From a1fcff33f2daf2c4e978ed7bbb25e6412908c235 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sep 19 2005 21:17:45 +0000
Subject: final updates from nsa cvs
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2c80653..fb54e81 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -5,9 +5,11 @@ - Added policies: ktalk portmap + postgresql samba snmp tftp + vpn zebra * Wed Sep 07 2005 Chris PeBenito - 20050907
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 1bed344..b8a1b9e 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -46,6 +46,11 @@ gen_tunable(named_write_master_zones,false)
 ## Allow reading of default_t files.
 gen_tunable(read_default_t,false)
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
+gen_tunable(read_untrusted_content,false)
+
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
@@ -97,3 +102,8 @@ gen_tunable(user_tcp_server,false)
 ## Allow w to display everyone
 gen_tunable(user_ttyfile_stat,false)
+
+## Allow applications to write untrusted content
+## If this is disallowed, no Internet content
+## will be stored.
+gen_tunable(write_untrusted_content,false)
diff --git a/refpolicy/policy/modules/admin/vpn.fc b/refpolicy/policy/modules/admin/vpn.fc
new file mode 100644
index 0000000..b529d6c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# sbin
+#
+/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/vpn.if b/refpolicy/policy/modules/admin/vpn.if
new file mode 100644
index 0000000..6d6a3e3
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.if
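Review bot: `read_untrusted_content` and `write_untrusted_content` are declared in the global_tunables hunks but no `tunable_policy` block in any hunk of this patch references them, so flipping either one has no effect until some module consumes it. Either land the tunables together with that consumer or say so in the description, e.g. `## Allow applications to read untrusted content (no module references this tunable yet)`. The descriptions also explain what happens when the tunable is off without naming the label that marks content as untrusted, which is what an administrator would need in order to "manually relabel" anything; the label presumably lives in a module outside this patch and should be named here once it exists.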
@@ -0,0 +1,51 @@
+## Virtual Private Networking client
+
+########################################
+##
+## Execute VPN clients in the vpnc domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`vpn_domtrans',`
+ gen_require(`
+ type vpnc_t, vpnc_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,vpnc_exec_t,vpnc_t)
+
+ allow $1 vpnc_t:fd use;
+ allow vpnc_t $1:fd use;
+ allow vpnc_t $1:fifo_file rw_file_perms;
+ allow vpnc_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute VPN clients in the vpnc domain, and
+## allow the specified role the vpnc domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the vpnc domain.
+##
+##
+## The type of the terminal allow the vpnc domain to use.
+##
+#
+interface(`vpn_run',`
+ gen_require(`
+ type vpnc_t;
+ class chr_file rw_term_perms;
+ ')
+
+ vpn_domtrans($1)
+ role $2 types vpnc_t;
+ allow vpnc_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
new file mode 100644
index 0000000..0eba8d1
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -0,0 +1,114 @@
+
+policy_module(vpnc,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vpnc_t;
+domain_type(vpnc_t)
+
+type vpnc_exec_t;
+domain_entry_file(vpnc_t,vpnc_exec_t)
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
+allow vpnc_t vpnc_tmp_t:file create_file_perms;
+files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
+
+allow vpnc_t vpnc_var_run_t:file create_file_perms;
+allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+files_create_pid(vpnc_t,vpnc_var_run_t)
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_kernel_sysctl(vpnc_t)
+kernel_rw_net_sysctl(vpnc_t)
+
+corenet_tcp_sendrecv_all_if(vpnc_t)
+corenet_udp_sendrecv_all_if(vpnc_t)
+corenet_raw_sendrecv_all_if(vpnc_t)
+corenet_tcp_sendrecv_all_nodes(vpnc_t)
+corenet_udp_sendrecv_all_nodes(vpnc_t)
+corenet_raw_sendrecv_all_nodes(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_tcp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_use_tun_tap_device(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+
+term_use_all_user_ptys(vpnc_t)
+term_use_all_user_ttys(vpnc_t)
+
+corecmd_exec_bin(vpnc_t)
+corecmd_exec_sbin(vpnc_t)
+corecmd_exec_shell(vpnc_t)
+
+domain_exec_all_entry_files(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+libs_use_ld_so(vpnc_t)
+libs_use_shared_libs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+
+sysnet_exec_ifconfig(vpnc_t)
+sysnet_create_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_user_fd(vpnc_t)
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(vpnc_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(vpnc_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(vpnc_t)
+')
+
+ifdef(`TODO',`
+dontaudit vpnc_t user_home_dir_type:dir search;
+')
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 1097ac2..c9bf387 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -20,5 +20,7 @@ files_type(gpg_agent_exec_t)
 type pinentry_exec_t;
 files_type(pinentry_exec_t)
-#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
-#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+ifdef(`TODO',`
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
+allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e987e51..d174806 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
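Review bot: `domain_exec_all_entry_files(vpnc_t)` lets the VPN client run every domain entry point without a transition, and together with `corecmd_exec_shell(vpnc_t)`, the `net_admin`/`net_raw` capabilities and `sysnet_manage_config(vpnc_t)` from the first half of this hunk it turns vpnc_t into a near general-purpose network-admin domain. The helpers vpnc presumably spawns (interface and route setup through its script) are already covered by `sysnet_exec_ifconfig(vpnc_t)`, `corecmd_exec_bin`/`corecmd_exec_sbin` and `files_exec_etc_files`, so the entry-file rule should be dropped, or kept behind a comment naming the binary whose denial motivated it. `corenet_tcp_connect_all_ports(vpnc_t)` looks wider than needed for the same reason: the control channel here is UDP (`corenet_udp_bind_isakmp_port`), and unless a TCP transport mode is in use no outbound TCP connect permission is required. The generic `allow vpnc_t self:socket create_socket_perms;` is already marked `# cjp: this needs to be fixed`; the comment should record the socket family that produced the denial so it can be replaced by the specific class later.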
@@ -474,6 +474,23 @@ interface(`fs_list_cifs',`
 ########################################
 ##
+## Do not audit attempts to list the contents
+## of directories on a CIFS or SMB filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`fs_dontaudit_list_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+##
 ## Read files on a CIFS or SMB filesystem.
 ##
 ##
@@ -483,8 +500,6 @@ interface(`fs_list_cifs',`
 interface(`fs_read_cifs_files',`
 gen_require(`
 type cifs_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
 allow $1 cifs_t:dir r_dir_perms;
@@ -493,6 +508,23 @@ interface(`fs_read_cifs_files',`
 ########################################
 ##
+## Do not audit attempts to read
+## files on a CIFS or SMB filesystem.
+##
+##
+## The type of the domain to not audit.
+##
+#
+interface(`fs_dontaudit_read_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file r_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts to read or
 ## write files on a CIFS or SMB filesystem.
 ##
@@ -503,7 +535,6 @@ interface(`fs_read_cifs_files',`
 interface(`fs_dontaudit_rw_cifs_files',`
 gen_require(`
 type cifs_t;
- class file { read write };
 ')
 dontaudit $1 cifs_t:file { read write };
@@ -578,10 +609,27 @@ interface(`fs_read_cifs_files',`
 interface(`fs_manage_cifs_dirs',`
 gen_require(`
 type cifs_t;
- class dir create_dir_perms;
 ')
- allow $1 cifs_t:dir create_file_perms;
+ allow $1 cifs_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the directories.
+##
+#
+interface(`fs_dontaudit_manage_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir create_dir_perms;
 ')
 ########################################
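Review bot: The parameter descriptions of the new dontaudit interfaces on this line disagree with each other: `fs_dontaudit_list_cifs` says `## Domain to not audit.`, `fs_dontaudit_read_cifs_files` says `## The type of the domain to not audit.`, and `fs_dontaudit_manage_cifs_dirs` says `## The type of the domain managing the directories.`, which reads as the description of an allow rule rather than a dontaudit. Use `## Domain to not audit.` in all three so the generated interface documentation is uniform and does not suggest access is granted. The surrounding `fs_manage_cifs_dirs` body starts and ends inside the hunk; its permission fix is what the commit already does and needs no further change.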
@@ -606,6 +654,24 @@ interface(`fs_manage_cifs_files',`
 ########################################
 ##
+## Do not audit attempts to create, read,
+## write, and delete files
+## on a CIFS or SMB network filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`fs_dontaudit_manage_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file create_file_perms;
+')
+
+########################################
+##
 ## Create, read, write, and delete symbolic links
 ## on a CIFS or SMB network filesystem.
 ##
@@ -961,6 +1027,23 @@ interface(`fs_search_nfs',`
 ########################################
 ##
+## Do not audit attempts to list the contents
+## of directories on a NFS filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`fs_dontaudit_list_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:dir r_dir_perms;
+')
+
+########################################
+##
 ## Read files on a NFS filesystem.
 ##
 ##
@@ -980,6 +1063,23 @@ interface(`fs_read_nfs_files',`
 ########################################
 ##
+## Do not audit attempts to read
+## files on a NFS filesystem.
+##
+##
+## The type of the domain to not audit.
+##
+#
+interface(`fs_dontaudit_read_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file r_file_perms;
+')
+
+########################################
+##
 ## Execute files on a NFS filesystem.
 ##
 ##
@@ -1008,7 +1108,6 @@ interface(`fs_execute_nfs_files',`
 interface(`fs_dontaudit_rw_nfs_files',`
 gen_require(`
 type nfs_t;
- class file { read write };
 ')
 dontaudit $1 nfs_t:file { read write };
@@ -1053,6 +1152,24 @@ interface(`fs_manage_nfs_dirs',`
 ########################################
 ##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a NFS filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`fs_dontaudit_manage_nfs_dirs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:dir create_dir_perms;
+')
+
+########################################
+##
 ## Create, read, write, and delete files
 ## on a NFS filesystem.
 ##
@@ -1071,6 +1188,24 @@ interface(`fs_manage_nfs_files',`
 allow $1 nfs_t:file create_file_perms;
 ')
+########################################
+##
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a NFS filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`fs_dontaudit_manage_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file create_file_perms;
+')
+
 #########################################
 ##
 ## Create, read, write, and delete symbolic links
@@ -1986,6 +2121,23 @@ interface(`fs_relabelfrom_all_fs',`
 ########################################
 ##
+## Search all directories with a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_search_all',`
+ gen_require(`
+ attribute filesystem_type;
+ class dir { getattr search };
+ ')
+
+ allow $1 filesystem_type:dir { getattr search };
+')
+
+########################################
+##
 ## List all directories with a filesystem type.
 ##
 ##
@@ -2001,7 +2153,6 @@ interface(`fs_list_all',`
 allow $1 filesystem_type:dir r_dir_perms;
 ')
-
 ########################################
 #
 # fs_getattr_all_files(type)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index e6e9584..15082ed 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
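Review bot: `fs_search_all` keeps a `class dir { getattr search };` line in its `gen_require` while this same patch removes exactly that kind of class requirement from `fs_read_cifs_files`, `fs_dontaudit_rw_cifs_files`, `fs_manage_cifs_dirs` and `fs_dontaudit_rw_nfs_files`, and none of the other interfaces added here declare one; for consistency the require block should be `attribute filesystem_type;` alone. Because the rule is written against the whole `filesystem_type` attribute, it presumably also covers the network filesystem types this file requires elsewhere (`nfs_t`, `cifs_t`), which is worth saying in the summary so callers such as the hal.te hunk understand what they are granting: `## Search all directories with a filesystem type, including network filesystems.`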
@@ -44,9 +44,6 @@ type binfmt_misc_fs_t, filesystem_type;
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
-type debugfs_t, filesystem_type;
-allow debugfs_t self:filesystem associate;
-
 type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 89f26ff..39193e7 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -345,6 +345,86 @@ interface(`kernel_get_sysvipc_info',`
 ########################################
 ##
+## Get the attributes of a kernel debugging filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_getattr_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem getattr;
+')
+
+########################################
+##
+## Mount a kernel debugging filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+#
+interface(`kernel_mount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem mount;
+')
+
+########################################
+##
+## Unmount a kernel debugging filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+#
+interface(`kernel_unmount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem unmount;
+')
+
+########################################
+##
+## Remount a kernel debugging filesystem.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+#
+interface(`kernel_remount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:filesystem remount;
+')
+
+########################################
+##
+## Search the contents of a kernel debugging filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_search_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:dir search;
+')
+
+########################################
+##
 ## Get the attributes of the proc filesystem.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 78e4cfe..987a40a 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -31,6 +31,15 @@ domain_base_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
 #
+# DebugFS
+#
+
+type debugfs_t;
+fs_type(debugfs_t)
+allow debugfs_t self:filesystem associate;
+genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
+
+#
 # Procfs types
 #
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d33b92d..c8f3573 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -152,6 +152,11 @@ optional_policy(`rpm.te',`
 rpm_read_pipe(crond_t)
 ')
+optional_policy(`postgresql.te', `
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db_dir(crond_t)
+')
+
 optional_policy(`udev.te', `
 udev_read_db(crond_t)
 ')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 0ceff77..5524cc8 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,6 +1,10 @@
 policy_module(dbus,1.0)
+gen_require(`
+ class dbus { send_msg acquire_svc };
+')
+
 ##############################
 #
 # Delcarations
@@ -29,8 +33,9 @@ files_pid_file(system_dbusd_var_run_t)
 allow system_dbusd_t self:capability { dac_override setgid setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process getattr;
+allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@@ -75,6 +80,7 @@ corecmd_read_sbin_symlink(system_dbusd_t)
 corecmd_read_sbin_file(system_dbusd_t)
 corecmd_read_sbin_pipe(system_dbusd_t)
 corecmd_read_sbin_socket(system_dbusd_t)
+corecmd_exec_sbin(system_dbusd_t)
 domain_use_wide_inherit_fd(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8963214..8b9f2d9 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -16,6 +16,11 @@ files_tmp_file(hald_tmp_t)
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
+########################################
+#
+# Local policy
+#
+
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:fifo_file rw_file_perms;
@@ -46,15 +51,17 @@ corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
 dev_read_sysfs(hald_t)
-dev_read_usbfs(hald_t)
+dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
 dev_read_mouse(hald_t)
 dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
 fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
 fs_search_auto_mountpoints(hald_t)
 selinux_get_fs_mount(hald_t)
@@ -120,6 +127,10 @@ optional_policy(`hotplug.te',`
 hotplug_read_config(hald_t)
 ')
+optional_policy(`mount.te',`
+ mount_domtrans(hald_t)
+')
+
 optional_policy(`nis.te',`
 nis_use_ypbind(hald_t)
 ')
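Review bot: `corecmd_exec_sbin(system_dbusd_t)` lets the system bus execute sbin_t programs without a domain transition, so whatever it launches (presumably helpers started on behalf of bus clients) runs as system_dbusd_t with the `dac_override setgid setuid` capabilities and the netlink/dbus access granted in the earlier hunk of this file. A reader cannot tell from the rule which binary needs this; add the justification as a comment, e.g. `# needed to run <helper> from /usr/sbin; it stays in system_dbusd_t`, and if the helper has its own module prefer a `domain_auto_trans` into that domain so the bus does not lend its privileges to it. The allow block this line belongs to started before the hunk.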
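Review bot: The hal.te hunks widen hald_t in several directions at once (`dev_read_usbfs` becomes `dev_rw_usbfs`, plus `dev_read_lvm_control`, `fs_search_all` and a `mount_domtrans` into the mount domain) with no comment on which HAL add-on or probe needs each one, unlike the later hunk that prefixes its rules with `# For /usr/libexec/hald-addon-acpi`. `mount_domtrans(hald_t)` is the one most worth explaining, since hald_t already holds `sys_admin` and `mknod` and can now drive mount as well; a one-line comment such as `# hald mounts removable media via mount_t on hotplug` (or whatever the actual reason is) would let the next reviewer judge it. The hunks cut through the device and optional_policy sections, which start and end outside this view.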
@@ -164,4 +175,18 @@ allow udev_t hald_t:unix_dgram_socket sendto;
 allow hald_t initrc_t:dbus send_msg;
 allow initrc_t hald_t:dbus send_msg;
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
new file mode 100644
index 0000000..d037cbb
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.fc
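Review bot: The whole addition sits inside the TODO region that `') dnl end TODO` closes, so nothing here is compiled today, but it is written in a form that will not work when the region is lifted: it references another module's private types directly (`apmd_var_run_t`, `apmd_t`, `dmidecode_exec_t`, `dmidecode_t`, `unconfined_t`) and guards them with a bare `ifdef` on `apmd.te`, whereas the rest of hal.te reaches other modules only through interfaces inside `optional_policy` blocks (`hotplug_read_config`, `nis_use_ypbind`, `mount_domtrans` in the preceding hunk). When it is enabled, the acpid socket access and the dmidecode transition should become interface calls of the apmd and dmidecode modules wrapped in `optional_policy`, and the targeted_policy dbus rules should use whatever the dbus module provides for unconfined messaging rather than naming `unconfined_t`. Recording that in the TODO itself, e.g. `# TODO: convert to apmd/dmidecode interfaces inside optional_policy before enabling`, would stop it being lifted as-is.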
@@ -0,0 +1,36 @@
+#
+# /etc
+#
+/etc/postgresql(/.*)? context_template(system_u:object_r:postgresql_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/initdb -- context_template(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/postgres -- context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/pgsql/test/regres(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
+/usr/lib/pgsql/test/regress/pg_regress -- context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib(64)?/postgresql/bin/.* -- context_template(system_u:object_r:postgresql_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
+')
+
+#
+# /var
+#
+/var/lib/postgres(ql)?(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
+
+/var/lib/pgsql/data(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/pgstartup.log context_template(system_u:object_r:postgresql_log_t,s0)
+
+/var/log/postgres\.log.* -- context_template(system_u:object_r:postgresql_log_t,s0)
+/var/log/postgresql(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
+
+ifdef(`distro_redhat', `
+/var/log/rhdb/rhdb(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
+')
+
+/var/run/postgresql(/.*)? context_template(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
new file mode 100644
index 0000000..692d8b1
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.if
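Review bot: `/usr/lib/pgsql/test/regres(/.*)?` looks like a typo for `regress`: the very next line labels `/usr/lib/pgsql/test/regress/pg_regress` and the corecommands.fc hunk in this patch labels `/usr/lib/pgsql/test/regress/.*\.sh`, so as written the regression directory and its data never receive postgresql_db_t. The line should read `/usr/lib/pgsql/test/regress(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)`. Note also that `/usr/lib(64)?/postgresql/bin/.* -- ...postgresql_exec_t` labels every regular file under that directory as an entry point, and postgresql.te registers postgresql_exec_t with `cron_system_entry`, so any non-server helper dropped there (the cron.te comment mentions `do.maintenance` in this directory) would presumably run as postgresql_t when cron invokes it; that is probably intended, but deserves a comment next to the pattern.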
@@ -0,0 +1,110 @@
+## PostgreSQL relational database
+
+########################################
+##
+## Allow the specified domain to search postgresql's database directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`postgresql_search_db_dir',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+ allow $1 postgresql_db_t:dir search;
+')
+
+########################################
+##
+## Allow the specified domain to manage postgresql's database.
+##
+##
+## Domain allowed access.
+##
+interface(`postgresql_manage_db',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+ allow $1 postgresql_db_t:dir rw_dir_perms;
+ allow $1 postgresql_db_t:file rw_file_perms;
+ allow $1 postgresql_db_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Execute postgresql in the postgresql domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`postgresql_domtrans',`
+ gen_require(`
+ type postgresql_t, postgresql_exec_t;
+ ')
+
+ domain_auto_trans($1,postgresql_exec_t,postgresql_t)
+
+ allow $1 postgresql_t:fd use;
+ allow postgresql_t $1:fd use;
+ allow postgresql_t $1:fifo_file rw_file_perms;
+ allow postgresql_t $1:process sigchld;
+')
+
+########################################
+##
+## Allow the specified domain to read postgresql's etc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`postgresql_read_config',`
+ gen_require(`
+ type postgresql_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 postgresql_etc_t:dir { getattr read search };
+ allow $1 postgresql_etc_t:file { read getattr };
+ allow $1 postgresql_etc_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Allow the specified domain to connect to postgresql with a tcp socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`postgresql_tcp_connect',`
+ gen_require(`
+ type postgresql_t;
+ ')
+
+ kernel_tcp_recvfrom($1)
+ allow $1 postgresql_t:tcp_socket { connectto recvfrom };
+ allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
+')
+
+########################################
+##
+## Allow the specified domain to connect to postgresql with a unix socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`postgresql_unix_connect',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 postgresql_t:unix_stream_socket connectto;
+ allow $1 postgresql_var_run_t:sock_file write;
+')
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
new file mode 100644
index 0000000..40823d6
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.te
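Review bot: `postgresql_manage_db` grants only `rw_dir_perms`/`rw_file_perms` on postgresql_db_t, while every other "manage" interface in this patch (`fs_manage_cifs_dirs`, `fs_dontaudit_manage_nfs_files`) means the `create_*_perms` sets, so a caller will either be denied creating or unlinking database files or a reviewer will assume more access than is granted. Either rename it to say what it does, e.g. `interface(`postgresql_rw_db',`, or grant `create_dir_perms`/`create_file_perms` and keep the name. Its header is also missing the lone `#` line that every other interface here places between the `##` documentation block and `interface(`, which presumably matters to the documentation generator that parses these headers; add `+#` before `interface(`postgresql_manage_db',`. Nothing in this file exposes a domtrans plus role interface like `vpn_run` in vpn.if, which is fine for a daemon but worth a sentence in the file summary.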
@@ -0,0 +1,223 @@
+
+policy_module(postgresql,1.0)
+
+#################################
+#
+# Declarations
+#
+type postgresql_t;
+type postgresql_exec_t;
+init_daemon_domain(postgresql_t,postgresql_exec_t)
+
+type postgresql_db_t;
+files_type(postgresql_db_t)
+
+type postgresql_etc_t; #, usercanread;
+files_type(postgresql_etc_t)
+
+type postgresql_lock_t;
+files_lock_file(postgresql_lock_t)
+
+type postgresql_log_t;
+logging_log_file(postgresql_log_t)
+
+type postgresql_tmp_t;
+files_tmp_file(postgresql_tmp_t)
+
+type postgresql_var_run_t;
+files_pid_file(postgresql_var_run_t)
+
+########################################
+#
+# postgresql Local policy
+#
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:file { getattr read };
+allow postgresql_t self:sem create_sem_perms;
+allow postgresql_t self:shm create_shm_perms;
+allow postgresql_t self:tcp_socket create_stream_socket_perms;
+allow postgresql_t self:udp_socket create_stream_socket_perms;
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+
+allow postgresql_t postgresql_db_t:dir create_dir_perms;
+allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_db_t:file create_file_perms;
+allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_etc_t:dir r_dir_perms;
+allow postgresql_t postgresql_etc_t:file r_file_perms;
+allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+can_exec(postgresql_t, postgresql_exec_t )
+
+allow postgresql_t postgresql_lock_t:file create_file_perms;
+files_create_lock(postgresql_t,postgresql_lock_t)
+
+allow postgresql_t postgresql_log_t:dir rw_dir_perms;
+allow postgresql_t postgresql_log_t:file create_file_perms;
+logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
+
+allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
+allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_tmp_t:file create_file_perms;
+allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
+allow postgresql_t postgresql_var_run_t:file create_file_perms;
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+files_create_pid(postgresql_t,postgresql_var_run_t)
+
+kernel_read_kernel_sysctl(postgresql_t)
+kernel_read_system_state(postgresql_t)
+kernel_list_proc(postgresql_t)
+kernel_read_all_sysctl(postgresql_t)
+kernel_read_proc_symlinks(postgresql_t)
+kernel_tcp_recvfrom(postgresql_t)
+
+corenet_tcp_sendrecv_all_if(postgresql_t)
+corenet_udp_sendrecv_all_if(postgresql_t)
+corenet_raw_sendrecv_all_if(postgresql_t)
+corenet_tcp_sendrecv_all_nodes(postgresql_t)
+corenet_udp_sendrecv_all_nodes(postgresql_t)
+corenet_raw_sendrecv_all_nodes(postgresql_t)
+corenet_tcp_sendrecv_all_ports(postgresql_t)
+corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_tcp_bind_all_nodes(postgresql_t)
+corenet_udp_bind_all_nodes(postgresql_t)
+corenet_tcp_bind_postgresql_port(postgresql_t)
+corenet_tcp_connect_auth_port(postgresql_t)
+
+dev_read_sysfs(postgresql_t)
+dev_read_urand(postgresql_t)
+
+fs_getattr_all_fs(postgresql_t)
+fs_search_auto_mountpoints(postgresql_t)
+
+term_use_controlling_term(postgresql_t)
+term_dontaudit_use_console(postgresql_t)
+
+corecmd_exec_bin(postgresql_t)
+corecmd_exec_ls(postgresql_t)
+corecmd_exec_sbin(postgresql_t)
+corecmd_exec_shell(postgresql_t)
+
+domain_dontaudit_list_all_domains_proc(postgresql_t)
+domain_use_wide_inherit_fd(postgresql_t)
+
+files_dontaudit_search_home(postgresql_t)
+files_manage_etc_files(postgresql_t)
+files_search_etc(postgresql_t)
+files_read_etc_runtime_files(postgresql_t)
+files_read_usr_files(postgresql_t)
+
+init_read_script_pid(postgresql_t)
+init_use_fd(postgresql_t)
+init_use_script_pty(postgresql_t)
+
+libs_use_ld_so(postgresql_t)
+libs_use_shared_libs(postgresql_t)
+
+logging_send_syslog_msg(postgresql_t)
+
+miscfiles_read_localization(postgresql_t)
+
+seutil_dontaudit_search_config(postgresql_t)
+
+sysnet_read_config(postgresql_t)
+
+userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
+userdom_dontaudit_use_sysadm_tty(postgresql_t)
+userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
+
+mta_getattr_spool(postgresql_t)
+
+ifdef(`targeted_policy', `
+ files_dontaudit_read_root_file(postgresql_t)
+ term_dontaudit_use_generic_pty(postgresql_t)
+ term_dontaudit_use_unallocated_tty(postgresql_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow postgresql_t self:process execmem;
+')
+
+optional_policy(`consoletype.te', `
+ consoletype_exec(postgresql_t)
+')
+
+optional_policy(`cron.te',`
+ cron_search_spool(postgresql_t)
+ cron_system_entry(postgresql_t,postgresql_exec_t)
+')
+
+optional_policy(`hostname.te', `
+ hostname_exec(postgresql_t)
+')
+
+optional_policy(`kerberos.te',`
+ kerberos_use(postgresql_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(postgresql_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(postgresql_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(postgresql_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(postgresql_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(postgresql_t)
+')
+
+ifdef(`TODO',`
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
+}
+')
+ifdef(`distro_debian', `
+ init_exec_script(postgresql_t)
+ # gross hack
+ postgresql_domtrans(dpkg_t)
+ can_exec(postgresql_t, dpkg_exec_t)
+')
+
+ifdef(`distro_gentoo', `
+ allow postgresql_t initrc_su_t:process { sigchld };
+ # "su - postgres ..." is called from initrc_t
+ postgresql_search_db_dir(initrc_su_t)
+ dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+
+# Goes to apache.te:
+# Allow httpd to work with postgresql
+optional_policy(`postgresql.te', `
+ # Original policy had apache connecting to postgresql_tmp_t:sock_file
+ # instead of what is assumed to be correct: postgresql_var_run_t. -Don
+ postgresql_unix_connect(httpd_t)
+')
+')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 20850a0..1e34ffc 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -600,6 +600,25 @@ interface(`auth_manage_pam_console_data',`
 allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
+#######################################
+##
+## Delete pam_console data.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`auth_delete_pam_console_data',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_var($1)
+ files_search_pids($1)
+ allow $1 pam_var_console_t:dir rw_dir_perms;
+ allow $1 pam_var_console_t:file unlink;
+')
+
 ########################################
 ##
 ## Relabel all files on the filesystem, except
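Review bot: In postgresql.te the line `allow postgresql_t self:capability { ... sys_tty_config sys_admin };` and the line `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };` contradict each other: a permission that is allowed is never audited, so the dontaudit is dead, and the evident intent was to silence those two capabilities rather than grant them. `sys_admin` in particular is far more than a database server needs; the allow line should become `allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice };` with the dontaudit left as is. `files_manage_etc_files(postgresql_t)` is the other rule to revisit: the daemon already has its own postgresql_etc_t for configuration, and create/write/unlink on every etc_t file combined with `dac_override` means a compromised backend can rewrite system configuration; if one specific file under /etc must be written, label it postgresql_etc_t in postgresql.fc instead. The commented-out apache block at the bottom says "Goes to apache.te" and should be moved there (or dropped) rather than carried inside the TODO region of this module.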
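Review bot: `auth_delete_pam_console_data` grants `rw_dir_perms` on pam_var_console_t directories, which presumably includes `add_name` and `write` alongside the `remove_name` that unlinking actually requires, so the interface allows the caller to populate the directory although its summary says only "Delete". If the intent is delete-only, narrow the directory rule to the entry-removal permissions, e.g. `allow $1 pam_var_console_t:dir { getattr search read write remove_name };`, or otherwise state in the summary that the caller also gets write access to the directory. The separator above the new block is one `#` shorter than the `########################################` used by the neighbouring interfaces; trivial, but the file is otherwise uniform.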
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 850b48d..e993eb9 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -69,6 +69,8 @@ ifdef(`distro_suse', `
 /usr/lib/cron/run-crons -- context_template(system_u:object_r:bin_t,s0)
 ')
+/usr/lib/pgsql/test/regress/.*\.sh -- context_template(system_u:object_r:bin_t,s0)
+
 /usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index c22f519..6a8e214 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -74,6 +74,85 @@ interface(`files_pid_file',`
 ########################################
 ##
+## Make the specified type a
+## polyinstantiated directory.
+##
+##
+## Type of the file to be used as a
+## polyinstantiated directory.
+##
+#
+interface(`files_poly',`
+ gen_require(`
+ attribute polydir;
+ ')
+
+ files_type($1)
+ typeattribute $1 polydir;
+')
+
+########################################
+##
+## Make the specified type a parent
+## of a polyinstantiated directory.
+##
+##
+## Type of the file to be used as a
+## parent directory.
+##
+#
+interface(`files_poly_parent',`
+ gen_require(`
+ attribute polyparent;
+ ')
+
+ files_type($1)
+ typeattribute $1 polyparent;
+')
+
+########################################
+##
+## Make the specified type a
+## polyinstantiation member directory.
+##
+##
+## Type of the file to be used as a
+## member directory.
+##
+#
+interface(`files_poly_member',`
+ gen_require(`
+ attribute polymember;
+ ')
+
+ files_type($1)
+ typeattribute $1 polymember;
+')
+
+########################################
+##
+## Make the domain use the specified
+## type of polyinstantiated directory.
+##
+##
+## Domain using the polyinstantiated
+## directory.
+##
+##
+## Type of the file to be used as a
+## member directory.
+##
+#
+interface(`files_poly_member_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ type_member $1 tmp_t:dir $2;
+')
+
+########################################
+##
 ## Make the specified type a file
 ## used for temporary files.
 ##
@@ -81,14 +160,18 @@ interface(`files_pid_file',`
 ## Type of the file to be used as a
 ## temporary file.
 ##
+#
 interface(`files_tmp_file',`
 gen_require(`
 attribute tmpfile;
+ type tmp_t;
 ')
 files_type($1)
+ files_poly_member($1)
 fs_associate_tmpfs($1)
 typeattribute $1 tmpfile;
+ allow $1 tmp_t:filesystem associate;
 ')
 ########################################
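Review bot: `files_tmp_file` now inlines `allow $1 tmp_t:filesystem associate;` and pulls `type tmp_t;` into its `gen_require`, although a later hunk of this same patch adds `files_associate_tmp` for exactly that rule; the body should call `files_associate_tmp($1)` and drop the extra require so there is one place that defines what associating with /tmp means. The other behavioural change, `files_poly_member($1)`, silently turns every existing caller's temporary type into a polyinstantiation member, which is a policy-wide change that the interface documentation does not mention; add a why-comment at the call, e.g. `# every tmp type can be the member directory of a polyinstantiated /tmp (see files_poly_member_tmp)`, and a sentence in the summary saying that temporary file types become polymember types. `files_poly_member_tmp` also names its second parameter "Type of the file to be used as a member directory" while the rule is a `type_member` on `tmp_t:dir`; stating that the transition is keyed on tmp_t would make the contract clearer.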
@@ -648,7 +731,6 @@ interface(`files_unmount_rootfs',` interface(`files_dontaudit_getattr_default_dir',` gen_require(` type default_t; - class dir getattr; ') dontaudit $1 default_t:dir getattr; @@ -665,7 +747,6 @@ interface(`files_dontaudit_getattr_default_dir',` interface(`files_list_default',` gen_require(` type default_t; - class dir r_dir_perms; ') allow $1 default_t:dir r_dir_perms; @@ -673,6 +754,23 @@ interface(`files_list_default',` ######################################## ## +## Do not audit attempts to list contents of +## directories with the default file type. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_list_default',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:dir r_dir_perms; +') + +######################################## +## ## Mount a filesystem on a directory with the default file type. ## ## @@ -682,7 +780,6 @@ interface(`files_list_default',` interface(`files_mounton_default',` gen_require(` type default_t; - class dir { getattr search mounton }; ') allow $1 default_t:dir { getattr search mounton }; @@ -716,7 +813,6 @@ interface(`files_dontaudit_getattr_default_files',` interface(`files_read_default_files',` gen_require(` type default_t; - class file r_file_perms; ') allow $1 default_t:file r_file_perms; @@ -724,6 +820,23 @@ interface(`files_read_default_files',` ######################################## ## +## Do not audit attempts to read files +## with the default file type. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_read_default_files',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:file r_file_perms; +') + +######################################## +## ## Read symbolic links with the default file type. ## ## 
@@ -1533,6 +1646,24 @@ interface(`files_read_world_readable_sockets',` ######################################## ## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). +## +## +## Type of the file to associate. +## +# +interface(`files_associate_tmp',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:filesystem associate; +') + +######################################## +## ## Do not audit attempts to get the ## attributes of the tmp directory (/tmp). ## @@ -2324,6 +2455,20 @@ interface(`files_delete_all_pids',` ######################################## # +# files_delete_all_pid_dirs(domain) +# +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; + type var_t; + ') + + allow $1 var_t:dir search; + allow $1 pidfile:dir { rw_dir_perms rmdir }; +') + +######################################## +# # files_search_spool(domain) # interface(`files_search_spool',` diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index 94c867c..281fac4 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -10,6 +10,18 @@ attribute file_type; attribute lockfile; attribute mountpoint; attribute pidfile; + +# For labeling types that are to be polyinstantiated +attribute polydir; + +# And for labeling the parent directories of those polyinstantiated directories +# This is necessary for remounting the original in the parent to give +# security aware apps access +attribute polyparent; + +# And labeling for the member directories +attribute polymember; + attribute tmpfile; attribute tmpfsfile; diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 845b705..8dd1fe8 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te 
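Review bot: `files_delete_all_pid_dirs` has only the bare `# files_delete_all_pid_dirs(domain)` header, while every other interface added in this commit (`files_associate_tmp` just above, the files_poly_* family) carries a summary and a parameter description, so the contract initrc relies on in init.te is undocumented. The name says delete but the rule is `allow $1 pidfile:dir { rw_dir_perms rmdir };`, which also grants write-side access on every pidfile-attributed directory; if the write permissions are there so entries can be removed from parent pid directories, the comment should say so, otherwise the set could be narrowed to the remove/rmdir subset. A summary like "Delete directories with the pidfile attribute under /var/run" plus a domain parameter block would match the style of the neighbouring interfaces.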
@@ -55,6 +55,7 @@ kernel_getattr_proc(fsadm_t) kernel_rw_unlabeled_dir(fsadm_t) kernel_use_unlabeled_blk_dev(fsadm_t) +dev_getattr_all_chr_files(fsadm_t) # mkreiserfs and other programs need this for UUID dev_read_rand(fsadm_t) dev_read_urand(fsadm_t) @@ -145,5 +146,7 @@ optional_policy(`nis.te',` ') ifdef(`TODO',` +allow fsadm_t tmpfs_t:file { read write }; +allow fsadm_t ramfs_t:fifo_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 471b076..e298a69 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -21,7 +21,6 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal }; allow hostname_t self:capability sys_admin; dontaudit hostname_t self:capability sys_tty_config; -kernel_read_kernel_sysctl(hostname_t) kernel_dontaudit_use_fd(hostname_t) kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) @@ -84,9 +83,3 @@ optional_policy(`udev.te',` udev_dontaudit_use_fd(hostname_t) udev_read_db(hostname_t) ') - -ifdef(`TODO',` -optional_policy(`rhgb.te', ` -rhgb_domain(hostname_t) -') -') dnl end TODO diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 5533bc8..edf52af 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -51,15 +51,15 @@ type initrc_devpts_t; term_pty(initrc_devpts_t) files_type(initrc_devpts_t) -type initrc_var_run_t; -files_pid_file(initrc_var_run_t) - type initrc_state_t; files_type(initrc_state_t) type initrc_tmp_t; files_tmp_file(initrc_tmp_t) +type initrc_var_run_t; +files_pid_file(initrc_var_run_t) + ######################################## # # Init local policy 
@@ -263,7 +263,7 @@ auth_rw_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) -auth_list_pam_console_data(initrc_t) +auth_delete_pam_console_data(initrc_t) corecmd_exec_bin(initrc_t) corecmd_exec_sbin(initrc_t) @@ -297,6 +297,7 @@ files_purge_tmp(initrc_t) files_delete_all_locks(initrc_t) files_read_all_pids(initrc_t) files_delete_all_pids(initrc_t) +files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) files_manage_generic_locks(initrc_t) @@ -477,6 +478,11 @@ optional_policy(`raid.te',` raid_manage_mdadm_pid(initrc_t) ') +optional_policy(`postgresql.te',` + postgresql_manage_db(initrc_t) + postgresql_read_config(initrc_t) +') + optional_policy(`quota.te',` quota_manage_flags(initrc_t) ') @@ -535,6 +541,14 @@ ifdef(`TODO',` allow initrc_t xconsole_device_t:fifo_file setattr; allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; +allow initrc_t system_dbusd_t:unix_stream_socket connectto; +allow initrc_t system_dbusd_var_run_t:sock_file write; + +# rhgb-console writes to ramfs +allow initrc_t ramfs_t:fifo_file write; + +# during boot up initrc needs to do the following +allow initrc_t default_t:dir write; # # These rules are here to allow init scripts to su diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index 2730a5e..6629b1a 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -26,10 +26,6 @@ # # /usr # -/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) - -/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) - /usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) 
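Review bot: In the last init.te hunk the comment `# during boot up initrc needs to do the following` above `allow initrc_t default_t:dir write;` does not say what initrc does to default_t directories, and write on the catch-all default_t label is the kind of rule that tends to outlive its reason. The block sits under `ifdef(`TODO',`, so it is inactive as committed, but when it is ported the comment should name the actual operation (which boot script creates what under an otherwise unlabeled directory) so the rule can later be moved to a specific type. The two `system_dbusd_*` rules added directly above it have no comment at all and would benefit from the same treatment.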
@@ -43,8 +39,14 @@ /usr(/.*)?/nvidia/.*\.so(\..*)? -- context_template(system_u:object_r:texrel_shlib_t,s0) +/usr/lib/pgsql/test/regress/.*\.so -- context_template(system_u:object_r:shlib_t,s0) + /usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0) +/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) + +/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) + /usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index e642dba..bcec6d9 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -15,6 +15,7 @@ interface(`logging_log_file',` ') files_type($1) + files_associate_tmp($1) fs_associate_tmpfs($1) typeattribute $1 logfile; ') diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 1af5ed5..4302a1c 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -51,6 +51,7 @@ files_pid_file(syslogd_var_run_t) type var_log_t, logfile; files_type(var_log_t) +files_associate_tmp(var_log_t) ######################################## # diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index c6de011..2b34fa7 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t) type lvm_metadata_t; files_type(lvm_metadata_t) +type lvm_var_run_t; +files_pid_file(lvm_var_run_t) + type lvm_tmp_t; files_tmp_file(lvm_tmp_t) 
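Review bot: The libGL line moved in the libraries.fc hunk, `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`, has a literal `/` and an unescaped `.` between `libGL(core)?` and `so`, so it appears to match a directory component named libGL followed by a separator rather than `libGL.so.*` or `libGLcore.so.*`; the libnvidia line next to it spells it `\.so`. Since the commit touches the line anyway, `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)` is probably what was intended. The miss matters because texrel_shlib_t is the type the userdomain hunks associate with text relocation (the removed `allow $1_t texrel_shlib_t:file execmod` rule), so a mislabelled libGL would fall back to the generic library label.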
@@ -148,6 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; files_create_lock(lvm_t,lvm_lock_t) +allow lvm_t lvm_var_run_t:file create_file_perms; +allow lvm_t lvm_var_run_t:dir create_dir_perms; +files_create_pid(lvm_t,lvm_var_run_t) + allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms; # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d @@ -213,7 +220,6 @@ domain_use_wide_inherit_fd(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) -files_dontaudit_getattr_pid_dir(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(lvm_t) @@ -258,6 +264,10 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` +# it has no reason to need this +allow lvm_t var_t:dir { search getattr }; +allow lvm_t ramfs_t:filesystem unmount; + optional_policy(`gnome-pty-helper.te', ` allow lvm_t sysadm_gph_t:fd use; ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index ad198c2..cdf9e8b 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -51,6 +51,8 @@ can_exec(insmod_t, insmod_exec_t) kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) +kernel_mount_debugfs(insmod_t) +kernel_search_debugfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctl(insmod_t) kernel_rw_kernel_sysctl(insmod_t) @@ -128,6 +130,7 @@ optional_policy(`rpm.te',` ') ifdef(`TODO',` +allow insmod_t proc_t:file rw_file_perms; optional_policy(`xserver.te',` xserver_getattr_log(insmod_t) allow insmod_t xserver_misc_device_t:chr_file { read write }; @@ -182,6 +185,7 @@ optional_policy(`rpm.te',` ') ifdef(`TODO',` +allow depmod_t modules_object_t:file unlink; ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') ') dnl end ifdef TODO diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 461415a..96f4d05 100644 
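Review bot: In the modutils.te hunk at `@@ -128,6 +130,7 @@`, the added `allow insmod_t proc_t:file rw_file_perms;` grants read and write on every file labeled proc_t; it is inside `ifdef(`TODO',`, so inactive as committed, but a rule this wide is unlikely to be what insmod needs when it is ported. A comment naming the specific /proc entry that motivated it, following the existing `# Rules for /proc/sys/kernel/tainted` pattern above, would let it be replaced with the matching kernel_* interface the way `kernel_mount_debugfs(insmod_t)` and `kernel_search_debugfs(insmod_t)` already are. The lvm.te `ifdef(`TODO'` hunk has the opposite problem: `# it has no reason to need this` sits directly above rules that grant the access, so the comment should say whether the rules are being kept to reproduce observed denials or are slated for removal.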
--- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -140,6 +140,10 @@ optional_policy(`udev.te', ` ifdef(`TODO',` allow cardmgr_t modules_object_t:dir search; +ifdef(`dhcpc.te',` +allow cardmgr_t dhcpc_var_run_t:file unlink; +') + # Create device files in /tmp. # cjp: why is this created all over the place? file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index e4053ca..47293bb 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -27,6 +27,31 @@ interface(`sysnet_domtrans_dhcpc',` ######################################## ## +## Execute DHCP clients in the dhcpc domain, and +## allow the specified role the dhcpc domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the clock domain. +## +## +## The type of the terminal allow the clock domain to use. +## +# +interface(`sysnet_run_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + sysnet_domtrans_dhcpc($1) + role $2 types dhcpc_t; + allow dhcpc_t $3:chr_file { getattr read write ioctl }; +') + +######################################## +## ## Send a SIGCHLD signal to the dhcp client. ## ## @@ -227,9 +252,6 @@ interface(`sysnet_read_dhcpc_pid',` interface(`sysnet_domtrans_ifconfig',` gen_require(` type ifconfig_t, ifconfig_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') corecmd_search_sbin($1) @@ -260,7 +282,6 @@ interface(`sysnet_domtrans_ifconfig',` interface(`sysnet_run_ifconfig',` gen_require(` type ifconfig_t; - class chr_file rw_term_perms; ') corecmd_search_sbin($1) 
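Review bot: The parameter descriptions of the new `sysnet_run_dhcpc` interface read `The role to be allowed the clock domain.` and `The type of the terminal allow the clock domain to use.`, which look copied from the clock module; they should say `The role to be allowed the dhcpc domain.` and `The type of the terminal allow the dhcpc domain to use.`. The terminal rule `allow dhcpc_t $3:chr_file { getattr read write ioctl };` also spells the permission set out by hand while `sysnet_run_ifconfig` in the same file uses `rw_term_perms` for the same purpose, so `allow dhcpc_t $3:chr_file rw_term_perms;` would keep the two run interfaces consistent.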
@@ -269,6 +290,23 @@ interface(`sysnet_run_ifconfig',` allow ifconfig_t $3:chr_file rw_term_perms; ') +####################################### +## +## Execute ifconfig in the caller domain. +## +## +## Domain allowed access. +## +# +interface(`sysnet_exec_ifconfig',` + gen_require(` + type ifconfig_exec_t; + ') + + corecmd_search_sbin($1) + can_exec($1,ifconfig_exec_t) +') + ######################################## ## ## Read the DHCP configuration files. @@ -280,8 +318,6 @@ interface(`sysnet_run_ifconfig',` interface(`sysnet_read_dhcp_config',` gen_require(` type dhcp_etc_t; - class dir search; - class file { getattr read }; ') files_search_etc($1) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 7a0554f..9ea6f3f 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -112,6 +112,7 @@ term_dontaudit_use_console(dhcpc_t) term_dontaudit_use_all_user_ttys(dhcpc_t) term_dontaudit_use_all_user_ptys(dhcpc_t) term_dontaudit_use_unallocated_tty(dhcpc_t) +term_dontaudit_use_generic_pty(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_sbin(dhcpc_t) @@ -209,6 +210,27 @@ optional_policy(`userdomain.te',` ') ifdef(`TODO',` +ifdef(`cardmgr.te',` +allow dhcpc_t cardmgr_dev_t:chr_file { read write }; +') + +ifdef(`ypbind.te',` +allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink }; +') + +ifdef(`dbusd.te', ` +dbusd_client(system, dhcpc) +domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t) +allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow dhcpc_t self:dbus send_msg; +allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg; +allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; +ifdef(`unconfined.te', ` +allow unconfined_t dhcpc_t:dbus send_msg; +allow dhcpc_t unconfined_t:dbus send_msg; +')dnl end ifdef unconfined.te +') + optional_policy(`rhgb.te',` rhgb_domain(dhcpc_t) ') 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 85a7b4d..721e51a 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -41,11 +41,13 @@ template(`base_user_template',` # type for contents of home directory type $1_home_t, $1_file_type, home_type; files_type($1_home_t) + files_associate_tmp($1_home_t) fs_associate_tmpfs($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; files_type($1_home_dir_t) + files_associate_tmp($1_home_dir_t) fs_associate_tmpfs($1_home_dir_t) type $1_tmp_t, $1_file_type; @@ -54,6 +56,14 @@ template(`base_user_template',` type $1_tmpfs_t; files_tmpfs_file($1_tmpfs_t) + # types for network-obtained content + type $1_untrusted_content_t, $1_file_type; #, customizable + files_type($1_untrusted_content_t) + files_poly_member($1_untrusted_content_t) + + type $1_untrusted_content_tmp_t, $1_file_type; # customizable + files_tmp_file($1_untrusted_content_tmp_t) + type $1_tty_device_t; term_tty($1_t,$1_tty_device_t) @@ -77,8 +87,7 @@ template(`base_user_template',` allow $1_t self:msgq create_msgq_perms; allow $1_t self:msg { send receive }; dontaudit $1_t self:socket create; - # Irrelevant until we have labeled networking. - #allow $1_t self:udp_socket { sendto recvfrom }; + allow $1_t self:udp_socket { sendto recvfrom }; # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; 
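Review bot: The two new untrusted-content types carry different trailing comments, `type $1_untrusted_content_t, $1_file_type; #, customizable` and `type $1_untrusted_content_tmp_t, $1_file_type; # customizable`; the first reads like a `customizable` attribute commented out mid-declaration, the second like a note, and neither says whether the attribute is meant to be applied. If the types are meant to be relabelled by hand, as the read_untrusted_content tunable text in global_tunables implies, either declare the attribute on both or replace both comments with one line above the block stating why it is deferred. In the last hunk, the removed `# Irrelevant until we have labeled networking.` was the only explanation attached to the udp_socket rule, so the now-unconditional `allow $1_t self:udp_socket { sendto recvfrom };` is left without a stated reason.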
@@ -93,11 +102,19 @@ template(`base_user_template',` allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto }; allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto }; allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto }; - allow $1_t $1_home_dir_t:dir create_dir_perms; + allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto }; type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; can_exec($1_t,$1_tmp_t) + # user temporary files + allow $1_t $1_tmp_t:file create_file_perms; + allow $1_t $1_tmp_t:lnk_file create_lnk_perms; + allow $1_t $1_tmp_t:dir create_dir_perms; + allow $1_t $1_tmp_t:sock_file create_file_perms; + allow $1_t $1_tmp_t:fifo_file create_file_perms; + files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) + # Bind to a Unix domain socket in /tmp. # cjp: this is combination is not checked and should be removed allow $1_t $1_tmp_t:unix_stream_socket name_bind; @@ -111,6 +128,10 @@ template(`base_user_template',` allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + # Allow user to relabel untrusted content + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom }; + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename }; + allow $1_t unpriv_userdomain:fd use; # Instantiate derived domains for a number of programs. @@ -160,7 +181,14 @@ template(`base_user_template',` fs_get_all_fs_quotas($1_t) fs_getattr_all_fs($1_t) fs_search_auto_mountpoints($1_t) - fs_exec_noxattr($1_t) + + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_t) + selinux_validate_context($1_t) + selinux_compute_access_vector($1_t) + selinux_compute_create_context($1_t) + selinux_compute_relabel_context($1_t) + selinux_compute_user_contexts($1_t) # for eject storage_getattr_fixed_disk($1_t) 
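Review bot: The `@@ -160,7 +181,14 @@` hunk gives every user domain six selinux_* interfaces (`selinux_get_fs_mount` through `selinux_compute_user_contexts`) under the note `# cjp: some of this probably can be removed`, which leaves the next reader with no way to tell which program needed which call. The compute_* interfaces are read-only queries of the security server, so the exposure is modest, but the comment should name the user of each one (the `# for eject` line just below is the right pattern) so the unneeded ones can actually be dropped later. The removal of `fs_exec_noxattr($1_t)` here is matched by its addition to admin_user_template further down the diff; a one-line comment at either site noting the move would avoid the appearance of a lost rule.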
@@ -196,10 +224,13 @@ template(`base_user_template',` logging_dontaudit_getattr_all_logs($1_t) miscfiles_read_localization($1_t) + miscfiles_read_fonts($1_t) # for running TeX programs miscfiles_read_tetex_data($1_t) miscfiles_exec_tetex_data($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) mta_rw_spool($1_t) @@ -209,12 +240,29 @@ template(`base_user_template',` allow $1_t self:process execmem; ') + tunable_policy(`allow_execmem && allow_execstack',` + # Allow making the stack executable via mprotect. + allow $1_t self:process execstack; + ') + tunable_policy(`read_default_t',` files_list_default($1_t) files_read_default_files($1_t) files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) + ',` + files_dontaudit_list_default($1_t) + files_dontaudit_read_default_files($1_t) + ') + + tunable_policy(`read_untrusted_content',` + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms; + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms; + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read }; + ',` + dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms; + dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms; ') tunable_policy(`use_nfs_home_dirs',` @@ -224,6 +272,9 @@ template(`base_user_template',` fs_manage_nfs_named_sockets($1_t) fs_manage_nfs_named_pipes($1_t) fs_execute_nfs_files($1_t) + ',` + fs_dontaudit_manage_nfs_dirs($1_t) + fs_dontaudit_manage_nfs_files($1_t) ') tunable_policy(`use_samba_home_dirs',` @@ -233,6 +284,9 @@ template(`base_user_template',` fs_manage_cifs_named_sockets($1_t) fs_manage_cifs_named_pipes($1_t) fs_execute_cifs_files($1_t) + ',` + fs_dontaudit_manage_cifs_dirs($1_t) + fs_dontaudit_manage_cifs_files($1_t) ') tunable_policy(`user_direct_mouse',` 
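Review bot: The else branch of the new `read_untrusted_content` tunable only silences dir and file, but the allow branch also grants `lnk_file { getattr read }`, so with the tunable off symlink reads in untrusted content still produce AVC denials while the matching dir and file denials are suppressed. Adding `dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };` to the else branch makes the two branches mirror each other, which is the pattern the use_nfs_home_dirs and use_samba_home_dirs else branches added in this same hunk follow.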
@@ -329,36 +383,17 @@ template(`base_user_template',` r_dir_file($1_t, usercanread) - tunable_policy(`allow_execmod',` - # Allow text relocations on system shared libraries, e.g. libGL. - allow $1_t texrel_shlib_t:file execmod; - ') - allow $1_t fs_type:dir getattr; - # old "file_browse_domain": - # Regular files/directories that are not security sensitive - dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr; - dontaudit $1_t file_type - secure_file_type:dir { read search }; - # /dev - dontaudit $1_t dev_fs:dir_file_class_set getattr; - dontaudit $1_t dev_fs:dir { read search }; - # /proc - dontaudit $1_t sysctl_t:dir_file_class_set getattr; - dontaudit $1_t proc_fs:dir { read search }; - - tunable_policy(`user_rw_noexattrfile',` - create_dir_file($1_t, noexattrfile) - # Write floppies - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - # cjp: what does this have to do with removable devices? - allow $1_t usbtty_device_t:chr_file write; - ',` - r_dir_file($1_t, noexattrfile) - r_dir_file($1_t, removable_t) - allow $1_t removable_device_t:blk_file r_file_perms; - ') + dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; + dontaudit $1 file_type - secure_file_type:dir search; + dontaudit $1 file_type - secure_file_type:dir read; + dontaudit $1 unlabeled_t:dir_file_class_set getattr; + dontaudit $1 unlabeled_t:dir search; + dontaudit $1 unlabeled_t:dir read; + dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr; + dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search; + dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read; allow $1_t usbtty_device_t:chr_file read; 
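Review bot: The nine replacement `dontaudit` rules use `$1` as the source, e.g. `dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;`, while every surrounding rule in base_user_template uses `$1_t` (`allow $1_t fs_type:dir getattr;`, `allow $1_t usbtty_device_t:chr_file read;`); in this template `$1` is the user prefix, not a type, so the lines look pasted from a macro whose first argument was the domain. Unless `$1` happens to name a valid type here, these rules either break the build or apply to nothing, and the fix is `dontaudit $1_t ...` on all nine lines; I cannot see an enclosing `ifdef(`TODO'` in this hunk, so they appear to be live. The same `$1`-for-`$1_t` pattern recurs in the next two userdomain.if hunks (`x_client_domain($1, $1)`, `create_dir_file($1, $1_fonts_cache_t)`, `r_dir_file($1, $1_fonts_t)`, `allow $1 $2_gnome_settings_t:dir ...`, where `$2` also has no visible meaning in this template) and in `allow $1 removable_t:filesystem getattr;` in admin_user_template's TODO block; those later sites may be inactive, but they should be corrected at the same time.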
@@ -390,21 +425,16 @@ template(`base_user_template',` # Connect to portmap. ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') + # Use X + x_client_domain($1, $1) + ifdef(`xserver.te', ` - # for /tmp/.ICE-unix - file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; ') ifdef(`xdm.te', ` # Connect to the X server run by the X Display Manager. can_unix_connect($1_t, xdm_t) - allow $1_t xdm_tmp_t:sock_file rw_file_perms; - allow $1_t xdm_tmp_t:dir r_dir_perms; - allow $1_t xdm_tmp_t:file r_file_perms; - allow $1_t xdm_xserver_tmp_t:sock_file { read write }; - allow $1_t xdm_xserver_tmp_t:dir search; - allow $1_t xdm_xserver_t:unix_stream_socket connectto; # certain apps want to read xdm.pid file r_dir_file($1_t, xdm_var_run_t) allow $1_t xdm_var_lib_t:file r_file_perms; @@ -412,11 +442,25 @@ template(`base_user_template',` ifdef(`xauth.te', ` file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) ') + ') + + # start read_fonts() + + # cjp: this macro is unconditional, though + # its in a conditional file. - # for shared memory - allow xdm_xserver_t $1_tmpfs_t:file { read write }; + # Manipulate the global font cache + create_dir_file($1, $1_fonts_cache_t) + # Read per user fonts and font config + r_dir_file($1, $1_fonts_t) + r_dir_file($1, $1_fonts_config_t) + + # There are some fonts in .gnome2 + ifdef(`gnome.te', ` + allow $1 $2_gnome_settings_t:dir { getattr search }; ') + # end read_fonts() ifdef(`rpcd.te', ` create_dir_file($1_t, nfsd_rw_t) @@ -467,8 +511,13 @@ template(`unpriv_user_template', ` domain_wide_inherit_fd($1_t) typeattribute $1_devpts_t user_ptynode; + typeattribute $1_home_dir_t user_home_dir_type; + files_poly($1_home_dir_t) + typeattribute $1_home_t user_home_type; + files_poly_member($1_home_t) + typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; 
@@ -484,14 +533,6 @@ template(`unpriv_user_template', ` allow $1_home_t self:filesystem associate; allow $1_file_type $1_home_t:filesystem associate; - # user temporary files - allow $1_t $1_tmp_t:file create_file_perms; - allow $1_t $1_tmp_t:lnk_file create_lnk_perms; - allow $1_t $1_tmp_t:dir create_dir_perms; - allow $1_t $1_tmp_t:sock_file create_file_perms; - allow $1_t $1_tmp_t:fifo_file create_file_perms; - files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) - # privileged home directory writers allow privhome $1_home_t:file create_file_perms; allow privhome $1_home_t:lnk_file create_lnk_perms; @@ -537,6 +578,11 @@ template(`unpriv_user_template', ` # so it can be used without privilege to write real binary policy file seutil_exec_checkpol($1_t) + ifdef(`enable_polyinstantiation',` + type_member $1_t $1_home_dir_t:dir $1_home_t; + files_poly_member_tmp($1_t) + ') + tunable_policy(`user_dmesg',` kernel_read_ring_buffer($1_t) ',` @@ -575,6 +621,22 @@ template(`unpriv_user_template', ` ifdef(`TODO',` + ifdef(`enable_mls',`',` + fs_exec_noxattr($1_t) + tunable_policy(`user_rw_noexattrfile',` + create_dir_file($1_t, noexattrfile) + # Write floppies + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + # cjp: what does this have to do with removable devices? + allow $1_t usbtty_device_t:chr_file write; + ',` + r_dir_file($1_t, noexattrfile) + r_dir_file($1_t, removable_t) + allow $1_t removable_device_t:blk_file r_file_perms; + ') + ') + dontaudit $1_t boot_t:lnk_file read; dontaudit $1_t boot_t:file read; 
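Review bot: `files_poly_member_tmp($1_t)` inside the new `ifdef(`enable_polyinstantiation',`` block passes one argument, but the interface added to files.if in this commit expands to `type_member $1 tmp_t:dir $2;`, so with polyinstantiation enabled this becomes a `type_member` statement with an empty member type. The line directly above it, `type_member $1_t $1_home_dir_t:dir $1_home_t;`, shows the intended shape; the call should be `files_poly_member_tmp($1_t, $1_tmp_t)`. The enclosing unpriv_user_template starts and ends outside this hunk.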
@@ -596,16 +658,20 @@ template(`unpriv_user_template', ` ') ') + ifdef(`useradd.te', ` + # Useradd relabels /etc/skel files so needs these privs + allow useradd_t $1_file_type:dir create_dir_perms; + allow useradd_t $1_file_type:notdevfile_class_set create_file_perms; + ') + # Stat lost+found. allow $1_t lost_found_t:dir getattr; # Read /var, /var/spool, /var/run. - allow $1_t var_t:dir r_dir_perms; - allow $1_t var_t:notdevfile_class_set r_file_perms; - allow $1_t var_spool_t:dir r_dir_perms; - allow $1_t var_spool_t:notdevfile_class_set r_file_perms; - allow $1_t var_run_t:dir r_dir_perms; - allow $1_t var_run_t:{ file lnk_file } r_file_perms; + r_dir_file($1_t, var_t) + # what about pipes and sockets under /var/spool? + r_dir_file($1_t, var_spool_t) + r_dir_file($1_t, var_run_t) allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:file { getattr read }; @@ -631,23 +697,6 @@ template(`unpriv_user_template', ` allow $1_t initrc_t:fifo_file write; - ifdef(`user_can_mount', ` - # - # Allow users to mount file systems like floppies and cdrom - # - mount_domain($1, $1_mount, `, fs_domain') - r_dir_file($1_t, mnt_t) - allow $1_mount_t device_t:lnk_file read; - allow $1_mount_t removable_device_t:blk_file read; - allow $1_mount_t iso9660_t:filesystem relabelfrom; - allow $1_mount_t removable_t:filesystem { mount relabelto }; - allow $1_mount_t removable_t:dir mounton; - ifdef(`xdm.te', ` - allow $1_mount_t xdm_t:fd use; - allow $1_mount_t xdm_t:fifo_file { read write }; - ') - ') - ') dnl end TODO ') 
@@ -721,16 +770,11 @@ template(`admin_user_template',` # for the administrator to run TCP servers directly allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; + allow $1_t self:netlink_audit_socket nlmsg_readpriv; + allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; term_create_pty($1_t,$1_devpts_t) - allow $1_t $1_tmp_t:dir create_dir_perms; - allow $1_t $1_tmp_t:file create_file_perms; - allow $1_t $1_tmp_t:lnk_file create_file_perms; - allow $1_t $1_tmp_t:fifo_file create_file_perms; - allow $1_t $1_tmp_t:sock_file create_file_perms; - files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) - kernel_read_system_state($1_t) kernel_read_network_state($1_t) kernel_read_software_raid_state($1_t) @@ -761,6 +805,7 @@ template(`admin_user_template',` fs_getattr_all_fs($1_t) fs_set_all_quotas($1_t) + fs_exec_noxattr($1_t) selinux_set_enforce_mode($1_t) selinux_set_boolean($1_t) @@ -847,7 +892,7 @@ template(`admin_user_template',` allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; ') - allow $1_t xdm_t:fifo_file rw_file_perms; + can_pipe_xdm($1_t) ') # Connect data port to ftpd. @@ -877,6 +922,21 @@ template(`admin_user_template',` # Run programs from staff home directories. # Not ideal, but typical if users want to login as both sysadm_t or staff_t. can_exec($1_t, staff_home_t) + + tunable_policy(`user_rw_noexattrfile',` + create_dir_file($1_t, noexattrfile) + # Write floppies + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + # cjp: what does this have to do with removable devices? + allow $1_t usbtty_device_t:chr_file write; + ',` + r_dir_file($1_t, noexattrfile) + r_dir_file($1_t, removable_t) + allow $1_t removable_device_t:blk_file r_file_perms; + ') + allow $1 removable_t:filesystem getattr; + ') dnl endif TODO ') 
@@ -2037,7 +2097,7 @@ interface(`userdom_sigcld_all_users',` class process sigchld; ') - allow $1 userdomain:process sigghld; + allow $1 userdomain:process sigchld; ') ######################################## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 6f89062..be596dc 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -223,6 +223,7 @@ ifdef(`targeted_policy',` optional_policy(`sysnetwork.te',` sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) + sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`unconfined.te',` @@ -233,4 +234,8 @@ ifdef(`targeted_policy',` usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) ') + + optional_policy(`vpn.te',` + vpn_run(sysadm_t,sysadm_r,admin_terminal) + ') ') diff --git a/strict/domains/admin.te b/strict/domains/admin.te index b88654f..bc29a78 100644 --- a/strict/domains/admin.te +++ b/strict/domains/admin.te 
@@ -17,19 +17,27 @@ general_proc_read_access(sysadm_t) # sysadm_t is also granted permissions specific to administrator domains. admin_domain(sysadm) -# Allow administrator domains to set the enforcing flag. -can_setenforce(sysadm_t) - -# Allow administrator domains to set policy booleans. -can_setbool(sysadm_t) - -# Allow administrator domains to set security parameters -can_setsecparam(sysadm_t) - # for su allow sysadm_t userdomain:fd use; -define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }') +ifdef(`separate_secadm', `', ` +security_manager_domain(sysadm_t) +') # Add/remove user home directories file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) + +limited_user_role(secadm) +typeattribute secadm_t admin; +role secadm_r types secadm_t; +security_manager_domain(secadm_t) +r_dir_file(secadm_t, { var_t var_log_t }) + +typeattribute secadm_tty_device_t admin_tty_type; +typeattribute secadm_devpts_t admin_tty_type; + +bool allow_ptrace false; + +if (allow_ptrace) { +can_ptrace(sysadm_t, domain) +} diff --git a/strict/domains/misc/screensaver.te b/strict/domains/misc/screensaver.te deleted file mode 100644 index d420266..0000000 --- a/strict/domains/misc/screensaver.te +++ /dev/null 
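Review bot: `bool allow_ptrace false;` followed by `if (allow_ptrace) { can_ptrace(sysadm_t, domain) }` is undocumented, and the macro's second argument is the `domain` attribute, so enabling the boolean lets sysadm_t trace every confined process on the system; a comment above the declaration stating that scope, e.g. `# Allow sysadm_t to ptrace all domains; off by default because it defeats the confinement of every domain`, would keep the boolean from being toggled casually. The secadm block also relies on `admin_tty_type` being an attribute (`typeattribute secadm_tty_device_t admin_tty_type;`) while the removed `define(`admin_tty_type', ...)` made it an m4 set of types; I cannot see where the attribute is now declared, so a comment naming the file that provides it would help the next reader.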
@@ -1,18 +0,0 @@ -# -# Alias file to stop blow up during policy upgrade, since -# screensaver policy is being removed. -# -typealias bin_t alias screensaver_exec_t; -typealias sysadm_home_t alias sysadm_screensaver_t; -typealias sysadm_home_t alias sysadm_screensaver_rw_t; -typealias sysadm_home_t alias sysadm_screensaver_ro_t; -typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t; -typealias user_home_t alias user_screensaver_t; -typealias user_home_t alias user_screensaver_rw_t; -typealias user_home_t alias user_screensaver_ro_t; -typealias user_home_t alias user_screensaver_tmpfs_t; -typealias staff_home_t alias staff_screensaver_t; -typealias staff_home_t alias staff_screensaver_rw_t; -typealias staff_home_t alias staff_screensaver_ro_t; -typealias staff_home_t alias staff_screensaver_tmpfs_t; - diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te index 8216b06..4c72b6b 100644 --- a/strict/domains/program/dbusd.te +++ b/strict/domains/program/dbusd.te @@ -17,4 +17,9 @@ can_ypbind(system_dbusd_t) # I expect we need more than this allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; +allow initrc_t system_dbusd_t:unix_stream_socket connectto; +allow initrc_t system_dbusd_var_run_t:sock_file write; +can_exec(system_dbusd_t, sbin_t) +allow system_dbusd_t self:fifo_file { read write }; +allow system_dbusd_t self:unix_stream_socket connectto; diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te index 442d46f..0308ed9 100644 --- a/strict/domains/program/dhcpc.te +++ b/strict/domains/program/dhcpc.te @@ -43,6 +43,8 @@ ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) allow cardmgr_t dhcpc_var_run_t:file { getattr read }; allow cardmgr_t dhcpc_t:process signal_perms; +allow cardmgr_t dhcpc_var_run_t:file unlink; +allow dhcpc_t cardmgr_dev_t:chr_file { read write }; ') ifdef(`hotplug.te', ` domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t) 
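Review bot: `can_exec(system_dbusd_t, sbin_t)` in the dbusd.te hunk lets the system bus daemon run every sbin_t program inside its own domain with no transition, so anything it spawns inherits the daemon's dbus and socket privileges. The dhcpc.te change in this same commit shows the narrower pattern, `domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)`; if only specific activation helpers are started here, each should get its own transition, and if a blanket rule is genuinely needed, a comment naming the helpers that motivated it should accompany the line. The pre-existing `# I expect we need more than this` note suggests the block is exploratory, so marking it as such would tell a later reviewer it is not final.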
@@ -126,7 +128,7 @@ can_exec(dhcpc_t, { bin_t shell_exec_t }) ifdef(`hostname.te', ` domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t) ') -dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write }; +dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms; allow dhcpc_t { userdomain kernel_t }:fd use; allow dhcpc_t home_root_t:dir search; @@ -142,7 +144,22 @@ allow dhcpc_t initrc_var_run_t:file rw_file_perms; can_exec(dhcpc_t, initrc_exec_t) ifdef(`ypbind.te', ` domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t) +allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink }; ') ifdef(`ntpd.te', ` domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t) ') +role sysadm_r types dhcpc_t; +domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t) +ifdef(`dbusd.te', ` +dbusd_client(system, dhcpc) +domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t) +allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg }; +allow dhcpc_t self:dbus send_msg; +allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg; +allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; +ifdef(`unconfined.te', ` +allow unconfined_t dhcpc_t:dbus send_msg; +allow dhcpc_t unconfined_t:dbus send_msg; +')dnl end ifdef unconfined.te +') diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te index 56295e3..5611451 100644 --- a/strict/domains/program/fsadm.te +++ b/strict/domains/program/fsadm.te @@ -29,6 +29,7 @@ read_sysctl(fsadm_t) # for /dev/shm allow fsadm_t tmpfs_t:dir { getattr search }; +allow fsadm_t tmpfs_t:file { read write }; base_file_read_access(fsadm_t) @@ -115,3 +116,5 @@ system_crond_entry(fsadm_exec_t, fsadm_t) allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms; allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms; allow fsadm_t usbfs_t:dir { getattr search }; +allow fsadm_t ramfs_t:fifo_file rw_file_perms; +allow fsadm_t device_type:chr_file getattr; 
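Review bot: `NetworkManager_t` is referenced inside the dbusd.te ifdef block without its own ifdef on NetworkManager.te, so a build that ships dbusd policy but not the NetworkManager module fails on `allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;` with an undeclared type; the unconfined_t rules right below it are guarded, which is the pattern to follow. Wrap the two NetworkManager lines in an ifdef on NetworkManager.te, or move them into NetworkManager.te where its guards already apply. The hunk also adds `domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)`, so an administrator running dhclient by hand now lands in the daemon domain rather than staying in sysadm_t; a one-line comment saying that is intended would help.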
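Review bot: `allow fsadm_t tmpfs_t:file { read write };` is much wider than the `# for /dev/shm` comment above it suggests: tmpfs_t labels every plain file on any tmpfs, including the POSIX shared-memory segments other daemons keep under /dev/shm, so a filesystem tool running as fsadm_t can now read and alter them. If one utility needs a particular tmpfs file (it is not named here), give that file its own type and allow only that, or at least extend the comment with the program and the file, e.g. `# <tool> keeps its lock/state file in /dev/shm`.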
diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te index 65e2ca5..b9cadb5 100644 --- a/strict/domains/program/gpg.te +++ b/strict/domains/program/gpg.te @@ -8,11 +8,8 @@ type gpg_exec_t, file_type, sysadmfile, exec_type; type gpg_helper_exec_t, file_type, sysadmfile, exec_type; -allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; +allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search; allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; -# Allow gpg exec stack -bool allow_gpg_execstack false; - # Everything else is in the gpg_domain macro in # macros/program/gpg_macros.te. diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te index 1d1ce66..5cd42b1 100644 --- a/strict/domains/program/hald.te +++ b/strict/domains/program/hald.te @@ -65,10 +65,9 @@ allow hald_t udev_tbl_t:file { getattr read }; ifdef(`hotplug.te', ` r_dir_file(hald_t, hotplug_etc_t) ') -allow hald_t usbdevfs_t:dir search; -allow hald_t usbdevfs_t:file { getattr read }; -allow hald_t usbfs_t:dir search; -allow hald_t usbfs_t:file { getattr read }; +allow hald_t fs_type:dir { search getattr }; +allow hald_t usbfs_t:dir r_dir_perms; +allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms; allow hald_t bin_t:lnk_file read; r_dir_file(hald_t, { selinux_config_t default_context_t } ) allow hald_t initrc_t:dbus send_msg; 
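Review bot: the hunk widens hald's usbfs access from `{ getattr read }` to `rw_file_perms` on both `usbdevfs_t` and `usbfs_t` files without saying what write is needed for; writing to a usbfs device file is how user space submits control and bulk transfers to a USB device, so this is a real capability increase for a daemon that previously only enumerated devices. If hald does issue requests (a probe helper, perhaps), say so, e.g. `# hald-probe-* send control requests through usbfs`; otherwise keep getattr and read only. `allow hald_t fs_type:dir { search getattr };` is likewise broader than the two filesystems it replaces; if only sysfs and usbfs traversal is needed, list those types.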
@@ -80,3 +79,25 @@ allow hald_t device_t:chr_file create_file_perms; tmp_domain(hald) allow hald_t mnt_t:dir search; r_dir_file(hald_t, proc_net_t) + +# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket +ifdef(`apmd.te', ` +allow hald_t apmd_var_run_t:sock_file write; +allow hald_t apmd_t:unix_stream_socket connectto; +') + +# For /usr/libexec/hald-probe-smbios +domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t) + +# ?? +ifdef(`lvm.te', ` +allow hald_t lvm_control_t:chr_file r_file_perms; +') +ifdef(`targeted_policy', ` +allow unconfined_t hald_t:dbus send_msg; +allow hald_t unconfined_t:dbus send_msg; +') +ifdef(`mount.te', ` +domain_auto_trans(hald_t, mount_exec_t, mount_t) +') + diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te index 579cd97..07169c8 100644 --- a/strict/domains/program/hostname.te +++ b/strict/domains/program/hostname.te @@ -4,9 +4,7 @@ # X-Debian-Packages: hostname # for setting the hostname -daemon_base_domain(hostname, , nosysadm) -role sysadm_r types hostname_t; - +daemon_core_rules(hostname, , nosysadm) allow hostname_t self:capability sys_admin; allow hostname_t etc_t:file { getattr read }; diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te index 8832423..2715d03 100644 --- a/strict/domains/program/initrc.te +++ b/strict/domains/program/initrc.te @@ -123,7 +123,10 @@ allow initrc_t fs_type:filesystem mount_fs_perms; allow initrc_t file_t:dir { read search getattr mounton }; # during boot up initrc needs to do the following -allow initrc_t default_t:dir { read search getattr mounton }; +allow initrc_t default_t:dir { write read search getattr mounton }; + +# rhgb-console writes to ramfs +allow initrc_t ramfs_t:fifo_file write; # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME. file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file) 
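Review bot: `domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)` is unguarded while every neighbouring rule in this hunk is wrapped in an ifdef for its policy file (apmd.te, lvm.te, mount.te); if dmidecode.te is optional like those, a build without it fails on the undeclared `dmidecode_exec_t`. Guard it the same way. The `# ??` above the lvm_control_t rule should also be replaced by the reason hald reads the device-mapper control node, or the rule dropped if nobody can state one, since a placeholder comment on an allow rule tends to outlive its author.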
@@ -233,7 +236,7 @@ allow initrc_t home_type:file r_file_perms; allow initrc_t pidfile:file { getattr read unlink }; # for system start scripts -allow initrc_t pidfile:dir rw_dir_perms; +allow initrc_t pidfile:dir { rmdir rw_dir_perms }; allow initrc_t pidfile:sock_file unlink; rw_dir_create_file(initrc_t, var_lib_t) @@ -316,3 +319,6 @@ domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) ') allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t device_t:lnk_file create_file_perms; +ifdef(`dbusd.te', ` +allow initrc_t system_dbusd_var_run_t:sock_file write; +') diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te index c5ce785..b2e47eb 100644 --- a/strict/domains/program/lvm.te +++ b/strict/domains/program/lvm.te @@ -108,11 +108,11 @@ dontaudit lvm_t gpmctl_t:sock_file getattr; ') dontaudit lvm_t initctl_t:fifo_file getattr; allow lvm_t sbin_t:dir search; -dontaudit lvm_t sbin_t:file getattr; +dontaudit lvm_t sbin_t:file { getattr read }; allow lvm_t lvm_control_t:chr_file rw_file_perms; allow initrc_t lvm_control_t:chr_file { getattr read unlink }; allow initrc_t device_t:chr_file create; -dontaudit lvm_t var_run_t:dir getattr; +var_run_domain(lvm) # for when /usr is not mounted dontaudit lvm_t file_t:dir search; @@ -122,6 +122,8 @@ r_dir_file(lvm_t, selinux_config_t) # it has no reason to need this dontaudit lvm_t proc_kcore_t:file getattr; +allow lvm_t var_t:dir { search getattr }; +allow lvm_t ramfs_t:filesystem unmount; # cluster LVM daemon daemon_domain(clvmd) diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te index dbdae1b..0af4cf5 100644 --- a/strict/domains/program/modutil.te +++ b/strict/domains/program/modutil.te 
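Review bot: the new `allow lvm_t var_t:dir { search getattr };` and `allow lvm_t ramfs_t:filesystem unmount;` are appended directly under `# it has no reason to need this` and `dontaudit lvm_t proc_kcore_t:file getattr;`, so a reader now takes that comment as applying to them. Separate them with a blank line and state the actual reason; unmounting a ramfs from lvm_t looks like initrd teardown during the switch to the real root, e.g. `# lvm run from the initrd unmounts the ramfs root`, but that is a guess and should be confirmed before it is written down.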
@@ -56,6 +56,7 @@ file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) # Read module objects. allow depmod_t modules_object_t:dir r_dir_perms; allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; +allow depmod_t modules_object_t:file unlink; # Access terminals. allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; @@ -137,15 +138,15 @@ allow insmod_t initrc_t:fifo_file { getattr read write }; allow insmod_t fs_t:filesystem getattr; allow insmod_t sysfs_t:dir search; -allow insmod_t { usbfs_t usbdevfs_t }:dir search; -allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount; +allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search; +allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount; # Rules for /proc/sys/kernel/tainted read_sysctl(insmod_t) allow insmod_t proc_t:dir search; allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; -allow insmod_t proc_t:file { getattr read }; +allow insmod_t proc_t:file rw_file_perms; allow insmod_t proc_t:lnk_file read; # Write to /proc/mtrr. diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te index ed85882..488bed3 100644 --- a/strict/domains/program/pamconsole.te +++ b/strict/domains/program/pamconsole.te @@ -45,5 +45,6 @@ allow pam_console_t hotplug_t:fd use; ifdef(`xdm.te', ` allow pam_console_t xdm_var_run_t:file { getattr read }; ') -allow initrc_t pam_var_console_t:dir r_dir_perms; +allow initrc_t pam_var_console_t:dir rw_dir_perms; +allow initrc_t pam_var_console_t:file unlink; allow pam_console_t file_context_t:file { getattr read }; diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te index f46ac65..a86d9d4 100644 --- a/strict/domains/program/postgresql.te +++ b/strict/domains/program/postgresql.te 
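Review bot: `allow insmod_t proc_t:file rw_file_perms;` replaces a read-only rule with write access to every plain file labeled proc_t, although the comment above the block only mentions `/proc/sys/kernel/tainted`, which the `sysctl_kernel_t` rule on the previous line already covers. Writable /proc entries steer kernel behaviour directly, so name the file insmod actually writes and, if it has a more specific type, use that; otherwise document it, e.g. `# modprobe writes /proc/<file> to ...`. The debugfs_t mount addition deserves its own one-line comment too, since it is unrelated to the usbfs case it was folded into.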
@@ -10,7 +10,6 @@ # # postgresql_exec_t is the type of the postgresql executable. # -type postgresql_port_t, port_type; daemon_domain(postgresql) allow initrc_t postgresql_exec_t:lnk_file read; allow postgresql_t usr_t:file { getattr read }; @@ -37,7 +36,6 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow dontaudit postgresql_t self:capability sys_admin; etcdir_domain(postgresql) -typealias postgresql_etc_t alias etc_postgresql_t; type postgresql_db_t, file_type, sysadmfile; logdir_domain(postgresql) @@ -52,7 +50,7 @@ tmp_domain(postgresql, `', `{ dir file sock_file }') file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) # Use the network. -can_network_server(postgresql_t) +can_network(postgresql_t) can_ypbind(postgresql_t) allow postgresql_t self:fifo_file { getattr read write ioctl }; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; @@ -69,6 +67,7 @@ if (allow_user_postgresql_connect) { can_tcp_connect(userdomain, postgresql_t) allow userdomain postgresql_t:unix_stream_socket connectto; allow userdomain postgresql_var_run_t:sock_file write; +allow userdomain postgresql_tmp_t:sock_file write; } ') ifdef(`consoletype.te', ` @@ -80,6 +79,7 @@ can_exec(postgresql_t, hostname_exec_t) ') allow postgresql_t postgresql_port_t:tcp_socket name_bind; +allow postgresql_t auth_port_t:tcp_socket name_connect; allow postgresql_t { proc_t self }:file { getattr read }; 
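Review bot: replacing `can_network_server(postgresql_t)` with `can_network(postgresql_t)` lets the database server originate TCP and UDP connections to any port on any host, turning a listen-only service into one a compromised backend could use to pivot or exfiltrate, and nothing in the hunk says which outbound connection is needed. The later hunk in this file adds `allow postgresql_t auth_port_t:tcp_socket name_connect;`, which suggests the only outbound need is an ident lookup; if so, keep `can_network_server` and grant that single name_connect (plus the client-socket creation it needs) instead. If can_network really is required, say why in a comment beside it.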
@@ -110,9 +110,9 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; allow postgresql_t self:sem create_sem_perms; allow postgresql_t initrc_var_run_t:file { getattr read lock }; -dontaudit postgresql_t selinux_config_t:dir { search }; -allow postgresql_t mail_spool_t:dir { search }; -rw_dir_create_file(postgresql_t, var_lock_t) +dontaudit postgresql_t selinux_config_t:dir search; +allow postgresql_t mail_spool_t:dir search; +lock_domain(postgresql) can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) ifdef(`apache.te', ` # @@ -124,11 +124,15 @@ can_unix_connect(httpd_t, postgresql_t) ifdef(`distro_gentoo', ` # "su - postgres ..." is called from initrc_t -allow initrc_su_t postgresql_db_t:dir { search }; -allow postgresql_t initrc_su_t:process { sigchld }; +allow initrc_su_t postgresql_db_t:dir search; +allow postgresql_t initrc_su_t:process sigchld; dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; ') dontaudit postgresql_t home_root_t:dir search; can_kerberos(postgresql_t) allow postgresql_t urandom_device_t:chr_file { getattr read }; + +if (allow_execmem) { +allow postgresql_t self:process execmem; +} diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te index b2fff63..01ddac1 100644 --- a/strict/domains/program/vpnc.te +++ b/strict/domains/program/vpnc.te @@ -10,9 +10,9 @@ # vpnc_t is the domain for the vpnc program. # vpnc_exec_t is the type of the vpnc executable. # -daemon_domain(vpnc, `, sysctl_net_writer') +application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain') -allow vpnc_t { random_device_t urandom_device_t }:chr_file read; +allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read }; # Use the network. can_network(vpnc_t) 
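Review bot: `allow postgresql_t self:process execmem;` is gated on the global `allow_execmem` boolean, which base_user_macros.te in this same commit uses as a user-domain toggle, so enabling it for desktop users silently also lets a network-facing database server map writable-and-executable memory. A dedicated boolean (e.g. `allow_postgresql_execmem`) or a comment naming what needs it (a JIT-based procedural language, presumably) would keep the two decisions separate. Either way the block needs a comment; as written a reader cannot tell whether this is a known requirement or a silenced denial.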
@@ -31,7 +31,7 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write }; allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; allow vpnc_t self:unix_stream_socket create_socket_perms; -allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; +allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms; allow vpnc_t port_t:udp_socket name_bind; allow vpnc_t etc_runtime_t:file { getattr read }; allow vpnc_t proc_t:file { getattr read }; @@ -42,6 +42,8 @@ allow vpnc_t sysctl_net_t:file write; allow vpnc_t sbin_t:dir search; allow vpnc_t bin_t:dir search; allow vpnc_t bin_t:lnk_file read; +allow vpnc_t self:dir search; +r_dir_file(vpnc_t, proc_t) r_dir_file(vpnc_t, proc_net_t) tmp_domain(vpnc) allow vpnc_t self:fifo_file { getattr ioctl read write }; @@ -49,3 +51,12 @@ allow vpnc_t self:file { getattr read }; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file) allow vpnc_t etc_t:file { execute execute_no_trans ioctl }; +dontaudit vpnc_t home_root_t:dir search; +dontaudit vpnc_t user_home_dir_type:dir search; +var_run_domain(vpnc) +allow vpnc_t userdomain:fd use; +r_dir_file(vpnc_t, sysfs_t) +allow vpnc_t self:process { fork sigchld }; +read_locale(vpnc_t) +read_sysctl(vpnc_t) +allow vpnc_t fs_t:filesystem getattr; diff --git a/strict/domains/user.te b/strict/domains/user.te index 39a76d6..d86e5d4 100644 --- a/strict/domains/user.te +++ b/strict/domains/user.te @@ -4,6 +4,16 @@ # Booleans for user domains. +# Allow applications to read untrusted content +# If this is disallowed, Internet content has +# to be manually relabeled for read access to be granted +bool read_untrusted_content false; + +# Allow applications to write untrusted content +# If this is disallowed, no Internet content +# will be stored. +bool write_untrusted_content false; + # Allow users to read system messages. bool user_dmesg false; 
@@ -54,54 +64,6 @@ bool read_default_t false; # files (such as ~/.bashrc) bool staff_read_sysadm_file false; -# change from role $1_r to $2_r and relabel tty appropriately -define(`role_tty_type_change', ` -allow $1_r $2_r; -type_change $2_t $1_devpts_t:chr_file $2_devpts_t; -type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; -# avoid annoying messages on terminal hangup -dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; -') - -# Reach sysadm_t via programs like userhelper/sudo/su -undefine(`reach_sysadm') -define(`reach_sysadm', ` -ifdef(`userhelper.te', `userhelper_domain($1)') -ifdef(`sudo.te', `sudo_domain($1)') -ifdef(`su.te', ` -su_domain($1) -# When an ordinary user domain runs su, su may try to -# update the /root/.Xauthority file, and the user shell may -# try to update the shell history. This is not allowed, but -# we dont need to audit it. -dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search; -dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms; -dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms; -') dnl ifdef su.te -') - -# Privileged user domain -undefine(`priv_user') -define(`priv_user', ` -# Reach sysadm_t -reach_sysadm($1) - -# Read file_contexts for rpm and get security decisions. -r_dir_file($1_t, file_context_t) -can_getsecurity($1_t) - -# Signal and see information about unprivileged user domains. -allow $1_t unpriv_userdomain:process signal_perms; -can_ps($1_t, unpriv_userdomain) -allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr; - -# Read /root files if boolean is enabled. -if (staff_read_sysadm_file) { -allow $1_t sysadm_home_dir_t:dir { getattr search }; -allow $1_t sysadm_home_t:file { getattr read }; -} - -') dnl priv_user full_user_role(user) diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc index 1feef35..b433c60 100644 --- a/strict/file_contexts/program/postgresql.fc 
+++ b/strict/file_contexts/program/postgresql.fc @@ -14,3 +14,7 @@ /usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t /usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t /usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t +ifdef(`distro_redhat', ` +/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t +/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t +') diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te index ebd92a9..aaa816e 100644 --- a/strict/macros/admin_macros.te +++ b/strict/macros/admin_macros.te @@ -20,15 +20,19 @@ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; type $1_home_t, file_type, sysadmfile, home_type, $1_file_type; # Type and access for pty devices. -can_create_pty($1) +can_create_pty($1, `, admin_tty_type') -tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }') +# Transition manually for { lnk sock fifo }. The rest is in content macros. +tmp_domain_notrans($1, `, $1_file_type') +file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file }) +allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom }; # Type for tty devices. -type $1_tty_device_t, sysadmfile, ttyfile, dev_fs; +type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type; # Inherit rules for ordinary users. base_user_domain($1) +access_removable_media($1_t) allow $1_t self:capability setuid; @@ -36,11 +40,6 @@ ifdef(`su.te', `su_domain($1)') ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') -# Violates the goal of limiting write access to checkpolicy. -# But presently necessary for installing the file_contexts file. -create_dir_file($1_t, policy_config_t) -r_dir_file($1_t, selinux_config_t) - # Let admin stat the shadow file. allow $1_t shadow_t:file getattr; 
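Review bot: the hunk drops `r_dir_file($1_t, selinux_config_t)` from the admin domain together with the policy_config_t write rules, but reading /etc/selinux is needed by far more than policy loading (login helpers, `getenforce`, anything that parses /etc/selinux/config from the admin shell), so unless security_manager_domain or the secadmfile attribute re-grants it, sysadm_t loses it in the `separate_secadm` configuration. Keep the read-only rule here, `r_dir_file($1_t, selinux_config_t)`, and let only the write side move to the security-manager macro. The `# Transition manually for { lnk sock fifo }. The rest is in content macros.` comment would be more useful if it named the macro that handles file and dir transitions (`write_trusted`, judging by base_user_macros.te).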
@@ -51,12 +50,12 @@ allow $1_crond_t var_log_t:file r_file_perms; # Allow system log read allow $1_t kernel_t:system syslog_read; +# Allow autrace +# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv; + # Use capabilities other than sys_module. allow $1_t self:capability ~sys_module; -# Get security policy decisions. -can_getsecurity($1_t) - # Use system operations. allow $1_t kernel_t:system *; @@ -82,12 +81,6 @@ allow $1_t sysadmfile:dir create_dir_perms; allow $1_t mtrr_device_t:file getattr; allow $1_t fs_type:dir getattr; -# Set an exec context, e.g. for runcon. -can_setexec($1_t) - -# Set a context other than the default one for newly created files. -can_setfscreate($1_t) - # Access removable devices. allow $1_t removable_device_t:devfile_class_set rw_file_perms; @@ -124,18 +117,6 @@ can_exec($1_t, staff_home_t) # Run programs from /usr/src. can_exec($1_t, src_t) -# Run admin programs that require different permissions in their own domain. -# These rules were moved into the appropriate program domain file. - -# added by mayerf@tresys.com -# The following rules are temporary until such time that a complete -# policy management infrastructure is in place so that an administrator -# cannot directly manipulate policy files with arbitrary programs. -# -allow $1_t policy_src_t:file create_file_perms; -allow $1_t policy_src_t:lnk_file create_lnk_perms; -allow $1_t policy_src_t:dir create_dir_perms; - # Relabel all files. # Actually this will not allow relabeling ALL files unless you change # sysadmfile to file_type (and change the assertion in assert.te that @@ -157,7 +138,7 @@ if (xdm_sysadm_login) { allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; } -allow $1_t xdm_t:fifo_file rw_file_perms; +can_pipe_xdm($1_t) ')dnl end ifdef xauth.te ')dnl end ifdef xdm.te 
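Review bot: the commented-out `# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;` is dead code and also hard-codes `sysadm_t` inside a macro whose every other rule uses `$1_t`; the live version of the rule is granted by security_manager_domain later in this file, so delete the `# Allow autrace` heading and the commented rule rather than leaving a second, wrong-looking copy for the next reader to resurrect.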
@@ -205,3 +186,42 @@ allow $1_t device_t:lnk_file { create read }; allow $1_t domain:socket_class_set getattr; allow $1_t eventpollfs_t:file getattr; ') + +define(`security_manager_domain', ` + +typeattribute $1 secadmin; +# Allow administrator domains to set the enforcing flag. +can_setenforce($1) + +# Allow administrator domains to set policy booleans. +can_setbool($1) + +# Get security policy decisions. +can_getsecurity($1) + +# Allow administrator domains to set security parameters +can_setsecparam($1) + +# Run admin programs that require different permissions in their own domain. +# These rules were moved into the appropriate program domain file. + +# added by mayerf@tresys.com +# The following rules are temporary until such time that a complete +# policy management infrastructure is in place so that an administrator +# cannot directly manipulate policy files with arbitrary programs. +# +allow $1 secadmfile:file { relabelto relabelfrom create_file_perms }; +allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms }; +allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms }; + +# Set an exec context, e.g. for runcon. +can_setexec($1) + +# Set a context other than the default one for newly created files. +can_setfscreate($1) + +allow $1 self:netlink_audit_socket nlmsg_readpriv; + +') + + diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te index 6281fca..4db1e62 100644 --- a/strict/macros/base_user_macros.te +++ b/strict/macros/base_user_macros.te @@ -2,12 +2,6 @@ # Macros for all user login domains. # -define(`network_home_dir', ` -create_dir_file($1, $2) -can_exec($1, $2) -allow $1 $2:{ sock_file fifo_file } create_file_perms; -') - # # base_user_domain(domain_prefix) # 
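Review bot: `security_manager_domain` takes a full type (`security_manager_domain(sysadm_t)`, with `$1` used as-is) while every other macro in admin_macros.te takes a prefix and appends `_t`, and it has no header comment, so a caller must read the body to learn both the calling convention and that it hands out setenforce, setbool, setsecparam, runcon/setfscreate, audit reads and full create/relabel rights over `secadmfile`. Add the usual header above the define, e.g. `# security_manager_domain(domain)` followed by `# Grant <domain> security-administrator privileges: enforcing mode, booleans, policy sources (secadmfile) and audit reads.` The `# The following rules are temporary ...` paragraph is copied from the old sysadm rules; if it is still true, note that, otherwise drop it so the relabelto/relabelfrom grant reads as a deliberate decision.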
@@ -22,6 +16,30 @@ allow $1 $2:{ sock_file fifo_file } create_file_perms; undefine(`base_user_domain') define(`base_user_domain', ` +# Type for network-obtained content +type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember; +type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember; + +# Allow user to relabel untrusted content +allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom }; +allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename }; + +# Read content +read_content($1_t, $1) + +# Write trusted content. This includes proper transition +# for /home, and /tmp, so no other transition is necessary (or allowed) +write_trusted($1_t, $1) + +# Maybe the home directory is networked +network_home($1_t) + +# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted. +# Relabel files in the home directory +file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); +allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto }; +can_setfscreate($1_t) + allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; @@ -40,10 +58,13 @@ if (allow_execmem) { allow $1_t self:process execmem; } -if (allow_execmod) { +if (allow_execmem && allow_execstack) { +# Allow making the stack executable via mprotect. +allow $1_t self:process execstack; +} + # Allow text relocations on system shared libraries, e.g. libGL. allow $1_t texrel_shlib_t:file execmod; -} # # kdeinit wants this access 
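Review bot: `allow $1_t texrel_shlib_t:file execmod;` becomes unconditional for every user domain, whereas before the change it sat inside `if (allow_execmod) { ... }`; execmod permits text relocations, i.e. modifying a mapped library and then executing it, so this removes a knob hardened systems turn off, and the hunk does not say why. If the boolean is being retired, say so; if only the comment reshuffle moved the closing brace, restore `if (allow_execmod) {` around the rule. The new `if (allow_execmem && allow_execstack)` block is sound in that execstack is only offered where execmem is already allowed.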
@@ -63,38 +84,23 @@ allow $1_t event_device_t:chr_file { getattr read ioctl }; allow $1_t dri_device_t:chr_file getattr; dontaudit $1_t dri_device_t:chr_file rw_file_perms; -file_browse_domain($1_t) +# Supress ls denials: +# getattr() - ls -l +# search_dir() - symlink path resolution +# read_dir() - deep ls: ls parent/... + +dontaudit_getattr($1_t) +dontaudit_search_dir($1_t) +dontaudit_read_dir($1_t) # allow ptrace can_ptrace($1_t, $1_t) -# Create, access, and remove files in home directory. -file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t) -allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto }; -can_setfscreate($1_t) - -allow $1_t autofs_t:dir { search getattr }; - -if (use_nfs_home_dirs) { -network_home_dir($1_t, nfs_t) -} - -if (use_samba_home_dirs) { -network_home_dir($1_t, cifs_t) -} +# Allow user to run restorecon and relabel files +can_getsecurity($1_t) +r_dir_file($1_t, default_context_t) +r_dir_file($1_t, file_context_t) -can_exec($1_t, { removable_t noexattrfile } ) -if (user_rw_noexattrfile) { -create_dir_file($1_t, noexattrfile) -create_dir_file($1_t, removable_t) -# Write floppies -allow $1_t removable_device_t:blk_file rw_file_perms; -allow $1_t usbtty_device_t:chr_file write; -} else { -r_dir_file($1_t, noexattrfile) -r_dir_file($1_t, removable_t) -allow $1_t removable_device_t:blk_file r_file_perms; -} allow $1_t usbtty_device_t:chr_file read; # GNOME checks for usb and other devices @@ -104,16 +110,9 @@ can_exec($1_t, noexattrfile) # Bind to a Unix domain socket in /tmp. allow $1_t $1_tmp_t:unix_stream_socket name_bind; -# Access ttys. -allow $1_t privfd:fd use; -allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; - # Use the type when relabeling terminal devices. type_change $1_t tty_device_t:chr_file $1_tty_device_t; -# read localization information -read_locale($1_t) - # Debian login is from shadow utils and does not allow resetting the perms. # have to fix this! type_change $1_t ttyfile:chr_file $1_tty_device_t; 
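Review bot: `can_getsecurity($1_t)`, `r_dir_file($1_t, file_context_t)` and `r_dir_file($1_t, default_context_t)` are now granted to every base user domain, which makes the identical can_getsecurity and file_context_t lines in priv_user redundant; one of the two places should go, and the `# Allow user to run restorecon and relabel files` comment should state that exposing the policy decision interface to unprivileged users is intentional. The removed nfs/cifs home-directory and removable-media blocks appear to move into `network_home($1_t)` and `access_removable_media($1_t)`, but `allow $1_t autofs_t:dir { search getattr };` is deleted here and does not reappear in the visible hunks, so users with automounted homes may lose search on the autofs mount point unless network_home covers it.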
@@ -297,21 +296,16 @@ dontaudit $1_t domain:process { getattr getsession }; # dontaudit $1_t usr_t:file setattr; +# Use X +x_client_domain($1, $1) + ifdef(`xserver.te', ` -# for /tmp/.ICE-unix -file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; ') ifdef(`xdm.te', ` # Connect to the X server run by the X Display Manager. can_unix_connect($1_t, xdm_t) -allow $1_t xdm_tmp_t:sock_file rw_file_perms; -allow $1_t xdm_tmp_t:dir r_dir_perms; -allow $1_t xdm_tmp_t:file { getattr read }; -allow $1_t xdm_xserver_tmp_t:sock_file { read write }; -allow $1_t xdm_xserver_tmp_t:dir search; -allow $1_t xdm_xserver_t:unix_stream_socket connectto; # certain apps want to read xdm.pid file r_dir_file($1_t, xdm_var_run_t) allow $1_t xdm_var_lib_t:file { getattr read }; @@ -320,9 +314,6 @@ ifdef(`xauth.te', ` file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) ') -# for shared memory -allow xdm_xserver_t $1_tmpfs_t:file { read write }; - ')dnl end ifdef xdm.te # Access the sound device. @@ -375,6 +366,9 @@ allow $1_t default_t:dir r_dir_perms; allow $1_t default_t:notdevfile_class_set r_file_perms; } +# Read fonts +read_fonts($1_t, $1) + read_sysctl($1_t); # diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te index cdde6aa..8bd5d7b 100644 --- a/strict/macros/global_macros.te +++ b/strict/macros/global_macros.te @@ -437,7 +437,7 @@ allow $2_t device_t:dir getattr; # by default, only plain files and dirs may be stored there. # This can be overridden with a third parameter define(`tmp_domain', ` -type $1_tmp_t, file_type, sysadmfile, tmpfile $2; +type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2; ifelse($3, `', `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')', `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')') diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te index d6f34f2..dfc6c17 100644 
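Review bot: `x_client_domain($1, $1)` is called unconditionally, outside the xserver.te and xdm.te ifdef blocks whose rules it replaces (the xdm_tmp_t and xdm_xserver_tmp_t access and the xdm_xserver_t connectto); if that macro references xdm or xserver types, as the rules it absorbs did, a build without X policy fails on undeclared types. Either wrap the call in the same ifdef, or note in a comment that x_client_domain carries its own guards. The `allow xdm_xserver_t $1_tmpfs_t:file { read write };` shared-memory rule is also dropped here; if it moved into x_client_domain, a one-line comment saying so would save the next reader a search.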
--- a/strict/macros/user_macros.te +++ b/strict/macros/user_macros.te 
@@ -2,6 +2,76 @@ # Macros for all user login domains. # +# role_tty_type_change(starting_role, ending_role) +# +# change from role $1_r to $2_r and relabel tty appropriately +# + +undefine(`role_tty_type_change') +define(`role_tty_type_change', ` +allow $1_r $2_r; +type_change $2_t $1_devpts_t:chr_file $2_devpts_t; +type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; +# avoid annoying messages on terminal hangup +dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; +') + +# +# reach_sysadm(user) +# +# Reach sysadm_t via programs like userhelper/sudo/su +# + +undefine(`reach_sysadm') +define(`reach_sysadm', ` +ifdef(`userhelper.te', `userhelper_domain($1)') +ifdef(`sudo.te', `sudo_domain($1)') +ifdef(`su.te', ` +su_domain($1) +# When an ordinary user domain runs su, su may try to +# update the /root/.Xauthority file, and the user shell may +# try to update the shell history. This is not allowed, but +# we dont need to audit it. +dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms; +') dnl ifdef su.te +ifdef(`xauth.te', ` +file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file) +ifdef(`userhelper.te', ` +file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file) +') dnl userhelper.te +') dnl xauth.te +') dnl reach_sysadm + +# +# priv_user(user) +# +# Privileged user domain +# + +undefine(`priv_user') +define(`priv_user', ` +# Reach sysadm_t +reach_sysadm($1) + +# Read file_contexts for rpm and get security decisions. +r_dir_file($1_t, file_context_t) +can_getsecurity($1_t) + +# Signal and see information about unprivileged user domains. +allow $1_t unpriv_userdomain:process signal_perms; +can_ps($1_t, unpriv_userdomain) +allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr; + +# Read /root files if boolean is enabled. 
+if (staff_read_sysadm_file) { +allow $1_t sysadm_home_dir_t:dir { getattr search }; +allow $1_t sysadm_home_t:file { getattr read }; +} + +') dnl priv_user + # # user_domain(domain_prefix) # @@ -18,18 +88,23 @@ define(`user_domain', ` # Use capabilities # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; -type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember; -tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }') +# Transition manually for { lnk sock fifo }. The rest is in content macros. +tmp_domain_notrans($1, `, user_tmpfile, $1_file_type') +file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file }) +allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom }; -# Type and access for pty devices. -can_create_pty($1, `, userpty_type, user_tty_type') +ifdef(`support_polyinstantiation', ` +type_member $1_t tmp_t:dir $1_tmp_t; +type_member $1_t $1_home_dir_t:dir $1_home_t; +') -#Type for tty devices. -type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs; - base_user_domain($1) +ifdef(`mls_policy', `', ` +access_removable_media($1_t) +') # do not allow privhome access to sysadm_home_dir_t file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t) @@ -44,7 +119,9 @@ allow $1_t system_map_t:file { getattr read }; # user domain and the program, and allow us to maintain separation # between different instances of the program being run by different # user domains. -ifdef(`apache.te', `apache_domain($1)') +ifelse($1, sysadm, `',` +ifdef(`apache.te', `apache_user_domain($1)') +') ifdef(`slocate.te', `locate_domain($1)') ifdef(`lockdev.te', `lockdev_domain($1)') 
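Review bot: reach_sysadm gains `file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)` (and the userhelper variant), which is not in the copy removed from user.te and lets the xauth helper of every domain that calls reach_sysadm create files in the root home directory; that is presumably for su merging the user's cookie into /root/.Xauthority, but it needs a comment, e.g. `# su/userhelper run xauth to merge the user cookie into /root/.Xauthority`, and confirmation that only priv_user callers reach it. The comment a few lines up still says such updates are `not allowed, but we dont need to audit it` for `$1_su_t`, which now reads as contradictory and should say that the xauth domain, not su itself, performs the write. The rest of the hunk is a move of role_tty_type_change, reach_sysadm and priv_user out of user.te.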
@@ -110,19 +187,73 @@ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) # # Domains for ordinary users. # -undefine(`full_user_role') -define(`full_user_role', ` - +undefine(`limited_user_role') +define(`limited_user_role', ` # user_t/$1_t is an unprivileged users domain. -type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; +type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd; + +#Type for tty devices. +type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs; +# Type and access for pty devices. +can_create_pty($1, `, userpty_type, user_tty_type') + +# Access ttys. +allow $1_t privfd:fd use; +allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; -attribute $1_file_type; # Grant read/search permissions to some of /proc. r_dir_file($1_t, proc_t) r_dir_file($1_t, proc_net_t) base_file_read_access($1_t) +# Execute from the system shared libraries. +uses_shlib($1_t) + +# Read /etc. +r_dir_file($1_t, etc_t) +allow $1_t etc_runtime_t:file r_file_perms; +allow $1_t etc_runtime_t:lnk_file { getattr read }; + +allow $1_t self:process { fork sigchld setpgid signal_perms }; + +# read localization information +read_locale($1_t) + +read_sysctl($1_t) +can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t }) + +allow $1_t self:dir search; +allow $1_t self:file { getattr read }; +allow secadm_t self:fifo_file rw_file_perms; + +allow $1_t self:lnk_file read; +allow $1_t self:unix_stream_socket create_socket_perms; +allow $1_t urandom_device_t:chr_file { getattr read }; +dontaudit $1_t { var_spool_t var_log_t }:dir search; + +# Read /dev directories and any symbolic links. 
+allow $1_t device_t:dir r_dir_perms; +allow $1_t device_t:lnk_file { getattr read }; +allow $1_t devtty_t:chr_file { read write }; + +') + +undefine(`full_user_role') +define(`full_user_role', ` + +limited_user_role($1) + +typeattribute $1_t web_client_domain; + +attribute $1_file_type; + +ifdef(`useradd.te', ` +# Useradd relabels /etc/skel files so needs these privs +allow useradd_t $1_file_type:dir create_dir_perms; +allow useradd_t $1_file_type:notdevfile_class_set create_file_perms; +') + can_exec($1_t, usr_t) # Read directories and files with the readable_t type. @@ -134,28 +265,18 @@ allow $1_t readable_t:notdevfile_class_set r_file_perms; allow $1_t lost_found_t:dir getattr; # Read /var, /var/spool, /var/run. -allow $1_t var_t:dir r_dir_perms; -allow $1_t var_t:notdevfile_class_set r_file_perms; -allow $1_t var_spool_t:dir r_dir_perms; -allow $1_t var_spool_t:notdevfile_class_set r_file_perms; -allow $1_t var_run_t:dir r_dir_perms; -allow $1_t var_run_t:{ file lnk_file } r_file_perms; +r_dir_file($1_t, var_t) +# what about pipes and sockets under /var/spool? +r_dir_file($1_t, var_spool_t) +r_dir_file($1_t, var_run_t) allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:file { getattr read }; -read_sysctl($1_t) - -# Read /etc. -allow $1_t etc_t:dir r_dir_perms; -allow $1_t etc_t:notdevfile_class_set r_file_perms; -allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms; - # for running depmod as part of the kernel packaging process allow $1_t modules_conf_t:file { getattr read }; # Read man directories and files. -allow $1_t man_t:dir r_dir_perms; -allow $1_t man_t:notdevfile_class_set r_file_perms; +r_dir_file($1_t, man_t) # Allow users to rw usb devices if (user_rw_usb) { 
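Review bot: `allow secadm_t self:fifo_file rw_file_perms;` inside `limited_user_role` hard-codes `secadm_t` where every neighbouring rule uses the macro parameter, so it is almost certainly meant to be `allow $1_t self:fifo_file rw_file_perms;`. As written, every instantiation of limited_user_role emits the same secadm_t rule (and fails to build if secadm_t is not declared in this policy), while the $1_t domain never receives the fifo_file access the surrounding `self:dir`/`self:file` rules are clearly setting up. Separately, the only description of the new macro is the inherited `# user_t/$1_t is an unprivileged users domain.`; a one-line comment above `define(`limited_user_role', `` saying what a limited role lacks relative to full_user_role (web_client_domain, $1_file_type and the usr_t/readable_t/var reads that follow) would help the next person who instantiates it.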
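Review bot: Replacing `allow $1_t var_run_t:{ file lnk_file } r_file_perms;` and the `notdevfile_class_set` rules for var_t and var_spool_t with `r_dir_file` silently drops read access to symbolic links under those trees: if `r_dir_file` expands to dir and file only, as its name suggests, user domains lose `lnk_file` read on var_run_t, var_t, var_spool_t and man_t, all of which the removed rules explicitly granted. The new comment `# what about pipes and sockets under /var/spool?` acknowledges the sock/fifo part but not lnk_file, and symlinks under /var/run and the man directories are common. Either keep an explicit `allow $1_t { var_t var_spool_t var_run_t man_t }:lnk_file { getattr read };` next to the macro calls or state in the comment that the narrowing is intended. I can't see r_dir_file's definition from here.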
@@ -166,16 +287,9 @@ r_dir_file($1_t,usbdevfs_t) r_dir_file($1_t,sysfs_t) -# Read /dev directories and any symbolic links. -allow $1_t device_t:dir r_dir_perms; -allow $1_t device_t:lnk_file r_file_perms; - # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; -# Execute from the system shared libraries. -uses_shlib($1_t); - # $1_t is also granted permissions specific to user domains. user_domain($1) @@ -193,22 +307,6 @@ dontaudit $1_t syslogd_t:unix_dgram_socket sendto; dontaudit $1_t init_t:fd use; dontaudit $1_t initrc_t:fd use; allow $1_t initrc_t:fifo_file write; -ifdef(`user_can_mount', ` -# -# Allow users to mount file systems like floppies and cdrom -# -mount_domain($1, $1_mount, `, fs_domain') -r_dir_file($1_t, mnt_t) -allow $1_mount_t device_t:lnk_file read; -allow $1_mount_t removable_device_t:blk_file read; -allow $1_mount_t iso9660_t:filesystem relabelfrom; -allow $1_mount_t removable_t:filesystem { mount relabelto }; -allow $1_mount_t removable_t:dir mounton; -ifdef(`xdm.te', ` -allow $1_mount_t xdm_t:fd use; -allow $1_mount_t xdm_t:fifo_file { read write }; -') -') # # Rules used to associate a homedir as a mountpoint diff --git a/strict/types/file.te b/strict/types/file.te index 5b319e5..24d0023 100644 --- a/strict/types/file.te +++ b/strict/types/file.te @@ -278,7 +278,7 @@ allow devpts_t self:filesystem associate; type tmpfs_t, file_type, mount_point, sysadmfile, fs_type; allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate; -allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; +allow { logfile tmpfile home_type } tmp_t:filesystem associate; ifdef(`distro_redhat', ` allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate; ')
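Review bot: The removed `allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;` was the only explicit grant in view for tmp_t-labelled objects on a tmpfs_t filesystem, and the new `allow { logfile tmpfile home_type } tmp_t:filesystem associate;` only covers that case if tmp_t carries the `tmpfile` attribute (the context line above still lists tmpfs_t explicitly alongside tmpfile, so tmpfs_t on tmpfs_t is unaffected). If tmp_t is not a tmpfile, files labelled tmp_t on a tmpfs-backed /tmp will fail with an associate denial that is easy to misread as a labelling bug; worth confirming against tmp_t's declaration earlier in file.te, outside this hunk, and adding `allow tmp_t tmpfs_t:filesystem associate;` if needed. The reverse direction, tmpfs_t objects on a tmp_t filesystem, is also absent from the new rule and may matter if polyinstantiated /tmp mounts are labelled tmp_t.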