From fcfe684b16feb6a5d2dacd1b706e20f834953fdd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Feb 16 2006 16:44:00 +0000 Subject: remove unneeded dep --- diff --git a/refpolicy/Makefile b/refpolicy/Makefile index d8f1011..e101e2a 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -284,6 +284,10 @@ else include $(ROOT)/Rules.modular endif +test: + # $(MODDIR) + # $(ALL_LAYERS) + ######################################## # # Generated files diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index b383186..d324c0b 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic @@ -105,7 +105,7 @@ $(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES) @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) cat $^ > $@ -$(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) +$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES) # per-userdomain templates: @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@ diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index ce5ad18..9a39f46 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -137,15 +137,24 @@ level s0:c0.c255; # Only files are constrained by MCS at this stage. # mlsconstrain file { write setattr append unlink link rename - create ioctl lock execute } (h1 dom h2); + ioctl lock execute relabelfrom } (h1 dom h2); + +mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread )); # new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 ); +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain process { ptrace } ( h1 dom h2 ); + +mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or + ( t1 == mcskillall ); define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append link unlink rename relabelfrom relabelto }') diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 01e8551..bf59940 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -2656,3 +2656,22 @@ interface(`dev_unconfined',` typeattribute $1 memory_raw_write, memory_raw_read; ') + +######################################## +## +## Read and write the USB device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_usb',` + gen_require(` + type usb_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 usb_device_t:chr_file { read write }; +') diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc new file mode 100644 index 0000000..fa8a4b1 --- /dev/null +++ b/refpolicy/policy/modules/kernel/mcs.fc @@ -0,0 +1 @@ +# no MCS file contexts diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if new file mode 100644 index 0000000..1ceab9f --- /dev/null +++ b/refpolicy/policy/modules/kernel/mcs.if @@ -0,0 +1,23 @@ +## Multicategory security policy +## +## Contains attributes used in MCS policy. +## + +######################################## +## +## This domain is allowed to sigkill and sigstop +## all domains regardless of their MCS level. +## +## +## +## Domain target for user exemption. +## +## +# +interface(`mcs_killall',` + gen_require(` + attribute mcskillall; + ') + + typeattribute $1 mcskillall; +') diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te new file mode 100644 index 0000000..260d950 --- /dev/null +++ b/refpolicy/policy/modules/kernel/mcs.te @@ -0,0 +1,47 @@ + +policy_module(mcs,1.0.0) + +######################################## +# +# Declarations +# + +attribute mcskillall; + +######################################## +# +# THIS IS A HACK +# +# Only the base module can have range_transitions, so we +# temporarily have to break encapsulation to work around this. +# + +type auditd_exec_t; +type crond_exec_t; +type cupsd_exec_t; +type getty_t; +type init_t; +type init_exec_t; +type initrc_t; +type initrc_exec_t; +type login_exec_t; +type sshd_exec_t; +type su_exec_t; +type udev_exec_t; +type unconfined_t; +type xdm_exec_t; + +ifdef(`enable_mcs',` +range_transition getty_t login_exec_t s0 - s0:c0.c255; +range_transition init_t xdm_exec_t s0 - s0:c0.c255; +range_transition initrc_t crond_exec_t s0 - s0:c0.c255; +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; +range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; +range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; + +# these might be targeted_policy only +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; +range_transition unconfined_t initrc_exec_t s0; +') diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 0b66165..765b065 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -53,38 +53,10 @@ attribute mlsrangetrans; # # Only the base module can have range_transitions, so we # temporarily have to break encapsulation to work around this. +# Other types are declared in the mcs module. # -type auditd_exec_t; -type crond_exec_t; -type cupsd_exec_t; -type getty_t; -type init_t; -type init_exec_t; -type initrc_t; -type initrc_exec_t; -type login_exec_t; type lvm_exec_t; -type sshd_exec_t; -type su_exec_t; -type udev_exec_t; -type unconfined_t; -type xdm_exec_t; - -ifdef(`enable_mcs',` -range_transition getty_t login_exec_t s0 - s0:c0.c255; -range_transition init_t xdm_exec_t s0 - s0:c0.c255; -range_transition initrc_t crond_exec_t s0 - s0:c0.c255; -range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; -range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; -range_transition initrc_t udev_exec_t s0 - s0:c0.c255; -range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; -range_transition kernel_t udev_exec_t s0 - s0:c0.c255; - -# these might be targeted_policy only -range_transition unconfined_t su_exec_t s0 - s0:c0.c255; -range_transition unconfined_t initrc_exec_t s0; -') ifdef(`enable_mls',` range_transition initrc_t auditd_exec_t s15:c0.c255; diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index b8305fd..143dd7e 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -101,6 +101,7 @@ corenet_udp_bind_all_nodes(bluetooth_t) dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) +dev_rw_usb(bluetooth_t) dev_read_urand(bluetooth_t) fs_getattr_all_fs(bluetooth_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 8e85e00..62131f9 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -97,6 +97,8 @@ fs_search_auto_mountpoints(hald_t) mls_file_read_up(hald_t) +modutils_domtrans_insmod(hald_t) + selinux_get_fs_mount(hald_t) selinux_validate_context(hald_t) selinux_compute_access_vector(hald_t) @@ -128,6 +130,7 @@ libs_exec_ld_so(hald_t) libs_exec_lib_files(hald_t) logging_send_syslog_msg(hald_t) +logging_search_logs(hald_t) miscfiles_read_localization(hald_t) miscfiles_read_hwdata(hald_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 91c90a8..5cae9f4 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -44,6 +44,9 @@ role system_r types system_mail_t; # System mail local policy # +# newalias required this, not sure if it is needed in 'if' file +allow system_mail_t self:capability { dac_override }; + allow system_mail_t etc_mail_t:dir { getattr search }; allow system_mail_t etc_mail_t:file r_file_perms; diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index d257644..8cafe53 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid dontaudit NetworkManager_t self:capability sys_tty_config; allow NetworkManager_t self:process { setcap getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_file_perms; -allow NetworkManager_t self:unix_dgram_socket create_socket_perms; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index f54a670..37d09ee 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -273,6 +273,8 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) corecmd_exec_bin(postfix_local_t) +files_read_etc_files(postfix_local_t) + mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin @@ -395,6 +397,8 @@ allow postfix_pipe_t self:fifo_file { read write }; allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:sock_file write; +allow postfix_pipe_t postfix_public_t:fifo_file { getattr write }; + allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms; diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc index 8a11fb6..4515bbb 100644 --- a/refpolicy/policy/modules/system/init.fc +++ b/refpolicy/policy/modules/system/init.fc @@ -22,7 +22,8 @@ ifdef(`targeted_policy', `', ` # # /sbin # -/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0) +/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) + ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 2df8025..6d00dd6 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -155,6 +155,8 @@ libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) +mcs_killall(init_t) + mls_file_read_up(init_t) mls_file_write_down(init_t) mls_rangetrans_target(init_t) @@ -360,6 +362,8 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript miscfiles_read_certs(initrc_t) +mcs_killall(initrc_t) + mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) mls_process_read_up(initrc_t) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index a53d338..3d646fe 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -283,6 +283,7 @@ interface(`libs_manage_lib_files',` allow $1 lib_t:dir search_dir_perms; allow $1 lib_t:file manage_file_perms; + allow $1 lib_t:lnk_file unlink; ') ######################################## diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc index 8364ca4..dec2ff1 100644 --- a/refpolicy/policy/modules/system/selinuxutil.fc +++ b/refpolicy/policy/modules/system/selinuxutil.fc @@ -10,6 +10,7 @@ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) +/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) @@ -39,3 +40,5 @@ ifdef(`distro_debian', ` /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) ') + +/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0) diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 606c511..70792e9 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -586,6 +586,28 @@ interface(`seutil_read_file_contexts',` ') ######################################## +## +## Read and write the file_contexts files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_rw_file_contexts',` + gen_require(` + type selinux_config_t, file_context_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search; + allow $1 file_context_t:dir r_dir_perms; + allow $1 file_context_t:file rw_file_perms; + allow $1 file_context_t:lnk_file { getattr read }; +') + +######################################## # # seutil_read_bin_policy(domain) # @@ -683,4 +705,3 @@ interface(`seutil_manage_src_policy',` allow $1 policy_src_t:dir create_dir_perms; allow $1 policy_src_t:file create_file_perms; ') - diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index e63d827..bc32cd7 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -55,10 +55,11 @@ interface(`unconfined_domain_noaudit',` tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; + auditallow $1 self:process execstack; ', ` # These are fairly common but seem to be harmless # caused by using shared libraries built with old tool chains - dontaudit $1 self:process execstack; + #dontaudit $1 self:process execstack; ') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index ac593ef..c227152 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -165,9 +165,13 @@ ifdef(`targeted_policy',` ') ifdef(`enable_mls',` + corecmd_exec_shell(secadm_t) + mls_process_read_up(secadm_t) + mls_file_write_down(secadm_t) + mls_file_upgrade(secadm_t) + mls_file_downgrade(secadm_t) logging_read_audit_log(secadm_t) logging_domtrans_auditctl(secadm_t) - mls_process_read_up(secadm_t) userdom_dontaudit_append_staff_home_files(secadm_t) ', ` logging_domtrans_auditctl(sysadm_t) @@ -354,6 +358,7 @@ ifdef(`targeted_policy',` seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_setfiles(secadm_t,secadm_r,admin_terminal) + seutil_run_restorecon(secadm_t,secadm_r,admin_terminal) ', ` selinux_set_enforce_mode(sysadm_t) selinux_set_boolean(sysadm_t)