From a9a20ddaae010961a39b66a5cc5cb2336142d55c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 09 2005 19:55:01 +0000 Subject: allow all domains to use /dev/{zero,null,tty} --- diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index fcfef78..cdff63f 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -118,8 +118,6 @@ corenetwork_bind_tcp_on_all_nodes(ping_t) filesystem_ignore_get_persistent_filesystem_attributes(ping_t) -terminal_ignore_use_controlling_terminal(ping_t) - domain_use_widely_inheritable_file_descriptors(ping_t) files_read_general_system_config(ping_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 9bb704b..95206f3 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -87,7 +87,6 @@ kernel_compute_reachable_user_contexts(chfn_t) terminal_use_all_users_physical_terminals(chfn_t) terminal_use_all_users_pseudoterminals(chfn_t) -terminal_use_controlling_terminal(chfn_t) filesystem_get_persistent_filesystem_attributes(chfn_t) @@ -167,8 +166,6 @@ devices_get_pseudorandom_data(crack_t) filesystem_get_persistent_filesystem_attributes(crack_t) -terminal_use_controlling_terminal(crack_t) - files_read_general_system_config(crack_t) files_read_runtime_system_config(crack_t) # for dictionaries @@ -310,7 +307,6 @@ filesystem_get_persistent_filesystem_attributes(passwd_t) terminal_use_all_users_physical_terminals(passwd_t) terminal_use_all_users_pseudoterminals(passwd_t) -terminal_use_controlling_terminal(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. 
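Review bot: Removing `terminal_ignore_use_controlling_terminal(ping_t)` in the netutils.te hunk is not a like-for-like cleanup, unlike the `terminal_use_controlling_terminal(...)` removals for chfn_t, crack_t and passwd_t in usermanage.te. Judging by its name the removed rule only silenced denials. If ping_t is declared through `domain_make_domain` (not visible here), it now inherits `terminal_use_controlling_terminal` from the domain.if change in this commit, so it would move from quietly denied to allowed. A comment where the rule was removed, such as `# controlling terminal access is now granted by domain_make_domain`, would record that this widening for ping_t is intended.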
@@ -411,7 +407,6 @@ filesystem_get_persistent_filesystem_attributes(sysadm_passwd_t) terminal_use_all_users_physical_terminals(sysadm_passwd_t) terminal_use_all_users_pseudoterminals(sysadm_passwd_t) -terminal_use_controlling_terminal(sysadm_passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 35ece3c..aa2b20e 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -104,7 +104,6 @@ logging_send_system_log_message(bootloader_t) filesystem_get_persistent_filesystem_attributes(bootloader_t) -terminal_use_controlling_terminal(bootloader_t) terminal_get_all_users_physical_terminal_attributes(bootloader_t) allow bootloader_t bootloader_etc_t:file { getattr read }; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 5a7713c..1c4f3e7 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
@@ -297,15 +297,31 @@ class chr_file { getattr write ioctl }; ######################################## # -# devices_discard_data_stream(domain) +# devices_read_dev_null(domain) # -define(`devices_discard_data_stream',` +define(`devices_read_dev_null',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr read search }; +allow $1 null_device_t:chr_file { getattr read }; +') + +define(`devices_read_dev_null_depend',` +type device_t, null_device_t; +class device_t:dir { getattr read search }; +class chr_file { getattr read }; +') + +######################################## +# +# devices_write_dev_null(domain) +# +define(`devices_write_dev_null',` requires_block_template(`$0'_depend) allow $1 device_t:dir { getattr read search }; allow $1 null_device_t:chr_file { getattr append write }; ') -define(`devices_discard_data_stream_depend',` +define(`devices_write_dev_null_depend',` type device_t, null_device_t; class device_t:dir { getattr read search }; class chr_file { getattr append write }; @@ -313,15 +329,24 @@ class chr_file { getattr append write }; ######################################## # -# devices_get_zeros(domain) +# devices_use_dev_null(domain) +# +define(`devices_use_dev_null',` +devices_read_dev_null($1) +devices_write_dev_null($1) +') + +######################################## +# +# devices_read_dev_zero(domain) # -define(`devices_get_zeros',` +define(`devices_read_dev_zero',` requires_block_template(`$0'_depend) allow $1 device_t:dir { getattr read search }; allow $1 zero_device_t:chr_file { getattr read }; ') -define(`devices_get_zeros_depend',` +define(`devices_read_dev_zero_depend',` type device_t, zero_device_t; class device_t:dir { getattr read search }; class chr_file { getattr read }; 
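Review bot: `devices_read_dev_null` and `devices_write_dev_null` together grant `{ getattr read }` and `{ getattr append write }` on null_device_t, which is narrower than some of the per-domain rules this commit deletes. clock.te and hostname.te drop `allow ... null_device_t:chr_file { read getattr lock ioctl };`, and other modules drop `r_file_perms` on the same type. If any of those rules were active rather than inside a TODO ifdef block, the affected domains lose `ioctl` and `lock` on /dev/null and will start logging denials. Either extend the read interface to `allow $1 null_device_t:chr_file { getattr read ioctl lock };` with the matching `class chr_file` line in its `_depend` block, or state in the header comment that ioctl and lock are deliberately left out.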
@@ -329,6 +354,31 @@ class chr_file { getattr read }; ######################################## # +# devices_write_dev_zero(domain) +# +define(`devices_write_dev_zero',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr read search }; +allow $1 zero_device_t:chr_file { getattr append write }; +') + +define(`devices_write_dev_zero_depend',` +type device_t, zero_device_t; +class device_t:dir { getattr read search }; +class chr_file { getattr append write }; +') + +######################################## +# +# devices_use_dev_zero(domain) +# +define(`devices_use_dev_zero',` +devices_read_dev_zero($1) +devices_write_dev_zero($1) +') + +######################################## +# # devices_read_realtime_clock(domain) # define(`devices_read_realtime_clock',` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index f92ae16..d6222a6 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -15,8 +15,8 @@ domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t) role $1_r types $1_chkpwd_t; role $1_r types system_chkpwd_t; -# Use capabilities. allow $1_chkpwd_t self:capability setuid; +allow $1_chkpwd_t self:process getattr; authlogin_read_shadow_passwords($1_chkpwd_t) logging_send_system_log_message($1_chkpwd_t) 
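Review bot: The new `devices_write_dev_zero_depend` block declares `class device_t:dir { getattr read search };`, a type:class pair, where the other depend templates on this page name only the class (for example `class file { getattr read execute };` in authlogin.if). The same line is added in `devices_read_dev_null_depend` in the first devices.if hunk and is already present in the renamed `_depend` blocks, so it appears to have been copied forward. If the depend check expects a class name, the line should read `class dir { getattr read search };` in all of these blocks.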
@@ -30,11 +30,23 @@ filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t) # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) -#can_getcon($1_chkpwd_t) #can_ypbind($1_chkpwd_t) #can_kerberos($1_chkpwd_t) #can_ldap($1_chkpwd_t) -#can_resolve($1_chkpwd_t) + +tunable_policy(`use_dns',` +allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; +corenetwork_network_udp_on_all_interfaces($1_chkpwd_t) +corenetwork_network_raw_on_all_interfaces($1_chkpwd_t) +corenetwork_network_udp_on_all_nodes($1_chkpwd_t) +corenetwork_network_raw_on_all_nodes($1_chkpwd_t) +corenetwork_bind_udp_on_all_nodes($1_chkpwd_t) +corenetwork_network_udp_on_dns_port($1_chkpwd_t) +sysnetwork_read_network_config($1_chkpwd_t) +') dnl end use_dns + +# for nscd +files_ignore_search_system_state_data_directory($1_chkpwd_t) # Transition from the user domain to this domain. ifelse($1, system, ` @@ -44,6 +56,7 @@ terminal_use_general_physical_terminal($1_chkpwd_t) # Transition from the user domain to this domain. allow $1_t chkpwd_exec_t:file { getattr read execute }; allow $1_t $1_chkpwd_t:process transition; +type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t; #allow $1_t sbin_t:dir search; @@ -59,16 +72,15 @@ domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) optional_policy(`selinux.te',` selinux_newrole_use_file_descriptors($1_chkpwd_t) ') + ') dnl ifelse system -# for nscd -dontaudit $1_chkpwd_t var_t:dir search; -') +') dnl end authlogin_per_userdomain_template define(`authlogin_per_userdomain_template_depend',` type chkpwd_exec_t, system_chkpwd_t; class file { getattr read execute }; -class process transition; +class process { getattr transition }; class capability setuid; class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; 
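Review bot: The new use_dns tunable block gives `$1_chkpwd_t` more network reach than a DNS lookup appears to need, and the previous hunk shows this domain also has `authlogin_read_shadow_passwords`. The only socket class allowed on self is `udp_socket`, yet the block also calls `corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)`, `corenetwork_network_raw_on_all_nodes($1_chkpwd_t)` and `corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)`. If those lines are only carried over from the old `can_resolve` expansion, a comment saying so would help; otherwise the two raw lines look removable. The later hunk for `authlogin_per_userdomain_template_depend` adds `getattr` to `class process` but shows no `class udp_socket` line, which `authlogin_check_password_transition_depend` does get. That depend block continues outside the hunk, so confirm it is declared there.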
@@ -96,18 +108,32 @@ define(`authlogin_check_password_transition',` requires_block_template(`$0'_depend) allow $1 chkpwd_exec_t:file { getattr read execute }; allow $1 system_chkpwd_t:process transition; +type_transition $1 chkpwd_exec_t:process system_chkpwd_t; + dontaudit $1 shadow_t:file { getattr read }; -#allow auth_chkpwd sbin_t:dir search; -#can_ypbind(auth_chkpwd) -#can_kerberos(auth_chkpwd) -#can_ldap(auth_chkpwd) -#can_resolve(auth_chkpwd) -') +#allow $1_t sbin_t:dir search; +#can_ypbind($1_t) +#can_kerberos($1_t) +#can_ldap($1_t) + +tunable_policy(`use_dns',` +allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; +corenetwork_network_udp_on_all_interfaces($1) +corenetwork_network_raw_on_all_interfaces($1) +corenetwork_network_udp_on_all_nodes($1) +corenetwork_network_raw_on_all_nodes($1) +corenetwork_bind_udp_on_all_nodes($1) +corenetwork_network_udp_on_dns_port($1) +sysnetwork_read_network_config($1) +') dnl end use_dns + +') dnl end check_password_transition define(`authlogin_check_password_transition_depend',` type system_chkpwd_t, chkpwd_exec_t, shadow_t; class file { getattr read execute }; class process transition; +class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; ') ####################################### diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 2ed9474..3929d8f 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -87,7 +87,6 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) -terminal_use_controlling_terminal(pam_t) terminal_use_all_users_physical_terminals(pam_t) terminal_use_all_users_pseudoterminals(pam_t) 
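Review bot: In `authlogin_check_password_transition` the use_dns block grants the UDP socket and corenetwork permissions to `$1`, the calling domain, not to `system_chkpwd_t`. Any domain that uses this interface to run the password checker therefore also gains DNS networking when the tunable is on, which the interface name does not suggest. The interface's header comment should say so, for example `# Also allows the caller to resolve names over UDP when use_dns is enabled.` Separately, the rewritten commented-out lines use `$1_t` (`#can_ypbind($1_t)`, `#allow $1_t sbin_t:dir search;`) while every live rule in this interface uses `$1`, so they would name the wrong type if uncommented as written. The interface's opening lines sit above the hunk.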
@@ -137,8 +136,6 @@ kernel_read_system_state(pam_console_t) kernel_read_hardware_state(pam_console_t) kernel_use_file_descriptors(pam_console_t) -devices_discard_data_stream(pam_console_t) - # Allow to set attributes on /dev entries storage_get_fixed_disk_attributes(pam_console_t) storage_set_fixed_disk_attributes(pam_console_t) @@ -192,7 +189,6 @@ allow pam_console_t rhgb_t:process sigchld; allow pam_console_t rhgb_t:fd use; allow pam_console_t rhgb_t:fifo_file { read write }; ') -allow pam_console_t null_device_t:chr_file r_file_perms; dontaudit pam_console_t unpriv_userdomain:fd use; allow pam_console_t autofs_t:dir { search getattr }; diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 00ee7cb..cf39327 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -33,7 +33,6 @@ allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; kernel_read_kernel_sysctl(hwclock_t) kernel_read_hardware_state(hwclock_t) -devices_discard_data_stream(hwclock_t) devices_modify_realtime_clock(hwclock_t) filesystem_get_persistent_filesystem_attributes(hwclock_t) @@ -80,7 +79,6 @@ allow hwclock_t rhgb_t:fd use; allow hwclock_t rhgb_t:fifo_file { read write }; ') -allow hwclock_t null_device_t:chr_file { read getattr lock ioctl }; dontaudit hwclock_t unpriv_userdomain:fd use; allow hwclock_t autofs_t:dir { search getattr }; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index f1ac710..d7a8821 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
@@ -30,8 +30,19 @@ class lnk_file { getattr read }; # domain_make_domain(domain) # define(`domain_make_domain',` + +# start with basic domain domain_make_base_domain($1) + +# Use trusted objects in /dev +devices_use_dev_null($1) +devices_use_dev_zero($1) +terminal_use_controlling_terminal($1) + +# read the root directory files_read_root_dir($1) + +# send init a sigchld init_sigchld($1) ') diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index a529979..e51e5a3 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -30,8 +30,6 @@ kernel_read_kernel_sysctl(hostname_t) kernel_read_hardware_state(hostname_t) kernel_ignore_use_file_descriptors(hostname_t) -devices_discard_data_stream(hostname_t) - files_read_general_system_config(hostname_t) files_ignore_search_system_state_data_directory(hostname_t) filesystem_get_persistent_filesystem_attributes(hostname_t) @@ -79,7 +77,6 @@ allow hostname_t rhgb_t:fd use; allow hostname_t rhgb_t:fifo_file { read write }; ') -allow hostname_t null_device_t:chr_file { read getattr lock ioctl }; dontaudit hostname_t unpriv_userdomain:fd use; allow hostname_t autofs_t:dir { search getattr }; ##end daemon_base_domain diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 988aa86..fd60c4f 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -50,7 +50,6 @@ kernel_transition_from(hotplug_t,hotplug_exec_t) bootloader_read_kernel_modules(hotplug_t) -devices_discard_data_stream(hotplug_t) # for SSP devices_get_pseudorandom_data(hotplug_t) @@ -59,7 +58,6 @@ filesystem_get_all_filesystems_attributes(hotplug_t) storage_set_fixed_disk_attributes(hotplug_t) storage_set_removable_device_attributes(hotplug_t) -terminal_use_controlling_terminal(hotplug_t) terminal_ignore_use_console(hotplug_t) init_use_file_descriptors(hotplug_t) 
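Review bot: The header comment for `domain_make_domain` still reads only `# domain_make_domain(domain)`, while the body now gives every domain read and write on /dev/null and /dev/zero plus the controlling terminal. No module can opt out of what this base template grants, so the header should list these grants and say why the objects are treated as trusted, e.g. `# Also grants use of /dev/null, /dev/zero and the controlling terminal to every domain.` On this page the only earlier /dev/zero consumer was `devices_get_zeros(insmod_t)`, a read-only grant, so `devices_read_dev_zero($1)` may be enough unless some domain is known to need write. The macro's header begins above the hunk.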
@@ -120,7 +118,6 @@ updfstab_transition(hotplug_t) ') ifdef(`TODO',` -allow hotplug_t null_device_t:chr_file r_file_perms; dontaudit hotplug_t unpriv_userdomain:fd use; allow hotplug_t autofs_t:dir { search getattr }; dontaudit hotplug_t sysadm_home_dir_t:dir search; diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index e9e4b2c..a805952 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -47,8 +47,6 @@ kernel_use_file_descriptors(iptables_t) filesystem_get_persistent_filesystem_attributes(iptables_t) -devices_discard_data_stream(iptables_t) - terminal_ignore_use_console(iptables_t) init_use_file_descriptors(iptables_t) @@ -94,7 +92,6 @@ allow iptables_t rhgb_t:process sigchld; allow iptables_t rhgb_t:fd use; allow iptables_t rhgb_t:fifo_file { read write }; ') -allow iptables_t null_device_t:chr_file r_file_perms; dontaudit iptables_t unpriv_userdomain:fd use; allow iptables_t autofs_t:dir { search getattr }; tunable_policy(`direct_sysadm_daemon', ` diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 9dade39..0e24740 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -102,9 +102,7 @@ kernel_read_hardware_state(syslogd_t) kernel_read_kernel_sysctl(syslogd_t) devices_create_dev_entry(syslogd_t,devlog_t,sock_file) -devices_discard_data_stream(syslogd_t) -terminal_use_controlling_terminal(syslogd_t) terminal_ignore_use_console(syslogd_t) corenetwork_network_raw_on_all_interfaces(syslogd_t) @@ -169,7 +167,6 @@ ifdef(`TODO',` allow syslogd_t proc_t:dir r_dir_perms; allow syslogd_t proc_t:lnk_file read; -allow syslogd_t null_device_t:chr_file r_file_perms; dontaudit syslogd_t unpriv_userdomain:fd use; allow syslogd_t autofs_t:dir { search getattr }; dontaudit syslogd_t sysadm_home_dir_t:dir search; 
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 9b36365..4e2571d 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -55,12 +55,9 @@ kernel_read_hotplug_sysctl(insmod_t) bootloader_read_kernel_modules(insmod_t) -terminal_use_controlling_terminal(insmod_t) - devices_write_mtrr(insmod_t) devices_get_pseudorandom_data(insmod_t) devices_direct_agp_access(insmod_t) -devices_get_zeros(insmod_t) filesystem_get_persistent_filesystem_attributes(insmod_t) @@ -204,7 +201,6 @@ devices_get_pseudorandom_data(update_modules_t) filesystem_get_persistent_filesystem_attributes(update_modules_t) terminal_use_console(update_modules_t) -terminal_use_controlling_terminal(update_modules_t) init_use_file_descriptors(depmod_t) init_script_use_file_descriptors(depmod_t) diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 6a0a865..7f03aab 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) -terminal_use_controlling_terminal(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) @@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t) filesystem_get_persistent_filesystem_attributes(load_policy_t) terminal_use_console(load_policy_t) -terminal_use_controlling_terminal(load_policy_t) terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) @@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_users_physical_terminals(newrole_t) terminal_use_all_users_pseudoterminals(newrole_t) -terminal_use_controlling_terminal(newrole_t) # Write to utmp. init_script_modify_runtime_data(newrole_t) 
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr }; # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; - + # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; @@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) -terminal_use_controlling_terminal(setfiles_t) terminal_use_all_users_physical_terminals(setfiles_t) terminal_use_all_users_pseudoterminals(setfiles_t) terminal_use_general_physical_terminal(setfiles_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 6a0a865..7f03aab 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) -terminal_use_controlling_terminal(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) @@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t) filesystem_get_persistent_filesystem_attributes(load_policy_t) terminal_use_console(load_policy_t) -terminal_use_controlling_terminal(load_policy_t) terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) @@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_users_physical_terminals(newrole_t) terminal_use_all_users_pseudoterminals(newrole_t) -terminal_use_controlling_terminal(newrole_t) # Write to utmp. init_script_modify_runtime_data(newrole_t) 
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr }; # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; - + # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; @@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) -terminal_use_controlling_terminal(setfiles_t) terminal_use_all_users_physical_terminals(setfiles_t) terminal_use_all_users_pseudoterminals(setfiles_t) terminal_use_general_physical_terminal(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 26e7817..97c9722 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -84,13 +84,11 @@ corenetwork_bind_tcp_on_all_nodes(dhcpc_t) corenetwork_bind_udp_on_all_nodes(dhcpc_t) corenetwork_bind_udp_on_dhcpc_port(dhcpc_t) -devices_discard_data_stream(dhcpc_t) # for SSP devices_get_pseudorandom_data(dhcpc_t) filesystem_get_all_filesystems_attributes(dhcpc_t) -terminal_use_controlling_terminal(dhcpc_t) terminal_ignore_use_console(dhcpc_t) terminal_ignore_use_all_users_physical_terminals(dhcpc_t) terminal_ignore_use_all_users_pseudoterminals(dhcpc_t) @@ -156,7 +154,6 @@ ntpd_transition(dhcpc_t) ') ifdef(`TODO',` -allow dhcpc_t null_device_t:chr_file r_file_perms; allow dhcpc_t autofs_t:dir { search getattr }; dontaudit dhcpc_t sysadm_home_dir_t:dir search;