --git a/mls/file_contexts/program/nscd.fc b/mls/file_contexts/program/nscd.fc new file mode 100644 index 0000000..aa8af5b --- /dev/null +++ b/mls/file_contexts/program/nscd.fc @@ -0,0 +1,7 @@ +# nscd +/usr/sbin/nscd -- system_u:object_r:nscd_exec_t:s0 +/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t:s0 +/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t:s0 +/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0 +/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0 +/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t:s0 diff --git a/mls/file_contexts/program/nsd.fc b/mls/file_contexts/program/nsd.fc new file mode 100644 index 0000000..43b49fe --- /dev/null +++ b/mls/file_contexts/program/nsd.fc @@ -0,0 +1,12 @@ +# nsd +/etc/nsd(/.*)? system_u:object_r:nsd_conf_t +/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t +/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t +/etc/nsd/nsd\.db -- system_u:object_r:nsd_db_t +/var/lib/nsd(/.*)? system_u:object_r:nsd_zone_t +/var/lib/nsd/nsd\.db -- system_u:object_r:nsd_db_t +/usr/sbin/nsd -- system_u:object_r:nsd_exec_t +/usr/sbin/nsdc -- system_u:object_r:nsd_exec_t +/usr/sbin/nsd-notify -- system_u:object_r:nsd_exec_t +/usr/sbin/zonec -- system_u:object_r:nsd_exec_t +/var/run/nsd\.pid -- system_u:object_r:nsd_var_run_t diff --git a/mls/file_contexts/program/ntpd.fc b/mls/file_contexts/program/ntpd.fc new file mode 100644 index 0000000..b9040bb --- /dev/null +++ b/mls/file_contexts/program/ntpd.fc @@ -0,0 +1,12 @@ +/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t:s0 +/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t:s0 +/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t:s0 +/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t:s0 +/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t:s0 +/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t:s0 +/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t:s0 +/var/log/ntp.* -- system_u:object_r:ntpd_log_t:s0 +/var/log/xntpd.* -- system_u:object_r:ntpd_log_t:s0 +/var/run/ntpd\.pid -- system_u:object_r:ntpd_var_run_t:s0 +/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0 +/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0 diff --git a/mls/file_contexts/program/nx_server.fc b/mls/file_contexts/program/nx_server.fc new file mode 100644 index 0000000..d993646 --- /dev/null +++ b/mls/file_contexts/program/nx_server.fc @@ -0,0 +1,5 @@ +# nx +/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t +/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t +/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t + diff --git a/mls/file_contexts/program/oav-update.fc b/mls/file_contexts/program/oav-update.fc new file mode 100644 index 0000000..5e88a02 --- /dev/null +++ b/mls/file_contexts/program/oav-update.fc @@ -0,0 +1,4 @@ +/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t +/var/lib/oav-update(/.*)? system_u:object_r:oav_update_var_lib_t +/usr/sbin/oav-update -- system_u:object_r:oav_update_exec_t +/etc/oav-update(/.*)? system_u:object_r:oav_update_etc_t diff --git a/mls/file_contexts/program/openca-ca.fc b/mls/file_contexts/program/openca-ca.fc new file mode 100644 index 0000000..99ddefe --- /dev/null +++ b/mls/file_contexts/program/openca-ca.fc @@ -0,0 +1,8 @@ +/etc/openca(/.*)? system_u:object_r:openca_etc_t +/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t +/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t +/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t +/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t +/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t +/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t +/usr/share/openca/cgi-bin/ca/.+ -- system_u:object_r:openca_ca_exec_t diff --git a/mls/file_contexts/program/openca-common.fc b/mls/file_contexts/program/openca-common.fc new file mode 100644 index 0000000..b75952f --- /dev/null +++ b/mls/file_contexts/program/openca-common.fc @@ -0,0 +1,7 @@ +/etc/openca(/.*)? system_u:object_r:openca_etc_t +/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t +/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t +/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t +/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t +/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t +/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t diff --git a/mls/file_contexts/program/openct.fc b/mls/file_contexts/program/openct.fc new file mode 100644 index 0000000..5f1db4b --- /dev/null +++ b/mls/file_contexts/program/openct.fc @@ -0,0 +1,2 @@ +/usr/sbin/openct-control -- system_u:object_r:openct_exec_t:s0 +/var/run/openct(/.*)? system_u:object_r:openct_var_run_t:s0 diff --git a/mls/file_contexts/program/openvpn.fc b/mls/file_contexts/program/openvpn.fc new file mode 100644 index 0000000..34b2992 --- /dev/null +++ b/mls/file_contexts/program/openvpn.fc @@ -0,0 +1,4 @@ +# OpenVPN + +/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t +/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t diff --git a/mls/file_contexts/program/orbit.fc b/mls/file_contexts/program/orbit.fc new file mode 100644 index 0000000..9ff0bc8 --- /dev/null +++ b/mls/file_contexts/program/orbit.fc @@ -0,0 +1,3 @@ +/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t:s0 +/tmp/orbit-USER(-.*)?/linc.* -s <> +/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t:s0 diff --git a/mls/file_contexts/program/pam.fc b/mls/file_contexts/program/pam.fc new file mode 100644 index 0000000..ad51a01 --- /dev/null +++ b/mls/file_contexts/program/pam.fc @@ -0,0 +1,3 @@ +/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t:s0 +/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t:s0 +/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t:s0 diff --git a/mls/file_contexts/program/pamconsole.fc b/mls/file_contexts/program/pamconsole.fc new file mode 100644 index 0000000..633977d --- /dev/null +++ b/mls/file_contexts/program/pamconsole.fc @@ -0,0 +1,3 @@ +# pam_console_apply +/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t:s0 +/var/run/console(/.*)? system_u:object_r:pam_var_console_t:s0 diff --git a/mls/file_contexts/program/passwd.fc b/mls/file_contexts/program/passwd.fc new file mode 100644 index 0000000..823f931 --- /dev/null +++ b/mls/file_contexts/program/passwd.fc @@ -0,0 +1,13 @@ +# spasswd +/usr/bin/passwd -- system_u:object_r:passwd_exec_t:s0 +/usr/bin/chage -- system_u:object_r:passwd_exec_t:s0 +/usr/bin/chsh -- system_u:object_r:chfn_exec_t:s0 +/usr/bin/chfn -- system_u:object_r:chfn_exec_t:s0 +/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t:s0 +/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t:s0 diff --git a/mls/file_contexts/program/pegasus.fc b/mls/file_contexts/program/pegasus.fc new file mode 100644 index 0000000..f4b9f15 --- /dev/null +++ b/mls/file_contexts/program/pegasus.fc @@ -0,0 +1,9 @@ +# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver +/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t:s0 +/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t:s0 +/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t:s0 +/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t:s0 +/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t:s0 +/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t:s0 +/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t:s0 + diff --git a/mls/file_contexts/program/perdition.fc b/mls/file_contexts/program/perdition.fc new file mode 100644 index 0000000..a2d2adb --- /dev/null +++ b/mls/file_contexts/program/perdition.fc @@ -0,0 +1,3 @@ +# perdition POP and IMAP proxy +/usr/sbin/perdition -- system_u:object_r:perdition_exec_t +/etc/perdition(/.*)? system_u:object_r:perdition_etc_t diff --git a/mls/file_contexts/program/ping.fc b/mls/file_contexts/program/ping.fc new file mode 100644 index 0000000..a4ed8cb --- /dev/null +++ b/mls/file_contexts/program/ping.fc @@ -0,0 +1,3 @@ +# ping +/bin/ping.* -- system_u:object_r:ping_exec_t:s0 +/usr/sbin/hping2 -- system_u:object_r:ping_exec_t:s0 diff --git a/mls/file_contexts/program/portmap.fc b/mls/file_contexts/program/portmap.fc new file mode 100644 index 0000000..60da994 --- /dev/null +++ b/mls/file_contexts/program/portmap.fc @@ -0,0 +1,10 @@ +# portmap +/sbin/portmap -- system_u:object_r:portmap_exec_t:s0 +ifdef(`distro_debian', ` +/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0 +/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0 +', ` +/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0 +/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0 +') +/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0 diff --git a/mls/file_contexts/program/portslave.fc b/mls/file_contexts/program/portslave.fc new file mode 100644 index 0000000..873334d --- /dev/null +++ b/mls/file_contexts/program/portslave.fc @@ -0,0 +1,5 @@ +# portslave +/usr/sbin/portslave -- system_u:object_r:portslave_exec_t +/usr/sbin/ctlportslave -- system_u:object_r:portslave_exec_t +/etc/portslave(/.*)? system_u:object_r:portslave_etc_t +/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t diff --git a/mls/file_contexts/program/postfix.fc b/mls/file_contexts/program/postfix.fc new file mode 100644 index 0000000..300da75 --- /dev/null +++ b/mls/file_contexts/program/postfix.fc @@ -0,0 +1,59 @@ +# postfix +/etc/postfix(/.*)? system_u:object_r:postfix_etc_t:s0 +ifdef(`distro_redhat', ` +/etc/postfix/aliases.* system_u:object_r:etc_aliases_t:s0 +/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t:s0 +/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0 +/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t:s0 +/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t:s0 +/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0 +/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0 +/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0 +/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0 +/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0 +/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0 +/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0 +/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0 +', ` +/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t:s0 +/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0 +/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t:s0 +/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t:s0 +/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0 +/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0 +/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0 +/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0 +/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0 +/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0 +/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0 +/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0 +') +/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0 +/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t:s0 +/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t:s0 +/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postkick -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postlock -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t:s0 +/usr/sbin/postqueue -- system_u:object_r:postfix_postqueue_exec_t:s0 +/usr/sbin/postsuper -- system_u:object_r:postfix_master_exec_t:s0 +/usr/sbin/rmail -- system_u:object_r:sendmail_exec_t:s0 +/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0 +/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t:s0 +/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0 +/var/spool/postfix/pid -d system_u:object_r:var_run_t:s0 +/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t:s0 +/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0 +/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0 +/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0 +/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t:s0 +/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t:s0 +/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t:s0 +/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t:s0 +/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0 +/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0 +/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0 +/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0 diff --git a/mls/file_contexts/program/postgresql.fc b/mls/file_contexts/program/postgresql.fc new file mode 100644 index 0000000..635a74a --- /dev/null +++ b/mls/file_contexts/program/postgresql.fc @@ -0,0 +1,20 @@ +# postgresql - database server +/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t:s0 +/usr/bin/postgres -- system_u:object_r:postgresql_exec_t:s0 +/usr/bin/initdb -- system_u:object_r:postgresql_exec_t:s0 + +/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t:s0 +/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t:s0 +/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t:s0 +/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t:s0 +/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t:s0 +/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t:s0 +/var/lib/pgsql/pgstartup.log system_u:object_r:postgresql_log_t:s0 +/usr/lib/pgsql/test/regres(/.*)? system_u:object_r:postgresql_db_t:s0 +/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t:s0 +/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t:s0 +/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t:s0 +ifdef(`distro_redhat', ` +/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t:s0 +/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t:s0 +') diff --git a/mls/file_contexts/program/postgrey.fc b/mls/file_contexts/program/postgrey.fc new file mode 100644 index 0000000..89e43fd --- /dev/null +++ b/mls/file_contexts/program/postgrey.fc @@ -0,0 +1,5 @@ +# postgrey - postfix grey-listing server +/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t +/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t +/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t +/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t diff --git a/mls/file_contexts/program/pppd.fc b/mls/file_contexts/program/pppd.fc new file mode 100644 index 0000000..87e3cb7 --- /dev/null +++ b/mls/file_contexts/program/pppd.fc @@ -0,0 +1,25 @@ +# pppd +/usr/sbin/pppd -- system_u:object_r:pppd_exec_t:s0 +/usr/sbin/pptp -- system_u:object_r:pptp_exec_t:s0 +/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t:s0 +/dev/ppp -c system_u:object_r:ppp_device_t:s0 +/dev/pppox.* -c system_u:object_r:ppp_device_t:s0 +/dev/ippp.* -c system_u:object_r:ppp_device_t:s0 +/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t:s0 +/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t:s0 +/etc/ppp -d system_u:object_r:pppd_etc_t:s0 +/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t:s0 +/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t:s0 +/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t:s0 +/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0 +/var/log/ppp/.* -- system_u:object_r:pppd_log_t:s0 +/etc/ppp/ip-down\..* -- system_u:object_r:bin_t:s0 +/etc/ppp/ip-up\..* -- system_u:object_r:bin_t:s0 +/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t:s0 +/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t:s0 +/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t:s0 +/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t:s0 +# Fix pptp sockets +/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t:s0 +# Fix /etc/ppp {up,down} family scripts (see man pppd) +/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t:s0 diff --git a/mls/file_contexts/program/prelink.fc b/mls/file_contexts/program/prelink.fc new file mode 100644 index 0000000..fca98ee --- /dev/null +++ b/mls/file_contexts/program/prelink.fc @@ -0,0 +1,8 @@ +# prelink - prelink ELF shared libraries and binaries to speed up startup time +/usr/sbin/prelink -- system_u:object_r:prelink_exec_t:s0 +ifdef(`distro_debian', ` +/usr/sbin/prelink\.bin -- system_u:object_r:prelink_exec_t:s0 +') +/etc/prelink\.conf -- system_u:object_r:etc_prelink_t:s0 +/var/log/prelink\.log -- system_u:object_r:prelink_log_t:s0 +/etc/prelink\.cache -- system_u:object_r:prelink_cache_t:s0 diff --git a/mls/file_contexts/program/privoxy.fc b/mls/file_contexts/program/privoxy.fc new file mode 100644 index 0000000..d8d5647 --- /dev/null +++ b/mls/file_contexts/program/privoxy.fc @@ -0,0 +1,3 @@ +# privoxy +/usr/sbin/privoxy -- system_u:object_r:privoxy_exec_t:s0 +/var/log/privoxy(/.*)? system_u:object_r:privoxy_log_t:s0 diff --git a/mls/file_contexts/program/procmail.fc b/mls/file_contexts/program/procmail.fc new file mode 100644 index 0000000..f231527 --- /dev/null +++ b/mls/file_contexts/program/procmail.fc @@ -0,0 +1,2 @@ +# procmail +/usr/bin/procmail -- system_u:object_r:procmail_exec_t:s0 diff --git a/mls/file_contexts/program/publicfile.fc b/mls/file_contexts/program/publicfile.fc new file mode 100644 index 0000000..dc32249 --- /dev/null +++ b/mls/file_contexts/program/publicfile.fc @@ -0,0 +1,9 @@ + +/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t +/usr/bin/httpd -- system_u:object_r:publicfile_exec_t +/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t + +# this is the place where online content located +# set this to suit your needs +#/var/www(/.*)? system_u:object_r:publicfile_content_t + diff --git a/mls/file_contexts/program/pxe.fc b/mls/file_contexts/program/pxe.fc new file mode 100644 index 0000000..165076a --- /dev/null +++ b/mls/file_contexts/program/pxe.fc @@ -0,0 +1,5 @@ +# pxe network boot server +/usr/sbin/pxe -- system_u:object_r:pxe_exec_t +/var/log/pxe\.log -- system_u:object_r:pxe_log_t +/var/run/pxe\.pid -- system_u:object_r:pxe_var_run_t + diff --git a/mls/file_contexts/program/pyzor.fc b/mls/file_contexts/program/pyzor.fc new file mode 100644 index 0000000..ff62295 --- /dev/null +++ b/mls/file_contexts/program/pyzor.fc @@ -0,0 +1,6 @@ +/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t +/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t +/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t +/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t +/var/log/pyzord.log -- system_u:object_r:pyzord_log_t +HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t diff --git a/mls/file_contexts/program/qmail.fc b/mls/file_contexts/program/qmail.fc new file mode 100644 index 0000000..7704ed7 --- /dev/null +++ b/mls/file_contexts/program/qmail.fc @@ -0,0 +1,38 @@ +# qmail - Debian locations +/etc/qmail(/.*)? system_u:object_r:qmail_etc_t +/var/qmail(/.*)? system_u:object_r:qmail_etc_t +/var/spool/qmail(/.*)? system_u:object_r:qmail_spool_t +/usr/sbin/qmail-start -- system_u:object_r:qmail_start_exec_t +/usr/sbin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t +/usr/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t +/usr/sbin/qmail-inject -- system_u:object_r:qmail_inject_exec_t +/usr/sbin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t +/usr/sbin/qmail-queue -- system_u:object_r:qmail_queue_exec_t +/usr/sbin/qmail-local -- system_u:object_r:qmail_local_exec_t +/usr/sbin/qmail-clean -- system_u:object_r:qmail_clean_exec_t +/usr/sbin/qmail-send -- system_u:object_r:qmail_send_exec_t +/usr/sbin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t +/usr/sbin/qmail-remote -- system_u:object_r:qmail_remote_exec_t +/usr/sbin/qmail-qread -- system_u:object_r:qmail_qread_exec_t +/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t +/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t +/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t +# qmail - djb locations +/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t +/var/qmail/bin -d system_u:object_r:bin_t +/var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t +/var/qmail/bin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t +/var/qmail/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t +/var/qmail/bin/qmail-inject -- system_u:object_r:qmail_inject_exec_t +/var/qmail/bin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t +/var/qmail/bin/qmail-queue -- system_u:object_r:qmail_queue_exec_t +/var/qmail/bin/qmail-local -- system_u:object_r:qmail_local_exec_t +/var/qmail/bin/qmail-clean -- system_u:object_r:qmail_clean_exec_t +/var/qmail/bin/qmail-send -- system_u:object_r:qmail_send_exec_t +/var/qmail/bin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t +/var/qmail/bin/qmail-remote -- system_u:object_r:qmail_remote_exec_t +/var/qmail/bin/qmail-qread -- system_u:object_r:qmail_qread_exec_t +/var/qmail/bin/qmail-start -- system_u:object_r:qmail_start_exec_t +/var/qmail/rc -- system_u:object_r:bin_t +/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t +/var/qmail/bin/qmail-getpw -- system_u:object_r:qmail_exec_t diff --git a/mls/file_contexts/program/quota.fc b/mls/file_contexts/program/quota.fc new file mode 100644 index 0000000..8aa74f1 --- /dev/null +++ b/mls/file_contexts/program/quota.fc @@ -0,0 +1,10 @@ +# quota system +/var/lib/quota(/.*)? system_u:object_r:quota_flag_t:s0 +/sbin/quota(check|on) -- system_u:object_r:quota_exec_t:s0 +ifdef(`distro_redhat', ` +/usr/sbin/convertquota -- system_u:object_r:quota_exec_t:s0 +', ` +/sbin/convertquota -- system_u:object_r:quota_exec_t:s0 +') +HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 +/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 diff --git a/mls/file_contexts/program/radius.fc b/mls/file_contexts/program/radius.fc new file mode 100644 index 0000000..e3b9d51 --- /dev/null +++ b/mls/file_contexts/program/radius.fc @@ -0,0 +1,15 @@ +# radius +/etc/raddb(/.*)? system_u:object_r:radiusd_etc_t:s0 +/usr/sbin/radiusd -- system_u:object_r:radiusd_exec_t:s0 +/usr/sbin/freeradius -- system_u:object_r:radiusd_exec_t:s0 +/var/log/radiusd-freeradius(/.*)? system_u:object_r:radiusd_log_t:s0 +/var/log/radius\.log.* -- system_u:object_r:radiusd_log_t:s0 +/var/log/radius(/.*)? system_u:object_r:radiusd_log_t:s0 +/var/log/freeradius(/.*)? system_u:object_r:radiusd_log_t:s0 +/var/log/radacct(/.*)? system_u:object_r:radiusd_log_t:s0 +/var/log/radutmp -- system_u:object_r:radiusd_log_t:s0 +/var/log/radwtmp.* -- system_u:object_r:radiusd_log_t:s0 +/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0 +/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0 +/var/run/radiusd\.pid -- system_u:object_r:radiusd_var_run_t:s0 +/var/run/radiusd(/.*)? system_u:object_r:radiusd_var_run_t:s0 diff --git a/mls/file_contexts/program/radvd.fc b/mls/file_contexts/program/radvd.fc new file mode 100644 index 0000000..ab6bc47 --- /dev/null +++ b/mls/file_contexts/program/radvd.fc @@ -0,0 +1,5 @@ +# radvd +/etc/radvd\.conf -- system_u:object_r:radvd_etc_t:s0 +/usr/sbin/radvd -- system_u:object_r:radvd_exec_t:s0 +/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t:s0 +/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t:s0 diff --git a/mls/file_contexts/program/razor.fc b/mls/file_contexts/program/razor.fc new file mode 100644 index 0000000..f3f1346 --- /dev/null +++ b/mls/file_contexts/program/razor.fc @@ -0,0 +1,6 @@ +# razor +/etc/razor(/.*)? system_u:object_r:razor_etc_t +/usr/bin/razor.* system_u:object_r:razor_exec_t +/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t +/var/log/razor-agent.log system_u:object_r:razor_log_t +HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t diff --git a/mls/file_contexts/program/rdisc.fc b/mls/file_contexts/program/rdisc.fc new file mode 100644 index 0000000..f3ec427 --- /dev/null +++ b/mls/file_contexts/program/rdisc.fc @@ -0,0 +1,2 @@ +# rdisc +/sbin/rdisc system_u:object_r:rdisc_exec_t:s0 diff --git a/mls/file_contexts/program/readahead.fc b/mls/file_contexts/program/readahead.fc new file mode 100644 index 0000000..16362a4 --- /dev/null +++ b/mls/file_contexts/program/readahead.fc @@ -0,0 +1 @@ +/usr/sbin/readahead -- system_u:object_r:readahead_exec_t:s0 diff --git a/mls/file_contexts/program/resmgrd.fc b/mls/file_contexts/program/resmgrd.fc new file mode 100644 index 0000000..bee4680 --- /dev/null +++ b/mls/file_contexts/program/resmgrd.fc @@ -0,0 +1,6 @@ +# resmgrd +/sbin/resmgrd -- system_u:object_r:resmgrd_exec_t +/etc/resmgr\.conf -- system_u:object_r:resmgrd_etc_t +/var/run/resmgr\.pid -- system_u:object_r:resmgrd_var_run_t +/var/run/\.resmgr_socket -s system_u:object_r:resmgrd_var_run_t + diff --git a/mls/file_contexts/program/restorecon.fc b/mls/file_contexts/program/restorecon.fc new file mode 100644 index 0000000..cd62c78 --- /dev/null +++ b/mls/file_contexts/program/restorecon.fc @@ -0,0 +1,2 @@ +# restorecon +/sbin/restorecon -- system_u:object_r:restorecon_exec_t:s0 diff --git a/mls/file_contexts/program/rhgb.fc b/mls/file_contexts/program/rhgb.fc new file mode 100644 index 0000000..118972e --- /dev/null +++ b/mls/file_contexts/program/rhgb.fc @@ -0,0 +1 @@ +/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t diff --git a/mls/file_contexts/program/rlogind.fc b/mls/file_contexts/program/rlogind.fc new file mode 100644 index 0000000..ce68e2c --- /dev/null +++ b/mls/file_contexts/program/rlogind.fc @@ -0,0 +1,4 @@ +# rlogind and telnetd +/usr/sbin/in\.rlogind -- system_u:object_r:rlogind_exec_t:s0 +/usr/lib(64)?/telnetlogin -- system_u:object_r:rlogind_exec_t:s0 +/usr/kerberos/sbin/klogind -- system_u:object_r:rlogind_exec_t:s0 diff --git a/mls/file_contexts/program/roundup.fc b/mls/file_contexts/program/roundup.fc new file mode 100644 index 0000000..394359f --- /dev/null +++ b/mls/file_contexts/program/roundup.fc @@ -0,0 +1,2 @@ +/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t:s0 +/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t:s0 diff --git a/mls/file_contexts/program/rpcd.fc b/mls/file_contexts/program/rpcd.fc new file mode 100644 index 0000000..916cd25 --- /dev/null +++ b/mls/file_contexts/program/rpcd.fc @@ -0,0 +1,12 @@ +# RPC daemons +/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t:s0 +/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t:s0 +/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t:s0 +/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t:s0 +/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t:s0 +/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t:s0 +/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t:s0 +/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t:s0 +/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t:s0 +/etc/exports -- system_u:object_r:exports_t:s0 + diff --git a/mls/file_contexts/program/rpm.fc b/mls/file_contexts/program/rpm.fc new file mode 100644 index 0000000..494fbcf --- /dev/null +++ b/mls/file_contexts/program/rpm.fc @@ -0,0 +1,29 @@ +# rpm +/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t:s0 +/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t:s0 +/bin/rpm -- system_u:object_r:rpm_exec_t:s0 +/usr/bin/yum -- system_u:object_r:rpm_exec_t:s0 +/usr/bin/apt-get -- system_u:object_r:rpm_exec_t:s0 +/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t:s0 +/usr/bin/synaptic -- system_u:object_r:rpm_exec_t:s0 +/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t:s0 +/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t:s0 +/var/log/yum\.log -- system_u:object_r:rpm_log_t:s0 +ifdef(`distro_redhat', ` +/usr/sbin/up2date -- system_u:object_r:rpm_exec_t:s0 +/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t:s0 +') +# SuSE +ifdef(`distro_suse', ` +/usr/bin/online_update -- system_u:object_r:rpm_exec_t:s0 +/sbin/yast2 -- system_u:object_r:rpm_exec_t:s0 +/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t:s0 +/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t:s0 +') + +ifdef(`mls_policy', ` +/sbin/cpio -- system_u:object_r:rpm_exec_t:s0 +') diff --git a/mls/file_contexts/program/rshd.fc b/mls/file_contexts/program/rshd.fc new file mode 100644 index 0000000..a7141fe --- /dev/null +++ b/mls/file_contexts/program/rshd.fc @@ -0,0 +1,4 @@ +# rshd. +/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t:s0 +/usr/sbin/in\.rexecd -- system_u:object_r:rshd_exec_t:s0 +/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t:s0 diff --git a/mls/file_contexts/program/rssh.fc b/mls/file_contexts/program/rssh.fc new file mode 100644 index 0000000..16ec3a3 --- /dev/null +++ b/mls/file_contexts/program/rssh.fc @@ -0,0 +1,2 @@ +# rssh +/usr/bin/rssh -- system_u:object_r:rssh_exec_t diff --git a/mls/file_contexts/program/rsync.fc b/mls/file_contexts/program/rsync.fc new file mode 100644 index 0000000..edb25f3 --- /dev/null +++ b/mls/file_contexts/program/rsync.fc @@ -0,0 +1,3 @@ +# rsync program +/usr/bin/rsync -- system_u:object_r:rsync_exec_t:s0 +/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t:s0 diff --git a/mls/file_contexts/program/samba.fc b/mls/file_contexts/program/samba.fc new file mode 100644 index 0000000..204eb3f --- /dev/null +++ b/mls/file_contexts/program/samba.fc @@ -0,0 +1,26 @@ +# samba scripts +/usr/sbin/smbd -- system_u:object_r:smbd_exec_t:s0 +/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t:s0 +/usr/bin/net -- system_u:object_r:samba_net_exec_t:s0 +/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0 +/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0 +/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0 +/var/lib/samba(/.*)? system_u:object_r:samba_var_t:s0 +/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0 +/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0 +# samba really wants write access to smbpasswd +/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t:s0 +/var/run/samba/locking\.tdb -- system_u:object_r:smbd_var_run_t:s0 +/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0 +/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0 +/var/run/samba/brlock\.tdb -- system_u:object_r:smbd_var_run_t:s0 +/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0 +/var/run/samba/messages\.tdb -- system_u:object_r:nmbd_var_run_t:s0 +/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0 +/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t:s0 +/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t:s0 +/var/spool/samba(/.*)? system_u:object_r:samba_var_t:s0 +ifdef(`mount.te', ` +/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t:s0 +/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t:s0 +') diff --git a/mls/file_contexts/program/saslauthd.fc b/mls/file_contexts/program/saslauthd.fc new file mode 100644 index 0000000..a8275a6 --- /dev/null +++ b/mls/file_contexts/program/saslauthd.fc @@ -0,0 +1,3 @@ +# saslauthd +/usr/sbin/saslauthd -- system_u:object_r:saslauthd_exec_t:s0 +/var/run/saslauthd(/.*)? system_u:object_r:saslauthd_var_run_t:s0 diff --git a/mls/file_contexts/program/scannerdaemon.fc b/mls/file_contexts/program/scannerdaemon.fc new file mode 100644 index 0000000..a43bf87 --- /dev/null +++ b/mls/file_contexts/program/scannerdaemon.fc @@ -0,0 +1,4 @@ +# scannerdaemon +/usr/sbin/scannerdaemon -- system_u:object_r:scannerdaemon_exec_t +/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t +/var/log/scannerdaemon\.log -- system_u:object_r:scannerdaemon_log_t diff --git a/mls/file_contexts/program/screen.fc b/mls/file_contexts/program/screen.fc new file mode 100644 index 0000000..401072a --- /dev/null +++ b/mls/file_contexts/program/screen.fc @@ -0,0 +1,5 @@ +# screen +/usr/bin/screen -- system_u:object_r:screen_exec_t:s0 +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t:s0 +/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t:s0 +/var/run/screens?/S-[^/]+/.* <> diff --git a/mls/file_contexts/program/sendmail.fc b/mls/file_contexts/program/sendmail.fc new file mode 100644 index 0000000..8b9164d --- /dev/null +++ b/mls/file_contexts/program/sendmail.fc @@ -0,0 +1,13 @@ +# sendmail +/etc/mail(/.*)? system_u:object_r:etc_mail_t:s0 +/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t:s0 +/var/log/mail(/.*)? system_u:object_r:sendmail_log_t:s0 +/var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t:s0 +/var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t:s0 +ifdef(`distro_redhat', ` +/etc/rc.d/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t:s0 +/var/lock/subsys/sm-client -- system_u:object_r:sendmail_launch_lock_t:s0 +/var/lock/subsys/sendmail -- system_u:object_r:sendmail_launch_lock_t:s0 +', ` +/etc/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t:s0 +') diff --git a/mls/file_contexts/program/setfiles.fc b/mls/file_contexts/program/setfiles.fc new file mode 100644 index 0000000..45e245b --- /dev/null +++ b/mls/file_contexts/program/setfiles.fc @@ -0,0 +1,3 @@ +# setfiles +/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t:s0 + diff --git a/mls/file_contexts/program/slapd.fc b/mls/file_contexts/program/slapd.fc new file mode 100644 index 0000000..4a5ff0d --- /dev/null +++ b/mls/file_contexts/program/slapd.fc @@ -0,0 +1,19 @@ +# slapd - ldap server +/usr/sbin/slapd -- system_u:object_r:slapd_exec_t:s0 +/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t:s0 +/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t:s0 +/var/run/slapd\.args -- system_u:object_r:slapd_var_run_t:s0 +/etc/ldap/slapd\.conf -- system_u:object_r:slapd_etc_t:s0 +/var/run/slapd\.pid -- system_u:object_r:slapd_var_run_t:s0 +/var/run/ldapi -s system_u:object_r:slapd_var_run_t:s0 +/opt/(fedora|redhat)-ds(/.*)?/bin/slapd/server/ns-slapd -- system_u:object_r:slapd_exec_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/logs(/.*)? system_u:object_r:slapd_var_run_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/locks(/.*)? system_u:object_r:slapd_lock_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/tmp(/.*)? system_u:object_r:slapd_var_run_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/config(/.*)? system_u:object_r:slapd_var_run_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/db(/.*)? system_u:object_r:slapd_db_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/bak(/.*)? system_u:object_r:slapd_db_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/start-slapd system_u:object_r:initrc_exec_t:s0 +/opt/(fedora|redhat)-ds/slapd-[^/]+/stop-slapd system_u:object_r:initrc_exec_t:s0 +/opt/(fedora|redhat)-ds/alias(/.*)? system_u:object_r:slapd_cert_t:s0 +/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t:s0 diff --git a/mls/file_contexts/program/slocate.fc b/mls/file_contexts/program/slocate.fc new file mode 100644 index 0000000..5baa3b2 --- /dev/null +++ b/mls/file_contexts/program/slocate.fc @@ -0,0 +1,4 @@ +# locate - file locater +/usr/bin/s?locate -- system_u:object_r:locate_exec_t:s0 +/var/lib/[sm]locate(/.*)? system_u:object_r:locate_var_lib_t:s0 +/etc/updatedb\.conf -- system_u:object_r:locate_etc_t:s0 diff --git a/mls/file_contexts/program/slrnpull.fc b/mls/file_contexts/program/slrnpull.fc new file mode 100644 index 0000000..e05abc8 --- /dev/null +++ b/mls/file_contexts/program/slrnpull.fc @@ -0,0 +1,3 @@ +# slrnpull +/usr/bin/slrnpull -- system_u:object_r:slrnpull_exec_t:s0 +/var/spool/slrnpull(/.*)? system_u:object_r:slrnpull_spool_t:s0 diff --git a/mls/file_contexts/program/snmpd.fc b/mls/file_contexts/program/snmpd.fc new file mode 100644 index 0000000..c81b3fe --- /dev/null +++ b/mls/file_contexts/program/snmpd.fc @@ -0,0 +1,10 @@ +# snmpd +/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t:s0 +/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0 +/var/lib/net-snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0 +/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0 +/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0 +/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t:s0 +/var/run/snmpd -d system_u:object_r:snmpd_var_run_t:s0 +/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t:s0 +/var/log/snmpd\.log -- system_u:object_r:snmpd_log_t:s0 diff --git a/mls/file_contexts/program/snort.fc b/mls/file_contexts/program/snort.fc new file mode 100644 index 0000000..a40670c --- /dev/null +++ b/mls/file_contexts/program/snort.fc @@ -0,0 +1,4 @@ +# SNORT +/usr/(s)?bin/snort -- system_u:object_r:snort_exec_t +/etc/snort(/.*)? system_u:object_r:snort_etc_t +/var/log/snort(/.*)? system_u:object_r:snort_log_t diff --git a/mls/file_contexts/program/sound-server.fc b/mls/file_contexts/program/sound-server.fc new file mode 100644 index 0000000..dfa8245 --- /dev/null +++ b/mls/file_contexts/program/sound-server.fc @@ -0,0 +1,8 @@ +# sound servers, nas, yiff, etc +/usr/sbin/yiff -- system_u:object_r:soundd_exec_t +/usr/bin/nasd -- system_u:object_r:soundd_exec_t +/usr/bin/gpe-soundserver -- system_u:object_r:soundd_exec_t +/etc/nas(/.*)? system_u:object_r:etc_soundd_t +/etc/yiff(/.*)? system_u:object_r:etc_soundd_t +/var/state/yiff(/.*)? system_u:object_r:soundd_state_t +/var/run/yiff-[0-9]+\.pid -- system_u:object_r:soundd_var_run_t diff --git a/mls/file_contexts/program/sound.fc b/mls/file_contexts/program/sound.fc new file mode 100644 index 0000000..4226dc3 --- /dev/null +++ b/mls/file_contexts/program/sound.fc @@ -0,0 +1,3 @@ +# sound +/bin/aumix-minimal -- system_u:object_r:sound_exec_t:s0 +/etc/\.aumixrc -- system_u:object_r:sound_file_t:s0 diff --git a/mls/file_contexts/program/spamassassin.fc b/mls/file_contexts/program/spamassassin.fc new file mode 100644 index 0000000..6896485 --- /dev/null +++ b/mls/file_contexts/program/spamassassin.fc @@ -0,0 +1,3 @@ +# spamassasin +/usr/bin/spamassassin -- system_u:object_r:spamassassin_exec_t:s0 +HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t:s0 diff --git a/mls/file_contexts/program/spamc.fc b/mls/file_contexts/program/spamc.fc new file mode 100644 index 0000000..1168d40 --- /dev/null +++ b/mls/file_contexts/program/spamc.fc @@ -0,0 +1 @@ +/usr/bin/spamc -- system_u:object_r:spamc_exec_t:s0 diff --git a/mls/file_contexts/program/spamd.fc b/mls/file_contexts/program/spamd.fc new file mode 100644 index 0000000..8c9add8 --- /dev/null +++ b/mls/file_contexts/program/spamd.fc @@ -0,0 +1,3 @@ +/usr/sbin/spamd -- system_u:object_r:spamd_exec_t:s0 +/usr/bin/spamd -- system_u:object_r:spamd_exec_t:s0 +/usr/bin/sa-learn -- system_u:object_r:spamd_exec_t:s0 diff --git a/mls/file_contexts/program/speedmgmt.fc b/mls/file_contexts/program/speedmgmt.fc new file mode 100644 index 0000000..486906e --- /dev/null +++ b/mls/file_contexts/program/speedmgmt.fc @@ -0,0 +1,2 @@ +# speedmgmt +/usr/sbin/speedmgmt -- system_u:object_r:speedmgmt_exec_t diff --git a/mls/file_contexts/program/squid.fc b/mls/file_contexts/program/squid.fc new file mode 100644 index 0000000..03f291b --- /dev/null +++ b/mls/file_contexts/program/squid.fc @@ -0,0 +1,11 @@ +# squid +/usr/sbin/squid -- system_u:object_r:squid_exec_t:s0 +/var/cache/squid(/.*)? system_u:object_r:squid_cache_t:s0 +/var/spool/squid(/.*)? system_u:object_r:squid_cache_t:s0 +/var/log/squid(/.*)? system_u:object_r:squid_log_t:s0 +/etc/squid(/.*)? system_u:object_r:squid_conf_t:s0 +/var/run/squid\.pid -- system_u:object_r:squid_var_run_t:s0 +/usr/share/squid(/.*)? system_u:object_r:squid_conf_t:s0 +ifdef(`apache.te', ` +/usr/lib/squid/cachemgr.cgi -- system_u:object_r:httpd_exec_t:s0 +') diff --git a/mls/file_contexts/program/ssh-agent.fc b/mls/file_contexts/program/ssh-agent.fc new file mode 100644 index 0000000..90a4603 --- /dev/null +++ b/mls/file_contexts/program/ssh-agent.fc @@ -0,0 +1,2 @@ +# ssh-agent +/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t:s0 diff --git a/mls/file_contexts/program/ssh.fc b/mls/file_contexts/program/ssh.fc new file mode 100644 index 0000000..4ccba2e --- /dev/null +++ b/mls/file_contexts/program/ssh.fc @@ -0,0 +1,21 @@ +# ssh +/usr/bin/ssh -- system_u:object_r:ssh_exec_t:s0 +/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0 +/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t:s0 +# sshd +/etc/ssh/primes -- system_u:object_r:sshd_key_t:s0 +/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t:s0 +/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t:s0 +/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t:s0 +/usr/sbin/sshd -- system_u:object_r:sshd_exec_t:s0 +/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t:s0 +# subsystems +/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t:s0 +/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t:s0 +ifdef(`distro_suse', ` +/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t:s0 +') +ifdef(`targeted_policy', `', ` +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t:s0 +') diff --git a/mls/file_contexts/program/stunnel.fc b/mls/file_contexts/program/stunnel.fc new file mode 100644 index 0000000..2f0798c --- /dev/null +++ b/mls/file_contexts/program/stunnel.fc @@ -0,0 +1,3 @@ +/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t:s0 +/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t:s0 +/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t:s0 diff --git a/mls/file_contexts/program/su.fc b/mls/file_contexts/program/su.fc new file mode 100644 index 0000000..8712b4b --- /dev/null +++ b/mls/file_contexts/program/su.fc @@ -0,0 +1,2 @@ +# su +/bin/su -- system_u:object_r:su_exec_t:s0 diff --git a/mls/file_contexts/program/sudo.fc b/mls/file_contexts/program/sudo.fc new file mode 100644 index 0000000..ecaf228 --- /dev/null +++ b/mls/file_contexts/program/sudo.fc @@ -0,0 +1,3 @@ +# sudo +/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t:s0 + diff --git a/mls/file_contexts/program/sulogin.fc b/mls/file_contexts/program/sulogin.fc new file mode 100644 index 0000000..bb2bc51 --- /dev/null +++ b/mls/file_contexts/program/sulogin.fc @@ -0,0 +1,2 @@ +# sulogin +/sbin/sulogin -- system_u:object_r:sulogin_exec_t:s0 diff --git a/mls/file_contexts/program/swat.fc b/mls/file_contexts/program/swat.fc new file mode 100644 index 0000000..e75e1e3 --- /dev/null +++ b/mls/file_contexts/program/swat.fc @@ -0,0 +1,2 @@ +# samba management tool +/usr/sbin/swat -- system_u:object_r:swat_exec_t:s0 diff --git a/mls/file_contexts/program/sxid.fc b/mls/file_contexts/program/sxid.fc new file mode 100644 index 0000000..e9126bc --- /dev/null +++ b/mls/file_contexts/program/sxid.fc @@ -0,0 +1,6 @@ +# sxid - ldap server +/usr/bin/sxid -- system_u:object_r:sxid_exec_t +/var/log/sxid\.log.* -- system_u:object_r:sxid_log_t +/var/log/setuid\.today.* -- system_u:object_r:sxid_log_t +/usr/sbin/checksecurity\.se -- system_u:object_r:sxid_exec_t +/var/log/setuid.* -- system_u:object_r:sxid_log_t diff --git a/mls/file_contexts/program/syslogd.fc b/mls/file_contexts/program/syslogd.fc new file mode 100644 index 0000000..d0fb0a4 --- /dev/null +++ b/mls/file_contexts/program/syslogd.fc @@ -0,0 +1,11 @@ +# syslogd +/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0 +/sbin/minilogd -- system_u:object_r:syslogd_exec_t:s0 +/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0 +/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t:s0 +/dev/log -s system_u:object_r:devlog_t:s0 +/var/run/log -s system_u:object_r:devlog_t:s0 +ifdef(`distro_suse', ` +/var/lib/stunnel/dev/log -s system_u:object_r:devlog_t:s0 +') +/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t:s0 diff --git a/mls/file_contexts/program/sysstat.fc b/mls/file_contexts/program/sysstat.fc new file mode 100644 index 0000000..1b5e5e7 --- /dev/null +++ b/mls/file_contexts/program/sysstat.fc @@ -0,0 +1,7 @@ +# sysstat and other sar programs +/usr/lib(64)?/atsar/atsa.* -- system_u:object_r:sysstat_exec_t:s0 +/usr/lib(64)?/sysstat/sa.* -- system_u:object_r:sysstat_exec_t:s0 +/usr/lib(64)?/sa/sadc -- system_u:object_r:sysstat_exec_t:s0 +/var/log/atsar(/.*)? system_u:object_r:sysstat_log_t:s0 +/var/log/sysstat(/.*)? system_u:object_r:sysstat_log_t:s0 +/var/log/sa(/.*)? system_u:object_r:sysstat_log_t:s0 diff --git a/mls/file_contexts/program/tcpd.fc b/mls/file_contexts/program/tcpd.fc new file mode 100644 index 0000000..7215d91 --- /dev/null +++ b/mls/file_contexts/program/tcpd.fc @@ -0,0 +1,2 @@ +# tcpd +/usr/sbin/tcpd -- system_u:object_r:tcpd_exec_t:s0 diff --git a/mls/file_contexts/program/telnetd.fc b/mls/file_contexts/program/telnetd.fc new file mode 100644 index 0000000..15587a2 --- /dev/null +++ b/mls/file_contexts/program/telnetd.fc @@ -0,0 +1,3 @@ +# telnetd +/usr/sbin/in\.telnetd -- system_u:object_r:telnetd_exec_t:s0 +/usr/kerberos/sbin/telnetd -- system_u:object_r:telnetd_exec_t:s0 diff --git a/mls/file_contexts/program/tftpd.fc b/mls/file_contexts/program/tftpd.fc new file mode 100644 index 0000000..1e503b9 --- /dev/null +++ b/mls/file_contexts/program/tftpd.fc @@ -0,0 +1,4 @@ +# tftpd +/usr/sbin/in\.tftpd -- system_u:object_r:tftpd_exec_t:s0 +/usr/sbin/atftpd -- system_u:object_r:tftpd_exec_t:s0 +/tftpboot(/.*)? system_u:object_r:tftpdir_t:s0 diff --git a/mls/file_contexts/program/thunderbird.fc b/mls/file_contexts/program/thunderbird.fc new file mode 100644 index 0000000..ca37346 --- /dev/null +++ b/mls/file_contexts/program/thunderbird.fc @@ -0,0 +1,2 @@ +/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t +HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t diff --git a/mls/file_contexts/program/timidity.fc b/mls/file_contexts/program/timidity.fc new file mode 100644 index 0000000..84221fa --- /dev/null +++ b/mls/file_contexts/program/timidity.fc @@ -0,0 +1,2 @@ +# timidity +/usr/bin/timidity -- system_u:object_r:timidity_exec_t:s0 diff --git a/mls/file_contexts/program/tinydns.fc b/mls/file_contexts/program/tinydns.fc new file mode 100644 index 0000000..10ea1a3 --- /dev/null +++ b/mls/file_contexts/program/tinydns.fc @@ -0,0 +1,6 @@ +# tinydns +/etc/tinydns(/.*)? system_u:object_r:tinydns_conf_t +/etc/tinydns/root/data* -- system_u:object_r:tinydns_zone_t +/usr/bin/tinydns* -- system_u:object_r:tinydns_exec_t +#/var/log/dns/tinydns(/.*) system_u:object_r:tinydns_log_t +#/var/lib/svscan(/.*) system_u:object_r:tinydns_svscan_t diff --git a/mls/file_contexts/program/tmpreaper.fc b/mls/file_contexts/program/tmpreaper.fc new file mode 100644 index 0000000..796037a --- /dev/null +++ b/mls/file_contexts/program/tmpreaper.fc @@ -0,0 +1,3 @@ +# tmpreaper or tmpwatch +/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t:s0 +/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t:s0 diff --git a/mls/file_contexts/program/traceroute.fc b/mls/file_contexts/program/traceroute.fc new file mode 100644 index 0000000..634dbe9 --- /dev/null +++ b/mls/file_contexts/program/traceroute.fc @@ -0,0 +1,6 @@ +# traceroute +/bin/traceroute.* -- system_u:object_r:traceroute_exec_t:s0 +/bin/tracepath.* -- system_u:object_r:traceroute_exec_t:s0 +/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t:s0 +/usr/bin/lft -- system_u:object_r:traceroute_exec_t:s0 +/usr/bin/nmap -- system_u:object_r:traceroute_exec_t:s0 diff --git a/mls/file_contexts/program/transproxy.fc b/mls/file_contexts/program/transproxy.fc new file mode 100644 index 0000000..2027eea --- /dev/null +++ b/mls/file_contexts/program/transproxy.fc @@ -0,0 +1,3 @@ +# transproxy - http transperant proxy +/usr/sbin/tproxy -- system_u:object_r:transproxy_exec_t +/var/run/tproxy\.pid -- system_u:object_r:transproxy_var_run_t diff --git a/mls/file_contexts/program/tripwire.fc b/mls/file_contexts/program/tripwire.fc new file mode 100644 index 0000000..88afc34 --- /dev/null +++ b/mls/file_contexts/program/tripwire.fc @@ -0,0 +1,9 @@ +# tripwire +/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t +/usr/sbin/siggen system_u:object_r:siggen_exec_t +/usr/sbin/tripwire system_u:object_r:tripwire_exec_t +/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t +/usr/sbin/twadmin system_u:object_r:twadmin_exec_t +/usr/sbin/twprint system_u:object_r:twprint_exec_t +/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t +/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t diff --git a/mls/file_contexts/program/tvtime.fc b/mls/file_contexts/program/tvtime.fc new file mode 100644 index 0000000..0969e96 --- /dev/null +++ b/mls/file_contexts/program/tvtime.fc @@ -0,0 +1,3 @@ +# tvtime +/usr/bin/tvtime -- system_u:object_r:tvtime_exec_t + diff --git a/mls/file_contexts/program/ucspi-tcp.fc b/mls/file_contexts/program/ucspi-tcp.fc new file mode 100644 index 0000000..448c1ab --- /dev/null +++ b/mls/file_contexts/program/ucspi-tcp.fc @@ -0,0 +1,3 @@ +#ucspi-tcp +/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t +/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t diff --git a/mls/file_contexts/program/udev.fc b/mls/file_contexts/program/udev.fc new file mode 100644 index 0000000..0df162f --- /dev/null +++ b/mls/file_contexts/program/udev.fc @@ -0,0 +1,14 @@ +# udev +/sbin/udevsend -- system_u:object_r:udev_exec_t:s0 +/sbin/udev -- system_u:object_r:udev_exec_t:s0 +/sbin/udevd -- system_u:object_r:udev_exec_t:s0 +/sbin/start_udev -- system_u:object_r:udev_exec_t:s0 +/sbin/udevstart -- system_u:object_r:udev_exec_t:s0 +/usr/bin/udevinfo -- system_u:object_r:udev_exec_t:s0 +/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t:s0 +/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t:s0 +/etc/udev/devices/.* system_u:object_r:device_t:s0 +/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0 +/dev/udev\.tbl -- system_u:object_r:udev_tbl_t:s0 +/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t:s0 +/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0 diff --git a/mls/file_contexts/program/uml.fc b/mls/file_contexts/program/uml.fc new file mode 100644 index 0000000..dc1621d --- /dev/null +++ b/mls/file_contexts/program/uml.fc @@ -0,0 +1,4 @@ +# User Mode Linux +/usr/bin/uml_switch -- system_u:object_r:uml_switch_exec_t +/var/run/uml-utilities(/.*)? system_u:object_r:uml_switch_var_run_t +HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t diff --git a/mls/file_contexts/program/uml_net.fc b/mls/file_contexts/program/uml_net.fc new file mode 100644 index 0000000..67aa1f2 --- /dev/null +++ b/mls/file_contexts/program/uml_net.fc @@ -0,0 +1,3 @@ +# User Mode Linux +# WARNING: Do not install this file on any machine that has hostile users. +/usr/lib(64)?/uml/uml_net -- system_u:object_r:uml_net_exec_t diff --git a/mls/file_contexts/program/unconfined.fc b/mls/file_contexts/program/unconfined.fc new file mode 100644 index 0000000..5e289fa --- /dev/null +++ b/mls/file_contexts/program/unconfined.fc @@ -0,0 +1,3 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t:s0 diff --git a/mls/file_contexts/program/updfstab.fc b/mls/file_contexts/program/updfstab.fc new file mode 100644 index 0000000..f6ac1d9 --- /dev/null +++ b/mls/file_contexts/program/updfstab.fc @@ -0,0 +1,3 @@ +# updfstab +/usr/sbin/updfstab -- system_u:object_r:updfstab_exec_t:s0 +/usr/sbin/fstab-sync -- system_u:object_r:updfstab_exec_t:s0 diff --git a/mls/file_contexts/program/uptimed.fc b/mls/file_contexts/program/uptimed.fc new file mode 100644 index 0000000..f80ccb4 --- /dev/null +++ b/mls/file_contexts/program/uptimed.fc @@ -0,0 +1,4 @@ +# uptimed +/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t +/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t +/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t diff --git a/mls/file_contexts/program/usbmodules.fc b/mls/file_contexts/program/usbmodules.fc new file mode 100644 index 0000000..1ab2742 --- /dev/null +++ b/mls/file_contexts/program/usbmodules.fc @@ -0,0 +1,3 @@ +# usbmodules +/usr/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t:s0 +/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t:s0 diff --git a/mls/file_contexts/program/useradd.fc b/mls/file_contexts/program/useradd.fc new file mode 100644 index 0000000..c7bb659 --- /dev/null +++ b/mls/file_contexts/program/useradd.fc @@ -0,0 +1,10 @@ +#useradd +/usr/sbin/usermod -- system_u:object_r:useradd_exec_t:s0 +/usr/sbin/useradd -- system_u:object_r:useradd_exec_t:s0 +/usr/sbin/userdel -- system_u:object_r:useradd_exec_t:s0 +#groupadd +/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t:s0 +/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t:s0 +/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t:s0 +/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t:s0 +/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t:s0 diff --git a/mls/file_contexts/program/userhelper.fc b/mls/file_contexts/program/userhelper.fc new file mode 100644 index 0000000..319c82a --- /dev/null +++ b/mls/file_contexts/program/userhelper.fc @@ -0,0 +1,2 @@ +/etc/security/console.apps(/.*)? system_u:object_r:userhelper_conf_t:s0 +/usr/sbin/userhelper -- system_u:object_r:userhelper_exec_t:s0 diff --git a/mls/file_contexts/program/usernetctl.fc b/mls/file_contexts/program/usernetctl.fc new file mode 100644 index 0000000..728a65c --- /dev/null +++ b/mls/file_contexts/program/usernetctl.fc @@ -0,0 +1,2 @@ +# usernetctl +/usr/sbin/usernetctl -- system_u:object_r:usernetctl_exec_t:s0 diff --git a/mls/file_contexts/program/utempter.fc b/mls/file_contexts/program/utempter.fc new file mode 100644 index 0000000..922bc2a --- /dev/null +++ b/mls/file_contexts/program/utempter.fc @@ -0,0 +1,2 @@ +# utempter +/usr/sbin/utempter -- system_u:object_r:utempter_exec_t:s0 diff --git a/mls/file_contexts/program/uucpd.fc b/mls/file_contexts/program/uucpd.fc new file mode 100644 index 0000000..a359cc3 --- /dev/null +++ b/mls/file_contexts/program/uucpd.fc @@ -0,0 +1,5 @@ +# uucico program +/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t:s0 +/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t:s0 +/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t:s0 +/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t:s0 diff --git a/mls/file_contexts/program/uwimapd.fc b/mls/file_contexts/program/uwimapd.fc new file mode 100644 index 0000000..00f9073 --- /dev/null +++ b/mls/file_contexts/program/uwimapd.fc @@ -0,0 +1,2 @@ +# uw-imapd and uw-imapd-ssl +/usr/sbin/imapd -- system_u:object_r:imapd_exec_t diff --git a/mls/file_contexts/program/vmware.fc b/mls/file_contexts/program/vmware.fc new file mode 100644 index 0000000..d015988 --- /dev/null +++ b/mls/file_contexts/program/vmware.fc @@ -0,0 +1,42 @@ +# +# File contexts for VMWare. +# Contributed by Mark Westerman (mark.westerman@westcam.com) +# Changes made by NAI Labs. +# Tested with VMWare 3.1 +# +/usr/bin/vmnet-bridge -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-dhcpd -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-natd -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-netifup -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-sniffer -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-nmbd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-ping -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-wizard -- system_u:object_r:vmware_user_exec_t +/usr/bin/vmware -- system_u:object_r:vmware_user_exec_t + +/dev/vmmon -c system_u:object_r:vmware_device_t +/dev/vmnet.* -c system_u:object_r:vmware_device_t +/dev/plex86 -c system_u:object_r:vmware_device_t + +/etc/vmware.*(/.*)? system_u:object_r:vmware_sys_conf_t +/usr/lib(64)?/vmware/config -- system_u:object_r:vmware_sys_conf_t + +/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t +/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t + +# +# This is only an example of how to protect vmware session configuration +# files. A general user can execute vmware and start a vmware session +# but the user can not modify the session configuration information +#/usr/local/vmware(/.*)? system_u:object_r:vmware_user_file_t +#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t + +# The rules below assume that the user VMWare virtual disks are in the +# ~/vmware, and the preferences and license files are in ~/.vmware. +# +HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t +HOME_DIR/vmware(/.*)? system_u:object_r:ROLE_vmware_file_t +HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t diff --git a/mls/file_contexts/program/vpnc.fc b/mls/file_contexts/program/vpnc.fc new file mode 100644 index 0000000..66a6271 --- /dev/null +++ b/mls/file_contexts/program/vpnc.fc @@ -0,0 +1,4 @@ +# vpnc +/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t:s0 +/sbin/vpnc -- system_u:object_r:vpnc_exec_t:s0 +/etc/vpnc/vpnc-script -- system_u:object_r:bin_t:s0 diff --git a/mls/file_contexts/program/watchdog.fc b/mls/file_contexts/program/watchdog.fc new file mode 100644 index 0000000..d7a8c7f --- /dev/null +++ b/mls/file_contexts/program/watchdog.fc @@ -0,0 +1,5 @@ +# watchdog +/usr/sbin/watchdog -- system_u:object_r:watchdog_exec_t +/dev/watchdog -c system_u:object_r:watchdog_device_t +/var/log/watchdog(/.*)? system_u:object_r:watchdog_log_t +/var/run/watchdog\.pid -- system_u:object_r:watchdog_var_run_t diff --git a/mls/file_contexts/program/webalizer.fc b/mls/file_contexts/program/webalizer.fc new file mode 100644 index 0000000..7244932 --- /dev/null +++ b/mls/file_contexts/program/webalizer.fc @@ -0,0 +1,3 @@ +# +/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t:s0 +/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t:s0 diff --git a/mls/file_contexts/program/winbind.fc b/mls/file_contexts/program/winbind.fc new file mode 100644 index 0000000..b1d9d57 --- /dev/null +++ b/mls/file_contexts/program/winbind.fc @@ -0,0 +1,11 @@ +/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t:s0 +/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t:s0 +ifdef(`samba.te', `', ` +/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0 +/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0 +/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0 +/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0 +/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0 +') +/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t:s0 +/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t:s0 diff --git a/mls/file_contexts/program/xauth.fc b/mls/file_contexts/program/xauth.fc new file mode 100644 index 0000000..055fc2f --- /dev/null +++ b/mls/file_contexts/program/xauth.fc @@ -0,0 +1,4 @@ +# xauth +/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t +HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t +HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t diff --git a/mls/file_contexts/program/xdm.fc b/mls/file_contexts/program/xdm.fc new file mode 100644 index 0000000..16c2d7d --- /dev/null +++ b/mls/file_contexts/program/xdm.fc @@ -0,0 +1,40 @@ +# X Display Manager +/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t +/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t +/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t +/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t +/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t +/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t +/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t +/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t +/var/log/gdm(/.*)? system_u:object_r:xserver_log_t +/tmp/\.X0-lock -- system_u:object_r:xdm_xserver_tmp_t +/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t +/etc/X11/wdm(/.*)? system_u:object_r:xdm_rw_etc_t +/etc/X11/wdm/Xsetup.* -- system_u:object_r:xsession_exec_t +/etc/X11/wdm/Xstartup.* -- system_u:object_r:xsession_exec_t +/etc/X11/[wx]dm/Xreset.* -- system_u:object_r:xsession_exec_t +/etc/X11/[wx]dm/Xsession -- system_u:object_r:xsession_exec_t +/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t +/var/run/xdmctl(/.*)? system_u:object_r:xdm_var_run_t +/var/run/xdm\.pid -- system_u:object_r:xdm_var_run_t +/var/lib/[xkw]dm(/.*)? system_u:object_r:xdm_var_lib_t +ifdef(`distro_suse', ` +/var/lib/pam_devperm/:0 -- system_u:object_r:xdm_var_lib_t +') + +# +# Additional Xsession scripts +# +/etc/X11/xdm/GiveConsole -- system_u:object_r:bin_t +/etc/X11/xdm/TakeConsole -- system_u:object_r:bin_t +/etc/X11/xdm/Xsetup_0 -- system_u:object_r:bin_t +/etc/X11/xinit(/.*)? system_u:object_r:bin_t +# +# Rules for kde login +# +/etc/kde3?/kdm/Xstartup -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/Xreset -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/Xsession -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/backgroundrc system_u:object_r:xdm_var_run_t +/usr/lib(64)?/qt-.*/etc/settings(/.*)? system_u:object_r:xdm_var_run_t diff --git a/mls/file_contexts/program/xfs.fc b/mls/file_contexts/program/xfs.fc new file mode 100644 index 0000000..dc1881f --- /dev/null +++ b/mls/file_contexts/program/xfs.fc @@ -0,0 +1,5 @@ +# xfs +/tmp/\.font-unix(/.*)? system_u:object_r:xfs_tmp_t:s0 +/usr/X11R6/bin/xfs -- system_u:object_r:xfs_exec_t:s0 +/usr/X11R6/bin/xfs-xtt -- system_u:object_r:xfs_exec_t:s0 +/usr/bin/xfstt -- system_u:object_r:xfs_exec_t:s0 diff --git a/mls/file_contexts/program/xprint.fc b/mls/file_contexts/program/xprint.fc new file mode 100644 index 0000000..3c72a77 --- /dev/null +++ b/mls/file_contexts/program/xprint.fc @@ -0,0 +1 @@ +/usr/bin/Xprt -- system_u:object_r:xprint_exec_t diff --git a/mls/file_contexts/program/xserver.fc b/mls/file_contexts/program/xserver.fc new file mode 100644 index 0000000..3d48a6f --- /dev/null +++ b/mls/file_contexts/program/xserver.fc @@ -0,0 +1,17 @@ +# X server +/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t +/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t +/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t +/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t +/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t +/var/log/XFree86.* -- system_u:object_r:xserver_log_t +/var/log/Xorg.* -- system_u:object_r:xserver_log_t +/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t +/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t +/tmp/\.X11-unix/.* -s <> +/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t +/tmp/\.ICE-unix/.* -s <> diff --git a/mls/file_contexts/program/yam.fc b/mls/file_contexts/program/yam.fc new file mode 100644 index 0000000..023b740 --- /dev/null +++ b/mls/file_contexts/program/yam.fc @@ -0,0 +1,5 @@ +# yam +/etc/yam.conf -- system_u:object_r:yam_etc_t +/usr/bin/yam system_u:object_r:yam_exec_t +/var/yam(/.*)? system_u:object_r:yam_content_t +/var/www/yam(/.*)? system_u:object_r:yam_content_t diff --git a/mls/file_contexts/program/ypbind.fc b/mls/file_contexts/program/ypbind.fc new file mode 100644 index 0000000..f9f6ff8 --- /dev/null +++ b/mls/file_contexts/program/ypbind.fc @@ -0,0 +1,2 @@ +# ypbind +/sbin/ypbind -- system_u:object_r:ypbind_exec_t:s0 diff --git a/mls/file_contexts/program/yppasswdd.fc b/mls/file_contexts/program/yppasswdd.fc new file mode 100644 index 0000000..b70c5a0 --- /dev/null +++ b/mls/file_contexts/program/yppasswdd.fc @@ -0,0 +1,2 @@ +# yppasswd +/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t:s0 diff --git a/mls/file_contexts/program/ypserv.fc b/mls/file_contexts/program/ypserv.fc new file mode 100644 index 0000000..023746f --- /dev/null +++ b/mls/file_contexts/program/ypserv.fc @@ -0,0 +1,4 @@ +# ypserv +/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t:s0 +/usr/lib/yp/.+ -- system_u:object_r:bin_t:s0 +/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t:s0 diff --git a/mls/file_contexts/program/zebra.fc b/mls/file_contexts/program/zebra.fc new file mode 100644 index 0000000..328f987 --- /dev/null +++ b/mls/file_contexts/program/zebra.fc @@ -0,0 +1,13 @@ +# Zebra - BGP daemon +/usr/sbin/zebra -- system_u:object_r:zebra_exec_t:s0 +/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t:s0 +/var/log/zebra(/.*)? system_u:object_r:zebra_log_t:s0 +/etc/zebra(/.*)? system_u:object_r:zebra_conf_t:s0 +/var/run/\.zserv -s system_u:object_r:zebra_var_run_t:s0 +/var/run/\.zebra -s system_u:object_r:zebra_var_run_t:s0 +# Quagga +/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t:s0 +/usr/sbin/ospf.* -- system_u:object_r:zebra_exec_t:s0 +/etc/quagga(/.*)? system_u:object_r:zebra_conf_t:s0 +/var/log/quagga(/.*)? system_u:object_r:zebra_log_t:s0 +/var/run/quagga(/.*)? system_u:object_r:zebra_var_run_t:s0 diff --git a/mls/file_contexts/types.fc b/mls/file_contexts/types.fc new file mode 100644 index 0000000..b80644c --- /dev/null +++ b/mls/file_contexts/types.fc @@ -0,0 +1,523 @@ +# +# This file describes the security contexts to be applied to files +# when the security policy is installed. The setfiles program +# reads this file and labels files accordingly. +# +# Each specification has the form: +# regexp [ -type ] ( context | <> ) +# +# By default, the regexp is an anchored match on both ends (i.e. a +# caret (^) is prepended and a dollar sign ($) is appended automatically). +# This default may be overridden by using .* at the beginning and/or +# end of the regular expression. +# +# The optional type field specifies the file type as shown in the mode +# field by ls, e.g. use -d to match only directories or -- to match only +# regular files. +# +# The value of < may be used to indicate that matching files +# should not be relabeled. +# +# The last matching specification is used. +# +# If there are multiple hard links to a file that match +# different specifications and those specifications indicate +# different security contexts, then a warning is displayed +# but the file is still labeled based on the last matching +# specification other than <>. +# +# Some of the files listed here get re-created during boot and therefore +# need type transition rules to retain the correct type. These files are +# listed here anyway so that if the setfiles program is used on a running +# system it does not relabel them to something we do not want. An example of +# this is /var/run/utmp. +# + +# +# The security context for all files not otherwise specified. +# +/.* system_u:object_r:default_t:s0 + +# +# The root directory. +# +/ -d system_u:object_r:root_t:s0 + +# +# Ordinary user home directories. +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each users home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each users role when role != user_r, and to "user" otherwise. +# +HOME_ROOT -d system_u:object_r:home_root_t:s0 +HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255 +HOME_DIR/.+ <> + +/root/\.default_contexts -- system_u:object_r:default_context_t:s0 + +# +# Mount points; do not relabel subdirectories, since +# we do not want to change any removable media by default. +/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0 +/mnt/[^/]*/.* <> +/media(/[^/]*)? -d system_u:object_r:mnt_t:s0 +/media/[^/]*/.* <> + +# +# /var +# +/var(/.*)? system_u:object_r:var_t:s0 +/var/cache/man(/.*)? system_u:object_r:man_t:s0 +/var/yp(/.*)? system_u:object_r:var_yp_t:s0 +/var/lib(/.*)? system_u:object_r:var_lib_t:s0 +/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t:s0 +/var/lib/abl(/.*)? system_u:object_r:var_auth_t:s0 +/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t:s0 +/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t:s0 +/var/lock(/.*)? system_u:object_r:var_lock_t:s0 +/var/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 +/var/tmp/.* <> +/var/tmp/vi\.recover -d system_u:object_r:tmp_t:s0 +/var/lib/nfs/rpc_pipefs(/.*)? <> +/var/mailman/bin(/.*)? system_u:object_r:bin_t:s0 +/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t:s0 + +# +# /var/ftp +# +/var/ftp/bin(/.*)? system_u:object_r:bin_t:s0 +/var/ftp/bin/ls -- system_u:object_r:ls_exec_t:s0 +/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t:s0 +/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0 +/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/var/ftp/etc(/.*)? system_u:object_r:etc_t:s0 + +# +# /bin +# +/bin(/.*)? system_u:object_r:bin_t:s0 +/bin/tcsh -- system_u:object_r:shell_exec_t:s0 +/bin/bash -- system_u:object_r:shell_exec_t:s0 +/bin/bash2 -- system_u:object_r:shell_exec_t:s0 +/bin/sash -- system_u:object_r:shell_exec_t:s0 +/bin/d?ash -- system_u:object_r:shell_exec_t:s0 +/bin/zsh.* -- system_u:object_r:shell_exec_t:s0 +/usr/sbin/sesh -- system_u:object_r:shell_exec_t:s0 +/bin/ls -- system_u:object_r:ls_exec_t:s0 + +# +# /boot +# +/boot(/.*)? system_u:object_r:boot_t:s0 +/boot/System\.map(-.*)? system_u:object_r:system_map_t:s0 + +# +# /dev +# +/dev(/.*)? system_u:object_r:device_t:s0 +/dev/pts -d system_u:object_r:devpts_t:s0-s15:c0.c255 +/dev/pts(/.*)? <> +/dev/cpu/.* -c system_u:object_r:cpu_device_t:s0 +/dev/microcode -c system_u:object_r:cpu_device_t:s0 +/dev/MAKEDEV -- system_u:object_r:sbin_t:s0 +/dev/null -c system_u:object_r:null_device_t:s0 +/dev/full -c system_u:object_r:null_device_t:s0 +/dev/zero -c system_u:object_r:zero_device_t:s0 +/dev/console -c system_u:object_r:console_device_t:s0 +/dev/xconsole -p system_u:object_r:xconsole_device_t:s0 +/dev/(kmem|mem|port) -c system_u:object_r:memory_device_t:s15:c0.c255 +/dev/nvram -c system_u:object_r:memory_device_t:s0 +/dev/random -c system_u:object_r:random_device_t:s0 +/dev/urandom -c system_u:object_r:urandom_device_t:s0 +/dev/adb.* -c system_u:object_r:tty_device_t:s0 +/dev/capi.* -c system_u:object_r:tty_device_t:s0 +/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t:s0 +/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t:s0 +/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t:s0 +/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t:s0 +/dev/isdn.* -c system_u:object_r:tty_device_t:s0 +/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0 +/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t:s0 +/dev/cu.* -c system_u:object_r:tty_device_t:s0 +/dev/vcs[^/]* -c system_u:object_r:tty_device_t:s0 +/dev/ip2[^/]* -c system_u:object_r:tty_device_t:s0 +/dev/hvc.* -c system_u:object_r:tty_device_t:s0 +/dev/hvsi.* -c system_u:object_r:tty_device_t:s0 +/dev/ttySG.* -c system_u:object_r:tty_device_t:s0 +/dev/tty -c system_u:object_r:devtty_t:s0 +/dev/lp.* -c system_u:object_r:printer_device_t:s0 +/dev/par.* -c system_u:object_r:printer_device_t:s0 +/dev/usb/lp.* -c system_u:object_r:printer_device_t:s0 +/dev/usblp.* -c system_u:object_r:printer_device_t:s0 +ifdef(`distro_redhat', ` +/dev/root -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +') +/dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t:s0 +/dev/rd.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/loop.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/net/.* -c system_u:object_r:tun_tap_device_t:s0 +/dev/ram.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/rawctl -c system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/initrd -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/jsfd -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/js.* -c system_u:object_r:mouse_device_t:s0 +/dev/jsflash -c system_u:object_r:fixed_disk_device_t:s15:c0.c255 +/dev/xvd.* -b system_u:object_r:fixed_disk_device_t:s0 +/dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t:s0 +/dev/usb/rio500 -c system_u:object_r:removable_device_t:s0 +/dev/fd[^/]+ -b system_u:object_r:removable_device_t:s0 +# I think a parallel port disk is a removable device... +/dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t:s0 +/dev/p[fg][0-3] -b system_u:object_r:removable_device_t:s0 +/dev/aztcd -b system_u:object_r:removable_device_t:s0 +/dev/bpcd -b system_u:object_r:removable_device_t:s0 +/dev/gscd -b system_u:object_r:removable_device_t:s0 +/dev/hitcd -b system_u:object_r:removable_device_t:s0 +/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0 +/dev/mcdx? -b system_u:object_r:removable_device_t:s0 +/dev/cdu.* -b system_u:object_r:removable_device_t:s0 +/dev/cm20.* -b system_u:object_r:removable_device_t:s0 +/dev/optcd -b system_u:object_r:removable_device_t:s0 +/dev/sbpcd.* -b system_u:object_r:removable_device_t:s0 +/dev/sjcd -b system_u:object_r:removable_device_t:s0 +/dev/sonycd -b system_u:object_r:removable_device_t:s0 +# parallel port ATAPI generic device +/dev/pg[0-3] -c system_u:object_r:removable_device_t:s0 +/dev/rtc -c system_u:object_r:clock_device_t:s0 +/dev/psaux -c system_u:object_r:mouse_device_t:s0 +/dev/atibm -c system_u:object_r:mouse_device_t:s0 +/dev/logibm -c system_u:object_r:mouse_device_t:s0 +/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0 +/dev/input/.*mouse.* -c system_u:object_r:mouse_device_t:s0 +/dev/input/event.* -c system_u:object_r:event_device_t:s0 +/dev/input/mice -c system_u:object_r:mouse_device_t:s0 +/dev/input/js.* -c system_u:object_r:mouse_device_t:s0 +/dev/ptmx -c system_u:object_r:ptmx_t:s0 +/dev/sequencer -c system_u:object_r:misc_device_t:s0 +/dev/fb[0-9]* -c system_u:object_r:framebuf_device_t:s0 +/dev/apm_bios -c system_u:object_r:apm_bios_t:s0 +/dev/cpu/mtrr -c system_u:object_r:mtrr_device_t:s0 +/dev/pmu -c system_u:object_r:power_device_t:s0 +/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t:s0 +/dev/winradio. -c system_u:object_r:v4l_device_t:s0 +/dev/vttuner -c system_u:object_r:v4l_device_t:s0 +/dev/tlk[0-3] -c system_u:object_r:v4l_device_t:s0 +/dev/adsp -c system_u:object_r:sound_device_t:s0 +/dev/mixer.* -c system_u:object_r:sound_device_t:s0 +/dev/dsp.* -c system_u:object_r:sound_device_t:s0 +/dev/audio.* -c system_u:object_r:sound_device_t:s0 +/dev/r?midi.* -c system_u:object_r:sound_device_t:s0 +/dev/sequencer2 -c system_u:object_r:sound_device_t:s0 +/dev/smpte.* -c system_u:object_r:sound_device_t:s0 +/dev/sndstat -c system_u:object_r:sound_device_t:s0 +/dev/beep -c system_u:object_r:sound_device_t:s0 +/dev/patmgr[01] -c system_u:object_r:sound_device_t:s0 +/dev/mpu401.* -c system_u:object_r:sound_device_t:s0 +/dev/srnd[0-7] -c system_u:object_r:sound_device_t:s0 +/dev/aload.* -c system_u:object_r:sound_device_t:s0 +/dev/amidi.* -c system_u:object_r:sound_device_t:s0 +/dev/amixer.* -c system_u:object_r:sound_device_t:s0 +/dev/snd/.* -c system_u:object_r:sound_device_t:s0 +/dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t:s0 +/dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t:s0 +/dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t:s0 +/dev/n?tpqic[12].* -c system_u:object_r:tape_device_t:s0 +/dev/ht[0-1] -b system_u:object_r:tape_device_t:s0 +/dev/n?osst[0-3].* -c system_u:object_r:tape_device_t:s0 +/dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t:s0 +/dev/tape.* -c system_u:object_r:tape_device_t:s0 +ifdef(`distro_suse', ` +/dev/usbscanner -c system_u:object_r:scanner_device_t:s0 +') +/dev/usb/scanner.* -c system_u:object_r:scanner_device_t:s0 +/dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t:s0 +/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t:s0 +/dev/usb/tty.* -c system_u:object_r:usbtty_device_t:s0 +/dev/mmetfgrab -c system_u:object_r:scanner_device_t:s0 +/dev/nvidia.* -c system_u:object_r:xserver_misc_device_t:s0 +/dev/dri/.+ -c system_u:object_r:dri_device_t:s0 +/dev/radeon -c system_u:object_r:dri_device_t:s0 +/dev/agpgart -c system_u:object_r:agp_device_t:s0 +/dev/z90crypt -c system_u:object_r:crypt_device_t:s0 + +# +# Misc +# +/proc(/.*)? <> +/sys(/.*)? <> +/selinux(/.*)? <> + +# +# /opt +# +/opt(/.*)? system_u:object_r:usr_t:s0 +/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0 +/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t:s0 +/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0 +/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0 +/opt(/.*)?/man(/.*)? system_u:object_r:man_t:s0 +/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t:s0 + +# +# /etc +# +/etc(/.*)? system_u:object_r:etc_t:s0 +/var/db/.*\.db -- system_u:object_r:etc_t:s0 +/etc/\.pwd\.lock -- system_u:object_r:shadow_t:s0 +/etc/passwd\.lock -- system_u:object_r:shadow_t:s0 +/etc/group\.lock -- system_u:object_r:shadow_t:s0 +/etc/shadow.* -- system_u:object_r:shadow_t:s0 +/etc/gshadow.* -- system_u:object_r:shadow_t:s0 +/var/db/shadow.* -- system_u:object_r:shadow_t:s0 +/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t:s0 +/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t:s0 +/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t:s0 +/etc/HOSTNAME -- system_u:object_r:etc_runtime_t:s0 +/etc/ioctl\.save -- system_u:object_r:etc_runtime_t:s0 +/etc/mtab -- system_u:object_r:etc_runtime_t:s0 +/etc/motd -- system_u:object_r:etc_runtime_t:s0 +/etc/issue -- system_u:object_r:etc_runtime_t:s0 +/etc/issue\.net -- system_u:object_r:etc_runtime_t:s0 +/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t:s0 +/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0 +/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t:s0 +/etc/asound\.state -- system_u:object_r:etc_runtime_t:s0 +/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t:s0 +ifdef(`distro_gentoo', ` +/etc/profile\.env -- system_u:object_r:etc_runtime_t:s0 +/etc/csh\.env -- system_u:object_r:etc_runtime_t:s0 +/etc/env\.d/.* -- system_u:object_r:etc_runtime_t:s0 +') +/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t:s0 +/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t:s0 +/etc/yp\.conf.* -- system_u:object_r:net_conf_t:s0 +/etc/resolv\.conf.* -- system_u:object_r:net_conf_t:s0 + +/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0 +/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s15:c0.c255 +/etc/selinux/([^/]*/)?users(/.*)? system_u:object_r:selinux_config_t:s15:c0.c255 +/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t:s15:c0.c255 +/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t:s15:c0.c255 +/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0 +/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s15:c0.c255 + + +# +# /lib(64)? +# +/lib(64)?(/.*)? system_u:object_r:lib_t:s0 +/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0 + +# +# /sbin +# +/sbin(/.*)? system_u:object_r:sbin_t:s0 + +# +# /tmp +# +/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 +/tmp/.* <> + +# +# /usr +# +/usr(/.*)? system_u:object_r:usr_t:s0 +/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0 +/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/usr/lib/win32/.* -- system_u:object_r:shlib_t:s0 +/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0 +/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0 +/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0 +/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0 +/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0 +/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0 +/usr/etc(/.*)? system_u:object_r:etc_t:s0 +/usr/inclu.e(/.*)? system_u:object_r:usr_t:s0 +/usr/libexec(/.*)? system_u:object_r:bin_t:s0 +/usr/src(/.*)? system_u:object_r:src_t:s0 +/usr/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 +/usr/tmp/.* <> +/usr/man(/.*)? system_u:object_r:man_t:s0 +/usr/share/man(/.*)? system_u:object_r:man_t:s0 +/usr/share/mc/extfs/.* -- system_u:object_r:bin_t:s0 +/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t:s0 +/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t:s0 +/usr/share/ssl/private(/.*)? system_u:object_r:cert_t:s0 + +# nvidia share libraries +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0 +/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t:s0 +/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0 +/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t:s0 + +# libGL +/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t:s0 + +ifdef(`distro_debian', ` +/usr/share/selinux(/.*)? system_u:object_r:policy_src_t:s0 +') +ifdef(`distro_gentoo', ` +/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t:s0 +') + +# +# /usr/lib(64)? +# +/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t:s0 +/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t:s0 +/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t:s0 + +# +# /usr/local +# +/usr/local/etc(/.*)? system_u:object_r:etc_t:s0 +/usr/local/src(/.*)? system_u:object_r:src_t:s0 +/usr/local/man(/.*)? system_u:object_r:man_t:s0 +/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0 +/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t:s0 +/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0 + + +# +# /usr/X11R6/man +# +/usr/X11R6/man(/.*)? system_u:object_r:man_t:s0 + +# +# Fonts dir +# +/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t:s0 +ifdef(`distro_debian', ` +/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t:s0 +') +/usr/share/fonts(/.*)? system_u:object_r:fonts_t:s0 +/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t:s0 +/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t:s0 + +# +# /var/run +# +/var/run -d system_u:object_r:var_run_t:s0-s15:c0.c255 +/var/run/.*\.*pid <> +/var/run/.* system_u:object_r:var_run_t:s0 + +# +# /var/spool +# +/var/spool(/.*)? system_u:object_r:var_spool_t:s0 +/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t:s0 +/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t:s0 + +# +# /var/log +# +/var/log(/.*)? system_u:object_r:var_log_t:s0 +/var/log/wtmp.* -- system_u:object_r:wtmp_t:s0 +/var/log/btmp.* -- system_u:object_r:faillog_t:s0 +/var/log/faillog -- system_u:object_r:faillog_t:s0 +/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t:s0 +/var/log/dmesg -- system_u:object_r:var_log_t:s0 +/var/log/lastlog -- system_u:object_r:lastlog_t:s0 +/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t:s0 +/var/log/syslog -- system_u:object_r:var_log_t:s0 + +# +# Journal files +# +/\.journal <> +/usr/\.journal <> +/boot/\.journal <> +HOME_ROOT/\.journal <> +/var/\.journal <> +/tmp/\.journal <> +/usr/local/\.journal <> + +# +# Lost and found directories. +# +/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/lost\+found/.* <> +/usr/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/usr/lost\+found/.* <> +/boot/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/boot/lost\+found/.* <> +HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +HOME_ROOT/lost\+found/.* <> +/var/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/var/lost\+found/.* <> +/tmp/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/tmp/lost\+found/.* <> +/var/tmp/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/var/tmp/lost\+found/.* <> +/usr/local/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255 +/usr/local/lost\+found/.* <> + +# +# system localization +# +/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t:s0 +/usr/share/locale(/.*)? system_u:object_r:locale_t:s0 +/usr/lib/locale(/.*)? system_u:object_r:locale_t:s0 +/etc/localtime -- system_u:object_r:locale_t:s0 +/etc/localtime -l system_u:object_r:etc_t:s0 +/etc/pki(/.*)? system_u:object_r:cert_t:s0 + +# +# Gnu Cash +# +/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0 +/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0 + +# +# Turboprint +# +/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t:s0 +/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t:s0 + +# +# initrd mount point, only used during boot +# +/initrd -d system_u:object_r:root_t:s0 + +# +# The krb5.conf file is always being tested for writability, so +# we defined a type to dontaudit +# +/etc/krb5\.conf -- system_u:object_r:krb5_conf_t:s0 + +# +# Thunderbird +# +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0 +/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0 + +# +# /srv +# +/srv(/.*)? system_u:object_r:var_t:s0 + +/etc/sysconfig/network-scripts/ifup-.* -- system_u:object_r:bin_t:s0 +/etc/sysconfig/network-scripts/ifdown-.* -- system_u:object_r:bin_t:s0 diff --git a/mls/flask/Makefile b/mls/flask/Makefile new file mode 100644 index 0000000..970b9fe --- /dev/null +++ b/mls/flask/Makefile @@ -0,0 +1,41 @@ +# flask needs to know where to export the libselinux headers. +LIBSEL ?= ../../libselinux + +# flask needs to know where to export the kernel headers. +LINUXDIR ?= ../../../linux-2.6 + +AWK = awk + +CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ + else if [ -x /bin/bash ]; then echo /bin/bash; \ + else echo sh; fi ; fi) + +FLASK_H_DEPEND = security_classes initial_sids +AV_H_DEPEND = access_vectors + +FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h +AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h +ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES) + +all: $(ALL_H_FILES) + +$(FLASK_H_FILES): $(FLASK_H_DEPEND) + $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND) + +$(AV_H_FILES): $(AV_H_DEPEND) + $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) + +tolib: all + install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux + install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src + +tokern: all + install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include + +install: all + +relabel: + +clean: + rm -f $(FLASK_H_FILES) + rm -f $(AV_H_FILES) diff --git a/mls/flask/access_vectors b/mls/flask/access_vectors new file mode 100644 index 0000000..dc20463 --- /dev/null +++ b/mls/flask/access_vectors @@ -0,0 +1,608 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + unlink + link + rename + execute + swapon + quotaon + mounton +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + recv_msg + send_msg + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. +# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + transition + associate + quotamod + quotaget +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} + +class file +inherits file +{ + execute_no_trans + entrypoint + execmod +} + +class lnk_file +inherits file + +class chr_file +inherits file +{ + execute_no_trans + entrypoint + execmod +} + +class blk_file +inherits file + +class sock_file +inherits file + +class fifo_file +inherits file + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. +# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + connectto + newconn + acceptfrom + node_bind + name_connect +} + +class udp_socket +inherits socket +{ + node_bind +} + +class rawip_socket +inherits socket +{ + node_bind +} + +class node +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send + enforce_dest +} + +class netif +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto + newconn + acceptfrom +} + +class unix_dgram_socket +inherits socket + + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + execheap +} + + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool + setsecparam + setcheckreqprot +} + + +# +# Define the access vector interpretation for system operations. +# + +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console +} + +# +# Define the access vector interpretation for controling capabilies +# + +class capability +{ + # The capabilities are defined in include/linux/capability.h + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control +} + + +# +# Define the access vector interpretation for controlling +# changes to passwd information. +# +class passwd +{ + passwd # change another user passwd + chfn # change another user finger info + chsh # change another user shell + rootok # pam_rootok check (skip auth) + crontab # crontab on another user +} + +# +# SE-X Windows stuff +# +class drawable +{ + create + destroy + draw + copy + getattr +} + +class gc +{ + create + free + getattr + setattr +} + +class window +{ + addchild + create + destroy + map + unmap + chstack + chproplist + chprop + listprop + getattr + setattr + setfocus + move + chselection + chparent + ctrllife + enumerate + transparent + mousemotion + clientcomevent + inputevent + drawevent + windowchangeevent + windowchangerequest + serverchangeevent + extensionevent +} + +class font +{ + load + free + getattr + use +} + +class colormap +{ + create + free + install + uninstall + list + read + store + getattr + setattr +} + +class property +{ + create + free + read + write +} + +class cursor +{ + create + createglyph + free + assign + setattr +} + +class xclient +{ + kill +} + +class xinput +{ + lookup + getattr + setattr + setfocus + warppointer + activegrab + passivegrab + ungrab + bell + mousemotion + relabelinput +} + +class xserver +{ + screensaver + gethostlist + sethostlist + getfontpath + setfontpath + getattr + grab + ungrab +} + +class xextension +{ + query + use +} + +# +# Define the access vector interpretation for controlling +# PaX flags +# +class pax +{ + pageexec # Paging based non-executable pages + emutramp # Emulate trampolines + mprotect # Restrict mprotect() + randmmap # Randomize mmap() base + randexec # Randomize ET_EXEC base + segmexec # Segmentation based non-executable pages +} + +# +# Extended Netlink classes +# +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_firewall_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_nflog_socket +inherits socket + +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_selinux_socket +inherits socket + +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay + nlmsg_readpriv +} + +class netlink_ip6fw_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_dnrt_socket +inherits socket + +# Define the access vector interpretation for controlling +# access and communication through the D-BUS messaging +# system. +# +class dbus +{ + acquire_svc + send_msg +} + +# Define the access vector interpretation for controlling +# access through the name service cache daemon (nscd). +# +class nscd +{ + getpwd + getgrp + gethost + getstat + admin + shmempwd + shmemgrp + shmemhost +} + +# Define the access vector interpretation for controlling +# access to IPSec network data by association +# +class association +{ + sendto + recvfrom +} + +# Updated Netlink class for KOBJECT_UEVENT family. +class netlink_kobject_uevent_socket +inherits socket diff --git a/mls/flask/initial_sids b/mls/flask/initial_sids new file mode 100644 index 0000000..95894eb --- /dev/null +++ b/mls/flask/initial_sids @@ -0,0 +1,35 @@ +# FLASK + +# +# Define initial security identifiers +# + +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull + +# FLASK diff --git a/mls/flask/mkaccess_vector.sh b/mls/flask/mkaccess_vector.sh new file mode 100644 index 0000000..b5da734 --- /dev/null +++ b/mls/flask/mkaccess_vector.sh @@ -0,0 +1,227 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="av_permissions.h" +av_inherit="av_inherit.h" +common_perm_to_string="common_perm_to_string.h" +av_perm_to_string="av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + inheritfile = \"$av_inherit\" + cpermfile = \"$common_perm_to_string\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; + printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "common" { + if (nextstate != "COMMON_OR_AV") + { + printf("Parse error: Unexpected COMMON definition on line %d\n", NR); + next; + } + + if ($2 in common_defined) + { + printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); + next; + } + common_defined[$2] = 1; + + tclass = $2; + common_name = $2; + permission = 1; + + printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; + + nextstate = "COMMON-OPENBRACKET"; + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + inherits = ""; + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "inherits" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); + next; + } + + if (!($2 in common_defined)) + { + printf("COMMON %s is not defined (line %d).\n", $2, NR); + next; + } + + inherits = $2; + permission = common_base[$2]; + + for (combined in common_perms) + { + split(combined,separate, SUBSEP); + if (separate[1] == inherits) + { + inherited_perms[common_perms[combined]] = separate[2]; + } + } + + j = 1; + for (i in inherited_perms) { + ind[j] = i + 0; + j++; + } + n = asort(ind); + for (i = 1; i <= n; i++) { + perm = inherited_perms[ind[i]]; + printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; + spaces = 40 - (length(perm) + length(tclass)); + if (spaces < 1) + spaces = 1; + for (j = 0; j < spaces; j++) + printf(" ") > outfile; + printf("0x%08xUL\n", ind[i]) > outfile; + } + printf("\n") > outfile; + for (i in ind) delete ind[i]; + for (i in inherited_perms) delete inherited_perms[i]; + + printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; + + nextstate = "CLASS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + if (inherits != "") + { + if ((inherits,$1) in common_perms) + { + printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); + next; + } + } + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff --git a/mls/flask/mkflask.sh b/mls/flask/mkflask.sh new file mode 100644 index 0000000..9c84754 --- /dev/null +++ b/mls/flask/mkflask.sh @@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="flask.h" +debug_file="class_to_string.h" +debug_file2="initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" \"%s\",\n", $2) > debugfile2; + } +END { + if (nextstate != "SID") + printf("Parse error: Unexpected end of file\n"); + + printf("\n#define SECINITSID_NUM") > outfile; + for (i = 0; i < 34; i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf("\n#endif\n") > outfile; + printf("};\n\n") > debugfile2; + }' + +# FLASK diff --git a/mls/flask/security_classes b/mls/flask/security_classes new file mode 100644 index 0000000..2669c30 --- /dev/null +++ b/mls/flask/security_classes @@ -0,0 +1,86 @@ +# FLASK + +# +# Define the security object classes +# + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket + +# sysv-ipc-related classes +class sem +class msg +class msgq +class shm +class ipc + +# +# userspace object manager classes +# + +# passwd/chfn/chsh +class passwd + +# SE-X Windows stuff +class drawable +class window +class gc +class font +class colormap +class property +class cursor +class xclient +class xinput +class xserver +class xextension + +# pax flags +class pax + +# extended netlink sockets +class netlink_route_socket +class netlink_firewall_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_ip6fw_socket +class netlink_dnrt_socket + +class dbus +class nscd + +# IPSec association +class association + +# Updated Netlink class for KOBJECT_UEVENT family. +class netlink_kobject_uevent_socket + +# FLASK diff --git a/mls/fs_use b/mls/fs_use new file mode 100644 index 0000000..d884039 --- /dev/null +++ b/mls/fs_use @@ -0,0 +1,33 @@ +# +# Define the labeling behavior for inodes in particular filesystem types. +# This information was formerly hardcoded in the SELinux module. + +# Use xattrs for the following filesystem types. +# Requires that a security xattr handler exist for the filesystem. +fs_use_xattr ext2 system_u:object_r:fs_t:s0; +fs_use_xattr ext3 system_u:object_r:fs_t:s0; +fs_use_xattr xfs system_u:object_r:fs_t:s0; +fs_use_xattr jfs system_u:object_r:fs_t:s0; +fs_use_xattr reiserfs system_u:object_r:fs_t:s0; + +# Use the allocating task SID to label inodes in the following filesystem +# types, and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems that represent objects +# like pipes and sockets, so that these objects are labeled with the same +# type as the creating task. +fs_use_task pipefs system_u:object_r:fs_t:s0; +fs_use_task sockfs system_u:object_r:fs_t:s0; + +# Use a transition SID based on the allocating task SID and the +# filesystem SID to label inodes in the following filesystem types, +# and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems like devpts and tmpfs +# where we want to label objects with a derived type. +fs_use_trans devpts system_u:object_r:devpts_t:s0; +fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0; +fs_use_trans shm system_u:object_r:tmpfs_t:s0; +fs_use_trans mqueue system_u:object_r:tmpfs_t:s0; + +# The separate genfs_contexts configuration can be used for filesystem +# types that cannot support persistent label mappings or use +# one of the fixed label schemes specified here. diff --git a/mls/genfs_contexts b/mls/genfs_contexts new file mode 100644 index 0000000..b9d5bc2 --- /dev/null +++ b/mls/genfs_contexts @@ -0,0 +1,108 @@ +# FLASK + +# +# Security contexts for files in filesystems that +# cannot support xattr or use one of the fixed labeling schemes +# specified in fs_use. +# +# Each specifications has the form: +# genfscon fstype pathname-prefix [ -type ] context +# +# The entry with the longest matching pathname prefix is used. +# / refers to the root directory of the file system, and +# everything is specified relative to this root directory. +# If there is no entry with a matching pathname prefix, then +# the unlabeled initial SID is used. +# +# The optional type field specifies the file type as shown in the mode +# field by ls, e.g. use -c to match only character device files, -b +# to match only block device files. +# +# Except for proc, in 2.6 other filesystems are limited to a single entry (/) +# that covers all entries in the filesystem with a default file context. +# For proc, a pathname can be reliably generated from the proc_dir_entry +# tree. The proc /sys entries are used for both proc inodes and for sysctl(2) +# calls. /proc/PID entries are automatically labeled based on the associated +# process. +# +# Support for other filesystem types requires corresponding code to be +# added to the kernel, either as an xattr handler in the filesystem +# implementation (preferred, and necessary if you want to access the labels +# from userspace) or as logic in the SELinux module. + +# proc (excluding /proc/PID) +genfscon proc / system_u:object_r:proc_t:s0 +genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255 +genfscon proc /kcore system_u:object_r:proc_kcore_t:s15:c0.c255 +genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0 +genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0 +genfscon proc /net system_u:object_r:proc_net_t:s0 +genfscon proc /sysvipc system_u:object_r:proc_t:s0 +genfscon proc /sys system_u:object_r:sysctl_t:s0 +genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0 +genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0 +genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0 +genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0 +genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0 +genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0 +genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0 +genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0 +genfscon proc /irq system_u:object_r:sysctl_irq_t:s0 + +# rootfs +genfscon rootfs / system_u:object_r:root_t:s0 + +# sysfs +genfscon sysfs / system_u:object_r:sysfs_t:s0 + +# selinuxfs +genfscon selinuxfs / system_u:object_r:security_t:s0 + +# autofs +genfscon autofs / system_u:object_r:autofs_t:s0 +genfscon automount / system_u:object_r:autofs_t:s0 + +# usbdevfs +genfscon usbdevfs / system_u:object_r:usbdevfs_t:s0 + +# iso9660 +genfscon iso9660 / system_u:object_r:iso9660_t:s0 +genfscon udf / system_u:object_r:iso9660_t:s0 + +# romfs +genfscon romfs / system_u:object_r:romfs_t:s0 +genfscon cramfs / system_u:object_r:romfs_t:s0 + +# ramfs +genfscon ramfs / system_u:object_r:ramfs_t:s0 + +# vfat, msdos +genfscon vfat / system_u:object_r:dosfs_t:s0 +genfscon msdos / system_u:object_r:dosfs_t:s0 +genfscon fat / system_u:object_r:dosfs_t:s0 +genfscon ntfs / system_u:object_r:dosfs_t:s0 + +# samba +genfscon cifs / system_u:object_r:cifs_t:s0 +genfscon smbfs / system_u:object_r:cifs_t:s0 + +# nfs +genfscon nfs / system_u:object_r:nfs_t:s0 +genfscon nfs4 / system_u:object_r:nfs_t:s0 +genfscon afs / system_u:object_r:nfs_t:s0 + +genfscon debugfs / system_u:object_r:debugfs_t:s0 +genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0 +genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0 +genfscon capifs / system_u:object_r:capifs_t:s0 +genfscon configfs / system_u:object_r:configfs_t:s0 + +# needs more work +genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0 +genfscon futexfs / system_u:object_r:futexfs_t:s0 +genfscon bdev / system_u:object_r:bdev_t:s0 +genfscon usbfs / system_u:object_r:usbfs_t:s0 +genfscon nfsd / system_u:object_r:nfsd_fs_t:s0 +genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0 +genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0 + diff --git a/mls/initial_sid_contexts b/mls/initial_sid_contexts new file mode 100644 index 0000000..53a3504 --- /dev/null +++ b/mls/initial_sid_contexts @@ -0,0 +1,46 @@ +# FLASK + +# +# Define the security context for each initial SID +# sid sidname context + +sid kernel system_u:system_r:kernel_t:s15:c0.c255 +sid security system_u:object_r:security_t:s15:c0.c255 +sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 +sid fs system_u:object_r:fs_t:s0 +sid file system_u:object_r:file_t:s0 +# Persistent label mapping is gone. This initial SID can be removed. +sid file_labels system_u:object_r:unlabeled_t:s15:c0.c255 +# init_t is still used, but an initial SID is no longer required. +sid init system_u:object_r:unlabeled_t:s15:c0.c255 +# any_socket is no longer used. +sid any_socket system_u:object_r:unlabeled_t:s15:c0.c255 +sid port system_u:object_r:port_t:s0 +sid netif system_u:object_r:netif_t:s0 +# netmsg is no longer used. +sid netmsg system_u:object_r:unlabeled_t:s15:c0.c255 +sid node system_u:object_r:node_t:s0 +# These sockets are now labeled with the kernel SID, +# and do not require their own initial SIDs. +sid igmp_packet system_u:object_r:unlabeled_t:s15:c0.c255 +sid icmp_socket system_u:object_r:unlabeled_t:s15:c0.c255 +sid tcp_socket system_u:object_r:unlabeled_t:s15:c0.c255 +# Most of the sysctl SIDs are now computed at runtime +# from genfs_contexts, so the corresponding initial SIDs +# are no longer required. +sid sysctl_modprobe system_u:object_r:unlabeled_t:s15:c0.c255 +# But we still need the base sysctl initial SID as a default. +sid sysctl system_u:object_r:sysctl_t:s0 +sid sysctl_fs system_u:object_r:unlabeled_t:s15:c0.c255 +sid sysctl_kernel system_u:object_r:unlabeled_t:s15:c0.c255 +sid sysctl_net system_u:object_r:unlabeled_t:s15:c0.c255 +sid sysctl_net_unix system_u:object_r:unlabeled_t:s15:c0.c255 +sid sysctl_vm system_u:object_r:unlabeled_t:s15:c0.c255 +sid sysctl_dev system_u:object_r:unlabeled_t:s15:c0.c255 +# No longer used, can be removed. +sid kmod system_u:object_r:unlabeled_t:s15:c0.c255 +sid policy system_u:object_r:unlabeled_t:s15:c0.c255 +sid scmp_packet system_u:object_r:unlabeled_t:s15:c0.c255 +sid devnull system_u:object_r:null_device_t:s0 + +# FLASK diff --git a/mls/local.users b/mls/local.users new file mode 100644 index 0000000..6dd04d6 --- /dev/null +++ b/mls/local.users @@ -0,0 +1,21 @@ +################################## +# +# User configuration. +# +# This file defines additional users recognized by the system security policy. +# Only the user identities defined in this file and the system.users file +# may be used as the user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ level default_level range allowed_range ]; +# +# The MLS default level and allowed range should only be specified if +# MLS was enabled in the policy. + +# sample for administrative user +# user jadmin roles { staff_r sysadm_r system_r }; + +# sample for regular user +#user jdoe roles { user_r }; diff --git a/mls/macros/admin_macros.te b/mls/macros/admin_macros.te new file mode 100644 index 0000000..aaa816e --- /dev/null +++ b/mls/macros/admin_macros.te @@ -0,0 +1,227 @@ +# +# Macros for all admin domains. +# + +# +# admin_domain(domain_prefix) +# +# Define derived types and rules for an administrator domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. If the every_domain() rules are desired, +# then these rules must also be specified separately. +# +undefine(`admin_domain') +define(`admin_domain',` +# Type for home directory. +attribute $1_file_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; +type $1_home_t, file_type, sysadmfile, home_type, $1_file_type; + +# Type and access for pty devices. +can_create_pty($1, `, admin_tty_type') + +# Transition manually for { lnk sock fifo }. The rest is in content macros. +tmp_domain_notrans($1, `, $1_file_type') +file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file }) +allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom }; + +# Type for tty devices. +type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type; + +# Inherit rules for ordinary users. +base_user_domain($1) +access_removable_media($1_t) + +allow $1_t self:capability setuid; + +ifdef(`su.te', `su_domain($1)') +ifdef(`userhelper.te', `userhelper_domain($1)') +ifdef(`sudo.te', `sudo_domain($1)') + +# Let admin stat the shadow file. +allow $1_t shadow_t:file getattr; + +ifdef(`crond.te', ` +allow $1_crond_t var_log_t:file r_file_perms; +') + +# Allow system log read +allow $1_t kernel_t:system syslog_read; + +# Allow autrace +# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv; + +# Use capabilities other than sys_module. +allow $1_t self:capability ~sys_module; + +# Use system operations. +allow $1_t kernel_t:system *; + +# Set password information for other users. +allow $1_t self:passwd { passwd chfn chsh }; + +# Skip authentication when pam_rootok is specified. +allow $1_t self:passwd rootok; + +# Manipulate other user crontab. +allow $1_t self:passwd crontab; +can_getsecurity(sysadm_crontab_t) + +# Change system parameters. +can_sysctl($1_t) + +# Create and use all files that have the sysadmfile attribute. +allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms; +allow $1_t sysadmfile:lnk_file create_lnk_perms; +allow $1_t sysadmfile:dir create_dir_perms; + +# for lsof +allow $1_t mtrr_device_t:file getattr; +allow $1_t fs_type:dir getattr; + +# Access removable devices. +allow $1_t removable_device_t:devfile_class_set rw_file_perms; + +# Communicate with the init process. +allow $1_t initctl_t:fifo_file rw_file_perms; + +# Examine all processes. +can_ps($1_t, domain) + +# allow renice +allow $1_t domain:process setsched; + +# Send signals to all processes. +allow $1_t { domain unlabeled_t }:process signal_perms; + +# Access all user terminals. +allow $1_t tty_device_t:chr_file rw_file_perms; +allow $1_t ttyfile:chr_file rw_file_perms; +allow $1_t ptyfile:chr_file rw_file_perms; +allow $1_t serial_device:chr_file setattr; + +# allow setting up tunnels +allow $1_t tun_tap_device_t:chr_file rw_file_perms; + +# run ls -l /dev +allow $1_t device_t:dir r_dir_perms; +allow $1_t { device_t device_type }:{ chr_file blk_file } getattr; +allow $1_t ptyfile:chr_file getattr; + +# Run programs from staff home directories. +# Not ideal, but typical if users want to login as both sysadm_t or staff_t. +can_exec($1_t, staff_home_t) + +# Run programs from /usr/src. +can_exec($1_t, src_t) + +# Relabel all files. +# Actually this will not allow relabeling ALL files unless you change +# sysadmfile to file_type (and change the assertion in assert.te that +# only auth_write can relabel shadow_t) +allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto }; +allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto }; + +ifdef(`startx.te', ` +ifdef(`xserver.te', ` +# Create files in /tmp/.X11-unix with our X servers derived +# tmp type rather than user_xserver_tmp_t. +file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) +')dnl end xserver.te +')dnl end startx.te + +ifdef(`xdm.te', ` +ifdef(`xauth.te', ` +if (xdm_sysadm_login) { +allow xdm_t $1_home_t:lnk_file read; +allow xdm_t $1_home_t:dir search; +} +can_pipe_xdm($1_t) +')dnl end ifdef xauth.te +')dnl end ifdef xdm.te + +# +# A user who is authorized for sysadm_t may nonetheless have +# a home directory labeled with user_home_t if the user is expected +# to login in either user_t or sysadm_t. Hence, the derived domains +# for programs need to be able to access user_home_t. +# + +# Allow our gph domain to write to .xsession-errors. +ifdef(`gnome-pty-helper.te', ` +allow $1_gph_t user_home_dir_type:dir rw_dir_perms; +allow $1_gph_t user_home_type:file create_file_perms; +') + +# Allow our crontab domain to unlink a user cron spool file. +ifdef(`crontab.te', +`allow $1_crontab_t user_cron_spool_t:file unlink;') + +# for the administrator to run TCP servers directly +can_tcp_connect($1_t, $1_t) +allow $1_t port_t:tcp_socket name_bind; + +# Connect data port to ftpd. +ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') + +# Connect second port to rshd. +ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') + +# +# Allow sysadm to execute quota commands against filesystems and files. +# +allow $1_t fs_type:filesystem quotamod; + +# Grant read and write access to /dev/console. +allow $1_t console_device_t:chr_file rw_file_perms; + +# Allow MAKEDEV to work +allow $1_t device_t:dir rw_dir_perms; +allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; +allow $1_t device_t:lnk_file { create read }; + +# for lsof +allow $1_t domain:socket_class_set getattr; +allow $1_t eventpollfs_t:file getattr; +') + +define(`security_manager_domain', ` + +typeattribute $1 secadmin; +# Allow administrator domains to set the enforcing flag. +can_setenforce($1) + +# Allow administrator domains to set policy booleans. +can_setbool($1) + +# Get security policy decisions. +can_getsecurity($1) + +# Allow administrator domains to set security parameters +can_setsecparam($1) + +# Run admin programs that require different permissions in their own domain. +# These rules were moved into the appropriate program domain file. + +# added by mayerf@tresys.com +# The following rules are temporary until such time that a complete +# policy management infrastructure is in place so that an administrator +# cannot directly manipulate policy files with arbitrary programs. +# +allow $1 secadmfile:file { relabelto relabelfrom create_file_perms }; +allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms }; +allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms }; + +# Set an exec context, e.g. for runcon. +can_setexec($1) + +# Set a context other than the default one for newly created files. +can_setfscreate($1) + +allow $1 self:netlink_audit_socket nlmsg_readpriv; + +') + + diff --git a/mls/macros/base_user_macros.te b/mls/macros/base_user_macros.te new file mode 100644 index 0000000..cecbaf7 --- /dev/null +++ b/mls/macros/base_user_macros.te @@ -0,0 +1,397 @@ +# +# Macros for all user login domains. +# + +# +# base_user_domain(domain_prefix) +# +# Define derived types and rules for an ordinary user domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. +# + +# base_user_domain() is also called by the admin_domain() macro +undefine(`base_user_domain') +define(`base_user_domain', ` + +# Type for network-obtained content +type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember; +type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember; + +# Allow user to relabel untrusted content +allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom }; +allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename }; + +# Read content +read_content($1_t, $1) + +# Write trusted content. This includes proper transition +# for /home, and /tmp, so no other transition is necessary (or allowed) +write_trusted($1_t, $1) + +# Maybe the home directory is networked +network_home($1_t) + +# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted. +# Relabel files in the home directory +file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); +allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto }; +can_setfscreate($1_t) + +ifdef(`ftpd.te' , ` +if (ftpd_is_daemon) { +file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) +} +') + +allow $1_t self:capability { setgid chown fowner }; +dontaudit $1_t self:capability { sys_nice fsetid }; + +# $1_r is authorized for $1_t for the initial login domain. +role $1_r types $1_t; +allow system_r $1_r; + +r_dir_file($1_t, usercanread) + +# Grant permissions within the domain. +general_domain_access($1_t) + +if (allow_execmem) { +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. +allow $1_t self:process execmem; +} + +if (allow_execmem && allow_execstack) { +# Allow making the stack executable via mprotect. +allow $1_t self:process execstack; +} + +# Allow text relocations on system shared libraries, e.g. libGL. +allow $1_t texrel_shlib_t:file execmod; + +# +# kdeinit wants this access +# +allow $1_t device_t:dir { getattr search }; + +# Find CDROM devices +r_dir_file($1_t, sysctl_dev_t) +# for eject +allow $1_t fixed_disk_device_t:blk_file getattr; + +allow $1_t fs_type:dir getattr; + +allow $1_t event_device_t:chr_file { getattr read ioctl }; + +# open office is looking for the following +allow $1_t dri_device_t:chr_file getattr; +dontaudit $1_t dri_device_t:chr_file rw_file_perms; + +# Supress ls denials: +# getattr() - ls -l +# search_dir() - symlink path resolution +# read_dir() - deep ls: ls parent/... + +dontaudit_getattr($1_t) +dontaudit_search_dir($1_t) +dontaudit_read_dir($1_t) + +# allow ptrace +can_ptrace($1_t, $1_t) + +# Allow user to run restorecon and relabel files +can_getsecurity($1_t) +r_dir_file($1_t, default_context_t) +r_dir_file($1_t, file_context_t) + +allow $1_t usbtty_device_t:chr_file read; + +# GNOME checks for usb and other devices +rw_dir_file($1_t,usbfs_t) + +can_exec($1_t, noexattrfile) +# Bind to a Unix domain socket in /tmp. +allow $1_t $1_tmp_t:unix_stream_socket name_bind; + +# Use the type when relabeling terminal devices. +type_change $1_t tty_device_t:chr_file $1_tty_device_t; + +# Debian login is from shadow utils and does not allow resetting the perms. +# have to fix this! +type_change $1_t ttyfile:chr_file $1_tty_device_t; + +# for running TeX programs +r_dir_file($1_t, tetex_data_t) +can_exec($1_t, tetex_data_t) + +# Use the type when relabeling pty devices. +type_change $1_t server_pty:chr_file $1_devpts_t; + +tmpfs_domain($1) + +ifdef(`cardmgr.te', ` +# to allow monitoring of pcmcia status +allow $1_t cardmgr_var_run_t:file { getattr read }; +') + +# Modify mail spool file. +allow $1_t mail_spool_t:dir r_dir_perms; +allow $1_t mail_spool_t:file rw_file_perms; +allow $1_t mail_spool_t:lnk_file read; + +# +# Allow graphical boot to check battery lifespan +# +ifdef(`apmd.te', ` +allow $1_t apmd_t:unix_stream_socket connectto; +allow $1_t apmd_var_run_t:sock_file write; +') + +# +# Allow the query of filesystem quotas +# +allow $1_t fs_type:filesystem quotaget; + +# Run helper programs. +can_exec_any($1_t) +# Run programs developed by other users in the same domain. +can_exec($1_t, $1_home_t) +can_exec($1_t, $1_tmp_t) + +# Run user programs that require different permissions in their own domain. +# These rules were moved into the individual program domains. + +# Instantiate derived domains for a number of programs. +# These derived domains encode both information about the calling +# user domain and the program, and allow us to maintain separation +# between different instances of the program being run by different +# user domains. +ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)') +ifdef(`chkpwd.te', `chkpwd_domain($1)') +ifdef(`fingerd.te', `fingerd_macro($1)') +ifdef(`mta.te', `mail_domain($1)') +ifdef(`exim.te', `exim_user_domain($1)') +ifdef(`crontab.te', `crontab_domain($1)') + +ifdef(`screen.te', `screen_domain($1)') +ifdef(`tvtime.te', `tvtime_domain($1)') +ifdef(`mozilla.te', `mozilla_domain($1)') +ifdef(`thunderbird.te', `thunderbird_domain($1)') +ifdef(`samba.te', `samba_domain($1)') +ifdef(`gpg.te', `gpg_domain($1)') +ifdef(`xauth.te', `xauth_domain($1)') +ifdef(`iceauth.te', `iceauth_domain($1)') +ifdef(`startx.te', `xserver_domain($1)') +ifdef(`lpr.te', `lpr_domain($1)') +ifdef(`ssh.te', `ssh_domain($1)') +ifdef(`irc.te', `irc_domain($1)') +ifdef(`using_spamassassin', `spamassassin_domain($1)') +ifdef(`pyzor.te', `pyzor_domain($1)') +ifdef(`razor.te', `razor_domain($1)') +ifdef(`uml.te', `uml_domain($1)') +ifdef(`cdrecord.te', `cdrecord_domain($1)') +ifdef(`mplayer.te', `mplayer_domains($1)') + +fontconfig_domain($1) + +# GNOME +ifdef(`gnome.te', ` +gnome_domain($1) +ifdef(`games.te', `games_domain($1)') +ifdef(`gift.te', `gift_domains($1)') +ifdef(`evolution.te', `evolution_domains($1)') +ifdef(`ethereal.te', `ethereal_domain($1)') +') + +# ICE communication channel +ice_domain($1, $1) + +# ORBit communication channel (independent of GNOME) +orbit_domain($1, $1) + +# Instantiate a derived domain for user cron jobs. +ifdef(`crond.te', `crond_domain($1)') + +ifdef(`vmware.te', `vmware_domain($1)') + +if (user_direct_mouse) { +# Read the mouse. +allow $1_t mouse_device_t:chr_file r_file_perms; +} +# Access other miscellaneous devices. +allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms; +allow $1_t device_t:lnk_file { getattr read }; + +can_resmgrd_connect($1_t) + +# +# evolution and gnome-session try to create a netlink socket +# +dontaudit $1_t self:netlink_socket create_socket_perms; +dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms; + +# Use the network. +can_network($1_t) +allow $1_t port_type:tcp_socket name_connect; +can_ypbind($1_t) +can_winbind($1_t) + +ifdef(`pamconsole.te', ` +allow $1_t pam_var_console_t:dir search; +') + +allow $1_t var_lock_t:dir search; + +# Grant permissions to access the system DBus +ifdef(`dbusd.te', ` +dbusd_client(system, $1) +can_network_server_tcp($1_dbusd_t) +allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; + +allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; +dbusd_client($1, $1) +allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; +dbusd_domain($1) +ifdef(`hald.te', ` +allow $1_t hald_t:dbus send_msg; +allow hald_t $1_t:dbus send_msg; +') dnl end ifdef hald.te +') dnl end ifdef dbus.te + +# allow port_t name binding for UDP because it is not very usable otherwise +allow $1_t port_t:udp_socket name_bind; + +# Gnome pannel binds to the following +ifdef(`cups.te', ` +allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr }; +') + +# for perl +dontaudit $1_t net_conf_t:file ioctl; + +# Communicate within the domain. +can_udp_send($1_t, self) + +# Connect to inetd. +ifdef(`inetd.te', ` +can_tcp_connect($1_t, inetd_t) +can_udp_send($1_t, inetd_t) +can_udp_send(inetd_t, $1_t) +') + +# Connect to portmap. +ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') + +# Inherit and use sockets from inetd +ifdef(`inetd.te', ` +allow $1_t inetd_t:fd use; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;') + +# Very permissive allowing every domain to see every type. +allow $1_t kernel_t:system ipc_info; + +# When the user domain runs ps, there will be a number of access +# denials when ps tries to search /proc. Do not audit these denials. +dontaudit $1_t domain:dir r_dir_perms; +dontaudit $1_t domain:notdevfile_class_set r_file_perms; +dontaudit $1_t domain:process { getattr getsession }; +# +# Cups daemon running as user tries to write /etc/printcap +# +dontaudit $1_t usr_t:file setattr; + +# Use X +x_client_domain($1, $1) + +ifdef(`xserver.te', ` +allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; +') + +ifdef(`xdm.te', ` +# Connect to the X server run by the X Display Manager. +can_unix_connect($1_t, xdm_t) +# certain apps want to read xdm.pid file +r_dir_file($1_t, xdm_var_run_t) +allow $1_t xdm_var_lib_t:file { getattr read }; +allow xdm_t $1_home_dir_t:dir getattr; +ifdef(`xauth.te', ` +file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) +') + +')dnl end ifdef xdm.te + +# Access the sound device. +allow $1_t sound_device_t:chr_file { getattr read write ioctl }; + +# Access the power device. +allow $1_t power_device_t:chr_file { getattr read write ioctl }; + +allow $1_t var_log_t:dir { getattr search }; +dontaudit $1_t logfile:file getattr; + +# Check to see if cdrom is mounted +allow $1_t mnt_t:dir { getattr search }; + +# Get attributes of file systems. +allow $1_t fs_type:filesystem getattr; + +# Read and write /dev/tty and /dev/null. +allow $1_t devtty_t:chr_file rw_file_perms; +allow $1_t null_device_t:chr_file rw_file_perms; +allow $1_t zero_device_t:chr_file { rw_file_perms execute }; +allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms; +# +# Added to allow reading of cdrom +# +allow $1_t rpc_pipefs_t:dir getattr; +allow $1_t nfsd_fs_t:dir getattr; +allow $1_t binfmt_misc_fs_t:dir getattr; + +# /initrd is left mounted, various programs try to look at it +dontaudit $1_t ramfs_t:dir getattr; + +# +# Emacs wants this access +# +allow $1_t wtmp_t:file r_file_perms; +dontaudit $1_t wtmp_t:file write; + +# Read the devpts root directory. +allow $1_t devpts_t:dir r_dir_perms; + +r_dir_file($1_t, src_t) + +# Allow user to read default_t files +# This is different from reading default_t content, +# because it also includes sockets, fifos, and links + +if (read_default_t) { +allow $1_t default_t:dir r_dir_perms; +allow $1_t default_t:notdevfile_class_set r_file_perms; +} + +# Read fonts +read_fonts($1_t, $1) + +read_sysctl($1_t); + +# +# Caused by su - init scripts +# +dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write }; + +# +# Running ifconfig as a user generates the following +# +dontaudit $1_t self:socket create; +dontaudit $1_t sysctl_net_t:dir search; + +ifdef(`rpcd.te', ` +create_dir_file($1_t, nfsd_rw_t) +') + +')dnl end base_user_domain macro + diff --git a/mls/macros/content_macros.te b/mls/macros/content_macros.te new file mode 100644 index 0000000..fb36d46 --- /dev/null +++ b/mls/macros/content_macros.te @@ -0,0 +1,188 @@ +# Content access macros + +# FIXME: After nested booleans are supported, replace NFS/CIFS +# w/ read_network_home, and write_network_home macros from global + +# FIXME: If true/false constant booleans are supported, replace +# ugly $3 ifdefs with if(true), if(false)... + +# FIXME: Do we want write to imply read? + +############################################################ +# read_content(domain, role_prefix, bool_prefix) +# +# Allow the given domain to read content. +# Content may be trusted or untrusted, +# Reading anything is subject to a controlling boolean based on bool_prefix. +# Reading untrusted content is additionally subject to read_untrusted_content +# Reading default_t is additionally subject to read_default_t + +define(`read_content', ` + +# Declare controlling boolean +ifelse($3, `', `', ` +ifdef(`$3_read_content_defined', `', ` +define(`$3_read_content_defined') +bool $3_read_content false; +') dnl ifdef +') dnl ifelse + +# Handle nfs home dirs +ifelse($3, `', +`if (use_nfs_home_dirs) { ', +`if ($3_read_content && use_nfs_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +r_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file r_file_perms; +dontaudit $1 nfs_t:dir r_dir_perms; +} + +# Handle samba home dirs +ifelse($3, `', +`if (use_samba_home_dirs) { ', +`if ($3_read_content && use_samba_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +r_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file r_file_perms; +dontaudit $1 cifs_t:dir r_dir_perms; +} + +# Handle removable media, /tmp, and /home +ifelse($3, `', `', +`if ($3_read_content) {') +allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +r_dir_file($1, { $2_tmp_t $2_home_t } ) +ifdef(`mls_policy', `', ` +r_dir_file($1, removable_t) +') + +ifelse($3, `', `', +`} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms; +dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms; +}') + +# Handle default_t content +ifelse($3, `', +`if (read_default_t) { ', +`if ($3_read_content && read_default_t) {') +r_dir_file($1, default_t) +} else { +dontaudit $1 default_t:file r_file_perms; +dontaudit $1 default_t:dir r_dir_perms; +} + +# Handle untrusted content +ifelse($3, `', +`if (read_untrusted_content) { ', +`if ($3_read_content && read_untrusted_content) {') +allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t }) +} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms; +dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms; +} +') dnl read_content + +################################################# +# write_trusted(domain, role_prefix, bool_prefix) +# +# Allow the given domain to write trusted content. +# This is subject to a controlling boolean based +# on bool_prefix. + +define(`write_trusted', ` + +# Declare controlling boolean +ifelse($3, `', `', ` +ifdef(`$3_write_content_defined', `', ` +define(`$3_write_content_defined') +bool $3_write_content false; +') dnl ifdef +') dnl ifelse + +# Handle nfs homedirs +ifelse($3, `', +`if (use_nfs_home_dirs) { ', +`if ($3_write_content && use_nfs_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file create_file_perms; +dontaudit $1 nfs_t:dir create_dir_perms; +} + +# Handle samba homedirs +ifelse($3, `', +`if (use_samba_home_dirs) { ', +`if ($3_write_content && use_samba_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file create_file_perms; +dontaudit $1 cifs_t:dir create_dir_perms; +} + +# Handle /tmp and /home +ifelse($3, `', `', +`if ($3_write_content) {') +allow $1 home_root_t:dir { read getattr search }; +file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file }); +file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file }); +ifelse($3, `', `', +`} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms; +dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms; +}') + +') dnl write_trusted + +######################################### +# write_untrusted(domain, role_prefix) +# +# Allow the given domain to write untrusted content. +# This is subject to the global boolean write_untrusted. + +define(`write_untrusted', ` + +# Handle nfs homedirs +if (write_untrusted_content && use_nfs_home_dirs) { +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file create_file_perms; +dontaudit $1 nfs_t:dir create_dir_perms; +} + +# Handle samba homedirs +if (write_untrusted_content && use_samba_home_dirs) { +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file create_file_perms; +dontaudit $1 cifs_t:dir create_dir_perms; +} + +# Handle /tmp and /home +if (write_untrusted_content) { +allow $1 home_root_t:dir { read getattr search }; +file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file }) +file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file }) +} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms; +dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms; +} + +') dnl write_untrusted diff --git a/mls/macros/core_macros.te b/mls/macros/core_macros.te new file mode 100644 index 0000000..6bae8bf --- /dev/null +++ b/mls/macros/core_macros.te @@ -0,0 +1,706 @@ + +############################## +# +# core macros for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley , Timothy Fraser +# Howard Holm (NSA) +# Russell Coker +# + +################################# +# +# Macros for groups of classes and +# groups of permissions. +# + +# +# All directory and file classes +# +define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# All non-directory file classes. +# +define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# Non-device file classes. +# +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') + +# +# Device file classes. +# +define(`devfile_class_set', `{ chr_file blk_file }') + +# +# All socket classes. +# +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') + + +# +# Datagram socket classes. +# +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') + +# +# Stream socket classes. +# +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') + +# +# Unprivileged socket classes (exclude rawip, netlink, packet). +# +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + + +# +# Permissions for getting file attributes. +# +define(`stat_file_perms', `{ getattr }') + +# +# Permissions for executing files. +# +define(`x_file_perms', `{ getattr execute }') + +# +# Permissions for reading files and their attributes. +# +define(`r_file_perms', `{ read getattr lock ioctl }') + +# +# Permissions for reading and executing files. +# +define(`rx_file_perms', `{ read getattr lock execute ioctl }') + +# +# Permissions for reading and writing files and their attributes. +# +define(`rw_file_perms', `{ ioctl read getattr lock write append }') + +# +# Permissions for reading and appending to files. +# +define(`ra_file_perms', `{ ioctl read getattr lock append }') + +# +# Permissions for linking, unlinking and renaming files. +# +define(`link_file_perms', `{ getattr link unlink rename }') + +# +# Permissions for creating lnk_files. +# +define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }') + +# +# Permissions for creating and using files. +# +define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }') + +# +# Permissions for reading directories and their attributes. +# +define(`r_dir_perms', `{ read getattr lock search ioctl }') + +# +# Permissions for reading and writing directories and their attributes. +# +define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }') + +# +# Permissions for reading and adding names to directories. +# +define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }') + + +# +# Permissions for creating and using directories. +# +define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }') + +# +# Permissions to mount and unmount file systems. +# +define(`mount_fs_perms', `{ mount remount unmount getattr }') + +# +# Permissions for using sockets. +# +define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`create_socket_perms', `{ create rw_socket_perms }') + +# +# Permissions for using stream sockets. +# +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') + +# +# Permissions for creating and using stream sockets. +# +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') + +# +# Permissions for creating and using sockets. +# +define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') + + +# +# Permissions for creating and using netlink sockets. +# +define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that modify state. +# +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that observe state. +# +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') + +# +# Permissions for sending all signals. +# +define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') + +# +# Permissions for sending and receiving network packets. +# +define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') + +# +# Permissions for using System V IPC +# +define(`r_sem_perms', `{ associate getattr read unix_read }') +define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') +define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') +define(`r_msgq_perms', `{ associate getattr read unix_read }') +define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') +define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') +define(`r_shm_perms', `{ associate getattr read unix_read }') +define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') +define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') + +################################# +# +# Macros for type transition rules and +# access vector rules. +# + +# +# Simple combinations for reading and writing both +# directories and files. +# +define(`r_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:file r_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`rw_dir_file', ` +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file rw_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`ra_dir_file', ` +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file ra_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`ra_dir_create_file', ` +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file { create ra_file_perms }; +allow $1 $2:lnk_file { create read getattr }; +') + +define(`rw_dir_create_file', ` +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_dir_file', ` +allow $1 $2:dir create_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_dir_notdevfile', ` +allow $1 $2:dir create_dir_perms; +allow $1 $2:{ file sock_file fifo_file } create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_append_log_file', ` +allow $1 $2:dir { read getattr search add_name write }; +allow $1 $2:file { create ioctl getattr setattr append link }; +') + +################################## +# +# can_ps(domain1, domain2) +# +# Authorize domain1 to see /proc entries for domain2 (see it in ps output) +# +define(`can_ps',` +allow $1 $2:dir { search getattr read }; +allow $1 $2:{ file lnk_file } { read getattr }; +allow $1 $2:process getattr; +# We need to suppress this denial because procps tries to access +# /proc/pid/environ and this now triggers a ptrace check in recent kernels +# (2.4 and 2.6). Might want to change procps to not do this, or only if +# running in a privileged domain. +dontaudit $1 $2:process ptrace; +') + +################################## +# +# can_getsecurity(domain) +# +# Authorize a domain to get security policy decisions. +# +define(`can_getsecurity',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } { getattr read }; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user }; +') + +################################## +# +# can_setenforce(domain) +# +# Authorize a domain to set the enforcing flag. +# Due to its sensitivity, always audit this permission. +# +define(`can_setenforce',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +if (!secure_mode_policyload) { +allow $1 security_t:security setenforce; +auditallow $1 security_t:security setenforce; +}dnl end if !secure_mode_policyload +') + +################################## +# +# can_setbool(domain) +# +# Authorize a domain to set a policy boolean. +# Due to its sensitivity, always audit this permission. +# +define(`can_setbool',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +if (!secure_mode_policyload) { +allow $1 security_t:security setbool; +auditallow $1 security_t:security setbool; +}dnl end if !secure_mode_policyload +') + +################################## +# +# can_setsecparam(domain) +# +# Authorize a domain to set security parameters. +# Due to its sensitivity, always audit this permission. +# +define(`can_setsecparam',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setsecparam; +auditallow $1 security_t:security setsecparam; +') + +################################## +# +# can_loadpol(domain) +# +# Authorize a domain to load a policy configuration. +# Due to its sensitivity, always audit this permission. +# +define(`can_loadpol',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 proc_t:file { getattr read }; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +if (!secure_mode_policyload) { +allow $1 security_t:security load_policy; +auditallow $1 security_t:security load_policy; +}dnl end if !secure_mode_policyload +') + +################################# +# +# domain_trans(parent_domain, program_type, child_domain) +# +# Permissions for transitioning to a new domain. +# + +define(`domain_trans',` + +# +# Allow the process to transition to the new domain. +# +allow $1 $3:process transition; + +# +# Do not audit when glibc secure mode is enabled upon the transition. +# +dontaudit $1 $3:process noatsecure; + +# +# Do not audit when signal-related state is cleared upon the transition. +# +dontaudit $1 $3:process siginh; + +# +# Do not audit when resource limits are reset upon the transition. +# +dontaudit $1 $3:process rlimitinh; + +# +# Allow the process to execute the program. +# +allow $1 $2:file { read x_file_perms }; + +# +# Allow the process to reap the new domain. +# +allow $3 $1:process sigchld; + +# +# Allow the new domain to inherit and use file +# descriptions from the creating process and vice versa. +# +allow $3 $1:fd use; +allow $1 $3:fd use; + +# +# Allow the new domain to write back to the old domain via a pipe. +# +allow $3 $1:fifo_file rw_file_perms; + +# +# Allow the new domain to read and execute the program. +# +allow $3 $2:file rx_file_perms; + +# +# Allow the new domain to be entered via the program. +# +allow $3 $2:file entrypoint; +') + +################################# +# +# domain_auto_trans(parent_domain, program_type, child_domain) +# +# Define a default domain transition and allow it. +# +define(`domain_auto_trans',` +domain_trans($1,$2,$3) +type_transition $1 $2:process $3; +') + +################################# +# +# can_ptrace(domain, domain) +# +# Permissions for running ptrace (strace or gdb) on another domain +# +define(`can_ptrace',` +allow $1 $2:process ptrace; +allow $2 $1:process sigchld; +') + +################################# +# +# can_exec(domain, type) +# +# Permissions for executing programs with +# a specified type without changing domains. +# +define(`can_exec',` +allow $1 $2:file { rx_file_perms execute_no_trans }; +') + +# this is an internal macro used by can_create +define(`can_create_internal', ` +ifelse(`$3', `dir', ` +allow $1 $2:$3 create_dir_perms; +', `$3', `lnk_file', ` +allow $1 $2:$3 create_lnk_perms; +', ` +allow $1 $2:$3 create_file_perms; +')dnl end if dir +')dnl end can_create_internal + + +################################# +# +# can_create(domain, file_type, object_class) +# +# Permissions for creating files of the specified type and class +# +define(`can_create', ` +ifelse(regexp($3, `\w'), -1, `', ` +can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1')) + +can_create($1, $2, regexp($3, `\w+\(.*\)', `\1')) +') +') +################################# +# +# file_type_trans(domain, dir_type, file_type) +# +# Permissions for transitioning to a new file type. +# + +define(`file_type_trans',` + +# +# Allow the process to modify the directory. +# +allow $1 $2:dir rw_dir_perms; + +# +# Allow the process to create the file. +# +ifelse(`$4', `', ` +can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }') +', ` +can_create($1, $3, $4) +')dnl end if param 4 specified + +') + +################################# +# +# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class) +# +# the object class will default to notdevfile_class_set if not specified as +# the fourth parameter +# +# Define a default file type transition and allow it. +# +define(`file_type_auto_trans',` +ifelse(`$4', `', ` +file_type_trans($1,$2,$3) +type_transition $1 $2:dir $3; +type_transition $1 $2:notdevfile_class_set $3; +', ` +file_type_trans($1,$2,$3,$4) +type_transition $1 $2:$4 $3; +')dnl end ifelse + +') + + +################################# +# +# can_unix_connect(client, server) +# +# Permissions for establishing a Unix stream connection. +# +define(`can_unix_connect',` +allow $1 $2:unix_stream_socket connectto; +') + +################################# +# +# can_unix_send(sender, receiver) +# +# Permissions for sending Unix datagrams. +# +define(`can_unix_send',` +allow $1 $2:unix_dgram_socket sendto; +') + +################################# +# +# can_tcp_connect(client, server) +# +# Permissions for establishing a TCP connection. +# Irrelevant until we have labeled networking. +# +define(`can_tcp_connect',` +#allow $1 $2:tcp_socket { connectto recvfrom }; +#allow $2 $1:tcp_socket { acceptfrom recvfrom }; +#allow $2 kernel_t:tcp_socket recvfrom; +#allow $1 kernel_t:tcp_socket recvfrom; +') + +################################# +# +# can_udp_send(sender, receiver) +# +# Permissions for sending/receiving UDP datagrams. +# Irrelevant until we have labeled networking. +# +define(`can_udp_send',` +#allow $1 $2:udp_socket sendto; +#allow $2 $1:udp_socket recvfrom; +') + + +################################## +# +# base_pty_perms(domain_prefix) +# +# Base permissions used for can_create_pty() and can_create_other_pty() +# +define(`base_pty_perms', ` +# Access the pty master multiplexer. +allow $1_t ptmx_t:chr_file rw_file_perms; + +allow $1_t devpts_t:filesystem getattr; + +# allow searching /dev/pts +allow $1_t devpts_t:dir { getattr read search }; + +# ignore old BSD pty devices +dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; +') + + +################################## +# +# pty_slave_label(domain_prefix, attributes) +# +# give access to a slave pty but do not allow creating new ptys +# +define(`pty_slave_label', ` +type $1_devpts_t, file_type, sysadmfile, ptyfile $2; + +# Allow the pty to be associated with the file system. +allow $1_devpts_t devpts_t:filesystem associate; + +# Label pty files with a derived type. +type_transition $1_t devpts_t:chr_file $1_devpts_t; + +# allow searching /dev/pts +allow $1_t devpts_t:dir { getattr read search }; + +# Read and write my pty files. +allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; +') + + +################################## +# +# can_create_pty(domain_prefix, attributes) +# +# Permissions for creating ptys. +# +define(`can_create_pty',` +base_pty_perms($1) +pty_slave_label($1, `$2') +') + + +################################## +# +# can_create_other_pty(domain_prefix,other_domain) +# +# Permissions for creating ptys for another domain. +# +define(`can_create_other_pty',` +base_pty_perms($1) +# Label pty files with a derived type. +type_transition $1_t devpts_t:chr_file $2_devpts_t; + +# Read and write pty files. +allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; +') + + +# +# general_domain_access(domain) +# +# Grant permissions within the domain. +# This includes permissions to processes, /proc/PID files, +# file descriptors, pipes, Unix sockets, and System V IPC objects +# labeled with the domain. +# +define(`general_domain_access',` +# Access other processes in the same domain. +# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap. +# These must be granted separately if desired. +allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap}; + +# Access /proc/PID files for processes in the same domain. +allow $1 self:dir r_dir_perms; +allow $1 self:notdevfile_class_set r_file_perms; + +# Access file descriptions, pipes, and sockets +# created by processes in the same domain. +allow $1 self:fd *; +allow $1 self:fifo_file rw_file_perms; +allow $1 self:unix_dgram_socket create_socket_perms; +allow $1 self:unix_stream_socket create_stream_socket_perms; + +# Allow the domain to communicate with other processes in the same domain. +allow $1 self:unix_dgram_socket sendto; +allow $1 self:unix_stream_socket connectto; + +# Access System V IPC objects created by processes in the same domain. +allow $1 self:sem create_sem_perms; +allow $1 self:msg { send receive }; +allow $1 self:msgq create_msgq_perms; +allow $1 self:shm create_shm_perms; +allow $1 unpriv_userdomain:fd use; +# +# Every app is asking for ypbind so I am adding this here, +# eventually this should become can_nsswitch +# +can_ypbind($1) +allow $1 autofs_t:dir { search getattr }; +')dnl end general_domain_access diff --git a/mls/macros/global_macros.te b/mls/macros/global_macros.te new file mode 100644 index 0000000..277ab49 --- /dev/null +++ b/mls/macros/global_macros.te @@ -0,0 +1,772 @@ +############################## +# +# Global macros for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# Howard Holm (NSA) +# Russell Coker +# +# +# + +################################## +# +# can_setexec(domain) +# +# Authorize a domain to set its exec context +# (via /proc/pid/attr/exec). +# +define(`can_setexec',` +allow $1 self:process setexec; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################## +# +# can_getcon(domain) +# +# Authorize a domain to get its context +# (via /proc/pid/attr/current). +# +define(`can_getcon',` +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +allow $1 self:process getattr; +') + +################################## +# +# can_setcon(domain) +# +# Authorize a domain to set its current context +# (via /proc/pid/attr/current). +# +define(`can_setcon',` +allow $1 self:process setcurrent; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################## +# read_sysctl(domain) +# +# Permissions for reading sysctl variables. +# If the second parameter is full, allow +# reading of any sysctl variables, else only +# sysctl_kernel_t. +# +define(`read_sysctl', ` +# Read system variables in /sys. +ifelse($2,`full', ` +allow $1 sysctl_type:dir r_dir_perms; +allow $1 sysctl_type:file r_file_perms; +', ` +allow $1 sysctl_t:dir search; +allow $1 sysctl_kernel_t:dir search; +allow $1 sysctl_kernel_t:file { getattr read }; +') + +')dnl read_sysctl + +################################## +# +# can_setfscreate(domain) +# +# Authorize a domain to set its fscreate context +# (via /proc/pid/attr/fscreate). +# +define(`can_setfscreate',` +allow $1 self:process setfscreate; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################# +# +# uses_shlib(domain) +# +# Permissions for using shared libraries. +# +define(`uses_shlib',` +allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms; +allow $1 lib_t:lnk_file r_file_perms; +allow $1 ld_so_t:file rx_file_perms; +#allow $1 ld_so_t:file execute_no_trans; +allow $1 ld_so_t:lnk_file r_file_perms; +allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms; +allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms; +allow $1 texrel_shlib_t:file execmod; +allow $1 ld_so_cache_t:file r_file_perms; +allow $1 device_t:dir search; +allow $1 null_device_t:chr_file rw_file_perms; +') + +################################# +# +# can_exec_any(domain) +# +# Permissions for executing a variety +# of executable types. +# +define(`can_exec_any',` +allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms; +allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read }; +uses_shlib($1) +can_exec($1, etc_t) +can_exec($1, lib_t) +can_exec($1, bin_t) +can_exec($1, sbin_t) +can_exec($1, exec_type) +can_exec($1, ld_so_t) +') + + +################################# +# +# can_sysctl(domain) +# +# Permissions for modifying sysctl parameters. +# +define(`can_sysctl',` +allow $1 sysctl_type:dir r_dir_perms; +allow $1 sysctl_type:file { setattr rw_file_perms }; +') + + +################################## +# +# read_locale(domain) +# +# Permissions for reading the locale data, +# /etc/localtime and the files that it links to +# +define(`read_locale', ` +allow $1 etc_t:lnk_file read; +allow $1 lib_t:file r_file_perms; +r_dir_file($1, locale_t) +') + +define(`can_access_pty', ` +allow $1 devpts_t:dir r_dir_perms; +allow $1 $2_devpts_t:chr_file rw_file_perms; +') + +################################### +# +# access_terminal(domain, typeprefix) +# +# Permissions for accessing the terminal +# +define(`access_terminal', ` +allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; +allow $1 devtty_t:chr_file { read write getattr ioctl }; +can_access_pty($1, $2) +') + +# +# general_proc_read_access(domain) +# +# Grant read/search permissions to most of /proc, excluding +# the /proc/PID directories and the /proc/kmsg and /proc/kcore files. +# The general_domain_access macro grants access to the domain /proc/PID +# directories, but not to other domains. Only permissions to stat +# are granted for /proc/kmsg and /proc/kcore, since these files are more +# sensitive. +# +define(`general_proc_read_access',` +# Read system information files in /proc. +r_dir_file($1, proc_t) +r_dir_file($1, proc_net_t) +allow $1 proc_mdstat_t:file r_file_perms; + +# Stat /proc/kmsg and /proc/kcore. +allow $1 proc_fs:file stat_file_perms; + +# Read system variables in /proc/sys. +read_sysctl($1) +') + +# +# base_file_read_access(domain) +# +# Grant read/search permissions to a few system file types. +# +define(`base_file_read_access',` +# Read /. +allow $1 root_t:dir r_dir_perms; +allow $1 root_t:notdevfile_class_set r_file_perms; + +# Read /home. +allow $1 home_root_t:dir r_dir_perms; + +# Read /usr. +allow $1 usr_t:dir r_dir_perms; +allow $1 usr_t:notdevfile_class_set r_file_perms; + +# Read bin and sbin directories. +allow $1 bin_t:dir r_dir_perms; +allow $1 bin_t:notdevfile_class_set r_file_perms; +allow $1 sbin_t:dir r_dir_perms; +allow $1 sbin_t:notdevfile_class_set r_file_perms; +read_sysctl($1) + +r_dir_file($1, selinux_config_t) + +if (read_default_t) { +# +# Read default_t +#. +allow $1 default_t:dir r_dir_perms; +allow $1 default_t:notdevfile_class_set r_file_perms; +} + +') + +####################### +# daemon_core_rules(domain_prefix, attribs) +# +# Define the core rules for a daemon, used by both daemon_base_domain() and +# init_service_domain(). +# Attribs is the list of attributes which must start with "," if it is not empty +# +# Author: Russell Coker +# +define(`daemon_core_rules', ` +type $1_t, domain, privlog, daemon $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +dontaudit $1_t self:capability sys_tty_config; + +role system_r types $1_t; + +# Inherit and use descriptors from init. +allow $1_t init_t:fd use; +allow $1_t init_t:process sigchld; +allow $1_t self:process { signal_perms fork }; + +uses_shlib($1_t) + +allow $1_t { self proc_t }:dir r_dir_perms; +allow $1_t { self proc_t }:lnk_file { getattr read }; + +allow $1_t device_t:dir r_dir_perms; +ifdef(`udev.te', ` +allow $1_t udev_tdb_t:file r_file_perms; +')dnl end if udev.te +allow $1_t null_device_t:chr_file rw_file_perms; +dontaudit $1_t console_device_t:chr_file rw_file_perms; +dontaudit $1_t unpriv_userdomain:fd use; + +r_dir_file($1_t, sysfs_t) + +allow $1_t autofs_t:dir { search getattr }; +ifdef(`targeted_policy', ` +dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write }; +dontaudit $1_t root_t:file { getattr read }; +')dnl end if targeted_policy + +')dnl end macro daemon_core_rules + +####################### +# init_service_domain(domain_prefix, attribs) +# +# Define a domain for a program that is run from init +# Attribs is the list of attributes which must start with "," if it is not empty +# +# Author: Russell Coker +# +define(`init_service_domain', ` +daemon_core_rules($1, `$2') +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(init_t, $1_exec_t) +} else { +domain_auto_trans(init_t, $1_exec_t, $1_t) +} +')dnl + +####################### +# daemon_base_domain(domain_prefix, attribs) +# +# Define a daemon domain with a base set of type declarations +# and permissions that are common to most daemons. +# attribs is the list of attributes which must start with "," if it is not empty +# nosysadm may be given as an optional third parameter, to specify that the +# sysadmin should not transition to the domain when directly calling the executable +# +# Author: Russell Coker +# +define(`daemon_base_domain', ` +daemon_core_rules($1, `$2') + +rhgb_domain($1_t) + +read_sysctl($1_t) + +ifdef(`direct_sysadm_daemon', ` +dontaudit $1_t admin_tty_type:chr_file rw_file_perms; +') + +# +# Allows user to define a tunable to disable domain transition +# +ifelse(index(`$2',`transitionbool'), -1, `', ` +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(initrc_t, $1_exec_t) +can_exec(sysadm_t, $1_exec_t) +} else { +') dnl transitionbool +domain_auto_trans(initrc_t, $1_exec_t, $1_t) + +allow initrc_t $1_t:process { noatsecure siginh rlimitinh }; +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +allow sysadm_t $1_t:process { noatsecure siginh rlimitinh }; +')dnl end nosysadm +')dnl end direct_sysadm_daemon +ifelse(index(`$2', `transitionbool'), -1, `', ` +} +') dnl end transitionbool +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +role_transition sysadm_r $1_exec_t system_r; +')dnl end nosysadm +')dnl end direct_sysadm_daemon + +allow $1_t privfd:fd use; +ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;') +allow $1_t initrc_devpts_t:chr_file rw_file_perms; +')dnl + +# allow a domain to create its own files under /var/run and to create files +# in directories that are created for it. $2 is an optional list of +# classes to use; default is file. +define(`var_run_domain', ` +type $1_var_run_t, file_type, sysadmfile, pidfile; + +ifelse(`$2', `', ` +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file) +', ` +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) +') +allow $1_t var_t:dir search; +allow $1_t $1_var_run_t:dir rw_dir_perms; +') + +####################### +# daemon_domain(domain_prefix, attribs) +# +# see daemon_base_domain for calling details +# daemon_domain defines some additional privileges needed by many domains, +# like pid files and locale support + +define(`daemon_domain', ` +ifdef(`targeted_policy', ` +daemon_base_domain($1, `$2, transitionbool', $3) +', ` +daemon_base_domain($1, `$2', $3) +') +# Create pid file. +allow $1_t var_t:dir { getattr search }; +var_run_domain($1) + +allow $1_t devtty_t:chr_file rw_file_perms; + +# for daemons that look at /root on startup +dontaudit $1_t sysadm_home_dir_t:dir search; + +# for df +allow $1_t fs_type:filesystem getattr; +allow $1_t removable_t:filesystem getattr; + +read_locale($1_t) + +# for localization +allow $1_t lib_t:file { getattr read }; +')dnl end daemon_domain macro + +define(`uses_authbind', +`domain_auto_trans($1, authbind_exec_t, authbind_t) +allow authbind_t $1:process sigchld; +allow authbind_t $1:fd use; +allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; +') + +# define a sub-domain, $1_t is the parent domain, $2 is the name +# of the sub-domain. +# +define(`daemon_sub_domain', ` +# $1 is the parent domain (or domains), $2_t is the child domain, +# and $3 is any attributes to apply to the child +type $2_t, domain, privlog, daemon $3; +type $2_exec_t, file_type, sysadmfile, exec_type; + +role system_r types $2_t; + +ifelse(index(`$3',`transitionbool'), -1, ` + +domain_auto_trans($1, $2_exec_t, $2_t) + +', ` + +bool $2_disable_trans false; + +if (! $2_disable_trans) { +domain_auto_trans($1, $2_exec_t, $2_t) +} + +'); +# Inherit and use descriptors from parent. +allow $2_t $1:fd use; +allow $2_t $1:process sigchld; + +allow $2_t self:process signal_perms; + +uses_shlib($2_t) + +allow $2_t { self proc_t }:dir r_dir_perms; +allow $2_t { self proc_t }:lnk_file read; + +allow $2_t device_t:dir getattr; +') + +# grant access to /tmp +# by default, only plain files and dirs may be stored there. +# This can be overridden with a third parameter +define(`tmp_domain', ` +type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2; +ifelse($3, `', +`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')', +`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')') +') + +# grant access to /tmp. Do not perform an automatic transition. +define(`tmp_domain_notrans', ` +type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2; +') + +define(`tmpfs_domain', ` +ifdef(`$1_tmpfs_t_defined',`', ` +define(`$1_tmpfs_t_defined') +type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; +# Use this type when creating tmpfs/shm objects. +file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) +allow $1_tmpfs_t tmpfs_t:filesystem associate; +') +') + +define(`var_lib_domain', ` +type $1_var_lib_t, file_type, sysadmfile; +file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) +allow $1_t $1_var_lib_t:dir rw_dir_perms; +') + +define(`log_domain', ` +type $1_log_t, file_type, sysadmfile, logfile; +file_type_auto_trans($1_t, var_log_t, $1_log_t, file) +') + +define(`logdir_domain', ` +log_domain($1) +allow $1_t $1_log_t:dir { setattr rw_dir_perms }; +') + +define(`etc_domain', ` +type $1_etc_t, file_type, sysadmfile, usercanread; +allow $1_t $1_etc_t:file r_file_perms; +') + +define(`etcdir_domain', ` +etc_domain($1) +allow $1_t $1_etc_t:dir r_dir_perms; +allow $1_t $1_etc_t:lnk_file { getattr read }; +') + +define(`append_log_domain', ` +type $1_log_t, file_type, sysadmfile, logfile; +allow $1_t var_log_t:dir ra_dir_perms; +allow $1_t $1_log_t:file { create ra_file_perms }; +type_transition $1_t var_log_t:file $1_log_t; +') + +define(`append_logdir_domain', ` +append_log_domain($1) +allow $1_t $1_log_t:dir { setattr ra_dir_perms }; +') + +define(`lock_domain', ` +type $1_lock_t, file_type, sysadmfile, lockfile; +file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file) +') + +####################### +# application_domain(domain_prefix) +# +# Define a domain with a base set of type declarations +# and permissions that are common to simple applications. +# +# Author: Russell Coker +# +define(`application_domain', ` +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role sysadm_r types $1_t; +ifdef(`targeted_policy', ` +role system_r types $1_t; +') +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +uses_shlib($1_t) +') + +define(`system_domain', ` +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role system_r types $1_t; +uses_shlib($1_t) +allow $1_t etc_t:dir r_dir_perms; +') + +# Dontaudit macros to prevent flooding the log + +define(`dontaudit_getattr', ` +dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; +dontaudit $1 unlabeled_t:dir_file_class_set getattr; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr; +')dnl end dontaudit_getattr + +define(`dontaudit_search_dir', ` +dontaudit $1 file_type - secure_file_type:dir search; +dontaudit $1 unlabeled_t:dir search; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search; +')dnl end dontaudit_search_dir + +define(`dontaudit_read_dir', ` +dontaudit $1 file_type - secure_file_type:dir read; +dontaudit $1 unlabeled_t:dir read; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read; +')dnl end dontaudit_read_dir + +# Define legacy_domain for legacy binaries (java) +# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old +# toolchain. They cause the kernel to automatically start translating all +# read protection requests to read|execute for backward compatibility on +# x86. They will all need execmem and execmod, including execmod to +# shlib_t and ld_so_t unlike non-legacy binaries. + +define(`legacy_domain', ` +allow $1_t self:process { execmem execstack }; +allow $1_t { texrel_shlib_t shlib_t }:file execmod; +allow $1_t ld_so_t:file execmod; +allow $1_t ld_so_cache_t:file execute; +') + + +# Allow domain to perform polyinstantiation functions +# polyinstantiater(domain) + +define(`polyinstantiater', ` + +ifdef(`support_polyinstantiation', ` +# Need to give access to /selinux/member +allow $1 security_t:security compute_member; + +# Need to give access to the directories to be polyinstantiated +allow $1 polydir:dir { getattr mounton add_name create setattr write search }; + +# Need to give access to the polyinstantiated subdirectories +allow $1 polymember:dir {getattr search }; + +# Need to give access to parent directories where original +# is remounted for polyinstantiation aware programs (like gdm) +allow $1 polyparent:dir { getattr mounton }; + +# Need to give permission to create directories where applicable +allow $1 polymember: dir { create setattr }; +allow $1 polydir: dir { write add_name }; +allow $1 self:process setfscreate; +allow $1 polyparent:dir { write add_name }; +# Default type for mountpoints +allow $1 poly_t:dir { create mounton }; + +# Need sys_admin capability for mounting +allow $1 self:capability sys_admin; +')dnl end else support_polyinstantiation + +')dnl end polyinstantiater + +# +# Domain that is allow to read anonymous data off the network +# without providing authentication. +# Also define boolean to allow anonymous writing +# +define(`anonymous_domain', ` +r_dir_file($1_t, { public_content_t public_content_rw_t } ) +bool allow_$1_anon_write false; +if (allow_$1_anon_write) { +create_dir_file($1_t,public_content_rw_t) +} +') +# +# Define a domain that can do anything, so that it is +# effectively unconfined by the SELinux policy. This +# means that it is only restricted by the normal Linux +# protections. Note that you may need to add further rules +# to allow other domains to interact with this domain as expected, +# since this macro only allows the specified domain to act upon +# all other domains and types, not vice versa. +# +define(`unconfined_domain', ` + +typeattribute $1 unrestricted; +typeattribute $1 privuser; + +# Mount/unmount any filesystem. +allow $1 fs_type:filesystem *; + +# Mount/unmount any filesystem with the context= option. +allow $1 file_type:filesystem *; + +# Create/access any file in a labeled filesystem; +allow $1 file_type:{ file chr_file } ~execmod; +allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; +allow $1 sysctl_t:{ dir file } *; +allow $1 device_type:devfile_class_set *; +allow $1 mtrr_device_t:file *; + +# Create/access other files. fs_type is to pick up various +# pseudo filesystem types that are applied to both the filesystem +# and its files. +allow $1 { unlabeled_t fs_type }:dir_file_class_set *; +allow $1 proc_fs:{ dir file } *; + +# For /proc/pid +r_dir_file($1,domain) +# Write access is for setting attributes under /proc/self/attr. +allow $1 self:file rw_file_perms; + +# Read and write sysctls. +can_sysctl($1) + +# Access the network. +allow $1 node_type:node *; +allow $1 netif_type:netif *; +allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; +allow $1 port_type:tcp_socket name_connect; + +# Bind to any network address. +allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind; +allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; + +# Use/sendto/connectto sockets created by any domain. +allow $1 domain:{ socket_class_set socket key_socket } *; + +# Use descriptors and pipes created by any domain. +allow $1 domain:fd use; +allow $1 domain:fifo_file rw_file_perms; + +# Act upon any other process. +allow $1 domain:process ~{ transition dyntransition execmem }; +# Transition to myself, to make get_ordered_context_list happy. +allow $1 self:process transition; + +if (allow_execmem) { +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. +allow $1 self:process execmem; +} + +if (allow_execmem && allow_execstack) { +# Allow making the stack executable via mprotect. +allow $1 self:process execstack; +} + +if (allow_execmod) { +# Allow text relocations on system shared libraries, e.g. libGL. +ifdef(`targeted_policy', ` +allow $1 file_type:file execmod; +', ` +allow $1 texrel_shlib_t:file execmod; +allow $1 home_type:file execmod; +') +} + +# Create/access any System V IPC objects. +allow $1 domain:{ sem msgq shm } *; +allow $1 domain:msg { send receive }; + +# Access the security API. +if (!secure_mode_policyload) { +allow $1 security_t:security *; +auditallow $1 security_t:security { load_policy setenforce setbool }; +}dnl end if !secure_mode_policyload + +# Perform certain system operations that lacked individual capabilities. +allow $1 kernel_t:system *; + +# Use any Linux capability. +allow $1 self:capability *; + +# Set user information and skip authentication. +allow $1 self:passwd *; + +# Communicate via dbusd. +allow $1 self:dbus *; +ifdef(`dbusd.te', ` +allow $1 system_dbusd_t:dbus *; +') + +# Get info via nscd. +allow $1 self:nscd *; +ifdef(`nscd.te', ` +allow $1 nscd_t:nscd *; +') + +')dnl end unconfined_domain + + +define(`access_removable_media', ` + +can_exec($1, { removable_t noexattrfile } ) +if (user_rw_noexattrfile) { +create_dir_file($1, noexattrfile) +create_dir_file($1, removable_t) +# Write floppies +allow $1 removable_device_t:blk_file rw_file_perms; +allow $1 usbtty_device_t:chr_file write; +} else { +r_dir_file($1, noexattrfile) +r_dir_file($1, removable_t) +allow $1 removable_device_t:blk_file r_file_perms; +} +allow $1 removable_t:filesystem getattr; + +') + +define(`authentication_domain', ` +can_ypbind($1) +can_kerberos($1) +can_ldap($1) +can_resolve($1) +can_winbind($1) +r_dir_file($1, cert_t) +allow $1 { random_device_t urandom_device_t }:chr_file { getattr read }; +allow $1 self:capability { audit_write audit_control }; +dontaudit $1 shadow_t:file { getattr read }; +allow $1 sbin_t:dir search; +allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow $1 var_lib_t:dir r_dir_perms; +rw_dir_file($1, var_auth_t) +') diff --git a/mls/macros/home_macros.te b/mls/macros/home_macros.te new file mode 100644 index 0000000..e780425 --- /dev/null +++ b/mls/macros/home_macros.te @@ -0,0 +1,139 @@ +# Home macros + +################################################ +# network_home(source) +# +# Allows source domain to use a network home +# This includes privileges of create and execute +# as well as the ability to create sockets and fifo + +define(`network_home', ` +allow $1 autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs) { +create_dir_file($1, nfs_t) +can_exec($1, nfs_t) +allow $1 nfs_t:{ sock_file fifo_file } create_file_perms; +} + +if (use_samba_home_dirs) { +create_dir_file($1, cifs_t) +can_exec($1, cifs_t) +allow $1 cifs_t:{ sock_file fifo_file } create_file_perms; +} +') dnl network_home + +################################################ +# write_network_home(source) +# +# Allows source domain to create directories and +# files on network file system + +define(`write_network_home', ` +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { +create_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; +') dnl write_network_home + +################################################ +# read_network_home(source) +# +# Allows source domain to read directories and +# files on network file system + +define(`read_network_home', ` +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { +r_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +r_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; +') dnl read_network_home + +################################################## +# home_domain_ro_access(source, user, app) +# +# Gives source access to the read-only home +# domain of app for the given user type + +define(`home_domain_ro_access', ` +allow $1 { home_root_t $2_home_dir_t }:dir { search getattr }; +read_network_home($1) +ifelse($3, `', ` +r_dir_file($1, $2_home_t) +', ` +r_dir_file($1, $2_$3_ro_home_t) +') +') dnl home_domain_ro_access + +################################################# +# home_domain_access(source, user, app) +# +# Gives source full access to the home +# domain of app for the given user type +# +# Requires transition in caller + +define(`home_domain_access', ` +allow $1 { home_root_t $2_home_dir_t }:dir { search getattr }; +write_network_home($1) +ifelse($3, `', ` +file_type_auto_trans($1, $2_home_dir_t, $2_home_t) +create_dir_file($1, $2_home_t) +', ` +create_dir_file($1, $2_$3_home_t) +') +') dnl home_domain_access + +#################################################################### +# home_domain (prefix, app) +# +# Creates a domain in the prefix home where an application can +# store its settings. It is accessible by the prefix domain. +# +# Requires transition in caller + +define(`home_domain', ` + +# Declare home domain +type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember; +typealias $1_$2_home_t alias $1_$2_rw_t; + +# User side access +create_dir_file($1_t, $1_$2_home_t) +allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_access($1_$2_t, $1, $2) +') + +#################################################################### +# home_domain_ro (user, app) +# +# Creates a read-only domain in the user home where an application can +# store its settings. It is fully accessible by the user, but +# it is read-only for the application. +# + +define(`home_domain_ro', ` + +# Declare home domain +type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile; +typealias $1_$2_ro_home_t alias $1_$2_ro_t; + +# User side access +create_dir_file($1_t, $1_$2_ro_home_t) +allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_ro_access($1_$2_t, $1, $2) +') diff --git a/mls/macros/mini_user_macros.te b/mls/macros/mini_user_macros.te new file mode 100644 index 0000000..9f7d994 --- /dev/null +++ b/mls/macros/mini_user_macros.te @@ -0,0 +1,57 @@ +# +# Macros for all user login domains. +# + +# +# mini_user_domain(domain_prefix) +# +# Define derived types and rules for a minimal privs user domain named +# $1_mini_t which is permitted to be in $1_r role and transition to $1_t. +# +undefine(`mini_user_domain') +define(`mini_user_domain',` +# user_t/$1_t is an unprivileged users domain. +type $1_mini_t, domain, user_mini_domain; + +# for ~/.bash_profile and other files that the mini domain should be allowed +# to read (but not write) +type $1_home_mini_t, file_type, sysadmfile; +allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom }; +allow $1_mini_t $1_home_mini_t:file r_file_perms; + +# $1_r is authorized for $1_mini_t for the initial login domain. +role $1_r types $1_mini_t; +uses_shlib($1_mini_t) +pty_slave_label($1_mini, `, userpty_type, mini_pty_type') + +allow $1_mini_t devtty_t:chr_file rw_file_perms; +allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read }; +dontaudit $1_mini_t proc_t:dir { getattr search }; +allow $1_mini_t self:unix_stream_socket create_socket_perms; +allow $1_mini_t self:fifo_file rw_file_perms; +allow $1_mini_t self:process { fork sigchld setpgid }; +dontaudit $1_mini_t var_t:dir search; +allow $1_mini_t { bin_t sbin_t }:dir search; + +dontaudit $1_mini_t device_t:dir { getattr read }; +dontaudit $1_mini_t devpts_t:dir { getattr read }; +dontaudit $1_mini_t proc_t:lnk_file read; + +can_exec($1_mini_t, bin_t) +allow $1_mini_t { home_root_t $1_home_dir_t }:dir search; +dontaudit $1_mini_t home_root_t:dir getattr; +dontaudit $1_mini_t $1_home_dir_t:dir { getattr read }; +dontaudit $1_mini_t $1_home_t:file { append getattr read write }; + +dontaudit $1_mini_t fs_t:filesystem getattr; + +type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t; +# uncomment this if using mini domains for console logins +#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t; + +type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t; +type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t; + +domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t) +')dnl end mini_user_domain definition + diff --git a/mls/macros/network_macros.te b/mls/macros/network_macros.te new file mode 100644 index 0000000..3d7bd06 --- /dev/null +++ b/mls/macros/network_macros.te @@ -0,0 +1,191 @@ +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`base_can_network',` +# +# Allow the domain to create and use $2 sockets. +# Other kinds of sockets must be separately authorized for use. +allow $1 self:$2_socket connected_socket_perms; + +# +# Allow the domain to send or receive using any network interface. +# netif_type is a type attribute for all network interface types. +# +allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv }; + +# +# Allow the domain to send to or receive from any node. +# node_type is a type attribute for all node types. +# +allow $1 node_type:node { $2_send rawip_send }; +allow $1 node_type:node { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any port. +# port_type is a type attribute for all port types. +# +ifelse($3, `', ` +allow $1 port_type:$2_socket { send_msg recv_msg }; +', ` +allow $1 $3:$2_socket { send_msg recv_msg }; +') + +# XXX Allow binding to any node type. Remove once +# individual rules have been added to all domains that +# bind sockets. +allow $1 node_type:$2_socket node_bind; +# +# Allow access to network files including /etc/resolv.conf +# +allow $1 net_conf_t:file r_file_perms; +')dnl end can_network definition + +################################# +# +# can_network_server_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { listen accept }; +') + +################################# +# +# can_network_client_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { connect }; +') + +################################# +# +# can_network_tcp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_tcp',` + +can_network_server_tcp($1, `$2') +can_network_client_tcp($1, `$2') + +') + +################################# +# +# can_network_udp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_udp',` +base_can_network($1, udp, `$2') +allow $1 self:udp_socket { connect }; +') + +################################# +# +# can_network_server(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server',` + +can_network_server_tcp($1, `$2') +can_network_udp($1, `$2') + +')dnl end can_network_server definition + + +################################# +# +# can_network_client(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client',` + +can_network_client_tcp($1, `$2') +can_network_udp($1, `$2') + +')dnl end can_network_client definition + +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network',` + +can_network_tcp($1, `$2') +can_network_udp($1, `$2') + +ifdef(`mount.te', ` +# +# Allow the domain to send NFS client requests via the socket +# created by mount. +# +allow $1 mount_t:udp_socket rw_socket_perms; +') + +')dnl end can_network definition + +define(`can_resolve',` +can_network_client($1, `dns_port_t') +allow $1 dns_port_t:tcp_socket name_connect; +') + +define(`can_portmap',` +can_network_client($1, `portmap_port_t') +allow $1 portmap_port_t:tcp_socket name_connect; +') + +define(`can_ldap',` +can_network_client_tcp($1, `ldap_port_t') +allow $1 ldap_port_t:tcp_socket name_connect; +') + +define(`can_winbind',` +ifdef(`winbind.te', ` +allow $1 winbind_var_run_t:dir { getattr search }; +allow $1 winbind_t:unix_stream_socket connectto; +allow $1 winbind_var_run_t:sock_file { getattr read write }; +') +') + + +################################# +# +# nsswitch_domain(domain) +# +# Permissions for looking up uid/username mapping via nsswitch +# +define(`nsswitch_domain', ` +can_resolve($1) +can_ypbind($1) +can_ldap($1) +can_winbind($1) +') diff --git a/mls/macros/program/apache_macros.te b/mls/macros/program/apache_macros.te new file mode 100644 index 0000000..a1422be --- /dev/null +++ b/mls/macros/program/apache_macros.te @@ -0,0 +1,205 @@ + +define(`apache_domain', ` + +#This type is for webpages +# +type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable; + +# This type is used for .htaccess files +# +type httpd_$1_htaccess_t, file_type, sysadmfile, customizable; +allow httpd_t httpd_$1_htaccess_t: file r_file_perms; + +# This type is used for executable scripts files +# +type httpd_$1_script_exec_t, file_type, sysadmfile, customizable; + +# Type that CGI scripts run as +type httpd_$1_script_t, domain, privmail, nscd_client_domain; +role system_r types httpd_$1_script_t; +uses_shlib(httpd_$1_script_t) + +if (httpd_enable_cgi) { +domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) +allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; +allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; +allow httpd_t httpd_$1_script_exec_t:file r_file_perms; + +allow httpd_$1_script_t httpd_t:fd use; +allow httpd_$1_script_t httpd_t:process sigchld; + +allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl }; +allow httpd_$1_script_t usr_t:lnk_file { getattr read }; + +allow httpd_$1_script_t self:process { fork signal_perms }; + +allow httpd_$1_script_t devtty_t:chr_file { getattr read write }; +allow httpd_$1_script_t urandom_device_t:chr_file { getattr read }; +allow httpd_$1_script_t etc_runtime_t:file { getattr read }; +read_locale(httpd_$1_script_t) +allow httpd_$1_script_t fs_t:filesystem getattr; +allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow httpd_$1_script_t { self proc_t }:file r_file_perms; +allow httpd_$1_script_t { self proc_t }:dir r_dir_perms; +allow httpd_$1_script_t { self proc_t }:lnk_file read; + +allow httpd_$1_script_t device_t:dir { getattr search }; +allow httpd_$1_script_t null_device_t:chr_file rw_file_perms; +} + +if (httpd_enable_cgi && httpd_can_network_connect) { +can_network_client(httpd_$1_script_t) +allow httpd_$1_script_t port_type:tcp_socket name_connect; +} + +ifdef(`ypbind.te', ` +if (httpd_enable_cgi && allow_ypbind) { +uncond_can_ypbind(httpd_$1_script_t) +} +') +# The following are the only areas that +# scripts can read, read/write, or append to +# +type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable; +type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable; +type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable; +file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) + +######################################################### +# Permissions for running child processes and scripts +########################################################## +allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search }; + +domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + +allow httpd_$1_script_t httpd_t:fifo_file write; + +allow httpd_$1_script_t self:fifo_file rw_file_perms; + +allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms; + +########################################################################### +# Allow the script interpreters to run the scripts. So +# the perl executable will be able to run a perl script +######################################################################### +allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms; +can_exec_any(httpd_$1_script_t) + +allow httpd_$1_script_t etc_t:file { getattr read }; +dontaudit httpd_$1_script_t selinux_config_t:dir search; + +############################################################################ +# Allow the script process to search the cgi directory, and users directory +############################################################################## +allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr }; +can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +allow httpd_$1_script_t home_root_t:dir { getattr search }; +allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; + +############################################################################# +# Allow the scripts to read, read/write, append to the specified directories +# or files +############################################################################ +read_fonts(httpd_$1_script_t) +r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t) +create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t) +allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms; +ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t) +anonymous_domain(httpd_$1_script) + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +create_dir_file(httpd_$1_script_t, httpdcontent) +can_exec(httpd_$1_script_t, httpdcontent) +} + +# +# If a user starts a script by hand it gets the proper context +# +ifdef(`targeted_policy', `', ` +if (httpd_enable_cgi) { +domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t) +} +') +role sysadm_r types httpd_$1_script_t; + +dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; +dontaudit httpd_$1_script_t sysctl_t:dir search; + +############################################ +# Allow scripts to append to http logs +######################################### +allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search; +allow httpd_$1_script_t httpd_log_t:file { getattr append }; + +# apache should set close-on-exec +dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + +################################################################ +# Allow the web server to run scripts and serve pages +############################################################## +if (httpd_builtin_scripting) { +r_dir_file(httpd_t, httpd_$1_script_ro_t) +create_dir_file(httpd_t, httpd_$1_script_rw_t) +allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms; +ra_dir_file(httpd_t, httpd_$1_script_ra_t) +r_dir_file(httpd_t, httpd_$1_content_t) +} + +') +define(`apache_user_domain', ` + +apache_domain($1) + +typeattribute httpd_$1_content_t $1_file_type; + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) +} + +if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +# If a user starts a script by hand it gets the proper context +domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t) +} +role $1_r types httpd_$1_script_t; + +####################################### +# Allow user to create or edit web content +######################################### + +create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t }) +allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom }; + +###################################################################### +# Allow the user to create htaccess files +##################################################################### + +allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom }; + +######################################################################### +# Allow user to create files or directories +# that scripts are able to read, write, or append to +########################################################################### + +create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }) +allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom }; + +# allow accessing files/dirs below the users home dir +if (httpd_enable_homedirs) { +allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search }; +ifdef(`nfs_home_dirs', ` +r_dir_file(httpd_$1_script_t, nfs_t) +')dnl end if nfs_home_dirs +} +ifdef(`crond.te', ` +create_dir_file($1_crond_t, httpd_$1_content_t) +') + +ifdef(`ftpd.te', ` +if (ftp_home_dir) { +create_dir_file(ftpd_t, httpd_$1_content_t) +} +') + + +') diff --git a/mls/macros/program/bonobo_macros.te b/mls/macros/program/bonobo_macros.te new file mode 100644 index 0000000..4c3fdac --- /dev/null +++ b/mls/macros/program/bonobo_macros.te @@ -0,0 +1,117 @@ +# +# Bonobo +# +# Author: Ivan Gyurdiev +# +# bonobo_domain(role_prefix) - invoke per role +# bonobo_client(app_prefix, role_prefix) - invoke per client app +# bonobo_connect(type1_prefix, type2_prefix) - +# connect two bonobo clients, the channel is bidirectional + +###################### + +define(`bonobo_domain', ` + +# Protect against double inclusion for faster compile +ifdef(`bonobo_domain_$1', `', ` +define(`bonobo_domain_$1') + +# Type for daemon +type $1_bonobo_t, domain, nscd_client_domain; + +# Transition from caller +domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t) +role $1_r types $1_bonobo_t; + +# Shared libraries, gconv-modules +uses_shlib($1_bonobo_t) +allow $1_bonobo_t lib_t:file r_file_perms; + +read_locale($1_bonobo_t) +read_sysctl($1_bonobo_t) + +# Session management +# FIXME: More specific context is needed for gnome-session +ice_connect($1_bonobo, $1) + +# nsswitch.conf +allow $1_bonobo_t etc_t:file { read getattr }; + +# Fork to start apps +allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal }; +allow $1_bonobo_t self:fifo_file rw_file_perms; + +# ??? +allow $1_bonobo_t root_t:dir search; +allow $1_bonobo_t home_root_t:dir search; +allow $1_bonobo_t $1_home_dir_t:dir search; + +# libexec ??? +allow $1_bonobo_t bin_t:dir search; + +# ORBit sockets for bonobo +orbit_domain($1_bonobo, $1) + +# Bonobo can launch evolution +ifdef(`evolution.te', ` +domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t) +domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t) +domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t) +domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t) +domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t) +') + +# Bonobo can launch GNOME vfs daemon +ifdef(`gnome_vfs.te', ` +domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t) +') + +# Transition to ROLE_t on bin_t apps +# FIXME: The goal is to get rid of this rule, as it +# defeats the purpose of a separate domain. It is only +# here temporarily, since bonobo runs as ROLE_t by default anyway +domain_auto_trans($1_bonobo_t, bin_t, $1_t) + +can_pipe_xdm($1_bonobo_t) + +') dnl ifdef bonobo_domain_args +') dnl bonobo_domain + +##################### + +define(`bonobo_client', ` + +# Protect against double inclusion for faster compile +ifdef(`bonobo_client_$1_$2', `', ` +define(`bonobo_client_$1_$2') +# Connect over bonobo +bonobo_connect($1, $2_gconfd, $1) + +# Create ORBit sockets +orbit_domain($1, $2) + +# Connect to bonobo +orbit_connect($1, $2_bonobo) +orbit_connect($2_bonobo, $1) + +# Lock /tmp/bonobo-activation-register.lock +# Stat /tmp/bonobo-activation-server.ior +# FIXME: this should probably be of type $2_bonobo.. +# Note that this is file, not sock_file +allow $1_t $2_orbit_tmp_t:file { getattr read write lock }; + +domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t) + +') dnl ifdef bonobo_client_args +') dnl bonobo_client + +##################### + +define(`bonobo_connect', ` + +# FIXME: Should there be a macro for unidirectional conn. ? + +orbit_connect($1, $2) +orbit_connect($2, $1) + +') dnl bonobo_connect diff --git a/mls/macros/program/cdrecord_macros.te b/mls/macros/program/cdrecord_macros.te new file mode 100644 index 0000000..72d3f4f --- /dev/null +++ b/mls/macros/program/cdrecord_macros.te @@ -0,0 +1,53 @@ +# macros for the cdrecord domain +# Author: Thomas Bleher + +define(`cdrecord_domain', ` +type $1_cdrecord_t, domain, privlog; + +domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t) + +# The user role is authorized for this domain. +role $1_r types $1_cdrecord_t; + +uses_shlib($1_cdrecord_t) +read_locale($1_cdrecord_t) + +# allow ps to show cdrecord and allow the user to kill it +can_ps($1_t, $1_cdrecord_t) +allow $1_t $1_cdrecord_t:process signal; + +# write to the user domain tty. +access_terminal($1_cdrecord_t, $1) +allow $1_cdrecord_t privfd:fd use; + +allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl }; + +allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms; +allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms; + +can_resmgrd_connect($1_cdrecord_t) + +read_content($1_cdrecord_t, $1, cdrecord) + +allow $1_cdrecord_t etc_t:file { getattr read }; + +# allow searching for cdrom-drive +allow $1_cdrecord_t device_t:dir r_dir_perms; +allow $1_cdrecord_t device_t:lnk_file { getattr read }; + +# allow cdrecord to write the CD +allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl }; +allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl }; + +allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill }; +can_access_pty($1_cdrecord_t, $1) +allow $1_cdrecord_t $1_home_t:dir search; +allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms; +allow $1_cdrecord_t $1_home_t:file r_file_perms; +if (use_nfs_home_dirs) { +allow $1_cdrecord_t mnt_t:dir search; +r_dir_file($1_cdrecord_t, nfs_t) +} +') + diff --git a/mls/macros/program/chkpwd_macros.te b/mls/macros/program/chkpwd_macros.te new file mode 100644 index 0000000..2151d85 --- /dev/null +++ b/mls/macros/program/chkpwd_macros.te @@ -0,0 +1,72 @@ +# +# Macros for chkpwd domains. +# + +# +# chkpwd_domain(domain_prefix) +# +# Define a derived domain for the *_chkpwd program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/su.te. +# +undefine(`chkpwd_domain') +ifdef(`chkpwd.te', ` +define(`chkpwd_domain',` +# Derived domain based on the calling user domain and the program. +type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth; + +role $1_r types $1_chkpwd_t; + +# read /selinux/mls +allow $1_chkpwd_t security_t:dir search; +allow $1_chkpwd_t security_t:file read; +# is_selinux_enabled +allow $1_chkpwd_t proc_t:file read; + +can_getcon($1_chkpwd_t) +authentication_domain($1_chkpwd_t) + +ifelse($1, system, ` +domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) +dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; +authentication_domain(auth_chkpwd) +', ` +domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) + +# Write to the user domain tty. +access_terminal($1_chkpwd_t, $1) + +allow $1_chkpwd_t privfd:fd use; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. +ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;') +') + +uses_shlib($1_chkpwd_t) +allow $1_chkpwd_t etc_t:file { getattr read }; +allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms; +allow $1_chkpwd_t self:unix_stream_socket create_socket_perms; +read_locale($1_chkpwd_t) + +# Use capabilities. +allow $1_chkpwd_t self:capability setuid; +r_dir_file($1_chkpwd_t, selinux_config_t) + +# for nscd +ifdef(`nscd.te', `', ` +dontaudit $1_chkpwd_t var_t:dir search; +') + +dontaudit $1_chkpwd_t fs_t:filesystem getattr; +') + +', ` + +define(`chkpwd_domain',`') + +') diff --git a/mls/macros/program/chroot_macros.te b/mls/macros/program/chroot_macros.te new file mode 100644 index 0000000..47ca86b --- /dev/null +++ b/mls/macros/program/chroot_macros.te @@ -0,0 +1,131 @@ + +# macro for chroot environments +# Author Russell Coker + +# chroot(initial_domain, basename, role, tty_device_type) +define(`chroot', ` + +ifelse(`$1', `initrc', ` +define(`chroot_role', `system_r') +define(`chroot_tty_device', `{ console_device_t admin_tty_type }') +define(`chroot_mount_domain', `mount_t') +define(`chroot_fd_use', `{ privfd init_t }') +', ` +define(`chroot_role', `$1_r') +define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }') +define(`chroot_fd_use', `privfd') + +# allow mounting /proc and /dev +ifdef(`$1_mount_def', `', ` +mount_domain($1, $1_mount) +role chroot_role types $1_mount_t; +') +define(`chroot_mount_domain', `$1_mount_t') +ifdef(`ssh.te', ` +can_tcp_connect($1_ssh_t, $2_t) +')dnl end ssh +')dnl end ifelse initrc + +# types for read-only and read-write files in the chroot +type $2_ro_t, file_type, sysadmfile, home_type, user_home_type; +type $2_rw_t, file_type, sysadmfile, home_type, user_home_type; +# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t +# when you execute it +type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type; + +allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton }; +allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton }; + +# entry point for $2_super_t +type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type; +# $2_t is the base domain, has full access to $2_rw_t files +type $2_t, domain; +# $2_super_t is the super-chroot domain, can also write to $2_ro_t +# but still can not access outside the chroot +type $2_super_t, domain; +allow $2_super_t chroot_tty_device:chr_file rw_file_perms; + +ifdef(`$1_chroot_def', `', ` +dnl can not have this defined twice +define(`$1_chroot_def') + +allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount }; + +# $1_chroot_t is the domain for /usr/sbin/chroot +type $1_chroot_t, domain; + +# allow $1_chroot_t to write to the tty device +allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms; +allow $1_chroot_t chroot_fd_use:fd use; +allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use; + +role chroot_role types $1_chroot_t; +uses_shlib($1_chroot_t) +allow $1_chroot_t self:capability sys_chroot; +allow $1_t $1_chroot_t:dir { search getattr read }; +allow $1_t $1_chroot_t:{ file lnk_file } { read getattr }; +domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t) +allow $1_chroot_t fs_t:filesystem getattr; +')dnl End conditional + +role chroot_role types { $2_t $2_super_t }; + +# allow ps to show processes and allow killing them +allow $1_t { $2_super_t $2_t }:dir { search getattr read }; +allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr }; +allow $1_t { $2_super_t $2_t }:process signal_perms; +allow $2_super_t $2_t:dir { search getattr read }; +allow $2_super_t $2_t:{ file lnk_file } { read getattr }; +allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace }; +allow $1_t $2_super_t:process { signal_perms ptrace }; +allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace }; + +allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr; +allow { $2_super_t $2_t } device_t:dir { search getattr }; +allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms; +allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms; +allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config }; +allow $2_super_t self:capability sys_ptrace; + +can_tcp_connect($2_super_t, $2_t) +allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms; + +# quiet ps and killall +dontaudit { $2_super_t $2_t } domain:dir { search getattr }; + +# allow $2_t to write to the owner tty device (should remove this) +allow $2_t chroot_tty_device:chr_file { read write }; + +r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($2_super_t, { $2_ro_t $2_super_entry_t }) +create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +# $2_super_t transitions to $2_t when it executes +# any file that $2_t can write +domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t) +allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read; +r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t }) +create_dir_notdevfile($2_t, $2_rw_t) +allow $2_t $2_rw_t:fifo_file create_file_perms; +allow $2_t $2_ro_t:fifo_file rw_file_perms; +allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms; +create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($1_t, { $2_ro_t $2_dropdown_t }) +domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t) +domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t) +allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto }; +general_proc_read_access({ $2_t $2_super_t }) +general_domain_access({ $2_t $2_super_t }) +can_create_pty($2) +can_create_pty($2_super) +can_network({ $2_t $2_super_t }) +allow { $2_t $2_super_t } port_type:tcp_socket name_connect; +allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms; +allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton; +allow { $2_t $2_super_t } self:capability { dac_override kill }; + +undefine(`chroot_role') +undefine(`chroot_tty_device') +undefine(`chroot_mount_domain') +undefine(`chroot_fd_use') +') diff --git a/mls/macros/program/clamav_macros.te b/mls/macros/program/clamav_macros.te new file mode 100644 index 0000000..bc15930 --- /dev/null +++ b/mls/macros/program/clamav_macros.te @@ -0,0 +1,58 @@ +# +# Macros for clamscan +# +# Author: Brian May +# + +# +# can_clamd_connect(domain_prefix) +# +# Define a domain that can access clamd +# +define(`can_clamd_connect',` +allow $1_t clamd_var_run_t:dir search; +allow $1_t clamd_var_run_t:sock_file write; +allow $1_t clamd_sock_t:sock_file write; +can_unix_connect($1_t, clamd_t) +') + +# clamscan_domain(domain_prefix) +# +# Define a derived domain for the clamscan program when executed +# +define(`clamscan_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_clamscan_t, domain, privlog; + +# Uses shared librarys +uses_shlib($1_clamscan_t) +allow $1_clamscan_t fs_t:filesystem getattr; +r_dir_file($1_clamscan_t, etc_t) +read_locale($1_clamscan_t) + +# Access virus signatures +allow $1_clamscan_t var_lib_t:dir search; +r_dir_file($1_clamscan_t, clamav_var_lib_t) + +# Allow temp files +tmp_domain($1_clamscan) + +# Why is this required? +allow $1_clamscan_t proc_t:dir r_dir_perms; +allow $1_clamscan_t proc_t:file r_file_perms; +read_sysctl($1_clamscan_t) +allow $1_clamscan_t self:unix_stream_socket { connect create read write }; +') + +define(`user_clamscan_domain',` +clamscan_domain($1) +role $1_r types $1_clamscan_t; +domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t) +access_terminal($1_clamscan_t, $1) +r_dir_file($1_clamscan_t,$1_home_t); +r_dir_file($1_clamscan_t,$1_home_dir_t); +allow $1_clamscan_t $1_home_t:file r_file_perms; +allow $1_clamscan_t privfd:fd use; +ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;') +') + diff --git a/mls/macros/program/crond_macros.te b/mls/macros/program/crond_macros.te new file mode 100644 index 0000000..5e61d7d --- /dev/null +++ b/mls/macros/program/crond_macros.te @@ -0,0 +1,126 @@ +# +# Macros for crond domains. +# + +# +# Authors: Jonathan Crowley (MITRE) , +# Stephen Smalley and Timothy Fraser +# Russell Coker +# + +# +# crond_domain(domain_prefix) +# +# Define a derived domain for cron jobs executed by crond on behalf +# of a user domain. These domains are separate from the top-level domain +# defined for the crond daemon and the domain defined for system cron jobs, +# which are specified in domains/program/crond.te. +# +undefine(`crond_domain') +define(`crond_domain',` +# Derived domain for user cron jobs, user user_crond_domain if not system +ifelse(`system', `$1', ` +type $1_crond_t, domain, privlog, privmail, nscd_client_domain; +', ` +type $1_crond_t, domain, user_crond_domain; + +# Access user files and dirs. +allow $1_crond_t home_root_t:dir search; +file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t) + +# Run scripts in user home directory and access shared libs. +can_exec($1_crond_t, $1_home_t) + +file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t) +') +r_dir_file($1_crond_t, selinux_config_t) + +# Type of user crontabs once moved to cron spool. +type $1_cron_spool_t, file_type, sysadmfile; + +ifdef(`fcron.te', ` +allow crond_t $1_cron_spool_t:file create_file_perms; +') + +allow $1_crond_t urandom_device_t:chr_file { getattr read }; + +allow $1_crond_t usr_t:file { getattr ioctl read }; +allow $1_crond_t usr_t:lnk_file read; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via execve_secure. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +domain_trans(crond_t, shell_exec_t, $1_crond_t) + +ifdef(`mta.te', ` +domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) +allow $1_crond_t sendmail_exec_t:lnk_file { getattr read }; + +# $1_mail_t should only be reading from the cron fifo not needing to write +dontaudit $1_mail_t crond_t:fifo_file write; +allow mta_user_agent $1_crond_t:fd use; +') + +# The user role is authorized for this domain. +role $1_r types $1_crond_t; + +# This domain is granted permissions common to most domains. +can_network($1_crond_t) +allow $1_crond_t port_type:tcp_socket name_connect; +can_ypbind($1_crond_t) +r_dir_file($1_crond_t, self) +allow $1_crond_t self:fifo_file rw_file_perms; +allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; +allow $1_crond_t self:unix_dgram_socket create_socket_perms; +allow $1_crond_t etc_runtime_t:file { getattr read }; +allow $1_crond_t self:process { fork signal_perms setsched }; +allow $1_crond_t proc_t:dir r_dir_perms; +allow $1_crond_t proc_t:file { getattr read ioctl }; +read_locale($1_crond_t) +read_sysctl($1_crond_t) +allow $1_crond_t var_spool_t:dir search; +allow $1_crond_t fs_type:filesystem getattr; + +allow $1_crond_t devtty_t:chr_file { read write }; +allow $1_crond_t var_t:dir r_dir_perms; +allow $1_crond_t var_t:file { getattr read ioctl }; +allow $1_crond_t var_log_t:dir search; + +# Use capabilities. +allow $1_crond_t self:capability dac_override; + +# Inherit and use descriptors from initrc - I think this is wrong +#allow $1_crond_t initrc_t:fd use; + +# +# Since crontab files are not directly executed, +# crond must ensure that the crontab file has +# a type that is appropriate for the domain of +# the user cron job. It performs an entrypoint +# permission check for this purpose. +# +allow $1_crond_t $1_cron_spool_t:file entrypoint; + +# Run helper programs. +can_exec_any($1_crond_t) + +# ps does not need to access /boot when run from cron +dontaudit $1_crond_t boot_t:dir search; +# quiet other ps operations +dontaudit $1_crond_t domain:dir { getattr search }; +# for nscd +dontaudit $1_crond_t var_run_t:dir search; +') + +# When system_crond_t domain executes a type $1 executable then transition to +# domain $2, allow $2 to interact with crond_t as well. +define(`system_crond_entry', ` +ifdef(`crond.te', ` +domain_auto_trans(system_crond_t, $1, $2) +allow $2 crond_t:fifo_file { getattr read write ioctl }; +# a rule for privfd may make this obsolete +allow $2 crond_t:fd use; +allow $2 crond_t:process sigchld; +')dnl end ifdef +')dnl end system_crond_entry diff --git a/mls/macros/program/crontab_macros.te b/mls/macros/program/crontab_macros.te new file mode 100644 index 0000000..a18d80f --- /dev/null +++ b/mls/macros/program/crontab_macros.te @@ -0,0 +1,102 @@ +# +# Macros for crontab domains. +# + +# +# Authors: Jonathan Crowley (MITRE) +# Revised by Stephen Smalley +# + +# +# crontab_domain(domain_prefix) +# +# Define a derived domain for the crontab program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/crontab.te. +# +undefine(`crontab_domain') +define(`crontab_domain',` +# Derived domain based on the calling user domain and the program. +type $1_crontab_t, domain, privlog; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t) + +can_ps($1_t, $1_crontab_t) + +# for ^Z +allow $1_t $1_crontab_t:process signal; + +# The user role is authorized for this domain. +role $1_r types $1_crontab_t; + +uses_shlib($1_crontab_t) +allow $1_crontab_t etc_t:file { getattr read }; +allow $1_crontab_t self:unix_stream_socket create_socket_perms; +allow $1_crontab_t self:unix_dgram_socket create_socket_perms; +read_locale($1_crontab_t) + +# Use capabilities dac_override is to create the file in the directory +# under /tmp +allow $1_crontab_t self:capability { setuid setgid chown dac_override }; + +# Type for temporary files. +file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file }) + +# Use the type when creating files in /var/spool/cron. +allow sysadm_crontab_t $1_cron_spool_t:file { getattr read }; +allow $1_crontab_t { var_t var_spool_t }:dir { getattr search }; +file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file) +allow $1_crontab_t self:process { fork signal_perms }; +ifdef(`fcron.te', ` +# fcron wants an instant update of a crontab change for the administrator +# also crontab does a security check for crontab -u +ifelse(`$1', `sysadm', ` +allow $1_crontab_t crond_t:process signal; +can_setfscreate($1_crontab_t) +', ` +dontaudit $1_crontab_t crond_t:process signal; +')dnl end ifelse +')dnl end ifdef fcron + +# for the checks used by crontab -u +dontaudit $1_crontab_t security_t:dir search; +allow $1_crontab_t proc_t:dir search; +allow $1_crontab_t proc_t:{ file lnk_file } { getattr read }; +allow $1_crontab_t selinux_config_t:dir search; +allow $1_crontab_t selinux_config_t:file { getattr read }; +dontaudit $1_crontab_t self:dir search; + +# crontab signals crond by updating the mtime on the spooldir +allow $1_crontab_t cron_spool_t:dir setattr; +# Allow crond to read those crontabs in cron spool. +allow crond_t $1_cron_spool_t:file r_file_perms; + +# Run helper programs as $1_t +allow $1_crontab_t { bin_t sbin_t }:dir search; +allow $1_crontab_t bin_t:lnk_file read; +domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) + +# Read user crontabs +allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; +allow $1_crontab_t $1_home_t:file r_file_perms; +dontaudit $1_crontab_t $1_home_dir_t:dir write; + +# Access the cron log file. +allow $1_crontab_t crond_log_t:file r_file_perms; +allow $1_crontab_t crond_log_t:file append; + +# Access terminals. +allow $1_crontab_t device_t:dir search; +access_terminal($1_crontab_t, $1); + +allow $1_crontab_t fs_t:filesystem getattr; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') +allow $1_crontab_t privfd:fd use; + +dontaudit $1_crontab_t var_run_t:dir search; +') diff --git a/mls/macros/program/daemontools_macros.te b/mls/macros/program/daemontools_macros.te new file mode 100644 index 0000000..94c4f8e --- /dev/null +++ b/mls/macros/program/daemontools_macros.te @@ -0,0 +1,11 @@ +ifdef(`daemontools.te', ` + +define(`svc_ipc_domain',` +allow $1 svc_start_t:process sigchld; +allow $1 svc_start_t:fd use; +allow $1 svc_start_t:fifo_file { read write getattr }; +allow svc_start_t $1:process signal; +') + +') dnl ifdef daemontools + diff --git a/mls/macros/program/dbusd_macros.te b/mls/macros/program/dbusd_macros.te new file mode 100644 index 0000000..2e542a0 --- /dev/null +++ b/mls/macros/program/dbusd_macros.te @@ -0,0 +1,90 @@ +# +# Macros for Dbus +# +# Author: Colin Walters + +# dbusd_domain(domain_prefix) +# +# Define a derived domain for the DBus daemon. + +define(`dbusd_domain', ` +ifelse(`system', `$1',` +daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm') +# For backwards compatibility +typealias system_dbusd_t alias dbusd_t; +type etc_dbusd_t, file_type, sysadmfile; +',` +type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr; +role $1_r types $1_dbusd_t; +domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t) +read_locale($1_dbusd_t) +allow $1_t $1_dbusd_t:process { sigkill signal }; +allow $1_dbusd_t self:process { sigkill signal }; +dontaudit $1_dbusd_t var_t:dir { getattr search }; +')dnl end ifelse system + +base_file_read_access($1_dbusd_t) +uses_shlib($1_dbusd_t) +allow $1_dbusd_t etc_t:file { getattr read }; +r_dir_file($1_dbusd_t, etc_dbusd_t) +tmp_domain($1_dbusd) +allow $1_dbusd_t self:process fork; +can_pipe_xdm($1_dbusd_t) + +allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; +allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; + +allow $1_dbusd_t urandom_device_t:chr_file { getattr read }; +allow $1_dbusd_t self:file { getattr read write }; +allow $1_dbusd_t proc_t:file read; + +can_getsecurity($1_dbusd_t) +r_dir_file($1_dbusd_t, default_context_t) +allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; + +ifdef(`pamconsole.te', ` +r_dir_file($1_dbusd_t, pam_var_console_t) +') + +allow $1_dbusd_t self:dbus { send_msg acquire_svc }; + +')dnl end dbusd_domain definition + +# dbusd_client(dbus_type, domain_prefix) +# Example: dbusd_client_domain(system, user) +# +# Define a new derived domain for connecting to dbus_type +# from domain_prefix_t. +undefine(`dbusd_client') +define(`dbusd_client',` + +ifdef(`dbusd.te',` +# Derived type used for connection +type $2_dbusd_$1_t; +type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t; + +# SE-DBus specific permissions +allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; + +# For connecting to the bus +allow $2_t $1_dbusd_t:unix_stream_socket connectto; + +ifelse(`system', `$1', ` +allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search; +allow { $2_t } system_dbusd_var_run_t:sock_file write; +',`') dnl endif system +') dnl endif dbusd.te +') + +# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b) +# Example: can_dbusd_converse(system, hald, updfstab) +# Example: can_dbusd_converse(session, user, user) +define(`can_dbusd_converse',`') +ifdef(`dbusd.te',` +undefine(`can_dbusd_converse') +define(`can_dbusd_converse',` +allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg }; +allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg }; +') dnl endif dbusd.te +') diff --git a/mls/macros/program/ethereal_macros.te b/mls/macros/program/ethereal_macros.te new file mode 100644 index 0000000..36f1a96 --- /dev/null +++ b/mls/macros/program/ethereal_macros.te @@ -0,0 +1,82 @@ +# DESC - Ethereal +# +# Author: Ivan Gyurdiev +# + +############################################################# +# ethereal_networking(app_prefix) - +# restricted ethereal rules (sysadm only) +# + +define(`ethereal_networking', ` + +# Create various types of sockets +allow $1_t self:netlink_route_socket create_netlink_socket_perms; +allow $1_t self:udp_socket create_socket_perms; +allow $1_t self:packet_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:tcp_socket create_socket_perms; + +allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid }; + +# Resolve names via DNS +can_resolve($1_t) + +') dnl ethereal_networking + +######################################################## +# Ethereal (GNOME) +# + +define(`ethereal_domain', ` + +# Type for program +type $1_ethereal_t, domain, nscd_client_domain; + +# Transition from sysadm type +domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t) +role $1_r types $1_ethereal_t; + +# Manual transition from userhelper +ifdef(`userhelper.te', ` +allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure }; +allow $1_ethereal_t userhelperdomain:fd use; +allow $1_ethereal_t userhelperdomain:process sigchld; +') dnl userhelper + +# X, GNOME +x_client_domain($1_ethereal, $1) +gnome_application($1_ethereal, $1) +gnome_file_dialog($1_ethereal, $1) + +# Why does it write this? +ifdef(`snmpd.te', ` +dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; +') + +# /home/.ethereal +home_domain($1, ethereal) +file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir) + +# Enable restricted networking rules for sysadm - this is shared w/ tethereal +ifelse($1, `sysadm', ` +ethereal_networking($1_ethereal) + +# Ethereal tries to write to user terminal +dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write }; +dontaudit sysadm_ethereal_t unpriv_userdomain:fd use; +', `') + +# Store temporary files +tmp_domain($1_ethereal) + +# Re-execute itself (why?) +can_exec($1_ethereal_t, ethereal_exec_t) +allow $1_ethereal_t sbin_t:dir search; + +# Supress .local denials until properly implemented +dontaudit $1_ethereal_t $1_home_t:dir search; + +# FIXME: policy is incomplete + +') dnl ethereal_domain diff --git a/mls/macros/program/evolution_macros.te b/mls/macros/program/evolution_macros.te new file mode 100644 index 0000000..37fc087 --- /dev/null +++ b/mls/macros/program/evolution_macros.te @@ -0,0 +1,234 @@ +# +# Evolution +# +# Author: Ivan Gyurdiev +# + +################################################ +# evolution_common(app_prefix,role_prefix) +# +define(`evolution_common', ` + +# Gnome common stuff +gnome_application($1, $2) + +# Stat root +allow $1_t root_t:dir search; + +# Access null device +allow $1_t null_device_t:chr_file rw_file_perms; + +# FIXME: suppress access to .local/.icons/.themes until properly implemented +dontaudit $1_t $2_home_t:dir r_dir_perms; + +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +dontaudit $1_t $2_home_t:file r_file_perms; + +') dnl evolution_common + +####################################### +# evolution_data_server(role_prefix) +# + +define(`evolution_data_server', ` + +# Type for daemon +type $1_evolution_server_t, domain, nscd_client_domain; + +# Transition from user type +if (! disable_evolution_trans) { +domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t) +} +role $1_r types $1_evolution_server_t; + +# Evolution common stuff +evolution_common($1_evolution_server, $1) + +# Access evolution home +home_domain_access($1_evolution_server_t, $1, evolution) + +# Talks to exchange +bonobo_connect($1_evolution_server, $1_evolution_exchange) + +can_exec($1_evolution_server_t, shell_exec_t) + +# Obtain weather data via http (read server name from xml file in /usr) +allow $1_evolution_server_t usr_t:file r_file_perms; +can_resolve($1_evolution_server_t) +can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } ) +allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect; + +# Talk to ldap (address book) +can_network_client_tcp($1_evolution_server_t, ldap_port_t) +allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect; + +# Look in /etc/pki +r_dir_file($1_evolution_server_t, cert_t) + +') dnl evolution_data_server + +####################################### +# evolution_webcal(role_prefix) +# + +define(`evolution_webcal', ` + +# Type for program +type $1_evolution_webcal_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t) +role $1_r types $1_evolution_webcal_t; + +# X/evolution common stuff +x_client_domain($1_evolution_webcal, $1) +evolution_common($1_evolution_webcal, $1) + +# Search home directory (?) +allow $1_evolution_webcal_t $1_home_dir_t:dir search; + +# Networking capability - connect to website and handle ics link +# FIXME: is this necessary ? +can_resolve($1_evolution_webcal_t); +can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } ) +allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect; + +') dnl evolution_webcal + +####################################### +# evolution_alarm(role_prefix) +# +define(`evolution_alarm', ` + +# Type for program +type $1_evolution_alarm_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t) +role $1_r types $1_evolution_alarm_t; + +# Common evolution stuff, X +evolution_common($1_evolution_alarm, $1) +x_client_domain($1_evolution_alarm, $1) + +# Connect to exchange, e-d-s +bonobo_connect($1_evolution_alarm, $1_evolution_server) +bonobo_connect($1_evolution_alarm, $1_evolution_exchange) + +# Access evolution home +home_domain_access($1_evolution_alarm_t, $1, evolution) + +') dnl evolution_alarm + +######################################## +# evolution_exchange(role_prefix) +# +define(`evolution_exchange', ` + +# Type for program +type $1_evolution_exchange_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t) +role $1_r types $1_evolution_exchange_t; + +# Common evolution stuff, X +evolution_common($1_evolution_exchange, $1) +x_client_domain($1_evolution_exchange, $1) + +# Access evolution home +home_domain_access($1_evolution_exchange_t, $1, evolution) + +# /tmp/.exchange-$USER +tmp_domain($1_evolution_exchange) + +# Allow netstat +allow $1_evolution_exchange_t bin_t:dir search; +can_exec($1_evolution_exchange_t, bin_t) +r_dir_file($1_evolution_exchange_t, proc_net_t) +allow $1_evolution_exchange_t sysctl_net_t:dir search; +allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms; + +# Clock applet talks to exchange (FIXME: Needs policy) +bonobo_connect($1, $1_evolution_exchange) + +# FIXME: policy incomplete + +') dnl evolution_exchange + +####################################### +# evolution_domain(role_prefix) +# + +define(`evolution_domain', ` + +# Type for program +type $1_evolution_t, domain, nscd_client_domain, privlog; + +# Transition from user type +domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t) +role $1_r types $1_evolution_t; + +# X, mail, evolution common stuff +x_client_domain($1_evolution, $1) +mail_client_domain($1_evolution, $1) +gnome_file_dialog($1_evolution, $1) +evolution_common($1_evolution, $1) + +# Connect to e-d-s, exchange, alarm +bonobo_connect($1_evolution, $1_evolution_server) +bonobo_connect($1_evolution, $1_evolution_exchange) +bonobo_connect($1_evolution, $1_evolution_alarm) + +# Access .evolution +home_domain($1, evolution) + +# Store passwords in .gnome2_private +gnome_private_store($1_evolution, $1) + +# Run various programs +allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms; +allow $1_evolution_t { self bin_t }:lnk_file r_file_perms; + +### Junk mail filtering (start spamd) +ifdef(`spamd.te', ` +# Start the spam daemon +domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t) +role $1_r types spamd_t; + +# Write pid file and socket in ~/.evolution/cache/tmp +file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file }) + +# Allow evolution to signal the daemon +# FIXME: Now evolution can read spamd temp files +allow $1_evolution_t spamd_tmp_t:file r_file_perms; +allow $1_evolution_t spamd_t:process signal; +dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr; +') dnl spamd.te + +### Junk mail filtering (start spamc) +ifdef(`spamc.te', ` +domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t) + +# Allow connection to spamd socket above +allow $1_spamc_t $1_evolution_home_t:dir search; +') dnl spamc.te + +### Junk mail filtering (start spamassassin) +ifdef(`spamassassin.te', ` +domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t) +') dnl spamassasin.te + +') dnl evolution_domain + +################################# +# evolution_domains(role_prefix) + +define(`evolution_domains', ` +evolution_domain($1) +evolution_data_server($1) +evolution_webcal($1) +evolution_alarm($1) +evolution_exchange($1) +') dnl end evolution_domains diff --git a/mls/macros/program/exim_macros.te b/mls/macros/program/exim_macros.te new file mode 100644 index 0000000..610ca15 --- /dev/null +++ b/mls/macros/program/exim_macros.te @@ -0,0 +1,75 @@ +#DESC Exim - Mail server +# +# Author: David Hampton +# From postfix.te by Russell Coker +# Depends: mta.te +# + +########## +# Permissions common to the exim daemon, and exim invoked by a user to +# send a file +########## +define(`exim_common',` + +# Networking - All instances need to talk to other mail hosts and +# amavisd +can_network_tcp($1_t); +allow $1_t smtp_port_t:tcp_socket name_connect; +## can_network_client_tcp($1_t, smtp_port_t); +## ifdef(`amavis.te', ` +## can_network_client_tcp($1_t, amavisd_recv_port_t); +## allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg }; +## ') +can_resolve($1_t); + +# Exim forks children to do its work. +general_domain_access($1_t) + +# Certs and SSL +r_dir_file($1_t, cert_t) +allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms; + +general_proc_read_access($1_t) +read_locale($1_t) + +allow $1_t etc_t:file { getattr read }; +allow $1_t sbin_t:dir search; +allow $1_t tmp_t:dir getattr; +allow $1_t self:fifo_file { read write }; +can_exec($1_t, exim_exec_t) +allow $1_t self:capability { chown fowner dac_override setgid setuid }; +allow $1_t self:process setrlimit; + +# Have to walk through /var/xxx to get to /var/xxx/exim +allow $1_t var_log_t:dir search; +allow $1_t var_spool_t:dir search; + +# Exim creates a spool file per message +create_dir_file($1_t, exim_spool_t); +# It also creates a log file per message +create_dir_file($1_t, exim_log_t); +# The database is modified by every message +allow $1_t exim_spool_db_t:dir search; +allow $1_t exim_spool_db_t:file rw_file_perms; + +# Checking the existence of mailman lists +allow $1_t mailman_data_t:file getattr; + +# Trying to read mtab +dontaudit $1_t etc_runtime_t:file { getattr read }; +') + + +define(`exim_user_domain',` +######################################## +######################################## +application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog'); +in_user_role(exim_$1_t) +domain_auto_trans($1_t, exim_exec_t, exim_$1_t) +exim_common(exim_$1) +role $1_r types exim_$1_t; +allow exim_$1_t $1_tmp_t:file { getattr read }; +allow exim_$1_t $1_devpts_t:chr_file rw_file_perms; +allow exim_$1_t sshd_t:fd use; +') + diff --git a/mls/macros/program/fingerd_macros.te b/mls/macros/program/fingerd_macros.te new file mode 100644 index 0000000..fd56ca7 --- /dev/null +++ b/mls/macros/program/fingerd_macros.te @@ -0,0 +1,15 @@ +# +# Macro for fingerd +# +# Author: Russell Coker +# + +# +# fingerd_macro(domain_prefix) +# +# allow fingerd to create a fingerlog file in the user home dir +# +define(`fingerd_macro', ` +type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type; +file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) +') diff --git a/mls/macros/program/fontconfig_macros.te b/mls/macros/program/fontconfig_macros.te new file mode 100644 index 0000000..7f4a56d --- /dev/null +++ b/mls/macros/program/fontconfig_macros.te @@ -0,0 +1,52 @@ +# +# Fontconfig related types +# +# Author: Ivan Gyurdiev +# +# fontconfig_domain(role_prefix) - create fontconfig domain +# +# read_fonts(domain, role_prefix) - +# allow domain to read fonts, optionally per/user +# + +define(`fontconfig_domain', ` + +type $1_fonts_t, file_type, $1_file_type, sysadmfile; +type $1_fonts_config_t, file_type, $1_file_type, sysadmfile; +type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile; + +create_dir_file($1_t, $1_fonts_t) +allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom }; + +create_dir_file($1_t, $1_fonts_config_t) +allow $1_t $1_fonts_config_t:file { relabelto relabelfrom }; + +# For startup relabel +allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; + +') dnl fontconfig_domain + +#################### + +define(`read_fonts', ` + +# Read global fonts and font config +r_dir_file($1, fonts_t) +r_dir_file($1, etc_t) + +ifelse(`$2', `', `', ` + +# Manipulate the global font cache +create_dir_file($1, $2_fonts_cache_t) + +# Read per user fonts and font config +r_dir_file($1, $2_fonts_t) +r_dir_file($1, $2_fonts_config_t) + +# There are some fonts in .gnome2 +ifdef(`gnome.te', ` +allow $1 $2_gnome_settings_t:dir { getattr search }; +') + +') dnl ifelse +') dnl read_fonts diff --git a/mls/macros/program/games_domain.te b/mls/macros/program/games_domain.te new file mode 100644 index 0000000..d4c1d05 --- /dev/null +++ b/mls/macros/program/games_domain.te @@ -0,0 +1,89 @@ +#DESC games +# +# Macros for games +# +# +# Authors: Dan Walsh +# +# +# games_domain(domain_prefix) +# +# +define(`games_domain', ` + +type $1_games_t, domain, nscd_client_domain; + +# Type transition +if (! disable_games_trans) { +domain_auto_trans($1_t, games_exec_t, $1_games_t) +} +can_exec($1_games_t, games_exec_t) +role $1_r types $1_games_t; + +can_create_pty($1_games) + +# X access, GNOME, /tmp files +x_client_domain($1_games, $1) +tmp_domain($1_games, `', { dir notdevfile_class_set }) +gnome_application($1_games, $1) +gnome_file_dialog($1_games, $1) + +# Games seem to need this +if (allow_execmem) { +allow $1_games_t self:process execmem; +} + +allow $1_games_t texrel_shlib_t:file execmod; +allow $1_games_t var_t:dir { search getattr }; +rw_dir_create_file($1_games_t, games_data_t) +allow $1_games_t sound_device_t:chr_file rw_file_perms; +can_udp_send($1_games_t, $1_games_t) +can_tcp_connect($1_games_t, $1_games_t) + +# Access /home/user/.gnome2 +# FIXME: Change to use per app types +create_dir_file($1_games_t, $1_gnome_settings_t) + +# FIXME: why is this necessary - ORBit? +# ORBit works differently now +create_dir_file($1_games_t, $1_tmp_t) +allow $1_games_t $1_tmp_t:sock_file create_file_perms; +can_unix_connect($1_t, $1_games_t) +can_unix_connect($1_games_t, $1_t) + +ifdef(`xdm.te', ` +allow $1_games_t xdm_tmp_t:dir rw_dir_perms; +allow $1_games_t xdm_tmp_t:sock_file create_file_perms; +allow $1_games_t xdm_var_lib_t:file { getattr read }; +')dnl end if xdm.te + +allow $1_games_t var_lib_t:dir search; +r_dir_file($1_games_t, man_t) +allow $1_games_t { proc_t self }:dir search; +allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr }; +ifdef(`mozilla.te', ` +dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; +') +allow $1_games_t event_device_t:chr_file getattr; +allow $1_games_t mouse_device_t:chr_file getattr; + +allow $1_games_t self:file { getattr read }; +allow $1_games_t self:sem create_sem_perms; + +allow $1_games_t { bin_t sbin_t }:dir { getattr search }; +can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t }) +allow $1_games_t bin_t:lnk_file read; + +dontaudit $1_games_t var_run_t:dir search; +dontaudit $1_games_t initrc_var_run_t:file { read write }; +dontaudit $1_games_t var_log_t:dir search; + +can_network($1_games_t) +allow $1_games_t port_t:tcp_socket name_bind; +allow $1_games_t port_t:tcp_socket name_connect; + +# Suppress .icons denial until properly implemented +dontaudit $1_games_t $1_home_t:dir read; + +')dnl end macro definition + diff --git a/mls/macros/program/gconf_macros.te b/mls/macros/program/gconf_macros.te new file mode 100644 index 0000000..6f97ca3 --- /dev/null +++ b/mls/macros/program/gconf_macros.te @@ -0,0 +1,57 @@ +# +# GConfd daemon +# +# Author: Ivan Gyurdiev +# + +####################################### +# gconfd_domain(role_prefix) +# + +define(`gconfd_domain', ` + +# Type for daemon +type $1_gconfd_t, domain, nscd_client_domain, privlog; + +gnome_application($1_gconfd, $1) + +# Transition from user type +domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t) +role $1_r types $1_gconfd_t; + +allow $1_gconfd_t self:process { signal getsched }; + +# Access .gconfd and .gconf +home_domain($1, gconfd) +file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir) + +# Access /etc/gconf +r_dir_file($1_gconfd_t, gconf_etc_t) + +# /tmp/gconfd-USER +tmp_domain($1_gconfd) + +can_pipe_xdm($1_gconfd_t) +ifdef(`xdm.te', ` +allow xdm_t $1_gconfd_t:process signal; +') + +') dnl gconf_domain + +##################################### +# gconf_client(prefix, role_prefix) +# + +define(`gconf_client', ` + +# Launch the daemon if necessary +domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t) + +# Connect over bonobo +bonobo_connect($1, $2_gconfd) + +# Read lock/ior +allow $1_t $2_gconfd_tmp_t:dir { getattr search }; +allow $1_t $2_gconfd_tmp_t:file { getattr read }; + +') dnl gconf_client diff --git a/mls/macros/program/gift_macros.te b/mls/macros/program/gift_macros.te new file mode 100644 index 0000000..d8e39e2 --- /dev/null +++ b/mls/macros/program/gift_macros.te @@ -0,0 +1,104 @@ +# +# Macros for giFT +# +# Author: Ivan Gyurdiev +# +# gift_domains(domain_prefix) +# declares a domain for giftui and giftd + +######################### +# gift_domain(user) # +######################### + +define(`gift_domain', ` + +# Type transition +type $1_gift_t, domain, nscd_client_domain; +domain_auto_trans($1_t, gift_exec_t, $1_gift_t) +role $1_r types $1_gift_t; + +# X access, Home files, GNOME, /tmp +x_client_domain($1_gift, $1) +gnome_application($1_gift, $1) +home_domain($1, gift) +file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) + +# Allow the user domain to signal/ps. +can_ps($1_t, $1_gift_t) +allow $1_t $1_gift_t:process signal_perms; + +# Launch gift daemon +allow $1_gift_t bin_t:dir search; +domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t) + +# Connect to gift daemon +can_network_client_tcp($1_gift_t, giftd_port_t) +allow $1_gift_t giftd_port_t:tcp_socket name_connect; + +# Read /proc/meminfo +allow $1_gift_t proc_t:dir search; +allow $1_gift_t proc_t:file { getattr read }; + +# giftui looks in .icons, .themes. +dontaudit $1_gift_t $1_home_t:dir { getattr read search }; +dontaudit $1_gift_t $1_home_t:file { getattr read }; + +') dnl gift_domain + +########################## +# giftd_domain(user) # +########################## + +define(`giftd_domain', ` + +type $1_giftd_t, domain; + +# Transition from user type +domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t) +role $1_r types $1_giftd_t; + +# Self permissions, allow fork +allow $1_giftd_t self:process { fork signal sigchld setsched }; +allow $1_giftd_t self:unix_stream_socket create_socket_perms; + +read_sysctl($1_giftd_t) +read_locale($1_giftd_t) +uses_shlib($1_giftd_t) +access_terminal($1_giftd_t, $1) + +# Read /proc/meminfo +allow $1_giftd_t proc_t:dir search; +allow $1_giftd_t proc_t:file { getattr read }; + +# Read /etc/mtab +allow $1_giftd_t etc_runtime_t:file { getattr read }; + +# Access home domain +home_domain_access($1_giftd_t, $1, gift) +file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) + +# Serve content on various p2p networks. Ports can be random. +can_network_server($1_giftd_t) +allow $1_giftd_t self:udp_socket listen; +allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind; + +# Connect to various p2p networks. Ports can be random. +can_network_client($1_giftd_t) +allow $1_giftd_t port_type:tcp_socket name_connect; + +# Plugins +r_dir_file($1_giftd_t, usr_t) + +# Connect to xdm +can_pipe_xdm($1_giftd_t) + +') dnl giftd_domain + +########################## +# gift_domains(user) # +########################## + +define(`gift_domains', ` +gift_domain($1) +giftd_domain($1) +') dnl gift_domains diff --git a/mls/macros/program/gnome_macros.te b/mls/macros/program/gnome_macros.te new file mode 100644 index 0000000..5d31af5 --- /dev/null +++ b/mls/macros/program/gnome_macros.te @@ -0,0 +1,115 @@ +# +# GNOME related types +# +# Author: Ivan Gyurdiev +# +# gnome_domain(role_prefix) - create GNOME domain (run for each role) +# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps +# gnome_file_dialog(role_prefix) - gnome file dialog rules +# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private + +define(`gnome_domain', ` + +# Types for .gnome2 and .gnome2_private. +# For backwards compatibility, allow unrestricted +# access from ROLE_t. However, content inside +# *should* be labeled per application eventually. +# For .gnome2_private, use the private_store macro below. + +type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile; +create_dir_file($1_t, $1_gnome_settings_t) +allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto }; + +type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile; +create_dir_file($1_t, $1_gnome_secret_t) +allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto }; + +# GConf domain +gconfd_domain($1) +gconf_client($1, $1) + +# Bonobo-activation-server +bonobo_domain($1) +bonobo_client($1, $1) + +# GNOME vfs daemon +gnome_vfs_domain($1) +gnome_vfs_client($1, $1) + +# ICE is necessary for session management +ice_domain($1, $1) + +') + +################################# + +define(`gnome_application', ` + +# If launched from a terminal +access_terminal($1_t, $2) + +# Forking is generally okay +allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork }; +allow $1_t self:fifo_file rw_file_perms; + +# Shlib, locale, sysctl, proc +uses_shlib($1_t) +read_locale($1_t) +read_sysctl($1_t) + +allow $1_t { self proc_t }:dir { search read getattr }; +allow $1_t { self proc_t }:{ file lnk_file } { read getattr }; + +# Most gnome apps use bonobo +bonobo_client($1, $2) + +# Within-process bonobo-activation of components +bonobo_connect($1, $1) + +# Session management happens over ICE +# FIXME: More specific context is needed for gnome-session +ice_connect($1, $2) + +# Most talk to GConf +gconf_client($1, $2) + +# Allow getattr/read/search of .gnome2 and .gnome2_private +# Reading files should *not* be allowed - instead, more specific +# types should be created to handle such requests +allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms; + +# Access /etc/mtab, /etc/nsswitch.conf +allow $1_t etc_t:file { read getattr }; +allow $1_t etc_runtime_t:file { read getattr }; + +# Themes, gtkrc +allow $1_t usr_t:{ file lnk_file } r_file_perms; + +') dnl gnome_application + +################################ + +define(`gnome_file_dialog', ` + +# GNOME Open/Save As dialogs +dontaudit_getattr($1_t) +dontaudit_search_dir($1_t) + +# Bonobo connection to gnome_vfs daemon +bonobo_connect($1, $2_gnome_vfs) + +') dnl gnome_file_dialog + +################################ + +define(`gnome_private_store', ` + +# Type for storing secret data +# (different from home, not directly accessible from ROLE_t) +type $1_secret_t, file_type, $2_file_type, sysadmfile; + +# Put secret files in .gnome2_private +file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file); +allow $2_t $1_secret_t:file unlink; + +') dnl gnome_private_store diff --git a/mls/macros/program/gnome_vfs_macros.te b/mls/macros/program/gnome_vfs_macros.te new file mode 100644 index 0000000..8ff5c28 --- /dev/null +++ b/mls/macros/program/gnome_vfs_macros.te @@ -0,0 +1,55 @@ +# +# GNOME VFS daemon +# +# Author: Ivan Gyurdiev +# + +####################################### +# gnome_vfs_domain(role_prefix) +# + +define(`gnome_vfs_domain', ` + +# Type for daemon +type $1_gnome_vfs_t, domain, nscd_client_domain; + +# GNOME, dbus +gnome_application($1_gnome_vfs, $1) +dbusd_client(system, $1_gnome_vfs) +allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg; +ifdef(`hald.te', ` +allow $1_gnome_vfs_t hald_t:dbus send_msg; +allow hald_t $1_gnome_vfs_t:dbus send_msg; +') + +# Transition from user type +domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t) +role $1_r types $1_gnome_vfs_t; + +# Stat top level directories on mount_points (check free space?) +allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr; + +# Search path to /home (??) +allow $1_gnome_vfs_t home_root_t:dir search; +allow $1_gnome_vfs_t $1_home_dir_t:dir search; + +# Search path to rpc_pipefs mount point (??) +allow $1_gnome_vfs_t var_lib_nfs_t:dir search; +allow $1_gnome_vfs_t var_lib_t:dir search; + +# Search libexec (??) +allow $1_gnome_vfs_t bin_t:dir search; +can_exec($1_gnome_vfs_t, bin_t) + +') dnl gnome_vfs_domain + +##################################### +# gnome_vfs_client(prefix, role_prefix) +# + +define(`gnome_vfs_client', ` + +# Connect over bonobo +bonobo_connect($1, $2_gnome_vfs) + +') dnl gnome_vfs_client diff --git a/mls/macros/program/gpg_agent_macros.te b/mls/macros/program/gpg_agent_macros.te new file mode 100644 index 0000000..f7ad8b0 --- /dev/null +++ b/mls/macros/program/gpg_agent_macros.te @@ -0,0 +1,125 @@ +# +# Macros for gpg agent +# +# Author: Thomas Bleher +# +# +# gpg_agent_domain(domain_prefix) +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gpg-agent.te. +# +define(`gpg_agent_domain',` +# Define a derived domain for the gpg-agent program when executed +# by a user domain. +# Derived domain based on the calling user domain and the program. +type $1_gpg_agent_t, domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + +# The user role is authorized for this domain. +role $1_r types $1_gpg_agent_t; + +allow $1_gpg_agent_t privfd:fd use; + +# Write to the user domain tty. +access_terminal($1_gpg_agent_t, $1) + +# Allow the user shell to signal the gpg-agent program. +allow $1_t $1_gpg_agent_t:process { signal sigkill }; +# allow ps to show gpg-agent +can_ps($1_t, $1_gpg_agent_t) + +uses_shlib($1_gpg_agent_t) +read_locale($1_gpg_agent_t) + +# rlimit: gpg-agent wants to prevent coredumps +allow $1_gpg_agent_t self:process { setrlimit fork sigchld }; + +allow $1_gpg_agent_t { self proc_t }:dir search; +allow $1_gpg_agent_t { self proc_t }:lnk_file read; + +allow $1_gpg_agent_t device_t:dir { getattr read }; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; +create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) +if (use_nfs_home_dirs) { +create_dir_file($1_gpg_agent_t, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1_gpg_agent_t, cifs_t) +} + +allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms; +allow $1_gpg_agent_t self:fifo_file { getattr read write }; + +# create /tmp files +tmp_domain($1_gpg_agent, `', `{ file dir sock_file }') + +# gpg connect +allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; +allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; +can_unix_connect($1_gpg_t, $1_gpg_agent_t) + +# policy for pinentry +# =================== +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +# Please note that I didnt use the x_client_domain-macro as it gives too +# much permissions +type $1_gpg_pinentry_t, domain; +role $1_r types $1_gpg_pinentry_t; + +allow $1_gpg_agent_t bin_t:dir search; +domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) + +uses_shlib($1_gpg_pinentry_t) +read_locale($1_gpg_pinentry_t) + +allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; +allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; + +ifdef(`xdm.te', ` +allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; +allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; +can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) +')dnl end ig xdm.te + +read_fonts($1_gpg_pinentry_t, $1) +# read kde font cache +allow $1_gpg_pinentry_t usr_t:file { getattr read }; + +allow $1_gpg_pinentry_t { proc_t self }:dir search; +allow $1_gpg_pinentry_t { proc_t self }:lnk_file read; +# read /proc/meminfo +allow $1_gpg_pinentry_t proc_t:file read; + +allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; + +# for .Xauthority +allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; +allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; +# wants to put some lock files into the user home dir, seems to work fine without +dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; +dontaudit $1_gpg_pinentry_t $1_home_t:file write; +if (use_nfs_home_dirs) { +allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; +allow $1_gpg_pinentry_t nfs_t:file { getattr read }; +dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; +dontaudit $1_gpg_pinentry_t nfs_t:file write; +} +if (use_samba_home_dirs) { +allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; +allow $1_gpg_pinentry_t cifs_t:file { getattr read }; +dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; +dontaudit $1_gpg_pinentry_t cifs_t:file write; +} + +# read /etc/X11/qtrc +allow $1_gpg_pinentry_t etc_t:file { getattr read }; + +dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search }; + +')dnl end if gpg_agent diff --git a/mls/macros/program/gpg_macros.te b/mls/macros/program/gpg_macros.te new file mode 100644 index 0000000..9dba8f7 --- /dev/null +++ b/mls/macros/program/gpg_macros.te @@ -0,0 +1,113 @@ +# +# Macros for gpg and pgp +# +# Author: Russell Coker +# +# based on the work of: +# Stephen Smalley and Timothy Fraser +# + +# +# gpg_domain(domain_prefix) +# +# Define a derived domain for the gpg/pgp program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gpg.te. +# +define(`gpg_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_gpg_t, domain, privlog; +type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t) +role $1_r types $1_gpg_t; + +can_network($1_gpg_t) +allow $1_gpg_t port_type:tcp_socket name_connect; +can_ypbind($1_gpg_t) + +# for a bug in kmail +dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write }; + +allow $1_gpg_t device_t:dir r_dir_perms; +allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms; + +allow $1_gpg_t etc_t:file r_file_perms; + +allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms; +allow $1_gpg_t self:tcp_socket create_stream_socket_perms; + +access_terminal($1_gpg_t, $1) +ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') + +# Inherit and use descriptors +allow $1_gpg_t { privfd $1_t }:fd use; +allow { $1_t $1_gpg_t } $1_gpg_t:process signal; + +# setrlimit is for ulimit -c 0 +allow $1_gpg_t self:process { setrlimit setcap setpgid }; + +# allow ps to show gpg +can_ps($1_t, $1_gpg_t) + +uses_shlib($1_gpg_t) + +# Access .gnupg +rw_dir_create_file($1_gpg_t, $1_gpg_secret_t) + +# Read content to encrypt/decrypt/sign +read_content($1_gpg_t, $1) + +# Write content to encrypt/decrypt/sign +write_trusted($1_gpg_t, $1) + +allow $1_gpg_t self:capability { ipc_lock setuid }; + +allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms; +allow $1_gpg_t fs_t:filesystem getattr; +allow $1_gpg_t usr_t:file r_file_perms; +read_locale($1_gpg_t) + +dontaudit $1_gpg_t var_t:dir search; + +ifdef(`gpg-agent.te', `gpg_agent_domain($1)') + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. +type $1_gpg_helper_t, domain; +role $1_r types $1_gpg_helper_t; + +domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) +uses_shlib($1_gpg_helper_t) + +# allow gpg to fork so it can call the helpers +allow $1_gpg_t self:process { fork sigchld }; +allow $1_gpg_t self:fifo_file { getattr read write }; + +dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; +if (use_nfs_home_dirs) { +dontaudit $1_gpg_helper_t nfs_t:file { read write }; +} +if (use_samba_home_dirs) { +dontaudit $1_gpg_helper_t cifs_t:file { read write }; +} + +# communicate with the user +allow $1_gpg_helper_t $1_t:fd use; +allow $1_gpg_helper_t $1_t:fifo_file write; +# get keys from the network +can_network_client($1_gpg_helper_t) +allow $1_gpg_helper_t port_type:tcp_socket name_connect; +allow $1_gpg_helper_t etc_t:file { getattr read }; +allow $1_gpg_helper_t urandom_device_t:chr_file read; +allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +# for nscd +dontaudit $1_gpg_helper_t var_t:dir search; + +can_pipe_xdm($1_gpg_t) + +')dnl end gpg_domain definition diff --git a/mls/macros/program/gph_macros.te b/mls/macros/program/gph_macros.te new file mode 100644 index 0000000..d784fcc --- /dev/null +++ b/mls/macros/program/gph_macros.te @@ -0,0 +1,85 @@ +# +# Macros for gnome-pty-helper domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# gph_domain(domain_prefix, role_prefix) +# +# Define a derived domain for the gnome-pty-helper program when +# executed by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gnome-pty-helper.te. +# +# The *_gph_t domains are for the gnome_pty_helper program. +# This program is executed by gnome-terminal to handle +# updates to utmp and wtmp. In this regard, it is similar +# to utempter. However, unlike utempter, gnome-pty-helper +# also creates the pty file for the terminal program. +# There is one *_gph_t domain for each user domain. +# +undefine(`gph_domain') +define(`gph_domain',` +# Derived domain based on the calling user domain and the program. +type $1_gph_t, domain, gphdomain, nscd_client_domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gph_exec_t, $1_gph_t) + +# The user role is authorized for this domain. +role $2_r types $1_gph_t; + +# This domain is granted permissions common to most domains. +uses_shlib($1_gph_t) + +# Use capabilities. +allow $1_gph_t self:capability { chown fsetid setgid setuid }; + +# Update /var/run/utmp and /var/log/wtmp. +allow $1_gph_t { var_t var_run_t }:dir search; +allow $1_gph_t initrc_var_run_t:file rw_file_perms; +allow $1_gph_t wtmp_t:file rw_file_perms; + +# Allow gph to rw to stream sockets of appropriate user type. +# (Need this so gnome-pty-helper can pass pty fd to parent +# gnome-terminal which is running in a user domain.) +allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms; + +allow $1_gph_t self:unix_stream_socket create_stream_socket_perms; + +# Allow user domain to use pty fd from gnome-pty-helper. +allow $1_t $1_gph_t:fd use; + +# Use the network, e.g. for NIS lookups. +can_resolve($1_gph_t) +can_ypbind($1_gph_t) + +allow $1_gph_t etc_t:file { getattr read }; + +# Added by David A. Wheeler: +# Allow gnome-pty-helper to update /var/log/lastlog +# (the gnome-pty-helper in Red Hat Linux 7.1 does this): +allow $1_gph_t lastlog_t:file rw_file_perms; +allow $1_gph_t var_log_t:dir search; +allow $1_t $1_gph_t:process signal; + +ifelse($2, `system', ` +# Create ptys for the system +can_create_other_pty($1_gph, initrc) +', ` +# Create ptys for the user domain. +can_create_other_pty($1_gph, $1) + +# Read and write the users tty. +allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms; + +# Allow gnome-pty-helper to write the .xsession-errors file. +allow $1_gph_t home_root_t:dir search; +allow $1_gph_t $1_home_t:dir { search add_name }; +allow $1_gph_t $1_home_t:file { create write }; +')dnl end ifelse system +')dnl end macro diff --git a/mls/macros/program/i18n_input_macros.te b/mls/macros/program/i18n_input_macros.te new file mode 100644 index 0000000..58699fc --- /dev/null +++ b/mls/macros/program/i18n_input_macros.te @@ -0,0 +1,21 @@ +# +# Macros for i18n_input +# + +# +# Authors: Dan Walsh +# + +# +# i18n_input_domain(domain) +# +ifdef(`i18n_input.te', ` +define(`i18n_input_domain', ` +allow i18n_input_t $1_home_dir_t:dir { getattr search }; +r_dir_file(i18n_input_t, $1_home_t) +if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) } +if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) } +') +') + + diff --git a/mls/macros/program/ice_macros.te b/mls/macros/program/ice_macros.te new file mode 100644 index 0000000..b373496 --- /dev/null +++ b/mls/macros/program/ice_macros.te @@ -0,0 +1,38 @@ +# +# ICE related types +# +# Author: Ivan Gyurdiev +# +# ice_domain(prefix, role) - create ICE sockets +# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets + +define(`ice_domain', ` +ifdef(`$1_ice_tmp_t_defined',`', ` +define(`$1_ice_tmp_t_defined') + +# Type for ICE sockets +type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile; +file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t) + +# Create the sockets +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:unix_dgram_socket create_socket_perms; + +# FIXME: How does iceauth tie in? + +') +') + +# FIXME: Should this be bidirectional? +# Adding only unidirectional for now. + +define(`ice_connect', ` + +# Read .ICEauthority file +allow $1_t $2_iceauth_home_t:file { read getattr }; + +can_unix_connect($1_t, $2_t) +allow $1_t ice_tmp_t:dir r_dir_perms; +allow $1_t $2_ice_tmp_t:sock_file { read write }; +allow $1_t $2_t:unix_stream_socket { read write }; +') diff --git a/mls/macros/program/iceauth_macros.te b/mls/macros/program/iceauth_macros.te new file mode 100644 index 0000000..cc7e804 --- /dev/null +++ b/mls/macros/program/iceauth_macros.te @@ -0,0 +1,40 @@ +# +# Macros for iceauth domains. +# +# Author: Ivan Gyurdiev +# +# iceauth_domain(domain_prefix) + +define(`iceauth_domain',` + +# Program type +type $1_iceauth_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t) +role $1_r types $1_iceauth_t; + +# Store .ICEauthority files +home_domain($1, iceauth) +file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file) + +# Supress xdm trying to restore .ICEauthority permissions +ifdef(`xdm.te', ` +dontaudit xdm_t $1_iceauth_home_t:file r_file_perms; +') + +# /root +allow $1_iceauth_t root_t:dir search; + +# Terminal output +access_terminal($1_iceauth_t, $1) + +uses_shlib($1_iceauth_t) + +# ??? +allow $1_iceauth_t etc_t:dir search; +allow $1_iceauth_t usr_t:dir search; + +# FIXME: policy is incomplete + +')dnl end xauth_domain macro diff --git a/mls/macros/program/inetd_macros.te b/mls/macros/program/inetd_macros.te new file mode 100644 index 0000000..e5c4eed --- /dev/null +++ b/mls/macros/program/inetd_macros.te @@ -0,0 +1,97 @@ +################################# +# +# Rules for the $1_t domain. +# +# $1_t is a general domain for daemons started +# by inetd that do not have their own individual domains yet. +# $1_exec_t is the type of the corresponding +# programs. +# +define(`inetd_child_domain', ` +type $1_t, domain, privlog, nscd_client_domain; +role system_r types $1_t; + +# +# Allows user to define a tunable to disable domain transition +# +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(initrc_t, $1_exec_t) +can_exec(sysadm_t, $1_exec_t) +} else { +domain_auto_trans(inetd_t, $1_exec_t, $1_t) +allow inetd_t $1_t:process sigkill; +} + +can_network_server($1_t) +can_ypbind($1_t) +uses_shlib($1_t) +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_socket_perms; +allow $1_t self:fifo_file rw_file_perms; +type $1_exec_t, file_type, sysadmfile, exec_type; +read_locale($1_t) +allow $1_t device_t:dir search; +allow $1_t proc_t:dir search; +allow $1_t proc_t:{ file lnk_file } { getattr read }; +allow $1_t self:process { fork signal_perms }; +allow $1_t fs_t:filesystem getattr; + +read_sysctl($1_t) + +allow $1_t etc_t:file { getattr read }; + +tmp_domain($1) +allow $1_t var_t:dir search; +var_run_domain($1) + +# Inherit and use descriptors from inetd. +allow $1_t inetd_t:fd use; + +# for identd +allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow $1_t self:capability { setuid setgid }; +allow $1_t home_root_t:dir search; +allow $1_t self:dir search; +allow $1_t self:{ lnk_file file } { getattr read }; +can_kerberos($1_t) +allow $1_t urandom_device_t:chr_file r_file_perms; +# Use sockets inherited from inetd. +ifelse($2, `', ` +allow inetd_t $1_port_t:udp_socket name_bind; +allow $1_t inetd_t:udp_socket rw_socket_perms; +allow inetd_t $1_port_t:tcp_socket name_bind; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; +') +ifelse($2, tcp, ` +allow inetd_t $1_port_t:tcp_socket name_bind; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; +') +ifelse($2, udp, ` +allow inetd_t $1_port_t:udp_socket name_bind; +allow $1_t inetd_t:udp_socket rw_socket_perms; +') +r_dir_file($1_t, proc_net_t) +') +define(`remote_login_daemon', ` +inetd_child_domain($1) + +# Execute /bin/login on a new PTY +allow $1_t { bin_t sbin_t }:dir search; +domain_auto_trans($1_t, login_exec_t, remote_login_t) +can_create_pty($1, `, server_pty, userpty_type') +allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ; + +# Append to /var/log/wtmp. +allow $1_t var_log_t:dir search; +allow $1_t wtmp_t:file rw_file_perms; +allow $1_t initrc_var_run_t:file rw_file_perms; + +# Allow reading of /etc/issue.net +allow $1_t etc_runtime_t:file r_file_perms; + +# Allow krb5 $1 to use fork and open /dev/tty for use +allow $1_t userpty_type:chr_file setattr; +allow $1_t devtty_t:chr_file rw_file_perms; +dontaudit $1_t selinux_config_t:dir search; +') diff --git a/mls/macros/program/irc_macros.te b/mls/macros/program/irc_macros.te new file mode 100644 index 0000000..3adaef7 --- /dev/null +++ b/mls/macros/program/irc_macros.te @@ -0,0 +1,85 @@ +# +# Macros for irc domains. +# + +# +# Author: Russell Coker +# + +# +# irc_domain(domain_prefix) +# +# Define a derived domain for the irc program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/irc.te. +# +undefine(`irc_domain') +ifdef(`irc.te', ` +define(`irc_domain',` + +# Home domain +home_domain($1, irc) +file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir) + +# Derived domain based on the calling user domain and the program. +type $1_irc_t, domain; +type $1_irc_exec_t, file_type, sysadmfile, $1_file_type; + +allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms }; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t) + +# The user role is authorized for this domain. +role $1_r types $1_irc_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. +ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;') + +# allow ps to show irc +can_ps($1_t, $1_irc_t) +allow $1_t $1_irc_t:process signal; + +# Use the network. +can_network_client($1_irc_t) +allow $1_irc_t port_type:tcp_socket name_connect; +can_ypbind($1_irc_t) + +allow $1_irc_t usr_t:file { getattr read }; + +access_terminal($1_irc_t, $1) +uses_shlib($1_irc_t) +allow $1_irc_t etc_t:file { read getattr }; +read_locale($1_irc_t) +allow $1_irc_t fs_t:filesystem getattr; +allow $1_irc_t var_t:dir search; +allow $1_irc_t device_t:dir search; +allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; +allow $1_irc_t privfd:fd use; +allow $1_irc_t proc_t:dir search; +allow $1_irc_t { self proc_t }:lnk_file read; +allow $1_irc_t self:dir search; +dontaudit $1_irc_t var_run_t:dir search; + +# allow utmp access +allow $1_irc_t initrc_var_run_t:file { getattr read }; +dontaudit $1_irc_t initrc_var_run_t:file lock; + +# access files under /tmp +file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t) + +ifdef(`ircd.te', ` +can_tcp_connect($1_irc_t, ircd_t) +')dnl end ifdef irc.te +')dnl end macro definition + +', ` + +define(`irc_domain',`') + +')dnl end ifdef irc.te diff --git a/mls/macros/program/java_macros.te b/mls/macros/program/java_macros.te new file mode 100644 index 0000000..874d6dc --- /dev/null +++ b/mls/macros/program/java_macros.te @@ -0,0 +1,93 @@ +# +# Authors: Dan Walsh +# +# Macros for javaplugin (java plugin) domains. +# +# +# javaplugin_domain(domain_prefix, role) +# +# Define a derived domain for the javaplugin program when executed by +# a web browser. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/java.te. +# +define(`javaplugin_domain',` +type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool; + +# The user role is authorized for this domain. +role $2_r types $1_javaplugin_t; +domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) + +allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms; +# Unrestricted inheritance from the caller. +allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh }; +allow $1_javaplugin_t $1_t:process signull; + +can_unix_connect($1_javaplugin_t, $1_t) +allow $1_javaplugin_t $1_t:unix_stream_socket { read write }; + +# This domain is granted permissions common to most domains (including can_net) +can_network_client($1_javaplugin_t) +allow $1_javaplugin_t port_type:tcp_socket name_connect; +can_ypbind($1_javaplugin_t) +allow $1_javaplugin_t self:process { fork signal_perms getsched setsched }; +allow $1_javaplugin_t self:fifo_file rw_file_perms; +allow $1_javaplugin_t etc_runtime_t:file { getattr read }; +allow $1_javaplugin_t fs_t:filesystem getattr; +r_dir_file($1_javaplugin_t, { proc_t proc_net_t }) +allow $1_javaplugin_t self:dir search; +allow $1_javaplugin_t self:lnk_file read; +allow $1_javaplugin_t self:file { getattr read }; + +read_sysctl($1_javaplugin_t) +allow $1_javaplugin_t sysctl_vm_t:dir search; + +tmp_domain($1_javaplugin) +read_fonts($1_javaplugin_t, $2) +r_dir_file($1_javaplugin_t,{ usr_t etc_t }) + +# Search bin directory under javaplugin for javaplugin executable +allow $1_javaplugin_t bin_t:dir search; +can_exec($1_javaplugin_t, java_exec_t) + +# libdeploy.so legacy +allow $1_javaplugin_t texrel_shlib_t:file execmod; +if (allow_execmem) { +allow $1_javaplugin_t self:process execmem; +} + +# Connect to X server +x_client_domain($1_javaplugin, $2) + +uses_shlib($1_javaplugin_t) +read_locale($1_javaplugin_t) +rw_dir_file($1_javaplugin_t, $1_home_t) + +if (allow_java_execstack) { +legacy_domain($1_javaplugin) +allow $1_javaplugin_t lib_t:file execute; +allow $1_javaplugin_t locale_t:file execute; +allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; +allow $1_javaplugin_t fonts_t:file execute; +allow $1_javaplugin_t sound_device_t:chr_file execute; +} + +allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms; + +allow $1_javaplugin_t home_root_t:dir { getattr search }; +file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t) +allow $1_javaplugin_t $2_xauth_home_t:file { getattr read }; +allow $1_javaplugin_t $2_tmp_t:sock_file write; +allow $1_javaplugin_t $2_t:fd use; + +allow $1_javaplugin_t var_t:dir getattr; +allow $1_javaplugin_t var_lib_t:dir { getattr search }; + +dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write }; +dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write }; +dontaudit $1_javaplugin_t devtty_t:chr_file { read write }; +dontaudit $1_javaplugin_t tmpfs_t:file { execute read write }; +dontaudit $1_javaplugin_t $1_home_t:file { execute setattr }; + +') diff --git a/mls/macros/program/kerberos_macros.te b/mls/macros/program/kerberos_macros.te new file mode 100644 index 0000000..91850d3 --- /dev/null +++ b/mls/macros/program/kerberos_macros.te @@ -0,0 +1,11 @@ +define(`can_kerberos',` +ifdef(`kerberos.te',` +if (allow_kerberos) { +can_network_client($1, `kerberos_port_t') +allow $1 kerberos_port_t:tcp_socket name_connect; +can_resolve($1) +} +') dnl kerberos.te +dontaudit $1 krb5_conf_t:file write; +allow $1 krb5_conf_t:file { getattr read }; +') diff --git a/mls/macros/program/lockdev_macros.te b/mls/macros/program/lockdev_macros.te new file mode 100644 index 0000000..28f7c01 --- /dev/null +++ b/mls/macros/program/lockdev_macros.te @@ -0,0 +1,46 @@ +# +# Macros for lockdev domains. +# + +# +# Authors: Daniel Walsh +# + +# +# lockdev_domain(domain_prefix) +# +# Define a derived domain for the lockdev programs when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/lockdev.te. +# +undefine(`lockdev_domain') +define(`lockdev_domain',` +# Derived domain based on the calling user domain and the program +type $1_lockdev_t, domain, privlog; +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t) + +# The user role is authorized for this domain. +role $1_r types $1_lockdev_t; +# Use capabilities. +allow $1_lockdev_t self:capability setgid; +allow $1_lockdev_t $1_t:process signull; + +allow $1_lockdev_t var_t:dir search; + +lock_domain($1_lockdev) + +r_dir_file($1_lockdev_t, lockfile) + +allow $1_lockdev_t device_t:dir search; +allow $1_lockdev_t null_device_t:chr_file rw_file_perms; +access_terminal($1_lockdev_t, $1) +dontaudit $1_lockdev_t root_t:dir search; + +uses_shlib($1_lockdev_t) +allow $1_lockdev_t fs_t:filesystem getattr; + +')dnl end macro definition + diff --git a/mls/macros/program/login_macros.te b/mls/macros/program/login_macros.te new file mode 100644 index 0000000..0d0993c --- /dev/null +++ b/mls/macros/program/login_macros.te @@ -0,0 +1,11 @@ +# Macros for login type programs (/bin/login, sshd, etc). +# +# Author: Russell Coker +# + +define(`login_spawn_domain', ` +domain_trans($1_t, shell_exec_t, $2) + +# Signal the user domains. +allow $1_t $2:process signal; +') diff --git a/mls/macros/program/lpr_macros.te b/mls/macros/program/lpr_macros.te new file mode 100644 index 0000000..d8b3b31 --- /dev/null +++ b/mls/macros/program/lpr_macros.te @@ -0,0 +1,117 @@ +# +# Macros for lpr domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# lpr_domain(domain_prefix) +# +# Define a derived domain for the lpr/lpq/lprm programs when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/lpr.te. +# +undefine(`lpr_domain') +define(`lpr_domain',` +# Derived domain based on the calling user domain and the program +type $1_lpr_t, domain, privlog, nscd_client_domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t) + +allow $1_t $1_lpr_t:process signull; + +# allow using shared objects, accessing root dir, etc +uses_shlib($1_lpr_t) + +read_locale($1_lpr_t) + +# The user role is authorized for this domain. +role $1_r types $1_lpr_t; + +# This domain is granted permissions common to most domains (including can_net) +can_network_client($1_lpr_t) +allow $1_lpr_t port_type:tcp_socket name_connect; +can_ypbind($1_lpr_t) + +# Use capabilities. +allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown }; + +allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; + +# for lpd config files (should have a new type) +r_dir_file($1_lpr_t, etc_t) + +# for test print +r_dir_file($1_lpr_t, usr_t) +ifdef(`lpd.te', ` +r_dir_file($1_lpr_t, printconf_t) +') + +tmp_domain($1_lpr) + +# Type for spool files. +type $1_print_spool_t, file_type, sysadmfile; +# Use this type when creating files in /var/spool/lpd and /var/spool/cups. +file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file) +allow $1_lpr_t var_spool_t:dir search; + +# for /dev/null +allow $1_lpr_t device_t:dir search; + +# Access the terminal. +access_terminal($1_lpr_t, $1) + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;') +allow $1_lpr_t privfd:fd use; + +# Read user files. +read_content(sysadm_lpr_t, $1) +read_content($1_lpr_t, $1) + +# Read and write shared files in the spool directory. +allow $1_lpr_t print_spool_t:file rw_file_perms; + +# lpr can run in lightweight mode, without a local print spooler. If the +# lpd policy is present, grant some permissions for this domain and the lpd +# domain to interact. +ifdef(`lpd.te', ` +allow $1_lpr_t { var_t var_run_t }:dir search; +allow $1_lpr_t lpd_var_run_t:dir search; +allow $1_lpr_t lpd_var_run_t:sock_file write; + +# Allow lpd to read, rename, and unlink spool files. +allow lpd_t $1_print_spool_t:file r_file_perms; +allow lpd_t $1_print_spool_t:file link_file_perms; + +# Connect to lpd via a Unix domain socket. +allow $1_lpr_t printer_t:sock_file rw_file_perms; +can_unix_connect($1_lpr_t, lpd_t) +dontaudit $1_lpr_t $1_t:unix_stream_socket { read write }; + +# Connect to lpd via a TCP socket. +can_tcp_connect($1_lpr_t, lpd_t) + +allow $1_lpr_t fs_t:filesystem getattr; +# Send SIGHUP to lpd. +allow $1_lpr_t lpd_t:process signal; + +')dnl end if lpd.te + +ifdef(`xdm.te', ` +can_pipe_xdm($1_lpr_t) +') + +ifdef(`cups.te', ` +allow { $1_lpr_t $1_t } cupsd_etc_t:dir search; +allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read }; +can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t) +')dnl end ifdef cups.te + +')dnl end macro definition + diff --git a/mls/macros/program/mail_client_macros.te b/mls/macros/program/mail_client_macros.te new file mode 100644 index 0000000..da22a62 --- /dev/null +++ b/mls/macros/program/mail_client_macros.te @@ -0,0 +1,68 @@ +# +# Shared macro for mail clients +# +# Author: Ivan Gyurdiev +# + +######################################## +# mail_client_domain(client, role_prefix) +# + +define(`mail_client_domain', ` + +# Allow netstat +# Startup shellscripts +allow $1_t bin_t:dir r_dir_perms; +allow $1_t bin_t:lnk_file r_file_perms; +can_exec($1_t, bin_t) +r_dir_file($1_t, proc_net_t) +allow $1_t sysctl_net_t:dir search; + +# Allow DNS +can_resolve($1_t) + +# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) +can_ypbind($1_t) +can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }) +allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect; + +# Allow printing the mail +ifdef(`cups.te',` +allow $1_t cupsd_etc_t:dir r_dir_perms; +allow $1_t cupsd_rw_etc_t:file r_file_perms; +') +ifdef(`lpr.te', ` +domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t) +') + +# Attachments +read_content($1_t, $2, mail) + +# Save mail +write_untrusted($1_t, $2) + +# Encrypt mail +ifdef(`gpg.te', ` +domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t) +allow $1_t $2_gpg_t:process signal; +') + +# Start links in web browser +ifdef(`mozilla.te', ` +can_exec($1_t, shell_exec_t) +domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t) +') +ifdef(`dbusd.te', ` +dbusd_client(system, $1) +allow $1_t system_dbusd_t:dbus send_msg; +dbusd_client($2, $1) +allow $1_t $2_dbusd_t:dbus send_msg; +ifdef(`cups.te', ` +allow cupsd_t $1_t:dbus send_msg; +') +') +# Allow the user domain to signal/ps. +can_ps($2_t, $1_t) +allow $2_t $1_t:process signal_perms; + +') diff --git a/mls/macros/program/mount_macros.te b/mls/macros/program/mount_macros.te new file mode 100644 index 0000000..0aa0577 --- /dev/null +++ b/mls/macros/program/mount_macros.te @@ -0,0 +1,90 @@ +# +# Macros for mount +# +# Author: Brian May +# Extended by Russell Coker +# + +# +# mount_domain(domain_prefix,dst_domain_prefix) +# +# Define a derived domain for the mount program for anyone. +# +define(`mount_domain', ` +# +# Rules for the $2_t domain, used by the $1_t domain. +# +# $2_t is the domain for the mount process. +# +# This macro will not be included by all users and it may be included twice if +# called from other macros, so we need protection for this do not call this +# macro if $2_def is defined +define(`$2_def', `') +# +type $2_t, domain, privlog $3, nscd_client_domain; + +allow $2_t sysfs_t:dir search; + +uses_shlib($2_t) + +role $1_r types $2_t; +# when mount is run by $1 goto $2_t domain +domain_auto_trans($1_t, mount_exec_t, $2_t) + +allow $2_t proc_t:dir search; +allow $2_t proc_t:file { getattr read }; + +# +# Allow mounting of cdrom by user +# +allow $2_t device_type:blk_file getattr; + +tmp_domain($2) + +# Use capabilities. +allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown }; + +allow $2_t self:unix_stream_socket create_socket_perms; + +# Create and modify /etc/mtab. +file_type_auto_trans($2_t, etc_t, etc_runtime_t, file) + +allow $2_t etc_t:file { getattr read }; + +read_locale($2_t) + +allow $2_t home_root_t:dir search; +allow $2_t $1_home_dir_t:dir search; +allow $2_t noexattrfile:filesystem { mount unmount }; +allow $2_t fs_t:filesystem getattr; +allow $2_t removable_t:filesystem { mount unmount }; +allow $2_t mnt_t:dir { mounton search }; +allow $2_t sbin_t:dir search; + +# Access the terminal. +access_terminal($2_t, $1) +ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;') +allow $2_t var_t:dir search; +allow $2_t var_run_t:dir search; + +ifdef(`distro_redhat',` +ifdef(`pamconsole.te',` +r_dir_file($2_t,pam_var_console_t) +# mount config by default sets fscontext=removable_t +allow $2_t dosfs_t:filesystem relabelfrom; +') dnl end pamconsole.te +') dnl end distro_redhat +') dnl end mount_domain + +# mount_loopback_privs(domain_prefix,dst_domain_prefix) +# +# Add loopback mounting privileges to a particular derived +# mount domain. +# +define(`mount_loopback_privs',` +type $1_$2_source_t, file_type, sysadmfile, $1_file_type; +allow $1_t $1_$2_source_t:file create_file_perms; +allow $1_t $1_$2_source_t:file { relabelto relabelfrom }; +allow $2_t $1_$2_source_t:file rw_file_perms; +') + diff --git a/mls/macros/program/mozilla_macros.te b/mls/macros/program/mozilla_macros.te new file mode 100644 index 0000000..cc8afb0 --- /dev/null +++ b/mls/macros/program/mozilla_macros.te @@ -0,0 +1,157 @@ +# +# Macros for mozilla/mozilla (or other browser) domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# mozilla_domain(domain_prefix) +# +# Define a derived domain for the mozilla/mozilla program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/mozilla.te. +# + +# FIXME: Rules were removed to centralize policy in a gnome_app macro +# A similar thing might be necessary for mozilla compiled without GNOME +# support (is this possible?). + +define(`mozilla_domain',` + +type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog; + +# Type transition +if (! disable_mozilla_trans) { +domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t) +} +role $1_r types $1_mozilla_t; + +# X access, Home files +home_domain($1, mozilla) +x_client_domain($1_mozilla, $1) + +# GNOME integration +ifdef(`gnome.te', ` +gnome_application($1_mozilla, $1) +gnome_file_dialog($1_mozilla, $1) +') + +# Look for plugins +allow $1_mozilla_t bin_t:dir { getattr read search }; + +# Browse the web, connect to printer +can_resolve($1_mozilla_t) +can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } ) +allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect; + +# Should not need other ports +dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind }; + +allow $1_mozilla_t sound_device_t:chr_file rw_file_perms; +dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms; + +# Unrestricted inheritance from the caller. +allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh }; +allow $1_mozilla_t $1_t:process signull; + +# Allow the user domain to signal/ps. +can_ps($1_t, $1_mozilla_t) +allow $1_t $1_mozilla_t:process signal_perms; + +# Access /proc, sysctl +allow $1_mozilla_t proc_t:dir search; +allow $1_mozilla_t proc_t:file { getattr read }; +allow $1_mozilla_t proc_t:lnk_file read; +allow $1_mozilla_t sysctl_net_t:dir search; +allow $1_mozilla_t sysctl_t:dir search; + +# /var/lib +allow $1_mozilla_t var_lib_t:dir search; +allow $1_mozilla_t var_lib_t:file { getattr read }; + +# Self permissions +allow $1_mozilla_t self:socket create_socket_perms; +allow $1_mozilla_t self:file { getattr read }; +allow $1_mozilla_t self:sem create_sem_perms; + +# for bash - old mozilla binary +can_exec($1_mozilla_t, mozilla_exec_t) +can_exec($1_mozilla_t, shell_exec_t) +can_exec($1_mozilla_t, bin_t) +allow $1_mozilla_t bin_t:lnk_file read; +allow $1_mozilla_t device_t:dir r_dir_perms; +allow $1_mozilla_t self:dir search; +allow $1_mozilla_t self:lnk_file read; +r_dir_file($1_mozilla_t, proc_net_t) + +# interacting with gstreamer +r_dir_file($1_mozilla_t, var_t) + +# Uploads, local html +read_content($1_mozilla_t, $1, mozilla) + +# Save web pages +write_untrusted($1_mozilla_t, $1) + +# Mozpluggerrc +allow $1_mozilla_t mozilla_conf_t:file r_file_perms; + +######### Java plugin +ifdef(`java.te', ` +javaplugin_domain($1_mozilla, $1) +') dnl java.te + +######### Print web content +ifdef(`cups.te', ` +allow $1_mozilla_t cupsd_etc_t:dir search; +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; +') +ifdef(`lpr.te', ` +domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t) +dontaudit $1_lpr_t $1_mozilla_home_t:file { read write }; +dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write }; +') dnl if lpr.te + +######### Launch mplayer +ifdef(`mplayer.te', ` +domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t) +dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; +dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; +dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; +')dnl end if mplayer.te + +######### Launch email client, and make webcal links work +ifdef(`evolution.te', ` +domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) +domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) +') dnl if evolution.te + +ifdef(`thunderbird.te', ` +domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t) +') dnl if evolution.te + +if (allow_execmem) { +allow $1_mozilla_t self:process { execmem execstack }; +} +allow $1_mozilla_t texrel_shlib_t:file execmod; + +ifdef(`dbusd.te', ` +dbusd_client(system, $1_mozilla) +allow $1_mozilla_t system_dbusd_t:dbus send_msg; +ifdef(`cups.te', ` +allow cupsd_t $1_mozilla_t:dbus send_msg; +') +') + +ifdef(`apache.te', ` +ifelse($1, sysadm, `', ` +r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t }) +') +') + +')dnl end mozilla macro + diff --git a/mls/macros/program/mplayer_macros.te b/mls/macros/program/mplayer_macros.te new file mode 100644 index 0000000..6d06757 --- /dev/null +++ b/mls/macros/program/mplayer_macros.te @@ -0,0 +1,159 @@ +# +# Macros for mplayer +# +# Author: Ivan Gyurdiev +# +# mplayer_domains(user) declares domains for mplayer, gmplayer, +# and mencoder + +##################################################### +# mplayer_common(role_prefix, mplayer_domain) # +##################################################### + +define(`mplayer_common',` + +# Read global config +r_dir_file($1_$2_t, mplayer_etc_t) + +# Allow the user domain to signal/ps. +can_ps($1_t, $1_$2_t) +allow $1_t $1_$2_t:process signal_perms; + +# Read data in /usr/share (fonts, icons..) +r_dir_file($1_$2_t, usr_t) + +# Read /proc files and directories +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. +allow $1_$2_t proc_t:dir search; +allow $1_$2_t proc_t:file { getattr read }; + +# Sysctl on kernel version +read_sysctl($1_$2_t) + +# Allow ps, shared libs, locale, terminal access +can_ps($1_t, $1_$2_t) +uses_shlib($1_$2_t) +read_locale($1_$2_t) +access_terminal($1_$2_t, $1) + +# Required for win32 binary loader +allow $1_$2_t zero_device_t:chr_file { read write execute }; +if (allow_execmem) { +allow $1_$2_t self:process execmem; +} + +if (allow_execmod) { +allow $1_$2_t zero_device_t:chr_file execmod; +} +allow $1_$2_t texrel_shlib_t:file execmod; + +# Access to DVD/CD/V4L +allow $1_$2_t device_t:dir r_dir_perms; +allow $1_$2_t device_t:lnk_file { getattr read }; +allow $1_$2_t removable_device_t:blk_file { getattr read }; +allow $1_$2_t v4l_device_t:chr_file { getattr read }; + +# Legacy domain issues +if (allow_mplayer_execstack) { +legacy_domain($1_$2) +allow $1_$2_t lib_t:file execute; +allow $1_$2_t locale_t:file execute; +allow $1_$2_t sound_device_t:chr_file execute; +} +') + +################################### +# mplayer_domain(role_prefix) # +################################### + +define(`mplayer_domain',` + +type $1_mplayer_t, domain, nscd_client_domain; + +# Type transition +domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t) +role $1_r types $1_mplayer_t; + +# Home access, X access +home_domain($1, mplayer) +x_client_domain($1_mplayer, $1) + +# Mplayer common stuff +mplayer_common($1, mplayer) + +# Fork +allow $1_mplayer_t self:process { fork signal_perms getsched }; +allow $1_mplayer_t self:fifo_file rw_file_perms; + +# Audio, alsa.conf +allow $1_mplayer_t sound_device_t:chr_file rw_file_perms; +allow $1_mplayer_t etc_t:file { getattr read }; +r_dir_file($1_mplayer_t, alsa_etc_rw_t); + +# RTC clock +allow $1_mplayer_t clock_device_t:chr_file { ioctl read }; + +# Legacy domain issues +if (allow_mplayer_execstack) { +allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute; +} + +#======gmplayer gui==========# +# File dialogs +dontaudit_getattr($1_mplayer_t) +dontaudit_read_dir($1_mplayer_t) +dontaudit_search_dir($1_mplayer_t) + +# Unfortunately the ancient file dialog starts in / +allow $1_mplayer_t home_root_t:dir read; + +# Read /etc/mtab +allow $1_mplayer_t etc_runtime_t:file { read getattr }; + +# Run bash/sed (??) +allow $1_mplayer_t bin_t:dir search; +allow $1_mplayer_t bin_t:lnk_file read; +can_exec($1_mplayer_t, bin_t) +can_exec($1_mplayer_t, shell_exec_t) +#============================# + +# Read songs +read_content($1_mplayer_t, $1) + +') dnl end mplayer_domain + +################################### +# mencoder_domain(role_prefix) # +################################### + +define(`mencoder_domain',` + +type $1_mencoder_t, domain; + +# Type transition +domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t) +role $1_r types $1_mencoder_t; + +# Access mplayer home domain +home_domain_access($1_mencoder_t, $1, mplayer) + +# Mplayer common stuff +mplayer_common($1, mencoder) + +# Read content to encode +read_content($1_mencoder_t, $1) + +# Save encoded files +write_trusted($1_mencoder_t, $1) + +') dnl end mencoder_domain + +############################# +# mplayer_domains(role) # +############################# + +define(`mplayer_domains', ` +mplayer_domain($1) +mencoder_domain($1) +') dnl end mplayer_domains + diff --git a/mls/macros/program/mta_macros.te b/mls/macros/program/mta_macros.te new file mode 100644 index 0000000..b221f54 --- /dev/null +++ b/mls/macros/program/mta_macros.te @@ -0,0 +1,121 @@ +# Macros for MTA domains. +# + +# +# Author: Russell Coker +# Based on the work of: Stephen Smalley +# Timothy Fraser +# + +# +# mail_domain(domain_prefix) +# +# Define a derived domain for the sendmail program when executed by +# a user domain to send outgoing mail. These domains are separate and +# independent of the domain used for the sendmail daemon process. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/mta.te. +# +undefine(`mail_domain') +define(`mail_domain',` +# Derived domain based on the calling user domain and the program. +type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain; + +ifdef(`sendmail.te', ` +sendmail_user_domain($1) +') + +can_exec($1_mail_t, sendmail_exec_t) +allow $1_mail_t sendmail_exec_t:lnk_file { getattr read }; + +# The user role is authorized for this domain. +role $1_r types $1_mail_t; + +uses_shlib($1_mail_t) +can_network_client_tcp($1_mail_t) +allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect; +can_resolve($1_mail_t) +can_ypbind($1_mail_t) +allow $1_mail_t self:unix_dgram_socket create_socket_perms; +allow $1_mail_t self:unix_stream_socket create_socket_perms; + +read_locale($1_mail_t) +read_sysctl($1_mail_t) +allow $1_mail_t device_t:dir search; +allow $1_mail_t { var_t var_spool_t }:dir search; +allow $1_mail_t self:process { fork signal_perms setrlimit }; +allow $1_mail_t sbin_t:dir search; + +# It wants to check for nscd +dontaudit $1_mail_t var_run_t:dir search; + +# Use capabilities +allow $1_mail_t self:capability { setuid setgid chown }; + +# Execute procmail. +can_exec($1_mail_t, bin_t) +ifdef(`procmail.te',` +can_exec($1_mail_t, procmail_exec_t)') + +ifelse(`$1', `system', ` +# Transition from a system domain to the derived domain. +domain_auto_trans(privmail, sendmail_exec_t, system_mail_t) +allow privmail sendmail_exec_t:lnk_file { getattr read }; + +ifdef(`crond.te', ` +# Read cron temporary files. +allow system_mail_t system_crond_tmp_t:file { read getattr ioctl }; +allow mta_user_agent system_crond_tmp_t:file { read getattr }; +') +can_access_pty(system_mail_t, initrc) + +', ` +# For when the user wants to send mail via port 25 localhost +can_tcp_connect($1_t, mail_server_domain) + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t) +allow $1_t sendmail_exec_t:lnk_file { getattr read }; + +# Read user temporary files. +allow $1_mail_t $1_tmp_t:file r_file_perms; +dontaudit $1_mail_t $1_tmp_t:file append; +ifdef(`postfix.te', ` +# postfix seems to need write access if the file handle is opened read/write +allow $1_mail_t $1_tmp_t:file write; +')dnl end if postfix + +allow mta_user_agent $1_tmp_t:file { read getattr }; + +# Write to the user domain tty. +access_terminal(mta_user_agent, $1) +access_terminal($1_mail_t, $1) + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') +allow $1_mail_t privfd:fd use; + +# Create dead.letter in user home directories. +file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) + +if (use_samba_home_dirs) { +rw_dir_create_file($1_mail_t, cifs_t) +} + +# if you do not want to allow dead.letter then use the following instead +#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; +#allow $1_mail_t $1_home_t:file r_file_perms; + +# for reading .forward - maybe we need a new type for it? +# also for delivering mail to maildir +file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) +')dnl end if system + +allow $1_mail_t etc_t:file { getattr read }; +ifdef(`qmail.te', ` +allow $1_mail_t qmail_etc_t:dir search; +allow $1_mail_t qmail_etc_t:{ file lnk_file } read; +')dnl end if qmail + +') diff --git a/mls/macros/program/newrole_macros.te b/mls/macros/program/newrole_macros.te new file mode 100644 index 0000000..0d52282 --- /dev/null +++ b/mls/macros/program/newrole_macros.te @@ -0,0 +1,97 @@ +# Authors: Anthony Colatrella (NSA) Stephen Smalley +# Russell Coker + +# This macro defines the rules for a newrole like program, it is used by +# newrole.te and sudo.te, but may be used by other policy at some later time. + +define(`newrole_domain', ` +# Rules for the $1_t domain. +# +# $1_t is the domain for the program. +# $1_exec_t is the type of the executable. +# +type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2; +in_user_role($1_t) +role sysadm_r types $1_t; + +general_domain_access($1_t); + +uses_shlib($1_t) +read_locale($1_t) +read_sysctl($1_t) + +allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read }; + +# for when the user types "exec newrole" at the command line +allow $1_t privfd:process sigchld; + +# Inherit descriptors from the current session. +allow $1_t privfd:fd use; + +# Execute /sbin/pwdb_chkpwd to check the password. +allow $1_t sbin_t:dir r_dir_perms; + +# Execute shells +allow $1_t bin_t:dir r_dir_perms; +allow $1_t bin_t:lnk_file read; +allow $1_t shell_exec_t:file r_file_perms; + +allow $1_t urandom_device_t:chr_file { getattr read }; + +# Allow $1_t to transition to user domains. +domain_trans($1_t, shell_exec_t, unpriv_userdomain) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_t, shell_exec_t, sysadm_t) +} + +can_setexec($1_t) + +allow $1_t autofs_t:dir search; + +# Use capabilities. +allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override }; + +# Read the devpts root directory. +allow $1_t devpts_t:dir r_dir_perms; + +# Read the /etc/security/default_type file +r_dir_file($1_t, default_context_t) +r_dir_file($1_t, selinux_config_t) +allow $1_t etc_t:file r_file_perms; + +# Read /var. +r_dir_file($1_t, var_t) + +# Read /dev directories and any symbolic links. +allow $1_t device_t:dir r_dir_perms; + +# Relabel terminals. +allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. +allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +ifdef(`distro_debian', ` +# for /etc/alternatives +allow $1_t etc_t:lnk_file read; +') + +# +# Allow newrole to obtain contexts to relabel TTYs +# +can_getsecurity($1_t) + +allow $1_t fs_t:filesystem getattr; + +# for some PAM modules and for cwd +dontaudit $1_t { home_root_t home_type }:dir search; + +allow $1_t proc_t:dir search; +allow $1_t proc_t:file { getattr read }; + +# for when the network connection is killed +dontaudit unpriv_userdomain $1_t:process signal; +') diff --git a/mls/macros/program/orbit_macros.te b/mls/macros/program/orbit_macros.te new file mode 100644 index 0000000..b2dd5d1 --- /dev/null +++ b/mls/macros/program/orbit_macros.te @@ -0,0 +1,44 @@ +# +# ORBit related types +# +# Author: Ivan Gyurdiev +# +# orbit_domain(prefix, role_prefix) - create ORBit sockets +# orbit_connect(type1_prefix, type2_prefix) +# - allow communication through ORBit sockets from type1 to type2 + +define(`orbit_domain', ` + +# Protect against double inclusion for speed and correctness +ifdef(`orbit_domain_$1_$2', `', ` +define(`orbit_domain_$1_$2') + +# Relabel directory (startup script) +allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto }; + +# Type for ORBit sockets +type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile; +file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t) +allow $1_t tmp_t:dir { read search getattr }; + +# Create the sockets +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:unix_dgram_socket create_socket_perms; + +# Use random device(s) +allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl }; + +# Why do they do that? +dontaudit $1_t $2_orbit_tmp_t:dir setattr; + +') dnl ifdef orbit_domain_args +') dnl orbit_domain + +########################## + +define(`orbit_connect', ` + +can_unix_connect($1_t, $2_t) +allow $1_t $2_orbit_tmp_t:sock_file write; + +') dnl orbit_connect diff --git a/mls/macros/program/pyzor_macros.te b/mls/macros/program/pyzor_macros.te new file mode 100644 index 0000000..af67d30 --- /dev/null +++ b/mls/macros/program/pyzor_macros.te @@ -0,0 +1,69 @@ +# +# Pyzor - Pyzor is a collaborative, networked system to detect and +# block spam using identifying digests of messages. +# +# Author: David Hampton +# + +########## +# common definitions for pyzord and all flavors of pyzor +########## +define(`pyzor_base_domain',` + +# Networking +can_network_client_tcp($1_t, http_port_t); +can_network_udp($1_t, pyzor_port_t); +can_resolve($1_t); + +general_proc_read_access($1_t) + +tmp_domain($1) + +allow $1_t bin_t:dir { getattr search }; +allow $1_t bin_t:file getattr; +allow $1_t lib_t:file { getattr read }; +allow $1_t { var_t var_lib_t var_run_t }:dir search; +uses_shlib($1_t) + +# Python does a getattr on this file +allow $1_t pyzor_exec_t:file getattr; + +# mktemp and other randoms +allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms; + +# Allow access to various files in the /etc/directory including mtab +# and nsswitch +allow $1_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale($1_t) +') + + +# +# Define a user domain for a pyzor +# +# Note: expects to be called with an argument of user, sysadm + +define(`pyzor_domain',` +type $1_pyzor_t, domain, privlog, nscd_client_domain; +role $1_r types $1_pyzor_t; +domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t) + +pyzor_base_domain($1_pyzor) + +# Per-user config/data files +home_domain($1, pyzor) +file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir) + +# System config files +r_dir_file($1_pyzor_t, pyzor_etc_t) + +# System data files +r_dir_file($1_pyzor_t, pyzor_var_lib_t); + +allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms; + +# Allow pyzor to be run by hand. Needed by any action other than +# invocation from a spam filter. +can_access_pty($1_pyzor_t, $1) +allow $1_pyzor_t sshd_t:fd use; +') diff --git a/mls/macros/program/razor_macros.te b/mls/macros/program/razor_macros.te new file mode 100644 index 0000000..e4c7c55 --- /dev/null +++ b/mls/macros/program/razor_macros.te @@ -0,0 +1,75 @@ +# +# Razor - Razor is a collaborative, networked system to detect and +# block spam using identifying digests of messages. +# +# Author: David Hampton +# + +########## +# common definitions for razord and all flavors of razor +########## +define(`razor_base_domain',` + +# Razor is one executable and several symlinks +allow $1_t razor_exec_t:{ file lnk_file } { getattr read }; + +# Networking +can_network_client_tcp($1_t, razor_port_t) +can_resolve($1_t); + +general_proc_read_access($1_t) + +# Read system config file +r_dir_file($1_t, razor_etc_t) + +# Update razor common files +file_type_auto_trans($1_t, var_log_t, razor_log_t, file) +create_dir_file($1_t, razor_log_t) +allow $1_t var_lib_t:dir search; +create_dir_file($1_t, razor_var_lib_t) + +allow $1_t bin_t:dir { getattr search }; +allow $1_t bin_t:file getattr; +allow $1_t lib_t:file { getattr read }; +allow $1_t { var_t var_run_t }:dir search; +uses_shlib($1_t) + +# Razor forks other programs to do part of its work. +general_domain_access($1_t) +can_exec($1_t, bin_t) + +# mktemp and other randoms +allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms; + +# Allow access to various files in the /etc/directory including mtab +# and nsswitch +allow $1_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale($1_t) +') + + +# +# Define a user domain for a razor +# +# Note: expects to be called with an argument of user, sysadm + +define(`razor_domain',` +type $1_razor_t, domain, privlog, nscd_client_domain; +role $1_r types $1_razor_t; +domain_auto_trans($1_t, razor_exec_t, $1_razor_t) + +razor_base_domain($1_razor) + +# Per-user config/data files +home_domain($1, razor) +file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir) + +tmp_domain($1_razor) + +allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; + +# Allow razor to be run by hand. Needed by any action other than +# invocation from a spam filter. +can_access_pty($1_razor_t, $1) +allow $1_razor_t sshd_t:fd use; +') diff --git a/mls/macros/program/resmgrd_macros.te b/mls/macros/program/resmgrd_macros.te new file mode 100644 index 0000000..ec0ac60 --- /dev/null +++ b/mls/macros/program/resmgrd_macros.te @@ -0,0 +1,11 @@ +# Macro for resmgrd + +define(`can_resmgrd_connect', ` +ifdef(`resmgrd.te', ` +allow $1 resmgrd_t:unix_stream_socket connectto; +allow $1 { var_t var_run_t }:dir search; +allow $1 resmgrd_var_run_t:sock_file write; +allow $1 resmgrd_t:fd use; +') +') + diff --git a/mls/macros/program/rhgb_macros.te b/mls/macros/program/rhgb_macros.te new file mode 100644 index 0000000..9700fba --- /dev/null +++ b/mls/macros/program/rhgb_macros.te @@ -0,0 +1,8 @@ + +define(`rhgb_domain', ` +ifdef(`rhgb.te', ` +allow $1 rhgb_t:process sigchld; +allow $1 rhgb_t:fd use; +allow $1 rhgb_t:fifo_file { read write }; +')dnl end ifdef +') diff --git a/mls/macros/program/rssh_macros.te b/mls/macros/program/rssh_macros.te new file mode 100644 index 0000000..33fbdb5 --- /dev/null +++ b/mls/macros/program/rssh_macros.te @@ -0,0 +1,58 @@ +# +# Macros for Rssh domains +# +# Author: Colin Walters +# + +# +# rssh_domain(domain_prefix) +# +# Define a specific rssh domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/rssh.te. +# +undefine(`rssh_domain') +ifdef(`rssh.te', ` +define(`rssh_domain',` +type rssh_$1_t, domain, userdomain, privlog, privfd; +role rssh_$1_r types rssh_$1_t; +allow system_r rssh_$1_r; + +type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type; +type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type; + +general_domain_access(rssh_$1_t); +uses_shlib(rssh_$1_t); +base_file_read_access(rssh_$1_t); +allow rssh_$1_t var_t:dir r_dir_perms; +r_dir_file(rssh_$1_t, etc_t); +allow rssh_$1_t etc_runtime_t:file { getattr read }; +r_dir_file(rssh_$1_t, locale_t); +can_exec(rssh_$1_t, bin_t); + +allow rssh_$1_t proc_t:dir { getattr search }; +allow rssh_$1_t proc_t:lnk_file { getattr read }; + +r_dir_file(rssh_$1_t, rssh_$1_ro_t); +create_dir_file(rssh_$1_t, rssh_$1_rw_t); + +can_create_pty(rssh_$1, `, userpty_type, user_tty_type') +# Use the type when relabeling pty devices. +type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t; + +ifdef(`ssh.te',` +allow rssh_$1_t sshd_t:fd use; +allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms; +allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms; +# For reading /home/user/.ssh +r_dir_file(sshd_t, rssh_$1_ro_t); +domain_trans(sshd_t, rssh_exec_t, rssh_$1_t); +') +') + +', ` + +define(`rssh_domain',`') + +') diff --git a/mls/macros/program/run_program_macros.te b/mls/macros/program/run_program_macros.te new file mode 100644 index 0000000..c98bbee --- /dev/null +++ b/mls/macros/program/run_program_macros.te @@ -0,0 +1,73 @@ + +# $1 is the source domain (or domains), $2 is the source role (or roles) and $3 +# is the base name for the domain to run. $1 is normally sysadm_t, and $2 is +# normally sysadm_r. $4 is the type of program to run and $5 is the domain to +# transition to. +# sample usage: +# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t) +# +# if you have several users who run the same run_init type program for +# different purposes (think of a run_db program used by several database +# administrators to start several databases) then you can list all the source +# domains in $1, all the source roles in $2, but you may not want to list all +# types of programs to run in $4 and target domains in $5 (as that may permit +# entering a domain from the wrong type). In such a situation just specify +# one value for each of $4 and $5 and have some rules such as the following: +# domain_trans(run_whatever_t, whatever_exec_t, whatever_t) + +define(`run_program', ` +type run_$3_exec_t, file_type, exec_type, sysadmfile; + +# domain for program to run in, needs to change role (priv_system_role), change +# identity to system_u (privuser), log failures to syslog (privlog) and +# authenticate users +type run_$3_t, domain, priv_system_role, privuser, privlog; +domain_auto_trans($1, run_$3_exec_t, run_$3_t) +role $2 types run_$3_t; + +domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t) +dontaudit run_$3_t shadow_t:file getattr; + +# for utmp +allow run_$3_t initrc_var_run_t:file rw_file_perms; +allow run_$3_t admin_tty_type:chr_file rw_file_perms; + +dontaudit run_$3_t devpts_t:dir { getattr read }; +dontaudit run_$3_t device_t:dir read; + +# for auth_chkpwd +dontaudit run_$3_t shadow_t:file read; +allow run_$3_t self:process { fork sigchld }; +allow run_$3_t self:fifo_file rw_file_perms; +allow run_$3_t self:capability setuid; +allow run_$3_t self:lnk_file read; + +# often the administrator runs such programs from a directory that is owned +# by a different user or has restrictive SE permissions, do not want to audit +# the failed access to the current directory +dontaudit run_$3_t file_type:dir search; +dontaudit run_$3_t self:capability { dac_override dac_read_search }; + +allow run_$3_t bin_t:lnk_file read; +can_exec(run_$3_t, { bin_t shell_exec_t }) +ifdef(`chkpwd.te', ` +can_exec(run_$3_t, chkpwd_exec_t) +') + +domain_trans(run_$3_t, $4, $5) +can_setexec(run_$3_t) + +allow run_$3_t privfd:fd use; +uses_shlib(run_$3_t) +allow run_$3_t lib_t:file { getattr read }; +can_getsecurity(run_$3_t) +r_dir_file(run_$3_t,selinux_config_t) +r_dir_file(run_$3_t,default_context_t) +allow run_$3_t self:unix_stream_socket create_socket_perms; +allow run_$3_t self:unix_dgram_socket create_socket_perms; +allow run_$3_t etc_t:file { getattr read }; +read_locale(run_$3_t) +allow run_$3_t fs_t:filesystem getattr; +allow run_$3_t { bin_t sbin_t }:dir search; +dontaudit run_$3_t device_t:dir { getattr search }; +') diff --git a/mls/macros/program/samba_macros.te b/mls/macros/program/samba_macros.te new file mode 100644 index 0000000..d766784 --- /dev/null +++ b/mls/macros/program/samba_macros.te @@ -0,0 +1,30 @@ +# +# Macros for samba domains. +# + +# +# Authors: Dan Walsh +# + +# +# samba_domain(domain_prefix) +# +# Define a derived domain for the samba program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/samba.te. +# +undefine(`samba_domain') +ifdef(`samba.te', ` +define(`samba_domain',` +if ( samba_enable_home_dirs ) { +allow smbd_t home_root_t:dir r_dir_perms; +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t) +dontaudit smbd_t $1_file_type:dir_file_class_set getattr; +} +') +', ` +define(`samba_domain',`') + +')dnl end if samba.te diff --git a/mls/macros/program/screen_macros.te b/mls/macros/program/screen_macros.te new file mode 100644 index 0000000..e81a90a --- /dev/null +++ b/mls/macros/program/screen_macros.te @@ -0,0 +1,113 @@ +# +# Macros for screen domains. +# + +# +# Author: Russell Coker +# Based on the work of Stephen Smalley +# and Timothy Fraser +# + +# +# screen_domain(domain_prefix) +# +# Define a derived domain for the screen program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/screen.te. +# +undefine(`screen_domain') +ifdef(`screen.te', ` +define(`screen_domain',` +# Derived domain based on the calling user domain and the program. +type $1_screen_t, domain, privlog, privfd, nscd_client_domain; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, screen_exec_t, $1_screen_t) + +tmp_domain($1_screen, `', `{ dir file fifo_file }') +base_file_read_access($1_screen_t) +# The user role is authorized for this domain. +role $1_r types $1_screen_t; + +uses_shlib($1_screen_t) + +# for SSP +allow $1_screen_t urandom_device_t:chr_file read; + +# Revert to the user domain when a shell is executed. +domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t) +domain_auto_trans($1_screen_t, $1_home_t, $1_t) +if (use_nfs_home_dirs) { +domain_auto_trans($1_screen_t, nfs_t, $1_t) +} +if (use_samba_home_dirs) { +domain_auto_trans($1_screen_t, cifs_t, $1_t) +} + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;') + +home_domain_ro($1, screen) + +allow $1_screen_t privfd:fd use; + +# Write to utmp. +allow $1_screen_t initrc_var_run_t:file rw_file_perms; +ifdef(`utempter.te', ` +dontaudit $1_screen_t utempter_exec_t:file execute; +') + +# create pty devices +can_create_other_pty($1_screen, $1) +allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms; +allow $1_screen_t device_t:dir { getattr read }; + +allow $1_screen_t fs_t:filesystem getattr; + +# Create fifo +allow $1_screen_t var_t:dir search; +file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) +type $1_screen_var_run_t, file_type, sysadmfile, pidfile; +file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) + +allow $1_screen_t self:process { fork signal_perms }; +allow $1_t $1_screen_t:process signal; +allow $1_screen_t $1_t:process signal; +allow $1_screen_t self:capability { setuid setgid fsetid }; + +dontaudit $1_screen_t shadow_t:file read; + +allow $1_screen_t tmp_t:dir search; +can_network($1_screen_t) +allow $1_screen_t port_type:tcp_socket name_connect; +can_ypbind($1_screen_t) + +# get stats +allow $1_screen_t proc_t:dir search; +allow $1_screen_t proc_t:file { getattr read }; +allow $1_screen_t proc_t:lnk_file read; +allow $1_screen_t etc_t:{ file lnk_file } { read getattr }; +allow $1_screen_t self:dir { search read }; +allow $1_screen_t self:lnk_file read; +allow $1_screen_t device_t:dir search; +allow $1_screen_t { home_root_t $1_home_dir_t }:dir search; + +# Internal screen networking +allow $1_screen_t self:fd use; +allow $1_screen_t self:unix_stream_socket create_socket_perms; +allow $1_screen_t self:unix_dgram_socket create_socket_perms; + +allow $1_screen_t bin_t:dir search; +allow $1_screen_t bin_t:lnk_file read; +read_locale($1_screen_t) + +dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; +')dnl end screen_domain + +', ` + +define(`screen_domain',`') + +') diff --git a/mls/macros/program/sendmail_macros.te b/mls/macros/program/sendmail_macros.te new file mode 100644 index 0000000..540e0a2 --- /dev/null +++ b/mls/macros/program/sendmail_macros.te @@ -0,0 +1,56 @@ +# +# Macros for sendmail domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# + +# +# sendmail_user_domain(domain_prefix) +# +# Define a derived domain for the sendmail program when executed by +# a user domain to send outgoing mail. These domains are separate and +# independent of the domain used for the sendmail daemon process. +# +undefine(`sendmail_user_domain') +define(`sendmail_user_domain', ` + +# Use capabilities +allow $1_mail_t self:capability net_bind_service; + +tmp_domain($1_mail) + +# Write to /var/spool/mail and /var/spool/mqueue. +allow $1_mail_t mail_spool_t:dir rw_dir_perms; +allow $1_mail_t mail_spool_t:file create_file_perms; +allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; +allow $1_mail_t mqueue_spool_t:file create_file_perms; + +# Write to /var/log/sendmail.st +file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t) + +allow $1_mail_t etc_mail_t:dir { getattr search }; + +allow $1_mail_t { var_t var_spool_t }:dir getattr; + +allow $1_mail_t etc_runtime_t:file { getattr read }; + +# Check available space. +allow $1_mail_t fs_t:filesystem getattr; + +allow $1_mail_t sysctl_kernel_t:dir search; + +ifelse(`$1', `sysadm', ` +allow $1_mail_t proc_t:dir { getattr search }; +allow $1_mail_t proc_t:{ lnk_file file } { getattr read }; +dontaudit $1_mail_t proc_net_t:dir search; +allow $1_mail_t sysctl_kernel_t:file { getattr read }; +allow $1_mail_t etc_runtime_t:file { getattr read }; +', ` +dontaudit $1_mail_t proc_t:dir search; +dontaudit $1_mail_t sysctl_kernel_t:file read; +')dnl end if sysadm +') + diff --git a/mls/macros/program/slocate_macros.te b/mls/macros/program/slocate_macros.te new file mode 100644 index 0000000..115022b --- /dev/null +++ b/mls/macros/program/slocate_macros.te @@ -0,0 +1,64 @@ +# +# Macros for locate domains. +# + +# +# Author: Russell Coker +# + +# +# locate_domain(domain_prefix) +# +# Define a derived domain for the locate program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/locate.te. +# +undefine(`locate_domain') +ifdef(`slocate.te', ` +define(`locate_domain',` +# Derived domain based on the calling user domain and the program. +type $1_locate_t, domain; + +allow $1_locate_t self:process signal; + +allow $1_locate_t etc_t:file { getattr read }; +allow $1_locate_t self:unix_stream_socket create_socket_perms; +r_dir_file($1_locate_t,locate_var_lib_t) +allow $1_locate_t var_lib_t:dir search; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, locate_exec_t, $1_locate_t) + +# The user role is authorized for this domain. +role $1_r types $1_locate_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', ` +allow $1_locate_t $1_gph_t:fd use; +') + +allow $1_locate_t privfd:fd use; + +# allow ps to show locate +can_ps($1_t, $1_locate_t) +allow $1_t $1_locate_t:process signal; + +uses_shlib($1_locate_t) +access_terminal($1_locate_t, $1) + +allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search }; +allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read }; + +base_file_read_access($1_locate_t) +r_dir_file($1_locate_t, { etc_t lib_t var_t }) +dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms; +dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read }; +') + +', ` + +define(`locate_domain',`') + +') diff --git a/mls/macros/program/spamassassin_macros.te b/mls/macros/program/spamassassin_macros.te new file mode 100644 index 0000000..c85cfc7 --- /dev/null +++ b/mls/macros/program/spamassassin_macros.te @@ -0,0 +1,128 @@ +# +# Macros for spamassassin domains. +# +# Author: Colin Walters + +# spamassassin_domain(domain_prefix) +# +# Define derived domains for various spamassassin tools when executed +# by a user domain. +# +# The type declarations for the executable types of these programs are +# provided separately in domains/program/spamassassin.te and +# domains/program/spamc.te. +# +undefine(`spamassassin_domain') +ifdef(`spamassassin.te', `define(`using_spamassassin', `')') +ifdef(`spamd.te', `define(`using_spamassassin', `')') +ifdef(`spamc.te', `define(`using_spamassassin', `')') + +ifdef(`using_spamassassin',` + +####### +# Macros used internally in these spamassassin macros. +# + +### +# Define a domain for a spamassassin-like program (spamc/spamassassin). +# +# Note: most of this should really be in a generic macro like +# base_user_program($1, foo) +define(`spamassassin_program_domain',` +type $1_$2_t, domain, privlog $3; +domain_auto_trans($1_t, $2_exec_t, $1_$2_t) + +role $1_r types $1_$2_t; +general_domain_access($1_$2_t) + +base_file_read_access($1_$2_t) +r_dir_file($1_$2_t, etc_t) +ifdef(`sendmail.te', ` +r_dir_file($1_$2_t, etc_mail_t) +') +allow $1_$2_t etc_runtime_t:file r_file_perms; +uses_shlib($1_$2_t) +read_locale($1_$2_t) +dontaudit $1_$2_t var_t:dir search; +tmp_domain($1_$2) +allow $1_$2_t privfd:fd use; +allow $1_$2_t userpty_type:chr_file rw_file_perms; +') dnl end spamassassin_program_domain + +### +# Give privileges to a domain for accessing ~/.spamassassin +# and a few other misc things like /dev/random. +# This is granted to /usr/bin/spamassassin and +# /usr/sbin/spamd, but NOT spamc (because it does not need it). +# +define(`spamassassin_agent_privs',` +allow $1 home_root_t:dir r_dir_perms; +file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t) +create_dir_file($1, $2_spamassassin_home_t) + +allow $1 urandom_device_t:chr_file r_file_perms; +') + +####### +# Define the main spamassassin macro. This itself creates a +# domain for /usr/bin/spamassassin, and also spamc/spamd if +# applicable. +# +define(`spamassassin_domain',` +spamassassin_program_domain($1, spamassassin) + +# For perl libraries. +allow $1_spamassassin_t lib_t:file rx_file_perms; +# Ignore perl digging in /proc and /var. +dontaudit $1_spamassassin_t proc_t:dir search; +dontaudit $1_spamassassin_t proc_t:lnk_file read; +dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; + +# For ~/.spamassassin +home_domain($1, spamassassin) +file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir) + +spamassassin_agent_privs($1_spamassassin_t, $1) + +can_resolve($1_spamassassin_t) +# set tunable if you have spamassassin do DNS lookups +if (spamassasin_can_network) { +can_network($1_spamassassin_t) +allow $1_spamassassin_t port_type:tcp_socket name_connect; +} +if (spamassasin_can_network && allow_ypbind) { +uncond_can_ypbind($1_spamassassin_t) +} +### +# Define the domain for /usr/bin/spamc +# +ifdef(`spamc.te',` +spamassassin_program_domain($1, spamc, `, nscd_client_domain') +can_network($1_spamc_t) +allow $1_spamc_t port_type:tcp_socket name_connect; +can_ypbind($1_spamc_t) + +# Allow connecting to a local spamd +ifdef(`spamd.te',` +can_tcp_connect($1_spamc_t, spamd_t) +can_unix_connect($1_spamc_t, spamd_t) +allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; +') dnl endif spamd.te +') dnl endif spamc.te + +### +# Define the domain for /usr/sbin/spamd +# +ifdef(`spamd.te',` + +spamassassin_agent_privs(spamd_t, $1) + +') dnl endif spamd.te + +') dnl end spamassassin_domain + +', ` + +define(`spamassassin_domain',`') + +') diff --git a/mls/macros/program/ssh_agent_macros.te b/mls/macros/program/ssh_agent_macros.te new file mode 100644 index 0000000..7215f5c --- /dev/null +++ b/mls/macros/program/ssh_agent_macros.te @@ -0,0 +1,117 @@ +# +# Macros for ssh agent +# + +# +# Author: Thomas Bleher +# + +# +# ssh_agent_domain(domain_prefix) +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/ssh-agent.te. +# +define(`ssh_agent_domain',` +# Define a derived domain for the ssh-agent program when executed +# by a user domain. +# Derived domain based on the calling user domain and the program. +type $1_ssh_agent_t, domain, privlog; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) + +# The user role is authorized for this domain. +role $1_r types $1_ssh_agent_t; + +allow $1_ssh_agent_t privfd:fd use; + +# Write to the user domain tty. +access_terminal($1_ssh_agent_t, $1) + +# Allow the user shell to signal the ssh program. +allow $1_t $1_ssh_agent_t:process signal; +# allow ps to show ssh +can_ps($1_t, $1_ssh_agent_t) + +can_ypbind($1_ssh_agent_t) +if (use_nfs_home_dirs) { +allow $1_ssh_agent_t autofs_t:dir { search getattr }; +rw_dir_create_file($1_ssh_agent_t, nfs_t) +} +if (use_samba_home_dirs) { +rw_dir_create_file($1_ssh_agent_t, cifs_t) +} + +uses_shlib($1_ssh_agent_t) +read_locale($1_ssh_agent_t) + +allow $1_ssh_agent_t proc_t:dir search; +dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; +dontaudit $1_ssh_agent_t selinux_config_t:dir search; +dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr }; +read_sysctl($1_ssh_agent_t) + +# Access the ssh temporary files. Should we have an own type here +# to which only ssh, ssh-agent and ssh-add have access? +allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; +file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) +allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms; +allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms; + +allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; +allow $1_ssh_agent_t self:capability setgid; + +# access the random devices +allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read }; + +# for ssh-add +can_unix_connect($1_t, $1_ssh_agent_t) + +# transition back to normal privs upon exec +domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t) +if (use_nfs_home_dirs) { +domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t) +} +if (use_samba_home_dirs) { +domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t) +} +allow $1_ssh_agent_t bin_t:dir search; + +# allow reading of /usr/bin/X11 (is a symlink) +allow $1_ssh_agent_t bin_t:lnk_file read; + +allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; + +allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search; + +allow $1_ssh_t $1_tmp_t:sock_file write; +allow $1_ssh_t $1_t:unix_stream_socket connectto; +allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; + +ifdef(`xdm.te', ` +can_pipe_xdm($1_ssh_agent_t) + +# kdm: sigchld +allow $1_ssh_agent_t xdm_t:process sigchld; +') + +# +# Allow command to ssh-agent > ~/.ssh_agent +# +allow $1_ssh_agent_t $1_home_t:file rw_file_perms; +allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms; + +allow $1_ssh_agent_t etc_runtime_t:file { getattr read }; +allow $1_ssh_agent_t etc_t:file { getattr read }; +allow $1_ssh_agent_t lib_t:file { getattr read }; + +allow $1_ssh_agent_t self:dir search; +allow $1_ssh_agent_t self:file { getattr read }; + +# Allow the ssh program to communicate with ssh-agent. +allow $1_ssh_t $1_tmp_t:sock_file write; +allow $1_ssh_t $1_t:unix_stream_socket connectto; +allow $1_ssh_t sshd_t:unix_stream_socket connectto; +')dnl end if ssh_agent + diff --git a/mls/macros/program/ssh_macros.te b/mls/macros/program/ssh_macros.te new file mode 100644 index 0000000..0f6549f --- /dev/null +++ b/mls/macros/program/ssh_macros.te @@ -0,0 +1,168 @@ +# +# Macros for ssh domains. +# + +# +# Authors: Stephen Smalley +# Russell Coker +# Thomas Bleher +# + +# +# ssh_domain(domain_prefix) +# +# Define a derived domain for the ssh program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/ssh.te. +# +undefine(`ssh_domain') +ifdef(`ssh.te', ` +define(`ssh_domain',` +# Derived domain based on the calling user domain and the program. +type $1_ssh_t, domain, privlog, nscd_client_domain; +type $1_home_ssh_t, file_type, $1_file_type, sysadmfile; + +allow $1_ssh_t autofs_t:dir { search getattr }; +if (use_nfs_home_dirs) { +create_dir_file($1_ssh_t, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1_ssh_t, cifs_t) +} + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t) + +# The user role is authorized for this domain. +role $1_r types $1_ssh_t; + +# Grant permissions within the domain. +general_domain_access($1_ssh_t) + +# Use descriptors created by sshd +allow $1_ssh_t privfd:fd use; + +uses_shlib($1_ssh_t) +read_locale($1_ssh_t) + +# Get attributes of file systems. +allow $1_ssh_t fs_type:filesystem getattr; + +base_file_read_access($1_ssh_t) + +# Read /var. +r_dir_file($1_ssh_t, var_t) + +# Read /var/run, /var/log. +allow $1_ssh_t var_run_t:dir r_dir_perms; +allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; +allow $1_ssh_t var_log_t:dir r_dir_perms; +allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms; + +# Read /etc. +r_dir_file($1_ssh_t, etc_t) +allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. +allow $1_ssh_t device_t:dir r_dir_perms; +allow $1_ssh_t device_t:lnk_file r_file_perms; + +# Read /dev/urandom. +allow $1_ssh_t urandom_device_t:chr_file r_file_perms; + +# Read and write /dev/null. +allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms; + +# Grant permissions needed to create TCP and UDP sockets and +# to access the network. +can_network_client_tcp($1_ssh_t) +allow $1_ssh_t ssh_port_t:tcp_socket name_connect; +can_resolve($1_ssh_t) +can_ypbind($1_ssh_t) +can_kerberos($1_ssh_t) + +# for port forwarding +if (user_tcp_server) { +allow $1_ssh_t port_t:tcp_socket name_bind; +} + +# Use capabilities. +allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; + +# run helper programs - needed eg for x11-ssh-askpass +can_exec($1_ssh_t, { shell_exec_t bin_t }) + +# Read the ssh key file. +allow $1_ssh_t sshd_key_t:file r_file_perms; + +# Access the ssh temporary files. +file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t) +allow $1_ssh_t $1_tmp_t:dir r_dir_perms; + +# for rsync +allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms; + +# Access the users .ssh directory. +file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir) +file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file) +allow $1_t $1_home_ssh_t:sock_file create_file_perms; +allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms; +allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read }; +dontaudit $1_ssh_t $1_home_t:dir { getattr search }; +r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) +rw_dir_create_file($1_t, $1_home_ssh_t) + +# for /bin/sh used to execute xauth +dontaudit $1_ssh_t proc_t:dir search; +dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') + +# Write to the user domain tty. +access_terminal($1_ssh_t, $1) + +# Allow the user shell to signal the ssh program. +allow $1_t $1_ssh_t:process signal; +# allow ps to show ssh +can_ps($1_t, $1_ssh_t) + +# Connect to X server +x_client_domain($1_ssh, $1) + +ifdef(`ssh-agent.te', ` +ssh_agent_domain($1) +')dnl end if ssh_agent.te + +#allow ssh to access keys stored on removable media +# Should we have a boolean around this? +allow $1_ssh_t mnt_t:dir search; +r_dir_file($1_ssh_t, removable_t) + +type $1_ssh_keysign_t, domain, nscd_client_domain; +role $1_r types $1_ssh_keysign_t; + +if (allow_ssh_keysign) { +domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) +allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; +allow $1_ssh_keysign_t self:capability { setgid setuid }; +allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms; +uses_shlib($1_ssh_keysign_t) +dontaudit $1_ssh_keysign_t selinux_config_t:dir search; +dontaudit $1_ssh_keysign_t proc_t:dir search; +dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read }; +allow $1_ssh_keysign_t usr_t:dir search; +allow $1_ssh_keysign_t etc_t:file { getattr read }; +allow $1_ssh_keysign_t self:dir search; +allow $1_ssh_keysign_t self:file { getattr read }; +allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; +} + +')dnl end macro definition +', ` + +define(`ssh_domain',`') + +')dnl end if ssh.te diff --git a/mls/macros/program/su_macros.te b/mls/macros/program/su_macros.te new file mode 100644 index 0000000..206f58e --- /dev/null +++ b/mls/macros/program/su_macros.te @@ -0,0 +1,188 @@ +# +# Macros for su domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# su_domain(domain_prefix) +# +# Define a derived domain for the su program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/su.te. +# + +undefine(`su_restricted_domain') +undefine(`su_mini_domain') +undefine(`su_domain') +ifdef(`su.te', ` + +define(`su_restricted_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; +ifdef(`support_polyinstantiation', ` +typeattribute $1_su_t mlsfileread; +typeattribute $1_su_t mlsfilewrite; +typeattribute $1_su_t mlsfileupgrade; +typeattribute $1_su_t mlsfiledowngrade; +typeattribute $1_su_t mlsprocsetsl; +') + +# for SSP +allow $1_su_t urandom_device_t:chr_file { getattr read }; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, su_exec_t, $1_su_t) + +allow $1_su_t sbin_t:dir search; + +uses_shlib($1_su_t) +allow $1_su_t etc_t:file { getattr read }; +read_locale($1_su_t) +read_sysctl($1_su_t) +allow $1_su_t self:unix_dgram_socket { connect create write }; +allow $1_su_t self:unix_stream_socket create_stream_socket_perms; +allow $1_su_t self:fifo_file rw_file_perms; +allow $1_su_t proc_t:dir search; +allow $1_su_t proc_t:lnk_file read; +r_dir_file($1_su_t, self) +allow $1_su_t proc_t:file read; +allow $1_su_t self:process { setsched setrlimit }; +allow $1_su_t device_t:dir search; +allow $1_su_t self:process { fork sigchld }; +nsswitch_domain($1_su_t) +r_dir_file($1_su_t, selinux_config_t) + +dontaudit $1_su_t shadow_t:file { getattr read }; +dontaudit $1_su_t home_root_t:dir search; +dontaudit $1_su_t init_t:fd use; +allow $1_su_t var_lib_t:dir search; +allow $1_t $1_su_t:process signal; + +ifdef(`crond.te', ` +allow $1_su_t crond_t:fifo_file read; +') + +# Use capabilities. +allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write }; +dontaudit $1_su_t self:capability sys_tty_config; +# +# Caused by su - init scripts +# +dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + +# By default, revert to the calling domain when a shell is executed. +domain_auto_trans($1_su_t, shell_exec_t, $1_t) +allow $1_su_t bin_t:dir search; +allow $1_su_t bin_t:lnk_file read; + +# But also allow transitions to unprivileged user domains. +domain_trans($1_su_t, shell_exec_t, unpriv_userdomain) +can_setexec($1_su_t) + +# Get security decisions +can_getsecurity($1_su_t) +r_dir_file($1_su_t, default_context_t) + +allow $1_su_t privfd:fd use; + +# Write to utmp. +allow $1_su_t { var_t var_run_t }:dir search; +allow $1_su_t initrc_var_run_t:file rw_file_perms; +can_kerberos($1_su_t) + +ifdef(`chkpwd.te', ` +domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) +') + +allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + +') dnl end su_restricted_domain + +define(`su_mini_domain', ` +su_restricted_domain($1,$1) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_su_t, shell_exec_t, sysadm_t) +} + +# Relabel ttys and ptys. +allow $1_su_t device_t:dir { getattr read search }; +allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Close and re-open ttys and ptys to get the fd into the correct domain. +allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; + +')dnl end su_mini_domain + +define(`su_domain', ` +su_mini_domain($1) + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') + +# The user role is authorized for this domain. +role $1_r types $1_su_t; + +# Write to the user domain tty. +access_terminal($1_su_t, $1) + +allow $1_su_t { home_root_t $1_home_dir_t }:dir search; +allow $1_su_t $1_home_t:file create_file_perms; +ifdef(`user_canbe_sysadm', ` +allow $1_su_t home_dir_type:dir { search write }; +', ` +dontaudit $1_su_t home_dir_type:dir { search write }; +') + +allow $1_su_t autofs_t:dir { search getattr }; +if (use_nfs_home_dirs) { +allow $1_su_t nfs_t:dir search; +} +if (use_samba_home_dirs) { +allow $1_su_t cifs_t:dir search; +} + +ifdef(`support_polyinstantiation', ` +# Su can polyinstantiate +polyinstantiater($1_su_t) +# Su has to unmount polyinstantiated directories (like home) +# that should not be polyinstantiated under the new user +allow $1_su_t fs_t:filesystem unmount; +# Su needs additional permission to mount over a previous mount +allow $1_su_t polymember:dir mounton; +') + +# Modify .Xauthority file (via xauth program). +ifdef(`xauth.te', ` +file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) +file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) +file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) +domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) +') + +ifdef(`cyrus.te', ` +allow $1_su_t cyrus_var_lib_t:dir search; +') +ifdef(`ssh.te', ` +# Access sshd cookie files. +allow $1_su_t sshd_tmp_t:dir rw_dir_perms; +allow $1_su_t sshd_tmp_t:file rw_file_perms; +file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) +') + +allow $1_su_t var_lib_t:dir search; +dontaudit $1_su_t init_t:fd use; +')dnl end su_domain + +', ` + +define(`su_domain',`') + +') + diff --git a/mls/macros/program/sudo_macros.te b/mls/macros/program/sudo_macros.te new file mode 100644 index 0000000..b2b4e1c --- /dev/null +++ b/mls/macros/program/sudo_macros.te @@ -0,0 +1,34 @@ +# Authors: Dan Walsh, Russell Coker +# Maintained by Dan Walsh +define(`sudo_domain',` +newrole_domain($1_sudo, `, privuser') + +# By default, revert to the calling domain when a shell is executed. +domain_auto_trans($1_sudo_t, shell_exec_t, $1_t) + +ifdef(`mta.te', ` +domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms; +') + +allow $1_sudo_t self:capability sys_resource; + +allow $1_sudo_t self:process setrlimit; + +ifdef(`pam.te', ` +allow $1_sudo_t pam_var_run_t:dir create_dir_perms; +allow $1_sudo_t pam_var_run_t:file create_file_perms; +') + +allow $1_sudo_t initrc_var_run_t:file rw_file_perms; +allow $1_sudo_t sysctl_t:dir search; +allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr; +allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read }; +read_sysctl($1_sudo_t) + +allow $1_sudo_t var_run_t:dir search; +r_dir_file($1_sudo_t, default_context_t) +rw_dir_create_file($1_sudo_t, $1_tmp_t) +rw_dir_create_file($1_sudo_t, $1_home_t) +domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t) +') diff --git a/mls/macros/program/thunderbird_macros.te b/mls/macros/program/thunderbird_macros.te new file mode 100644 index 0000000..2c0711d --- /dev/null +++ b/mls/macros/program/thunderbird_macros.te @@ -0,0 +1,60 @@ +# +# Thunderbird +# +# Author: Ivan Gyurdiev +# + +####################################### +# thunderbird_domain(role_prefix) +# + +# FIXME: Rules were removed to centralize policy in a gnome_app macro +# A similar thing might be necessary for mozilla compiled without GNOME +# support (is this possible?). + +define(`thunderbird_domain', ` + +# Type for program +type $1_thunderbird_t, domain, nscd_client_domain; + +# Transition from user type +if (! disable_thunderbird_trans) { +domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t) +} +role $1_r types $1_thunderbird_t; + +# FIXME: Why does it try to do that? +dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute }; + +# Why is thunderbird looking in .mozilla ? +# FIXME: there are legitimate uses of invoking the browser - about -> release notes +dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search; + +# .kde/....gtkrc +# FIXME: support properly +dontaudit $1_thunderbird_t $1_home_t:file { getattr read }; + +# X, mail common stuff +x_client_domain($1_thunderbird, $1) +mail_client_domain($1_thunderbird, $1) + +allow $1_thunderbird_t self:process signull; +allow $1_thunderbird_t fs_t:filesystem getattr; + +# GNOME support +ifdef(`gnome.te', ` +gnome_application($1_thunderbird, $1) +gnome_file_dialog($1_thunderbird, $1) +allow $1_thunderbird_t $1_gnome_settings_t:file { read write }; +') + +# Access ~/.thunderbird +home_domain($1, thunderbird) + +# RSS feeds +can_network_client_tcp($1_thunderbird_t, http_port_t) +allow $1_thunderbird_t http_port_t:tcp_socket name_connect; + +allow $1_thunderbird_t self:process { execheap execmem execstack }; + +') diff --git a/mls/macros/program/tvtime_macros.te b/mls/macros/program/tvtime_macros.te new file mode 100644 index 0000000..d965ae1 --- /dev/null +++ b/mls/macros/program/tvtime_macros.te @@ -0,0 +1,64 @@ +# +# Macros for tvtime domains. +# + +# +# Author: Dan Walsh +# + +# +# tvtime_domain(domain_prefix) +# +# Define a derived domain for the tvtime program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/tvtime.te. +# +undefine(`tvtime_domain') +ifdef(`tvtime.te', ` +define(`tvtime_domain',` + +# Type transition +type $1_tvtime_t, domain, nscd_client_domain; +domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t) +role $1_r types $1_tvtime_t; + +# X access, Home files +home_domain($1, tvtime) +file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir) +x_client_domain($1_tvtime, $1) + +uses_shlib($1_tvtime_t) +read_locale($1_tvtime_t) +read_sysctl($1_tvtime_t) +access_terminal($1_tvtime_t, $1) + +# Allow the user domain to signal/ps. +can_ps($1_t, $1_tvtime_t) +allow $1_t $1_tvtime_t:process signal_perms; + +# Read /etc/tvtime +allow $1_tvtime_t etc_t:file { getattr read }; + +# Tmp files +tmp_domain($1_tvtime, `', `{ file dir fifo_file }') + +allow $1_tvtime_t urandom_device_t:chr_file read; +allow $1_tvtime_t clock_device_t:chr_file { ioctl read }; +allow $1_tvtime_t kernel_t:system ipc_info; +allow $1_tvtime_t sound_device_t:chr_file { ioctl read }; +allow $1_tvtime_t $1_home_t:dir { getattr read search }; +allow $1_tvtime_t $1_home_t:file { getattr read }; +allow $1_tvtime_t self:capability { setuid sys_nice sys_resource }; +allow $1_tvtime_t self:process setsched; +allow $1_tvtime_t usr_t:file { getattr read }; + +')dnl end tvtime_domain + +', ` + +define(`tvtime_domain',`') + +') + diff --git a/mls/macros/program/uml_macros.te b/mls/macros/program/uml_macros.te new file mode 100644 index 0000000..bc635f8 --- /dev/null +++ b/mls/macros/program/uml_macros.te @@ -0,0 +1,137 @@ +# +# Macros for uml domains. +# + +# +# Author: Russell Coker +# + +# +# uml_domain(domain_prefix) +# +# Define a derived domain for the uml program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/uml.te. +# +undefine(`uml_domain') +ifdef(`uml.te', ` +define(`uml_domain',` + +# Derived domain based on the calling user domain and the program. +type $1_uml_t, domain; +type $1_uml_exec_t, file_type, sysadmfile, $1_file_type; +type $1_uml_ro_t, file_type, sysadmfile, $1_file_type; +type $1_uml_rw_t, file_type, sysadmfile, $1_file_type; + +# for X +ifdef(`startx.te', ` +ifelse($1, sysadm, `', ` +ifdef(`xdm.te', ` +allow $1_uml_t xdm_xserver_tmp_t:dir search; +')dnl end if xdm.te +allow $1_uml_t $1_xserver_tmp_t:sock_file write; +can_unix_connect($1_uml_t, $1_xserver_t) +')dnl end ifelse sysadm +')dnl end ifdef startx + +allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms }; +allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms }; +allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms }; +allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms }; +r_dir_file($1_t, uml_ro_t) + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t) +can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t }) + +# The user role is authorized for this domain. +role $1_r types $1_uml_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. +ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;') + +# allow ps, ptrace, signal +can_ps($1_t, $1_uml_t) +can_ptrace($1_t, $1_uml_t) +allow $1_t $1_uml_t:process signal_perms; + +# allow the UML thing to happen +allow $1_uml_t self:process { fork signal_perms ptrace }; +can_create_pty($1_uml) +allow $1_uml_t root_t:dir search; +tmp_domain($1_uml) +can_exec($1_uml_t, $1_uml_tmp_t) +tmpfs_domain($1_uml) +can_exec($1_uml_t, $1_uml_tmpfs_t) +create_dir_file($1_t, $1_uml_tmp_t) +allow $1_t $1_uml_tmp_t:sock_file create_file_perms; +allow $1_uml_t self:fifo_file rw_file_perms; +allow $1_uml_t fs_t:filesystem getattr; + +allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl }; + +ifdef(`uml_net.te', ` +# for uml_net +domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t) +allow uml_net_t $1_uml_t:unix_stream_socket { read write }; +allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; +dontaudit uml_net_t privfd:fd use; +can_access_pty(uml_net_t, $1_uml) +dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; +')dnl end ifdef uml_net.te + +# for mconsole +allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto; +allow $1_uml_t $1_t:unix_dgram_socket sendto; + +# Use the network. +can_network($1_uml_t) +allow $1_uml_t port_type:tcp_socket name_connect; +can_ypbind($1_uml_t) + +# for xterm +uses_shlib($1_uml_t) +can_exec($1_uml_t, { bin_t sbin_t lib_t }) +allow $1_uml_t { bin_t sbin_t }:dir search; +allow $1_uml_t etc_t:file { getattr read }; +dontaudit $1_uml_t etc_runtime_t:file read; +can_tcp_connect($1_uml_t, sshd_t) +ifdef(`xauth.te', ` +allow $1_uml_t $1_xauth_home_t:file { getattr read }; +') +allow $1_uml_t var_run_t:dir search; +allow $1_uml_t initrc_var_run_t:file { getattr read }; +dontaudit $1_uml_t initrc_var_run_t:file { write lock }; + +allow $1_uml_t device_t:dir search; +allow $1_uml_t self:unix_stream_socket create_stream_socket_perms; +allow $1_uml_t self:unix_dgram_socket create_socket_perms; +allow $1_uml_t privfd:fd use; +allow $1_uml_t proc_t:dir search; +allow $1_uml_t proc_t:file { getattr read }; + +# for SKAS - need something better +allow $1_uml_t proc_t:file write; + +# Write to the user domain tty. +access_terminal($1_uml_t, $1) + +# access config files +allow $1_uml_t home_root_t:dir search; +file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t) +r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t }) + +# putting uml data under /var is usual... +allow $1_uml_t var_t:dir search; +')dnl end macro definition + +', ` + +define(`uml_domain',`') + +') diff --git a/mls/macros/program/userhelper_macros.te b/mls/macros/program/userhelper_macros.te new file mode 100644 index 0000000..2c715d3 --- /dev/null +++ b/mls/macros/program/userhelper_macros.te @@ -0,0 +1,142 @@ +#DESC Userhelper - SELinux utility to run a shell with a new role +# +# Authors: Dan Walsh (Red Hat) +# Maintained by Dan Walsh +# + +# +# userhelper_domain(domain_prefix) +# +# Define a derived domain for the userhelper/userhelper program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/userhelper.te. +# +define(`userhelper_domain',` +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain; + +in_user_role($1_userhelper_t) +role sysadm_r types $1_userhelper_t; + +ifelse($1, sysadm, ` +typealias sysadm_userhelper_t alias userhelper_t; +domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t) +') + +general_domain_access($1_userhelper_t); + +uses_shlib($1_userhelper_t) +read_locale($1_userhelper_t) +read_sysctl($1_userhelper_t) + +# for when the user types "exec userhelper" at the command line +allow $1_userhelper_t privfd:process sigchld; + +domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t) + +# Inherit descriptors from the current session. +allow $1_userhelper_t { init_t privfd }:fd use; + +can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t }) + +# Execute shells +allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms; +allow $1_userhelper_t { sbin_t bin_t }:lnk_file read; +allow $1_userhelper_t shell_exec_t:file r_file_perms; + +# By default, revert to the calling domain when a program is executed. +domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t) + +# Allow $1_userhelper_t to transition to user domains. +domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain) +if (!secure_mode) { + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t) +} +can_setexec($1_userhelper_t) + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +# Allow transitioning to rpm_t, for up2date +allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure }; +') +') + +# Use capabilities. +allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; + +# Write to utmp. +file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file) + +# Read the devpts root directory. +allow $1_userhelper_t devpts_t:dir r_dir_perms; + +# Read the /etc/security/default_type file +allow $1_userhelper_t etc_t:file r_file_perms; + +# Read /var. +r_dir_file($1_userhelper_t, var_t) + +# Read /dev directories and any symbolic links. +allow $1_userhelper_t device_t:dir r_dir_perms; + +# Relabel terminals. +allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. +allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;') + +# +# Allow $1_userhelper to obtain contexts to relabel TTYs +# +can_getsecurity($1_userhelper_t) + +allow $1_userhelper_t fs_t:filesystem getattr; + +# for some PAM modules and for cwd +allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search; + +allow $1_userhelper_t proc_t:dir search; +allow $1_userhelper_t proc_t:file { getattr read }; + +# for when the network connection is killed +dontaudit unpriv_userdomain $1_userhelper_t:process signal; + +allow $1_userhelper_t userhelper_conf_t:file rw_file_perms; +allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; + +ifdef(`pam.te', ` +allow $1_userhelper_t pam_var_run_t:dir create_dir_perms; +allow $1_userhelper_t pam_var_run_t:file create_file_perms; +') + +allow $1_userhelper_t urandom_device_t:chr_file { getattr read }; + +allow $1_userhelper_t autofs_t:dir search; +role system_r types $1_userhelper_t; +r_dir_file($1_userhelper_t, nfs_t) + +ifdef(`xdm.te', ` +can_pipe_xdm($1_userhelper_t) +allow $1_userhelper_t xdm_var_run_t:dir search; +') + +r_dir_file($1_userhelper_t, selinux_config_t) +r_dir_file($1_userhelper_t, default_context_t) + +ifdef(`xauth.te', ` +domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) +allow $1_userhelper_t $1_xauth_home_t:file { getattr read }; +') + +ifdef(`pamconsole.te', ` +allow $1_userhelper_t pam_var_console_t:dir { search }; +') + +ifdef(`mozilla.te', ` +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) +') + +')dnl end userhelper macro diff --git a/mls/macros/program/vmware_macros.te b/mls/macros/program/vmware_macros.te new file mode 100644 index 0000000..bb0914a --- /dev/null +++ b/mls/macros/program/vmware_macros.te @@ -0,0 +1,128 @@ +# Macro for vmware +# +# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), +# modifications by NAI Labs. +# +# Turned into a macro by Thomas Bleher +# +# vmware_domain(domain_prefix) +# +# Define a derived domain for the vmware program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/vmware.te. This file also +# implements a separate domain vmware_t. +# + +define(`vmware_domain', ` + +# Domain for the user applications to run in. +type $1_vmware_t, domain, privmem; + +role $1_r types $1_vmware_t; + +# The user file type is for files created when the user is running VMWare +type $1_vmware_file_t, $1_file_type, file_type, sysadmfile; + +# The user file type for the VMWare configuration files +type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile; + +############################################################# +# User rules for running VMWare +# +# Transition to VMWare user domain +domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t) +can_exec($1_vmware_t, vmware_user_exec_t) +uses_shlib($1_vmware_t) +var_run_domain($1_vmware) + +general_domain_access($1_vmware_t); + +# Capabilities needed by VMWare for the user execution. This seems a +# bit too much, so be careful. +allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio }; + +# Access to ttys +allow $1_vmware_t vmware_device_t:chr_file rw_file_perms; +allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms; +allow $1_vmware_t privfd:fd use; + +# Access /proc +r_dir_file($1_vmware_t, proc_t) +allow $1_vmware_t proc_net_t:dir search; +allow $1_vmware_t proc_net_t:file { getattr read }; + +# Access to some files in the user home directory +r_dir_file($1_vmware_t, $1_home_t) + +# Access to runtime files for user +allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms; +allow $1_vmware_t $1_vmware_file_t:file create_file_perms; +allow $1_vmware_t $1_vmware_conf_t:file create_file_perms; + +# Allow read access to /etc/vmware and /usr/lib/vmware configuration files +r_dir_file($1_vmware_t, vmware_sys_conf_t) + +# Allow $1_vmware_t to read/write files in the tmp dir +tmp_domain($1_vmware) +allow $1_vmware_t $1_vmware_tmp_t:file execute; + +# Allow read access to several paths +r_dir_file($1_vmware_t, etc_t) +allow $1_vmware_t etc_runtime_t:file r_file_perms; +allow $1_vmware_t device_t:dir r_dir_perms; +allow $1_vmware_t var_t:dir r_dir_perms; +allow $1_vmware_t tmpfs_t:file rw_file_perms; + +# Allow vmware to write to ~/.vmware +rw_dir_create_file($1_vmware_t, $1_vmware_file_t) + +# +# This is bad; VMWare needs execute permission to the .cfg file for the +# configuration to run. +# +allow $1_vmware_t $1_vmware_conf_t:file execute; + +# Access X11 config files +allow $1_vmware_t lib_t:file r_file_perms; + +# Access components of VMWare in /usr/lib/vmware/bin by default +allow $1_vmware_t bin_t:dir r_dir_perms; + +# Allow access to lp port (Need to create an lp device domain ) +allow $1_vmware_t device_t:chr_file r_file_perms; + +# Allow access to /dev/mem +allow $1_vmware_t memory_device_t:chr_file { read write }; + +# Allow access to mouse +allow $1_vmware_t mouse_device_t:chr_file r_file_perms; + +# Allow access the sound device +allow $1_vmware_t sound_device_t:chr_file { ioctl write }; + +# Allow removable media and devices +allow $1_vmware_t removable_device_t:blk_file r_file_perms; +allow $1_vmware_t device_t:lnk_file read; + +# Allow access to the real time clock device +allow $1_vmware_t clock_device_t:chr_file read; + +# Allow to attach to Xserver, and Xserver to attach back +ifdef(`gnome-pty-helper.te', ` +allow $1_vmware_t $1_gph_t:fd use; +') +ifdef(`startx.te', ` +allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write }; +allow $1_vmware_t $1_xserver_tmp_t:dir search; +allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto; +allow $1_xserver_t $1_vmware_t:shm r_shm_perms; +allow $1_xserver_t $1_vmware_t:fd use; +') + +# Allow filesystem read access +allow $1_vmware_t fs_t:filesystem getattr; + +') + diff --git a/mls/macros/program/x_client_macros.te b/mls/macros/program/x_client_macros.te new file mode 100644 index 0000000..adce9f0 --- /dev/null +++ b/mls/macros/program/x_client_macros.te @@ -0,0 +1,96 @@ +# +# Macros for X client programs +# + +# +# Author: Russell Coker +# Based on the work of Stephen Smalley +# and Timothy Fraser +# + +# Allows clients to write to the X server's shm +bool allow_write_xshm false; + +define(`xsession_domain', ` + +# Connect to xserver +can_unix_connect($1_t, $2_xserver_t) + +# Read /tmp/.X0-lock +allow $1_t $2_xserver_tmp_t:file { getattr read }; + +# Signal Xserver +allow $1_t $2_xserver_t:process signal; + +# Xserver read/write client shm +allow $2_xserver_t $1_t:fd use; +allow $2_xserver_t $1_t:shm rw_shm_perms; +allow $2_xserver_t $1_tmpfs_t:file rw_file_perms; + +# Client read xserver shm +allow $1_t $2_xserver_t:fd use; +allow $1_t $2_xserver_t:shm r_shm_perms; +allow $1_t $2_xserver_tmpfs_t:file r_file_perms; + +# Client write xserver shm +if (allow_write_xshm) { +allow $1_t $2_xserver_t:shm rw_shm_perms; +allow $1_t $2_xserver_tmpfs_t:file rw_file_perms; +} + +') + +# +# x_client_domain(client, role) +# +# Defines common X access rules for the client domain +# +define(`x_client_domain',` + +# Create socket to communicate with X server +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +# Read .Xauthority file +ifdef(`xauth.te',` +allow $1_t home_root_t:dir { search getattr }; +allow $1_t $2_home_dir_t:dir { search getattr }; +allow $1_t $2_xauth_home_t:file { getattr read }; +') + +# for .xsession-errors +dontaudit $1_t $2_home_t:file write; + +# for X over a ssh tunnel +ifdef(`ssh.te', ` +can_tcp_connect($1_t, sshd_t) +') + +# Use a separate type for tmpfs/shm pseudo files. +tmpfs_domain($1) +allow $1_t self:shm create_shm_perms; + +# allow X client to read all font files +read_fonts($1_t, $2) + +# Allow connections to X server. +ifdef(`xserver.te', ` +allow $1_t tmp_t:dir search; + +ifdef(`xdm.te', ` +xsession_domain($1, xdm) + +# for when /tmp/.X11-unix is created by the system +can_pipe_xdm($1_t) +allow $1_t xdm_tmp_t:dir search; +allow $1_t xdm_tmp_t:sock_file { read write }; +dontaudit $1_t xdm_t:tcp_socket { read write }; +') + +ifdef(`startx.te', ` +xsession_domain($1, $2) +')dnl end startx + +')dnl end xserver + +')dnl end x_client macro diff --git a/mls/macros/program/xauth_macros.te b/mls/macros/program/xauth_macros.te new file mode 100644 index 0000000..ca7a5ee --- /dev/null +++ b/mls/macros/program/xauth_macros.te @@ -0,0 +1,83 @@ +# +# Macros for xauth domains. +# + +# +# Author: Russell Coker +# + +# +# xauth_domain(domain_prefix) +# +# Define a derived domain for the xauth program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/xauth.te. +# +undefine(`xauth_domain') +ifdef(`xauth.te', ` +define(`xauth_domain',` +# Derived domain based on the calling user domain and the program. +type $1_xauth_t, domain; + +allow $1_xauth_t self:process signal; + +home_domain($1, xauth) +file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file) + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t) +ifdef(`ssh.te', ` +domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t) +allow $1_xauth_t sshd_t:fifo_file { getattr read }; +dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write }; +allow $1_xauth_t sshd_t:process sigchld; +')dnl end if ssh + +# The user role is authorized for this domain. +role $1_r types $1_xauth_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', ` +allow $1_xauth_t $1_gph_t:fd use; +') + +allow $1_xauth_t privfd:fd use; +allow $1_xauth_t ptmx_t:chr_file { read write }; + +# allow ps to show xauth +can_ps($1_t, $1_xauth_t) +allow $1_t $1_xauth_t:process signal; + +uses_shlib($1_xauth_t) + +# allow DNS lookups... +can_resolve($1_xauth_t) +can_ypbind($1_xauth_t) +ifdef(`named.te', ` +can_udp_send($1_xauth_t, named_t) +can_udp_send(named_t, $1_xauth_t) +')dnl end if named.te + +allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; +allow $1_xauth_t etc_t:file { getattr read }; +allow $1_xauth_t fs_t:filesystem getattr; + +# Write to the user domain tty. +access_terminal($1_xauth_t, $1) + +# Scan /var/run. +allow $1_xauth_t var_t:dir search; +allow $1_xauth_t var_run_t:dir search; + +tmp_domain($1_xauth) +allow $1_xauth_t $1_tmp_t:file { getattr ioctl read }; + +')dnl end xauth_domain macro + +', ` + +define(`xauth_domain',`') + +')dnl end if xauth.te diff --git a/mls/macros/program/xdm_macros.te b/mls/macros/program/xdm_macros.te new file mode 100644 index 0000000..bea127f --- /dev/null +++ b/mls/macros/program/xdm_macros.te @@ -0,0 +1,13 @@ +######################################## +# +# can_pipe_xdm(domain) +# +# Allow communication to xdm over a pipe +# + +define(`can_pipe_xdm', ` +ifdef(`xdm.te', ` +allow $1 xdm_t:fd use; +allow $1 xdm_t:fifo_file { getattr read write ioctl }; +') +') dnl can_pipe_xdm diff --git a/mls/macros/program/xserver_macros.te b/mls/macros/program/xserver_macros.te new file mode 100644 index 0000000..e2eaf82 --- /dev/null +++ b/mls/macros/program/xserver_macros.te @@ -0,0 +1,274 @@ +# +# Macros for X server domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################# +# +# xserver_domain(domain_prefix) +# +# Define a derived domain for the X server when executed +# by a user domain (e.g. via startx). See the xdm_t domain +# in domains/program/xdm.te if using an X Display Manager. +# +# The type declarations for the executable type for this program +# and the log type are provided separately in domains/program/xserver.te. +# +# FIXME! The X server requires far too many privileges. +# +undefine(`xserver_domain') +ifdef(`xserver.te', ` + +define(`xserver_domain',` +# Derived domain based on the calling user domain and the program. +ifdef(`distro_redhat', ` +type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain; +allow $1_xserver_t sysctl_modprobe_t:file { getattr read }; +ifdef(`rpm.te', ` +allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr }; +allow $1_xserver_t rpm_tmpfs_t:file { read write }; +allow $1_xserver_t rpm_t:fd use; +') + +', ` +type $1_xserver_t, domain, privlog, privmem, nscd_client_domain; +') + +# for SSP +allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl }; + +# Transition from the user domain to this domain. +ifelse($1, xdm, ` +ifdef(`xdm.te', ` +domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t) +') +', ` +domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t) +')dnl end ifelse xdm +can_exec($1_xserver_t, xserver_exec_t) + +uses_shlib($1_xserver_t) + +allow $1_xserver_t texrel_shlib_t:file execmod; + +can_network($1_xserver_t) +allow $1_xserver_t port_type:tcp_socket name_connect; +can_ypbind($1_xserver_t) +allow $1_xserver_t xserver_port_t:tcp_socket name_bind; + +# for access within the domain +general_domain_access($1_xserver_t) + +allow $1_xserver_t self:process execmem; +# Until the X module loader is fixed. +allow $1_xserver_t self:process execheap; + +allow $1_xserver_t etc_runtime_t:file { getattr read }; + +ifelse($1, xdm, ` +# The system role is authorised for the xdm and initrc domains +role system_r types xdm_xserver_t; + +allow xdm_xserver_t init_t:fd use; + +dontaudit xdm_xserver_t home_dir_type:dir { read search }; + +# Read all global and per user fonts +read_fonts($1_xserver_t, sysadm) +read_fonts($1_xserver_t, staff) +read_fonts($1_xserver_t, user) + +', ` +# The user role is authorized for this domain. +role $1_r types $1_xserver_t; + +allow $1_xserver_t getty_t:fd use; +allow $1_xserver_t local_login_t:fd use; +allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + +allow $1_xserver_t $1_tmpfs_t:file rw_file_perms; +allow $1_t $1_xserver_tmpfs_t:file rw_file_perms; + +can_unix_connect($1_t, $1_xserver_t) + +# Read fonts +read_fonts($1_xserver_t, $1) + +# Access the home directory. +allow $1_xserver_t home_root_t:dir search; +allow $1_xserver_t $1_home_dir_t:dir { getattr search }; + +ifdef(`xauth.te', ` +domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) +allow $1_xserver_t $1_xauth_home_t:file { getattr read }; +', ` +allow $1_xserver_t $1_home_t:file { getattr read }; +')dnl end ifdef xauth +ifdef(`userhelper.te', ` +allow $1_xserver_t userhelper_conf_t:dir search; +')dnl end ifdef userhelper +')dnl end ifelse xdm + +allow $1_xserver_t self:process setsched; + +allow $1_xserver_t fs_t:filesystem getattr; + +# Xorg wants to check if kernel is tainted +read_sysctl($1_xserver_t) + +# Use capabilities. +# allow setuid/setgid for the wrapper program to change UID +# sys_rawio is for iopl access - should not be needed for frame-buffer +# sys_admin, locking shared mem? chowning IPC message queues or semaphores? +# admin of APM bios? +# sys_nice is so that the X server can set a negative nice value +allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow $1_xserver_t nfs_t:dir { getattr search }; + +# memory_device_t access is needed if not using the frame buffer +#dontaudit $1_xserver_t memory_device_t:chr_file read; +allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute }; +# net_bind_service is needed if you want your X server to allow TCP connections +# from other hosts, EG an XDM serving a network of X terms +# if you want good security you do not want this +# not sure why some people want chown, fsetid, and sys_tty_config. +#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config }; +dontaudit $1_xserver_t self:capability chown; + +# for nscd +dontaudit $1_xserver_t var_run_t:dir search; + +allow $1_xserver_t mtrr_device_t:file rw_file_perms; +allow $1_xserver_t apm_bios_t:chr_file rw_file_perms; +allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms; +allow $1_xserver_t device_t:lnk_file { getattr read }; +allow $1_xserver_t devtty_t:chr_file rw_file_perms; +allow $1_xserver_t zero_device_t:chr_file { read write execute }; + +# Type for temporary files. +tmp_domain($1_xserver, `', `{ dir file sock_file }') +file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) + +ifelse($1, xdm, ` +ifdef(`xdm.te', ` +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_t xdm_xserver_t:unix_stream_socket connectto; +allow xdm_t $1_xserver_t:process signal; +can_unix_connect(xdm_t, xdm_xserver_t) +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_xserver_t xdm_t:process signal; +allow xdm_xserver_t xdm_t:shm rw_shm_perms; +allow xdm_t xdm_xserver_t:shm rw_shm_perms; +dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; +') +', ` +allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; +allow $1_t xdm_xserver_t:unix_stream_socket connectto; +allow $1_t $1_xserver_t:process signal; + +# Allow the user domain to connect to the X server. +can_unix_connect($1_t, $1_xserver_t) +allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms; +allow $1_t $1_xserver_tmp_t:dir r_dir_perms; +ifdef(`xdm.te', ` +allow $1_t xdm_tmp_t:sock_file unlink; +allow $1_xserver_t xdm_var_run_t:dir search; +') + +# Signal the user domain. +allow $1_xserver_t $1_t:process signal; + +# Communicate via System V shared memory. +allow $1_xserver_t $1_t:shm rw_shm_perms; +allow $1_t $1_xserver_t:shm rw_shm_perms; +allow $1_xserver_t initrc_t:shm rw_shm_perms; + +')dnl end ifelse xdm + +# Create files in /var/log with the xserver_log_t type. +allow $1_xserver_t var_t:dir search; +file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file) +allow $1_xserver_t xserver_log_t:dir r_dir_perms; + +# Access AGP device. +allow $1_xserver_t agp_device_t:chr_file rw_file_perms; + +# for other device nodes such as the NVidia binary-only driver +allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms; + +# Access /proc/mtrr +allow $1_xserver_t proc_t:file rw_file_perms; +allow $1_xserver_t proc_t:lnk_file { getattr read }; + +# Access /proc/sys/dev +allow $1_xserver_t sysctl_dev_t:dir search; +allow $1_xserver_t sysctl_dev_t:file { getattr read }; +# Access /proc/bus/pci +allow $1_xserver_t proc_t:dir r_dir_perms; + +# Create and access /dev/dri devices. +allow $1_xserver_t device_t:dir { create setattr }; +file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file) +# brought on by rhgb +allow $1_xserver_t mnt_t:dir search; + +allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms }; + +# Run helper programs in $1_xserver_t. +allow $1_xserver_t { bin_t sbin_t }:dir search; +allow $1_xserver_t etc_t:{ file lnk_file } { getattr read }; +allow $1_xserver_t bin_t:lnk_file read; +can_exec($1_xserver_t, { bin_t shell_exec_t }) + +# Connect to xfs. +ifdef(`xfs.te', ` +can_unix_connect($1_xserver_t, xfs_t) +allow $1_xserver_t xfs_tmp_t:dir r_dir_perms; +allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms; + +# Bind to the X server socket in /tmp. +allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind; +') + +read_locale($1_xserver_t) + +# Type for tmpfs/shm files. +tmpfs_domain($1_xserver) +ifelse($1, xdm, ` +ifdef(`xdm.te', ` +allow xdm_xserver_t xdm_t:shm rw_shm_perms; +allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; +') +', ` +allow $1_xserver_t $1_t:shm rw_shm_perms; +rw_dir_file($1_xserver_t, $1_tmpfs_t) +')dnl end ifelse xdm + + +r_dir_file($1_xserver_t,sysfs_t) + +# Use the mouse. +allow $1_xserver_t mouse_device_t:chr_file rw_file_perms; +# Allow xserver to read events - the synaptics touchpad +# driver reads raw events +allow $1_xserver_t event_device_t:chr_file rw_file_perms; +ifdef(`pamconsole.te', ` +allow $1_xserver_t pam_var_console_t:dir search; +') +dontaudit $1_xserver_t selinux_config_t:dir search; + +allow $1_xserver_t var_lib_t:dir search; +rw_dir_create_file($1_xserver_t, xkb_var_lib_t) + +')dnl end macro definition + +', ` + +define(`xserver_domain',`') + +') + diff --git a/mls/macros/program/ypbind_macros.te b/mls/macros/program/ypbind_macros.te new file mode 100644 index 0000000..04a8f1d --- /dev/null +++ b/mls/macros/program/ypbind_macros.te @@ -0,0 +1,19 @@ +define(`uncond_can_ypbind', ` +can_network($1) +r_dir_file($1,var_yp_t) +allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind; +allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect; +dontaudit $1 self:capability net_bind_service; +dontaudit $1 reserved_port_type:tcp_socket name_connect; +dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind; +') + +define(`can_ypbind', ` +ifdef(`ypbind.te', ` +if (allow_ypbind) { +uncond_can_ypbind($1) +} else { +dontaudit $1 var_yp_t:dir search; +} +') dnl ypbind.te +') dnl can_ypbind diff --git a/mls/macros/user_macros.te b/mls/macros/user_macros.te new file mode 100644 index 0000000..5575e64 --- /dev/null +++ b/mls/macros/user_macros.te @@ -0,0 +1,326 @@ +# +# Macros for all user login domains. +# + +# role_tty_type_change(starting_role, ending_role) +# +# change from role $1_r to $2_r and relabel tty appropriately +# + +undefine(`role_tty_type_change') +define(`role_tty_type_change', ` +allow $1_r $2_r; +type_change $2_t $1_devpts_t:chr_file $2_devpts_t; +type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; +# avoid annoying messages on terminal hangup +dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; +') + +# +# reach_sysadm(user) +# +# Reach sysadm_t via programs like userhelper/sudo/su +# + +undefine(`reach_sysadm') +define(`reach_sysadm', ` +ifdef(`userhelper.te', `userhelper_domain($1)') +ifdef(`sudo.te', `sudo_domain($1)') +ifdef(`su.te', ` +su_domain($1) +# When an ordinary user domain runs su, su may try to +# update the /root/.Xauthority file, and the user shell may +# try to update the shell history. This is not allowed, but +# we dont need to audit it. +dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms; +') dnl ifdef su.te +ifdef(`xauth.te', ` +file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file) +ifdef(`userhelper.te', ` +file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file) +') dnl userhelper.te +') dnl xauth.te +') dnl reach_sysadm + +# +# priv_user(user) +# +# Privileged user domain +# + +undefine(`priv_user') +define(`priv_user', ` +# Reach sysadm_t +reach_sysadm($1) + +# Read file_contexts for rpm and get security decisions. +r_dir_file($1_t, file_context_t) +can_getsecurity($1_t) + +# Signal and see information about unprivileged user domains. +allow $1_t unpriv_userdomain:process signal_perms; +can_ps($1_t, unpriv_userdomain) +allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr; + +# Read /root files if boolean is enabled. +if (staff_read_sysadm_file) { +allow $1_t sysadm_home_dir_t:dir { getattr search }; +allow $1_t sysadm_home_t:file { getattr read }; +} + +') dnl priv_user + +# +# user_domain(domain_prefix) +# +# Define derived types and rules for an ordinary user domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. +# + +# user_domain() is also called by the admin_domain() macro +undefine(`user_domain') +define(`user_domain', ` +# Use capabilities + +# Type for home directory. +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember; + +# Transition manually for { lnk sock fifo }. The rest is in content macros. +tmp_domain_notrans($1, `, user_tmpfile, $1_file_type') +file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file }) +allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom }; + +ifdef(`support_polyinstantiation', ` +type_member $1_t tmp_t:dir $1_tmp_t; +type_member $1_t $1_home_dir_t:dir $1_home_t; +') + +base_user_domain($1) +ifdef(`mls_policy', `', ` +access_removable_media($1_t) +') + +# do not allow privhome access to sysadm_home_dir_t +file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t) + +allow $1_t boot_t:dir { getattr search }; +dontaudit $1_t boot_t:lnk_file read; +dontaudit $1_t boot_t:file read; +allow $1_t system_map_t:file { getattr read }; + +# Instantiate derived domains for a number of programs. +# These derived domains encode both information about the calling +# user domain and the program, and allow us to maintain separation +# between different instances of the program being run by different +# user domains. +ifelse($1, sysadm, `',` +ifdef(`apache.te', `apache_user_domain($1)') +ifdef(`i18n_input.te', `i18n_input_domain($1)') +ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)') +') +ifdef(`slocate.te', `locate_domain($1)') +ifdef(`lockdev.te', `lockdev_domain($1)') + +can_kerberos($1_t) +# allow port_t name binding for UDP because it is not very usable otherwise +allow $1_t port_t:udp_socket name_bind; + +# +# Need the following rule to allow users to run vpnc +# +ifdef(`xserver.te', ` +allow $1_t xserver_port_t:tcp_socket name_bind; +') + +# Allow users to run TCP servers (bind to ports and accept connection from +# the same domain and outside users) disabling this forces FTP passive mode +# and may change other protocols +if (user_tcp_server) { +allow $1_t port_t:tcp_socket name_bind; +} +# port access is audited even if dac would not have allowed it, so dontaudit it here +dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind; + +# Allow system log read +if (user_dmesg) { +allow $1_t kernel_t:system syslog_read; +} else { +# else do not log it +dontaudit $1_t kernel_t:system syslog_read; +} + +# Allow read access to utmp. +allow $1_t initrc_var_run_t:file { getattr read lock }; +# The library functions always try to open read-write first, +# then fall back to read-only if it fails. +# Do not audit write denials to utmp to avoid the noise. +dontaudit $1_t initrc_var_run_t:file write; + + +# do not audit read on disk devices +dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read; + +ifdef(`xdm.te', ` +allow xdm_t $1_home_t:lnk_file read; +allow xdm_t $1_home_t:dir search; +# +# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp +# +dontaudit xdm_t $1_home_t:file rw_file_perms; +')dnl end ifdef xdm.te + +ifdef(`ftpd.te', ` +if (ftp_home_dir) { +file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) +} +')dnl end ifdef ftpd + + +')dnl end user_domain macro + + +########################################################################### +# +# Domains for ordinary users. +# +undefine(`limited_user_role') +define(`limited_user_role', ` +# user_t/$1_t is an unprivileged users domain. +type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd; + +#Type for tty devices. +type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs; +# Type and access for pty devices. +can_create_pty($1, `, userpty_type, user_tty_type') + +# Access ttys. +allow $1_t privfd:fd use; +allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + +# Grant read/search permissions to some of /proc. +r_dir_file($1_t, proc_t) +# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead +r_dir_file($1_t, proc_net_t) + +base_file_read_access($1_t) + +# Execute from the system shared libraries. +uses_shlib($1_t) + +# Read /etc. +r_dir_file($1_t, etc_t) +allow $1_t etc_runtime_t:file r_file_perms; +allow $1_t etc_runtime_t:lnk_file { getattr read }; + +allow $1_t self:process { fork sigchld setpgid signal_perms }; + +# read localization information +read_locale($1_t) + +read_sysctl($1_t) +can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t }) + +allow $1_t self:dir search; +allow $1_t self:file { getattr read }; +allow $1_t self:fifo_file rw_file_perms; + +allow $1_t self:lnk_file read; +allow $1_t self:unix_stream_socket create_socket_perms; +allow $1_t urandom_device_t:chr_file { getattr read }; +dontaudit $1_t { var_spool_t var_log_t }:dir search; + +# Read /dev directories and any symbolic links. +allow $1_t device_t:dir r_dir_perms; +allow $1_t device_t:lnk_file { getattr read }; +allow $1_t devtty_t:chr_file { read write }; + +') + +undefine(`full_user_role') +define(`full_user_role', ` + +limited_user_role($1) + +typeattribute $1_t web_client_domain; + +attribute $1_file_type; + +ifdef(`useradd.te', ` +# Useradd relabels /etc/skel files so needs these privs +allow useradd_t $1_file_type:dir create_dir_perms; +allow useradd_t $1_file_type:notdevfile_class_set create_file_perms; +') + +can_exec($1_t, usr_t) + +# Read directories and files with the readable_t type. +# This type is a general type for "world"-readable files. +allow $1_t readable_t:dir r_dir_perms; +allow $1_t readable_t:notdevfile_class_set r_file_perms; + +# Stat lost+found. +allow $1_t lost_found_t:dir getattr; + +# Read /var, /var/spool, /var/run. +r_dir_file($1_t, var_t) +# what about pipes and sockets under /var/spool? +r_dir_file($1_t, var_spool_t) +r_dir_file($1_t, var_run_t) +allow $1_t var_lib_t:dir r_dir_perms; +allow $1_t var_lib_t:file { getattr read }; + +# for running depmod as part of the kernel packaging process +allow $1_t modules_conf_t:file { getattr read }; + +# Read man directories and files. +r_dir_file($1_t, man_t) + +# Allow users to rw usb devices +if (user_rw_usb) { +rw_dir_create_file($1_t,usbdevfs_t) +} else { +r_dir_file($1_t,usbdevfs_t) +} + +r_dir_file($1_t,sysfs_t) + +# Do not audit write denials to /etc/ld.so.cache. +dontaudit $1_t ld_so_cache_t:file write; + +# $1_t is also granted permissions specific to user domains. +user_domain($1) + +dontaudit $1_t sysadm_home_t:file { read append }; + +ifdef(`syslogd.te', ` +# Some programs that are left in $1_t will try to connect +# to syslogd, but we do not want to let them generate log messages. +# Do not audit. +dontaudit $1_t devlog_t:sock_file { read write }; +dontaudit $1_t syslogd_t:unix_dgram_socket sendto; +') + +# Stop warnings about access to /dev/console +dontaudit $1_t init_t:fd use; +dontaudit $1_t initrc_t:fd use; +allow $1_t initrc_t:fifo_file write; + +# +# Rules used to associate a homedir as a mountpoint +# +allow $1_home_t self:filesystem associate; +allow $1_file_type $1_home_t:filesystem associate; +') + +undefine(`in_user_role') +define(`in_user_role', ` +role user_r types $1; +role staff_r types $1; +') + diff --git a/mls/mcs b/mls/mcs new file mode 100644 index 0000000..8a04ae8 --- /dev/null +++ b/mls/mcs @@ -0,0 +1,162 @@ +# +# Define sensitivities +# +# Each sensitivity has a name and zero or more aliases. +# +# MCS is single-sensitivity. +# +sensitivity s0; + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; +category c24; category c25; category c26; category c27; +category c28; category c29; category c30; category c31; +category c32; category c33; category c34; category c35; +category c36; category c37; category c38; category c39; +category c40; category c41; category c42; category c43; +category c44; category c45; category c46; category c47; +category c48; category c49; category c50; category c51; +category c52; category c53; category c54; category c55; +category c56; category c57; category c58; category c59; +category c60; category c61; category c62; category c63; +category c64; category c65; category c66; category c67; +category c68; category c69; category c70; category c71; +category c72; category c73; category c74; category c75; +category c76; category c77; category c78; category c79; +category c80; category c81; category c82; category c83; +category c84; category c85; category c86; category c87; +category c88; category c89; category c90; category c91; +category c92; category c93; category c94; category c95; +category c96; category c97; category c98; category c99; +category c100; category c101; category c102; category c103; +category c104; category c105; category c106; category c107; +category c108; category c109; category c110; category c111; +category c112; category c113; category c114; category c115; +category c116; category c117; category c118; category c119; +category c120; category c121; category c122; category c123; +category c124; category c125; category c126; category c127; +category c128; category c129; category c130; category c131; +category c132; category c133; category c134; category c135; +category c136; category c137; category c138; category c139; +category c140; category c141; category c142; category c143; +category c144; category c145; category c146; category c147; +category c148; category c149; category c150; category c151; +category c152; category c153; category c154; category c155; +category c156; category c157; category c158; category c159; +category c160; category c161; category c162; category c163; +category c164; category c165; category c166; category c167; +category c168; category c169; category c170; category c171; +category c172; category c173; category c174; category c175; +category c176; category c177; category c178; category c179; +category c180; category c181; category c182; category c183; +category c184; category c185; category c186; category c187; +category c188; category c189; category c190; category c191; +category c192; category c193; category c194; category c195; +category c196; category c197; category c198; category c199; +category c200; category c201; category c202; category c203; +category c204; category c205; category c206; category c207; +category c208; category c209; category c210; category c211; +category c212; category c213; category c214; category c215; +category c216; category c217; category c218; category c219; +category c220; category c221; category c222; category c223; +category c224; category c225; category c226; category c227; +category c228; category c229; category c230; category c231; +category c232; category c233; category c234; category c235; +category c236; category c237; category c238; category c239; +category c240; category c241; category c242; category c243; +category c244; category c245; category c246; category c247; +category c248; category c249; category c250; category c251; +category c252; category c253; category c254; category c255; + + +# +# Each MCS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +level s0:c0.c255; + +# +# Define the MCS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +# +# MCS policy for the file classes +# +# Constrain file access so that the high range of the process dominates +# the high range of the file. We use the high range of the process so +# that processes can always simply run at s0. +# +# Only files are constrained by MCS at this stage. +# +mlsconstrain file { write setattr append unlink link rename + create ioctl lock execute } (h1 dom h2); + +mlsconstrain file { read } ((h1 dom h2) or + ( t1 == mlsfileread )); + + +# new file labels must be dominated by the relabeling subject's clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } + ( h1 dom h2 ); + +define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append +link unlink rename relabelfrom relabelto }') + +define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink +rename search add_name remove_name reparent write rmdir relabelfrom +relabelto }') + +# XXX +# +# For some reason, we need to reference the mlsfileread attribute +# or we get a build error. Below is a dummy entry to do this. +mlsconstrain xextension query ( t1 == mlsfileread ); + diff --git a/mls/mls b/mls/mls new file mode 100644 index 0000000..c7d04ef --- /dev/null +++ b/mls/mls @@ -0,0 +1,665 @@ +# +# Define sensitivities +# +# Each sensitivity has a name and zero or more aliases. +# +sensitivity s0; +sensitivity s1; +sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; +sensitivity s7; +sensitivity s8; +sensitivity s9; +sensitivity s10; +sensitivity s11; +sensitivity s12; +sensitivity s13; +sensitivity s14; +sensitivity s15; + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; +category c24; category c25; category c26; category c27; +category c28; category c29; category c30; category c31; +category c32; category c33; category c34; category c35; +category c36; category c37; category c38; category c39; +category c40; category c41; category c42; category c43; +category c44; category c45; category c46; category c47; +category c48; category c49; category c50; category c51; +category c52; category c53; category c54; category c55; +category c56; category c57; category c58; category c59; +category c60; category c61; category c62; category c63; +category c64; category c65; category c66; category c67; +category c68; category c69; category c70; category c71; +category c72; category c73; category c74; category c75; +category c76; category c77; category c78; category c79; +category c80; category c81; category c82; category c83; +category c84; category c85; category c86; category c87; +category c88; category c89; category c90; category c91; +category c92; category c93; category c94; category c95; +category c96; category c97; category c98; category c99; +category c100; category c101; category c102; category c103; +category c104; category c105; category c106; category c107; +category c108; category c109; category c110; category c111; +category c112; category c113; category c114; category c115; +category c116; category c117; category c118; category c119; +category c120; category c121; category c122; category c123; +category c124; category c125; category c126; category c127; +category c128; category c129; category c130; category c131; +category c132; category c133; category c134; category c135; +category c136; category c137; category c138; category c139; +category c140; category c141; category c142; category c143; +category c144; category c145; category c146; category c147; +category c148; category c149; category c150; category c151; +category c152; category c153; category c154; category c155; +category c156; category c157; category c158; category c159; +category c160; category c161; category c162; category c163; +category c164; category c165; category c166; category c167; +category c168; category c169; category c170; category c171; +category c172; category c173; category c174; category c175; +category c176; category c177; category c178; category c179; +category c180; category c181; category c182; category c183; +category c184; category c185; category c186; category c187; +category c188; category c189; category c190; category c191; +category c192; category c193; category c194; category c195; +category c196; category c197; category c198; category c199; +category c200; category c201; category c202; category c203; +category c204; category c205; category c206; category c207; +category c208; category c209; category c210; category c211; +category c212; category c213; category c214; category c215; +category c216; category c217; category c218; category c219; +category c220; category c221; category c222; category c223; +category c224; category c225; category c226; category c227; +category c228; category c229; category c230; category c231; +category c232; category c233; category c234; category c235; +category c236; category c237; category c238; category c239; +category c240; category c241; category c242; category c243; +category c244; category c245; category c246; category c247; +category c248; category c249; category c250; category c251; +category c252; category c253; category c254; category c255; + + +# +# Each MLS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +level s0:c0.c255; +level s1:c0.c255; +level s2:c0.c255; +level s3:c0.c255; +level s4:c0.c255; +level s5:c0.c255; +level s6:c0.c255; +level s7:c0.c255; +level s8:c0.c255; +level s9:c0.c255; +level s10:c0.c255; +level s11:c0.c255; +level s12:c0.c255; +level s13:c0.c255; +level s14:c0.c255; +level s15:c0.c255; + + +# +# Define the MLS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +# +# MLS policy for the file classes +# + +# make sure these file classes are "single level" +mlsconstrain { file lnk_file fifo_file } { create relabelto } + ( l2 eq h2 ); + +# new file labels must be dominated by the relabeling subject's clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto + ( h1 dom h2 ); + +# the file "read" ops (note the check is dominance of the low level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain dir search + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread ) or + ( t2 == mlstrustedobject )); + +# the "single level" file "write" ops +mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# the "ranged" file "write" ops +mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain dir { add_name remove_name reparent rmdir } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# these access vectors have no MLS restrictions +# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } +# +# { file chr_file } { execute_no_trans entrypoint execmod } + +# the file upgrade/downgrade rule +mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } + ((( l1 eq l2 ) or + (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( h1 eq h2 ) or + (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); + +# create can also require the upgrade/downgrade checks if the creating process +# has used setfscreate (note that both the high and low level of the object +# default to the process' sensitivity level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create + ((( l1 eq l2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( l1 eq h2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); + + + + +# +# MLS policy for the filesystem class +# + +# new filesystem labels must be dominated by the relabeling subject's clearance +mlsconstrain filesystem relabelto + ( h1 dom h2 ); + +# the filesystem "read" ops (implicit single level) +mlsconstrain filesystem { getattr quotaget } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread )); + +# all the filesystem "write" ops (implicit single level) +mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite )); + +# these access vectors have no MLS restrictions +# filesystem { transition associate } + + + + +# +# MLS policy for the socket classes +# + +# new socket labels must be dominated by the relabeling subject's clearance +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto + ( h1 dom h2 ); + +# the socket "read" ops (note the check is dominance of the low level) +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +# the socket "write" ops +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +# these access vectors have no MLS restrictions +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } +# +# { tcp_socket udp_socket rawip_socket } node_bind +# +# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } +# +# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write +# + + + + +# +# MLS policy for the ipc classes +# + +# the ipc "read" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { getattr read unix_read } + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +mlsconstrain msg receive + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +# the ipc "write" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msgq enqueue + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain shm lock + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msg send + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +# these access vectors have no MLS restrictions +# { ipc sem msgq shm } associate + + + + +# +# MLS policy for the fd class +# + +# these access vectors have no MLS restrictions +# fd use + + + + +# +# MLS policy for the network object classes +# + +# the netif/node "read" ops (implicit single level socket doing the read) +# (note the check is dominance of the low level) +mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } + (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); + +# the netif/node "write" ops (implicit single level socket doing the write) +mlsconstrain { netif node } { tcp_send udp_send rawip_send } + (( l1 dom l2 ) and ( l1 domby h2 )); + +# these access vectors have no MLS restrictions +# { netif node } { enforce_dest } + + + + +# +# MLS policy for the process class +# + +# new process labels must be dominated by the relabeling subject's clearance +# and sensitivity level changes require privilege +mlsconstrain process transition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or + (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); +mlsconstrain process dyntransition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); + +# all the process "read" ops +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (( l1 dom l2 ) or + (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsprocread )); + +# all the process "write" ops (note the check is equality on the low level) +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } + (( l1 eq l2 ) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsprocwrite )); + +# these access vectors have no MLS restrictions +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem } + + + + +# +# MLS policy for the security class +# + +# these access vectors have no MLS restrictions +# security * + + + + +# +# MLS policy for the system class +# + +# these access vectors have no MLS restrictions +# system * + + + + +# +# MLS policy for the capability class +# + +# these access vectors have no MLS restrictions +# capability * + + + + +# +# MLS policy for the passwd class +# + +# these access vectors have no MLS restrictions +# passwd * + + + + +# +# MLS policy for the drawable class +# + +# the drawable "read" ops (implicit single level) +mlsconstrain drawable { getattr copy } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the drawable "write" ops (implicit single level) +mlsconstrain drawable { create destroy draw copy } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the gc class +# + +# the gc "read" ops (implicit single level) +mlsconstrain gc getattr + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the gc "write" ops (implicit single level) +mlsconstrain gc { create free setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the window class +# + +# the window "read" ops (implicit single level) +mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the window "write" ops (implicit single level) +mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite ) or + ( t2 == mlstrustedobject )); + +# these access vectors have no MLS restrictions +# window { map unmap } + + + + +# +# MLS policy for the font class +# + +# the font "read" ops (implicit single level) +mlsconstrain font { load getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the font "write" ops (implicit single level) +mlsconstrain font free + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# font use + + + + +# +# MLS policy for the colormap class +# + +# the colormap "read" ops (implicit single level) +mlsconstrain colormap { list read getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadcolormap ) or + ( t1 == mlsxwinread )); + +# the colormap "write" ops (implicit single level) +mlsconstrain colormap { create free install uninstall store setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritecolormap ) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the property class +# + +# the property "read" ops (implicit single level) +mlsconstrain property { read } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadproperty ) or + ( t1 == mlsxwinread )); + +# the property "write" ops (implicit single level) +mlsconstrain property { create free write } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwriteproperty ) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the cursor class +# + +# the cursor "write" ops (implicit single level) +mlsconstrain cursor { create createglyph free assign setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xclient class +# + +# the xclient "write" ops (implicit single level) +mlsconstrain xclient kill + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xinput class +# + +# these access vectors have no MLS restrictions +# xinput ~{ relabelinput setattr } + +# the xinput "write" ops (implicit single level) +mlsconstrain xinput { setattr relabelinput } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritexinput ) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xserver class +# + +# these access vectors have no MLS restrictions +# xserver * + + + + +# +# MLS policy for the xextension class +# + +# these access vectors have no MLS restrictions +# xextension { query use } + + +# +# MLS policy for the pax class +# + +# these access vectors have no MLS restrictions +# pax { pageexec emutramp mprotect randmmap randexec segmexec } + + + + +# +# MLS policy for the dbus class +# + +# these access vectors have no MLS restrictions +# dbus { acquire_svc send_msg } + + + + +# +# MLS policy for the nscd class +# + +# these access vectors have no MLS restrictions +# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } + + + + +# +# MLS policy for the association class +# + +# these access vectors have no MLS restrictions +# association { sendto recvfrom } + diff --git a/mls/net_contexts b/mls/net_contexts new file mode 100644 index 0000000..c15f994 --- /dev/null +++ b/mls/net_contexts @@ -0,0 +1,251 @@ +# FLASK + +# +# Security contexts for network entities +# If no context is specified, then a default initial SID is used. +# + +# Modified by Reino Wallin +# Multi NIC, and IPSEC features + +# Modified by Russell Coker +# ifdefs to encapsulate domains, and many additional port contexts + +# +# Port numbers (default = initial SID "port") +# +# protocol number context +# protocol low-high context +# +portcon tcp 7 system_u:object_r:inetd_child_port_t:s0 +portcon udp 7 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 9 system_u:object_r:inetd_child_port_t:s0 +portcon udp 9 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 13 system_u:object_r:inetd_child_port_t:s0 +portcon udp 13 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 19 system_u:object_r:inetd_child_port_t:s0 +portcon udp 19 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 37 system_u:object_r:inetd_child_port_t:s0 +portcon udp 37 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 113 system_u:object_r:auth_port_t:s0 +portcon tcp 512 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 543 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 544 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 891 system_u:object_r:inetd_child_port_t:s0 +portcon udp 891 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 892 system_u:object_r:inetd_child_port_t:s0 +portcon udp 892 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 20 system_u:object_r:ftp_data_port_t:s0 +portcon tcp 21 system_u:object_r:ftp_port_t:s0 +portcon tcp 22 system_u:object_r:ssh_port_t:s0 +portcon tcp 23 system_u:object_r:telnetd_port_t:s0 + +portcon tcp 25 system_u:object_r:smtp_port_t:s0 +portcon tcp 465 system_u:object_r:smtp_port_t:s0 +portcon tcp 587 system_u:object_r:smtp_port_t:s0 + +portcon udp 500 system_u:object_r:isakmp_port_t:s0 +portcon udp 53 system_u:object_r:dns_port_t:s0 +portcon tcp 53 system_u:object_r:dns_port_t:s0 + +portcon udp 67 system_u:object_r:dhcpd_port_t:s0 +portcon udp 647 system_u:object_r:dhcpd_port_t:s0 +portcon tcp 647 system_u:object_r:dhcpd_port_t:s0 +portcon udp 847 system_u:object_r:dhcpd_port_t:s0 +portcon tcp 847 system_u:object_r:dhcpd_port_t:s0 +portcon udp 68 system_u:object_r:dhcpc_port_t:s0 +portcon udp 70 system_u:object_r:gopher_port_t:s0 +portcon tcp 70 system_u:object_r:gopher_port_t:s0 + +portcon udp 69 system_u:object_r:tftp_port_t:s0 +portcon tcp 79 system_u:object_r:fingerd_port_t:s0 + +portcon tcp 80 system_u:object_r:http_port_t:s0 +portcon tcp 443 system_u:object_r:http_port_t:s0 +portcon tcp 488 system_u:object_r:http_port_t:s0 +portcon tcp 8008 system_u:object_r:http_port_t:s0 +portcon tcp 8090 system_u:object_r:http_port_t:s0 + +portcon tcp 106 system_u:object_r:pop_port_t:s0 +portcon tcp 109 system_u:object_r:pop_port_t:s0 +portcon tcp 110 system_u:object_r:pop_port_t:s0 +portcon tcp 143 system_u:object_r:pop_port_t:s0 +portcon tcp 220 system_u:object_r:pop_port_t:s0 +portcon tcp 993 system_u:object_r:pop_port_t:s0 +portcon tcp 995 system_u:object_r:pop_port_t:s0 +portcon tcp 1109 system_u:object_r:pop_port_t:s0 + +portcon udp 111 system_u:object_r:portmap_port_t:s0 +portcon tcp 111 system_u:object_r:portmap_port_t:s0 + +portcon tcp 119 system_u:object_r:innd_port_t:s0 +portcon udp 123 system_u:object_r:ntp_port_t:s0 + +portcon tcp 137 system_u:object_r:smbd_port_t:s0 +portcon udp 137 system_u:object_r:nmbd_port_t:s0 +portcon tcp 138 system_u:object_r:smbd_port_t:s0 +portcon udp 138 system_u:object_r:nmbd_port_t:s0 +portcon tcp 139 system_u:object_r:smbd_port_t:s0 +portcon udp 139 system_u:object_r:nmbd_port_t:s0 +portcon tcp 445 system_u:object_r:smbd_port_t:s0 + +portcon udp 161 system_u:object_r:snmp_port_t:s0 +portcon udp 162 system_u:object_r:snmp_port_t:s0 +portcon tcp 199 system_u:object_r:snmp_port_t:s0 +portcon udp 512 system_u:object_r:comsat_port_t:s0 + +portcon tcp 389 system_u:object_r:ldap_port_t:s0 +portcon udp 389 system_u:object_r:ldap_port_t:s0 +portcon tcp 636 system_u:object_r:ldap_port_t:s0 +portcon udp 636 system_u:object_r:ldap_port_t:s0 + +portcon tcp 513 system_u:object_r:rlogind_port_t:s0 +portcon tcp 514 system_u:object_r:rsh_port_t:s0 + +portcon tcp 515 system_u:object_r:printer_port_t:s0 +portcon udp 514 system_u:object_r:syslogd_port_t:s0 +portcon udp 517 system_u:object_r:ktalkd_port_t:s0 +portcon udp 518 system_u:object_r:ktalkd_port_t:s0 +portcon tcp 631 system_u:object_r:ipp_port_t:s0 +portcon udp 631 system_u:object_r:ipp_port_t:s0 +portcon tcp 88 system_u:object_r:kerberos_port_t:s0 +portcon udp 88 system_u:object_r:kerberos_port_t:s0 +portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0 +portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0 +portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0 +portcon tcp 750 system_u:object_r:kerberos_port_t:s0 +portcon udp 750 system_u:object_r:kerberos_port_t:s0 +portcon tcp 783 system_u:object_r:spamd_port_t:s0 +portcon tcp 540 system_u:object_r:uucpd_port_t:s0 +portcon tcp 2401 system_u:object_r:cvs_port_t:s0 +portcon udp 2401 system_u:object_r:cvs_port_t:s0 +portcon tcp 873 system_u:object_r:rsync_port_t:s0 +portcon udp 873 system_u:object_r:rsync_port_t:s0 +portcon tcp 901 system_u:object_r:swat_port_t:s0 +portcon tcp 953 system_u:object_r:rndc_port_t:s0 +portcon tcp 1213 system_u:object_r:giftd_port_t:s0 +portcon tcp 1241 system_u:object_r:nessus_port_t:s0 +portcon tcp 1234 system_u:object_r:monopd_port_t:s0 +portcon udp 1645 system_u:object_r:radius_port_t:s0 +portcon udp 1646 system_u:object_r:radacct_port_t:s0 +portcon udp 1812 system_u:object_r:radius_port_t:s0 +portcon udp 1813 system_u:object_r:radacct_port_t:s0 +portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0 +portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0 +portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0 +portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0 +portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0 +portcon udp 7000 system_u:object_r:afs_fs_port_t:s0 +portcon udp 7002 system_u:object_r:afs_pt_port_t:s0 +portcon udp 7003 system_u:object_r:afs_vl_port_t:s0 +portcon udp 7004 system_u:object_r:afs_ka_port_t:s0 +portcon udp 7005 system_u:object_r:afs_fs_port_t:s0 +portcon udp 7007 system_u:object_r:afs_bos_port_t:s0 +portcon tcp 1720 system_u:object_r:asterisk_port_t:s0 +portcon udp 2427 system_u:object_r:asterisk_port_t:s0 +portcon udp 2727 system_u:object_r:asterisk_port_t:s0 +portcon udp 4569 system_u:object_r:asterisk_port_t:s0 +portcon udp 5060 system_u:object_r:asterisk_port_t:s0 +portcon tcp 2000 system_u:object_r:mail_port_t:s0 +portcon tcp 2601 system_u:object_r:zebra_port_t:s0 +portcon tcp 2605 system_u:object_r:zebra_port_t:s0 +portcon tcp 2628 system_u:object_r:dict_port_t:s0 +portcon tcp 3306 system_u:object_r:mysqld_port_t:s0 +portcon tcp 3632 system_u:object_r:distccd_port_t:s0 +portcon udp 4011 system_u:object_r:pxe_port_t:s0 +portcon udp 5000 system_u:object_r:openvpn_port_t:s0 +portcon tcp 5323 system_u:object_r:imaze_port_t:s0 +portcon udp 5323 system_u:object_r:imaze_port_t:s0 +portcon tcp 5335 system_u:object_r:howl_port_t:s0 +portcon udp 5353 system_u:object_r:howl_port_t:s0 +portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0 +portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0 +portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0 +portcon tcp 5432 system_u:object_r:postgresql_port_t:s0 +portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0 +portcon tcp 5703 system_u:object_r:ptal_port_t:s0 +portcon tcp 9290 system_u:object_r:hplip_port_t:s0 +portcon tcp 9291 system_u:object_r:hplip_port_t:s0 +portcon tcp 9292 system_u:object_r:hplip_port_t:s0 +portcon tcp 50000 system_u:object_r:hplip_port_t:s0 +portcon tcp 50002 system_u:object_r:hplip_port_t:s0 +portcon tcp 5900 system_u:object_r:vnc_port_t:s0 +portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0 +portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0 +portcon tcp 6000 system_u:object_r:xserver_port_t:s0 +portcon tcp 6001 system_u:object_r:xserver_port_t:s0 +portcon tcp 6002 system_u:object_r:xserver_port_t:s0 +portcon tcp 6003 system_u:object_r:xserver_port_t:s0 +portcon tcp 6004 system_u:object_r:xserver_port_t:s0 +portcon tcp 6005 system_u:object_r:xserver_port_t:s0 +portcon tcp 6006 system_u:object_r:xserver_port_t:s0 +portcon tcp 6007 system_u:object_r:xserver_port_t:s0 +portcon tcp 6008 system_u:object_r:xserver_port_t:s0 +portcon tcp 6009 system_u:object_r:xserver_port_t:s0 +portcon tcp 6010 system_u:object_r:xserver_port_t:s0 +portcon tcp 6011 system_u:object_r:xserver_port_t:s0 +portcon tcp 6012 system_u:object_r:xserver_port_t:s0 +portcon tcp 6013 system_u:object_r:xserver_port_t:s0 +portcon tcp 6014 system_u:object_r:xserver_port_t:s0 +portcon tcp 6015 system_u:object_r:xserver_port_t:s0 +portcon tcp 6016 system_u:object_r:xserver_port_t:s0 +portcon tcp 6017 system_u:object_r:xserver_port_t:s0 +portcon tcp 6018 system_u:object_r:xserver_port_t:s0 +portcon tcp 6019 system_u:object_r:xserver_port_t:s0 +portcon tcp 6667 system_u:object_r:ircd_port_t:s0 +portcon tcp 8000 system_u:object_r:soundd_port_t:s0 +# 9433 is for YIFF +portcon tcp 9433 system_u:object_r:soundd_port_t:s0 +portcon tcp 3128 system_u:object_r:http_cache_port_t:s0 +portcon tcp 8080 system_u:object_r:http_cache_port_t:s0 +portcon udp 3130 system_u:object_r:http_cache_port_t:s0 +# 8118 is for privoxy +portcon tcp 8118 system_u:object_r:http_cache_port_t:s0 + +portcon udp 4041 system_u:object_r:clockspeed_port_t:s0 +portcon tcp 8081 system_u:object_r:transproxy_port_t:s0 +portcon udp 10080 system_u:object_r:amanda_port_t:s0 +portcon tcp 10080 system_u:object_r:amanda_port_t:s0 +portcon udp 10081 system_u:object_r:amanda_port_t:s0 +portcon tcp 10081 system_u:object_r:amanda_port_t:s0 +portcon tcp 10082 system_u:object_r:amanda_port_t:s0 +portcon tcp 10083 system_u:object_r:amanda_port_t:s0 +portcon tcp 60000 system_u:object_r:postgrey_port_t:s0 + +portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0 +portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0 +portcon tcp 3310 system_u:object_r:clamd_port_t:s0 +portcon udp 6276 system_u:object_r:dcc_port_t:s0 +portcon udp 6277 system_u:object_r:dcc_port_t:s0 +portcon udp 24441 system_u:object_r:pyzor_port_t:s0 +portcon tcp 2703 system_u:object_r:razor_port_t:s0 +portcon tcp 8021 system_u:object_r:zope_port_t:s0 + +# Defaults for reserved ports. Earlier portcon entries take precedence; +# these entries just cover any remaining reserved ports not otherwise +# declared or omitted due to removal of a domain. +portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0 +portcon udp 1-1023 system_u:object_r:reserved_port_t:s0 + +# Network interfaces (default = initial SID "netif" and "netmsg") +# +# interface netif_context default_msg_context +# +netifcon lo system_u:object_r:netif_lo_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 + +# Nodes (default = initial SID "node") +# +# address mask context +# +nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t:s0 - s15:c0.c255 +nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t:s0 +nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t:s0 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t:s0 +nodecon ff00:: ff00:: system_u:object_r:node_multicast_t:s0 +nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t:s0 +nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t:s0 +nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t:s0 +nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t:s0 + +# FLASK diff --git a/mls/rbac b/mls/rbac new file mode 100644 index 0000000..708f70d --- /dev/null +++ b/mls/rbac @@ -0,0 +1,33 @@ +################################################ +# +# Role-based access control (RBAC) configuration. +# + +# The RBAC configuration was originally centralized in this +# file, but has been decomposed into individual role declarations, +# role allow rules, and role transition rules throughout the TE +# configuration to support easy removal or adding of domains without +# modifying a centralized file each time. This also allowed the macros +# to properly instantiate role declarations and rules for domains. +# Hence, this file is largely unused, except for miscellaneous +# role allow rules. + +######################################## +# +# Role allow rules. +# +# A role allow rule specifies the allowable +# transitions between roles on an execve. +# If no rule is specified, then the change in +# roles will not be permitted. Additional +# controls over role transitions based on the +# type of the process may be specified through +# the constraints file. +# +# The syntax of a role allow rule is: +# allow current_role new_role ; +# +# Allow the admin role to transition to the system +# role for run_init. +# +allow sysadm_r system_r; diff --git a/mls/tunables/distro.tun b/mls/tunables/distro.tun new file mode 100644 index 0000000..00b6eca --- /dev/null +++ b/mls/tunables/distro.tun @@ -0,0 +1,14 @@ +# Distro-specific customizations. + +# Comment out all but the one that matches your distro. +# The policy .te files can then wrap distro-specific customizations with +# appropriate ifdefs. + + +define(`distro_redhat') + +dnl define(`distro_suse') + +dnl define(`distro_gentoo') + +dnl define(`distro_debian') diff --git a/mls/tunables/tunable.tun b/mls/tunables/tunable.tun new file mode 100644 index 0000000..35dd15e --- /dev/null +++ b/mls/tunables/tunable.tun @@ -0,0 +1,35 @@ +# Allow rpm to run unconfined. +define(`unlimitedRPM') + +# Allow privileged utilities like hotplug and insmod to run unconfined. +dnl define(`unlimitedUtils') + +# Allow rc scripts to run unconfined, including any daemon +# started by an rc script that does not have a domain transition +# explicitly defined. +dnl define(`unlimitedRC') + +# Allow sysadm_t to directly start daemons +dnl define(`direct_sysadm_daemon') + +# Do not allow sysadm_t to be in the security manager domain +define(`separate_secadm') + +# Do not audit things that we know to be broken but which +# are not security risks +define(`hide_broken_symptoms') + +# Allow user_r to reach sysadm_r via su, sudo, or userhelper. +# Otherwise, only staff_r can do so. +dnl define(`user_canbe_sysadm') + +# Allow xinetd to run unconfined, including any services it starts +# that do not have a domain transition explicitly defined. +dnl define(`unlimitedInetd') + +# for ndc_t to be used for restart shell scripts +dnl define(`ndc_shell_script') + +# Enable Polyinstantiation support +dnl define(`support_polyinstatiation') +define(`mls_policy') diff --git a/mls/types/device.te b/mls/types/device.te new file mode 100644 index 0000000..aee0a4c --- /dev/null +++ b/mls/types/device.te @@ -0,0 +1,163 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Device types +# + +# +# device_t is the type of /dev. +# +type device_t, file_type, mount_point, dev_fs; + +# +# null_device_t is the type of /dev/null. +# +type null_device_t, device_type, dev_fs, mlstrustedobject; + +# +# zero_device_t is the type of /dev/zero. +# +type zero_device_t, device_type, dev_fs, mlstrustedobject; + +# +# console_device_t is the type of /dev/console. +# +type console_device_t, device_type, dev_fs; + +# +# xconsole_device_t is the type of /dev/xconsole +type xconsole_device_t, file_type, dev_fs; + +# +# memory_device_t is the type of /dev/kmem, +# /dev/mem, and /dev/port. +# +type memory_device_t, device_type, dev_fs; + +# +# random_device_t is the type of /dev/random +# urandom_device_t is the type of /dev/urandom +# +type random_device_t, device_type, dev_fs; +type urandom_device_t, device_type, dev_fs; + +# +# devtty_t is the type of /dev/tty. +# +type devtty_t, device_type, dev_fs, mlstrustedobject; + +# +# tty_device_t is the type of /dev/*tty* +# +type tty_device_t, serial_device, device_type, dev_fs; + +# +# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] +type bsdpty_device_t, device_type, dev_fs; + +# +# usbtty_device_t is the type of /dev/usr/tty* +# +type usbtty_device_t, serial_device, device_type, dev_fs; + +# +# printer_device_t is the type for printer devices +# +type printer_device_t, device_type, dev_fs; + +# +# fixed_disk_device_t is the type of +# /dev/hd* and /dev/sd*. +# +type fixed_disk_device_t, device_type, dev_fs; + +# +# scsi_generic_device_t is the type of /dev/sg* +# it gives access to ALL SCSI devices (both fixed and removable) +# +type scsi_generic_device_t, device_type, dev_fs; + +# +# removable_device_t is the type of +# /dev/scd* and /dev/fd*. +# +type removable_device_t, device_type, dev_fs; + +# +# clock_device_t is the type of +# /dev/rtc. +# +type clock_device_t, device_type, dev_fs; + +# +# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* +# +type tun_tap_device_t, device_type, dev_fs; + +# +# misc_device_t is the type of miscellaneous devices. +# XXX: FIXME! Appropriate access to these devices need to be identified. +# +type misc_device_t, device_type, dev_fs; + +# +# A more general type for mouse devices. +# +type mouse_device_t, device_type, dev_fs; + +# +# For generic /dev/input/event* event devices +# +type event_device_t, device_type, dev_fs; + +# +# Not sure what these devices are for, but X wants access to them. +# +type agp_device_t, device_type, dev_fs; +type dri_device_t, device_type, dev_fs; + +# Type for sound devices. +type sound_device_t, device_type, dev_fs; + +# Type for /dev/ppp. +type ppp_device_t, device_type, dev_fs; + +# Type for frame buffer /dev/fb/* +type framebuf_device_t, device_type, dev_fs; + +# Type for /dev/.devfsd +type devfs_control_t, device_type, dev_fs; + +# Type for /dev/cpu/mtrr and /proc/mtrr +type mtrr_device_t, device_type, dev_fs, proc_fs; + +# Type for /dev/pmu +type power_device_t, device_type, dev_fs; + +# Type for /dev/apm_bios +type apm_bios_t, device_type, dev_fs; + +# Type for v4l +type v4l_device_t, device_type, dev_fs; + +# tape drives +type tape_device_t, device_type, dev_fs; + +# scanners +type scanner_device_t, device_type, dev_fs; + +# cpu control devices /dev/cpu/0/* +type cpu_device_t, device_type, dev_fs; + +# for other device nodes such as the NVidia binary-only driver +type xserver_misc_device_t, device_type, dev_fs; + +# for the IBM zSeries z90crypt hardware ssl accelorator +type crypt_device_t, device_type, dev_fs; + + + + diff --git a/mls/types/devpts.te b/mls/types/devpts.te new file mode 100644 index 0000000..c6982ac --- /dev/null +++ b/mls/types/devpts.te @@ -0,0 +1,23 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Devpts types +# + +# +# ptmx_t is the type for /dev/ptmx. +# +type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject; + +# +# devpts_t is the type of the devpts file system and +# the type of the root directory of the file system. +# +type devpts_t, mount_point, fs_type; + +ifdef(`targeted_policy', ` +typeattribute devpts_t ttyfile; +') diff --git a/mls/types/file.te b/mls/types/file.te new file mode 100644 index 0000000..fc03dcd --- /dev/null +++ b/mls/types/file.te @@ -0,0 +1,326 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +####################################### +# +# General file-related types +# + +# +# unlabeled_t is the type of unlabeled objects. +# Objects that have no known labeling information or that +# have labels that are no longer valid are treated as having this type. +# +type unlabeled_t, sysadmfile; + +# +# fs_t is the default type for conventional filesystems. +# +type fs_t, fs_type; + +# needs more work +type eventpollfs_t, fs_type; +type futexfs_t, fs_type; +type bdev_t, fs_type; +type usbfs_t, mount_point, fs_type; +type nfsd_fs_t, fs_type; +type rpc_pipefs_t, fs_type; +type binfmt_misc_fs_t, mount_point, fs_type; + +# +# file_t is the default type of a file that has not yet been +# assigned an extended attribute (EA) value (when using a filesystem +# that supports EAs). +# +type file_t, file_type, mount_point, sysadmfile; + +# default_t is the default type for files that do not +# match any specification in the file_contexts configuration +# other than the generic /.* specification. +type default_t, file_type, mount_point, sysadmfile; + +# +# root_t is the type for the root directory. +# +type root_t, file_type, mount_point, polyparent, sysadmfile; + +# +# mnt_t is the type for mount points such as /mnt/cdrom +type mnt_t, file_type, mount_point, sysadmfile; + +# +# home_root_t is the type for the directory where user home directories +# are created +# +type home_root_t, file_type, mount_point, polyparent, sysadmfile; + +# +# lost_found_t is the type for the lost+found directories. +# +type lost_found_t, file_type, sysadmfile; + +# +# boot_t is the type for files in /boot, +# including the kernel. +# +type boot_t, file_type, mount_point, sysadmfile; +# system_map_t is for the system.map files in /boot +type system_map_t, file_type, sysadmfile; + +# +# boot_runtime_t is the type for /boot/kernel.h, +# which is automatically generated at boot time. +# only for red hat +type boot_runtime_t, file_type, sysadmfile; + +# +# tmp_t is the type of /tmp and /var/tmp. +# +type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile; + +# +# etc_t is the type of the system etc directories. +# +type etc_t, file_type, sysadmfile; + +# etc_mail_t is the type of /etc/mail. +type etc_mail_t, file_type, sysadmfile, usercanread; + +# +# shadow_t is the type of the /etc/shadow file +# +type shadow_t, file_type, secure_file_type; +allow auth shadow_t:file { getattr read }; + +# +# ld_so_cache_t is the type of /etc/ld.so.cache. +# +type ld_so_cache_t, file_type, sysadmfile; + +# +# etc_runtime_t is the type of various +# files in /etc that are automatically +# generated during initialization. +# +type etc_runtime_t, file_type, sysadmfile; + +# +# fonts_runtime_t is the type of various +# fonts files in /usr that are automatically +# generated during initialization. +# +type fonts_t, file_type, sysadmfile, usercanread; + +# +# etc_aliases_t is the type of the aliases database. +# +type etc_aliases_t, file_type, sysadmfile; + +# net_conf_t is the type of the /etc/resolv.conf file. +# all DHCP clients and PPP need write access to this file. +type net_conf_t, file_type, sysadmfile; + +# +# lib_t is the type of files in the system lib directories. +# +type lib_t, file_type, sysadmfile; + +# +# shlib_t is the type of shared objects in the system lib +# directories. +# +ifdef(`targeted_policy', ` +typealias lib_t alias shlib_t; +', ` +type shlib_t, file_type, sysadmfile; +') + +# +# texrel_shlib_t is the type of shared objects in the system lib +# directories, which require text relocation. +# +ifdef(`targeted_policy', ` +typealias lib_t alias texrel_shlib_t; +', ` +type texrel_shlib_t, file_type, sysadmfile; +') + +# ld_so_t is the type of the system dynamic loaders. +# +type ld_so_t, file_type, sysadmfile; + +# +# bin_t is the type of files in the system bin directories. +# +type bin_t, file_type, sysadmfile; + +# +# cert_t is the type of files in the system certs directories. +# +type cert_t, file_type, sysadmfile, secure_file_type; + +# +# ls_exec_t is the type of the ls program. +# +type ls_exec_t, file_type, exec_type, sysadmfile; + +# +# shell_exec_t is the type of user shells such as /bin/bash. +# +type shell_exec_t, file_type, exec_type, sysadmfile; + +# +# sbin_t is the type of files in the system sbin directories. +# +type sbin_t, file_type, sysadmfile; + +# +# usr_t is the type for /usr. +# +type usr_t, file_type, mount_point, sysadmfile; + +# +# src_t is the type of files in the system src directories. +# +type src_t, file_type, mount_point, sysadmfile; + +# +# var_t is the type for /var. +# +type var_t, file_type, mount_point, sysadmfile; + +# +# Types for subdirectories of /var. +# +type var_run_t, file_type, sysadmfile; +type var_log_t, file_type, sysadmfile, logfile; +typealias var_log_t alias crond_log_t; +type faillog_t, file_type, sysadmfile, logfile; +type var_lock_t, file_type, sysadmfile, lockfile; +type var_lib_t, mount_point, file_type, sysadmfile; +type var_auth_t, file_type, sysadmfile; +# for /var/{spool,lib}/texmf index files +type tetex_data_t, file_type, sysadmfile, tmpfile; +type var_spool_t, file_type, sysadmfile, tmpfile; +type var_yp_t, file_type, sysadmfile; + +# Type for /var/log/ksyms. +type var_log_ksyms_t, file_type, sysadmfile, logfile; + +# Type for /var/log/lastlog. +type lastlog_t, file_type, sysadmfile, logfile; + +# Type for /var/lib/nfs. +type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread; + +# +# wtmp_t is the type of /var/log/wtmp. +# +type wtmp_t, file_type, sysadmfile, logfile; + +# +# cron_spool_t is the type for /var/spool/cron. +# +type cron_spool_t, file_type, sysadmfile; + +# +# print_spool_t is the type for /var/spool/lpd and /var/spool/cups. +# +type print_spool_t, file_type, sysadmfile, tmpfile; + +# +# mail_spool_t is the type for /var/spool/mail. +# +type mail_spool_t, file_type, sysadmfile; + +# +# mqueue_spool_t is the type for /var/spool/mqueue. +# +type mqueue_spool_t, file_type, sysadmfile; + +# +# man_t is the type for the man directories. +# +type man_t, file_type, sysadmfile; +typealias man_t alias catman_t; + +# +# readable_t is a general type for +# files that are readable by all domains. +# +type readable_t, file_type, sysadmfile; + +# +# Base type for the tests directory. +# +type test_file_t, file_type, sysadmfile; + +# +# poly_t is the type for the polyinstantiated directories. +# +type poly_t, file_type, sysadmfile; + +# +# swapfile_t is for swap files +# +type swapfile_t, file_type, sysadmfile; + +# +# locale_t is the type for system localization +# +type locale_t, file_type, sysadmfile; + +# +# Allow each file type to be associated with +# the default file system type. +# +allow { file_type device_type ttyfile } fs_t:filesystem associate; + +type tmpfs_t, file_type, mount_point, sysadmfile, fs_type; +allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate; +allow { logfile tmpfile home_type } tmp_t:filesystem associate; +ifdef(`distro_redhat', ` +allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate; +') + +type autofs_t, fs_type, noexattrfile, sysadmfile; +type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile; +type sysfs_t, mount_point, fs_type, sysadmfile; +type iso9660_t, fs_type, noexattrfile, sysadmfile; +type romfs_t, fs_type, sysadmfile; +type ramfs_t, fs_type, sysadmfile; +type dosfs_t, fs_type, noexattrfile, sysadmfile; +type hugetlbfs_t, mount_point, fs_type, sysadmfile; +typealias file_t alias mqueue_t; + +# udev_runtime_t is the type of the udev table file +type udev_runtime_t, file_type, sysadmfile; + +# krb5_conf_t is the type of the /etc/krb5.conf file +type krb5_conf_t, file_type, sysadmfile; + +type cifs_t, fs_type, noexattrfile, sysadmfile; +type debugfs_t, fs_type, sysadmfile; +type configfs_t, fs_type, sysadmfile; +type inotifyfs_t, fs_type, sysadmfile; +type capifs_t, fs_type, sysadmfile; + +# removable_t is the default type of all removable media +type removable_t, file_type, sysadmfile, usercanread; +allow file_type removable_t:filesystem associate; +allow file_type noexattrfile:filesystem associate; + +# Type for anonymous FTP data, used by ftp and rsync +type public_content_t, file_type, sysadmfile, customizable; +type public_content_rw_t, file_type, sysadmfile, customizable; +typealias public_content_t alias ftpd_anon_t; +typealias public_content_rw_t alias ftpd_anon_rw_t; + +# type for /tmp/.ICE-unix +type ice_tmp_t, file_type, sysadmfile, tmpfile; + +# type for /usr/share/hwdata +type hwdata_t, file_type, sysadmfile; +allow { fs_type file_type } self:filesystem associate; + diff --git a/mls/types/network.te b/mls/types/network.te new file mode 100644 index 0000000..c5965fd --- /dev/null +++ b/mls/types/network.te @@ -0,0 +1,179 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# Modified by Reino Wallin +# Multi NIC, and IPSEC features + +# Modified by Russell Coker +# Move port types to their respective domains, add ifdefs, other cleanups. + +type xserver_port_t, port_type; +# +# Defines used by the te files need to be defined outside of net_constraints +# +type rsh_port_t, port_type, reserved_port_type; +type dns_port_t, port_type, reserved_port_type; +type smtp_port_t, port_type, reserved_port_type; +type dhcpd_port_t, port_type, reserved_port_type; +type smbd_port_t, port_type, reserved_port_type; +type nmbd_port_t, port_type, reserved_port_type; +type http_cache_port_t, port_type; +type http_port_t, port_type, reserved_port_type; +type ipp_port_t, port_type, reserved_port_type; +type gopher_port_t, port_type, reserved_port_type; +type isakmp_port_t, port_type, reserved_port_type; + +allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect; +type pop_port_t, port_type, reserved_port_type; + +type ftp_port_t, port_type, reserved_port_type; +type ftp_data_port_t, port_type, reserved_port_type; + +############################################ +# +# Network types +# + +# +# mail_port_t is for generic mail ports shared by different mail servers +# +type mail_port_t, port_type; + +# +# Ports used to communicate with kerberos server +# +type kerberos_port_t, port_type, reserved_port_type; +type kerberos_admin_port_t, port_type, reserved_port_type; + +# +# Ports used to communicate with portmap server +# +type portmap_port_t, port_type, reserved_port_type; + +# +# Ports used to communicate with ldap server +# +type ldap_port_t, port_type, reserved_port_type; + +# +# port_t is the default type of INET port numbers. +# The *_port_t types are used for specific port +# numbers in net_contexts or net_contexts.mls. +# +type port_t, port_type; + +# reserved_port_t is the default type for INET reserved ports +# that are not otherwise mapped to a specific port type. +type reserved_port_t, port_type; + +# +# netif_t is the default type of network interfaces. +# The netif_*_t types are used for specific network +# interfaces in net_contexts or net_contexts.mls. +# +type netif_t, netif_type; +type netif_lo_t, netif_type; + + +# +# node_t is the default type of network nodes. +# The node_*_t types are used for specific network +# nodes in net_contexts or net_contexts.mls. +# +type node_t, node_type; +type node_lo_t, node_type; +type node_internal_t, node_type; +type node_inaddr_any_t, node_type; +type node_unspec_t, node_type; +type node_link_local_t, node_type; +type node_site_local_t, node_type; +type node_multicast_t, node_type; +type node_mapped_ipv4_t, node_type; +type node_compat_ipv4_t, node_type; + +# Kernel-generated traffic, e.g. ICMP replies. +allow kernel_t netif_type:netif { rawip_send rawip_recv }; +allow kernel_t node_type:node { rawip_send rawip_recv }; + +# Kernel-generated traffic, e.g. TCP resets. +allow kernel_t netif_type:netif { tcp_send tcp_recv }; +allow kernel_t node_type:node { tcp_send tcp_recv }; +type radius_port_t, port_type; +type radacct_port_t, port_type; +type rndc_port_t, port_type, reserved_port_type; +type tftp_port_t, port_type, reserved_port_type; +type printer_port_t, port_type, reserved_port_type; +type mysqld_port_t, port_type; +type postgresql_port_t, port_type; +type ptal_port_t, port_type; +type howl_port_t, port_type; +type dict_port_t, port_type; +type syslogd_port_t, port_type, reserved_port_type; +type spamd_port_t, port_type, reserved_port_type; +type ssh_port_t, port_type, reserved_port_type; +type pxe_port_t, port_type; +type amanda_port_t, port_type; +type fingerd_port_t, port_type, reserved_port_type; +type dhcpc_port_t, port_type, reserved_port_type; +type ntp_port_t, port_type, reserved_port_type; +type stunnel_port_t, port_type; +type zebra_port_t, port_type; +type i18n_input_port_t, port_type; +type vnc_port_t, port_type; +type pegasus_http_port_t, port_type; +type pegasus_https_port_t, port_type; +type openvpn_port_t, port_type; +type clamd_port_t, port_type; +type transproxy_port_t, port_type; +type clockspeed_port_t, port_type; +type pyzor_port_t, port_type; +type postgrey_port_t, port_type; +type asterisk_port_t, port_type; +type utcpserver_port_t, port_type; +type nessus_port_t, port_type; +type razor_port_t, port_type; +type distccd_port_t, port_type; +type socks_port_t, port_type; +type gatekeeper_port_t, port_type; +type dcc_port_t, port_type; +type lrrd_port_t, port_type; +type jabber_client_port_t, port_type; +type jabber_interserver_port_t, port_type; +type ircd_port_t, port_type; +type giftd_port_t, port_type; +type soundd_port_t, port_type; +type imaze_port_t, port_type; +type monopd_port_t, port_type; +# Differentiate between the port where amavisd receives mail, and the +# port where it returns cleaned mail back to the MTA. +type amavisd_recv_port_t, port_type; +type amavisd_send_port_t, port_type; +type innd_port_t, port_type, reserved_port_type; +type snmp_port_t, port_type, reserved_port_type; +type biff_port_t, port_type, reserved_port_type; +type hplip_port_t, port_type; + +#inetd_child_ports + +type rlogind_port_t, port_type, reserved_port_type; +type telnetd_port_t, port_type, reserved_port_type; +type comsat_port_t, port_type, reserved_port_type; +type cvs_port_t, port_type; +type dbskkd_port_t, port_type; +type inetd_child_port_t, port_type, reserved_port_type; +type ktalkd_port_t, port_type, reserved_port_type; +type rsync_port_t, port_type, reserved_port_type; +type uucpd_port_t, port_type, reserved_port_type; +type swat_port_t, port_type, reserved_port_type; +type zope_port_t, port_type; +type auth_port_t, port_type, reserved_port_type; + +# afs ports + +type afs_fs_port_t, port_type; +type afs_pt_port_t, port_type; +type afs_vl_port_t, port_type; +type afs_ka_port_t, port_type; +type afs_bos_port_t, port_type; + diff --git a/mls/types/nfs.te b/mls/types/nfs.te new file mode 100644 index 0000000..e6dd6e0 --- /dev/null +++ b/mls/types/nfs.te @@ -0,0 +1,21 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################# +# +# NFS types +# + +# +# nfs_t is the default type for NFS file systems +# and their files. +# The nfs_*_t types are used for specific NFS +# servers in net_contexts or net_contexts.mls. +# +type nfs_t, mount_point, fs_type; + +# +# Allow NFS files to be associated with an NFS file system. +# +allow file_type nfs_t:filesystem associate; diff --git a/mls/types/procfs.te b/mls/types/procfs.te new file mode 100644 index 0000000..20703ac --- /dev/null +++ b/mls/types/procfs.te @@ -0,0 +1,50 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Procfs types +# + +# +# proc_t is the type of /proc. +# proc_kmsg_t is the type of /proc/kmsg. +# proc_kcore_t is the type of /proc/kcore. +# proc_mdstat_t is the type of /proc/mdstat. +# proc_net_t is the type of /proc/net. +# +type proc_t, fs_type, mount_point, proc_fs; +type proc_kmsg_t, proc_fs; +type proc_kcore_t, proc_fs; +type proc_mdstat_t, proc_fs; +type proc_net_t, proc_fs; + +# +# sysctl_t is the type of /proc/sys. +# sysctl_fs_t is the type of /proc/sys/fs. +# sysctl_kernel_t is the type of /proc/sys/kernel. +# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe. +# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug. +# sysctl_net_t is the type of /proc/sys/net. +# sysctl_net_unix_t is the type of /proc/sys/net/unix. +# sysctl_vm_t is the type of /proc/sys/vm. +# sysctl_dev_t is the type of /proc/sys/dev. +# sysctl_rpc_t is the type of /proc/net/rpc. +# +# These types are applied to both the entries in +# /proc/sys and the corresponding sysctl parameters. +# +type sysctl_t, mount_point, sysctl_type; +type sysctl_fs_t, sysctl_type; +type sysctl_kernel_t, sysctl_type; +type sysctl_modprobe_t, sysctl_type; +type sysctl_hotplug_t, sysctl_type; +type sysctl_net_t, sysctl_type; +type sysctl_net_unix_t, sysctl_type; +type sysctl_vm_t, sysctl_type; +type sysctl_dev_t, sysctl_type; +type sysctl_rpc_t, sysctl_type; +type sysctl_irq_t, sysctl_type; + + diff --git a/mls/types/security.te b/mls/types/security.te new file mode 100644 index 0000000..cc1574f --- /dev/null +++ b/mls/types/security.te @@ -0,0 +1,60 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Security types +# + +# +# security_t is the target type when checking +# the permissions in the security class. It is also +# applied to selinuxfs inodes. +# +type security_t, mount_point, fs_type, mlstrustedobject; +dontaudit domain security_t:dir search; +dontaudit domain security_t:file { getattr read }; + +# +# policy_config_t is the type of /etc/security/selinux/* +# the security server policy configuration. +# +type policy_config_t, file_type, secadmfile; +# Since libselinux attempts to read these by default, most domains +# do not need it. +dontaudit domain selinux_config_t:dir search; +dontaudit domain selinux_config_t:file { getattr read }; + +# +# policy_src_t is the type of the policy source +# files. +# +type policy_src_t, file_type, secadmfile; + + +# +# default_context_t is the type applied to +# /etc/selinux/*/contexts/* +# +type default_context_t, file_type, login_contexts, secadmfile; + +# +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files +# +type file_context_t, file_type, secadmfile; + +# +# no_access_t is the type for objects that should +# only be accessed administratively. +# +type no_access_t, file_type, sysadmfile; + +# +# selinux_config_t is the type applied to +# /etc/selinux/config +# +type selinux_config_t, file_type, secadmfile; + + diff --git a/mls/types/x.te b/mls/types/x.te new file mode 100644 index 0000000..0cee314 --- /dev/null +++ b/mls/types/x.te @@ -0,0 +1,32 @@ +# +# Authors: Eamon Walsh +# + +####################################### +# +# Types for the SELinux-enabled X Window System +# + +# +# X protocol extension types. The SELinux extension in the X server +# has a hardcoded table that maps actual extension names to these types. +# +type accelgraphics_ext_t, xextension; +type debug_ext_t, xextension; +type font_ext_t, xextension; +type input_ext_t, xextension; +type screensaver_ext_t, xextension; +type security_ext_t, xextension; +type shmem_ext_t, xextension; +type std_ext_t, xextension; +type sync_ext_t, xextension; +type unknown_ext_t, xextension; +type video_ext_t, xextension; +type windowmgr_ext_t, xextension; + +# +# X property types. The SELinux extension in the X server has a +# hardcoded table that maps actual extension names to these types. +# +type wm_property_t, xproperty; +type unknown_property_t, xproperty; diff --git a/mls/users b/mls/users new file mode 100644 index 0000000..058c5fb --- /dev/null +++ b/mls/users @@ -0,0 +1,57 @@ +################################## +# +# User configuration. +# +# This file defines each user recognized by the system security policy. +# Only the user identities defined in this file may be used as the +# user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255; +# +# The MLS default level and allowed range should only be specified if +# MLS was enabled in the policy. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system_u, +# and a user process should never be assigned the system_u user +# identity. +# +user system_u roles system_r level s0 range s0 - s15:c0.c255; + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +user user_u roles { user_r } level s0 range s0 - s0; + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# + +# The sysadm_r user also needs to be permitted system_r if we are to allow +# direct execution of daemons +user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255; + +# sample for administrative user +#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255; + +# sample for regular user +#user jdoe roles { user_r } level s0 range s0 - s15:c0.c255; + +# +# The following users correspond to special Unix identities +# +ifdef(`nx_server.te', ` +user nx roles nx_server_r level s0 range s0 - s15:c0.c255; +')