From 9e91381a2615b42f6c9b4f70c63bf7ff82d77abc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 14 2005 20:26:41 +0000 Subject: change dmesg and loadkeys behavior to aliasing, and enable modules --- diff --git a/refpolicy/policy/modules.conf b/refpolicy/policy/modules.conf index 7bf62f1..fa7af3c 100644 --- a/refpolicy/policy/modules.conf +++ b/refpolicy/policy/modules.conf @@ -175,7 +175,7 @@ quota = off # # Policy for dmesg. # -dmesg = off +dmesg = base # Layer: admin # Module: logrotate @@ -231,7 +231,7 @@ webalizer = base # # Load keyboard mappings. # -loadkeys = off +loadkeys = base # Layer: apps # Module: gpg diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if index baa7769..4471ed6 100644 --- a/refpolicy/policy/modules/admin/dmesg.if +++ b/refpolicy/policy/modules/admin/dmesg.if @@ -9,20 +9,22 @@ ## # interface(`dmesg_domtrans',` - gen_require(` - type dmesg_t, dmesg_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; - ') + ifdef(`targeted_policy',` + # $0(): disabled in targeted policy as there + # is no dmesg domain. + ',` + gen_require(` + type dmesg_t, dmesg_exec_t; + ') - corecmd_search_sbin($1) - domain_auto_trans($1,dmesg_exec_t,dmesg_t) + corecmd_search_sbin($1) + domain_auto_trans($1,dmesg_exec_t,dmesg_t) - allow $1 dmesg_t:fd use; - allow dmesg_t $1:fd use; - allow dmesg_t $1:fifo_file rw_file_perms; - allow dmesg_t $1:process sigchld; + allow $1 dmesg_t:fd use; + allow dmesg_t $1:fd use; + allow dmesg_t $1:fifo_file rw_file_perms; + allow dmesg_t $1:process sigchld; + ') ') ######################################## @@ -34,11 +36,17 @@ interface(`dmesg_domtrans',` ## # interface(`dmesg_exec',` - gen_require(` - type dmesg_exec_t; - ') + ifdef(`targeted_policy',` + # $0(): the dmesg program is an alias + # of generic bin programs. + corecmd_exec_bin($1) + ',` + gen_require(` + type dmesg_exec_t; + ') - corecmd_search_sbin($1) - can_exec($1,dmesg_exec_t) + corecmd_search_sbin($1) + can_exec($1,dmesg_exec_t) + ') ') diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 409a6c9..51f2be7 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -6,70 +6,73 @@ policy_module(dmesg, 1.0) # Declarations # -type dmesg_t; -type dmesg_exec_t; -init_system_domain(dmesg_t,dmesg_exec_t) -role system_r types dmesg_t; +ifdef(`targeted_policy',` + # for compatibility with strict: + corecmd_bin_alias(dmesg_exec_t) +',` + type dmesg_t; + type dmesg_exec_t; + init_system_domain(dmesg_t,dmesg_exec_t) + role system_r types dmesg_t; +') ######################################## # # Local policy # -allow dmesg_t self:capability sys_admin; -dontaudit dmesg_t self:capability sys_tty_config; +ifdef(`targeted_policy',` + # dmesg domain disabled in targeted policy +',` + allow dmesg_t self:capability sys_admin; + dontaudit dmesg_t self:capability sys_tty_config; -allow dmesg_t self:process signal_perms; + allow dmesg_t self:process signal_perms; -kernel_read_kernel_sysctl(dmesg_t) -kernel_read_ring_buffer(dmesg_t) -kernel_clear_ring_buffer(dmesg_t) -kernel_change_ring_buffer_level(dmesg_t) -kernel_list_proc(dmesg_t) -kernel_read_proc_symlinks(dmesg_t) + kernel_read_kernel_sysctl(dmesg_t) + kernel_read_ring_buffer(dmesg_t) + kernel_clear_ring_buffer(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) + kernel_list_proc(dmesg_t) + kernel_read_proc_symlinks(dmesg_t) -dev_read_sysfs(dmesg_t) + dev_read_sysfs(dmesg_t) -fs_search_auto_mountpoints(dmesg_t) + fs_search_auto_mountpoints(dmesg_t) -term_dontaudit_use_console(dmesg_t) + term_dontaudit_use_console(dmesg_t) -domain_use_wide_inherit_fd(dmesg_t) + domain_use_wide_inherit_fd(dmesg_t) -files_list_etc(dmesg_t) -# for when /usr is not mounted: -files_dontaudit_search_isid_type_dir(dmesg_t) + files_list_etc(dmesg_t) + # for when /usr is not mounted: + files_dontaudit_search_isid_type_dir(dmesg_t) -init_use_fd(dmesg_t) -init_use_script_pty(dmesg_t) + init_use_fd(dmesg_t) + init_use_script_pty(dmesg_t) -libs_use_ld_so(dmesg_t) -libs_use_shared_libs(dmesg_t) + libs_use_ld_so(dmesg_t) + libs_use_shared_libs(dmesg_t) -logging_send_syslog_msg(dmesg_t) -logging_write_generic_logs(dmesg_t) + logging_send_syslog_msg(dmesg_t) + logging_write_generic_logs(dmesg_t) -miscfiles_read_localization(dmesg_t) + miscfiles_read_localization(dmesg_t) -userdom_use_sysadm_terms(dmesg_t) -userdom_dontaudit_use_unpriv_user_fd(dmesg_t) + userdom_use_sysadm_terms(dmesg_t) + userdom_dontaudit_use_unpriv_user_fd(dmesg_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_tty(dmesg_t) - term_dontaudit_use_generic_pty(dmesg_t) - files_dontaudit_read_root_file(dmesg_t) -') + optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(dmesg_t) + ') -optional_policy(`selinuxutil.te',` - seutil_sigchld_newrole(dmesg_t) -') - -optional_policy(`udev.te', ` - udev_read_db(dmesg_t) -') + optional_policy(`udev.te', ` + udev_read_db(dmesg_t) + ') -ifdef(`TODO',` -optional_policy(`rhgb.te',` -rhgb_domain(dmesg_t) + ifdef(`TODO',` + optional_policy(`rhgb.te',` + rhgb_domain(dmesg_t) + ') + ') dnl endif TODO ') -') dnl endif TODO diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if index cf97b11..7f6a666 100644 --- a/refpolicy/policy/modules/apps/loadkeys.if +++ b/refpolicy/policy/modules/apps/loadkeys.if @@ -9,20 +9,22 @@ ## # interface(`loadkeys_domtrans',` - gen_require(` - type loadkeys_t, loadkeys_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; - ') + ifdef(`targeted_policy',` + # $0(): disabled in targeted policy as there + # is no loadkeys domain. + ',` + gen_require(` + type loadkeys_t, loadkeys_exec_t; + ') - corecmd_search_bin($1) - domain_auto_trans($1, loadkeys_exec_t, loadkeys_t) + corecmd_search_bin($1) + domain_auto_trans($1, loadkeys_exec_t, loadkeys_t) - allow $1 loadkeys_t:fd use; - allow loadkeys_t $1:fd use; - allow loadkeys_t $1:fifo_file rw_file_perms; - allow loadkeys_t $1:process sigchld; + allow $1 loadkeys_t:fd use; + allow loadkeys_t $1:fd use; + allow loadkeys_t $1:fifo_file rw_file_perms; + allow loadkeys_t $1:process sigchld; + ') ') ######################################## @@ -40,14 +42,18 @@ interface(`loadkeys_domtrans',` ## # interface(`loadkeys_run',` - gen_require(` - type loadkeys_t; - class chr_file rw_term_perms; - ') + ifdef(`targeted_policy',` + # $0(): disabled in targeted policy as there + # is no loadkeys domain. + ',` + gen_require(` + type loadkeys_t; + ') - loadkeys_domtrans($1) - role $2 types loadkeys_t; - allow loadkeys_t $3:chr_file rw_term_perms; + loadkeys_domtrans($1) + role $2 types loadkeys_t; + allow loadkeys_t $3:chr_file rw_term_perms; + ') ') ######################################## @@ -59,9 +65,15 @@ interface(`loadkeys_run',` ## # interface(`loadkeys_exec',` - gen_require(` - type loadkeys_exec_t; - ') + ifdef(`targeted_policy',` + # $0(): the loadkeys program is an alias + # of generic bin programs. + corecmd_exec_bin($1) + ',` + gen_require(` + type loadkeys_exec_t; + ') - can_exec($1,loadkeys_exec_t) + can_exec($1,loadkeys_exec_t) + ') ') diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te index 7e58c33..602c9b1 100644 --- a/refpolicy/policy/modules/apps/loadkeys.te +++ b/refpolicy/policy/modules/apps/loadkeys.te @@ -6,34 +6,43 @@ policy_module(loadkeys,1.0) # Declarations # -# cjp: this should probably be rewritten -# per user domain, since it can rw -# all user domain ttys +ifdef(`targeted_policy',` + # for compatibility with strict: + corecmd_bin_alias(loadkeys_exec_t) +',` + # cjp: this should probably be rewritten + # per user domain, since it can rw + # all user domain ttys -type loadkeys_t; -domain_type(loadkeys_t) + type loadkeys_t; + domain_type(loadkeys_t) -type loadkeys_exec_t; -domain_entry_file(loadkeys_t,loadkeys_exec_t) + type loadkeys_exec_t; + domain_entry_file(loadkeys_t,loadkeys_exec_t) +') ######################################## # # Local policy # -allow loadkeys_t self:capability { setuid sys_tty_config }; -allow loadkeys_t self:fifo_file rw_file_perms; +ifdef(`targeted_policy',` + # loadkeys domain disabled in targeted policy +',` + allow loadkeys_t self:capability { setuid sys_tty_config }; + allow loadkeys_t self:fifo_file rw_file_perms; -kernel_read_system_state(loadkeys_t) + kernel_read_system_state(loadkeys_t) -corecmd_exec_bin(loadkeys_t) -corecmd_exec_shell(loadkeys_t) + corecmd_exec_bin(loadkeys_t) + corecmd_exec_shell(loadkeys_t) -files_dontaudit_read_etc_runtime_files(loadkeys_t) + files_dontaudit_read_etc_runtime_files(loadkeys_t) -libs_use_ld_so(loadkeys_t) -libs_use_shared_libs(loadkeys_t) + libs_use_ld_so(loadkeys_t) + libs_use_shared_libs(loadkeys_t) -locallogin_use_fd(loadkeys_t) + locallogin_use_fd(loadkeys_t) -miscfiles_read_localization(loadkeys_t) + miscfiles_read_localization(loadkeys_t) +') diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index a1b9b4e..9301bf2 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -10,6 +10,21 @@ ######################################## ## +## Create a aliased type to bin_t. +## +## +## Alias type for bin_t. +## +interface(`corecmd_bin_alias',` + gen_require(` + type bin_t; + ') + + typealias bin_t alias $1; +') + +######################################## +## ## Make the shell an entrypoint for the specified domain. ## ## diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 0ea0bd7..9aaca9f 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -13,7 +13,8 @@ type bin_t; files_type(bin_t) ifdef(`targeted_policy',` - typealias bin_t alias { procmail_exec_t dmesg_exec_t loadkeys_exec_t }; + # cjp: temporary until procmail is added + typealias bin_t alias procmail_exec_t; ') #