From dce68dc48dca9224be7a67731e2d6dd4fdc92808 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 08 2005 15:51:15 +0000 Subject: add updfstab --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 6bb8ea8..b04973a 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -9,6 +9,7 @@ acct mysql tmpreaper + updfstab 20050802 (2 Aug 2005) * Fix comparison bug in fc_sort. diff --git a/refpolicy/policy/modules/admin/updfstab.fc b/refpolicy/policy/modules/admin/updfstab.fc new file mode 100644 index 0000000..a30d237 --- /dev/null +++ b/refpolicy/policy/modules/admin/updfstab.fc @@ -0,0 +1,3 @@ + +/usr/sbin/fstab-sync -- context_template(system_u:object_r:updfstab_exec_t,s0) +/usr/sbin/updfstab -- context_template(system_u:object_r:updfstab_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if new file mode 100644 index 0000000..ec216aa --- /dev/null +++ b/refpolicy/policy/modules/admin/updfstab.if @@ -0,0 +1,27 @@ +## Red Hat utility to change /etc/fstab. + +######################################## +## +## Execute updfstab in the updfstab domain. +## +## +## The type of the process performing this action. +## +# +interface(`updfstab_domtrans',` + gen_require(` + type updfstab_t, updfstab_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + files_search_usr($1) + corecmd_search_sbin($1) + domain_auto_trans($1,updfstab_exec_t,updfstab_t) + + allow $1 updfstab_t:fd use; + allow updfstab_t $1:fd use; + allow updfstab_t $1:fifo_file rw_file_perms; + allow updfstab_t $1:process sigchld; +') diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te new file mode 100644 index 0000000..7b59329 --- /dev/null +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -0,0 +1,119 @@ + +policy_module(updfstab,1.0) + +######################################## +# +# Declarations +# + +type updfstab_t; +type updfstab_exec_t; +init_daemon_domain(updfstab_t,updfstab_exec_t) + +######################################## +# +# Local policy +# + +allow updfstab_t self:capability dac_override; +dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; +allow updfstab_t self:process signal_perms; +allow updfstab_t self:fifo_file { getattr read write ioctl }; + +kernel_use_fd(updfstab_t) +kernel_read_kernel_sysctl(updfstab_t) +kernel_dontaudit_write_kernel_sysctl(updfstab_t) +# for /proc/partitions +kernel_read_system_state(updfstab_t) +# cjp: why is this required +kernel_change_ring_buffer_level(updfstab_t) + +dev_read_sysfs(updfstab_t) +dev_manage_generic_symlinks(updfstab_t) + +fs_getattr_xattr_fs(updfstab_t) +fs_search_auto_mountpoints(updfstab_t) + +selinux_get_fs_mount(updfstab_t) +selinux_validate_context(updfstab_t) +selinux_compute_access_vector(updfstab_t) +selinux_compute_create_context(updfstab_t) +selinux_compute_relabel_context(updfstab_t) +selinux_compute_user_contexts(updfstab_t) + +storage_raw_read_fixed_disk(updfstab_t) +storage_raw_write_fixed_disk(updfstab_t) +storage_raw_read_fixed_disk(updfstab_t) +storage_raw_write_fixed_disk(updfstab_t) +storage_read_scsi_generic(updfstab_t) +storage_write_scsi_generic(updfstab_t) + +term_dontaudit_use_console(updfstab_t) + +corecmd_exec_bin(updfstab_t) +corecmd_exec_sbin(updfstab_t) +corecmd_exec_ls(updfstab_t) + +domain_use_wide_inherit_fd(updfstab_t) + +files_manage_mnt_files(updfstab_t) +files_manage_mnt_dirs(updfstab_t) +files_manage_mnt_symlinks(updfstab_t) +files_manage_etc_files(updfstab_t) +files_dontaudit_search_home(updfstab_t) +# for /etc/mtab +files_read_etc_runtime_files(updfstab_t) + +init_use_fd(updfstab_t) +init_use_script_pty(updfstab_t) + +libs_use_ld_so(updfstab_t) +libs_use_shared_libs(updfstab_t) + +logging_send_syslog_msg(updfstab_t) +logging_search_logs(updfstab_t) + +miscfiles_read_localization(updfstab_t) + +seutil_read_config(updfstab_t) +seutil_read_default_contexts(updfstab_t) +seutil_read_file_contexts(updfstab_t) + +userdom_use_sysadm_tty(updfstab_t) +userdom_dontaudit_search_all_users_home(updfstab_t) +userdom_dontaudit_use_unpriv_user_fd(updfstab_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(updfstab_t) + term_dontaudit_use_generic_pty(updfstab_t) + files_dontaudit_read_root_file(updfstab_t) +') + +optional_policy(`authlogin.te',` + auth_domtrans_pam_console(updfstab_t) +') + +optional_policy(`modutils.te',` + modutils_read_module_conf(updfstab_t) + modutils_exec_insmod(updfstab_t) + modutils_read_mods_deps(updfstab_t) +') + +optional_policy(`rhgb.te',` + rhgb_domain(updfstab_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(updfstab_t) +') + +optional_policy(`udev.te',` + udev_read_db(updfstab_t) +') + +ifdef(`TODO',` +ifdef(`dbusd.te', ` +dbusd_client(system, updfstab) +allow updfstab_t system_dbusd_t:dbus { send_msg }; +') +') dnl end TODO diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 1b121ff..f4de889 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -885,6 +885,23 @@ interface(`kernel_read_kernel_sysctl',` ######################################## ## +## Do not audit attempts to write generic kernel sysctls. +## +## +## Domain to not audit. +## +# +interface(`kernel_dontaudit_write_kernel_sysctl',` + gen_require(` + type sysctl_kernel_t; + class file write; + ') + + dontaudit $1 sysctl_kernel_t:file write; +') + +######################################## +## ## Read and write generic kernel sysctls. ## ## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index bbf0384..a45bfbe 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1120,7 +1120,7 @@ interface(`files_manage_isid_type_chr_node',` ######################################## ## -## Search home directories. +## Search home directories root. ## ## ## The type of the process performing this action. @@ -1137,6 +1137,23 @@ interface(`files_search_home',` ######################################## ## +## Do not audit attempts to search home directories root. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_search_home',` + gen_require(` + type home_root_t; + class dir search; + ') + + dontaudit $1 home_root_t:dir search; +') + +######################################## +## ## Get listing of home directories. ## ## @@ -1244,6 +1261,44 @@ interface(`files_manage_mnt_dirs',` ######################################## ## +## Create, read, write, and delete files in /mnt. +## +## +## Domain allowed access. +## +# +interface(`files_manage_mnt_files',` + gen_require(` + type mnt_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + allow $1 mnt_t:dir rw_dir_perms; + allow $1 mnt_t:file create_file_perms; +') + +######################################## +## +## Create, read, write, and delete symbolic links in /mnt. +## +## +## Domain allowed access. +## +# +interface(`files_manage_mnt_symlinks',` + gen_require(` + type mnt_t; + class dir rw_dir_perms; + class lnk_file create_lnk_perms; + ') + + allow $1 mnt_t:dir rw_dir_perms; + allow $1 mnt_t:lnk_file create_lnk_perms; +') + +######################################## +## ## List world-readable directories. ## ## diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 8991f7d..88b9a5b 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -172,7 +172,7 @@ optional_policy(`udev.te', ` ') optional_policy(`updfstab.te', ` - updfstab_transition(hotplug_t) + updfstab_domtrans(hotplug_t) ') ifdef(`TODO',`