diff --git a/strict/COPYING b/strict/COPYING new file mode 100644 index 0000000..5b6e7c6 --- /dev/null +++ b/strict/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/strict/ChangeLog b/strict/ChangeLog new file mode 100644 index 0000000..0e38453 --- /dev/null +++ b/strict/ChangeLog 
@@ -0,0 +1,165 @@ +1.23.2 2005-03-14 + * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's + gift policy. + * Made sysadm_r the first role for root, so root's home will be labled + as sysadm_home_dir_t instead of staff_home_dir_t. + * Modified fs_use and Makefile to reflect jfs now supporting security + xattrs. + +1.23.1 2005-03-10 + * Merged diffs from Dan Walsh. Dan's patch includes Ivan + Gyurdiev's cleanup of homedir macros and more extensive use of + read_sysctl() + +1.22 2005-03-09 + * Updated version for release. + +1.21 2005-02-24 + * Added secure_file_type attribute from Dan Walsh + * Added access_terminal() macro from Ivan Gyurdiev + * Updated capability access vector for audit capabilities. + * Added mlsconvert Makefile target to help generate MLS policies + (see selinux-doc/README.MLS for instructions). + * Changed policy Makefile to still generate policy.18 as well, + and use it for make load if the kernel doesn't support 19. + * Merged enhanced MLS support from Darrel Goeddel (TCS). + * Merged diffs from Dan Walsh, Russell Coker, and Greg Norris. + * Merged man pages from Dan Walsh. + +1.20 2005-01-04 + * Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and + Petre Rodan. + * Merged can_create() macro used for file_type_{,auto_}trans() + from Thomas Bleher. + * Merged dante and stunnel policy by Petre Rodan. + * Merged $1_file_type attribute from Thomas Bleher. + * Merged network_macros from Dan Walsh. + +1.18 2004-10-25 + * Merged diffs from Russell Coker and Dan Walsh. + * Merged mkflask and mkaccess_vector patches from Ulrich Drepper. + * Added reserved_port_t type and portcon entries to map all other + reserved ports to this type. + * Added distro_ prefix to distro tunables to avoid conflicts. + * Merged diffs from Russell Coker. + +1.16 2004-08-16 + * Added nscd definitions. + * Converted many tunables to policy booleans. + * Added crontab permission. + * Merged diffs from Dan Walsh. 
+ This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well. + * Merged diffs from Russell Coker. + * Adjusted constraints for crond restart. + * Merged dbus/userspace object manager policy from Colin Walters. + * Merged dbus definitions from Matthew Rickard. + * Merged dnsmasq policy from Greg Norris. + * Merged gpg-agent policy from Thomas Bleher. + +1.14 2004-06-28 + * Removed vmware-config.pl from vmware.fc. + * Added crond entry to root_default_contexts. + * Merged patch from Dan Walsh. + * Merged mdadm and postfix changes from Colin Walters. + * Merged reiserfs and rpm changes from Russell Coker. + * Merged runaway .* glob fix from Valdis Kletnieks. + * Merged diff from Dan Walsh. + * Merged fine-grained netlink classes and permissions. + * Merged changes for new /etc/selinux layout. + * Changed mkaccess_vector.sh to provide stable order. + * Merged diff from Dan Walsh. + * Fix restorecon path in restorecon.fc. + * Merged pax class and access vector definition from Joshua Brindle. + +1.12 2004-05-12 + * Added targeted policy. + * Merged atd/at into crond/crontab domains. + * Exclude bind mounts from relabeling to avoid aliasing. + * Removed some obsolete types and remapped their initial SIDs to unlabeled. + * Added SE-X related security classes and policy framework. + * Added devnull initial SID and context. + * Merged diffs from Fedora policy. + +1.10 2004-04-07 + * Merged ipv6 support from James Morris of RedHat. + * Merged policy diffs from Dan Walsh. + * Updated call to genhomedircon to reflect new usage. + * Merged policy diffs from Dan Walsh and Russell Coker. + * Removed config-users and config-services per Dan's request. + +1.8 2004-03-09 + * Merged genhomedircon patch from Karl MacMillan of Tresys. + * Added restorecon domain. + * Added unconfined_domain macro. + * Added default_t for /.* file_contexts entry and replaced some + uses of file_t with default_t in the policy. 
+ * Added su_restricted_domain() macro and use it for initrc_t. + * Merged policy diffs from Dan Walsh and Russell Coker. + These included a merge of an earlier patch by Chris PeBenito + to rename the etc types to be consistent with other types. + +1.6 2004-02-18 + * Merged xfs support from Chris PeBenito. + * Merged conditional rules for ping.te. + * Defined setbool permission, added can_setbool macro. + * Partial network policy cleanup. + * Merged with Russell Coker's policy. + * Renamed netscape macro and domain to mozilla and renamed + ipchains domain to iptables for consistency with Russell. + * Merged rhgb macro and domain from Russell Coker. + * Merged tunable.te from Russell Coker. + Only define direct_sysadm_daemon by default in our copy. + * Added rootok permission to passwd class. + * Merged Makefile change from Dan Walsh to generate /home + file_contexts entries for staff users. + * Added automatic role and domain transitions for init scripts and + daemons. Added an optional third argument (nosysadm) to + daemon_domain to omit the direct transition from sysadm_r when + the same executable is also used as an application, in which + case the daemon must be restarted via the init script to obtain + the proper security context. Added system_r to the authorized roles + for admin users at least until support for automatic user identity + transitions exist so that a transition to system_u can be provided + transparently. + * Added support to su domain for using pam_selinux. + Added entries to default_contexts for the su domains to + provide reasonable defaults. Removed user_su_t. + * Tighten restriction on user identity and role transitions in constraints. + * Merged macro for newrole-like domains from Russell Coker. + * Merged stub dbusd domain from Russell Coker. + * Merged stub prelink domain from Dan Walsh. + * Merged updated userhelper and config tool domains from Dan Walsh. + * Added send_msg/recv_msg permissions to can_network macro. 
+ * Merged patch by Chris PeBenito for sshd subsystems. + * Merged patch by Chris PeBenito for passing class to var_run_domain. + * Merged patch by Yuichi Nakamura for append_log_domain macros. + * Merged patch by Chris PeBenito for rpc_pipefs labeling. + * Merged patch by Colin Walters to apply m4 once so that + source file info is preserved for checkpolicy. + +1.4 2003-12-01 + * Merged patches from Russell Coker. + * Revised networking permissions. + * Added new node_bind permission. + * Added new siginh, rlimitinh, and setrlimit permissions. + * Added proc_t:file read permission for new is_selinux_enabled logic. + * Added failsafe_context configuration file to appconfig. + * Moved newrules.pl to policycoreutils, renamed to audit2allow. + * Merged newrules.pl patch from Yuichi Nakamura. + +1.2 2003-09-30 + * More policy merging with Russell Coker. + * Transferred newrules.pl script from the old SELinux. + * Merged MLS configuration patch from Karl MacMillan of Tresys. + * Limit staff_t to reading /proc entries for unpriv_userdomain. + * Updated Makefile and spec file to allow non-root builds, + based on patch by Paul Nasrat. + +1.1 2003-08-13 + * Merged Makefile check-all and te-includes patches from Colin Walters. + * Merged x-debian-packages.patch from Colin Walters. + * Folded read permission into domain_trans. + +1.0 2003-07-11 + * Initial public release. + diff --git a/strict/Makefile b/strict/Makefile new file mode 100644 index 0000000..5a70bc7 --- /dev/null +++ b/strict/Makefile 
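Review bot: typo in the 1.23.2 entry, "so root's home will be labled as sysadm_home_dir_t": "labled" should be "labeled". Since that bullet documents a behaviour change (moving sysadm_r to the front of root's role list changes the label genhomedircon assigns to root's home directory), it is worth spelling out that existing installs need a relabel of /root after upgrading, otherwise the directory keeps staff_home_dir_t.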
@@ -0,0 +1,331 @@ +# +# Makefile for the security policy. +# +# Targets: +# +# install - compile and install the policy configuration, and context files. +# load - compile, install, and load the policy configuration. +# reload - compile, install, and load/reload the policy configuration. +# relabel - relabel filesystems based on the file contexts configuration. +# policy - compile the policy configuration locally for testing/development. +# +# The default target is 'install'. +# + +# Set to y if MLS is enabled in the policy. +MLS=n + +FLASKDIR = flask/ +PREFIX = /usr +BINDIR = $(PREFIX)/bin +SBINDIR = $(PREFIX)/sbin +LOADPOLICY = $(SBINDIR)/load_policy +CHECKPOLICY = $(BINDIR)/checkpolicy +GENHOMEDIRCON = $(SBINDIR)/genhomedircon +SETFILES = $(SBINDIR)/setfiles +VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') +KERNVERS := $(shell cat /selinux/policyvers) +POLICYVER := policy.$(VERS) +TOPDIR = $(DESTDIR)/etc/selinux +ifeq ($(MLS),y) +TYPE=mls +else +TYPE=strict +endif +INSTALLDIR = $(TOPDIR)/$(TYPE) +POLICYPATH = $(INSTALLDIR)/policy +SRCPATH = $(INSTALLDIR)/src +USERPATH = $(INSTALLDIR)/users +CONTEXTPATH = $(INSTALLDIR)/contexts +LOADPATH = $(POLICYPATH)/$(POLICYVER) +FCPATH = $(CONTEXTPATH)/files/file_contexts +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template + +ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te) +ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te) +ALL_TYPES := $(wildcard types/*.te) +ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) +ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te +TE_RBAC_FILES := $(ALLTEFILES) rbac +ALL_TUNABLES := $(wildcard tunables/*.tun ) +USER_FILES := users +POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) +ifeq ($(MLS),y) +POLICYFILES += mls +CHECKPOLMLS += -M +endif +DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts +POLICYFILES += 
$(ALL_TUNABLES) $(TE_RBAC_FILES) +POLICYFILES += $(USER_FILES) +POLICYFILES += constraints +POLICYFILES += $(DEFCONTEXTFILES) +CONTEXTFILES = $(DEFCONTEXTFILES) +POLICY_DIRS = domains/program domains/misc + +UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) + +FC = file_contexts/file_contexts +HOMEDIR_TEMPLATE = file_contexts/homedir_template +FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) +CONTEXTFILES += $(FCFILES) + +APPDIR=$(CONTEXTPATH) +APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media +CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media + +ROOTFILES = $(addprefix $(APPDIR)/users/,root) + +all: policy + +tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) + @echo "Validating file_contexts ..." + $(SETFILES) -q -c $(LOADPATH) $(FCPATH) + @touch tmp/valid_fc + +install: tmp/valid_fc $(USERPATH)/local.users + +$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf + @mkdir -p $(USERPATH) + @echo "# " > tmp/system.users + @echo "# Do not edit this file. " >> tmp/system.users + @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users + @echo "# Please edit local.users to make local changes." 
>> tmp/system.users + @echo "#" >> tmp/system.users + m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users + install -m 644 tmp/system.users $@ + +$(USERPATH)/local.users: local.users + @mkdir -p $(USERPATH) + install -C -b -m 644 $< $@ + +$(CONTEXTPATH)/files/media: appconfig/media + mkdir -p $(CONTEXTPATH)/files/ + install -m 644 $< $@ + +$(APPDIR)/default_contexts: appconfig/default_contexts + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/removable_context: appconfig/removable_context + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/customizable_types: policy.conf + mkdir -p $(APPDIR) + @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types + install -m 644 tmp/customizable_types $@ + +$(APPDIR)/default_type: appconfig/default_type + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/userhelper_context: appconfig/userhelper_context + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/initrc_context: appconfig/initrc_context + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/failsafe_context: appconfig/failsafe_context + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/dbus_contexts: appconfig/dbus_contexts + mkdir -p $(APPDIR) + install -m 644 $< $@ + +$(APPDIR)/users/root: appconfig/root_default_contexts + mkdir -p $(APPDIR)/users + install -m 644 $< $@ + +$(LOADPATH): policy.conf $(CHECKPOLICY) + mkdir -p $(POLICYPATH) + $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf +ifneq ($(MLS),y) +ifneq ($(VERS),18) + $(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf +endif +endif +# Note: Can't use install, so not sure how to deal with mode, user, and group +# other than by default. + +policy: $(POLICYVER) + +$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) + $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf +ifneq ($(MLS),y) +ifneq ($(VERS),18) + $(CHECKPOLICY) -c 18 -o policy.18 policy.conf +endif +endif + @echo "Validating file_contexts ..." 
+ $(SETFILES) -q -c $(POLICYVER) $(FC) + +reload tmp/load: $(FCPATH) $(LOADPATH) +ifeq ($(VERS), $(KERNVERS)) + $(LOADPOLICY) $(LOADPATH) +else + $(LOADPOLICY) $(POLICYPATH)/policy.18 +endif + touch tmp/load + +load: tmp/load + +enableaudit: policy.conf + grep -v dontaudit policy.conf > policy.audit + mv policy.audit policy.conf + +policy.conf: $(POLICYFILES) $(POLICY_DIRS) + mkdir -p tmp + m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp + mv $@.tmp $@ + +install-src: + rm -rf $(SRCPATH)/policy.old + -mv $(SRCPATH)/policy $(SRCPATH)/policy.old + mkdir -p $(SRCPATH)/policy + cp -R . $(SRCPATH)/policy + +tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program + mkdir -p tmp + ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp + ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp + mv $@.tmp $@ + +FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` + +checklabels: $(SETFILES) + $(SETFILES) -v -n $(FC) $(FILESYSTEMS) + +restorelabels: $(SETFILES) + $(SETFILES) -v $(FC) $(FILESYSTEMS) + +relabel: $(FC) $(SETFILES) + $(SETFILES) $(FC) $(FILESYSTEMS) + +file_contexts/misc: + mkdir -p file_contexts/misc + + +$(FCPATH): $(FC) $(USERPATH)/system.users + @mkdir -p $(CONTEXTPATH)/files + install -m 644 $(FC) $(FCPATH) + install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) + @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) + +$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd + @echo "Building file_contexts ..." + @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp + @grep -v -e HOME -e ROLE $@.tmp > $@ + @grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE) + @-rm $@.tmp + +# Create a tags-file for the policy: +# we need exuberant ctags; unfortunately it is named differently on different distros, sigh... 
+pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs +CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme +ifeq ($(strip $(CTAGS)),) +CTAGS := $(call pathsearch,ctags) # suse naming scheme +endif + +tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te) + @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) + @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \ + --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \ + --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ + --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \ + --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ + --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ + +clean: + rm -f policy.conf $(POLICYVER) policy.18 + rm -f tags + rm -f tmp/* + rm -f $(FC) + rm -f flask/*.h +# for the policy regression tester + find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \ + +# Policy regression tester. +# Written by Colin Walters +cur_te = $(filter-out %/,$(subst /,/ ,$@)) + +TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES)) + +define compute_depends + export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //') +endef + + +ifeq ($(TE_DEPENDS_DEFINED),) +ifeq ($(MAKECMDGOALS),check-all) + GENRULES := $(TESTED_TE_FILES) + export TE_DEPENDS_DEFINED := yes +else + # Handle the case where checkunused/blah.te is run directly. + ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),) + GENRULES := $(TESTED_TE_FILES) + export TE_DEPENDS_DEFINED := yes + endif +endif +endif + +# Test for a new enough version of GNU Make. +$(eval have_eval := yes) +ifneq ($(GENRULES),) + ifeq ($(have_eval),) +$(error Need GNU Make 3.80 or better!) 
+Need GNU Make 3.80 or better + endif +endif +$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f)))) + +PHONIES := + +define compute_presymlinks +PHONIES += presymlink/$(1) +presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1))) + @if ! test -L domains/program/$(1); then \ + cd domains/program && ln -s unused/$(1) .; \ + fi +endef + +# Compute dependencies. +$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f)))) + +PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) +$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : + @$(MAKE) -s clean + +$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/% + @if test -n "$(TE_DEPENDS_$(cur_te))"; then \ + echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \ + fi + @echo "Testing $(cur_te)..."; + @if ! make -s policy 1>/dev/null; then \ + echo "Testing $(cur_te)...FAILED"; \ + exit 1; \ + fi; + @echo "Testing $(cur_te)...success."; \ + +check-all: + @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \ + $(MAKE) --no-print-directory $$goal; \ + done + +.PHONY: clean $(PHONIES) + +mlsconvert: + @for file in $(CONTEXTFILES); do \ + echo "Converting $$file"; \ + sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @for file in $(USER_FILES); do \ + echo "Converting $$file"; \ + sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts + @echo "Done" diff --git a/strict/README b/strict/README new file mode 100644 index 0000000..6818b66 --- /dev/null +++ b/strict/README 
@@ -0,0 +1,125 @@ +The Makefile targets are: +policy - compile the policy configuration. +install - compile and install the policy configuration. +load - compile, install, and load the policy configuration. +relabel - relabel the filesystem. +check-all - check individual additional policy files in domains/program/unused. +checkunused/FILE.te - check individual file FILE from domains/program/unused. + +If you have configured MLS into your module, then set MLS=y in the +Makefile prior to building the policy. Of course, you must have also +built checkpolicy with MLS enabled. + +Three of the configuration files are independent of the particular +security policy: +1) flask/security_classes - + This file has a simple declaration for each security class. + The corresponding symbol definitions are in the automatically + generated header file . + +2) flask/initial_sids - + This file has a simple declaration for each initial SID. + The corresponding symbol definitions are in the automatically + generated header file . + +3) access_vectors - + This file defines the access vectors. Common prefixes for + access vectors may be defined at the beginning of the file. + After the common prefixes are defined, an access vector + may be defined for each security class. + The corresponding symbol definitions are in the automatically + generated header file . + +In addition to being read by the security server, these configuration +files are used during the kernel build to automatically generate +symbol definitions used by the kernel for security classes, initial +SIDs and permissions. Since the symbol definitions generated from +these files are used during the kernel build, the values of existing +security classes and permissions may not be modified by load_policy. +However, new classes may be appended to the list of classes and new +permissions may be appended to the list of permissions associated with +each access vector definition. 
+ +The policy-dependent configuration files are: +1) tmp/all.te - + This file defines the Type Enforcement (TE) configuration. + This file is automatically generated from a collection of files. + + The macros subdirectory contains a collection of m4 macro definitions + used by the TE configuration. The global_macros.te file contains global + macros used throughout the configuration for common groupings of classes + and permissions and for common sets of rules. The user_macros.te file + contains macros used in defining user domains. The admin_macros.te file + contains macros used in defining admin domains. The macros/program + subdirectory contains macros that are used to instantiate derived domains + for certain programs that encode information about both the calling user + domain and the program, permitting the policy to maintain separation + between different instances of the program. + + The types subdirectory contains several files with declarations for + general types (types not associated with a particular domain) and + some rules defining relationships among those types. Related types + are grouped together into each file in this directory, e.g. all + device type declarations are in the device.te file. + + The domains subdirectory contains several files and directories + with declarations and rules for each domain. User domains are defined in + user.te. Administrator domains are defined in admin.te. Domains for + specific programs, including both system daemons and other programs, are + in the .te files within the domains/program subdirectory. The domains/misc + subdirectory is for miscellaneous domains such as the kernel domain and + the kernel module loader domain. + + The assert.te file contains assertions that are checked after evaluating + the entire TE configuration. + +2) rbac - + This file defines the Role-Based Access Control (RBAC) configuration. + +3) mls - + This file defines the Multi-Level Security (MLS) configuration. 
+ +4) users - + This file defines the users recognized by the security policy. + +5) constraints - + This file defines additional constraints on permissions + in the form of boolean expressions that must be satisfied in order + for specified permissions to be granted. These constraints + are used to further refine the type enforcement tables and + the role allow rules. Typically, these constraints are used + to restrict changes in user identity or role to certain domains. + +6) initial_sid_contexts - + This file defines the security context for each initial SID. + A security context consists of a user identity, a role, a type and + optionally a MLS range if the MLS policy is enabled. If left unspecified, + the high MLS level defaults to the low MLS level. The syntax of a valid + security context is: + + user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]] + +7) fs_use - + This file defines the labeling behavior for inodes in particular + filesystem types. + +8) genfs_contexts - + This file defines security contexts for files in filesystems that + cannot support persistent label mappings or use one of the fixed + labeling schemes specified in fs_use. + +8) net_contexts - + This file defines the security contexts of network objects + such as ports, interfaces, and nodes. + +9) file_contexts/{types.fc,program/*.fc} + These files define the security contexts for persistent files. + +It is possible to test the security server functions on a given policy +configuration by running the checkpolicy program with the -d option. +This program is built from the same sources as the security server +component of the kernel, so it may be used both to verify that a +policy configuration will load successfully and to determine how the +security server would respond if it were using that policy +configuration. A menu-based interface is provided for calling any of +the security server functions after the policy is loaded. 
diff --git a/strict/VERSION b/strict/VERSION new file mode 100644 index 0000000..aa3e574 --- /dev/null +++ b/strict/VERSION @@ -0,0 +1 @@ +1.23.2-1 diff --git a/strict/appconfig/dbus_contexts b/strict/appconfig/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/strict/appconfig/dbus_contexts @@ -0,0 +1,6 @@ + + + + + diff --git a/strict/appconfig/default_contexts b/strict/appconfig/default_contexts new file mode 100644 index 0000000..e778f50 --- /dev/null +++ b/strict/appconfig/default_contexts @@ -0,0 +1,12 @@ +system_r:sulogin_t sysadm_r:sysadm_t +system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t +system_r:remote_login_t user_r:user_t staff_r:staff_t +system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t +system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t +staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t +sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t +user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t +sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t +staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t +user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type new file mode 100644 index 0000000..5212ca4 --- /dev/null +++ b/strict/appconfig/default_type @@ -0,0 +1,3 @@ +sysadm_r:sysadm_t +staff_r:staff_t +user_r:user_t diff --git a/strict/appconfig/failsafe_context b/strict/appconfig/failsafe_context new file mode 100644 index 0000000..2f96c9f --- /dev/null +++ b/strict/appconfig/failsafe_context @@ -0,0 +1 @@ +sysadm_r:sysadm_t diff --git a/strict/appconfig/initrc_context b/strict/appconfig/initrc_context new file mode 100644 index 0000000..7fcf70b --- /dev/null +++ b/strict/appconfig/initrc_context @@ -0,0 +1 @@ +system_u:system_r:initrc_t 
diff --git a/strict/appconfig/media b/strict/appconfig/media new file mode 100644 index 0000000..de2a652 --- /dev/null +++ b/strict/appconfig/media @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t +floppy system_u:object_r:removable_device_t +disk system_u:object_r:fixed_disk_device_t diff --git a/strict/appconfig/removable_context b/strict/appconfig/removable_context new file mode 100644 index 0000000..d4921f0 --- /dev/null +++ b/strict/appconfig/removable_context @@ -0,0 +1 @@ +system_u:object_r:removable_t diff --git a/strict/appconfig/root_default_contexts b/strict/appconfig/root_default_contexts new file mode 100644 index 0000000..acdcc08 --- /dev/null +++ b/strict/appconfig/root_default_contexts @@ -0,0 +1,9 @@ +system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t +staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +# +# Uncomment if you want to automatically login as sysadm_r +# +#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --git a/strict/appconfig/userhelper_context b/strict/appconfig/userhelper_context new file mode 100644 index 0000000..081e93b --- /dev/null +++ b/strict/appconfig/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t diff --git a/strict/assert.te b/strict/assert.te new file mode 100644 index 0000000..f8b76c8 --- /dev/null +++ b/strict/assert.te 
@@ -0,0 +1,162 @@ +############################## +# +# Assertions for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################## +# +# Access vector assertions. +# +# An access vector assertion specifies permissions that should not be in +# an access vector based on a source type, a target type, and a class. +# If any of the specified permissions are in the corresponding access +# vector, then the policy compiler will reject the policy configuration. +# Currently, there is only one kind of access vector assertion, neverallow, +# but support for the other kinds of vectors could be easily added. Access +# vector assertions use the same syntax as access vector rules. +# + +# +# Verify that every type that can be entered by +# a domain is also tagged as a domain. +# +neverallow domain ~domain:process { transition dyntransition }; + +# +# Verify that only the insmod_t and kernel_t domains +# have the sys_module capability. +# +neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module; + +# +# Verify that executable types, the system dynamic loaders, and the +# system shared libraries can only be modified by administrators. 
+# +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename }; +neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto; + +# +# Verify that only appropriate domains can access /etc/shadow +neverallow { domain -auth -auth_write } shadow_t:file ~getattr; +neverallow { domain -auth_write } shadow_t:file ~r_file_perms; + +# +# Verify that only appropriate domains can write to /etc (IE mess with +# /etc/passwd) +neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms; +neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms; +neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms }; + +# +# Verify that other system software can only be modified by administrators. +# +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename }; +neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename }; + +# +# Verify that only certain domains have access to the raw disk devices. +# +neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append }; + +# +# Verify that only the X server and klogd have access to memory devices. +# +neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append }; + +# +# Verify that only domains with the privlog attribute can actually syslog +# +neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append }; + +# +# Verify that /proc/kmsg is only accessible to klogd. 
+# +ifdef(`klogd.te', ` +neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms; +', ` +ifdef(`syslogd.te', ` +neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms; +')dnl end if syslogd +')dnl end if klogd + +# +# Verify that /proc/kcore is inaccessible. +# + +neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms; + +# +# Verify that sysctl variables are only changeable +# by initrc and administrators. +# +neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append }; +neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append }; +neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append }; +neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append }; +neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append }; +neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append }; +neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append }; +neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append }; + +# +# Verify that certain domains are limited to only being +# entered by their entrypoint types and to only executing +# the dynamic loader without a transition to another domain. 
+# + +define(`assert_execute', ` + ifelse($#, 0, , + $#, 1, + ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', + `assert_execute($1) assert_execute(shift($@))')') + +ifdef(`getty.te', `assert_execute(getty)') +ifdef(`klogd.te', `assert_execute(klogd)') +ifdef(`tcpd.te', `assert_execute(tcpd)') +ifdef(`portmap.te', `assert_execute(portmap)') +ifdef(`syslogd.te', `assert_execute(syslogd)') +ifdef(`rpcd.te', `assert_execute(rpcd)') +ifdef(`rlogind.te', `assert_execute(rlogind)') +ifdef(`ypbind.te', `assert_execute(ypbind)') +ifdef(`xfs.te', `assert_execute(xfs)') +ifdef(`gpm.te', `assert_execute(gpm)') +ifdef(`ifconfig.te', `assert_execute(ifconfig)') +ifdef(`iptables.te', `assert_execute(iptables)') + +ifdef(`login.te', ` +neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint; +neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans; +') + +# +# Verify that the passwd domain can only be entered by its +# entrypoint type and can only execute the dynamic loader +# and the ordinary passwd program without a transition to another domain. +# +ifdef(`passwd.te', ` +neverallow passwd_t ~passwd_exec_t:file entrypoint; +neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint; +neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans; +') + +# +# Verify that only the admin domains and initrc_t have setenforce. +# +neverallow { domain -admin -initrc_t } security_t:security setenforce; + +# +# Verify that only the kernel and load_policy_t have load_policy. 
+# + +neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy; + +# +# for gross mistakes in policy +neverallow * domain:dir ~r_dir_perms; +neverallow * domain:file_class_set ~rw_file_perms; +neverallow { domain unlabeled_t } file_type:process *; +neverallow ~{ domain unlabeled_t } *:process *; diff --git a/strict/attrib.te b/strict/attrib.te new file mode 100644 index 0000000..4533bf7 --- /dev/null +++ b/strict/attrib.te 
@@ -0,0 +1,426 @@ +# +# Declarations for type attributes. +# + +# A type attribute can be used to identify a set of types with a similar +# property. Each type can have any number of attributes, and each +# attribute can be associated with any number of types. Attributes are +# explicitly declared here, and can then be associated with particular +# types in type declarations. Attribute names can then be used throughout +# the configuration to express the set of types that are associated with +# the attribute. Except for the MLS attributes, attributes have no implicit +# meaning to SELinux. The meaning of all other attributes are completely +# defined through their usage within the configuration, but should be +# documented here as comments preceding the attribute declaration. + +##################### +# Attributes for MLS: +# + +attribute mlsfileread; +attribute mlsfilereadtoclr; +attribute mlsfilewrite; +attribute mlsfilewritetoclr; +attribute mlsfileupgrade; +attribute mlsfiledowngrade; + +attribute mlsnetread; +attribute mlsnetreadtoclr; +attribute mlsnetwrite; +attribute mlsnetwritetoclr; +attribute mlsnetupgrade; +attribute mlsnetdowngrade; +attribute mlsnetbindall; + +attribute mlsipcread; +attribute mlsipcreadtoclr; +attribute mlsipcwrite; +attribute mlsipcwritetoclr; + +attribute mlsprocread; +attribute mlsprocreadtoclr; +attribute mlsprocwrite; +attribute mlsprocwritetoclr; +attribute mlsprocsetsl; + +attribute mlsxwinread; +attribute mlsxwinreadtoclr; +attribute mlsxwinwrite; +attribute mlsxwinwritetoclr; +attribute mlsxwinupgrade; +attribute mlsxwindowngrade; + +attribute mlstrustedobject; + +attribute privrangetrans; +attribute mlsrangetrans; + +######################### +# Attributes for domains: +# + +# The domain attribute identifies every type that can be +# assigned to a process. This attribute is used in TE rules +# that should be applied to all domains, e.g. permitting +# init to kill all processes. 
+attribute domain; + +# The daemon attribute identifies domains for system processes created via +# the daemon_domain, daemon_base_domain, and init_service_domain macros. +attribute daemon; + +# The privuser attribute identifies every domain that can +# change its SELinux user identity. This attribute is used +# in the constraints configuration. NOTE: This attribute +# is not required for domains that merely change the Linux +# uid attributes, only for domains that must change the +# SELinux user identity. Also note that this attribute makes +# no sense without the privrole attribute. +attribute privuser; + +# The privrole attribute identifies every domain that can +# change its SELinux role. This attribute is used in the +# constraints configuration. +attribute privrole; + +# The userspace_objmgr attribute identifies every domain +# which enforces its own policy. +attribute userspace_objmgr; + +# The priv_system_role attribute identifies every domain that can +# change role from a user role to system_r role, and identity from a user +# identity to system_u. It is used in the constraints configuration. +attribute priv_system_role; + +# The privowner attribute identifies every domain that can +# assign a different SELinux user identity to a file, or that +# can create a file with an identity that's not the same as the +# process identity. This attribute is used in the constraints +# configuration. +attribute privowner; + +# The privlog attribute identifies every domain that can +# communicate with syslogd through its Unix domain socket. +# There is an assertion that other domains can not do it, +# and an allow rule to permit it +attribute privlog; + +# The privmodule attribute identifies every domain that can run +# modprobe, there is an assertion that other domains can not do it, +# and an allow rule to permit it +attribute privmodule; + +# The privmem attribute identifies every domain that can +# access kernel memory devices. 
+# This attribute is used in the TE assertions to verify +# that such access is limited to domains that are explicitly +# tagged with this attribute. +attribute privmem; + +# The privfd attribute identifies every domain that should have +# file handles inherited widely (IE sshd_t and getty_t). +attribute privfd; + +# The privhome attribute identifies every domain that can create files under +# regular user home directories in the regular context (IE act on behalf of +# a user in writing regular files) +attribute privhome; + +# The auth attribute identifies every domain that needs +# to read /etc/shadow, and grants the permission. +attribute auth; + +# The auth_write attribute identifies every domain that can have write or +# relabel access to /etc/shadow, but does not grant it. +attribute auth_write; + +# The auth_chkpwd attribute identifies every system domain that can +# authenticate users by running unix_chkpwd +attribute auth_chkpwd; + +# The change_context attribute identifies setfiles_t, restorecon_t, and other +# system domains that change the context of most/all files on the system +attribute change_context; + +# The etc_writer attribute identifies every domain that can write to etc_t +attribute etc_writer; + +# The sysctl_kernel_writer attribute identifies domains that can write to +# sysctl_kernel_t, in addition the admin attribute is permitted write access +attribute sysctl_kernel_writer; + +# the sysctl_net_writer attribute identifies domains that can write to +# sysctl_net_t files. +attribute sysctl_net_writer; + +# The sysctl_type attribute identifies every type that is assigned +# to a sysctl entry. This can be used in allow rules to grant +# permissions to all sysctl entries without enumerating each individual +# type, but should be used with care. +attribute sysctl_type; + +# The admin attribute identifies every administrator domain. +# It is used in TE assertions when verifying that only administrator +# domains have certain permissions. 
+# This attribute is presently associated with sysadm_t and +# certain administrator utility domains. +# XXX The use of this attribute should be reviewed for consistency. +# XXX Might want to partition into several finer-grained attributes +# XXX used in different assertions within assert.te. +attribute admin; + +# The userdomain attribute identifies every user domain, presently +# user_t and sysadm_t. It is used in TE rules that should be applied +# to all user domains. +attribute userdomain; + +# for a small domain that can only be used for newrole +attribute user_mini_domain; + +# pty for the mini domain +attribute mini_pty_type; + +# pty created by a server such as sshd +attribute server_pty; + +# attribute for all non-administrative devpts types +attribute userpty_type; + +# The user_tty_type identifies every type for a tty or pty owned by an +# unpriviledged user +attribute user_tty_type; + +# The user_crond_domain attribute identifies every user_crond domain, presently +# user_crond_t and sysadm_crond_t. It is used in TE rules that should be +# applied to all user domains. +attribute user_crond_domain; + +# The unpriv_userdomain identifies non-administrative users (default user_t) +attribute unpriv_userdomain; + +# This attribute is for the main user home directory for unpriv users +attribute user_home_dir_type; + +# The gphdomain attribute identifies every gnome-pty-helper derived +# domain. It is used in TE rules to permit inheritance and use of +# descriptors created by these domains. +attribute gphdomain; + +# The fs_domain identifies every domain that may directly access a fixed disk +attribute fs_domain; + +# This attribute is for all domains for the userhelper program. +attribute userhelperdomain; + +############################ +# Attributes for file types: +# + +# The file_type attribute identifies all types assigned to files +# in persistent filesystems. 
It is used in TE rules to permit +# the association of all such file types with persistent filesystem +# types, and to permit certain domains to access all such types as +# appropriate. +attribute file_type; + +# The secure_file_type attribute identifies files +# which will be treated with a higer level of security. +# Most domains will be prevented from manipulating files in this domain +attribute secure_file_type; + +# The device_type attribute identifies all types assigned to device nodes +attribute device_type; + +# The proc_fs attribute identifies all types that may be assigned to +# files under /proc. +attribute proc_fs; + +# The dev_fs attribute identifies all types that may be assigned to +# files, sockets, or pipes under /dev. +attribute dev_fs; + +# The sysadmfile attribute identifies all types assigned to files +# that should be completely accessible to administrators. It is used +# in TE rules to grant such access for administrator domains. +attribute sysadmfile; + +# The fs_type attribute identifies all types assigned to filesystems +# (not limited to persistent filesystems). +# It is used in TE rules to permit certain domains to mount +# any filesystem and to permit most domains to obtain the +# overall filesystem statistics. +attribute fs_type; + +# The exec_type attribute identifies all types assigned +# to entrypoint executables for domains. This attribute is +# used in TE rules and assertions that should be applied to all +# such executables. +attribute exec_type; + +# The tmpfile attribute identifies all types assigned to temporary +# files. This attribute is used in TE rules to grant certain +# domains the ability to remove all such files (e.g. init, crond). +attribute tmpfile; + +# The user_tmpfile attribute identifies all types associated with temporary +# files for unpriv_userdomain domains. 
+attribute user_tmpfile; + +# for the user_xserver_tmp_t etc +attribute xserver_tmpfile; + +# The tmpfsfile attribute identifies all types defined for tmpfs +# type transitions. +# It is used in TE rules to grant certain domains the ability to +# access all such files. +attribute tmpfsfile; + +# The home_type attribute identifies all types assigned to home +# directories. This attribute is used in TE rules to grant certain +# domains the ability to access all home directory types. +attribute home_type; + +# This attribute is for the main user home directory /home/user, to +# distinguish it from sub-dirs. Often you want a process to be able to +# read the user home directory but not read the regular directories under it. +attribute home_dir_type; + +# The ttyfile attribute identifies all types assigned to ttys. +# It is used in TE rules to grant certain domains the ability to +# access all ttys. +attribute ttyfile; + +# The ptyfile attribute identifies all types assigned to ptys. +# It is used in TE rules to grant certain domains the ability to +# access all ptys. +attribute ptyfile; + +# The pidfile attribute identifies all types assigned to pid files. +# It is used in TE rules to grant certain domains the ability to +# access all such files. +attribute pidfile; + + +############################ +# Attributes for network types: +# + +# The socket_type attribute identifies all types assigned to +# kernel-created sockets. Ordinary sockets are assigned the +# domain of the creating process. +# XXX This attribute is unused. Remove? +attribute socket_type; + +# Identifies all types assigned to port numbers to control binding. +attribute port_type; + +# Identifies all types assigned to reserved port (<1024) numbers to control binding. +attribute reserved_port_type; + +# Identifies all types assigned to network interfaces to control +# operations on the interface (XXX obsolete, not supported via LSM) +# and to control traffic sent or received on the interface. 
+attribute netif_type; + +# Identifies all default types assigned to packets received +# on network interfaces. +attribute netmsg_type; + +# Identifies all types assigned to network nodes/hosts to control +# traffic sent to or received from the node. +attribute node_type; + +# Identifier for log files or directories that only exist for log files. +attribute logfile; + +# Identifier for lock files (/var/lock/*) or directories that only exist for +# lock files. +attribute lockfile; + + + +############################## +# Attributes for security policy types: +# + +# The login_contexts attribute idenitifies the files used +# to define default contexts for login types (e.g., login, cron). +attribute login_contexts; + +# Identifier for a domain used by "sendmail -t" (IE user_mail_t, +# sysadm_mail_t, etc) +attribute user_mail_domain; + +# Identifies domains that can transition to system_mail_t +attribute privmail; + +# Type for non-sysadm home directory +attribute user_home_type; + +# For domains that are part of a mail server and need to read user files and +# fifos, and inherit file handles to enable user email to get to the mail +# spool +attribute mta_user_agent; + +# For domains that are part of a mail server for delivering messages to the +# user +attribute mta_delivery_agent; + +# For domains that make outbound TCP port 25 connections to send mail from the +# mail server. 
+attribute mail_server_sender; + +# For a mail server process that takes TCP connections on port 25 +attribute mail_server_domain; + +# For web clients such as netscape and squid +attribute web_client_domain; + +# For X Window System server domains +attribute xserver; + +# For X Window System client domains +attribute xclient; + +# For X Window System protocol extensions +attribute xextension; + +# For X Window System property types +attribute xproperty; + +# +# For file systems that do not have extended attributes but need to be +# r/w by users +# +attribute noexattrfile; + +# +# For filetypes that the usercan read +# +attribute usercanread; + +# +# For serial devices +# +attribute serial_device; + +# Attribute to designate unrestricted access +attribute unrestricted; + +# For clients of nscd. +attribute nscd_client_domain; + +# For clients of nscd that can use shmem interface. +attribute nscd_shmem_domain; + +# For labeling of content for httpd +attribute httpdcontent; + +# For labeling of domains whos transition can be disabled +attribute transitionbool; + +# For labeling of file_context domains which users can change files to rather +# then the default file context. These file_context can survive a relabeling +# of the file system. +attribute customizable; + diff --git a/strict/constraints b/strict/constraints new file mode 100644 index 0000000..17fccc0 --- /dev/null +++ b/strict/constraints 
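Review bot: two attributes in this hunk carry unresolved XXX markers, "attribute socket_type;" ("XXX This attribute is unused. Remove?") and "attribute netif_type;" ("XXX obsolete, not supported via LSM"); settle before merge whether socket_type is dropped or kept with a stated consumer, and reword the netif_type comment to say which of its two listed purposes (operations on the interface, traffic sent or received) is still enforced. Minor comment spelling: "idenitifies", "usercan", "whos", "rather then".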
@@ -0,0 +1,79 @@ +# +# Define m4 macros for the constraints +# + +# +# Define the constraints +# +# constrain class_set perm_set expression ; +# +# validatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for validatetrans) +# | r3 op names (NOTE: this is only available for validatetrans) +# | t3 op names (NOTE: this is only available for validatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name# +# + +# +# Restrict the ability to transition to other users +# or roles to a few privileged types. +# + +constrain process transition + ( u1 == u2 or ( t1 == privuser and t2 == userdomain ) +ifdef(`crond.te', ` + or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u)) +') +ifdef(`userhelper.te', + `or (t1 == userhelperdomain)') + or (t1 == priv_system_role and u2 == system_u ) + ); + +constrain process transition + ( r1 == r2 or ( t1 == privrole and t2 == userdomain ) +ifdef(`crond.te', ` + or (t1 == crond_t and t2 == user_crond_domain) +') +ifdef(`userhelper.te', + `or (t1 == userhelperdomain)') + or (t1 == priv_system_role and r2 == system_r ) + ); + +constrain process dyntransition + ( u1 == u2 and r1 == r2); + +# +# Restrict the ability to label objects with other +# user identities to a few privileged types. +# + +constrain dir_file_class_set { create relabelto relabelfrom } + ( u1 == u2 or t1 == privowner ); + +constrain socket_class_set { create relabelto relabelfrom } + ( u1 == u2 or t1 == privowner ); 
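Review bot: in both "constrain process transition" expressions the userhelper clause, "ifdef(`userhelper.te', `or (t1 == userhelperdomain)')", exempts the whole userhelperdomain attribute with no condition on u2, r2 or t2, unlike the neighbouring privuser/privrole clauses (which require "t2 == userdomain") and the crond clause ("t2 == user_crond_domain or u2 == system_u"); if userhelper only needs to reach user domains, add the same t2 restriction, otherwise document why an unrestricted identity and role change is intended for that attribute. Also the grammar comment has a stray "#" at the end of "name_list : name | name_list name#", and the MLS operators (dom, domby, incomp) are documented but no MLS constraint is defined here, which is fine if intentional but worth a one-line note.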
diff --git a/strict/domains/admin.te b/strict/domains/admin.te new file mode 100644 index 0000000..b88654f --- /dev/null +++ b/strict/domains/admin.te @@ -0,0 +1,35 @@ +#DESC Admin - Domains for administrators. +# +################################# + +# sysadm_t is the system administrator domain. +type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain +ifdef(`direct_sysadm_daemon', `, priv_system_role') +; dnl end of sysadm_t type declaration + +allow privhome home_root_t:dir { getattr search }; + +# system_r is authorized for sysadm_t for single-user mode. +role system_r types sysadm_t; + +general_proc_read_access(sysadm_t) + +# sysadm_t is also granted permissions specific to administrator domains. +admin_domain(sysadm) + +# Allow administrator domains to set the enforcing flag. +can_setenforce(sysadm_t) + +# Allow administrator domains to set policy booleans. +can_setbool(sysadm_t) + +# Allow administrator domains to set security parameters +can_setsecparam(sysadm_t) + +# for su +allow sysadm_t userdomain:fd use; + +define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }') + +# Add/remove user home directories +file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) diff --git a/strict/domains/misc/auth-net.te b/strict/domains/misc/auth-net.te new file mode 100644 index 0000000..e954a9b --- /dev/null +++ b/strict/domains/misc/auth-net.te @@ -0,0 +1,3 @@ +#DESC Policy for using network servers for authenticating users (IE PAM-LDAP) + +can_network(auth) diff --git a/strict/domains/misc/fcron.te b/strict/domains/misc/fcron.te new file mode 100644 index 0000000..57209be --- /dev/null +++ b/strict/domains/misc/fcron.te 
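Review bot: admin.te defines an m4 macro in the middle of a domain file, "define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')", and apache.te in this same patch references admin_tty_type; because m4 expands in concatenation order, that only works while admin.te is processed before every file that uses the macro. Move the define into a shared macro file, or next to the declarations of the tty types, so the dependency is explicit rather than an accident of file ordering. The rule "allow privhome home_root_t:dir { getattr search };" also concerns the privhome attribute rather than sysadm_t and would be easier to find beside the other privhome rules.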
@@ -0,0 +1,30 @@ +#DESC fcron - additions to cron policy for a more powerful cron program +# +# Domain for fcron, a more powerful cron program. +# +# Needs cron.te installed. +# +# Author: Russell Coker + +# Use capabilities. +allow crond_t self:capability { dac_override dac_read_search }; + +# differences between r_dir_perms and rw_dir_perms +allow crond_t cron_spool_t:dir { add_name remove_name write }; + +ifdef(`mta.te', ` +# not sure why we need write access, but Postfix does not work without it +# I will have to change fcron to avoid the need for this +allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr }; +') + +ifdef(`distro_debian', ` +can_exec(dpkg_t, crontab_exec_t) +file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file) +') + +rw_dir_create_file(crond_t, cron_spool_t) +can_setfscreate(crond_t) + +# for /var/run/fcron.fifo +file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file) diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te new file mode 100644 index 0000000..4b2cbbb --- /dev/null +++ b/strict/domains/misc/kernel.te 
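Review bot: the rule "allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };" is granted on the stated admission that the reason is unknown ("not sure why we need write access"); write on cron spool files from the mail domains lets a misbehaving or compromised mail agent alter scheduled jobs, so until the cause is found it is safer to pin down the actual access with auditallow (or a dontaudit if it is only a probe) than to keep the blanket grant, and to reference the fcron change the comment promises. The first rule's comment "Use capabilities." also says nothing about why crond_t needs dac_override and dac_read_search beyond what cron.te already gives it.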
@@ -0,0 +1,66 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################# +# +# Rules for the kernel_t domain. +# + +# +# kernel_t is the domain of kernel threads. +# It is also the target type when checking permissions in the system class. +# +type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ; +role system_r types kernel_t; +general_domain_access(kernel_t) +general_proc_read_access(kernel_t) +base_file_read_access(kernel_t) +uses_shlib(kernel_t) +can_exec(kernel_t, shell_exec_t) + +# Use capabilities. +allow kernel_t self:capability *; + +allow kernel_t sysfs_t:dir search; +allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search; + +# Run init in the init_t domain. +domain_auto_trans(kernel_t, init_exec_t, init_t) + +# Share state with the init process. +allow kernel_t init_t:process share; + +# Mount and unmount file systems. +allow kernel_t fs_type:filesystem mount_fs_perms; + +# Send signal to any process. +allow kernel_t domain:process signal; + +# Access the console. +allow kernel_t device_t:dir search; +allow kernel_t console_device_t:chr_file rw_file_perms; + +# Access the initrd filesystem. +allow kernel_t file_t:chr_file rw_file_perms; +can_exec(kernel_t, file_t) +ifdef(`chroot.te', ` +can_exec(kernel_t, chroot_exec_t) +') +allow kernel_t self:capability sys_chroot; + +allow kernel_t { unlabeled_t root_t file_t }:dir mounton; +allow kernel_t file_t:dir rw_dir_perms; +allow kernel_t file_t:blk_file create_file_perms; +allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms }; + +# Lookup the policy. +allow kernel_t policy_config_t:dir r_dir_perms; + +# Load the policy configuration. +can_loadpol(kernel_t) + +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +can_exec(kernel_t, bin_t) + + 
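Review bot: "allow kernel_t sysfs_t:dir search;" is made redundant by the very next line, "allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;", and "allow kernel_t self:capability sys_chroot;" is already covered by "allow kernel_t self:capability *;" a few lines above; drop the duplicates so each grant is stated once. The initrd rules, "allow kernel_t file_t:blk_file create_file_perms;" and "can_exec(kernel_t, file_t)", give create and execute on unlabeled filesystem content with only "Access the initrd filesystem." as explanation; a note that these are exercised only during early boot before the policy is loaded would help later readers judge whether they can be tightened.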
diff --git a/strict/domains/misc/screensaver.te b/strict/domains/misc/screensaver.te new file mode 100644 index 0000000..d420266 --- /dev/null +++ b/strict/domains/misc/screensaver.te @@ -0,0 +1,18 @@ +# +# Alias file to stop blow up during policy upgrade, since +# screensaver policy is being removed. +# +typealias bin_t alias screensaver_exec_t; +typealias sysadm_home_t alias sysadm_screensaver_t; +typealias sysadm_home_t alias sysadm_screensaver_rw_t; +typealias sysadm_home_t alias sysadm_screensaver_ro_t; +typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t; +typealias user_home_t alias user_screensaver_t; +typealias user_home_t alias user_screensaver_rw_t; +typealias user_home_t alias user_screensaver_ro_t; +typealias user_home_t alias user_screensaver_tmpfs_t; +typealias staff_home_t alias staff_screensaver_t; +typealias staff_home_t alias staff_screensaver_rw_t; +typealias staff_home_t alias staff_screensaver_ro_t; +typealias staff_home_t alias staff_screensaver_tmpfs_t; + diff --git a/strict/domains/misc/startx.te b/strict/domains/misc/startx.te new file mode 100644 index 0000000..16c4910 --- /dev/null +++ b/strict/domains/misc/startx.te @@ -0,0 +1,7 @@ +#DESC startx - policy for running an X server from a user domain +# +# Author: Russell Coker +# + +# Everything is in the macro files + diff --git a/strict/domains/misc/userspace_objmgr.te b/strict/domains/misc/userspace_objmgr.te new file mode 100644 index 0000000..ae3b205 --- /dev/null +++ b/strict/domains/misc/userspace_objmgr.te @@ -0,0 +1,13 @@ +#DESC Userspace Object Managers +# +################################# + +# Get our own security context. +can_getcon(userspace_objmgr) +# Get security decisions via selinuxfs. +can_getsecurity(userspace_objmgr) +# Read /etc/selinux +r_dir_file(userspace_objmgr, { selinux_config_t default_context_t }) +# Receive notifications of policy reloads and enforcing status changes. +allow userspace_objmgr self:netlink_selinux_socket { create bind read }; + 
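Review bot: screensaver.te keeps thirteen typealias lines only so existing policies load during upgrade, but it maps the former rw/ro/tmpfs screensaver types onto home-directory types (for example "typealias user_home_t alias user_screensaver_tmpfs_t;"), so any object still carrying an old label is now treated as home-directory content by every rule on user_home_t, sysadm_home_t and staff_home_t; state in the header when the aliases can be dropped (after affected systems have been relabeled) so the transitional file does not become permanent.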
diff --git a/strict/domains/misc/xclient.te b/strict/domains/misc/xclient.te new file mode 100644 index 0000000..ae4552f --- /dev/null +++ b/strict/domains/misc/xclient.te @@ -0,0 +1,14 @@ +# +# Authors: Eamon Walsh +# + +####################################### +# +# Domains for the SELinux-enabled X Window System +# + +# +# Domain for all non-local X clients +# +type remote_xclient_t, domain; +in_user_role(remote_xclient_t) diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te new file mode 100644 index 0000000..3a2447b --- /dev/null +++ b/strict/domains/program/acct.te 
@@ -0,0 +1,68 @@ +#DESC Acct - BSD process accounting +# +# Author: Russell Coker +# X-Debian-Packages: acct +# + +################################# +# +# Rules for the acct_t domain. +# +# acct_exec_t is the type of the acct executable. +# +daemon_base_domain(acct) +ifdef(`crond.te', ` +system_crond_entry(acct_exec_t, acct_t) + +# for monthly cron job +file_type_auto_trans(acct_t, var_log_t, wtmp_t, file) +') + +# for SSP +allow acct_t urandom_device_t:chr_file read; + +type acct_data_t, file_type, sysadmfile; + +allow acct_t self:capability sys_pacct; + +# gzip needs chown capability for some reason +allow acct_t self:capability chown; + +allow acct_t var_t:dir { getattr search }; +rw_dir_create_file(acct_t, acct_data_t) + +can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t }) +allow acct_t { bin_t sbin_t }:dir search; +allow acct_t bin_t:lnk_file read; + +read_locale(acct_t) + +allow acct_t self:capability fsetid; +allow acct_t fs_t:filesystem getattr; + +allow acct_t self:unix_stream_socket create_socket_perms; + +allow acct_t self:fifo_file { read write getattr }; + +allow acct_t proc_t:file { read getattr }; + +read_sysctl(acct_t) + +dontaudit acct_t sysadm_home_dir_t:dir { getattr search }; + +# for nscd +dontaudit acct_t var_run_t:dir search; + +# not sure why we need this, the command "last" is reported as using it +dontaudit acct_t self:capability kill; + +allow acct_t devtty_t:chr_file { read write }; + +allow acct_t { etc_t etc_runtime_t }:file { read getattr }; + +ifdef(`logrotate.te', ` +domain_auto_trans(logrotate_t, acct_exec_t, acct_t) +rw_dir_create_file(logrotate_t, acct_data_t) +can_exec(logrotate_t, acct_data_t) +') + diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te new file mode 100644 index 0000000..d95725e --- /dev/null +++ b/strict/domains/program/amanda.te 
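Review bot: two capability decisions in this hunk rest on guesses, "allow acct_t self:capability chown;" ("gzip needs chown capability for some reason") and "dontaudit acct_t self:capability kill;" ("not sure why we need this"); chown lets the accounting domain change ownership of any file it can write, so confirm the AVC that prompted it and either record the reason in the comment or turn the allow into a dontaudit if gzip merely probes for the capability. Also "can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })" runs init scripts inside acct_t without a domain transition; say why initrc_exec_t belongs in that list.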
@@ -0,0 +1,307 @@ +#DESC Amanda - Automated backup program +# +# This policy file sets the rigths for amanda client started by inetd_t +# and amrecover +# +# X-Debian-Packages: amanda-common amanda-server +# Depends: inetd.te +# Author : Carsten Grohmann +# +# License : GPL +# +# last change: 27. August 2002 +# +# state : complete and tested +# +# Hints : +# - amanda.fc is the appendant file context file +# - If you use amrecover please extract the files and directories to the +# directory speficified in amanda.fc as type amanda_recover_dir_t. +# - The type amanda_user_exec_t is defined to label the files but not used. +# This configuration works only as an client and a amanda client does not need +# this programs. +# +# Enhancements/Corrections: +# - set tighter permissions to /bin/tar instead bin_t + +############################################################################## +# AMANDA CLIENT DECLARATIONS +############################################################################## + +# General declarations +###################### + +type amanda_t, domain, privlog, auth, nscd_client_domain ; +role system_r types amanda_t; + +# type for the amanda executables +type amanda_exec_t, file_type, sysadmfile, exec_type; + +# type for the amanda executables started by inetd +type amanda_inetd_exec_t, file_type, sysadmfile, exec_type; + +# type for amanda configurations files +type amanda_config_t, file_type, sysadmfile; + +# type for files in /usr/lib/amanda +type amanda_usr_lib_t, file_type, sysadmfile; + +# type for all files in /var/lib/amanda +type amanda_var_lib_t, file_type, sysadmfile; + +# type for all files in /var/lib/amanda/gnutar-lists/ +type amanda_gnutarlists_t, file_type, sysadmfile; + +# type for user startable files +type amanda_user_exec_t, file_type, sysadmfile, exec_type; + +# type for same awk and other scripts +type amanda_script_exec_t, file_type, sysadmfile, exec_type; + +# type for the shell configuration files +type amanda_shellconfig_t, 
file_type, sysadmfile; + +tmp_domain(amanda) + +# type for /etc/amandates +type amanda_amandates_t, file_type, sysadmfile; + +# type for /etc/dumpdates +type amanda_dumpdates_t, file_type, sysadmfile; + +# type for amanda data +type amanda_data_t, file_type, sysadmfile; + +# Domain transitions +#################### + +domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t) + + +################## +# File permissions +################## + +# configuration files -> read only +allow amanda_t amanda_config_t:file { getattr read }; +allow amanda_t amanda_config_t:dir search; + +# access to amanda_amandates_t +allow amanda_t amanda_amandates_t:file { getattr lock read write }; + +# access to amanda_dumpdates_t +allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; + +# access to amandas data structure +allow amanda_t amanda_data_t:dir { read search write }; +allow amanda_t amanda_data_t:file { read write }; + +# access to proc_t +allow amanda_t proc_t:dir { getattr search }; +allow amanda_t proc_t:file { getattr read }; + +# access to etc_t and similar +allow amanda_t etc_t:dir { getattr search }; +allow amanda_t etc_t:file { getattr read }; +allow amanda_t etc_runtime_t:file { getattr read }; + +# access to var_t and similar +allow amanda_t var_t:dir search; +allow amanda_t var_lib_t:dir search; +allow amanda_t amanda_var_lib_t:dir search; + +# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) +allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write }; +allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write }; + +# access to var_run_t +allow amanda_t var_run_t:dir search; + +# access to var_log_t +allow amanda_t var_log_t:dir getattr; + +# access to var_spool_t +allow amanda_t var_spool_t:dir getattr; + +# access to amanda_usr_lib_t +allow amanda_t amanda_usr_lib_t:dir search; + +# access to device_t and similar +allow amanda_t device_t:dir search; +allow amanda_t 
null_device_t:chr_file { getattr read write }; +allow amanda_t devpts_t:dir getattr; +allow amanda_t fixed_disk_device_t:blk_file getattr; +allow amanda_t removable_device_t:blk_file getattr; +allow amanda_t devtty_t:chr_file { read write }; + +# access to boot_t +allow amanda_t boot_t:dir getattr; + +# access to fs_t +allow amanda_t fs_t:filesystem getattr; + +# access to sysctl_kernel_t ( proc/sys/kernel/* ) +read_sysctl(amanda_t) + +##################### +# process permissions +##################### + +# Allow to use shared libs +uses_shlib(amanda_t) + +# Allow to execute a amanda executable file +allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read }; + +# Allow to run a shell +allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read }; + +# access to bin_t (tar) +allow amanda_t bin_t:file { execute execute_no_trans }; + +allow amanda_t self:capability { chown dac_override setuid }; +allow amanda_t self:process { fork sigchld }; +allow amanda_t self:unix_dgram_socket create; + + +################################### +# Network and process communication +################################### + +can_network_server(amanda_t); +can_ypbind(amanda_t); + +allow amanda_t self:fifo_file { getattr read write ioctl lock }; +allow amanda_t self:unix_stream_socket { connect create read write }; + + +########################## +# Communication with inetd +########################## + +allow amanda_t inetd_t:udp_socket { read write }; + + +################### +# inetd permissions +################### + +allow inetd_t amanda_usr_lib_t:dir search; + + +######################## +# Access to to save data +######################## + +# access to user_home_t +allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read }; +allow amanda_t user_home_type:file { getattr read }; + +# access to file_t ( /floppy, /cdrom ) +allow amanda_t mnt_t:dir getattr; + +########### +# Dontaudit +########### +dontaudit amanda_t lost_found_t:dir { 
getattr read }; + + +############################################################################## +# AMANDA RECOVER DECLARATIONS +############################################################################## + + +# General declarations +###################### + +# type for amrecover +type amanda_recover_t, domain; +role sysadm_r types { amanda_recover_t amanda_recover_dir_t }; + +# exec types for amrecover +type amanda_recover_exec_t, file_type, sysadmfile, exec_type; + +# type for recover files ( restored data ) +type amanda_recover_dir_t, file_type, sysadmfile; +file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t) + +# domain transsition +domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t) + +# file type auto trans to write debug messages +file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) + + +# amanda recover process permissions +#################################### + +uses_shlib(amanda_recover_t) +allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; +allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service }; +allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read }; +allow amanda_recover_t privfd:fd use; + + +# amrecover network and process communication +############################################# + +can_network_server(amanda_recover_t); +can_ypbind(amanda_recover_t); + +allow amanda_recover_t self:fifo_file { getattr ioctl read write }; +allow amanda_recover_t self:unix_stream_socket { connect create read write }; + + +# amrecover file permissions +############################ + +# access to etc_t and similar +allow amanda_recover_t etc_t:dir search; +allow amanda_recover_t etc_t:file { getattr read }; +allow amanda_recover_t etc_runtime_t:file { getattr read }; + +# access to amanda_recover_dir_t +allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write }; +allow 
amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink }; + +# access to var_t and var_run_t +allow amanda_recover_t var_t:dir search; +allow amanda_recover_t var_run_t:dir search; + +# access to proc_t +allow amanda_recover_t proc_t:dir search; +allow amanda_recover_t proc_t:file { getattr read }; + +# access to sysctl_kernel_t +read_sysctl(amanda_recover_t) + +# access to dev_t and similar +allow amanda_recover_t device_t:dir search; +allow amanda_recover_t devtty_t:chr_file { read write }; +allow amanda_recover_t null_device_t:chr_file { getattr write }; + +# access to bin_t +allow amanda_recover_t bin_t:file { execute execute_no_trans }; + +# access to sysadm_home_t and sysadm_home_dir_t to start amrecover +# in the sysadm home directory +allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr }; + +# access to use sysadm_tty_device_t (/dev/tty?) +allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write }; + +# access to amanda_tmp_t and tmp_t +allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write }; +allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink }; +allow amanda_recover_t tmp_t:dir search; + +# +# Rules to allow amanda to be run as a service in xinetd +# +type amanda_port_t, port_type; +allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind; + +allow amanda_t file_type:dir {getattr read search }; +allow amanda_t file_type:file {getattr read }; +logdir_domain(amanda) + diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te new file mode 100644 index 0000000..981f852 --- /dev/null +++ b/strict/domains/program/anaconda.te 
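Review bot: "role sysadm_r types { amanda_recover_t amanda_recover_dir_t };" lists a file type in a role statement; amanda_recover_dir_t is declared as "type amanda_recover_dir_t, file_type, sysadmfile;" and is not a domain, so it should be removed from the role declaration. The two rules appended at the very end, "allow amanda_t file_type:dir {getattr read search };" and "allow amanda_t file_type:file {getattr read };", give the backup client read access to every file type and make the carefully scoped read rules above them (etc_t, proc_t, user_home_type, amanda_config_t) moot; if the client genuinely must read everything, say so in the header, which still lists tighter permissions as a goal. Comment spelling: "rigths", "speficified", "transsition".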
@@ -0,0 +1,47 @@ +#DESC Anaconda - Red Hat Installation program +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the anaconda_t domain. +# +# anaconda_t is the domain of the installation program +# +type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer; +role system_r types anaconda_t; +unconfined_domain(anaconda_t) + +role system_r types ldconfig_t; +domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) + +role system_r types sysadm_su_t; +domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t) + +# Run other rc scripts in the anaconda_t domain. +domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) + +domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t) + +ifdef(`distro_redhat', ` +file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file) +') + +ifdef(`rpm.te', ` +# Access /var/lib/rpm. +domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t) +') + +file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file) + +ifdef(`udev.te', ` +domain_auto_trans(anaconda_t, udev_exec_t, udev_t) +') + +ifdef(`ssh-agent.te', ` +role system_r types sysadm_ssh_agent_t; +domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) +') +domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te new file mode 100644 index 0000000..b01d3f3 --- /dev/null +++ b/strict/domains/program/apache.te 
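Review bot: if "unconfined_domain(anaconda_t)" grants the full permission set its name implies, the attribute list on the type line (admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer) adds no permissions and only matters where constraints or type transitions key on those attributes; either drop unconfined_domain and rely on the attribute-based policy, or keep it and say in the header that the attributes exist for the constraints. The domain_auto_trans rules are still needed so children leave the unconfined domain. Style: stray space in "domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)".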
@@ -0,0 +1,354 @@ +#DESC Apache - Web server +# +# X-Debian-Packages: apache2-common apache +# +############################################################################### +# +# Policy file for running the Apache web server +# +# NOTES: +# This policy will work with SUEXEC enabled as part of the Apache +# configuration. However, the user CGI scripts will run under the +# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the +# of the creating user. +# +# The user CGI scripts must be labeled with the httpd_$1_script_exec_t +# type, and the directory containing the scripts should also be labeled +# with these types. This policy allows user_r role to perform that +# relabeling. If it is desired that only sysadm_r should be able to relabel +# the user CGI scripts, then relabel rule for user_r should be removed. +# +############################################################################### + +define(`httpd_home_dirs', ` +r_dir_file(httpd_t, $1) +r_dir_file(httpd_suexec_t, $1) +can_exec(httpd_suexec_t, $1) +') + +type http_port_t, port_type, reserved_port_type; + +bool httpd_unified false; + +# Allow httpd cgi support +bool httpd_enable_cgi false; + +# Allow httpd to read home directories +bool httpd_enable_homedirs false; + +# Run SSI execs in system CGI script domain. 
+bool httpd_ssi_exec false; + +# Allow http daemon to communicate with the TTY +bool httpd_tty_comm false; + +######################################################### +# Apache types +######################################################### +# httpd_config_t is the type given to the configuration +# files for apache /etc/httpd/conf +# +type httpd_config_t, file_type, sysadmfile; + +append_logdir_domain(httpd) +#can read /etc/httpd/logs +allow httpd_t httpd_log_t:lnk_file read; + +# For /etc/init.d/apache2 reload +can_tcp_connect(httpd_t, httpd_t) + +can_tcp_connect(web_client_domain, httpd_t) + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache +# +type httpd_modules_t, file_type, sysadmfile; + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory +# +type httpd_cache_t, file_type, sysadmfile; + +# httpd_exec_t is the type give to the httpd executable. +# +daemon_domain(httpd, `, privmail') + +can_exec(httpd_t, httpd_exec_t) +file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file) + +general_domain_access(httpd_t) + +allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; + +read_sysctl(httpd_t) + +# for modules that want to access /etc/mtab and /proc/meminfo +allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; + +# setup the system domain for system CGI scripts +apache_domain(sys) + +# The following are types for SUEXEC,which runs user scripts as their +# own user ID +# +daemon_sub_domain(httpd_t, httpd_suexec) +allow httpd_t httpd_suexec_exec_t:file read; + +######################################################### +# Permissions for running child processes and scripts +########################################################## + +allow httpd_suexec_t self:capability { setuid setgid }; + +dontaudit httpd_suexec_t var_run_t:dir search; +allow httpd_suexec_t { var_t var_log_t }:dir 
search; +allow httpd_suexec_t home_root_t:dir search; + +allow httpd_suexec_t httpd_log_t:dir search; +allow httpd_suexec_t httpd_log_t:file { append getattr }; +allow httpd_suexec_t httpd_t:fifo_file getattr; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +allow httpd_suexec_t etc_t:file { getattr read }; +read_locale(httpd_suexec_t) +read_sysctl(httpd_suexec_t) +allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; + +# for shell scripts +allow httpd_suexec_t bin_t:dir search; +allow httpd_suexec_t bin_t:lnk_file read; +can_exec(httpd_suexec_t, { bin_t shell_exec_t }) + +can_network(httpd_suexec_t) +can_ypbind(httpd_suexec_t) +allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; + +ifdef(`mta.te', ` +# apache should set close-on-exec +dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; +') + +uses_shlib(httpd_t) +allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; +allow httpd_t usr_t:lnk_file { getattr read }; + +# for apache2 memory mapped files +var_lib_domain(httpd) + +# for tomcat +r_dir_file(httpd_t, var_lib_t) + +# execute perl +allow httpd_t { bin_t sbin_t }:dir r_dir_perms; +can_exec(httpd_t, { bin_t sbin_t }) +allow httpd_t bin_t:lnk_file read; + +can_network(httpd_t) +can_ypbind(httpd_t) + +################### +# Allow httpd to search users diretories +###################### +allow httpd_t home_root_t:dir { getattr search }; +dontaudit httpd_t sysadm_home_dir_t:dir getattr; + +############################################################################ +# Allow the httpd_t the capability to bind to a port and various other stuff +############################################################################ +allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +dontaudit httpd_t self:capability net_admin; + 
+################################################# +# Allow the httpd_t to read the web servers config files +################################################### +r_dir_file(httpd_t, httpd_config_t) +dontaudit httpd_sys_script_t httpd_config_t:dir search; +# allow logrotate to read the config files for restart +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, httpd_config_t) +domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t) +allow logrotate_t httpd_t:process signull; +') +r_dir_file(initrc_t, httpd_config_t) +################################################## + +######################################## +# Allow httpd_t to bind to the HTTP port +######################################## +allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; + +############################### +# Allow httpd_t to put files in /var/cache/httpd etc +############################## +create_dir_file(httpd_t, httpd_cache_t) + +############################### +# Allow httpd_t to access the tmpfs file system +############################## +tmpfs_domain(httpd) + +##################### +# Allow httpd_t to access +# libraries for its modules +############################### +allow httpd_t httpd_modules_t:file rx_file_perms; +allow httpd_t httpd_modules_t:dir r_dir_perms; +allow httpd_t httpd_modules_t:lnk_file r_file_perms; + +###################################################################### +# Allow initrc_t to access the Apache modules directory. +###################################################################### +allow initrc_t httpd_modules_t:dir r_dir_perms; + +############################################## +# Allow httpd_t to have access to files +# such as nisswitch.conf +# need ioctl for php +############################################### +allow httpd_t etc_t:file { read getattr ioctl }; +allow httpd_t etc_t:lnk_file { getattr read }; + +# Run SSI execs in system CGI script domain. 
+if (httpd_ssi_exec) { +domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) +} +r_dir_file(httpd_t, httpd_sys_script_ro_t) +create_dir_file(httpd_t, httpd_sys_script_rw_t) +ra_dir_file(httpd_t, httpd_sys_script_ra_t) +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +################################################## +# +# PHP Directives +################################################## + +type httpd_php_exec_t, file_type, sysadmfile, exec_type; +type httpd_php_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) + +# The system role is authorized for this domain. +role system_r types httpd_php_t; + +general_domain_access(httpd_php_t) +uses_shlib(httpd_php_t) +can_exec(httpd_php_t, lib_t) + +# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file ra_file_perms; + +# access to /tmp +tmp_domain(httpd) +tmp_domain(httpd_php) +tmp_domain(httpd_suexec) + +# Creation of lock files for apache2 +lock_domain(httpd) + +# connect to mysql +ifdef(`mysqld.te', ` +can_unix_connect(httpd_php_t, mysqld_t) +can_unix_connect(httpd_t, mysqld_t) +can_unix_connect(httpd_sys_script_t, mysqld_t) +allow httpd_php_t mysqld_var_run_t:dir search; +allow httpd_php_t mysqld_var_run_t:sock_file write; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms; +allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms; +') +allow httpd_t bin_t:dir search; +allow httpd_t sbin_t:dir search; +allow httpd_t httpd_log_t:dir remove_name; + +allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + +allow httpd_t autofs_t:dir { search getattr }; +allow httpd_suexec_t autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs && httpd_enable_homedirs) { +httpd_home_dirs(nfs_t) +} +if (use_samba_home_dirs && httpd_enable_homedirs) { +httpd_home_dirs(cifs_t) 
+} +r_dir_file(httpd_t, fonts_t) + +# +# Allow users to mount additional directories as http_source +# +allow httpd_t mnt_t:dir r_dir_perms; + +######################################## +# When the admin starts the server, the server wants to acess +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +################################################## +dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; + +can_kerberos(httpd_t) + +ifdef(`targeted_policy', ` +typealias httpd_sys_content_t alias httpd_user_content_t; +typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; + +if (httpd_enable_homedirs) { +allow httpd_sys_script_t user_home_dir_t:dir { getattr search }; +allow httpd_t user_home_dir_t:dir { getattr search }; +} +') dnl targeted policy + +ifdef(`distro_redhat', ` +# +# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat +# This is a bug but it still exists in FC2 +# +typealias httpd_log_t alias httpd_runtime_t; +allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; +dontaudit httpd_t httpd_runtime_t:file ioctl; +') dnl distro_redhat +# +# Customer reported the following +# +ifdef(`snmpd.te', ` +dontaudit httpd_t snmpd_var_lib_t:dir search; +dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; +', ` +dontaudit httpd_t usr_t:dir write; +') + +type httpd_squirrelmail_t, file_type, sysadmfile; +create_dir_file(httpd_t, httpd_squirrelmail_t) +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +# File Type of squirrelmail attachments +type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; +allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; +create_dir_file(httpd_t, squirrelmail_spool_t) +r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) + +ifdef(`mta.te', ` +dontaudit system_mail_t httpd_log_t:file { append getattr }; +allow system_mail_t 
httpd_squirrelmail_t:file { append read }; +dontaudit system_mail_t httpd_t:tcp_socket { read write }; +') + +application_domain(httpd_helper) +role system_r types httpd_helper_t; +domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) +allow httpd_helper_t httpd_config_t:file { getattr read }; +allow httpd_helper_t httpd_log_t:file { append }; + +if (httpd_tty_comm) { +allow { httpd_t httpd_helper_t } devpts_t:dir { search }; +ifdef(`targeted_policy', ` +allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write }; +') +allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; +} + +read_sysctl(httpd_sys_script_t) +allow httpd_sys_script_t var_lib_t:dir search; +dontaudit httpd_t selinux_config_t:dir search; +r_dir_file(httpd_t, cert_t) diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te new file mode 100644 index 0000000..2f3cf09 --- /dev/null +++ b/strict/domains/program/apmd.te 
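Review bot: in the ifdef(`snmpd.te', ...) block near the end of apache.te the else branch carries "dontaudit httpd_t usr_t:dir write;", which has nothing to do with snmpd; as written that rule exists only on builds without snmpd.te, so it should move out of the ifdef and be stated unconditionally. Two further points in the same region: the targeted_policy block turns httpd_user_content_t and httpd_user_script_exec_t into aliases of the _sys_ types, so under targeted policy there is no distinction left between user-owned and system web content or scripts, and a one-line comment saying this is intended would help; and the mysqld block grants httpd_t and httpd_sys_script_t rw_file_perms on the mysqld_db_t and mysqld_var_run_t socket files while httpd_php_t gets only write, although connecting to a Unix socket needs no more than write on the sock_file plus can_unix_connect, so the rw_file_perms grants can be trimmed to match the php rule. Minor: the TTY comment block reads "acess" and "the permission are dontaudited".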
@@ -0,0 +1,134 @@ +#DESC Apmd - Automatic Power Management daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: apmd +# + +################################# +# +# Rules for the apmd_t domain. +# +daemon_domain(apmd, `, privmodule, nscd_client_domain') + +# for SSP +allow apmd_t urandom_device_t:chr_file read; + +type apm_t, domain, privlog; +type apm_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(sysadm_t, apm_exec_t, apm_t) +uses_shlib(apm_t) +allow apm_t privfd:fd use; +allow apm_t admin_tty_type:chr_file rw_file_perms; +allow apm_t device_t:dir search; +allow apm_t self:capability sys_admin; +allow apm_t proc_t:dir search; +allow apm_t proc_t:file { read getattr }; +allow apm_t fs_t:filesystem getattr; +allow apm_t apm_bios_t:chr_file rw_file_perms; +role sysadm_r types apm_t; +role system_r types apm_t; + +allow apmd_t device_t:lnk_file read; +allow apmd_t proc_t:file { getattr read }; +read_sysctl(apmd_t) +allow apmd_t self:unix_dgram_socket create_socket_perms; +allow apmd_t self:unix_stream_socket create_stream_socket_perms; +allow apmd_t self:fifo_file rw_file_perms; +allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read }; +allow apmd_t etc_t:lnk_file read; + +# acpid wants a socket +file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) + +# acpid also has a logfile +log_domain(apmd) + +ifdef(`distro_suse', ` +var_lib_domain(apmd) +') + +allow apmd_t self:file { getattr read ioctl }; +allow apmd_t self:process getsession; + +# Use capabilities. +allow apmd_t self:capability { sys_admin sys_nice sys_time }; + +# controlling an orderly resume of PCMCIA requires creating device +# nodes 254,{0,1,2} for some reason. +allow apmd_t self:capability mknod; + +# Access /dev/apm_bios. +allow apmd_t apm_bios_t:chr_file rw_file_perms; + +# Run helper programs. 
+can_exec_any(apmd_t) + +# apmd calls hwclock.sh on suspend and resume +allow apmd_t clock_device_t:chr_file r_file_perms; +ifdef(`hwclock.te', ` +allow apmd_t adjtime_t:file rw_file_perms; +') + + +# to quiet fuser and ps +# setuid for fuser, dac* for ps +dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; +dontaudit apmd_t domain:socket_class_set getattr; +dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; +dontaudit apmd_t device_type:devfile_class_set getattr; +dontaudit apmd_t home_type:dir { search getattr }; +dontaudit apmd_t domain:key_socket getattr; +dontaudit apmd_t domain:dir search; + +ifdef(`distro_redhat', ` +can_exec(apmd_t, apmd_var_run_t) +# for /var/lock/subsys/network +rw_dir_create_file(apmd_t, var_lock_t) + +# ifconfig_exec_t needs to be run in its own domain for Red Hat +ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') +ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)') +ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)') +', ` +# for ifconfig which is run all the time +dontaudit apmd_t sysctl_t:dir search; +') + +ifdef(`udev.te', ` +allow apmd_t udev_t:file { getattr read }; +allow apmd_t udev_t:lnk_file { getattr read }; +') +# +# apmd tells the machine to shutdown requires the following +# +allow apmd_t initctl_t:fifo_file write; +allow apmd_t initrc_var_run_t:file { read write lock }; + +# +# Allow it to run killof5 and pidof +# +r_dir_file(apmd_t, domain) + +# Same for apm/acpid scripts +domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) +ifdef(`consoletype.te', ` +allow consoletype_t apmd_t:fd use; +allow consoletype_t apmd_t:fifo_file write; +') +ifdef(`mount.te', `allow mount_t apmd_t:fd use;') +ifdef(`crond.te', ` +domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t) +allow apmd_t crond_t:fifo_file { getattr read write ioctl }; +') + +ifdef(`mta.te', ` +domain_auto_trans(apmd_t, sendmail_exec_t, 
system_mail_t) +') + +# for a find /dev operation that gets /dev/shm +dontaudit apmd_t tmpfs_t:dir r_dir_perms; +dontaudit apmd_t selinux_config_t:dir search; +allow apmd_t user_tty_type:chr_file rw_file_perms; +# Access /dev/apm_bios. +allow initrc_t apm_bios_t:chr_file { setattr getattr read }; diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te new file mode 100644 index 0000000..936d985 --- /dev/null +++ b/strict/domains/program/arpwatch.te @@ -0,0 +1,42 @@ +#DESC arpwatch - keep track of ethernet/ip address pairings +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the arpwatch_t domain. +# +# arpwatch_exec_t is the type of the arpwatch executable. +# +daemon_domain(arpwatch, `, privmail') + +# for files created by arpwatch +type arpwatch_data_t, file_type, sysadmfile; +create_dir_file(arpwatch_t,arpwatch_data_t) +tmp_domain(arpwatch) + +allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; + +can_network_server(arpwatch_t) +allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms; +allow arpwatch_t self:udp_socket create_socket_perms; +allow arpwatch_t self:unix_dgram_socket create_socket_perms; +allow arpwatch_t self:packet_socket create_socket_perms; +allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; + +allow arpwatch_t { sbin_t var_lib_t }:dir search; +allow arpwatch_t sbin_t:lnk_file read; +r_dir_file(arpwatch_t, etc_t) +r_dir_file(arpwatch_t, usr_t) +can_ypbind(arpwatch_t) + +ifdef(`qmail.te', ` +allow arpwatch_t bin_t:dir search; +') + +ifdef(`distro_gentoo', ` +allow initrc_t arpwatch_data_t:dir { add_name write }; +allow initrc_t arpwatch_data_t:file create; +')dnl end distro_gentoo + diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te new file mode 100644 index 0000000..ce6210e --- /dev/null +++ b/strict/domains/program/auditd.te 
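Review bot: in apmd.te, "dontaudit apmd_t domain:dir search;" is made redundant by the later "r_dir_file(apmd_t, domain)" under the killof5/pidof comment (killall5), which allows the same search; drop the dontaudit. Still in apmd.te, "allow apmd_t user_tty_type:chr_file rw_file_perms;" near the end has no comment explaining why a power-management daemon needs read and write on every user terminal; if it only writes a suspend notice, write alone would do, and the rule deserves a comment either way. Worth recording in a comment as well: between can_exec_any(apmd_t), domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) and the initctl_t fifo write, apmd_t is a direct path into initrc_t and init control, so anything that can drive apmd's event scripts inherits that reach. In arpwatch.te, "create_dir_file(arpwatch_t,arpwatch_data_t)" is missing the space after the comma used everywhere else, and can_network_server(arpwatch_t) is unexplained for a passive sniffer that otherwise needs only packet_socket and the privmail attribute it already gets from daemon_domain; a comment, or a narrower network macro if one fits, would help.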
@@ -0,0 +1,12 @@ +#DESC auditd - System auditing daemon +# +# Authors: Colin Walters +# + +daemon_domain(auditd) +allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow auditd_t self:capability { audit_write audit_control }; +allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms; +allow auditd_t self:unix_dgram_socket create_socket_perms; +allow auditd_t etc_t:file { getattr read }; +log_domain(auditd) diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te new file mode 100644 index 0000000..dbbe8ef --- /dev/null +++ b/strict/domains/program/automount.te 
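Review bot: "allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;" in auditd.te is narrower than the convention the rest of this patch uses for programs that talk to the starting admin's terminal (apm_t, cardmgr_t and checkpolicy_t all use admin_tty_type, which also covers the admin's pty), so auditd started from an ssh session will hit a denial here. Either switch to admin_tty_type or, if the terminal access is only the usual startup noise, make it a dontaudit as apache.te does. Also worth a comment: the netlink_audit_socket grant includes nlmsg_write and the capability set includes audit_control, which together let auditd_t reconfigure the audit subsystem rather than just consume it; that is right for auditd but should be stated so the pattern is not copied for a read-only consumer.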
@@ -0,0 +1,69 @@ +#DESC Automount - Automount daemon +# +# Authors: Stephen Smalley +# Modified by Russell Coker +# X-Debian-Packages: amd am-utils autofs +# + +################################# +# +# Rules for the automount_t domain. +# +daemon_domain(automount) + +etc_domain(automount) + +# for SSP +allow automount_t urandom_device_t:chr_file read; + +# for if the mount point is not labelled +allow automount_t file_t:dir getattr; +allow automount_t default_t:dir getattr; + +allow automount_t autofs_t:dir { create_dir_perms ioctl }; +allow automount_t fs_type:dir getattr; + +allow automount_t { etc_t etc_runtime_t }:file { getattr read }; +allow automount_t proc_t:file { getattr read }; +allow automount_t self:process { setpgid setsched }; +allow automount_t self:capability sys_nice; +allow automount_t self:unix_stream_socket create_socket_perms; +allow automount_t self:unix_dgram_socket create_socket_perms; + +# because config files can be shell scripts +can_exec(automount_t, { etc_t automount_etc_t }) + +can_network_server(automount_t) +can_ypbind(automount_t) + +ifdef(`fsadm.te', ` +domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t) +') + +lock_domain(automount) + +tmp_domain(automount) +allow automount_t self:fifo_file rw_file_perms; + +# Run mount in the mount_t domain. +domain_auto_trans(automount_t, mount_exec_t, mount_t) +allow mount_t autofs_t:dir { search mounton read }; +allow mount_t automount_tmp_t:dir mounton; + +ifdef(`apmd.te', +`domain_auto_trans(apmd_t, automount_exec_t, automount_t) +can_exec(automount_t, bin_t)') + +allow automount_t { bin_t sbin_t }:dir search; +can_exec(automount_t, mount_exec_t) + +allow mount_t autofs_t:dir getattr; +dontaudit automount_t var_t:dir write; + +allow userdomain autofs_t:dir r_dir_perms; +allow kernel_t autofs_t:dir { getattr ioctl read search }; + +allow automount_t home_root_t:dir getattr; +allow automount_t mnt_t:dir { getattr search }; + +allow initrc_t automount_etc_t:file { getattr read }; 
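Review bot: in automount.te the "can_exec(automount_t, bin_t)" sits inside the ifdef(`apmd.te', ...) block together with the apmd_t to automount_t transition, so automount can execute bin_t programs only on builds that include apmd.te; that dependency looks accidental and the can_exec should move out of the ifdef (the neighbouring "allow automount_t { bin_t sbin_t }:dir search;" is already unconditional). Two smaller points: "can_exec(automount_t, { etc_t automount_etc_t })" lets any etc_t file, not only automount's own maps, run in automount_t because "config files can be shell scripts"; labelling the executable maps automount_etc_t and dropping etc_t from the can_exec would keep that to files automount actually owns. And "allow mount_t autofs_t:dir { search mounton read };" and the later "allow mount_t autofs_t:dir getattr;" can be folded into one rule.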
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te new file mode 100644 index 0000000..15ef978 --- /dev/null +++ b/strict/domains/program/bluetooth.te @@ -0,0 +1,42 @@ +#DESC Bluetooth +# +# Authors: Dan Walsh +# RH-Packages: Bluetooth +# + +################################# +# +# Rules for the bluetooth_t domain. +# +daemon_domain(bluetooth) + +file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file) + +tmp_domain(bluetooth) + +# Use capabilities. +allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; + +rw_dir_create_file(bluetooth_t, var_lock_t) + +# Use the network. +can_network_server(bluetooth_t) +can_ypbind(bluetooth_t) +ifdef(`dbusd.te', ` +dbusd_client(system, bluetooth) +allow bluetooth_t system_dbusd_t:dbus send_msg; +') +allow bluetooth_t self:socket { create setopt ioctl bind listen }; +allow bluetooth_t self:unix_dgram_socket create_socket_perms; +allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; + +dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write }; + +# bluetooth_conf_t is the type of the /etc/bluetooth dir. +type bluetooth_conf_t, file_type, sysadmfile; + +# Read /etc/bluetooth +allow bluetooth_t bluetooth_conf_t:dir search; +allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; +#/usr/sbin/hid2hci causes the following +allow initrc_t usbfs_t:file { read }; diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te new file mode 100644 index 0000000..706945f --- /dev/null +++ b/strict/domains/program/bootloader.te 
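Review bot: "allow bluetooth_t self:socket { create setopt ioctl bind listen };" in bluetooth.te grants listen on the generic socket class (used here for the Bluetooth address family, which has no class of its own) but not accept, read or write, so a listening socket can be created and never serviced; check the AVC log from a real pairing session and either complete the set or drop listen. Separately, the closing "allow initrc_t usbfs_t:file { read };" with its note that /usr/sbin/hid2hci causes it adds a usbfs read to initrc_t itself; running hid2hci inside bluetooth_t (or a domain of its own) would keep that access off the init-script domain. Style: the header uses "RH-Packages:" where every other new file in this patch uses "X-Debian-Packages:".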
@@ -0,0 +1,166 @@ +#DESC Bootloader - Lilo boot loader/manager +# +# Author: Russell Coker +# X-Debian-Packages: lilo +# + +################################# +# +# Rules for the bootloader_t domain. +# +# bootloader_exec_t is the type of the bootloader executable. +# +type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin'); +type bootloader_exec_t, file_type, sysadmfile, exec_type; +etc_domain(bootloader) +typealias bootloader_etc_t alias etc_bootloader_t; + +role sysadm_r types bootloader_t; +role system_r types bootloader_t; + +allow bootloader_t var_t:dir search; +create_append_log_file(bootloader_t, var_log_t) +allow bootloader_t var_log_t:file write; + +# for nscd +dontaudit bootloader_t var_run_t:dir search; + +domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) +allow bootloader_t { initrc_t privfd }:fd use; + +tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file }) + +read_locale(bootloader_t) + +# for tune2fs +file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file) + +# for /vmlinuz sym link +allow bootloader_t root_t:lnk_file read; + +# lilo would need read access to get BIOS data +allow bootloader_t proc_kcore_t:file getattr; + +allow bootloader_t { etc_t device_t }:dir r_dir_perms; +allow bootloader_t etc_t:file r_file_perms; +allow bootloader_t etc_t:lnk_file read; +allow bootloader_t initctl_t:fifo_file getattr; +uses_shlib(bootloader_t) + +ifdef(`distro_debian', ` +allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; +allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; +allow bootloader_t boot_t:file relabelfrom; +allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; +allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; +allow bootloader_t usr_t:lnk_file read; +allow bootloader_t tmpfs_t:dir r_dir_perms; +allow 
bootloader_t initrc_var_run_t:dir r_dir_perms; +allow bootloader_t var_lib_t:dir search; +allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; +allow bootloader_t dpkg_var_lib_t:file { getattr read }; +# for /usr/share/initrd-tools/scripts +can_exec(bootloader_t, usr_t) +') + +allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; +dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms; +allow bootloader_t device_t:lnk_file { getattr read }; + +# LVM2 / Device Mapper's /dev/mapper/control +# maybe we should change the labeling for this +ifdef(`lvm.te', ` +allow bootloader_t lvm_control_t:chr_file rw_file_perms; +domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t) +allow lvm_t bootloader_tmp_t:file rw_file_perms; +r_dir_file(bootloader_t, lvm_etc_t) +') + +# uncomment the following line if you use "lilo -p" +#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file); + +can_exec_any(bootloader_t) +allow bootloader_t shell_exec_t:lnk_file read; +allow bootloader_t { bin_t sbin_t }:dir search; +allow bootloader_t { bin_t sbin_t }:lnk_file read; + +allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms; +allow bootloader_t modules_object_t:dir r_dir_perms; +ifdef(`distro_redhat', ` +allow bootloader_t modules_object_t:lnk_file { getattr read }; +') + +# for ldd +ifdef(`fsadm.te', ` +allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans }; +') +ifdef(`modutil.te', ` +allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans }; +') + +dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search; + +allow bootloader_t boot_t:dir { create rw_dir_perms }; +allow bootloader_t boot_t:file create_file_perms; +allow bootloader_t boot_t:lnk_file create_lnk_perms; + +allow bootloader_t load_policy_exec_t:file { getattr read }; + +allow bootloader_t random_device_t:chr_file { getattr read }; + +ifdef(`distro_redhat', ` +# for mke2fs 
+domain_auto_trans(bootloader_t, mount_exec_t, mount_t); +allow mount_t bootloader_tmp_t:dir mounton; + +# new file system defaults to file_t, granting file_t access is still bad. +allow bootloader_t file_t:dir create_dir_perms; +allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; +allow bootloader_t file_t:lnk_file create_lnk_perms; +allow bootloader_t self:unix_stream_socket create_socket_perms; +allow bootloader_t boot_runtime_t:file { read getattr unlink }; + +# for memlock +allow bootloader_t zero_device_t:chr_file { getattr read }; +allow bootloader_t self:capability ipc_lock; +') + +allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; +# allow bootloader to get attributes of any device node +allow bootloader_t { device_type ttyfile }:chr_file getattr; +allow bootloader_t device_type:blk_file getattr; +dontaudit bootloader_t devpts_t:dir create_dir_perms; + +allow bootloader_t self:process { fork signal_perms }; +allow bootloader_t self:lnk_file read; +allow bootloader_t self:dir search; +allow bootloader_t self:file { getattr read }; +allow bootloader_t self:fifo_file rw_file_perms; + +allow bootloader_t fs_t:filesystem getattr; + +allow bootloader_t proc_t:dir { getattr search }; +allow bootloader_t proc_t:file r_file_perms; +allow bootloader_t proc_t:lnk_file { getattr read }; +allow bootloader_t proc_mdstat_t:file r_file_perms; +allow bootloader_t self:dir { getattr search read }; +read_sysctl(bootloader_t) +allow bootloader_t etc_runtime_t:file r_file_perms; + +allow bootloader_t devtty_t:chr_file rw_file_perms; +allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow bootloader_t initrc_t:fifo_file { read write }; + +# for reading BIOS data +allow bootloader_t memory_device_t:chr_file r_file_perms; + +allow bootloader_t policy_config_t:dir { search read }; +allow bootloader_t policy_config_t:file { getattr read }; + +allow bootloader_t lib_t:file { getattr read }; 
+allow bootloader_t sysfs_t:dir getattr; +allow bootloader_t urandom_device_t:chr_file read; +allow bootloader_t { usr_t var_t }:file { getattr read }; +r_dir_file(bootloader_t, src_t) +dontaudit bootloader_t selinux_config_t:dir search; +dontaudit bootloader_t sysctl_t:dir search; diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te new file mode 100644 index 0000000..f629788 --- /dev/null +++ b/strict/domains/program/canna.te @@ -0,0 +1,43 @@ +#DESC canna - A Japanese character set input system. +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the canna_t domain. +# +daemon_domain(canna) + +file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file) + +logdir_domain(canna) +var_lib_domain(canna) + +allow canna_t self:capability { setgid setuid net_bind_service }; +allow canna_t tmp_t:dir { search }; +allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; +allow canna_t self:unix_dgram_socket create_stream_socket_perms; +allow canna_t etc_t:file { getattr read }; +allow canna_t usr_t:file { getattr read }; + +allow canna_t proc_t:file r_file_perms; +allow canna_t etc_runtime_t:file r_file_perms; +allow canna_t canna_var_lib_t:dir create; + +rw_dir_create_file(canna_t, canna_var_lib_t) + +can_network_tcp(canna_t) +can_ypbind(canna_t) + +allow userdomain canna_var_run_t:dir search; +allow userdomain canna_var_run_t:sock_file write; +can_unix_connect(userdomain, canna_t) + +ifdef(`i18n_input.te', ` +allow i18n_input_t canna_var_run_t:dir search; +allow i18n_input_t canna_var_run_t:sock_file write; +can_unix_connect(i18n_input_t, canna_t) +') + diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te new file mode 100644 index 0000000..c9a5e97 --- /dev/null +++ b/strict/domains/program/cardmgr.te 
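Review bot: in bootloader.te, "create_append_log_file(bootloader_t, var_log_t)" followed by "allow bootloader_t var_log_t:file write;" gives the bootloader arbitrary write, not just append, to every file labelled var_log_t, with no comment saying which tool needs it; if this serves one log, a dedicated type or at least a comment is warranted. In the distro_debian block, "allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;" plus create_file_perms on the same types lets bootloader_t create or relabel files as fsadm_exec_t, that is, plant entry points for fsadm_t; this is the initrd-building use case, but it should be called out in a comment since it makes bootloader_t a stepping stone into fsadm_t. The distro_redhat file_t grants already carry the author's own "granting file_t access is still bad" note; mounting the scratch filesystem with a fixed context, or relabelling it to bootloader_tmp_t before use, would avoid them. Style: "domain_auto_trans(bootloader_t, mount_exec_t, mount_t);" carries a trailing semicolon no other macro call in the file has, and "allow bootloader_t self:dir search;" is repeated as "allow bootloader_t self:dir { getattr search read };" a few lines later. In canna.te, "allow canna_t self:unix_dgram_socket create_stream_socket_perms;" applies stream-socket permissions (listen, accept) to a datagram socket; the rest of this patch uses create_socket_perms for unix_dgram_socket (apmd, arpwatch, cardmgr), and the line above it is missing the space before the closing brace. Also note that can_network_tcp(canna_t) together with net_bind_service exposes the input-method server on TCP; the policy cannot pin it to localhost, so that has to be done in the daemon's own configuration.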
@@ -0,0 +1,85 @@ +#DESC Cardmgr - PCMCIA control programs +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: pcmcia-cs +# + +################################# +# +# Rules for the cardmgr_t domain. +# +daemon_domain(cardmgr, `, privmodule') + +# for SSP +allow cardmgr_t urandom_device_t:chr_file read; + +type cardctl_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) +role sysadm_r types cardmgr_t; +allow cardmgr_t admin_tty_type:chr_file { read write }; + +allow cardmgr_t sysfs_t:dir search; +allow cardmgr_t home_root_t:dir search; + +# Use capabilities (net_admin for route), setuid for cardctl +allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; + +# for /etc/resolv.conf +file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file) + +allow cardmgr_t etc_runtime_t:file { getattr read }; + +allow cardmgr_t modules_object_t:dir search; +allow cardmgr_t self:unix_dgram_socket create_socket_perms; +allow cardmgr_t self:unix_stream_socket create_socket_perms; +allow cardmgr_t self:fifo_file rw_file_perms; + +# Create stab file +var_lib_domain(cardmgr) + +# for /var/lib/misc/pcmcia-scheme +# would be better to have it in a different type if I knew how it was created.. +allow cardmgr_t var_lib_t:file { getattr read }; + +# Create device files in /tmp. +type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs; +file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) + +# Create symbolic links in /dev. +type cardmgr_lnk_t, file_type, sysadmfile; +file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file) + +# Run a shell, normal commands, /etc/pcmcia scripts. +can_exec_any(cardmgr_t) +allow cardmgr_t etc_t:lnk_file read; + +# Run ifconfig. 
+domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t) +allow ifconfig_t cardmgr_t:fd use; + +allow cardmgr_t proc_t:file { getattr read ioctl }; + +# Read /proc/PID directories for all domains (for fuser). +can_ps(cardmgr_t, domain) +allow cardmgr_t device_type:{ chr_file blk_file } getattr; +allow cardmgr_t ttyfile:chr_file getattr; +dontaudit cardmgr_t ptyfile:chr_file getattr; +dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr; +dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr; +dontaudit cardmgr_t proc_kmsg_t:file getattr; + +allow cardmgr_t tty_device_t:chr_file rw_file_perms; + +ifdef(`apmd.te', ` +domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) +') + +ifdef(`hide_broken_symptoms', ` +dontaudit insmod_t cardmgr_dev_t:chr_file { read write }; +dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write }; +') +ifdef(`hald.te', ` +rw_dir_file(hald_t, cardmgr_var_run_t) +allow hald_t cardmgr_var_run_t:chr_file create_file_perms; +') diff --git a/strict/domains/program/cdrecord.te b/strict/domains/program/cdrecord.te new file mode 100644 index 0000000..6460090 --- /dev/null +++ b/strict/domains/program/cdrecord.te @@ -0,0 +1,10 @@ +# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master +# +# Author: Thomas Bleher + +# Type for the cdrecord excutable. +type cdrecord_exec_t, file_type, sysadmfile, exec_type; + +# everything else is in the cdrecord_domain macros in +# macros/program/cdrecord_macros.te. + diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te new file mode 100644 index 0000000..97ea0bc --- /dev/null +++ b/strict/domains/program/checkpolicy.te 
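Review bot: in cardmgr.te the "domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)" under "# Run ifconfig." and the insmod_t/ifconfig_t rules in the hide_broken_symptoms block are not wrapped in ifdef(`ifconfig.te', ...) / ifdef(`modutil.te', ...), unlike the equivalent references in apmd.te and bootloader.te; on a build without those files the types are undefined and the policy does not compile. Also, "domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)" runs the cardctl client in the daemon's domain, so an admin running cardctl gets dac_override, sys_admin, mknod and can_exec_any(cardmgr_t); a small cardctl_t that only talks to the daemon would be tighter. Two rules lack the comment the rest of the file gives its grants: "allow cardmgr_t home_root_t:dir search;" and "allow cardmgr_t tty_device_t:chr_file rw_file_perms;". In cdrecord.te the comment has "excutable" for "executable".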
@@ -0,0 +1,65 @@ +#DESC Checkpolicy - SELinux policy compliler +# +# Authors: Frank Mayer, mayerf@tresys.com +# X-Debian-Packages: checkpolicy +# + +########################### +# +# checkpolicy_t is the domain type for checkpolicy +# checkpolicy_exec_t if file type for the executable + +type checkpolicy_t, domain; +role sysadm_r types checkpolicy_t; +role system_r types checkpolicy_t; + +type checkpolicy_exec_t, file_type, exec_type, sysadmfile; + +########################## +# +# Rules + +domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) + +# able to create and modify binary policy files +allow checkpolicy_t policy_config_t:dir rw_dir_perms; +allow checkpolicy_t policy_config_t:file create_file_perms; + +########################### +# constrain what checkpolicy can use as source files +# + +# only allow read of policy source files +allow checkpolicy_t policy_src_t:dir r_dir_perms; +allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms; + +# allow test policies to be created in src directories +file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) + +# directory search permissions for path to source and binary policy files +allow checkpolicy_t root_t:dir search; +allow checkpolicy_t etc_t:dir search; + +# Read the devpts root directory. 
+allow checkpolicy_t devpts_t:dir r_dir_perms; +ifdef(`sshd.te', +`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') + +# Other access +allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; +uses_shlib(checkpolicy_t) +allow checkpolicy_t self:capability dac_override; + +allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; + +########################## +# Allow users to execute checkpolicy without a domain transition +# so it can be used without privilege to write real binary policy file +can_exec(unpriv_userdomain, checkpolicy_exec_t) + +allow checkpolicy_t { userdomain privfd }:fd use; + +allow checkpolicy_t fs_t:filesystem getattr; +allow checkpolicy_t console_device_t:chr_file { read write }; +allow checkpolicy_t init_t:fd use; +allow checkpolicy_t selinux_config_t:dir search; diff --git a/strict/domains/program/chkpwd.te b/strict/domains/program/chkpwd.te new file mode 100644 index 0000000..22ac7f2 --- /dev/null +++ b/strict/domains/program/chkpwd.te @@ -0,0 +1,18 @@ +#DESC Chkpwd - PAM password checking programs +# X-Debian-Packages: libpam-modules +# +# Domains for the /sbin/.*_chkpwd utilities. +# + +# +# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables. +# +type chkpwd_exec_t, file_type, sysadmfile, exec_type; + +chkpwd_domain(system) +dontaudit system_chkpwd_t privfd:fd use; +role sysadm_r types system_chkpwd_t; +in_user_role(system_chkpwd_t) + +# Everything else is in the chkpwd_domain macro in +# macros/program/chkpwd_macros.te. diff --git a/strict/domains/program/chroot.te b/strict/domains/program/chroot.te new file mode 100644 index 0000000..8992c66 --- /dev/null +++ b/strict/domains/program/chroot.te 
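Review bot: "allow checkpolicy_t self:capability dac_override;" in checkpolicy.te is the only capability the compiler gets and there is no comment saying why; the file already grants read on policy_src_t and write on policy_config_t by label, so dac_override would only matter for DAC-protected files outside those types, and it should either be explained or dropped in favour of correct ownership and mode on the policy tree. Also note the consequence of "file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)": test policies written into the source tree come out labelled policy_config_t, the same type as the installed binary policy, so nothing in the label later distinguishes a test build from the real one. Style: the header has "compliler" and "checkpolicy_exec_t if file type" (is the file type), and "allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;" has a space before the semicolon. chkpwd.te is fine as a stub; the substance lives in the macro it references.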
@@ -0,0 +1,21 @@ +#DESC Chroot - Establish chroot environments +# +# Author: Russell Coker +# X-Debian-Packages: +# +type chroot_exec_t, file_type, sysadmfile, exec_type; + +# For a chroot environment named potato that can be entered from user_t (so +# the user can run an old version of Debian in a chroot), with the possibility +# of user_devpts_t or user_tty_device_t being the controlling tty type for +# administration. This also defines a mount_domain for the user (so they can +# mount file systems). +#chroot(user, potato) +# For a chroot environment named apache that can be entered from initrc_t for +# running a different version of apache. +# initrc is a special case, uses the system_r role (usually appends "_r" to +# the base name of the parent domain), and has sysadm_devpts_t and +# sysadm_tty_device_t for the controlling terminal +#chroot(initrc, apache) + +# the main code is in macros/program/chroot_macros.te diff --git a/strict/domains/program/comsat.te b/strict/domains/program/comsat.te new file mode 100644 index 0000000..cd0e3f9 --- /dev/null +++ b/strict/domains/program/comsat.te @@ -0,0 +1,20 @@ +#DESC comsat - biff server +# +# Author: Dan Walsh +# Depends: inetd.te +# + +################################# +# +# Rules for the comsat_t domain. +# +# comsat_exec_t is the type of the comsat executable. +# + +inetd_child_domain(comsat, udp) +allow comsat_t initrc_var_run_t:file r_file_perms; +dontaudit comsat_t initrc_var_run_t:file write; +allow comsat_t mail_spool_t:dir r_dir_perms; +allow comsat_t mail_spool_t:lnk_file read; +allow comsat_t var_spool_t:dir search; +dontaudit comsat_t sysadm_tty_device_t:chr_file getattr; diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te new file mode 100644 index 0000000..9836ce4 --- /dev/null +++ b/strict/domains/program/consoletype.te 
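Review bot: the "X-Debian-Packages:" tag in chroot.te is empty; either name the package or drop the line, since the other new files use it to record which package ships the binary (consoletype.te has the same empty tag). In comsat.te, "dontaudit comsat_t initrc_var_run_t:file write;" hides a write attempt against init-script runtime files with no comment on what triggers it; the paired "allow comsat_t initrc_var_run_t:file r_file_perms;" suggests comsat only needs to read them, so say so. The remaining comsat grants are read-only on mail_spool_t and var_spool_t, which matches what a biff server needs.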
@@ -0,0 +1,64 @@ +#DESC consoletype - determine the type of a console device +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the consoletype_t domain. +# +# consoletype_t is the domain for the consoletype program. +# consoletype_exec_t is the type of the corresponding program. +# +type consoletype_t, domain; +type consoletype_exec_t, file_type, sysadmfile, exec_type; + +role system_r types consoletype_t; + +uses_shlib(consoletype_t) +general_domain_access(consoletype_t) + +domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t) + +allow consoletype_t tty_device_t:chr_file { getattr ioctl write }; +allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl }; + +ifdef(`xdm.te', ` +domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) +allow consoletype_t xdm_tmp_t:file { read write }; +') + +allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use; +allow consoletype_t admin_tty_type:chr_file rw_file_perms; +ifdef(`hotplug.te', ` +domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t) +') + +# Use capabilities. 
+allow consoletype_t self:capability sys_admin; + +allow consoletype_t console_device_t:chr_file { getattr ioctl read write }; +allow consoletype_t initrc_t:fifo_file write; +allow consoletype_t tty_device_t:chr_file read; +allow consoletype_t nfs_t:file write; +allow consoletype_t sysadm_t:fifo_file rw_file_perms; + +ifdef(`lpd.te', ` +allow consoletype_t printconf_t:file { getattr read }; +') + +ifdef(`pam.te', ` +allow consoletype_t pam_var_run_t:file { getattr read }; +') +ifdef(`distro_redhat', ` +allow consoletype_t tmpfs_t:chr_file rw_file_perms; +') +ifdef(`firstboot.te', ` +allow consoletype_t firstboot_t:fifo_file write; +') +dontaudit consoletype_t proc_t:file read; +dontaudit consoletype_t root_t:file read; +allow consoletype_t crond_t:fifo_file { read getattr ioctl }; +allow consoletype_t system_crond_t:fd use; +allow consoletype_t fs_t:filesystem getattr; diff --git a/strict/domains/program/cpucontrol.te b/strict/domains/program/cpucontrol.te new file mode 100644 index 0000000..23a13b7 --- /dev/null +++ b/strict/domains/program/cpucontrol.te @@ -0,0 +1,17 @@ +#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU +# +# Author: Russell Coker +# + +type cpucontrol_conf_t, file_type, sysadmfile; + +daemon_base_domain(cpucontrol) + +# Access cpu devices. +allow cpucontrol_t cpu_device_t:chr_file rw_file_perms; +allow cpucontrol_t device_t:lnk_file { getattr read }; +allow initrc_t cpu_device_t:chr_file getattr; + +allow cpucontrol_t self:capability sys_rawio; + +r_dir_file(cpucontrol_t, cpucontrol_conf_t) diff --git a/strict/domains/program/cpuspeed.te b/strict/domains/program/cpuspeed.te new file mode 100644 index 0000000..b80f705 --- /dev/null +++ b/strict/domains/program/cpuspeed.te 
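Review bot: "allow consoletype_t self:capability sys_admin;" in consoletype.te, introduced only by the generic "# Use capabilities." comment, hands a program whose job is to report the type of a console the broadest capability there is; nothing else in the file says which operation needs it, so either document the ioctl that requires it or remove it and watch for denials. Likewise "allow consoletype_t nfs_t:file write;" is uncommented; if it exists because init-script output is sometimes redirected onto an NFS mount it should say so, and a dontaudit may be the better choice. In cpucontrol.te the DESC line says the domain is for "microcode_ctl and other programs to control CPU", while cpuspeed.te's DESC also lists microcode_ctl; the binary can only be labelled for one domain, so one of the two descriptions is wrong and they should be reconciled.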
@@ -0,0 +1,17 @@ +#DESC cpuspeed - domain for microcode_ctl, powernowd, etc +# +# Authors: Russell Coker +# Thomas Bleher +# + +daemon_base_domain(cpuspeed) +read_locale(cpuspeed_t) + +allow cpuspeed_t sysfs_t:dir search; +allow cpuspeed_t sysfs_t:file rw_file_perms; +allow cpuspeed_t proc_t:dir r_dir_perms; +allow cpuspeed_t proc_t:file { getattr read }; +allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read }; + +allow cpuspeed_t self:process setsched; +allow cpuspeed_t self:unix_dgram_socket create_socket_perms; diff --git a/strict/domains/program/crack.te b/strict/domains/program/crack.te new file mode 100644 index 0000000..1706f6e --- /dev/null +++ b/strict/domains/program/crack.te @@ -0,0 +1,48 @@ +#DESC Crack - Password cracking application +# +# Author: Russell Coker +# X-Debian-Packages: crack +# + +################################# +# +# Rules for the crack_t domain. +# +# crack_exec_t is the type of the crack executable. +# +system_domain(crack) +ifdef(`crond.te', ` +system_crond_entry(crack_exec_t, crack_t) +') + +# for SSP +allow crack_t urandom_device_t:chr_file read; + +type crack_db_t, file_type, sysadmfile, usercanread; +allow crack_t var_t:dir search; +rw_dir_create_file(crack_t, crack_db_t) + +allow crack_t device_t:dir search; +allow crack_t devtty_t:chr_file rw_file_perms; +allow crack_t self:fifo_file { read write getattr }; + +tmp_domain(crack) + +# for dictionaries +allow crack_t usr_t:file { getattr read }; + +can_exec(crack_t, bin_t) +allow crack_t { bin_t sbin_t }:dir search; + +allow crack_t self:process { fork signal_perms }; + +allow crack_t proc_t:dir { read search }; +allow crack_t proc_t:file { read getattr }; + +# read config files +allow crack_t { etc_t etc_runtime_t }:file { getattr read }; +allow crack_t etc_t:dir r_dir_perms; + +allow crack_t fs_t:filesystem getattr; + +dontaudit crack_t sysadm_home_dir_t:dir { getattr search }; 
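Review bot: `allow cpuspeed_t sysfs_t:file rw_file_perms;` in the cpuspeed hunk grants write access to every file under sysfs, not only the cpufreq attributes the daemon tunes; together with `allow cpuspeed_t sysfs_t:dir search;` that is write access to any kernel tunable exposed through /sys. If no finer sysfs type exists yet, add a comment saying the rule is deliberately coarse; otherwise a dedicated type for the cpufreq tree would be preferable. The DESC line also lists microcode_ctl, which the cpucontrol hunk just above already claims (`domain for microcode_ctl and other programs to control CPU`); one of the two descriptions should be corrected.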
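Review bot: `type crack_db_t, file_type, sysadmfile, usercanread;` in the crack hunk makes the cracker's database readable by every user domain. That directory holds the program's working state and results, i.e. which accounts had guessable passwords, so `usercanread` looks too permissive; either drop the attribute or add a comment explaining why unprivileged users must read it. The trailing `dontaudit crack_t sysadm_home_dir_t:dir { getattr search };` would also benefit from a note on which invocation (the cron entry above?) triggers the denial.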
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te new file mode 100644 index 0000000..10f8a4d --- /dev/null +++ b/strict/domains/program/crond.te 
@@ -0,0 +1,215 @@ +#DESC Crond - Crond daemon +# +# Domains for the top-level crond daemon process and +# for system cron jobs. The domains for user cron jobs +# are in macros/program/crond_macros.te. +# +# X-Debian-Packages: cron +# Authors: Jonathan Crowley (MITRE) , +# Stephen Smalley and Timothy Fraser +# + +# NB The constraints file has some entries for crond_t, this makes it +# different from all other domains... + +# Domain for crond. It needs auth_chkpwd to check for locked accounts. +daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain') + +# This domain is granted permissions common to most domains (including can_net) +general_domain_access(crond_t) + +# Type for the anacron executable. +type anacron_exec_t, file_type, sysadmfile, exec_type; + +# Type for temporary files. +tmp_domain(crond) + +crond_domain(system) + +allow system_crond_t proc_mdstat_t:file { getattr read }; +allow system_crond_t proc_t:lnk_file read; +allow system_crond_t proc_t:filesystem getattr; +allow system_crond_t usbdevfs_t:filesystem getattr; + +ifdef(`mta.te', ` +allow mta_user_agent system_crond_t:fd use; +') + +# read files in /etc +allow system_crond_t etc_t:file r_file_perms; +allow system_crond_t etc_runtime_t:file read; + +allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; + +read_locale(crond_t) + +log_domain(crond) + +# Use capabilities. +allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice }; +dontaudit crond_t self:capability sys_resource; + +# Get security policy decisions. +can_getsecurity(crond_t) + +# for finding binaries and /bin/sh +allow crond_t { bin_t sbin_t }:dir search; +allow crond_t { bin_t sbin_t }:lnk_file read; + +# Read from /var/spool/cron. +allow crond_t var_lib_t:dir search; +allow crond_t var_spool_t:dir r_dir_perms; +allow crond_t cron_spool_t:dir r_dir_perms; +allow crond_t cron_spool_t:file r_file_perms; + +# Read /etc/security/default_contexts. 
+r_dir_file(crond_t, default_context_t) + +allow crond_t etc_t:file { getattr read }; +allow crond_t etc_t:lnk_file read; + +allow crond_t default_t:dir search; + +# crond tries to search /root. Not sure why. +allow crond_t sysadm_home_dir_t:dir r_dir_perms; + +# to search /home +allow crond_t home_root_t:dir { getattr search }; +allow crond_t user_home_dir_type:dir r_dir_perms; + +# Run a shell. +can_exec(crond_t, shell_exec_t) + +ifdef(`distro_redhat', ` +# Run the rpm program in the rpm_t domain. Allow creation of RPM log files +# via redirection of standard out. +ifdef(`rpm.te', ` +allow crond_t rpm_log_t: file create_file_perms; + +system_crond_entry(rpm_exec_t, rpm_t) +allow system_crond_t rpm_log_t:file create_file_perms; +') +') + +allow system_crond_t var_log_t:file r_file_perms; + + +# Set exec context. +can_setexec(crond_t) + +# Transition to this domain for anacron as well. +# Still need to study anacron. +domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t) + +# Access log files +file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file) + +# Inherit and use descriptors from init for anacron. +allow system_crond_t init_t:fd use; + +# Inherit and use descriptors from initrc for anacron. +allow system_crond_t initrc_t:fd use; +allow system_crond_t initrc_devpts_t:chr_file { read write }; + +# Use capabilities. +allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid }; + +allow crond_t urandom_device_t:chr_file { getattr read }; + +# Read the system crontabs. +allow system_crond_t system_cron_spool_t:file r_file_perms; + +allow crond_t system_cron_spool_t:dir r_dir_perms; +allow crond_t system_cron_spool_t:file r_file_perms; + +# Read from /var/spool/cron. +allow system_crond_t cron_spool_t:dir r_dir_perms; +allow system_crond_t cron_spool_t:file r_file_perms; + +# Write to /var/lib/slocate.db. 
+allow system_crond_t var_lib_t:dir rw_dir_perms; +allow system_crond_t var_lib_t:file create_file_perms; + +# Update whatis files. +allow system_crond_t catman_t:dir create_dir_perms; +allow system_crond_t catman_t:file create_file_perms; +allow system_crond_t man_t:file r_file_perms; +allow system_crond_t man_t:lnk_file read; + +# Write /var/lock/makewhatis.lock. +lock_domain(system_crond) + +# for if /var/mail is a symlink +allow { system_crond_t crond_t } mail_spool_t:lnk_file read; +allow crond_t mail_spool_t:dir search; + +ifdef(`mta.te', ` +r_dir_file(system_mail_t, crond_tmp_t) +') + +# Stat any file and search any directory for find. +allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr; +allow system_crond_t device_type:{ chr_file blk_file } getattr; +allow system_crond_t file_type:dir { read search getattr }; + +# Create temporary files. +type system_crond_tmp_t, file_type, sysadmfile, tmpfile; +file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t) + +# /sbin/runlevel ask for w access to utmp, but will operate +# correctly without it. Do not audit write denials to utmp. +# /sbin/runlevel needs lock access however +dontaudit system_crond_t initrc_var_run_t:file write; +allow system_crond_t initrc_var_run_t:file { getattr read lock }; + +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +allow system_crond_t var_spool_t:file create_file_perms; +allow system_crond_t var_spool_t:dir rw_dir_perms; + +# Do not audit attempts to search unlabeled directories (e.g. slocate). 
+dontaudit system_crond_t unlabeled_t:dir r_dir_perms; +dontaudit system_crond_t unlabeled_t:file r_file_perms; + +# +# reading /var/spool/cron/mailman +# +allow crond_t var_spool_t:file { getattr read }; +allow system_crond_t devpts_t:filesystem getattr; +allow system_crond_t sysfs_t:filesystem getattr; +allow system_crond_t tmpfs_t:filesystem getattr; +allow system_crond_t rpc_pipefs_t:filesystem getattr; + +# +# These rules are here to allow system cron jobs to su +# +ifdef(`su.te', ` +su_restricted_domain(system_crond,system) +role system_r types system_crond_su_t; +allow system_crond_su_t crond_t:fifo_file ioctl; +') +allow system_crond_t self:passwd rootok; +# +# prelink tells init to restart it self, we either need to allow or dontaudit +# +allow system_crond_t initctl_t:fifo_file write; +dontaudit userdomain system_crond_t:fd use; + +r_dir_file(crond_t, selinux_config_t) + +# Allow system cron jobs to relabel filesystem for restoring file contexts. +bool cron_can_relabel false; +if (cron_can_relabel) { +domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t) +} else { +r_dir_file(system_crond_t, file_context_t) +can_getsecurity(system_crond_t) +} +allow system_crond_t removable_t:filesystem { getattr }; +# +# Required for webalizer +# +ifdef(`apache.te', ` +allow system_crond_t httpd_log_t:file { getattr read }; +') +dontaudit crond_t self:capability { sys_tty_config }; diff --git a/strict/domains/program/crontab.te b/strict/domains/program/crontab.te new file mode 100644 index 0000000..48b5fcc --- /dev/null +++ b/strict/domains/program/crontab.te @@ -0,0 +1,12 @@ +#DESC Crontab - Crontab manipulation programs +# +# Domains for the crontab program. +# +# X-Debian-Packages: cron +# + +# Type for the crontab executable. +type crontab_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the crontab_domain macro in +# macros/program/crontab_macros.te. 
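Review bot: `allow system_crond_t initctl_t:fifo_file write;` under `# prelink tells init to restart it self, we either need to allow or dontaudit` gives every system cron job the ability to send commands to init, and the comment itself says a `dontaudit` would do. Unless prelink's restart is required to work, prefer `dontaudit`, or gate the allow behind a boolean the way `cron_can_relabel` gates the setfiles transition further down. Two smaller points in the same hunk: `allow system_crond_t self:passwd rootok;` deserves a comment on which job needs it, and the `# Write to /var/lib/slocate.db.` rules (`var_lib_t:dir rw_dir_perms` and `var_lib_t:file create_file_perms`) cover all of /var/lib rather than the slocate database alone.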
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te new file mode 100644 index 0000000..684f440 --- /dev/null +++ b/strict/domains/program/cups.te 
@@ -0,0 +1,257 @@ +#DESC Cups - Common Unix Printing System +# +# Created cups policy from lpd policy: Russell Coker +# X-Debian-Packages: cupsys cupsys-client cupsys-bsd +# Depends: lpd.te lpr.te + +################################# +# +# Rules for the cupsd_t domain. +# +# cupsd_t is the domain of cupsd. +# cupsd_exec_t is the type of the cupsd executable. +# +type ipp_port_t, port_type, reserved_port_type; +daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain') +etcdir_domain(cupsd) +typealias cupsd_etc_t alias etc_cupsd_t; +type cupsd_rw_etc_t, file_type, sysadmfile, usercanread; +typealias cupsd_rw_etc_t alias etc_cupsd_rw_t; + +can_network(cupsd_t) +logdir_domain(cupsd) + +tmp_domain(cupsd) + +allow cupsd_t devpts_t:dir search; + +allow cupsd_t device_t:lnk_file read; +allow cupsd_t printer_device_t:chr_file rw_file_perms; +allow cupsd_t urandom_device_t:chr_file { getattr read }; +dontaudit cupsd_t random_device_t:chr_file ioctl; + +# temporary solution, we need something better +allow cupsd_t serial_device:chr_file rw_file_perms; + +r_dir_file(cupsd_t, usbdevfs_t) +r_dir_file(cupsd_t, usbfs_t) + +ifdef(`logrotate.te', ` +domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t) +') + +ifdef(`inetd.te', ` +allow inetd_t printer_port_t:tcp_socket name_bind; +domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t) +') + +# write to spool +allow cupsd_t var_spool_t:dir search; + +# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong +file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file) +allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms }; +allow cupsd_t cupsd_etc_t:file setattr; +allow cupsd_t cupsd_etc_t:dir setattr; + +allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl }; +can_exec(cupsd_t, initrc_exec_t) +allow cupsd_t proc_t:file r_file_perms; +allow cupsd_t proc_t:dir r_dir_perms; +allow cupsd_t self:file { getattr read }; +read_sysctl(cupsd_t) +allow 
cupsd_t sysctl_dev_t:dir search; +allow cupsd_t sysctl_dev_t:file { getattr read }; + +# for /etc/printcap +dontaudit cupsd_t etc_t:file write; + +# allow cups to execute its backend scripts +can_exec(cupsd_t, cupsd_exec_t) +allow cupsd_t cupsd_exec_t:dir search; +allow cupsd_t cupsd_exec_t:lnk_file read; + +allow cupsd_t self:unix_stream_socket create_socket_perms; +allow cupsd_t self:unix_dgram_socket create_socket_perms; +allow cupsd_t self:fifo_file rw_file_perms; + +# Use capabilities. +allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config }; +dontaudit cupsd_t self:capability net_admin; + +allow cupsd_t self:process setsched; + +# for /var/lib/defoma +allow cupsd_t var_lib_t:dir search; +r_dir_file(cupsd_t, readable_t) + +# Bind to the cups/ipp port (631). +allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind; + +can_tcp_connect(web_client_domain, cupsd_t) +can_tcp_connect(cupsd_t, cupsd_t) + +# Send to portmap. +ifdef(`portmap.te', ` +can_udp_send(cupsd_t, portmap_t) +can_udp_send(portmap_t, cupsd_t) +') + +# Write to /var/spool/cups. 
+allow cupsd_t print_spool_t:dir { setattr rw_dir_perms }; +allow cupsd_t print_spool_t:file create_file_perms; +allow cupsd_t print_spool_t:file rw_file_perms; + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +allow cupsd_t { bin_t sbin_t }:dir { search getattr }; +allow cupsd_t bin_t:lnk_file read; +can_exec(cupsd_t, { shell_exec_t bin_t sbin_t }) + +# They will also invoke ghostscript, which needs to read fonts +r_dir_file(cupsd_t, fonts_t) + +# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +allow cupsd_t lib_t:file { read getattr }; + +# read python modules +allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl }; + +# +# lots of errors generated requiring the following +# +allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +# +# Satisfy readahead +# +allow initrc_t cupsd_log_t:file { getattr read }; +r_dir_file(cupsd_t, var_t) + +r_dir_file(cupsd_t, usercanread) +ifdef(`samba.te', ` +rw_dir_file(cupsd_t, samba_var_t) +allow smbd_t cupsd_etc_t:dir search; +') + +ifdef(`pam.te', ` +dontaudit cupsd_t pam_var_run_t:file { getattr read }; +') +dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; +# PTAL +daemon_domain(ptal) +etcdir_domain(ptal) +allow ptal_t ptal_var_run_t:fifo_file create_file_perms; +allow ptal_t ptal_var_run_t:sock_file create_file_perms; +allow ptal_t self:capability chown; +allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; +allow ptal_t self:unix_stream_socket { listen accept }; +allow ptal_t self:fifo_file rw_file_perms; +allow ptal_t device_t:dir read; +allow ptal_t printer_device_t:chr_file { ioctl read write }; +allow initrc_t printer_device_t:chr_file getattr; +allow ptal_t { etc_t etc_runtime_t }:file { getattr read }; +r_dir_file(ptal_t, usbdevfs_t) +r_dir_file(ptal_t, usbfs_t) +allow cupsd_t ptal_var_run_t:sock_file { write setattr }; +allow cupsd_t ptal_t:unix_stream_socket connectto; +allow 
cupsd_t ptal_var_run_t:dir search; +dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; + +allow initrc_t ptal_var_run_t:dir rmdir; +allow initrc_t ptal_var_run_t:fifo_file unlink; + +dontaudit cupsd_t selinux_config_t:dir search; +dontaudit cupsd_t selinux_config_t:file { getattr read }; + +allow cupsd_t printconf_t:file { getattr read }; + +dbusd_client(system, cupsd) + +ifdef(`hald.te', ` + +# CUPS configuration daemon +daemon_domain(cupsd_config) + +allow cupsd_config_t devpts_t:dir search; + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +allow cupsd_config_t rpm_var_lib_t:dir { getattr search }; +allow cupsd_config_t rpm_var_lib_t:file { getattr read }; +') +allow cupsd_config_t initrc_exec_t:file getattr; +')dnl end distro_redhat + +allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read }; +allow cupsd_config_t self:file { getattr read }; + +allow cupsd_config_t proc_t:file { getattr read }; +allow cupsd_config_t cupsd_var_run_t:file { getattr read }; +allow cupsd_config_t cupsd_t:process { signal }; +allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read }; +can_ps(cupsd_config_t, cupsd_t) + +allow cupsd_config_t self:capability chown; + +rw_dir_create_file(cupsd_config_t, cupsd_etc_t) +rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) +file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) + +can_network_tcp(cupsd_config_t) +can_tcp_connect(cupsd_config_t, cupsd_t) +allow cupsd_config_t self:fifo_file rw_file_perms; + +allow cupsd_config_t self:unix_stream_socket create_socket_perms; +ifdef(`dbusd.te', ` +dbusd_client(system, cupsd_config) +allow cupsd_config_t userdomain:dbus send_msg; +allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc }; +allow cupsd_t system_dbusd_t:dbus send_msg; +allow userdomain cupsd_config_t:dbus send_msg; +allow cupsd_config_t hald_t:dbus send_msg; +allow hald_t cupsd_config_t:dbus send_msg; +allow cupsd_t userdomain:dbus send_msg; +allow cupsd_t 
hald_t:dbus send_msg; +allow hald_t cupsd_t:dbus send_msg; +')dnl end if dbusd.te + +can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t }) +ifdef(`hostname.te', ` +can_exec(cupsd_t, hostname_exec_t) +can_exec(cupsd_config_t, hostname_exec_t) +') +allow cupsd_config_t { bin_t sbin_t }:dir { search getattr }; +allow cupsd_config_t { bin_t sbin_t }:lnk_file read; +# killall causes the following +dontaudit cupsd_config_t domain:dir { getattr search }; +dontaudit cupsd_config_t selinux_config_t:dir search; + +can_exec(cupsd_config_t, cupsd_config_exec_t) + +allow cupsd_config_t usr_t:file { getattr read }; +allow cupsd_config_t var_lib_t:dir { getattr search }; +allow cupsd_config_t rpm_var_lib_t:file { getattr read }; +allow cupsd_config_t printconf_t:file { getattr read }; + +allow cupsd_config_t urandom_device_t:chr_file { getattr read }; + +domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t) +ifdef(`logrotate.te', ` +allow cupsd_config_t logrotate_t:fd use; +')dnl end if logrotate.te +allow cupsd_config_t system_crond_t:fd use; +allow cupsd_config_t crond_t:fifo_file read; +allow cupsd_t crond_t:fifo_file read; + +# Alternatives asks for this +allow cupsd_config_t initrc_exec_t:file getattr; +') dnl end if hald.te +ifdef(`targeted_policy', ` +can_unix_connect(cupsd_t, initrc_t) +allow cupsd_t initrc_t:dbus send_msg; +allow initrc_t cupsd_t:dbus send_msg; +') + +ifdef(`targeted_policy', ` +allow cupsd_t unconfined_t:dbus send_msg; +') diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te new file mode 100644 index 0000000..d101c1a --- /dev/null +++ b/strict/domains/program/cyrus.te 
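Review bot: inside the `ifdef(`hald.te'` block of the cups hunk, `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` (right after `allow cupsd_config_t var_lib_t:dir { getattr search };`) sits outside the `ifdef(`distro_redhat', ` ifdef(`rpm.te', ` guard that protects the earlier rpm_var_lib_t rules; if that type is declared only by rpm.te, as the guard implies, a build without rpm.te fails on an undeclared type. Move the rule into the guarded block, where it also duplicates the existing `allow cupsd_config_t rpm_var_lib_t:file { getattr read };`. Likewise `allow cupsd_config_t initrc_exec_t:file getattr;` appears twice (once under distro_redhat, once under `# Alternatives asks for this`). Separately, the hunk's own comments mark `allow cupsd_t serial_device:chr_file rw_file_perms;` as `temporary solution` and `file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)` as `not ideal`; both should name the intended proper fix so they are not forgotten.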
@@ -0,0 +1,47 @@ +#DESC cyrus-imapd +# +# Authors: Dan Walsh +# + +# cyrusd_exec_t is the type of the cyrusd executable. +# cyrusd_key_t is the type of the cyrus private key files +daemon_domain(cyrus) + +general_domain_access(cyrus_t) +file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file) + +type cyrus_var_lib_t, file_type, sysadmfile; + +allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +allow cyrus_t self:process setrlimit; + +allow initrc_su_t cyrus_var_lib_t:dir search; + +can_network(cyrus_t) +can_ypbind(cyrus_t) +can_exec(cyrus_t, bin_t) +allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; +allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms; +allow cyrus_t etc_t:file { getattr read }; +allow cyrus_t lib_t:file { execute execute_no_trans getattr read }; +read_locale(cyrus_t) +read_sysctl(cyrus_t) +tmp_domain(cyrus) +ifdef(`use_pop', ` +allow cyrus_t pop_port_t:tcp_socket name_bind; +') +allow cyrus_t proc_t:dir search; +allow cyrus_t proc_t:file { getattr read }; +allow cyrus_t sysadm_devpts_t:chr_file { read write }; + +allow cyrus_t staff_t:fd use; +allow cyrus_t var_lib_t:dir search; + +allow cyrus_t etc_runtime_t:file { read getattr }; +ifdef(`crond.te', ` +system_crond_entry(cyrus_exec_t, cyrus_t) +allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms; +allow system_crond_t cyrus_var_lib_t:file create_file_perms; +allow system_crond_su_t cyrus_var_lib_t:dir search; +') +allow cyrus_t mail_port_t:tcp_socket name_bind; diff --git a/strict/domains/program/dbskkd.te b/strict/domains/program/dbskkd.te new file mode 100644 index 0000000..e75d90b --- /dev/null +++ b/strict/domains/program/dbskkd.te 
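Review bot: the header comment of the cyrus hunk names `cyrusd_exec_t` and `cyrusd_key_t`, but `daemon_domain(cyrus)` declares `cyrus_exec_t`, and no `cyrusd_key_t` (or any key type) is declared anywhere in the file; fix the comment to match the types actually defined, or add the key type if TLS keys are meant to get their own label. Also `allow cyrus_t staff_t:fd use;` and `allow cyrus_t sysadm_devpts_t:chr_file { read write };` look like leftovers from starting the daemon by hand from a terminal rather than via init; if so, a comment or the usual `dontaudit` is better than a standing allow.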
@@ -0,0 +1,14 @@ +#DESC dbskkd - A dictionary server for the SKK Japanese input method system. +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the dbskkd_t domain. +# +# dbskkd_exec_t is the type of the dbskkd executable. +# +# Depends: inetd.te + +inetd_child_domain(dbskkd) diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te new file mode 100644 index 0000000..8216b06 --- /dev/null +++ b/strict/domains/program/dbusd.te @@ -0,0 +1,20 @@ +#DESC dbus-daemon-1 server for dbus desktop bus protocol +# +# Author: Russell Coker + +dbusd_domain(system) + +allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms; + +ifdef(`pamconsole.te', ` +r_dir_file(system_dbusd_t, pam_var_console_t) +') + +# dac_override: /var/run/dbus is owned by messagebus on Debian +allow system_dbusd_t self:capability { dac_override setgid setuid }; +can_ypbind(system_dbusd_t) + +# I expect we need more than this + +allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; + diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te new file mode 100644 index 0000000..53f7de4 --- /dev/null +++ b/strict/domains/program/dhcpc.te 
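Review bot: `allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };` in the dbusd hunk lets init scripts claim well-known names on the system bus, which is normally something only the owning daemon does; state which script needs `acquire_svc` or limit the rule to `send_msg`. The placeholder `# I expect we need more than this` documents nothing; either list the denials seen so far or drop the line.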
@@ -0,0 +1,146 @@ +#DESC DHCPC - DHCP client +# +# Authors: Wayne Salamon (NAI Labs) +# Russell Coker +# X-Debian-Packages: pump dhcp-client udhcpc +# + +################################# +# +# Rules for the dhcpc_t domain. +# +# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP +# network configurator daemon started by /etc/sysconfig/network-scripts +# rc scripts, runs in this domain. +# dhcpc_exec_t is the type of the dhcpcd executable. +# The dhcpc_t can be used for other DHCPC related files as well. +# +type dhcpc_port_t, port_type, reserved_port_type; + +daemon_domain(dhcpc) + +# for SSP +allow dhcpc_t urandom_device_t:chr_file read; + +can_network(dhcpc_t) +can_ypbind(dhcpc_t) +allow dhcpc_t self:unix_dgram_socket create_socket_perms; +allow dhcpc_t self:unix_stream_socket create_socket_perms; +allow dhcpc_t self:fifo_file rw_file_perms; + +allow dhcpc_t devpts_t:dir search; + +# for localization +allow dhcpc_t lib_t:file { getattr read }; + +ifdef(`consoletype.te', ` +domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t) +') +ifdef(`nscd.te', ` +domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t) +') +ifdef(`cardmgr.te', ` +domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) +allow cardmgr_t dhcpc_var_run_t:file { getattr read }; +allow cardmgr_t dhcpc_t:process signal_perms; +') +ifdef(`hotplug.te', ` +domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t) +allow hotplug_t dhcpc_t:process signal_perms; +allow hotplug_t dhcpc_var_run_t:file { getattr read }; +allow hotplug_t dhcp_etc_t:file rw_file_perms; +allow dhcpc_t hotplug_etc_t:dir { getattr search }; +ifdef(`distro_redhat', ` +domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t) +') +')dnl end hotplug.te + +# for the dhcp client to run ping to check IP addresses +ifdef(`ping.te', ` +domain_auto_trans(dhcpc_t, ping_exec_t, ping_t) +ifdef(`hotplug.te', ` +allow ping_t hotplug_t:fd use; +') dnl end if hotplug +ifdef(`cardmgr.te', ` +allow ping_t cardmgr_t:fd use; +') dnl end if 
cardmgr +') dnl end if ping + +ifdef(`dhcpd.te', `', ` +type dhcp_state_t, file_type, sysadmfile; +type dhcp_etc_t, file_type, sysadmfile, usercanread; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; +') +type dhcpc_state_t, file_type, sysadmfile; + +allow dhcpc_t etc_t:lnk_file read; +allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read }; +allow dhcpc_t proc_net_t:dir search; +allow dhcpc_t { proc_t proc_net_t }:file { getattr read }; +allow dhcpc_t self:file { getattr read }; +read_sysctl(dhcpc_t) +allow dhcpc_t userdomain:fd use; +ifdef(`run_init.te', ` +allow dhcpc_t run_init_t:fd use; +') + +# Use capabilities +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; + +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit dhcpc_t self:capability { dac_read_search sys_module }; + +# for udp port 68 +allow dhcpc_t dhcpc_port_t:udp_socket name_bind; + +# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files +# in /etc created by dhcpcd will be labelled net_conf_t. 
+file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file) + +# Allow access to the dhcpc file types +r_dir_file(dhcpc_t, dhcp_etc_t) +allow dhcpc_t sbin_t:dir search; +can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t }) +ifdef(`distro_redhat', ` +can_exec(dhcpc_t, etc_t) +allow initrc_t dhcp_etc_t:file rw_file_perms; +') +ifdef(`ifconfig.te', ` +domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t) +')dnl end if def ifconfig + + +tmp_domain(dhcpc) + +# Allow dhcpc_t to use packet sockets +allow dhcpc_t self:packet_socket create_socket_perms; +allow dhcpc_t var_lib_t:dir search; +file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) + +allow dhcpc_t bin_t:dir search; +allow dhcpc_t bin_t:lnk_file read; +can_exec(dhcpc_t, { bin_t shell_exec_t }) + +ifdef(`hostname.te', ` +domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t) +') +dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write }; +allow dhcpc_t { userdomain kernel_t }:fd use; + +allow dhcpc_t home_root_t:dir search; +allow initrc_t dhcpc_state_t:file { getattr read }; +dontaudit dhcpc_t var_lock_t:dir search; +dontaudit dhcpc_t selinux_config_t:dir search; +allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit dhcpc_t domain:dir getattr; +allow dhcpc_t initrc_var_run_t:file rw_file_perms; +# +# dhclient sometimes starts ypbind and ntdp +# +can_exec(dhcpc_t, initrc_exec_t) +ifdef(`ypbind.te', ` +domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t) +') +ifdef(`ntpd.te', ` +domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t) +') diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te new file mode 100644 index 0000000..67ae087 --- /dev/null +++ b/strict/domains/program/dhcpd.te 
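Review bot: `can_exec(dhcpc_t, etc_t)` inside the `ifdef(`distro_redhat'` block of the dhcpc hunk lets the DHCP client execute anything labelled etc_t in its own domain; the hook scripts it runs are already covered by `can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })` just above, so name the specific file under /etc that still needs it, or label that file dhcp_etc_t instead. Also `allow dhcpc_t userdomain:fd use;` earlier in the hunk is subsumed by the later `allow dhcpc_t { userdomain kernel_t }:fd use;`, and `dontaudit dhcpc_t self:capability { dac_read_search sys_module };` should say what attempts a module load (the comment above it only explains dac_read_search).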
@@ -0,0 +1,82 @@ +#DESC DHCPD - DHCP server +# +# Author: Russell Coker +# based on the dhcpc_t policy from: +# Wayne Salamon (NAI Labs) +# X-Debian-Packages: dhcp dhcp3-server +# + +################################# +# +# Rules for the dhcpd_t domain. +# +# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP +# server daemon rc scripts, runs in this domain. +# dhcpd_exec_t is the type of the dhcpdd executable. +# The dhcpd_t can be used for other DHCPC related files as well. +# +daemon_domain(dhcpd) + +allow dhcpd_t dhcpd_port_t:udp_socket name_bind; + +# for UDP port 4011 +ifdef(`pxe.te', `', ` +type pxe_port_t, port_type; +') +allow dhcpd_t pxe_port_t:udp_socket name_bind; + +type dhcp_etc_t, file_type, sysadmfile, usercanread; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; + +# Use the network. +can_network(dhcpd_t) +can_ypbind(dhcpd_t) +allow dhcpd_t self:unix_dgram_socket create_socket_perms; +allow dhcpd_t self:unix_stream_socket create_socket_perms; +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; + +allow dhcpd_t var_lib_t:dir search; + +allow dhcpd_t devtty_t:chr_file { read write }; + +# Use capabilities +allow dhcpd_t self:capability { net_raw net_bind_service }; +dontaudit dhcpd_t self:capability net_admin; + +# Allow access to the dhcpd file types +type dhcp_state_t, file_type, sysadmfile; +type dhcpd_state_t, file_type, sysadmfile; +allow dhcpd_t dhcp_etc_t:file { read getattr }; +allow dhcpd_t dhcp_etc_t:dir search; +file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file) + +allow dhcpd_t etc_t:lnk_file read; +allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms; + +# Allow dhcpd_t programs to execute themselves and bin_t (uname etc) +can_exec(dhcpd_t, { dhcpd_exec_t bin_t }) + +# Allow dhcpd_t to use packet sockets +allow dhcpd_t self:packet_socket create_socket_perms; +allow dhcpd_t self:rawip_socket create_socket_perms; + +# allow to run utilities and scripts +allow dhcpd_t { bin_t 
sbin_t }:dir r_dir_perms; +allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms; +allow dhcpd_t self:fifo_file { read write getattr }; + +# allow reading /proc +allow dhcpd_t proc_t:{ file lnk_file } r_file_perms; +tmp_domain(dhcpd) + +ifdef(`distro_gentoo', ` +allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; +allow initrc_t dhcpd_state_t:file setattr; +') +r_dir_file(dhcpd_t, usr_t) +allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms; + +ifdef(`named.te', ` +allow dhcpd_t { named_conf_t named_zone_t }:dir search; +allow dhcpd_t dnssec_t:file { getattr read }; +') diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te new file mode 100644 index 0000000..39df03a --- /dev/null +++ b/strict/domains/program/dictd.te 
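Review bot: the header comment of the dhcpd hunk is a copy of the dhcpc one with errors left in: `dhcpd, the DHCP server daemon rc scripts, runs in this domain`, `the dhcpdd executable` and `other DHCPC related files` should read `dhcpd, the DHCP server daemon started by the rc scripts, runs in this domain`, `the dhcpd executable` and `other DHCPD related files`. In the rules, the Gentoo-only `allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };` has no comment on which build option or start-up step needs dac_override and sys_chroot; a line like the `# for UDP port 4011` one above it would help.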
@@ -0,0 +1,49 @@ +#DESC Dictd - Dictionary daemon +# +# Authors: Russell Coker +# X-Debian-Packages: dictd +# + +################################# +# +# Rules for the dictd_t domain. +# +# dictd_exec_t is the type of the dictd executable. +# +type dict_port_t, port_type; +daemon_base_domain(dictd) +type var_lib_dictd_t, file_type, sysadmfile; +etc_domain(dictd) +typealias dictd_etc_t alias etc_dictd_t; + +# for checking for nscd +dontaudit dictd_t var_run_t:dir search; + +# read config files +allow dictd_t { etc_t etc_runtime_t }:file r_file_perms; + +read_locale(dictd_t) + +allow dictd_t { var_t var_lib_t }:dir search; +allow dictd_t var_lib_dictd_t:dir r_dir_perms; +allow dictd_t var_lib_dictd_t:file r_file_perms; + +allow dictd_t self:capability { setuid setgid }; + +allow dictd_t usr_t:file r_file_perms; + +allow dictd_t self:process { setpgid fork sigchld }; + +allow dictd_t proc_t:file r_file_perms; + +allow dictd_t dict_port_t:tcp_socket name_bind; + +allow dictd_t devtty_t:chr_file rw_file_perms; + +allow dictd_t self:unix_stream_socket create_stream_socket_perms; + +can_network_server(dictd_t) +can_ypbind(dictd_t) +can_tcp_connect(userdomain, dictd_t) + +allow dictd_t fs_t:filesystem getattr; diff --git a/strict/domains/program/dmesg.te b/strict/domains/program/dmesg.te new file mode 100644 index 0000000..9f9392e --- /dev/null +++ b/strict/domains/program/dmesg.te 
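Review bot: `type var_lib_dictd_t, file_type, sysadmfile;` in the dictd hunk breaks the `<domain>_var_lib_t` naming used elsewhere in this patch (`cyrus_var_lib_t`, `rpm_var_lib_t`); rename it `dictd_var_lib_t`, keeping the old name via `typealias` if existing file contexts depend on it. Also `dontaudit dictd_t var_run_t:dir search;` under `# for checking for nscd` will silently hide the failure once nscd is installed and the daemon actually needs that search to reach the socket; handling it through `nscd_client_domain`, as the crond and cupsd hunks do, would be more consistent.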
@@ -0,0 +1,29 @@ +#DESC dmesg - control kernel ring buffer +# +# Author: Dan Walsh dwalsh@redhat.com +# +# X-Debian-Packages: util-linux + +################################# +# +# Rules for the dmesg_t domain. +# +# dmesg_exec_t is the type of the dmesg executable. +# +# while sysadm_t has the sys_admin capability there is no point in using +# dmesg_t when run from sysadm_t, so we use nosysadm. +# +daemon_base_domain(dmesg, , `nosysadm') + +# +# Rules used for dmesg +# +allow dmesg_t self:capability sys_admin; +allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod }; +allow dmesg_t admin_tty_type:chr_file { getattr read write }; +allow dmesg_t sysadm_tty_device_t:chr_file ioctl; +allow dmesg_t var_log_t:file { getattr write }; +read_locale(dmesg_t) + +# for when /usr is not mounted +dontaudit dmesg_t file_t:dir search; diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te new file mode 100644 index 0000000..9d91688 --- /dev/null +++ b/strict/domains/program/dovecot.te 
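Review bot: `allow dmesg_t var_log_t:file { getattr write };` in the dmesg hunk has no comment; dmesg itself does not open log files, so this is presumably stdout redirected to a file under /var/log by an rc script. Say so, and consider whether `append` is the intended access rather than `write`. Also `syslog_mod` in `allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };` lets the domain clear the ring buffer and change the console log level; since the header explains that sysadm_t never enters dmesg_t (`nosysadm`), note which of the remaining callers needs more than `syslog_read`.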
@@ -0,0 +1,55 @@ +#DESC Dovecot POP and IMAP servers +# +# Author: Russell Coker +# X-Debian-Packages: dovecot-imapd, dovecot-pop3d + +daemon_domain(dovecot, `, privhome') + +allow dovecot_t dovecot_var_run_t:sock_file create_file_perms; + +can_exec(dovecot_t, dovecot_exec_t) + +type dovecot_cert_t, file_type, sysadmfile; + +allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; +allow dovecot_t self:process setrlimit; +can_network_tcp(dovecot_t) +can_ypbind(dovecot_t) +allow dovecot_t self:unix_dgram_socket create_socket_perms; +allow dovecot_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(dovecot_t, self) + +allow dovecot_t etc_t:file { getattr read }; +allow dovecot_t initrc_var_run_t:file getattr; +allow dovecot_t bin_t:dir { getattr search }; +can_exec(dovecot_t, bin_t) + +allow dovecot_t pop_port_t:tcp_socket name_bind; +allow dovecot_t urandom_device_t:chr_file read; +allow dovecot_t cert_t:dir search; +allow dovecot_t dovecot_cert_t:file { getattr read }; + +allow dovecot_t { self proc_t }:file { getattr read }; +allow dovecot_t self:fifo_file rw_file_perms; + +can_kerberos(dovecot_t) + +allow dovecot_t tmp_t:dir search; +rw_dir_file(dovecot_t, mail_spool_t) +allow dovecot_t mail_spool_t:lnk_file read; +allow dovecot_t var_spool_t:dir { search }; + +daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd') +allow dovecot_auth_t self:process { fork signal_perms }; +allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; +allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; +allow dovecot_auth_t self:fifo_file rw_file_perms; +allow dovecot_auth_t urandom_device_t:chr_file { getattr read }; +allow dovecot_auth_t etc_t:file { getattr read }; +allow dovecot_auth_t { self proc_t }:file { getattr read }; +read_locale(dovecot_auth_t) +read_sysctl(dovecot_auth_t) 
+allow dovecot_auth_t sysctl_t:dir search; +dontaudit dovecot_auth_t selinux_config_t:dir search; + diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te new file mode 100644 index 0000000..d87c11f --- /dev/null +++ b/strict/domains/program/fetchmail.te @@ -0,0 +1,28 @@ +#DESC fetchmail - remote-mail retrieval utility +# +# Author: Greg Norris +# X-Debian-Packages: fetchmail +# +# Note: This policy is only required when running fetchmail in daemon mode. + +################################# +# +# Rules for the fetchmail_t domain. +# +daemon_domain(fetchmail); +type fetchmail_etc_t, file_type, sysadmfile; +type fetchmail_uidl_cache_t, file_type, sysadmfile; + +# misc. requirements +allow fetchmail_t self:process setrlimit; + +# network-related goodies +can_network(fetchmail_t) +allow fetchmail_t self:unix_dgram_socket create_socket_perms; +allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; + +# file access +allow fetchmail_t etc_t:file r_file_perms; +allow fetchmail_t fetchmail_etc_t:file r_file_perms; +allow fetchmail_t mail_spool_t:dir search; +file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file) diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te new file mode 100644 index 0000000..86705eb --- /dev/null +++ b/strict/domains/program/fingerd.te 
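Review bot: in dovecot.te, `can_exec(dovecot_t, bin_t)` combined with the privhome attribute and the `dac_override dac_read_search` capabilities leaves dovecot_t able to run any program under /bin and read any file regardless of its DAC bits, yet the file carries no comment on why any of these is required (the other daemons in this patch justify their capabilities inline). Record which Dovecot feature needs each grant and, if only specific helpers are executed, narrow `can_exec` to their types. Style: `allow dovecot_t var_spool_t:dir { search };` does not need braces around a single permission.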
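Review bot: in fetchmail.te, `daemon_domain(fetchmail);` carries a trailing semicolon that no other macro call in this patch has; the m4 macros already expand to complete statements, so the stray `;` lands in the generated policy. Drop it to match `daemon_domain(dovecot, ...)`, `daemon_domain(fingerd)` and the rest. Also, since the header says this policy is only for daemon mode and fetchmail only opens outbound TCP sessions to remote mail servers, the narrower `can_network_tcp(fetchmail_t)` used in dovecot.te may be enough in place of the full `can_network(fetchmail_t)`; if UDP or a listening socket is genuinely needed, a comment should say which feature needs it.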
@@ -0,0 +1,82 @@ +#DESC Fingerd - Finger daemon +# +# Author: Russell Coker +# X-Debian-Packages: fingerd cfingerd efingerd ffingerd +# + +################################# +# +# Rules for the fingerd_t domain. +# +# fingerd_exec_t is the type of the fingerd executable. +# +daemon_domain(fingerd) + +type fingerd_port_t, port_type, reserved_port_type; +etcdir_domain(fingerd) +typealias fingerd_etc_t alias etc_fingerd_t; + +allow fingerd_t etc_t:lnk_file read; +allow fingerd_t { etc_t etc_runtime_t }:file { read getattr }; + +log_domain(fingerd) +system_crond_entry(fingerd_exec_t, fingerd_t) +ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)') + +allow fingerd_t fingerd_port_t:tcp_socket name_bind; +ifdef(`inetd.te', ` +allow inetd_t fingerd_port_t:tcp_socket name_bind; +# can be run from inetd +domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t) +allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl }; +') +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t) +') + +allow fingerd_t self:capability { setgid setuid }; +# for gzip from logrotate +dontaudit fingerd_t self:capability fsetid; + +# cfingerd runs shell scripts +allow fingerd_t { bin_t sbin_t }:dir search; +allow fingerd_t bin_t:lnk_file read; +can_exec(fingerd_t, { shell_exec_t bin_t sbin_t }) +allow fingerd_t devtty_t:chr_file { read write }; + +allow fingerd_t { ttyfile ptyfile }:chr_file getattr; + +# Use the network. +can_network_server(fingerd_t) +can_ypbind(fingerd_t) + +allow fingerd_t self:unix_dgram_socket create_socket_perms; +allow fingerd_t self:unix_stream_socket create_socket_perms; +allow fingerd_t self:fifo_file { read write getattr }; + +# allow any user domain to connect to the finger server +can_tcp_connect(userdomain, fingerd_t) + +# for .finger, .plan. 
etc +allow fingerd_t { home_root_t user_home_dir_type }:dir search; +# should really have a different type for .plan etc +allow fingerd_t user_home_type:file { getattr read }; +# stop it accessing sub-directories, prevents checking a Maildir for new mail, +# have to change this when we create a type for Maildir +dontaudit fingerd_t user_home_t:dir search; + +# for mail +allow fingerd_t { var_spool_t mail_spool_t }:dir search; +allow fingerd_t mail_spool_t:file getattr; +allow fingerd_t mail_spool_t:lnk_file read; + +# see who is logged in and when users last logged in +allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr }; +dontaudit fingerd_t initrc_var_run_t:file lock; +allow fingerd_t devpts_t:dir search; +allow fingerd_t ptyfile:chr_file getattr; + +allow fingerd_t proc_t:file { read getattr }; + +# for date command +read_sysctl(fingerd_t) diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te new file mode 100644 index 0000000..37b107d --- /dev/null +++ b/strict/domains/program/firstboot.te 
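Review bot: in fingerd.te, `allow fingerd_t user_home_type:file { getattr read };` lets a network-facing daemon, which `can_tcp_connect(userdomain, fingerd_t)` also opens to every local user domain, read any file directly under any user's home directory, not only .plan and .project; the two "should really have a different type" comments acknowledge this. Since the file already introduces `fingerd_etc_t` via `etcdir_domain(fingerd)`, adding a dedicated type for those dotfiles in this same patch would close the gap instead of deferring it. Separately, the log rotation path (`system_crond_entry(fingerd_exec_t, fingerd_t)`, `can_exec(fingerd_t, logrotate_exec_t)`, the `fsetid` dontaudit) runs rotation inside fingerd_t; a one-line comment on why this is not left to the normal logrotate domain would help the next reviewer.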
@@ -0,0 +1,131 @@ +#DESC firstboot +# +# Author: Dan Walsh +# X-Debian-Packages: firstboot +# + +################################# +# +# Rules for the firstboot_t domain. +# +# firstboot_exec_t is the type of the firstboot executable. +# +application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer') +type firstboot_rw_t, file_type, sysadmfile; +role system_r types firstboot_t; + +ifdef(`xserver.te', ` +domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) +') + +etc_domain(firstboot) + +allow firstboot_t proc_t:file r_file_perms; + +allow firstboot_t urandom_device_t:chr_file { getattr read }; +allow firstboot_t proc_t:file { getattr read write }; + +domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t) +file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file) + +can_exec_any(firstboot_t) +domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t) +domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t) +allow firstboot_t etc_runtime_t:file { getattr read }; + +r_dir_file(firstboot_t, etc_t) + +allow firstboot_t firstboot_rw_t:dir create_dir_perms; +allow firstboot_t firstboot_rw_t:file create_file_perms; +allow firstboot_t self:fifo_file { getattr read write }; +allow firstboot_t self:process { fork sigchld }; +allow firstboot_t self:unix_stream_socket { connect create }; +allow firstboot_t initrc_exec_t:file { getattr read }; +allow firstboot_t initrc_var_run_t:file r_file_perms; +allow firstboot_t lib_t:file { getattr read }; +allow firstboot_t local_login_t:fd use; +read_locale(firstboot_t) + +allow firstboot_t proc_t:dir search; +allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms; +allow firstboot_t usr_t:file r_file_perms; + +allow firstboot_t etc_t:file write; + +# Allow write to utmp file +allow firstboot_t initrc_var_run_t:file write; + +allow firstboot_t krb5_conf_t:file { getattr read }; +allow firstboot_t net_conf_t:file { getattr 
read }; + +ifdef(`samba.te', ` +rw_dir_file(firstboot_t, samba_etc_t) +') + +dontaudit firstboot_t shadow_t:file getattr; + +role system_r types initrc_t; +#role_transition firstboot_r initrc_exec_t system_r; +domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t) + +allow firstboot_t self:passwd rootok; + +ifdef(`userhelper.te', ` +role system_r types sysadm_userhelper_t; +domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t) +') + +ifdef(`consoletype.te', ` +allow consoletype_t devtty_t:chr_file { read write }; +allow consoletype_t etc_t:file { getattr read }; +allow consoletype_t firstboot_t:fd use; +') + +allow firstboot_t etc_t:{ file lnk_file } create_file_perms; + +allow firstboot_t self:capability { dac_override setgid }; +allow firstboot_t self:dir search; +allow firstboot_t self:file { read write }; +allow firstboot_t self:lnk_file read; +can_setfscreate(firstboot_t) +allow firstboot_t krb5_conf_t:file rw_file_perms; + +allow firstboot_t modules_conf_t:file { getattr read }; +allow firstboot_t modules_dep_t:file { getattr read }; +allow firstboot_t modules_object_t:dir search; +allow firstboot_t net_conf_t:file rw_file_perms; +allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send }; +allow firstboot_t node_t:node { tcp_recv tcp_send }; + +allow firstboot_t port_t:tcp_socket { recv_msg send_msg }; +allow firstboot_t proc_t:lnk_file read; + +can_getsecurity(firstboot_t) + +dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition }; +read_sysctl(firstboot_t) + +allow firstboot_t var_run_t:dir getattr; +allow firstboot_t var_t:dir getattr; +allow hostname_t devtty_t:chr_file { read write }; +allow hostname_t firstboot_t:fd use; +ifdef(`iptables.te', ` +allow iptables_t devtty_t:chr_file { read write }; +allow iptables_t firstboot_t:fd use; +allow iptables_t firstboot_t:fifo_file write; +') +can_network_server(firstboot_t) +can_ypbind(firstboot_t) +ifdef(`printconf.te', ` +can_exec(firstboot_t, printconf_t) +') 
+create_dir_file(firstboot_t, var_t) +# Add/remove user home directories +file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir) +file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t) + +# +# The big hammer +# +unconfined_domain(firstboot_t) + diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te new file mode 100644 index 0000000..6ec6da0 --- /dev/null +++ b/strict/domains/program/fs_daemon.te @@ -0,0 +1,26 @@ +#DESC file system daemons +# +# Author: Russell Coker +# X-Debian-Packages: smartmontools + +daemon_domain(fsdaemon, `, fs_domain, privmail') +allow fsdaemon_t self:unix_dgram_socket create_socket_perms; +allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; + +# for config +allow fsdaemon_t etc_t:file { getattr read }; + +allow fsdaemon_t device_t:dir read; +allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms; +allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; +allow fsdaemon_t etc_runtime_t:file { getattr read }; + +can_exec_any(fsdaemon_t) +allow fsdaemon_t self:fifo_file rw_file_perms; +can_network_udp(fsdaemon_t) +tmp_domain(fsdaemon) +allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read }; + +dontaudit fsdaemon_t devpts_t:dir search; +allow fsdaemon_t proc_t:file { getattr read }; +dontaudit system_mail_t fixed_disk_device_t:blk_file read; diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te new file mode 100644 index 0000000..6ae2a67 --- /dev/null +++ b/strict/domains/program/fsadm.te 
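Review bot: in firstboot.te, the closing `unconfined_domain(firstboot_t)` (the "big hammer") makes the roughly one hundred allow and dontaudit rules above it dead weight: once the domain is unconfined, `dontaudit firstboot_t shadow_t:file getattr;` and the careful `file_type_auto_trans` rules no longer describe what firstboot may actually do, and anyone auditing the domain from this file is misled. Either remove `unconfined_domain` and keep the fine-grained rules, or strip the fine-grained rules and state in the header that the domain is unconfined and why. Also `role system_r types initrc_t;` belongs with the initrc domain declaration, and the commented-out `#role_transition firstboot_r initrc_exec_t system_r;` refers to a role `firstboot_r` this file never declares; drop both lines.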
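Review bot: in fs_daemon.te, the final `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` silences an access that should not occur at all: the mailer spawned for alerts has no business holding a disk device, so the denial points to an open descriptor leaking from the smartmontools daemon into the child it executes. The better fix is in the daemon (close the device or set close-on-exec before exec) with the dontaudit removed; if that cannot be done here, add a comment saying this is a known descriptor leak so the rule is not mistaken for an intended grant. `can_exec_any(fsdaemon_t)` likewise deserves a comment naming the programs the daemon actually runs.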
@@ -0,0 +1,117 @@ +#DESC Fsadm - Disk and file system administration +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount +# + +################################# +# +# Rules for the fsadm_t domain. +# +# fsadm_t is the domain for disk and file system +# administration. +# fsadm_exec_t is the type of the corresponding programs. +# +type fsadm_t, domain, privlog, fs_domain; +role system_r types fsadm_t; +role sysadm_r types fsadm_t; + +general_domain_access(fsadm_t) + +# for swapon +allow fsadm_t sysfs_t:dir { search getattr }; + +# Read system information files in /proc. +r_dir_file(fsadm_t, proc_t) + +# Read system variables in /proc/sys +read_sysctl(fsadm_t) + +# for /dev/shm +allow fsadm_t tmpfs_t:dir { getattr search }; + +base_file_read_access(fsadm_t) + +# Read /etc. +allow fsadm_t etc_t:dir r_dir_perms; +allow fsadm_t etc_t:notdevfile_class_set r_file_perms; + +# Read module-related files. +allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. +allow fsadm_t device_t:dir r_dir_perms; +allow fsadm_t device_t:lnk_file r_file_perms; + +uses_shlib(fsadm_t) + +type fsadm_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t) +domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t) + +tmp_domain(fsadm) + +# remount file system to apply changes +allow fsadm_t fs_t:filesystem remount; + +allow fsadm_t fs_t:filesystem getattr; + +# mkreiserfs needs this +allow fsadm_t proc_t:filesystem getattr; + +# mkreiserfs and other programs need this for UUID +allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read }; + +# Use capabilities. ipc_lock is for losetup +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; + +# Write to /etc/mtab. +file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file) + +# Inherit and use descriptors from init. 
+allow fsadm_t init_t:fd use; + +# Run other fs admin programs in the fsadm_t domain. +can_exec(fsadm_t, fsadm_exec_t) + +# Access disk devices. +allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms; +allow fsadm_t removable_device_t:devfile_class_set rw_file_perms; +allow fsadm_t scsi_generic_device_t:chr_file r_file_perms; + +# Access lost+found. +allow fsadm_t lost_found_t:dir create_dir_perms; +allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms; +allow fsadm_t lost_found_t:lnk_file create_lnk_perms; + +allow fsadm_t file_t:dir { search read getattr rmdir create }; + +# Recreate /mnt/cdrom. +allow fsadm_t mnt_t:dir { search read getattr rmdir create }; + +# Recreate /dev/cdrom. +allow fsadm_t device_t:dir rw_dir_perms; +allow fsadm_t device_t:lnk_file { unlink create }; + +# Enable swapping to devices and files +allow fsadm_t swapfile_t:file { getattr swapon }; +allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon }; + +# Allow console log change (updfstab) +allow fsadm_t kernel_t:system syslog_console; + +# Access terminals. +allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') +allow fsadm_t privfd:fd use; +allow fsadm_t devpts_t:dir { getattr search }; + +read_locale(fsadm_t) + +# for smartctl cron jobs +system_crond_entry(fsadm_exec_t, fsadm_t) + +# Access to /initrd devices +allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms; +allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms; +allow fsadm_t usbfs_t:dir { getattr search }; diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te new file mode 100644 index 0000000..938899a --- /dev/null +++ b/strict/domains/program/ftpd.te 
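Review bot: in fsadm.te, the `# Access to /initrd devices` block grants `rw_dir_perms` and `rw_file_perms` on every `unlabeled_t` directory and block device, not only those under /initrd; unlabeled_t is also the label carried by any mislabeled or never-labeled object, so the comment undersells the scope of `allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;` and the blk_file rule below it. Either explain that this is a boot-time necessity and why no narrower label is available, or restrict the rule so a reader does not assume it is initrd-specific.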
@@ -0,0 +1,116 @@ +#DESC Ftpd - Ftp daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd +# + +################################# +# +# Rules for the ftpd_t domain +# +type ftp_port_t, port_type, reserved_port_type; +type ftp_data_port_t, port_type, reserved_port_type; +daemon_domain(ftpd, `, auth_chkpwd') +etc_domain(ftpd) +typealias ftpd_etc_t alias etc_ftpd_t; + +can_network(ftpd_t) +allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow ftpd_t self:unix_stream_socket create_socket_perms; +allow ftpd_t self:process { getcap setcap setsched setrlimit }; +allow ftpd_t self:fifo_file rw_file_perms; + +allow ftpd_t bin_t:dir search; +can_exec(ftpd_t, bin_t) +allow ftpd_t bin_t:lnk_file read; +read_sysctl(ftpd_t) + +allow ftpd_t urandom_device_t:chr_file { getattr read }; + +ifdef(`crond.te', ` +system_crond_entry(ftpd_exec_t, ftpd_t) +allow system_crond_t xferlog_t:file r_file_perms; +can_exec(ftpd_t, { sbin_t shell_exec_t }) +allow ftpd_t usr_t:file { getattr read }; +ifdef(`logrotate.te', ` +can_exec(ftpd_t, logrotate_exec_t) +')dnl end if logrotate.te +')dnl end if crond.te + +allow ftpd_t ftp_data_port_t:tcp_socket name_bind; +allow ftpd_t port_t:tcp_socket name_bind; + +# Allow ftpd to run directly without inetd. +bool ftpd_is_daemon false; +if (ftpd_is_daemon) { +rw_dir_create_file(ftpd_t, var_lock_t) +allow ftpd_t ftp_port_t:tcp_socket name_bind; +can_tcp_connect(userdomain, ftpd_t) +# Allows it to check exec privs on daemon +allow inetd_t ftpd_exec_t:file x_file_perms; +} +ifdef(`inetd.te', ` +if (!ftpd_is_daemon) { +ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)') +domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t) + +# Use sockets inherited from inetd. +allow ftpd_t inetd_t:fd use; +allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Send SIGCHLD to inetd on death. 
+allow ftpd_t inetd_t:process sigchld; +} +') dnl end inetd.te + +# Access shared memory tmpfs instance. +tmpfs_domain(ftpd) + +# Use capabilities. +allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; + +# Append to /var/log/wtmp. +allow ftpd_t wtmp_t:file { getattr append }; +#kerberized ftp requires the following +allow ftpd_t wtmp_t:file { write lock }; + +# Create and modify /var/log/xferlog. +type xferlog_t, file_type, sysadmfile, logfile; +file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file) + +# Execute /bin/ls (can comment this out for proftpd) +# also may need rules to allow tar etc... +can_exec(ftpd_t, ls_exec_t) + +allow initrc_t ftpd_etc_t:file { getattr read }; +allow ftpd_t { etc_t etc_runtime_t }:file { getattr read }; +allow ftpd_t proc_t:file { getattr read }; + +dontaudit ftpd_t sysadm_home_dir_t:dir getattr; +dontaudit ftpd_t selinux_config_t:dir search; +allow ftpd_t autofs_t:dir search; +allow ftpd_t self:file { getattr read }; +tmp_domain(ftpd) + +# Allow ftp to read/write files in the user home directories. +bool ftp_home_dir false; + +if (ftp_home_dir) { +# allow access to /home +allow ftpd_t home_root_t:dir { getattr search }; +} +if (use_nfs_home_dirs && ftp_home_dir) { + r_dir_file(ftpd_t, nfs_t) +} +if (use_samba_home_dirs && ftp_home_dir) { + r_dir_file(ftpd_t, cifs_t) +} +dontaudit ftpd_t selinux_config_t:dir search; +# +# Type for access to anon ftp +# +type ftpd_anon_t, file_type, sysadmfile, customizable; +r_dir_file(ftpd_t,ftpd_anon_t) +type ftpd_anon_rw_t, file_type, sysadmfile, customizable; +create_dir_file(ftpd_t,ftpd_anon_rw_t) diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te new file mode 100644 index 0000000..6129631 --- /dev/null +++ b/strict/domains/program/games.te 
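Review bot: in ftpd.te, the `if (ftpd_is_daemon) { ... }` block contains `allow inetd_t ftpd_exec_t:file x_file_perms;` outside any `ifdef(`inetd.te', ...)` guard, so the build fails when inetd.te is not selected, and the rule sits in the wrong branch anyway: inetd only needs execute access to ftpd when ftpd is not running as a daemon. Move it into the `if (!ftpd_is_daemon) {` block inside the inetd.te guard, where `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)` most likely already grants it. Also `dontaudit ftpd_t selinux_config_t:dir search;` appears twice, and the kerberized-ftp rule `allow ftpd_t wtmp_t:file { write lock };` turns the deliberately append-only wtmp access above it into full write; if it is really required, consider making it conditional on a boolean the same way `ftpd_is_daemon` and `ftp_home_dir` are.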
@@ -0,0 +1,17 @@ +#DESC Games - Miscellaneous games +# +# Author: Russell Coker +# X-Debian-Packages: bsdgames +# + +# type for shared data from games +type games_data_t, file_type, sysadmfile; + +# domain games_t is for system operation of games, generic games daemons and +# games recovery scripts, also defines games_exec_t +daemon_domain(games,,nosysadm) +rw_dir_create_file(games_t, games_data_t) +r_dir_file(initrc_t, games_data_t) + +# Everything else is in the x_client_domain macro in +# macros/program/x_client_macros.te. diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te new file mode 100644 index 0000000..745d52e --- /dev/null +++ b/strict/domains/program/getty.te 
@@ -0,0 +1,60 @@ +#DESC Getty - Manage ttys +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty +# + +################################# +# +# Rules for the getty_t domain. +# +init_service_domain(getty, `, privfd') + +etcdir_domain(getty) +typealias getty_etc_t alias etc_getty_t; + +allow getty_t console_device_t:chr_file setattr; + +tmp_domain(getty) +log_domain(getty) + +allow getty_t { etc_t etc_runtime_t }:file { getattr read }; +allow getty_t etc_t:lnk_file read; +allow getty_t self:process { getpgid getsession }; +allow getty_t self:unix_dgram_socket create_socket_perms; +allow getty_t self:unix_stream_socket create_socket_perms; + +# to allow w to display everyone... +bool user_ttyfile_stat false; +if (user_ttyfile_stat) { +allow userdomain ttyfile:chr_file getattr; +} + +# Use capabilities. +allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }; + +# fbgetty needs fsetid for some reason +#allow getty_t self:capability fsetid; + +read_locale(getty_t) + +# Run login in local_login_t domain. +allow getty_t bin_t:dir search; +domain_auto_trans(getty_t, login_exec_t, local_login_t) + +# Write to /var/run/utmp. +allow getty_t { var_t var_run_t }:dir search; +allow getty_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow getty_t wtmp_t:file rw_file_perms; + +# Chown, chmod, read and write ttys. +allow getty_t tty_device_t:chr_file { setattr rw_file_perms }; +allow getty_t ttyfile:chr_file { setattr rw_file_perms }; + +# for error condition handling +allow getty_t fs_t:filesystem getattr; + +rw_dir_create_file(getty_t, var_lock_t) +r_dir_file(getty_t, sysfs_t) diff --git a/strict/domains/program/gnome-pty-helper.te b/strict/domains/program/gnome-pty-helper.te new file mode 100644 index 0000000..084aa68 --- /dev/null +++ b/strict/domains/program/gnome-pty-helper.te 
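Review bot: in getty.te, the `user_ttyfile_stat` boolean and its rule `allow userdomain ttyfile:chr_file getattr;` govern what user domains may do, not getty_t, so anyone reviewing user domain permissions will not find them here. Move them next to the user domain policy, or at least expand the comment (`# to allow w to display everyone...`) to say that the rule lives in getty.te only because the ttys in question are managed by getty.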
@@ -0,0 +1,11 @@ +#DESC Gnome Terminal - Helper program for GNOME x-terms +# +# Domains for the gnome-pty-helper program. +# X-Debian-Packages: gnome-terminal +# + +# Type for the gnome-pty-helper executable. +type gph_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the gph_domain macro in +# macros/program/gph_macros.te. diff --git a/strict/domains/program/gpg-agent.te b/strict/domains/program/gpg-agent.te new file mode 100644 index 0000000..2942c6c --- /dev/null +++ b/strict/domains/program/gpg-agent.te @@ -0,0 +1,13 @@ +#DESC gpg-agent - agent to securely store gpg-keys +# +# Author: Thomas Bleher +# + +# Type for the gpg-agent executable. +type gpg_agent_exec_t, file_type, exec_type, sysadmfile; + +# type for the pinentry executable +type pinentry_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the gpg_agent_domain macro in +# macros/program/gpg_agent_macros.te. diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te new file mode 100644 index 0000000..65e2ca5 --- /dev/null +++ b/strict/domains/program/gpg.te @@ -0,0 +1,18 @@ +#DESC GPG - Gnu Privacy Guard (PGP replacement) +# +# Authors: Russell Coker +# X-Debian-Packages: gnupg +# + +# Type for gpg or pgp executables. +type gpg_exec_t, file_type, sysadmfile, exec_type; +type gpg_helper_exec_t, file_type, sysadmfile, exec_type; + +allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; +allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; + +# Allow gpg exec stack +bool allow_gpg_execstack false; + +# Everything else is in the gpg_domain macro in +# macros/program/gpg_macros.te. diff --git a/strict/domains/program/gpm.te b/strict/domains/program/gpm.te new file mode 100644 index 0000000..ff81d69 --- /dev/null +++ b/strict/domains/program/gpm.te 
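Review bot: in gpg.te, the two rules `allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;` and `allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;` hard-code the sysadm instance in a file whose closing comment says everything else lives in the gpg_domain macro. If every gpg domain needs home-directory search and pty access, the rules belong in the macro; if only the sysadm instance does, a comment should say why. The declaration `bool allow_gpg_execstack false;` is also unused in this file, so a pointer to where the macro consults it would help.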
@@ -0,0 +1,45 @@ +#DESC Gpm - General Purpose Mouse driver +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: gpm +# + +################################# +# +# Rules for the gpm_t domain. +# +# gpm_t is the domain of the console mouse server. +# gpm_exec_t is the type of the console mouse server program. +# gpmctl_t is the type of the Unix domain socket or pipe created +# by the console mouse server. +# +daemon_domain(gpm) + +type gpmctl_t, file_type, sysadmfile, dev_fs; + +tmp_domain(gpm) + +# Allow to read the /etc/gpm/ conf files +type gpm_conf_t, file_type, sysadmfile; +r_dir_file(gpm_t, gpm_conf_t) + +# Use capabilities. +allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config }; + +# Create and bind to /dev/gpmctl. +file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file }) +allow gpm_t gpmctl_t:unix_stream_socket name_bind; +allow gpm_t self:unix_dgram_socket create_socket_perms; +allow gpm_t self:unix_stream_socket create_stream_socket_perms; + +# Read and write ttys. +allow gpm_t tty_device_t:chr_file rw_file_perms; + +# Access the mouse. +allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms; +allow gpm_t device_t:lnk_file { getattr read }; + +read_locale(gpm_t) + +allow initrc_t gpmctl_t:sock_file setattr; + diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te new file mode 100644 index 0000000..95ebff9 --- /dev/null +++ b/strict/domains/program/hald.te 
@@ -0,0 +1,74 @@ +#DESC hald - server for device info +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the hald_t domain. +# +# hald_exec_t is the type of the hald executable. +# +daemon_domain(hald, `, fs_domain, nscd_client_domain') + +can_exec_any(hald_t) + +allow hald_t { etc_t etc_runtime_t }:file { getattr read }; +allow hald_t self:unix_stream_socket create_stream_socket_perms; +allow hald_t self:unix_dgram_socket create_socket_perms; + +ifdef(`dbusd.te', ` +allow hald_t system_dbusd_t:dbus { acquire_svc send_msg }; +dbusd_client(system, hald) +allow hald_t self:dbus send_msg; +') + +allow hald_t { self proc_t }:file { getattr read }; + +allow hald_t { bin_t sbin_t }:dir search; +allow hald_t self:fifo_file rw_file_perms; +allow hald_t usr_t:file { getattr read }; + +allow hald_t bin_t:file getattr; +allow hald_t self:netlink_route_socket r_netlink_socket_perms; +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; +can_network_server(hald_t) +can_ypbind(hald_t) + +allow hald_t device_t:lnk_file read; +allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl }; +allow hald_t removable_device_t:blk_file write; +allow hald_t event_device_t:chr_file { getattr read ioctl }; +allow hald_t printer_device_t:chr_file rw_file_perms; +allow hald_t urandom_device_t:chr_file read; + +ifdef(`updfstab.te', ` +domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t) +allow updfstab_t hald_t:dbus send_msg; +allow hald_t updfstab_t:dbus send_msg; +') +ifdef(`udev.te', ` +domain_auto_trans(hald_t, udev_exec_t, udev_t) +allow udev_t hald_t:unix_dgram_socket sendto; +allow hald_t udev_tbl_t:file { getattr read }; +') + +ifdef(`hotplug.te', ` +r_dir_file(hald_t, hotplug_etc_t) +') +allow hald_t usbdevfs_t:dir search; +allow hald_t usbdevfs_t:file { getattr read }; +allow hald_t usbfs_t:dir search; +allow hald_t usbfs_t:file { getattr read }; +allow hald_t 
bin_t:lnk_file read; +r_dir_file(hald_t, { selinux_config_t default_context_t } ) +allow hald_t initrc_t:dbus send_msg; +allow initrc_t hald_t:dbus send_msg; +allow hald_t etc_runtime_t:file rw_file_perms; +allow hald_t var_lib_t:dir search; +allow hald_t device_t:dir create_dir_perms; +allow hald_t device_t:chr_file create_file_perms; +tmp_domain(hald) +allow hald_t mnt_t:dir search; +r_dir_file(hald_t, proc_net_t) diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te new file mode 100644 index 0000000..575833c --- /dev/null +++ b/strict/domains/program/hostname.te @@ -0,0 +1,28 @@ +#DESC hostname - show or set the system host name +# +# Author: Russell Coker +# X-Debian-Packages: hostname + +# for setting the hostname +daemon_base_domain(hostname, , nosysadm) +role sysadm_r types hostname_t; + +allow hostname_t self:capability sys_admin; +allow hostname_t etc_t:file { getattr read }; + +allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write }; +read_locale(hostname_t) +can_resolve(hostname_t) +allow hostname_t userdomain:fd use; +dontaudit hostname_t kernel_t:fd use; +allow hostname_t net_conf_t:file { getattr read }; +allow hostname_t self:unix_stream_socket create_stream_socket_perms; +dontaudit hostname_t var_t:dir search; +allow hostname_t fs_t:filesystem getattr; + +# for when /usr is not mounted +dontaudit hostname_t file_t:dir search; + +ifdef(`distro_redhat', ` +allow hostname_t tmpfs_t:chr_file rw_file_perms; +') diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te new file mode 100644 index 0000000..7fd6a39 --- /dev/null +++ b/strict/domains/program/hotplug.te 
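Review bot: in hald.te, the header's `X-Debian-Packages:` field is empty; fill in the package name or drop the line, since the other files rely on it. More importantly, `can_exec_any(hald_t)` together with the `mknod` capability, `allow hald_t device_t:chr_file create_file_perms;` and `allow hald_t etc_runtime_t:file rw_file_perms;` lets hald run any program, create arbitrary device nodes and rewrite runtime configuration, with no comment on which hald feature needs each grant; because the domain also accepts D-Bus messages from initrc_t and updfstab_t, each of these warrants a justification line of the kind the other files in this patch provide.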
@@ -0,0 +1,163 @@ +#DESC Hotplug - Hardware event manager +# +# Author: Russell Coker +# X-Debian-Packages: hotplug +# + +################################# +# +# Rules for the hotplug_t domain. +# +# hotplug_exec_t is the type of the hotplug executable. +# +ifdef(`unlimitedUtils', ` +daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer') +', ` +daemon_domain(hotplug, `, privmodule') +') + +etcdir_domain(hotplug) + +allow hotplug_t self:fifo_file { read write getattr ioctl }; +allow hotplug_t self:unix_dgram_socket create_socket_perms; +allow hotplug_t self:unix_stream_socket create_socket_perms; +allow hotplug_t self:udp_socket create_socket_perms; + +read_sysctl(hotplug_t) +allow hotplug_t sysctl_net_t:dir r_dir_perms; +allow hotplug_t sysctl_net_t:file { getattr read }; + +# get info from /proc +r_dir_file(hotplug_t, proc_t) +allow hotplug_t self:file { getattr read }; + +allow hotplug_t devtty_t:chr_file rw_file_perms; + +allow hotplug_t device_t:dir r_dir_perms; + +# for SSP +allow hotplug_t urandom_device_t:chr_file read; + +allow hotplug_t { bin_t sbin_t }:dir search; +allow hotplug_t { bin_t sbin_t }:lnk_file read; +can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t }) +ifdef(`hostname.te', ` +can_exec(hotplug_t, hostname_exec_t) +dontaudit hostname_t hotplug_t:fd use; +') +ifdef(`netutils.te', ` +ifdef(`distro_redhat', ` +# for arping used for static IP addresses on PCMCIA ethernet +domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t) + +allow hotplug_t tmpfs_t:dir search; +allow hotplug_t tmpfs_t:chr_file rw_file_perms; +')dnl end if distro_redhat +')dnl end if netutils.te + +allow initrc_t usbdevfs_t:file { getattr read ioctl }; +allow initrc_t modules_dep_t:file { getattr read ioctl }; +r_dir_file(hotplug_t, usbdevfs_t) +allow hotplug_t usbfs_t:dir r_dir_perms; +allow hotplug_t usbfs_t:file { getattr read }; + +# read config 
files +allow hotplug_t etc_t:dir r_dir_perms; +allow hotplug_t etc_t:{ file lnk_file } r_file_perms; + +allow hotplug_t kernel_t:process sigchld; + +ifdef(`distro_redhat', ` +allow hotplug_t var_lock_t:dir search; +allow hotplug_t var_lock_t:file getattr; +') + +ifdef(`hald.te', ` +allow hotplug_t hald_t:unix_dgram_socket sendto; +allow hald_t hotplug_etc_t:dir search; +allow hald_t hotplug_etc_t:file { getattr read }; +') + +# for killall +allow hotplug_t self:process { getsession getattr }; +allow hotplug_t self:file getattr; + +domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t) +domain_auto_trans(hotplug_t, mount_exec_t, mount_t) +domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t) +ifdef(`updfstab.te', ` +domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t) +') + +# init scripts run /etc/hotplug/usb.rc +domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t) +allow initrc_t hotplug_etc_t:dir r_dir_perms; + +ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)') + +r_dir_file(hotplug_t, modules_object_t) +allow hotplug_t modules_dep_t:file { getattr read ioctl }; + +# for lsmod +dontaudit hotplug_t self:capability { sys_module sys_admin }; + +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit hotplug_t self:capability { dac_override dac_read_search }; + +ifdef(`fsadm.te', ` +domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) +') + +allow hotplug_t var_log_t:dir search; + +# for ps +dontaudit hotplug_t domain:dir { getattr search }; +dontaudit hotplug_t { init_t kernel_t }:file read; +ifdef(`initrc.te', ` +can_ps(hotplug_t, initrc_t) +') + +# for when filesystems are not mounted early in the boot +dontaudit hotplug_t file_t:dir { search getattr }; + +# kernel threads inherit from shared descriptor table used by init +dontaudit hotplug_t initctl_t:fifo_file { read write }; + +# Read /usr/lib/gconv/.* +allow hotplug_t lib_t:file { getattr read }; + +allow hotplug_t self:capability { net_admin sys_tty_config mknod }; 
+allow hotplug_t sysfs_t:dir { getattr read search }; +allow hotplug_t sysfs_t:file { getattr read }; +allow hotplug_t sysfs_t:lnk_file { getattr read }; +allow hotplug_t udev_runtime_t:file rw_file_perms; +ifdef(`lpd.te', ` +allow hotplug_t printer_device_t:chr_file setattr; +') +allow hotplug_t fixed_disk_device_t:blk_file setattr; +allow hotplug_t removable_device_t:blk_file setattr; +allow hotplug_t sound_device_t:chr_file setattr; + +ifdef(`udev.te', ` +domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t) +') + +file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file) + +can_network_server(hotplug_t) +can_ypbind(hotplug_t) +dbusd_client(system, hotplug) + +# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q +domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t) +ifdef(`mta.te', ` +domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) +') + +allow restorecon_t hotplug_t:fd use; + +ifdef(`unlimitedUtils', ` +unconfined_domain(hotplug_t) +') + +allow kernel_t hotplug_etc_t:dir search; diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te new file mode 100644 index 0000000..026790a --- /dev/null +++ b/strict/domains/program/howl.te @@ -0,0 +1,22 @@ +#DESC howl - port of Apple Rendezvous multicast DNS +# +# Author: Russell Coker +# + +daemon_domain(howl) +r_dir_file(howl_t, proc_net_t) +can_network_server(howl_t) +can_ypbind(howl_t) +allow howl_t self:unix_dgram_socket create_socket_perms; +allow howl_t self:capability { kill net_admin sys_module }; + +allow howl_t self:fifo_file rw_file_perms; + +type howl_port_t, port_type; +allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind; + +allow howl_t self:unix_dgram_socket create_socket_perms; + +allow howl_t etc_t:file { getattr read }; +allow howl_t initrc_var_run_t:file rw_file_perms; + diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te new file mode 100644 index 0000000..2af68ab 
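Review bot: in hotplug.te, `dbusd_client(system, hotplug)` is invoked unconditionally, whereas hald.te wraps the same macro in `ifdef(`dbusd.te', ...)`; without the guard the expansion references dbusd types that only exist when dbusd.te is part of the build. Wrap it the same way. Also `can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })` includes `etc_t`, so any file under /etc becomes executable for a domain the kernel enters directly via `domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)`; if only /etc/hotplug scripts are meant, `hotplug_etc_t` already covers them and `etc_t` can go, otherwise name the scripts that still carry plain etc_t. Finally, the `unlimitedUtils` branch ends in `unconfined_domain(hotplug_t)`, which, as in firstboot.te, makes every rule above it moot when enabled; the header should say so.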
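Review bot: in howl.te, `allow howl_t self:unix_dgram_socket create_socket_perms;` appears twice; drop the second copy. `sys_module` in `allow howl_t self:capability { kill net_admin sys_module };` is an unusual capability for a multicast DNS responder and is the one that would let a compromised daemon load kernel code; it needs a comment naming the operation that triggers it, or a `dontaudit` instead if the capability is merely probed (hotplug.te takes that approach for lsmod). Likewise `allow howl_t initrc_var_run_t:file rw_file_perms;` gives write access to the utmp file that the other daemons in this patch only read; state why howl writes it.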
--- /dev/null +++ b/strict/domains/program/hwclock.te @@ -0,0 +1,49 @@ +#DESC Hwclock - Hardware clock manager +# +# Author: David A. Wheeler +# Russell Coker +# X-Debian-Packages: util-linux +# + +################################# +# +# Rules for the hwclock_t domain. +# This domain moves time information between the "hardware clock" +# (which runs when the system is off) and the "system clock", +# and it stores adjustment values in /etc/adjtime so that errors in the +# hardware clock are corrected. +# Note that any errors from this domain are NOT recorded by the system logger, +# because the system logger isnt running when this domain is active. +# +daemon_base_domain(hwclock) +role sysadm_r types hwclock_t; +domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) +type adjtime_t, file_type, sysadmfile; +ifdef(`apmd.te', ` +domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) +') + +allow hwclock_t fs_t:filesystem getattr; + +read_locale(hwclock_t) + +# Give hwclock the capabilities it requires. dac_override is a surprise, +# but hwclock does require it. +allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; + +# Allow hwclock to set the hardware clock. +allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms }; + +# Allow hwclock to store & retrieve correction factors. +allow hwclock_t adjtime_t:file { setattr rw_file_perms }; + +# Read and write console and ttys. +allow hwclock_t tty_device_t:chr_file rw_file_perms; +allow hwclock_t ttyfile:chr_file rw_file_perms; +allow hwclock_t ptyfile:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') + +read_locale(hwclock_t) + +# for when /usr is not mounted +dontaudit hwclock_t file_t:dir search; diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te new file mode 100644 index 0000000..8de3839 --- /dev/null +++ b/strict/domains/program/i18n_input.te 
@@ -0,0 +1,29 @@ +# i18n_input.te +# Security Policy for IIIMF htt server +# Date: 2004, 12th April (Monday) + +# Types for server port +type i18n_input_port_t, port_type; + +# Establish i18n_input as a daemon +daemon_domain(i18n_input) + +can_exec(i18n_input_t, i18n_input_exec_t) +can_network(i18n_input_t) +can_ypbind(i18n_input_t) + +can_tcp_connect(userdomain, i18n_input_t) + +allow i18n_input_t self:fifo_file rw_file_perms; +allow i18n_input_t i18n_input_port_t:tcp_socket name_bind; + +allow i18n_input_t self:capability { kill setgid setuid }; +allow i18n_input_t self:process { setsched setpgid }; + +allow i18n_input_t { bin_t sbin_t }:dir search; + +allow i18n_input_t etc_t:file r_file_perms; +allow i18n_input_t self:unix_dgram_socket create_socket_perms; +allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; +allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms; +allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms; diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te new file mode 100644 index 0000000..b2039ac --- /dev/null +++ b/strict/domains/program/ifconfig.te 
@@ -0,0 +1,68 @@ +#DESC Ifconfig - Configure network interfaces +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: net-tools +# + +################################# +# +# Rules for the ifconfig_t domain. +# +# ifconfig_t is the domain for the ifconfig program. +# ifconfig_exec_t is the type of the corresponding program. +# +type ifconfig_t, domain, privlog, privmodule; +type ifconfig_exec_t, file_type, sysadmfile, exec_type; + +role system_r types ifconfig_t; +role sysadm_r types ifconfig_t; + +uses_shlib(ifconfig_t) +general_domain_access(ifconfig_t) + +domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) +domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) + +# for /sbin/ip +allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms; +allow ifconfig_t self:tcp_socket { create ioctl }; +allow ifconfig_t etc_t:file { getattr read }; + +allow ifconfig_t self:socket create_socket_perms; + +# Use capabilities. +allow ifconfig_t self:capability net_admin; +dontaudit ifconfig_t self:capability sys_module; + +# Inherit and use descriptors from init. +allow ifconfig_t { kernel_t init_t }:fd use; + +# Access /proc +r_dir_file(ifconfig_t, proc_t) +r_dir_file(ifconfig_t, proc_net_t) + +allow ifconfig_t privfd:fd use; +allow ifconfig_t run_init_t:fd use; + +# Create UDP sockets, necessary when called from dhcpc +allow ifconfig_t self:udp_socket create_socket_perms; + +# Access terminals. +allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') + +allow ifconfig_t tun_tap_device_t:chr_file { read write }; + +# ifconfig attempts to search some sysctl entries. +# Do not audit those attempts; comment out these rules if it is desired to +# see the denials. 
+dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search; + +allow ifconfig_t fs_t:filesystem getattr; + +read_locale(ifconfig_t) +allow ifconfig_t lib_t:file { getattr read }; + +rhgb_domain(ifconfig_t) +allow ifconfig_t userdomain:fd use; +dontaudit ifconfig_t root_t:file read; diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te new file mode 100644 index 0000000..c0eed55 --- /dev/null +++ b/strict/domains/program/inetd.te 
@@ -0,0 +1,68 @@ +#DESC Inetd - Internet services daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# re-written with daemon_domain by Russell Coker +# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd +# + +################################# +# +# Rules for the inetd_t domain and +# the inetd_child_t domain. +# +type biff_port_t, port_type, reserved_port_type; + +################################# +# +# Rules for the inetd_t domain. +# + +daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' ) + +can_network(inetd_t) +allow inetd_t self:unix_dgram_socket create_socket_perms; +allow inetd_t self:unix_stream_socket create_socket_perms; +allow inetd_t self:fifo_file rw_file_perms; +allow inetd_t etc_t:file { getattr read ioctl }; +allow inetd_t self:process setsched; + +log_domain(inetd) +tmp_domain(inetd) + +# Use capabilities. +allow inetd_t self:capability { setuid setgid net_bind_service }; + +# allow any domain to connect to inetd +can_tcp_connect(userdomain, inetd_t) + +# Run each daemon with a defined domain in its own domain. +# These rules have been moved to the individual target domain .te files. + +# Run other daemons in the inetd_child_t domain. +allow inetd_t { bin_t sbin_t }:dir search; +allow inetd_t sbin_t:lnk_file read; + +# Bind to the telnet, ftp, rlogin and rsh ports. +ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;') +ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;') +ifdef(`talk.te', ` +allow inetd_t talk_port_t:tcp_socket name_bind; +allow inetd_t ntalk_port_t:tcp_socket name_bind; +') + +# Communicate with the portmapper. 
+ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') + + +inetd_child_domain(inetd_child) +allow inetd_child_t proc_net_t:dir search; +allow inetd_child_t proc_net_t:file { getattr read }; + +ifdef(`unconfined.te', ` +domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t) +') + +ifdef(`unlimitedInetd', ` +unconfined_domain(inetd_t) +') + diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te new file mode 100644 index 0000000..3aeb04f --- /dev/null +++ b/strict/domains/program/init.te 
@@ -0,0 +1,147 @@ +#DESC Init - Process initialization +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysvinit +# + +################################# +# +# Rules for the init_t domain. +# +# init_t is the domain of the init process. +# init_exec_t is the type of the init program. +# initctl_t is the type of the named pipe created +# by init during initialization. This pipe is used +# to communicate with init. +# +type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain; +role system_r types init_t; +uses_shlib(init_t); +type init_exec_t, file_type, sysadmfile, exec_type; +type initctl_t, file_type, sysadmfile, dev_fs; + +# for init to determine whether SE Linux is active so it can know whether to +# activate it +allow init_t security_t:dir search; +allow init_t security_t:file { getattr read }; + +# for mount points +allow init_t file_t:dir search; + +# Use capabilities. +allow init_t self:capability ~sys_module; + +# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain. +domain_auto_trans(init_t, initrc_exec_t, initrc_t) + +# Run the shell in the sysadm_t domain for single-user mode. +domain_auto_trans(init_t, shell_exec_t, sysadm_t) + +# Run /sbin/update in the init_t domain. +can_exec(init_t, sbin_t) + +# Run init. +can_exec(init_t, init_exec_t) + +# Run chroot from initrd scripts. +ifdef(`chroot.te', ` +can_exec(init_t, chroot_exec_t) +') + +# Create /dev/initctl. +file_type_auto_trans(init_t, device_t, initctl_t, fifo_file) +ifdef(`distro_redhat', ` +file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file) +') + +# Create ioctl.save. 
+file_type_auto_trans(init_t, etc_t, etc_runtime_t, file) + +# Update /etc/ld.so.cache +allow init_t ld_so_cache_t:file rw_file_perms; + +# Allow access to log files +allow init_t var_t:dir search; +allow init_t var_log_t:dir search; +allow init_t var_log_t:file rw_file_perms; + +read_locale(init_t) + +# Create unix sockets +allow init_t self:unix_dgram_socket create_socket_perms; +allow init_t self:unix_stream_socket create_socket_perms; +allow init_t self:fifo_file rw_file_perms; + +# Permissions required for system startup +allow init_t { bin_t sbin_t }:dir r_dir_perms; +allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl }; + +# allow init to fork +allow init_t self:process { fork sigchld }; + +# Modify utmp. +allow init_t var_run_t:file rw_file_perms; +allow init_t initrc_var_run_t:file { setattr rw_file_perms }; + +# For /var/run/shutdown.pid. +var_run_domain(init) + +# Shutdown permissions +r_dir_file(init_t, proc_t) +r_dir_file(init_t, self) +allow init_t devpts_t:dir r_dir_perms; + +# Modify wtmp. +allow init_t wtmp_t:file rw_file_perms; + +# Kill all processes. +allow init_t domain:process signal_perms; + +# Allow all processes to send SIGCHLD to init. +allow domain init_t:process { sigchld signull }; + +# If you load a new policy that removes active domains, processes can +# get stuck if you do not allow unlabeled processes to signal init +# If you load an incompatible policy, you should probably reboot, +# since you may have compromised system security. +allow unlabeled_t init_t:process sigchld; + +# for loading policy +allow init_t policy_config_t:file r_file_perms; + +# Set booleans. +can_setbool(init_t) + +# Read and write the console and ttys. +allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms; +ifdef(`distro_redhat', ` +allow init_t tmpfs_t:chr_file rw_file_perms; +') +allow init_t ttyfile:chr_file rw_file_perms; +allow init_t ptyfile:chr_file rw_file_perms; + +# Run system executables. 
+can_exec(init_t,bin_t) +ifdef(`consoletype.te', ` +can_exec(init_t, consoletype_exec_t) +') + +# Run /etc/X11/prefdm. +can_exec(init_t,etc_t) + +allow init_t lib_t:file { getattr read }; + +ifdef(`rhgb.te', ` +allow init_t devtty_t:chr_file { read write }; +allow init_t ramfs_t:dir search; +') +r_dir_file(init_t, sysfs_t) + +r_dir_file(init_t, selinux_config_t) + +# file descriptors inherited from the rootfs. +dontaudit init_t root_t:{ file chr_file } { read write }; +ifdef(`targeted_policy', ` +typeattribute init_t unrestricted; +') + diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te new file mode 100644 index 0000000..86e09cc --- /dev/null +++ b/strict/domains/program/initrc.te 
@@ -0,0 +1,311 @@ +#DESC Initrc - System initialization scripts +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysvinit policycoreutils +# + +################################# +# +# Rules for the initrc_t domain. +# +# initrc_t is the domain of the init rc scripts. +# initrc_exec_t is the type of the init program. +# +# do not use privmail for sendmail as it creates a type transition conflict +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain; + +role system_r types initrc_t; +uses_shlib(initrc_t); +can_network(initrc_t) +can_ypbind(initrc_t) +type initrc_exec_t, file_type, sysadmfile, exec_type; + +# for halt to down interfaces +allow initrc_t self:udp_socket create_socket_perms; + +# read files in /etc/init.d +allow initrc_t etc_t:lnk_file r_file_perms; + +read_locale(initrc_t) + +r_dir_file(initrc_t, usr_t) + +# Read system information files in /proc. +r_dir_file(initrc_t, { proc_t proc_net_t }) +allow initrc_t proc_mdstat_t:file { getattr read }; + +# Allow IPC with self +allow initrc_t self:unix_dgram_socket create_socket_perms; +allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow initrc_t self:fifo_file rw_file_perms; + +# Read the root directory of a usbdevfs filesystem, and +# the devices and drivers files. Permit stating of the +# device nodes, but nothing else. 
+allow initrc_t usbdevfs_t:dir r_dir_perms; +allow initrc_t usbdevfs_t:lnk_file r_file_perms; +allow initrc_t usbdevfs_t:file getattr; +allow initrc_t usbfs_t:dir r_dir_perms; +allow initrc_t usbfs_t:file getattr; + +# allow initrc to fork and renice itself +allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched }; + +# Can create ptys for open_init_pty +can_create_pty(initrc) + +tmp_domain(initrc) + +var_run_domain(initrc) +allow initrc_t var_run_t:{ file sock_file lnk_file } unlink; +allow initrc_t var_run_t:dir { create rmdir }; + +ifdef(`distro_debian', ` +allow initrc_t { etc_t device_t }:dir setattr; + +# for storing state under /dev/shm +allow initrc_t tmpfs_t:dir setattr; +file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) +file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) +allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; +') + +allow initrc_t framebuf_device_t:chr_file r_file_perms; + +# Use capabilities. +allow initrc_t self:capability ~{ sys_admin sys_module }; + +# Use system operations. +allow initrc_t kernel_t:system *; + +# Set values in /proc/sys. +can_sysctl(initrc_t) + +# Run helper programs in the initrc_t domain. +allow initrc_t {bin_t sbin_t }:dir r_dir_perms; +allow initrc_t {bin_t sbin_t }:lnk_file read; +can_exec(initrc_t, etc_t) +can_exec(initrc_t, lib_t) +can_exec(initrc_t, bin_t) +can_exec(initrc_t, sbin_t) +can_exec(initrc_t, exec_type) +# +# These rules are here to allow init scripts to su +# +ifdef(`su.te', ` +su_restricted_domain(initrc,system) +role system_r types initrc_su_t; +') +allow initrc_t self:passwd rootok; + +# read /lib/modules +allow initrc_t modules_object_t:dir { search read }; + +# Read conf.modules. +allow initrc_t modules_conf_t:file r_file_perms; + +# Run other rc scripts in the initrc_t domain. +can_exec(initrc_t, initrc_exec_t) + +# Run init (telinit) in the initrc_t domain. 
+can_exec(initrc_t, init_exec_t) + +# Communicate with the init process. +allow initrc_t initctl_t:fifo_file rw_file_perms; + +# Read /proc/PID directories for all domains. +r_dir_file(initrc_t, domain) +allow initrc_t domain:process { getattr getsession }; + +# Mount and unmount file systems. +allow initrc_t fs_type:filesystem mount_fs_perms; +allow initrc_t { file_t default_t }:dir { read search getattr mounton }; + +# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME. +file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file) + +# Update /etc/ld.so.cache. +allow initrc_t ld_so_cache_t:file rw_file_perms; + +# Update /var/log/wtmp and /var/log/dmesg. +allow initrc_t wtmp_t:file { setattr rw_file_perms }; +allow initrc_t var_log_t:dir rw_dir_perms; +allow initrc_t var_log_t:file { setattr rw_file_perms }; +allow initrc_t lastlog_t:file { setattr rw_file_perms }; +allow initrc_t logfile:file { read append }; + +# remove old locks +allow initrc_t lockfile:dir rw_dir_perms; +allow initrc_t lockfile:file { getattr unlink }; + +# Access /var/lib/random-seed. +allow initrc_t var_lib_t:file rw_file_perms; +allow initrc_t var_lib_t:file unlink; + +# Create lock file. +allow initrc_t var_lock_t:dir create_dir_perms; +allow initrc_t var_lock_t:file create_file_perms; + +# Set the clock. +allow initrc_t clock_device_t:devfile_class_set rw_file_perms; + +# Kill all processes. +allow initrc_t domain:process signal_perms; + +# Read and unlink /var/run/*.pid files. +allow initrc_t pidfile:file { getattr read unlink }; + +# Write to /dev/urandom. +allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms; + +# for cryptsetup +allow initrc_t fixed_disk_device_t:blk_file getattr; + +# Set device ownerships/modes. 
+allow initrc_t framebuf_device_t:chr_file setattr; +allow initrc_t misc_device_t:devfile_class_set setattr; +allow initrc_t device_t:devfile_class_set setattr; +allow initrc_t fixed_disk_device_t:devfile_class_set setattr; +allow initrc_t removable_device_t:devfile_class_set setattr; +allow initrc_t device_t:lnk_file read; +allow initrc_t xconsole_device_t:fifo_file setattr; + +# Stat any file. +allow initrc_t file_type:notdevfile_class_set getattr; +allow initrc_t file_type:dir { search getattr }; + +# Read and write console and ttys. +allow initrc_t devtty_t:chr_file rw_file_perms; +allow initrc_t console_device_t:chr_file rw_file_perms; +allow initrc_t tty_device_t:chr_file rw_file_perms; +allow initrc_t ttyfile:chr_file rw_file_perms; +allow initrc_t ptyfile:chr_file rw_file_perms; + +# Reset tty labels. +allow initrc_t ttyfile:chr_file relabelfrom; +allow initrc_t tty_device_t:chr_file relabelto; + +ifdef(`distro_redhat', ` +# Create and read /boot/kernel.h and /boot/System.map. +# Redhat systems typically create this file at boot time. +allow initrc_t boot_t:lnk_file rw_file_perms; +file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file) + +allow initrc_t tmpfs_t:chr_file rw_file_perms; +allow initrc_t tmpfs_t:dir r_dir_perms; + +ifdef(`distro_redhat', ` +# Allow initrc domain to set the enforcing flag. +can_setenforce(initrc_t) +') + +# +# readahead asks for these +# +allow initrc_t etc_aliases_t:file { getattr read }; +allow initrc_t var_lib_nfs_t:file { getattr read }; + +# for /halt /.autofsck and other flag files +file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file) + +')dnl end distro_redhat + +allow initrc_t system_map_t:{ file lnk_file } r_file_perms; +allow initrc_t var_spool_t:file rw_file_perms; + +# Allow access to the sysadm TTYs. Note that this will give access to the +# TTYs to any process in the initrc_t domain. Therefore, daemons and such +# started from init should be placed in their own domain. 
+allow initrc_t admin_tty_type:chr_file rw_file_perms; + +# Access sound device and files. +allow initrc_t sound_device_t:chr_file { setattr ioctl read write }; + +# Read user home directories. +allow initrc_t { home_root_t home_type }:dir r_dir_perms; +allow initrc_t home_type:file r_file_perms; + +# for system start scripts +allow initrc_t pidfile:dir rw_dir_perms; +allow initrc_t pidfile:sock_file unlink; +rw_dir_create_file(initrc_t, var_lib_t) + +# allow start scripts to clean /tmp +allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir }; +allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink }; + +# for lsof which is used by alsa shutdown +dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; +dontaudit initrc_t proc_kmsg_t:file getattr; + +################################# +# +# Rules for the run_init_t domain. +# +ifdef(`targeted_policy', ` +type run_init_exec_t, file_type, sysadmfile, exec_type; +type run_init_t, domain; +domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) +allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; +allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; +domain_trans(initrc_t, shell_exec_t, unconfined_t) +', ` +run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t) +') +allow initrc_t privfd:fd use; + +# Transition to system_r:initrc_t upon executing init scripts. 
+ifdef(`direct_sysadm_daemon', ` +role_transition sysadm_r initrc_exec_t system_r; +domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t) +') + +# +# Shutting down xinet causes these +# +# Fam +dontaudit initrc_t device_t:dir { read write }; +# Rsync +dontaudit initrc_t mail_spool_t:lnk_file read; + +allow initrc_t sysfs_t:dir { getattr read search }; +allow initrc_t sysfs_t:file { getattr read write }; +allow initrc_t sysfs_t:lnk_file { getattr read }; +allow initrc_t udev_runtime_t:file rw_file_perms; +allow initrc_t device_type:chr_file setattr; +allow initrc_t binfmt_misc_fs_t:dir { getattr search }; +allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write }; + +# for lsof in shutdown scripts +can_kerberos(initrc_t) + +# +# Wants to remove udev.tbl +# +allow initrc_t device_t:dir rw_dir_perms; +allow initrc_t device_t:lnk_file unlink; + +r_dir_file(initrc_t,selinux_config_t) + +ifdef(`distro_redhat', ` +#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr; +') + +ifdef(`unlimitedRC', ` +unconfined_domain(initrc_t) +') +# +# initrc script does a cat /selinux/enforce +# +allow initrc_t security_t:dir { getattr search }; +allow initrc_t security_t:file { getattr read }; + +# init script state +type initrc_state_t, file_type, sysadmfile; +create_dir_file(initrc_t,initrc_state_t) + +ifdef(`distro_gentoo', ` +# Gentoo integrated run_init+open_init_pty-runscript: +domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) +') +allow initrc_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te new file mode 100644 index 0000000..09b7c06 --- /dev/null +++ b/strict/domains/program/innd.te 
@@ -0,0 +1,81 @@ +#DESC INN - InterNetNews server +# +# Author: Faye Coker +# X-Debian-Packages: inn +# +################################ + +# Types for the server port and news spool. +# +type innd_port_t, port_type, reserved_port_type; +type news_spool_t, file_type, sysadmfile; + + +# need privmail attribute so innd can access system_mail_t +daemon_domain(innd, `, privmail') + +# allow innd to create files and directories of type news_spool_t +create_dir_file(innd_t, news_spool_t) + +# allow user domains to read files and directories these types +r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t }) + +can_exec(initrc_t, innd_etc_t) +can_exec(innd_t, { innd_exec_t bin_t shell_exec_t }) +ifdef(`hostname.te', ` +can_exec(innd_t, hostname_exec_t) +') + +allow innd_t var_spool_t:dir { getattr search }; + +can_network(innd_t) +can_ypbind(innd_t) + +can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } ) +allow innd_t self:unix_dgram_socket create_socket_perms; +allow innd_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(innd_t, self) + +allow innd_t self:fifo_file rw_file_perms; +allow innd_t innd_port_t:tcp_socket name_bind; + +allow innd_t self:capability { dac_override kill setgid setuid net_bind_service }; +allow innd_t self:process setsched; + +allow innd_t { bin_t sbin_t }:dir search; +allow innd_t usr_t:lnk_file read; +allow innd_t usr_t:file { getattr read ioctl }; +allow innd_t lib_t:file ioctl; +allow innd_t etc_t:file { getattr read }; +allow innd_t { proc_t etc_runtime_t }:file { getattr read }; +allow innd_t urandom_device_t:chr_file read; + +allow innd_t innd_var_run_t:sock_file create_file_perms; + +# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? 
and symbolic links with that type +etcdir_domain(innd) + +# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that +# it can write to +logdir_domain(innd) + +# allow innd read-write directory permissions to /var/lib/news. +var_lib_domain(innd) + +ifdef(`crond.te', ` +system_crond_entry(innd_exec_t, innd_t) +allow system_crond_t innd_etc_t:file { getattr read }; +rw_dir_create_file(system_crond_t, innd_log_t) +rw_dir_create_file(system_crond_t, innd_var_run_t) +') + +ifdef(`syslogd.te', ` +allow syslogd_t innd_log_t:dir search; +allow syslogd_t innd_log_t:file create_file_perms; +') + +allow innd_t self:file { getattr read }; +dontaudit innd_t selinux_config_t:dir { search }; +allow system_crond_t innd_etc_t:file { getattr read }; +allow innd_t bin_t:lnk_file { read }; +allow innd_t sbin_t:lnk_file { read }; diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te new file mode 100644 index 0000000..dd32f69 --- /dev/null +++ b/strict/domains/program/ipsec.te 
@@ -0,0 +1,229 @@ +#DESC ipsec - TCP/IP encryption +# +# Authors: Mark Westerman mark.westerman@westcam.com +# massively butchered by paul krumviede +# further massaged by Chris Vance +# X-Debian-Packages: freeswan +# +######################################## +# +# Rules for the ipsec_t domain. +# +# a domain for things that need access to the PF_KEY socket +daemon_base_domain(ipsec, `, privlog') + +# type for ipsec configuration file(s) - not for keys +type ipsec_conf_file_t, file_type, sysadmfile; + +# type for file(s) containing ipsec keys - RSA or preshared +type ipsec_key_file_t, file_type, sysadmfile; + +# type for runtime files, including pluto.ctl +# lots of strange stuff for the ipsec_var_run_t - need to check it +var_run_domain(ipsec) + +type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain; +type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file) +file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file) +file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file) + +allow ipsec_mgmt_t modules_object_t:dir search; +allow ipsec_mgmt_t modules_object_t:file getattr; + +allow ipsec_t self:capability { net_admin net_bind_service }; +allow ipsec_t self:process signal; +allow ipsec_t etc_t:lnk_file read; + +domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t) + +# Inherit and use descriptors from init. +# allow access (for, e.g., klipsdebug) to console +allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms; +allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use; + +# I do not know where this pesky pipe is... 
+allow ipsec_t initrc_t:fifo_file write; + +r_dir_file(ipsec_t, ipsec_conf_file_t) +r_dir_file(ipsec_t, ipsec_key_file_t) +allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl }; +rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t) + +allow ipsec_t self:key_socket { create write read setopt }; + +# for lsof +allow sysadm_t ipsec_t:key_socket getattr; + +# the ipsec wrapper wants to run /usr/bin/logger (should we put +# it in its own domain?) +can_exec(ipsec_mgmt_t, bin_t) +# logger, running in ipsec_mgmt_t needs to use sockets +allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; +allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; + +# also need to run things like whack and shell scripts +can_exec(ipsec_mgmt_t, ipsec_exec_t) +can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) +allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; +can_exec(ipsec_mgmt_t, shell_exec_t) +can_exec(ipsec_t, shell_exec_t) +can_exec(ipsec_t, bin_t) +can_exec(ipsec_t, ipsec_mgmt_exec_t) +# now for a icky part... +# pluto runs an updown script (by calling popen()!); as this is by default +# a shell script, we need to find a way to make things work without +# letting all sorts of stuff possibly be run... +# so try flipping back into the ipsec_mgmt_t domain +domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t) +allow ipsec_mgmt_t ipsec_t:fd use; + +# the default updown script wants to run route +can_exec(ipsec_mgmt_t, sbin_t) +allow ipsec_mgmt_t sbin_t:lnk_file read; +allow ipsec_mgmt_t self:capability { net_admin dac_override }; + +# need access to /proc/sys/net/ipsec/icmp +allow ipsec_mgmt_t sysctl_t:file write; +allow ipsec_mgmt_t sysctl_net_t:dir search; +allow ipsec_mgmt_t sysctl_net_t:file { write setattr }; + +# whack needs to be able to read/write pluto.ctl +allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write }; +# and it wants to connect to a socket... 
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write }; + +# allow system administrator to use the ipsec script to look +# at things (e.g., ipsec auto --status) +# probably should create an ipsec_admin role for this kind of thing +can_exec(sysadm_t, ipsec_mgmt_exec_t) +allow sysadm_t ipsec_t:unix_stream_socket connectto; + +# _realsetup needs to be able to cat /var/run/pluto.pid, +# run ps on that pid, and delete the file +allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms; + +allow ipsec_mgmt_t boot_t:dir search; +allow ipsec_mgmt_t system_map_t:file { read getattr }; + +# denials when ps tries to search /proc. Do not audit these denials. +dontaudit ipsec_mgmt_t domain:dir r_dir_perms; + +# suppress audit messages about unnecessary socket access +dontaudit ipsec_mgmt_t domain:key_socket { read write }; +dontaudit ipsec_mgmt_t domain:udp_socket { read write }; + +# from rbac +role system_r types { ipsec_t ipsec_mgmt_t }; + +# from initrc.te +domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t) +domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t) + + +########## The following rules were added by cvance@tislabs.com ########## + +# allow pluto and startup scripts to access /dev/urandom +allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms; + +# allow pluto to access /proc/net/ipsec_eroute; +general_proc_read_access(ipsec_t) +general_proc_read_access(ipsec_mgmt_t) + +# allow pluto to search the root directory (not sure why, but mostly harmless) +# Are these all really necessary? 
+allow ipsec_t var_t:dir search; +allow ipsec_t bin_t:dir search; +allow ipsec_t device_t:dir { getattr search }; +allow ipsec_mgmt_t device_t:dir { getattr search read }; +dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr; +dontaudit ipsec_mgmt_t devpts_t:dir getattr; +allow ipsec_mgmt_t etc_t:lnk_file read; +allow ipsec_mgmt_t var_t:dir search; +allow ipsec_mgmt_t sbin_t:dir search; +allow ipsec_mgmt_t bin_t:dir search; +allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read }; + +# Startup scripts +# use libraries +uses_shlib({ ipsec_t ipsec_mgmt_t }) +# Read and write /dev/tty +allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms; +# fork +allow ipsec_mgmt_t self:process fork; +# startup script runs /bin/gawk with a pipe +allow ipsec_mgmt_t self:fifo_file rw_file_perms; +# read /etc/mtab Why? +allow ipsec_mgmt_t etc_runtime_t:file { read getattr }; +# read link for /bin/sh +allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read; + +# +allow ipsec_mgmt_t self:process { sigchld signal setrlimit }; + +# Allow read/write access to /var/run/pluto.ctl +allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write }; + +# Pluto needs network access +can_network_server(ipsec_t) +can_ypbind(ipsec_t) +allow ipsec_t self:unix_dgram_socket { create connect write }; + +# for sleep +allow ipsec_mgmt_t fs_t:filesystem getattr; + +# for the start script +can_exec(ipsec_mgmt_t, etc_t) + +# allow access to /etc/localtime +allow ipsec_mgmt_t etc_t:file { read getattr }; +allow ipsec_t etc_t:file { read getattr }; + +# allow access to /dev/null +allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms; +allow ipsec_t null_device_t:chr_file rw_file_perms; + +# Allow scripts to use /var/locl/subsys/ipsec +allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms; +allow ipsec_mgmt_t var_lock_t:file create_file_perms; + +# allow tncfg to create sockets +allow ipsec_mgmt_t self:udp_socket { create ioctl }; + +#When running ipsec auto --up +allow ipsec_t self:process { fork 
sigchld }; +allow ipsec_t self:fifo_file { read getattr }; + +# ideally it would not need this. It wants to write to /root/.rnd +file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) + +allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl }; +allow ipsec_t initrc_devpts_t:chr_file { getattr read write }; +allow ipsec_mgmt_t self:lnk_file read; + +allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search }; +read_locale(ipsec_mgmt_t) +var_run_domain(ipsec_mgmt) +dontaudit ipsec_mgmt_t default_t:dir getattr; +dontaudit ipsec_mgmt_t default_t:file getattr; +allow ipsec_mgmt_t tmpfs_t:dir { getattr read }; +allow ipsec_mgmt_t self:key_socket { create setopt }; +can_exec(ipsec_mgmt_t, initrc_exec_t) +allow ipsec_t self:netlink_xfrm_socket create_socket_perms; +read_locale(ipsec_t) +ifdef(`consoletype.te', ` +can_exec(ipsec_mgmt_t, consoletype_exec_t ) +') +dontaudit ipsec_mgmt_t selinux_config_t:dir search; +dontaudit ipsec_t ttyfile:chr_file { read write }; +allow ipsec_t self:capability { dac_override dac_read_search }; +allow ipsec_t reserved_port_t:udp_socket name_bind; +allow ipsec_mgmt_t dev_fs:file_class_set getattr; +dontaudit ipsec_mgmt_t device_t:lnk_file read; +allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms; +allow ipsec_mgmt_t sysctl_net_t:file { getattr read }; +rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t) +rw_dir_create_file(initrc_t, ipsec_var_run_t) +allow initrc_t ipsec_conf_file_t:file { getattr read ioctl }; diff --git a/strict/domains/program/iptables.te b/strict/domains/program/iptables.te new file mode 100644 index 0000000..8d83280 --- /dev/null +++ b/strict/domains/program/iptables.te 
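Review bot: in ipsec.te, `allow ipsec_t reserved_port_t:udp_socket name_bind;` lets pluto bind any reserved UDP port instead of the one IKE port it needs; declare a dedicated port type the way this patch does for other daemons (`type printer_port_t, port_type, reserved_port_type;` in lpd.te, `kerberos_port_t` in kerberos.te) and name_bind only that. In the same hunk, `file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)` gives the management scripts create and write access inside the administrator's home directory, and the comment above it already concedes "ideally it would not need this"; the .rnd file is OpenSSL's RANDFILE, so the start script can point RANDFILE at a location of the tool's own type (ipsec_var_run_t is already granted via `rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)`) and this rule can go. `can_exec(ipsec_mgmt_t, etc_t)` ("for the start script") allows execution of every etc_t file, not just that script; labelling the script with its own exec type would be tighter. The open questions left in comments ("Are these all really necessary?", "read /etc/mtab Why?") should be answered or turned into dontaudit rules before merge, and "/var/locl/subsys/ipsec" is a typo for /var/lock.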
@@ -0,0 +1,63 @@ +#DESC Ipchains - IP packet filter administration +# +# Authors: Justin Smith +# Russell Coker +# X-Debian-Packages: ipchains iptables +# + +# +# Rules for the iptables_t domain. +# +daemon_base_domain(iptables, `, privmodule') +role sysadm_r types iptables_t; +domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t) + +ifdef(`modutil.te', ` +# for modprobe +allow iptables_t sbin_t:dir search; +allow iptables_t sbin_t:lnk_file read; +') + +read_locale(iptables_t) + +# to allow rules to be saved on reboot +allow iptables_t initrc_tmp_t:file rw_file_perms; + +domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t) +allow iptables_t var_t:dir search; +var_run_domain(iptables) + +allow iptables_t self:process { fork signal_perms }; + +allow iptables_t { sysctl_t sysctl_kernel_t }:dir search; +allow iptables_t sysctl_modprobe_t:file { getattr read }; + +tmp_domain(iptables) + +# for iptables -L +allow iptables_t self:unix_stream_socket create_socket_perms; +can_resolve(iptables_t) +can_ypbind(iptables_t) + +allow iptables_t iptables_exec_t:file execute_no_trans; +allow iptables_t self:capability { net_admin net_raw }; +allow iptables_t self:rawip_socket create_socket_perms; + +allow iptables_t etc_t:file { getattr read }; + +allow iptables_t fs_t:filesystem getattr; +allow iptables_t { userdomain kernel_t }:fd use; + +# Access terminals. +allow iptables_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') + +allow iptables_t proc_t:file { getattr read }; +allow iptables_t proc_net_t:dir search; +allow iptables_t proc_net_t:file { read getattr }; + +# system-config-network appends to /var/log +allow iptables_t var_log_t:file append; +ifdef(`firstboot.te', ` +allow iptables_t firstboot_t:fifo_file write; +') diff --git a/strict/domains/program/irc.te b/strict/domains/program/irc.te new file mode 100644 index 0000000..50c1122 --- /dev/null +++ b/strict/domains/program/irc.te 
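Review bot: in iptables.te the header `#DESC Ipchains - IP packet filter administration` names the wrong tool; the domain, executable type and every rule in the file are for iptables, so the description should say Iptables (the `X-Debian-Packages: ipchains iptables` line can stay if the same domain is meant to cover both binaries). `allow iptables_t { userdomain kernel_t }:fd use;` is wider than the only entry rule in the hunk, `domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)`: since only sysadm_t transitions in, inherited descriptors come from sysadm_t (or privfd), and granting `userdomain` lets every unprivileged user domain's descriptors be used by a domain holding net_admin and net_raw. Also `allow iptables_t var_log_t:file append;` ("system-config-network appends to /var/log") permits appending to any file of type var_log_t rather than a specific log; a dedicated log type would make the intent auditable.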
@@ -0,0 +1,12 @@ +#DESC Irc - IRC client +# +# Domains for the irc program. +# X-Debian-Packages: tinyirc ircii + +# +# irc_exec_t is the type of the irc executable. +# +type irc_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the irc_domain macro in +# macros/program/irc_macros.te. diff --git a/strict/domains/program/irqbalance.te b/strict/domains/program/irqbalance.te new file mode 100644 index 0000000..35be192 --- /dev/null +++ b/strict/domains/program/irqbalance.te @@ -0,0 +1,15 @@ +#DESC IRQBALANCE - IRQ balance daemon +# +# Author: Ulrich Drepper +# + +################################# +# +# Rules for the irqbalance_t domain. +# +daemon_domain(irqbalance) + +# irqbalance needs access to /proc. +allow irqbalance_t proc_t:file { read getattr }; +allow irqbalance_t sysctl_irq_t:dir r_dir_perms; +allow irqbalance_t sysctl_irq_t:file rw_file_perms; diff --git a/strict/domains/program/java.te b/strict/domains/program/java.te new file mode 100644 index 0000000..dfd0372 --- /dev/null +++ b/strict/domains/program/java.te @@ -0,0 +1,14 @@ +#DESC Java VM +# +# Authors: Dan Walsh +# X-Debian-Packages: java +# + +# Type for the netscape, java or other browser executables. +type java_exec_t, file_type, sysadmfile, exec_type; + +# Allow java executable stack +bool allow_java_execstack false; + +# Everything else is in the java_domain macro in +# macros/program/java_macros.te. diff --git a/strict/domains/program/kerberos.te b/strict/domains/program/kerberos.te new file mode 100644 index 0000000..19cc3c4 --- /dev/null +++ b/strict/domains/program/kerberos.te 
@@ -0,0 +1,91 @@ +#DESC Kerberos5 - MIT Kerberos5 +# supports krb5kdc and kadmind daemons +# kinit, kdestroy, klist clients +# ksu support not complete +# +# includes rules for OpenSSH daemon compiled with both +# kerberos5 and SELinux support +# +# Not supported : telnetd, ftpd, kprop/kpropd daemons +# +# Author: Kerry Thompson +# Modified by Colin Walters +# + +################################# +# +# Rules for the krb5kdc_t,kadmind_t domains. +# +daemon_domain(krb5kdc) +daemon_domain(kadmind) + +can_exec(krb5kdc_t, krb5kdc_exec_t) +can_exec(kadmind_t, kadmind_exec_t) + +# types for general configuration files in /etc +type krb5_keytab_t, file_type, sysadmfile, secure_file_type; + +# types for KDC configs and principal file(s) +type krb5kdc_conf_t, file_type, sysadmfile; +type krb5kdc_principal_t, file_type, sysadmfile; + +# Use capabilities. Surplus capabilities may be allowed. +allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice }; +allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice }; + +# krb5kdc and kadmind can use network +can_network_server( { krb5kdc_t kadmind_t } ) +can_ypbind( { krb5kdc_t kadmind_t } ) + +# allow UDP transfer to/from any program +can_udp_send(kerberos_port_t, krb5kdc_t) +can_udp_send(krb5kdc_t, kerberos_port_t) +can_tcp_connect(kerberos_port_t, krb5kdc_t) +can_tcp_connect(kerberos_admin_port_t, kadmind_t) + +# Bind to the kerberos, kerberos-adm ports. 
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind; +allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind; +allow kadmind_t reserved_port_t:tcp_socket name_bind; +dontaudit kadmind_t reserved_port_type:tcp_socket name_bind; + +# +# Rules for Kerberos5 KDC daemon +allow krb5kdc_t self:unix_dgram_socket create_socket_perms; +allow krb5kdc_t self:unix_stream_socket create_socket_perms; +allow kadmind_t self:unix_stream_socket create_socket_perms; +allow krb5kdc_t krb5kdc_conf_t:dir search; +allow krb5kdc_t krb5kdc_conf_t:file r_file_perms; +allow krb5kdc_t krb5kdc_principal_t:file r_file_perms; +dontaudit krb5kdc_t krb5kdc_principal_t:file write; +allow krb5kdc_t locale_t:file { getattr read }; +dontaudit krb5kdc_t krb5kdc_conf_t:file write; +allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search }; +allow { kadmind_t krb5kdc_t } etc_t:file { getattr read }; +allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms; +dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write; +tmp_domain(krb5kdc) +log_domain(krb5kdc) +allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read }; +allow kadmind_t random_device_t:chr_file { getattr read }; +allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; +allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; +allow krb5kdc_t proc_t:dir r_dir_perms; +allow krb5kdc_t proc_t:file { getattr read }; + +# +# Rules for Kerberos5 Kadmin daemon +allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t krb5kdc_conf_t:dir search; +allow kadmind_t krb5kdc_conf_t:file r_file_perms; +allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr }; +read_locale(kadmind_t) +dontaudit kadmind_t krb5kdc_conf_t:file write; +tmp_domain(kadmind) +log_domain(kadmind) + +# +# Allow user programs to talk to KDC +allow krb5kdc_t userdomain:udp_socket recvfrom; +allow userdomain krb5kdc_t:udp_socket recvfrom; +allow initrc_t krb5_conf_t:file 
ioctl; diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te new file mode 100644 index 0000000..b7efff1 --- /dev/null +++ b/strict/domains/program/klogd.te @@ -0,0 +1,45 @@ +#DESC Klogd - Kernel log daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: klogd +# + +################################# +# +# Rules for the klogd_t domain. +# +daemon_domain(klogd, `, privmem') + +tmp_domain(klogd) +allow klogd_t proc_t:dir r_dir_perms; +allow klogd_t proc_t:lnk_file r_file_perms; +allow klogd_t proc_t:file { getattr read }; +allow klogd_t self:dir r_dir_perms; +allow klogd_t self:lnk_file r_file_perms; + +# read /etc/nsswitch.conf +allow klogd_t etc_t:lnk_file read; +allow klogd_t etc_t:file r_file_perms; + +read_locale(klogd_t) + +allow klogd_t etc_runtime_t:file { getattr read }; + +# Create unix sockets +allow klogd_t self:unix_dgram_socket create_socket_perms; + +# Use the sys_admin and sys_rawio capabilities. +allow klogd_t self:capability { sys_admin sys_rawio }; +dontaudit klogd_t self:capability sys_resource; + + +# Read /proc/kmsg and /dev/mem. +allow klogd_t proc_kmsg_t:file r_file_perms; +allow klogd_t memory_device_t:chr_file r_file_perms; + +# Control syslog and console logging +allow klogd_t kernel_t:system { syslog_mod syslog_console }; + +# Read /boot/System.map* +allow klogd_t system_map_t:file r_file_perms; +allow klogd_t boot_t:dir r_dir_perms; diff --git a/strict/domains/program/ktalkd.te b/strict/domains/program/ktalkd.te new file mode 100644 index 0000000..7ae0109 --- /dev/null +++ b/strict/domains/program/ktalkd.te @@ -0,0 +1,14 @@ +#DESC ktalkd - KDE version of the talk server +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the ktalkd_t domain. +# +# ktalkd_exec_t is the type of the ktalkd executable. +# + +inetd_child_domain(ktalkd, udp) 
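Review bot: in kerberos.te the KDC capability rule `allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };` carries the comment "Surplus capabilities may be allowed", and nothing in the hunk explains why a KDC needs net_admin; trim the set to what a denial log actually shows, or document each capability, before this goes in. `allow kadmind_t reserved_port_t:tcp_socket name_bind;` and the `dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;` right after it let kadmind bind any reserved TCP port even though kerberos_admin_port_t is declared and used on the line above; if kadmind needs a second port, give it its own port type. The header says the file "includes rules for OpenSSH daemon compiled with both kerberos5 and SELinux support" and declares `type krb5_keytab_t, file_type, sysadmfile, secure_file_type;`, but no rule in this file grants any domain access to krb5_keytab_t and no sshd rules appear; either add them or drop the claim and move the type to where it is used. The final `allow initrc_t krb5_conf_t:file ioctl;` reads like a fragment: ioctl without getattr or read on krb5_conf_t is unusual, and krb5_conf_t is not declared in this file, so a comment saying where it is declared and why initrc needs only ioctl would help.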
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te new file mode 100644 index 0000000..257c587 --- /dev/null +++ b/strict/domains/program/kudzu.te 
@@ -0,0 +1,102 @@ +#DESC kudzu - Red Hat utility to recognise new hardware +# +# Author: Russell Coker +# + +daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem') + +read_locale(kudzu_t) + +# for /etc/sysconfig/hwconf - probably need a new type +allow kudzu_t etc_runtime_t:file rw_file_perms; + +# for kmodule +if (allow_execmem) { +allow kudzu_t self:process execmem; +} +allow kudzu_t zero_device_t:chr_file rx_file_perms; +allow kudzu_t memory_device_t:chr_file { read write execute }; + +allow kudzu_t ramfs_t:dir search; +allow kudzu_t ramfs_t:sock_file write; +allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t modules_conf_t:file { getattr read }; +allow kudzu_t modules_object_t:dir r_dir_perms; +allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; +allow kudzu_t mouse_device_t:chr_file { read write }; +allow kudzu_t proc_net_t:dir r_dir_perms; +allow kudzu_t { proc_net_t proc_t }:file { getattr read }; +allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; +allow kudzu_t scsi_generic_device_t:chr_file r_file_perms; +allow kudzu_t { bin_t sbin_t }:dir { getattr search }; +allow kudzu_t { bin_t sbin_t }:lnk_file read; +read_sysctl(kudzu_t) +allow kudzu_t sysctl_dev_t:dir { getattr search read }; +allow kudzu_t sysctl_dev_t:file { getattr read }; +allow kudzu_t sysctl_kernel_t:file write; +allow kudzu_t usbdevfs_t:dir search; +allow kudzu_t usbdevfs_t:file { getattr read }; +allow kudzu_t usbfs_t:dir search; +allow kudzu_t usbfs_t:file { getattr read }; +allow kudzu_t var_t:dir search; +allow kudzu_t kernel_t:system syslog_console; +allow kudzu_t self:udp_socket { create ioctl }; +allow kudzu_t var_lock_t:dir search; +allow kudzu_t devpts_t:dir search; + +# so it can write messages to the console +allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms; + +role sysadm_r types kudzu_t; 
+domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t) +ifdef(`anaconda.te', ` +domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t) +') + +allow kudzu_t sysadm_home_dir_t:dir search; +rw_dir_create_file(kudzu_t, etc_t) + +rw_dir_create_file(kudzu_t, mnt_t) +can_exec(kudzu_t, { bin_t sbin_t init_exec_t }) +# Read /usr/lib/gconv/gconv-modules.* +allow kudzu_t lib_t:file { read getattr }; +# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux +allow kudzu_t usr_t:file { read getattr }; + +# Communicate with rhgb-client. +allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kudzu_t self:unix_dgram_socket create_socket_perms; + +ifdef(`rhgb.te', ` +allow kudzu_t rhgb_t:unix_stream_socket connectto; +') + +allow kudzu_t self:file { getattr read }; +allow kudzu_t self:fifo_file rw_file_perms; +ifdef(`gpm.te', ` +allow kudzu_t gpmctl_t:sock_file getattr; +') + +can_exec(kudzu_t, shell_exec_t) + +# Write to /proc/sys/kernel/hotplug. Why? +allow kudzu_t sysctl_hotplug_t:file { read write }; + +allow kudzu_t sysfs_t:dir { getattr read search }; +allow kudzu_t sysfs_t:file { getattr read }; +allow kudzu_t sysfs_t:lnk_file read; +file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file) +allow kudzu_t tape_device_t:chr_file r_file_perms; +tmp_domain(kudzu, `', `{ file dir chr_file }') + +# for file systems that are not yet mounted +dontaudit kudzu_t file_t:dir search; +ifdef(`lpd.te', ` +allow kudzu_t printconf_t:file { getattr read }; +') +allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; +dontaudit kudzu_t src_t:dir search; +ifdef(`xserver.te', ` +allow kudzu_t xserver_exec_t:file getattr; +') + diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te new file mode 100644 index 0000000..083063f --- /dev/null +++ b/strict/domains/program/ldconfig.te 
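Review bot: in kudzu.te, `allow kudzu_t memory_device_t:chr_file { read write execute };` grants unconditional write and execute on /dev/mem while the execmem permission just above it is gated behind `if (allow_execmem)`, and the "for kmodule" comment covers only the gated rule. Write on memory_device_t is the whole machine, so it needs its own justification in a comment and, if it belongs to the same code path, the same boolean. `rw_dir_create_file(kudzu_t, etc_t)` together with `file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)` lets kudzu create and rewrite arbitrary files in /etc; the comment "for /etc/sysconfig/hwconf - probably need a new type" already names the right fix, so add that type now instead of shipping the broad rule. With `can_exec(kudzu_t, { bin_t sbin_t init_exec_t })`, `can_exec(kudzu_t, shell_exec_t)` and `self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }` this domain is close to unconfined root, so the remaining open question ("Write to /proc/sys/kernel/hotplug. Why?") should be answered or the rule dropped.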
@@ -0,0 +1,51 @@ +#DESC Ldconfig - Configure dynamic linker bindings +# +# Author: Russell Coker +# X-Debian-Packages: libc6 +# + +################################# +# +# Rules for the ldconfig_t domain. +# +type ldconfig_t, domain, privlog, etc_writer; +type ldconfig_exec_t, file_type, sysadmfile, exec_type; + +role sysadm_r types ldconfig_t; +role system_r types ldconfig_t; + +domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t) +dontaudit ldconfig_t device_t:dir search; +allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow ldconfig_t privfd:fd use; + +uses_shlib(ldconfig_t) + +file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file) +allow ldconfig_t lib_t:dir rw_dir_perms; +allow ldconfig_t lib_t:lnk_file create_lnk_perms; + +allow ldconfig_t userdomain:fd use; +# unlink for when /etc/ld.so.cache is mislabeled +allow ldconfig_t etc_t:file { getattr read unlink }; +allow ldconfig_t etc_t:lnk_file read; + +allow ldconfig_t fs_t:filesystem getattr; +allow ldconfig_t tmp_t:dir search; + +ifdef(`apache.te', ` +# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway +dontaudit ldconfig_t httpd_modules_t:dir search; +') + +allow ldconfig_t { var_t var_lib_t }:dir search; +allow ldconfig_t proc_t:file read; +ifdef(`hide_broken_symptoms', ` +ifdef(`unconfined.te',` +dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; +'); +')dnl end hide_broken_symptoms +ifdef(`targeted_policy', ` +allow ldconfig_t lib_t:file r_file_perms; +unconfined_domain(ldconfig_t) +') diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te new file mode 100644 index 0000000..f54c963 --- /dev/null +++ b/strict/domains/program/load_policy.te 
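Review bot: in ldconfig.te the `hide_broken_symptoms` block closes the inner `ifdef(`unconfined.te',` with `'); ` and the stray `;` after the closing quote ends up in the generated policy.conf as a bare semicolon whenever hide_broken_symptoms is defined; drop it, the dontaudit line already has its own terminator. `allow ldconfig_t etc_t:file { getattr read unlink };` ("unlink for when /etc/ld.so.cache is mislabeled") turns a labelling accident into a permanent right to delete any etc_t file; restorecon on the cache is the fix for the mislabel, and the new cache is already created as ld_so_cache_t via file_type_auto_trans, so unlink on etc_t is not needed. `allow ldconfig_t userdomain:fd use;` duplicates and widens `allow ldconfig_t privfd:fd use;` a few rules up; the entry rule is `domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)`, so the userdomain grant is unnecessary. The `ifdef(`targeted_policy', ...)` block that calls `unconfined_domain(ldconfig_t)` in a file under strict/ deserves a comment saying the tree is shared with the targeted build, otherwise a reader of the strict policy will wonder why an unconfined rule lives here.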
@@ -0,0 +1,61 @@ +#DESC LoadPolicy - SELinux policy loading utilities +# +# Authors: Frank Mayer, mayerf@tresys.com +# X-Debian-Packages: policycoreutils +# + +########################### +# load_policy_t is the domain type for load_policy +# load_policy_exec_t is the file type for the executable + + +type load_policy_t, domain; +role sysadm_r types load_policy_t; +role system_r types load_policy_t; + +type load_policy_exec_t, file_type, exec_type, sysadmfile; + +########################## +# +# Rules + +domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) + +allow load_policy_t console_device_t:chr_file { read write }; + +# Reload the policy configuration (sysadm_t no longer has this ability) +can_loadpol(load_policy_t) + +# Reset policy boolean values. +can_setbool(load_policy_t) + + +########################### +# constrain from where load_policy can load a policy, specifically +# policy_config_t files +# + +# only allow read of policy config files +allow load_policy_t policy_src_t:dir search; +allow load_policy_t policy_config_t:dir r_dir_perms; +allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms; + +# directory search permissions for path to binary policy files +allow load_policy_t root_t:dir search; +allow load_policy_t etc_t:dir search; + +# Read the devpts root directory (needed?) +allow load_policy_t devpts_t:dir r_dir_perms; + +# Other access +allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr }; +uses_shlib(load_policy_t) +allow load_policy_t self:capability dac_override; + +allow load_policy_t { userdomain privfd initrc_t }:fd use; + +allow load_policy_t fs_t:filesystem getattr; + +allow load_policy_t sysadm_tmp_t:file { getattr write } ; +read_locale(load_policy_t) +r_dir_file(load_policy_t, selinux_config_t) diff --git a/strict/domains/program/loadkeys.te b/strict/domains/program/loadkeys.te new file mode 100644 index 0000000..0959762 --- /dev/null 
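Review bot: in load_policy.te, `allow load_policy_t self:capability dac_override;` has no comment and nothing in the hunk shows which file forces a policy loader run from sysadm_t to bypass DAC mode bits; either name the case in a comment or remove it, since this domain is deliberately kept small ("sysadm_t no longer has this ability"). `role system_r types load_policy_t;` and `allow load_policy_t { userdomain privfd initrc_t }:fd use;` suggest initrc_t is meant to run load_policy at boot, but the only transition in the file is `domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)`; add the initrc_t transition here or say where it lives. "# Read the devpts root directory (needed?)" should be settled against a denial log before the rule ships. Minor: `allow load_policy_t sysadm_tmp_t:file { getattr write } ;` has a space before the terminator and would benefit from a comment stating what is written there (redirected output?).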
+++ b/strict/domains/program/loadkeys.te @@ -0,0 +1,45 @@ +#DESC loadkeys - for changing to unicode at login time +# +# Author: Russell Coker +# +# X-Debian-Packages: console-tools + +# +# loadkeys_exec_t is the type of the wrapper +# +type loadkeys_exec_t, file_type, sysadmfile, exec_type; + +can_exec(initrc_t, loadkeys_exec_t) + +# Derived domain based on the calling user domain and the program. +type loadkeys_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t) + +uses_shlib(loadkeys_t) +dontaudit loadkeys_t proc_t:dir search; +allow loadkeys_t proc_t:file { getattr read }; +allow loadkeys_t self:process { fork sigchld }; + +allow loadkeys_t self:fifo_file rw_file_perms; +allow loadkeys_t bin_t:dir search; +allow loadkeys_t bin_t:lnk_file read; +can_exec(loadkeys_t, { shell_exec_t bin_t }) + +read_locale(loadkeys_t) + +dontaudit loadkeys_t etc_runtime_t:file { getattr read }; + +# Use capabilities. +allow loadkeys_t self:capability { setuid sys_tty_config }; + +allow loadkeys_t local_login_t:fd use; +allow loadkeys_t devtty_t:chr_file rw_file_perms; + +# The user role is authorized for this domain. +in_user_role(loadkeys_t) + +# Write to the user domain tty. +allow loadkeys_t ttyfile:chr_file rw_file_perms; + diff --git a/strict/domains/program/lockdev.te b/strict/domains/program/lockdev.te new file mode 100644 index 0000000..adb2a77 --- /dev/null +++ b/strict/domains/program/lockdev.te @@ -0,0 +1,11 @@ +#DESC Lockdev - libblockdev helper application +# +# Authors: Daniel Walsh +# + + +# Type for the lockdev +type lockdev_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the lockdev_domain macro in +# macros/program/lockdev_macros.te. diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te new file mode 100644 index 0000000..569c755 --- /dev/null +++ b/strict/domains/program/login.te 
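Review bot: in loadkeys.te, `domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)` makes loadkeys_t reachable from every unprivileged user domain, yet the domain gets `self:capability { setuid sys_tty_config }`, `can_exec(loadkeys_t, { shell_exec_t bin_t })` and `allow loadkeys_t ttyfile:chr_file rw_file_perms;`; the last rule is commented "Write to the user domain tty" but ttyfile covers every terminal type on the system, not the caller's. Any user entering a setuid-capable domain that runs a shell, any bin_t program and writes to all ttys is a privilege boundary, so the file needs a comment explaining why loadkeys must spawn a shell and which binaries it runs, and ideally a narrower exec target than all of bin_t. `can_exec(initrc_t, loadkeys_exec_t)` runs the same program in initrc_t with no transition while users get one; a one-line comment on why the boot-time path should stay in initrc_t (or a matching domain_auto_trans from initrc_t) would keep the two paths consistent. In lockdev.te just below, `#DESC Lockdev - libblockdev helper application` looks like a typo for liblockdev.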
@@ -0,0 +1,227 @@ +#DESC Login - Local/remote login utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# Macroised by Russell Coker +# X-Debian-Packages: login +# + +################################# +# +# Rules for the local_login_t domain +# and the remote_login_t domain. +# + +# $1 is the name of the domain (local or remote) +define(`login_domain', ` +type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain; +role system_r types $1_login_t; + +dontaudit $1_login_t shadow_t:file { getattr read }; + +general_domain_access($1_login_t); + +# Read system information files in /proc. +r_dir_file($1_login_t, proc_t) + +base_file_read_access($1_login_t) + +# Read directories and files with the readable_t type. +# This type is a general type for "world"-readable files. +allow $1_login_t readable_t:dir r_dir_perms; +allow $1_login_t readable_t:notdevfile_class_set r_file_perms; + +# Read /var, /var/spool +allow $1_login_t { var_t var_spool_t }:dir search; + +# for when /var/mail is a sym-link +allow $1_login_t var_t:lnk_file read; + +# Read /etc. +allow $1_login_t etc_t:dir r_dir_perms; +allow $1_login_t etc_t:notdevfile_class_set r_file_perms; +allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms; + +read_locale($1_login_t) + +# for SSP/ProPolice +allow $1_login_t urandom_device_t:chr_file { getattr read }; + +# Read executable types. +allow $1_login_t exec_type:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. 
+allow $1_login_t device_t:dir r_dir_perms; +allow $1_login_t device_t:lnk_file r_file_perms; + +uses_shlib($1_login_t); + +tmp_domain($1_login) + +ifdef(`pam.te', ` +can_exec($1_login_t, pam_exec_t) +') + +ifdef(`pamconsole.te', ` +rw_dir_create_file($1_login_t, pam_var_console_t) +') + +# Use capabilities +allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow $1_login_t self:process setrlimit; +dontaudit $1_login_t sysfs_t:dir search; + +# Set exec context. +can_setexec($1_login_t) + +allow $1_login_t autofs_t:dir { search read getattr }; +allow $1_login_t mnt_t:dir r_dir_perms; + +if (use_nfs_home_dirs) { +r_dir_file($1_login_t, nfs_t) +} + +if (use_samba_home_dirs) { +r_dir_file($1_login_t, cifs_t) +} + +# FIXME: what is this for? +ifdef(`xdm.te', ` +allow xdm_t $1_login_t:process signull; +') + +ifdef(`crack.te', ` +allow $1_login_t crack_db_t:file r_file_perms; +') + +# Permit login to search the user home directories. +allow $1_login_t home_root_t:dir search; +allow $1_login_t home_dir_type:dir search; + +# Write to /var/run/utmp. +allow $1_login_t var_run_t:dir search; +allow $1_login_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow $1_login_t var_log_t:dir search; +allow $1_login_t wtmp_t:file rw_file_perms; + +# Write to /var/log/lastlog. +allow $1_login_t lastlog_t:file rw_file_perms; + +# Write to /var/log/btmp +allow $1_login_t faillog_t:file { append read write }; + +# Search for mail spool file. +allow $1_login_t mail_spool_t:dir r_dir_perms; +allow $1_login_t mail_spool_t:file getattr; +allow $1_login_t mail_spool_t:lnk_file read; + +# Get security policy decisions. 
+can_getsecurity($1_login_t) + +# allow read access to default_contexts in /etc/security +allow $1_login_t default_context_t:file r_file_perms; +allow $1_login_t default_context_t:dir search; +r_dir_file($1_login_t, selinux_config_t) + +allow $1_login_t mouse_device_t:chr_file { getattr setattr }; + +ifdef(`targeted_policy',` +unconfined_domain($1_login_t) +domain_auto_trans($1_login_t, shell_exec_t, unconfined_t) +') + +')dnl end login_domain macro +################################# +# +# Rules for the local_login_t domain. +# +# local_login_t is the domain of a login process +# spawned by getty. +# +# remote_login_t is the domain of a login process +# spawned by rlogind. +# +# login_exec_t is the type of the login program +# +type login_exec_t, file_type, sysadmfile, exec_type; + +login_domain(local) + +# But also permit other user domains to be entered by login. +login_spawn_domain(local_login, userdomain) + +# Do not audit denied attempts to access devices. +dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; +dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; +dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; +dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; +dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; +dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; +dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; +dontaudit local_login_t removable_device_t:chr_file { getattr setattr }; +dontaudit local_login_t scanner_device_t:chr_file { getattr setattr }; + +# Do not audit denied attempts to access /mnt. +dontaudit local_login_t mnt_t:dir r_dir_perms; + + +# Create lock file. +allow local_login_t var_lock_t:dir rw_dir_perms; +allow local_login_t var_lock_t:file create_file_perms; + + +# Read and write ttys. 
+allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; +allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; + +# Relabel ttys. +allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; +allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; + +ifdef(`gpm.te', +`allow local_login_t gpmctl_t:sock_file { getattr setattr };') + +# Allow setting of attributes on sound devices. +allow local_login_t sound_device_t:chr_file { getattr setattr }; + +# Allow setting of attributes on power management devices. +allow local_login_t power_device_t:chr_file { getattr setattr }; +dontaudit local_login_t init_t:fd use; + +################################# +# +# Rules for the remote_login_t domain. +# + +login_domain(remote) + +# Only permit unprivileged user domains to be entered via rlogin, +# since very weak authentication is used. +login_spawn_domain(remote_login, unpriv_userdomain) + +allow remote_login_t devpts_t:dir search; +allow remote_login_t userpty_type:chr_file { setattr write }; + +# Use the pty created by rlogind. +ifdef(`rlogind.te', ` +allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms }; + +# Relabel ptys created by rlogind. +allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto }; +') + +# Use the pty created by telnetd. +ifdef(`telnetd.te', ` +allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms }; + +# Relabel ptys created by telnetd. +allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto }; +') + +allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl }; +allow remote_login_t fs_t:filesystem { getattr }; + +# Allow remote login to resolve host names (passed in via the -h switch) +can_resolve(remote_login_t) + diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te new file mode 100644 index 0000000..6340f28 --- /dev/null +++ b/strict/domains/program/logrotate.te 
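Review bot: in login.te the "# FIXME: what is this for?" above `allow xdm_t $1_login_t:process signull;` should be resolved before merge; an unexplained cross-domain rule inside the login_domain macro is instantiated for both local_login_t and remote_login_t. `allow $1_login_t initrc_var_run_t:file rw_file_perms;` under "# Write to /var/run/utmp." gives both login domains read/write on every initrc_t runtime file because utmp shares initrc_var_run_t; a dedicated utmp type would match the wtmp_t, lastlog_t and faillog_t pattern used three rules later. `dontaudit $1_login_t shadow_t:file { getattr read };` is the right choice given the domain carries auth_chkpwd and password checks go through the chkpwd helper rather than login itself, so a comment saying that would stop the next person from turning it into an allow. For remote_login_t, the comment "Only permit unprivileged user domains to be entered via rlogin, since very weak authentication is used" is exactly the kind of rationale the rest of this file is missing; `allow remote_login_t userpty_type:chr_file { setattr write };` would benefit from the same treatment, since it covers every user pty rather than the one rlogind or telnetd handed over (those get explicit rules in the ifdef blocks below it).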
@@ -0,0 +1,145 @@ +#DESC Logrotate - Rotate log files +# +# Authors: Stephen Smalley Timothy Fraser +# Russell Coker +# X-Debian-Packages: logrotate +# Depends: crond.te +# + +################################# +# +# Rules for the logrotate_t domain. +# +# logrotate_t is the domain for the logrotate program. +# logrotate_exec_t is the type of the corresponding program. +# +type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain; +role system_r types logrotate_t; +role sysadm_r types logrotate_t; +uses_shlib(logrotate_t) +general_domain_access(logrotate_t) +type logrotate_exec_t, file_type, sysadmfile, exec_type; + +system_crond_entry(logrotate_exec_t, logrotate_t) +allow logrotate_t cron_spool_t:dir search; +allow crond_t logrotate_var_lib_t:dir search; +domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t) +allow logrotate_t self:unix_stream_socket create_socket_perms; +allow logrotate_t devtty_t:chr_file rw_file_perms; + +ifdef(`distro_debian', ` +allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; +# for savelog +can_exec(logrotate_t, logrotate_exec_t) +') + +# for perl +allow logrotate_t usr_t:file { getattr read ioctl }; +allow logrotate_t usr_t:lnk_file read; + +# access files in /etc +allow logrotate_t etc_t:file { getattr read ioctl }; +allow logrotate_t etc_t:lnk_file { getattr read }; +allow logrotate_t etc_runtime_t:file r_file_perms; + +# it should not require this +allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; + +# create lock files +rw_dir_create_file(logrotate_t, var_lock_t) + +# Create temporary files. +tmp_domain(logrotate) +can_exec(logrotate_t, logrotate_tmp_t) + +# Run helper programs. +allow logrotate_t { bin_t sbin_t }:dir r_dir_perms; +allow logrotate_t { bin_t sbin_t }:lnk_file read; +can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t }) + +# Read PID files. 
+allow logrotate_t pidfile:file r_file_perms; + +# Read /proc/PID directories for all domains. +read_sysctl(logrotate_t) +allow logrotate_t proc_t:dir r_dir_perms; +allow logrotate_t proc_t:{ file lnk_file } r_file_perms; +allow logrotate_t domain:notdevfile_class_set r_file_perms; +allow logrotate_t domain:dir r_dir_perms; +allow logrotate_t exec_type:file getattr; + +# Read /dev directories and any symbolic links. +allow logrotate_t device_t:dir r_dir_perms; +allow logrotate_t device_t:lnk_file r_file_perms; + +# Signal processes. +allow logrotate_t domain:process signal; + +# Modify /var/log and other log dirs. +allow logrotate_t var_t:dir r_dir_perms; +allow logrotate_t logfile:dir rw_dir_perms; +allow logrotate_t logfile:lnk_file read; + +# Create, rename, and truncate log files. +allow logrotate_t logfile:file create_file_perms; +allow logrotate_t wtmp_t:file create_file_perms; +ifdef(`squid.te', ` +allow squid_t { system_crond_t crond_t }:fd use; +allow squid_t crond_t:fifo_file { read write }; +allow squid_t system_crond_t:fifo_file write; +allow squid_t self:capability kill; +') + +# Set a context other than the default one for newly created files. +can_setfscreate(logrotate_t) + +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; +# for mailx +dontaudit logrotate_t self:capability { setuid setgid }; + +ifdef(`mta.te', ` +allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; +') + +# Access /var/run +allow logrotate_t var_run_t:dir r_dir_perms; + +# for /var/lib/logrotate.status and /var/lib/logcheck +var_lib_domain(logrotate) +allow logrotate_t logrotate_var_lib_t:dir create; + +# Write to /var/spool/slrnpull - should be moved into its own type. +create_dir_file(logrotate_t, var_spool_t) + +allow logrotate_t urandom_device_t:chr_file { getattr read }; + +# Access terminals. 
+allow logrotate_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;') +allow logrotate_t privfd:fd use; + +# for /var/backups on Debian +ifdef(`backup.te', ` +rw_dir_create_file(logrotate_t, backup_store_t) +') + +read_locale(logrotate_t) + +allow logrotate_t fs_t:filesystem getattr; +can_exec(logrotate_t, shell_exec_t) +can_exec(logrotate_t, hostname_exec_t) +can_exec(logrotate_t,logfile) +allow logrotate_t net_conf_t:file { getattr read }; + +ifdef(`consoletype.te', ` +can_exec(logrotate_t, consoletype_exec_t) +dontaudit consoletype_t logrotate_t:fd use; +') + +allow logrotate_t syslogd_t:unix_dgram_socket sendto; + +domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t) + +dontaudit logrotate_t selinux_config_t:dir search; + diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te new file mode 100644 index 0000000..75825a3 --- /dev/null +++ b/strict/domains/program/lpd.te 
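Review bot: in logrotate.te, `can_exec(logrotate_t,logfile)` has no comment and is a real hazard: logrotate_t is privowner, holds chown, dac_override, fowner and kill, has `allow logrotate_t domain:process signal;` and `domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)`, so making every file of type logfile a valid executable for it means any daemon that can write its own log can produce something this domain may run, which defeats typing logs separately from executables. Nothing visible here needs it: the config is read as etc_t and scripts run through `can_exec(logrotate_t, shell_exec_t)`. Drop the rule or name the specific program that requires it. The `ifdef(`squid.te', ...)` block sitting under "# Create, rename, and truncate log files." adds permissions for squid_t (fd use on crond, fifo writes, `self:capability kill`) that belong in squid.te beside the rest of squid's policy; at minimum the comment above it no longer describes what follows. The rule marked "# it should not require this" (`allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }`) should be explained (which configuration references a home directory?) or converted to a dontaudit.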
@@ -0,0 +1,161 @@ +#DESC Lpd - Print server +# +# Authors: Stephen Smalley and Timothy Fraser +# Modified by David A. Wheeler for LPRng (Red Hat 7.1) +# Modified by Russell Coker +# X-Debian-Packages: lpr +# + +################################# +# +# Rules for the lpd_t domain. +# +# lpd_t is the domain of lpd. +# lpd_exec_t is the type of the lpd executable. +# printer_t is the type of the Unix domain socket created +# by lpd. +# +type printer_port_t, port_type, reserved_port_type; +daemon_domain(lpd) + +allow lpd_t lpd_var_run_t:sock_file create_file_perms; + +r_dir_file(lpd_t, fonts_t) + +type printer_t, file_type, sysadmfile, dev_fs; + +type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf. + +tmp_domain(lpd); + +# for postscript include files +allow lpd_t usr_t:{ file lnk_file } { getattr read }; + +# Allow checkpc to access the lpd spool so it can check & fix it. +# This requires that /usr/sbin/checkpc have type checkpc_t. +type checkpc_t, domain, privlog; +role system_r types checkpc_t; +uses_shlib(checkpc_t) +can_network_client(checkpc_t) +can_ypbind(checkpc_t) +log_domain(checkpc) +type checkpc_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t) +domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t) +role sysadm_r types checkpc_t; +allow checkpc_t admin_tty_type:chr_file { read write }; +allow checkpc_t privfd:fd use; +ifdef(`crond.te', ` +system_crond_entry(checkpc_exec_t, checkpc_t) +') +allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:process { fork signal_perms }; + +allow checkpc_t proc_t:dir search; +allow checkpc_t proc_t:lnk_file read; +allow checkpc_t proc_t:file { getattr read }; +r_dir_file(checkpc_t, self) +allow checkpc_t self:unix_stream_socket create_socket_perms; + +allow checkpc_t { etc_t etc_runtime_t }:file { getattr read }; +allow checkpc_t etc_t:lnk_file read; + +allow checkpc_t { var_t var_spool_t }:dir { getattr search }; 
+allow checkpc_t print_spool_t:file { rw_file_perms unlink }; +allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr }; +allow checkpc_t device_t:dir search; +allow checkpc_t printer_device_t:chr_file { getattr append }; +allow checkpc_t devtty_t:chr_file rw_file_perms; +allow checkpc_t initrc_devpts_t:chr_file rw_file_perms; + +# Allow access to /dev/console through the fd: +allow checkpc_t init_t:fd use; + +# This is less desirable, but checkpc demands /bin/bash and /bin/chown: +allow checkpc_t { bin_t sbin_t }:dir search; +allow checkpc_t bin_t:lnk_file read; +can_exec(checkpc_t, shell_exec_t) +can_exec(checkpc_t, bin_t) + +# bash wants access to /proc/meminfo +allow lpd_t proc_t:file { getattr read }; + +# gs-gnu wants to read some sysctl entries, it seems to work without though +dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search; + +# for defoma +r_dir_file(lpd_t, var_lib_t) + +allow checkpc_t var_run_t:dir search; +allow checkpc_t lpd_var_run_t:dir { search getattr }; + +# This is needed to permit chown to read /var/spool/lpd/lp. +# This is opens up security more than necessary; this means that ANYTHING +# running in the initrc_t domain can read the printer spool directory. +# Perhaps executing /etc/rc.d/init.d/lpd should transition +# to domain lpd_t, instead of waiting for executing lpd. +allow initrc_t print_spool_t:dir read; + +# for defoma +r_dir_file(lpd_t, readable_t) + +# Use capabilities. +allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; + +# Use the network. +can_network_server(lpd_t) +can_ypbind(lpd_t) +allow lpd_t self:fifo_file rw_file_perms; +allow lpd_t self:unix_stream_socket create_stream_socket_perms; +allow lpd_t self:unix_dgram_socket create_socket_perms; + +allow lpd_t self:file { getattr read }; +allow lpd_t etc_runtime_t:file { getattr read }; + +# Bind to the printer port. +allow lpd_t printer_port_t:tcp_socket name_bind; + +# Send to portmap. 
+ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)') + +ifdef(`ypbind.te', +`# Connect to ypbind. +can_tcp_connect(lpd_t, ypbind_t)') + +# Create and bind to /dev/printer. +file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file) +allow lpd_t printer_t:unix_stream_socket name_bind; +allow lpd_t printer_t:unix_dgram_socket name_bind; +allow lpd_t printer_device_t:chr_file rw_file_perms; + +# Write to /var/spool/lpd. +allow lpd_t var_spool_t:dir search; +allow lpd_t print_spool_t:dir rw_dir_perms; +allow lpd_t print_spool_t:file create_file_perms; +allow lpd_t print_spool_t:file rw_file_perms; + +# Execute filter scripts. +# can_exec(lpd_t, print_spool_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +allow lpd_t bin_t:dir search; +allow lpd_t bin_t:lnk_file read; +can_exec(lpd_t, { bin_t sbin_t shell_exec_t }) + +# lpd must be able to execute the filter utilities in /usr/share/printconf. +can_exec(lpd_t, printconf_t) +allow lpd_t printconf_t:file rx_file_perms; +allow lpd_t printconf_t:dir { getattr search read }; + +# config files for lpd are of type etc_t, probably should change this +allow lpd_t etc_t:file { getattr read }; +allow lpd_t etc_t:lnk_file read; + +# checkpc needs similar permissions. +allow checkpc_t printconf_t:file getattr; +allow checkpc_t printconf_t:dir { getattr search read }; + +# Read printconf files. +allow initrc_t printconf_t:dir r_dir_perms; +allow initrc_t printconf_t:file r_file_perms; + diff --git a/strict/domains/program/lpr.te b/strict/domains/program/lpr.te new file mode 100644 index 0000000..d8ec0c0 --- /dev/null +++ b/strict/domains/program/lpr.te @@ -0,0 +1,12 @@ +#DESC Lpr - Print client +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: lpr lprng +# + + +# Type for the lpr, lpq, and lprm executables. +type lpr_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the lpr_domain macro in +# macros/program/lpr_macros.te. 
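Review bot: in lpd.te the rule "allow lpd_t print_spool_t:file rw_file_perms;" immediately below "allow lpd_t print_spool_t:file create_file_perms;" is redundant, because create_file_perms already contains the read/write permissions; drop the second line. In the same hunk the rules commented "# bash wants access to /proc/meminfo" and "# for defoma" grant to lpd_t but are placed in the middle of the checkpc_t block (between "can_exec(checkpc_t, bin_t)" and "allow checkpc_t var_run_t:dir search;"), so either the comment or the target domain is wrong; move them to the lpd_t section or correct the domain. The author's own comment on "allow initrc_t print_spool_t:dir read;" says it opens the spool directory to everything running as initrc_t; if the intended fix is a transition to lpd_t from the init script, record that as a TODO in the file header rather than shipping the wide rule silently. Style: "tmp_domain(lpd);" carries a trailing semicolon that no other macro call in the file has; remove it for consistency with "daemon_domain(lpd)" above.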
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te new file mode 100644 index 0000000..f2cf061 --- /dev/null +++ b/strict/domains/program/lvm.te 
@@ -0,0 +1,124 @@ +#DESC LVM - Linux Volume Manager +# +# Author: Michael Kaufman +# X-Debian-Packages: lvm10 lvm2 lvm-common +# + +################################# +# +# Rules for the lvm_t domain. +# +# lvm_t is the domain for LVM administration. +# lvm_exec_t is the type of the corresponding programs. +# lvm_etc_t is for read-only LVM configuration files. +# lvm_metadata_t is the type of LVM metadata files in /etc that are +# modified at runtime. +# +type lvm_vg_t, file_type, sysadmfile; +type lvm_metadata_t, file_type, sysadmfile; +type lvm_control_t, device_type, dev_fs; +etcdir_domain(lvm) +allow lvm_t var_t:dir search; +lock_domain(lvm) +allow lvm_t lvm_lock_t:dir rw_dir_perms; + +# needs privowner because it assigns the identity system_u to device nodes +# but runs as the identity of the sysadmin +daemon_base_domain(lvm, `, fs_domain, privowner') +role sysadm_r types lvm_t; +domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t) + +# LVM will complain a lot if it cannot set its priority. +allow lvm_t self:process setsched; + +allow lvm_t self:fifo_file rw_file_perms; +allow lvm_t self:unix_dgram_socket create_socket_perms; + +r_dir_file(lvm_t, proc_t) +allow lvm_t self:file r_file_perms; + +# Read system variables in /proc/sys +read_sysctl(lvm_t) + +# Read /sys/block. Device mapper metadata is kept there. +r_dir_file(lvm_t, sysfs_t) + +allow lvm_t fs_t:filesystem getattr; + +# Read configuration files in /etc. 
+allow lvm_t { etc_t etc_runtime_t }:file { getattr read }; + +# LVM creates block devices in /dev/mapper or /dev/ +# depending on its version +file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file) + +# LVM(2) needs to create directores (/dev/mapper, /dev/) +# and links from /dev/ to /dev/mapper/- +allow lvm_t device_t:dir create_dir_perms; +allow lvm_t device_t:lnk_file create_lnk_perms; + +# /lib/lvm- holds the actual LVM binaries (and symlinks) +allow lvm_t lvm_exec_t:dir search; +allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms; + +tmp_domain(lvm) +allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; + +# DAC overrides and mknod for modifying /dev entries (vgmknodes) +allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod }; + +# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d +file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file) + +allow lvm_t lvm_metadata_t:dir rw_dir_perms; + +# Inherit and use descriptors from init. +allow lvm_t init_t:fd use; + +# LVM is split into many individual binaries +can_exec(lvm_t, lvm_exec_t) + +# Access raw devices and old /dev/lvm (c 109,0). Is this needed? +allow lvm_t fixed_disk_device_t:chr_file create_file_perms; + +# relabel devices +allow lvm_t { default_context_t file_context_t }:dir search; +allow lvm_t file_context_t:file { getattr read }; +can_getsecurity(lvm_t) +allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; +allow lvm_t device_t:lnk_file { relabelfrom relabelto }; + +# Access terminals. +allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow lvm_t devtty_t:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;') +allow lvm_t privfd:fd use; +allow lvm_t devpts_t:dir { search getattr read }; + +read_locale(lvm_t) + +# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... 
+dontaudit lvm_t device_type:{ chr_file blk_file } getattr; +dontaudit lvm_t ttyfile:chr_file getattr; +dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr; +dontaudit lvm_t devpts_t:dir { getattr read }; + +ifdef(`gpm.te', ` +dontaudit lvm_t gpmctl_t:sock_file getattr; +') +dontaudit lvm_t initctl_t:fifo_file getattr; +allow lvm_t sbin_t:dir search; +dontaudit lvm_t sbin_t:file getattr; +allow lvm_t lvm_control_t:chr_file rw_file_perms; +allow initrc_t lvm_control_t:chr_file { getattr read unlink }; +allow initrc_t device_t:chr_file create; +dontaudit lvm_t var_run_t:dir getattr; + +# for when /usr is not mounted +dontaudit lvm_t file_t:dir search; + +allow lvm_t tmpfs_t:dir r_dir_perms; +r_dir_file(lvm_t, selinux_config_t) + +# it has no reason to need this +dontaudit lvm_t proc_kcore_t:file getattr; diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te new file mode 100644 index 0000000..588459a --- /dev/null +++ b/strict/domains/program/mailman.te 
@@ -0,0 +1,110 @@ +#DESC Mailman - GNU Mailman mailing list manager +# +# Author: Russell Coker +# X-Debian-Packages: mailman + +type mailman_data_t, file_type, sysadmfile; +type mailman_archive_t, file_type, sysadmfile; + +type mailman_log_t, file_type, sysadmfile, logfile; +type mailman_lock_t, file_type, sysadmfile, lockfile; + +define(`mailman_domain', ` +type mailman_$1_t, domain, privlog $2; +type mailman_$1_exec_t, file_type, sysadmfile, exec_type; +role system_r types mailman_$1_t; +file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file) +allow mailman_$1_t mailman_log_t:dir rw_dir_perms; +create_dir_file(mailman_$1_t, mailman_data_t) +uses_shlib(mailman_$1_t) +can_exec_any(mailman_$1_t) +read_sysctl(mailman_$1_t) +allow mailman_$1_t proc_t:dir search; +allow mailman_$1_t proc_t:file { read getattr }; +allow mailman_$1_t var_lib_t:dir r_dir_perms; +allow mailman_$1_t var_lib_t:lnk_file read; +allow mailman_$1_t device_t:dir search; +allow mailman_$1_t etc_runtime_t:file { read getattr }; +read_locale(mailman_$1_t) +file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) +allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; +allow mailman_$1_t fs_t:filesystem getattr; +can_network(mailman_$1_t) +can_ypbind(mailman_$1_t) +allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; +allow mailman_$1_t var_t:dir r_dir_perms; +tmp_domain(mailman_$1) +') + +mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') +can_tcp_connect(mailman_queue_t, mail_server_domain) + +can_exec(mailman_queue_t, su_exec_t) +allow mailman_queue_t self:capability { setgid setuid }; +allow mailman_queue_t self:fifo_file rw_file_perms; +dontaudit mailman_queue_t var_run_t:dir search; +allow mailman_queue_t proc_t:lnk_file { getattr read }; + +# for su +dontaudit mailman_queue_t selinux_config_t:dir search; +allow mailman_queue_t self:dir search; +allow mailman_queue_t self:file { getattr read }; +allow mailman_queue_t 
self:unix_dgram_socket create_socket_perms; +allow mailman_queue_t self:lnk_file { getattr read }; + +# some of the following could probably be changed to dontaudit, someone who +# knows mailman well should test this out and send the changes +allow mailman_queue_t sysadm_home_dir_t:dir { getattr search }; + +mailman_domain(mail) +dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write }; +allow mailman_mail_t mta_delivery_agent:fd use; +ifdef(`qmail.te', ` +allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; +# do we really need this? +allow mailman_mail_t qmail_lspawn_t:fifo_file write; +') + +create_dir_file(mailman_queue_t, mailman_archive_t) + +ifdef(`apache.te', ` +mailman_domain(cgi) +can_tcp_connect(mailman_cgi_t, mail_server_domain) + +domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) +# should have separate types for public and private archives +r_dir_file(httpd_t, mailman_archive_t) +create_dir_file(mailman_cgi_t, mailman_archive_t) +allow httpd_t mailman_data_t:dir { getattr search }; + +dontaudit mailman_cgi_t httpd_log_t:file append; +allow httpd_t mailman_cgi_t:process signal; +allow mailman_cgi_t httpd_t:process sigchld; +allow mailman_cgi_t httpd_t:fd use; +allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl }; +allow mailman_cgi_t httpd_sys_script_t:dir search; +allow mailman_cgi_t devtty_t:chr_file { read write }; +allow mailman_cgi_t self:process { fork sigchld }; +allow mailman_cgi_t var_spool_t:dir search; +') + +allow mta_delivery_agent mailman_data_t:dir search; +allow mta_delivery_agent mailman_data_t:lnk_file read; +domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) +ifdef(`direct_sysadm_daemon', ` +domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) +') +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; + +system_crond_entry(mailman_queue_exec_t, mailman_queue_t) +allow mailman_queue_t devtty_t:chr_file { 
read write }; +allow mailman_queue_t self:process { fork signal sigchld }; +allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; + +# so MTA can access /var/lib/mailman/mail/wrapper +allow mta_delivery_agent var_lib_t:dir search; + +# Handle mailman log files +rw_dir_create_file(logrotate_t, mailman_log_t) +allow logrotate_t mailman_data_t:dir search; +can_exec(logrotate_t, mailman_mail_exec_t) diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te new file mode 100644 index 0000000..91de77c --- /dev/null +++ b/strict/domains/program/mdadm.te @@ -0,0 +1,43 @@ +#DESC mdadm - Linux RAID tool +# +# Author: Colin Walters +# + +daemon_base_domain(mdadm, `, fs_domain') +role sysadm_r types mdadm_t; + +allow initrc_t mdadm_var_run_t:file create_file_perms; + +# Kernel filesystem permissions +r_dir_file(mdadm_t, proc_t) +allow mdadm_t proc_mdstat_t:file rw_file_perms; +read_sysctl(mdadm_t) +r_dir_file(mdadm_t, sysfs_t) + +# Configuration +allow mdadm_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale(mdadm_t) + +# Linux capabilities +allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; + +# Helper program access +can_exec(mdadm_t, { bin_t sbin_t }) + +# RAID block device access +allow mdadm_t fixed_disk_device_t:blk_file create_file_perms; +allow mdadm_t device_t:lnk_file { getattr read }; + +# Ignore attempts to read every device file +dontaudit mdadm_t device_type:{ chr_file blk_file } getattr; +dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr }; +dontaudit mdadm_t devpts_t:dir r_dir_perms; + +# Ignore attempts to read/write sysadmin tty +dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms; + +# Other random ignores +dontaudit mdadm_t tmpfs_t:dir r_dir_perms; +dontaudit mdadm_t initctl_t:fifo_file getattr; +var_run_domain(mdadm) +allow mdadm_t var_t:dir { getattr search }; 
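Review bot: in mdadm.te, "allow initrc_t mdadm_var_run_t:file create_file_perms;" near the top references mdadm_var_run_t, but the "var_run_domain(mdadm)" call that declares that type is the second-to-last line of the file; checkpolicy collects declarations before it processes rules, so this compiles, but moving "var_run_domain(mdadm)" up beside "daemon_base_domain(mdadm, `, fs_domain')" makes the dependency visible to the reader. Also "can_exec(mdadm_t, { bin_t sbin_t })" under "# Helper program access" lets a domain that holds sys_admin and has create rights on fixed_disk_device_t block devices execute anything in /bin and /sbin; if only one helper is needed, give it a type and name that instead.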
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te new file mode 100644 index 0000000..4643be1 --- /dev/null +++ b/strict/domains/program/modutil.te 
@@ -0,0 +1,232 @@ +#DESC Modutil - Dynamic module utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: modutils +# + +################################# +# +# Rules for the module utility domains. +# +type modules_dep_t, file_type, sysadmfile; +type modules_conf_t, file_type, sysadmfile; +type modules_object_t, file_type, sysadmfile; + + +ifdef(`IS_INITRD', `', ` +################################# +# +# Rules for the depmod_t domain. +# +type depmod_t, domain; +role system_r types depmod_t; +role sysadm_r types depmod_t; + +uses_shlib(depmod_t) + +r_dir_file(depmod_t, src_t) + +type depmod_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) +allow depmod_t { bin_t sbin_t }:dir search; +can_exec(depmod_t, depmod_exec_t) +domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) + +# Inherit and use descriptors from init and login programs. +allow depmod_t { init_t privfd }:fd use; + +allow depmod_t { etc_t etc_runtime_t }:file { getattr read }; +allow depmod_t { device_t proc_t }:dir search; +allow depmod_t proc_t:file { getattr read }; +allow depmod_t fs_t:filesystem getattr; + +# read system.map +allow depmod_t boot_t:dir search; +allow depmod_t boot_t:file { getattr read }; +allow depmod_t system_map_t:file { getattr read }; + +# Read conf.modules. +allow depmod_t modules_conf_t:file r_file_perms; + +# Create modules.dep. +file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) + +# Read module objects. +allow depmod_t modules_object_t:dir r_dir_perms; +allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; + +# Access terminals. +allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') + +# Read System.map from home directories. 
+allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; +r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) +')dnl end IS_INITRD + +################################# +# +# Rules for the insmod_t domain. +# + +type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ) +; +role system_r types insmod_t; +role sysadm_r types insmod_t; + +ifdef(`unlimitedUtils', ` +unconfined_domain(insmod_t) +') +can_ypbind(insmod_t) +uses_shlib(insmod_t) +read_locale(insmod_t) + +# for SSP +allow insmod_t urandom_device_t:chr_file read; +allow insmod_t lib_t:file { getattr read }; + +allow insmod_t { bin_t sbin_t }:dir search; +allow insmod_t { bin_t sbin_t }:lnk_file read; + +allow insmod_t self:dir search; +allow insmod_t self:lnk_file read; + +allow insmod_t usr_t:file { getattr read }; + +allow insmod_t privfd:fd use; +allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write }; +ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') + +allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; + +allow insmod_t sound_device_t:chr_file { read ioctl write }; +allow insmod_t zero_device_t:chr_file read; +allow insmod_t memory_device_t:chr_file rw_file_perms; + +# Read module config and dependency information +allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; + +# Read module objects. 
+r_dir_file(insmod_t, modules_object_t) +# for locking +allow insmod_t modules_object_t:file write; + +allow insmod_t { var_t var_log_t }:dir search; +ifdef(`xserver.te', ` +allow insmod_t xserver_log_t:file getattr; +') +rw_dir_create_file(insmod_t, var_log_ksyms_t) +allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; + +allow insmod_t self:udp_socket create_socket_perms; +allow insmod_t self:unix_dgram_socket create_socket_perms; +allow insmod_t self:unix_stream_socket create_stream_socket_perms; +allow insmod_t self:rawip_socket create_socket_perms; +allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config }; +allow insmod_t domain:process signal; +allow insmod_t self:process { fork signal_perms }; +allow insmod_t device_t:dir search; +allow insmod_t etc_runtime_t:file { getattr read }; + +# for loading modules at boot time +allow insmod_t { init_t initrc_t }:fd use; +allow insmod_t initrc_t:fifo_file { getattr read write }; + +allow insmod_t fs_t:filesystem getattr; +allow insmod_t sysfs_t:dir search; +allow insmod_t { usbfs_t usbdevfs_t }:dir search; +allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount; + +# Rules for /proc/sys/kernel/tainted +read_sysctl(insmod_t) +allow insmod_t proc_t:dir search; +allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; + +allow insmod_t proc_t:file { getattr read }; +allow insmod_t proc_t:lnk_file read; + +# Write to /proc/mtrr. +allow insmod_t mtrr_device_t:file write; + +# Read /proc/sys/kernel/hotplug. 
+allow insmod_t sysctl_hotplug_t:file read; + +allow insmod_t device_t:dir read; +allow insmod_t devpts_t:dir { getattr search }; + +type insmod_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(privmodule, insmod_exec_t, insmod_t) +can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) +allow insmod_t devtty_t:chr_file rw_file_perms; +allow update_modules_t devpts_t:dir search; +allow insmod_t privmodule:process sigchld; +dontaudit sysadm_t self:capability sys_module; + +ifdef(`mount.te', ` +# Run mount in the mount_t domain. +domain_auto_trans(insmod_t, mount_exec_t, mount_t) +') +# for when /var is not mounted early in the boot +dontaudit insmod_t file_t:dir search; + +# for nscd +dontaudit insmod_t var_run_t:dir search; + +ifdef(`crond.te', ` +rw_dir_create_file(system_crond_t, var_log_ksyms_t) +') + +ifdef(`IS_INITRD', `', ` +################################# +# +# Rules for the update_modules_t domain. +# +type update_modules_t, domain, privlog; +type update_modules_exec_t, file_type, exec_type, sysadmfile; + +role system_r types update_modules_t; +role sysadm_r types update_modules_t; + +domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) +allow update_modules_t privfd:fd use; +allow update_modules_t init_t:fd use; + +allow update_modules_t device_t:dir { getattr search }; +allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; +allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow update_modules_t devpts_t:dir search; + +can_exec(update_modules_t, insmod_exec_t) +allow update_modules_t urandom_device_t:chr_file { getattr read }; + +dontaudit update_modules_t sysadm_home_dir_t:dir search; + +uses_shlib(update_modules_t) +read_locale(update_modules_t) +allow update_modules_t lib_t:file { getattr read }; +allow update_modules_t self:process { fork sigchld }; +allow update_modules_t self:fifo_file rw_file_perms; +allow update_modules_t self:file { 
getattr read }; +allow update_modules_t modules_dep_t:file rw_file_perms; +file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file) +domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) +can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t }) +allow update_modules_t { sbin_t bin_t }:lnk_file read; +allow update_modules_t { sbin_t bin_t }:dir search; +allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms; +allow update_modules_t etc_t:lnk_file read; +allow update_modules_t fs_t:filesystem getattr; + +allow update_modules_t proc_t:dir search; +allow update_modules_t proc_t:file r_file_perms; +allow update_modules_t { self proc_t }:lnk_file read; +read_sysctl(update_modules_t) +allow update_modules_t self:dir search; +allow update_modules_t self:unix_stream_socket create_socket_perms; + +file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) + +tmp_domain(update_modules) +')dnl end IS_INITRD + + diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te new file mode 100644 index 0000000..e79168b --- /dev/null +++ b/strict/domains/program/mount.te 
@@ -0,0 +1,110 @@ +#DESC Mount - Filesystem mount utilities +# +# Macros for mount +# +# Author: Brian May +# X-Debian-Packages: mount +# +# based on the work of: +# Mark Westerman mark.westerman@csoconline.com +# + +type mount_exec_t, file_type, sysadmfile, exec_type; + +mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain') +mount_loopback_privs(sysadm, mount) +role sysadm_r types mount_t; +role system_r types mount_t; + +allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write }; + +domain_auto_trans(initrc_t, mount_exec_t, mount_t) +allow mount_t init_t:fd use; +allow mount_t privfd:fd use; + +allow mount_t self:capability { ipc_lock dac_override }; +allow mount_t self:process { fork signal_perms }; + +allow mount_t file_type:dir search; + +# Access disk devices. +allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms; +allow mount_t removable_device_t:devfile_class_set rw_file_perms; +allow mount_t device_t:lnk_file read; + +# for when /etc/mtab loses its type +allow mount_t file_t:file { getattr read unlink }; + +# Mount, remount and unmount file systems. 
+allow mount_t fs_type:filesystem mount_fs_perms; +allow mount_t default_t:dir mounton; +allow mount_t file_t:dir mounton; +allow mount_t usr_t:dir mounton; +allow mount_t var_t:dir mounton; +allow mount_t proc_t:dir mounton; +allow mount_t root_t:dir mounton; +allow mount_t home_root_t:dir mounton; +allow mount_t tmp_t:dir mounton; +allow mount_t mnt_t:dir mounton; +allow mount_t devpts_t:dir mounton; +allow mount_t usbdevfs_t:dir mounton; +allow mount_t sysfs_t:dir mounton; +allow mount_t nfs_t:dir mounton; +allow mount_t nfs_t:dir search; +# nfsv4 has a filesystem to mount for its userspace daemons +allow mount_t var_lib_nfs_t:dir mounton; + +# On some RedHat systems, /boot is a mount point +allow mount_t boot_t:dir mounton; +allow mount_t device_t:dir mounton; +# mount binfmt_misc on /proc/sys/fs/binfmt_misc +allow mount_t sysctl_t:dir { mounton search }; + +allow mount_t root_t:filesystem unmount; + +ifdef(`portmap.te', ` +# for nfs +can_network(mount_t) +can_ypbind(mount_t) +allow mount_t port_t:{ tcp_socket udp_socket } name_bind; +allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +can_udp_send(mount_t, portmap_t) +can_udp_send(portmap_t, mount_t) +allow mount_t rpc_pipefs_t:dir search; +') +dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind; + +# +# required for mount.smbfs +# +allow mount_t sbin_t:lnk_file { getattr read }; + +rhgb_domain(mount_t) + +# for localization +allow mount_t lib_t:file { getattr read }; +allow mount_t autofs_t:dir read; +allow mount_t fs_t:filesystem relabelfrom; +# +# This rule needs to be generalized. Only admin, initrc should have it. 
+# +allow mount_t file_type:filesystem { unmount mount relabelto }; + +allow mount_t mnt_t:dir getattr; +dontaudit mount_t kernel_t:fd use; +allow mount_t userdomain:fd use; +can_exec(mount_t, { sbin_t bin_t }) +allow mount_t device_t:dir r_dir_perms; +ifdef(`distro_redhat', ` +allow mount_t tmpfs_t:chr_file { read write }; +allow mount_t tmpfs_t:dir mounton; +') + + +# tries to read /init +dontaudit mount_t root_t:file { getattr read }; + +allow kernel_t mount_t:tcp_socket { read write }; +allow mount_t self:capability { setgid setuid }; +allow user_t mount_t:tcp_socket write; +allow mount_t proc_t:lnk_file read; diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te new file mode 100644 index 0000000..3761e0d --- /dev/null +++ b/strict/domains/program/mozilla.te @@ -0,0 +1,18 @@ +#DESC Netscape - Web browser +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: mozilla +# + +# Type for the netscape, mozilla or other browser executables. +type mozilla_exec_t, file_type, sysadmfile, exec_type; +type mozilla_conf_t, file_type, sysadmfile; + +# Allow mozilla to read files in the user home directory +bool mozilla_readhome false; + +# Allow mozilla to write files in the user home directory +bool mozilla_writehome false; + +# Everything else is in the mozilla_domain macro in +# macros/program/mozilla_macros.te. diff --git a/strict/domains/program/mplayer.te b/strict/domains/program/mplayer.te new file mode 100644 index 0000000..194c807 --- /dev/null +++ b/strict/domains/program/mplayer.te @@ -0,0 +1,15 @@ +#DESC mplayer - media player +# +# Author: Ivan Gyurdiev +# + +# Type for the mplayer executable. +type mplayer_exec_t, file_type, exec_type, sysadmfile; +type mencoder_exec_t, file_type, exec_type, sysadmfile; +type mplayer_etc_t, file_type, sysadmfile; + +# Allow mplayer executable stack +bool allow_mplayer_execstack false; + +# Everything else is in the mplayer_domain macro in +# macros/program/mplayer_macros.te. 
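Review bot: in mount.te the rule "allow mount_t file_type:filesystem { unmount mount relabelto };" lands with the comment "# This rule needs to be generalized. Only admin, initrc should have it." still attached, which leaves mount_t able to mount, unmount and relabel any filesystem whose type carries the file_type attribute regardless of which role invoked it; either restrict it now or track the TODO in the file header rather than inline. The two socket rules at the end, "allow kernel_t mount_t:tcp_socket { read write };" and "allow user_t mount_t:tcp_socket write;", have no comment explaining why an unprivileged user domain needs write access to mount's TCP sockets; if this is the NFS case, say so and consider guarding them with the same "ifdef(`portmap.te', ...)" block that holds the other NFS rules. Minor: the capabilities are split between "allow mount_t self:capability { ipc_lock dac_override };" near the top and "allow mount_t self:capability { setgid setuid };" at the bottom; merge them into one rule.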
diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te new file mode 100644 index 0000000..112b94d --- /dev/null +++ b/strict/domains/program/mrtg.te 
@@ -0,0 +1,98 @@ +#DESC MRTG - Network traffic graphing +# +# Author: Russell Coker +# X-Debian-Packages: mrtg +# + +################################# +# +# Rules for the mrtg_t domain. +# +# mrtg_exec_t is the type of the mrtg executable. +# +daemon_base_domain(mrtg) + +allow mrtg_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(mrtg_exec_t, mrtg_t) +allow system_crond_t mrtg_log_t:dir rw_dir_perms; +allow system_crond_t mrtg_log_t:file { create append getattr }; +') + +allow mrtg_t usr_t:{ file lnk_file } { getattr read }; +dontaudit mrtg_t usr_t:file ioctl; + +logdir_domain(mrtg) +etcdir_domain(mrtg) +typealias mrtg_etc_t alias etc_mrtg_t; +type var_lib_mrtg_t, file_type, sysadmfile; +type mrtg_lock_t, file_type, sysadmfile, lockfile; +r_dir_file(mrtg_t, lib_t) + +# Use the network. +can_network_client(mrtg_t) +can_ypbind(mrtg_t) + +allow mrtg_t self:fifo_file { getattr read write ioctl }; +allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms; +allow mrtg_t urandom_device_t:chr_file { getattr read }; +allow mrtg_t self:unix_stream_socket create_socket_perms; +ifdef(`apache.te', ` +rw_dir_create_file(mrtg_t, httpd_sys_content_t) +') + +can_exec(mrtg_t, { shell_exec_t bin_t sbin_t }) +allow mrtg_t { bin_t sbin_t }:dir { getattr search }; +allow mrtg_t bin_t:lnk_file read; +allow mrtg_t var_t:dir { getattr search }; + +ifdef(`snmpd.te', ` +can_udp_send(mrtg_t, snmpd_t) +can_udp_send(snmpd_t, mrtg_t) +r_dir_file(mrtg_t, snmpd_var_lib_t) +') + +allow mrtg_t proc_net_t:dir search; +allow mrtg_t { proc_t proc_net_t }:file { read getattr }; +dontaudit mrtg_t proc_t:file ioctl; + +allow mrtg_t { var_lock_t var_lib_t }:dir search; +rw_dir_create_file(mrtg_t, var_lib_mrtg_t) +rw_dir_create_file(mrtg_t, mrtg_lock_t) +ifdef(`distro_redhat', ` +file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) +') + +# read config files +allow mrtg_t etc_t:file { read getattr }; +dontaudit mrtg_t mrtg_etc_t:dir write; +dontaudit mrtg_t mrtg_etc_t:file 
{ write ioctl }; +read_locale(mrtg_t) + +# for /.autofsck +dontaudit mrtg_t root_t:file getattr; + +dontaudit mrtg_t security_t:dir getattr; + +read_sysctl(mrtg_t) + +# for uptime +allow mrtg_t var_run_t:dir search; +allow mrtg_t initrc_var_run_t:file read; +dontaudit mrtg_t initrc_var_run_t:file { write lock }; +allow mrtg_t etc_runtime_t:file { getattr read }; + +allow mrtg_t tmp_t:dir getattr; + +# should not need this! +dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; +dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; +ifdef(`quota.te', ` +dontaudit mrtg_t quota_db_t:file getattr; +') +dontaudit mrtg_t root_t:lnk_file getattr; + +allow mrtg_t self:capability { setgid setuid }; +can_exec(mrtg_t, hostname_exec_t) +allow mrtg_t var_spool_t:dir search; diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te new file mode 100644 index 0000000..096c734 --- /dev/null +++ b/strict/domains/program/mta.te 
@@ -0,0 +1,84 @@ +#DESC MTA - Mail agents +# +# Author: Russell Coker +# X-Debian-Packages: postfix exim sendmail sendmail-wide +# +# policy for all mail servers, including allowing user to send mail from the +# command-line and for cron jobs to use sendmail -t + +# +# sendmail_exec_t is the type of /usr/sbin/sendmail +# +# define sendmail_exec_t if sendmail.te does not do it for us +ifdef(`sendmail.te', `', ` +type sendmail_exec_t, file_type, exec_type, sysadmfile; +') +type smtp_port_t, port_type, reserved_port_type; + + +# create a system_mail_t domain for daemons, init scripts, etc when they run +# "mail user@domain" +mail_domain(system) + +ifdef(`targeted_policy', ` +# rules are currently defined in sendmail.te, but it is not included in +# targeted policy. We could move these rules permanantly here. +ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') +allow system_mail_t self:dir { search }; +r_dir_file(system_mail_t, { proc_t proc_net_t }) +allow system_mail_t fs_t:filesystem getattr; +allow system_mail_t { var_t var_spool_t }:dir getattr; +create_dir_file(system_mail_t, mqueue_spool_t) +create_dir_file(system_mail_t, mail_spool_t) +allow system_mail_t mail_spool_t:fifo_file rw_file_perms; +allow system_mail_t etc_mail_t:file { getattr read }; +', ` +ifdef(`sendmail.te', ` +# sendmail has an ugly design, the one process parses input from the user and +# then does system things with it. 
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t) +', ` +domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t) +') +allow initrc_t sendmail_exec_t:lnk_file { getattr read }; + +# allow the sysadmin to do "mail someone < /home/user/whatever" +allow sysadm_mail_t user_home_dir_type:dir search; +r_dir_file(sysadm_mail_t, user_home_type) +') +# for a mail server process that does things in response to a user command +allow mta_user_agent userdomain:process sigchld; +allow mta_user_agent { userdomain privfd }:fd use; +ifdef(`crond.te', ` +allow mta_user_agent crond_t:process sigchld; +') +allow mta_user_agent sysadm_t:fifo_file { read write }; + +allow { system_mail_t mta_user_agent } privmail:fd use; +allow { system_mail_t mta_user_agent } privmail:process sigchld; +allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; +allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; + +ifdef(`arpwatch.te', ` +# why is mail delivered to a directory of type arpwatch_data_t? +allow mta_delivery_agent arpwatch_data_t:dir search; +allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; +ifdef(`hide_broken_symptoms', ` +dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; +') +')dnl end if arpwatch.te + +allow mta_delivery_agent home_root_t:dir { getattr search }; + +# for /var/spool/mail +ra_dir_create_file(mta_delivery_agent, mail_spool_t) + +# for piping mail to a command +can_exec(mta_delivery_agent, shell_exec_t) +allow mta_delivery_agent bin_t:dir search; +allow mta_delivery_agent bin_t:lnk_file read; +allow mta_delivery_agent devtty_t:chr_file rw_file_perms; +allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read }; + +allow system_mail_t etc_runtime_t:file { getattr read }; +allow system_mail_t urandom_device_t:chr_file read; diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te new file mode 100644 index 0000000..84934de 
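Review bot: in mta.te, the `targeted_policy` branch line `ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')` lets system_mail_t execute every executable type on the system whenever postfix.te is absent, and the comment above it describes the rules as lifted from sendmail.te as a stopgap. Scope this to the MTA binaries (sendmail_exec_t plus whatever shell_exec_t or bin_t access is really needed) before merging, or record it explicitly as a TODO. Separately, the `arpwatch.te` block carries an unresolved question (`# why is mail delivered to a directory of type arpwatch_data_t?`) while still granting `rw_file_perms` on arpwatch_tmp_t; a rule whose justification is an open question should be either explained or turned into a dontaudit under `hide_broken_symptoms`.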
--- /dev/null +++ b/strict/domains/program/mysqld.te 
@@ -0,0 +1,92 @@ +#DESC Mysqld - Database server +# +# Author: Russell Coker +# X-Debian-Packages: mysql-server +# + +################################# +# +# Rules for the mysqld_t domain. +# +# mysqld_exec_t is the type of the mysqld executable. +# +daemon_domain(mysqld) + +type mysqld_port_t, port_type; +allow mysqld_t mysqld_port_t:tcp_socket name_bind; + +allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; + +etcdir_domain(mysqld) +typealias mysqld_etc_t alias etc_mysqld_t; +type mysqld_db_t, file_type, sysadmfile; + +log_domain(mysqld) + +# for temporary tables +tmp_domain(mysqld) + +allow mysqld_t usr_t:file { getattr read }; + +allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:unix_stream_socket create_stream_socket_perms; +allow initrc_t mysqld_t:unix_stream_socket connectto; +allow initrc_t mysqld_var_run_t:sock_file write; + +allow initrc_t mysqld_log_t:file { write append setattr ioctl }; + +allow mysqld_t self:capability { dac_override setgid setuid net_bind_service }; +allow mysqld_t self:process getsched; + +allow mysqld_t proc_t:file { getattr read }; + +# Allow access to the mysqld databases +create_dir_file(mysqld_t, mysqld_db_t) +allow mysqld_t var_lib_t:dir { getattr search }; + +can_network_server(mysqld_t) +can_ypbind(mysqld_t) + +# read config files +r_dir_file(initrc_t, mysqld_etc_t) +allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; + +allow mysqld_t etc_t:dir search; + +read_sysctl(mysqld_t) + +can_unix_connect(sysadm_t, mysqld_t) + +# for /root/.my.cnf - should not be needed +allow mysqld_t sysadm_home_dir_t:dir search; +allow mysqld_t sysadm_home_t:file { read getattr }; + +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, mysqld_etc_t) +allow logrotate_t mysqld_db_t:dir search; +allow logrotate_t mysqld_var_run_t:dir search; +allow logrotate_t mysqld_var_run_t:sock_file write; +can_unix_connect(logrotate_t, mysqld_t) +') + +ifdef(`daemontools.te', ` +domain_auto_trans( svc_run_t, 
mysqld_exec_t, mysqld_t) +allow svc_start_t mysqld_t:process signal; +svc_ipc_domain(mysqld_t) +')dnl end ifdef daemontools + +ifdef(`distro_redhat', ` +allow initrc_t mysqld_db_t:dir create_dir_perms; + +# because Fedora has the sock_file in the database directory +file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +') +ifdef(`targeted_policy', `', ` +bool allow_user_mysql_connect false; + +if (allow_user_mysql_connect) { +allow userdomain mysqld_var_run_t:dir search; +allow userdomain mysqld_var_run_t:sock_file write; +} +') + diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te new file mode 100644 index 0000000..028667e --- /dev/null +++ b/strict/domains/program/named.te 
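Review bot: in mysqld.te, `allow mysqld_t sysadm_home_dir_t:dir search;` and `allow mysqld_t sysadm_home_t:file { read getattr };` give the database daemon read access to every file in the administrator's home directory, and the preceding comment (`# for /root/.my.cnf - should not be needed`) admits it is not required. Downgrade the pair to dontaudit, or label /root/.my.cnf as mysqld_etc_t via file contexts so only that one file is reachable. The line `allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };` also has no comment; dac_override lets a network-facing daemon bypass DAC permission bits on every file its type rules already reach (mysqld_db_t, mysqld_log_t, mysqld_var_run_t), so either name the operation that needs it or drop it.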
@@ -0,0 +1,157 @@ +#DESC BIND - Name server +# +# Authors: Yuichi Nakamura , +# Russell Coker +# X-Debian-Packages: bind bind9 +# +# + +################################# +# +# Rules for the named_t domain. +# +type rndc_port_t, port_type, reserved_port_type; + +daemon_domain(named, `, nscd_client_domain') +tmp_domain(named) + +# For /var/run/ndc used in BIND 8 +file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) + +# ndc_t is the domain for the ndc program +type ndc_t, domain, privlog, nscd_client_domain; +role sysadm_r types ndc_t; +role system_r types ndc_t; + +ifdef(`targeted_policy', ` +dontaudit ndc_t root_t:file { getattr read }; +dontaudit ndc_t unlabeled_t:file { getattr read }; +') + +can_exec(named_t, named_exec_t) +allow named_t sbin_t:dir search; + +allow named_t self:process { setsched setcap setrlimit }; + +# A type for configuration files of named. +type named_conf_t, file_type, sysadmfile; + +# for primary zone files +type named_zone_t, file_type, sysadmfile; + +# for secondary zone files +type named_cache_t, file_type, sysadmfile; + +# for DNSSEC key files +type dnssec_t, file_type, sysadmfile, secure_file_type; +allow { ndc_t named_t } dnssec_t:file { getattr read }; + +# Use capabilities. Surplus capabilities may be allowed. +allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; + +allow named_t etc_t:file { getattr read }; +allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; + +#Named can use network +can_network(named_t) +can_ypbind(named_t) +# allow UDP transfer to/from any program +can_udp_send(domain, named_t) +can_udp_send(named_t, domain) +can_tcp_connect(domain, named_t) + +# Bind to the named port. 
+allow named_t dns_port_t:udp_socket name_bind; +allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind; + +bool named_write_master_zones false; + +#read configuration files +r_dir_file(named_t, named_conf_t) + +if (named_write_master_zones) { +#create and modify zone files +create_dir_file(named_t, named_zone_t) +} +#read zone files +r_dir_file(named_t, named_zone_t) + +#write cache for secondary zones +rw_dir_create_file(named_t, named_cache_t) + +allow named_t self:unix_stream_socket create_stream_socket_perms; +allow named_t self:unix_dgram_socket create_socket_perms; +allow named_t self:netlink_route_socket r_netlink_socket_perms; + +# Read sysctl kernel variables. +read_sysctl(named_t) + +# Read /proc/cpuinfo and /proc/net +r_dir_file(named_t, proc_t) +r_dir_file(named_t, proc_net_t) + +# Read /dev/random. +allow named_t device_t:dir r_dir_perms; +allow named_t random_device_t:chr_file r_file_perms; + +# Use a pipe created by self. +allow named_t self:fifo_file rw_file_perms; + +# Set own capabilities. 
+#A type for /usr/sbin/ndc +type ndc_exec_t, file_type,sysadmfile, exec_type; +domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) +uses_shlib(ndc_t) +can_network_client_tcp(ndc_t) +can_ypbind(ndc_t) +can_resolve(ndc_t) +read_locale(ndc_t) +can_tcp_connect(ndc_t, named_t) + +# for /etc/rndc.key +ifdef(`distro_redhat', ` +allow { ndc_t initrc_t } named_conf_t:dir search; +# Allow init script to cp localtime to named_conf_t +allow initrc_t named_conf_t:file { setattr write }; +') +allow { ndc_t initrc_t } named_conf_t:file { getattr read }; + +allow ndc_t etc_t:dir r_dir_perms; +allow ndc_t etc_t:file r_file_perms; +allow ndc_t self:unix_stream_socket create_stream_socket_perms; +allow ndc_t self:unix_stream_socket connect; +allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t var_t:dir search; +allow ndc_t var_run_t:dir search; +allow ndc_t named_var_run_t:sock_file rw_file_perms; +allow ndc_t named_t:unix_stream_socket connectto; +allow ndc_t { privfd init_t }:fd use; +# seems to need read as well for some reason +allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write }; +allow ndc_t fs_t:filesystem getattr; + +# Read sysctl kernel variables. 
+read_sysctl(ndc_t) + +allow ndc_t self:process { fork signal_perms }; +allow ndc_t self:fifo_file { read write getattr ioctl }; +allow ndc_t named_zone_t:dir search; + +# for chmod in start script +dontaudit initrc_t named_var_run_t:dir setattr; + +# for ndc_t to be used for restart shell scripts +ifdef(`ndc_shell_script', ` +system_crond_entry(ndc_exec_t, ndc_t) +allow ndc_t devtty_t:chr_file { read write ioctl }; +allow ndc_t etc_runtime_t:file { getattr read }; +allow ndc_t proc_t:dir search; +allow ndc_t proc_t:file { getattr read }; +can_exec(ndc_t, { bin_t sbin_t shell_exec_t }) +allow ndc_t named_var_run_t:file getattr; +allow ndc_t named_zone_t:dir { read getattr }; +allow ndc_t named_zone_t:file getattr; +dontaudit ndc_t sysadm_home_t:dir { getattr search read }; +') +allow ndc_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl }; diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te new file mode 100644 index 0000000..c314eee --- /dev/null +++ b/strict/domains/program/netutils.te 
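Review bot: in named.te, the comment `# Set own capabilities.` at the end of the named_t block is followed by no rule; the permission it refers to is granted earlier by `allow named_t self:process { setsched setcap setrlimit };`, so move the comment there or delete it. Two further points: `can_udp_send(domain, named_t)`, `can_udp_send(named_t, domain)` and `can_tcp_connect(domain, named_t)` open DNS traffic to every domain in the policy, which is defensible for a resolver but should be stated as intentional in the adjacent comment rather than left implicit; and the capability lines `allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };` (whose own comment says surplus capabilities may be present) and `allow ndc_t self:capability { dac_override net_admin };` (net_admin for a control client, unexplained) should be audited against what the binaries actually do before this lands.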
@@ -0,0 +1,60 @@ +#DESC Netutils - Network utilities +# +# Authors: Stephen Smalley +# X-Debian-Packages: netbase iputils arping tcpdump +# + +# +# Rules for the netutils_t domain. +# This domain is for network utilities that require access to +# special protocol families. +# +type netutils_t, domain, privlog; +type netutils_exec_t, file_type, sysadmfile, exec_type; +role system_r types netutils_t; +role sysadm_r types netutils_t; + +uses_shlib(netutils_t) +can_network(netutils_t) +can_ypbind(netutils_t) +tmp_domain(netutils) + +domain_auto_trans(initrc_t, netutils_exec_t, netutils_t) +domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t) + +# Inherit and use descriptors from init. +allow netutils_t { userdomain init_t }:fd use; + +allow netutils_t self:process { fork signal_perms }; + +# Perform network administration operations and have raw access to the network. +allow netutils_t self:capability { net_admin net_raw setuid setgid }; + +# Create and use netlink sockets. +allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; + +# Create and use packet sockets. +allow netutils_t self:packet_socket create_socket_perms; + +# Create and use UDP sockets. +allow netutils_t self:udp_socket create_socket_perms; + +# Create and use TCP sockets. +allow netutils_t self:tcp_socket create_socket_perms; + +allow netutils_t self:unix_stream_socket create_socket_perms; + +# Read certain files in /etc +allow netutils_t etc_t:file r_file_perms; +read_locale(netutils_t) + +allow netutils_t fs_t:filesystem getattr; + +# Access terminals. +allow netutils_t privfd:fd use; +allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;') +allow netutils_t proc_t:dir search; + +# for nscd +dontaudit netutils_t var_t:dir search; diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te new file mode 100644 index 0000000..6f6489e 
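Review bot: in netutils.te, the comment `# Inherit and use descriptors from init.` does not match the rule beneath it, `allow netutils_t { userdomain init_t }:fd use;`, which also covers descriptors inherited from any user domain (needed because of `domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)`). Fix the comment so a later reader does not assume only init's descriptors are usable. The rest is consistent: `allow netutils_t self:capability { net_admin net_raw setuid setgid };` is what the listed packages (iputils, arping, tcpdump) need, and `tmp_domain(netutils)` is the only writable location, which is appropriate for this domain.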
--- /dev/null +++ b/strict/domains/program/newrole.te @@ -0,0 +1,19 @@ +#DESC Newrole - SELinux utility to run a shell with a new role +# +# Authors: Anthony Colatrella (NSA) +# Maintained by Stephen Smalley +# X-Debian-Packages: policycoreutils +# + +# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t +bool secure_mode false; + +type newrole_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(userdomain, newrole_exec_t, newrole_t) + +newrole_domain(newrole) + +# Write to utmp. +allow newrole_t var_run_t:dir r_dir_perms; +allow newrole_t initrc_var_run_t:file rw_file_perms; + diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te new file mode 100644 index 0000000..74db228 --- /dev/null +++ b/strict/domains/program/nscd.te 
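Review bot: in newrole.te, `bool secure_mode false;` is declared here but, per its own comment (`# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t`), it is consumed by several other domains; declaring it in this file means those policies only compile when newrole.te is included. Move the bool to a file that is always built, or wrap the consumers in `ifdef(`newrole.te', ...)`, so omitting this module does not break the build.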
@@ -0,0 +1,74 @@ +#DESC NSCD - Name service cache daemon cache lookup of user-name +# +# Author: Russell Coker +# X-Debian-Packages: nscd +# +define(`nscd_socket_domain', ` +can_unix_connect($1, nscd_t) +allow $1 nscd_var_run_t:sock_file rw_file_perms; +allow $1 { var_run_t var_t }:dir search; +allow $1 nscd_t:nscd { getpwd getgrp gethost }; +dontaudit $1 nscd_t:fd use; +dontaudit $1 nscd_var_run_t:dir { search getattr }; +dontaudit $1 nscd_var_run_t:file { getattr read }; +dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; +') +################################# +# +# Rules for the nscd_t domain. +# +# nscd is both the client program and the daemon. +daemon_domain(nscd, `, userspace_objmgr') + +allow nscd_t etc_t:file r_file_perms; +allow nscd_t etc_t:lnk_file read; +can_network_client(nscd_t) +can_ypbind(nscd_t) + +file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file) + +allow nscd_t self:unix_stream_socket create_stream_socket_perms; + +nscd_socket_domain(nscd_client_domain) +nscd_socket_domain(daemon) + +# Clients that are allowed to map the database via a fd obtained from nscd. +nscd_socket_domain(nscd_shmem_domain) +allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms; +allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost }; +# Receive fd from nscd and map the backing file with read access. +allow nscd_shmem_domain nscd_t:fd use; + +# For client program operation, invoked from sysadm_t. +# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+allow nscd_t self:nscd { admin getstat }; +allow nscd_t admin_tty_type:chr_file rw_file_perms; + +read_sysctl(nscd_t) +allow nscd_t self:process { getattr setsched }; +allow nscd_t self:unix_dgram_socket create_socket_perms; +allow nscd_t self:fifo_file { read write }; +allow nscd_t self:capability { kill setgid setuid net_bind_service }; + +# for when /etc/passwd has just been updated and has the wrong type +allow nscd_t shadow_t:file getattr; + +dontaudit nscd_t sysadm_home_dir_t:dir search; + +ifdef(`winbind.te', ` +# +# Handle winbind for samba, Might only be needed for targeted policy +# +allow nscd_t winbind_var_run_t:sock_file { read write getattr }; +can_unix_connect(nscd_t, winbind_t) +allow nscd_t samba_var_t:dir search; +allow nscd_t winbind_var_run_t:dir { getattr search }; +') + +r_dir_file(nscd_t, selinux_config_t) +can_getsecurity(nscd_t) +allow nscd_t self:netlink_selinux_socket create_socket_perms; +allow nscd_t self:netlink_route_socket r_netlink_socket_perms; +allow nscd_t tmp_t:dir { search getattr }; +allow nscd_t tmp_t:lnk_file read; +allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te new file mode 100644 index 0000000..1598c23 --- /dev/null +++ b/strict/domains/program/ntpd.te 
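Review bot: in nscd.te, `allow nscd_t shadow_t:file getattr;` is justified only by `# for when /etc/passwd has just been updated and has the wrong type`, i.e. it works around a transient mislabel rather than a genuine need. A dontaudit would silence the denial without granting the cache daemon any access to shadow_t; the mislabel itself belongs to the passwd domain's file transition or a restorecon. Also, the `nscd_socket_domain` macro adds `dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };` for every caller, while `nscd_shmem_domain` is then given the same permissions via `allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };`. The allow takes precedence, so the dontaudit is redundant for that attribute; harmless, but a one-line comment would save the next reader the puzzle.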
@@ -0,0 +1,86 @@ +#DESC NTPD - Time synchronisation daemon +# +# Author: Russell Coker +# X-Debian-Packages: ntp ntp-simple +# + +################################# +# +# Rules for the ntpd_t domain. +# +daemon_domain(ntpd, `, nscd_client_domain') +type ntp_drift_t, file_type, sysadmfile; +type ntp_port_t, port_type, reserved_port_type; + +type ntpdate_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t) + +logdir_domain(ntpd) + +allow ntpd_t var_lib_t:dir r_dir_perms; +allow ntpd_t usr_t:file r_file_perms; +# reading /usr/share/ssl/cert.pem requires +allow ntpd_t usr_t:lnk_file read; +allow ntpd_t ntp_drift_t:dir rw_dir_perms; +allow ntpd_t ntp_drift_t:file create_file_perms; + +# for SSP +allow ntpd_t urandom_device_t:chr_file read; + +allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; +dontaudit ntpd_t self:capability { net_admin }; +allow ntpd_t self:process { setcap setsched }; +# ntpdate wants sys_nice +dontaudit ntpd_t self:capability { fsetid sys_nice }; + +# for some reason it creates a file in /tmp +tmp_domain(ntpd) + +allow ntpd_t etc_t:dir r_dir_perms; +allow ntpd_t etc_t:file { read getattr }; + +# Use the network. 
+can_network(ntpd_t) +can_ypbind(ntpd_t) +allow ntpd_t ntp_port_t:udp_socket name_bind; +allow ntpd_t self:unix_dgram_socket create_socket_perms; +allow ntpd_t self:unix_stream_socket create_socket_perms; +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms; + +# so the start script can change firewall entries +allow initrc_t net_conf_t:file { getattr read ioctl }; + +# for cron jobs +# system_crond_t is not right, cron is not doing what it should +ifdef(`crond.te', ` +system_crond_entry(ntpd_exec_t, ntpd_t) +') + +can_exec(ntpd_t, initrc_exec_t) +allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t etc_runtime_t:file r_file_perms; +can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t }) +allow ntpd_t { sbin_t bin_t }:dir search; +allow ntpd_t bin_t:lnk_file read; +read_sysctl(ntpd_t); +allow ntpd_t proc_t:file r_file_perms; +allow ntpd_t sysadm_home_dir_t:dir r_dir_perms; +allow ntpd_t self:file { getattr read }; +dontaudit ntpd_t domain:dir search; +ifdef(`logrotate.te', ` +can_exec(ntpd_t, logrotate_exec_t) +') + +allow ntpd_t devtty_t:chr_file rw_file_perms; + +can_udp_send(ntpd_t, sysadm_t) +can_udp_send(sysadm_t, ntpd_t) +can_udp_send(ntpd_t, ntpd_t) +ifdef(`firstboot.te', ` +dontaudit ntpd_t firstboot_t:fd use; +') +ifdef(`winbind.te', ` +allow ntpd_t winbind_var_run_t:dir r_dir_perms; +allow ntpd_t winbind_var_run_t:sock_file rw_file_perms; +') + diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te new file mode 100644 index 0000000..7c5710f --- /dev/null +++ b/strict/domains/program/pam.te 
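Review bot: in ntpd.te, the comment `# reading /usr/share/ssl/cert.pem requires` above `allow ntpd_t usr_t:lnk_file read;` stops mid-sentence; finish it. More significantly, the cron section concedes `# system_crond_t is not right, cron is not doing what it should` and then runs the cron job inside ntpd_t, which is why the time daemon accumulates `can_exec(ntpd_t, initrc_exec_t)`, `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })`, the logrotate.te `can_exec(ntpd_t, logrotate_exec_t)` and `allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;`. A network-facing daemon holding sys_time that can also run init scripts and shells is a wide domain; putting the cron-driven script in its own domain would let ntpd_t keep only the network and drift-file rules. Minor: `read_sysctl(ntpd_t);` carries a trailing semicolon that the other macro calls in this file do not.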
@@ -0,0 +1,40 @@ +#DESC Pam - PAM +# X-Debian-Packages: +# +# /sbin/pam_timestamp_check +type pam_exec_t, file_type, exec_type, sysadmfile; +type pam_t, domain, privlog, nscd_client_domain; +general_domain_access(pam_t); + +type pam_var_run_t, file_type, sysadmfile; +allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; +allow pam_t pam_var_run_t:file { getattr read unlink }; + +role system_r types pam_t; +in_user_role(pam_t) +domain_auto_trans(userdomain, pam_exec_t, pam_t) + +uses_shlib(pam_t) +# Read the devpts root directory. +allow pam_t devpts_t:dir r_dir_perms; + +# Access terminals. +allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') + +allow pam_t proc_t:dir search; +allow pam_t proc_t:{ lnk_file file } { getattr read }; + +# Read the /etc/nsswitch file +allow pam_t etc_t:file r_file_perms; + +# Read /var/run. +allow pam_t { var_t var_run_t }:dir r_dir_perms; +tmp_domain(pam) + +allow pam_t local_login_t:fd use; +dontaudit pam_t self:capability sys_tty_config; + +allow initrc_t pam_var_run_t:dir rw_dir_perms; +allow initrc_t pam_var_run_t:file { getattr read unlink }; +dontaudit pam_t initrc_var_run_t:file { read write }; diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te new file mode 100644 index 0000000..7270442 --- /dev/null +++ b/strict/domains/program/pamconsole.te 
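Review bot: in pam.te, the header's `# X-Debian-Packages:` is left empty and there is no Author line, unlike the other files in this patch; fill in the package that ships `/sbin/pam_timestamp_check` or drop the field. The rules themselves are tight (`allow pam_t pam_var_run_t:file { getattr read unlink };` with matching initrc_t cleanup rules), but `dontaudit pam_t initrc_var_run_t:file { read write };` would benefit from the same kind of comment newrole.te and passwd.te give for initrc_var_run_t (utmp), so the denial being hidden is documented.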
@@ -0,0 +1,44 @@ +#DESC Pamconsole - PAM console +# X-Debian-Packages: +# +# pam_console_apply + +daemon_base_domain(pam_console, `, nscd_client_domain') + +type pam_var_console_t, file_type, sysadmfile; + +allow pam_console_t etc_t:file { getattr read ioctl }; +allow pam_console_t self:unix_stream_socket create_stream_socket_perms; + +allow pam_console_t self:capability { chown fowner fsetid }; + +# Allow access to /dev/console through the fd: +allow pam_console_t console_device_t:chr_file { read write }; +allow pam_console_t { kernel_t init_t }:fd use; + +# for /var/run/console.lock checking +allow pam_console_t { var_t var_run_t }:dir search; +r_dir_file(pam_console_t, pam_var_console_t) + +# Allow to set attributes on /dev entries +allow pam_console_t device_t:dir { getattr read }; +allow pam_console_t device_t:lnk_file { getattr read }; +# mouse_device_t is for joy sticks +allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr }; +allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr }; + +allow pam_console_t mnt_t:dir r_dir_perms; + +ifdef(`gpm.te', ` +allow pam_console_t gpmctl_t:sock_file { getattr setattr }; +') +ifdef(`hotplug.te', ` +dontaudit pam_console_t hotplug_etc_t:dir search; +allow pam_console_t hotplug_t:fd use; +') +allow pam_console_t proc_t:file read; +ifdef(`xdm.te', ` +allow pam_console_t xdm_var_run_t:file { getattr read }; +') +allow initrc_t pam_var_console_t:dir r_dir_perms; +allow pam_console_t file_context_t:file { getattr read }; diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te new file mode 100644 index 0000000..efae37c --- /dev/null +++ b/strict/domains/program/passwd.te 
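Review bot: in pamconsole.te, `allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };` combined with `allow pam_console_t self:capability { chown fowner fsetid };` lets pam_console_apply change the ownership of fixed disk block devices, not only removable media. That is the riskiest edge of the console-ownership model, so it deserves a comment stating which console.perms entries require fixed_disk_device_t, or a split so the fixed-disk part can be omitted where it is not needed. Also, `# mouse_device_t is for joy sticks` explains one entry in a long single-line chr_file list; listing one type per line would make the remaining entries far easier to audit.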
@@ -0,0 +1,150 @@ +#DESC Passwd - Password utilities +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: passwd +# + +################################# +# +# Rules for the passwd_t domain. +# +define(`base_passwd_domain', ` +type $1_t, domain, privlog, $2; + +# for SSP +allow $1_t urandom_device_t:chr_file read; + +allow $1_t self:process setrlimit; + +general_domain_access($1_t); +uses_shlib($1_t); + +# Inherit and use descriptors from login. +allow $1_t privfd:fd use; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +read_locale($1_t) + +allow $1_t fs_t:filesystem getattr; + +# allow checking if a shell is executable +allow $1_t shell_exec_t:file execute; + +# Obtain contexts +can_getsecurity($1_t) + +allow $1_t etc_t:file create_file_perms; + +# read /etc/mtab +allow $1_t etc_runtime_t:file { getattr read }; + +# Allow etc_t symlinks for /etc/alternatives on Debian. +allow $1_t etc_t:lnk_file read; + +# Use capabilities. +allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; + +# Access terminals. +allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms; +allow $1_t devtty_t:chr_file rw_file_perms; + +dontaudit $1_t devpts_t:dir getattr; + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. +dontaudit $1_t initrc_var_run_t:file { read write }; + +# user generally runs this from their home directory, so do not audit a search +# on user home dir +dontaudit $1_t { user_home_dir_type user_home_type }:dir search; + +# When the wrong current passwd is entered, passwd, for some reason, +# attempts to access /proc and /dev, but handles failure appropriately. So +# do not audit those denials. +dontaudit $1_t { proc_t device_t }:dir { search read }; + +allow $1_t device_t:dir getattr; +') + +################################# +# +# Rules for the passwd_t domain. 
+# +define(`passwd_domain', ` +base_passwd_domain($1, `auth_write, privowner') +# Update /etc/shadow and /etc/passwd +file_type_auto_trans($1_t, etc_t, shadow_t, file) +allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; +can_setfscreate($1_t) +') + +passwd_domain(passwd) +passwd_domain(sysadm_passwd) +base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner') +can_setfscreate(chfn_t) + +# can exec /sbin/unix_chkpwd +allow chfn_t { bin_t sbin_t }:dir search; + +# uses unix_chkpwd for checking passwords +dontaudit chfn_t shadow_t:file read; +allow chfn_t etc_t:dir rw_dir_perms; +allow chfn_t etc_t:file create_file_perms; +allow chfn_t proc_t:file { getattr read }; +allow chfn_t self:file write; + +in_user_role(passwd_t) +in_user_role(chfn_t) +role sysadm_r types passwd_t; +role sysadm_r types sysadm_passwd_t; +role sysadm_r types chfn_t; +role system_r types passwd_t; +role system_r types chfn_t; + +type admin_passwd_exec_t, file_type, sysadmfile; +type passwd_exec_t, file_type, sysadmfile, exec_type; +type chfn_exec_t, file_type, sysadmfile, exec_type; + +domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t) +domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t) +domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t) + +dontaudit chfn_t var_t:dir search; + +ifdef(`crack.te', ` +allow passwd_t var_t:dir search; +dontaudit passwd_t var_run_t:dir search; +allow passwd_t crack_db_t:dir r_dir_perms; +allow passwd_t crack_db_t:file r_file_perms; +', ` +dontaudit passwd_t var_t:dir search; +') + +# allow vipw to exec the editor +allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search; +allow sysadm_passwd_t bin_t:lnk_file read; +can_exec(sysadm_passwd_t, { shell_exec_t bin_t }) +r_dir_file(sysadm_passwd_t, usr_t) + +# allow vipw to create temporary files under /var/tmp/vi.recover +allow sysadm_passwd_t var_t:dir search; +tmp_domain(sysadm_passwd) +# for vipw - vi 
looks in the root home directory for config +dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search }; +# for /etc/alternatives/vi +allow sysadm_passwd_t etc_t:lnk_file read; + +# for nscd lookups +dontaudit sysadm_passwd_t var_run_t:dir search; + +# for /proc/meminfo +allow sysadm_passwd_t proc_t:file { getattr read }; + +dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search; +dontaudit sysadm_passwd_t devpts_t:dir search; + +# make sure that getcon succeeds +allow passwd_t userdomain:dir search; +allow passwd_t userdomain:file read; +allow passwd_t userdomain:process getattr; + diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te new file mode 100644 index 0000000..c23d92b --- /dev/null +++ b/strict/domains/program/ping.te 
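Review bot: in passwd.te, `allow chfn_t etc_t:file create_file_perms;` duplicates a rule every caller of `base_passwd_domain` already receives (`allow $1_t etc_t:file create_file_perms;`), so the chfn-specific copy is redundant and can be dropped. `allow chfn_t self:file write;` has no comment at all and is unusual enough to warrant one. Style: the banner `# Rules for the passwd_t domain.` appears twice, once above `define(`base_passwd_domain', ...)` and again above `define(`passwd_domain', ...)`; rename the first to describe the shared base macro.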
@@ -0,0 +1,59 @@ +#DESC Ping - Send ICMP messages to network hosts +# +# Author: David A. Wheeler +# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2 +# + +################################# +# +# Rules for the ping_t domain. +# +# ping_t is the domain for the ping program. +# ping_exec_t is the type of the corresponding program. +# +type ping_t, domain, privlog, nscd_client_domain; +role sysadm_r types ping_t; +role system_r types ping_t; +in_user_role(ping_t) +type ping_exec_t, file_type, sysadmfile, exec_type; + +bool user_ping false; + +if (user_ping) { + domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) + # allow access to the terminal + allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms; + ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') +} + +# Transition into this domain when you run this program. +domain_auto_trans(sysadm_t, ping_exec_t, ping_t) +domain_auto_trans(initrc_t, ping_exec_t, ping_t) + +uses_shlib(ping_t) +can_network_client(ping_t) +can_ypbind(ping_t) +allow ping_t etc_t:file { getattr read }; +allow ping_t self:unix_stream_socket create_socket_perms; + +# Let ping create raw ICMP packets. +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; + +allow ping_t netif_type:netif { rawip_send rawip_recv }; +allow ping_t node_type:node { rawip_send rawip_recv }; + +# Use capabilities. +allow ping_t self:capability { net_raw setuid }; + +# Access the terminal. +allow ping_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') +allow ping_t privfd:fd use; + +dontaudit ping_t fs_t:filesystem getattr; + +# it tries to access /var/run +dontaudit ping_t var_t:dir search; +dontaudit ping_t devtty_t:chr_file { read write }; +dontaudit ping_t self:capability sys_tty_config; + diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te new file mode 100644 index 0000000..134b200 --- /dev/null 
+++ b/strict/domains/program/portmap.te 
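Review bot: in ping.te, the `X-Debian-Packages:` header places `iputils-arping arping hping2` in ping_t alongside ping, while the DESC line and the comment `# Let ping create raw ICMP packets.` describe only ICMP. With `bool user_ping false;` switched on, `domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)` therefore extends `allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };` and `net_raw` to unprivileged users for every binary labeled ping_exec_t, not just ping. Either document that scope next to the bool so administrators enabling it understand what they are granting, or give the non-ICMP tools their own domain.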
@@ -0,0 +1,70 @@ +#DESC Portmap - Maintain RPC program number map +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: portmap +# + + + +################################# +# +# Rules for the portmap_t domain. +# +daemon_domain(portmap, `, nscd_client_domain') + +can_network(portmap_t) +can_ypbind(portmap_t) +allow portmap_t self:unix_dgram_socket create_socket_perms; +allow portmap_t self:unix_stream_socket create_stream_socket_perms; + +type portmap_port_t, port_type, reserved_port_type; + +tmp_domain(portmap) + +allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind; + +# portmap binds to arbitary ports +allow portmap_t port_t:{ udp_socket tcp_socket } name_bind; +allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind; + +allow portmap_t etc_t:file { getattr read }; + +# Send to ypbind, initrc, rpc.statd, xinetd. +ifdef(`ypbind.te', +`can_udp_send(portmap_t, ypbind_t)') +can_udp_send(portmap_t, { initrc_t init_t }) +can_udp_send(init_t, portmap_t) +ifdef(`rpcd.te', +`can_udp_send(portmap_t, rpcd_t)') +ifdef(`inetd.te', +`can_udp_send(portmap_t, inetd_t)') +ifdef(`lpd.te', +`can_udp_send(portmap_t, lpd_t)') +ifdef(`tcpd.te', ` +can_udp_send(tcpd_t, portmap_t) +') +can_udp_send(portmap_t, kernel_t) +can_udp_send(kernel_t, portmap_t) +can_udp_send(sysadm_t, portmap_t) +can_udp_send(portmap_t, sysadm_t) + +# Use capabilities +allow portmap_t self:capability { net_bind_service setuid setgid }; +allow portmap_t self:netlink_route_socket r_netlink_socket_perms; + +application_domain(portmap_helper) +role system_r types portmap_helper_t; +domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t) +dontaudit portmap_helper_t self:capability { net_admin }; +allow portmap_helper_t self:capability { net_bind_service }; +allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms; +allow portmap_helper_t 
self:netlink_route_socket r_netlink_socket_perms; +can_network(portmap_helper_t) +can_ypbind(portmap_helper_t) +dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms; +allow portmap_helper_t etc_t:file { getattr read }; +dontaudit portmap_helper_t userdomain:fd use; +allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te new file mode 100644 index 0000000..7d62e01 --- /dev/null +++ b/strict/domains/program/postfix.te 
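Review bot: in portmap.te, `allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;` grants read/write on every generic file under /var/run rather than on a dedicated type; the other daemons in this patch rely on the per-daemon var_run type that `daemon_domain` provides. Give the helper its own type or comment on which file it must touch. Also, `dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;` sits two lines above `allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;` and `allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;`; the comment `# portmap binds to arbitary ports` (typo: arbitrary) should say that the dontaudit covers only the specifically typed reserved ports owned by other services, so the three lines do not read as a contradiction. The three blank lines after the header are stray.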
@@ -0,0 +1,349 @@ +#DESC Postfix - Mail server +# +# Author: Russell Coker +# X-Debian-Packages: postfix +# Depends: mta.te +# + +# Type for files created during execution of postfix. +type postfix_var_run_t, file_type, sysadmfile, pidfile; + +type postfix_etc_t, file_type, sysadmfile; +typealias postfix_etc_t alias etc_postfix_t; +type postfix_exec_t, file_type, sysadmfile, exec_type; +type postfix_public_t, file_type, sysadmfile; +type postfix_private_t, file_type, sysadmfile; +type postfix_spool_t, file_type, sysadmfile; +type postfix_spool_maildrop_t, file_type, sysadmfile; +type postfix_spool_flush_t, file_type, sysadmfile; +type postfix_prng_t, file_type, sysadmfile; + +# postfix needs this for newaliases +allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; + +################################# +# +# Rules for the postfix_$1_t domain. +# +# postfix_$1_exec_t is the type of the postfix_$1 executables. +# +define(`postfix_domain', ` +daemon_core_rules(postfix_$1, `$2') +allow postfix_$1_t self:process setpgid; +allow postfix_$1_t postfix_master_t:process sigchld; +allow postfix_master_t postfix_$1_t:process signal; + +allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; +allow postfix_$1_t postfix_etc_t:file r_file_perms; +read_locale(postfix_$1_t) +allow postfix_$1_t etc_t:file { getattr read }; +allow postfix_$1_t self:unix_dgram_socket create_socket_perms; +allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_$1_t self:unix_stream_socket connectto; + +allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; +allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; +allow postfix_$1_t shell_exec_t:file rx_file_perms; +allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; +allow postfix_$1_t postfix_exec_t:file rx_file_perms; +allow postfix_$1_t devtty_t:chr_file rw_file_perms; +allow postfix_$1_t etc_runtime_t:file r_file_perms; +allow postfix_$1_t proc_t:dir r_dir_perms; +allow 
postfix_$1_t proc_t:file r_file_perms; +allow postfix_$1_t postfix_exec_t:dir r_dir_perms; +allow postfix_$1_t fs_t:filesystem getattr; +allow postfix_$1_t proc_net_t:dir search; +allow postfix_$1_t proc_net_t:file { getattr read }; +can_exec(postfix_$1_t, postfix_$1_exec_t) + +allow postfix_$1_t tmp_t:dir getattr; + +file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file) + +read_sysctl(postfix_$1_t) + +')dnl end postfix_domain + +ifdef(`crond.te', +`allow system_mail_t crond_t:tcp_socket { read write create };') + +postfix_domain(master, `, mail_server_domain') +rhgb_domain(postfix_master_t) + +read_sysctl(postfix_master_t) + +domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) +allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; + +ifdef(`direct_sysadm_daemon', ` + +domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) +allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; +role_transition sysadm_r postfix_master_exec_t system_r; +allow postfix_master_t postfix_etc_t:file rw_file_perms; +dontaudit postfix_master_t admin_tty_type:chr_file { read write }; +allow postfix_master_t devpts_t:dir search; + +domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) +allow system_mail_t sysadm_t:process sigchld; +allow system_mail_t privfd:fd use; + +')dnl end direct_sysadm_daemon + +allow postfix_master_t privfd:fd use; +ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') +allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms; + +# postfix does a "find" on startup for some reason - keep it quiet +dontaudit postfix_master_t selinux_config_t:dir search; +can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) +ifdef(`distro_redhat', ` +file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) +', ` +file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) +') +allow 
postfix_master_t sendmail_exec_t:file r_file_perms; +allow postfix_master_t sbin_t:lnk_file { getattr read }; +ifdef(`pppd.te', ` +domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) +') +can_exec(postfix_master_t, { ls_exec_t sbin_t }) +allow postfix_master_t self:fifo_file rw_file_perms; +allow postfix_master_t usr_t:file r_file_perms; +can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t postfix_public_t:fifo_file create_file_perms; +allow postfix_master_t postfix_public_t:sock_file create_file_perms; +allow postfix_master_t postfix_public_t:dir rw_dir_perms; +allow postfix_master_t postfix_private_t:dir rw_dir_perms; +allow postfix_master_t postfix_private_t:sock_file create_file_perms; +allow postfix_master_t postfix_private_t:fifo_file create_file_perms; +can_network(postfix_master_t) +can_ypbind(postfix_master_t) +allow postfix_master_t smtp_port_t:tcp_socket name_bind; +allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; +allow postfix_master_t postfix_prng_t:file getattr; +allow postfix_master_t privfd:fd use; +allow postfix_master_t etc_aliases_t:file rw_file_perms; + +ifdef(`saslauthd.te',` +allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr }; +allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write }; +can_unix_connect(postfix_smtpd_t,saslauthd_t) +') + +create_dir_file(postfix_master_t, postfix_spool_flush_t) +allow postfix_master_t random_device_t:chr_file { read getattr }; +allow postfix_master_t postfix_prng_t:file rw_file_perms; +# for ls to get the current context +allow postfix_master_t self:file { getattr read }; + +# for SSP +allow postfix_master_t urandom_device_t:chr_file read; + +# allow access to deferred 
queue and allow removing bogus incoming entries +allow postfix_master_t postfix_spool_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_t:file create_file_perms; + +dontaudit postfix_master_t man_t:dir search; + +define(`postfix_server_domain', ` +postfix_domain($1, `$2') +domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) +allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow postfix_$1_t self:capability { setuid setgid dac_override }; +can_network_client(postfix_$1_t) +can_ypbind(postfix_$1_t) +') + +postfix_server_domain(smtp, `, mail_server_sender') +allow postfix_smtp_t postfix_spool_t:file rw_file_perms; +allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; +allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; +allow postfix_smtp_t urandom_device_t:chr_file { getattr read }; +allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; +# if you have two different mail servers on the same host let them talk via +# SMTP, also if one mail server wants to talk to itself then allow it and let +# the SMTP protocol sort it out (SE Linux is not to prevent mail server +# misconfiguration) +can_tcp_connect(postfix_smtp_t, mail_server_domain) + +postfix_server_domain(smtpd) +allow postfix_smtpd_t urandom_device_t:chr_file { getattr read }; +allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; +allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; +allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; +allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; +# for OpenSSL certificates +r_dir_file(postfix_smtpd_t,usr_t) +allow postfix_smtpd_t etc_aliases_t:file r_file_perms; + +# for prng_exch +allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; + +allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; + +postfix_server_domain(local, `, 
mta_delivery_agent') +ifdef(`procmail.te', ` +domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) +# for a bug in the postfix local program +dontaudit procmail_t postfix_local_t:tcp_socket { read write }; +dontaudit procmail_t postfix_master_t:fd use; +') +allow postfix_local_t etc_aliases_t:file r_file_perms; +allow postfix_local_t self:fifo_file rw_file_perms; +allow postfix_local_t self:process setrlimit; +allow postfix_local_t postfix_spool_t:file rw_file_perms; +# for .forward - maybe we need a new type for it? +allow postfix_local_t postfix_private_t:dir search; +allow postfix_local_t postfix_private_t:sock_file rw_file_perms; +allow postfix_local_t postfix_master_t:unix_stream_socket connectto; +allow postfix_local_t postfix_public_t:dir search; +allow postfix_local_t postfix_public_t:sock_file write; +can_exec(postfix_local_t, shell_exec_t) + +define(`postfix_public_domain',` +postfix_server_domain($1) +allow postfix_$1_t postfix_public_t:dir search; +') + +postfix_public_domain(cleanup) +create_dir_file(postfix_cleanup_t, postfix_spool_t) +allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; +allow postfix_cleanup_t postfix_private_t:dir search; +allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; +allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; +allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; +allow postfix_cleanup_t self:process setrlimit; + +allow user_mail_domain postfix_spool_t:dir r_dir_perms; +allow user_mail_domain postfix_etc_t:dir r_dir_perms; +allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; +allow user_mail_domain self:capability dac_override; + +define(`postfix_user_domain', ` +postfix_domain($1, `$2') +domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) +in_user_role(postfix_$1_t) +role sysadm_r types postfix_$1_t; +allow postfix_$1_t userdomain:process 
sigchld; +allow postfix_$1_t userdomain:fifo_file { write getattr }; +allow postfix_$1_t { userdomain privfd }:fd use; +allow postfix_$1_t self:capability dac_override; +') + +postfix_user_domain(postqueue) +allow postfix_postqueue_t postfix_public_t:dir search; +allow postfix_postqueue_t postfix_public_t:fifo_file getattr; +allow postfix_postqueue_t self:udp_socket { create ioctl }; +allow postfix_master_t postfix_postqueue_exec_t:file getattr; +domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) +allow postfix_postqueue_t initrc_t:process sigchld; +allow postfix_postqueue_t initrc_t:fd use; + +# to write the mailq output, it really should not need read access! +allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; +ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;') + +# wants to write to /var/spool/postfix/public/showq +allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; +allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; +# write to /var/spool/postfix/public/qmgr +allow postfix_postqueue_t postfix_public_t:fifo_file write; +dontaudit postfix_postqueue_t net_conf_t:file r_file_perms; + +postfix_user_domain(showq) +# the following auto_trans is usually in postfix server domain +domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +allow postfix_showq_t self:udp_socket { create ioctl }; +r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) +domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) +allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; +allow postfix_showq_t postfix_spool_t:file r_file_perms; +allow postfix_showq_t self:tcp_socket create_socket_perms; +allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; +dontaudit postfix_showq_t net_conf_t:file r_file_perms; + 
+postfix_user_domain(postdrop, `, mta_user_agent') +allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; +allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; +allow postfix_postdrop_t postfix_public_t:dir search; +allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; +dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; +dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; +allow postfix_master_t postfix_postdrop_exec_t:file getattr; +ifdef(`crond.te', +`allow postfix_postdrop_t { crond_t system_crond_t }:fd use; +allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') +# usually it does not need a UDP socket +allow postfix_postdrop_t self:udp_socket create_socket_perms; +allow postfix_postdrop_t self:capability sys_resource; + +postfix_public_domain(pickup) +allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; +allow postfix_pickup_t postfix_private_t:dir search; +allow postfix_pickup_t postfix_private_t:sock_file write; +allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; +allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; +allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; +allow postfix_pickup_t self:tcp_socket create_socket_perms; + +postfix_public_domain(qmgr) +allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; +allow postfix_qmgr_t postfix_public_t:sock_file write; +allow postfix_qmgr_t postfix_private_t:dir search; +allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; +allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto; + +# for /var/spool/postfix/active +create_dir_file(postfix_qmgr_t, postfix_spool_t) + +postfix_public_domain(bounce) +type 
postfix_spool_bounce_t, file_type, sysadmfile; +create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) +create_dir_file(postfix_bounce_t, postfix_spool_t) +allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_bounce_t:file getattr; +allow postfix_bounce_t self:capability dac_read_search; +allow postfix_bounce_t postfix_public_t:sock_file write; +allow postfix_bounce_t self:tcp_socket create_socket_perms; + +r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t) + +postfix_public_domain(pipe) +allow postfix_pipe_t postfix_spool_t:dir search; +allow postfix_pipe_t postfix_spool_t:file rw_file_perms; +allow postfix_pipe_t self:fifo_file { read write }; +allow postfix_pipe_t postfix_private_t:dir search; +allow postfix_pipe_t postfix_private_t:sock_file write; +ifdef(`procmail.te', ` +domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) +') +ifdef(`sendmail.te', ` +allow sendmail_t postfix_etc_t:dir search; +') + +# Program for creating database files +application_domain(postfix_map) +base_file_read_access(postfix_map_t) +allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; +tmp_domain(postfix_map) +create_dir_file(postfix_map_t, postfix_etc_t) +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +dontaudit postfix_map_t proc_t:dir { getattr read search }; +dontaudit postfix_map_t local_login_t:fd use; +allow postfix_master_t postfix_map_exec_t:file rx_file_perms; +read_locale(postfix_map_t) +allow postfix_map_t self:capability setgid; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +dontaudit postfix_map_t var_t:dir search; +can_network_server(postfix_map_t) +allow postfix_local_t mail_spool_t:dir { remove_name }; +allow postfix_local_t mail_spool_t:file { unlink }; diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te new file mode 100644 index 0000000..f46ac65 --- /dev/null 
+++ b/strict/domains/program/postgresql.te 
@@ -0,0 +1,134 @@ +#DESC Postgresql - Database server +# +# Author: Russell Coker +# X-Debian-Packages: postgresql +# + +################################# +# +# Rules for the postgresql_t domain. +# +# postgresql_exec_t is the type of the postgresql executable. +# +type postgresql_port_t, port_type; +daemon_domain(postgresql) +allow initrc_t postgresql_exec_t:lnk_file read; +allow postgresql_t usr_t:file { getattr read }; + +allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; + +ifdef(`distro_debian', ` +can_exec(postgresql_t, initrc_exec_t) +# gross hack +domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) +can_exec(postgresql_t, dpkg_exec_t) +') + +dontaudit postgresql_t sysadm_home_dir_t:dir search; + +# quiet ps and killall +dontaudit postgresql_t domain:dir { getattr search }; + +# for currect directory of scripts +allow postgresql_t { var_spool_t cron_spool_t }:dir search; + +# capability kill is for shutdown script +allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }; +dontaudit postgresql_t self:capability sys_admin; + +etcdir_domain(postgresql) +typealias postgresql_etc_t alias etc_postgresql_t; +type postgresql_db_t, file_type, sysadmfile; + +logdir_domain(postgresql) + +ifdef(`crond.te', ` +# allow crond to find /usr/lib/postgresql/bin/do.maintenance +allow crond_t postgresql_db_t:dir search; +system_crond_entry(postgresql_exec_t, postgresql_t) +') + +tmp_domain(postgresql, `', `{ dir file sock_file }') +file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) + +# Use the network. 
+can_network_server(postgresql_t) +can_ypbind(postgresql_t) +allow postgresql_t self:fifo_file { getattr read write ioctl }; +allow postgresql_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(postgresql_t, self) +allow postgresql_t self:unix_dgram_socket create_socket_perms; + +allow postgresql_t self:shm create_shm_perms; + +ifdef(`targeted_policy', `', ` +bool allow_user_postgresql_connect false; + +if (allow_user_postgresql_connect) { +# allow any user domain to connect to the database server +can_tcp_connect(userdomain, postgresql_t) +allow userdomain postgresql_t:unix_stream_socket connectto; +allow userdomain postgresql_var_run_t:sock_file write; +} +') +ifdef(`consoletype.te', ` +can_exec(postgresql_t, consoletype_exec_t) +') + +ifdef(`hostname.te', ` +can_exec(postgresql_t, hostname_exec_t) +') + +allow postgresql_t postgresql_port_t:tcp_socket name_bind; + +allow postgresql_t { proc_t self }:file { getattr read }; + +# Allow access to the postgresql databases +create_dir_file(postgresql_t, postgresql_db_t) +file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t) +allow postgresql_t var_lib_t:dir { getattr search }; + +# because postgresql start scripts are broken and put the pid file in the DB +# directory +rw_dir_file(initrc_t, postgresql_db_t) + +# read config files +allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; +r_dir_file(initrc_t, postgresql_etc_t) + +allow postgresql_t etc_t:dir rw_dir_perms; + +read_sysctl(postgresql_t) + +allow postgresql_t devtty_t:chr_file { read write }; +allow postgresql_t devpts_t:dir search; + +allow postgresql_t { bin_t sbin_t }:dir search; +allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read }; +allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; + +allow postgresql_t self:sem create_sem_perms; + +allow postgresql_t initrc_var_run_t:file { getattr read lock }; +dontaudit postgresql_t selinux_config_t:dir { search }; +allow postgresql_t 
mail_spool_t:dir { search }; +rw_dir_create_file(postgresql_t, var_lock_t) +can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) +ifdef(`apache.te', ` +# +# Allow httpd to work with postgresql +# +allow httpd_t postgresql_tmp_t:sock_file rw_file_perms; +can_unix_connect(httpd_t, postgresql_t) +') + +ifdef(`distro_gentoo', ` +# "su - postgres ..." is called from initrc_t +allow initrc_su_t postgresql_db_t:dir { search }; +allow postgresql_t initrc_su_t:process { sigchld }; +dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; +') + +dontaudit postgresql_t home_root_t:dir search; +can_kerberos(postgresql_t) +allow postgresql_t urandom_device_t:chr_file { getattr read }; diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te new file mode 100644 index 0000000..f664e03 --- /dev/null +++ b/strict/domains/program/pppd.te 
@@ -0,0 +1,99 @@ +#DESC PPPD - PPP daemon +# +# Author: Russell Coker +# X-Debian-Packages: ppp +# + +################################# +# +# Rules for the pppd_t domain, et al. +# +# pppd_t is the domain for the pppd program. +# pppd_exec_t is the type of the pppd executable. +# pppd_secret_t is the type of the pap and chap password files +# +bool pppd_for_user false; + +daemon_domain(pppd, `, privmail') +type pppd_secret_t, file_type, sysadmfile; + +# Define a separate type for /etc/ppp +etcdir_domain(pppd) +# Define a separate type for writable files under /etc/ppp +type pppd_etc_rw_t, file_type, sysadmfile; +# Automatically label newly created files under /etc/ppp with this type +file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) + +# for SSP +allow pppd_t urandom_device_t:chr_file read; + +allow pppd_t sysfs_t:dir search; + +log_domain(pppd) + +# Use the network. +can_network_server(pppd_t) +can_ypbind(pppd_t) + +# Use capabilities. +allow pppd_t self:capability { net_admin setuid setgid fsetid }; + +allow pppd_t var_lock_t:dir rw_dir_perms; +allow pppd_t var_lock_t:file create_file_perms; + +# Access secret files +allow pppd_t pppd_secret_t:file r_file_perms; + +ifdef(`postfix.te', ` +allow pppd_t postfix_etc_t:dir search; +allow pppd_t postfix_etc_t:file r_file_perms; +allow pppd_t postfix_master_exec_t:file read; +allow postfix_postqueue_t pppd_t:fd use; +allow postfix_postqueue_t pppd_t:process sigchld; +') + +# allow running ip-up and ip-down scripts and running chat. +can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) +allow pppd_t { bin_t sbin_t }:dir search; +allow pppd_t bin_t:lnk_file read; + +# Access /dev/ppp. 
+allow pppd_t ppp_device_t:chr_file rw_file_perms; +allow pppd_t devtty_t:chr_file { read write }; + +allow pppd_t self:unix_dgram_socket create_socket_perms; +allow pppd_t self:unix_stream_socket create_socket_perms; + +allow pppd_t proc_t:dir search; +allow pppd_t proc_t:{ file lnk_file } r_file_perms; + +allow pppd_t etc_runtime_t:file r_file_perms; + +allow pppd_t self:socket create_socket_perms; + +allow pppd_t tty_device_t:chr_file { setattr rw_file_perms }; + +allow pppd_t devpts_t:dir search; + +# for scripts +allow pppd_t self:fifo_file rw_file_perms; +allow pppd_t etc_t:lnk_file read; + +# for ~/.ppprc - if it actually exists then you need some policy to read it +allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; + +in_user_role(pppd_t) +if (pppd_for_user) { +# Run pppd in pppd_t by default for user +domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t) +allow unpriv_userdomain pppd_t:process signal; +} + +# for pppoe +can_create_pty(pppd) +allow pppd_t self:file { read getattr }; +allow pppd_t self:capability { fowner net_raw }; +allow pppd_t self:packet_socket create_socket_perms; + +file_type_auto_trans(pppd_t, etc_t, net_conf_t, file) +tmp_domain(pppd) diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te new file mode 100644 index 0000000..2d36473 --- /dev/null +++ b/strict/domains/program/prelink.te 
@@ -0,0 +1,55 @@ +#DESC PRELINK - Security Enhanced version of the GNU Prelink +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the prelink_t domain. +# +# prelink_exec_t is the type of the prelink executable. +# +daemon_base_domain(prelink, `, admin') + +if (allow_execmem) { +allow prelink_t self:process execmem; +} +if (allow_execmod) { +allow prelink_t texrel_shlib_t:file execmod; +} + +allow prelink_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(prelink_exec_t, prelink_t) +allow system_crond_t prelink_log_t:dir rw_dir_perms; +allow system_crond_t prelink_log_t:file create_file_perms; +allow system_crond_t prelink_cache_t:file { getattr read unlink }; +allow prelink_t crond_log_t:file append; +') + +logdir_domain(prelink) +type etc_prelink_t, file_type, sysadmfile; +type var_lock_prelink_t, file_type, sysadmfile, lockfile; + +allow prelink_t etc_prelink_t:file { getattr read }; +allow prelink_t file_type:dir rw_dir_perms; +allow prelink_t file_type:lnk_file r_file_perms; +allow prelink_t file_type:file getattr; +allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom }; +allow prelink_t ld_so_t:file execute_no_trans; + +allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:fifo_file rw_file_perms; +allow prelink_t self:file { getattr read }; +dontaudit prelink_t sysctl_kernel_t:dir search; +dontaudit prelink_t sysctl_t:dir search; +allow prelink_t etc_runtime_t:file { getattr read }; +read_locale(prelink_t) +allow prelink_t urandom_device_t:chr_file read; +allow prelink_t proc_t:file { getattr read }; +# +# prelink_cache_t is the type of /etc/prelink.cache. 
+# +type prelink_cache_t, file_type, sysadmfile; +file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file) diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te new file mode 100644 index 0000000..5762592 --- /dev/null +++ b/strict/domains/program/privoxy.te @@ -0,0 +1,25 @@ +#DESC privoxy - privacy enhancing proxy +# +# Authors: Dan Walsh +# +# + +################################# +# +# Rules for the privoxy_t domain. +# +daemon_domain(privoxy) + +logdir_domain(privoxy) + +# Use capabilities. +allow privoxy_t self:capability net_bind_service; + +# Use the network. +can_network(privoxy_t) +allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind; +allow privoxy_t etc_t:file { getattr read }; +allow privoxy_t self:capability { setgid setuid }; +allow privoxy_t self:unix_stream_socket create_socket_perms ; +allow privoxy_t admin_tty_type:chr_file { read write }; + diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te new file mode 100644 index 0000000..81af770 --- /dev/null +++ b/strict/domains/program/procmail.te 
@@ -0,0 +1,78 @@ +#DESC Procmail - Mail delivery agent for mail servers +# +# Author: Russell Coker +# X-Debian-Packages: procmail +# + +################################# +# +# Rules for the procmail_t domain. +# +# procmail_exec_t is the type of the procmail executable. +# +# privhome only works until we define a different type for maildir +type procmail_t, domain, privlog, privhome, nscd_client_domain; +type procmail_exec_t, file_type, sysadmfile, exec_type; + +role system_r types procmail_t; + +uses_shlib(procmail_t) +allow procmail_t device_t:dir search; +can_network_server(procmail_t) +can_ypbind(procmail_t) + +allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; + +allow procmail_t etc_t:dir r_dir_perms; +allow procmail_t { etc_t etc_runtime_t }:file { getattr read }; +allow procmail_t etc_t:lnk_file read; +read_locale(procmail_t) +read_sysctl(procmail_t) + +allow procmail_t sysctl_t:dir search; + +allow procmail_t self:process { setsched fork sigchld signal }; +dontaudit procmail_t sbin_t:dir { getattr search }; +can_exec(procmail_t, { bin_t shell_exec_t }) +allow procmail_t bin_t:dir { getattr search }; +allow procmail_t bin_t:lnk_file read; +allow procmail_t self:fifo_file rw_file_perms; + +allow procmail_t self:unix_stream_socket create_socket_perms; +allow procmail_t self:unix_dgram_socket create_socket_perms; + +# for /var/mail +rw_dir_create_file(procmail_t, mail_spool_t) + +allow procmail_t var_t:dir { getattr search }; +allow procmail_t var_spool_t:dir r_dir_perms; + +allow procmail_t fs_t:filesystem getattr; +allow procmail_t { self proc_t }:dir search; +allow procmail_t proc_t:file { getattr read }; +allow procmail_t { self proc_t }:lnk_file read; + +# for if /var/mail is a symlink to /var/spool/mail +#allow procmail_t mail_spool_t:lnk_file r_file_perms; + +# for spamassasin +allow procmail_t usr_t:file { getattr ioctl read }; + +# Search /var/run. 
+allow procmail_t var_run_t:dir { getattr search }; + +# Do not audit attempts to access /root. +dontaudit procmail_t sysadm_home_dir_t:dir { getattr search }; + +allow procmail_t devtty_t:chr_file { read write }; + +allow procmail_t urandom_device_t:chr_file { getattr read }; + +ifdef(`sendmail.te', ` +r_dir_file(procmail_t, etc_mail_t) +allow procmail_t sendmail_t:tcp_socket { read write }; +') + +ifdef(`hide_broken_symptoms', ` +dontaudit procmail_t mqueue_spool_t:file { getattr read write }; +') diff --git a/strict/domains/program/quota.te b/strict/domains/program/quota.te new file mode 100644 index 0000000..7374053 --- /dev/null +++ b/strict/domains/program/quota.te 
@@ -0,0 +1,59 @@ +#DESC Quota - File system quota management utilities +# +# Author: Russell Coker +# X-Debian-Packages: quota quotatool +# + +################################# +# +# Rules for the quota_t domain. +# +# needs auth attribute because it has read access to shadow_t because checkquota +# is buggy +daemon_base_domain(quota, `, auth, fs_domain') + +# so the administrator can run quotacheck +domain_auto_trans(sysadm_t, quota_exec_t, quota_t) +role sysadm_r types quota_t; +allow quota_t admin_tty_type:chr_file { read write }; + +type quota_flag_t, file_type, sysadmfile; +type quota_db_t, file_type, sysadmfile; + +rw_dir_create_file(initrc_t, quota_flag_t) + +allow quota_t fs_t:filesystem { getattr quotaget quotamod remount }; +# quotacheck creates new quota_db_t files +file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) +# for some reason it wants dac_override not dac_read_search +allow quota_t self:capability { sys_admin dac_override }; +allow quota_t file_type:{ fifo_file sock_file } getattr; +allow quota_t file_t:file quotaon; + +# for quotacheck +allow quota_t file_type:dir r_dir_perms; +# The following line is apparently necessary, although read and +# ioctl seem to be more than should be required. +allow quota_t file_type:file { getattr read ioctl }; +allow quota_t file_type:{ fifo_file sock_file } getattr; +allow quota_t file_type:lnk_file { read getattr }; +allow quota_t device_type:{ chr_file blk_file } getattr; + +allow quota_t fixed_disk_device_t:blk_file { getattr read }; + +# for /quota.* +allow quota_t quota_db_t:file { read write }; +dontaudit unpriv_userdomain quota_db_t:file getattr; +allow quota_t quota_db_t:file quotaon; + +# Read /etc/mtab. 
+allow quota_t etc_runtime_t:file { read getattr }; + +allow quota_t device_t:dir r_dir_perms; +allow quota_t fixed_disk_device_t:blk_file getattr; +allow quota_t boot_t:dir r_dir_perms; +allow quota_t sysctl_t:dir { getattr search }; + +allow quota_t initrc_devpts_t:chr_file rw_file_perms; + +allow quota_t proc_t:file getattr; diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te new file mode 100644 index 0000000..4e7f194 --- /dev/null +++ b/strict/domains/program/radius.te 
@@ -0,0 +1,69 @@ +#DESC RADIUS - Radius server +# +# Author: Russell Coker +# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius +# + +################################# +# +# Rules for the radiusd_t domain. +# +# radiusd_exec_t is the type of the radiusd executable. +# +type radius_port_t, port_type; +type radacct_port_t, port_type; +daemon_domain(radiusd, `, auth') + +etcdir_domain(radiusd) +typealias radiusd_etc_t alias etc_radiusd_t; + +system_crond_entry(radiusd_exec_t, radiusd_t) + +allow radiusd_t self:process setsched; + +allow radiusd_t proc_t:file { read getattr }; + +dontaudit radiusd_t sysadm_home_dir_t:dir getattr; + +# allow pthreads to read kernel version +read_sysctl(radiusd_t) + +# read config files +allow radiusd_t etc_t:dir r_dir_perms; +allow radiusd_t { etc_t etc_runtime_t }:file { read getattr }; +allow radiusd_t etc_t:lnk_file read; + +# write log files +logdir_domain(radiusd) +allow radiusd_t radiusd_log_t:dir create; + +allow radiusd_t usr_t:file r_file_perms; + +can_exec(radiusd_t, lib_t) +can_exec(radiusd_t, { bin_t shell_exec_t }) +allow radiusd_t { bin_t sbin_t }:dir search; +allow radiusd_t bin_t:lnk_file read; + +allow radiusd_t devtty_t:chr_file { read write }; +allow radiusd_t self:fifo_file rw_file_perms; +# fsetid is for gzip which needs it when run from scripts +# gzip also needs chown access to preserve GID for radwtmp files +allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; + +can_network_server(radiusd_t) +can_ypbind(radiusd_t) +allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind; + +# for RADIUS proxy port +allow radiusd_t port_t:udp_socket name_bind; + +ifdef(`snmpd.te', ` +can_tcp_connect(radiusd_t, snmpd_t) +') +ifdef(`logrotate.te', ` +can_exec(radiusd_t, logrotate_exec_t) +') +can_udp_send(sysadm_t, radiusd_t) +can_udp_send(radiusd_t, sysadm_t) + +allow radiusd_t self:unix_stream_socket 
create_stream_socket_perms; diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te new file mode 100644 index 0000000..1e8b3ff --- /dev/null +++ b/strict/domains/program/radvd.te @@ -0,0 +1,29 @@ +#DESC Radv - IPv6 route advisory daemon +# +# Author: Russell Coker +# X-Debian-Packages: radvd +# + +################################# +# +# Rules for the radvd_t domain. +# +daemon_domain(radvd) + +etc_domain(radvd) +allow radvd_t etc_t:file { getattr read }; + +allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms; + +allow radvd_t self:capability net_raw; +allow radvd_t self:{ unix_dgram_socket rawip_socket } create; +allow radvd_t self:unix_stream_socket create_socket_perms; + +can_network_server(radvd_t) + +allow radvd_t proc_t:dir r_dir_perms; +allow radvd_t proc_t:file { getattr read }; +allow radvd_t etc_t:lnk_file read; + +allow radvd_t sysctl_net_t:file r_file_perms; +allow radvd_t sysctl_net_t:dir r_dir_perms; diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te new file mode 100644 index 0000000..fb014d7 --- /dev/null +++ b/strict/domains/program/restorecon.te 
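Review bot: the `# for RADIUS proxy port` rule `allow radiusd_t port_t:udp_socket name_bind;` lets the daemon bind any generic, undeclared UDP port instead of a declared port type; since `radius_port_t` and `radacct_port_t` are already declared at the top of this hunk, a dedicated proxy port type (or a comment saying why the proxy port has to be dynamic) would keep the binding policy explicit. The same hunk grants `can_exec(radiusd_t, lib_t)` and `can_exec(radiusd_t, { bin_t shell_exec_t })` without saying which helper scripts need them; the justification style already used for `fsetid`/`chown` (gzip on radwtmp) should be extended to those two lines.

Review bot: the `#DESC` header for radvd.te says `IPv6 route advisory daemon`; radvd is the IPv6 Router Advertisement daemon, so the description should say that. Also `allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;` and the later `allow radvd_t self:{ unix_dgram_socket rawip_socket } create;` split one permission set across two rules; a single `create_socket_perms` rule (which is `create` plus `rw_socket_perms`) is clearer.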
@@ -0,0 +1,63 @@ +#DESC restorecon - Restore or check the context of a file +# +# Authors: Russell Coker +# X-Debian-Packages: policycoreutils +# + +################################# +# +# Rules for the restorecon_t domain. +# +# restorecon_exec_t is the type of the restorecon executable. +# +# needs auth_write attribute because it has relabelfrom/relabelto +# access to shadow_t +type restorecon_t, domain, privlog, privowner, auth_write, change_context; +type restorecon_exec_t, file_type, sysadmfile, exec_type; + +role system_r types restorecon_t; +role sysadm_r types restorecon_t; + +allow restorecon_t initrc_devpts_t:chr_file { read write ioctl }; +allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; + +domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t) +allow restorecon_t { userdomain init_t privfd }:fd use; + +uses_shlib(restorecon_t) +allow restorecon_t self:capability { dac_override dac_read_search fowner }; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that restorecon can not be run! +allow restorecon_t lib_t:file { read execute }; + +# Get security policy decisions. 
+can_getsecurity(restorecon_t) + +r_dir_file(restorecon_t, policy_config_t) + +allow restorecon_t file_type:dir r_dir_perms; +allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto }; +allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom }; +allow restorecon_t unlabeled_t:dir read; +allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto }; +ifdef(`distro_redhat', ` +allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +') + +allow restorecon_t ptyfile:chr_file getattr; + +allow restorecon_t fs_t:filesystem getattr; +allow restorecon_t fs_type:dir r_dir_perms; + +allow restorecon_t etc_runtime_t:file read; +allow restorecon_t etc_t:file read; +allow restorecon_t proc_t:file { getattr read }; +dontaudit restorecon_t proc_t:lnk_file { getattr read }; + +allow restorecon_t device_t:file { read write }; +allow restorecon_t kernel_t:fd use; +allow restorecon_t kernel_t:fifo_file { read write }; +allow restorecon_t kernel_t:unix_dgram_socket { read write }; +r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } ) + diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te new file mode 100644 index 0000000..cc15ff1 --- /dev/null +++ b/strict/domains/program/rhgb.te 
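Review bot: `allow restorecon_t device_t:file { read write };` near the end of the hunk carries no justification; relabelling needs only `getattr relabelfrom relabelto`, which the `{ device_t device_type }:{ chr_file blk_file }` rule already grants, so write access to plain files of type `device_t` should be explained the way the `lib_t:file { read execute }` rule is, or dropped. The `distro_redhat` rule `allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };` has the same problem: relabelling device nodes on a tmpfs does not require `rw_file_perms`, and giving a relabel tool read/write on device nodes widens its reach for no stated reason.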
@@ -0,0 +1,101 @@ +#DESC rhgb - Red Hat Graphical Boot +# +# Author: Russell Coker +# Depends: xdm.te gnome-pty-helper.te xserver.te + +daemon_base_domain(rhgb) + +allow rhgb_t { bin_t sbin_t }:dir search; +allow rhgb_t bin_t:lnk_file read; + +domain_auto_trans(rhgb_t, shell_exec_t, initrc_t) +domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t) +can_exec(rhgb_t, { bin_t sbin_t gph_exec_t }) + +allow rhgb_t self:unix_stream_socket create_stream_socket_perms; +allow rhgb_t self:fifo_file rw_file_perms; + +# for gnome-pty-helper +gph_domain(rhgb, system) +allow initrc_t rhgb_gph_t:fd use; + +allow rhgb_t proc_t:file { getattr read }; + +allow rhgb_t devtty_t:chr_file { read write }; +allow rhgb_t tty_device_t:chr_file rw_file_perms; + +read_locale(rhgb_t) +allow rhgb_t { etc_t etc_runtime_t }:file { getattr read }; + +# for ramfs file systems +allow rhgb_t ramfs_t:dir { setattr rw_dir_perms }; +allow rhgb_t ramfs_t:sock_file create_file_perms; +allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms; +allow insmod_t ramfs_t:file write; +allow insmod_t rhgb_t:fd use; + +allow rhgb_t ramfs_t:filesystem { mount unmount }; +allow rhgb_t mnt_t:dir { search mounton }; +allow rhgb_t self:capability { sys_admin sys_tty_config }; +dontaudit rhgb_t var_run_t:dir search; + +can_network_client(rhgb_t) +can_ypbind(rhgb_t) + +# for fonts +allow rhgb_t usr_t:{ file lnk_file } { getattr read }; + +# for running setxkbmap +r_dir_file(rhgb_t, var_lib_xkb_t) + +# for localization +allow rhgb_t lib_t:file { getattr read }; + +allow rhgb_t initctl_t:fifo_file write; + +ifdef(`hide_broken_symptoms', ` +# it should not do this +dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +')dnl end hide_broken_symptoms + +can_create_pty(rhgb) + +allow rhgb_t self:shm create_shm_perms; +allow xdm_xserver_t rhgb_t:shm rw_shm_perms; + +can_unix_connect(initrc_t, rhgb_t) +tmpfs_domain(rhgb) +allow xdm_xserver_t rhgb_tmpfs_t:file { read write }; + +allow rhgb_t fonts_t:dir { 
getattr read search }; +allow rhgb_t fonts_t:file { getattr read }; + +# for nscd +dontaudit rhgb_t var_t:dir search; + +ifdef(`hide_broken_symptoms', ` +# for a bug in the X server +dontaudit insmod_t xdm_xserver_t:tcp_socket { read write }; +dontaudit insmod_t serial_device:chr_file { read write }; +dontaudit mount_t rhgb_gph_t:fd use; +dontaudit mount_t rhgb_t:unix_stream_socket { read write }; +dontaudit mount_t ptmx_t:chr_file { read write }; +')dnl end hide_broken_symptoms + +ifdef(`firstboot.te', ` +allow rhgb_t firstboot_rw_t:file r_file_perms; +') +allow rhgb_t tmp_t:dir search; +allow rhgb_t xdm_xserver_t:process sigkill; +allow domain rhgb_devpts_t:chr_file { read write }; +ifdef(`fsadm.te', ` +dontaudit fsadm_t ramfs_t:fifo_file write; +') +allow rhgb_t xdm_xserver_tmp_t:file { getattr read }; +dontaudit rhgb_t default_t:file read; + +allow initrc_t ramfs_t:dir search; +allow initrc_t ramfs_t:sock_file write; +allow initrc_t rhgb_t:unix_stream_socket { read write }; + +allow rhgb_t default_t:file { getattr read }; diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te new file mode 100644 index 0000000..0c896cf --- /dev/null +++ b/strict/domains/program/rlogind.te 
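Review bot: `allow domain rhgb_devpts_t:chr_file { read write };` hands every domain on the system read/write on rhgb's pty; only the domains that actually inherit it during boot should be listed, in the same way the `hide_broken_symptoms` block names `insmod_t` and `mount_t` individually. Separately, `dontaudit rhgb_t default_t:file read;` is made pointless by the final `allow rhgb_t default_t:file { getattr read };` (an allowed access is never audited), so one of the two lines should go; the allow also looks like a leftover given the `# it should not do this` tone of the surrounding dontaudit rules.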
@@ -0,0 +1,37 @@ +#DESC Rlogind - Remote login daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: rsh-client rsh-redone-client +# Depends: inetd.te +# + +################################# +# +# Rules for the rlogind_t domain. +# +remote_login_daemon(rlogind) +typeattribute rlogind_t auth_chkpwd; + +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t) +') + +# for /usr/lib/telnetlogin +can_exec(rlogind_t, rlogind_exec_t) + +# Use capabilities. +allow rlogind_t self:capability { net_bind_service }; + +# Run login in remote_login_t. +allow remote_login_t inetd_t:fd use; +allow remote_login_t inetd_t:tcp_socket rw_file_perms; + +# Send SIGCHLD to inetd on death. +allow rlogind_t inetd_t:process sigchld; + +allow rlogind_t home_dir_type:dir search; +allow rlogind_t home_type:file { getattr read }; +allow rlogind_t self:file { getattr read }; +allow rlogind_t default_t:dir search; +typealias rlogind_port_t alias rlogin_port_t; +read_sysctl(rlogind_t); diff --git a/strict/domains/program/rpcd.te b/strict/domains/program/rpcd.te new file mode 100644 index 0000000..d921e3c --- /dev/null +++ b/strict/domains/program/rpcd.te 
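Review bot: the `X-Debian-Packages:` header lists `rsh-client rsh-redone-client`, but rlogind is shipped by the server packages (`rsh-server rsh-redone-server`, as rshd.te in this same series states), so the header is wrong. The comment `# for /usr/lib/telnetlogin` above `can_exec(rlogind_t, rlogind_exec_t)` appears to have been copied from the telnet policy and does not explain why rlogind re-executes its own type. Minor style: `allow remote_login_t inetd_t:tcp_socket rw_file_perms;` applies the file permission macro to a socket class where `rw_stream_socket_perms` (as used in rshd.te) states the intent, and `read_sysctl(rlogind_t);` ends with a semicolon that none of the other macro calls in the file carry.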
@@ -0,0 +1,141 @@ +#DESC Rpcd - RPC daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# Depends: portmap.te +# X-Debian-Packages: nfs-common +# + +################################# +# +# Rules for the rpcd_t and nfsd_t domain. +# +define(`rpc_domain', ` +daemon_base_domain($1) +can_network($1_t) +can_ypbind($1_t) +allow $1_t etc_t:file { getattr read }; +read_locale($1_t) +allow $1_t self:capability net_bind_service; +dontaudit $1_t self:capability net_admin; + +allow $1_t var_t:dir { getattr search }; +allow $1_t var_lib_t:dir search; +allow $1_t var_lib_nfs_t:dir create_dir_perms; +allow $1_t var_lib_nfs_t:file create_file_perms; +# do not log when it tries to bind to a port belonging to another domain +dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +allow $1_t self:netlink_route_socket r_netlink_socket_perms; +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +# bind to arbitary unused ports +allow $1_t port_t:{ tcp_socket udp_socket } name_bind; +allow $1_t sysctl_rpc_t:dir search; +allow $1_t sysctl_rpc_t:file rw_file_perms; +') + +type exports_t, file_type, sysadmfile; +dontaudit userdomain exports_t:file getattr; + +# rpcd_t is the domain of rpc daemons. +# rpcd_exec_t is the type of rpc daemon programs. 
+# +rpc_domain(rpcd) +var_run_domain(rpcd) +allow rpcd_t rpcd_var_run_t:dir setattr; + +# for rpc.rquotad +allow rpcd_t sysctl_t:dir r_dir_perms; +allow rpcd_t self:fifo_file rw_file_perms; + +# rpcd_t needs to talk to the portmap_t domain +can_udp_send(rpcd_t, portmap_t) + +allow initrc_t exports_t:file r_file_perms; +ifdef(`distro_redhat', ` +allow rpcd_t self:capability { chown dac_override setgid setuid }; +# for /etc/rc.d/init.d/nfs to create /etc/exports +allow initrc_t exports_t:file write; +') + +allow rpcd_t self:file { getattr read }; + +# nfs kernel server needs kernel UDP access. It is less risky and painful +# to just give it everything. +can_network_server(kernel_t) +#can_udp_send(kernel_t, rpcd_t) +#can_udp_send(rpcd_t, kernel_t) + +rpc_domain(nfsd) +domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t) +role sysadm_r types nfsd_t; + +# for /proc/fs/nfs/exports - should we have a new type? +allow nfsd_t proc_t:file r_file_perms; +allow nfsd_t proc_net_t:dir search; +allow nfsd_t exports_t:file { getattr read }; + +allow nfsd_t nfsd_fs_t:filesystem mount; +allow nfsd_t nfsd_fs_t:dir search; +allow nfsd_t nfsd_fs_t:file rw_file_perms; +allow initrc_t sysctl_rpc_t:dir search; +allow initrc_t sysctl_rpc_t:file rw_file_perms; + +type nfsd_rw_t, file_type, sysadmfile, usercanread; +type nfsd_ro_t, file_type, sysadmfile, usercanread; + +bool nfs_export_all_rw false; + +if(nfs_export_all_rw) { +allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; +create_dir_file(kernel_t,{ file_type -shadow_t }) +} + +dontaudit kernel_t shadow_t:file getattr; + +bool nfs_export_all_ro false; + +if(nfs_export_all_ro) { +allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; +r_dir_file(kernel_t,{ file_type -shadow_t }) +} + +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; +create_dir_file(kernel_t, nfsd_rw_t); +r_dir_file(kernel_t, nfsd_ro_t); + +allow kernel_t nfsd_t:udp_socket rw_socket_perms; +can_udp_send(kernel_t, nfsd_t) +can_udp_send(nfsd_t, kernel_t) + +# does not 
really need this, but it is easier to just allow it +allow nfsd_t var_run_t:dir search; + +allow nfsd_t self:capability { sys_admin sys_resource }; +allow nfsd_t fs_t:filesystem getattr; + +can_udp_send(nfsd_t, portmap_t) +can_udp_send(portmap_t, nfsd_t) + +can_tcp_connect(nfsd_t, portmap_t) + +# for exportfs and rpc.mountd +allow nfsd_t tmp_t:dir getattr; + +r_dir_file(rpcd_t, rpc_pipefs_t) +allow rpcd_t rpc_pipefs_t:sock_file { read write }; +dontaudit rpcd_t selinux_config_t:dir { search }; +allow rpcd_t proc_net_t:dir search; + + +rpc_domain(gssd) +can_kerberos(gssd_t) +allow gssd_t krb5_keytab_t:file r_file_perms; +allow gssd_t urandom_device_t:chr_file { getattr read }; +r_dir_file(gssd_t, tmp_t) +tmp_domain(gssd) +allow gssd_t self:fifo_file { read write }; +r_dir_file(gssd_t, proc_net_t) +allow gssd_t rpc_pipefs_t:dir r_dir_perms; +allow gssd_t rpc_pipefs_t:sock_file { read write }; diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te new file mode 100644 index 0000000..c964b14 --- /dev/null +++ b/strict/domains/program/rpm.te 
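Review bot: the `nfs_export_all_rw` and `nfs_export_all_ro` blocks give `kernel_t` (via `create_dir_file` / `r_dir_file`) access to `{ file_type -shadow_t }`, which spans policy, configuration and boot types, not just exportable data; the comment should state plainly that enabling either boolean lets the in-kernel NFS server reach every labelled file except `shadow_t`, and the policy and authentication types should at least be excluded alongside `shadow_t`. Related: `can_network_server(kernel_t)` is justified only by `It is less risky and painful to just give it everything`, while the narrower `can_udp_send(kernel_t, rpcd_t)` pair is left commented out; either remove the dead lines or say what broke with them. Typo in the `rpc_domain` macro comment: `arbitary`.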
@@ -0,0 +1,255 @@ +#DESC RPM - Red Hat package management +# +# X-Debian-Packages: +################################# +# +# Rules for running the Redhat Package Manager (RPM) tools. +# +# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm +# rpm_exec_t is the type of the rpm executables. +# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*) +# var_lib_rpm_t is the type for rpm files in /var/lib +# +type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd; +role system_r types rpm_t; +uses_shlib(rpm_t) +type rpm_exec_t, file_type, sysadmfile, exec_type; + +general_domain_access(rpm_t) +can_ps(rpm_t, domain) +allow rpm_t self:process setrlimit; +system_crond_entry(rpm_exec_t, rpm_t) +role sysadm_r types rpm_t; +domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t) + +type rpm_file_t, file_type, sysadmfile; + +tmp_domain(rpm) + +tmpfs_domain(rpm) + +log_domain(rpm) + +can_network(rpm_t) +can_ypbind(rpm_t) + +# Allow the rpm domain to execute other programs +can_exec_any(rpm_t) + +# Capabilties needed by rpm utils +allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod }; + +# Access /var/lib/rpm files +var_lib_domain(rpm) +allow userdomain var_lib_t:dir { getattr search }; +r_dir_file(userdomain, rpm_var_lib_t) +r_dir_file(rpm_t, proc_t) + +allow rpm_t sysfs_t:dir r_dir_perms; +allow rpm_t usbdevfs_t:dir r_dir_perms; + +# for installing kernel packages +allow rpm_t fixed_disk_device_t:blk_file { getattr read }; + +# Access terminals. 
+allow rpm_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;') +allow rpm_t privfd:fd use; +allow rpm_t devtty_t:chr_file rw_file_perms; + +domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t) +domain_auto_trans(rpm_t, initrc_exec_t, initrc_t) + +ifdef(`cups.te', ` +r_dir_file(cupsd_t, rpm_var_lib_t) +allow cupsd_t initrc_exec_t:file { getattr read }; +domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t) +') + +# for a bug in rm +dontaudit initrc_t pidfile:file write; + +# bash tries to access a block device in the initrd +dontaudit initrc_t unlabeled_t:blk_file getattr; + +# bash tries ioctl for some reason +dontaudit initrc_t pidfile:file ioctl; + +allow rpm_t autofs_t:dir { search getattr }; +allow rpm_t autofs_t:filesystem getattr; +allow rpm_script_t autofs_t:dir { search getattr }; +allow rpm_t devpts_t:dir { setattr r_dir_perms }; +allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr; +dontaudit rpm_t security_t:filesystem getattr; +can_getcon(rpm_t) +can_setfscreate(rpm_t) +can_setexec(rpm_t) +read_sysctl(rpm_t) +general_domain_access(rpm_script_t) + +# read/write/create any files in the system +allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto }; +allow rpm_t { file_type - shadow_t }:dir create_dir_perms; +allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms; +allow rpm_t sysfs_t:filesystem getattr; +allow rpm_t tmpfs_t:filesystem getattr; +dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; +# needs rw permission to the directory for an rpm package that includes a mount +# point +allow rpm_t fs_type:dir { setattr rw_dir_perms }; +allow rpm_t fs_type:filesystem getattr; + +# allow compiling and loading new policy +create_dir_file(rpm_t, { policy_src_t policy_config_t }) + +can_getsecurity({ rpm_t rpm_script_t 
}) +dontaudit rpm_t shadow_t:file { getattr read }; +allow rpm_t urandom_device_t:chr_file read; +allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto }; +allow rpm_t ttyfile:chr_file unlink; +allow rpm_script_t tty_device_t:chr_file getattr; +allow rpm_script_t devpts_t:dir search; +allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms; + +allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms; + +type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role; +# policy for rpm scriptlet +role system_r types rpm_script_t; +uses_shlib(rpm_script_t) +read_locale(rpm_script_t) + +can_ps(rpm_script_t, domain) + +ifdef(`lpd.te', ` +can_exec(rpm_script_t, printconf_t) +') + +read_sysctl(rpm_script_t) + +type rpm_script_exec_t, file_type, sysadmfile, exec_type; + +role sysadm_r types rpm_script_t; +domain_trans(rpm_t, shell_exec_t, rpm_script_t) +ifdef(`hide_broken_symptoms', ` +ifdef(`pamconsole.te', ` +domain_trans(rpm_t, pam_console_exec_t, rpm_script_t) +') +') + +tmp_domain(rpm_script) + +tmpfs_domain(rpm_script) + +# Allow the rpm domain to execute other programs +can_exec_any(rpm_script_t) + +# Capabilties needed by rpm scripts utils +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; + +# ideally we would not need this +allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms; +allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms; +allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms; + +# for kernel package installation +ifdef(`mount.te', ` +allow mount_t rpm_t:fifo_file rw_file_perms; +') + +# Commonly used from postinst scripts +ifdef(`consoletype.te', ` +allow consoletype_t rpm_t:fifo_file r_file_perms; +') +ifdef(`crond.te', ` +allow crond_t rpm_t:fifo_file 
r_file_perms; +') + +allow rpm_script_t proc_t:dir r_dir_perms; +allow rpm_script_t proc_t:{ file lnk_file } r_file_perms; + +allow rpm_script_t devtty_t:chr_file rw_file_perms; +allow rpm_script_t devpts_t:dir r_dir_perms; +allow rpm_script_t admin_tty_type:chr_file rw_file_perms; +allow rpm_script_t etc_runtime_t:file { getattr read }; +allow rpm_script_t privfd:fd use; +allow rpm_script_t rpm_tmp_t:file { getattr read ioctl }; + +allow rpm_script_t urandom_device_t:chr_file read; + +ifdef(`ssh-agent.te', ` +domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t) +') + +ifdef(`useradd.te', ` +domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t) +domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t) +role system_r types { useradd_t groupadd_t }; +allow { useradd_t groupadd_t } rpm_t:fd use; +allow { useradd_t groupadd_t } rpm_t:fifo_file { read write }; +') + +domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t) + +domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t) +domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t) +domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t) +ifdef(`bootloader.te', ` +domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t) +allow bootloader_t rpm_t:fifo_file rw_file_perms; +') + +domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t) + +rw_dir_file(rpm_script_t, nfs_t) +allow rpm_script_t nfs_t:filesystem getattr; + +allow rpm_script_t fs_t:filesystem { getattr mount unmount }; +allow rpm_script_t rpm_script_tmp_t:dir mounton; +can_exec(rpm_script_t, usr_t) +can_exec(rpm_script_t, sbin_t) + +allow rpm_t mount_t:tcp_socket write; +create_dir_file(rpm_t, nfs_t) +allow rpm_t { removable_t nfs_t }:filesystem getattr; + +allow rpm_script_t userdomain:fd use; + +allow domain rpm_t:fifo_file r_file_perms; +allow domain rpm_t:fd use; + +ifdef(`ssh.te', ` +allow sshd_t rpm_script_t:fd use; +allow sshd_t rpm_t:fd use; +') + +dontaudit rpm_script_t shadow_t:file 
getattr; +allow rpm_script_t sysfs_t:dir r_dir_perms; + +ifdef(`prelink.te', ` +domain_auto_trans(rpm_t, prelink_exec_t, prelink_t) +') + +allow rpm_t rpc_pipefs_t:dir search; +allow rpm_script_t init_t:dir search; + +type rpmbuild_exec_t, file_type, sysadmfile, exec_type; +type rpmbuild_t, domain; +allow rpmbuild_t policy_config_t:dir search; +allow rpmbuild_t policy_src_t:dir search; +allow rpmbuild_t policy_src_t:file { getattr read }; +can_getsecurity(rpmbuild_t) + +allow rpm_script_t domain:process { signal signull }; + +# Access /var/lib/rpm. +allow initrc_t rpm_var_lib_t:dir rw_dir_perms; +allow initrc_t rpm_var_lib_t:file create_file_perms; + +ifdef(`unlimitedRPM', ` +typeattribute rpm_t auth_write; +unconfined_domain(rpm_t) +typeattribute rpm_script_t auth_write; +unconfined_domain(rpm_script_t) +') + diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te new file mode 100644 index 0000000..f1da21e --- /dev/null +++ b/strict/domains/program/rshd.te 
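Review bot: `rpmbuild_t` is declared (`type rpmbuild_t, domain;`) and given four rules, but nothing in the hunk transitions into it (there is no `domain_auto_trans(..., rpmbuild_exec_t, rpmbuild_t)`), no `role ... types rpmbuild_t;` line authorises it and it has no `uses_shlib`, so the domain cannot be entered; add the transition and role rules or drop the declaration. Two more points: `allow domain rpm_t:fifo_file r_file_perms;` and `allow domain rpm_t:fd use;` extend rpm's descriptors to every domain where the earlier rules already name the specific helpers (`consoletype_t`, `crond_t`, `mount_t`, `bootloader_t`, `useradd_t`), so the blanket rules should be justified or removed; and `{ file_type - shadow_t }` (with a space) in the rpm_t and rpm_script_t create rules should be written `{ file_type -shadow_t }` to match the relabel rule. Readability: `type rpm_script_t, ...` is declared after rules that already reference it (`general_domain_access(rpm_script_t)`, the `cups.te` block); moving the declaration up beside `rpm_t` would help.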
@@ -0,0 +1,69 @@ +#DESC RSHD - RSH daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: rsh-server rsh-redone-server +# Depends: inetd.te +# + +################################# +# +# Rules for the rshd_t domain. +# +type rsh_port_t, port_type, reserved_port_type; +daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole') + +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t) +') + +# Use sockets inherited from inetd. +allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Use capabilities. +allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override}; + +# Use the network. +can_network_server(rshd_t) +allow rshd_t reserved_port_t:tcp_socket name_bind; +dontaudit rshd_t reserved_port_type:tcp_socket name_bind; + +can_ypbind(rshd_t) + +allow rshd_t etc_t:file { getattr read }; +read_locale(rshd_t) +allow rshd_t self:unix_dgram_socket create_socket_perms; +allow rshd_t self:unix_stream_socket create_stream_socket_perms; +allow rshd_t { home_root_t home_dir_type }:dir { search getattr }; +can_kerberos(rshd_t) +allow rshd_t { bin_t sbin_t tmp_t}:dir { search }; +allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms; +ifdef(`rlogind.te', ` +allow rshd_t rlogind_tmp_t:file rw_file_perms; +') +allow rshd_t urandom_device_t:chr_file { getattr read }; + +# Read the user's .rhosts file. +allow rshd_t home_type:file r_file_perms ; + +# Random reasons +can_getsecurity(rshd_t) +can_setexec(rshd_t) +r_dir_file(rshd_t, selinux_config_t) +r_dir_file(rshd_t, default_context_t) +read_sysctl(rshd_t); + +if (use_nfs_home_dirs) { +r_dir_file(rshd_t, nfs_t) +} + +if (use_samba_home_dirs) { +r_dir_file(rshd_t, cifs_t) +} + +allow rshd_t self:process { fork signal setsched setpgid }; +allow rshd_t self:fifo_file rw_file_perms; + +ifdef(`targeted_policy', ` +unconfined_domain(rshd_t) +domain_auto_trans(rshd_t,shell_exec_t,unconfined_t) +') 
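Review bot: `type rsh_port_t, port_type, reserved_port_type;` is declared but no rule in the hunk binds it; the daemon inherits its socket from inetd (`allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;`), so a comment saying the type exists for inetd's listener would stop readers hunting for a missing `name_bind`. Also `# Read the user's .rhosts file.` sits above `allow rshd_t home_type:file r_file_perms ;`, which reads every file of every home type, not only `.rhosts`; the comment should say so, since the policy has no separate type for `.rhosts`. The `targeted_policy` block makes `rshd_t` unconfined and sends shells to `unconfined_t`, which deserves a one-line comment given that the strict rules above it go to some length to constrain the daemon. `read_sysctl(rshd_t);` has a stray trailing semicolon.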
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te new file mode 100644 index 0000000..1090463 --- /dev/null +++ b/strict/domains/program/rsync.te @@ -0,0 +1,19 @@ +#DESC rsync - flexible replacement for rcp +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the rsync_t domain. +# +# rsync_exec_t is the type of the rsync executable. +# + +inetd_child_domain(rsync) +type rsync_data_t, file_type, sysadmfile; +r_dir_file(rsync_t, rsync_data_t) +ifdef(`ftpd.te', ` +r_dir_file(rsync_t, ftpd_anon_t) +') diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te new file mode 100644 index 0000000..43b31ef --- /dev/null +++ b/strict/domains/program/samba.te 
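Review bot: rsync.te lacks the `X-Debian-Packages:` header the sibling files carry (the package is `rsync`), and its `Depends: inetd.te` line is set apart from the author line by a blank line unlike the other headers. The domain receives only `r_dir_file(rsync_t, rsync_data_t)` and the optional `ftpd_anon_t` read; if daemon mode is expected to read its own configuration or write a log, that access is not visible in this hunk and should either come from `inetd_child_domain` or be stated in a comment.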
@@ -0,0 +1,182 @@ +#DESC SAMBA - SMB file server +# +# Author: Ryan Bergauer (bergauer@rice.edu) +# X-Debian-Packages: samba +# + +################################# +# +# Declarations for Samba +# + +daemon_domain(smbd, `, auth_chkpwd') +daemon_domain(nmbd) +type samba_etc_t, file_type, sysadmfile, usercanread; +type samba_log_t, file_type, sysadmfile, logfile; +type samba_var_t, file_type, sysadmfile; +type samba_share_t, file_type, sysadmfile, customizable; +type samba_secrets_t, file_type, sysadmfile; +typealias samba_var_t alias samba_spool_t; + +# for /var/run/samba/messages.tdb +allow smbd_t nmbd_var_run_t:file rw_file_perms; + +allow smbd_t self:process setrlimit; + +# not sure why it needs this +tmp_domain(smbd) + +ifdef(`crond.te', ` +allow system_crond_t samba_etc_t:file { read getattr lock }; +allow system_crond_t samba_log_t:file { read getattr lock }; +#allow system_crond_t samba_secrets_t:file { read getattr lock }; +') + +################################# +# +# Rules for the smbd_t domain. +# + +# Permissions normally found in every_domain. +general_domain_access(smbd_t) +general_proc_read_access(smbd_t) + +type smbd_port_t, port_type, reserved_port_type; +allow smbd_t smbd_port_t:tcp_socket name_bind; + +# Use capabilities. +allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search }; + +# Use the network. 
+can_network_server(smbd_t) + +allow smbd_t urandom_device_t:chr_file { getattr read }; + +# Permissions for Samba files in /etc/samba +# either allow read access to the directory or allow the auto_trans rule to +# allow creation of the secrets.tdb file and the MACHINE.SID file +#allow smbd_t samba_etc_t:dir { search getattr }; +file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file) + +allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms; + +# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba +allow smbd_t var_lib_t:dir search; +allow smbd_t samba_var_t:dir create_dir_perms; +allow smbd_t samba_var_t:file create_file_perms; + +# Permissions to write log files. +allow smbd_t samba_log_t:file { create ra_file_perms }; +allow smbd_t var_log_t:dir search; +allow smbd_t samba_log_t:dir ra_dir_perms; + +allow smbd_t usr_t:file { getattr read }; + +# Access Samba shares. +create_dir_file(smbd_t, samba_share_t) + +ifdef(`logrotate.te', ` +# the application should be changed +can_exec(logrotate_t, samba_log_t) +') +################################# +# +# Rules for the nmbd_t domain. +# + +# Permissions normally found in every_domain. +general_domain_access(nmbd_t) +general_proc_read_access(nmbd_t) + +type nmbd_port_t, port_type, reserved_port_type; +allow nmbd_t nmbd_port_t:udp_socket name_bind; + +# Use capabilities. +allow nmbd_t self:capability net_bind_service; + +# Use the network. +can_network_server(nmbd_t) + +# Permissions for Samba files in /etc/samba +allow nmbd_t samba_etc_t:file { getattr read }; +allow nmbd_t samba_etc_t:dir { search getattr }; + +# Permissions for Samba cache files in /var/cache/samba +allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search }; +allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename }; + +allow nmbd_t usr_t:file { getattr read }; + +# Permissions to write log files. 
+allow nmbd_t samba_log_t:file { create ra_file_perms }; +allow nmbd_t var_log_t:dir search; +allow nmbd_t samba_log_t:dir ra_dir_perms; +ifdef(`cups.te', ` +allow smbd_t cupsd_rw_etc_t:file { getattr read }; +') +# Needed for winbindd +allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms; + +# Support Samba sharing of home directories +bool samba_enable_home_dirs false; + +ifdef(`mount.te', ` +# +# Domain for running smbmount +# + +# Derive from app. domain. Transition from mount. +application_domain(smbmount, `, fs_domain, nscd_client_domain') +domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t) + +# Capabilities +# FIXME: is all of this really necessary? +allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown }; + +# Access samba config +allow smbmount_t samba_etc_t:file r_file_perms; +allow smbmount_t samba_etc_t:dir r_dir_perms; + +# Write samba log +allow smbmount_t samba_log_t:file create_file_perms; +allow smbmount_t samba_log_t:dir r_dir_perms; + +# Write stuff in var +allow smbmount_t var_log_t:dir r_dir_perms; +rw_dir_create_file(smbmount_t, samba_var_t) + +# Access mtab +file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file) + +# Read nsswitch.conf +allow smbmount_t etc_t:file r_file_perms; + +# Networking +can_network(smbmount_t) +can_ypbind(smbmount_t) +allow smbmount_t self:unix_dgram_socket create_socket_perms; +allow smbmount_t self:unix_stream_socket create_socket_perms; +allow kernel_t smbmount_t:tcp_socket { read write }; +allow userdomain smbmount_t:tcp_socket write; + +# Proc +# FIXME: is this necessary? 
+r_dir_file(smbmount_t, proc_t) + +# Fork smbmnt +allow smbmount_t bin_t:dir r_dir_perms; +can_exec(smbmount_t, smbmount_exec_t) +allow smbmount_t self:process { fork signal_perms }; + +# Mount +allow smbmount_t cifs_t:filesystem mount_fs_perms; +allow smbmount_t cifs_t:dir r_dir_perms; +allow smbmount_t mnt_t:dir r_dir_perms; +allow smbmount_t mnt_t:dir mounton; + +# Terminal +read_locale(smbmount_t) +access_terminal(smbmount_t, sysadm) +allow smbmount_t userdomain:fd use; +allow smbmount_t local_login_t:fd use; +') diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te new file mode 100644 index 0000000..f51ccd0 --- /dev/null +++ b/strict/domains/program/saslauthd.te @@ -0,0 +1,23 @@ +#DESC saslauthd - Authentication daemon for SASL +# +# Author: Colin Walters +# + +daemon_domain(saslauthd, `, auth_chkpwd') + +allow saslauthd_t self:fifo_file { read write }; +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; + +allow saslauthd_t etc_t:dir { getattr search }; +allow saslauthd_t etc_t:file r_file_perms; +allow saslauthd_t net_conf_t:file r_file_perms; + +allow saslauthd_t self:file r_file_perms; +allow saslauthd_t proc_t:file read; + +allow saslauthd_t urandom_device_t:chr_file { getattr read }; + +# Needs investigation +dontaudit saslauthd_t home_root_t:dir getattr; diff --git a/strict/domains/program/screen.te b/strict/domains/program/screen.te new file mode 100644 index 0000000..e9be1a0 --- /dev/null +++ b/strict/domains/program/screen.te 
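Review bot: `bool samba_enable_home_dirs false;` is declared under `# Support Samba sharing of home directories`, but no `if (samba_enable_home_dirs) { ... }` block in the hunk uses it, so toggling the boolean changes nothing; add the conditional home-directory rules for `smbd_t` or remove the declaration. The `logrotate.te` block `can_exec(logrotate_t, samba_log_t)` makes log files executable by logrotate; the comment `# the application should be changed` admits this, but a bug reference or a dontaudit is preferable to shipping execute on a log type. Minor: `allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;` is commented `# Needed for winbindd` yet is granted to `smbd_t`, so either the comment or the subject is off.

Review bot: saslauthd.te leaves `# Needs investigation` over `dontaudit saslauthd_t home_root_t:dir getattr;` with no bug reference or hint of what was seen, and unlike the sibling files it has no `X-Debian-Packages:` header (the package is `sasl2-bin`).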
@@ -0,0 +1,13 @@ +#DESC screen - Program to detach sessions +# +# X-Debian-Packages: screen +# Domains for the screen program. + +# +# screen_exec_t is the type of the screen executable. +# +type screen_exec_t, file_type, sysadmfile, exec_type; +type screen_dir_t, file_type, sysadmfile, pidfile; + +# Everything else is in the screen_domain macro in +# macros/program/screen_macros.te. diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te new file mode 100644 index 0000000..958d13e --- /dev/null +++ b/strict/domains/program/sendmail.te 
@@ -0,0 +1,111 @@ +#DESC Sendmail - Mail server +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sendmail sendmail-wide +# Depends: mta.te +# + +################################# +# +# Rules for the sendmail_t domain. +# +# sendmail_t is the domain for the sendmail +# daemon started by the init rc scripts. +# + +# etc_mail_t is the type of /etc/mail. +type etc_mail_t, file_type, sysadmfile, usercanread; + +daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm) + +tmp_domain(sendmail) +logdir_domain(sendmail) + +# Use capabilities +allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; + +# Use the network. +can_network(sendmail_t) +can_ypbind(sendmail_t) + +allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:fifo_file rw_file_perms; + +# Bind to the SMTP port. +allow sendmail_t smtp_port_t:tcp_socket name_bind; + +allow sendmail_t etc_t:file { getattr read }; + +# Write to /etc/aliases and /etc/mail. +allow sendmail_t etc_aliases_t:file { setattr rw_file_perms }; +# +# Need this transition to create /etc/aliases.db +# +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t) +') +') + +allow sendmail_t etc_mail_t:dir rw_dir_perms; +allow sendmail_t etc_mail_t:file create_file_perms; +# for the start script to run make -C /etc/mail +allow initrc_t etc_mail_t:dir rw_dir_perms; +allow initrc_t etc_mail_t:file create_file_perms; +allow system_mail_t initrc_t:fd use; +allow system_mail_t initrc_t:fifo_file write; + +# Write to /var/spool/mail and /var/spool/mqueue. 
+allow sendmail_t var_spool_t:dir { getattr search }; +allow sendmail_t mail_spool_t:dir rw_dir_perms; +allow sendmail_t mail_spool_t:file create_file_perms; +allow sendmail_t mqueue_spool_t:dir rw_dir_perms; +allow sendmail_t mqueue_spool_t:file create_file_perms; +allow sendmail_t urandom_device_t:chr_file { getattr read }; + +# Read /usr/lib/sasl2/.* +allow sendmail_t lib_t:file { getattr read }; + +# When sendmail runs as user_mail_domain, it needs some extra permissions +# to update /etc/mail/statistics. +allow user_mail_domain etc_mail_t:file rw_file_perms; + +# Silently deny attempts to access /root. +dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; + +# Run procmail in its own domain, if defined. +ifdef(`procmail.te',` +domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t) +domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t) +allow sendmail_t bin_t:dir { getattr search }; +') + +read_sysctl(sendmail_t) +read_sysctl(system_mail_t) + +allow system_mail_t etc_mail_t:dir { getattr search }; +allow system_mail_t etc_runtime_t:file { getattr read }; +allow system_mail_t proc_t:dir search; +allow system_mail_t proc_t:file { getattr read }; +allow system_mail_t proc_t:lnk_file read; +dontaudit system_mail_t proc_net_t:dir search; +allow system_mail_t fs_t:filesystem getattr; +allow system_mail_t self:dir { getattr search }; +allow system_mail_t var_t:dir getattr; +allow system_mail_t var_spool_t:dir getattr; +dontaudit system_mail_t userpty_type:chr_file { getattr read write }; + +# sendmail -q +allow system_mail_t mqueue_spool_t:dir rw_dir_perms; +allow system_mail_t mqueue_spool_t:file create_file_perms; + +ifdef(`crond.te', ` +dontaudit system_mail_t system_crond_tmp_t:file append; +') +dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; + +# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console +allow sendmail_t initrc_var_run_t:file { getattr read }; +dontaudit sendmail_t 
initrc_var_run_t:file { lock write }; + diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te new file mode 100644 index 0000000..26c275f --- /dev/null +++ b/strict/domains/program/setfiles.te 
@@ -0,0 +1,62 @@ +#DESC Setfiles - SELinux filesystem labeling utilities +# +# Authors: Russell Coker +# X-Debian-Packages: policycoreutils +# + +################################# +# +# Rules for the setfiles_t domain. +# +# setfiles_exec_t is the type of the setfiles executable. +# +# needs auth_write attribute because it has relabelfrom/relabelto +# access to shadow_t +type setfiles_t, domain, privlog, privowner, auth_write, change_context; +type setfiles_exec_t, file_type, sysadmfile, exec_type; + +role system_r types setfiles_t; +role sysadm_r types setfiles_t; + +allow setfiles_t initrc_devpts_t:chr_file { read write ioctl }; +allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl }; + +allow setfiles_t self:unix_dgram_socket create_socket_perms; + +domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) +allow setfiles_t { userdomain privfd initrc_t init_t }:fd use; + +uses_shlib(setfiles_t) +allow setfiles_t self:capability { dac_override dac_read_search fowner }; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that setfiles can not be run! +allow setfiles_t lib_t:file { read execute }; + +# Get security policy decisions. 
+can_getsecurity(setfiles_t) + +r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }) + +allow setfiles_t file_type:dir r_dir_perms; +allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom }; +allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto; +allow setfiles_t unlabeled_t:dir read; +allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto }; +allow setfiles_t { ttyfile ptyfile }:chr_file getattr; +# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal +dontaudit setfiles_t ttyfile:chr_file relabelfrom; + +allow setfiles_t fs_t:filesystem getattr; +allow setfiles_t fs_type:dir r_dir_perms; + +read_locale(setfiles_t) + +allow setfiles_t etc_runtime_t:file read; +allow setfiles_t etc_t:file read; +allow setfiles_t proc_t:file { getattr read }; +dontaudit setfiles_t proc_t:lnk_file { getattr read }; + +# for config files in a home directory +allow setfiles_t home_type:file r_file_perms; +dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom; diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te new file mode 100644 index 0000000..bab118a --- /dev/null +++ b/strict/domains/program/slapd.te 
@@ -0,0 +1,61 @@ +#DESC Slapd - OpenLDAP server +# +# Author: Russell Coker +# X-Debian-Packages: slapd +# + +################################# +# +# Rules for the slapd_t domain. +# +# slapd_exec_t is the type of the slapd executable. +# +daemon_domain(slapd) + +type ldap_port_t, port_type, reserved_port_type; +allow slapd_t ldap_port_t:tcp_socket name_bind; + +etc_domain(slapd) +typealias slapd_etc_t alias etc_slapd_t; +type slapd_db_t, file_type, sysadmfile; +type slapd_replog_t, file_type, sysadmfile; + +tmp_domain(slapd) + +# Use the network. +can_network(slapd_t) +can_ypbind(slapd_t) +allow slapd_t self:fifo_file { read write }; +allow slapd_t self:unix_stream_socket create_socket_perms; +allow slapd_t self:unix_dgram_socket create_socket_perms; +# allow any domain to connect to the LDAP server +can_tcp_connect(domain, slapd_t) + +# Use capabilities should not need kill... +allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw }; +allow slapd_t self:process setsched; + +allow slapd_t proc_t:file r_file_perms; + +# Allow access to the slapd databases +create_dir_file(slapd_t, slapd_db_t) +allow initrc_t slapd_db_t:dir r_dir_perms; +allow slapd_t var_lib_t:dir r_dir_perms; + +# Allow access to write the replication log (should tighten this) +create_dir_file(slapd_t, slapd_replog_t) + +# read config files +allow slapd_t etc_t:{ file lnk_file } { getattr read }; +allow slapd_t etc_runtime_t:file { getattr read }; + +# for startup script +allow initrc_t slapd_etc_t:file read; + +allow slapd_t etc_t:dir r_dir_perms; + +read_sysctl(slapd_t) + +allow slapd_t usr_t:file { read getattr }; +allow slapd_t urandom_device_t:chr_file { getattr read }; +allow slapd_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te new file mode 100644 index 0000000..da3219c --- /dev/null +++ b/strict/domains/program/slocate.te 
@@ -0,0 +1,76 @@ +#DESC LOCATE - Security Enhanced version of the GNU Locate +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the locate_t domain. +# +# locate_exec_t is the type of the locate executable. +# +daemon_base_domain(locate) + +allow locate_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(locate_exec_t, locate_t) +allow system_crond_t locate_log_t:dir rw_dir_perms; +allow system_crond_t locate_log_t:file { create append getattr }; +allow system_crond_t locate_etc_t:file { getattr read }; +') + +allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms; + +allow locate_t { fs_type file_type }:dir r_dir_perms; +allow locate_t file_type:lnk_file r_file_perms; +allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; +dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read; +dontaudit locate_t security_t:dir getattr; +dontaudit locate_t shadow_t:file getattr; + +allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr; +allow locate_t unlabeled_t:dir_file_class_set getattr; +allow locate_t unlabeled_t:dir read; + +logdir_domain(locate) +etcdir_domain(locate) +typealias locate_etc_t alias etc_locate_t; + +type var_lib_locate_t, file_type, sysadmfile; + +create_dir_file(locate_t, var_lib_locate_t) +dontaudit locate_t sysadmfile:file getattr; + +allow locate_t proc_t:file { getattr read }; +allow locate_t self:unix_stream_socket create_socket_perms; +# +# Need to be able to exec renice +# +can_exec(locate_t, bin_t) + +dontaudit locate_t rpc_pipefs_t:dir r_dir_perms; +dontaudit locate_t rpc_pipefs_t:file getattr; + +# +# Read Mtab file +# +allow locate_t etc_runtime_t:file { getattr read }; + +# +# Read nsswitch file +# +allow locate_t etc_t:file { getattr read }; +dontaudit locate_t self:capability dac_override; +allow locate_t self:capability dac_read_search; + +# sysadm_t runs locate in his own 
domain. +# We use a type alias to simplify the rest of the policy, +# which often refers to $1_locate_t for the user domains. +typealias sysadm_t alias sysadm_locate_t; + +allow locate_t userdomain:fd use; +ifdef(`cardmgr.te', ` +allow locate_t cardmgr_var_run_t:chr_file getattr; +') diff --git a/strict/domains/program/slrnpull.te b/strict/domains/program/slrnpull.te new file mode 100644 index 0000000..25edb93 --- /dev/null +++ b/strict/domains/program/slrnpull.te @@ -0,0 +1,24 @@ +#DESC slrnpull +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the slrnpull_t domain. +# +# slrnpull_exec_t is the type of the slrnpull executable. +# +daemon_domain(slrnpull) +type slrnpull_spool_t, file_type, sysadmfile; + +log_domain(slrnpull) + +ifdef(`logrotate.te', ` +create_dir_file(logrotate_t, slrnpull_spool_t) +') +system_crond_entry(slrnpull_exec_t, slrnpull_t) +allow userdomain slrnpull_spool_t:dir search; +rw_dir_create_file(slrnpull_t, slrnpull_spool_t) +allow slrnpull_t var_spool_t:dir search; +allow slrnpull_t slrnpull_spool_t:dir create_dir_perms; diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te new file mode 100644 index 0000000..5b794ed --- /dev/null +++ b/strict/domains/program/snmpd.te 
@@ -0,0 +1,80 @@ +#DESC SNMPD - Simple Network Management Protocol daemon +# +# Author: Russell Coker +# X-Debian-Packages: snmpd +# + +################################# +# +# Rules for the snmpd_t domain. +# +daemon_domain(snmpd) + +#temp +allow snmpd_t var_t:dir getattr; + +can_network_server(snmpd_t) +can_ypbind(snmpd_t) + +type snmp_port_t, port_type, reserved_port_type; +allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind; + +etc_domain(snmpd) +typealias snmpd_etc_t alias etc_snmpd_t; + +# for the .index file +var_lib_domain(snmpd) +file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir) +file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file) +typealias snmpd_var_lib_t alias snmpd_var_rw_t; + +log_domain(snmpd) +# for /usr/share/snmp/mibs +allow snmpd_t usr_t:file { getattr read }; + +can_udp_send(sysadm_t, snmpd_t) +can_udp_send(snmpd_t, sysadm_t) + +allow snmpd_t self:unix_dgram_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket create_socket_perms; +allow snmpd_t etc_t:lnk_file read; +allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms; +allow snmpd_t urandom_device_t:chr_file read; +allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config }; + +allow snmpd_t proc_t:dir search; +allow snmpd_t proc_t:file r_file_perms; +allow snmpd_t self:file { getattr read }; +allow snmpd_t self:fifo_file { read write }; + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +r_dir_file(snmpd_t, rpm_var_lib_t) +dontaudit snmpd_t rpm_var_lib_t:dir write; +dontaudit snmpd_t rpm_var_lib_t:file write; +') +') + +allow snmpd_t home_root_t:dir search; +allow snmpd_t initrc_var_run_t:file r_file_perms; +dontaudit snmpd_t initrc_var_run_t:file write; +dontaudit snmpd_t rpc_pipefs_t:dir getattr; +allow snmpd_t rpc_pipefs_t:dir getattr; +read_sysctl(snmpd_t) +dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read }; +allow snmpd_t sysfs_t:dir { getattr read search 
}; +ifdef(`amanda.te', ` +dontaudit snmpd_t amanda_dumpdates_t:file { getattr read }; +') +ifdef(`cupsd.te', ` +allow snmpd_t cupsd_rw_etc_t:file { getattr read }; +') +allow snmpd_t var_lib_nfs_t:dir search; + +# needed in order to retrieve net traffic data +allow snmpd_t proc_net_t:dir search; +allow snmpd_t proc_net_t:file r_file_perms; + +dontaudit snmpd_t domain:dir { getattr search }; + +dontaudit snmpd_t selinux_config_t:dir search; diff --git a/strict/domains/program/sound.te b/strict/domains/program/sound.te new file mode 100644 index 0000000..01f7355 --- /dev/null +++ b/strict/domains/program/sound.te @@ -0,0 +1,26 @@ +#DESC Sound - Sound utilities +# +# Authors: Mark Westerman +# X-Debian-Packages: esound +# +################################# +# +# Rules for the sound_t domain. +# +daemon_base_domain(sound) +type sound_file_t, file_type, sysadmfile; +allow initrc_t sound_file_t:file { getattr read }; +allow sound_t sound_file_t:file rw_file_perms; + +# Use capabilities. +# Commented out by default. +#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override }; +dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override }; + +# Read and write the sound device. +allow sound_t sound_device_t:chr_file rw_file_perms; + +# Read and write ttys. +allow sound_t sysadm_tty_device_t:chr_file rw_file_perms; +read_locale(sound_t) +allow initrc_t sound_file_t:file { setattr write }; diff --git a/strict/domains/program/spamassassin.te b/strict/domains/program/spamassassin.te new file mode 100644 index 0000000..d08eaa3 --- /dev/null +++ b/strict/domains/program/spamassassin.te @@ -0,0 +1,11 @@ +#DESC Spamassassin +# +# Author: Colin Walters +# X-Debian-Packages: spamassassin +# + +type spamassassin_exec_t, file_type, sysadmfile, exec_type; + +bool spamassasin_can_network false; + +# Everything else is in spamassassin_macros.te. 
diff --git a/strict/domains/program/spamc.te b/strict/domains/program/spamc.te new file mode 100644 index 0000000..9b49fbf --- /dev/null +++ b/strict/domains/program/spamc.te @@ -0,0 +1,10 @@ +#DESC Spamc - Spamassassin client +# +# Author: Colin Walters +# X-Debian-Packages: spamc +# Depends: spamassassin.te +# + +type spamc_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in spamassassin_macros.te. diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te new file mode 100644 index 0000000..c54d771 --- /dev/null +++ b/strict/domains/program/spamd.te 
@@ -0,0 +1,72 @@ +#DESC Spamd - Spamassassin daemon +# +# Author: Colin Walters +# X-Debian-Packages: spamassassin +# Depends: spamassassin.te +# + +daemon_domain(spamd) + +tmp_domain(spamd) + +type spamd_port_t, port_type, reserved_port_type; +allow spamd_t spamd_port_t:tcp_socket name_bind; + +general_domain_access(spamd_t) +uses_shlib(spamd_t) +can_ypbind(spamd_t) +read_sysctl(spamd_t) + +# Various Perl bits +allow spamd_t lib_t:file rx_file_perms; +dontaudit spamd_t shadow_t:file { getattr read }; +dontaudit spamd_t initrc_var_run_t:file { read write lock }; +dontaudit spamd_t sysadm_home_dir_t:dir getattr; + +can_network_server(spamd_t) +allow spamd_t self:capability net_bind_service; + +allow spamd_t proc_t:file { getattr read }; + +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. +allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; + +allow spamd_t { bin_t sbin_t }:dir { getattr search }; +can_exec(spamd_t, bin_t) + +ifdef(`sendmail.te', ` +allow spamd_t etc_mail_t:dir { getattr read search }; +allow spamd_t etc_mail_t:file { getattr ioctl read }; +') +allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read }; + +ifdef(`amavis.te', ` +# for bayes tokens +allow spamd_t var_lib_t:dir { getattr search }; +rw_dir_create_file(spamd_t, amavisd_lib_t) +') + +allow spamd_t usr_t:file { getattr ioctl read }; +allow spamd_t usr_t:lnk_file { getattr read }; +allow spamd_t urandom_device_t:chr_file { getattr read }; + +system_crond_entry(spamd_exec_t, spamd_t) + +allow spamd_t autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs) { +allow spamd_t nfs_t:dir rw_dir_perms; +allow spamd_t nfs_t:file create_file_perms; +} + +if (use_samba_home_dirs) { +allow spamd_t cifs_t:dir rw_dir_perms; +allow spamd_t cifs_t:file create_file_perms; +} + +allow spamd_t home_root_t:dir getattr; +allow spamd_t user_home_dir_type:dir { search getattr 
}; + + diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te new file mode 100644 index 0000000..b0810b1 --- /dev/null +++ b/strict/domains/program/squid.te 
@@ -0,0 +1,76 @@ +#DESC Squid - Web cache +# +# Author: Russell Coker +# X-Debian-Packages: squid +# + +################################# +# +# Rules for the squid_t domain. +# +# squid_t is the domain the squid process runs in +ifdef(`apache.te',` +can_tcp_connect(squid_t, httpd_t) +') + +daemon_domain(squid, `, web_client_domain, nscd_client_domain') +type squid_conf_t, file_type, sysadmfile; +general_domain_access(squid_t) +allow { squid_t initrc_t } squid_conf_t:file r_file_perms; +allow squid_t squid_conf_t:dir r_dir_perms; +allow squid_t squid_conf_t:lnk_file read; + +logdir_domain(squid) +rw_dir_create_file(initrc_t, squid_log_t) + +allow squid_t usr_t:file { getattr read }; + +# type for /var/cache/squid +type squid_cache_t, file_type, sysadmfile; + +allow squid_t self:capability { setgid setuid net_bind_service }; +allow squid_t { etc_t etc_runtime_t }:file r_file_perms; +allow squid_t etc_t:lnk_file read; +allow squid_t self:unix_stream_socket create_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:fifo_file rw_file_perms; + +read_sysctl(squid_t) + +allow squid_t devtty_t:chr_file rw_file_perms; + +allow squid_t { self proc_t }:file { read getattr }; + +# for when we use /var/spool/cache +allow squid_t var_spool_t:dir search; + +# Grant permissions to create, access, and delete cache files. +# No type transitions required, as the files inherit the parent directory type. 
+create_dir_file(squid_t, squid_cache_t) +ifdef(`logrotate.te', +`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)') +ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)') + +# Use the network +can_network(squid_t) +can_ypbind(squid_t) +can_tcp_connect(web_client_domain, squid_t) + +# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts) +allow squid_t http_cache_port_t:tcp_socket name_bind; +allow squid_t http_cache_port_t:udp_socket name_bind; + +# to allow running programs from /usr/lib/squid (IE unlinkd) +# also allow exec()ing itself +can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } ) +allow squid_t { bin_t sbin_t }:dir search; +allow squid_t { bin_t sbin_t }:lnk_file read; + +dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr; +ifdef(`targeted_policy', ` +dontaudit squid_t tty_device_t:chr_file { read write }; +') +allow squid_t urandom_device_t:chr_file { getattr read }; + +#squid requires the following when run in diskd mode, the recommended setting +allow squid_t tmpfs_t:file { read write }; diff --git a/strict/domains/program/ssh-agent.te b/strict/domains/program/ssh-agent.te new file mode 100644 index 0000000..f2e3d84 --- /dev/null +++ b/strict/domains/program/ssh-agent.te @@ -0,0 +1,13 @@ +#DESC ssh-agent - agent to securely store ssh-keys +# +# Authors: Thomas Bleher +# +# X-Debian-Packages: ssh +# + +# Type for the ssh-agent executable. +type ssh_agent_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the ssh_agent_domain macro in +# macros/program/ssh_agent_macros.te. + diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te new file mode 100644 index 0000000..d07b314 --- /dev/null +++ b/strict/domains/program/ssh.te 
@@ -0,0 +1,228 @@ +#DESC SSH - SSH daemon +# +# Authors: Anthony Colatrella (NSA) +# Stephen Smalley +# Russell Coker +# X-Debian-Packages: ssh +# + +# Allow ssh logins as sysadm_r:sysadm_t +bool ssh_sysadm_login false; + +ifdef(`inetd.te', ` +# Allow ssh to run from inetd instead of as a daemon. +bool run_ssh_inetd false; +') + +# sshd_exec_t is the type of the sshd executable. +# sshd_key_t is the type of the ssh private key files +type sshd_exec_t, file_type, exec_type, sysadmfile; +type sshd_key_t, file_type, sysadmfile; + +type ssh_port_t, port_type, reserved_port_type; + +define(`sshd_program_domain', ` +# privowner is for changing the identity on the terminal device +# privfd is for passing the terminal file handle to the user process +# auth_chkpwd is for running unix_chkpwd and unix_verify. +type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain; +can_exec($1_t, sshd_exec_t) +r_dir_file($1_t, self) +role system_r types $1_t; +dontaudit $1_t shadow_t:file { getattr read }; +uses_shlib($1_t) +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:fifo_file rw_file_perms; +allow $1_t self:process { fork sigchld signal setsched setrlimit }; + +dontaudit $1_t self:lnk_file read; + +# do not allow statfs() +dontaudit $1_t fs_type:filesystem getattr; + +allow $1_t bin_t:dir search; +allow $1_t bin_t:lnk_file read; + +# for sshd subsystems, such as sftp-server. +allow $1_t bin_t:file getattr; + +# Read /var. +allow $1_t var_t:dir { getattr search }; + +# Read /var/log. +allow $1_t var_log_t:dir search; + +# Read /etc. +allow $1_t etc_t:dir search; +# ioctl is for pam_console +dontaudit $1_t etc_t:file ioctl; +allow $1_t etc_t:file { getattr read }; +allow $1_t etc_t:lnk_file { getattr read }; +allow $1_t etc_runtime_t:file { getattr read }; + +# Read and write /dev/tty and /dev/null. 
+allow $1_t devtty_t:chr_file rw_file_perms; +allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms; + +# Read /dev/urandom +allow $1_t urandom_device_t:chr_file { getattr read }; + +can_network($1_t) + +allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; +allow $1_t { home_root_t home_dir_type }:dir { search getattr }; +if (use_nfs_home_dirs) { +allow $1_t autofs_t:dir { search getattr }; +allow $1_t nfs_t:dir { search getattr }; +allow $1_t nfs_t:file { getattr read }; +} + +if (use_samba_home_dirs) { +allow $1_t cifs_t:dir { search getattr }; +allow $1_t cifs_t:file { getattr read }; +} + +# Set exec context. +can_setexec($1_t) + +# Update utmp. +allow $1_t initrc_var_run_t:file rw_file_perms; + +# Update wtmp. +allow $1_t wtmp_t:file rw_file_perms; + +# Get security policy decisions. +can_getsecurity($1_t) + +# Allow read access to login context +r_dir_file( $1_t, default_context_t) + +# Access key files +allow $1_t sshd_key_t:file { getattr read }; + +# Update /var/log/lastlog. +allow $1_t lastlog_t:file rw_file_perms; + +read_locale($1_t) +read_sysctl($1_t) + +# Can create ptys +can_create_pty($1, `, server_pty') +allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom }; +dontaudit sshd_t userpty_type:chr_file relabelfrom; +')dnl end sshd_program_domain + +# macro for defining which domains a sshd can spawn +# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the +# type of the pty for the child +define(`sshd_spawn_domain', ` +login_spawn_domain($1, $2) +ifdef(`xauth.te', ` +domain_trans($1_t, xauth_exec_t, $2) +') + +# Relabel and access ptys created by sshd +# ioctl is necessary for logout() processing for utmp entry and for w to +# display the tty. 
+# some versions of sshd on the new SE Linux require setattr +allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr }; + +# inheriting stream sockets is needed for "ssh host command" as no pty +# is allocated +allow $2 $1_t:unix_stream_socket rw_stream_socket_perms; +')dnl end sshd_spawn_domain definition + +################################# +# +# Rules for the sshd_t domain, et al. +# +# sshd_t is the domain for the sshd program. +# sshd_extern_t is the domain for ssh from outside our network +# +sshd_program_domain(sshd) +if (ssh_sysadm_login) { +sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type }) +} else { +sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type) +} + +ifdef(`use_x_ports', ` +# for X forwarding +allow sshd_t xserver_port_t:tcp_socket name_bind; +') + +r_dir_file(sshd_t, selinux_config_t) +sshd_program_domain(sshd_extern) +sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type) + +# for when the network connection breaks after running newrole -r sysadm_r +dontaudit sshd_t sysadm_devpts_t:chr_file setattr; + +# Allow checking users mail at login +allow sshd_t { var_spool_t mail_spool_t }:dir search; +allow sshd_t mail_spool_t:lnk_file read; +allow sshd_t mail_spool_t:file getattr; + +ifdef(`inetd.te', ` +if (run_ssh_inetd) { +allow inetd_t ssh_port_t:tcp_socket name_bind; +domain_auto_trans(inetd_t, sshd_exec_t, sshd_t) +domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) +allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms; +allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search }; +allow { sshd_t sshd_extern_t } self:process signal; +} else { +') +allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms; +allow { sshd_t sshd_extern_t } self:capability net_bind_service; +allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind; + +# for port forwarding +can_tcp_connect(userdomain, sshd_t) + +domain_auto_trans(initrc_t, sshd_exec_t, sshd_t) +domain_trans(initrc_t, 
sshd_exec_t, sshd_extern_t) +dontaudit initrc_t sshd_key_t:file { getattr read }; + +# Inherit and use descriptors from init. +allow { sshd_t sshd_extern_t } init_t:fd use; +ifdef(`inetd.te', ` +} +') + +# Create /var/run/sshd.pid +var_run_domain(sshd) +var_run_domain(sshd_extern) + +ifdef(`direct_sysadm_daemon', ` +# Direct execution by sysadm_r. +domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t) +role_transition sysadm_r sshd_exec_t system_r; +') + +undefine(`sshd_program_domain') + +# so a tunnel can point to another ssh tunnel... +can_tcp_connect(sshd_t, sshd_t) + +tmp_domain(sshd, `', { dir file sock_file }) +ifdef(`pam.te', ` +can_exec(sshd_t, pam_exec_t) +') + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t +daemon_base_domain(ssh_keygen) +allow ssh_keygen_t etc_t:file { getattr read }; +file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file) + +# Type for the ssh executable. +type ssh_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the ssh_domain macro in +# macros/program/ssh_macros.te. + +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; +allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write }; +allow ssh_keygen_t urandom_device_t:chr_file { getattr read }; diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te new file mode 100644 index 0000000..1b3a937 --- /dev/null +++ b/strict/domains/program/stunnel.te 
@@ -0,0 +1,33 @@ +# DESC: selinux policy for stunnel +# +# Author: petre rodan +# +ifdef(`distro_gentoo', ` +type stunnel_port_t, port_type; + +daemon_domain(stunnel) + +can_network(stunnel_t) + +allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:fifo_file { read write }; +allow stunnel_t self:tcp_socket { read write }; +allow stunnel_t self:unix_stream_socket { connect create }; + +r_dir_file(stunnel_t, etc_t) +', ` +inetd_child_domain(stunnel, tcp) +allow stunnel_t self:capability sys_chroot; + +bool stunnel_is_daemon false; +if (stunnel_is_daemon) { +# Policy to run stunnel as a daemon should go here. +allow stunnel_t self:tcp_socket rw_stream_socket_perms; +allow stunnel_t stunnel_port_t:tcp_socket name_bind; +} +') + +type stunnel_etc_t, file_type, sysadmfile; +r_dir_file(stunnel_t, stunnel_etc_t) +allow stunnel_t stunnel_port_t:tcp_socket { name_bind }; + diff --git a/strict/domains/program/su.te b/strict/domains/program/su.te new file mode 100644 index 0000000..3a277f7 --- /dev/null +++ b/strict/domains/program/su.te @@ -0,0 +1,14 @@ +#DESC Su - Run shells with substitute user and group +# +# Domains for the su program. +# X-Debian-Packages: login + +# +# su_exec_t is the type of the su executable. +# +type su_exec_t, file_type, sysadmfile; + +allow sysadm_su_t user_home_dir_type:dir search; + +# Everything else is in the su_domain macro in +# macros/program/su_macros.te. diff --git a/strict/domains/program/sudo.te b/strict/domains/program/sudo.te new file mode 100644 index 0000000..a1fad31 --- /dev/null +++ b/strict/domains/program/sudo.te @@ -0,0 +1,11 @@ +#DESC sudo - execute a command as another user +# +# Authors: Dan Walsh, Russell Coker +# Maintained by Dan Walsh +# + +# Type for the sudo executable. +type sudo_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the sudo_domain macro in +# macros/program/sudo_macros.te. 
diff --git a/strict/domains/program/sulogin.te b/strict/domains/program/sulogin.te new file mode 100644 index 0000000..0bed085 --- /dev/null +++ b/strict/domains/program/sulogin.te @@ -0,0 +1,56 @@ +#DESC sulogin - Single-User login +# +# Authors: Dan Walsh +# +# X-Debian-Packages: sysvinit + +################################# +# +# Rules for the sulogin_t domain +# + +type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth; +type sulogin_exec_t, file_type, exec_type, sysadmfile; +role system_r types sulogin_t; + +general_domain_access(sulogin_t) + +domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t) +allow sulogin_t initrc_t:process getpgid; +uses_shlib(sulogin_t) + +# suse and debian do not use pam with sulogin... +ifdef(`distro_suse', ` +define(`sulogin_no_pam', `') +') +ifdef(`distro_debian', ` +define(`sulogin_no_pam', `') +') + +ifdef(`sulogin_no_pam', ` +domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) +allow sulogin_t init_t:process getpgid; +allow sulogin_t self:capability sys_tty_config; +', ` +domain_trans(sulogin_t, shell_exec_t, sysadm_t) +allow sulogin_t shell_exec_t:file r_file_perms; + +can_setexec(sulogin_t) +can_getsecurity(sulogin_t) +') + +r_dir_file(sulogin_t, etc_t) + +allow sulogin_t bin_t:dir r_dir_perms; +r_dir_file(sulogin_t, proc_t) +allow sulogin_t root_t:dir search; + +allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; +allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +allow sulogin_t default_context_t:dir search; +allow sulogin_t default_context_t:file { getattr read }; + +r_dir_file(sulogin_t, selinux_config_t) + +# because file systems are not mounted +dontaudit sulogin_t file_t:dir search; diff --git a/strict/domains/program/swat.te b/strict/domains/program/swat.te new file mode 100644 index 0000000..aa94d2f --- /dev/null +++ b/strict/domains/program/swat.te 
@@ -0,0 +1,14 @@ +#DESC swat - Samba Web Administration Tool +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the swat_t domain. +# +# swat_exec_t is the type of the swat executable. +# + +inetd_child_domain(swat) diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te new file mode 100644 index 0000000..76d518e --- /dev/null +++ b/strict/domains/program/syslogd.te 
@@ -0,0 +1,107 @@ +#DESC Syslogd - System log daemon +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: sysklogd syslog-ng +# + +################################# +# +# Rules for the syslogd_t domain. +# +# syslogd_t is the domain of syslogd. +# syslogd_exec_t is the type of the syslogd executable. +# devlog_t is the type of the Unix domain socket created +# by syslogd. +# +ifdef(`klogd.te', ` +daemon_domain(syslogd) +', ` +daemon_domain(syslogd, `, privmem') +') + +# can_network is for the UDP socket +can_network_udp(syslogd_t) +can_ypbind(syslogd_t) + +r_dir_file(syslogd_t, sysfs_t) + +type devlog_t, file_type, sysadmfile, dev_fs; + +# if something can log to syslog they should be able to log to the console +allow privlog console_device_t:chr_file { ioctl read write getattr }; + +tmp_domain(syslogd) + +# read files in /etc +allow syslogd_t etc_t:file r_file_perms; + +# Use capabilities. +allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config }; + +# Modify/create log files. +create_append_log_file(syslogd_t, var_log_t) + +# Create and bind to /dev/log or /var/run/log. +file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file) +ifdef(`distro_suse', ` +# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel +file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) +') +allow syslogd_t self:unix_dgram_socket create_socket_perms; +allow syslogd_t self:unix_dgram_socket sendto; +allow syslogd_t self:unix_stream_socket create_stream_socket_perms; +allow syslogd_t self:fifo_file rw_file_perms; +allow syslogd_t devlog_t:unix_stream_socket name_bind; +allow syslogd_t devlog_t:unix_dgram_socket name_bind; +# log to the xconsole +allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; + +# Domains with the privlog attribute may log to syslogd. 
+allow privlog devlog_t:sock_file rw_file_perms; +can_unix_send(privlog,syslogd_t) +can_unix_connect(privlog,syslogd_t) +# allow /dev/log to be a link elsewhere for chroot setup +allow privlog devlog_t:lnk_file read; + +ifdef(`crond.te', ` +# Write to the cron log. +allow syslogd_t crond_log_t:file rw_file_perms; +# for daemon re-start +allow system_crond_t syslogd_t:lnk_file read; +') + +ifdef(`logrotate.te', ` +allow logrotate_t syslogd_exec_t:file r_file_perms; +') + +# for sending messages to logged in users +allow syslogd_t initrc_var_run_t:file { read lock }; +dontaudit syslogd_t initrc_var_run_t:file write; +allow syslogd_t ttyfile:chr_file { getattr write }; + +ifdef(`klogd.te', `', ` +# Allow access to /proc/kmsg for syslog-ng +allow syslogd_t proc_t:dir search; +allow syslogd_t proc_kmsg_t:file { getattr read }; +allow syslogd_t kernel_t:system { syslog_mod syslog_console }; +') +# +# Special case to handle crashes +# +allow syslogd_t { device_t file_t }:sock_file unlink; + +# Allow syslog to a terminal +allow syslogd_t tty_device_t:chr_file { getattr write ioctl append }; + +# Allow name_bind for remote logging +type syslogd_port_t, port_type, reserved_port_type; +allow syslogd_t syslogd_port_t:udp_socket name_bind; +# +# /initrd is not umounted before minilog starts +# +dontaudit syslogd_t file_t:dir search; +allow syslogd_t { tmpfs_t devpts_t }:dir search; +dontaudit syslogd_t unlabeled_t:file read; +dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; +allow syslogd_t self:capability net_admin; +allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te new file mode 100644 index 0000000..4010c95 --- /dev/null +++ b/strict/domains/program/sysstat.te 
@@ -0,0 +1,66 @@ +#DESC Sysstat - Sar and similar programs +# +# Authors: Russell Coker +# X-Debian-Packages: sysstat +# + +################################# +# +# Rules for the sysstat_t domain. +# +# sysstat_exec_t is the type of the sysstat executable. +# +type sysstat_t, domain, privlog; +type sysstat_exec_t, file_type, sysadmfile, exec_type; + +role system_r types sysstat_t; + +allow sysstat_t device_t:dir search; + +allow sysstat_t self:process { sigchld fork }; + +#for date +can_exec(sysstat_t, { sysstat_exec_t bin_t }) +allow sysstat_t bin_t:dir r_dir_perms; +dontaudit sysstat_t sbin_t:dir search; + +dontaudit sysstat_t self:capability sys_admin; +allow sysstat_t self:capability sys_resource; + +allow sysstat_t devtty_t:chr_file rw_file_perms; + +allow sysstat_t urandom_device_t:chr_file read; + +# for mtab +allow sysstat_t etc_runtime_t:file { read getattr }; +# for fstab +allow sysstat_t etc_t:file { read getattr }; + +dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms; + +allow sysstat_t self:fifo_file rw_file_perms; + +# Type for files created during execution of sysstatd. +logdir_domain(sysstat) +typealias sysstat_log_t alias var_log_sysstat_t; +allow sysstat_t var_t:dir search; + +allow sysstat_t etc_t:dir r_dir_perms; +read_locale(sysstat_t) + +allow sysstat_t fs_t:filesystem getattr; + +# get info from /proc +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms; +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr }; + +domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t) +allow sysstat_t init_t:fd use; +allow sysstat_t console_device_t:chr_file { read write }; + +uses_shlib(sysstat_t) + +system_crond_entry(sysstat_exec_t, sysstat_t) +allow system_crond_t sysstat_log_t:dir { write remove_name add_name }; +allow system_crond_t sysstat_log_t:file create_file_perms; +allow sysstat_t initrc_devpts_t:chr_file { read write }; 
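Review bot: the last three lines of sysstat.te grant system_crond_t direct write access to the log type (`allow system_crond_t sysstat_log_t:dir { write remove_name add_name };` and `allow system_crond_t sysstat_log_t:file create_file_perms;`) even though `system_crond_entry(sysstat_exec_t, sysstat_t)` already transitions cron into sysstat_t, so the log directory becomes writable from two domains. If this is for shell redirection in the cron job, say so in a comment; otherwise drop it so only sysstat_t writes there. Two smaller points in the same hunk: the comment `# Type for files created during execution of sysstatd.` should say sysstat (no daemon of that name is defined here), and `allow sysstat_t console_device_t:chr_file { read write };` most likely only needs write.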
diff --git a/strict/domains/program/tcpd.te b/strict/domains/program/tcpd.te new file mode 100644 index 0000000..af135be --- /dev/null +++ b/strict/domains/program/tcpd.te @@ -0,0 +1,43 @@ +#DESC Tcpd - Access control facilities from internet services +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: tcpd +# Depends: inetd.te +# + +################################# +# +# Rules for the tcpd_t domain. +# +type tcpd_t, domain, privlog; +role system_r types tcpd_t; +uses_shlib(tcpd_t) +type tcpd_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t) + +allow tcpd_t fs_t:filesystem getattr; + +# no good reason for this, probably nscd +dontaudit tcpd_t var_t:dir search; + +can_network_server(tcpd_t) +can_ypbind(tcpd_t) +allow tcpd_t self:unix_dgram_socket create_socket_perms; +allow tcpd_t self:unix_stream_socket create_socket_perms; +allow tcpd_t etc_t:file { getattr read }; +read_locale(tcpd_t) + +tmp_domain(tcpd) + +# Use sockets inherited from inetd. +allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms; + +# Run each daemon with a defined domain in its own domain. +# These rules have been moved to each target domain .te file. + +# Run other daemons in the inetd_child_t domain. +allow tcpd_t { bin_t sbin_t }:dir search; +domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t) + +allow tcpd_t device_t:dir search; diff --git a/strict/domains/program/telnetd.te b/strict/domains/program/telnetd.te new file mode 100644 index 0000000..bbbb2c1 --- /dev/null +++ b/strict/domains/program/telnetd.te @@ -0,0 +1,10 @@ +# telnet server daemon +# + +################################# +# +# Rules for the telnetd_t domain +# + +remote_login_daemon(telnetd) +typealias telnetd_port_t alias telnet_port_t; diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te new file mode 100644 index 0000000..3e9de29 --- /dev/null +++ b/strict/domains/program/tftpd.te 
@@ -0,0 +1,43 @@ +#DESC TFTP - UDP based file server for boot loaders +# +# Author: Russell Coker +# X-Debian-Packages: tftpd atftpd +# Depends: inetd.te +# + +################################# +# +# Rules for the tftpd_t domain. +# +# tftpd_exec_t is the type of the tftpd executable. +# +daemon_domain(tftpd) + +type tftp_port_t, port_type, reserved_port_type; + +# tftpdir_t is the type of files in the /tftpboot directories. +type tftpdir_t, file_type, sysadmfile; +r_dir_file(tftpd_t, tftpdir_t) + +domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t) + +# Use the network. +can_network_udp(tftpd_t) +allow tftpd_t tftp_port_t:udp_socket name_bind; +ifdef(`inetd.te', ` +allow inetd_t tftp_port_t:udp_socket name_bind; +') +allow tftpd_t self:unix_dgram_socket create_socket_perms; +allow tftpd_t self:unix_stream_socket create_stream_socket_perms; + +# allow any domain to connect to the TFTP server +allow tftpd_t inetd_t:udp_socket rw_socket_perms; + +# Use capabilities +allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot }; + +allow tftpd_t etc_t:dir r_dir_perms; +allow tftpd_t etc_t:file r_file_perms; + +allow tftpd_t var_t:dir r_dir_perms; +allow tftpd_t var_t:{ file lnk_file } r_file_perms; diff --git a/strict/domains/program/timidity.te b/strict/domains/program/timidity.te new file mode 100644 index 0000000..e007d3f --- /dev/null +++ b/strict/domains/program/timidity.te 
@@ -0,0 +1,34 @@ +# DESC timidity - MIDI to WAV converter and player +# +# Author: Thomas Bleher +# +# Note: You only need this policy if you want to run timidity as a server + +daemon_base_domain(timidity) +can_network_server(timidity_t) + +allow timidity_t device_t:lnk_file read; + +# read /usr/share/alsa/alsa.conf +allow timidity_t usr_t:file { getattr read }; +# read /etc/esd.conf and /proc/cpuinfo +allow timidity_t { etc_t proc_t }:file { getattr read }; +# read libartscbackend.la - should these be shlib_t? +allow timidity_t lib_t:file { getattr read }; + +allow timidity_t sound_device_t:chr_file { read write ioctl }; + +# stupid timidity won't start if it can't search its current directory. +# allow this so /etc/init.d/alsasound start works from /root +allow timidity_t sysadm_home_dir_t:dir search; + +allow timidity_t tmp_t:dir search; +tmpfs_domain(timidity) + +allow timidity_t self:shm create_shm_perms; + +allow timidity_t self:unix_stream_socket create_stream_socket_perms; + +allow timidity_t devpts_t:dir search; +allow timidity_t self:capability { dac_override dac_read_search }; +allow timidity_t self:process getsched; diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te new file mode 100644 index 0000000..8b2111b --- /dev/null +++ b/strict/domains/program/tmpreaper.te 
@@ -0,0 +1,33 @@ +#DESC Tmpreaper - Monitor and maintain temporary files +# +# Author: Russell Coker +# X-Debian-Packages: tmpreaper +# + +################################# +# +# Rules for the tmpreaper_t domain. +# +type tmpreaper_t, domain, privlog; +type tmpreaper_exec_t, file_type, sysadmfile, exec_type; + +role system_r types tmpreaper_t; + +system_crond_entry(tmpreaper_exec_t, tmpreaper_t) +uses_shlib(tmpreaper_t) +# why does it need setattr? +allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir }; +allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink }; +allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink }; +allow tmpreaper_t self:process { fork sigchld }; +allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; +allow tmpreaper_t fs_t:filesystem getattr; + +r_dir_file(tmpreaper_t, etc_t) +allow tmpreaper_t var_t:dir { getattr search }; +r_dir_file(tmpreaper_t, var_lib_t) +allow tmpreaper_t device_t:dir { getattr search }; +allow tmpreaper_t urandom_device_t:chr_file { getattr read }; + +read_locale(tmpreaper_t) + diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te new file mode 100644 index 0000000..ed9106a --- /dev/null +++ b/strict/domains/program/traceroute.te 
@@ -0,0 +1,65 @@ +#DESC Traceroute - Display network routes +# +# Author: Russell Coker +# based on the work of David A. Wheeler +# X-Debian-Packages: traceroute lft +# + +################################# +# +# Rules for the traceroute_t domain. +# +# traceroute_t is the domain for the traceroute program. +# traceroute_exec_t is the type of the corresponding program. +# +type traceroute_t, domain, privlog, nscd_client_domain; +role sysadm_r types traceroute_t; +role system_r types traceroute_t; +# for user_ping: +in_user_role(traceroute_t) +uses_shlib(traceroute_t) +can_network_client(traceroute_t) +can_ypbind(traceroute_t) +allow traceroute_t node_t:rawip_socket node_bind; +type traceroute_exec_t, file_type, sysadmfile, exec_type; + +# Transition into this domain when you run this program. +domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t) +domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t) + +allow traceroute_t etc_t:file { getattr read }; + +# Use capabilities. +allow traceroute_t self:capability { net_admin net_raw setuid setgid }; + +allow traceroute_t self:rawip_socket create_socket_perms; +allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow traceroute_t self:unix_stream_socket create_socket_perms; +allow traceroute_t device_t:dir search; + +# for lft +allow traceroute_t self:packet_socket create_socket_perms; +r_dir_file(traceroute_t, proc_t) +r_dir_file(traceroute_t, proc_net_t) + +# Access the terminal. 
+allow traceroute_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') +allow traceroute_t privfd:fd use; + +# dont need this +dontaudit traceroute_t fs_t:filesystem getattr; +dontaudit traceroute_t var_t:dir search; + +ifdef(`ping.te', ` +if (user_ping) { + domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) + # allow access to the terminal + allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms; +} +') +#rules needed for nmap +allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms; +allow traceroute_t usr_t:file { getattr read }; +read_locale(traceroute_t) +dontaudit traceroute_t userdomain:dir search; diff --git a/strict/domains/program/tvtime.te b/strict/domains/program/tvtime.te new file mode 100644 index 0000000..fa72021 --- /dev/null +++ b/strict/domains/program/tvtime.te @@ -0,0 +1,12 @@ +#DESC tvtime - a high quality television application +# +# Domains for the tvtime program. +# Author : Dan Walsh +# +# tvtime_exec_t is the type of the tvtime executable. +# +type tvtime_exec_t, file_type, sysadmfile, exec_type; +type tvtime_dir_t, file_type, sysadmfile, pidfile; + +# Everything else is in the tvtime_domain macro in +# macros/program/tvtime_macros.te. diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te new file mode 100644 index 0000000..74c368d --- /dev/null +++ b/strict/domains/program/udev.te 
@@ -0,0 +1,141 @@ +#DESC udev - Linux configurable dynamic device naming support +# +# Author: Dan Walsh dwalsh@redhat.com +# + +################################# +# +# Rules for the udev_t domain. +# +# udev_exec_t is the type of the udev executable. +# +daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner') + +general_domain_access(udev_t) + +if (allow_execmem) { +# for alsactl +allow udev_t self:process execmem; +} + +etc_domain(udev) +typealias udev_etc_t alias etc_udev_t; +type udev_helper_exec_t, file_type, sysadmfile, exec_type; +can_exec_any(udev_t) + +# +# Rules used for udev +# +type udev_tdb_t, file_type, sysadmfile, dev_fs; +typealias udev_tdb_t alias udev_tbl_t; +file_type_auto_trans(udev_t, device_t, udev_tdb_t, file) +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin }; +allow udev_t self:file { getattr read }; +allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; +allow udev_t self:unix_dgram_socket create_socket_perms; +allow udev_t self:fifo_file rw_file_perms; +allow udev_t device_t:sock_file create_file_perms; +allow udev_t device_t:lnk_file create_lnk_perms; +allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; +ifdef(`distro_redhat', ` +allow udev_t tmpfs_t:dir rw_dir_perms; +allow udev_t tmpfs_t:sock_file create_file_perms; +allow udev_t tmpfs_t:lnk_file create_lnk_perms; +allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; +allow udev_t tmpfs_t:dir search; + +# for arping used for static IP addresses on PCMCIA ethernet +domain_auto_trans(udev_t, netutils_exec_t, netutils_t) +') +allow udev_t etc_t:file { getattr read ioctl }; +allow udev_t { bin_t sbin_t }:dir r_dir_perms; +allow udev_t { sbin_t bin_t }:lnk_file read; +allow udev_t bin_t:lnk_file read; +can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) +can_exec(udev_t, 
udev_exec_t) +r_dir_file(udev_t, sysfs_t) +allow udev_t sysadm_tty_device_t:chr_file { read write }; + +# to read the file_contexts file +r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } ) + +allow udev_t policy_config_t:dir search; +allow udev_t proc_t:file { getattr read ioctl }; +allow udev_t proc_kcore_t:file getattr; + +# Get security policy decisions. +can_getsecurity(udev_t) + +# set file system create context +can_setfscreate(udev_t) + +allow udev_t kernel_t:fd use; +allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; + +allow udev_t initrc_var_run_t:file r_file_perms; +dontaudit udev_t initrc_var_run_t:file write; + +domain_auto_trans(initrc_t, udev_exec_t, udev_t) +domain_auto_trans(kernel_t, udev_exec_t, udev_t) +domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) +ifdef(`hide_broken_symptoms', ` +dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; +') +allow udev_t devpts_t:dir { getattr search }; +allow udev_t etc_runtime_t:file { getattr read }; +ifdef(`xdm.te', ` +allow udev_t xdm_var_run_t:file { getattr read }; +') +dontaudit udev_t staff_home_dir_t:dir search; + +ifdef(`hotplug.te', ` +r_dir_file(udev_t, hotplug_etc_t) +') +allow udev_t var_log_t:dir search; + +ifdef(`consoletype.te', ` +can_exec(udev_t, consoletype_exec_t) +') +ifdef(`pamconsole.te', ` +allow udev_t pam_var_console_t:dir search; +allow udev_t pam_var_console_t:file { getattr read }; +domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) +') +allow udev_t var_lock_t:dir search; +allow udev_t var_lock_t:file getattr; +domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) +ifdef(`hide_broken_symptoms', ` +dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; +') + +dontaudit udev_t file_t:dir search; +ifdef(`dhcpc.te', ` +domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) +') + +allow udev_t udev_helper_exec_t:dir r_dir_perms; + +dbusd_client(system, udev) + +allow udev_t device_t:dir { relabelfrom relabelto 
create_dir_perms }; +allow udev_t sysctl_dev_t:dir search; +allow udev_t mnt_t:dir search; +allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read }; +allow udev_t self:rawip_socket create_socket_perms; +dontaudit udev_t domain:dir r_dir_perms; +dontaudit udev_t ttyfile:chr_file unlink; +ifdef(`hotplug.te', ` +r_dir_file(udev_t, hotplug_var_run_t) +') +r_dir_file(udev_t, modules_object_t) +# +# Udev is now writing dhclient-eth*.conf* files. +# +ifdef(`dhcpd.te', `define(`use_dhcp')') +ifdef(`dhcpc.te', `define(`use_dhcp')') +ifdef(`use_dhcp', ` +allow udev_t dhcp_etc_t:file rw_file_perms; +file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file) +') +r_dir_file(udev_t, domain) +allow udev_t modules_dep_t:file r_file_perms; diff --git a/strict/domains/program/uml.te b/strict/domains/program/uml.te new file mode 100644 index 0000000..75ae501 --- /dev/null +++ b/strict/domains/program/uml.te @@ -0,0 +1,14 @@ + +# Author: Russell Coker +# +type uml_exec_t, file_type, sysadmfile, exec_type; +type uml_ro_t, file_type, sysadmfile; + +# the main code is in macros/program/uml_macros.te + +daemon_domain(uml_switch) +allow uml_switch_t self:unix_dgram_socket create_socket_perms; +allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; +allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms; +allow initrc_t uml_switch_var_run_t:sock_file setattr; +rw_dir_create_file(initrc_t, uml_switch_var_run_t) diff --git a/strict/domains/program/unconfined.te b/strict/domains/program/unconfined.te new file mode 100644 index 0000000..9497a3c --- /dev/null +++ b/strict/domains/program/unconfined.te 
@@ -0,0 +1,15 @@ +#DESC Unconfined - Use to essentially disable SELinux for a particular program +# This domain will be useful as a workaround for e.g. third-party daemon software +# that has no policy, until one can be written for it. +# +# To use, label the executable with unconfined_exec_t, e.g.: +# chcon -t unconfined_exec_t /usr/local/bin/appsrv +# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc + +type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write; +type unconfined_exec_t, file_type, sysadmfile, exec_type; +role sysadm_r types unconfined_t; +domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t) +role system_r types unconfined_t; +domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t) +unconfined_domain(unconfined_t) diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te new file mode 100644 index 0000000..eb029f7 --- /dev/null +++ b/strict/domains/program/unused/amavis.te 
@@ -0,0 +1,85 @@ +#DESC Amavis - Anti-virus +# +# Author: Brian May +# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper +# Depends: clamav.te +# + +################################# +# +# Rules for the amavisd_t domain. +# +type amavisd_etc_t, file_type, sysadmfile; +type amavisd_lib_t, file_type, sysadmfile; + +type amavis_port_t, port_type; +daemon_domain(amavisd) +tmp_domain(amavisd) + +allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink }; +allow initrc_t amavisd_lib_t:file unlink; +allow initrc_t amavisd_var_run_t:dir setattr; +allow amavisd_t self:capability { chown dac_override setgid setuid }; +dontaudit amavisd_t self:capability sys_tty_config; + +allow amavisd_t usr_t:{ file lnk_file } { getattr read }; +dontaudit amavisd_t usr_t:file ioctl; + +# networking +can_network(amavisd_t) +can_ypbind(amavisd_t); +can_tcp_connect(mail_server_sender, amavisd_t); +can_tcp_connect(amavisd_t, mail_server_domain) +allow amavisd_t amavis_port_t:tcp_socket name_bind; + +ifdef(`scannerdaemon.te', ` +can_tcp_connect(amavisd_t, scannerdaemon_t); +allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms; +allow scannerdaemon_t amavisd_lib_t:file r_file_perms; +') + +ifdef(`clamav.te', ` +clamscan_domain(amavisd) +role system_r types amavisd_clamscan_t; +domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t) +allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms; +allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms; +can_clamd_connect(amavisd) +allow clamd_t amavisd_lib_t:dir r_dir_perms; +allow clamd_t amavisd_lib_t:file r_file_perms; +') + +# Can create unix sockets +allow amavisd_t self:unix_stream_socket create_stream_socket_perms; +allow amavisd_t self:unix_dgram_socket create_socket_perms; +allow amavisd_t self:fifo_file getattr; + +read_locale(amavisd_t) + +# Access config files (amavisd). +allow amavisd_t amavisd_etc_t:file r_file_perms; + +log_domain(amavisd) + +# Access amavisd var/lib files. 
+create_dir_file(amavisd_t, amavisd_lib_t) + +# Run helper programs. +can_exec_any(amavisd_t,bin_t) +allow amavisd_t bin_t:dir { getattr search }; +allow amavisd_t sbin_t:dir search; +allow amavisd_t var_lib_t:dir search; + +# allow access to files for scanning (required for amavis): +allow clamd_t self:capability { dac_override dac_read_search }; + +# unknown stuff +allow amavisd_t self:fifo_file { ioctl read write }; +allow amavisd_t { random_device_t urandom_device_t }:chr_file read; +allow amavisd_t proc_t:file { getattr read }; +allow amavisd_t etc_runtime_t:file { getattr read }; + +# broken stuff +dontaudit amavisd_t sysadm_home_dir_t:dir search; +dontaudit amavisd_t shadow_t:file { getattr read }; +dontaudit amavisd_t sysadm_devpts_t:chr_file { read write }; diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te new file mode 100644 index 0000000..c8d182d --- /dev/null +++ b/strict/domains/program/unused/asterisk.te 
@@ -0,0 +1,58 @@ +#DESC Asterisk IP telephony server +# +# Author: Russell Coker +# +# X-Debian-Packages: asterisk + +type asterisk_port_t, port_type; + +daemon_domain(asterisk) +allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms; +allow initrc_t asterisk_var_run_t:fifo_file unlink; + +allow asterisk_t self:process setsched; +allow asterisk_t self:fifo_file rw_file_perms; + +allow asterisk_t proc_t:file { getattr read }; + +allow asterisk_t { bin_t sbin_t }:dir search; +allow asterisk_t bin_t:lnk_file read; +can_exec(asterisk_t, bin_t) + +etcdir_domain(asterisk) +logdir_domain(asterisk) +var_lib_domain(asterisk) + +allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind; + +# for VOIP voice channels. +allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind; + +allow asterisk_t device_t:lnk_file read; +allow asterisk_t sound_device_t:chr_file rw_file_perms; + +type asterisk_spool_t, file_type, sysadmfile; +create_dir_file(asterisk_t, asterisk_spool_t) +allow asterisk_t var_spool_t:dir search; + +# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm +# are labeled usr_t +allow asterisk_t usr_t:file r_file_perms; + +can_network_server(asterisk_t) +can_ypbind(asterisk_t) +allow asterisk_t etc_t:file { getattr read }; + +allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow asterisk_t self:sem create_sem_perms; +allow asterisk_t self:shm create_shm_perms; + +# dac_override for /var/run/asterisk +allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; + +# for shutdown +dontaudit asterisk_t self:capability sys_tty_config; + +tmpfs_domain(asterisk) +tmp_domain(asterisk) diff --git a/strict/domains/program/unused/audio-entropyd.te b/strict/domains/program/unused/audio-entropyd.te new file mode 100644 index 0000000..216108a --- /dev/null 
+++ b/strict/domains/program/unused/audio-entropyd.te @@ -0,0 +1,12 @@ +#DESC audio-entropyd - Generate entropy from audio input +# +# Author: Chris PeBenito +# + +daemon_domain(entropyd) + +allow entropyd_t self:capability { ipc_lock sys_admin }; + +allow entropyd_t random_device_t:chr_file rw_file_perms; +allow entropyd_t device_t:dir r_dir_perms; +allow entropyd_t sound_device_t:chr_file r_file_perms; diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te new file mode 100644 index 0000000..d34e659 --- /dev/null +++ b/strict/domains/program/unused/authbind.te @@ -0,0 +1,30 @@ +#DESC Authbind - Program to bind to low ports as non-root +# +# Authors: Russell Coker +# X-Debian-Packages: authbind +# + +################################# +# +# Rules for the authbind_t domain. +# +# authbind_exec_t is the type of the authbind executable. +# +type authbind_t, domain, privlog; +type authbind_exec_t, file_type, sysadmfile, exec_type; + +role system_r types authbind_t; + +etcdir_domain(authbind) +typealias authbind_etc_t alias etc_authbind_t; + +can_exec(authbind_t, authbind_etc_t) +allow authbind_t etc_t:dir r_dir_perms; + +uses_shlib(authbind_t) + +allow authbind_t self:capability net_bind_service; + +allow authbind_t domain:fd use; + +allow authbind_t console_device_t:chr_file { read write }; diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te new file mode 100644 index 0000000..211e761 --- /dev/null +++ b/strict/domains/program/unused/backup.te 
@@ -0,0 +1,59 @@ +#DESC Backup - Backup scripts +# +# Author: Russell Coker +# X-Debian-Packages: dpkg +# + +################################# +# +# Rules for the backup_t domain. +# +type backup_t, domain, privlog, auth; +type backup_exec_t, file_type, sysadmfile, exec_type; + +type backup_store_t, file_type, sysadmfile; + +role system_r types backup_t; +role sysadm_r types backup_t; + +domain_auto_trans(sysadm_t, backup_exec_t, backup_t) +allow backup_t privfd:fd use; +ifdef(`crond.te', ` +system_crond_entry(backup_exec_t, backup_t) +rw_dir_create_file(system_crond_t, backup_store_t) +') + +# for SSP +allow backup_t urandom_device_t:chr_file read; + +can_network_client(backup_t) +can_ypbind(backup_t) +uses_shlib(backup_t) + +allow backup_t devtty_t:chr_file rw_file_perms; + +allow backup_t { file_type fs_type }:dir r_dir_perms; +allow backup_t file_type:{ file lnk_file } r_file_perms; +allow backup_t file_type:{ sock_file fifo_file } getattr; +allow backup_t { device_t device_type ttyfile }:chr_file getattr; +allow backup_t { device_t device_type }:blk_file getattr; +allow backup_t var_t:file create_file_perms; + +allow backup_t proc_t:dir r_dir_perms; +allow backup_t proc_t:file r_file_perms; +allow backup_t proc_t:lnk_file { getattr read }; +read_sysctl(backup_t) + +allow backup_t self:fifo_file rw_file_perms; +allow backup_t self:process { signal sigchld fork }; +allow backup_t self:capability dac_override; + +rw_dir_file(backup_t, backup_store_t) +allow backup_t backup_store_t:file { create setattr }; + +allow backup_t fs_t:filesystem getattr; + +allow backup_t self:unix_stream_socket create_socket_perms; + +can_exec(backup_t, bin_t) +ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)') diff --git a/strict/domains/program/unused/calamaris.te b/strict/domains/program/unused/calamaris.te new file mode 100644 index 0000000..1bfce36 --- /dev/null +++ b/strict/domains/program/unused/calamaris.te 
@@ -0,0 +1,72 @@ +#DESC Calamaris - Squid log analysis +# +# Author: Russell Coker +# X-Debian-Packages: calamaris +# Depends: squid.te +# + +################################# +# +# Rules for the calamaris_t domain. +# +# calamaris_t is the domain the calamaris process runs in + +system_domain(calamaris, `, privmail') + +ifdef(`crond.te', ` +system_crond_entry(calamaris_exec_t, calamaris_t) +') + +allow calamaris_t { var_t var_run_t }:dir { getattr search }; +allow calamaris_t squid_log_t:dir search; +allow calamaris_t squid_log_t:file { getattr read }; +allow calamaris_t { usr_t lib_t }:file { getattr read }; +allow calamaris_t usr_t:lnk_file { getattr read }; +dontaudit calamaris_t usr_t:file ioctl; + +type calamaris_www_t, file_type, sysadmfile; +ifdef(`apache.te', ` +allow calamaris_t httpd_sys_content_t:dir search; +') +rw_dir_create_file(calamaris_t, calamaris_www_t) + +# for when squid has a different UID +allow calamaris_t self:capability dac_override; + +logdir_domain(calamaris) + +allow calamaris_t device_t:dir search; +allow calamaris_t devtty_t:chr_file { read write }; + +allow calamaris_t urandom_device_t:chr_file { getattr read }; + +allow calamaris_t self:process { fork signal_perms setsched }; +read_sysctl(calamaris_t) +allow calamaris_t proc_t:dir search; +allow calamaris_t proc_t:file { getattr read }; +allow calamaris_t { proc_t self }:lnk_file read; +allow calamaris_t self:dir search; + +allow calamaris_t { bin_t sbin_t }:dir search; +allow calamaris_t bin_t:lnk_file read; +allow calamaris_t etc_runtime_t:file { getattr read }; +allow calamaris_t self:fifo_file { getattr read write ioctl }; +read_locale(calamaris_t) + +can_exec(calamaris_t, bin_t) +allow calamaris_t self:unix_stream_socket create_stream_socket_perms; +allow calamaris_t self:udp_socket create_socket_perms; +allow calamaris_t etc_t:file { getattr read }; +allow calamaris_t etc_t:lnk_file read; +dontaudit calamaris_t etc_t:file ioctl; +dontaudit calamaris_t sysadm_home_dir_t:dir { 
getattr search }; +can_network_server(calamaris_t) +can_ypbind(calamaris_t) +ifdef(`named.te', ` +can_udp_send(calamaris_t, named_t) +can_udp_send(named_t, calamaris_t) +') + +ifdef(`apache.te', ` +r_dir_file(httpd_t, calamaris_www_t) +') diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te new file mode 100644 index 0000000..91ed9f3 --- /dev/null +++ b/strict/domains/program/unused/ciped.te @@ -0,0 +1,32 @@ + + +daemon_base_domain(ciped) + +# for SSP +allow ciped_t urandom_device_t:chr_file read; + +type cipe_port_t, port_type; + +can_network_udp(ciped_t) +can_ypbind(ciped_t) +allow ciped_t cipe_port_t:udp_socket name_bind; + +allow ciped_t devpts_t:dir search; +allow ciped_t devtty_t:chr_file { read write }; +allow ciped_t etc_runtime_t:file { getattr read }; +allow ciped_t etc_t:file { getattr read }; +allow ciped_t proc_t:file { getattr read }; +allow ciped_t { bin_t sbin_t }:dir { getattr search read }; +allow ciped_t bin_t:lnk_file read; +can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t }) +allow ciped_t self:fifo_file rw_file_perms; + +read_locale(ciped_t) + +allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +allow ciped_t self:unix_dgram_socket create_socket_perms; +allow ciped_t self:unix_stream_socket create_socket_perms; + +allow ciped_t random_device_t:chr_file { getattr read }; + +dontaudit ciped_t var_t:dir search; diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te new file mode 100644 index 0000000..47407db --- /dev/null +++ b/strict/domains/program/unused/clamav.te 
@@ -0,0 +1,88 @@ +#DESC CLAM - Anti-virus program +# +# Author: Brian May +# X-Debian-Packages: clamav +# + +################################# +# +# Rules for the clamscan_t domain. +# + +# Virus database +type clamav_var_lib_t, file_type, sysadmfile; + +# clamscan_t is the domain of the clamscan virus scanner +type clamscan_exec_t, file_type, sysadmfile, exec_type; + +daemon_base_domain(freshclam) +read_locale(freshclam_t) + +# not sure why it needs this +read_sysctl(freshclam_t) + +can_network_server(freshclam_t) +can_ypbind(freshclam_t) + +# Access virus signatures +allow freshclam_t { var_t var_lib_t }:dir search; +rw_dir_create_file(freshclam_t, clamav_var_lib_t) + +allow freshclam_t devtty_t:chr_file { read write }; +allow freshclam_t devpts_t:dir search; +allow freshclam_t etc_t:file { getattr read }; +allow freshclam_t proc_t:file { getattr read }; + +allow freshclam_t urandom_device_t:chr_file { getattr read }; +dontaudit freshclam_t urandom_device_t:chr_file ioctl; + +# for nscd +dontaudit freshclam_t var_run_t:dir search; + +# setuid/getuid used (although maybe not required...) +allow freshclam_t self:capability { setgid setuid }; + +allow freshclam_t sbin_t:dir search; + +# Allow notification to daemon that virus database has changed +can_clamd_connect(freshclam) + +allow freshclam_t etc_runtime_t:file { read getattr }; +allow freshclam_t self:unix_stream_socket create_stream_socket_perms; +allow freshclam_t self:unix_dgram_socket create_socket_perms; +allow freshclam_t self:fifo_file rw_file_perms; + +# Log files for freshclam executable +logdir_domain(freshclam) +allow initrc_t freshclam_log_t:file append; + +system_crond_entry(freshclam_exec_t, freshclam_t) +domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t) + +domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t) +role sysadm_r types freshclam_t; + +# macros/program/clamav_macros.te. 
+user_clamscan_domain(sysadm) + +# clamd executable +daemon_domain(clamd) + +tmp_domain(clamd) +logdir_domain(clamd) + +file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file) + +allow clamd_t self:capability { kill setgid setuid }; + +allow clamd_t var_lib_t:dir search; +r_dir_file(clamd_t, clamav_var_lib_t) +r_dir_file(clamd_t, etc_t) +# allow access /proc/sys/kernel/version +read_sysctl(clamd_t) +allow clamd_t self:unix_stream_socket create_stream_socket_perms; +allow clamd_t self:unix_dgram_socket create_stream_socket_perms; +allow clamd_t self:fifo_file rw_file_perms; + +allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read }; +dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl; diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te new file mode 100644 index 0000000..d2e9ad0 --- /dev/null +++ b/strict/domains/program/unused/courier.te 
@@ -0,0 +1,140 @@ +#DESC Courier - POP and IMAP servers +# +# Author: Russell Coker +# X-Debian-Packages: courier-base +# + +# Type for files created during execution of courier. +type courier_var_run_t, file_type, sysadmfile, pidfile; +type courier_var_lib_t, file_type, sysadmfile; + +type courier_etc_t, file_type, sysadmfile; +typealias courier_etc_t alias etc_courier_t; + +# allow start scripts to read the config +allow initrc_t courier_etc_t:file r_file_perms; + +type courier_exec_t, file_type, sysadmfile, exec_type; +type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type; + +define(`courier_domain', ` +################################# +# +# Rules for the courier_$1_t domain. +# +# courier_$1_exec_t is the type of the courier_$1 executables. +# +daemon_base_domain(courier_$1, `$2') + +allow courier_$1_t var_run_t:dir search; +rw_dir_create_file(courier_$1_t, courier_var_run_t) +allow courier_$1_t courier_var_run_t:sock_file create_file_perms; + +# allow it to read config files etc +allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms; +allow courier_$1_t courier_etc_t:file r_file_perms; +allow courier_$1_t etc_t:dir r_dir_perms; +allow courier_$1_t etc_t:file r_file_perms; + +# execute scripts etc +allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms; +allow courier_$1_t bin_t:dir r_dir_perms; +allow courier_$1_t fs_t:filesystem getattr; + +# set process group and allow permissions over-ride +allow courier_$1_t self:process setpgid; +allow courier_$1_t self:capability dac_override; + +# Use the network. 
+can_network_server(courier_$1_t) +allow courier_$1_t self:fifo_file { read write getattr }; +allow courier_$1_t self:unix_stream_socket create_stream_socket_perms; +allow courier_$1_t self:unix_dgram_socket create_socket_perms; + +allow courier_$1_t null_device_t:chr_file rw_file_perms; + +# allow it to log to /dev/tty +allow courier_$1_t devtty_t:chr_file rw_file_perms; + +allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms; +allow courier_$1_t usr_t:dir r_dir_perms; +allow courier_$1_t root_t:dir r_dir_perms; +can_exec(courier_$1_t, courier_$1_exec_t) +can_exec(courier_$1_t, bin_t) +allow courier_$1_t bin_t:dir search; + +allow courier_$1_t proc_t:dir r_dir_perms; +allow courier_$1_t proc_t:file r_file_perms; + +')dnl + +courier_domain(authdaemon, `, auth_chkpwd') +allow courier_authdaemon_t sbin_t:dir search; +allow courier_authdaemon_t lib_t:file { read getattr }; +allow courier_authdaemon_t tmp_t:dir getattr; +allow courier_authdaemon_t self:file { getattr read }; +read_locale(courier_authdaemon_t) +can_exec(courier_authdaemon_t, courier_exec_t) +dontaudit courier_authdaemon_t selinux_config_t:dir search; + +# for SSP +allow courier_authdaemon_t urandom_device_t:chr_file read; + +# should not be needed! 
+allow courier_authdaemon_t home_root_t:dir search; +allow courier_authdaemon_t user_home_dir_type:dir search; +dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search; +allow courier_authdaemon_t self:unix_stream_socket connectto; +allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; + +courier_domain(tcpd) +allow courier_tcpd_t self:capability { kill net_bind_service }; +allow courier_tcpd_t pop_port_t:tcp_socket name_bind; +allow courier_tcpd_t sbin_t:dir search; +allow courier_tcpd_t var_lib_t:dir search; +# for TLS +allow courier_tcpd_t urandom_device_t:chr_file read; +read_locale(courier_tcpd_t) +can_exec(courier_tcpd_t, courier_exec_t) +allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:process sigchld; + +can_tcp_connect(userdomain, courier_tcpd_t) +rw_dir_create_file(courier_tcpd_t, courier_var_lib_t) + +# domain for pop and imap +courier_domain(pop) +read_locale(courier_pop_t) +domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t) +allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; +domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) +allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; +allow courier_pop_t courier_authdaemon_t:process sigchld; +domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) + +# inherits file handle - should it? 
+allow courier_pop_t courier_var_lib_t:file { read write }; + +# do the actual work (read the Maildir) +# imap needs to write files +allow courier_pop_t home_root_t:dir { getattr search }; +allow courier_pop_t user_home_dir_type:dir { getattr search }; +# pop does not need to create subdirs, IMAP does +#rw_dir_create_file(courier_pop_t, user_home_type) +create_dir_file(courier_pop_t, user_home_type) + +# for calendaring +courier_domain(pcp) + +allow courier_pcp_t self:capability { setuid setgid }; +allow courier_pcp_t random_device_t:chr_file r_file_perms; + +# for webmail +courier_domain(sqwebmail) +ifdef(`crond.te', ` +system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t) +') +read_sysctl(courier_sqwebmail_t) diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te new file mode 100644 index 0000000..ca1649a --- /dev/null +++ b/strict/domains/program/unused/dante.te @@ -0,0 +1,20 @@ +#DESC dante - socks daemon +# +# Author: petre rodan +# + +type dante_conf_t, file_type, sysadmfile; +type socks_port_t, port_type; + +daemon_domain(dante) +can_network_server(dante_t) + +allow dante_t self:fifo_file { read write }; +allow dante_t self:capability { setuid }; +allow dante_t self:unix_dgram_socket { connect create write }; +allow dante_t self:unix_stream_socket { connect create read setopt write }; + +allow dante_t socks_port_t:tcp_socket name_bind; + +allow dante_t { etc_t etc_runtime_t }:file r_file_perms; +r_dir_file(dante_t, dante_conf_t) diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te new file mode 100644 index 0000000..8b134dc --- /dev/null +++ b/strict/domains/program/unused/ddclient.te 
@@ -0,0 +1,41 @@ +#DESC ddclient - Update dynamic IP address at DynDNS.org +# +# Author: Greg Norris +# X-Debian-Packages: ddclient +# + +################################# +# +# Rules for the ddclient_t domain. +# +daemon_domain(ddclient); +type ddclient_etc_t, file_type, sysadmfile; +type ddclient_var_t, file_type, sysadmfile; +log_domain(ddclient) +var_lib_domain(ddclient) + +base_file_read_access(ddclient_t) +can_exec(ddclient_t, { shell_exec_t bin_t }) + +# ddclient can be launched by pppd +ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)') + +# misc. requirements +allow ddclient_t self:fifo_file rw_file_perms; +allow ddclient_t self:socket create_socket_perms; +allow ddclient_t etc_t:file { getattr read }; +allow ddclient_t etc_runtime_t:file r_file_perms; +allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans }; +allow ddclient_t urandom_device_t:chr_file { read }; +general_proc_read_access(ddclient_t) +allow ddclient_t sysctl_net_t:dir { search }; + +# network-related goodies +can_network_client(ddclient_t) +allow ddclient_t self:unix_dgram_socket create_socket_perms; +allow ddclient_t self:unix_stream_socket create_socket_perms; + +# allow access to ddclient.conf and ddclient.cache +allow ddclient_t ddclient_etc_t:file r_file_perms; +allow ddclient_t ddclient_var_t:dir rw_dir_perms; +allow ddclient_t ddclient_var_t:file create_file_perms; diff --git a/strict/domains/program/unused/devfsd.te b/strict/domains/program/unused/devfsd.te new file mode 100644 index 0000000..7bbc314 --- /dev/null +++ b/strict/domains/program/unused/devfsd.te 
@@ -0,0 +1,93 @@ +#DESC Devfsd - Control daemon for devfs device file system +# +# Author: Russell Coker +# X-Debian-Packages: devfsd +# + +################################# +# +# Rules for the devfsd_t domain. +# +etcdir_domain(devfsd) +typealias devfsd_etc_t alias etc_devfsd_t; + +allow kernel_t { device_t root_t }:dir mounton; + +daemon_domain(devfsd, `, privmodule') + +allow devfsd_t urandom_device_t:chr_file read; + +# for startup scripts +can_exec(devfsd_t, bin_t) +allow devfsd_t self:fifo_file rw_file_perms; +allow devfsd_t proc_t:dir r_dir_perms; +allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms; +allow devfsd_t devtty_t:chr_file rw_file_perms; + +# for alsa +allow devfsd_t proc_t:file setattr; + +# for /sbin/modprobe +allow devfsd_t { bin_t sbin_t }:dir r_dir_perms; + +ifdef(`distro_debian', ` +# for the makedev script - this may be a bad idea +domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t) + +# for package upgrade +allow devfsd_t lib_t:file execute; +') + +# mknod capability is for the startup scripts +allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod }; + +# allow devfsd to change any object from type devfsd_t to any other type +# also allow to unlink +allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink }; +# allow devfsd to get and set attributes of any device node and to change the +# type to any device type +allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto }; +allow devfsd_t mtrr_device_t:file { getattr setattr relabelto }; +allow devfsd_t initctl_t:fifo_file getattr; +allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr; +allow devfsd_t device_t:dir { r_dir_perms setattr }; + +allow devfsd_t devpts_t:dir { r_dir_perms relabelto }; +allow devfsd_t devpts_t:chr_file { getattr setattr }; +allow devpts_t device_t:filesystem associate; +allow initctl_t 
device_t:filesystem associate; +allow device_t device_t:filesystem associate; +allow devlog_t device_t:filesystem associate; + +# allow all devices to be under device_t +allow { device_type ttyfile ptyfile } device_t:filesystem associate; + +allow domain device_t:lnk_file r_file_perms; + +# read the config files +allow devfsd_t etc_t:dir r_dir_perms; + +# allow the permissions and symlinks to be done +allow devfsd_t device_t:lnk_file create_file_perms; +allow devfsd_t device_t:dir rw_dir_perms; +allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr; +allow devfsd_t file_type:lnk_file r_file_perms; + +allow devfsd_t self:unix_dgram_socket create_socket_perms; +allow devfsd_t self:unix_stream_socket create_stream_socket_perms; +allow devfsd_t self:unix_dgram_socket sendto; +allow devfsd_t self:unix_stream_socket connect; + +allow devfsd_t devfs_control_t:chr_file { getattr read ioctl }; +dontaudit userdomain devfs_control_t:chr_file getattr; + +# allow resolv.conf and UDP access for LDAP or other NSS data source +allow devfsd_t self:udp_socket create_socket_perms; + +allow devfsd_t privfd:fd use; + +allow kernel_t device_t:filesystem mount; + +# for nss-ldap etc +can_network_client_tcp(devfsd_t) +can_ypbind(devfsd_t) diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te new file mode 100644 index 0000000..dee96a7 --- /dev/null +++ b/strict/domains/program/unused/distcc.te 
@@ -0,0 +1,35 @@ +#DESC distcc - Distributed compiler daemon +# +# Author: Chris PeBenito +# + +daemon_domain(distccd) +can_network_server(distccd_t) +can_ypbind(distccd_t) +log_domain(distccd) +tmp_domain(distccd) + +type distccd_port_t, port_type; +allow distccd_t distccd_port_t:tcp_socket name_bind; +allow distccd_t self:capability { setgid setuid }; + +# distccd can renice +allow distccd_t self:process setsched; + +# compiler stuff +allow distccd_t { bin_t sbin_t }:dir { search getattr }; +allow distccd_t { bin_t sbin_t }:lnk_file { getattr read }; +can_exec(distccd_t,bin_t) +can_exec(distccd_t,lib_t) + +# comm stuff +allow distccd_t net_conf_t:file r_file_perms; +allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write }; +allow distccd_t self:fifo_file { read write getattr }; + +# config access +allow distccd_t { etc_t etc_runtime_t }:file r_file_perms; +allow distccd_t proc_t:file r_file_perms; + +allow distccd_t var_t:dir search; +allow distccd_t admin_tty_type:chr_file { ioctl read write }; diff --git a/strict/domains/program/unused/dnsmasq.te b/strict/domains/program/unused/dnsmasq.te new file mode 100644 index 0000000..bdef592 --- /dev/null +++ b/strict/domains/program/unused/dnsmasq.te 
@@ -0,0 +1,38 @@ +#DESC dnsmasq - DNS forwarder and DHCP server +# +# Author: Greg Norris +# X-Debian-Packages: dnsmasq +# + +################################# +# +# Rules for the dnsmasq_t domain. +# +daemon_domain(dnsmasq); +type dnsmasq_lease_t, file_type, sysadmfile; + +# misc. requirements +allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw }; +allow dnsmasq_t urandom_device_t:chr_file read; + +# network-related goodies +can_network_server(dnsmasq_t) +can_ypbind(dnsmasq_t) +allow dnsmasq_t self:packet_socket create_socket_perms; +allow dnsmasq_t self:rawip_socket create_socket_perms; +allow dnsmasq_t self:unix_dgram_socket create_socket_perms; +allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms; + +# UDP ports 53 and 67 +allow dnsmasq_t dhcpd_port_t:udp_socket name_bind; +allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind; + +# By default, dnsmasq binds to the wildcard address to listen for DNS requests. +# Comment out the following entry if you do not want to allow this behaviour. +allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind; + +# allow access to dnsmasq.conf +allow dnsmasq_t etc_t:file r_file_perms; + +# dhcp leases +file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file) diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te new file mode 100644 index 0000000..89458ef --- /dev/null +++ b/strict/domains/program/unused/dpkg.te 
@@ -0,0 +1,413 @@ +#DESC Dpkg - Debian package manager +# +# Author: Russell Coker +# X-Debian-Packages: dpkg +# + +################################# +# +# Rules for the dpkg_t domain. +# +type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule; +type dpkg_exec_t, file_type, sysadmfile, exec_type; +type dpkg_var_lib_t, file_type, sysadmfile; +type dpkg_etc_t, file_type, sysadmfile, usercanread; +typealias dpkg_etc_t alias etc_dpkg_t; +type dpkg_lock_t, file_type, sysadmfile; +type debconf_cache_t, file_type, sysadmfile; + +tmp_domain(dpkg) +can_setfscreate(dpkg_t) +can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t }) + +ifdef(`load_policy.te', ` +domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t) +') +ifdef(`rlogind.te', ` +# for ssh +can_exec(dpkg_t, rlogind_exec_t) +') +can_exec(dpkg_t, { init_exec_t etc_t }) +ifdef(`hostname.te', ` +can_exec(dpkg_t, hostname_exec_t) +') +ifdef(`mta.te', ` +allow system_mail_t dpkg_tmp_t:file { getattr read }; +') +ifdef(`logrotate.te', ` +allow logrotate_t dpkg_var_lib_t:file create_file_perms; +') + +# for open office +can_exec(dpkg_t, usr_t) + +allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read; + +# for upgrading policycoreutils and loading policy +allow dpkg_t security_t:dir { getattr search }; +allow dpkg_t security_t:file { getattr read }; + +ifdef(`setfiles.te', +`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)') +ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)') +ifdef(`modutil.te', ` +domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t) +domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t) + +# for touch +allow initrc_t modules_dep_t:file write; +') +ifdef(`ipsec.te', ` +allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use; +allow ipsec_mgmt_t dpkg_t:fifo_file write; +allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write }; +allow ipsec_t dpkg_t:fifo_file { read write }; 
+domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') +ifdef(`cardmgr.te', ` +allow cardmgr_t dpkg_t:fd use; +allow cardmgr_t dpkg_t:fifo_file write; +domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) +# for start-stop-daemon +allow dpkg_t cardmgr_t:process signull; +') +ifdef(`mount.te', ` +domain_auto_trans(dpkg_t, mount_exec_t, mount_t) +') +ifdef(`mozilla.te', ` +# hate to do this, for mozilla install scripts +can_exec(dpkg_t, mozilla_exec_t) +') +ifdef(`postfix.te', ` +domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t) +') +ifdef(`apache.te', ` +domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t) +') +ifdef(`named.te', ` +file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file) +') +ifdef(`nsd.te', ` +allow nsd_crond_t initrc_t:fd use; +allow nsd_crond_t initrc_devpts_t:chr_file { read write }; +domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t) +') +# because the syslogd package is broken and does not use the start scripts +ifdef(`klogd.te', ` +domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t) +') +ifdef(`syslogd.te', ` +domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t) +allow system_crond_t syslogd_t:dir search; +allow system_crond_t syslogd_t:file { getattr read }; +allow system_crond_t syslogd_t:process signal; +') +# mysqld is broken too +ifdef(`mysqld.te', ` +domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t) +can_unix_connect(dpkg_t, mysqld_t) +allow mysqld_t dpkg_tmp_t:file { getattr read }; +') +ifdef(`postgresql.te', ` +# because postgresql postinst creates scripts in /tmp and then runs them +# also the init scripts do more than they should +allow { initrc_t postgresql_t } dpkg_tmp_t:file write; +# for "touch" when it tries to create the log file +# this works for upgrades, maybe we should allow create access for first install +allow initrc_t postgresql_log_t:file { write setattr }; +# for dumpall +can_exec(postgresql_t, postgresql_db_t) +') +ifdef(`sysstat.te', ` +domain_auto_trans(dpkg_t, 
sysstat_exec_t, sysstat_t) +') +ifdef(`rpcd.te', ` +allow rpcd_t dpkg_t:fd use; +allow rpcd_t dpkg_t:fifo_file { read write }; +') +ifdef(`load_policy.te', ` +allow load_policy_t initrc_t:fifo_file { read write }; +') +ifdef(`checkpolicy.te', ` +domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t) +role system_r types checkpolicy_t; +allow checkpolicy_t initrc_t:fd use; +allow checkpolicy_t initrc_t:fifo_file write; +allow checkpolicy_t initrc_devpts_t:chr_file { read write }; +') +ifdef(`amavis.te', ` +r_dir_file(initrc_t, dpkg_var_lib_t) +') +ifdef(`nessusd.te', ` +domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t) +') +ifdef(`crack.te', ` +allow crack_t initrc_t:fd use; +domain_auto_trans(dpkg_t, crack_exec_t, crack_t) +') +ifdef(`xdm.te', ` +domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t) +') +ifdef(`clamav.te', ` +domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t) +') +ifdef(`squid.te', ` +domain_auto_trans(dpkg_t, squid_exec_t, squid_t) +') +ifdef(`useradd.te', ` +domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t) +domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t) +role system_r types { useradd_t groupadd_t }; +') +ifdef(`passwd.te', ` +domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t) +') +ifdef(`ldconfig.te', ` +domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t) +') +ifdef(`portmap.te', ` +# for pmap_dump +domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t) +') + +# for apt +type apt_t, domain, admin, privmail, web_client_domain; +type apt_exec_t, file_type, sysadmfile, exec_type; +type apt_var_lib_t, file_type, sysadmfile; +type var_cache_apt_t, file_type, sysadmfile; +etcdir_domain(apt) +typealias apt_etc_t alias etc_apt_t; +type apt_rw_etc_t, file_type, sysadmfile; +typealias apt_rw_etc_t alias etc_apt_rw_t; +tmp_domain(apt, `', `{ dir file lnk_file }') +can_exec(apt_t, apt_tmp_t) + +rw_dir_create_file(apt_t, apt_rw_etc_t) + +allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search }; + +dontaudit apt_t 
var_log_t:dir getattr; +dontaudit apt_t var_run_t:dir search; + +# for rc files such as ~/.less +r_dir_file(apt_t, sysadm_home_t) +allow apt_t sysadm_home_dir_t:dir { search getattr }; + +allow apt_t bin_t:lnk_file r_file_perms; + +rw_dir_create_file(apt_t, debconf_cache_t) +r_dir_file(userdomain, debconf_cache_t) + +# for python +read_sysctl(apt_t) +read_sysctl(dpkg_t) + +allow dpkg_t console_device_t:chr_file rw_file_perms; + +allow apt_t self:unix_stream_socket create_socket_perms; + +allow dpkg_t domain:dir r_dir_perms; +allow dpkg_t domain:{ file lnk_file } r_file_perms; + +# for shared objects that are not yet labelled (upgrades) +allow { apt_t dpkg_t } lib_t:file execute; + +# when dpkg runs postinst scripts run them in initrc_t domain so that the +# daemons are started in the correct context +domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t) + +ifdef(`bootloader.te', ` +domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t) +# for mkinitrd +can_exec(bootloader_t, dpkg_exec_t) +# for lilo to run dpkg +allow bootloader_t dpkg_etc_t:file { getattr read }; +') + +# for kernel-image postinst +dontaudit dpkg_t fixed_disk_device_t:blk_file read; + +# for /usr/lib/dpkg/controllib.pl calling getpwnam(3) +dontaudit dpkg_t shadow_t:file { getattr read }; + +# allow user domains to execute dpkg +allow userdomain dpkg_exec_t:dir r_dir_perms; +can_exec(userdomain, { dpkg_exec_t apt_exec_t }) + +# allow everyone to read dpkg database +allow userdomain var_lib_t:dir search; +r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t }) + +# for /var/lib/dpkg/lock +rw_dir_create_file(apt_t, dpkg_var_lib_t) + +ifdef(`crond.te', ` +rw_dir_create_file(system_crond_t, dpkg_var_lib_t) +allow system_crond_t dpkg_etc_t:file r_file_perms; + +# for Debian cron job +create_dir_file(system_crond_t, tetex_data_t) +can_exec(dpkg_t, tetex_data_t) +') + +r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t }) +allow install_menu_t initrc_t:fifo_file { read 
write }; +allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms; +can_exec(sysadm_t, dpkg_etc_t) + +# Inherit and use descriptors from open_init_pty +allow { apt_t dpkg_t install_menu_t } initrc_t:fd use; +dontaudit dpkg_t privfd:fd use; +allow { apt_t dpkg_t install_menu_t } devpts_t:dir search; +allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms; + +allow ifconfig_t dpkg_t:fd use; +allow ifconfig_t dpkg_t:fifo_file { read write }; + +uses_shlib({ dpkg_t apt_t }) +allow dpkg_t proc_t:dir r_dir_perms; +allow dpkg_t proc_t:{ file lnk_file } r_file_perms; +allow dpkg_t fs_t:filesystem getattr; + +allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable }; + +# for fgconsole - need policy for it +allow dpkg_t self:capability sys_tty_config; + +allow dpkg_t self:unix_dgram_socket create_socket_perms; +allow dpkg_t self:unix_stream_socket create_stream_socket_perms; +can_unix_connect(dpkg_t, self) +allow dpkg_t self:unix_dgram_socket sendto; +allow dpkg_t self:unix_stream_socket connect; + +allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms; +allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms; + +# dpkg really needs to be able to kill any process, unfortunate but true +allow dpkg_t domain:process signal; +allow dpkg_t sysadm_t:process sigchld; +allow dpkg_t self:process { setpgid signal_perms fork getsched }; + +# read/write/create any files in the system +allow dpkg_t sysadmfile:dir create_dir_perms; +allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms; +allow dpkg_t sysadmfile:lnk_file create_lnk_perms; +allow dpkg_t device_type:{ chr_file blk_file } getattr; +dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; +allow dpkg_t proc_kmsg_t:file getattr; +allow dpkg_t fs_type:dir getattr; + +# allow compiling and loading new policy 
+create_dir_file(dpkg_t, { policy_src_t policy_config_t }) + +# change to the apt_t domain on exec from dpkg_t (dselect) +domain_auto_trans(dpkg_t, apt_exec_t, apt_t) + +# allow apt to change /var/lib/apt files +allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms; +allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms; + +# allow apt to create /usr/lib/site-python/DebianControlParser.pyc +rw_dir_create_file(apt_t, lib_t) + +# for apt-listbugs +allow apt_t usr_t:file { getattr read ioctl }; +allow apt_t usr_t:lnk_file read; + +# allow /var/cache/apt/archives to be owned by non-root +allow apt_t self:capability { chown dac_override fowner fsetid }; + +can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t }) +allow apt_t { bin_t sbin_t }:dir search; +allow apt_t self:process { signal sigchld fork }; +allow apt_t sysadm_t:process sigchld; +can_network({ apt_t dpkg_t }) +can_ypbind({ apt_t dpkg_t }) + +allow { apt_t dpkg_t } var_t:dir { search getattr }; +dontaudit apt_t { fs_type file_type }:dir getattr; +allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms; + +allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms }; + +# for /proc/meminfo and for "ps" +allow apt_t { proc_t apt_t }:dir r_dir_perms; +allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms; +allow apt_t self:fifo_file rw_file_perms; +allow dpkg_t self:fifo_file rw_file_perms; + +allow apt_t etc_t:dir r_dir_perms; +allow apt_t etc_t:file r_file_perms; +allow apt_t etc_t:lnk_file read; +read_locale(apt_t) +r_dir_file(userdomain, apt_etc_t) + +# apt wants to check available disk space +allow apt_t fs_t:filesystem getattr; +allow apt_t etc_runtime_t:file r_file_perms; + +# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you +# have apt run dpkg. +# This means that getting apt_t access is almost as good as dpkg_t which has +# as much power as sysadm_t... 
+domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t) + +# hack to allow update-menus/install-menu to manage menus +type install_menu_t, domain, admin, etc_writer; +type install_menu_exec_t, file_type, sysadmfile, exec_type; +var_run_domain(install_menu) + +allow install_menu_t self:unix_stream_socket create_socket_perms; + +type debian_menu_t, file_type, sysadmfile; + +r_dir_file(userdomain, debian_menu_t) +dontaudit install_menu_t sysadm_home_dir_t:dir search; +create_dir_file(install_menu_t, debian_menu_t) +allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms }; +allow install_menu_t self:process signal; +allow install_menu_t proc_t:dir search; +allow install_menu_t proc_t:file r_file_perms; +can_getcon(install_menu_t) +can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t }) +allow install_menu_t { bin_t sbin_t }:dir search; +allow install_menu_t bin_t:lnk_file read; + +# for menus +allow install_menu_t usr_t:file r_file_perms; + +# for /etc/kde3/debian/kde-update-menu.sh +can_exec(install_menu_t, etc_t) + +allow install_menu_t var_t:dir search; +tmp_domain(install_menu) + +create_dir_file(install_menu_t, var_lib_t) +ifdef(`xdm.te', ` +create_dir_file(install_menu_t, xdm_var_lib_t) +') +allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms; +allow install_menu_t { var_spool_t etc_t }:file create_file_perms; +allow install_menu_t self:fifo_file rw_file_perms; +allow install_menu_t etc_runtime_t:file r_file_perms; +allow install_menu_t devtty_t:chr_file rw_file_perms; +allow install_menu_t fs_t:filesystem getattr; + +domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t) +allow dpkg_t install_menu_t:process signal_perms; + +allow install_menu_t privfd:fd use; +uses_shlib(install_menu_t) + +allow install_menu_t self:process { fork sigchld }; + +role system_r types { dpkg_t apt_t install_menu_t }; + +################################# +# +# Rules for the run_deb_t domain. 
+# +#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t) +#domain_trans(run_deb_t, apt_exec_t, apt_t) +domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t) +domain_auto_trans(initrc_t, apt_exec_t, apt_t) diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te new file mode 100644 index 0000000..161f474 --- /dev/null +++ b/strict/domains/program/unused/gatekeeper.te @@ -0,0 +1,53 @@ +#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper +# +# Author: Russell Coker +# X-Debian-Packages: opengate openh323gk +# + +################################# +# +# Rules for the gatekeeper_t domain. +# +# gatekeeper_exec_t is the type of the gk executable. +# +daemon_domain(gatekeeper) + +# for SSP +allow gatekeeper_t urandom_device_t:chr_file read; + +type gatekeeper_port_t, port_type; +etc_domain(gatekeeper) +typealias gatekeeper_etc_t alias etc_gatekeeper_t; +allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; +logdir_domain(gatekeeper) + +# Use the network. +can_network_server(gatekeeper_t) +can_ypbind(gatekeeper_t) +allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind; +allow gatekeeper_t self:unix_stream_socket create_socket_perms; + +# for stupid symlinks +tmp_domain(gatekeeper) + +# pthreads wants to know the kernel version +read_sysctl(gatekeeper_t) + +allow gatekeeper_t etc_t:file { getattr read }; + +allow gatekeeper_t etc_t:dir r_dir_perms; +allow gatekeeper_t sbin_t:dir r_dir_perms; + +allow gatekeeper_t self:process setsched; +allow gatekeeper_t self:fifo_file rw_file_perms; + +allow gatekeeper_t proc_t:file read; + +# for local users to run VOIP software +can_udp_send(userdomain, gatekeeper_t) +can_udp_send(gatekeeper_t, userdomain) +can_tcp_connect(gatekeeper_t, userdomain) + +# this is crap, gk wants to create symlinks in /etc every time it starts and +# remove them when it exits. +#allow gatekeeper_t etc_t:dir rw_dir_perms; 
diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te new file mode 100644 index 0000000..90e19ea --- /dev/null +++ b/strict/domains/program/unused/gift.te @@ -0,0 +1,9 @@ +# DESC - giFT file sharing tool +# +# Author: Ivan Gyurdiev +# + +type gift_exec_t, file_type, exec_type, sysadmfile; +type giftd_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/gift_macros.te diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te new file mode 100644 index 0000000..af18409 --- /dev/null +++ b/strict/domains/program/unused/imazesrv.te @@ -0,0 +1,30 @@ +#DESC Imazesrv - Imaze Server +# +# Author: Torsten Knodt +# based on games.te by Russell Coker +# + +# type for shared data from imazesrv +type imazesrv_data_t, file_type, sysadmfile; +type imazesrv_data_labs_t, file_type, sysadmfile; + +# domain imazesrv_t is for system operation of imazesrv +# also defines imazesrv_exec_t +daemon_domain(imazesrv) +log_domain(imazesrv); + +r_dir_file(imazesrv_t, imazesrv_data_t) + +type imaze_port_t, port_type; +allow imazesrv_t imaze_port_t:tcp_socket name_bind; +allow imazesrv_t imaze_port_t:udp_socket name_bind; + +create_append_log_file(imazesrv_t,imazesrv_log_t) + +can_network_server(imazesrv_t) + +allow imazesrv_t self:capability net_bind_service; + +r_dir_file(imazesrv_t, etc_t) + +general_domain_access(imazesrv_t) diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te new file mode 100644 index 0000000..1b9c5fd --- /dev/null +++ b/strict/domains/program/unused/ircd.te 
@@ -0,0 +1,45 @@ +#DESC Ircd - IRC server +# +# Author: Russell Coker +# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu +# + +################################# +# +# Rules for the ircd_t domain. +# +# ircd_exec_t is the type of the slapd executable. +# +daemon_domain(ircd) + +type ircd_port_t, port_type; +allow ircd_t ircd_port_t:tcp_socket name_bind; + +etcdir_domain(ircd) +typealias ircd_etc_t alias etc_ircd_t; + +logdir_domain(ircd) + +var_lib_domain(ircd) + +# Use the network. +can_network_server(ircd_t) +can_ypbind(ircd_t) +#allow ircd_t self:fifo_file { read write }; +allow ircd_t self:unix_stream_socket create_socket_perms; +allow ircd_t self:unix_dgram_socket create_socket_perms; + +allow ircd_t devtty_t:chr_file rw_file_perms; + +allow ircd_t sbin_t:dir search; + +allow ircd_t proc_t:file { getattr read }; + +# read config files +allow ircd_t { etc_t etc_runtime_t }:file { getattr read }; +allow ircd_t etc_t:lnk_file read; + +ifdef(`logrotate.te', ` +allow logrotate_t ircd_var_run_t:dir search; +allow logrotate_t ircd_var_run_t:file { getattr read }; +') diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te new file mode 100644 index 0000000..55f0819 --- /dev/null +++ b/strict/domains/program/unused/jabberd.te 
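Review bot: ircd.te carries a copy-paste error in its header comment: "# ircd_exec_t is the type of the slapd executable." should say the ircd executable. The dead rule "#allow ircd_t self:fifo_file { read write };" is also left in without a note on why it was disabled; either delete it or say when it is needed. In the logrotate block, "allow logrotate_t ircd_var_run_t:file { getattr read };" has no comment explaining why logrotate reads the pid file (presumably a postrotate script that signals the daemon); one line would stop the next editor from removing it.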
@@ -0,0 +1,32 @@ +#DESC jabberd - Jabber daemon +# +# Author: Colin Walters +# X-Debian-Packages: jabber + +daemon_domain(jabberd) +logdir_domain(jabberd) +var_lib_domain(jabberd) + +type jabber_client_port_t, port_type; +type jabber_interserver_port_t, port_type; + +allow jabberd_t jabber_client_port_t:tcp_socket name_bind; +allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind; + +allow jabberd_t etc_t:lnk_file read; +allow jabberd_t { etc_t etc_runtime_t }:file { read getattr }; + +# For SSL +allow jabberd_t random_device_t:file r_file_perms; + +can_network_server(jabberd_t) +can_ypbind(jabberd_t) + +allow jabberd_t self:unix_dgram_socket create_socket_perms; +allow jabberd_t self:unix_stream_socket create_socket_perms; +allow jabberd_t self:fifo_file { read write getattr }; + +allow jabberd_t self:capability dac_override; + +# allow any user domain to connect to jabber +can_tcp_connect(userdomain, jabberd_t) diff --git a/strict/domains/program/unused/lcd.te b/strict/domains/program/unused/lcd.te new file mode 100644 index 0000000..2e2eddf --- /dev/null +++ b/strict/domains/program/unused/lcd.te 
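Review bot: jabberd.te uses the wrong object class for the random device: "allow jabberd_t random_device_t:file r_file_perms;" covers regular files of that type, but /dev/random is a character device, so the rule never matches and the SSL path it is meant to serve will still be denied. The rest of the patch gets this right (nessusd.te, openvpn.te and openca-ca.te all use random_device_t:chr_file); change it to "allow jabberd_t random_device_t:chr_file r_file_perms;". Separately, "allow jabberd_t self:capability dac_override;" has no comment saying which file the daemon cannot reach under its own uid; if it is the log or spool directory, fixing ownership in the package is preferable to a capability that bypasses DAC on every file the policy lets jabberd_t touch.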
@@ -0,0 +1,35 @@ +#DESC lcd - program for Cobalt LCD device +# +# Author: Russell Coker +# + +################################# +# +# Rules for the lcd_t domain. +# +# lcd_t is the domain for the lcd program. +# lcd_exec_t is the type of the corresponding program. +# +type lcd_t, domain, privlog; +role sysadm_r types lcd_t; +role system_r types lcd_t; +uses_shlib(lcd_t) +type lcd_exec_t, file_type, sysadmfile, exec_type; +type lcd_device_t, file_type; + +# Transition into this domain when you run this program. +domain_auto_trans(initrc_t, lcd_exec_t, lcd_t) +domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t) + +allow lcd_t lcd_device_t:chr_file rw_file_perms; + +# for /etc/locks/.lcd_lock +lock_domain(lcd) +allow lcd_t etc_t:lnk_file read; +allow lcd_t var_t:dir search; + +# Access the terminal. +allow lcd_t admin_tty_type:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;') +allow lcd_t privfd:fd use; + diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te new file mode 100644 index 0000000..3059c03 --- /dev/null +++ b/strict/domains/program/unused/lrrd.te 
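Review bot: lcd.te declares the device type as "type lcd_device_t, file_type;" without the sysadmfile attribute that every other file type in this patch carries, so sysadm_t will not be able to relabel or otherwise manage the LCD device node; make it "type lcd_device_t, file_type, sysadmfile;" plus whatever device attribute the existing types in types/device.te use. The comment "# for /etc/locks/.lcd_lock" also disagrees with the rules under it: lock_domain(lcd) and the following "allow lcd_t var_t:dir search;" describe a lock file under /var/lock, so either the path in the comment is wrong or the lock rules point at the wrong directory.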
@@ -0,0 +1,70 @@ +#DESC LRRD - network-wide load graphing +# +# Author: Erich Schubert +# X-Debian-Packages: lrrd-client, lrrd-server +# + +################################# +# +# Rules for the lrrd_t domain. +# +# lrrd_exec_t is the type of the lrrd executable. +# +daemon_domain(lrrd) + +allow lrrd_t lrrd_var_run_t:sock_file create_file_perms; + +etcdir_domain(lrrd) +typealias lrrd_etc_t alias etc_lrrd_t; +type lrrd_var_lib_t, file_type, sysadmfile; +type lrrd_port_t, port_type; + +log_domain(lrrd) +tmp_domain(lrrd) + +# has cron jobs +system_crond_entry(lrrd_exec_t, lrrd_t) +allow crond_t lrrd_var_lib_t:dir search; + +# init script +allow initrc_t lrrd_log_t:file { write append setattr ioctl }; + +# allow to drop privileges and renice +allow lrrd_t self:capability { setgid setuid }; +allow lrrd_t self:process { getsched setsched }; + +allow lrrd_t urandom_device_t:chr_file { getattr read }; +allow lrrd_t proc_t:file { getattr read }; +allow lrrd_t usr_t:file { read ioctl }; + +can_exec(lrrd_t, bin_t) +allow lrrd_t bin_t:dir search; +allow lrrd_t usr_t:lnk_file read; + +# Allow access to the lrrd databases +create_dir_file(lrrd_t, lrrd_var_lib_t) +allow lrrd_t var_lib_t:dir search; + +# read config files +r_dir_file(initrc_t, lrrd_etc_t) +allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; +# for accessing the output directory +ifdef(`apache.te', ` +allow lrrd_t httpd_sys_content_t:dir search; +') + +allow lrrd_t etc_t:dir search; + +can_unix_connect(sysadm_t, lrrd_t) +can_unix_connect(lrrd_t, lrrd_t) +can_unix_send(lrrd_t, lrrd_t) +can_network_server(lrrd_t) +can_ypbind(lrrd_t) + +ifdef(`logrotate.te', ` +r_dir_file(logrotate_t, lrrd_etc_t) +allow logrotate_t lrrd_var_lib_t:dir search; +allow logrotate_t lrrd_var_run_t:dir search; +allow logrotate_t lrrd_var_run_t:sock_file write; +can_unix_connect(logrotate_t, lrrd_t) +') 
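Review bot: lrrd.te grants "allow lrrd_t httpd_sys_content_t:dir search;" under "# for accessing the output directory", but search only lets the domain traverse that directory; if lrrd writes its graphs and HTML into the web root, it needs a dedicated writable type there (a file_type_auto_trans from the content directory into an lrrd-specific type) rather than this rule or a blanket write grant on httpd_sys_content_t. Also "allow lrrd_t usr_t:file { read ioctl };" is missing getattr, which every other read rule in this file includes as "{ getattr read }", and Perl stat()s modules while searching @INC, so expect a denial there.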
diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te new file mode 100644 index 0000000..56ced81 --- /dev/null +++ b/strict/domains/program/unused/monopd.te @@ -0,0 +1,30 @@ +#DESC MonopD - Monopoly Daemon +# +# Author: Torsten Knodt +# based on the dhcpd_t policy from: +# Russell Coker +# + +################################# +# +# Rules for the monopd_t domain. +# +daemon_domain(monopd) + +type etc_monopd_t, file_type, sysadmfile; +type share_monopd_t, file_type, sysadmfile; + +# Use the network. +can_network_server(monopd_t) +can_ypbind(monopd_t) + +type monopd_port_t, port_type; +allow monopd_t monopd_port_t:tcp_socket name_bind; + +r_dir_file(monopd_t,etc_monopd_t) +r_dir_file(monopd_t,share_monopd_t) + +allow monopd_t self:unix_dgram_socket create_socket_perms; +allow monopd_t self:unix_stream_socket create_socket_perms; + +r_dir_file(monopd_t, etc_t) diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te new file mode 100644 index 0000000..fb5fd14 --- /dev/null +++ b/strict/domains/program/unused/nagios.te 
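Review bot: monopd.te names its file types with the old reversed convention, "type etc_monopd_t, file_type, sysadmfile;" and "type share_monopd_t, file_type, sysadmfile;", while the rest of this patch names them <domain>_etc_t and keeps the old spelling only as a "typealias ... alias etc_<domain>_t" for compatibility (see ircd.te, nessusd.te, perdition.te). Use etc_domain(monopd), or declare monopd_etc_t with the alias, and apply the same naming to the share type so file_contexts and other files stay consistent.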
@@ -0,0 +1,91 @@ +#DESC Net Saint / NAGIOS - network monitoring server +# +# Author: Russell Coker +# X-Debian-Packages: netsaint, nagios +# Depends: mta.te +# + +################################# +# +# Rules for the nagios_t domain. +# +# nagios_exec_t is the type of the netsaint/nagios executable. +# +daemon_domain(nagios, `, privmail') + +etcdir_domain(nagios) +typealias nagios_etc_t alias etc_nagios_t; + +logdir_domain(nagios) +allow nagios_t nagios_log_t:fifo_file create_file_perms; +allow initrc_t nagios_log_t:dir rw_dir_perms; + +tmp_domain(nagios) +allow system_mail_t nagios_tmp_t:file { getattr read }; +# for open file handles +dontaudit system_mail_t nagios_etc_t:file read; +dontaudit system_mail_t nagios_log_t:fifo_file read; + +# Use the network. +allow nagios_t self:fifo_file rw_file_perms; +allow nagios_t self:unix_stream_socket create_socket_perms; +allow nagios_t self:unix_dgram_socket create_socket_perms; + +# Use capabilities +allow nagios_t self:capability { dac_override setgid setuid }; +allow nagios_t self:process setpgid; + +allow nagios_t { bin_t sbin_t }:dir search; +allow nagios_t bin_t:lnk_file read; +can_exec(nagios_t, { shell_exec_t bin_t }) + +allow nagios_t proc_t:file { getattr read }; + +can_network_server(nagios_t) +can_ypbind(nagios_t) + +# read config files +allow nagios_t { etc_t etc_runtime_t }:file { getattr read }; +allow nagios_t etc_t:lnk_file read; + +allow nagios_t etc_t:dir r_dir_perms; + +# for ps +r_dir_file(nagios_t, domain) +allow nagios_t boot_t:dir search; +allow nagios_t system_map_t:file { getattr read }; + +# for who +allow nagios_t initrc_var_run_t:file { getattr read lock }; + +system_domain(nagios_cgi) +allow nagios_cgi_t device_t:dir search; +r_dir_file(nagios_cgi_t, nagios_etc_t) +allow nagios_cgi_t var_log_t:dir search; +r_dir_file(nagios_cgi_t, nagios_log_t) +allow nagios_cgi_t self:process { fork signal_perms }; +allow nagios_cgi_t self:fifo_file rw_file_perms; +allow nagios_cgi_t bin_t:dir search; 
+can_exec(nagios_cgi_t, bin_t) +read_locale(nagios_cgi_t) + +# for ps +allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read }; +r_dir_file(nagios_cgi_t, { proc_t self nagios_t }) +allow nagios_cgi_t boot_t:dir search; +allow nagios_cgi_t system_map_t:file { getattr read }; +dontaudit nagios_cgi_t domain:dir getattr; +allow nagios_cgi_t self:unix_stream_socket create_socket_perms; + +ifdef(`apache.te', ` +r_dir_file(httpd_t, nagios_etc_t) +domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t) +allow nagios_cgi_t httpd_log_t:file append; +') + +ifdef(`ping.te', ` +domain_auto_trans(nagios_t, ping_exec_t, ping_t) +allow nagios_t ping_t:process { sigkill signal }; +dontaudit ping_t nagios_etc_t:file read; +dontaudit ping_t nagios_log_t:fifo_file read; +') diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te new file mode 100644 index 0000000..e0f71fd --- /dev/null +++ b/strict/domains/program/unused/nessusd.te 
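Review bot: nagios.te grants "r_dir_file(nagios_t, domain)" under "# for ps", which is read access to the /proc/<pid> entries of every domain on the system, and the same domain also receives dac_override a few lines earlier, so the DAC limits on those files do not constrain it either. If this is for the check_procs plugin, say so in the comment and use the can_ps macro that nsd.te in this same patch uses for the same purpose, which grants the getattr/read set ps actually needs. The "dontaudit system_mail_t nagios_etc_t:file read;" and fifo_file lines labelled "for open file handles" silence descriptors that nagios leaks into the notification mailer; mark that as a nagios bug in the comment rather than a policy decision, so the dontaudit is revisited once nagios sets close-on-exec.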
@@ -0,0 +1,55 @@ +#DESC Nessus network scanning daemon +# +# Author: Russell Coker +# X-Debian-Packages: nessus +# + +################################# +# +# Rules for the nessusd_t domain. +# +# nessusd_exec_t is the type of the nessusd executable. +# +daemon_domain(nessusd) + +etc_domain(nessusd) +typealias nessusd_etc_t alias etc_nessusd_t; +type nessusd_db_t, file_type, sysadmfile; + +type nessus_port_t, port_type; +allow nessusd_t nessus_port_t:tcp_socket name_bind; + +#tmp_domain(nessusd) + +# Use the network. +can_network(nessusd_t) +can_ypbind(nessusd_t) +allow nessusd_t self:unix_stream_socket create_socket_perms; +#allow nessusd_t self:unix_dgram_socket create_socket_perms; + +# why ioctl on /dev/urandom? +allow nessusd_t random_device_t:chr_file { getattr read ioctl }; +allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms; +allow nessusd_t self:capability net_raw; + +# for nmap etc +allow nessusd_t { bin_t sbin_t }:dir search; +allow nessusd_t bin_t:lnk_file read; +can_exec(nessusd_t, bin_t) +allow nessusd_t self:fifo_file { getattr read write }; + +# allow user domains to connect to nessusd +can_tcp_connect(userdomain, nessusd_t) + +allow nessusd_t self:process setsched; + +allow nessusd_t proc_t:file { getattr read }; + +# Allow access to the nessusd authentication database +create_dir_file(nessusd_t, nessusd_db_t) +allow nessusd_t var_lib_t:dir r_dir_perms; + +# read config files +allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms; + +logdir_domain(nessusd) diff --git a/strict/domains/program/unused/nrpe.te b/strict/domains/program/unused/nrpe.te new file mode 100644 index 0000000..87d1a02 --- /dev/null +++ b/strict/domains/program/unused/nrpe.te 
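Review bot: nessusd.te has a comment and a rule that disagree: "# why ioctl on /dev/urandom?" sits above "allow nessusd_t random_device_t:chr_file { getattr read ioctl };", which is /dev/random, not urandom. The ioctl is almost certainly an isatty()-style probe from the C library on a freshly opened descriptor, which is better handled as "dontaudit nessusd_t random_device_t:chr_file ioctl;" than granted, and the open question should be resolved before the file is committed. Note also that "can_exec(nessusd_t, bin_t)" under "# for nmap etc" runs the helper scanners inside nessusd_t, so they inherit the rawip/packet socket and net_raw rights granted above; that is reasonable for a scanner, but the comment should state that it is intentional.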
@@ -0,0 +1,40 @@ +# DESC nrpe - Nagios Remote Plugin Execution +# +# Author: Thomas Bleher +# +# Depends: tcpd.te +# X-Debian-Packages: nagios-nrpe-server +# +# This policy assumes that nrpe is called from inetd + +daemon_base_domain(nrpe) +ifdef(`tcpd.te', ` +domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t) +') +domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t) + +allow nrpe_t urandom_device_t:chr_file { getattr ioctl read }; + +allow nrpe_t self:fifo_file rw_file_perms; +allow nrpe_t self:unix_dgram_socket create_socket_perms; +# use sockets inherited from inetd +allow nrpe_t inetd_t:tcp_socket { ioctl read write }; +allow nrpe_t devtty_t:chr_file { read write }; + +allow nrpe_t self:process setpgid; + +etc_domain(nrpe) +read_locale(nrpe_t) + +# permissions for the scripts executed by nrpe +# +# call shell programs +can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t }) +allow nrpe_t { bin_t sbin_t }:dir search; +# for /bin/sh +allow nrpe_t bin_t:lnk_file read; + +# read /proc/meminfo, /proc/self/mounts and /etc/mtab +allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read }; + +# you will have to add more permissions here, depending on the scripts you call! diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te new file mode 100644 index 0000000..2711cdd --- /dev/null +++ b/strict/domains/program/unused/nsd.te 
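Review bot: nrpe.te states "# Depends: tcpd.te" in its header but then wraps the tcpd rules in an ifdef(`tcpd.te', ...) block, so tcpd is optional in the code and mandatory in the metadata; pick one. More importantly, the closing line "# you will have to add more permissions here, depending on the scripts you call!" means every plugin permission ends up in nrpe_t itself, the domain that accepts connections from the network; since "can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })" already runs plugins without a transition, consider a separate plugin domain reached by domain_auto_trans from nrpe_t, so plugin rules do not widen the network-facing daemon. Minor: "allow nrpe_t inetd_t:tcp_socket { ioctl read write };" lacks getattr, which qmail_tcp_env_t in qmail.te grants on the same inherited socket.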
@@ -0,0 +1,101 @@ +#DESC Authoritative only name server +# +# Author: Russell Coker +# X-Debian-Packages: nsd +# +# + +################################# +# +# Rules for the nsd_t domain. +# + +daemon_domain(nsd) + +# a type for nsd.db +type nsd_db_t, file_type, sysadmfile; + +# for zone update cron job +type nsd_crond_t, domain, privlog; +role system_r types nsd_crond_t; +uses_shlib(nsd_crond_t) +can_network_client(nsd_crond_t) +can_ypbind(nsd_crond_t) +allow nsd_crond_t self:unix_dgram_socket create_socket_perms; +allow nsd_crond_t self:process { fork signal_perms }; +system_crond_entry(nsd_exec_t, nsd_crond_t) +allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read }; +allow nsd_crond_t proc_t:lnk_file { getattr read }; +allow nsd_crond_t { bin_t sbin_t }:dir search; +can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t }) +allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr; +allow nsd_crond_t bin_t:lnk_file read; +read_locale(nsd_crond_t) +allow nsd_crond_t self:fifo_file rw_file_perms; +# kill capability for root cron job and non-root daemon +allow nsd_crond_t self:capability { dac_override kill }; +allow nsd_crond_t nsd_t:process signal; +dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr }; +dontaudit nsd_crond_t self:capability sys_nice; +dontaudit nsd_crond_t domain:dir search; +allow nsd_crond_t self:process setsched; +can_ps(nsd_crond_t, nsd_t) + +file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) +file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file) +allow nsd_crond_t var_lib_t:dir search; + +allow nsd_crond_t nsd_conf_t:file { getattr read ioctl }; +allow nsd_crond_t nsd_zone_t:dir rw_dir_perms; +allow nsd_crond_t proc_t:dir r_dir_perms; +allow nsd_crond_t device_t:dir search; +allow nsd_crond_t devtty_t:chr_file rw_file_perms; +allow nsd_crond_t etc_t:file { getattr read }; +allow nsd_crond_t etc_t:lnk_file read; +allow nsd_crond_t { var_t var_run_t }:dir search; +allow nsd_crond_t 
nsd_var_run_t:file { getattr read }; + +# for SSP +allow nsd_crond_t urandom_device_t:chr_file read; + +# A type for configuration files of nsd +type nsd_conf_t, file_type, sysadmfile; +# A type for zone files +type nsd_zone_t, file_type, sysadmfile; + +r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t }) +# zone files may be in /var/lib/nsd +allow nsd_t var_lib_t:dir search; +r_dir_file(initrc_t, nsd_conf_t) +allow nsd_t etc_runtime_t:file { getattr read }; +allow nsd_t proc_t:file { getattr read }; +allow nsd_t { sbin_t bin_t }:dir search; +can_exec(nsd_t, { nsd_exec_t bin_t }) + +# Use capabilities. chown is for chowning /var/run/nsd.pid +allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service }; + +allow nsd_t etc_t:{ file lnk_file } { getattr read }; + +# nsd can use network +can_network_server(nsd_t) +can_ypbind(nsd_t) +# allow client access from caching BIND +ifdef(`named.te', ` +can_udp_send(named_t, nsd_t) +can_udp_send(nsd_t, named_t) +can_tcp_connect(named_t, nsd_t) +') + +# if you want to allow all programs to contact the primary name server +#can_udp_send(domain, nsd_t) +#can_udp_send(nsd_t, domain) +#can_tcp_connect(domain, nsd_t) + +# Bind to the named port. +allow nsd_t dns_port_t:udp_socket name_bind; +allow nsd_t dns_port_t:tcp_socket name_bind; + +allow nsd_t self:unix_stream_socket create_stream_socket_perms; +allow nsd_t self:unix_dgram_socket create_socket_perms; + diff --git a/strict/domains/program/unused/oav-update.te b/strict/domains/program/unused/oav-update.te new file mode 100644 index 0000000..a9843c6 --- /dev/null +++ b/strict/domains/program/unused/oav-update.te 
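Review bot: nsd.te lets the name server itself write into its zone directory: "file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)" gives nsd_t rw_dir_perms on nsd_zone_t and create rights on nsd_db_t, while the file otherwise treats nsd_t as a reader via "r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })". If only the cron job compiles zones into nsd.db, restrict the auto-transition to nsd_crond_t and leave the daemon read-only, so a compromised nsd_t cannot replace its own zone data. Readability: "type nsd_conf_t, file_type, sysadmfile;" and "type nsd_zone_t, file_type, sysadmfile;" are declared after roughly twenty rules that already use them; move the declarations up next to nsd_db_t.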
@@ -0,0 +1,38 @@ +#DESC Oav - Anti-virus update program +# +# Author: Brian May +# X-Debian-Packages: +# + +type oav_update_var_lib_t, file_type, sysadmfile; +type oav_update_exec_t, file_type, sysadmfile, exec_type; +type oav_update_etc_t, file_type, sysadmfile; + +# Derived domain based on the calling user domain and the program. +type oav_update_t, domain, privlog; + +# Transition from the sysadm domain to the derived domain. +role sysadm_r types oav_update_t; +domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t) + +# Transition from the sysadm domain to the derived domain. +role system_r types oav_update_t; +system_crond_entry(oav_update_exec_t, oav_update_t) + +# Uses shared librarys +uses_shlib(oav_update_t) + +# Run helper programs. +can_exec_any(oav_update_t,bin_t) + +# Can read /etc/oav-update/* files +allow oav_update_t oav_update_etc_t:dir r_dir_perms; +allow oav_update_t oav_update_etc_t:file r_file_perms; + +# Can read /var/lib/oav-update/current +allow oav_update_t oav_update_var_lib_t:dir create_dir_perms; +allow oav_update_t oav_update_var_lib_t:file create_file_perms; +allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms; + +# Can download via network +can_network_server(oav_update_t) diff --git a/strict/domains/program/unused/openca-ca.te b/strict/domains/program/unused/openca-ca.te new file mode 100644 index 0000000..411c61d --- /dev/null +++ b/strict/domains/program/unused/openca-ca.te 
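Review bot: oav-update.te uses the wrong network macro for what it does: "can_network_server(oav_update_t)" under "# Can download via network" grants listen, accept and name_bind rights that a downloader never needs. nsd.te in this same patch uses "can_network_client(nsd_crond_t)" for an outbound-only job; use that here. Also the second "# Transition from the sysadm domain to the derived domain." comment sits above "role system_r types oav_update_t;" and the system_crond_entry call, which is the cron entry rather than the sysadm transition; fix the comment.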
@@ -0,0 +1,134 @@ +#DESC OpenCA - Open Certificate Authority +# +# Author: Brian May +# X-Debian-Packages: +# Depends: apache.te +# + +################################# +# +# domain for openCA cgi-bin scripts. +# +# Type that system CGI scripts run as +# +type openca_ca_t, domain; +role system_r types openca_ca_t; +uses_shlib(openca_ca_t) + +# Types that system CGI scripts on the disk are +# labeled with +# +type openca_ca_exec_t, file_type, sysadmfile; + +# When the server starts the script it needs to get the proper context +# +domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t) + +# +# Allow httpd daemon to search /usr/share/openca +# +allow httpd_t openca_usr_share_t:dir { getattr search }; + +################################################################ +# Allow the web server to run scripts and serve pages +############################################################## +allow httpd_t bin_t:file { read execute }; # execute perl + +allow httpd_t openca_ca_exec_t:file {execute getattr read}; +allow httpd_t openca_ca_t:process {signal sigkill sigstop}; +allow httpd_t openca_ca_t:process transition; +allow httpd_t openca_ca_exec_t:dir r_dir_perms; + +################################################################## +# Allow the script to get the file descriptor from the http deamon +# and send sigchild to http deamon +################################################################# +allow openca_ca_t httpd_t:process sigchld; +allow openca_ca_t httpd_t:fd use; +allow openca_ca_t httpd_t:fifo_file {getattr write}; + +############################################ +# Allow scripts to append to http logs +######################################### +allow openca_ca_t httpd_log_t:file { append getattr }; + +############################################################# +# Allow the script access to the library files so it can run +############################################################# +can_exec(openca_ca_t, lib_t) + 
+######################################################################## +# The script needs to inherit the file descriptor and find the script it +# needs to run +######################################################################## +allow openca_ca_t initrc_t:fd use; +allow openca_ca_t init_t:fd use; +allow openca_ca_t default_t:dir r_dir_perms; +allow openca_ca_t random_device_t:chr_file r_file_perms; + +####################################################################### +# Allow the script to return its output +###################################################################### +#allow openca_ca_t httpd_var_run_t: file rw_file_perms; +allow openca_ca_t null_device_t: chr_file rw_file_perms; +allow openca_ca_t httpd_cache_t: file rw_file_perms; + +########################################################################### +# Allow the script interpreters to run the scripts. So +# the perl executable will be able to run a perl script +######################################################################### +can_exec(openca_ca_t, bin_t) + +############################################################################ +# Allow the script process to search the cgi directory, and users directory +############################################################################## +allow openca_ca_t openca_ca_exec_t:dir search; + +# +# Allow access to writeable files under /etc/openca +# +allow openca_ca_t openca_etc_writeable_t:file create_file_perms; +allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms; + +# +# Allow access to other files under /etc/openca +# +allow openca_ca_t openca_etc_t:file r_file_perms; +allow openca_ca_t openca_etc_t:dir r_dir_perms; + +# +# Allow access to private CA key +# +allow openca_ca_t openca_var_lib_keys_t:file create_file_perms; +allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms; + +# +# Allow access to other /var/lib/openca files +# +allow openca_ca_t openca_var_lib_t:file create_file_perms; +allow 
openca_ca_t openca_var_lib_t:dir create_dir_perms; + +# +# Allow access to other /usr/share/openca files +# +allow openca_ca_t openca_usr_share_t:file r_file_perms; +allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms; +allow openca_ca_t openca_usr_share_t:dir r_dir_perms; + +# /etc/openca standard files +type openca_etc_t, file_type, sysadmfile; + +# /etc/openca template files +type openca_etc_in_t, file_type, sysadmfile; + +# /etc/openca writeable (from CGI script) files +type openca_etc_writeable_t, file_type, sysadmfile; + +# /var/lib/openca +type openca_var_lib_t, file_type, sysadmfile; + +# /var/lib/openca/crypto/keys +type openca_var_lib_keys_t, file_type, sysadmfile; + +# /usr/share/openca/crypto/keys +type openca_usr_share_t, file_type, sysadmfile; diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te new file mode 100644 index 0000000..241c8f2 --- /dev/null +++ b/strict/domains/program/unused/openvpn.te 
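Review bot: openca-ca.te gives the web-reachable CGI domain full write access to the CA private key: "allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;" and the matching dir rule under "# Allow access to private CA key". A script that httpd_t transitions into should be able to read the key at most; if key generation is driven from the web interface, that step deserves its own domain so the everyday signing path cannot overwrite or delete the key. Other points in the same file: "type openca_ca_exec_t, file_type, sysadmfile;" lacks the exec_type attribute every other exec type in this patch carries; the explicit execute/getattr/read and process transition rules for httpd_t are already granted by the domain_auto_trans above them; "allow httpd_t bin_t:file { read execute };" changes httpd_t policy from an unrelated file and belongs in apache.te; the r_dir_perms grant on default_t suggests files under openca's directories are unlabelled and need file_contexts entries instead; openca_etc_in_t is declared but no rule uses it; and the comment on openca_usr_share_t says /usr/share/openca/crypto/keys where /usr/share/openca is meant.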
@@ -0,0 +1,41 @@ +#DESC OpenVPN - Firewall-friendly SSL-based VPN +# +# Author: Colin Walters +# +######################################## +# + +daemon_domain(openvpn) +etcdir_domain(openvpn) + +type openvpn_port_t, port_type; + +allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms; + +allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr }; +allow openvpn_t devpts_t:dir { search getattr }; +allow openvpn_t tun_tap_device_t:chr_file rw_file_perms; +allow openvpn_t proc_t:file { getattr read }; + +allow openvpn_t self:unix_dgram_socket create_socket_perms; +allow openvpn_t self:unix_stream_socket create_stream_socket_perms; +allow openvpn_t self:unix_dgram_socket sendto; +allow openvpn_t self:unix_stream_socket connectto; +allow openvpn_t self:capability { net_admin setgid setuid }; +r_dir_file(openvpn_t, sysctl_net_t) + +can_network_server(openvpn_t) +allow openvpn_t openvpn_port_t:udp_socket name_bind; + +# OpenVPN executes a lot of helper programs and scripts +allow openvpn_t { bin_t sbin_t }:dir { search getattr }; +allow openvpn_t bin_t:lnk_file { getattr read }; +can_exec(openvpn_t, { bin_t sbin_t shell_exec_t }) +# Do not transition to ifconfig_t, since then it needs +# permission to access openvpn_t:udp_socket, which seems +# worse. +can_exec(openvpn_t, ifconfig_exec_t) + +# The Fedora init script iterates over /etc/openvpn/*.conf, and +# starts a daemon for each file. +r_dir_file(initrc_t, openvpn_etc_t) diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te new file mode 100644 index 0000000..c75a8e9 --- /dev/null +++ b/strict/domains/program/unused/perdition.te 
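Review bot: openvpn.te only binds the UDP side of its port: "allow openvpn_t openvpn_port_t:udp_socket name_bind;" has no tcp_socket counterpart, so a server configured with a TCP transport fails at bind time. Either add "allow openvpn_t openvpn_port_t:tcp_socket name_bind;" or state in a comment that the policy is UDP-only by design. The reasoning given for "can_exec(openvpn_t, ifconfig_exec_t)" is good; the same reasoning applies to the up/down scripts run through "can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })", which execute with net_admin and tun device access, and deserves the same sentence.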
@@ -0,0 +1,30 @@ +#DESC Perdition POP and IMAP proxy +# +# Author: Russell Coker +# X-Debian-Packages: perdition +# + +################################# +# +# Rules for the perdition_t domain. +# +daemon_domain(perdition) + +allow perdition_t pop_port_t:tcp_socket name_bind; + +etc_domain(perdition) +typealias perdition_etc_t alias etc_perdition_t; + +# Use the network. +can_network_server(perdition_t) +allow perdition_t self:unix_stream_socket create_socket_perms; +allow perdition_t self:unix_dgram_socket create_socket_perms; + +# allow any domain to connect to the proxy +can_tcp_connect(userdomain, perdition_t) + +# Use capabilities +allow perdition_t self:capability { setgid setuid net_bind_service }; + +allow perdition_t etc_t:file { getattr read }; +allow perdition_t etc_t:lnk_file read; diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te new file mode 100644 index 0000000..a70597f --- /dev/null +++ b/strict/domains/program/unused/portslave.te 
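Review bot: perdition.te has a comment that promises more than the rule grants: "# allow any domain to connect to the proxy" sits above "can_tcp_connect(userdomain, perdition_t)", which covers user domains only, so a mail client running in a system domain would still be refused. Either widen the rule to match the comment or fix the comment to say user domains. Also, a POP/IMAP proxy must open outbound connections to the real mail servers; confirm that can_network_server covers the client side in this policy version, or add the client macro explicitly with a comment, since nothing in the file says where the upstream connections are allowed.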
@@ -0,0 +1,85 @@ +#DESC Portslave - Terminal server software +# +# Author: Russell Coker +# X-Debian-Packages: portslave +# Depends: pppd.te +# + +################################# +# +# Rules for the portslave_t domain. +# +daemon_base_domain(portslave, `, privmail, auth_chkpwd') + +type portslave_etc_t, file_type, sysadmfile; + +general_domain_access(portslave_t) +domain_auto_trans(init_t, portslave_exec_t, portslave_t) +ifdef(`rlogind.te', ` +domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t) +') +ifdef(`inetd.te', ` +domain_auto_trans(inetd_t, portslave_exec_t, portslave_t) +allow portslave_t inetd_t:tcp_socket { getattr read write }; +') + +allow portslave_t { etc_t etc_runtime_t }:file { read getattr }; +read_locale(portslave_t) +r_dir_file(portslave_t, portslave_etc_t) + +allow portslave_t pppd_etc_t:dir r_dir_perms; +allow portslave_t pppd_etc_rw_t:file { getattr read }; + +allow portslave_t proc_t:file { getattr read }; + +allow portslave_t { var_t var_log_t devpts_t }:dir search; + +allow portslave_t devtty_t:chr_file { setattr rw_file_perms }; + +allow portslave_t pppd_secret_t:file r_file_perms; + +can_network_server(portslave_t) +allow portslave_t fs_t:filesystem getattr; +ifdef(`radius.te', ` +can_udp_send(portslave_t, radiusd_t) +can_udp_send(radiusd_t, portslave_t) +') +# for rlogin etc +can_exec(portslave_t, { bin_t ssh_exec_t }) +# net_bind_service for rlogin +allow portslave_t self:capability { net_bind_service sys_tty_config }; +# for ssh +allow portslave_t urandom_device_t:chr_file read; +ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)') + +# for pppd +allow portslave_t self:capability { setuid setgid net_admin fsetid }; +allow portslave_t ppp_device_t:chr_file rw_file_perms; + +# for ~/.ppprc - if it actually exists then you need some policy to read it +allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; + +# for ctlportslave +dontaudit portslave_t self:capability sys_admin; + 
+file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file) +can_exec(portslave_t, { etc_t shell_exec_t }) + +# Run login in local_login_t domain. +#domain_auto_trans(portslave_t, login_exec_t, local_login_t) + +# Write to /var/run/utmp. +allow portslave_t initrc_var_run_t:file rw_file_perms; + +# Write to /var/log/wtmp. +allow portslave_t wtmp_t:file rw_file_perms; + +# Read and write ttys. +allow portslave_t tty_device_t:chr_file { setattr rw_file_perms }; +allow portslave_t ttyfile:chr_file rw_file_perms; + + +rw_dir_create_file(portslave_t, var_lock_t) +can_exec(portslave_t, pppd_exec_t) +allow portslave_t { bin_t sbin_t }:dir search; +allow portslave_t bin_t:lnk_file read; diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te new file mode 100644 index 0000000..5176665 --- /dev/null +++ b/strict/domains/program/unused/postgrey.te @@ -0,0 +1,32 @@ +#DESC postgrey - Postfix Grey-listing server +# +# Author: Russell Coker +# X-Debian-Packages: postgrey + +type postgrey_port_t, port_type; + +daemon_domain(postgrey) + +allow postgrey_t urandom_device_t:chr_file { getattr read }; + +# for perl +allow postgrey_t sbin_t:dir search; +allow postgrey_t usr_t:{ file lnk_file } { getattr read }; +dontaudit postgrey_t usr_t:file ioctl; + +allow postgrey_t { etc_t etc_runtime_t }:file { getattr read }; +etcdir_domain(postgrey) + +can_network_server_tcp(postgrey_t) +can_ypbind(postgrey_t) +allow postgrey_t postgrey_port_t:tcp_socket name_bind; +allow postgrey_t self:unix_dgram_socket create_socket_perms; +allow postgrey_t self:unix_stream_socket create_stream_socket_perms; +allow postgrey_t proc_t:file { getattr read }; + +allow postgrey_t self:capability { chown setgid setuid }; +dontaudit postgrey_t self:capability sys_tty_config; + +var_lib_domain(postgrey) + +allow postgrey_t tmp_t:dir getattr; 
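Review bot: portslave.te grants "can_exec(portslave_t, { etc_t shell_exec_t })", which makes every file of type etc_t executable inside the domain; the file already declares "type portslave_etc_t, file_type, sysadmfile;" for its own configuration, so label the scripts portslave runs with that type (or a dedicated exec type) and use can_exec on it instead of all of /etc. The commented-out "#domain_auto_trans(portslave_t, login_exec_t, local_login_t)" also needs an explanation: with it disabled, and auth_chkpwd plus can_exec on bin_t and ssh_exec_t granted, the file does not show how a dial-in session ends up in a user domain rather than staying in portslave_t. Lastly, "rw_dir_create_file(portslave_t, var_lock_t)" creates lock files directly as var_lock_t; lcd.te in this patch uses lock_domain() to give lock files a private type, and the same fits here.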
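Review bot: postgrey.te defines the listener ("type postgrey_port_t, port_type;" and "allow postgrey_t postgrey_port_t:tcp_socket name_bind;") but contains nothing that lets the Postfix side connect to it, even though the DESC line calls it a Postfix grey-listing server. Unless postfix.te already carries a can_tcp_connect(..., postgrey_t) rule, add an ifdef(`postfix.te', ...) block here with the connect rule for the Postfix smtpd domain, the way jabberd.te and nessusd.te pair their listeners with can_tcp_connect. The trailing "allow postgrey_t tmp_t:dir getattr;" has no comment; say what stat()s /tmp (presumably Perl's temporary-file handling) or make it a dontaudit.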
diff --git a/strict/domains/program/unused/pump.te b/strict/domains/program/unused/pump.te new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/strict/domains/program/unused/pump.te diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te new file mode 100644 index 0000000..27d39d2 --- /dev/null +++ b/strict/domains/program/unused/pxe.te @@ -0,0 +1,22 @@ +#DESC PXE - a server for the PXE network boot protocol +# +# Author: Russell Coker +# X-Debian-Packages: pxe +# + +################################# +# +# Rules for the pxe_t domain. +# +daemon_domain(pxe) + +type pxe_port_t, port_type; +allow pxe_t pxe_port_t:udp_socket name_bind; + +allow pxe_t etc_t:file { getattr read }; + +allow pxe_t self:capability { chown setgid setuid }; + +allow pxe_t zero_device_t:chr_file rw_file_perms; + +log_domain(pxe) diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te new file mode 100644 index 0000000..b93321b --- /dev/null +++ b/strict/domains/program/unused/qmail.te 
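Review bot: pump.te is added as an empty file (blob e69de29 is git's empty blob), so it contributes no policy at all; if it is ever copied out of unused/ into the active set, any ifdef(`pump.te', ...) block elsewhere is switched on while pump_t is never declared. Either populate it with rules for the pump DHCP client or drop it from the patch.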
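Review bot: pxe.te never grants the domain any network access: it declares "type pxe_port_t, port_type;" and "allow pxe_t pxe_port_t:udp_socket name_bind;", but unlike every other network daemon in this patch there is no can_network_server(pxe_t), so pxe_t cannot create the UDP socket it is allowed to bind, nor send or receive on any interface. Add can_network_server(pxe_t), and can_ypbind if the package does NIS lookups. Also "allow pxe_t zero_device_t:chr_file rw_file_perms;" grants write on /dev/zero, where read for anonymous mappings is what programs normally need; trim to r_file_perms unless writes were actually observed.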
@@ -0,0 +1,198 @@ +#DESC Qmail - Mail server +# +# Author: Russell Coker +# X-Debian-Packages: qmail-src qmail +# Depends: inetd.te mta.te +# + + +# Type for files created during execution of qmail. +type qmail_var_run_t, file_type, sysadmfile, pidfile; + +type qmail_etc_t, file_type, sysadmfile; +typealias qmail_etc_t alias etc_qmail_t; + +allow inetd_t smtp_port_t:tcp_socket name_bind; + +type qmail_exec_t, file_type, sysadmfile, exec_type; +type qmail_spool_t, file_type, sysadmfile; +type var_qmail_t, file_type, sysadmfile; + +define(`qmaild_sub_domain', ` +daemon_sub_domain($1, $2, `$3') +allow $2_t qmail_etc_t:dir { getattr search }; +allow $2_t qmail_etc_t:{ lnk_file file } { getattr read }; +allow $2_t { var_t var_spool_t }:dir search; +allow $2_t console_device_t:chr_file rw_file_perms; +allow $2_t fs_t:filesystem getattr; +') + +################################# +# +# Rules for the qmail_$1_t domain. +# +# qmail_$1_exec_t is the type of the qmail_$1 executables. +# +define(`qmail_daemon_domain', ` +qmaild_sub_domain(qmail_start_t, qmail_$1, `$2') +allow qmail_$1_t qmail_start_t:fifo_file { read write }; +')dnl + + +daemon_base_domain(qmail_start) + +allow qmail_start_t self:capability { setgid setuid }; +allow qmail_start_t { bin_t sbin_t }:dir search; +allow qmail_start_t qmail_etc_t:dir search; +allow qmail_start_t qmail_etc_t:file { getattr read }; +can_exec(qmail_start_t, qmail_start_exec_t) +allow qmail_start_t self:fifo_file { getattr read write }; + +qmail_daemon_domain(lspawn, `, mta_delivery_agent') +allow qmail_lspawn_t self:fifo_file { read write }; +allow qmail_lspawn_t self:capability { setuid setgid }; +allow qmail_lspawn_t self:process { fork signal_perms }; +allow qmail_lspawn_t sbin_t:dir search; +can_exec(qmail_lspawn_t, qmail_exec_t) +allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; +allow qmail_lspawn_t qmail_spool_t:dir search; +allow qmail_lspawn_t qmail_spool_t:file { read getattr }; +allow qmail_lspawn_t etc_t:file 
{ getattr read }; +allow qmail_lspawn_t tmp_t:dir getattr; +dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search }; + +qmail_daemon_domain(send, `, mail_server_sender') +rw_dir_create_file(qmail_send_t, qmail_spool_t) +allow qmail_send_t qmail_spool_t:fifo_file read; +allow qmail_send_t self:process { fork signal_perms }; +allow qmail_send_t self:fifo_file write; +domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_send_t sbin_t:dir search; + +qmail_daemon_domain(splogger) +allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; +allow qmail_splogger_t etc_t:lnk_file read; +dontaudit qmail_splogger_t initrc_t:fd use; +read_locale(qmail_splogger_t) + +qmail_daemon_domain(rspawn) +allow qmail_rspawn_t qmail_spool_t:dir search; +allow qmail_rspawn_t qmail_spool_t:file rw_file_perms; +allow qmail_rspawn_t self:process { fork signal_perms }; +allow qmail_rspawn_t self:fifo_file read; +allow qmail_rspawn_t { bin_t sbin_t }:dir search; + +qmaild_sub_domain(qmail_rspawn_t, qmail_remote) +allow qmail_rspawn_t qmail_remote_exec_t:file read; +can_network_server(qmail_remote_t) +can_ypbind(qmail_remote_t) +allow qmail_remote_t qmail_spool_t:dir search; +allow qmail_remote_t qmail_spool_t:file rw_file_perms; +allow qmail_remote_t self:tcp_socket create_socket_perms; +allow qmail_remote_t self:udp_socket create_socket_perms; + +qmail_daemon_domain(clean) +allow qmail_clean_t qmail_spool_t:dir rw_dir_perms; +allow qmail_clean_t qmail_spool_t:file { unlink read getattr }; + +# privhome will do until we get a separate maildir type +qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent') +allow qmail_lspawn_t qmail_local_exec_t:file read; +allow qmail_local_t self:process { fork signal_perms }; +domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_local_t qmail_queue_exec_t:file read; +allow qmail_local_t qmail_spool_t:file { ioctl read }; +allow qmail_local_t self:fifo_file 
write; +allow qmail_local_t sbin_t:dir search; +allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; +allow qmail_local_t etc_t:file { getattr read }; + +# for piping mail to a command +can_exec(qmail_local_t, shell_exec_t) +allow qmail_local_t bin_t:dir search; +allow qmail_local_t bin_t:lnk_file read; +allow qmail_local_t devtty_t:chr_file rw_file_perms; +allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read }; + +ifdef(`tcpd.te', ` +qmaild_sub_domain(tcpd_t, qmail_tcp_env) +# bug +can_exec(tcpd_t, tcpd_exec_t) +', ` +qmaild_sub_domain(inetd_t, qmail_tcp_env) +') +allow qmail_tcp_env_t inetd_t:fd use; +allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr }; +allow qmail_tcp_env_t inetd_t:process sigchld; +allow qmail_tcp_env_t sbin_t:dir search; +can_network_server(qmail_tcp_env_t) +can_ypbind(qmail_tcp_env_t) + +qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd) +allow qmail_tcp_env_t qmail_smtpd_exec_t:file read; +can_network_server(qmail_smtpd_t) +can_ypbind(qmail_smtpd_t) +allow qmail_smtpd_t inetd_t:fd use; +allow qmail_smtpd_t inetd_t:tcp_socket { read write }; +allow qmail_smtpd_t inetd_t:process sigchld; +allow qmail_smtpd_t self:process { fork signal_perms }; +allow qmail_smtpd_t self:fifo_file write; +allow qmail_smtpd_t self:tcp_socket create_socket_perms; +allow qmail_smtpd_t sbin_t:dir search; +domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t) +allow qmail_smtpd_t qmail_queue_exec_t:file read; + +qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent') +allow qmail_inject_t self:process { fork signal_perms }; +allow qmail_inject_t self:fifo_file write; +allow qmail_inject_t sbin_t:dir search; +role sysadm_r types qmail_inject_t; +in_user_role(qmail_inject_t) + +qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent') +in_user_role(qmail_qread_t) +role sysadm_r types qmail_qread_t; +r_dir_file(qmail_qread_t, qmail_spool_t) +allow qmail_qread_t self:capability dac_override; +allow 
qmail_qread_t privfd:fd use; + +qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent') +role sysadm_r types qmail_queue_t; +in_user_role(qmail_queue_t) +allow qmail_inject_t qmail_queue_exec_t:file read; +rw_dir_create_file(qmail_queue_t, qmail_spool_t) +allow qmail_queue_t qmail_spool_t:fifo_file { read write }; +allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use; +allow qmail_queue_t qmail_lspawn_t:fifo_file write; +allow qmail_queue_t qmail_start_t:fifo_file { read write }; +allow qmail_queue_t privfd:fd use; +allow qmail_queue_t crond_t:fifo_file { read write }; +allow qmail_queue_t inetd_t:fd use; +allow qmail_queue_t inetd_t:tcp_socket { read write }; +allow qmail_queue_t sysadm_t:fd use; +allow qmail_queue_t sysadm_t:fifo_file write; + +allow user_crond_t qmail_etc_t:dir search; +allow user_crond_t qmail_etc_t:file read; + +qmaild_sub_domain(user_crond_t, qmail_serialmail) +in_user_role(qmail_serialmail_t) +can_network_server(qmail_serialmail_t) +can_ypbind(qmail_serialmail_t) +can_exec(qmail_serialmail_t, qmail_serialmail_exec_t) +allow qmail_serialmail_t self:process { fork signal_perms }; +allow qmail_serialmail_t proc_t:file { getattr read }; +allow qmail_serialmail_t etc_runtime_t:file { getattr read }; +allow qmail_serialmail_t home_root_t:dir search; +allow qmail_serialmail_t user_home_dir_type:dir { search read getattr }; +rw_dir_create_file(qmail_serialmail_t, user_home_type) +allow qmail_serialmail_t self:fifo_file { read write }; +allow qmail_serialmail_t self:udp_socket create_socket_perms; +allow qmail_serialmail_t self:tcp_socket create_socket_perms; +allow qmail_serialmail_t privfd:fd use; +allow qmail_serialmail_t crond_t:fifo_file { read write ioctl }; +allow qmail_serialmail_t devtty_t:chr_file { read write }; + +# for tcpclient +can_exec(qmail_serialmail_t, bin_t) +allow qmail_serialmail_t bin_t:dir search; 
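Review bot: the "for piping mail to a command" block in qmail_local_t runs .qmail delivery commands through can_exec(qmail_local_t, shell_exec_t) with no domain transition, so every command a user places in a .qmail file inherits qmail_local_t, including its privhome attribute and its queue entry via domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t). Either transition those commands into a per-user domain or add a comment stating that this is an accepted trade-off until a maildir type exists (the "privhome will do" comment hints at it but does not say so). Two smaller points: the "# bug" line above can_exec(tcpd_t, tcpd_exec_t) in the tcpd.te branch should say what the bug is and why tcpd_t must re-execute its own binary; and allow $2_t console_device_t:chr_file rw_file_perms; inside qmaild_sub_domain hands console read/write to every qmail sub-domain, including the user-role ones (qmail_inject_t, qmail_qread_t, qmail_queue_t), so consider granting it only to the daemons that actually write to the console.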
diff --git a/strict/domains/program/unused/resmgrd.te b/strict/domains/program/unused/resmgrd.te new file mode 100644 index 0000000..9224ad3 --- /dev/null +++ b/strict/domains/program/unused/resmgrd.te @@ -0,0 +1,25 @@ +# DESC resmgrd - resource manager daemon +# +# Author: Thomas Bleher + +daemon_base_domain(resmgrd) +var_run_domain(resmgrd, { file sock_file }) +etc_domain(resmgrd) +read_locale(resmgrd_t) +allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio }; + +allow resmgrd_t etc_t:file { getattr read }; +allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; +allow resmgrd_t self:unix_dgram_socket create_socket_perms; + +# hardware access +allow resmgrd_t device_t:lnk_file { getattr read }; +# not sure if it needs write access, needs to be investigated further... +allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write }; +allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write }; +allow resmgrd_t scanner_device_t:chr_file { getattr }; +# I think a dontaudit should be enough there +dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read }; + +# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te + diff --git a/strict/domains/program/unused/rssh.te b/strict/domains/program/unused/rssh.te new file mode 100644 index 0000000..73bab4a --- /dev/null +++ b/strict/domains/program/unused/rssh.te @@ -0,0 +1,13 @@ +#DESC Rssh - Restricted (scp/sftp) only shell +# +# Authors: Colin Walters +# X-Debian-Package: rssh +# + +type rssh_exec_t, file_type, sysadmfile, exec_type; + +ifdef(`ssh.te',` +allow sshd_t rssh_exec_t:file r_file_perms; +') + +# See rssh_macros.te for the rest. diff --git a/strict/domains/program/unused/scannerdaemon.te b/strict/domains/program/unused/scannerdaemon.te new file mode 100644 index 0000000..6245e8b --- /dev/null +++ b/strict/domains/program/unused/scannerdaemon.te 
@@ -0,0 +1,58 @@ +#DESC Scannerdaemon - Virus scanner daemon +# +# Author: Brian May +# X-Debian-Packages: +# + +################################# +# +# Rules for the scannerdaemon_t domain. +# +type scannerdaemon_etc_t, file_type, sysadmfile; + +#networking +daemon_domain(scannerdaemon) +can_network_server(scannerdaemon_t) +ifdef(`postfix.te', +`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);') + +# for testing +can_tcp_connect(sysadm_t,scannerdaemon_t) + +# Can create unix sockets +allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms; + +# Access config files (libc6). +allow scannerdaemon_t etc_t:file r_file_perms; +allow scannerdaemon_t etc_t:lnk_file r_file_perms; +allow scannerdaemon_t proc_t:file r_file_perms; +allow scannerdaemon_t etc_runtime_t:file r_file_perms; + +# Access config files (scannerdaemon). +allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms; + +# Access signature files. +ifdef(`oav-update.te',` +allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms; +allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms; +') + +log_domain(scannerdaemon) +ifdef(`logrotate.te', ` +allow logrotate_t scannerdaemon_log_t:file create_file_perms; +') + +# Can run kaffe +# Run helper programs. +can_exec_any(scannerdaemon_t) +allow scannerdaemon_t var_lib_t:dir search; +allow scannerdaemon_t { sbin_t bin_t }:dir search; +allow scannerdaemon_t bin_t:lnk_file read; + +# unknown stuff +allow scannerdaemon_t self:fifo_file { read write }; + +# broken stuff +dontaudit scannerdaemon_t sysadm_home_dir_t:dir search; +dontaudit scannerdaemon_t devtty_t:chr_file { read write }; +dontaudit scannerdaemon_t shadow_t:file { read getattr }; diff --git a/strict/domains/program/unused/seuser.te b/strict/domains/program/unused/seuser.te new file mode 100644 index 0000000..dc87742 --- /dev/null +++ b/strict/domains/program/unused/seuser.te 
@@ -0,0 +1,148 @@ +#DESC SE Linux User Manager (seuser) +#DEPENDS checkpolicy.te load_policy.te +# +# Authors: don.patterson@tresys.com, mayerf@tresys.com +# Additions: wsalamon@tislabs.com, dac@tresys.com + +# + +################################# +# +# Rules for the seuser_t domain. +# +# seuser_t is the domain of the seuser application when it is executed. +# seuser_conf_t is the type of the seuser configuration file. +# seuser_exec_t is the type of the seuser executable. +# seuser_tmp_t is the type of the temporary file(s) created by seuser. +# +############################################## +# Define types, and typical rules including +# access to execute and transition +############################################## + +# Defined seuser types +type seuser_t, domain, privhome ; +type seuser_conf_t, file_type, sysadmfile ; +type seuser_exec_t, file_type, sysadmfile, exec_type ; +tmp_domain(seuser) + +# Authorize roles +role sysadm_r types seuser_t ; + +# Allow sysadm_t to run with privilege +domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t) + +# Grant the new domain permissions to many common operations +# FIX: Should be more resticted than this. 
+#every_domain(seuser_t) +allow seuser_t self:process { fork sigchld }; +allow seuser_t self:fifo_file read; +allow seuser_t self:unix_stream_socket {create connect}; +allow seuser_t self:dir search; +allow seuser_t self:file { read getattr }; + +allow seuser_t etc_t:dir search; +allow seuser_t etc_t:{lnk_file file} { read getattr}; +read_locale(seuser_t) +allow seuser_t { var_run_t var_t}:dir search; + +uses_shlib(seuser_t) + +allow seuser_t devtty_t:chr_file {read write }; +allow seuser_t proc_t:dir search; +allow seuser_t proc_t:{lnk_file file} { getattr read }; + +allow seuser_t root_t:dir search; +allow seuser_t staff_home_dir_t:dir search; +allow seuser_t home_root_t:dir { getattr search }; +allow seuser_t staff_home_dir_t:dir getattr; +allow seuser_t default_t:file {read getattr}; + +allow seuser_t bin_t:dir { getattr search read} ; +allow seuser_t bin_t:lnk_file { read getattr }; +allow seuser_t sbin_t:dir search; + +# Inherit and use descriptors from login. +allow seuser_t privfd:fd use; + +############################################### + +# Use capabilities to self +allow seuser_t self:capability { dac_override setuid setgid } ; + +# Grant the seuser domain ability to change passwords for a user. +allow seuser_t self:passwd { passwd chfn chsh } ; + +# Read permissions for seuser.conf file +allow seuser_t seuser_conf_t:file r_file_perms ; + + +################################################################### +# Policy section: Define the ability to change and load policies +################################################################### + +# seuser_t domain needs to transition to the checkpolicy and loadpolicy +# domains in order to install and load new policies. +domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t) +domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t) + +# allow load_policy and checkpolicy domains access to seuser_tmp_t +# files in order for their stdout/stderr able to be put into +# seuser's tmp files. 
+# +# Since both these domains carefully try to limit where the +# assoicated program can read from, we won't use the standard +# rw_file_perm macro, but instead only grant the minimum needed +# to redirect output, write and getattr. +allow checkpolicy_t seuser_tmp_t:file { getattr write } ; +allow load_policy_t seuser_tmp_t:file { getattr write } ; +allow useradd_t seuser_tmp_t:file { getattr write } ; + + +# FIX: Temporarily allow seuser_t permissions for executing programs with a +# bint_t type without changing domains. We have to give seuser_t the following +# access because we use the policy make process to build new plicy.conf files. +# At some point, a new policy management infrastructure should remove the ability +# to modify policy source files with arbitrary progams +# +can_exec(seuser_t, bin_t) +can_exec(seuser_t, shell_exec_t) + + +# Read/write permission to the login context files in /etc/security +allow seuser_t login_contexts:file create_file_perms ; + +# Read/write permission to the policy source and its' directory +allow seuser_t policy_src_t:dir create_dir_perms ; +allow seuser_t policy_src_t:file create_file_perms ; + +# Allow search and stat for policy_config_t +allow seuser_t policy_config_t:dir { search getattr } ; +allow seuser_t policy_config_t:file stat_file_perms; + + +#ifdef(`xserver.te', ` +############################################################ +# Xserver section - To support our GUI interface, +############################################################ +# Permission to create files in /tmp/.X11-Unix +#allow seuser_t sysadm_xserver_tmp_t:dir search ; +#allow seuser_t sysadm_xserver_tmp_t:sock_file write ; +#allow seuser_t user_xserver_tmp_t:dir search ; +#allow seuser_t user_xserver_tmp_t:sock_file write ; + +# Permission to establish a Unix stream connection to X server +#can_unix_connect(seuser_t, user_xserver_t) +#can_unix_connect(seuser_t, sysadm_xserver_t) +#') +ifdef(`xdm.te', ` +can_unix_connect(seuser_t, xdm_xserver_t) 
+') + +# seuser_t domain needs execute access to the library files so that it can run. +can_exec(seuser_t, lib_t) + +# Access ttys +allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ; +allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ; + diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te new file mode 100644 index 0000000..d0ddd69 --- /dev/null +++ b/strict/domains/program/unused/snort.te @@ -0,0 +1,33 @@ +#DESC Snort - Network sniffer +# +# Author: Shaun Savage +# Modified by Russell Coker +# X-Debian-Packages: snort-common +# + +daemon_domain(snort) + +logdir_domain(snort) +allow snort_t snort_log_t:dir create; +can_network_server(snort_t) +type snort_etc_t, file_type, sysadmfile; + +# Create temporary files. +tmp_domain(snort) + +# use iptable netlink +allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow snort_t self:packet_socket create_socket_perms; +allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; + +r_dir_file(snort_t, snort_etc_t) +allow snort_t etc_t:file { getattr read }; +allow snort_t etc_t:lnk_file read; + +allow snort_t self:unix_dgram_socket create_socket_perms; +allow snort_t self:unix_stream_socket create_socket_perms; + +# for start script +allow initrc_t snort_etc_t:file read; + +dontaudit snort_t { etc_runtime_t proc_t }:file read; diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te new file mode 100644 index 0000000..09894f0 --- /dev/null +++ b/strict/domains/program/unused/sound-server.te 
@@ -0,0 +1,43 @@ +#DESC sound server - for network audio server programs, nasd, yiff, etc +# +# Author: Russell Coker +# + +################################# +# +# Rules for the soundd_t domain. +# +# soundd_exec_t is the type of the soundd executable. +# +daemon_domain(soundd) + +type soundd_port_t, port_type; +allow soundd_t soundd_port_t:tcp_socket name_bind; + +type etc_soundd_t, file_type, sysadmfile; +type soundd_state_t, file_type, sysadmfile; + +tmp_domain(soundd) +rw_dir_create_file(soundd_t, soundd_state_t) + +allow soundd_t sound_device_t:chr_file rw_file_perms; +allow soundd_t device_t:lnk_file read; + +# Use the network. +can_network_server(soundd_t) +allow soundd_t self:unix_stream_socket create_stream_socket_perms; +allow soundd_t self:unix_dgram_socket create_socket_perms; +# allow any domain to connect to the sound server +can_tcp_connect(userdomain, soundd_t) + +allow soundd_t self:process setpgid; + +# read config files +allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms; + +allow soundd_t etc_t:dir r_dir_perms; +r_dir_file(soundd_t, etc_soundd_t) + +# for yiff - probably need some rules for the client support too +allow soundd_t self:shm create_shm_perms; +tmpfs_domain(soundd) diff --git a/strict/domains/program/unused/speedmgmt.te b/strict/domains/program/unused/speedmgmt.te new file mode 100644 index 0000000..6d399fb --- /dev/null +++ b/strict/domains/program/unused/speedmgmt.te 
@@ -0,0 +1,26 @@ +#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem +# +# Author: Russell Coker +# + +################################# +# +# Rules for the speedmgmt_t domain. +# +# speedmgmt_exec_t is the type of the speedmgmt executable. +# +daemon_domain(speedmgmt) +tmp_domain(speedmgmt) + +# for accessing USB +allow speedmgmt_t proc_t:dir r_dir_perms; +allow speedmgmt_t usbdevfs_t:file rw_file_perms; +allow speedmgmt_t usbdevfs_t:dir r_dir_perms; + +allow speedmgmt_t usr_t:file r_file_perms; + +allow speedmgmt_t self:unix_dgram_socket create_socket_perms; + +# allow time +allow speedmgmt_t etc_t:dir r_dir_perms; +allow speedmgmt_t etc_t:lnk_file r_file_perms; diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te new file mode 100644 index 0000000..c827eae --- /dev/null +++ b/strict/domains/program/unused/sxid.te 
@@ -0,0 +1,61 @@ +#DESC Sxid - SUID/SGID program monitoring +# +# Author: Russell Coker +# X-Debian-Packages: sxid +# + +################################# +# +# Rules for the sxid_t domain. +# +# sxid_exec_t is the type of the sxid executable. +# +daemon_base_domain(sxid, `, privmail') +tmp_domain(sxid) + +allow sxid_t fs_t:filesystem getattr; + +ifdef(`crond.te', ` +system_crond_entry(sxid_exec_t, sxid_t) +') +#allow system_crond_t sxid_log_t:file create_file_perms; + +read_locale(sxid_t) + +can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t }) +allow sxid_t bin_t:lnk_file read; + +log_domain(sxid) + +allow sxid_t file_type:notdevfile_class_set getattr; +allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr; +allow sxid_t ttyfile:chr_file getattr; +allow sxid_t file_type:dir { getattr read search }; +allow sxid_t sysadmfile:file read; +allow sxid_t fs_type:dir { getattr read search }; + +# Use the network. +can_network_server(sxid_t) +allow sxid_t self:fifo_file rw_file_perms; +allow sxid_t self:unix_stream_socket create_socket_perms; + +allow sxid_t { proc_t self }:{ file lnk_file } { read getattr }; +read_sysctl(sxid_t) +allow sxid_t devtty_t:chr_file rw_file_perms; + +allow sxid_t self:capability { dac_override dac_read_search fsetid }; +dontaudit sxid_t self:capability { setuid setgid }; + +ifdef(`mta.te', ` +# sxid leaves an open file handle to /proc/mounts +dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr }; + +# allow mta to read the log files +allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read }; +# stop warnings if mailx is passed a read/write file handle +dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write; +') + +allow logrotate_t sxid_t:file { getattr write }; + +dontaudit sxid_t security_t:dir { getattr read search }; 
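Review bot: allow sxid_t sysadmfile:file read; grants sxid_t the contents of every sysadmfile-typed file, while a SUID/SGID scan only needs the metadata already provided by allow sxid_t file_type:notdevfile_class_set getattr; if read access is needed only for its own configuration and log, restrict the rule to those types. Also allow logrotate_t sxid_t:file { getattr write }; is unconditional, unlike the mta rules above it that are wrapped in ifdef(`mta.te'); wrap it in ifdef(`logrotate.te') as scannerdaemon.te does, and add a comment saying what sxid_t:file refers to, since the existing comment about the leaked /proc/mounts handle covers only the mta case.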
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te new file mode 100644 index 0000000..a8c101a --- /dev/null +++ b/strict/domains/program/unused/tinydns.te @@ -0,0 +1,58 @@ +#DESC TINYDNS - Name server for djbdns +# +# Authors: Matthew J. Fanto +# +# Based off Named policy file written by +# Yuichi Nakamura , +# Russell Coker +# X-Debian-Packages: djbdns-installer djbdns +# +# + +################################# +# +# Rules for the tinydns_t domain. +# +daemon_domain(tinydns) + +can_exec(tinydns_t, tinydns_exec_t) +allow tinydns_t sbin_t:dir search; + +allow tinydns_t self:process setsched; + +# A type for configuration files of tinydns. +type tinydns_conf_t, file_type, sysadmfile; + +# for primary zone files - the data file +type tinydns_zone_t, file_type, sysadmfile; + +allow tinydns_t etc_t:file { getattr read }; +allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read }; + +#tinydns can use network +can_network_server(tinydns_t) +allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind; +# allow UDP transfer to/from any program +can_udp_send(domain, tinydns_t) +can_udp_send(tinydns_t, domain) +# tinydns itself doesn't do zone transfers +# so we don't need to have it tcp_connect + +#read configuration files +r_dir_file(tinydns_t, tinydns_conf_t) + +r_dir_file(tinydns_t, tinydns_zone_t) + +# allow tinydns to create datagram sockets (udp) +# allow tinydns_t self:unix_stream_socket create_stream_socket_perms; +allow tinydns_t self:unix_dgram_socket create_socket_perms; + +# Read /dev/random. +allow tinydns_t device_t:dir r_dir_perms; +allow tinydns_t random_device_t:chr_file r_file_perms; + +# Set own capabilities. +allow tinydns_t self:process setcap; + +# for chmod in start script +dontaudit initrc_t tinydns_var_run_t:dir setattr; diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te new file mode 100644 index 0000000..fb0710f --- /dev/null 
+++ b/strict/domains/program/unused/transproxy.te @@ -0,0 +1,38 @@ +#DESC Transproxy - Transparent proxy for web access +# +# Author: Russell Coker +# X-Debian-Packages: transproxy +# + +################################# +# +# Rules for the transproxy_t domain. +# +# transproxy_exec_t is the type of the transproxy executable. +# +daemon_domain(transproxy) + +type transproxy_port_t, port_type; + +# Use the network. +can_network_server_tcp(transproxy_t) +allow transproxy_t transproxy_port_t:tcp_socket name_bind; + +#allow transproxy_t self:fifo_file { read write }; +allow transproxy_t self:unix_stream_socket create_socket_perms; +allow transproxy_t self:unix_dgram_socket create_socket_perms; + +# Use capabilities +allow transproxy_t self:capability { setgid setuid }; +#allow transproxy_t self:process setsched; + +#allow transproxy_t proc_t:file r_file_perms; + +# read config files +allow transproxy_t etc_t:lnk_file read; +allow transproxy_t etc_t:file { read getattr }; + +#allow transproxy_t etc_t:dir r_dir_perms; + +#read_sysctl(transproxy_t) + diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te new file mode 100644 index 0000000..63ae6b7 --- /dev/null +++ b/strict/domains/program/unused/uml_net.te 
@@ -0,0 +1,30 @@ +#DESC uml_net helper program for user-mode Linux +# +# Author: Russell Coker +# +# WARNING: Do not install this file on any machine that has hostile users. + +type uml_net_t, domain, privlog; +type uml_net_exec_t, file_type, sysadmfile, exec_type; +in_user_role(uml_net_t) +allow uml_net_t self:process { fork signal_perms }; +allow uml_net_t { bin_t sbin_t }:dir search; +allow uml_net_t self:fifo_file { read write }; +allow uml_net_t device_t:dir search; +allow uml_net_t self:udp_socket { create ioctl }; +uses_shlib(uml_net_t) +allow uml_net_t devtty_t:chr_file { read write }; +allow uml_net_t etc_runtime_t:file { getattr read }; +allow uml_net_t etc_t:file read; +allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search; +allow uml_net_t proc_t:file { getattr read }; + +# if you want ip_forward to be set then you should set it yourself +dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search; +dontaudit uml_net_t sysctl_net_t:file write; + +dontaudit ifconfig_t uml_net_t:udp_socket { read write }; +dontaudit uml_net_t self:capability sys_module; + +allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl }; +can_exec(uml_net_t, { shell_exec_t sbin_t }) diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te new file mode 100644 index 0000000..c4bd79e --- /dev/null +++ b/strict/domains/program/unused/uptimed.te 
@@ -0,0 +1,36 @@ +#DESC uptimed - a uptime daemon +# +# Author: Carsten Grohmann +# +# Date: 19. June 2003 +# + +################################# +# +# General Types +# + +type etc_uptimed_t, file_type, sysadmfile; +type uptimed_spool_t, file_type, sysadmfile; + +################################# +# +# Rules for the uptimed_t domain. +# +daemon_domain(uptimed, `,privmail') +file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t) +allow uptimed_t { etc_uptimed_t proc_t }:file { getattr read }; +read_locale(uptimed_t) +allow uptimed_t uptimed_spool_t:file create_file_perms; +allow uptimed_t self:unix_dgram_socket create_socket_perms; + +# to send mail +can_exec(uptimed_t, shell_exec_t) +allow uptimed_t { bin_t sbin_t }:dir search; +allow uptimed_t bin_t:lnk_file read; +allow uptimed_t etc_runtime_t:file { getattr read }; +allow uptimed_t self:fifo_file { getattr write }; + +# rules for uprecords - it runs in the user context +allow userdomain uptimed_spool_t:dir search; +allow userdomain uptimed_spool_t:file { getattr read }; diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te new file mode 100644 index 0000000..7274d38 --- /dev/null +++ b/strict/domains/program/unused/uwimapd.te 
@@ -0,0 +1,46 @@ +#DESC uw-imapd-ssl server +# +# Author: Ed Street +# X-Debian-Packages: uw-imapd (was uw-imapd-ssl) +# Depends: inetd.te +# + +daemon_domain(imapd, `, auth_chkpwd, privhome') +tmp_domain(imapd) + +can_network_server_tcp(imapd_t) + +#declare our own services +allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +allow imapd_t pop_port_t:tcp_socket name_bind; + +#declare this a socket from inetd +allow imapd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow imapd_t self:unix_stream_socket create_socket_perms; +domain_auto_trans(inetd_t, imapd_exec_t, imapd_t) +ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)') + +#friendly stuff we dont want to see :) +dontaudit imapd_t bin_t:dir search; + +#read /etc/ for hostname nsswitch.conf +allow imapd_t etc_t:file { getattr read }; + +#socket i/o stuff +allow imapd_t inetd_t:tcp_socket { read write ioctl getattr }; + +#read resolv.conf +allow imapd_t net_conf_t:file { getattr read }; + +#urandom, for ssl +allow imapd_t random_device_t:chr_file read; +allow imapd_t urandom_device_t:chr_file { read getattr }; + +allow imapd_t self:fifo_file rw_file_perms; + +#mail directory +rw_dir_file(imapd_t, mail_spool_t) + +#home directory +allow imapd_t home_root_t:dir search; +allow imapd_t self:file { read getattr }; diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te new file mode 100644 index 0000000..2693382 --- /dev/null +++ b/strict/domains/program/unused/watchdog.te 
@@ -0,0 +1,52 @@ +#DESC Watchdog - Software watchdog daemon +# +# Author: Russell Coker +# X-Debian-Packages: watchdog +# + +################################# +# +# Rules for the watchdog_t domain. +# + +daemon_domain(watchdog, `, privmail') +type watchdog_device_t, device_type, dev_fs; + +log_domain(watchdog) + +allow watchdog_t etc_t:file r_file_perms; +allow watchdog_t etc_t:lnk_file read; +allow watchdog_t self:unix_dgram_socket create_socket_perms; + +allow watchdog_t proc_t:file r_file_perms; + +allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource }; +allow watchdog_t self:fifo_file rw_file_perms; +allow watchdog_t self:unix_stream_socket create_socket_perms; +can_network(watchdog_t) +can_ypbind(watchdog_t) +allow watchdog_t bin_t:dir search; +allow watchdog_t bin_t:lnk_file read; +allow watchdog_t init_t:process signal; +allow watchdog_t kernel_t:process sigstop; + +allow watchdog_t watchdog_device_t:chr_file { getattr write }; + +# for orderly shutdown +can_exec(watchdog_t, shell_exec_t) +allow watchdog_t domain:process { signal_perms getsession }; +allow watchdog_t self:capability kill; +allow watchdog_t sbin_t:dir search; + +# for updating mtab on umount +file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file) + +allow watchdog_t self:capability { sys_admin net_admin sys_boot }; +allow watchdog_t fixed_disk_device_t:blk_file swapon; +allow watchdog_t { proc_t fs_t }:filesystem unmount; + +# record the fact that we are going down +allow watchdog_t wtmp_t:file append; + +# do not care about saving the random seed +dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read; diff --git a/strict/domains/program/unused/xprint.te b/strict/domains/program/unused/xprint.te new file mode 100644 index 0000000..e1af323 --- /dev/null +++ b/strict/domains/program/unused/xprint.te 
@@ -0,0 +1,50 @@ +#DESC X print server +# +# Author: Russell Coker +# X-Debian-Packages: xprt-xprintorg +# + +################################# +# +# Rules for the xprint_t domain. +# +# xprint_exec_t is the type of the xprint executable. +# +daemon_domain(xprint) + +allow initrc_t readable_t:dir r_dir_perms; +allow initrc_t fonts_t:dir r_dir_perms; + +allow xprint_t var_lib_t:dir search; +allow xprint_t fonts_t:dir r_dir_perms; +allow xprint_t fonts_t:file { getattr read }; + +allow xprint_t { bin_t sbin_t }:dir search; +can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t }) +allow xprint_t bin_t:lnk_file { getattr read }; + +allow xprint_t tmp_t:dir { getattr search }; +ifdef(`xdm.te', ` +allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms; +allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms; +') + +# Use the network. +can_network_server(xprint_t) +can_ypbind(xprint_t) +allow xprint_t self:fifo_file rw_file_perms; +allow xprint_t self:unix_stream_socket create_stream_socket_perms; + +allow xprint_t proc_t:file { getattr read }; +allow xprint_t self:file { getattr read }; + +# read config files +allow xprint_t { etc_t etc_runtime_t }:file { getattr read }; +ifdef(`cups.te', ` +allow xprint_t cupsd_etc_t:dir search; +allow xprint_t cupsd_etc_t:file { getattr read }; +') + +r_dir_file(xprint_t, usr_t) + +allow xprint_t urandom_device_t:chr_file { getattr read }; diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te new file mode 100644 index 0000000..5c5c452 --- /dev/null +++ b/strict/domains/program/updfstab.te 
@@ -0,0 +1,74 @@ +#DESC updfstab - Red Hat utility to change /etc/fstab +# +# Author: Russell Coker +# + +daemon_base_domain(updfstab, `, fs_domain, etc_writer') + +rw_dir_create_file(updfstab_t, etc_t) +create_dir_file(updfstab_t, mnt_t) + +# Read /dev directories and modify sym-links +allow updfstab_t device_t:dir rw_dir_perms; +allow updfstab_t device_t:lnk_file create_file_perms; + +# Access disk devices. +allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms; +allow updfstab_t removable_device_t:blk_file rw_file_perms; +allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms; + +# for /proc/partitions +allow updfstab_t proc_t:file { getattr read }; + +# for /proc/self/mounts +r_dir_file(updfstab_t, self) + +# for /etc/mtab +allow updfstab_t etc_runtime_t:file { getattr read }; + +read_locale(updfstab_t) + +ifdef(`dbusd.te', ` +dbusd_client(system, updfstab) +allow updfstab_t system_dbusd_t:dbus { send_msg }; +') + +# not sure what the sysctl_kernel_t file is, or why it wants to write it, so +# I will not allow it +read_sysctl(updfstab_t) +dontaudit updfstab_t sysctl_kernel_t:file write; +allow updfstab_t modules_conf_t:file { getattr read }; +allow updfstab_t sbin_t:dir search; +allow updfstab_t sbin_t:lnk_file read; +allow updfstab_t { var_t var_log_t }:dir search; + +allow updfstab_t kernel_t:fd use; + +allow updfstab_t self:unix_stream_socket create_stream_socket_perms; +allow updfstab_t self:unix_dgram_socket create_socket_perms; + +ifdef(`modutil.te', ` +dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t) +can_exec(updfstab_t, insmod_exec_t) +allow updfstab_t modules_object_t:dir search; +allow updfstab_t modules_dep_t:file { getattr read }; +') + +ifdef(`pamconsole.te', ` +domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t) +') +allow updfstab_t kernel_t:system syslog_console; +allow updfstab_t sysadm_tty_device_t:chr_file { read write }; +allow updfstab_t self:capability dac_override; +dontaudit updfstab_t self:capability 
sys_admin; + +r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } ) +can_getsecurity(updfstab_t) + +allow updfstab_t { sbin_t bin_t }:dir { search getattr }; +dontaudit updfstab_t devtty_t:chr_file { read write }; +allow updfstab_t self:fifo_file { getattr read write ioctl }; +can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } ) +dontaudit updfstab_t home_root_t:dir { getattr search }; +dontaudit updfstab_t { home_dir_type home_type }:dir search; +allow updfstab_t fs_t:filesystem { getattr }; diff --git a/strict/domains/program/usbmodules.te b/strict/domains/program/usbmodules.te new file mode 100644 index 0000000..f76f56b --- /dev/null +++ b/strict/domains/program/usbmodules.te @@ -0,0 +1,35 @@ +#DESC USBModules - List kernel modules for USB devices +# +# Author: Russell Coker +# X-Debian-Packages: +# + +################################# +# +# Rules for the usbmodules_t domain. +# +type usbmodules_t, domain, privlog; +type usbmodules_exec_t, file_type, sysadmfile, exec_type; + +in_user_role(usbmodules_t) +role sysadm_r types usbmodules_t; +role system_r types usbmodules_t; + +domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t) +ifdef(`hotplug.te',` +domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t) +allow usbmodules_t hotplug_etc_t:file r_file_perms; +allow usbmodules_t hotplug_etc_t:dir search; +') +allow usbmodules_t init_t:fd use; +allow usbmodules_t console_device_t:chr_file { read write }; + +uses_shlib(usbmodules_t) + +# allow usb device access +allow usbmodules_t usbdevfs_t:file rw_file_perms; + +allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms; + +# needs etc_t read access for the hotplug config, maybe should have a new type +allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms; diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te new file mode 100644 index 0000000..2b1118f --- /dev/null +++ b/strict/domains/program/useradd.te 
@@ -0,0 +1,100 @@ +#DESC Useradd - Manage system user accounts +# +# Authors: Chris Vance David Caplan +# Russell Coker +# X-Debian-Packages: passwd +# + +################################# +# +# Rules for the useradd_t and groupadd_t domains. +# +# useradd_t is the domain of the useradd/userdel programs. +# groupadd_t is for adding groups (can not create home dirs) +# +define(`user_group_add_program', ` +type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain; +role sysadm_r types $1_t; +role system_r types $1_t; + +general_domain_access($1_t) +uses_shlib($1_t) + +type $1_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +domain_auto_trans(initrc_t, $1_exec_t, $1_t) + +# Use capabilities. +allow $1_t self:capability { dac_override chown kill }; + +# Allow access to context for shadow file +can_getsecurity($1_t) + +# Inherit and use descriptors from login. +allow $1_t { init_t privfd }:fd use; + +# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. +allow $1_t { bin_t sbin_t }:dir r_dir_perms; +can_exec($1_t, { bin_t sbin_t }) + +# Update /etc/shadow and /etc/passwd +file_type_auto_trans($1_t, etc_t, shadow_t, file) +allow $1_t etc_t:file create_file_perms; + +# some apps ask for these accesses, but seems to work regardless +dontaudit $1_t var_run_t:dir search; +r_dir_file($1_t, selinux_config_t) + +# Set fscreate context. +can_setfscreate($1_t) + +allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; + +read_locale($1_t) + +# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, +# but will operate without them. +dontaudit $1_t { device_t var_t var_log_t }:dir search; +allow useradd_t lastlog_t:file { read write }; + +# For userdel and groupadd +allow $1_t fs_t:filesystem getattr; + +# Access terminals. 
+allow $1_t ttyfile:chr_file rw_file_perms; +allow $1_t ptyfile:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +# for when /root is the cwd +dontaudit $1_t sysadm_home_dir_t:dir search; +') +user_group_add_program(useradd) + +# for getting the number of groups +read_sysctl(useradd_t) + +# Add/remove user home directories +file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) +file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) + +# create/delete mail spool file in /var/mail +allow useradd_t var_spool_t:dir search; +allow useradd_t mail_spool_t:dir { search write add_name remove_name }; +allow useradd_t mail_spool_t:file create_file_perms; +# /var/mail is a link to /var/spool/mail +allow useradd_t mail_spool_t:lnk_file read; + +allow useradd_t self:capability { fowner fsetid setuid sys_resource }; +can_exec(useradd_t, shell_exec_t) + +# /usr/bin/userdel locks the user being deleted, allow write access to utmp +allow useradd_t initrc_var_run_t:file { read write lock }; + +user_group_add_program(groupadd) + +dontaudit groupadd_t self:capability fsetid; + +allow groupadd_t self:capability { setuid sys_resource }; +allow groupadd_t self:process setrlimit; +allow groupadd_t initrc_var_run_t:file r_file_perms; +dontaudit groupadd_t initrc_var_run_t:file write; diff --git a/strict/domains/program/userhelper.te b/strict/domains/program/userhelper.te new file mode 100644 index 0000000..cab6c70 --- /dev/null +++ b/strict/domains/program/userhelper.te 
@@ -0,0 +1,22 @@ +#DESC Userhelper - SELinux utility to run a shell with a new role +# +# Authors: Dan Walsh (Red Hat) +# Maintained by Dan Walsh +# + +################################# +# +# Rules for the userhelper_t domain. +# +# userhelper_exec_t is the type of the userhelper executable. +# userhelper_conf_t is the type of the userhelper configuration files. +# +type userhelper_exec_t, file_type, exec_type, sysadmfile; +type userhelper_conf_t, file_type, sysadmfile; + +# Everything else is in the userhelper_domain macro in +# macros/program/userhelper_macros.te. + +ifdef(`xdm.te', ` +dontaudit xdm_t userhelper_conf_t:dir search; +') diff --git a/strict/domains/program/usernetctl.te b/strict/domains/program/usernetctl.te new file mode 100644 index 0000000..6a2c64f --- /dev/null +++ b/strict/domains/program/usernetctl.te 
@@ -0,0 +1,64 @@ +#DESC usernetctl - User network interface configuration helper +# +# Author: Colin Walters + +type usernetctl_exec_t, file_type, sysadmfile, exec_type; + +type usernetctl_t, domain, privfd; + +if (user_net_control) { +domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t) +} else { +can_exec(userdomain, usernetctl_exec_t) +} +in_user_role(usernetctl_t) +role sysadm_r types usernetctl_t; + +define(`usernetctl_transition',` +domain_auto_trans(usernetctl_t, $1_exec_t, $1_t) +in_user_role($1_t) +allow $1_t userpty_type:chr_file { getattr read write }; +') + +ifdef(`ifconfig.te',` +usernetctl_transition(ifconfig) +') +ifdef(`iptables.te',` +usernetctl_transition(iptables) +') +ifdef(`dhcpc.te',` +usernetctl_transition(dhcpc) +allow usernetctl_t dhcp_etc_t:file ra_file_perms; +') +ifdef(`modutil.te',` +usernetctl_transition(insmod) +') +ifdef(`consoletype.te',` +usernetctl_transition(consoletype) +') +ifdef(`hostname.te',` +usernetctl_transition(hostname) +') + +allow usernetctl_t self:capability { setuid setgid dac_override }; + +base_file_read_access(usernetctl_t) +base_pty_perms(usernetctl) +allow usernetctl_t devtty_t:chr_file rw_file_perms; +uses_shlib(usernetctl_t) +read_locale(usernetctl_t) +general_domain_access(usernetctl_t) + +r_dir_file(usernetctl_t, proc_t) +dontaudit usernetctl_t { domain - usernetctl_t }:dir search; + +allow usernetctl_t userpty_type:chr_file rw_file_perms; + +can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t}) +can_exec(usernetctl_t, etc_t) + +r_dir_file(usernetctl_t, etc_t) +allow usernetctl_t { var_t var_run_t }:dir { getattr read search }; +allow usernetctl_t etc_runtime_t:file r_file_perms; +allow usernetctl_t net_conf_t:file r_file_perms; + diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te new file mode 100644 index 0000000..eb1af02 --- /dev/null +++ b/strict/domains/program/utempter.te 
@@ -0,0 +1,52 @@ +#DESC Utempter - Privileged helper for utmp/wtmp updates +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: +# + +################################# +# +# Rules for the utempter_t domain. +# +# This is the domain for the utempter program. utempter is +# executed by xterm to update utmp and wtmp. +# utempter_exec_t is the type of the utempter binary. +# +type utempter_t, domain, nscd_client_domain; +in_user_role(utempter_t) +role sysadm_r types utempter_t; +uses_shlib(utempter_t) +type utempter_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(userdomain, utempter_exec_t, utempter_t) + +# Use capabilities. +allow utempter_t self:capability setgid; + +allow utempter_t etc_t:file { getattr read }; + +# Update /var/run/utmp and /var/log/wtmp. +allow utempter_t initrc_var_run_t:file rw_file_perms; +allow utempter_t var_log_t:dir search; +allow utempter_t wtmp_t:file rw_file_perms; + +# dontaudit access to /dev/ptmx. +dontaudit utempter_t ptmx_t:chr_file rw_file_perms; +dontaudit utempter_t sysadm_devpts_t:chr_file { read write }; + +# Allow utemper to write to /tmp/.xses-* +allow utempter_t user_tmpfile:file { getattr write append }; + +# Inherit and use descriptors from login. +allow utempter_t privfd:fd use; +ifdef(`xdm.te', ` +allow utempter_t xdm_t:fd use; +allow utempter_t xdm_t:fifo_file { write getattr }; +') + +allow utempter_t self:unix_stream_socket create_stream_socket_perms; + +# Access terminals. +allow utempter_t ttyfile:chr_file getattr; +allow utempter_t ptyfile:chr_file getattr; +allow utempter_t devpts_t:dir search; +dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write }; diff --git a/strict/domains/program/vmware.te b/strict/domains/program/vmware.te new file mode 100644 index 0000000..fcda9b8 --- /dev/null +++ b/strict/domains/program/vmware.te 
@@ -0,0 +1,52 @@ +#DESC VMWare - Virtual machine +# +# Domains,types and permissions for running VMWare (the program) and for +# running a SELinux system in a VMWare session (the VMWare-tools). +# +# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), +# modifications by NAI Labs. +# +# Domain is for the VMWare admin programs and daemons. +# X-Debian-Packages: +# +# NOTE: The user vmware domain is provided separately in +# macros/program/vmware_macros.te +# +# Next two domains are create by the daemon_domain() macro. +# The vmware_t domain is for running VMWare daemons +# The vmware_exec_t type is for the VMWare daemon and admin programs. +# +# quick hack making it privhome, should have a domain for each user in a macro +daemon_domain(vmware, `, privhome') + +# +# The vmware_user_exec_t type is for the user programs. +# +type vmware_user_exec_t, file_type, sysadmfile, exec_type; + +# Type for vmware devices. +type vmware_device_t, device_type, dev_fs; + +# The sys configuration used for the /etc/vmware configuration files +type vmware_sys_conf_t, file_type, sysadmfile; + +######################################################################### +# Additional rules to start/stop VMWare +# + +# Give init access to VMWare configuration files +allow initrc_t vmware_sys_conf_t:file { ioctl read append }; + +# +# Rules added to kernel_t domain for VMWare to start up +# +# VMWare need access to pcmcia devices for network +ifdef(`cardmgr.te', ` +allow kernel_t cardmgr_var_lib_t:dir { getattr search }; +allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; +') + +# Vmware create network devices +allow kernel_t self:capability net_admin; +allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow kernel_t self:socket create; diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te new file mode 100644 index 0000000..4ba342e --- /dev/null +++ b/strict/domains/program/vpnc.te 
@@ -0,0 +1,41 @@ +#DESC vpnc +# +# Author: Dan Walsh +# + +################################# +# +# Rules for the vpnc_t domain, et al. +# +# vpnc_t is the domain for the vpnc program. +# vpnc_exec_t is the type of the vpnc executable. +# +daemon_domain(vpnc) + +allow vpnc_t { random_device_t urandom_device_t }:chr_file read; + +# Use the network. +can_network(vpnc_t) +can_ypbind(vpnc_t) +allow vpnc_t self:socket create_socket_perms; + +# Use capabilities. +allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw }; + +allow vpnc_t devpts_t:dir search; +allow vpnc_t etc_t:file { getattr read }; +allow vpnc_t tun_tap_device_t:chr_file { ioctl read write }; +allow vpnc_t self:rawip_socket create_socket_perms; +allow vpnc_t self:unix_dgram_socket create_socket_perms; +allow vpnc_t self:unix_stream_socket create_socket_perms; +allow vpnc_t admin_tty_type:chr_file rw_file_perms; +allow vpnc_t port_t:udp_socket name_bind; +allow vpnc_t etc_runtime_t:file { getattr read }; +allow vpnc_t proc_t:file { getattr read }; +dontaudit vpnc_t selinux_config_t:dir search; +can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t }) +allow vpnc_t sysctl_net_t:dir search; +allow vpnc_t sbin_t:dir search; +allow vpnc_t bin_t:dir search; +allow vpnc_t bin_t:lnk_file read; +r_dir_file(vpnc_t, proc_net_t) diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te new file mode 100644 index 0000000..73b1902 --- /dev/null +++ b/strict/domains/program/webalizer.te 
@@ -0,0 +1,48 @@ +# DESC webalizer - webalizer +# +# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp) +# +# Depends: apache.te + +application_domain(webalizer) +# to use from cron +system_crond_entry(webalizer_exec_t,webalizer_t) +role system_r types webalizer_t; + +##type definision +# type for usage file +type webalizer_usage_t,file_type,sysadmfile; +# type for /var/lib/webalizer +type webalizer_write_t,file_type,sysadmfile; +# type for webalizer.conf +etc_domain(webalizer) + +#read apache log +allow webalizer_t var_log_t:dir r_dir_perms; +r_dir_file(webalizer_t, httpd_log_t) + +#r/w /var/lib/webalizer +var_lib_domain(webalizer) + +#read /var/www/usage +create_dir_file(webalizer_t, httpd_sys_content_t) + +#read system files under /etc +allow webalizer_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale(webalizer_t) + +# can use tmp file +tmp_domain(webalizer) + +# can read /proc +read_sysctl(webalizer_t) +allow webalizer_t proc_t:dir search; +allow webalizer_t proc_t:file r_file_perms; + +# network +can_network_server(webalizer_t) + +#process communication inside webalizer itself +general_domain_access(webalizer_t) + +allow webalizer_t self:capability dac_override; diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te new file mode 100644 index 0000000..36cef3e --- /dev/null +++ b/strict/domains/program/winbind.te 
@@ -0,0 +1,33 @@ +#DESC winbind - Name Service Switch daemon for resolving names from NT servers +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for winbind +# + +daemon_domain(winbind, `, privhome, auth_chkpwd') +log_domain(winbind) +allow winbind_t etc_t:file r_file_perms; +allow winbind_t etc_t:lnk_file read; +can_network(winbind_t) +ifdef(`samba.te', `', ` +type samba_etc_t, file_type, sysadmfile, usercanread; +type samba_log_t, file_type, sysadmfile, logfile; +type samba_var_t, file_type, sysadmfile; +type samba_secrets_t, file_type, sysadmfile; +') +rw_dir_file(winbind_t, samba_etc_t) +rw_dir_create_file(winbind_t, samba_log_t) +allow winbind_t samba_secrets_t:file rw_file_perms; +allow winbind_t self:unix_dgram_socket create_socket_perms; +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t urandom_device_t:chr_file { getattr read }; +allow winbind_t self:fifo_file { read write }; +rw_dir_create_file(winbind_t, samba_var_t) +allow winbind_t krb5_conf_t:file { getattr read }; +dontaudit winbind_t krb5_conf_t:file { write }; +allow winbind_t self:netlink_route_socket r_netlink_socket_perms; +allow winbind_t winbind_var_run_t:sock_file create_file_perms; diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te new file mode 100644 index 0000000..020aa8d --- /dev/null +++ b/strict/domains/program/xauth.te @@ -0,0 +1,15 @@ +#DESC Xauth - X authority file utility +# +# Domains for the xauth program. +# X-Debian-Packages: xbase-clients + +# Author: Russell Coker +# +# xauth_exec_t is the type of the xauth executable. +# +type xauth_exec_t, file_type, sysadmfile, exec_type; + +file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t) + +# Everything else is in the xauth_domain macro in +# macros/program/xauth_macros.te. diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te new file mode 100644 index 0000000..4b116e4 
--- /dev/null +++ b/strict/domains/program/xdm.te 
@@ -0,0 +1,344 @@ +#DESC XDM - X Display Manager +# +# Authors: Mark Westerman mark.westerman@westcam.com +# Russell Coker +# X-Debian-Packages: gdm xdm wdm kdm +# Depends: xserver.te +# +# Some wdm-specific changes by Tom Vogt +# +# Some alterations and documentation by Stephen Smalley +# + +################################# +# +# Rules for the xdm_t domain. +# +# xdm_t is the domain of a X Display Manager process +# spawned by getty. +# xdm_exec_t is the type of the [xgkw]dm program +# +daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') + +# for running xdm from init +domain_auto_trans(init_t, xdm_exec_t, xdm_t) + +allow xdm_t xdm_var_run_t:dir setattr; + +# for xdmctl +allow xdm_t xdm_var_run_t:fifo_file create_file_perms; +allow initrc_t xdm_var_run_t:fifo_file unlink; +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) + +tmp_domain(xdm, `', `{ file dir sock_file }') +var_lib_domain(xdm) +# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open +# handle of a file inside the dir!!! 
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; +dontaudit xdm_xserver_t xdm_var_lib_t:dir search; +allow xdm_xserver_t xdm_var_run_t:file { getattr read }; +type xsession_exec_t, file_type, sysadmfile, exec_type; +type xdm_rw_etc_t, file_type, sysadmfile; +typealias xdm_rw_etc_t alias etc_xdm_t; + +allow xdm_t default_context_t:dir search; +allow xdm_t default_context_t:{ file lnk_file } { read getattr }; + +can_network(xdm_t) +allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:fifo_file rw_file_perms; + +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_t xdm_xserver_t:process signal; +can_unix_connect(xdm_t, xdm_xserver_t) +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; +allow xdm_xserver_t xdm_t:process signal; +# for reboot +allow xdm_t initctl_t:fifo_file write; + +# init script wants to check if it needs to update windowmanagerlist +allow initrc_t xdm_rw_etc_t:file { getattr read }; +ifdef(`distro_suse', ` +# set permissions on /tmp/.X11-unix +allow initrc_t xdm_tmp_t:dir setattr; +') + +# +# Use capabilities. +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner }; + +allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl }; + +# Transition to user domains for user sessions. 
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) +allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; +allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; +allow unpriv_userdomain xdm_xserver_t:fd use; +allow unpriv_userdomain xdm_xserver_tmpfs_t:file read; +allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; +allow xdm_xserver_t unpriv_userdomain:fd use; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# gnome-session creates socket under /tmp/.ICE-unix/ +allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; +allow unpriv_userdomain xdm_tmp_t:sock_file create; + +# Allow xdm logins as sysadm_r:sysadm_t +bool xdm_sysadm_login false; +if (xdm_sysadm_login) { +domain_trans(xdm_t, xsession_exec_t, sysadm_t) +allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; +allow sysadm_t xdm_xserver_t:shm r_shm_perms; +allow sysadm_t xdm_xserver_t:fd use; +allow sysadm_t xdm_xserver_tmpfs_t:file read; +allow xdm_xserver_t sysadm_t:shm rw_shm_perms; +allow xdm_xserver_t sysadm_t:fd use; +} +can_setexec(xdm_t) + +# Label pid and temporary files with derived types. +rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) +allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; + +# Run helper programs. +allow xdm_t etc_t:file { getattr read }; +allow xdm_t bin_t:dir { getattr search }; +# lib_t is for running cpp +can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) +allow xdm_t { bin_t sbin_t }:lnk_file read; +ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') +ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') +allow xdm_t xdm_xserver_t:process sigkill; +allow xdm_t xdm_xserver_tmp_t:file unlink; + +# Access devices. 
+allow xdm_t device_t:dir { read search }; +allow xdm_t console_device_t:chr_file setattr; +allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t framebuf_device_t:chr_file { getattr setattr }; +allow xdm_t mouse_device_t:chr_file { getattr setattr }; +allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; +allow xdm_t dri_device_t:chr_file rw_file_perms; +allow xdm_t device_t:dir rw_dir_perms; +allow xdm_t agp_device_t:chr_file rw_file_perms; +allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; +allow xdm_t v4l_device_t:chr_file { setattr getattr }; +allow xdm_t scanner_device_t:chr_file { setattr getattr }; +allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; +allow xdm_t device_t:lnk_file read; +can_resmgrd_connect(xdm_t) + +# Access xdm log files. +file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) +allow xdm_t xserver_log_t:dir rw_dir_perms; +allow xdm_t xserver_log_t:dir setattr; +# Access /var/gdm/.gdmfifo. +allow xdm_t xserver_log_t:fifo_file create_file_perms; + +allow xdm_t self:shm create_shm_perms; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; +allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file read; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; + +# Remove /tmp/.X11-unix/X0. +allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; +allow xdm_t xdm_xserver_tmp_t:sock_file unlink; + +ifdef(`gpm.te', ` +# Talk to the console mouse server. +allow xdm_t gpmctl_t:sock_file { getattr setattr write }; +allow xdm_t gpm_t:unix_stream_socket connectto; +') + +allow xdm_t sysfs_t:dir search; + +# Update utmp and wtmp. +allow xdm_t initrc_var_run_t: file { read write lock }; +allow xdm_t wtmp_t:file append; + +# Update lastlog. 
+allow xdm_t lastlog_t:file rw_file_perms; + +# Ask the security server for SIDs for user sessions. +can_getsecurity(xdm_t) + +tmpfs_domain(xdm) + +# Need to further investigate these permissions and +# perhaps define derived types. +allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; +allow xdm_t var_lib_t:file { create write unlink }; +allow xdm_t var_lock_t:dir { write search add_name remove_name }; +allow xdm_t var_lock_t:file { create write unlink }; + +# Connect to xfs. +ifdef(`xfs.te', ` +allow xdm_t xfs_tmp_t:dir search; +allow xdm_t xfs_tmp_t:sock_file write; +can_unix_connect(xdm_t, xfs_t) +') + +allow xdm_t self:process { setpgid setsched }; +allow xdm_t etc_t:lnk_file read; +allow xdm_t etc_runtime_t:file { getattr read }; + +# wdm has its own config dir /etc/X11/wdm +# this is ugly, daemons should not create files under /etc! +allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; +allow xdm_t xdm_rw_etc_t:file create_file_perms; + +# Signal any user domain. +allow xdm_t userdomain:process signal_perms; + +allow xdm_t proc_t:file { getattr read }; + +read_sysctl(xdm_t) + +# Search /proc for any user domain processes. +allow xdm_t userdomain:dir r_dir_perms; +allow xdm_t userdomain:{ file lnk_file } r_file_perms; + +# Allow xdm access to the user domains +allow xdm_t home_root_t:dir search; +allow xdm_xserver_t home_root_t:dir search; + +# Do not audit denied attempts to access devices. +dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; +dontaudit xdm_t device_t:file_class_set rw_file_perms; +dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; +dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; +dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; +dontaudit xdm_t devpts_t:dir search; + +# Do not audit denied probes of /proc. 
+dontaudit xdm_t domain:dir r_dir_perms; +dontaudit xdm_t domain:{ file lnk_file } r_file_perms; + +# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... +allow xdm_t usr_t:{ lnk_file file } { getattr read }; +r_dir_file(xdm_t, fonts_t) + +# Do not audit attempts to write to index files under /usr +dontaudit xdm_t usr_t:file write; + +# Do not audit access to /root +dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# Do not audit attempts to check whether user root has email +dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; +dontaudit xdm_t mail_spool_t:file getattr; + +# Access sound device. +allow xdm_t sound_device_t:chr_file { setattr getattr }; + +# Allow setting of attributes on power management devices. +allow xdm_t power_device_t:chr_file { getattr setattr }; + +# Run the X server in a derived domain. +xserver_domain(xdm) + +ifdef(`rhgb.te', ` +allow xdm_xserver_t ramfs_t:dir rw_dir_perms; +allow xdm_xserver_t ramfs_t:file create_file_perms; +allow rhgb_t xdm_xserver_t:process signal; +') + +# Unrestricted inheritance. +allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; + +# Run xkbcomp. +allow xdm_xserver_t var_lib_t:dir search; +allow xdm_xserver_t var_lib_xkb_t:lnk_file read; +can_exec(xdm_xserver_t, var_lib_xkb_t) + +# Insert video drivers. +allow xdm_xserver_t self:capability mknod; +allow xdm_xserver_t sysctl_modprobe_t:file read; +domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) +allow insmod_t xdm_t:fd use; +allow insmod_t xserver_log_t:file write; +allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; + +# Read /proc/dri/.* +allow xdm_xserver_t proc_t:dir { search read }; + +# Search /var/run. +allow xdm_xserver_t var_run_t:dir search; + +# Search home directories. 
+allow xdm_xserver_t user_home_type:dir search; +allow xdm_xserver_t user_home_type:file { getattr read }; + +if (use_nfs_home_dirs) { +allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; +allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, nfs_t) +} + +if (use_samba_home_dirs) { +allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, cifs_t) +} + +# for .dmrc +allow xdm_t user_home_dir_type:dir { getattr search }; +allow xdm_t user_home_type:file { getattr read }; + +allow xdm_t mnt_t:dir { getattr read search }; +# +# Wants to delete .xsession-errors file +# +allow xdm_t user_home_type:file unlink; +# +# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# +ifdef(`pam.te', ` +dontaudit pam_t xdm_t:fd use; +allow xdm_t pam_var_run_t:dir create_dir_perms; +allow xdm_t pam_var_run_t:file create_file_perms; +allow pam_t xdm_t:fifo_file { getattr ioctl write }; +can_exec(xdm_t, pam_exec_t) +# For pam_console +rw_dir_create_file(xdm_t, pam_var_console_t) +') + +allow xdm_t var_log_t:file read; +allow xdm_t self:capability { sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process setrlimit; +allow xdm_t wtmp_t:file { getattr read }; + +domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) +# +# Poweroff wants to create the /root/poweroff directory when run from xdm +# Seems to work without it. +# +dontaudit xdm_t root_t:dir { add_name write }; +dontaudit xdm_t root_t:file create; +# +# xdm tries to bind to biff_port_t +# +dontaudit xdm_t port_type:tcp_socket name_bind; + +# VNC v4 module in X server +type vnc_port_t, port_type; +allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; +ifdef(`crack.te', ` +allow xdm_t crack_db_t:file r_file_perms; +') +r_dir_file(xdm_t, selinux_config_t) + +# Run telinit->init to shutdown. 
+can_exec(xdm_t, init_exec_t) diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te new file mode 100644 index 0000000..0c9e93f --- /dev/null +++ b/strict/domains/program/xfs.te @@ -0,0 +1,50 @@ +#DESC XFS - X Font Server +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: xfs +# + +################################# +# +# Rules for the xfs_t domain. +# +# xfs_t is the domain of the X font server. +# xfs_exec_t is the type of the xfs executable. +# +daemon_domain(xfs) + +# for /tmp/.font-unix/fs7100 +ifdef(`distro_debian', ` +type xfs_tmp_t, file_type, sysadmfile, tmpfile; +allow xfs_t tmp_t:dir search; +file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file) +', ` +tmp_domain(xfs, `', `{dir sock_file}') +') + +allow xfs_t { etc_t etc_runtime_t }:file { getattr read }; +allow xfs_t proc_t:file { getattr read }; + +allow xfs_t self:process setpgid; +can_ypbind(xfs_t) + +# Use capabilities. +allow xfs_t self:capability { setgid setuid }; + +# Bind to /tmp/.font-unix/fs-1. +allow xfs_t xfs_tmp_t:unix_stream_socket name_bind; +allow xfs_t self:unix_stream_socket create_stream_socket_perms; +allow xfs_t self:unix_dgram_socket create_socket_perms; + +# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.* +allow xfs_t fonts_t:dir search; +allow xfs_t fonts_t:file { getattr read }; + +# Unlink the xfs socket. +allow initrc_t xfs_tmp_t:dir rw_dir_perms; +allow initrc_t xfs_tmp_t:dir rmdir; +allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; +allow initrc_t fonts_t:dir create_dir_perms; +allow initrc_t fonts_t:file create_file_perms; + diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te new file mode 100644 index 0000000..7cfce4c --- /dev/null +++ b/strict/domains/program/xserver.te 
@@ -0,0 +1,21 @@ +#DESC XServer - X Server +# +# Authors: Stephen Smalley and Timothy Fraser +# X-Debian-Packages: xserver-common xserver-xfree86 +# + +# Type for the executable used to start the X server, e.g. Xwrapper. +type xserver_exec_t, file_type, sysadmfile, exec_type; + +# Type for the X server log file. +type xserver_log_t, file_type, sysadmfile, logfile; + +# type for /var/lib/xkb +type var_lib_xkb_t, file_type, sysadmfile, usercanread; + +# Allow the xserver to check for fonts in ~/.gnome or ~/.kde +bool allow_xserver_home_fonts false; + +# Everything else is in the xserver_domain macro in +# macros/program/xserver_macros.te. + diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te new file mode 100644 index 0000000..605afd1 --- /dev/null +++ b/strict/domains/program/ypbind.te 
@@ -0,0 +1,43 @@ +#DESC Ypbind - NIS/YP +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# X-Debian-Packages: nis +# Depends: portmap.te named.te +# + +################################# +# +# Rules for the ypbind_t domain. +# +daemon_domain(ypbind) + +tmp_domain(ypbind) + +# Use capabilities. +allow ypbind_t self:capability { net_bind_service }; +dontaudit ypbind_t self:capability net_admin; + +# Use the network. +can_network(ypbind_t) +allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind; + +allow ypbind_t self:fifo_file rw_file_perms; + +read_sysctl(ypbind_t) + +# Send to portmap and initrc. +can_udp_send(ypbind_t, portmap_t) +can_udp_send(ypbind_t, initrc_t) + +# Read and write /var/yp. +allow ypbind_t var_yp_t:dir rw_dir_perms; +allow ypbind_t var_yp_t:file create_file_perms; +allow initrc_t var_yp_t:dir { getattr read }; +allow ypbind_t etc_t:file { getattr read }; +allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; +allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; +allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_udp_send(initrc_t, ypbind_t) + diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te new file mode 100644 index 0000000..656c15d --- /dev/null +++ b/strict/domains/program/ypserv.te 
@@ -0,0 +1,41 @@ +#DESC Ypserv - NIS/YP +# +# Authors: Dan Walsh +# Depends: portmap.te +# + +################################# +# +# Rules for the ypserv_t domain. +# +daemon_domain(ypserv) + +tmp_domain(ypserv) + +# Use capabilities. +allow ypserv_t self:capability { net_bind_service }; + +# Use the network. +can_network_server(ypserv_t) + +allow ypserv_t self:fifo_file rw_file_perms; + +read_sysctl(ypserv_t) + +# Send to portmap and initrc. +can_udp_send(ypserv_t, portmap_t) +can_udp_send(ypserv_t, initrc_t) + +type ypserv_conf_t, file_type, sysadmfile; + +# Read and write /var/yp. +allow ypserv_t var_yp_t:dir rw_dir_perms; +allow ypserv_t var_yp_t:file create_file_perms; +allow ypserv_t ypserv_conf_t:file { getattr read }; +allow ypserv_t self:unix_dgram_socket create_socket_perms; +allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +ifdef(`rpcd.te', ` +allow rpcd_t ypserv_conf_t:file { getattr read }; +') +allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind; +dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te new file mode 100644 index 0000000..12ef473 --- /dev/null +++ b/strict/domains/program/zebra.te 
@@ -0,0 +1,33 @@ +#DESC Zebra - BGP server +# +# Author: Russell Coker +# X-Debian-Packages: zebra +# +type zebra_port_t, port_type; + +daemon_domain(zebra, `, sysctl_net_writer') +type zebra_conf_t, file_type, sysadmfile; +r_dir_file({ initrc_t zebra_t }, zebra_conf_t) + +can_network_server(zebra_t) +can_ypbind(zebra_t) +allow zebra_t { etc_t etc_runtime_t }:file { getattr read }; + +allow zebra_t self:process setcap; +allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw }; +file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file) + +logdir_domain(zebra) + +# /tmp/.bgpd is such a bad idea! +tmp_domain(zebra, `', sock_file) + +allow zebra_t self:unix_dgram_socket create_socket_perms; +allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow zebra_t self:rawip_socket create_socket_perms; +allow zebra_t self:netlink_route_socket r_netlink_socket_perms; +allow zebra_t zebra_port_t:tcp_socket name_bind; + +allow zebra_t proc_t:file { getattr read }; +allow zebra_t { sysctl_t sysctl_net_t }:dir search; +allow zebra_t sysctl_net_t:file rw_file_perms; diff --git a/strict/domains/user.te b/strict/domains/user.te new file mode 100644 index 0000000..02f6be9 --- /dev/null +++ b/strict/domains/user.te 
@@ -0,0 +1,132 @@ +#DESC User - Domains for ordinary users. +# +################################# + +# Booleans for user domains. + +# Allow users to read system messages. +bool user_dmesg false; + +# Support NFS home directories +bool use_nfs_home_dirs false; + +# Allow execution of anonymous mappings, e.g. executable stack. +bool allow_execmem false; + +# Support Share libraries with Text Relocation +bool allow_execmod false; + +# Support SAMBA home directories +bool use_samba_home_dirs false; + +# Allow users to run TCP servers (bind to ports and accept connection from +# the same domain and outside users) disabling this forces FTP passive mode +# and may change other protocols +bool user_tcp_server false; + +# Allow system to run with NIS +bool allow_ypbind false; + +# Allow system to run with kerberos +bool allow_kerberos false; + +# Allow users to rw usb devices +bool user_rw_usb false; + +# Allow users to control network interfaces (also needs USERCTL=true) +bool user_net_control false; + +# Allow regular users direct mouse access +bool user_direct_mouse false; + +# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) +bool user_rw_noexattrfile false; + +# Allow reading of default_t files. 
+bool read_default_t false; + +# Allow staff_r users to search the sysadm home dir and read +# files (such as ~/.bashrc) +bool staff_read_sysadm_file false; + +# change from role $1_r to $2_r and relabel tty appropriately +define(`role_tty_type_change', ` +allow $1_r $2_r; +type_change $2_t $1_devpts_t:chr_file $2_devpts_t; +type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; +# avoid annoying messages on terminal hangup +dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; +') + +# Reach sysadm_t via programs like userhelper/sudo/su +undefine(`reach_sysadm') +define(`reach_sysadm', ` +ifdef(`userhelper.te', `userhelper_domain($1)') +ifdef(`sudo.te', `sudo_domain($1)') +ifdef(`su.te', ` +su_domain($1) +# When an ordinary user domain runs su, su may try to +# update the /root/.Xauthority file, and the user shell may +# try to update the shell history. This is not allowed, but +# we dont need to audit it. +dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms; +dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms; +') dnl ifdef su.te +') + +# Privileged user domain +undefine(`priv_user') +define(`priv_user', ` +# Reach sysadm_t +reach_sysadm($1) + +# Read file_contexts for rpm and get security decisions. +r_dir_file($1_t, file_context_t) +can_getsecurity($1_t) + +# Signal and see information about unprivileged user domains. +allow $1_t unpriv_userdomain:process signal_perms; +can_ps($1_t, unpriv_userdomain) +allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr; + +# Read /root files if boolean is enabled. +if (staff_read_sysadm_file) { +allow $1_t sysadm_home_dir_t:dir { getattr search }; +allow $1_t sysadm_home_t:file { getattr read }; +} + +') dnl priv_user + +full_user_role(user) + +ifdef(`user_canbe_sysadm', ` +reach_sysadm(user) +role_tty_type_change(user, sysadm) +') + +# Do not add any rules referring to user_t to this file! 
That will break +# support for multiple user roles. + +# a role for staff that allows seeing all domains and control over the user_t +# domain +full_user_role(staff) + +priv_user(staff) +# if adding new user roles make sure you edit the in_user_role macro in +# macros/user_macros.te to match + +# lots of user programs accidentally search /root, and also the admin often +# logs in as UID=0 domain=user_t... +dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; + +# +# Allow the user roles to transition +# into each other. +role_tty_type_change(sysadm, user) +role_tty_type_change(staff, sysadm) +role_tty_type_change(sysadm, staff) + +# "ps aux" and "ls -l /dev/pts" make too much noise without this +dontaudit unpriv_userdomain ptyfile:chr_file getattr; + diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc new file mode 100644 index 0000000..2de04ab --- /dev/null +++ b/strict/file_contexts/distros.fc 
@@ -0,0 +1,153 @@ +ifdef(`distro_redhat', ` +/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t +/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t +/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t +/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t +/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t +/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t +/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t +/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t +/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t +/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t +/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t +/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t +/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t +/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t +/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t +/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t +/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t +/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t +/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t +/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t +/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t +/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t +/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t +/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t 
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t +/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t +/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t +/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t +/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t +/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t +/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t +/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t +/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t +/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t +/usr/share/ssl/private(/.*)? system_u:object_r:cert_t +/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t +# +# /emul/ia32-linux/usr +# +/emul(/.*)? system_u:object_r:usr_t +/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t +/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t +/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t +/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t +/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t +# /emul/ia32-linux/lib +/emul/ia32-linux/lib(/.*)? 
system_u:object_r:lib_t +/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +# /emul/ia32-linux/bin +/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t +# /emul/ia32-linux/sbin +/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t + +ifdef(`dbusd.te', `', ` +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t +') + +# The following are libraries with text relocations in need of execmod permissions +# Some of them should be fixed and removed from this list + +# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv +# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs +/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t +/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t +/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t +/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t +/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/libpthread\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgpreload_addrcheck\.so -- 
system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgpreload_memcheck\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_addrcheck\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_cachegrind\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_callgrind\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_corecheck\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_helgrind\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_lackey\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_massif\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_memcheck\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/valgrind/vgskin_none\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ooo-.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/ooo-.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ooo-.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ooo-.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t +# Fedora Extras packages: ladspa, imlib2, ocaml +/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/pitch_scale_1193\.so -- 
system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t + +# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame +/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t +/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t + +# Flash plugin, Macromedia +HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t +/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t + +# Jai, Sun Microsystems (Jpackage SPRM) +/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t + +') + +ifdef(`distro_suse', ` +/var/lib/samba/bin/.+ system_u:object_r:bin_t +/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t +/usr/lib/samba/classic/.* -- system_u:object_r:bin_t +/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/success -- system_u:object_r:etc_runtime_t +/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t +') diff --git a/strict/file_contexts/homedir_template b/strict/file_contexts/homedir_template new file mode 100644 index 0000000..1206f76 --- /dev/null 
+++ b/strict/file_contexts/homedir_template 
@@ -0,0 +1,32 @@ +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each user's home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each user's role when role != user_r, and to "user" otherwise. +HOME_ROOT -d system_u:object_r:home_root_t +HOME_DIR -d system_u:object_r:ROLE_home_dir_t +HOME_DIR/.+ system_u:object_r:ROLE_home_t +HOME_ROOT/\.journal <> +HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t +HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_home_irc_t +HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t +HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t +HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t +HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t +HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t +HOME_DIR/vmware(/.*)? system_u:object_r:ROLE_vmware_file_t +HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t +HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t +HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t 
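Review bot: `HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t` at the end of homedir_template duplicates the identical entry in the distro_redhat block of distros.fc; keep it in one place (homedir_template is the better home since the plugin path is not distro-specific) so the two copies cannot drift apart. The same applies to `HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t`, which is repeated verbatim in apache.fc. Separately, `HOME_DIR/\.gconfd(/.*)?` and `HOME_DIR/\.gconf(/.*)?` are labelled ROLE_mozilla_home_t although GConf is not a Mozilla directory; if that is deliberate (so the browser domain can reach its GConf keys), a comment should say so, otherwise a dedicated type would keep the browser domain from owning the user's whole GConf tree.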
diff --git a/strict/file_contexts/program/acct.fc b/strict/file_contexts/program/acct.fc new file mode 100644 index 0000000..7616d8b --- /dev/null +++ b/strict/file_contexts/program/acct.fc @@ -0,0 +1,5 @@ +# berkeley process accounting +/sbin/accton -- system_u:object_r:acct_exec_t +/usr/sbin/accton -- system_u:object_r:acct_exec_t +/var/account(/.*)? system_u:object_r:acct_data_t +/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t diff --git a/strict/file_contexts/program/amanda.fc b/strict/file_contexts/program/amanda.fc new file mode 100644 index 0000000..09dd2fe --- /dev/null +++ b/strict/file_contexts/program/amanda.fc 
@@ -0,0 +1,70 @@ +# +# Author: Carsten Grohmann +# + +# amanda +/etc/amanda(/.*)? system_u:object_r:amanda_config_t +/etc/amanda/.*/tapelist(/.*)? system_u:object_r:amanda_data_t +/etc/amandates system_u:object_r:amanda_amandates_t +/etc/dumpdates system_u:object_r:amanda_dumpdates_t +/root/restore -d system_u:object_r:amanda_recover_dir_t +/tmp/amanda(/.*)? system_u:object_r:amanda_tmp_t +/usr/lib(64)?/amanda -d system_u:object_r:amanda_usr_lib_t +/usr/lib(64)?/amanda/amandad -- system_u:object_r:amanda_inetd_exec_t +/usr/lib(64)?/amanda/amcat\.awk -- system_u:object_r:amanda_script_exec_t +/usr/lib(64)?/amanda/amcleanupdisk -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/amidxtaped -- system_u:object_r:amanda_inetd_exec_t +/usr/lib(64)?/amanda/amindexd -- system_u:object_r:amanda_inetd_exec_t +/usr/lib(64)?/amanda/amlogroll -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/amplot\.awk -- system_u:object_r:amanda_script_exec_t +/usr/lib(64)?/amanda/amplot\.g -- system_u:object_r:amanda_script_exec_t +/usr/lib(64)?/amanda/amplot\.gp -- system_u:object_r:amanda_script_exec_t +/usr/lib(64)?/amanda/amtrmidx -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/amtrmlog -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/calcsize -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-chio -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-chs -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-manual -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-mtx -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-multi -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-rth -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-scsi -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/chg-zd-mtx -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/driver -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/dumper -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/killpgrp -- 
system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/patch-system -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/planner -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/rundump -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/runtar -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/selfcheck -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/sendbackup -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/sendsize -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/taper -- system_u:object_r:amanda_exec_t +/usr/lib(64)?/amanda/versionsuffix -- system_u:object_r:amanda_exec_t +/usr/sbin/amadmin -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amcheck -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amcheckdb -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amcleanup -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amdump -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amflush -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amgetconf -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amlabel -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amoverview -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amplot -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amrecover -- system_u:object_r:amanda_recover_exec_t +/usr/sbin/amreport -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amrestore -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amrmtape -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amstatus -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amtape -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amtoc -- system_u:object_r:amanda_user_exec_t +/usr/sbin/amverify -- system_u:object_r:amanda_user_exec_t +/var/lib/amanda -d system_u:object_r:amanda_var_lib_t +/var/lib/amanda/\.amandahosts -- system_u:object_r:amanda_config_t +/var/lib/amanda/\.bashrc -- system_u:object_r:amanda_shellconfig_t +/var/lib/amanda/\.profile -- system_u:object_r:amanda_shellconfig_t +/var/lib/amanda/disklist -- 
system_u:object_r:amanda_data_t +/var/lib/amanda/gnutar-lists(/.*)? system_u:object_r:amanda_gnutarlists_t +/var/lib/amanda/index system_u:object_r:amanda_data_t +/var/log/amanda(/.*)? system_u:object_r:amanda_log_t diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc new file mode 100644 index 0000000..12a2064 --- /dev/null +++ b/strict/file_contexts/program/amavis.fc @@ -0,0 +1,6 @@ +# amavis +/usr/sbin/amavisd.* -- system_u:object_r:amavisd_exec_t +/etc/amavisd\.conf -- system_u:object_r:amavisd_etc_t +/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t +/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t +/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t diff --git a/strict/file_contexts/program/anaconda.fc b/strict/file_contexts/program/anaconda.fc new file mode 100644 index 0000000..a0cbc0e --- /dev/null +++ b/strict/file_contexts/program/anaconda.fc @@ -0,0 +1,5 @@ +# +# Anaconda file context +# currently anaconda does not have any file context since it is started during install +# This is a placeholder to stop makefile from complaining +# diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc new file mode 100644 index 0000000..4fe5dac --- /dev/null +++ b/strict/file_contexts/program/apache.fc 
@@ -0,0 +1,46 @@ +# apache +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t +/var/www(/.*)? system_u:object_r:httpd_sys_content_t +/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t +/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t +/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t +/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t +/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t +/etc/httpd -d system_u:object_r:httpd_config_t +/etc/httpd/conf.* system_u:object_r:httpd_config_t +/etc/httpd/logs system_u:object_r:httpd_log_t +/etc/httpd/modules system_u:object_r:httpd_modules_t +/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t +/etc/vhosts -- system_u:object_r:httpd_config_t +/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t +/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t +/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t +/usr/sbin/httpd -- system_u:object_r:httpd_exec_t +/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t +/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t +/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t +/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t +/var/log/httpd(/.*)? system_u:object_r:httpd_log_t +/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t +/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t +/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t +/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t +/var/run/apache(2)?\.pid.* -- system_u:object_r:httpd_var_run_t +/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t +/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t +/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t +/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t +/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t +/var/log/apache-ssl(2)?(/.*)? 
system_u:object_r:httpd_log_t +/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t +/var/run/gcache_port -s system_u:object_r:httpd_var_run_t +ifdef(`distro_suse', ` +# suse puts shell scripts there :-( +/usr/share/apache2/[^/]* -- system_u:object_r:bin_t +') +/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t +/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t +/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t +/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t +/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t +/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc new file mode 100644 index 0000000..da3c93a --- /dev/null +++ b/strict/file_contexts/program/apmd.fc @@ -0,0 +1,11 @@ +# apmd +/usr/sbin/apmd -- system_u:object_r:apmd_exec_t +/usr/sbin/acpid -- system_u:object_r:apmd_exec_t +/usr/bin/apm -- system_u:object_r:apm_exec_t +/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t +/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t +/var/log/acpid -- system_u:object_r:apmd_log_t +ifdef(`distro_suse', ` +/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t +') + diff --git a/strict/file_contexts/program/arpwatch.fc b/strict/file_contexts/program/arpwatch.fc new file mode 100644 index 0000000..5b2aa5a --- /dev/null +++ b/strict/file_contexts/program/arpwatch.fc @@ -0,0 +1,4 @@ +# arpwatch - keep track of ethernet/ip address pairings +/usr/sbin/arpwatch -- system_u:object_r:arpwatch_exec_t +/var/arpwatch(/.*)? system_u:object_r:arpwatch_data_t +/var/lib/arpwatch(/.*)? system_u:object_r:arpwatch_data_t diff --git a/strict/file_contexts/program/asterisk.fc b/strict/file_contexts/program/asterisk.fc new file mode 100644 index 0000000..6f4eb4b --- /dev/null +++ b/strict/file_contexts/program/asterisk.fc 
@@ -0,0 +1,7 @@ +# asterisk +/usr/sbin/asterisk -- system_u:object_r:asterisk_exec_t +/var/run/asterisk(/.*)? system_u:object_r:asterisk_var_run_t +/etc/asterisk(/.*)? system_u:object_r:asterisk_etc_t +/var/log/asterisk(/.*)? system_u:object_r:asterisk_log_t +/var/lib/asterisk(/.*)? system_u:object_r:asterisk_var_lib_t +/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t diff --git a/strict/file_contexts/program/audio-entropyd.fc b/strict/file_contexts/program/audio-entropyd.fc new file mode 100644 index 0000000..a8f616a --- /dev/null +++ b/strict/file_contexts/program/audio-entropyd.fc @@ -0,0 +1 @@ +/usr/sbin/audio-entropyd -- system_u:object_r:entropyd_exec_t diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc new file mode 100644 index 0000000..32401bb --- /dev/null +++ b/strict/file_contexts/program/auditd.fc @@ -0,0 +1,3 @@ +# auditd +/sbin/auditd -- system_u:object_r:auditd_exec_t +/var/log/audit.log -- system_u:object_r:auditd_log_t diff --git a/strict/file_contexts/program/authbind.fc b/strict/file_contexts/program/authbind.fc new file mode 100644 index 0000000..9fed63e --- /dev/null +++ b/strict/file_contexts/program/authbind.fc @@ -0,0 +1,3 @@ +# authbind +/etc/authbind(/.*)? system_u:object_r:authbind_etc_t +/usr/lib(64)?/authbind/helper -- system_u:object_r:authbind_exec_t diff --git a/strict/file_contexts/program/automount.fc b/strict/file_contexts/program/automount.fc new file mode 100644 index 0000000..f7b56f7 --- /dev/null +++ b/strict/file_contexts/program/automount.fc @@ -0,0 +1,5 @@ +# automount +/usr/sbin/automount -- system_u:object_r:automount_exec_t +/etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t +/var/run/autofs(/.*)? system_u:object_r:automount_var_run_t +/etc/auto\..+ -- system_u:object_r:automount_etc_t diff --git a/strict/file_contexts/program/backup.fc b/strict/file_contexts/program/backup.fc new file mode 100644 index 0000000..ed82809 --- /dev/null 
+++ b/strict/file_contexts/program/backup.fc @@ -0,0 +1,6 @@ +# backup +# label programs that do backups to other files on disk (IE a cron job that +# calls tar) in backup_exec_t and label the directory for storing them as +# backup_store_t, Debian uses /var/backups +#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t +/var/backups(/.*)? system_u:object_r:backup_store_t diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc new file mode 100644 index 0000000..258ff2b --- /dev/null +++ b/strict/file_contexts/program/bluetooth.fc @@ -0,0 +1,7 @@ +# bluetooth +/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t +/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t +/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t +/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t +/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t +/var/run/sdp -- system_u:object_r:bluetooth_var_run_t diff --git a/strict/file_contexts/program/bootloader.fc b/strict/file_contexts/program/bootloader.fc new file mode 100644 index 0000000..90f8e85 --- /dev/null +++ b/strict/file_contexts/program/bootloader.fc @@ -0,0 +1,11 @@ +# bootloader +/etc/lilo\.conf.* -- system_u:object_r:bootloader_etc_t +/initrd\.img.* -l system_u:object_r:boot_t +/sbin/lilo.* -- system_u:object_r:bootloader_exec_t +/sbin/grub.* -- system_u:object_r:bootloader_exec_t +/vmlinuz.* -l system_u:object_r:boot_t +/usr/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t +/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t +/etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t +/sbin/ybin.* -- system_u:object_r:bootloader_exec_t +/etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t diff --git a/strict/file_contexts/program/calamaris.fc b/strict/file_contexts/program/calamaris.fc new file mode 100644 index 0000000..36d8c87 --- /dev/null +++ b/strict/file_contexts/program/calamaris.fc 
@@ -0,0 +1,4 @@ +# squid +/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t +/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t +/var/log/calamaris(/.*)? system_u:object_r:calamaris_log_t diff --git a/strict/file_contexts/program/canna.fc b/strict/file_contexts/program/canna.fc new file mode 100644 index 0000000..4b207a8 --- /dev/null +++ b/strict/file_contexts/program/canna.fc @@ -0,0 +1,12 @@ +# canna.fc +/usr/sbin/cannaserver -- system_u:object_r:canna_exec_t +/usr/sbin/jserver -- system_u:object_r:canna_exec_t +/usr/bin/cannaping -- system_u:object_r:canna_exec_t +/usr/bin/catdic -- system_u:object_r:canna_exec_t +/var/log/canna(/.*)? system_u:object_r:canna_log_t +/var/log/wnn(/.*)? system_u:object_r:canna_log_t +/var/lib/canna/dic(/.*)? system_u:object_r:canna_var_lib_t +/var/lib/wnn/dic(/.*)? system_u:object_r:canna_var_lib_t +/var/run/\.iroha_unix -d system_u:object_r:canna_var_run_t +/var/run/\.iroha_unix/.* -s system_u:object_r:canna_var_run_t +/var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t diff --git a/strict/file_contexts/program/cardmgr.fc b/strict/file_contexts/program/cardmgr.fc new file mode 100644 index 0000000..2e4b109 --- /dev/null +++ b/strict/file_contexts/program/cardmgr.fc @@ -0,0 +1,7 @@ +# cardmgr +/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t +/sbin/cardctl -- system_u:object_r:cardctl_exec_t +/var/run/stab -- system_u:object_r:cardmgr_var_run_t +/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t +/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t +/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t diff --git a/strict/file_contexts/program/cdrecord.fc b/strict/file_contexts/program/cdrecord.fc new file mode 100644 index 0000000..d03d3bc --- /dev/null +++ b/strict/file_contexts/program/cdrecord.fc @@ -0,0 +1,3 @@ +# cdrecord +/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t + 
diff --git a/strict/file_contexts/program/checkpolicy.fc b/strict/file_contexts/program/checkpolicy.fc new file mode 100644 index 0000000..8c0c732 --- /dev/null +++ b/strict/file_contexts/program/checkpolicy.fc @@ -0,0 +1,2 @@ +# checkpolicy +/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t diff --git a/strict/file_contexts/program/chkpwd.fc b/strict/file_contexts/program/chkpwd.fc new file mode 100644 index 0000000..444e3e5 --- /dev/null +++ b/strict/file_contexts/program/chkpwd.fc @@ -0,0 +1,6 @@ +# chkpwd +/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t +/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t +ifdef(`distro_suse', ` +/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t +') diff --git a/strict/file_contexts/program/chroot.fc b/strict/file_contexts/program/chroot.fc new file mode 100644 index 0000000..aa61acc --- /dev/null +++ b/strict/file_contexts/program/chroot.fc @@ -0,0 +1 @@ +/usr/sbin/chroot -- system_u:object_r:chroot_exec_t diff --git a/strict/file_contexts/program/ciped.fc b/strict/file_contexts/program/ciped.fc new file mode 100644 index 0000000..e3a12a1 --- /dev/null +++ b/strict/file_contexts/program/ciped.fc @@ -0,0 +1,3 @@ +/usr/sbin/ciped.* -- system_u:object_r:ciped_exec_t +/etc/cipe/ip-up.* -- system_u:object_r:bin_t +/etc/cipe/ip-down.* -- system_u:object_r:bin_t diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc new file mode 100644 index 0000000..f08b276 --- /dev/null +++ b/strict/file_contexts/program/clamav.fc 
@@ -0,0 +1,12 @@ +# clamscan +/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t +/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t +/usr/sbin/clamav-freshclam-handledaemon -- system_u:object_r:freshclam_exec_t +/usr/sbin/clamd -- system_u:object_r:clamd_exec_t +/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t +/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t +/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t +/var/run/clamd\.ctl -s system_u:object_r:clamd_var_run_t +/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t +/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t +/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t diff --git a/strict/file_contexts/program/comsat.fc b/strict/file_contexts/program/comsat.fc new file mode 100644 index 0000000..7026d56 --- /dev/null +++ b/strict/file_contexts/program/comsat.fc @@ -0,0 +1,2 @@ +# biff server +/usr/sbin/in\.comsat -- system_u:object_r:comsat_exec_t diff --git a/strict/file_contexts/program/consoletype.fc b/strict/file_contexts/program/consoletype.fc new file mode 100644 index 0000000..f310f37 --- /dev/null +++ b/strict/file_contexts/program/consoletype.fc @@ -0,0 +1,2 @@ +# consoletype +/sbin/consoletype -- system_u:object_r:consoletype_exec_t diff --git a/strict/file_contexts/program/courier.fc b/strict/file_contexts/program/courier.fc new file mode 100644 index 0000000..16f6adb --- /dev/null +++ b/strict/file_contexts/program/courier.fc 
@@ -0,0 +1,18 @@ +# courier pop, imap, and webmail +/usr/lib(64)?/courier(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/courier/rootcerts(/.*)? system_u:object_r:courier_etc_t +/usr/lib(64)?/courier/authlib/.* -- system_u:object_r:courier_authdaemon_exec_t +/usr/lib(64)?/courier/courier/.* -- system_u:object_r:courier_exec_t +/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/courier/pcpd -- system_u:object_r:courier_pcp_exec_t +/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t +/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t +/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t +/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t +/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t +/usr/sbin/courierldapaliasd -- system_u:object_r:courier_exec_t +/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t +/var/run/courier(/.*)? system_u:object_r:courier_var_run_t +/etc/courier(/.*)? system_u:object_r:courier_etc_t diff --git a/strict/file_contexts/program/cpucontrol.fc b/strict/file_contexts/program/cpucontrol.fc new file mode 100644 index 0000000..e2275c6 --- /dev/null +++ b/strict/file_contexts/program/cpucontrol.fc @@ -0,0 +1,3 @@ +# cpucontrol +/sbin/microcode_ctl -- system_u:object_r:cpucontrol_exec_t +/etc/firmware/.* -- system_u:object_r:cpucontrol_conf_t diff --git a/strict/file_contexts/program/cpuspeed.fc b/strict/file_contexts/program/cpuspeed.fc new file mode 100644 index 0000000..60d8465 --- /dev/null +++ b/strict/file_contexts/program/cpuspeed.fc @@ -0,0 +1,3 @@ +# cpuspeed +/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t +/usr/sbin/powernowd -- system_u:object_r:cpuspeed_exec_t 
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc new file mode 100644 index 0000000..fac9bd6 --- /dev/null +++ b/strict/file_contexts/program/crack.fc @@ -0,0 +1,4 @@ +# crack - for password checking +/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t +/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t +/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc new file mode 100644 index 0000000..90869cf --- /dev/null +++ b/strict/file_contexts/program/crond.fc 
@@ -0,0 +1,29 @@ +# crond +/etc/crontab -- system_u:object_r:system_cron_spool_t +/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t +/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t +/usr/sbin/anacron -- system_u:object_r:anacron_exec_t +/var/spool/cron -d system_u:object_r:cron_spool_t +/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t +/var/spool/cron/crontabs/.* -- <> +/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t +/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t +/var/spool/cron/[^/]* -- <> +/var/log/cron.* -- system_u:object_r:crond_log_t +/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t +/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t +# fcron +/usr/sbin/fcron -- system_u:object_r:crond_exec_t +/var/spool/fcron -d system_u:object_r:cron_spool_t +/var/spool/fcron/.* <> +/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t +/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t +/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t +/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t +/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t +# atd +/usr/sbin/atd -- system_u:object_r:crond_exec_t +/var/spool/at -d system_u:object_r:cron_spool_t +/var/spool/at/spool -d system_u:object_r:cron_spool_t +/var/spool/at/[^/]* -- <> +/var/run/atd\.pid -- system_u:object_r:crond_var_run_t diff --git a/strict/file_contexts/program/crontab.fc b/strict/file_contexts/program/crontab.fc new file mode 100644 index 0000000..5c18699 --- /dev/null +++ b/strict/file_contexts/program/crontab.fc @@ -0,0 +1,3 @@ +# crontab +/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t +/usr/bin/at -- system_u:object_r:crontab_exec_t diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc new file mode 100644 index 0000000..2395746 --- /dev/null +++ b/strict/file_contexts/program/cups.fc 
@@ -0,0 +1,36 @@ +# cups printing +/etc/cups(/.*)? system_u:object_r:cupsd_etc_t +/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t +/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t +/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t +/etc/cups/client\.conf -- system_u:object_r:etc_t +/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/certs -d system_u:object_r:cupsd_rw_etc_t +/etc/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t +/var/lib/cups/certs -d system_u:object_r:cupsd_rw_etc_t +/var/lib/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/ppds\.dat -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/lpoptions.* -- system_u:object_r:cupsd_rw_etc_t +/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t +/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t +/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t +/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t +ifdef(`hald.te', ` +# cupsd_config depends on hald +/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t +/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t +/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t +') +/var/log/cups(/.*)? system_u:object_r:cupsd_log_t +/var/spool/cups(/.*)? system_u:object_r:print_spool_t +/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t +/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t +/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t +/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t +/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t +/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t +/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t +/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t 
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc new file mode 100644 index 0000000..6129446 --- /dev/null +++ b/strict/file_contexts/program/cyrus.fc @@ -0,0 +1,4 @@ +# cyrus +/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t +/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t +/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t diff --git a/strict/file_contexts/program/dante.fc b/strict/file_contexts/program/dante.fc new file mode 100644 index 0000000..ce7f335 --- /dev/null +++ b/strict/file_contexts/program/dante.fc @@ -0,0 +1,4 @@ +# dante +/usr/sbin/sockd -- system_u:object_r:dante_exec_t +/etc/socks(/.*)? system_u:object_r:dante_conf_t +/var/run/sockd.pid -- system_u:object_r:dante_var_run_t diff --git a/strict/file_contexts/program/dbskkd.fc b/strict/file_contexts/program/dbskkd.fc new file mode 100644 index 0000000..77ff4f1 --- /dev/null +++ b/strict/file_contexts/program/dbskkd.fc @@ -0,0 +1,2 @@ +# A dictionary server for the SKK Japanese input method system. +/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t diff --git a/strict/file_contexts/program/dbusd.fc b/strict/file_contexts/program/dbusd.fc new file mode 100644 index 0000000..9f56c33 --- /dev/null +++ b/strict/file_contexts/program/dbusd.fc @@ -0,0 +1,3 @@ +/usr/bin/dbus-daemon(-1)? -- system_u:object_r:system_dbusd_exec_t +/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc new file mode 100644 index 0000000..ba003c9 --- /dev/null +++ b/strict/file_contexts/program/ddclient.fc 
@@ -0,0 +1,11 @@ +# ddclient +/etc/ddclient\.conf -- system_u:object_r:ddclient_etc_t +/usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t +/var/cache/ddclient(/.*)? system_u:object_r:ddclient_var_t +/var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t +# ddt - Dynamic DNS client +/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t +/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t +/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t +/var/lib/ddt-client(/.*)? system_u:object_r:var_lib_ddclient_t +/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t diff --git a/strict/file_contexts/program/devfsd.fc b/strict/file_contexts/program/devfsd.fc new file mode 100644 index 0000000..7587e2e --- /dev/null +++ b/strict/file_contexts/program/devfsd.fc @@ -0,0 +1,4 @@ +# devfsd +/etc/devfs(/.*)? system_u:object_r:devfsd_etc_t +/sbin/devfsd.* -- system_u:object_r:devfsd_exec_t +/etc/init\.d/makedev -- system_u:object_r:devfsd_exec_t diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc new file mode 100644 index 0000000..4085e1d --- /dev/null +++ b/strict/file_contexts/program/dhcpc.fc @@ -0,0 +1,16 @@ +# dhcpcd +/etc/dhcpc.* system_u:object_r:dhcp_etc_t +/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t +/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t +/etc/dhclient-script -- system_u:object_r:dhcp_etc_t +/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t +/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t +/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t +/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t +/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t +# pump +/sbin/pump -- system_u:object_r:dhcpc_exec_t +ifdef(`dhcp_defined', `', ` +/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t +define(`dhcp_defined') +') diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc new file mode 100644 index 0000000..4e612cf --- /dev/null 
+++ b/strict/file_contexts/program/dhcpd.fc @@ -0,0 +1,33 @@ +# dhcpd +/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t +/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t +/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t +/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t +/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t +ifdef(`dhcp_defined', `', ` +/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t +define(`dhcp_defined') +') + +ifdef(`distro_gentoo', ` +/etc/dhcp -d system_u:object_r:dhcp_etc_t +/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t +/var/lib/dhcp -d system_u:object_r:dhcp_state_t +/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t +/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t + +# for the chroot setup +/chroot/dhcp -d system_u:object_r:root_t +/chroot/dhcp/dev -d system_u:object_r:device_t +/chroot/dhcp/etc -d system_u:object_r:etc_t +/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t +/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t +/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t +/chroot/dhcp/var -d system_u:object_r:var_t +/chroot/dhcp/var/run -d system_u:object_r:var_run_t +/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t +/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t +/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t +/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t +') + diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc new file mode 100644 index 0000000..75e4493 --- /dev/null +++ b/strict/file_contexts/program/dictd.fc @@ -0,0 +1,4 @@ +# dictd +/etc/dictd\.conf -- system_u:object_r:dictd_etc_t +/usr/sbin/dictd -- system_u:object_r:dictd_exec_t +/var/lib/dictd(/.*)? system_u:object_r:var_lib_dictd_t diff --git a/strict/file_contexts/program/distcc.fc b/strict/file_contexts/program/distcc.fc new file mode 100644 index 0000000..3ab9797 --- /dev/null 
+++ b/strict/file_contexts/program/distcc.fc @@ -0,0 +1,2 @@ +# distcc +/usr/bin/distccd -- system_u:object_r:distccd_exec_t diff --git a/strict/file_contexts/program/dmesg.fc b/strict/file_contexts/program/dmesg.fc new file mode 100644 index 0000000..2df5752 --- /dev/null +++ b/strict/file_contexts/program/dmesg.fc @@ -0,0 +1,2 @@ +# dmesg +/bin/dmesg -- system_u:object_r:dmesg_exec_t diff --git a/strict/file_contexts/program/dnsmasq.fc b/strict/file_contexts/program/dnsmasq.fc new file mode 100644 index 0000000..e1b1c35 --- /dev/null +++ b/strict/file_contexts/program/dnsmasq.fc @@ -0,0 +1,4 @@ +# dnsmasq +/usr/sbin/dnsmasq -- system_u:object_r:dnsmasq_exec_t +/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t +/var/run/dnsmasq\.pid -- system_u:object_r:dnsmasq_var_run_t diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc new file mode 100644 index 0000000..83fc652 --- /dev/null +++ b/strict/file_contexts/program/dovecot.fc @@ -0,0 +1,12 @@ +# for Dovecot POP and IMAP server +/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t +ifdef(`distro_redhat', ` +/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t +') +ifdef(`distro_debian', ` +/usr/lib/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t +') +/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t +/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t +/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t +/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc new file mode 100644 index 0000000..44f0f2c --- /dev/null +++ b/strict/file_contexts/program/dpkg.fc 
@@ -0,0 +1,50 @@ +# dpkg/dselect/apt +/etc/apt(/.*)? system_u:object_r:apt_etc_t +/etc/apt/listbugs(/.*)? system_u:object_r:apt_rw_etc_t +/usr/bin/apt-cache -- system_u:object_r:apt_exec_t +/usr/bin/apt-config -- system_u:object_r:apt_exec_t +/usr/bin/apt-get -- system_u:object_r:apt_exec_t +/usr/bin/dpkg -- system_u:object_r:dpkg_exec_t +/usr/sbin/dpkg-reconfigure -- system_u:object_r:dpkg_exec_t +/usr/bin/dselect -- system_u:object_r:dpkg_exec_t +/usr/bin/aptitude -- system_u:object_r:dpkg_exec_t +/usr/bin/update-menus -- system_u:object_r:install_menu_exec_t +/usr/lib(64)?/apt/methods/.+ -- system_u:object_r:apt_exec_t +/usr/lib(64)?/man-db(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/dpkg/.+ -- system_u:object_r:dpkg_exec_t +/usr/sbin/dpkg-preconfigure -- system_u:object_r:dpkg_exec_t +/usr/sbin/install-menu -- system_u:object_r:install_menu_exec_t +/usr/share/applnk(/.*)? system_u:object_r:debian_menu_t +/usr/share/debconf/.+ -- system_u:object_r:dpkg_exec_t +/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t +/usr/share/lintian/.+ -- system_u:object_r:bin_t +/usr/share/kernel-package/.+ -- system_u:object_r:bin_t +/usr/share/smartmontools/selftests -- system_u:object_r:bin_t +/usr/share/bug/[^/]+ -- system_u:object_r:bin_t +/var/cache/apt(/.*)? system_u:object_r:var_cache_apt_t +/var/cache/apt-listbugs(/.*)? system_u:object_r:var_cache_apt_t +/var/lib/apt(/.*)? system_u:object_r:apt_var_lib_t +/var/state/apt(/.*)? system_u:object_r:apt_var_lib_t +/var/lib/dpkg(/.*)? system_u:object_r:dpkg_var_lib_t +/var/lib/dpkg/(meth)?lock -- system_u:object_r:dpkg_lock_t +/var/lib/kde(/.*)? system_u:object_r:debian_menu_t +/var/spool/kdeapplnk(/.*)? system_u:object_r:debian_menu_t +/var/cache/debconf(/.*)? 
system_u:object_r:debconf_cache_t +/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t +/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t +/etc/kde2/.+\.sh -- system_u:object_r:install_menu_exec_t +/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t +/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t +/usr/share/dlint/digparse -- system_u:object_r:bin_t +/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t +/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t +/var/lib/defoma(/.*)? system_u:object_r:fonts_t +/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t +/usr/share/intltool-debian/.* -- system_u:object_r:bin_t +/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t +/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t +/usr/share/shorewall/.* -- system_u:object_r:bin_t +/usr/share/reportbug/.* -- system_u:object_r:bin_t +/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t +/usr/lib(64)?/gconf2/gconfd-2 -- system_u:object_r:bin_t +/bin/mountpoint -- system_u:object_r:fsadm_exec_t diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc new file mode 100644 index 0000000..fe0fd08 --- /dev/null +++ b/strict/file_contexts/program/fetchmail.fc @@ -0,0 +1,5 @@ +# fetchmail +/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t +/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t +/var/run/fetchmail(/.*)? -- system_u:object_r:fetchmail_var_run_t +/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t diff --git a/strict/file_contexts/program/fingerd.fc b/strict/file_contexts/program/fingerd.fc new file mode 100644 index 0000000..59cc062 --- /dev/null +++ b/strict/file_contexts/program/fingerd.fc 
@@ -0,0 +1,6 @@ +# fingerd +/usr/sbin/in\.fingerd -- system_u:object_r:fingerd_exec_t +/usr/sbin/[cef]fingerd -- system_u:object_r:fingerd_exec_t +/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t +/etc/cfingerd(/.*)? system_u:object_r:fingerd_etc_t +/var/log/cfingerd\.log.* -- system_u:object_r:fingerd_log_t diff --git a/strict/file_contexts/program/firstboot.fc b/strict/file_contexts/program/firstboot.fc new file mode 100644 index 0000000..ae3179d --- /dev/null +++ b/strict/file_contexts/program/firstboot.fc @@ -0,0 +1,4 @@ +# firstboot +/usr/sbin/firstboot -- system_u:object_r:firstboot_exec_t +/usr/share/firstboot system_u:object_r:firstboot_rw_t +/usr/share/firstboot/firstboot\.py -- system_u:object_r:firstboot_exec_t diff --git a/strict/file_contexts/program/fs_daemon.fc b/strict/file_contexts/program/fs_daemon.fc new file mode 100644 index 0000000..19ac531 --- /dev/null +++ b/strict/file_contexts/program/fs_daemon.fc @@ -0,0 +1,4 @@ +# fs admin daemons +/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t +/var/run/smartd\.pid -- system_u:object_r:fsdaemon_var_run_t +/etc/smartd\.conf -- system_u:object_r:etc_runtime_t diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc new file mode 100644 index 0000000..f755f4a --- /dev/null +++ b/strict/file_contexts/program/fsadm.fc 
@@ -0,0 +1,36 @@ +# fs admin utilities +/sbin/fsck.* -- system_u:object_r:fsadm_exec_t +/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t +/sbin/e2fsck -- system_u:object_r:fsadm_exec_t +/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t +/sbin/dosfsck -- system_u:object_r:fsadm_exec_t +/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t +/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t +/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t +/sbin/e2label -- system_u:object_r:fsadm_exec_t +/sbin/findfs -- system_u:object_r:fsadm_exec_t +/sbin/mkfs -- system_u:object_r:fsadm_exec_t +/sbin/mke2fs -- system_u:object_r:fsadm_exec_t +/sbin/mkswap -- system_u:object_r:fsadm_exec_t +/sbin/scsi_info -- system_u:object_r:fsadm_exec_t +/sbin/sfdisk -- system_u:object_r:fsadm_exec_t +/sbin/cfdisk -- system_u:object_r:fsadm_exec_t +/sbin/fdisk -- system_u:object_r:fsadm_exec_t +/sbin/parted -- system_u:object_r:fsadm_exec_t +/sbin/tune2fs -- system_u:object_r:fsadm_exec_t +/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t +/sbin/swapon.* -- system_u:object_r:fsadm_exec_t +/sbin/hdparm -- system_u:object_r:fsadm_exec_t +/sbin/raidstart -- system_u:object_r:fsadm_exec_t +/sbin/mkraid -- system_u:object_r:fsadm_exec_t +/sbin/blockdev -- system_u:object_r:fsadm_exec_t +/sbin/losetup.* -- system_u:object_r:fsadm_exec_t +/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t +/sbin/lsraid -- system_u:object_r:fsadm_exec_t +/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t +/sbin/install-mbr -- system_u:object_r:fsadm_exec_t +/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t +/usr/bin/raw -- system_u:object_r:fsadm_exec_t +/sbin/partx -- system_u:object_r:fsadm_exec_t +/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t +/sbin/partprobe -- system_u:object_r:fsadm_exec_t diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc new file mode 100644 index 0000000..0260197 --- /dev/null +++ b/strict/file_contexts/program/ftpd.fc 
@@ -0,0 +1,15 @@ +# ftpd +/usr/sbin/in\.ftpd -- system_u:object_r:ftpd_exec_t +/usr/sbin/proftpd -- system_u:object_r:ftpd_exec_t +/usr/sbin/muddleftpd -- system_u:object_r:ftpd_exec_t +/usr/sbin/ftpwho -- system_u:object_r:ftpd_exec_t +/usr/kerberos/sbin/ftpd -- system_u:object_r:ftpd_exec_t +/usr/sbin/vsftpd -- system_u:object_r:ftpd_exec_t +/etc/proftpd\.conf -- system_u:object_r:ftpd_etc_t +/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t +/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t +/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t +/var/log/xferlog.* -- system_u:object_r:xferlog_t +/var/log/xferreport.* -- system_u:object_r:xferlog_t +/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t +/var/ftp(/.*)? system_u:object_r:ftpd_anon_t diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc new file mode 100644 index 0000000..a4ab933 --- /dev/null +++ b/strict/file_contexts/program/games.fc 
@@ -0,0 +1,56 @@ +# games +/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t +/var/games(/.*)? system_u:object_r:games_data_t +/usr/games/.* -- system_u:object_r:games_exec_t +/var/lib/games(/.*)? system_u:object_r:games_data_t +/usr/bin/micq -- system_u:object_r:games_exec_t +/usr/bin/blackjack -- system_u:object_r:games_exec_t +/usr/bin/gataxx -- system_u:object_r:games_exec_t +/usr/bin/glines -- system_u:object_r:games_exec_t +/usr/bin/gnect -- system_u:object_r:games_exec_t +/usr/bin/gnibbles -- system_u:object_r:games_exec_t +/usr/bin/gnobots2 -- system_u:object_r:games_exec_t +/usr/bin/gnome-stones -- system_u:object_r:games_exec_t +/usr/bin/gnomine -- system_u:object_r:games_exec_t +/usr/bin/gnotravex -- system_u:object_r:games_exec_t +/usr/bin/gnotski -- system_u:object_r:games_exec_t +/usr/bin/gtali -- system_u:object_r:games_exec_t +/usr/bin/iagno -- system_u:object_r:games_exec_t +/usr/bin/mahjongg -- system_u:object_r:games_exec_t +/usr/bin/same-gnome -- system_u:object_r:games_exec_t +/usr/bin/sol -- system_u:object_r:games_exec_t +/usr/bin/atlantik -- system_u:object_r:games_exec_t +/usr/bin/kasteroids -- system_u:object_r:games_exec_t +/usr/bin/katomic -- system_u:object_r:games_exec_t +/usr/bin/kbackgammon -- system_u:object_r:games_exec_t +/usr/bin/kbattleship -- system_u:object_r:games_exec_t +/usr/bin/kblackbox -- system_u:object_r:games_exec_t +/usr/bin/kbounce -- system_u:object_r:games_exec_t +/usr/bin/kenolaba -- system_u:object_r:games_exec_t +/usr/bin/kfouleggs -- system_u:object_r:games_exec_t +/usr/bin/kgoldrunner -- system_u:object_r:games_exec_t +/usr/bin/kjumpingcube -- system_u:object_r:games_exec_t +/usr/bin/klickety -- system_u:object_r:games_exec_t +/usr/bin/klines -- system_u:object_r:games_exec_t +/usr/bin/kmahjongg -- system_u:object_r:games_exec_t +/usr/bin/kmines -- system_u:object_r:games_exec_t +/usr/bin/kolf -- system_u:object_r:games_exec_t +/usr/bin/konquest -- system_u:object_r:games_exec_t +/usr/bin/kpat -- 
system_u:object_r:games_exec_t +/usr/bin/kpoker -- system_u:object_r:games_exec_t +/usr/bin/kreversi -- system_u:object_r:games_exec_t +/usr/bin/ksame -- system_u:object_r:games_exec_t +/usr/bin/kshisen -- system_u:object_r:games_exec_t +/usr/bin/ksirtet -- system_u:object_r:games_exec_t +/usr/bin/ksmiletris -- system_u:object_r:games_exec_t +/usr/bin/ksnake -- system_u:object_r:games_exec_t +/usr/bin/ksokoban -- system_u:object_r:games_exec_t +/usr/bin/kspaceduel -- system_u:object_r:games_exec_t +/usr/bin/ktron -- system_u:object_r:games_exec_t +/usr/bin/ktuberling -- system_u:object_r:games_exec_t +/usr/bin/kwin4 -- system_u:object_r:games_exec_t +/usr/bin/kwin4proc -- system_u:object_r:games_exec_t +/usr/bin/lskat -- system_u:object_r:games_exec_t +/usr/bin/lskatproc -- system_u:object_r:games_exec_t +/usr/bin/Maelstrom -- system_u:object_r:games_exec_t + diff --git a/strict/file_contexts/program/gatekeeper.fc b/strict/file_contexts/program/gatekeeper.fc new file mode 100644 index 0000000..e51491a --- /dev/null +++ b/strict/file_contexts/program/gatekeeper.fc @@ -0,0 +1,7 @@ +# gatekeeper +/etc/gatekeeper\.ini -- system_u:object_r:gatekeeper_etc_t +/usr/sbin/gk -- system_u:object_r:gatekeeper_exec_t +/usr/sbin/gnugk -- system_u:object_r:gatekeeper_exec_t +/var/run/gk\.pid -- system_u:object_r:gatekeeper_var_run_t +/var/run/gnugk(/.*)? system_u:object_r:gatekeeper_var_run_t +/var/log/gnugk(/.*)? system_u:object_r:gatekeeper_log_t diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc new file mode 100644 index 0000000..f908221 --- /dev/null +++ b/strict/file_contexts/program/getty.fc @@ -0,0 +1,3 @@ +# getty +/sbin/.*getty -- system_u:object_r:getty_exec_t +/etc/mgetty(/.*)? system_u:object_r:getty_etc_t diff --git a/strict/file_contexts/program/gift.fc b/strict/file_contexts/program/gift.fc new file mode 100644 index 0000000..88ed5f2 --- /dev/null +++ b/strict/file_contexts/program/gift.fc 
@@ -0,0 +1,5 @@ +/usr/(local/)?bin/giftd -- system_u:object_r:giftd_exec_t +/usr/(local/)?bin/giftui -- system_u:object_r:gift_exec_t +/usr/(local/)?bin/giFToxic -- system_u:object_r:gift_exec_t +/usr/(local/)?bin/apollon -- system_u:object_r:gift_exec_t +HOME_DIR/\.giFT(/.*)? system_u:object_r:ROLE_gift_home_t diff --git a/strict/file_contexts/program/gnome-pty-helper.fc b/strict/file_contexts/program/gnome-pty-helper.fc new file mode 100644 index 0000000..24a0b1b --- /dev/null +++ b/strict/file_contexts/program/gnome-pty-helper.fc @@ -0,0 +1,3 @@ +# gnome-pty-helper +/usr/sbin/gnome-pty-helper -- system_u:object_r:gph_exec_t +/usr/lib(64)?/vte/gnome-pty-helper -- system_u:object_r:gph_exec_t diff --git a/strict/file_contexts/program/gpg-agent.fc b/strict/file_contexts/program/gpg-agent.fc new file mode 100644 index 0000000..bb25b63 --- /dev/null +++ b/strict/file_contexts/program/gpg-agent.fc @@ -0,0 +1,3 @@ +# gpg-agent +/usr/bin/gpg-agent -- system_u:object_r:gpg_agent_exec_t +/usr/bin/pinentry.* -- system_u:object_r:pinentry_exec_t diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc new file mode 100644 index 0000000..1cc9508 --- /dev/null +++ b/strict/file_contexts/program/gpg.fc @@ -0,0 +1,5 @@ +# gpg +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t +/usr/bin/gpg -- system_u:object_r:gpg_exec_t +/usr/bin/kgpg -- system_u:object_r:gpg_exec_t +/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t diff --git a/strict/file_contexts/program/gpm.fc b/strict/file_contexts/program/gpm.fc new file mode 100644 index 0000000..b681881 --- /dev/null +++ b/strict/file_contexts/program/gpm.fc @@ -0,0 +1,5 @@ +# gpm +/dev/gpmctl -s system_u:object_r:gpmctl_t +/dev/gpmdata -p system_u:object_r:gpmctl_t +/usr/sbin/gpm -- system_u:object_r:gpm_exec_t +/etc/gpm(/.*)? system_u:object_r:gpm_conf_t 
diff --git a/strict/file_contexts/program/groupadd.fc b/strict/file_contexts/program/groupadd.fc new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/strict/file_contexts/program/groupadd.fc diff --git a/strict/file_contexts/program/hald.fc b/strict/file_contexts/program/hald.fc new file mode 100644 index 0000000..ca142cf --- /dev/null +++ b/strict/file_contexts/program/hald.fc @@ -0,0 +1,6 @@ +# hald - hardware information daemon +/usr/sbin/hald -- system_u:object_r:hald_exec_t +/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t +/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t +/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t +/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t diff --git a/strict/file_contexts/program/hostname.fc b/strict/file_contexts/program/hostname.fc new file mode 100644 index 0000000..685e74e --- /dev/null +++ b/strict/file_contexts/program/hostname.fc @@ -0,0 +1 @@ +/bin/hostname -- system_u:object_r:hostname_exec_t diff --git a/strict/file_contexts/program/hotplug.fc b/strict/file_contexts/program/hotplug.fc new file mode 100644 index 0000000..78f844b --- /dev/null +++ b/strict/file_contexts/program/hotplug.fc @@ -0,0 +1,13 @@ +# hotplug +/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t +/sbin/hotplug -- system_u:object_r:hotplug_exec_t +/sbin/netplugd -- system_u:object_r:hotplug_exec_t +/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t +/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t +/etc/netplug\.d(/.*)? system_u:object_r:sbin_t +/etc/hotplug/.*agent -- system_u:object_r:sbin_t +/etc/hotplug/.*rc -- system_u:object_r:sbin_t +/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t +/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t +/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t +/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t 
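Review bot: in hotplug.fc, `/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t` leaves the dot unescaped, unlike `/etc/hotplug/hotplug\.functions` in the same hunk. This line exists only to carve one script out of the broader `/etc/hotplug/.*agent -- system_u:object_r:sbin_t`, and an override that is meant to be exact should be written exactly: `/etc/hotplug/firmware\.agent -- system_u:object_r:hotplug_exec_t`. The hunk also labels `/etc/hotplug\.d/.*` as hotplug_exec_t and then `/etc/hotplug\.d/default/default.*` and `/etc/netplug\.d(/.*)?` as sbin_t; a one-line comment on why those scripts are kept out of the hotplug domain (they are presumably run by something that is already in it) would save the next reader from guessing.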
diff --git a/strict/file_contexts/program/howl.fc b/strict/file_contexts/program/howl.fc new file mode 100644 index 0000000..bbdb03f --- /dev/null +++ b/strict/file_contexts/program/howl.fc @@ -0,0 +1,3 @@ +/usr/bin/nifd -- system_u:object_r:howl_exec_t +/usr/bin/mDNSResponder -- system_u:object_r:howl_exec_t +/var/run/nifd\.pid -- system_u:object_r:howl_var_run_t diff --git a/strict/file_contexts/program/hwclock.fc b/strict/file_contexts/program/hwclock.fc new file mode 100644 index 0000000..2193e15 --- /dev/null +++ b/strict/file_contexts/program/hwclock.fc @@ -0,0 +1,3 @@ +# hwclock +/sbin/hwclock -- system_u:object_r:hwclock_exec_t +/etc/adjtime -- system_u:object_r:adjtime_t diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc new file mode 100644 index 0000000..41379d0 --- /dev/null +++ b/strict/file_contexts/program/i18n_input.fc @@ -0,0 +1,7 @@ +# i18n_input.fc +/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t +/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t +/usr/bin/httx -- system_u:object_r:i18n_input_exec_t +/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t +/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t +/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t diff --git a/strict/file_contexts/program/ifconfig.fc b/strict/file_contexts/program/ifconfig.fc new file mode 100644 index 0000000..547558e --- /dev/null +++ b/strict/file_contexts/program/ifconfig.fc 
@@ -0,0 +1,12 @@ +# ifconfig +/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t +/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t +/sbin/ip -- system_u:object_r:ifconfig_exec_t +/sbin/tc -- system_u:object_r:ifconfig_exec_t +/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t +/bin/ip -- system_u:object_r:ifconfig_exec_t +/sbin/ethtool -- system_u:object_r:ifconfig_exec_t +/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t diff --git a/strict/file_contexts/program/imazesrv.fc b/strict/file_contexts/program/imazesrv.fc new file mode 100644 index 0000000..dae194e --- /dev/null +++ b/strict/file_contexts/program/imazesrv.fc @@ -0,0 +1,4 @@ +# imazesrv +/usr/share/games/imaze(/.*)? system_u:object_r:imazesrv_data_t +/usr/games/imazesrv -- system_u:object_r:imazesrv_exec_t +/var/log/imaze\.log -- system_u:object_r:imazesrv_log_t diff --git a/strict/file_contexts/program/inetd.fc b/strict/file_contexts/program/inetd.fc new file mode 100644 index 0000000..64b8c6c --- /dev/null +++ b/strict/file_contexts/program/inetd.fc @@ -0,0 +1,8 @@ +# inetd +/usr/sbin/inetd -- system_u:object_r:inetd_exec_t +/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t +/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t +/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t +/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t +/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t +/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t diff --git a/strict/file_contexts/program/init.fc b/strict/file_contexts/program/init.fc new file mode 100644 index 0000000..6342ad4 --- /dev/null +++ b/strict/file_contexts/program/init.fc @@ -0,0 +1,3 @@ +# init +/dev/initctl -p system_u:object_r:initctl_t +/sbin/init -- system_u:object_r:init_exec_t 
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc new file mode 100644 index 0000000..b23d55e --- /dev/null +++ b/strict/file_contexts/program/initrc.fc @@ -0,0 +1,39 @@ +# init rc scripts +ifdef(`targeted_policy', ` +/etc/X11/prefdm -- system_u:object_r:bin_t +', ` +/etc/X11/prefdm -- system_u:object_r:initrc_exec_t +') +/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t +/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t +/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t +/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t +/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t +/etc/init\.d/.* -- system_u:object_r:initrc_exec_t +/etc/init\.d/functions -- system_u:object_r:etc_t +/var/run/utmp -- system_u:object_r:initrc_var_run_t +/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t +/var/run/random-seed -- system_u:object_r:initrc_var_run_t +/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t +ifdef(`distro_suse', ` +/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t +/var/run/keymap -- system_u:object_r:initrc_var_run_t +/var/run/numlock-on -- system_u:object_r:initrc_var_run_t +') + +ifdef(`distro_gentoo', ` +/sbin/rc -- system_u:object_r:initrc_exec_t +/sbin/runscript -- system_u:object_r:initrc_exec_t +/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t +/var/lib/init\.d(/.*)? system_u:object_r:initrc_state_t +') + +# run_init +/usr/sbin/run_init -- system_u:object_r:run_init_exec_t +/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t +/etc/nologin.* -- system_u:object_r:etc_runtime_t +/etc/nohotplug -- system_u:object_r:etc_runtime_t +ifdef(`distro_redhat', ` +/halt -- system_u:object_r:etc_runtime_t +/\.autofsck -- system_u:object_r:etc_runtime_t +') diff --git a/strict/file_contexts/program/innd.fc b/strict/file_contexts/program/innd.fc new file mode 100644 index 0000000..f0413f9 --- /dev/null +++ b/strict/file_contexts/program/innd.fc 
@@ -0,0 +1,49 @@ +# innd +/usr/sbin/innd.* -- system_u:object_r:innd_exec_t +/usr/bin/rpost -- system_u:object_r:innd_exec_t +/usr/bin/suck -- system_u:object_r:innd_exec_t +/var/run/innd(/.*)? system_u:object_r:innd_var_run_t +/etc/news(/.*)? system_u:object_r:innd_etc_t +/etc/news/boot -- system_u:object_r:innd_exec_t +/var/spool/news(/.*)? system_u:object_r:news_spool_t +/var/log/news(/.*)? system_u:object_r:innd_log_t +/var/lib/news(/.*)? system_u:object_r:innd_var_lib_t +/var/run/news(/.*)? system_u:object_r:innd_var_run_t +/usr/sbin/in\.nnrpd -- system_u:object_r:innd_exec_t +/usr/bin/inews -- system_u:object_r:innd_exec_t +/usr/bin/rnews -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/news/bin/innd -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/actsync -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/archive -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/batcher -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/buffchan -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/convdate -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/ctlinnd -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/cvtbatch -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/expire -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/expireover -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/fastrm -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/filechan -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/getlist -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/grephistory -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/inews -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/innconfval -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/inndf -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/inndstart -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/innfeed -- system_u:object_r:innd_exec_t 
+/usr/lib(64)?/news/bin/innxbatch -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/innxmit -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/makedbz -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/makehistory -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/newsrequeue -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/nnrpd -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/nntpget -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/ovdb_recover -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/overchan -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/prunehistory -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/rnews -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/shlock -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/shrinkfile -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/sm -- system_u:object_r:innd_exec_t +/usr/lib(64)?/news/bin/startinnfeed -- system_u:object_r:innd_exec_t diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc new file mode 100644 index 0000000..7df06bb --- /dev/null +++ b/strict/file_contexts/program/ipsec.fc 
@@ -0,0 +1,31 @@ +# IPSEC utilities and daemon. + +/etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t +/etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t +/etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t +/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t +/usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t +/usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t +/usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t +/usr/local/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t +/usr/libexec/ipsec/eroute -- system_u:object_r:ipsec_exec_t +/usr/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t +/usr/local/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t +/usr/libexec/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t +/usr/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t +/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t +/usr/libexec/ipsec/pluto -- system_u:object_r:ipsec_exec_t +/usr/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t +/usr/local/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t +/usr/libexec/ipsec/spi -- system_u:object_r:ipsec_exec_t +/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t +/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t +/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t + +# Kame +/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t +/usr/sbin/setkey -- system_u:object_r:ipsec_exec_t +/sbin/setkey -- system_u:object_r:ipsec_exec_t +/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t +/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t +/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t diff --git a/strict/file_contexts/program/iptables.fc b/strict/file_contexts/program/iptables.fc new file mode 100644 index 0000000..3dcde2e --- /dev/null +++ b/strict/file_contexts/program/iptables.fc 
@@ -0,0 +1,8 @@ +# iptables +/sbin/ipchains.* -- system_u:object_r:iptables_exec_t +/sbin/iptables.* -- system_u:object_r:iptables_exec_t +/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t +/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t +/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t +/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t + diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc new file mode 100644 index 0000000..5086de7 --- /dev/null +++ b/strict/file_contexts/program/irc.fc @@ -0,0 +1,5 @@ +# irc clients +/usr/bin/[st]irc -- system_u:object_r:irc_exec_t +/usr/bin/ircII -- system_u:object_r:irc_exec_t +/usr/bin/tinyirc -- system_u:object_r:irc_exec_t +HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_home_irc_t diff --git a/strict/file_contexts/program/ircd.fc b/strict/file_contexts/program/ircd.fc new file mode 100644 index 0000000..2ef668c --- /dev/null +++ b/strict/file_contexts/program/ircd.fc @@ -0,0 +1,6 @@ +# ircd - irc server +/usr/sbin/(dancer-)?ircd -- system_u:object_r:ircd_exec_t +/etc/(dancer-)?ircd(/.*)? system_u:object_r:ircd_etc_t +/var/log/(dancer-)?ircd(/.*)? system_u:object_r:ircd_log_t +/var/lib/dancer-ircd(/.*)? system_u:object_r:ircd_var_lib_t +/var/run/dancer-ircd(/.*)? system_u:object_r:ircd_var_run_t diff --git a/strict/file_contexts/program/irqbalance.fc b/strict/file_contexts/program/irqbalance.fc new file mode 100644 index 0000000..c849491 --- /dev/null +++ b/strict/file_contexts/program/irqbalance.fc @@ -0,0 +1,2 @@ +# irqbalance +/usr/sbin/irqbalance -- system_u:object_r:irqbalance_exec_t diff --git a/strict/file_contexts/program/jabberd.fc b/strict/file_contexts/program/jabberd.fc new file mode 100644 index 0000000..c614cb8 --- /dev/null +++ b/strict/file_contexts/program/jabberd.fc 
@@ -0,0 +1,4 @@ +# jabberd +/usr/sbin/jabberd -- system_u:object_r:jabberd_exec_t +/var/lib/jabber(/.*)? system_u:object_r:jabberd_var_lib_t +/var/log/jabber(/.*)? system_u:object_r:jabberd_log_t diff --git a/strict/file_contexts/program/java.fc b/strict/file_contexts/program/java.fc new file mode 100644 index 0000000..8edf85b --- /dev/null +++ b/strict/file_contexts/program/java.fc @@ -0,0 +1,2 @@ +# java +/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc new file mode 100644 index 0000000..06adff4 --- /dev/null +++ b/strict/file_contexts/program/kerberos.fc @@ -0,0 +1,11 @@ +# MIT Kerberos krbkdc, kadmind +/etc/krb5\.keytab system_u:object_r:krb5_keytab_t +/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t +/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t +/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t +/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t +/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t +/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t +/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t +/var/log/kadmind\.log system_u:object_r:kadmind_log_t +/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t diff --git a/strict/file_contexts/program/klogd.fc b/strict/file_contexts/program/klogd.fc new file mode 100644 index 0000000..c06679d --- /dev/null +++ b/strict/file_contexts/program/klogd.fc @@ -0,0 +1,4 @@ +# klogd +/sbin/klogd -- system_u:object_r:klogd_exec_t +/usr/sbin/klogd -- system_u:object_r:klogd_exec_t +/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t diff --git a/strict/file_contexts/program/ktalkd.fc b/strict/file_contexts/program/ktalkd.fc new file mode 100644 index 0000000..525c7a2 --- /dev/null +++ b/strict/file_contexts/program/ktalkd.fc 
@@ -0,0 +1,2 @@ +# kde talk daemon +/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc new file mode 100644 index 0000000..eed8191 --- /dev/null +++ b/strict/file_contexts/program/kudzu.fc @@ -0,0 +1,3 @@ +# kudzu +/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t +/sbin/kmodule -- system_u:object_r:kudzu_exec_t diff --git a/strict/file_contexts/program/lcd.fc b/strict/file_contexts/program/lcd.fc new file mode 100644 index 0000000..4294d44 --- /dev/null +++ b/strict/file_contexts/program/lcd.fc @@ -0,0 +1,2 @@ +# lcd +/usr/sbin/lcd.* -- system_u:object_r:lcd_exec_t diff --git a/strict/file_contexts/program/ldconfig.fc b/strict/file_contexts/program/ldconfig.fc new file mode 100644 index 0000000..040a60a --- /dev/null +++ b/strict/file_contexts/program/ldconfig.fc @@ -0,0 +1 @@ +/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t diff --git a/strict/file_contexts/program/load_policy.fc b/strict/file_contexts/program/load_policy.fc new file mode 100644 index 0000000..5a8981c --- /dev/null +++ b/strict/file_contexts/program/load_policy.fc @@ -0,0 +1,3 @@ +# load_policy +/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t +/sbin/load_policy -- system_u:object_r:load_policy_exec_t diff --git a/strict/file_contexts/program/loadkeys.fc b/strict/file_contexts/program/loadkeys.fc new file mode 100644 index 0000000..f440f3c --- /dev/null +++ b/strict/file_contexts/program/loadkeys.fc @@ -0,0 +1,3 @@ +# loadkeys +/bin/unikeys -- system_u:object_r:loadkeys_exec_t +/bin/loadkeys -- system_u:object_r:loadkeys_exec_t diff --git a/strict/file_contexts/program/lockdev.fc b/strict/file_contexts/program/lockdev.fc new file mode 100644 index 0000000..9185bec --- /dev/null +++ b/strict/file_contexts/program/lockdev.fc @@ -0,0 +1,2 @@ +# lockdev +/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t 
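Review bot: in java.fc, `/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t` is far broader than any other executable entry in this patch: `(/.*)?` lets it match a `bin/` directory at any depth under /usr, and the trailing `.*` after `java` matches every regular file whose name merely begins with those four letters (javac, javadoc, javah, and any unrelated third-party tool that happens to start with `java`). All of them would be labelled java_exec_t and run in the java domain. If that is intended, say so in the comment; otherwise drop the trailing `.*` (file_contexts patterns are already anchored at both ends) and list the JDK tools that should share the domain explicitly, the way ifconfig.fc enumerates its binaries one per line.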
diff --git a/strict/file_contexts/program/login.fc b/strict/file_contexts/program/login.fc new file mode 100644 index 0000000..2f0ea0c --- /dev/null +++ b/strict/file_contexts/program/login.fc @@ -0,0 +1,3 @@ +# login +/bin/login -- system_u:object_r:login_exec_t +/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t diff --git a/strict/file_contexts/program/logrotate.fc b/strict/file_contexts/program/logrotate.fc new file mode 100644 index 0000000..a7c9ea3 --- /dev/null +++ b/strict/file_contexts/program/logrotate.fc @@ -0,0 +1,13 @@ +# logrotate +/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t +/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t +ifdef(`distro_debian', ` +/usr/bin/savelog -- system_u:object_r:logrotate_exec_t +/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t +', ` +/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t +') +/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t +/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t +# using a hard-coded name under /var/tmp is a bug - new version fixes it +/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t diff --git a/strict/file_contexts/program/lpd.fc b/strict/file_contexts/program/lpd.fc new file mode 100644 index 0000000..eb9f8d9 --- /dev/null +++ b/strict/file_contexts/program/lpd.fc @@ -0,0 +1,8 @@ +# lpd +/dev/printer -s system_u:object_r:printer_t +/usr/sbin/lpd -- system_u:object_r:lpd_exec_t +/usr/sbin/checkpc -- system_u:object_r:checkpc_exec_t +/var/spool/lpd(/.*)? system_u:object_r:print_spool_t +/usr/share/printconf/.* -- system_u:object_r:printconf_t +/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t +/var/run/lprng(/.*)? system_u:object_r:lpd_var_run_t diff --git a/strict/file_contexts/program/lpr.fc b/strict/file_contexts/program/lpr.fc new file mode 100644 index 0000000..618ddcc --- /dev/null +++ b/strict/file_contexts/program/lpr.fc 
@@ -0,0 +1,4 @@ +# lp utilities. +/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t +/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t +/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t diff --git a/strict/file_contexts/program/lrrd.fc b/strict/file_contexts/program/lrrd.fc new file mode 100644 index 0000000..08494fc --- /dev/null +++ b/strict/file_contexts/program/lrrd.fc @@ -0,0 +1,10 @@ +# lrrd +/usr/bin/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/sbin/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/share/lrrd/lrrd-.* -- system_u:object_r:lrrd_exec_t +/usr/share/lrrd/plugins/.* -- system_u:object_r:lrrd_exec_t +/var/run/lrrd(/.*)? system_u:object_r:lrrd_var_run_t +/var/log/lrrd.* -- system_u:object_r:lrrd_log_t +/var/lib/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t +/var/www/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t +/etc/lrrd(/.*)? system_u:object_r:lrrd_etc_t diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc new file mode 100644 index 0000000..fc65c44 --- /dev/null +++ b/strict/file_contexts/program/lvm.fc 
@@ -0,0 +1,67 @@ +# lvm +/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t +/etc/lvm(/.*)? system_u:object_r:lvm_etc_t +/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t +/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t +/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t +/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t +/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t +# LVM creates lock files in /var before /var is mounted +# configure LVM to put lockfiles in /etc/lvm/lock instead +# for this policy to work (unless you have no separate /var) +/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t +/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t +/dev/lvm -c system_u:object_r:fixed_disk_device_t +/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t +/dev/mapper/control -c system_u:object_r:lvm_control_t +/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t +/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t +/sbin/e2fsadm -- system_u:object_r:lvm_exec_t +/sbin/lvchange -- system_u:object_r:lvm_exec_t +/sbin/lvcreate -- system_u:object_r:lvm_exec_t +/sbin/lvdisplay -- system_u:object_r:lvm_exec_t +/sbin/lvextend -- system_u:object_r:lvm_exec_t +/sbin/lvmchange -- system_u:object_r:lvm_exec_t +/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t +/sbin/lvmsadc -- system_u:object_r:lvm_exec_t +/sbin/lvmsar -- system_u:object_r:lvm_exec_t +/sbin/lvreduce -- system_u:object_r:lvm_exec_t +/sbin/lvremove -- system_u:object_r:lvm_exec_t +/sbin/lvrename -- system_u:object_r:lvm_exec_t +/sbin/lvscan -- system_u:object_r:lvm_exec_t +/sbin/pvchange -- system_u:object_r:lvm_exec_t +/sbin/pvcreate -- system_u:object_r:lvm_exec_t +/sbin/pvdata -- system_u:object_r:lvm_exec_t +/sbin/pvdisplay -- system_u:object_r:lvm_exec_t +/sbin/pvmove -- system_u:object_r:lvm_exec_t +/sbin/pvscan -- system_u:object_r:lvm_exec_t +/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t +/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t +/sbin/vgchange -- system_u:object_r:lvm_exec_t 
+/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t +/sbin/vgck -- system_u:object_r:lvm_exec_t +/sbin/vgcreate -- system_u:object_r:lvm_exec_t +/sbin/vgdisplay -- system_u:object_r:lvm_exec_t +/sbin/vgexport -- system_u:object_r:lvm_exec_t +/sbin/vgextend -- system_u:object_r:lvm_exec_t +/sbin/vgimport -- system_u:object_r:lvm_exec_t +/sbin/vgmerge -- system_u:object_r:lvm_exec_t +/sbin/vgmknodes -- system_u:object_r:lvm_exec_t +/sbin/vgreduce -- system_u:object_r:lvm_exec_t +/sbin/vgremove -- system_u:object_r:lvm_exec_t +/sbin/vgrename -- system_u:object_r:lvm_exec_t +/sbin/vgscan -- system_u:object_r:lvm_exec_t +/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t +/sbin/vgsplit -- system_u:object_r:lvm_exec_t +/sbin/vgwrapper -- system_u:object_r:lvm_exec_t +/sbin/cryptsetup -- system_u:object_r:lvm_exec_t +/sbin/dmsetup -- system_u:object_r:lvm_exec_t +/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t +/sbin/lvm -- system_u:object_r:lvm_exec_t +/sbin/lvm\.static -- system_u:object_r:lvm_exec_t +/usr/sbin/lvm -- system_u:object_r:lvm_exec_t +/sbin/lvresize -- system_u:object_r:lvm_exec_t +/sbin/lvs -- system_u:object_r:lvm_exec_t +/sbin/pvremove -- system_u:object_r:lvm_exec_t +/sbin/pvs -- system_u:object_r:lvm_exec_t +/sbin/vgs -- system_u:object_r:lvm_exec_t diff --git a/strict/file_contexts/program/mailman.fc b/strict/file_contexts/program/mailman.fc new file mode 100644 index 0000000..68fa8dd --- /dev/null +++ b/strict/file_contexts/program/mailman.fc 
@@ -0,0 +1,24 @@ +# mailman list server +/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t +/var/log/mailman(/.*)? system_u:object_r:mailman_log_t +/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t +/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t +/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t +/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t + +ifdef(`distro_debian', ` +/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t +/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t +/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t +/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t +/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t +') + +ifdef(`distro_redhat', ` +/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t +/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t +/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t +/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t +/etc/mailman(/.*)? system_u:object_r:mailman_data_t +/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t +') diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc new file mode 100644 index 0000000..7ca9f0d --- /dev/null +++ b/strict/file_contexts/program/mdadm.fc @@ -0,0 +1,4 @@ +# mdadm - manage MD devices aka Linux Software Raid. +/sbin/mdmpd -- system_u:object_r:mdadm_exec_t +/sbin/mdadm -- system_u:object_r:mdadm_exec_t +/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t diff --git a/strict/file_contexts/program/modutil.fc b/strict/file_contexts/program/modutil.fc new file mode 100644 index 0000000..8fd81e1 --- /dev/null +++ b/strict/file_contexts/program/modutil.fc 
@@ -0,0 +1,14 @@ +# module utilities +/etc/modules\.conf.* -- system_u:object_r:modules_conf_t +/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t +/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t +/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t +/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t +/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t +/sbin/depmod.* -- system_u:object_r:depmod_exec_t +/sbin/modprobe.* -- system_u:object_r:insmod_exec_t +/sbin/insmod.* -- system_u:object_r:insmod_exec_t +/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t +/sbin/rmmod.* -- system_u:object_r:insmod_exec_t +/sbin/update-modules -- system_u:object_r:update_modules_exec_t +/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc new file mode 100644 index 0000000..0c00ab6 --- /dev/null +++ b/strict/file_contexts/program/monopd.fc @@ -0,0 +1,4 @@ +# monopd +/etc/monopd\.conf -- system_u:object_r:etc_monopd_t +/usr/sbin/monopd -- system_u:object_r:monopd_exec_t +/usr/share/monopd/games(/.*)? system_u:object_r:share_monopd_t diff --git a/strict/file_contexts/program/mount.fc b/strict/file_contexts/program/mount.fc new file mode 100644 index 0000000..7b1ca14 --- /dev/null +++ b/strict/file_contexts/program/mount.fc @@ -0,0 +1,3 @@ +# mount +/bin/mount.* -- system_u:object_r:mount_exec_t +/bin/umount.* -- system_u:object_r:mount_exec_t diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc new file mode 100644 index 0000000..7a8c13c --- /dev/null +++ b/strict/file_contexts/program/mozilla.fc 
@@ -0,0 +1,25 @@ +# netscape/mozilla +HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t +HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t +/usr/bin/netscape -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t +/usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t +/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t +/etc/mozpluggerrc system_u:object_r:mozilla_conf_t diff --git a/strict/file_contexts/program/mplayer.fc b/strict/file_contexts/program/mplayer.fc new file mode 100644 index 0000000..10465aa --- /dev/null +++ b/strict/file_contexts/program/mplayer.fc 
@@ -0,0 +1,6 @@ +# mplayer +/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t +/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t + +/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t +HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc new file mode 100644 index 0000000..9d00476 --- /dev/null +++ b/strict/file_contexts/program/mrtg.fc @@ -0,0 +1,7 @@ +# mrtg - traffic grapher +/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t +/var/lib/mrtg(/.*)? system_u:object_r:var_lib_mrtg_t +/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t +/etc/mrtg.* system_u:object_r:mrtg_etc_t +/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t +/var/log/mrtg(/.*)? system_u:object_r:mrtg_log_t diff --git a/strict/file_contexts/program/mta.fc b/strict/file_contexts/program/mta.fc new file mode 100644 index 0000000..88aa3f6 --- /dev/null +++ b/strict/file_contexts/program/mta.fc @@ -0,0 +1,12 @@ +# types for general mail servers +/usr/sbin/sendmail(.sendmail)? -- system_u:object_r:sendmail_exec_t +/usr/lib(64)?/sendmail -- system_u:object_r:sendmail_exec_t +/etc/aliases -- system_u:object_r:etc_aliases_t +/etc/aliases\.db -- system_u:object_r:etc_aliases_t +/var/spool/mail(/.*)? system_u:object_r:mail_spool_t +/var/mail(/.*)? system_u:object_r:mail_spool_t +ifdef(`postfix.te', `', ` +/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t +/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t +') + diff --git a/strict/file_contexts/program/mysqld.fc b/strict/file_contexts/program/mysqld.fc new file mode 100644 index 0000000..0ad8746 --- /dev/null +++ b/strict/file_contexts/program/mysqld.fc 
@@ -0,0 +1,12 @@ +# mysql database server +/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t +/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t +/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t +/var/log/mysql.* -- system_u:object_r:mysqld_log_t +/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t +/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t +/etc/my\.cnf -- system_u:object_r:mysqld_etc_t +/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t +ifdef(`distro_debian', ` +/etc/mysql/debian-start -- system_u:object_r:bin_t +') diff --git a/strict/file_contexts/program/nagios.fc b/strict/file_contexts/program/nagios.fc new file mode 100644 index 0000000..6a8a22d --- /dev/null +++ b/strict/file_contexts/program/nagios.fc @@ -0,0 +1,15 @@ +# nagios - network monitoring server +/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t +/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t +# nagios +ifdef(`distro_debian', ` +/usr/sbin/nagios -- system_u:object_r:nagios_exec_t +/usr/lib/cgi-bin/nagios/.+ -- system_u:object_r:nagios_cgi_exec_t +', ` +/usr/bin/nagios -- system_u:object_r:nagios_exec_t +/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t +') +/etc/nagios(/.*)? system_u:object_r:nagios_etc_t +/var/log/nagios(/.*)? system_u:object_r:nagios_log_t +/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc new file mode 100644 index 0000000..b39ec8f --- /dev/null +++ b/strict/file_contexts/program/named.fc 
@@ -0,0 +1,46 @@ +# named +ifdef(`distro_redhat', ` +/var/named(/.*)? system_u:object_r:named_zone_t +/var/named/slaves(/.*)? system_u:object_r:named_cache_t +/var/named/data(/.*)? system_u:object_r:named_cache_t +/etc/named\.conf -- system_u:object_r:named_conf_t +') dnl end distro_redhat + +ifdef(`distro_debian', ` +/etc/bind(/.*)? system_u:object_r:named_zone_t +/etc/bind/named\.conf -- system_u:object_r:named_conf_t +/etc/bind/rndc\.key -- system_u:object_r:named_conf_t +/var/cache/bind(/.*)? system_u:object_r:named_cache_t +') dnl distro_debian + +/etc/rndc.* -- system_u:object_r:named_conf_t +/etc/rndc.key -- system_u:object_r:dnssec_t +/usr/sbin/named -- system_u:object_r:named_exec_t +/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t +/var/run/ndc -s system_u:object_r:named_var_run_t +/var/run/bind(/.*)? system_u:object_r:named_var_run_t +/var/run/named(/.*)? system_u:object_r:named_var_run_t +/usr/sbin/lwresd -- system_u:object_r:named_exec_t +ifdef(`distro_redhat', ` +/var/named/named\.ca -- system_u:object_r:named_conf_t +/var/named/chroot(/.*)? system_u:object_r:named_conf_t +/var/named/chroot/dev/null -c system_u:object_r:null_device_t +/var/named/chroot/dev/random -c system_u:object_r:random_device_t +/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t +/var/named/chroot/etc(/.*)? system_u:object_r:named_conf_t +/var/named/chroot/etc/rndc.key -- system_u:object_r:dnssec_t +/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t +/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t +/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t +/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t +/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t +/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t +') dnl distro_redhat + +ifdef(`distro_gentoo', ` +/etc/bind(/.*)? 
system_u:object_r:named_zone_t +/etc/bind/named\.conf -- system_u:object_r:named_conf_t +/etc/bind/rndc\.key -- system_u:object_r:named_conf_t +/var/bind(/.*)? system_u:object_r:named_cache_t +/var/bind/pri(/.*)? system_u:object_r:named_zone_t +') dnl distro_gentoo diff --git a/strict/file_contexts/program/nessusd.fc b/strict/file_contexts/program/nessusd.fc new file mode 100644 index 0000000..adec00b --- /dev/null +++ b/strict/file_contexts/program/nessusd.fc @@ -0,0 +1,6 @@ +# nessusd - network scanning server +/usr/sbin/nessusd -- system_u:object_r:nessusd_exec_t +/usr/lib(64)?/nessus/plugins/.* -- system_u:object_r:nessusd_exec_t +/var/lib/nessus(/.*)? system_u:object_r:nessusd_db_t +/var/log/nessus(/.*)? system_u:object_r:nessusd_log_t +/etc/nessus/nessusd\.conf -- system_u:object_r:nessusd_etc_t diff --git a/strict/file_contexts/program/netutils.fc b/strict/file_contexts/program/netutils.fc new file mode 100644 index 0000000..7aa0694 --- /dev/null +++ b/strict/file_contexts/program/netutils.fc @@ -0,0 +1,4 @@ +# network utilities +/sbin/arping -- system_u:object_r:netutils_exec_t +/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t +/etc/network/ifstate -- system_u:object_r:etc_runtime_t diff --git a/strict/file_contexts/program/newrole.fc b/strict/file_contexts/program/newrole.fc new file mode 100644 index 0000000..5535bde --- /dev/null +++ b/strict/file_contexts/program/newrole.fc @@ -0,0 +1,2 @@ +# newrole +/usr/bin/newrole -- system_u:object_r:newrole_exec_t diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc new file mode 100644 index 0000000..be74d33 --- /dev/null +++ b/strict/file_contexts/program/nrpe.fc @@ -0,0 +1,7 @@ +# nrpe +/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t +/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t +ifdef(`nagios.te', `', ` +/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t +/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t +') 
diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc new file mode 100644 index 0000000..aa24987 --- /dev/null +++ b/strict/file_contexts/program/nscd.fc @@ -0,0 +1,6 @@ +# nscd +/usr/sbin/nscd -- system_u:object_r:nscd_exec_t +/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t +/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t +/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t +/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t diff --git a/strict/file_contexts/program/nsd.fc b/strict/file_contexts/program/nsd.fc new file mode 100644 index 0000000..43b49fe --- /dev/null +++ b/strict/file_contexts/program/nsd.fc @@ -0,0 +1,12 @@ +# nsd +/etc/nsd(/.*)? system_u:object_r:nsd_conf_t +/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t +/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t +/etc/nsd/nsd\.db -- system_u:object_r:nsd_db_t +/var/lib/nsd(/.*)? system_u:object_r:nsd_zone_t +/var/lib/nsd/nsd\.db -- system_u:object_r:nsd_db_t +/usr/sbin/nsd -- system_u:object_r:nsd_exec_t +/usr/sbin/nsdc -- system_u:object_r:nsd_exec_t +/usr/sbin/nsd-notify -- system_u:object_r:nsd_exec_t +/usr/sbin/zonec -- system_u:object_r:nsd_exec_t +/var/run/nsd\.pid -- system_u:object_r:nsd_var_run_t diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc new file mode 100644 index 0000000..3b178b4 --- /dev/null +++ b/strict/file_contexts/program/ntpd.fc 
@@ -0,0 +1,12 @@ +/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t +/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t +/etc/ntp(d)?\.conf(.sv)? -- system_u:object_r:net_conf_t +/etc/ntp/step-tickers -- system_u:object_r:net_conf_t +/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t +/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t +/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t +/var/log/ntp.* -- system_u:object_r:ntpd_log_t +/var/log/xntpd.* -- system_u:object_r:ntpd_log_t +/var/run/ntpd\.pid -- system_u:object_r:ntpd_var_run_t +/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t +/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t diff --git a/strict/file_contexts/program/oav-update.fc b/strict/file_contexts/program/oav-update.fc new file mode 100644 index 0000000..5e88a02 --- /dev/null +++ b/strict/file_contexts/program/oav-update.fc @@ -0,0 +1,4 @@ +/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t +/var/lib/oav-update(/.*)? system_u:object_r:oav_update_var_lib_t +/usr/sbin/oav-update -- system_u:object_r:oav_update_exec_t +/etc/oav-update(/.*)? system_u:object_r:oav_update_etc_t diff --git a/strict/file_contexts/program/openca-ca.fc b/strict/file_contexts/program/openca-ca.fc new file mode 100644 index 0000000..99ddefe --- /dev/null +++ b/strict/file_contexts/program/openca-ca.fc @@ -0,0 +1,8 @@ +/etc/openca(/.*)? system_u:object_r:openca_etc_t +/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t +/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t +/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t +/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t +/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t +/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t +/usr/share/openca/cgi-bin/ca/.+ -- system_u:object_r:openca_ca_exec_t 
diff --git a/strict/file_contexts/program/openca-common.fc b/strict/file_contexts/program/openca-common.fc new file mode 100644 index 0000000..b75952f --- /dev/null +++ b/strict/file_contexts/program/openca-common.fc @@ -0,0 +1,7 @@ +/etc/openca(/.*)? system_u:object_r:openca_etc_t +/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t +/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t +/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t +/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t +/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t +/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc new file mode 100644 index 0000000..ba84de2 --- /dev/null +++ b/strict/file_contexts/program/openvpn.fc @@ -0,0 +1,4 @@ +# OpenVPN + +/etc/openvpn(/.*)? -- system_u:object_r:openvpn_etc_t +/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t diff --git a/strict/file_contexts/program/pam.fc b/strict/file_contexts/program/pam.fc new file mode 100644 index 0000000..7209276 --- /dev/null +++ b/strict/file_contexts/program/pam.fc @@ -0,0 +1,3 @@ +/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t +/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t +/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t diff --git a/strict/file_contexts/program/pamconsole.fc b/strict/file_contexts/program/pamconsole.fc new file mode 100644 index 0000000..75c8c55 --- /dev/null +++ b/strict/file_contexts/program/pamconsole.fc @@ -0,0 +1,3 @@ +# pam_console_apply +/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t +/var/run/console(/.*)? system_u:object_r:pam_var_console_t diff --git a/strict/file_contexts/program/passwd.fc b/strict/file_contexts/program/passwd.fc new file mode 100644 index 0000000..e8d3d06 --- /dev/null +++ b/strict/file_contexts/program/passwd.fc 
@@ -0,0 +1,13 @@ +# spasswd +/usr/bin/passwd -- system_u:object_r:passwd_exec_t +/usr/bin/chage -- system_u:object_r:passwd_exec_t +/usr/bin/chsh -- system_u:object_r:chfn_exec_t +/usr/bin/chfn -- system_u:object_r:chfn_exec_t +/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t +/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t +/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t diff --git a/strict/file_contexts/program/perdition.fc b/strict/file_contexts/program/perdition.fc new file mode 100644 index 0000000..a2d2adb --- /dev/null +++ b/strict/file_contexts/program/perdition.fc @@ -0,0 +1,3 @@ +# perdition POP and IMAP proxy +/usr/sbin/perdition -- system_u:object_r:perdition_exec_t +/etc/perdition(/.*)? system_u:object_r:perdition_etc_t diff --git a/strict/file_contexts/program/ping.fc b/strict/file_contexts/program/ping.fc new file mode 100644 index 0000000..f37874f --- /dev/null +++ b/strict/file_contexts/program/ping.fc @@ -0,0 +1,3 @@ +# ping +/bin/ping.* -- system_u:object_r:ping_exec_t +/usr/sbin/hping2 -- system_u:object_r:ping_exec_t diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc new file mode 100644 index 0000000..08802d5 --- /dev/null +++ b/strict/file_contexts/program/portmap.fc @@ -0,0 +1,9 @@ +# portmap +/sbin/portmap -- system_u:object_r:portmap_exec_t +ifdef(`distro_debian', ` +/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t +/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t +', ` +/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t +/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t +') 
diff --git a/strict/file_contexts/program/portslave.fc b/strict/file_contexts/program/portslave.fc new file mode 100644 index 0000000..873334d --- /dev/null +++ b/strict/file_contexts/program/portslave.fc @@ -0,0 +1,5 @@ +# portslave +/usr/sbin/portslave -- system_u:object_r:portslave_exec_t +/usr/sbin/ctlportslave -- system_u:object_r:portslave_exec_t +/etc/portslave(/.*)? system_u:object_r:portslave_etc_t +/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc new file mode 100644 index 0000000..08b3c69 --- /dev/null +++ b/strict/file_contexts/program/postfix.fc 
@@ -0,0 +1,45 @@ +# postfix +/etc/postfix(/.*)? system_u:object_r:postfix_etc_t +ifdef(`distro_redhat', ` +/etc/postfix/aliases.* system_u:object_r:etc_aliases_t +') +/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t +/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t +/usr/lib(exec)?/postfix/.* -- system_u:object_r:postfix_exec_t +/usr/lib(exec)?/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t +/usr/lib(exec)?/postfix/local -- system_u:object_r:postfix_local_exec_t +/usr/lib(exec)?/postfix/master -- system_u:object_r:postfix_master_exec_t +/usr/lib(exec)?/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t +/usr/lib(exec)?/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t +/usr/lib(exec)?/postfix/showq -- system_u:object_r:postfix_showq_exec_t +/usr/lib(exec)?/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t +/usr/lib(exec)?/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t +/usr/lib(exec)?/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t +/usr/lib(exec)?/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t +/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t +/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postkick -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postlock -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t +/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t +/usr/sbin/postqueue -- system_u:object_r:postfix_postqueue_exec_t +/usr/sbin/postsuper -- system_u:object_r:postfix_master_exec_t +/usr/sbin/rmail -- system_u:object_r:sendmail_exec_t +/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t +/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t +/var/spool/postfix/maildrop(/.*)? 
system_u:object_r:postfix_spool_maildrop_t +/var/spool/postfix/pid -d system_u:object_r:var_run_t +/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t +/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t +/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t +/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t +/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t +/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t +/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t +/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t +/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t +/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t +/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc new file mode 100644 index 0000000..1feef35 --- /dev/null +++ b/strict/file_contexts/program/postgresql.fc 
@@ -0,0 +1,16 @@ +# postgresql - database server +/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t +/usr/bin/postgres -- system_u:object_r:postgresql_exec_t +/usr/bin/initdb -- system_u:object_r:postgresql_exec_t + +/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t +/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t +/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t +/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t +/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t +/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t +/var/lib/pgsql/pgstartup.log system_u:object_r:postgresql_log_t +/usr/lib/pgsql/test/regres(/.*)? system_u:object_r:postgresql_db_t +/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t +/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t +/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t diff --git a/strict/file_contexts/program/postgrey.fc b/strict/file_contexts/program/postgrey.fc new file mode 100644 index 0000000..89e43fd --- /dev/null +++ b/strict/file_contexts/program/postgrey.fc @@ -0,0 +1,5 @@ +# postgrey - postfix grey-listing server +/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t +/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t +/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t +/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc new file mode 100644 index 0000000..48e5b68 --- /dev/null +++ b/strict/file_contexts/program/pppd.fc 
@@ -0,0 +1,20 @@ +# pppd +/usr/sbin/pppd -- system_u:object_r:pppd_exec_t +/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t +/dev/ppp -c system_u:object_r:ppp_device_t +/dev/pppox.* -c system_u:object_r:ppp_device_t +/dev/ippp.* -c system_u:object_r:ppp_device_t +/var/run/pppd\.tdb -- system_u:object_r:pppd_var_run_t +/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t +/etc/ppp -d system_u:object_r:pppd_etc_t +/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t +/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t +/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t +/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t +/var/log/ppp(/.*)? -- system_u:object_r:pppd_log_t +/etc/ppp/ip-down.* -- system_u:object_r:bin_t +/etc/ppp/ip-up.* -- system_u:object_r:bin_t +/etc/ppp/ipv6-up -- system_u:object_r:bin_t +/etc/ppp/ipv6-down -- system_u:object_r:bin_t +/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t +/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t diff --git a/strict/file_contexts/program/prelink.fc b/strict/file_contexts/program/prelink.fc new file mode 100644 index 0000000..331e315 --- /dev/null +++ b/strict/file_contexts/program/prelink.fc @@ -0,0 +1,8 @@ +# prelink - prelink ELF shared libraries and binaries to speed up startup time +/usr/sbin/prelink -- system_u:object_r:prelink_exec_t +ifdef(`distro_debian', ` +/usr/sbin/prelink\.bin -- system_u:object_r:prelink_exec_t +') +/etc/prelink\.conf -- system_u:object_r:etc_prelink_t +/var/log/prelink\.log -- system_u:object_r:prelink_log_t +/etc/prelink\.cache -- system_u:object_r:prelink_cache_t diff --git a/strict/file_contexts/program/privoxy.fc b/strict/file_contexts/program/privoxy.fc new file mode 100644 index 0000000..84427ab --- /dev/null +++ b/strict/file_contexts/program/privoxy.fc @@ -0,0 +1,3 @@ +# privoxy +/usr/sbin/privoxy -- system_u:object_r:privoxy_exec_t +/var/log/privoxy(/.*)? system_u:object_r:privoxy_log_t 
diff --git a/strict/file_contexts/program/procmail.fc b/strict/file_contexts/program/procmail.fc new file mode 100644 index 0000000..543602d --- /dev/null +++ b/strict/file_contexts/program/procmail.fc @@ -0,0 +1,2 @@ +# procmail +/usr/bin/procmail -- system_u:object_r:procmail_exec_t diff --git a/strict/file_contexts/program/pump.fc b/strict/file_contexts/program/pump.fc new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/strict/file_contexts/program/pump.fc diff --git a/strict/file_contexts/program/pxe.fc b/strict/file_contexts/program/pxe.fc new file mode 100644 index 0000000..165076a --- /dev/null +++ b/strict/file_contexts/program/pxe.fc @@ -0,0 +1,5 @@ +# pxe network boot server +/usr/sbin/pxe -- system_u:object_r:pxe_exec_t +/var/log/pxe\.log -- system_u:object_r:pxe_log_t +/var/run/pxe\.pid -- system_u:object_r:pxe_var_run_t + diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc new file mode 100644 index 0000000..510f077 --- /dev/null +++ b/strict/file_contexts/program/qmail.fc 
@@ -0,0 +1,38 @@ +# qmail - Debian locations +/etc/qmail(/.*)? system_u:object_r:qmail_etc_t +/var/qmail(/.*)? system_u:object_r:qmail_etc_t +/var/spool/qmail(/.*)? system_u:object_r:qmail_spool_t +/usr/sbin/qmail-start -- system_u:object_r:qmail_start_exec_t +/usr/sbin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t +/usr/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t +/usr/sbin/qmail-inject -- system_u:object_r:qmail_inject_exec_t +/usr/sbin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t +/usr/sbin/qmail-queue -- system_u:object_r:qmail_queue_exec_t +/usr/sbin/qmail-local -- system_u:object_r:qmail_local_exec_t +/usr/sbin/qmail-clean -- system_u:object_r:qmail_clean_exec_t +/usr/sbin/qmail-send -- system_u:object_r:qmail_send_exec_t +/usr/sbin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t +/usr/sbin/qmail-remote -- system_u:object_r:qmail_remote_exec_t +/usr/sbin/qmail-qread -- system_u:object_r:qmail_qread_exec_t +/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t +/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t +/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t +# qmail - djb's locations +/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t +/var/qmail/bin -d system_u:object_r:bin_t +/var/qmail/queue(/.*)? 
system_u:object_r:qmail_spool_t +/var/qmail/bin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t +/var/qmail/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t +/var/qmail/bin/qmail-inject -- system_u:object_r:qmail_inject_exec_t +/var/qmail/bin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t +/var/qmail/bin/qmail-queue -- system_u:object_r:qmail_queue_exec_t +/var/qmail/bin/qmail-local -- system_u:object_r:qmail_local_exec_t +/var/qmail/bin/qmail-clean -- system_u:object_r:qmail_clean_exec_t +/var/qmail/bin/qmail-send -- system_u:object_r:qmail_send_exec_t +/var/qmail/bin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t +/var/qmail/bin/qmail-remote -- system_u:object_r:qmail_remote_exec_t +/var/qmail/bin/qmail-qread -- system_u:object_r:qmail_qread_exec_t +/var/qmail/bin/qmail-start -- system_u:object_r:qmail_start_exec_t +/var/qmail/rc -- system_u:object_r:bin_t +/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t +/var/qmail/bin/qmail-getpw -- system_u:object_r:qmail_exec_t diff --git a/strict/file_contexts/program/quota.fc b/strict/file_contexts/program/quota.fc new file mode 100644 index 0000000..f91f1a4 --- /dev/null +++ b/strict/file_contexts/program/quota.fc @@ -0,0 +1,10 @@ +# quota system +/var/lib/quota(/.*)? system_u:object_r:quota_flag_t +/sbin/quota(check|on) -- system_u:object_r:quota_exec_t +ifdef(`distro_redhat', ` +/usr/sbin/convertquota -- system_u:object_r:quota_exec_t +', ` +/sbin/convertquota -- system_u:object_r:quota_exec_t +') +HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t +/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t diff --git a/strict/file_contexts/program/radius.fc b/strict/file_contexts/program/radius.fc new file mode 100644 index 0000000..bd25d6d --- /dev/null +++ b/strict/file_contexts/program/radius.fc 
@@ -0,0 +1,15 @@ +# radius +/etc/raddb(/.*)? system_u:object_r:radiusd_etc_t +/usr/sbin/radiusd -- system_u:object_r:radiusd_exec_t +/usr/sbin/freeradius -- system_u:object_r:radiusd_exec_t +/var/log/radiusd-freeradius(/.*)? system_u:object_r:radiusd_log_t +/var/log/radius\.log.* -- system_u:object_r:radiusd_log_t +/var/log/radius(/.*)? system_u:object_r:radiusd_log_t +/var/log/freeradius(/.*)? system_u:object_r:radiusd_log_t +/var/log/radacct(/.*)? system_u:object_r:radiusd_log_t +/var/log/radutmp -- system_u:object_r:radiusd_log_t +/var/log/radwtmp.* -- system_u:object_r:radiusd_log_t +/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t +/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t +/var/run/radiusd\.pid -- system_u:object_r:radiusd_var_run_t +/var/run/radiusd(/.*)? system_u:object_r:radiusd_var_run_t diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc new file mode 100644 index 0000000..fc8ddcf --- /dev/null +++ b/strict/file_contexts/program/radvd.fc @@ -0,0 +1,4 @@ +# radvd +/etc/radvd\.conf -- system_u:object_r:radvd_etc_t +/usr/sbin/radvd -- system_u:object_r:radvd_exec_t +/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t diff --git a/strict/file_contexts/program/resmgrd.fc b/strict/file_contexts/program/resmgrd.fc new file mode 100644 index 0000000..bee4680 --- /dev/null +++ b/strict/file_contexts/program/resmgrd.fc @@ -0,0 +1,6 @@ +# resmgrd +/sbin/resmgrd -- system_u:object_r:resmgrd_exec_t +/etc/resmgr\.conf -- system_u:object_r:resmgrd_etc_t +/var/run/resmgr\.pid -- system_u:object_r:resmgrd_var_run_t +/var/run/\.resmgr_socket -s system_u:object_r:resmgrd_var_run_t + diff --git a/strict/file_contexts/program/restorecon.fc b/strict/file_contexts/program/restorecon.fc new file mode 100644 index 0000000..6509a11 --- /dev/null +++ b/strict/file_contexts/program/restorecon.fc 
@@ -0,0 +1,2 @@ +# restorecon +/sbin/restorecon -- system_u:object_r:restorecon_exec_t diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc new file mode 100644 index 0000000..5f7e63e --- /dev/null +++ b/strict/file_contexts/program/rhgb.fc @@ -0,0 +1,2 @@ +/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t +/etc/rhgb(/.*)? -d system_u:object_r:mnt_t diff --git a/strict/file_contexts/program/rlogind.fc b/strict/file_contexts/program/rlogind.fc new file mode 100644 index 0000000..bc73319 --- /dev/null +++ b/strict/file_contexts/program/rlogind.fc @@ -0,0 +1,4 @@ +# rlogind and telnetd +/usr/sbin/in\.rlogind -- system_u:object_r:rlogind_exec_t +/usr/lib(64)?/telnetlogin -- system_u:object_r:rlogind_exec_t +/usr/kerberos/sbin/klogind -- system_u:object_r:rlogind_exec_t diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc new file mode 100644 index 0000000..7608974 --- /dev/null +++ b/strict/file_contexts/program/rpcd.fc @@ -0,0 +1,11 @@ +# RPC daemons +/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t +/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t +/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t +/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t +/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t +/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t +/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t +/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t +/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t +/etc/exports -- system_u:object_r:exports_t diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc new file mode 100644 index 0000000..7d60837 --- /dev/null +++ b/strict/file_contexts/program/rpm.fc 
@@ -0,0 +1,25 @@ +# rpm +/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t +/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t +/bin/rpm -- system_u:object_r:rpm_exec_t +/usr/bin/yum -- system_u:object_r:rpm_exec_t +/usr/bin/apt-get -- system_u:object_r:rpm_exec_t +/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t +/usr/bin/synaptic -- system_u:object_r:rpm_exec_t +/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t +/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t +/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t +/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t +/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t +/var/log/yum\.log -- system_u:object_r:rpm_log_t +ifdef(`distro_redhat', ` +/usr/sbin/up2date -- system_u:object_r:rpm_exec_t +/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t +') +# SuSE +ifdef(`distro_suse', ` +/usr/bin/online_update -- system_u:object_r:rpm_exec_t +/sbin/yast2 -- system_u:object_r:rpm_exec_t +/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t +/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t +') diff --git a/strict/file_contexts/program/rshd.fc b/strict/file_contexts/program/rshd.fc new file mode 100644 index 0000000..7f3be6d --- /dev/null +++ b/strict/file_contexts/program/rshd.fc @@ -0,0 +1,3 @@ +# rshd. +/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t +/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t diff --git a/strict/file_contexts/program/rssh.fc b/strict/file_contexts/program/rssh.fc new file mode 100644 index 0000000..16ec3a3 --- /dev/null +++ b/strict/file_contexts/program/rssh.fc @@ -0,0 +1,2 @@ +# rssh +/usr/bin/rssh -- system_u:object_r:rssh_exec_t diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc new file mode 100644 index 0000000..f4539f1 --- /dev/null +++ b/strict/file_contexts/program/rsync.fc @@ -0,0 +1,2 @@ +# rsync program +/usr/bin/rsync -- system_u:object_r:rsync_exec_t 
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc new file mode 100644 index 0000000..b8a9439 --- /dev/null +++ b/strict/file_contexts/program/samba.fc @@ -0,0 +1,25 @@ +# samba scripts +/usr/sbin/smbd -- system_u:object_r:smbd_exec_t +/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t +/etc/samba(/.*)? system_u:object_r:samba_etc_t +/var/log/samba(/.*)? system_u:object_r:samba_log_t +/var/cache/samba(/.*)? system_u:object_r:samba_var_t +/var/lib/samba(/.*)? system_u:object_r:samba_var_t +/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t +/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t +# samba really wants write access to smbpasswd +/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t +/var/run/samba/locking\.tdb -- system_u:object_r:smbd_var_run_t +/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t +/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t +/var/run/samba/brlock\.tdb -- system_u:object_r:smbd_var_run_t +/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t +/var/run/samba/messages\.tdb -- system_u:object_r:nmbd_var_run_t +/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t +/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t +/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t +/var/spool/samba(/.*)? system_u:object_r:samba_var_t +ifdef(`mount.te', ` +/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t +/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t +') diff --git a/strict/file_contexts/program/saslauthd.fc b/strict/file_contexts/program/saslauthd.fc new file mode 100644 index 0000000..7b2460e --- /dev/null +++ b/strict/file_contexts/program/saslauthd.fc @@ -0,0 +1,3 @@ +# saslauthd +/usr/sbin/saslauthd -- system_u:object_r:saslauthd_exec_t +/var/run/saslauthd(/.*)? system_u:object_r:saslauthd_var_run_t 
diff --git a/strict/file_contexts/program/scannerdaemon.fc b/strict/file_contexts/program/scannerdaemon.fc new file mode 100644 index 0000000..a43bf87 --- /dev/null +++ b/strict/file_contexts/program/scannerdaemon.fc @@ -0,0 +1,4 @@ +# scannerdaemon +/usr/sbin/scannerdaemon -- system_u:object_r:scannerdaemon_exec_t +/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t +/var/log/scannerdaemon\.log -- system_u:object_r:scannerdaemon_log_t diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc new file mode 100644 index 0000000..f1afcf0 --- /dev/null +++ b/strict/file_contexts/program/screen.fc @@ -0,0 +1,5 @@ +# screen +/usr/bin/screen -- system_u:object_r:screen_exec_t +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t +/var/run/screen/S-[^/]+ -d system_u:object_r:screen_dir_t +/var/run/screen/S-[^/]+/.* <> diff --git a/strict/file_contexts/program/sendmail.fc b/strict/file_contexts/program/sendmail.fc new file mode 100644 index 0000000..0fce2ef --- /dev/null +++ b/strict/file_contexts/program/sendmail.fc @@ -0,0 +1,6 @@ +# sendmail +/etc/mail(/.*)? system_u:object_r:etc_mail_t +/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t +/var/log/mail(/.*)? system_u:object_r:sendmail_log_t +/var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t +/var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t diff --git a/strict/file_contexts/program/setfiles.fc b/strict/file_contexts/program/setfiles.fc new file mode 100644 index 0000000..c247763 --- /dev/null +++ b/strict/file_contexts/program/setfiles.fc @@ -0,0 +1,3 @@ +# setfiles +/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t + diff --git a/strict/file_contexts/program/seuser.fc b/strict/file_contexts/program/seuser.fc new file mode 100644 index 0000000..0c7f71b --- /dev/null +++ b/strict/file_contexts/program/seuser.fc 
@@ -0,0 +1,4 @@ +# seuser +/usr/bin/seuser -- system_u:object_r:seuser_exec_t +/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t + diff --git a/strict/file_contexts/program/slapd.fc b/strict/file_contexts/program/slapd.fc new file mode 100644 index 0000000..956f441 --- /dev/null +++ b/strict/file_contexts/program/slapd.fc @@ -0,0 +1,7 @@ +# slapd - ldap server +/usr/sbin/slapd -- system_u:object_r:slapd_exec_t +/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t +/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t +/var/run/slapd\.args -- system_u:object_r:slapd_var_run_t +/etc/ldap/slapd\.conf -- system_u:object_r:slapd_etc_t +/var/run/slapd\.pid -- system_u:object_r:slapd_var_run_t diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc new file mode 100644 index 0000000..85ea5a4 --- /dev/null +++ b/strict/file_contexts/program/slocate.fc @@ -0,0 +1,4 @@ +# locate - file locater +/usr/bin/slocate -- system_u:object_r:locate_exec_t +/var/lib/slocate(/.*)? system_u:object_r:var_lib_locate_t +/etc/updatedb\.conf -- system_u:object_r:locate_etc_t diff --git a/strict/file_contexts/program/slrnpull.fc b/strict/file_contexts/program/slrnpull.fc new file mode 100644 index 0000000..4c0d36c --- /dev/null +++ b/strict/file_contexts/program/slrnpull.fc @@ -0,0 +1,3 @@ +# slrnpull +/usr/bin/slrnpull -- system_u:object_r:slrnpull_exec_t +/var/spool/slrnpull(/.*)? system_u:object_r:slrnpull_spool_t diff --git a/strict/file_contexts/program/snmpd.fc b/strict/file_contexts/program/snmpd.fc new file mode 100644 index 0000000..fcad862 --- /dev/null +++ b/strict/file_contexts/program/snmpd.fc 
@@ -0,0 +1,10 @@ +# snmpd +/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t +/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t +/var/lib/net-snmp(/.*)? system_u:object_r:snmpd_var_lib_t +/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t +/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t +/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t +/var/run/snmpd -d system_u:object_r:snmpd_var_run_t +/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t +/var/log/snmpd\.log -- system_u:object_r:snmpd_log_t diff --git a/strict/file_contexts/program/snort.fc b/strict/file_contexts/program/snort.fc new file mode 100644 index 0000000..a40670c --- /dev/null +++ b/strict/file_contexts/program/snort.fc @@ -0,0 +1,4 @@ +# SNORT +/usr/(s)?bin/snort -- system_u:object_r:snort_exec_t +/etc/snort(/.*)? system_u:object_r:snort_etc_t +/var/log/snort(/.*)? system_u:object_r:snort_log_t diff --git a/strict/file_contexts/program/sound-server.fc b/strict/file_contexts/program/sound-server.fc new file mode 100644 index 0000000..dfa8245 --- /dev/null +++ b/strict/file_contexts/program/sound-server.fc @@ -0,0 +1,8 @@ +# sound servers, nas, yiff, etc +/usr/sbin/yiff -- system_u:object_r:soundd_exec_t +/usr/bin/nasd -- system_u:object_r:soundd_exec_t +/usr/bin/gpe-soundserver -- system_u:object_r:soundd_exec_t +/etc/nas(/.*)? system_u:object_r:etc_soundd_t +/etc/yiff(/.*)? system_u:object_r:etc_soundd_t +/var/state/yiff(/.*)? system_u:object_r:soundd_state_t +/var/run/yiff-[0-9]+\.pid -- system_u:object_r:soundd_var_run_t diff --git a/strict/file_contexts/program/sound.fc b/strict/file_contexts/program/sound.fc new file mode 100644 index 0000000..5e6b0d1 --- /dev/null +++ b/strict/file_contexts/program/sound.fc @@ -0,0 +1,3 @@ +# sound +/bin/aumix-minimal -- system_u:object_r:sound_exec_t +/etc/\.aumixrc -- system_u:object_r:sound_file_t 
diff --git a/strict/file_contexts/program/spamassassin.fc b/strict/file_contexts/program/spamassassin.fc new file mode 100644 index 0000000..a85b8b1 --- /dev/null +++ b/strict/file_contexts/program/spamassassin.fc @@ -0,0 +1,3 @@ +# spamassasin +/usr/bin/spamassassin -- system_u:object_r:spamassassin_exec_t +HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t diff --git a/strict/file_contexts/program/spamc.fc b/strict/file_contexts/program/spamc.fc new file mode 100644 index 0000000..bf5d033 --- /dev/null +++ b/strict/file_contexts/program/spamc.fc @@ -0,0 +1 @@ +/usr/bin/spamc -- system_u:object_r:spamc_exec_t diff --git a/strict/file_contexts/program/spamd.fc b/strict/file_contexts/program/spamd.fc new file mode 100644 index 0000000..c2f6ee6 --- /dev/null +++ b/strict/file_contexts/program/spamd.fc @@ -0,0 +1,3 @@ +/usr/sbin/spamd -- system_u:object_r:spamd_exec_t +/usr/bin/spamd -- system_u:object_r:spamd_exec_t +/usr/bin/sa-learn -- system_u:object_r:spamd_exec_t diff --git a/strict/file_contexts/program/speedmgmt.fc b/strict/file_contexts/program/speedmgmt.fc new file mode 100644 index 0000000..486906e --- /dev/null +++ b/strict/file_contexts/program/speedmgmt.fc @@ -0,0 +1,2 @@ +# speedmgmt +/usr/sbin/speedmgmt -- system_u:object_r:speedmgmt_exec_t diff --git a/strict/file_contexts/program/squid.fc b/strict/file_contexts/program/squid.fc new file mode 100644 index 0000000..36fb201 --- /dev/null +++ b/strict/file_contexts/program/squid.fc @@ -0,0 +1,8 @@ +# squid +/usr/sbin/squid -- system_u:object_r:squid_exec_t +/var/cache/squid(/.*)? system_u:object_r:squid_cache_t +/var/spool/squid(/.*)? system_u:object_r:squid_cache_t +/var/log/squid(/.*)? system_u:object_r:squid_log_t +/etc/squid(/.*)? system_u:object_r:squid_conf_t +/var/run/squid\.pid -- system_u:object_r:squid_var_run_t +/usr/share/squid(/.*)? system_u:object_r:squid_conf_t 
diff --git a/strict/file_contexts/program/ssh-agent.fc b/strict/file_contexts/program/ssh-agent.fc new file mode 100644 index 0000000..512eb47 --- /dev/null +++ b/strict/file_contexts/program/ssh-agent.fc @@ -0,0 +1,2 @@ +# ssh-agent +/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc new file mode 100644 index 0000000..078f8ef --- /dev/null +++ b/strict/file_contexts/program/ssh.fc @@ -0,0 +1,20 @@ +# ssh +/usr/bin/ssh -- system_u:object_r:ssh_exec_t +/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t +# sshd +/etc/ssh/primes -- system_u:object_r:sshd_key_t +/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t +/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t +/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t +/usr/sbin/sshd -- system_u:object_r:sshd_exec_t +/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t +# subsystems +/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t +/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t +/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t +ifdef(`distro_suse', ` +/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t +') +ifdef(`targeted_policy', `', ` +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t +') diff --git a/strict/file_contexts/program/stunnel.fc b/strict/file_contexts/program/stunnel.fc new file mode 100644 index 0000000..b48384a --- /dev/null +++ b/strict/file_contexts/program/stunnel.fc @@ -0,0 +1,3 @@ +/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t +/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t +/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t diff --git a/strict/file_contexts/program/su.fc b/strict/file_contexts/program/su.fc new file mode 100644 index 0000000..1413dfe --- /dev/null +++ b/strict/file_contexts/program/su.fc @@ -0,0 +1,2 @@ +# su +/bin/su -- system_u:object_r:su_exec_t 
diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc new file mode 100644 index 0000000..3eed3ff --- /dev/null +++ b/strict/file_contexts/program/sudo.fc @@ -0,0 +1,2 @@ +# sudo +/usr/bin/sudo -- system_u:object_r:sudo_exec_t diff --git a/strict/file_contexts/program/sulogin.fc b/strict/file_contexts/program/sulogin.fc new file mode 100644 index 0000000..eb719dc --- /dev/null +++ b/strict/file_contexts/program/sulogin.fc @@ -0,0 +1,2 @@ +# sulogin +/sbin/sulogin -- system_u:object_r:sulogin_exec_t diff --git a/strict/file_contexts/program/swat.fc b/strict/file_contexts/program/swat.fc new file mode 100644 index 0000000..721c229 --- /dev/null +++ b/strict/file_contexts/program/swat.fc @@ -0,0 +1,2 @@ +# samba management tool +/usr/sbin/swat -- system_u:object_r:swat_exec_t diff --git a/strict/file_contexts/program/sxid.fc b/strict/file_contexts/program/sxid.fc new file mode 100644 index 0000000..e9126bc --- /dev/null +++ b/strict/file_contexts/program/sxid.fc @@ -0,0 +1,6 @@ +# sxid - ldap server +/usr/bin/sxid -- system_u:object_r:sxid_exec_t +/var/log/sxid\.log.* -- system_u:object_r:sxid_log_t +/var/log/setuid\.today.* -- system_u:object_r:sxid_log_t +/usr/sbin/checksecurity\.se -- system_u:object_r:sxid_exec_t +/var/log/setuid.* -- system_u:object_r:sxid_log_t diff --git a/strict/file_contexts/program/syslogd.fc b/strict/file_contexts/program/syslogd.fc new file mode 100644 index 0000000..7a01720 --- /dev/null +++ b/strict/file_contexts/program/syslogd.fc @@ -0,0 +1,11 @@ +# syslogd +/sbin/syslogd -- system_u:object_r:syslogd_exec_t +/sbin/minilogd -- system_u:object_r:syslogd_exec_t +/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t +/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t +/dev/log -s system_u:object_r:devlog_t +/var/run/log -s system_u:object_r:devlog_t +ifdef(`distro_suse', ` +/var/lib/stunnel/dev/log -s system_u:object_r:devlog_t +') +/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t 
diff --git a/strict/file_contexts/program/sysstat.fc b/strict/file_contexts/program/sysstat.fc new file mode 100644 index 0000000..2637b68 --- /dev/null +++ b/strict/file_contexts/program/sysstat.fc @@ -0,0 +1,7 @@ +# sysstat and other sar programs +/usr/lib(64)?/atsar/atsa.* -- system_u:object_r:sysstat_exec_t +/usr/lib(64)?/sysstat/sa.* -- system_u:object_r:sysstat_exec_t +/usr/lib(64)?/sa/sadc -- system_u:object_r:sysstat_exec_t +/var/log/atsar(/.*)? system_u:object_r:sysstat_log_t +/var/log/sysstat(/.*)? system_u:object_r:sysstat_log_t +/var/log/sa(/.*)? system_u:object_r:sysstat_log_t diff --git a/strict/file_contexts/program/tcpd.fc b/strict/file_contexts/program/tcpd.fc new file mode 100644 index 0000000..2e84aa8 --- /dev/null +++ b/strict/file_contexts/program/tcpd.fc @@ -0,0 +1,2 @@ +# tcpd +/usr/sbin/tcpd -- system_u:object_r:tcpd_exec_t diff --git a/strict/file_contexts/program/telnetd.fc b/strict/file_contexts/program/telnetd.fc new file mode 100644 index 0000000..6b998d1 --- /dev/null +++ b/strict/file_contexts/program/telnetd.fc @@ -0,0 +1,3 @@ +# telnetd +/usr/sbin/in\.telnetd -- system_u:object_r:telnetd_exec_t +/usr/kerberos/sbin/telnetd -- system_u:object_r:telnetd_exec_t diff --git a/strict/file_contexts/program/tftpd.fc b/strict/file_contexts/program/tftpd.fc new file mode 100644 index 0000000..f8bf244 --- /dev/null +++ b/strict/file_contexts/program/tftpd.fc @@ -0,0 +1,4 @@ +# tftpd +/usr/sbin/in\.tftpd -- system_u:object_r:tftpd_exec_t +/usr/sbin/atftpd -- system_u:object_r:tftpd_exec_t +/tftpboot(/.*)? system_u:object_r:tftpdir_t diff --git a/strict/file_contexts/program/timidity.fc b/strict/file_contexts/program/timidity.fc new file mode 100644 index 0000000..2b44dce --- /dev/null +++ b/strict/file_contexts/program/timidity.fc @@ -0,0 +1,2 @@ +# timidity +/usr/bin/timidity -- system_u:object_r:timidity_exec_t 
diff --git a/strict/file_contexts/program/tinydns.fc b/strict/file_contexts/program/tinydns.fc new file mode 100644 index 0000000..10ea1a3 --- /dev/null +++ b/strict/file_contexts/program/tinydns.fc @@ -0,0 +1,6 @@ +# tinydns +/etc/tinydns(/.*)? system_u:object_r:tinydns_conf_t +/etc/tinydns/root/data* -- system_u:object_r:tinydns_zone_t +/usr/bin/tinydns* -- system_u:object_r:tinydns_exec_t +#/var/log/dns/tinydns(/.*) system_u:object_r:tinydns_log_t +#/var/lib/svscan(/.*) system_u:object_r:tinydns_svscan_t diff --git a/strict/file_contexts/program/tmpreaper.fc b/strict/file_contexts/program/tmpreaper.fc new file mode 100644 index 0000000..d8ed96e --- /dev/null +++ b/strict/file_contexts/program/tmpreaper.fc @@ -0,0 +1,3 @@ +# tmpreaper or tmpwatch +/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t +/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc new file mode 100644 index 0000000..6a8b259 --- /dev/null +++ b/strict/file_contexts/program/traceroute.fc @@ -0,0 +1,5 @@ +# traceroute +/bin/traceroute.* -- system_u:object_r:traceroute_exec_t +/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t +/usr/bin/lft -- system_u:object_r:traceroute_exec_t +/usr/bin/nmap -- system_u:object_r:traceroute_exec_t diff --git a/strict/file_contexts/program/transproxy.fc b/strict/file_contexts/program/transproxy.fc new file mode 100644 index 0000000..2027eea --- /dev/null +++ b/strict/file_contexts/program/transproxy.fc @@ -0,0 +1,3 @@ +# transproxy - http transperant proxy +/usr/sbin/tproxy -- system_u:object_r:transproxy_exec_t +/var/run/tproxy\.pid -- system_u:object_r:transproxy_var_run_t diff --git a/strict/file_contexts/program/tvtime.fc b/strict/file_contexts/program/tvtime.fc new file mode 100644 index 0000000..0969e96 --- /dev/null +++ b/strict/file_contexts/program/tvtime.fc 
@@ -0,0 +1,3 @@ +# tvtime +/usr/bin/tvtime -- system_u:object_r:tvtime_exec_t + diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc new file mode 100644 index 0000000..40f1fd5 --- /dev/null +++ b/strict/file_contexts/program/udev.fc @@ -0,0 +1,13 @@ +# udev +/sbin/udevsend -- system_u:object_r:udev_exec_t +/sbin/udev -- system_u:object_r:udev_exec_t +/sbin/udevd -- system_u:object_r:udev_exec_t +/sbin/start_udev -- system_u:object_r:udev_exec_t +/usr/bin/udevinfo -- system_u:object_r:udev_exec_t +/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t +/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t +/etc/udev/devices/.* system_u:object_r:device_t +/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t +/dev/udev\.tbl -- system_u:object_r:udev_tbl_t +/dev/\.udev\.tdb(/.*)? -- system_u:object_r:udev_tdb_t +/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t diff --git a/strict/file_contexts/program/uml.fc b/strict/file_contexts/program/uml.fc new file mode 100644 index 0000000..dc1621d --- /dev/null +++ b/strict/file_contexts/program/uml.fc @@ -0,0 +1,4 @@ +# User Mode Linux +/usr/bin/uml_switch -- system_u:object_r:uml_switch_exec_t +/var/run/uml-utilities(/.*)? system_u:object_r:uml_switch_var_run_t +HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t diff --git a/strict/file_contexts/program/uml_net.fc b/strict/file_contexts/program/uml_net.fc new file mode 100644 index 0000000..67aa1f2 --- /dev/null +++ b/strict/file_contexts/program/uml_net.fc @@ -0,0 +1,3 @@ +# User Mode Linux +# WARNING: Do not install this file on any machine that has hostile users. +/usr/lib(64)?/uml/uml_net -- system_u:object_r:uml_net_exec_t diff --git a/strict/file_contexts/program/unconfined.fc b/strict/file_contexts/program/unconfined.fc new file mode 100644 index 0000000..c3a6c12 --- /dev/null +++ b/strict/file_contexts/program/unconfined.fc 
@@ -0,0 +1,3 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t diff --git a/strict/file_contexts/program/updfstab.fc b/strict/file_contexts/program/updfstab.fc new file mode 100644 index 0000000..dec049f --- /dev/null +++ b/strict/file_contexts/program/updfstab.fc @@ -0,0 +1,3 @@ +# updfstab +/usr/sbin/updfstab -- system_u:object_r:updfstab_exec_t +/usr/sbin/fstab-sync -- system_u:object_r:updfstab_exec_t diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc new file mode 100644 index 0000000..e33489c --- /dev/null +++ b/strict/file_contexts/program/uptimed.fc @@ -0,0 +1,4 @@ +# uptimed +/etc/uptimed\.conf -- system_u:object_r:etc_uptimed_t +/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t +/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t diff --git a/strict/file_contexts/program/usbmodules.fc b/strict/file_contexts/program/usbmodules.fc new file mode 100644 index 0000000..52e03a4 --- /dev/null +++ b/strict/file_contexts/program/usbmodules.fc @@ -0,0 +1,3 @@ +# usbmodules +/usr/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t +/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t diff --git a/strict/file_contexts/program/useradd.fc b/strict/file_contexts/program/useradd.fc new file mode 100644 index 0000000..b29351b --- /dev/null +++ b/strict/file_contexts/program/useradd.fc @@ -0,0 +1,10 @@ +#useradd +/usr/sbin/usermod -- system_u:object_r:useradd_exec_t +/usr/sbin/useradd -- system_u:object_r:useradd_exec_t +/usr/sbin/userdel -- system_u:object_r:useradd_exec_t +#groupadd +/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t +/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t +/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t +/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t +/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t 
diff --git a/strict/file_contexts/program/userhelper.fc b/strict/file_contexts/program/userhelper.fc new file mode 100644 index 0000000..8623456 --- /dev/null +++ b/strict/file_contexts/program/userhelper.fc @@ -0,0 +1,2 @@ +/etc/security/console.apps(/.*)? system_u:object_r:userhelper_conf_t +/usr/sbin/userhelper -- system_u:object_r:userhelper_exec_t diff --git a/strict/file_contexts/program/usernetctl.fc b/strict/file_contexts/program/usernetctl.fc new file mode 100644 index 0000000..b9ef00f --- /dev/null +++ b/strict/file_contexts/program/usernetctl.fc @@ -0,0 +1,2 @@ +# usernetctl +/usr/sbin/usernetctl -- system_u:object_r:usernetctl_exec_t diff --git a/strict/file_contexts/program/utempter.fc b/strict/file_contexts/program/utempter.fc new file mode 100644 index 0000000..4e6670a --- /dev/null +++ b/strict/file_contexts/program/utempter.fc @@ -0,0 +1,2 @@ +# utempter +/usr/sbin/utempter -- system_u:object_r:utempter_exec_t diff --git a/strict/file_contexts/program/uwimapd.fc b/strict/file_contexts/program/uwimapd.fc new file mode 100644 index 0000000..00f9073 --- /dev/null +++ b/strict/file_contexts/program/uwimapd.fc @@ -0,0 +1,2 @@ +# uw-imapd and uw-imapd-ssl +/usr/sbin/imapd -- system_u:object_r:imapd_exec_t diff --git a/strict/file_contexts/program/vmware.fc b/strict/file_contexts/program/vmware.fc new file mode 100644 index 0000000..d015988 --- /dev/null +++ b/strict/file_contexts/program/vmware.fc 
@@ -0,0 +1,42 @@ +# +# File contexts for VMWare. +# Contributed by Mark Westerman (mark.westerman@westcam.com) +# Changes made by NAI Labs. +# Tested with VMWare 3.1 +# +/usr/bin/vmnet-bridge -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-dhcpd -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-natd -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-netifup -- system_u:object_r:vmware_exec_t +/usr/bin/vmnet-sniffer -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-nmbd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-ping -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t +/usr/bin/vmware-wizard -- system_u:object_r:vmware_user_exec_t +/usr/bin/vmware -- system_u:object_r:vmware_user_exec_t + +/dev/vmmon -c system_u:object_r:vmware_device_t +/dev/vmnet.* -c system_u:object_r:vmware_device_t +/dev/plex86 -c system_u:object_r:vmware_device_t + +/etc/vmware.*(/.*)? system_u:object_r:vmware_sys_conf_t +/usr/lib(64)?/vmware/config -- system_u:object_r:vmware_sys_conf_t + +/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t +/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t + +# +# This is only an example of how to protect vmware session configuration +# files. A general user can execute vmware and start a vmware session +# but the user can not modify the session configuration information +#/usr/local/vmware(/.*)? system_u:object_r:vmware_user_file_t +#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t + +# The rules below assume that the user VMWare virtual disks are in the +# ~/vmware, and the preferences and license files are in ~/.vmware. +# +HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t +HOME_DIR/vmware(/.*)? 
system_u:object_r:ROLE_vmware_file_t +HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc new file mode 100644 index 0000000..497bc20 --- /dev/null +++ b/strict/file_contexts/program/vpnc.fc @@ -0,0 +1,3 @@ +# vpnc +/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t +/sbin/vpnc -- system_u:object_r:vpnc_exec_t diff --git a/strict/file_contexts/program/watchdog.fc b/strict/file_contexts/program/watchdog.fc new file mode 100644 index 0000000..d7a8c7f --- /dev/null +++ b/strict/file_contexts/program/watchdog.fc @@ -0,0 +1,5 @@ +# watchdog +/usr/sbin/watchdog -- system_u:object_r:watchdog_exec_t +/dev/watchdog -c system_u:object_r:watchdog_device_t +/var/log/watchdog(/.*)? system_u:object_r:watchdog_log_t +/var/run/watchdog\.pid -- system_u:object_r:watchdog_var_run_t diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc new file mode 100644 index 0000000..792d600 --- /dev/null +++ b/strict/file_contexts/program/webalizer.fc @@ -0,0 +1 @@ +# diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc new file mode 100644 index 0000000..adfbe8e --- /dev/null +++ b/strict/file_contexts/program/winbind.fc @@ -0,0 +1,10 @@ +/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t +/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t +ifdef(`samba.te', `', ` +/var/log/samba(/.*)? system_u:object_r:samba_log_t +/etc/samba(/.*)? system_u:object_r:samba_etc_t +/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t +/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t +/var/cache/samba(/.*)? system_u:object_r:samba_var_t +') +/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc new file mode 100644 index 0000000..935715e --- /dev/null 
+++ b/strict/file_contexts/program/xauth.fc @@ -0,0 +1,3 @@ +# xauth +/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t +HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc new file mode 100644 index 0000000..5026407 --- /dev/null +++ b/strict/file_contexts/program/xdm.fc 
@@ -0,0 +1,39 @@ +# X Display Manager +/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t +/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t +/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t +/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t +/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t +/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t +/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t +/var/log/gdm(/.*)? system_u:object_r:xserver_log_t +/tmp/\.X0-lock -- system_u:object_r:xdm_xserver_tmp_t +/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t +/etc/X11/wdm(/.*)? system_u:object_r:xdm_rw_etc_t +/etc/X11/wdm/Xsetup.* -- system_u:object_r:xsession_exec_t +/etc/X11/wdm/Xstartup.* -- system_u:object_r:xsession_exec_t +/etc/X11/[wx]dm/Xreset.* -- system_u:object_r:xsession_exec_t +/etc/X11/[wx]dm/Xsession -- system_u:object_r:xsession_exec_t +/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t +/var/run/xdmctl(/.*)? system_u:object_r:xdm_var_run_t +/var/run/xdm\.pid -- system_u:object_r:xdm_var_run_t +/var/lib/[xkw]dm(/.*)? system_u:object_r:xdm_var_lib_t +ifdef(`distro_suse', ` +/var/lib/pam_devperm/:0 -- system_u:object_r:xdm_var_lib_t +') + +# +# Additional Xsession scripts +# +/etc/X11/xdm/GiveConsole -- system_u:object_r:bin_t +/etc/X11/xdm/TakeConsole -- system_u:object_r:bin_t +/etc/X11/xdm/Xsetup_0 -- system_u:object_r:bin_t +/etc/X11/xinit(/.*)? system_u:object_r:bin_t +# +# Rules for kde login +# +/etc/kde3?/kdm/Xstartup -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/Xreset -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/Xsession -- system_u:object_r:xsession_exec_t +/etc/kde3?/kdm/backgroundrc system_u:object_r:xdm_var_run_t +/usr/lib(64)?/qt-.*/etc/settings(/.*)? system_u:object_r:xdm_var_run_t diff --git a/strict/file_contexts/program/xfs.fc b/strict/file_contexts/program/xfs.fc new file mode 100644 index 0000000..9edae3f --- /dev/null +++ b/strict/file_contexts/program/xfs.fc 
@@ -0,0 +1,5 @@ +# xfs +/tmp/\.font-unix(/.*)? system_u:object_r:xfs_tmp_t +/usr/X11R6/bin/xfs -- system_u:object_r:xfs_exec_t +/usr/X11R6/bin/xfs-xtt -- system_u:object_r:xfs_exec_t +/usr/bin/xfstt -- system_u:object_r:xfs_exec_t diff --git a/strict/file_contexts/program/xprint.fc b/strict/file_contexts/program/xprint.fc new file mode 100644 index 0000000..3c72a77 --- /dev/null +++ b/strict/file_contexts/program/xprint.fc @@ -0,0 +1 @@ +/usr/bin/Xprt -- system_u:object_r:xprint_exec_t diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc new file mode 100644 index 0000000..3ef0263 --- /dev/null +++ b/strict/file_contexts/program/xserver.fc @@ -0,0 +1,17 @@ +# X server +/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t +/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t +/var/lib/xkb(/.*)? system_u:object_r:var_lib_xkb_t +/usr/X11R6/lib/X11/xkb -d system_u:object_r:var_lib_xkb_t +/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:var_lib_xkb_t +/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t +/var/log/XFree86.* -- system_u:object_r:xserver_log_t +/var/log/Xorg.* -- system_u:object_r:xserver_log_t +/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t +/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t +/tmp/\.X11-unix/.* -s <> +/tmp/\.ICE-unix -d system_u:object_r:xdm_xserver_tmp_t +/tmp/\.ICE-unix/.* -s <> diff --git a/strict/file_contexts/program/ypbind.fc b/strict/file_contexts/program/ypbind.fc new file mode 100644 index 0000000..c700d92 --- /dev/null +++ b/strict/file_contexts/program/ypbind.fc @@ -0,0 +1,2 @@ +# ypbind +/sbin/ypbind -- system_u:object_r:ypbind_exec_t diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc new file mode 100644 index 0000000..5622afb --- /dev/null 
+++ b/strict/file_contexts/program/ypserv.fc @@ -0,0 +1,3 @@ +# ypserv +/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t +/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t diff --git a/strict/file_contexts/program/zebra.fc b/strict/file_contexts/program/zebra.fc new file mode 100644 index 0000000..e524355 --- /dev/null +++ b/strict/file_contexts/program/zebra.fc @@ -0,0 +1,13 @@ +# Zebra - BGP daemon +/usr/sbin/zebra -- system_u:object_r:zebra_exec_t +/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t +/var/log/zebra(/.*)? system_u:object_r:zebra_log_t +/etc/zebra(/.*)? system_u:object_r:zebra_conf_t +/var/run/\.zserv -s system_u:object_r:zebra_var_run_t +/var/run/\.zebra -s system_u:object_r:zebra_var_run_t +# Quagga +/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t +/usr/sbin/ospf.* -- system_u:object_r:zebra_exec_t +/etc/quagga(/.*)? system_u:object_r:zebra_conf_t +/var/log/quagga(/.*)? system_u:object_r:zebra_log_t +/var/run/quagga(/.*)? system_u:object_r:zebra_var_run_t diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc new file mode 100644 index 0000000..4708e08 --- /dev/null +++ b/strict/file_contexts/types.fc 
@@ -0,0 +1,480 @@ +# +# This file describes the security contexts to be applied to files +# when the security policy is installed. The setfiles program +# reads this file and labels files accordingly. +# +# Each specification has the form: +# regexp [ -type ] ( context | <> ) +# +# By default, the regexp is an anchored match on both ends (i.e. a +# caret (^) is prepended and a dollar sign ($) is appended automatically). +# This default may be overridden by using .* at the beginning and/or +# end of the regular expression. +# +# The optional type field specifies the file type as shown in the mode +# field by ls, e.g. use -d to match only directories or -- to match only +# regular files. +# +# The value of < may be used to indicate that matching files +# should not be relabeled. +# +# The last matching specification is used. +# +# If there are multiple hard links to a file that match +# different specifications and those specifications indicate +# different security contexts, then a warning is displayed +# but the file is still labeled based on the last matching +# specification other than <>. +# +# Some of the files listed here get re-created during boot and therefore +# need type transition rules to retain the correct type. These files are +# listed here anyway so that if the setfiles program is used on a running +# system it does not relabel them to something we do not want. An example of +# this is /var/run/utmp. +# + +# +# The security context for all files not otherwise specified. +# +/.* system_u:object_r:default_t + +# +# The root directory. +# +/ -d system_u:object_r:root_t + +# +# Ordinary user home directories. +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each user's home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each user's role when role != user_r, and to "user" otherwise. 
+# +HOME_ROOT -d system_u:object_r:home_root_t +HOME_DIR -d system_u:object_r:ROLE_home_dir_t +HOME_DIR/.+ system_u:object_r:ROLE_home_t + +/root/\.default_contexts -- system_u:object_r:default_context_t + +# +# Mount points; do not relabel subdirectories, since +# we don't want to change any removable media by default. +/mnt(/[^/]*)? -d system_u:object_r:mnt_t +/mnt/[^/]*/.* <> +/media(/[^/]*)? -d system_u:object_r:mnt_t +/media/[^/]*/.* <> + +# +# /var +# +/var(/.*)? system_u:object_r:var_t +/var/catman(/.*)? system_u:object_r:catman_t +/var/cache/man(/.*)? system_u:object_r:catman_t +/var/yp(/.*)? system_u:object_r:var_yp_t +/var/lib(/.*)? system_u:object_r:var_lib_t +/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t +/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t +/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t +/var/lock(/.*)? system_u:object_r:var_lock_t +/var/tmp -d system_u:object_r:tmp_t +/var/tmp/.* <> +/var/tmp/vi\.recover -d system_u:object_r:tmp_t +/var/lib/nfs/rpc_pipefs(/.*)? <> +/var/mailman/bin(/.*)? system_u:object_r:bin_t +/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t + +# +# /var/ftp +# +/var/ftp/bin(/.*)? system_u:object_r:bin_t +/var/ftp/bin/ls -- system_u:object_r:ls_exec_t +/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t +/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/var/ftp/etc(/.*)? system_u:object_r:etc_t + +# +# /bin +# +/bin(/.*)? system_u:object_r:bin_t +/bin/tcsh -- system_u:object_r:shell_exec_t +/bin/bash -- system_u:object_r:shell_exec_t +/bin/bash2 -- system_u:object_r:shell_exec_t +/bin/sash -- system_u:object_r:shell_exec_t +/bin/d?ash -- system_u:object_r:shell_exec_t +/bin/zsh.* -- system_u:object_r:shell_exec_t +/usr/sbin/sesh -- system_u:object_r:shell_exec_t +/bin/ls -- system_u:object_r:ls_exec_t + +# +# /boot +# +/boot(/.*)? 
system_u:object_r:boot_t +/boot/System\.map-.* -- system_u:object_r:system_map_t + +# +# /dev +# +/dev(/.*)? system_u:object_r:device_t +/dev/pts(/.*)? <> +/dev/cpu/.* -c system_u:object_r:cpu_device_t +/dev/microcode -c system_u:object_r:cpu_device_t +/dev/MAKEDEV -- system_u:object_r:sbin_t +/dev/null -c system_u:object_r:null_device_t +/dev/full -c system_u:object_r:null_device_t +/dev/zero -c system_u:object_r:zero_device_t +/dev/console -c system_u:object_r:console_device_t +/dev/xconsole -p system_u:object_r:xconsole_device_t +/dev/(kmem|mem|port) -c system_u:object_r:memory_device_t +/dev/nvram -c system_u:object_r:memory_device_t +/dev/random -c system_u:object_r:random_device_t +/dev/urandom -c system_u:object_r:urandom_device_t +/dev/capi.* -c system_u:object_r:tty_device_t +/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t +/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t +/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t +/dev/isdn.* -c system_u:object_r:tty_device_t +/dev/.*tty[^/]* -c system_u:object_r:tty_device_t +/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t +/dev/cu.* -c system_u:object_r:tty_device_t +/dev/vcs[^/]* -c system_u:object_r:tty_device_t +/dev/ip2[^/]* -c system_u:object_r:tty_device_t +/dev/hvc.* -c system_u:object_r:tty_device_t +/dev/hvsi.* -c system_u:object_r:tty_device_t +/dev/ttySG.* -c system_u:object_r:tty_device_t +/dev/tty -c system_u:object_r:devtty_t +/dev/lp.* -c system_u:object_r:printer_device_t +/dev/par.* -c system_u:object_r:printer_device_t +/dev/usb/lp.* -c system_u:object_r:printer_device_t +/dev/usblp.* -c system_u:object_r:printer_device_t +ifdef(`distro_redhat', ` +/dev/root -b system_u:object_r:fixed_disk_device_t +') +/dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t +/dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t +/dev/rd.* -b system_u:object_r:fixed_disk_device_t +/dev/i2o/hd[^/]* -b 
system_u:object_r:fixed_disk_device_t +/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t +/dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t +/dev/loop.* -b system_u:object_r:fixed_disk_device_t +/dev/net/.* -c system_u:object_r:tun_tap_device_t +/dev/ram.* -b system_u:object_r:fixed_disk_device_t +/dev/rawctl -c system_u:object_r:fixed_disk_device_t +/dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t +/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t +/dev/initrd -b system_u:object_r:fixed_disk_device_t +/dev/jsfd -b system_u:object_r:fixed_disk_device_t +/dev/js.* -c system_u:object_r:mouse_device_t +/dev/jsflash -c system_u:object_r:fixed_disk_device_t +/dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t +/dev/usb/rio500 -c system_u:object_r:removable_device_t +/dev/fd[^/]+ -b system_u:object_r:removable_device_t +# I think a parallel port disk is a removable device... +/dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t +/dev/p[fg][0-3] -b system_u:object_r:removable_device_t +/dev/aztcd -b system_u:object_r:removable_device_t +/dev/bpcd -b system_u:object_r:removable_device_t +/dev/gscd -b system_u:object_r:removable_device_t +/dev/hitcd -b system_u:object_r:removable_device_t +/dev/pcd[0-3] -b system_u:object_r:removable_device_t +/dev/mcdx? 
-b system_u:object_r:removable_device_t +/dev/cdu.* -b system_u:object_r:removable_device_t +/dev/cm20.* -b system_u:object_r:removable_device_t +/dev/optcd -b system_u:object_r:removable_device_t +/dev/sbpcd.* -b system_u:object_r:removable_device_t +/dev/sjcd -b system_u:object_r:removable_device_t +/dev/sonycd -b system_u:object_r:removable_device_t +# parallel port ATAPI generic device +/dev/pg[0-3] -c system_u:object_r:removable_device_t +/dev/rtc -c system_u:object_r:clock_device_t +/dev/psaux -c system_u:object_r:mouse_device_t +/dev/atibm -c system_u:object_r:mouse_device_t +/dev/logibm -c system_u:object_r:mouse_device_t +/dev/.*mouse.* -c system_u:object_r:mouse_device_t +/dev/input/.*mouse.* -c system_u:object_r:mouse_device_t +/dev/input/event.* -c system_u:object_r:event_device_t +/dev/input/mice -c system_u:object_r:mouse_device_t +/dev/input/js.* -c system_u:object_r:mouse_device_t +/dev/ptmx -c system_u:object_r:ptmx_t +/dev/sequencer -c system_u:object_r:misc_device_t +/dev/fb[0-9]* -c system_u:object_r:framebuf_device_t +/dev/apm_bios -c system_u:object_r:apm_bios_t +/dev/cpu/mtrr -c system_u:object_r:mtrr_device_t +/dev/pmu -c system_u:object_r:power_device_t +/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t +/dev/winradio. 
-c system_u:object_r:v4l_device_t +/dev/vttuner -c system_u:object_r:v4l_device_t +/dev/tlk[0-3] -c system_u:object_r:v4l_device_t +/dev/adsp -c system_u:object_r:sound_device_t +/dev/mixer.* -c system_u:object_r:sound_device_t +/dev/dsp.* -c system_u:object_r:sound_device_t +/dev/audio.* -c system_u:object_r:sound_device_t +/dev/r?midi.* -c system_u:object_r:sound_device_t +/dev/sequencer2 -c system_u:object_r:sound_device_t +/dev/smpte.* -c system_u:object_r:sound_device_t +/dev/sndstat -c system_u:object_r:sound_device_t +/dev/beep -c system_u:object_r:sound_device_t +/dev/patmgr[01] -c system_u:object_r:sound_device_t +/dev/mpu401.* -c system_u:object_r:sound_device_t +/dev/srnd[0-7] -c system_u:object_r:sound_device_t +/dev/aload.* -c system_u:object_r:sound_device_t +/dev/amidi.* -c system_u:object_r:sound_device_t +/dev/amixer.* -c system_u:object_r:sound_device_t +/dev/snd/.* -c system_u:object_r:sound_device_t +/dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t +/dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t +/dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t +/dev/n?tpqic[12].* -c system_u:object_r:tape_device_t +/dev/ht[0-1] -b system_u:object_r:tape_device_t +/dev/n?osst[0-3].* -c system_u:object_r:tape_device_t +/dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t +/dev/tape.* -c system_u:object_r:tape_device_t +ifdef(`distro_suse', ` +/dev/usbscanner -c system_u:object_r:scanner_device_t +') +/dev/usb/scanner.* -c system_u:object_r:scanner_device_t +/dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t +/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t +/dev/usb/tty.* -c system_u:object_r:usbtty_device_t +/dev/mmetfgrab -c system_u:object_r:scanner_device_t +/dev/nvidia.* -c system_u:object_r:xserver_misc_device_t +/dev/dri/.+ -c system_u:object_r:dri_device_t +/dev/radeon -c system_u:object_r:dri_device_t +/dev/agpgart -c system_u:object_r:agp_device_t + +# +# Misc +# +/proc(/.*)? <> +/sys(/.*)? <> +/selinux(/.*)? 
<> + +# +# /opt +# +/opt(/.*)? system_u:object_r:usr_t +/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t +/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/opt/.*/libexec(/.*)? system_u:object_r:bin_t +/opt/.*/bin(/.*)? system_u:object_r:bin_t +/opt/.*/sbin(/.*)? system_u:object_r:sbin_t +/opt/.*/man(/.*)? system_u:object_r:man_t +/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t + +# +# /etc +# +/etc(/.*)? system_u:object_r:etc_t +/var/db/.*\.db -- system_u:object_r:etc_t +/etc/\.pwd\.lock -- system_u:object_r:shadow_t +/etc/passwd\.lock -- system_u:object_r:shadow_t +/etc/group\.lock -- system_u:object_r:shadow_t +/etc/shadow.* -- system_u:object_r:shadow_t +/etc/gshadow.* -- system_u:object_r:shadow_t +/var/db/shadow.* -- system_u:object_r:shadow_t +/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t +/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t +/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t +/etc/HOSTNAME -- system_u:object_r:etc_runtime_t +/etc/ioctl\.save -- system_u:object_r:etc_runtime_t +/etc/mtab -- system_u:object_r:etc_runtime_t +/etc/motd -- system_u:object_r:etc_runtime_t +/etc/issue -- system_u:object_r:etc_runtime_t +/etc/issue\.net -- system_u:object_r:etc_runtime_t +/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t +/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t +/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t +/etc/asound\.state -- system_u:object_r:etc_runtime_t +/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t +ifdef(`distro_gentoo', ` +/etc/profile\.env -- system_u:object_r:etc_runtime_t +/etc/csh\.env -- system_u:object_r:etc_runtime_t +/etc/env\.d/.* -- system_u:object_r:etc_runtime_t +') +/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t +/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t +/etc/yp\.conf.* -- system_u:object_r:net_conf_t +/etc/resolv\.conf.* -- system_u:object_r:net_conf_t + +/etc/selinux(/.*)? 
system_u:object_r:selinux_config_t +/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t +/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t +/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t +/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t + + +# +# /lib(64)? +# +/lib(64)?(/.*)? system_u:object_r:lib_t +/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t + +# +# /sbin +# +/sbin(/.*)? system_u:object_r:sbin_t + +# +# /tmp +# +/tmp -d system_u:object_r:tmp_t +/tmp/.* <> + +# +# /usr +# +/usr(/.*)? system_u:object_r:usr_t +/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t +/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr/lib/win32/.* -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t +/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t +/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t +/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t +/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t +/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t +/usr/etc(/.*)? system_u:object_r:etc_t +/usr/inclu.e(/.*)? system_u:object_r:usr_t +/usr/libexec(/.*)? system_u:object_r:bin_t +/usr/src(/.*)? system_u:object_r:src_t +/usr/tmp -d system_u:object_r:tmp_t +/usr/tmp/.* <> +/usr/man(/.*)? system_u:object_r:man_t +/usr/share/man(/.*)? system_u:object_r:man_t +/usr/share/mc/extfs/.* -- system_u:object_r:bin_t +/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t + +# nvidia share libraries +/usr(/.*)?/nvidia/.*\.so(\..*)? 
-- system_u:object_r:texrel_shlib_t +/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t + +# libGL +/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t + +ifdef(`distro_debian', ` +/usr/share/selinux(/.*)? system_u:object_r:policy_src_t +') +ifdef(`distro_gentoo', ` +/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t +') + +# +# /usr/lib(64)? +# +/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t +/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t +/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t + +# +# /usr/local +# +/usr/local/etc(/.*)? system_u:object_r:etc_t +/usr/local/src(/.*)? system_u:object_r:src_t +/usr/local/man(/.*)? system_u:object_r:man_t + +# +# /usr/X11R6/man +# +/usr/X11R6/man(/.*)? system_u:object_r:man_t + +# +# Fonts dir +# +/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t +ifdef(`distro_debian', ` +/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t +') +/usr/share/fonts(/.*)? system_u:object_r:fonts_t +/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t +/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t + +# +# /var/run +# +/var/run(/.*)? system_u:object_r:var_run_t +/var/run/.*\.*pid <> + +# +# /var/spool +# +/var/spool(/.*)? system_u:object_r:var_spool_t +/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t +/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t + +# +# /var/log +# +/var/log(/.*)? system_u:object_r:var_log_t +/var/log/wtmp.* -- system_u:object_r:wtmp_t +/var/log/btmp.* -- system_u:object_r:faillog_t +/var/log/faillog -- system_u:object_r:faillog_t +/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t +/var/log/dmesg -- system_u:object_r:var_log_t +/var/log/lastlog -- system_u:object_r:lastlog_t +/var/log/ksymoops(/.*)? 
system_u:object_r:var_log_ksyms_t +/var/log/syslog -- system_u:object_r:var_log_t + +# +# Journal files +# +/\.journal <> +/usr/\.journal <> +/boot/\.journal <> +HOME_ROOT/\.journal <> +/var/\.journal <> +/tmp/\.journal <> +/usr/local/\.journal <> + +# +# Lost and found directories. +# +/lost\+found(/.*)? system_u:object_r:lost_found_t +/usr/lost\+found(/.*)? system_u:object_r:lost_found_t +/boot/lost\+found(/.*)? system_u:object_r:lost_found_t +HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t +/var/lost\+found(/.*)? system_u:object_r:lost_found_t +/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t +/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t + +# +# system localization +# +/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t +/usr/share/locale(/.*)? system_u:object_r:locale_t +/usr/lib/locale(/.*)? system_u:object_r:locale_t +/etc/localtime -- system_u:object_r:locale_t +/etc/localtime -l system_u:object_r:etc_t + +# +# Gnu Cash +# +/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t +/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t + +# +# initrd mount point, only used during boot +# +/initrd -d system_u:object_r:root_t + +# +# The krb5.conf file is always being tested for writability, so +# we defined a type to dontaudit +# +/etc/krb5\.conf -- system_u:object_r:krb5_conf_t + +# +# Thunderbird +# +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t diff --git a/strict/flask/Makefile b/strict/flask/Makefile new file mode 100644 index 0000000..970b9fe --- /dev/null +++ b/strict/flask/Makefile 
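Review bot: the pattern `/var/run/.*\.*pid <>` in the /var/run section (just before the /var/spool block) reads as `\.*` followed by `pid`, i.e. zero or more literal dots and then the characters `pid`, so it matches any name under /var/run that merely ends in `pid` rather than only `*.pid` files; if the intent is to leave pid files with the context of their directory via `<>`, `/var/run/.*\.pid <>` is the pattern that says so. Two smaller regex points in the /dev and /usr sections: `/dev/winradio.` uses an unescaped `.` that matches exactly one character, so `/dev/winradio10` does not match (presumably `/dev/winradio.*` was intended), and `/usr/inclu.e(/.*)?` likewise has an unescaped `.`; if that one is deliberate, a one-line comment saying why would save the next reader a puzzle, since every other entry escapes its dots.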
@@ -0,0 +1,41 @@ +# flask needs to know where to export the libselinux headers. +LIBSEL ?= ../../libselinux + +# flask needs to know where to export the kernel headers. +LINUXDIR ?= ../../../linux-2.6 + +AWK = awk + +CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ + else if [ -x /bin/bash ]; then echo /bin/bash; \ + else echo sh; fi ; fi) + +FLASK_H_DEPEND = security_classes initial_sids +AV_H_DEPEND = access_vectors + +FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h +AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h +ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES) + +all: $(ALL_H_FILES) + +$(FLASK_H_FILES): $(FLASK_H_DEPEND) + $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND) + +$(AV_H_FILES): $(AV_H_DEPEND) + $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) + +tolib: all + install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux + install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src + +tokern: all + install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include + +install: all + +relabel: + +clean: + rm -f $(FLASK_H_FILES) + rm -f $(AV_H_FILES) diff --git a/strict/flask/access_vectors b/strict/flask/access_vectors new file mode 100644 index 0000000..22e1358 --- /dev/null +++ b/strict/flask/access_vectors 
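Review bot: the multi-target rules `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` make `make` run `mkflask.sh` and `mkaccess_vector.sh` once per listed header (three and four times respectively), and under `make -j` those runs write the same output files concurrently, so a parallel build can end up with headers that were rewritten mid-read; generate from one primary target (or a stamp file) and have the other headers depend on it. Also `all`, `tolib`, `tokern`, `install`, `relabel` and `clean` are not declared `.PHONY`, so a stray file named `clean` or `install` in the directory silently disables that target.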
@@ -0,0 +1,599 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + unlink + link + rename + execute + swapon + quotaon + mounton +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + recv_msg + send_msg + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. +# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + transition + associate + quotamod + quotaget +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} + +class file +inherits file +{ + execute_no_trans + entrypoint + execmod +} + +class lnk_file +inherits file + +class chr_file +inherits file +{ + execute_no_trans + entrypoint + execmod +} + +class blk_file +inherits file + +class sock_file +inherits file + +class fifo_file +inherits file + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. 
+# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + connectto + newconn + acceptfrom + node_bind +} + +class udp_socket +inherits socket +{ + node_bind +} + +class rawip_socket +inherits socket +{ + node_bind +} + +class node +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send + enforce_dest +} + +class netif +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto + newconn + acceptfrom +} + +class unix_dgram_socket +inherits socket + + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem +} + + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool + setsecparam + setcheckreqprot +} + + +# +# Define the access vector interpretation for system operations. 
+# + +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console +} + +# +# Define the access vector interpretation for controling capabilies +# + +class capability +{ + # The capabilities are defined in include/linux/capability.h + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control +} + + +# +# Define the access vector interpretation for controlling +# changes to passwd information. +# +class passwd +{ + passwd # change another user passwd + chfn # change another user finger info + chsh # change another user shell + rootok # pam_rootok check (skip auth) + crontab # crontab on another user +} + +# +# SE-X Windows stuff +# +class drawable +{ + create + destroy + draw + copy + getattr +} + +class gc +{ + create + free + getattr + setattr +} + +class window +{ + addchild + create + destroy + map + unmap + chstack + chproplist + chprop + listprop + getattr + setattr + setfocus + move + chselection + chparent + ctrllife + enumerate + transparent + mousemotion + clientcomevent + inputevent + drawevent + windowchangeevent + windowchangerequest + serverchangeevent + extensionevent +} + +class font +{ + load + free + getattr + use +} + +class colormap +{ + create + free + install + uninstall + list + read + store + getattr + setattr +} + +class property +{ + create + free + read + write +} + +class cursor +{ + create + createglyph + free + assign + setattr +} + +class xclient +{ + kill +} + +class xinput +{ + lookup + getattr + setattr + setfocus + warppointer + activegrab + passivegrab + ungrab + bell + mousemotion + relabelinput +} + 
+class xserver +{ + screensaver + gethostlist + sethostlist + getfontpath + setfontpath + getattr + grab + ungrab +} + +class xextension +{ + query + use +} + +# +# Define the access vector interpretation for controlling +# PaX flags +# +class pax +{ + pageexec # Paging based non-executable pages + emutramp # Emulate trampolines + mprotect # Restrict mprotect() + randmmap # Randomize mmap() base + randexec # Randomize ET_EXEC base + segmexec # Segmentation based non-executable pages +} + +# +# Extended Netlink classes +# +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_firewall_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_nflog_socket +inherits socket + +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_selinux_socket +inherits socket + +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_ip6fw_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_dnrt_socket +inherits socket + +# Define the access vector interpretation for controlling +# access and communication through the D-BUS messaging +# system. +# +class dbus +{ + acquire_svc + send_msg +} + +# Define the access vector interpretation for controlling +# access through the name service cache daemon (nscd). +# +class nscd +{ + getpwd + getgrp + gethost + getstat + admin + shmempwd + shmemgrp + shmemhost +} + +# Define the access vector interpretation for controlling +# access to IPSec network data by association +# +class association +{ + sendto + recvfrom +} diff --git a/strict/flask/initial_sids b/strict/flask/initial_sids new file mode 100644 index 0000000..95894eb --- /dev/null +++ b/strict/flask/initial_sids 
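Review bot: the bit assigned to each permission comes from its position in the list (the generator doubles `permission` per name), so inserting a name anywhere but at the end of a class or common silently renumbers every permission after it in the generated `av_permissions.h`, and a kernel and policy built from different revisions of this file will disagree on what each bit means. The `capability` class carries that warning ("Order matters") but it applies to every class here, so the header comment at the top of the file is the place to state that classes are append-only. Related: `capability` already lists 31 permissions (`chown` through `audit_control`) in a 32-bit access vector, so there is room for exactly one more before the class has to be split. Typo in the comment above `class capability`: "controling capabilies" should read "controlling capabilities".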
@@ -0,0 +1,35 @@ +# FLASK + +# +# Define initial security identifiers +# + +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull + +# FLASK diff --git a/strict/flask/mkaccess_vector.sh b/strict/flask/mkaccess_vector.sh new file mode 100644 index 0000000..b5da734 --- /dev/null +++ b/strict/flask/mkaccess_vector.sh 
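Review bot: the numbering of `SECINITSID_*` is positional (mkflask.sh increments `sid_value` once per `sid` line), so the order of these 27 entries is part of the kernel/userspace ABI and a new initial SID must only ever be appended; the file currently reads like an unordered set, and a comment under "Define initial security identifiers" saying the order is significant and append-only would prevent someone from grouping a new `sysctl_*` SID with the existing ones.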
@@ -0,0 +1,227 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="av_permissions.h" +av_inherit="av_inherit.h" +common_perm_to_string="common_perm_to_string.h" +av_perm_to_string="av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + inheritfile = \"$av_inherit\" + cpermfile = \"$common_perm_to_string\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; + printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "common" { + if (nextstate != "COMMON_OR_AV") + { + printf("Parse error: Unexpected COMMON definition on line %d\n", NR); + next; + } + + if ($2 in common_defined) + { + printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); + next; + } + common_defined[$2] = 1; + + tclass = $2; + common_name = $2; + permission = 1; + + printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; + + nextstate = "COMMON-OPENBRACKET"; + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + inherits = ""; + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "inherits" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); + next; + } + + if (!($2 in common_defined)) + { + printf("COMMON %s is not defined (line %d).\n", $2, NR); + next; + } + + 
inherits = $2; + permission = common_base[$2]; + + for (combined in common_perms) + { + split(combined,separate, SUBSEP); + if (separate[1] == inherits) + { + inherited_perms[common_perms[combined]] = separate[2]; + } + } + + j = 1; + for (i in inherited_perms) { + ind[j] = i + 0; + j++; + } + n = asort(ind); + for (i = 1; i <= n; i++) { + perm = inherited_perms[ind[i]]; + printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; + spaces = 40 - (length(perm) + length(tclass)); + if (spaces < 1) + spaces = 1; + for (j = 0; j < spaces; j++) + printf(" ") > outfile; + printf("0x%08xUL\n", ind[i]) > outfile; + } + printf("\n") > outfile; + for (i in ind) delete ind[i]; + for (i in inherited_perms) delete inherited_perms[i]; + + printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; + + nextstate = "CLASS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + 
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + if (inherits != "") + { + if ((inherits,$1) in common_perms) + { + printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); + next; + } + } + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff --git a/strict/flask/mkflask.sh b/strict/flask/mkflask.sh new file mode 100644 index 0000000..9c84754 --- /dev/null +++ b/strict/flask/mkflask.sh 
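Review bot: the parse-error and duplicate-definition diagnostics are printed to stdout with `printf(...)` followed by `next`, and the awk program never calls `exit 1`, so a malformed `access_vectors` still yields exit status 0 and the `set -e` at the top of the script cannot catch it: the build proceeds with incomplete `av_permissions.h` / `av_perm_to_string.h` files. Route the messages to `"/dev/stderr"`, set a flag, and `exit 1` from the END block when the flag is set. Second, in the `av_perms` branch the format string `"Permission %s in %s on line %d conflicts with common permission.\n"` has three conversions but is passed four arguments (`$1, tclass, inherits, NR`), so `%d` consumes `inherits` (a string, printed as 0) and the real line number `NR` is dropped; add a `%s` for `inherits` or remove that argument. Third, `asort()` is a gawk extension while the Makefile sets `AWK = awk`, so the script fails where `awk` is mawk or a BSD awk; either require gawk explicitly or sort the inherited indices by hand. Fourth, nothing checks that `permission` stays below 2^32, so a class whose own plus inherited permissions exceed 32 produces a value that no longer fits the `0x%08xUL` access vector without any warning. Finally, `cat $*` should be `cat "$@"` so input paths with spaces survive.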
@@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="flask.h" +debug_file="class_to_string.h" +debug_file2="initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" 
\"%s\",\n", $2) > debugfile2; + } +END { + if (nextstate != "SID") + printf("Parse error: Unexpected end of file\n"); + + printf("\n#define SECINITSID_NUM") > outfile; + for (i = 0; i < 34; i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf("\n#endif\n") > outfile; + printf("};\n\n") > debugfile2; + }' + +# FLASK diff --git a/strict/flask/security_classes b/strict/flask/security_classes new file mode 100644 index 0000000..b370522 --- /dev/null +++ b/strict/flask/security_classes @@ -0,0 +1,83 @@ +# FLASK + +# +# Define the security object classes +# + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket + +# sysv-ipc-related classes +class sem +class msg +class msgq +class shm +class ipc + +# +# userspace object manager classes +# + +# passwd/chfn/chsh +class passwd + +# SE-X Windows stuff +class drawable +class window +class gc +class font +class colormap +class property +class cursor +class xclient +class xinput +class xserver +class xextension + +# pax flags +class pax + +# extended netlink sockets +class netlink_route_socket +class netlink_firewall_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_ip6fw_socket +class netlink_dnrt_socket + +class dbus +class nscd + +# IPSec association +class association + +# FLASK diff --git a/strict/fs_use b/strict/fs_use new file mode 100644 index 0000000..8f167a7 --- /dev/null +++ b/strict/fs_use 
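Review bot: as in mkaccess_vector.sh, the "Parse error" and "Duplicate ... definition" messages in mkflask.sh go to stdout and never set a non-zero exit status, so `set -e` is ineffective and a truncated or malformed `security_classes` or `initial_sids` still yields a `flask.h` that compiles; print to `"/dev/stderr"` and `exit 1` from END when an error was seen. `cat $*` should be `cat "$@"`, and the generated `static char *initial_sid_to_string[]` would be better emitted as `static const char *` so the compiler rejects accidental writes to the string literals. For the `security_classes` hunk that follows: `SECCLASS_*` values are positional (`class_value++`), so the order of classes is ABI in the same way the initial SIDs are; the header comment should say classes are append-only, because the grouping comments ("file-related classes", "network-related classes", "extended netlink sockets") invite inserting a new class into its group rather than at the end.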
@@ -0,0 +1,31 @@ +# +# Define the labeling behavior for inodes in particular filesystem types. +# This information was formerly hardcoded in the SELinux module. + +# Use xattrs for the following filesystem types. +# Requires that a security xattr handler exist for the filesystem. +fs_use_xattr ext2 system_u:object_r:fs_t; +fs_use_xattr ext3 system_u:object_r:fs_t; +fs_use_xattr xfs system_u:object_r:fs_t; +fs_use_xattr jfs system_u:object_r:fs_t; + +# Use the allocating task SID to label inodes in the following filesystem +# types, and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems that represent objects +# like pipes and sockets, so that these objects are labeled with the same +# type as the creating task. +fs_use_task pipefs system_u:object_r:fs_t; +fs_use_task sockfs system_u:object_r:fs_t; + +# Use a transition SID based on the allocating task SID and the +# filesystem SID to label inodes in the following filesystem types, +# and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems like devpts and tmpfs +# where we want to label objects with a derived type. +fs_use_trans devpts system_u:object_r:devpts_t; +fs_use_trans tmpfs system_u:object_r:tmpfs_t; +fs_use_trans shm system_u:object_r:tmpfs_t; + +# The separate genfs_contexts configuration can be used for filesystem +# types that cannot support persistent label mappings or use +# one of the fixed label schemes specified here. diff --git a/strict/genfs_contexts b/strict/genfs_contexts new file mode 100644 index 0000000..3c2438b --- /dev/null +++ b/strict/genfs_contexts 
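Review bot: the closing comment points at genfs_contexts for filesystem types not covered here, but neither it nor the header says what happens to a type listed in neither file: per the genfs_contexts header, such inodes get the unlabeled initial SID, so every file on that filesystem shares one context and is governed by whatever the policy allows for it. A sentence stating that fall-through explicitly would make the consequence of an omission visible to whoever adds support for a new filesystem type, and it would pair naturally with the existing note that `fs_use_xattr` requires a security xattr handler in the filesystem.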
@@ -0,0 +1,105 @@ +# FLASK + +# +# Security contexts for files in filesystems that +# cannot support xattr or use one of the fixed labeling schemes +# specified in fs_use. +# +# Each specifications has the form: +# genfscon fstype pathname-prefix [ -type ] context +# +# The entry with the longest matching pathname prefix is used. +# / refers to the root directory of the file system, and +# everything is specified relative to this root directory. +# If there is no entry with a matching pathname prefix, then +# the unlabeled initial SID is used. +# +# The optional type field specifies the file type as shown in the mode +# field by ls, e.g. use -c to match only character device files, -b +# to match only block device files. +# +# Except for proc, in 2.6 other filesystems are limited to a single entry (/) +# that covers all entries in the filesystem with a default file context. +# For proc, a pathname can be reliably generated from the proc_dir_entry +# tree. The proc /sys entries are used for both proc inodes and for sysctl(2) +# calls. /proc/PID entries are automatically labeled based on the associated +# process. +# +# Support for other filesystem types requires corresponding code to be +# added to the kernel, either as an xattr handler in the filesystem +# implementation (preferred, and necessary if you want to access the labels +# from userspace) or as logic in the SELinux module. 
+ +# proc (excluding /proc/PID) +genfscon proc / system_u:object_r:proc_t +genfscon proc /kmsg system_u:object_r:proc_kmsg_t +genfscon proc /kcore system_u:object_r:proc_kcore_t +genfscon proc /mdstat system_u:object_r:proc_mdstat_t +genfscon proc /mtrr system_u:object_r:mtrr_device_t +genfscon proc /net system_u:object_r:proc_net_t +genfscon proc /sysvipc system_u:object_r:proc_t +genfscon proc /sys system_u:object_r:sysctl_t +genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t +genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t +genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t +genfscon proc /sys/net system_u:object_r:sysctl_net_t +genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t +genfscon proc /sys/vm system_u:object_r:sysctl_vm_t +genfscon proc /sys/dev system_u:object_r:sysctl_dev_t +genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t +genfscon proc /irq system_u:object_r:sysctl_irq_t + +# rootfs +genfscon rootfs / system_u:object_r:root_t + +# sysfs +genfscon sysfs / system_u:object_r:sysfs_t + +# selinuxfs +genfscon selinuxfs / system_u:object_r:security_t + +# autofs +genfscon autofs / system_u:object_r:autofs_t +genfscon automount / system_u:object_r:autofs_t + +# usbdevfs +genfscon usbdevfs / system_u:object_r:usbdevfs_t + +# iso9660 +genfscon iso9660 / system_u:object_r:iso9660_t +genfscon udf / system_u:object_r:iso9660_t + +# romfs +genfscon romfs / system_u:object_r:romfs_t +genfscon cramfs / system_u:object_r:romfs_t + +# ramfs +genfscon ramfs / system_u:object_r:ramfs_t + +# vfat, msdos +genfscon vfat / system_u:object_r:dosfs_t +genfscon msdos / system_u:object_r:dosfs_t +genfscon fat / system_u:object_r:dosfs_t +genfscon ntfs / system_u:object_r:dosfs_t + +# samba +genfscon cifs / system_u:object_r:cifs_t +genfscon smbfs / system_u:object_r:cifs_t + +# nfs +genfscon nfs / system_u:object_r:nfs_t +genfscon nfs4 / system_u:object_r:nfs_t +genfscon afs / system_u:object_r:nfs_t + +# 
reiserfs - until xattr security support works properly +genfscon reiserfs / system_u:object_r:nfs_t + +# needs more work +genfscon eventpollfs / system_u:object_r:eventpollfs_t +genfscon futexfs / system_u:object_r:futexfs_t +genfscon bdev / system_u:object_r:bdev_t +genfscon usbfs / system_u:object_r:usbfs_t +genfscon nfsd / system_u:object_r:nfsd_fs_t +genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t +genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t + diff --git a/strict/initial_sid_contexts b/strict/initial_sid_contexts new file mode 100644 index 0000000..e276f3f --- /dev/null +++ b/strict/initial_sid_contexts 
@@ -0,0 +1,46 @@ +# FLASK + +# +# Define the security context for each initial SID +# sid sidname context + +sid kernel system_u:system_r:kernel_t +sid security system_u:object_r:security_t +sid unlabeled system_u:object_r:unlabeled_t +sid fs system_u:object_r:fs_t +sid file system_u:object_r:file_t +# Persistent label mapping is gone. This initial SID can be removed. +sid file_labels system_u:object_r:unlabeled_t +# init_t is still used, but an initial SID is no longer required. +sid init system_u:object_r:unlabeled_t +# any_socket is no longer used. +sid any_socket system_u:object_r:unlabeled_t +sid port system_u:object_r:port_t +sid netif system_u:object_r:netif_t +# netmsg is no longer used. +sid netmsg system_u:object_r:unlabeled_t +sid node system_u:object_r:node_t +# These sockets are now labeled with the kernel SID, +# and do not require their own initial SIDs. +sid igmp_packet system_u:object_r:unlabeled_t +sid icmp_socket system_u:object_r:unlabeled_t +sid tcp_socket system_u:object_r:unlabeled_t +# Most of the sysctl SIDs are now computed at runtime +# from genfs_contexts, so the corresponding initial SIDs +# are no longer required. +sid sysctl_modprobe system_u:object_r:unlabeled_t +# But we still need the base sysctl initial SID as a default. +sid sysctl system_u:object_r:sysctl_t +sid sysctl_fs system_u:object_r:unlabeled_t +sid sysctl_kernel system_u:object_r:unlabeled_t +sid sysctl_net system_u:object_r:unlabeled_t +sid sysctl_net_unix system_u:object_r:unlabeled_t +sid sysctl_vm system_u:object_r:unlabeled_t +sid sysctl_dev system_u:object_r:unlabeled_t +# No longer used, can be removed. +sid kmod system_u:object_r:unlabeled_t +sid policy system_u:object_r:unlabeled_t +sid scmp_packet system_u:object_r:unlabeled_t +sid devnull system_u:object_r:null_device_t + +# FLASK diff --git a/strict/local.users b/strict/local.users new file mode 100644 index 0000000..6dd04d6 --- /dev/null +++ b/strict/local.users 
@@ -0,0 +1,21 @@ +################################## +# +# User configuration. +# +# This file defines additional users recognized by the system security policy. +# Only the user identities defined in this file and the system.users file +# may be used as the user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ level default_level range allowed_range ]; +# +# The MLS default level and allowed range should only be specified if +# MLS was enabled in the policy. + +# sample for administrative user +# user jadmin roles { staff_r sysadm_r system_r }; + +# sample for regular user +#user jdoe roles { user_r }; diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te new file mode 100644 index 0000000..ebd92a9 --- /dev/null +++ b/strict/macros/admin_macros.te 
@@ -0,0 +1,207 @@ +# +# Macros for all admin domains. +# + +# +# admin_domain(domain_prefix) +# +# Define derived types and rules for an administrator domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. If the every_domain() rules are desired, +# then these rules must also be specified separately. +# +undefine(`admin_domain') +define(`admin_domain',` +# Type for home directory. +attribute $1_file_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; +type $1_home_t, file_type, sysadmfile, home_type, $1_file_type; + +# Type and access for pty devices. +can_create_pty($1) + +tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }') + +# Type for tty devices. +type $1_tty_device_t, sysadmfile, ttyfile, dev_fs; + +# Inherit rules for ordinary users. +base_user_domain($1) + +allow $1_t self:capability setuid; + +ifdef(`su.te', `su_domain($1)') +ifdef(`userhelper.te', `userhelper_domain($1)') +ifdef(`sudo.te', `sudo_domain($1)') + +# Violates the goal of limiting write access to checkpolicy. +# But presently necessary for installing the file_contexts file. +create_dir_file($1_t, policy_config_t) +r_dir_file($1_t, selinux_config_t) + +# Let admin stat the shadow file. +allow $1_t shadow_t:file getattr; + +ifdef(`crond.te', ` +allow $1_crond_t var_log_t:file r_file_perms; +') + +# Allow system log read +allow $1_t kernel_t:system syslog_read; + +# Use capabilities other than sys_module. +allow $1_t self:capability ~sys_module; + +# Get security policy decisions. +can_getsecurity($1_t) + +# Use system operations. +allow $1_t kernel_t:system *; + +# Set password information for other users. +allow $1_t self:passwd { passwd chfn chsh }; + +# Skip authentication when pam_rootok is specified. +allow $1_t self:passwd rootok; + +# Manipulate other user crontab. 
+allow $1_t self:passwd crontab; +can_getsecurity(sysadm_crontab_t) + +# Change system parameters. +can_sysctl($1_t) + +# Create and use all files that have the sysadmfile attribute. +allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms; +allow $1_t sysadmfile:lnk_file create_lnk_perms; +allow $1_t sysadmfile:dir create_dir_perms; + +# for lsof +allow $1_t mtrr_device_t:file getattr; +allow $1_t fs_type:dir getattr; + +# Set an exec context, e.g. for runcon. +can_setexec($1_t) + +# Set a context other than the default one for newly created files. +can_setfscreate($1_t) + +# Access removable devices. +allow $1_t removable_device_t:devfile_class_set rw_file_perms; + +# Communicate with the init process. +allow $1_t initctl_t:fifo_file rw_file_perms; + +# Examine all processes. +can_ps($1_t, domain) + +# allow renice +allow $1_t domain:process setsched; + +# Send signals to all processes. +allow $1_t { domain unlabeled_t }:process signal_perms; + +# Access all user terminals. +allow $1_t tty_device_t:chr_file rw_file_perms; +allow $1_t ttyfile:chr_file rw_file_perms; +allow $1_t ptyfile:chr_file rw_file_perms; +allow $1_t serial_device:chr_file setattr; + +# allow setting up tunnels +allow $1_t tun_tap_device_t:chr_file rw_file_perms; + +# run ls -l /dev +allow $1_t device_t:dir r_dir_perms; +allow $1_t { device_t device_type }:{ chr_file blk_file } getattr; +allow $1_t ptyfile:chr_file getattr; + +# Run programs from staff home directories. +# Not ideal, but typical if users want to login as both sysadm_t or staff_t. +can_exec($1_t, staff_home_t) + +# Run programs from /usr/src. +can_exec($1_t, src_t) + +# Run admin programs that require different permissions in their own domain. +# These rules were moved into the appropriate program domain file. 
+ +# added by mayerf@tresys.com +# The following rules are temporary until such time that a complete +# policy management infrastructure is in place so that an administrator +# cannot directly manipulate policy files with arbitrary programs. +# +allow $1_t policy_src_t:file create_file_perms; +allow $1_t policy_src_t:lnk_file create_lnk_perms; +allow $1_t policy_src_t:dir create_dir_perms; + +# Relabel all files. +# Actually this will not allow relabeling ALL files unless you change +# sysadmfile to file_type (and change the assertion in assert.te that +# only auth_write can relabel shadow_t) +allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto }; +allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto }; + +ifdef(`startx.te', ` +ifdef(`xserver.te', ` +# Create files in /tmp/.X11-unix with our X servers derived +# tmp type rather than user_xserver_tmp_t. +file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) +')dnl end xserver.te +')dnl end startx.te + +ifdef(`xdm.te', ` +ifdef(`xauth.te', ` +if (xdm_sysadm_login) { +allow xdm_t $1_home_t:lnk_file read; +allow xdm_t $1_home_t:dir search; +} +allow $1_t xdm_t:fifo_file rw_file_perms; +')dnl end ifdef xauth.te +')dnl end ifdef xdm.te + +# +# A user who is authorized for sysadm_t may nonetheless have +# a home directory labeled with user_home_t if the user is expected +# to login in either user_t or sysadm_t. Hence, the derived domains +# for programs need to be able to access user_home_t. +# + +# Allow our gph domain to write to .xsession-errors. +ifdef(`gnome-pty-helper.te', ` +allow $1_gph_t user_home_dir_type:dir rw_dir_perms; +allow $1_gph_t user_home_type:file create_file_perms; +') + +# Allow our crontab domain to unlink a user cron spool file. 
+ifdef(`crontab.te', +`allow $1_crontab_t user_cron_spool_t:file unlink;') + +# for the administrator to run TCP servers directly +can_tcp_connect($1_t, $1_t) +allow $1_t port_t:tcp_socket name_bind; + +# Connect data port to ftpd. +ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') + +# Connect second port to rshd. +ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') + +# +# Allow sysadm to execute quota commands against filesystems and files. +# +allow $1_t fs_type:filesystem quotamod; + +# Grant read and write access to /dev/console. +allow $1_t console_device_t:chr_file rw_file_perms; + +# Allow MAKEDEV to work +allow $1_t device_t:dir rw_dir_perms; +allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; +allow $1_t device_t:lnk_file { create read }; + +# for lsof +allow $1_t domain:socket_class_set getattr; +allow $1_t eventpollfs_t:file getattr; +') diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te new file mode 100644 index 0000000..06bd8b3 --- /dev/null +++ b/strict/macros/base_user_macros.te 
@@ -0,0 +1,378 @@ +# +# Macros for all user login domains. +# + +define(`network_home_dir', ` +create_dir_file($1, $2) +can_exec($1, $2) +allow $1 $2:{ sock_file fifo_file } create_file_perms; +') + +# +# base_user_domain(domain_prefix) +# +# Define derived types and rules for an ordinary user domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. +# + +# base_user_domain() is also called by the admin_domain() macro +undefine(`base_user_domain') +define(`base_user_domain', ` + +allow $1_t self:capability { setgid chown fowner }; +dontaudit $1_t self:capability { sys_nice fsetid }; + +# $1_r is authorized for $1_t for the initial login domain. +role $1_r types $1_t; +allow system_r $1_r; + +r_dir_file($1_t, usercanread) + +# Grant permissions within the domain. +general_domain_access($1_t) + +if (allow_execmem) { +# Allow loading DSOs that require executable stack. +allow $1_t self:process execmem; +} + +if (allow_execmod) { +# Allow text relocations on system shared libraries, e.g. libGL. +allow $1_t texrel_shlib_t:file execmod; +} + +# +# kdeinit wants this access +# +allow $1_t device_t:dir { getattr search }; + +# Find CDROM devices +r_dir_file($1_t, sysctl_dev_t) +# for eject +allow $1_t fixed_disk_device_t:blk_file getattr; + +allow $1_t fs_type:dir getattr; + +allow $1_t event_device_t:chr_file { getattr read ioctl }; + +# open office is looking for the following +allow $1_t dri_device_t:chr_file getattr; +dontaudit $1_t dri_device_t:chr_file rw_file_perms; + +file_browse_domain($1_t) + +# allow ptrace +can_ptrace($1_t, $1_t) + +# Create, access, and remove files in home directory. 
+file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t) +allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto }; +can_setfscreate($1_t) + +allow $1_t autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs) { +network_home_dir($1_t, nfs_t) +} + +if (use_samba_home_dirs) { +network_home_dir($1_t, cifs_t) +} + +can_exec($1_t, { removable_t noexattrfile } ) +if (user_rw_noexattrfile) { +create_dir_file($1_t, noexattrfile) +create_dir_file($1_t, removable_t) +# Write floppies +allow $1_t removable_device_t:blk_file rw_file_perms; +allow $1_t usbtty_device_t:chr_file write; +} else { +r_dir_file($1_t, noexattrfile) +r_dir_file($1_t, removable_t) +allow $1_t removable_device_t:blk_file r_file_perms; +} +allow $1_t usbtty_device_t:chr_file read; + +# GNOME checks for usb and other devices +rw_dir_file($1_t,usbfs_t) + +can_exec($1_t, noexattrfile) +# Bind to a Unix domain socket in /tmp. +allow $1_t $1_tmp_t:unix_stream_socket name_bind; + +# Access ttys. +allow $1_t privfd:fd use; +allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + +# Use the type when relabeling terminal devices. +type_change $1_t tty_device_t:chr_file $1_tty_device_t; + +# read localization information +read_locale($1_t) + +# Debian login is from shadow utils and does not allow resetting the perms. +# have to fix this! +type_change $1_t ttyfile:chr_file $1_tty_device_t; + +# for running TeX programs +r_dir_file($1_t, tetex_data_t) +can_exec($1_t, tetex_data_t) + +# Use the type when relabeling pty devices. +type_change $1_t server_pty:chr_file $1_devpts_t; + +tmpfs_domain($1) + +ifdef(`cardmgr.te', ` +# to allow monitoring of pcmcia status +allow $1_t cardmgr_var_run_t:file { getattr read }; +') + +# Read and write /var/catman. +allow $1_t catman_t:dir rw_dir_perms; +allow $1_t catman_t:file create_file_perms; + +# Modify mail spool file. 
+allow $1_t mail_spool_t:dir r_dir_perms; +allow $1_t mail_spool_t:file rw_file_perms; +allow $1_t mail_spool_t:lnk_file read; + +# +# Allow graphical boot to check battery lifespan +# +ifdef(`apmd.te', ` +allow $1_t apmd_t:unix_stream_socket connectto; +allow $1_t apmd_var_run_t:sock_file write; +') + +# +# Allow the query of filesystem quotas +# +allow $1_t fs_type:filesystem quotaget; + +# Run helper programs. +can_exec_any($1_t) +# Run programs developed by other users in the same domain. +can_exec($1_t, $1_home_t) +can_exec($1_t, $1_tmp_t) + +# Run user programs that require different permissions in their own domain. +# These rules were moved into the individual program domains. + +# Instantiate derived domains for a number of programs. +# These derived domains encode both information about the calling +# user domain and the program, and allow us to maintain separation +# between different instances of the program being run by different +# user domains. +ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)') +ifdef(`chkpwd.te', `chkpwd_domain($1)') +ifdef(`fingerd.te', `fingerd_macro($1)') +ifdef(`mta.te', `mail_domain($1)') +ifdef(`crontab.te', `crontab_domain($1)') + +ifdef(`screen.te', `screen_domain($1)') +ifdef(`tvtime.te', `tvtime_domain($1)') +ifdef(`mozilla.te', `mozilla_domain($1)') +ifdef(`samba.te', `samba_domain($1)') +ifdef(`games.te', `games_domain($1)') +ifdef(`gpg.te', `gpg_domain($1)') +ifdef(`xauth.te', `xauth_domain($1)') +ifdef(`startx.te', `xserver_domain($1)') +ifdef(`lpr.te', `lpr_domain($1)') +ifdef(`ssh.te', `ssh_domain($1)') +ifdef(`irc.te', `irc_domain($1)') +ifdef(`using_spamassassin', `spamassassin_domain($1)') +ifdef(`uml.te', `uml_domain($1)') +ifdef(`cdrecord.te', `cdrecord_domain($1)') +ifdef(`mplayer.te', `mplayer_domains($1)') +ifdef(`gift.te', `gift_domains($1)') + +# Instantiate a derived domain for user cron jobs. 
+ifdef(`crond.te', `crond_domain($1)') + +ifdef(`vmware.te', `vmware_domain($1)') + +if (user_direct_mouse) { +# Read the mouse. +allow $1_t mouse_device_t:chr_file r_file_perms; +} +# Access other miscellaneous devices. +allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms; +allow $1_t device_t:lnk_file { getattr read }; + +can_resmgrd_connect($1_t) + +# +# evolution and gnome-session try to create a netlink socket +# +dontaudit $1_t self:netlink_socket create_socket_perms; +dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms; + +# Use the network. +can_network($1_t) +can_ypbind($1_t) + +ifdef(`pamconsole.te', ` +allow $1_t pam_var_console_t:dir search; +') + +allow $1_t var_lock_t:dir search; + +# Grant permissions to access the system DBus +ifdef(`dbusd.te', ` +dbusd_client(system, $1) +can_network_server_tcp($1_dbusd_t) +allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; + +allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; +dbusd_client($1, $1) +allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; +dbusd_domain($1) +ifdef(`hald.te', ` +allow $1_t hald_t:dbus send_msg; +allow hald_t $1_t:dbus send_msg; +') dnl end ifdef hald.te +') dnl end ifdef dbus.te + +# allow port_t name binding for UDP because it is not very usable otherwise +allow $1_t port_t:udp_socket name_bind; + +# Gnome pannel binds to the following +ifdef(`cups.te', ` +allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr }; +') + +# for perl +dontaudit $1_t net_conf_t:file ioctl; + +# Communicate within the domain. +can_udp_send($1_t, self) + +# Connect to inetd. +ifdef(`inetd.te', ` +can_tcp_connect($1_t, inetd_t) +can_udp_send($1_t, inetd_t) +can_udp_send(inetd_t, $1_t) +') + +# Connect to portmap. 
+ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') + +# Inherit and use sockets from inetd +ifdef(`inetd.te', ` +allow $1_t inetd_t:fd use; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;') + +# Very permissive allowing every domain to see every type. +allow $1_t kernel_t:system ipc_info; + +# When the user domain runs ps, there will be a number of access +# denials when ps tries to search /proc. Do not audit these denials. +dontaudit $1_t domain:dir r_dir_perms; +dontaudit $1_t domain:notdevfile_class_set r_file_perms; +dontaudit $1_t domain:process { getattr getsession }; +# +# Cups daemon running as user tries to write /etc/printcap +# +dontaudit $1_t usr_t:file setattr; + +ifdef(`xserver.te', ` +# for /tmp/.ICE-unix +file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) +allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; +') + +ifdef(`xdm.te', ` +# Connect to the X server run by the X Display Manager. +can_unix_connect($1_t, xdm_t) +allow $1_t xdm_tmp_t:sock_file rw_file_perms; +allow $1_t xdm_tmp_t:dir r_dir_perms; +allow $1_t xdm_tmp_t:file { getattr read }; +allow $1_t xdm_xserver_tmp_t:sock_file { read write }; +allow $1_t xdm_xserver_tmp_t:dir search; +allow $1_t xdm_xserver_t:unix_stream_socket connectto; +# certain apps want to read xdm.pid file +r_dir_file($1_t, xdm_var_run_t) +allow $1_t xdm_var_lib_t:file { getattr read }; +allow xdm_t $1_home_dir_t:dir getattr; +ifdef(`xauth.te', ` +file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) +') + +# for shared memory +allow xdm_xserver_t $1_tmpfs_t:file { read write }; + +')dnl end ifdef xdm.te + +# Access the sound device. +allow $1_t sound_device_t:chr_file { getattr read write ioctl }; + +# Access the power device. 
+allow $1_t power_device_t:chr_file { getattr read write ioctl }; + +allow $1_t var_log_t:dir { getattr search }; +dontaudit $1_t logfile:file getattr; + +# Check to see if cdrom is mounted +allow $1_t mnt_t:dir { getattr search }; + +# Get attributes of file systems. +allow $1_t fs_type:filesystem getattr; +allow $1_t removable_t:filesystem getattr; + +# Read and write /dev/tty and /dev/null. +allow $1_t devtty_t:chr_file rw_file_perms; +allow $1_t null_device_t:chr_file rw_file_perms; +allow $1_t zero_device_t:chr_file { rw_file_perms execute }; +allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; +# +# Added to allow reading of cdrom +# +allow $1_t rpc_pipefs_t:dir getattr; +allow $1_t nfsd_fs_t:dir getattr; +allow $1_t binfmt_misc_fs_t:dir getattr; + +# /initrd is left mounted, various programs try to look at it +dontaudit $1_t ramfs_t:dir getattr; + +# +# Emacs wants this access +# +allow $1_t wtmp_t:file r_file_perms; +dontaudit $1_t wtmp_t:file write; + +# Read the devpts root directory. +allow $1_t devpts_t:dir r_dir_perms; + +allow $1_t src_t:dir r_dir_perms; +allow $1_t src_t:notdevfile_class_set r_file_perms; + +if (read_default_t) { +allow $1_t default_t:dir r_dir_perms; +allow $1_t default_t:notdevfile_class_set r_file_perms; +} + +read_sysctl($1_t); + +# +# Caused by su - init scripts +# +dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write }; + +# +# Running ifconfig as a user generates the following +# +dontaudit $1_t self:socket create; +dontaudit $1_t sysctl_net_t:dir search; + +dontaudit $1_t default_context_t:dir search; + +ifdef(`rpcd.te', ` +create_dir_file($1_t, nfsd_rw_t) +') + +')dnl end base_user_domain macro + diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te new file mode 100644 index 0000000..6b4e5be --- /dev/null +++ b/strict/macros/core_macros.te 
@@ -0,0 +1,696 @@ + +############################## +# +# core macros for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley , Timothy Fraser +# Howard Holm (NSA) +# Russell Coker +# + +################################# +# +# Macros for groups of classes and +# groups of permissions. +# + +# +# All directory and file classes +# +define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# All non-directory file classes. +# +define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# Non-device file classes. +# +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') + +# +# Device file classes. +# +define(`devfile_class_set', `{ chr_file blk_file }') + +# +# All socket classes. +# +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }') + + +# +# Datagram socket classes. +# +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') + +# +# Stream socket classes. +# +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') + +# +# Unprivileged socket classes (exclude rawip, netlink, packet). +# +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + + +# +# Permissions for getting file attributes. +# +define(`stat_file_perms', `{ getattr }') + +# +# Permissions for executing files. +# +define(`x_file_perms', `{ getattr execute }') + +# +# Permissions for reading files and their attributes. +# +define(`r_file_perms', `{ read getattr lock ioctl }') + +# +# Permissions for reading and executing files. 
+# +define(`rx_file_perms', `{ read getattr lock execute ioctl }') + +# +# Permissions for reading and writing files and their attributes. +# +define(`rw_file_perms', `{ ioctl read getattr lock write append }') + +# +# Permissions for reading and appending to files. +# +define(`ra_file_perms', `{ ioctl read getattr lock append }') + +# +# Permissions for linking, unlinking and renaming files. +# +define(`link_file_perms', `{ getattr link unlink rename }') + +# +# Permissions for creating lnk_files. +# +define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }') + +# +# Permissions for creating and using files. +# +define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }') + +# +# Permissions for reading directories and their attributes. +# +define(`r_dir_perms', `{ read getattr lock search ioctl }') + +# +# Permissions for reading and writing directories and their attributes. +# +define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }') + +# +# Permissions for reading and adding names to directories. +# +define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }') + + +# +# Permissions for creating and using directories. +# +define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }') + +# +# Permissions to mount and unmount file systems. +# +define(`mount_fs_perms', `{ mount remount unmount getattr }') + +# +# Permissions for using sockets. +# +define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`create_socket_perms', `{ create rw_socket_perms }') + +# +# Permissions for using stream sockets. +# +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') + +# +# Permissions for creating and using stream sockets. 
+# +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') + +# +# Permissions for creating and using sockets. +# +define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') + + +# +# Permissions for creating and using netlink sockets. +# +define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that modify state. +# +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that observe state. +# +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') + +# +# Permissions for sending all signals. +# +define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') + +# +# Permissions for sending and receiving network packets. 
+# +define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') + +# +# Permissions for using System V IPC +# +define(`r_sem_perms', `{ associate getattr read unix_read }') +define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') +define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') +define(`r_msgq_perms', `{ associate getattr read unix_read }') +define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') +define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') +define(`r_shm_perms', `{ associate getattr read unix_read }') +define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') +define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') + +################################# +# +# Macros for type transition rules and +# access vector rules. +# + +# +# Simple combinations for reading and writing both +# directories and files. 
+# +define(`r_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:file r_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`rw_dir_file', ` +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file rw_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`ra_dir_file', ` +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file ra_file_perms; +allow $1 $2:lnk_file { getattr read }; +') + +define(`ra_dir_create_file', ` +allow $1 $2:dir ra_dir_perms; +allow $1 $2:file { create ra_file_perms }; +allow $1 $2:lnk_file { create read getattr }; +') + +define(`rw_dir_create_file', ` +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_dir_file', ` +allow $1 $2:dir create_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_dir_notdevfile', ` +allow $1 $2:dir create_dir_perms; +allow $1 $2:{ file sock_file fifo_file } create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; +') + +define(`create_append_log_file', ` +allow $1 $2:dir { read getattr search add_name write }; +allow $1 $2:file { create ioctl getattr setattr append link }; +') + +################################## +# +# can_ps(domain1, domain2) +# +# Authorize domain1 to see /proc entries for domain2 (see it in ps output) +# +define(`can_ps',` +allow $1 $2:dir { search getattr read }; +allow $1 $2:{ file lnk_file } { read getattr }; +allow $1 $2:process getattr; +# We need to suppress this denial because procps tries to access +# /proc/pid/environ and this now triggers a ptrace check in recent kernels +# (2.4 and 2.6). Might want to change procps to not do this, or only if +# running in a privileged domain. +dontaudit $1 $2:process ptrace; +') + +################################## +# +# can_getsecurity(domain) +# +# Authorize a domain to get security policy decisions. +# +define(`can_getsecurity',` +# Get the selinuxfs mount point via /proc/self/mounts. 
+allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } { getattr read }; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user }; +') + +################################## +# +# can_setenforce(domain) +# +# Authorize a domain to set the enforcing flag. +# Due to its sensitivity, always audit this permission. +# +define(`can_setenforce',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setenforce; +auditallow $1 security_t:security setenforce; +') + +################################## +# +# can_setbool(domain) +# +# Authorize a domain to set a policy boolean. +# Due to its sensitivity, always audit this permission. +# +define(`can_setbool',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setbool; +auditallow $1 security_t:security setbool; +') + +################################## +# +# can_setsecparam(domain) +# +# Authorize a domain to set security parameters. +# Due to its sensitivity, always audit this permission. +# +define(`can_setsecparam',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. 
+allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setsecparam; +auditallow $1 security_t:security setsecparam; +') + +################################## +# +# can_loadpol(domain) +# +# Authorize a domain to load a policy configuration. +# Due to its sensitivity, always audit this permission. +# +define(`can_loadpol',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security load_policy; +auditallow $1 security_t:security load_policy; +') + +################################# +# +# domain_trans(parent_domain, program_type, child_domain) +# +# Permissions for transitioning to a new domain. +# + +define(`domain_trans',` + +# +# Allow the process to transition to the new domain. +# +allow $1 $3:process transition; + +# +# Do not audit when glibc secure mode is enabled upon the transition. +# +dontaudit $1 $3:process noatsecure; + +# +# Do not audit when signal-related state is cleared upon the transition. +# +dontaudit $1 $3:process siginh; + +# +# Do not audit when resource limits are reset upon the transition. +# +dontaudit $1 $3:process rlimitinh; + +# +# Allow the process to execute the program. +# +allow $1 $2:file { read x_file_perms }; + +# +# Allow the process to reap the new domain. +# +allow $3 $1:process sigchld; + +# +# Allow the new domain to inherit and use file +# descriptions from the creating process and vice versa. +# +allow $3 $1:fd use; +allow $1 $3:fd use; + +# +# Allow the new domain to write back to the old domain via a pipe. +# +allow $3 $1:fifo_file rw_file_perms; + +# +# Allow the new domain to read and execute the program. 
+# +allow $3 $2:file rx_file_perms; + +# +# Allow the new domain to be entered via the program. +# +allow $3 $2:file entrypoint; +') + +################################# +# +# domain_auto_trans(parent_domain, program_type, child_domain) +# +# Define a default domain transition and allow it. +# +define(`domain_auto_trans',` +domain_trans($1,$2,$3) +type_transition $1 $2:process $3; +') + +################################# +# +# can_ptrace(domain, domain) +# +# Permissions for running ptrace (strace or gdb) on another domain +# +define(`can_ptrace',` +allow $1 $2:process ptrace; +allow $2 $1:process sigchld; +') + +################################# +# +# can_exec(domain, type) +# +# Permissions for executing programs with +# a specified type without changing domains. +# +define(`can_exec',` +allow $1 $2:file { rx_file_perms execute_no_trans }; +') + +# this is an internal macro used by can_create +define(`can_create_internal', ` +ifelse(`$3', `dir', ` +allow $1 $2:$3 create_dir_perms; +', `$3', `lnk_file', ` +allow $1 $2:$3 create_lnk_perms; +', ` +allow $1 $2:$3 create_file_perms; +')dnl end if dir +')dnl end can_create_internal + + +################################# +# +# can_create(domain, file_type, object_class) +# +# Permissions for creating files of the specified type and class +# +define(`can_create', ` +ifelse(regexp($3, `\w'), -1, `', ` +can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1')) + +can_create($1, $2, regexp($3, `\w+\(.*\)', `\1')) +') +') +################################# +# +# file_type_trans(domain, dir_type, file_type) +# +# Permissions for transitioning to a new file type. +# + +define(`file_type_trans',` + +# +# Allow the process to modify the directory. +# +allow $1 $2:dir rw_dir_perms; + +# +# Allow the process to create the file. 
+# +ifelse(`$4', `', ` +can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }') +', ` +can_create($1, $3, $4) +')dnl end if param 4 specified + +') + +################################# +# +# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class) +# +# the object class will default to notdevfile_class_set if not specified as +# the fourth parameter +# +# Define a default file type transition and allow it. +# +define(`file_type_auto_trans',` +ifelse(`$4', `', ` +file_type_trans($1,$2,$3) +type_transition $1 $2:dir $3; +type_transition $1 $2:notdevfile_class_set $3; +', ` +file_type_trans($1,$2,$3,$4) +type_transition $1 $2:$4 $3; +')dnl end ifelse + +') + + +################################# +# +# can_unix_connect(client, server) +# +# Permissions for establishing a Unix stream connection. +# +define(`can_unix_connect',` +allow $1 $2:unix_stream_socket connectto; +') + +################################# +# +# can_unix_send(sender, receiver) +# +# Permissions for sending Unix datagrams. +# +define(`can_unix_send',` +allow $1 $2:unix_dgram_socket sendto; +') + +################################# +# +# can_tcp_connect(client, server) +# +# Permissions for establishing a TCP connection. +# Irrelevant until we have labeled networking. +# +define(`can_tcp_connect',` +#allow $1 $2:tcp_socket { connectto recvfrom }; +#allow $2 $1:tcp_socket { acceptfrom recvfrom }; +#allow $2 kernel_t:tcp_socket recvfrom; +#allow $1 kernel_t:tcp_socket recvfrom; +') + +################################# +# +# can_udp_send(sender, receiver) +# +# Permissions for sending/receiving UDP datagrams. +# Irrelevant until we have labeled networking. +# +define(`can_udp_send',` +#allow $1 $2:udp_socket sendto; +#allow $2 $1:udp_socket recvfrom; +') + + +################################## +# +# base_pty_perms(domain_prefix) +# +# Base permissions used for can_create_pty() and can_create_other_pty() +# +define(`base_pty_perms', ` +# Access the pty master multiplexer. 
+allow $1_t ptmx_t:chr_file rw_file_perms; + +allow $1_t devpts_t:filesystem getattr; + +# allow searching /dev/pts +allow $1_t devpts_t:dir { getattr read search }; + +# ignore old BSD pty devices +dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; +') + + +################################## +# +# pty_slave_label(domain_prefix, attributes) +# +# give access to a slave pty but do not allow creating new ptys +# +define(`pty_slave_label', ` +type $1_devpts_t, file_type, sysadmfile, ptyfile $2; + +# Allow the pty to be associated with the file system. +allow $1_devpts_t devpts_t:filesystem associate; + +# Label pty files with a derived type. +type_transition $1_t devpts_t:chr_file $1_devpts_t; + +# Read and write my pty files. +allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; +') + + +################################## +# +# can_create_pty(domain_prefix, attributes) +# +# Permissions for creating ptys. +# +define(`can_create_pty',` +base_pty_perms($1) +pty_slave_label($1, `$2') +') + + +################################## +# +# can_create_other_pty(domain_prefix,other_domain) +# +# Permissions for creating ptys for another domain. +# +define(`can_create_other_pty',` +base_pty_perms($1) +# Label pty files with a derived type. +type_transition $1_t devpts_t:chr_file $2_devpts_t; + +# Read and write pty files. +allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; +') + + +# +# general_domain_access(domain) +# +# Grant permissions within the domain. +# This includes permissions to processes, /proc/PID files, +# file descriptors, pipes, Unix sockets, and System V IPC objects +# labeled with the domain. +# +define(`general_domain_access',` +# Access other processes in the same domain. +# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem. +# These must be granted separately if desired. 
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem}; + +# Access /proc/PID files for processes in the same domain. +allow $1 self:dir r_dir_perms; +allow $1 self:notdevfile_class_set r_file_perms; + +# Access file descriptions, pipes, and sockets +# created by processes in the same domain. +allow $1 self:fd *; +allow $1 self:fifo_file rw_file_perms; +allow $1 self:unix_dgram_socket create_socket_perms; +allow $1 self:unix_stream_socket create_stream_socket_perms; + +# Allow the domain to communicate with other processes in the same domain. +allow $1 self:unix_dgram_socket sendto; +allow $1 self:unix_stream_socket connectto; + +# Access System V IPC objects created by processes in the same domain. +allow $1 self:sem create_sem_perms; +allow $1 self:msg { send receive }; +allow $1 self:msgq create_msgq_perms; +allow $1 self:shm create_shm_perms; +allow $1 unpriv_userdomain:fd use; +# +# Every app is asking for ypbind so I am adding this here, +# eventually this should become can_nsswitch +# +can_ypbind($1) +allow $1 autofs_t:dir { search getattr }; +')dnl end general_domain_access diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te new file mode 100644 index 0000000..cfb47cd --- /dev/null +++ b/strict/macros/global_macros.te 
@@ -0,0 +1,739 @@ +############################## +# +# Global macros for the type enforcement (TE) configuration. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# Howard Holm (NSA) +# Russell Coker +# +# +# + +################################## +# +# can_setexec(domain) +# +# Authorize a domain to set its exec context +# (via /proc/pid/attr/exec). +# +define(`can_setexec',` +allow $1 self:process setexec; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################## +# +# can_getcon(domain) +# +# Authorize a domain to get its context +# (via /proc/pid/attr/current). +# +define(`can_getcon',` +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +allow $1 self:process getattr; +') + +################################## +# +# can_setcon(domain) +# +# Authorize a domain to set its current context +# (via /proc/pid/attr/current). +# +define(`can_setcon',` +allow $1 self:process setcurrent; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################## +# read_sysctl(domain) +# +# Permissions for reading sysctl variables. +# If the second parameter is 'full', allow +# reading of any sysctl variables, else only +# sysctl_kernel_t. +# +define(`read_sysctl', ` +# Read system variables in /sys. +ifelse($2,`full', ` +allow $1 sysctl_type:dir r_dir_perms; +allow $1 sysctl_type:file r_file_perms; +', ` +allow $1 sysctl_t:dir search; +allow $1 sysctl_kernel_t:dir search; +allow $1 sysctl_kernel_t:file { getattr read }; +') + +')dnl read_sysctl + +################################## +# +# can_setfscreate(domain) +# +# Authorize a domain to set its fscreate context +# (via /proc/pid/attr/fscreate). 
+# +define(`can_setfscreate',` +allow $1 self:process setfscreate; +allow $1 proc_t:dir search; +allow $1 proc_t:{ file lnk_file } read; +allow $1 self:dir search; +allow $1 self:file { getattr read write }; +') + +################################# +# +# uses_shlib(domain) +# +# Permissions for using shared libraries. +# +define(`uses_shlib',` +allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms; +allow $1 lib_t:lnk_file r_file_perms; +allow $1 ld_so_t:file rx_file_perms; +#allow $1 ld_so_t:file execute_no_trans; +allow $1 ld_so_t:lnk_file r_file_perms; +allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms; +allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms; +allow $1 ld_so_cache_t:file r_file_perms; +allow $1 device_t:dir search; +allow $1 null_device_t:chr_file rw_file_perms; +') + +################################# +# +# can_exec_any(domain) +# +# Permissions for executing a variety +# of executable types. +# +define(`can_exec_any',` +allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms; +allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read }; +uses_shlib($1) +can_exec($1, etc_t) +can_exec($1, lib_t) +can_exec($1, bin_t) +can_exec($1, sbin_t) +can_exec($1, exec_type) +can_exec($1, ld_so_t) +') + + +################################# +# +# can_sysctl(domain) +# +# Permissions for modifying sysctl parameters. 
+# +define(`can_sysctl',` +allow $1 sysctl_type:dir r_dir_perms; +allow $1 sysctl_type:file { setattr rw_file_perms }; +') + + +################################## +# +# read_locale(domain) +# +# Permissions for reading the locale data, +# /etc/localtime and the files that it links to +# +define(`read_locale', ` +allow $1 etc_t:lnk_file read; +allow $1 lib_t:file r_file_perms; +r_dir_file($1, locale_t) +') + + +################################### +# +# access_terminal(domain, typeprefix) +# +# Permissions for accessing the terminal +# +define(`access_terminal', ` +allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; +allow $1 devtty_t:chr_file { read write getattr ioctl }; +allow $1 devpts_t:dir { read search getattr }; +allow $1 $2_devpts_t:chr_file { read write getattr ioctl }; +') + +# +# general_proc_read_access(domain) +# +# Grant read/search permissions to most of /proc, excluding +# the /proc/PID directories and the /proc/kmsg and /proc/kcore files. +# The general_domain_access macro grants access to the domain /proc/PID +# directories, but not to other domains. Only permissions to stat +# are granted for /proc/kmsg and /proc/kcore, since these files are more +# sensitive. +# +define(`general_proc_read_access',` +# Read system information files in /proc. +r_dir_file($1, proc_t) +r_dir_file($1, proc_net_t) +allow $1 proc_mdstat_t:file r_file_perms; + +# Stat /proc/kmsg and /proc/kcore. +allow $1 proc_fs:file stat_file_perms; + +# Read system variables in /proc/sys. +read_sysctl($1) +') + +# +# base_file_read_access(domain) +# +# Grant read/search permissions to a few system file types. +# +define(`base_file_read_access',` +# Read /. +allow $1 root_t:dir r_dir_perms; +allow $1 root_t:notdevfile_class_set r_file_perms; + +# Read /home. +allow $1 home_root_t:dir r_dir_perms; + +# Read /usr. +allow $1 usr_t:dir r_dir_perms; +allow $1 usr_t:notdevfile_class_set r_file_perms; + +# Read bin and sbin directories. 
+allow $1 bin_t:dir r_dir_perms; +allow $1 bin_t:notdevfile_class_set r_file_perms; +allow $1 sbin_t:dir r_dir_perms; +allow $1 sbin_t:notdevfile_class_set r_file_perms; +read_sysctl($1) + +r_dir_file($1, selinux_config_t) + +if (read_default_t) { +# +# Read default_t +#. +allow $1 default_t:dir r_dir_perms; +allow $1 default_t:notdevfile_class_set r_file_perms; +} + +') + +####################### +# daemon_core_rules(domain_prefix, attribs) +# +# Define the core rules for a daemon, used by both daemon_base_domain() and +# init_service_domain(). +# Attribs is the list of attributes which must start with "," if it is not empty +# +# Author: Russell Coker +# +define(`daemon_core_rules', ` +type $1_t, domain, privlog, daemon $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +dontaudit $1_t self:capability sys_tty_config; + +role system_r types $1_t; + +# Inherit and use descriptors from init. +allow $1_t init_t:fd use; +allow $1_t init_t:process sigchld; +allow $1_t self:process { signal_perms fork }; + +uses_shlib($1_t) + +allow $1_t { self proc_t }:dir r_dir_perms; +allow $1_t { self proc_t }:lnk_file read; + +allow $1_t device_t:dir r_dir_perms; +ifdef(`udev.te', ` +allow $1_t udev_tdb_t:file r_file_perms; +')dnl end if udev.te +allow $1_t null_device_t:chr_file rw_file_perms; +dontaudit $1_t console_device_t:chr_file rw_file_perms; +dontaudit $1_t unpriv_userdomain:fd use; + +r_dir_file($1_t, sysfs_t) + +allow $1_t autofs_t:dir { search getattr }; +ifdef(`targeted_policy', ` +dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write }; +dontaudit $1_t root_t:file { getattr read }; +')dnl end if targeted_policy + +')dnl end macro daemon_core_rules + +####################### +# init_service_domain(domain_prefix, attribs) +# +# Define a domain for a program that is run from init +# Attribs is the list of attributes which must start with "," if it is not empty +# +# Author: Russell Coker +# +define(`init_service_domain', ` +daemon_core_rules($1, `$2') + 
+domain_auto_trans(init_t, $1_exec_t, $1_t) +')dnl + +####################### +# daemon_base_domain(domain_prefix, attribs) +# +# Define a daemon domain with a base set of type declarations +# and permissions that are common to most daemons. +# attribs is the list of attributes which must start with "," if it is not empty +# +# Author: Russell Coker +# +define(`daemon_base_domain', ` +daemon_core_rules($1, `$2') + +rhgb_domain($1_t) + +read_sysctl($1_t) + +ifdef(`direct_sysadm_daemon', ` +dontaudit $1_t admin_tty_type:chr_file rw_file_perms; +') + +# +# Allows user to define a tunable to disable domain transition +# +ifelse(index(`$2',`transitionbool'), -1, `', ` +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(initrc_t, $1_exec_t) +can_exec(sysadm_t, $1_exec_t) +} else { +') dnl transitionbool +domain_auto_trans(initrc_t, $1_exec_t, $1_t) +allow initrc_t $1_t:process { noatsecure siginh rlimitinh }; +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +allow sysadm_t $1_t:process { noatsecure siginh rlimitinh }; +')dnl end direct_sysadm_daemon +')dnl end nosysadm +ifelse(index(`$2', `transitionbool'), -1, `', ` +} +') dnl end transitionbool +ifdef(`direct_sysadm_daemon', ` +ifelse(`$3', `nosysadm', `', ` +role_transition sysadm_r $1_exec_t system_r; +')dnl end nosysadm +')dnl end direct_sysadm_daemon + +allow $1_t privfd:fd use; +ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;') +allow $1_t initrc_devpts_t:chr_file rw_file_perms; +')dnl + +# allow a domain to create its own files under /var/run and to create files +# in directories that are created for it. $2 is an optional list of +# classes to use; default is file. 
+define(`var_run_domain', ` +type $1_var_run_t, file_type, sysadmfile, pidfile; + +ifelse(`$2', `', ` +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file) +', ` +file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) +') +allow $1_t var_t:dir search; +allow $1_t $1_var_run_t:dir rw_dir_perms; +') +define(`daemon_domain', ` +ifdef(`targeted_policy', ` +daemon_base_domain($1, `$2, transitionbool', $3) +', ` +daemon_base_domain($1, `$2', $3) +') +# Create pid file. +allow $1_t var_t:dir { getattr search }; +var_run_domain($1) + +allow $1_t devtty_t:chr_file rw_file_perms; + +# for daemons that look at /root on startup +dontaudit $1_t sysadm_home_dir_t:dir search; + +# for df +allow $1_t fs_type:filesystem getattr; +allow $1_t removable_t:filesystem getattr; + +read_locale($1_t) + +# for localization +allow $1_t lib_t:file { getattr read }; +')dnl end daemon_domain macro + +define(`uses_authbind', +`domain_auto_trans($1, authbind_exec_t, authbind_t) +allow authbind_t $1:process sigchld; +allow authbind_t $1:fd use; +allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; +') + +# define a sub-domain, $1_t is the parent domain, $2 is the name +# of the sub-domain. +# +define(`daemon_sub_domain', ` +# $1 is the parent domain (or domains), $2_t is the child domain, +# and $3 is any attributes to apply to the child +type $2_t, domain, privlog, daemon $3; +type $2_exec_t, file_type, sysadmfile, exec_type; + +role system_r types $2_t; + +domain_auto_trans($1, $2_exec_t, $2_t) + +# Inherit and use descriptors from parent. +allow $2_t $1:fd use; +allow $2_t $1:process sigchld; + +allow $2_t self:process signal_perms; + +uses_shlib($2_t) + +allow $2_t { self proc_t }:dir r_dir_perms; +allow $2_t { self proc_t }:lnk_file read; + +allow $2_t device_t:dir getattr; +') + +# grant access to /tmp +# by default, only plain files and dirs may be stored there. 
+# This can be overridden with a third parameter +define(`tmp_domain', ` +type $1_tmp_t, file_type, sysadmfile, tmpfile $2; +ifelse($3, `', +`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')', +`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')') +') + +define(`tmpfs_domain', ` +type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; +# Use this type when creating tmpfs/shm objects. +file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) +allow $1_tmpfs_t tmpfs_t:filesystem associate; +') + +define(`var_lib_domain', ` +type $1_var_lib_t, file_type, sysadmfile; +typealias $1_var_lib_t alias var_lib_$1_t; +file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) +allow $1_t $1_var_lib_t:dir rw_dir_perms; +') + +define(`log_domain', ` +type $1_log_t, file_type, sysadmfile, logfile; +file_type_auto_trans($1_t, var_log_t, $1_log_t, file) +') + +define(`logdir_domain', ` +log_domain($1) +allow $1_t $1_log_t:dir { setattr rw_dir_perms }; +') + +define(`etc_domain', ` +type $1_etc_t, file_type, sysadmfile, usercanread; +allow $1_t $1_etc_t:file r_file_perms; +') + +define(`etcdir_domain', ` +etc_domain($1) +allow $1_t $1_etc_t:dir r_dir_perms; +allow $1_t $1_etc_t:lnk_file { getattr read }; +') + +define(`append_log_domain', ` +type $1_log_t, file_type, sysadmfile, logfile; +allow $1_t var_log_t:dir ra_dir_perms; +allow $1_t $1_log_t:file { create ra_file_perms }; +type_transition $1_t var_log_t:file $1_log_t; +') + +define(`append_logdir_domain', ` +append_log_domain($1) +allow $1_t $1_log_t:dir { setattr ra_dir_perms }; +') + +define(`lock_domain', ` +type $1_lock_t, file_type, sysadmfile, lockfile; +file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file) +') + +#################################################################### +# home_domain_ro_access(source, user, app) +# +# Gives source access to the read-only home +# domain of app for the given user type +# + +define(`home_domain_ro_access', ` + +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { 
+r_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +r_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; + +r_dir_file($1, $2_$3_ro_home_t) + +') dnl home_domain_ro_access + +#################################################################### +# home_domain_access(source, user, app) +# +# Gives source full access to the home +# domain of app for the given user type +# + +define(`home_domain_access', ` + +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { +create_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; + +file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t) + +') dnl home_domain_access + +#################################################################### +# home_domain (prefix, app) +# +# Creates a domain in the prefix home where an application can +# store its settings. It's accessible by the prefix domain. +# + +define(`home_domain', ` + +# Declare home domain +# FIXME: the second alias is problematic because +# home_domain and home_domain_ro cannot be used in parallel +# Remove the second alias when compatibility is no longer an issue + +type $1_$2_home_t, file_type, $1_file_type, sysadmfile; +typealias $1_$2_home_t alias $1_$2_rw_t; +typealias $1_$2_home_t alias $1_home_$2_t; + +# User side access +create_dir_file($1_t, $1_$2_home_t) +allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_access($1_$2_t, $1, $2) +') + +#################################################################### +# home_domain_ro (user, app) +# +# Creates a read-only domain in the user home where an application can +# store its settings. It's fully accessible by the user, but +# it's read-only for the application. 
+# + +define(`home_domain_ro', ` + +# Declare home domain +# FIXME: the second alias is problematic because +# home_domain and home_domain_ro cannot be used in parallel +# Remove the second alias when compatibility is no longer an issue + +type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile; +typealias $1_$2_ro_home_t alias $1_$2_ro_t; +typealias $1_$2_ro_home_t alias $1_home_$2_t; + +# User side access +create_dir_file($1_t, $1_$2_ro_home_t) +allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_ro_access($1_$2_t, $1, $2) +') + +####################### +# application_domain(domain_prefix) +# +# Define a domain with a base set of type declarations +# and permissions that are common to simple applications. +# +# Author: Russell Coker +# +define(`application_domain', ` +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role sysadm_r types $1_t; +domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +uses_shlib($1_t) +') + +define(`user_application_domain', ` +application_domain($1, `$2') +in_user_role($1_t) +domain_auto_trans(userdomain, $1_exec_t, $1_t) +') + +define(`system_domain', ` +type $1_t, domain, privlog $2; +type $1_exec_t, file_type, sysadmfile, exec_type; +role system_r types $1_t; +uses_shlib($1_t) +allow $1_t etc_t:dir r_dir_perms; +') + +# Do not flood message log, if the user does a browse +define(`file_browse_domain', ` + +# Regular files/directories that are not security sensitive +dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; +dontaudit $1 file_type - secure_file_type:dir { read search }; + +# /dev +dontaudit $1 dev_fs:dir_file_class_set getattr; +dontaudit $1 dev_fs:dir { read search }; + +# /proc +dontaudit $1 sysctl_t:dir_file_class_set getattr; +dontaudit $1 proc_fs:dir { read search }; + +')dnl end file_browse_domain + + +# Define legacy_domain for legacy binaries (java) +# "legacy" binary == lacks PT_GNU_STACK header, i.e. 
built with an old +# toolchain. They cause the kernel to automatically start translating all +# read protection requests to read|execute for backward compatibility on +# x86. They will all need execmem and execmod, including execmod to +# shlib_t and ld_so_t unlike non-legacy binaries. + +define(`legacy_domain', ` +allow $1_t self:process { execmem }; +allow $1_t { texrel_shlib_t shlib_t }:file execmod; +allow $1_t ld_so_t:file execmod; +allow $1_t ld_so_cache_t:file execute; +') + +# +# Define a domain that can do anything, so that it is +# effectively unconfined by the SELinux policy. This +# means that it is only restricted by the normal Linux +# protections. Note that you may need to add further rules +# to allow other domains to interact with this domain as expected, +# since this macro only allows the specified domain to act upon +# all other domains and types, not vice versa. +# +define(`unconfined_domain', ` + +typeattribute $1 unrestricted; + +# Mount/unmount any filesystem. +allow $1 fs_type:filesystem *; + +# Mount/unmount any filesystem with the context= option. +allow $1 file_type:filesystem *; + +# Create/access any file in a labeled filesystem; +allow $1 file_type:{ file chr_file } ~execmod; +allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; +allow $1 sysctl_t:{ dir file } *; +allow $1 device_type:devfile_class_set *; +allow $1 mtrr_device_t:file *; + +# Create/access other files. fs_type is to pick up various +# pseudo filesystem types that are applied to both the filesystem +# and its files. +allow $1 { unlabeled_t fs_type }:dir_file_class_set *; +allow $1 proc_fs:{ dir file } *; + +# For /proc/pid +r_dir_file($1,domain) +# Write access is for setting attributes under /proc/self/attr. +allow $1 self:file rw_file_perms; + +# Read and write sysctls. +can_sysctl($1) + +# Access the network. 
+allow $1 node_type:node *; +allow $1 netif_type:netif *; +allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; + +# Bind to any network address. +allow $1 port_type:{ tcp_socket udp_socket } name_bind; +allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; + +# Use/sendto/connectto sockets created by any domain. +allow $1 domain:{ socket_class_set socket key_socket } *; + +# Use descriptors and pipes created by any domain. +allow $1 domain:fd use; +allow $1 domain:fifo_file rw_file_perms; + +# Act upon any other process. +allow $1 domain:process ~{ transition dyntransition execmem }; +# Transition to myself, to make get_ordered_context_list happy. +allow $1 self:process transition; + +if (allow_execmem) { +# Allow loading DSOs that require executable stack. +allow $1 self:process execmem; +} + +if (allow_execmod) { +# Allow text relocations on system shared libraries, e.g. libGL. +allow $1 texrel_shlib_t:file execmod; +} + +# Create/access any System V IPC objects. +allow $1 domain:{ sem msgq shm } *; +allow $1 domain:msg { send receive }; + +# Access the security API. +allow $1 security_t:security *; +auditallow $1 security_t:security { load_policy setenforce setbool }; + +# Perform certain system operations that lacked individual capabilities. +allow $1 kernel_t:system *; + +# Use any Linux capability. +allow $1 self:capability *; + +# Set user information and skip authentication. +allow $1 self:passwd *; + +# Communicate via dbusd. +allow $1 self:dbus *; +ifdef(`dbusd.te', ` +allow $1 system_dbusd_t:dbus *; +') + +# Get info via nscd. +allow $1 self:nscd *; +ifdef(`nscd.te', ` +allow $1 nscd_t:nscd *; +') + +')dnl end unconfined_domain diff --git a/strict/macros/mini_user_macros.te b/strict/macros/mini_user_macros.te new file mode 100644 index 0000000..9f7d994 --- /dev/null +++ b/strict/macros/mini_user_macros.te 
@@ -0,0 +1,57 @@ +# +# Macros for all user login domains. +# + +# +# mini_user_domain(domain_prefix) +# +# Define derived types and rules for a minimal privs user domain named +# $1_mini_t which is permitted to be in $1_r role and transition to $1_t. +# +undefine(`mini_user_domain') +define(`mini_user_domain',` +# user_t/$1_t is an unprivileged users domain. +type $1_mini_t, domain, user_mini_domain; + +# for ~/.bash_profile and other files that the mini domain should be allowed +# to read (but not write) +type $1_home_mini_t, file_type, sysadmfile; +allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom }; +allow $1_mini_t $1_home_mini_t:file r_file_perms; + +# $1_r is authorized for $1_mini_t for the initial login domain. +role $1_r types $1_mini_t; +uses_shlib($1_mini_t) +pty_slave_label($1_mini, `, userpty_type, mini_pty_type') + +allow $1_mini_t devtty_t:chr_file rw_file_perms; +allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read }; +dontaudit $1_mini_t proc_t:dir { getattr search }; +allow $1_mini_t self:unix_stream_socket create_socket_perms; +allow $1_mini_t self:fifo_file rw_file_perms; +allow $1_mini_t self:process { fork sigchld setpgid }; +dontaudit $1_mini_t var_t:dir search; +allow $1_mini_t { bin_t sbin_t }:dir search; + +dontaudit $1_mini_t device_t:dir { getattr read }; +dontaudit $1_mini_t devpts_t:dir { getattr read }; +dontaudit $1_mini_t proc_t:lnk_file read; + +can_exec($1_mini_t, bin_t) +allow $1_mini_t { home_root_t $1_home_dir_t }:dir search; +dontaudit $1_mini_t home_root_t:dir getattr; +dontaudit $1_mini_t $1_home_dir_t:dir { getattr read }; +dontaudit $1_mini_t $1_home_t:file { append getattr read write }; + +dontaudit $1_mini_t fs_t:filesystem getattr; + +type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t; +# uncomment this if using mini domains for console logins +#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t; + +type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t; 
+type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t; + +domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t) +')dnl end mini_user_domain definition + diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te new file mode 100644 index 0000000..bf6761f --- /dev/null +++ b/strict/macros/network_macros.te 
@@ -0,0 +1,168 @@ +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`base_can_network',` +# +# Allow the domain to create and use $2 sockets. +# Other kinds of sockets must be separately authorized for use. +allow $1 self:$2_socket connected_socket_perms; + +# +# Allow the domain to send or receive using any network interface. +# netif_type is a type attribute for all network interface types. +# +allow $1 netif_type:netif { $2_send rawip_send }; +allow $1 netif_type:netif { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any node. +# node_type is a type attribute for all node types. +# +allow $1 node_type:node { $2_send rawip_send }; +allow $1 node_type:node { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any port. +# port_type is a type attribute for all port types. +# +ifelse($3, `', ` +allow $1 port_type:$2_socket { send_msg recv_msg }; +', ` +allow $1 $3:$2_socket { send_msg recv_msg }; +') + +# XXX Allow binding to any node type. Remove once +# individual rules have been added to all domains that +# bind sockets. +allow $1 node_type:$2_socket node_bind; +# +# Allow access to network files including /etc/resolv.conf +# +allow $1 net_conf_t:file r_file_perms; +')dnl end can_network definition + +################################# +# +# can_network_server_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { listen accept }; +') + +################################# +# +# can_network_client_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. 
+# See net_contexts for security contexts for network entities. +# +define(`can_network_client_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { connect }; +') + +################################# +# +# can_network_tcp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_tcp',` + +can_network_server_tcp($1, `$2') +can_network_client_tcp($1, `$2') + +') + +################################# +# +# can_network_udp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_udp',` +base_can_network($1, udp, `$2') +allow $1 self:udp_socket { connect }; +') + +################################# +# +# can_network_server(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server',` + +can_network_server_tcp($1, `$2') +can_network_udp($1, `$2') + +')dnl end can_network_server definition + + +################################# +# +# can_network_client(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client',` + +can_network_client_tcp($1, `$2') +can_network_udp($1, `$2') + +')dnl end can_network_client definition + +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network',` + +can_network_tcp($1, `$2') +can_network_udp($1, `$2') + +ifdef(`mount.te', ` +# +# Allow the domain to send NFS client requests via the socket +# created by mount. 
+# +allow $1 mount_t:udp_socket rw_socket_perms; +') + +')dnl end can_network definition + +define(`can_resolve',` +ifdef(`use_dns',` +can_network_udp($1, `dns_port_t') +') +') + +define(`can_ldap',` +ifdef(`slapd.te',` +can_network_client_tcp($1, `ldap_port_t') +') +') + diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te new file mode 100644 index 0000000..7e3521a --- /dev/null +++ b/strict/macros/program/apache_macros.te 
@@ -0,0 +1,197 @@ + +define(`apache_domain', ` + +#This type is for webpages +# +type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable; +ifelse($1, sys, ` +typealias httpd_sys_content_t alias httpd_sysadm_content_t; +') + +# This type is used for .htaccess files +# +type httpd_$1_htaccess_t, file_type, sysadmfile; + +# This type is used for executable scripts files +# +type httpd_$1_script_exec_t, file_type, sysadmfile, customizable; + +# Type that CGI scripts run as +type httpd_$1_script_t, domain, privmail, nscd_client_domain; +role system_r types httpd_$1_script_t; +uses_shlib(httpd_$1_script_t) + +if (httpd_enable_cgi) { +domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) +allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; +allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; + +allow httpd_$1_script_t httpd_t:fd use; +allow httpd_$1_script_t httpd_t:process sigchld; + +can_network(httpd_$1_script_t) +allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl }; +allow httpd_$1_script_t usr_t:lnk_file { getattr read }; + +allow httpd_$1_script_t self:process { fork signal_perms }; + +allow httpd_$1_script_t devtty_t:chr_file { getattr read write }; +allow httpd_$1_script_t urandom_device_t:chr_file { getattr read }; +allow httpd_$1_script_t etc_runtime_t:file { getattr read }; +read_locale(httpd_$1_script_t) +allow httpd_$1_script_t fs_t:filesystem getattr; +allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; + +allow httpd_$1_script_t { self proc_t }:file { getattr read }; +allow httpd_$1_script_t { self proc_t }:dir r_dir_perms; +allow httpd_$1_script_t { self proc_t }:lnk_file read; + +allow httpd_$1_script_t device_t:dir { getattr search }; +allow httpd_$1_script_t null_device_t:chr_file rw_file_perms; +} +ifdef(`ypbind.te', ` +if (httpd_enable_cgi && allow_ypbind) { +uncond_can_ypbind(httpd_$1_script_t) +} +') +# The following are 
the only areas that +# scripts can read, read/write, or append to +# +type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable; +type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable; +type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable; +file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) + +ifdef(`slocate.te', ` +ifelse($1, `sys', `', ` +allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; +allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; +')dnl end ifelse +')dnl end slocate.te + +######################################################### +# Permissions for running child processes and scripts +########################################################## +allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search }; + +domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + +allow httpd_$1_script_t httpd_t:fifo_file write; + +allow httpd_$1_script_t self:fifo_file rw_file_perms; + +allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms; + +# for nscd +dontaudit httpd_$1_script_t var_t:dir search; + +########################################################################### +# Allow the script interpreters to run the scripts. 
So +# the perl executable will be able to run a perl script +######################################################################### +can_exec_any(httpd_$1_script_t) +allow httpd_$1_script_t etc_t:file { getattr read }; +dontaudit httpd_$1_script_t selinux_config_t:dir search; + +############################################################################ +# Allow the script process to search the cgi directory, and users directory +############################################################################## +allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr }; +can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +allow httpd_$1_script_t home_root_t:dir { getattr search }; +allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; + +############################################################################# +# Allow the scripts to read, read/write, append to the specified directories +# or files +############################################################################ +r_dir_file(httpd_$1_script_t, fonts_t) +r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t) +create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t) +ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t) + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +ifelse($1, sys, ` +domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) +domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) +create_dir_file(httpd_t, httpdcontent) +can_exec(httpd_t, httpdcontent ) +', ` +can_exec(httpd_$1_script_t, httpdcontent ) +domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) +') +create_dir_file(httpd_$1_script_t, httpdcontent) +} + +ifelse($1, sys, ` +# +# If a user starts a script by hand it gets the proper context +# +if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! 
httpd_disable_trans')) { +domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t) +} +role sysadm_r types httpd_$1_script_t; +', ` + +if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +# If a user starts a script by hand it gets the proper context +domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t) +} +role $1_r types httpd_$1_script_t; + +####################################### +# Allow user to create or edit web content +######################################### + +create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t }) +create_dir_file($1_crond_t, httpd_$1_content_t) +allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom }; +ifdef(`mozilla.te', ` +r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t }) +') + +###################################################################### +# Allow the user to create htaccess files +##################################################################### + +allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom }; + +######################################################################### +# Allow user to create files or directories +# that scripts are able to read, write, or append to +########################################################################### + +create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }) +allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom }; + +# allow accessing files/dirs below the users home dir +if (httpd_enable_homedirs) { +allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search }; +ifdef(`nfs_home_dirs', ` +r_dir_file(httpd_$1_script_t, nfs_t) +')dnl end if nfs_home_dirs +} +')dnl end ifelse sys + +dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; +dontaudit httpd_$1_script_t sysctl_t:dir 
search; + +################################################################ +# Allow the web server to run scripts and serve pages +############################################################## +r_dir_file(httpd_t, httpd_$1_content_t) + +allow httpd_t httpd_$1_htaccess_t: file r_file_perms; + +r_dir_file(httpd_t, httpd_$1_script_rw_t) + +############################################ +# Allow scripts to append to http logs +######################################### +allow httpd_$1_script_t httpd_log_t:file { getattr append }; + +# apache should set close-on-exec +dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + +') diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te new file mode 100644 index 0000000..6af7ddc --- /dev/null +++ b/strict/macros/program/cdrecord_macros.te 
@@ -0,0 +1,54 @@ +# macros for the cdrecord domain +# Author: Thomas Bleher + +define(`cdrecord_domain', ` +type $1_cdrecord_t, domain, privlog; + +domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t) + +# The user role is authorized for this domain. +role $1_r types $1_cdrecord_t; + +uses_shlib($1_cdrecord_t) +read_locale($1_cdrecord_t) + +# allow ps to show cdrecord and allow the user to kill it +can_ps($1_t, $1_cdrecord_t) +allow $1_t $1_cdrecord_t:process signal; + +# write to the user domain tty. +access_terminal($1_cdrecord_t, $1) +allow $1_cdrecord_t privfd:fd use; + +allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl }; + +allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms; +allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms; + +can_resmgrd_connect($1_cdrecord_t) + +allow $1_cdrecord_t { tmp_t home_root_t }:dir search; + +# allow cdrecord to read user files +r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t }) +if (use_nfs_home_dirs) { +r_dir_file($1_cdrecord_t, nfs_t) +} +if (use_samba_home_dirs) { +r_dir_file($1_cdrecord_t, cifs_t) +} +allow $1_cdrecord_t etc_t:file { getattr read }; + +# allow searching for cdrom-drive +allow $1_cdrecord_t device_t:dir { getattr search }; +allow $1_cdrecord_t device_t:lnk_file { getattr read }; + +# allow cdrecord to write the CD +allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl }; +allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl }; + +allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid }; +allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill }; + +') + diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te new file mode 100644 index 0000000..806a9cd --- /dev/null +++ b/strict/macros/program/chkpwd_macros.te 
@@ -0,0 +1,79 @@ +# +# Macros for chkpwd domains. +# + +# +# chkpwd_domain(domain_prefix) +# +# Define a derived domain for the *_chkpwd program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/su.te. +# +undefine(`chkpwd_domain') +ifdef(`chkpwd.te', ` +define(`chkpwd_domain',` +# Derived domain based on the calling user domain and the program. +type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth; + +# is_selinux_enabled +allow $1_chkpwd_t proc_t:file read; +can_getcon($1_chkpwd_t) +can_ypbind($1_chkpwd_t) +can_kerberos($1_chkpwd_t) +can_ldap($1_chkpwd_t) +can_resolve($1_chkpwd_t) +# Transition from the user domain to this domain. +ifelse($1, system, ` +domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) +role system_r types system_chkpwd_t; +dontaudit auth_chkpwd shadow_t:file { getattr read }; +allow auth_chkpwd sbin_t:dir search; +dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; +can_ypbind(auth_chkpwd) +can_kerberos(auth_chkpwd) +can_ldap(auth_chkpwd) +can_resolve(auth_chkpwd) +', ` +domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) +allow $1_t sbin_t:dir search; + +# The user role is authorized for this domain. +role $1_r types $1_chkpwd_t; + +# Write to the user domain tty. +access_terminal($1_chkpwd_t, $1) + +allow $1_chkpwd_t privfd:fd use; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. +ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;') +') + +uses_shlib($1_chkpwd_t) +allow $1_chkpwd_t etc_t:file { getattr read }; +allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms; +allow $1_chkpwd_t self:unix_stream_socket create_socket_perms; +read_locale($1_chkpwd_t) + +# Use capabilities. 
+allow $1_chkpwd_t self:capability setuid; +r_dir_file($1_chkpwd_t, selinux_config_t) + +# for nscd +ifdef(`nscd.te', `', ` +dontaudit $1_chkpwd_t var_t:dir search; +') + +dontaudit $1_chkpwd_t fs_t:filesystem getattr; +') + +', ` + +define(`chkpwd_domain',`') + +') diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te new file mode 100644 index 0000000..d06e6f1 --- /dev/null +++ b/strict/macros/program/chroot_macros.te 
@@ -0,0 +1,130 @@ + +# macro for chroot environments +# Author Russell Coker + +# chroot(initial_domain, basename, role, tty_device_type) +define(`chroot', ` + +ifelse(`$1', `initrc', ` +define(`chroot_role', `system_r') +define(`chroot_tty_device', `{ console_device_t admin_tty_type }') +define(`chroot_mount_domain', `mount_t') +define(`chroot_fd_use', `{ privfd init_t }') +', ` +define(`chroot_role', `$1_r') +define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }') +define(`chroot_fd_use', `privfd') + +# allow mounting /proc and /dev +ifdef(`$1_mount_def', `', ` +mount_domain($1, $1_mount) +role chroot_role types $1_mount_t; +') +define(`chroot_mount_domain', `$1_mount_t') +ifdef(`ssh.te', ` +can_tcp_connect($1_ssh_t, $2_t) +')dnl end ssh +')dnl end ifelse initrc + +# types for read-only and read-write files in the chroot +type $2_ro_t, file_type, sysadmfile, home_type, user_home_type; +type $2_rw_t, file_type, sysadmfile, home_type, user_home_type; +# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t +# when you execute it +type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type; + +allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton }; +allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton }; + +# entry point for $2_super_t +type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type; +# $2_t is the base domain, has full access to $2_rw_t files +type $2_t, domain; +# $2_super_t is the super-chroot domain, can also write to $2_ro_t +# but still can not access outside the chroot +type $2_super_t, domain; +allow $2_super_t chroot_tty_device:chr_file rw_file_perms; + +ifdef(`$1_chroot_def', `', ` +dnl can not have this defined twice +define(`$1_chroot_def') + +allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount }; + +# $1_chroot_t is the domain for /usr/sbin/chroot +type $1_chroot_t, domain; + +# allow $1_chroot_t to write to the tty device +allow 
$1_chroot_t chroot_tty_device:chr_file rw_file_perms; +allow $1_chroot_t chroot_fd_use:fd use; +allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use; + +role chroot_role types $1_chroot_t; +uses_shlib($1_chroot_t) +allow $1_chroot_t self:capability sys_chroot; +allow $1_t $1_chroot_t:dir { search getattr read }; +allow $1_t $1_chroot_t:{ file lnk_file } { read getattr }; +domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t) +allow $1_chroot_t fs_t:filesystem getattr; +')dnl End conditional + +role chroot_role types { $2_t $2_super_t }; + +# allow ps to show processes and allow killing them +allow $1_t { $2_super_t $2_t }:dir { search getattr read }; +allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr }; +allow $1_t { $2_super_t $2_t }:process signal_perms; +allow $2_super_t $2_t:dir { search getattr read }; +allow $2_super_t $2_t:{ file lnk_file } { read getattr }; +allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace }; +allow $1_t $2_super_t:process { signal_perms ptrace }; +allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace }; + +allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr; +allow { $2_super_t $2_t } device_t:dir { search getattr }; +allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms; +allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms; +allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config }; +allow $2_super_t self:capability sys_ptrace; + +can_tcp_connect($2_super_t, $2_t) +allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms; + +# quiet ps and killall +dontaudit { $2_super_t $2_t } domain:dir { search getattr }; + +# allow $2_t to write to the owner tty device (should remove this) +allow $2_t chroot_tty_device:chr_file { read write }; + +r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($2_super_t, { $2_ro_t $2_super_entry_t 
}) +create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +# $2_super_t transitions to $2_t when it executes +# any file that $2_t can write +domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t) +allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read; +r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t }) +create_dir_notdevfile($2_t, $2_rw_t) +allow $2_t $2_rw_t:fifo_file create_file_perms; +allow $2_t $2_ro_t:fifo_file rw_file_perms; +allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms; +create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }) +can_exec($1_t, { $2_ro_t $2_dropdown_t }) +domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t) +domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t) +allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto }; +general_proc_read_access({ $2_t $2_super_t }) +general_domain_access({ $2_t $2_super_t }) +can_create_pty($2) +can_create_pty($2_super) +can_network({ $2_t $2_super_t }) +allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms; +allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton; +allow { $2_t $2_super_t } self:capability { dac_override kill }; + +undefine(`chroot_role') +undefine(`chroot_tty_device') +undefine(`chroot_mount_domain') +undefine(`chroot_fd_use') +') diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te new file mode 100644 index 0000000..e5a4a37 --- /dev/null +++ b/strict/macros/program/clamav_macros.te 
@@ -0,0 +1,57 @@ +# +# Macros for clamscan +# +# Author: Brian May +# + +# +# can_clamd_connect(domain_prefix) +# +# Define a domain that can access clamd +# +define(`can_clamd_connect',` +allow $1_t clamd_var_run_t:dir search; +allow $1_t clamd_var_run_t:sock_file write; +can_unix_connect($1_t, clamd_t) +') + +# clamscan_domain(domain_prefix) +# +# Define a derived domain for the clamscan program when executed +# +define(`clamscan_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_clamscan_t, domain, privlog; + +# Uses shared librarys +uses_shlib($1_clamscan_t) +allow $1_clamscan_t fs_t:filesystem getattr; +r_dir_file($1_clamscan_t, etc_t) +read_locale($1_clamscan_t) + +# Access virus signatures +allow $1_clamscan_t var_lib_t:dir search; +r_dir_file($1_clamscan_t, clamav_var_lib_t) + +# Allow temp files +tmp_domain($1_clamscan) + +# Why is this required? +allow $1_clamscan_t proc_t:dir r_dir_perms; +allow $1_clamscan_t proc_t:file r_file_perms; +read_sysctl($1_clamscan_t) +allow $1_clamscan_t self:unix_stream_socket { connect create read write }; +') + +define(`user_clamscan_domain',` +clamscan_domain($1) +role $1_r types $1_clamscan_t; +domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t) +access_terminal($1_clamscan_t, $1) +r_dir_file($1_clamscan_t,$1_home_t); +r_dir_file($1_clamscan_t,$1_home_dir_t); +allow $1_clamscan_t $1_home_t:file r_file_perms; +allow $1_clamscan_t privfd:fd use; +ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;') +') + diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te new file mode 100644 index 0000000..8cd7deb --- /dev/null +++ b/strict/macros/program/crond_macros.te 
@@ -0,0 +1,125 @@ +# +# Macros for crond domains. +# + +# +# Authors: Jonathan Crowley (MITRE) , +# Stephen Smalley and Timothy Fraser +# Russell Coker +# + +# +# crond_domain(domain_prefix) +# +# Define a derived domain for cron jobs executed by crond on behalf +# of a user domain. These domains are separate from the top-level domain +# defined for the crond daemon and the domain defined for system cron jobs, +# which are specified in domains/program/crond.te. +# +undefine(`crond_domain') +define(`crond_domain',` +# Derived domain for user cron jobs, user user_crond_domain if not system +ifelse(`system', `$1', ` +type $1_crond_t, domain, privlog, privmail, nscd_client_domain; +', ` +type $1_crond_t, domain, user_crond_domain; + +# Access user files and dirs. +allow $1_crond_t home_root_t:dir search; +file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t) + +# Run scripts in user home directory and access shared libs. +can_exec($1_crond_t, $1_home_t) + +file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t) +') +r_dir_file($1_crond_t, selinux_config_t) + +# Type of user crontabs once moved to cron spool. +type $1_cron_spool_t, file_type, sysadmfile; + +ifdef(`fcron.te', ` +allow crond_t $1_cron_spool_t:file create_file_perms; +') + +allow $1_crond_t urandom_device_t:chr_file { getattr read }; + +allow $1_crond_t usr_t:file { getattr ioctl read }; +allow $1_crond_t usr_t:lnk_file read; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via execve_secure. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. 
+domain_trans(crond_t, shell_exec_t, $1_crond_t) + +ifdef(`mta.te', ` +domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) +allow $1_crond_t sendmail_exec_t:lnk_file { getattr read }; + +# $1_mail_t should only be reading from the cron fifo not needing to write +dontaudit $1_mail_t crond_t:fifo_file write; +allow mta_user_agent $1_crond_t:fd use; +') + +# The user role is authorized for this domain. +role $1_r types $1_crond_t; + +# This domain is granted permissions common to most domains. +can_network($1_crond_t) +can_ypbind($1_crond_t) +r_dir_file($1_crond_t, self) +allow $1_crond_t self:fifo_file rw_file_perms; +allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; +allow $1_crond_t self:unix_dgram_socket create_socket_perms; +allow $1_crond_t etc_runtime_t:file { getattr read }; +allow $1_crond_t self:process { fork signal_perms setsched }; +allow $1_crond_t proc_t:dir r_dir_perms; +allow $1_crond_t proc_t:file { getattr read ioctl }; +read_locale($1_crond_t) +read_sysctl($1_crond_t) +allow $1_crond_t var_spool_t:dir search; +allow $1_crond_t fs_type:filesystem getattr; + +allow $1_crond_t devtty_t:chr_file { read write }; +allow $1_crond_t var_t:dir r_dir_perms; +allow $1_crond_t var_t:file { getattr read ioctl }; +allow $1_crond_t var_log_t:dir search; + +# Use capabilities. +allow $1_crond_t self:capability dac_override; + +# Inherit and use descriptors from initrc - I think this is wrong +#allow $1_crond_t initrc_t:fd use; + +# +# Since crontab files are not directly executed, +# crond must ensure that the crontab file has +# a type that is appropriate for the domain of +# the user cron job. It performs an entrypoint +# permission check for this purpose. +# +allow $1_crond_t $1_cron_spool_t:file entrypoint; + +# Run helper programs. 
+can_exec_any($1_crond_t) + +# ps does not need to access /boot when run from cron +dontaudit $1_crond_t boot_t:dir search; +# quiet other ps operations +dontaudit $1_crond_t domain:dir { getattr search }; +# for nscd +dontaudit $1_crond_t var_run_t:dir search; +') + +# When system_crond_t domain executes a type $1 executable then transition to +# domain $2, allow $2 to interact with crond_t as well. +define(`system_crond_entry', ` +ifdef(`crond.te', ` +domain_auto_trans(system_crond_t, $1, $2) +allow $2 crond_t:fifo_file { getattr read write ioctl }; +# a rule for privfd may make this obsolete +allow $2 crond_t:fd use; +allow $2 crond_t:process sigchld; +')dnl end ifdef +')dnl end system_crond_entry diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te new file mode 100644 index 0000000..352fbe9 --- /dev/null +++ b/strict/macros/program/crontab_macros.te 
@@ -0,0 +1,99 @@ +# +# Macros for crontab domains. +# + +# +# Authors: Jonathan Crowley (MITRE) +# Revised by Stephen Smalley +# + +# +# crontab_domain(domain_prefix) +# +# Define a derived domain for the crontab program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/crontab.te. +# +undefine(`crontab_domain') +define(`crontab_domain',` +# Derived domain based on the calling user domain and the program. +type $1_crontab_t, domain, privlog; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t) + +can_ps($1_t, $1_crontab_t) + +# for ^Z +allow $1_t $1_crontab_t:process signal; + +# The user role is authorized for this domain. +role $1_r types $1_crontab_t; + +uses_shlib($1_crontab_t) +allow $1_crontab_t etc_t:file { getattr read }; +allow $1_crontab_t self:unix_stream_socket create_socket_perms; +allow $1_crontab_t self:unix_dgram_socket create_socket_perms; +read_locale($1_crontab_t) + +# Use capabilities dac_override is to create the file in the directory +# under /tmp +allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override }; +dontaudit $1_crontab_t proc_t:dir search; +dontaudit $1_crontab_t selinux_config_t:dir search; + +# Type for temporary files. +file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file }) + +# Use the type when creating files in /var/spool/cron. 
+allow sysadm_crontab_t $1_cron_spool_t:file { getattr read }; +allow $1_crontab_t { var_t var_spool_t }:dir { getattr search }; +file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file) +allow $1_crontab_t self:process { fork signal_perms }; +ifdef(`fcron.te', ` +# fcron wants an instant update of a crontab change for the administrator +# also crontab does a security check for crontab -u +ifelse(`$1', `sysadm', ` +allow $1_crontab_t crond_t:process signal; +can_setfscreate($1_crontab_t) +', ` +dontaudit $1_crontab_t crond_t:process signal; +')dnl end ifelse +')dnl end ifdef fcron + +# for the checks used by crontab -u +dontaudit $1_crontab_t security_t:dir search; + +# crontab signals crond by updating the mtime on the spooldir +allow $1_crontab_t cron_spool_t:dir setattr; +# Allow crond to read those crontabs in cron spool. +allow crond_t $1_cron_spool_t:file r_file_perms; + +# Run helper programs as $1_t +allow $1_crontab_t { bin_t sbin_t }:dir search; +allow $1_crontab_t bin_t:lnk_file read; +domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) + +# Read user crontabs +allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; +allow $1_crontab_t $1_home_t:file r_file_perms; +dontaudit $1_crontab_t $1_home_dir_t:dir write; + +# Access the cron log file. +allow $1_crontab_t crond_log_t:file r_file_perms; +allow $1_crontab_t crond_log_t:file append; + +# Access terminals. +allow $1_crontab_t device_t:dir search; +access_terminal($1_crontab_t, $1); + +allow $1_crontab_t fs_t:filesystem getattr; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') +allow $1_crontab_t privfd:fd use; + +dontaudit $1_crontab_t var_run_t:dir search; +') diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te new file mode 100644 index 0000000..c11784c --- /dev/null +++ b/strict/macros/program/dbusd_macros.te 
@@ -0,0 +1,88 @@ +# +# Macros for Dbus +# +# Author: Colin Walters + +# dbusd_domain(domain_prefix) +# +# Define a derived domain for the DBus daemon. + +define(`dbusd_domain', ` +ifelse(`system', `$1',` +daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm') +# For backwards compatibility +typealias system_dbusd_t alias dbusd_t; +type etc_dbusd_t, file_type, sysadmfile; +',` +type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr; +role $1_r types $1_dbusd_t; +domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t) +read_locale($1_dbusd_t) +allow $1_t $1_dbusd_t:process { sigkill signal }; +allow $1_dbusd_t self:process { sigkill signal }; +dontaudit $1_dbusd_t var_t:dir { getattr search }; +')dnl end ifelse system + +base_file_read_access($1_dbusd_t) +uses_shlib($1_dbusd_t) +allow $1_dbusd_t etc_t:file { getattr read }; +r_dir_file($1_dbusd_t, etc_dbusd_t) +tmp_domain($1_dbusd) +allow $1_dbusd_t self:process fork; +ifdef(`xdm.te', ` +allow $1_dbusd_t xdm_t:fd use; +allow $1_dbusd_t xdm_t:fifo_file write; +') + +allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; +allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; + +allow $1_dbusd_t urandom_device_t:chr_file { getattr read }; +allow $1_dbusd_t self:file { getattr read }; +allow $1_dbusd_t proc_t:file read; + +ifdef(`pamconsole.te', ` +r_dir_file($1_dbusd_t, pam_var_console_t) +') + +allow $1_dbusd_t self:dbus { send_msg acquire_svc }; + +')dnl end dbusd_domain definition + +# dbusd_client(dbus_type, domain_prefix) +# Example: dbusd_client_domain(system, user) +# +# Define a new derived domain for connecting to dbus_type +# from domain_prefix_t. 
+undefine(`dbusd_client') +define(`dbusd_client',` + +ifdef(`dbusd.te',` +# Derived type used for connection +type $2_dbusd_$1_t; +type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t; + +# SE-DBus specific permissions +allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; + +# For connecting to the bus +allow $2_t $1_dbusd_t:unix_stream_socket connectto; + +') dnl endif dbusd.te +ifelse(`system', `$1', ` +allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search; +allow { $2_t } system_dbusd_var_run_t:sock_file write; +',`') dnl endif system +') + +# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b) +# Example: can_dbusd_converse(system, hald, updfstab) +# Example: can_dbusd_converse(session, user, user) +define(`can_dbusd_converse',`') +ifdef(`dbusd.te',` +undefine(`can_dbusd_converse') +define(`can_dbusd_converse',` +allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg }; +allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg }; +') dnl endif dbusd.te +') diff --git a/strict/macros/program/fingerd_macros.te b/strict/macros/program/fingerd_macros.te new file mode 100644 index 0000000..fd56ca7 --- /dev/null +++ b/strict/macros/program/fingerd_macros.te @@ -0,0 +1,15 @@ +# +# Macro for fingerd +# +# Author: Russell Coker +# + +# +# fingerd_macro(domain_prefix) +# +# allow fingerd to create a fingerlog file in the user home dir +# +define(`fingerd_macro', ` +type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type; +file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) +') diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te new file mode 100644 index 0000000..9816896 --- /dev/null +++ b/strict/macros/program/games_domain.te 
@@ -0,0 +1,58 @@ +#DESC games +# +# Macros for games +# +# +# Authors: Dan Walsh +# +# +# games_domain(domain_prefix) +# +# +define(`games_domain', ` +x_client_domain($1, `games', `, transitionbool') + +allow $1_games_t var_t:dir { search getattr }; +rw_dir_create_file($1_games_t, games_data_t) +allow $1_games_t sound_device_t:chr_file rw_file_perms; +r_dir_file($1_games_t, usr_t) +can_udp_send($1_games_t, $1_games_t) +can_tcp_connect($1_games_t, $1_games_t) + +# Access /home/user/.gnome2 +create_dir_file($1_games_t, $1_home_t) +allow $1_games_t $1_home_dir_t:dir search; +allow $1_games_t $1_home_t:dir { read getattr }; + +create_dir_file($1_games_t, $1_tmp_t) +allow $1_games_t $1_tmp_t:sock_file create_file_perms; + +dontaudit $1_games_t sysctl_t:dir search; + +tmp_domain($1_games) +allow $1_games_t urandom_device_t:chr_file { getattr ioctl read }; +ifdef(`xdm.te', ` +allow $1_games_t xdm_tmp_t:dir rw_dir_perms; +allow $1_games_t xdm_tmp_t:sock_file create_file_perms; +allow $1_games_t xdm_var_lib_t:file { getattr read }; +')dnl end if xdm.te + +can_unix_connect($1_t, $1_games_t) +can_unix_connect($1_games_t, $1_t) + +allow $1_games_t var_lib_t:dir search; +r_dir_file($1_games_t, man_t) +allow $1_games_t proc_t:file { read getattr }; +ifdef(`mozilla.te', ` +dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; +') +allow $1_games_t event_device_t:chr_file getattr; +allow $1_games_t mouse_device_t:chr_file getattr; +allow $1_games_t self:file { getattr read }; + +# kpat spews errors +dontaudit $1_games_t bin_t:dir getattr; +dontaudit $1_games_t var_run_t:dir search; + +')dnl end macro definition + diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te new file mode 100644 index 0000000..3589c05 --- /dev/null +++ b/strict/macros/program/gift_macros.te 
@@ -0,0 +1,113 @@ +# +# Macros for giFT +# +# Author: Ivan Gyurdiev +# +# gift_domains(domain_prefix) +# declares a domain for giftui and giftd + +######################### +# gift_domain(user) # +######################### + +define(`gift_domain', ` + +# Connect to X +x_client_domain($1, gift, `') + +# Transition +domain_auto_trans($1_t, gift_exec_t, $1_gift_t) +can_exec($1_gift_t, gift_exec_t) +role $1_r types $1_gift_t; + +# Self permissions +allow $1_gift_t self:process getsched; + +# Home files +home_domain($1, gift) + +# Fonts, icons +r_dir_file($1_gift_t, usr_t) +r_dir_file($1_gift_t, fonts_t) + +# Launch gift daemon +allow $1_gift_t self:process fork; +domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t) + +# Connect to gift daemon +can_network($1_gift_t) + +# Read /proc/meminfo +allow $1_gift_t proc_t:dir search; +allow $1_gift_t proc_t:file { getattr read }; + +# Tmp/ORBit +tmp_domain($1_gift) +file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t) +can_unix_connect($1_t, $1_gift_t) +can_unix_connect($1_gift_t, $1_t) +allow $1_t $1_gift_tmp_t:sock_file write; +allow $1_gift_t $1_tmp_t:file { getattr read write lock }; +allow $1_gift_t $1_tmp_t:sock_file { read write }; +dontaudit $1_gift_t $1_tmp_t:dir setattr; + +# Access random device +allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl }; + +# giftui looks in .icons, .themes, .fonts-cache. 
+dontaudit $1_gift_t $1_home_t:dir { getattr read search }; +dontaudit $1_gift_t $1_home_t:file { getattr read }; + +') dnl gift_domain + +########################## +# giftd_domain(user) # +########################## + +define(`giftd_domain', ` + +type $1_giftd_t, domain; + +# Transition from user type +domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t) +role $1_r types $1_giftd_t; + +# Self permissions, allow fork +allow $1_giftd_t self:process { fork signal sigchld setsched }; +allow $1_giftd_t self:unix_stream_socket create_socket_perms; + +read_sysctl($1_giftd_t) +read_locale($1_giftd_t) +uses_shlib($1_giftd_t) + +# Access home domain +home_domain_access($1_giftd_t, $1, gift) + +# Allow networking +allow $1_giftd_t port_t:tcp_socket name_bind; +allow $1_giftd_t port_t:udp_socket name_bind; +can_network_server($1_giftd_t) +can_network_client($1_giftd_t) + +# FIXME: ??? +dontaudit $1_giftd_t self:udp_socket listen; + +# Plugins +r_dir_file($1_giftd_t, usr_t) + +# Connect to xdm +ifdef(`xdm.te', ` +allow $1_giftd_t xdm_t:fd use; +allow $1_giftd_t xdm_t:fifo_file write; +') + +') dnl giftd_domain + +########################## +# gift_domains(user) # +########################## + +define(`gift_domains', ` +gift_domain($1) +giftd_domain($1) +') dnl gift_domains diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te new file mode 100644 index 0000000..21a8768 --- /dev/null +++ b/strict/macros/program/gpg_agent_macros.te 
@@ -0,0 +1,127 @@ +# +# Macros for gpg agent +# +# Author: Thomas Bleher +# +# +# gpg_agent_domain(domain_prefix) +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gpg-agent.te. +# +define(`gpg_agent_domain',` +# Define a derived domain for the gpg-agent program when executed +# by a user domain. +# Derived domain based on the calling user domain and the program. +type $1_gpg_agent_t, domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + +# The user role is authorized for this domain. +role $1_r types $1_gpg_agent_t; + +allow $1_gpg_agent_t privfd:fd use; +allow $1_gpg_agent_t xdm_t:fd use; + +# Write to the user domain tty. +access_terminal($1_gpg_agent_t, $1) + +# Allow the user shell to signal the gpg-agent program. +allow $1_t $1_gpg_agent_t:process { signal sigkill }; +# allow ps to show gpg-agent +can_ps($1_t, $1_gpg_agent_t) + +uses_shlib($1_gpg_agent_t) +read_locale($1_gpg_agent_t) + +# rlimit: gpg-agent wants to prevent coredumps +allow $1_gpg_agent_t self:process { setrlimit fork sigchld }; + +allow $1_gpg_agent_t { self proc_t }:dir search; +allow $1_gpg_agent_t { self proc_t }:lnk_file read; + +allow $1_gpg_agent_t device_t:dir { getattr read }; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; +create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) +if (use_nfs_home_dirs) { +create_dir_file($1_gpg_agent_t, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1_gpg_agent_t, cifs_t) +} + +allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms; +allow $1_gpg_agent_t self:fifo_file { getattr read write }; + +# create /tmp files +tmp_domain($1_gpg_agent, `', `{ file dir sock_file }') + +# gpg connect +allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; +allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; 
+can_unix_connect($1_gpg_t, $1_gpg_agent_t) + +# policy for pinentry +# =================== +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +# Please note that I didnt use the x_client_domain-macro as it gives too +# much permissions +type $1_gpg_pinentry_t, domain; +role $1_r types $1_gpg_pinentry_t; + +allow $1_gpg_agent_t bin_t:dir search; +domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) + +uses_shlib($1_gpg_pinentry_t) +read_locale($1_gpg_pinentry_t) + +allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; +allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; + +ifdef(`xdm.te', ` +allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; +allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; +can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) +allow $1_gpg_pinentry_t xdm_t:fd use; +')dnl end ig xdm.te + +r_dir_file($1_gpg_pinentry_t, fonts_t) +# read kde font cache +allow $1_gpg_pinentry_t usr_t:file { getattr read }; + +allow $1_gpg_pinentry_t { proc_t self }:dir search; +allow $1_gpg_pinentry_t { proc_t self }:lnk_file read; +# read /proc/meminfo +allow $1_gpg_pinentry_t proc_t:file read; + +allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; + +# for .Xauthority +allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; +allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; +# wants to put some lock files into the user home dir, seems to work fine without +dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; +dontaudit $1_gpg_pinentry_t $1_home_t:file write; +if (use_nfs_home_dirs) { +allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; +allow $1_gpg_pinentry_t nfs_t:file { getattr read }; +dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; +dontaudit $1_gpg_pinentry_t nfs_t:file write; +} +if (use_samba_home_dirs) { +allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; +allow $1_gpg_pinentry_t 
cifs_t:file { getattr read }; +dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; +dontaudit $1_gpg_pinentry_t cifs_t:file write; +} + +# read /etc/X11/qtrc +allow $1_gpg_pinentry_t etc_t:file { getattr read }; + +dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search }; + +')dnl end if gpg_agent diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te new file mode 100644 index 0000000..124d6e8 --- /dev/null +++ b/strict/macros/program/gpg_macros.te 
@@ -0,0 +1,144 @@ +# +# Macros for gpg and pgp +# +# Author: Russell Coker +# +# based on the work of: +# Stephen Smalley and Timothy Fraser +# + +# +# gpg_domain(domain_prefix) +# +# Define a derived domain for the gpg/pgp program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gpg.te. +# +define(`gpg_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_gpg_t, domain, privlog; +type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t) + +can_network($1_gpg_t) +can_ypbind($1_gpg_t) + +# for a bug in kmail +dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write }; + +# The user role is authorized for this domain. +role $1_r types $1_gpg_t; + +# Legacy +if (allow_gpg_execstack) { +legacy_domain($1_gpg) +allow $1_gpg_t locale_t:file execute; + +# Not quite sure why this is needed... +allow $1_gpg_t gpg_exec_t:file execmod; +} + +allow $1_t $1_gpg_secret_t:file getattr; + +allow $1_gpg_t device_t:dir r_dir_perms; +allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms; + +allow $1_gpg_t etc_t:file r_file_perms; + +allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms; +allow $1_gpg_t self:tcp_socket create_stream_socket_perms; + +access_terminal($1_gpg_t, $1) +ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') + +# Inherit and use descriptors +allow $1_gpg_t { privfd $1_t }:fd use; +allow { $1_t $1_gpg_t } $1_gpg_t:process signal; + +# setrlimit is for ulimit -c 0 +allow $1_gpg_t self:process { setrlimit setcap }; + +# allow ps to show gpg +can_ps($1_t, $1_gpg_t) + +uses_shlib($1_gpg_t) + +# should not need read access... 
+allow $1_gpg_t home_root_t:dir { read search }; + +# use $1_gpg_secret_t for files it creates +# NB we are doing the type transition for directory creation only! +# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as +# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt +# a file and write output to your home directory it will use user_home_t. +file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir) +rw_dir_create_file($1_gpg_t, $1_gpg_secret_t) + +file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file) +create_dir_file($1_gpg_t, $1_home_t) + +# allow the usual access to /tmp +file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) + +if (use_nfs_home_dirs) { +create_dir_file($1_gpg_t, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1_gpg_t, cifs_t) +} + +allow $1_gpg_t self:capability { ipc_lock setuid }; +rw_dir_create_file($1_gpg_t, $1_file_type) + +allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms; +allow $1_gpg_t fs_t:filesystem getattr; +allow $1_gpg_t usr_t:file r_file_perms; +read_locale($1_gpg_t) +allow $1_t $1_gpg_secret_t:dir rw_dir_perms; + +dontaudit $1_gpg_t var_t:dir search; + +ifdef(`gpg-agent.te', `gpg_agent_domain($1)') + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. 
+type $1_gpg_helper_t, domain; +role $1_r types $1_gpg_helper_t; + +domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) +uses_shlib($1_gpg_helper_t) + +# allow gpg to fork so it can call the helpers +allow $1_gpg_t self:process { fork sigchld }; +allow $1_gpg_t self:fifo_file { getattr read write }; + +dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; +if (use_nfs_home_dirs) { +dontaudit $1_gpg_helper_t nfs_t:file { read write }; +} +if (use_samba_home_dirs) { +dontaudit $1_gpg_helper_t cifs_t:file { read write }; +} + +# communicate with the user +allow $1_gpg_helper_t $1_t:fd use; +allow $1_gpg_helper_t $1_t:fifo_file write; +# get keys from the network +can_network_client($1_gpg_helper_t) +allow $1_gpg_helper_t etc_t:file { getattr read }; +allow $1_gpg_helper_t urandom_device_t:chr_file read; +allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +# for nscd +dontaudit $1_gpg_helper_t var_t:dir search; + +ifdef(`xdm.te', ` +dontaudit $1_gpg_t xdm_t:fd use; +dontaudit $1_gpg_t xdm_t:fifo_file read; +') + +')dnl end gpg_domain definition diff --git a/strict/macros/program/gph_macros.te b/strict/macros/program/gph_macros.te new file mode 100644 index 0000000..d784fcc --- /dev/null +++ b/strict/macros/program/gph_macros.te 
@@ -0,0 +1,85 @@ +# +# Macros for gnome-pty-helper domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# gph_domain(domain_prefix, role_prefix) +# +# Define a derived domain for the gnome-pty-helper program when +# executed by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/gnome-pty-helper.te. +# +# The *_gph_t domains are for the gnome_pty_helper program. +# This program is executed by gnome-terminal to handle +# updates to utmp and wtmp. In this regard, it is similar +# to utempter. However, unlike utempter, gnome-pty-helper +# also creates the pty file for the terminal program. +# There is one *_gph_t domain for each user domain. +# +undefine(`gph_domain') +define(`gph_domain',` +# Derived domain based on the calling user domain and the program. +type $1_gph_t, domain, gphdomain, nscd_client_domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, gph_exec_t, $1_gph_t) + +# The user role is authorized for this domain. +role $2_r types $1_gph_t; + +# This domain is granted permissions common to most domains. +uses_shlib($1_gph_t) + +# Use capabilities. +allow $1_gph_t self:capability { chown fsetid setgid setuid }; + +# Update /var/run/utmp and /var/log/wtmp. +allow $1_gph_t { var_t var_run_t }:dir search; +allow $1_gph_t initrc_var_run_t:file rw_file_perms; +allow $1_gph_t wtmp_t:file rw_file_perms; + +# Allow gph to rw to stream sockets of appropriate user type. +# (Need this so gnome-pty-helper can pass pty fd to parent +# gnome-terminal which is running in a user domain.) +allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms; + +allow $1_gph_t self:unix_stream_socket create_stream_socket_perms; + +# Allow user domain to use pty fd from gnome-pty-helper. +allow $1_t $1_gph_t:fd use; + +# Use the network, e.g. for NIS lookups. 
+can_resolve($1_gph_t) +can_ypbind($1_gph_t) + +allow $1_gph_t etc_t:file { getattr read }; + +# Added by David A. Wheeler: +# Allow gnome-pty-helper to update /var/log/lastlog +# (the gnome-pty-helper in Red Hat Linux 7.1 does this): +allow $1_gph_t lastlog_t:file rw_file_perms; +allow $1_gph_t var_log_t:dir search; +allow $1_t $1_gph_t:process signal; + +ifelse($2, `system', ` +# Create ptys for the system +can_create_other_pty($1_gph, initrc) +', ` +# Create ptys for the user domain. +can_create_other_pty($1_gph, $1) + +# Read and write the users tty. +allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms; + +# Allow gnome-pty-helper to write the .xsession-errors file. +allow $1_gph_t home_root_t:dir search; +allow $1_gph_t $1_home_t:dir { search add_name }; +allow $1_gph_t $1_home_t:file { create write }; +')dnl end ifelse system +')dnl end macro diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te new file mode 100644 index 0000000..1cdaa39 --- /dev/null +++ b/strict/macros/program/inetd_macros.te 
@@ -0,0 +1,98 @@ +################################# +# +# Rules for the $1_t domain. +# +# $1_t is a general domain for daemons started +# by inetd that do not have their own individual domains yet. +# $1_exec_t is the type of the corresponding +# programs. +# +define(`inetd_child_domain', ` +type $1_t, domain, privlog, nscd_client_domain; +role system_r types $1_t; + +# +# Allows user to define a tunable to disable domain transition +# +bool $1_disable_trans false; +if ($1_disable_trans) { +can_exec(initrc_t, $1_exec_t) +can_exec(sysadm_t, $1_exec_t) +} else { +domain_auto_trans(inetd_t, $1_exec_t, $1_t) +allow inetd_t $1_t:process sigkill; +} + +can_network_server($1_t) +can_ypbind($1_t) +uses_shlib($1_t) +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_socket_perms; +allow $1_t self:fifo_file rw_file_perms; +type $1_exec_t, file_type, sysadmfile, exec_type; +read_locale($1_t) +allow $1_t device_t:dir search; +allow $1_t proc_t:dir search; +allow $1_t proc_t:{ file lnk_file } { getattr read }; +allow $1_t self:process { fork signal_perms }; +allow $1_t fs_t:filesystem getattr; + +read_sysctl($1_t) + +allow $1_t etc_t:file { getattr read }; + +tmp_domain($1) +allow $1_t var_t:dir search; +var_run_domain($1) + +# Inherit and use descriptors from inetd. +allow $1_t inetd_t:fd use; + +# for identd +allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow $1_t self:capability { setuid setgid }; +allow $1_t home_root_t:dir search; +allow $1_t self:dir search; +allow $1_t self:{ lnk_file file } { getattr read }; +can_kerberos($1_t) +allow $1_t urandom_device_t:chr_file r_file_perms; +type $1_port_t, port_type, reserved_port_type; +# Use sockets inherited from inetd. 
+ifelse($2, `', ` +allow inetd_t $1_port_t:udp_socket name_bind; +allow $1_t inetd_t:udp_socket rw_socket_perms; +allow inetd_t $1_port_t:tcp_socket name_bind; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; +') +ifelse($2, tcp, ` +allow inetd_t $1_port_t:tcp_socket name_bind; +allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; +') +ifelse($2, udp, ` +allow inetd_t $1_port_t:udp_socket name_bind; +allow $1_t inetd_t:udp_socket rw_socket_perms; +') +r_dir_file($1_t, proc_net_t) +') +define(`remote_login_daemon', ` +inetd_child_domain($1) + +# Execute /bin/login on a new PTY +allow $1_t { bin_t sbin_t }:dir search; +domain_auto_trans($1_t, login_exec_t, remote_login_t) +can_create_pty($1, `, server_pty, userpty_type') +allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ; + +# Append to /var/log/wtmp. +allow $1_t var_log_t:dir search; +allow $1_t wtmp_t:file rw_file_perms; +allow $1_t initrc_var_run_t:file rw_file_perms; + +# Allow reading of /etc/issue.net +allow $1_t etc_runtime_t:file r_file_perms; + +# Allow krb5 $1 to use fork and open /dev/tty for use +allow $1_t userpty_type:chr_file setattr; +allow $1_t devtty_t:chr_file rw_file_perms; +dontaudit $1_t selinux_config_t:dir search; +') diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te new file mode 100644 index 0000000..8c9c876 --- /dev/null +++ b/strict/macros/program/irc_macros.te 
@@ -0,0 +1,83 @@ +# +# Macros for irc domains. +# + +# +# Author: Russell Coker +# + +# +# irc_domain(domain_prefix) +# +# Define a derived domain for the irc program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/irc.te. +# +undefine(`irc_domain') +ifdef(`irc.te', ` +define(`irc_domain',` + +# Home domain +home_domain($1, irc) + +# Derived domain based on the calling user domain and the program. +type $1_irc_t, domain; +type $1_irc_exec_t, file_type, sysadmfile, $1_file_type; + +allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms }; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t) + +# The user role is authorized for this domain. +role $1_r types $1_irc_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. +ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;') + +# allow ps to show irc +can_ps($1_t, $1_irc_t) +allow $1_t $1_irc_t:process signal; + +# Use the network. 
+can_network_client($1_irc_t) +can_ypbind($1_irc_t) + +allow $1_irc_t usr_t:file { getattr read }; + +access_terminal($1_irc_t, $1) +uses_shlib($1_irc_t) +allow $1_irc_t etc_t:file { read getattr }; +read_locale($1_irc_t) +allow $1_irc_t fs_t:filesystem getattr; +allow $1_irc_t var_t:dir search; +allow $1_irc_t device_t:dir search; +allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; +allow $1_irc_t privfd:fd use; +allow $1_irc_t proc_t:dir search; +allow $1_irc_t { self proc_t }:lnk_file read; +allow $1_irc_t self:dir search; +dontaudit $1_irc_t var_run_t:dir search; + +# allow utmp access +allow $1_irc_t initrc_var_run_t:file read; +dontaudit $1_irc_t initrc_var_run_t:file lock; + +# access files under /tmp +file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t) + +ifdef(`ircd.te', ` +can_tcp_connect($1_irc_t, ircd_t) +')dnl end ifdef irc.te +')dnl end macro definition + +', ` + +define(`irc_domain',`') + +')dnl end ifdef irc.te diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te new file mode 100644 index 0000000..b7c2be4 --- /dev/null +++ b/strict/macros/program/java_macros.te 
@@ -0,0 +1,113 @@ +# +# Authors: Dan Walsh +# +# Macros for javaplugin (java plugin) domains. +# +# +# javaplugin_domain(domain_prefix, user) +# +# Define a derived domain for the javaplugin program when executed by +# a web browser. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/java.te. +# +define(`javaplugin_domain',` +type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool; + +# The user role is authorized for this domain. +role $2_r types $1_javaplugin_t; +domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) + +allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms; +# Unrestricted inheritance from the caller. +allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh }; +allow $1_javaplugin_t $1_t:process signull; + +can_unix_connect($1_javaplugin_t, $1_t) +allow $1_javaplugin_t $1_t:unix_stream_socket { read write }; + +# This domain is granted permissions common to most domains (including can_net) +can_network_client($1_javaplugin_t) +can_ypbind($1_javaplugin_t) +allow $1_javaplugin_t self:process { fork signal_perms getsched setsched }; +allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow $1_javaplugin_t self:fifo_file rw_file_perms; +allow $1_javaplugin_t etc_runtime_t:file { getattr read }; +allow $1_javaplugin_t fs_t:filesystem getattr; +r_dir_file($1_javaplugin_t, { proc_t proc_net_t }) +allow $1_javaplugin_t self:dir search; +allow $1_javaplugin_t self:lnk_file read; +allow $1_javaplugin_t self:file { getattr read }; + +read_sysctl($1_javaplugin_t) + +tmp_domain($1_javaplugin) +r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t }) + +# Search bin directory under javaplugin for javaplugin executable +allow $1_javaplugin_t bin_t:dir search; +can_exec($1_javaplugin_t, java_exec_t) + +# Allow connections to X server. 
+ifdef(`xserver.te', ` + +ifdef(`xdm.te', ` +# for when /tmp/.X11-unix is created by the system +allow $1_javaplugin_t xdm_xserver_tmp_t:dir search; +allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms; +allow $1_javaplugin_t xdm_tmp_t:dir search; +allow $1_javaplugin_t xdm_tmp_t:sock_file write; +') + +ifdef(`startx.te', ` +# for when /tmp/.X11-unix is created by the X server +allow $1_javaplugin_t $2_xserver_tmp_t:dir search; + +# for /tmp/.X0-lock +allow $1_javaplugin_t $2_xserver_tmp_t:file getattr; + +allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms; +can_unix_connect($1_javaplugin_t, $2_xserver_t) +')dnl end startx + +can_unix_connect($1_javaplugin_t, xdm_xserver_t) +allow xdm_xserver_t $1_javaplugin_t:fd use; +allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read }; +dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write }; + +')dnl end xserver + +allow $1_javaplugin_t self:shm create_shm_perms; + +uses_shlib($1_javaplugin_t) +read_locale($1_javaplugin_t) +rw_dir_file($1_javaplugin_t, $1_home_t) + +if (allow_java_execstack) { +legacy_domain($1_javaplugin) +allow $1_javaplugin_t lib_t:file execute; +allow $1_javaplugin_t locale_t:file execute; +allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; +allow $1_javaplugin_t fonts_t:file execute; +allow $1_javaplugin_t sound_device_t:chr_file execute; +} + +allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms; + +allow $1_javaplugin_t home_root_t:dir { getattr search }; +file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t) +allow $1_javaplugin_t $2_xauth_home_t:file { getattr read }; +allow $1_javaplugin_t $2_tmp_t:sock_file write; +allow $1_javaplugin_t $2_t:fd use; + +allow $1_javaplugin_t var_t:dir getattr; +allow $1_javaplugin_t var_lib_t:dir { getattr search }; + +dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write }; +dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write }; +dontaudit $1_javaplugin_t 
devtty_t:chr_file { read write }; +dontaudit $1_javaplugin_t tmpfs_t:file { execute read write }; +dontaudit $1_javaplugin_t $1_home_t:file { execute setattr }; + +') diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te new file mode 100644 index 0000000..0be8bee --- /dev/null +++ b/strict/macros/program/kerberos_macros.te @@ -0,0 +1,10 @@ +define(`can_kerberos',` +ifdef(`kerberos.te',` +if (allow_kerberos) { +can_network_client($1, `kerberos_port_t') +can_resolve($1) +} +') dnl kerberos.te +dontaudit $1 krb5_conf_t:file write; +allow $1 krb5_conf_t:file { getattr read }; +') diff --git a/strict/macros/program/lockdev_macros.te b/strict/macros/program/lockdev_macros.te new file mode 100644 index 0000000..28f7c01 --- /dev/null +++ b/strict/macros/program/lockdev_macros.te 
@@ -0,0 +1,46 @@ +# +# Macros for lockdev domains. +# + +# +# Authors: Daniel Walsh +# + +# +# lockdev_domain(domain_prefix) +# +# Define a derived domain for the lockdev programs when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/lockdev.te. +# +undefine(`lockdev_domain') +define(`lockdev_domain',` +# Derived domain based on the calling user domain and the program +type $1_lockdev_t, domain, privlog; +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t) + +# The user role is authorized for this domain. +role $1_r types $1_lockdev_t; +# Use capabilities. +allow $1_lockdev_t self:capability setgid; +allow $1_lockdev_t $1_t:process signull; + +allow $1_lockdev_t var_t:dir search; + +lock_domain($1_lockdev) + +r_dir_file($1_lockdev_t, lockfile) + +allow $1_lockdev_t device_t:dir search; +allow $1_lockdev_t null_device_t:chr_file rw_file_perms; +access_terminal($1_lockdev_t, $1) +dontaudit $1_lockdev_t root_t:dir search; + +uses_shlib($1_lockdev_t) +allow $1_lockdev_t fs_t:filesystem getattr; + +')dnl end macro definition + diff --git a/strict/macros/program/login_macros.te b/strict/macros/program/login_macros.te new file mode 100644 index 0000000..0d0993c --- /dev/null +++ b/strict/macros/program/login_macros.te @@ -0,0 +1,11 @@ +# Macros for login type programs (/bin/login, sshd, etc). +# +# Author: Russell Coker +# + +define(`login_spawn_domain', ` +domain_trans($1_t, shell_exec_t, $2) + +# Signal the user domains. +allow $1_t $2:process signal; +') diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te new file mode 100644 index 0000000..beb6ca2 --- /dev/null +++ b/strict/macros/program/lpr_macros.te 
@@ -0,0 +1,134 @@ +# +# Macros for lpr domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# lpr_domain(domain_prefix) +# +# Define a derived domain for the lpr/lpq/lprm programs when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/lpr.te. +# +undefine(`lpr_domain') +define(`lpr_domain',` +# Derived domain based on the calling user domain and the program +type $1_lpr_t, domain, privlog, nscd_client_domain; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t) + +allow $1_t $1_lpr_t:process signull; + +# allow using shared objects, accessing root dir, etc +uses_shlib($1_lpr_t) + +read_locale($1_lpr_t) + +# The user role is authorized for this domain. +role $1_r types $1_lpr_t; + +# This domain is granted permissions common to most domains (including can_net) +can_network_client($1_lpr_t) +can_ypbind($1_lpr_t) + +# Use capabilities. +allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown }; + +allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; + +# for lpd config files (should have a new type) +r_dir_file($1_lpr_t, etc_t) + +# for test print +r_dir_file($1_lpr_t, usr_t) +ifdef(`lpd.te', ` +r_dir_file($1_lpr_t, printconf_t) +') + +tmp_domain($1_lpr) +r_dir_file($1_lpr_t, $1_tmp_t) + +# Type for spool files. +type $1_print_spool_t, file_type, sysadmfile; +# Use this type when creating files in /var/spool/lpd and /var/spool/cups. +file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file) +allow $1_lpr_t var_spool_t:dir search; + +# for /dev/null +allow $1_lpr_t device_t:dir search; + +# Access the terminal. +access_terminal($1_lpr_t, $1) + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;') +allow $1_lpr_t privfd:fd use; + +# Read user files. 
+allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search; +allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms; +allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search; +allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms; + +if (use_nfs_home_dirs) { +r_dir_file($1_lpr_t, nfs_t) +} + +if (use_samba_home_dirs) { +r_dir_file($1_lpr_t, cifs_t) +} + +# Read and write shared files in the spool directory. +allow $1_lpr_t print_spool_t:file rw_file_perms; + +# lpr can run in lightweight mode, without a local print spooler. If the +# lpd policy is present, grant some permissions for this domain and the lpd +# domain to interact. +ifdef(`lpd.te', ` +allow $1_lpr_t { var_t var_run_t }:dir search; +allow $1_lpr_t lpd_var_run_t:dir search; +allow $1_lpr_t lpd_var_run_t:sock_file write; + +# Allow lpd to read, rename, and unlink spool files. +allow lpd_t $1_print_spool_t:file r_file_perms; +allow lpd_t $1_print_spool_t:file link_file_perms; + +# Connect to lpd via a Unix domain socket. +allow $1_lpr_t printer_t:sock_file rw_file_perms; +can_unix_connect($1_lpr_t, lpd_t) +dontaudit $1_lpr_t $1_t:unix_stream_socket { read write }; + +# Connect to lpd via a TCP socket. +can_tcp_connect($1_lpr_t, lpd_t) + +allow $1_lpr_t fs_t:filesystem getattr; +# Send SIGHUP to lpd. +allow $1_lpr_t lpd_t:process signal; + +')dnl end if lpd.te + +ifdef(`xdm.te', ` +allow $1_lpr_t xdm_t:fd use; +allow $1_lpr_t xdm_t:fifo_file write; +') + +ifdef(`cups.te', ` +allow { $1_lpr_t $1_t } cupsd_etc_t:dir search; +allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read }; +can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t) +')dnl end ifdef cups.te + +ifdef(`hide_broken_symptoms', ` +# thunderbird causes these +dontaudit $1_lpr_t $1_t:tcp_socket { read write }; +dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write; +') + +')dnl end macro definition + 
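Review bot: in lpr_domain in lpr_macros.te, the two rules under "# Read user files." are written against sysadm_lpr_t rather than $1_lpr_t ("allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;" and "allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms;"), so every per-user instantiation grants the administrator's print domain read access to that user's home files. That is cross-domain policy hidden inside a per-user macro; if it is intended, put it in a sysadm-specific place with a comment, otherwise drop it and rely on the $1_lpr_t rules that follow. Style: "allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown };" should use self like the rest of the file, and the cups block's "can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)" grants the calling user domain itself a connection to cupsd from within the lpr macro, which deserves a comment explaining why it is not left to the user domain's own policy.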
diff --git a/strict/macros/program/mount_macros.te b/strict/macros/program/mount_macros.te new file mode 100644 index 0000000..0aa0577 --- /dev/null +++ b/strict/macros/program/mount_macros.te 
@@ -0,0 +1,90 @@ +# +# Macros for mount +# +# Author: Brian May +# Extended by Russell Coker +# + +# +# mount_domain(domain_prefix,dst_domain_prefix) +# +# Define a derived domain for the mount program for anyone. +# +define(`mount_domain', ` +# +# Rules for the $2_t domain, used by the $1_t domain. +# +# $2_t is the domain for the mount process. +# +# This macro will not be included by all users and it may be included twice if +# called from other macros, so we need protection for this do not call this +# macro if $2_def is defined +define(`$2_def', `') +# +type $2_t, domain, privlog $3, nscd_client_domain; + +allow $2_t sysfs_t:dir search; + +uses_shlib($2_t) + +role $1_r types $2_t; +# when mount is run by $1 goto $2_t domain +domain_auto_trans($1_t, mount_exec_t, $2_t) + +allow $2_t proc_t:dir search; +allow $2_t proc_t:file { getattr read }; + +# +# Allow mounting of cdrom by user +# +allow $2_t device_type:blk_file getattr; + +tmp_domain($2) + +# Use capabilities. +allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown }; + +allow $2_t self:unix_stream_socket create_socket_perms; + +# Create and modify /etc/mtab. +file_type_auto_trans($2_t, etc_t, etc_runtime_t, file) + +allow $2_t etc_t:file { getattr read }; + +read_locale($2_t) + +allow $2_t home_root_t:dir search; +allow $2_t $1_home_dir_t:dir search; +allow $2_t noexattrfile:filesystem { mount unmount }; +allow $2_t fs_t:filesystem getattr; +allow $2_t removable_t:filesystem { mount unmount }; +allow $2_t mnt_t:dir { mounton search }; +allow $2_t sbin_t:dir search; + +# Access the terminal. 
+access_terminal($2_t, $1) +ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;') +allow $2_t var_t:dir search; +allow $2_t var_run_t:dir search; + +ifdef(`distro_redhat',` +ifdef(`pamconsole.te',` +r_dir_file($2_t,pam_var_console_t) +# mount config by default sets fscontext=removable_t +allow $2_t dosfs_t:filesystem relabelfrom; +') dnl end pamconsole.te +') dnl end distro_redhat +') dnl end mount_domain + +# mount_loopback_privs(domain_prefix,dst_domain_prefix) +# +# Add loopback mounting privileges to a particular derived +# mount domain. +# +define(`mount_loopback_privs',` +type $1_$2_source_t, file_type, sysadmfile, $1_file_type; +allow $1_t $1_$2_source_t:file create_file_perms; +allow $1_t $1_$2_source_t:file { relabelto relabelfrom }; +allow $2_t $1_$2_source_t:file rw_file_perms; +') + diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te new file mode 100644 index 0000000..c53ab4f --- /dev/null +++ b/strict/macros/program/mozilla_macros.te 
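Review bot: mount_domain in mount_macros.te takes a third argument ("type $2_t, domain, privlog $3, nscd_client_domain;") that the header comment "mount_domain(domain_prefix,dst_domain_prefix)" does not document, and the caller has to supply the leading comma; document the parameter and its expected form. The comment says "do not call this macro if $2_def is defined", but the macro only defines $2_def and never tests it, so the double-inclusion protection depends entirely on each caller; wrapping the body in ifdef(`$2_def', `', `...') would make it self-contained. Finally, "allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };" goes to every derived mount domain including the user ones, and together with "noexattrfile:filesystem { mount unmount }" and "removable_t:filesystem { mount unmount }" this is the full mount privilege set; a comment on why sys_rawio and net_bind_service are needed would save the next reviewer from having to guess.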
@@ -0,0 +1,137 @@ +# +# Macros for mozilla/mozilla (or other browser) domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# mozilla_domain(domain_prefix) +# +# Define a derived domain for the mozilla/mozilla program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/mozilla.te. +# +define(`mozilla_domain',` +x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool') + +# Configuration +home_domain($1, mozilla) + +# Allow mozilla to browse files +file_browse_domain($1_mozilla_t) + +allow $1_mozilla_t sound_device_t:chr_file rw_file_perms; + +# Unrestricted inheritance from the caller. +allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh }; +allow $1_mozilla_t $1_t:process signull; + +# Set resource limits and scheduling info. +allow $1_mozilla_t self:process { setrlimit setsched }; + +allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read }; +allow $1_mozilla_t var_lib_t:file { getattr read }; +allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; +allow $1_mozilla_t self:socket create_socket_perms; +allow $1_mozilla_t self:file { getattr read }; + +# for bash +allow $1_mozilla_t device_t:dir r_dir_perms; +allow $1_mozilla_t devpts_t:dir r_dir_perms; +allow $1_mozilla_t proc_t:file { getattr read }; +r_dir_file($1_mozilla_t, proc_net_t) + +allow $1_mozilla_t { var_t var_lib_t }:dir search; + +# interacting with gstreamer +r_dir_file($1_mozilla_t, var_t) + +# Write files to tmp +tmp_domain($1_mozilla) + +# Execute downloaded programs. 
+can_exec($1_mozilla_t, $1_mozilla_tmp_t) + +# Use printer +ifdef(`lpr.te', ` +domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t) + +# Print document +allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms; + +# Suppress history.fop denial +dontaudit $1_lpr_t $1_mozilla_home_t:file { read write }; + +dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write }; +dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write }; +') + +# ORBit sockets +file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t) +can_unix_connect($1_t, $1_mozilla_t) +allow $1_t $1_mozilla_tmp_t:sock_file write; +allow $1_mozilla_t $1_tmp_t:file { read write lock }; +allow $1_mozilla_t $1_tmp_t:sock_file { read write }; +dontaudit $1_mozilla_t $1_tmp_t:dir setattr; + +# Allow mozilla to read user home content +if (mozilla_readhome || mozilla_writehome) { +r_dir_file($1_mozilla_t, $1_home_t) +} else { +dontaudit $1_mozilla_t $1_home_t:dir setattr; +dontaudit $1_mozilla_t $1_home_t:file setattr; +} + +if (mozilla_writehome) { +file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_home_t) +allow $1_mozilla_t $1_home_t:dir setattr; +allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms; +} dnl end if writehome + +allow $1_mozilla_t $1_t:unix_stream_socket connectto; +allow $1_mozilla_t sysctl_net_t:dir search; +allow $1_mozilla_t sysctl_t:dir search; +ifdef(`cups.te', ` +allow $1_mozilla_t cupsd_etc_t:dir search; +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; +') +allow $1_mozilla_t $1_t:tcp_socket { read write }; + +allow $1_mozilla_t mozilla_conf_t:file r_file_perms; +dontaudit $1_mozilla_t port_type:tcp_socket name_bind; +dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms; +# Mozilla tries to delete .fonts.cache-1 +dontaudit $1_mozilla_t $1_home_t:file unlink; +allow $1_mozilla_t self:sem create_sem_perms; + +# Java plugin +ifdef(`java.te', ` +javaplugin_domain($1_mozilla, $1) +') + +# Mplayer plugin +ifdef(`mplayer.te', ` +domain_auto_trans($1_mozilla_t, 
mplayer_exec_t, $1_mplayer_t) + +# Read mozilla content in /tmp +r_dir_file($1_mplayer_t, $1_mozilla_tmp_t); + +# FIXME: why does it need this? +dontaudit $1_mplayer_t $1_mozilla_home_t:file write; +allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; +')dnl end if mplayer.te + +if (allow_execmem) { +allow $1_mozilla_t self:process { execmem }; +} +if (allow_execmod) { +allow $1_mozilla_t texrel_shlib_t:file execmod; +} +dbusd_client(system, $1_mozilla) + +')dnl end mozilla macro + diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te new file mode 100644 index 0000000..323edca --- /dev/null +++ b/strict/macros/program/mplayer_macros.te 
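Review bot: in mozilla_domain in mozilla_macros.te, "can_exec($1_mozilla_t, $1_mozilla_tmp_t)" under "# Execute downloaded programs." lets the browser domain execute anything it has written to its own tmp type, which gives away most of the benefit of confining the browser; this file already gates risky behaviour behind booleans (mozilla_readhome, mozilla_writehome, allow_execmem, allow_execmod), so this rule belongs behind a boolean as well, or at least needs a comment naming the plugin or helper that requires it. Two smaller points: "dbusd_client(system, $1_mozilla)" at the end of the macro is unconditional while every other optional integration in the file is wrapped in an ifdef on the corresponding .te file, and the ORBit block's "file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)" gives no object class, so it applies to every file class rather than only the sockets the "# ORBit sockets" comment describes. The mplayer sub-block ends a macro call with a semicolon ("r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);"), unlike the rest of the file.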
@@ -0,0 +1,125 @@ +# +# Macros for mplayer +# +# Author: Ivan Gyurdiev +# +# mplayer_domains(user) declares domains for mplayer, gmplayer, +# and mencoder + +############################################## +# mplayer_common(user, mplayer domain) # +############################################## + +define(`mplayer_common',` + +# Read global config +r_dir_file($1_$2_t, mplayer_etc_t) + +# Read data in /usr/share (fonts, icons..) +r_dir_file($1_$2_t, usr_t) + +# Read /proc files and directories +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. +allow $1_$2_t proc_t:dir search; +allow $1_$2_t proc_t:file { getattr read }; + +# Sysctl on kernel version +read_sysctl($1_$2_t) + +# Allow ps, shared libs, locale, terminal access +can_ps($1_t, $1_$2_t) +uses_shlib($1_$2_t) +read_locale($1_$2_t) +access_terminal($1_$2_t, $1) + +# Required for win32 binary loader +allow $1_$2_t zero_device_t:chr_file { read write execute }; +if (allow_execmem) { +allow $1_$2_t self:process execmem; +} + +if (allow_execmod) { +allow $1_$2_t zero_device_t:chr_file execmod; +allow $1_$2_t texrel_shlib_t:file execmod; +} + +# Access to DVD/CD/V4L +allow $1_$2_t device_t:dir r_dir_perms; +allow $1_$2_t device_t:lnk_file { getattr read }; +allow $1_$2_t removable_device_t:blk_file { getattr read }; +allow $1_$2_t v4l_device_t:chr_file { getattr read }; + +# Legacy domain issues +if (allow_mplayer_execstack) { +legacy_domain($1_$2) +allow $1_$2_t lib_t:file execute; +allow $1_$2_t locale_t:file execute; +allow $1_$2_t sound_device_t:chr_file execute; +} +') + +############################ +# mplayer_domain(user) # +############################ + +define(`mplayer_domain',` + +# Derive from X client domain +x_client_domain($1, `mplayer', `') + +# Mplayer configuration here +home_domain($1, mplayer) + +# Allow mplayer to browse files +file_browse_domain($1_mplayer_t) + +# Mplayer common stuff +mplayer_common($1, mplayer) + +# Audio +allow $1_mplayer_t sound_device_t:chr_file rw_file_perms; + +# RTC 
clock +allow $1_mplayer_t clock_device_t:chr_file { ioctl read }; + +# Read home directory content +r_dir_file($1_mplayer_t, $1_home_t); + +# Legacy domain issues +if (allow_mplayer_execstack) { +allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute; +} + +') dnl end mplayer_domain + +############################ +# mencoder_domain(user) # +############################ + +define(`mencoder_domain',` + +# FIXME: privhome temporarily removed... +type $1_mencoder_t, domain; + +# Transition +domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t) +can_exec($1_mencoder_t, mencoder_exec_t) +role $1_r types $1_mencoder_t; + +# Read home config +home_domain_access($1_mencoder_t, $1, mplayer) + +# Mplayer common stuff +mplayer_common($1, mencoder) + +') dnl end mencoder_domain + +############################# +# mplayer_domains(user) # +############################# + +define(`mplayer_domains', ` +mplayer_domain($1) +mencoder_domain($1) +') dnl end mplayer_domains + diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te new file mode 100644 index 0000000..6778d6e --- /dev/null +++ b/strict/macros/program/mta_macros.te 
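Review bot: the header of mplayer_macros.te says "mplayer_domains(user) declares domains for mplayer, gmplayer, and mencoder", but the file only defines mplayer_domain and mencoder_domain and mplayer_domains calls just those two; either gmplayer runs in $1_mplayer_t (say so) or the comment is stale. In mplayer_common, "allow $1_$2_t zero_device_t:chr_file { read write execute };" and, under allow_execmod, "allow $1_$2_t zero_device_t:chr_file execmod;" are justified only by "Required for win32 binary loader"; executable mappings of /dev/zero are exactly what allow_execmem and allow_execmod exist to control, so the execute permission should sit under the same booleans rather than be unconditional. In the allow_mplayer_execstack block, "allow $1_$2_t locale_t:file execute;" and "allow $1_$2_t sound_device_t:chr_file execute;" are unusual grants; each needs a comment on why the program maps those objects executable. Neither mplayer_domain nor mencoder_domain is guarded by ifdef(`mplayer.te', ...), unlike the other optional program macros in this series, and "r_dir_file($1_mplayer_t, $1_home_t);" ends with a stray semicolon.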
@@ -0,0 +1,120 @@ +# Macros for MTA domains. +# + +# +# Author: Russell Coker +# Based on the work of: Stephen Smalley +# Timothy Fraser +# + +# +# mail_domain(domain_prefix) +# +# Define a derived domain for the sendmail program when executed by +# a user domain to send outgoing mail. These domains are separate and +# independent of the domain used for the sendmail daemon process. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/mta.te. +# +undefine(`mail_domain') +define(`mail_domain',` +# Derived domain based on the calling user domain and the program. +type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain; + +ifdef(`sendmail.te', ` +sendmail_user_domain($1) +') + +can_exec($1_mail_t, sendmail_exec_t) +allow $1_mail_t sendmail_exec_t:lnk_file { getattr read }; + +# The user role is authorized for this domain. +role $1_r types $1_mail_t; + +uses_shlib($1_mail_t) +can_network_client_tcp($1_mail_t) +can_resolve($1_mail_t) +can_ypbind($1_mail_t) +allow $1_mail_t self:unix_dgram_socket create_socket_perms; +allow $1_mail_t self:unix_stream_socket create_socket_perms; + +read_locale($1_mail_t) +read_sysctl($1_mail_t) +allow $1_mail_t device_t:dir search; +allow $1_mail_t { var_t var_spool_t }:dir search; +allow $1_mail_t self:process { fork signal_perms setrlimit }; +allow $1_mail_t sbin_t:dir search; + +# It wants to check for nscd +dontaudit $1_mail_t var_run_t:dir search; + +# Use capabilities +allow $1_mail_t self:capability { setuid setgid chown }; + +# Execute procmail. +can_exec($1_mail_t, bin_t) +ifdef(`procmail.te',` +can_exec($1_mail_t, procmail_exec_t)') + +ifelse(`$1', `system', ` +# Transition from a system domain to the derived domain. +domain_auto_trans(privmail, sendmail_exec_t, system_mail_t) +allow privmail sendmail_exec_t:lnk_file { getattr read }; + +ifdef(`crond.te', ` +# Read cron temporary files. 
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl }; +allow mta_user_agent system_crond_tmp_t:file { read getattr }; +') +allow system_mail_t initrc_devpts_t:chr_file { read write getattr }; + +', ` +# For when the user wants to send mail via port 25 localhost +can_tcp_connect($1_t, mail_server_domain) + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t) +allow $1_t sendmail_exec_t:lnk_file { getattr read }; + +# Read user temporary files. +allow $1_mail_t $1_tmp_t:file r_file_perms; +dontaudit $1_mail_t $1_tmp_t:file append; +ifdef(`postfix.te', ` +# postfix seems to need write access if the file handle is opened read/write +allow $1_mail_t $1_tmp_t:file write; +')dnl end if postfix + +allow mta_user_agent $1_tmp_t:file { read getattr }; + +# Write to the user domain tty. +access_terminal(mta_user_agent, $1) +access_terminal($1_mail_t, $1) + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') +allow $1_mail_t privfd:fd use; + +# Create dead.letter in user home directories. +file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) + +if (use_samba_home_dirs) { +rw_dir_create_file($1_mail_t, cifs_t) +} + +# if you do not want to allow dead.letter then use the following instead +#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; +#allow $1_mail_t $1_home_t:file r_file_perms; + +# for reading .forward - maybe we need a new type for it? +# also for delivering mail to maildir +file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) +')dnl end if system + +allow $1_mail_t etc_t:file { getattr read }; +ifdef(`qmail.te', ` +allow $1_mail_t qmail_etc_t:dir search; +allow $1_mail_t qmail_etc_t:{ file lnk_file } read; +')dnl end if qmail + +') diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te new file mode 100644 index 0000000..b19e2de --- /dev/null 
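Review bot: in mail_domain in mta_macros.te, "can_exec($1_mail_t, bin_t)" under "# Execute procmail." permits the user's mail domain to run every binary in bin_t, not only procmail, and makes the guarded "can_exec($1_mail_t, procmail_exec_t)" matter only when procmail is labelled differently; if the intent is procmail, keep the procmail_exec_t rule inside the ifdef and drop the bin_t rule, or comment why a wildcard is needed. In the user branch, "file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)" is given no object class, so the delivery agent may create any non-device file class in the user's home directory, more than the ".forward / maildir" comment calls for; pass file (and dir if maildir delivery needs it). The "# It wants to check for nscd" rule "dontaudit $1_mail_t var_run_t:dir search;" is surprising given the domain already carries nscd_client_domain; a sentence on why that attribute is not enough would help.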
+++ b/strict/macros/program/newrole_macros.te 
@@ -0,0 +1,96 @@ +# Authors: Anthony Colatrella (NSA) Stephen Smalley +# Russell Coker + +# This macro defines the rules for a newrole like program, it is used by +# newrole.te and sudo.te, but may be used by other policy at some later time. + +define(`newrole_domain', ` +# Rules for the $1_t domain. +# +# $1_t is the domain for the program. +# $1_exec_t is the type of the executable. +# +type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2; +in_user_role($1_t) +role sysadm_r types $1_t; + +general_domain_access($1_t); + +uses_shlib($1_t) +read_locale($1_t) +read_sysctl($1_t) + +# for when the user types "exec newrole" at the command line +allow $1_t privfd:process sigchld; + +# Inherit descriptors from the current session. +allow $1_t privfd:fd use; + +# Execute /sbin/pwdb_chkpwd to check the password. +allow $1_t sbin_t:dir r_dir_perms; + +# Execute shells +allow $1_t bin_t:dir r_dir_perms; +allow $1_t bin_t:lnk_file read; +allow $1_t shell_exec_t:file r_file_perms; + +allow $1_t urandom_device_t:chr_file { getattr read }; + +# Allow $1_t to transition to user domains. +domain_trans($1_t, shell_exec_t, unpriv_userdomain) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_t, shell_exec_t, sysadm_t) +} + +can_setexec($1_t) + +allow $1_t autofs_t:dir search; + +# Use capabilities. +allow $1_t self:capability { setuid setgid net_bind_service dac_override }; + +# Read the devpts root directory. +allow $1_t devpts_t:dir r_dir_perms; + +# Read the /etc/security/default_type file +r_dir_file($1_t, default_context_t) +r_dir_file($1_t, selinux_config_t) +allow $1_t etc_t:file r_file_perms; + +# Read /var. +allow $1_t var_t:dir r_dir_perms; +allow $1_t var_t:notdevfile_class_set r_file_perms; + +# Read /dev directories and any symbolic links. +allow $1_t device_t:dir r_dir_perms; + +# Relabel terminals. 
+allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. +allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') + +ifdef(`distro_debian', ` +# for /etc/alternatives +allow $1_t etc_t:lnk_file read; +') + +# +# Allow newrole to obtain contexts to relabel TTYs +# +can_getsecurity($1_t) + +allow $1_t fs_t:filesystem getattr; + +# for some PAM modules and for cwd +dontaudit $1_t { home_root_t home_type }:dir search; + +allow $1_t proc_t:dir search; +allow $1_t proc_t:file { getattr read }; + +# for when the network connection is killed +dontaudit unpriv_userdomain $1_t:process signal; +') diff --git a/strict/macros/program/resmgrd_macros.te b/strict/macros/program/resmgrd_macros.te new file mode 100644 index 0000000..ec0ac60 --- /dev/null +++ b/strict/macros/program/resmgrd_macros.te @@ -0,0 +1,11 @@ +# Macro for resmgrd + +define(`can_resmgrd_connect', ` +ifdef(`resmgrd.te', ` +allow $1 resmgrd_t:unix_stream_socket connectto; +allow $1 { var_t var_run_t }:dir search; +allow $1 resmgrd_var_run_t:sock_file write; +allow $1 resmgrd_t:fd use; +') +') + diff --git a/strict/macros/program/rhgb_macros.te b/strict/macros/program/rhgb_macros.te new file mode 100644 index 0000000..9700fba --- /dev/null +++ b/strict/macros/program/rhgb_macros.te @@ -0,0 +1,8 @@ + +define(`rhgb_domain', ` +ifdef(`rhgb.te', ` +allow $1 rhgb_t:process sigchld; +allow $1 rhgb_t:fd use; +allow $1 rhgb_t:fifo_file { read write }; +')dnl end ifdef +') diff --git a/strict/macros/program/rssh_macros.te b/strict/macros/program/rssh_macros.te new file mode 100644 index 0000000..33fbdb5 --- /dev/null +++ b/strict/macros/program/rssh_macros.te 
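Review bot: newrole_domain in newrole_macros.te declares "type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;" with an undocumented second argument that the caller must begin with a comma; the header comment describes only $1, so add the parameter and an example of its use (mount_domain's $3 has the same problem). The capability rule "allow $1_t self:capability { setuid setgid net_bind_service dac_override };" carries only "# Use capabilities."; net_bind_service is not something a role-change helper obviously needs, so name the consumer or drop it. Since this macro is the template for both newrole and sudo, the if(!secure_mode) block that enables "domain_trans($1_t, shell_exec_t, sysadm_t)" is the rule that lets these programs reach the administrator domain; a one-line comment stating that setting secure_mode closes that path would help anyone auditing the boolean later. The "# Read /var." rule "allow $1_t var_t:notdevfile_class_set r_file_perms;" is broader than the comment suggests and should say which files are actually read.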
@@ -0,0 +1,58 @@ +# +# Macros for Rssh domains +# +# Author: Colin Walters +# + +# +# rssh_domain(domain_prefix) +# +# Define a specific rssh domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/rssh.te. +# +undefine(`rssh_domain') +ifdef(`rssh.te', ` +define(`rssh_domain',` +type rssh_$1_t, domain, userdomain, privlog, privfd; +role rssh_$1_r types rssh_$1_t; +allow system_r rssh_$1_r; + +type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type; +type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type; + +general_domain_access(rssh_$1_t); +uses_shlib(rssh_$1_t); +base_file_read_access(rssh_$1_t); +allow rssh_$1_t var_t:dir r_dir_perms; +r_dir_file(rssh_$1_t, etc_t); +allow rssh_$1_t etc_runtime_t:file { getattr read }; +r_dir_file(rssh_$1_t, locale_t); +can_exec(rssh_$1_t, bin_t); + +allow rssh_$1_t proc_t:dir { getattr search }; +allow rssh_$1_t proc_t:lnk_file { getattr read }; + +r_dir_file(rssh_$1_t, rssh_$1_ro_t); +create_dir_file(rssh_$1_t, rssh_$1_rw_t); + +can_create_pty(rssh_$1, `, userpty_type, user_tty_type') +# Use the type when relabeling pty devices. +type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t; + +ifdef(`ssh.te',` +allow rssh_$1_t sshd_t:fd use; +allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms; +allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms; +# For reading /home/user/.ssh +r_dir_file(sshd_t, rssh_$1_ro_t); +domain_trans(sshd_t, rssh_exec_t, rssh_$1_t); +') +') + +', ` + +define(`rssh_domain',`') + +') diff --git a/strict/macros/program/run_program_macros.te b/strict/macros/program/run_program_macros.te new file mode 100644 index 0000000..c98bbee --- /dev/null +++ b/strict/macros/program/run_program_macros.te 
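Review bot: rssh_domain in rssh_macros.te gives the restricted-shell domain "can_exec(rssh_$1_t, bin_t);", which lets it run every program in bin_t; the point of rssh is to limit a user to a handful of file-transfer helpers, so the policy should list the exec types of those helpers (or a dedicated helper type) instead of bin_t. The type also carries userdomain and privfd, and "allow system_r rssh_$1_r;" adds a new role reachable from system_r; each of these widens what an rssh user can do and deserves a comment. The rssh_$1_rw_t / rssh_$1_ro_t split is good; note that "r_dir_file(sshd_t, rssh_$1_ro_t);" only helps with ~/.ssh if the user's keys are labelled rssh_$1_ro_t, which the file contexts should document. Style: most macro calls here end in a semicolon ("uses_shlib(rssh_$1_t);", "base_file_read_access(rssh_$1_t);"), unlike the rest of this series.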
@@ -0,0 +1,73 @@ + +# $1 is the source domain (or domains), $2 is the source role (or roles) and $3 +# is the base name for the domain to run. $1 is normally sysadm_t, and $2 is +# normally sysadm_r. $4 is the type of program to run and $5 is the domain to +# transition to. +# sample usage: +# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t) +# +# if you have several users who run the same run_init type program for +# different purposes (think of a run_db program used by several database +# administrators to start several databases) then you can list all the source +# domains in $1, all the source roles in $2, but you may not want to list all +# types of programs to run in $4 and target domains in $5 (as that may permit +# entering a domain from the wrong type). In such a situation just specify +# one value for each of $4 and $5 and have some rules such as the following: +# domain_trans(run_whatever_t, whatever_exec_t, whatever_t) + +define(`run_program', ` +type run_$3_exec_t, file_type, exec_type, sysadmfile; + +# domain for program to run in, needs to change role (priv_system_role), change +# identity to system_u (privuser), log failures to syslog (privlog) and +# authenticate users +type run_$3_t, domain, priv_system_role, privuser, privlog; +domain_auto_trans($1, run_$3_exec_t, run_$3_t) +role $2 types run_$3_t; + +domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t) +dontaudit run_$3_t shadow_t:file getattr; + +# for utmp +allow run_$3_t initrc_var_run_t:file rw_file_perms; +allow run_$3_t admin_tty_type:chr_file rw_file_perms; + +dontaudit run_$3_t devpts_t:dir { getattr read }; +dontaudit run_$3_t device_t:dir read; + +# for auth_chkpwd +dontaudit run_$3_t shadow_t:file read; +allow run_$3_t self:process { fork sigchld }; +allow run_$3_t self:fifo_file rw_file_perms; +allow run_$3_t self:capability setuid; +allow run_$3_t self:lnk_file read; + +# often the administrator runs such programs from a directory that is owned +# by a different user or 
has restrictive SE permissions, do not want to audit +# the failed access to the current directory +dontaudit run_$3_t file_type:dir search; +dontaudit run_$3_t self:capability { dac_override dac_read_search }; + +allow run_$3_t bin_t:lnk_file read; +can_exec(run_$3_t, { bin_t shell_exec_t }) +ifdef(`chkpwd.te', ` +can_exec(run_$3_t, chkpwd_exec_t) +') + +domain_trans(run_$3_t, $4, $5) +can_setexec(run_$3_t) + +allow run_$3_t privfd:fd use; +uses_shlib(run_$3_t) +allow run_$3_t lib_t:file { getattr read }; +can_getsecurity(run_$3_t) +r_dir_file(run_$3_t,selinux_config_t) +r_dir_file(run_$3_t,default_context_t) +allow run_$3_t self:unix_stream_socket create_socket_perms; +allow run_$3_t self:unix_dgram_socket create_socket_perms; +allow run_$3_t etc_t:file { getattr read }; +read_locale(run_$3_t) +allow run_$3_t fs_t:filesystem getattr; +allow run_$3_t { bin_t sbin_t }:dir search; +dontaudit run_$3_t device_t:dir { getattr search }; +') diff --git a/strict/macros/program/samba_macros.te b/strict/macros/program/samba_macros.te new file mode 100644 index 0000000..d766784 --- /dev/null +++ b/strict/macros/program/samba_macros.te @@ -0,0 +1,30 @@ +# +# Macros for samba domains. +# + +# +# Authors: Dan Walsh +# + +# +# samba_domain(domain_prefix) +# +# Define a derived domain for the samba program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/samba.te. +# +undefine(`samba_domain') +ifdef(`samba.te', ` +define(`samba_domain',` +if ( samba_enable_home_dirs ) { +allow smbd_t home_root_t:dir r_dir_perms; +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t) +dontaudit smbd_t $1_file_type:dir_file_class_set getattr; +} +') +', ` +define(`samba_domain',`') + +')dnl end if samba.te diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te new file mode 100644 index 0000000..ebfc619 --- /dev/null +++ b/strict/macros/program/screen_macros.te 
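Review bot: in run_program in run_program_macros.te, "domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)" is unconditional while the later "can_exec(run_$3_t, chkpwd_exec_t)" is wrapped in ifdef(`chkpwd.te', ...); the two should be guarded the same way, and since the domain also has can_setexec, granting execute_no_trans on the same exec type lets a caller sidestep the sysadm_chkpwd_t transition, so the can_exec needs a justification or should go. Several rules are split or duplicated: "dontaudit run_$3_t shadow_t:file getattr;" and "dontaudit run_$3_t shadow_t:file read;" can be one rule, as can "dontaudit run_$3_t device_t:dir read;" and "dontaudit run_$3_t device_t:dir { getattr search };". "dontaudit run_$3_t file_type:dir search;" silences directory-search denials on every file type, which will hide real misconfigurations in a domain whose job is to start daemons in the right context; the comment explains the cwd case, so consider limiting it to the home and user file types.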
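Review bot: samba_domain in samba_macros.te is expanded once per user domain, but "allow smbd_t home_root_t:dir r_dir_perms;" inside the if ( samba_enable_home_dirs ) block is the same rule on every expansion; move it to samba.te next to the boolean so it appears once. "file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)" is given no object class, so smbd may create every non-device file class in user home directories; file and dir are what home-directory shares need, so pass the class explicitly. The trailing "dontaudit smbd_t $1_file_type:dir_file_class_set getattr;" hides getattr denials on every user file type, which is fine for directory listings but should say so in a comment.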
@@ -0,0 +1,112 @@ +# +# Macros for screen domains. +# + +# +# Author: Russell Coker +# Based on the work of Stephen Smalley +# and Timothy Fraser +# + +# +# screen_domain(domain_prefix) +# +# Define a derived domain for the screen program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/screen.te. +# +undefine(`screen_domain') +ifdef(`screen.te', ` +define(`screen_domain',` +# Derived domain based on the calling user domain and the program. +type $1_screen_t, domain, privlog, privfd; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, screen_exec_t, $1_screen_t) + +tmp_domain($1_screen, `', `{ dir file fifo_file }') +base_file_read_access($1_screen_t) +# The user role is authorized for this domain. +role $1_r types $1_screen_t; + +uses_shlib($1_screen_t) + +# for SSP +allow $1_screen_t urandom_device_t:chr_file read; + +# Revert to the user domain when a shell is executed. +domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t) +domain_auto_trans($1_screen_t, $1_home_t, $1_t) +if (use_nfs_home_dirs) { +domain_auto_trans($1_screen_t, nfs_t, $1_t) +} +if (use_samba_home_dirs) { +domain_auto_trans($1_screen_t, cifs_t, $1_t) +} + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;') + +home_domain_ro($1, screen) + +allow $1_screen_t privfd:fd use; + +# Write to utmp. 
+allow $1_screen_t initrc_var_run_t:file rw_file_perms; +ifdef(`utempter.te', ` +dontaudit $1_screen_t utempter_exec_t:file execute; +') + +# create pty devices +can_create_other_pty($1_screen, $1) +allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms; +allow $1_screen_t device_t:dir { getattr read }; + +allow $1_screen_t fs_t:filesystem getattr; + +# Create fifo +allow $1_screen_t var_t:dir search; +file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) +type $1_screen_var_run_t, file_type, sysadmfile, pidfile; +file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) + +allow $1_screen_t self:process { fork signal_perms }; +allow $1_t $1_screen_t:process signal; +allow $1_screen_t $1_t:process signal; +allow $1_screen_t self:capability { setuid setgid fsetid }; + +dontaudit $1_screen_t shadow_t:file read; + +allow $1_screen_t tmp_t:dir search; +can_network($1_screen_t) +can_ypbind($1_screen_t) + +# get stats +allow $1_screen_t proc_t:dir search; +allow $1_screen_t proc_t:file { getattr read }; +allow $1_screen_t proc_t:lnk_file read; +allow $1_screen_t etc_t:{ file lnk_file } { read getattr }; +allow $1_screen_t self:dir { search read }; +allow $1_screen_t self:lnk_file read; +allow $1_screen_t device_t:dir search; +allow $1_screen_t { home_root_t $1_home_dir_t }:dir search; + +# Internal screen networking +allow $1_screen_t self:fd use; +allow $1_screen_t self:unix_stream_socket create_socket_perms; +allow $1_screen_t self:unix_dgram_socket create_socket_perms; + +allow $1_screen_t bin_t:dir search; +allow $1_screen_t bin_t:lnk_file read; +read_locale($1_screen_t) + +dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; +')dnl end screen_domain + +', ` + +define(`screen_domain',`') + +') diff --git a/strict/macros/program/sendmail_macros.te b/strict/macros/program/sendmail_macros.te new file mode 100644 index 0000000..540e0a2 --- /dev/null +++ b/strict/macros/program/sendmail_macros.te 
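Review bot: screen_domain in screen_macros.te grants "can_network($1_screen_t)" while the other user helper domains in this series get can_network_client or nothing; screen does not listen on the network, so if this is for name resolution or similar, say so and narrow it. "allow $1_screen_t initrc_var_run_t:file rw_file_perms;" under "# Write to utmp." gives write access to every file of that type rather than utmp alone; a dedicated utmp type would be cleaner, and the utempter dontaudit right below suggests that path is already half-supported. "allow $1_screen_t self:capability { setuid setgid fsetid };" together with "dontaudit $1_screen_t shadow_t:file read;" has no comment on why a terminal multiplexer needs these; if it is the lock-screen password check, state it. The "domain_auto_trans($1_screen_t, $1_home_t, $1_t)" line (and the nfs_t / cifs_t variants) lets screen execute files from the user's home and return to the user domain; that is reasonable for a user helper but should be marked as intentional next to the "# Revert to the user domain" comment.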
@@ -0,0 +1,56 @@ +# +# Macros for sendmail domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# Russell Coker +# + +# +# sendmail_user_domain(domain_prefix) +# +# Define a derived domain for the sendmail program when executed by +# a user domain to send outgoing mail. These domains are separate and +# independent of the domain used for the sendmail daemon process. +# +undefine(`sendmail_user_domain') +define(`sendmail_user_domain', ` + +# Use capabilities +allow $1_mail_t self:capability net_bind_service; + +tmp_domain($1_mail) + +# Write to /var/spool/mail and /var/spool/mqueue. +allow $1_mail_t mail_spool_t:dir rw_dir_perms; +allow $1_mail_t mail_spool_t:file create_file_perms; +allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; +allow $1_mail_t mqueue_spool_t:file create_file_perms; + +# Write to /var/log/sendmail.st +file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t) + +allow $1_mail_t etc_mail_t:dir { getattr search }; + +allow $1_mail_t { var_t var_spool_t }:dir getattr; + +allow $1_mail_t etc_runtime_t:file { getattr read }; + +# Check available space. +allow $1_mail_t fs_t:filesystem getattr; + +allow $1_mail_t sysctl_kernel_t:dir search; + +ifelse(`$1', `sysadm', ` +allow $1_mail_t proc_t:dir { getattr search }; +allow $1_mail_t proc_t:{ lnk_file file } { getattr read }; +dontaudit $1_mail_t proc_net_t:dir search; +allow $1_mail_t sysctl_kernel_t:file { getattr read }; +allow $1_mail_t etc_runtime_t:file { getattr read }; +', ` +dontaudit $1_mail_t proc_t:dir search; +dontaudit $1_mail_t sysctl_kernel_t:file read; +')dnl end if sysadm +') + diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te new file mode 100644 index 0000000..acd6195 --- /dev/null +++ b/strict/macros/program/slocate_macros.te 
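Review bot: in sendmail_user_domain in sendmail_macros.te, "allow $1_mail_t etc_runtime_t:file { getattr read };" appears twice, once unconditionally before "# Check available space." and again inside the sysadm branch of the ifelse; drop the second copy. "file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)" has no object class, so the user mail domain gets create rights on every non-device file class under var_log_t with the sendmail_log_t transition; the comment names a single file, /var/log/sendmail.st, so pass file. The mail_spool_t and mqueue_spool_t rules give every user's mail domain create_file_perms in both spools, which a setuid sendmail needs, but it also means the type enforcement does not separate one user's mailbox from another's here; a comment that DAC is what keeps users apart in the spool would help a reader.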
@@ -0,0 +1,64 @@ +# +# Macros for locate domains. +# + +# +# Author: Russell Coker +# + +# +# locate_domain(domain_prefix) +# +# Define a derived domain for the locate program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/locate.te. +# +undefine(`locate_domain') +ifdef(`slocate.te', ` +define(`locate_domain',` +# Derived domain based on the calling user domain and the program. +type $1_locate_t, domain; + +allow $1_locate_t self:process signal; + +allow $1_locate_t etc_t:file { getattr read }; +allow $1_locate_t self:unix_stream_socket create_socket_perms; +r_dir_file($1_locate_t,var_lib_locate_t) +allow $1_locate_t var_lib_t:dir search; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, locate_exec_t, $1_locate_t) + +# The user role is authorized for this domain. +role $1_r types $1_locate_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', ` +allow $1_locate_t $1_gph_t:fd use; +') + +allow $1_locate_t privfd:fd use; + +# allow ps to show locate +can_ps($1_t, $1_locate_t) +allow $1_t $1_locate_t:process signal; + +uses_shlib($1_locate_t) +access_terminal($1_locate_t, $1) + +allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search }; +allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read }; + +base_file_read_access($1_locate_t) +r_dir_file($1_locate_t, { etc_t lib_t var_t }) +dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms; +dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read }; +') + +', ` + +define(`locate_domain',`') + +') diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te new file mode 100644 index 0000000..2ded42a --- /dev/null +++ b/strict/macros/program/spamassassin_macros.te 
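Review bot: in locate_domain, `allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };` gives the locate domain read access to the contents of every file the user owns. slocate's secure mode only stats paths to decide whether the caller may see a result, so `getattr` on files (with `read` kept for `lnk_file`, which is how symlinks are followed) should be enough; if the binary really reads contents, a comment saying why would help. The `-shadow_t` exclusion in `dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };` is the right instinct; the `allow` above should get the same scrutiny.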
@@ -0,0 +1,122 @@ +# +# Macros for spamassassin domains. +# +# Author: Colin Walters + +# spamassassin_domain(domain_prefix) +# +# Define derived domains for various spamassassin tools when executed +# by a user domain. +# +# The type declarations for the executable types of these programs are +# provided separately in domains/program/spamassassin.te and +# domains/program/spamc.te. +# +undefine(`spamassassin_domain') +ifdef(`spamassassin.te', `define(`using_spamassassin', `')') +ifdef(`spamd.te', `define(`using_spamassassin', `')') +ifdef(`spamc.te', `define(`using_spamassassin', `')') + +ifdef(`using_spamassassin',` + +####### +# Macros used internally in these spamassassin macros. +# + +### +# Define a domain for a spamassassin-like program (spamc/spamassassin). +# +# Note: most of this should really be in a generic macro like +# base_user_program($1, foo) +define(`spamassassin_program_domain',` +type $1_$2_t, domain, privlog; +domain_auto_trans($1_t, $2_exec_t, $1_$2_t) + +role $1_r types $1_$2_t; +general_domain_access($1_$2_t) + +base_file_read_access($1_$2_t) +r_dir_file($1_$2_t, etc_t) +ifdef(`sendmail.te', ` +r_dir_file($1_$2_t, etc_mail_t) +') +allow $1_$2_t etc_runtime_t:file r_file_perms; +uses_shlib($1_$2_t) +read_locale($1_$2_t) +dontaudit $1_$2_t var_t:dir search; +allow $1_$2_t $1_home_dir_t:dir r_dir_perms; +tmp_domain($1_$2) +allow $1_$2_t privfd:fd use; +allow $1_$2_t userpty_type:chr_file rw_file_perms; +') dnl end spamassassin_program_domain + +### +# Give privileges to a domain for accessing ~/.spamassassin +# and a few other misc things like /dev/random. +# This is granted to /usr/bin/spamassassin and +# /usr/sbin/spamd, but NOT spamc (because it does not need it). 
+# +define(`spamassassin_agent_privs',` +allow $1 home_root_t:dir r_dir_perms; +file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t) +create_dir_file($1, $2_spamassassin_home_t) + +allow $1 urandom_device_t:chr_file r_file_perms; +') + +####### +# Define the main spamassassin macro. This itself creates a +# domain for /usr/bin/spamassassin, and also spamc/spamd if +# applicable. +# +define(`spamassassin_domain',` +spamassassin_program_domain($1, spamassassin) + +# For perl libraries. +allow $1_spamassassin_t lib_t:file rx_file_perms; +# Ignore perl digging in /proc and /var. +dontaudit $1_spamassassin_t proc_t:dir search; +dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; + +# For ~/.spamassassin +home_domain($1, spamassassin) + +spamassassin_agent_privs($1_spamassassin_t, $1) + +# set tunable if you have spamassassin do DNS lookups +if (spamassasin_can_network) { +can_network($1_spamassassin_t) +} +if (spamassasin_can_network && allow_ypbind) { +uncond_can_ypbind($1_spamassassin_t) +} +### +# Define the domain for /usr/bin/spamc +# +ifdef(`spamc.te',` +spamassassin_program_domain($1, spamc) +can_network($1_spamc_t) +can_ypbind($1_spamc_t) + +# Allow connecting to a local spamd +ifdef(`spamd.te',` +can_tcp_connect($1_spamc_t, spamd_t) +') dnl endif spamd.te +') dnl endif spamc.te + +### +# Define the domain for /usr/sbin/spamd +# +ifdef(`spamd.te',` + +spamassassin_agent_privs(spamd_t, $1) + +') dnl endif spamd.te + +') dnl end spamassassin_domain + +', ` + +define(`spamassassin_domain',`') + +') diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te new file mode 100644 index 0000000..0accc1b --- /dev/null +++ b/strict/macros/program/ssh_agent_macros.te 
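Review bot: in spamassassin_domain, the boolean is spelled `spamassasin_can_network` (one `s` short) in both `if (spamassasin_can_network) {` and `if (spamassasin_can_network && allow_ypbind) {`. Booleans are declared elsewhere, so if the declaration uses the full `spamassassin_can_network` the policy will not compile; check the declaration and make the two agree. Also, `spamassassin_program_domain` grants `allow $1_$2_t userpty_type:chr_file rw_file_perms;`, which lets spamc and spamassassin write to any user's pty, not just the caller's; the sibling macros in this series use `access_terminal($1_xxx_t, $1)` for that, which is the narrower choice.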
@@ -0,0 +1,117 @@ +# +# Macros for ssh agent +# + +# +# Author: Thomas Bleher +# + +# +# ssh_agent_domain(domain_prefix) +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/ssh-agent.te. +# +define(`ssh_agent_domain',` +# Define a derived domain for the ssh-agent program when executed +# by a user domain. +# Derived domain based on the calling user domain and the program. +type $1_ssh_agent_t, domain, privlog; + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) + +# The user role is authorized for this domain. +role $1_r types $1_ssh_agent_t; + +allow $1_ssh_agent_t privfd:fd use; + +# Write to the user domain tty. +access_terminal($1_ssh_agent_t, $1) + +# Allow the user shell to signal the ssh program. +allow $1_t $1_ssh_agent_t:process signal; +# allow ps to show ssh +can_ps($1_t, $1_ssh_agent_t) + +can_ypbind($1_ssh_agent_t) +if (use_nfs_home_dirs) { +allow $1_ssh_agent_t autofs_t:dir { search getattr }; +rw_dir_create_file($1_ssh_agent_t, nfs_t) +} +if (use_samba_home_dirs) { +rw_dir_create_file($1_ssh_agent_t, cifs_t) +} + +uses_shlib($1_ssh_agent_t) +read_locale($1_ssh_agent_t) + +allow $1_ssh_agent_t proc_t:dir search; +dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; +dontaudit $1_ssh_agent_t selinux_config_t:dir search; +read_sysctl($1_ssh_agent_t) + +# Access the ssh temporary files. Should we have an own type here +# to which only ssh, ssh-agent and ssh-add have access? 
+allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; +file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) +allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms; +allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms; + +allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; +allow $1_ssh_agent_t self:capability setgid; + +# access the random devices +allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read; + +# for ssh-add +can_unix_connect($1_t, $1_ssh_agent_t) + +# transition back to normal privs upon exec +domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t) +if (use_nfs_home_dirs) { +domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t) +} +if (use_samba_home_dirs) { +domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t) +} +allow $1_ssh_agent_t bin_t:dir search; + +# allow reading of /usr/bin/X11 (is a symlink) +allow $1_ssh_agent_t bin_t:lnk_file read; + +allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; + +allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search; + +allow $1_ssh_t $1_tmp_t:sock_file write; +allow $1_ssh_t $1_t:unix_stream_socket connectto; +allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; + +ifdef(`xdm.te', ` +allow $1_ssh_agent_t xdm_t:fd use; +allow $1_ssh_agent_t xdm_t:fifo_file { read write }; + +# kdm: sigchld +allow $1_ssh_agent_t xdm_t:process sigchld; +') + +# +# Allow command to ssh-agent > ~/.ssh_agent +# +allow $1_ssh_agent_t $1_home_t:file rw_file_perms; +allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms; + +allow $1_ssh_agent_t etc_runtime_t:file { getattr read }; +allow $1_ssh_agent_t etc_t:file { getattr read }; +allow $1_ssh_agent_t lib_t:file { getattr read }; + +allow $1_ssh_agent_t self:dir search; +allow $1_ssh_agent_t self:file { getattr read }; + +# Allow the ssh program to communicate with ssh-agent. 
+allow $1_ssh_t $1_tmp_t:sock_file write; +allow $1_ssh_t $1_t:unix_stream_socket connectto; +allow $1_ssh_t sshd_t:unix_stream_socket connectto; +')dnl end if ssh_agent + diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te new file mode 100644 index 0000000..473b273 --- /dev/null +++ b/strict/macros/program/ssh_macros.te 
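Review bot: in ssh_agent_domain, the final block under `# Allow the ssh program to communicate with ssh-agent.` repeats `allow $1_ssh_t $1_tmp_t:sock_file write;` and `allow $1_ssh_t $1_t:unix_stream_socket connectto;`, both already granted earlier in the same macro; only `allow $1_ssh_t sshd_t:unix_stream_socket connectto;` (needed when the agent socket was created by sshd for a forwarded agent) is new. Drop the two duplicates. The closing `')dnl end if ssh_agent` is also misleading: unlike the other macro files here there is no `ifdef(`ssh-agent.te'` guard in this file (the guard lives in `ssh_macros.te`, which calls `ssh_agent_domain($1)` under `ifdef(`ssh-agent.te'`), so that `')` closes the `define`, and the comment should say so.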
@@ -0,0 +1,171 @@ +# +# Macros for ssh domains. +# + +# +# Authors: Stephen Smalley +# Russell Coker +# Thomas Bleher +# + +# +# ssh_domain(domain_prefix) +# +# Define a derived domain for the ssh program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/ssh.te. +# +undefine(`ssh_domain') +ifdef(`ssh.te', ` +define(`ssh_domain',` +# Derived domain based on the calling user domain and the program. +type $1_ssh_t, domain, privlog, nscd_client_domain; +type $1_home_ssh_t, file_type, $1_file_type, sysadmfile; + +allow $1_ssh_t autofs_t:dir { search getattr }; +if (use_nfs_home_dirs) { +create_dir_file($1_ssh_t, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1_ssh_t, cifs_t) +} + +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t) + +# The user role is authorized for this domain. +role $1_r types $1_ssh_t; + +# Grant permissions within the domain. +general_domain_access($1_ssh_t) + +# Use descriptors created by sshd +allow $1_ssh_t privfd:fd use; + +uses_shlib($1_ssh_t) +read_locale($1_ssh_t) + +# Get attributes of file systems. +allow $1_ssh_t fs_type:filesystem getattr; + +base_file_read_access($1_ssh_t) + +# Read /var. +allow $1_ssh_t var_t:dir r_dir_perms; +allow $1_ssh_t var_t:notdevfile_class_set r_file_perms; + +# Read /var/run, /var/log. +allow $1_ssh_t var_run_t:dir r_dir_perms; +allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; +allow $1_ssh_t var_log_t:dir r_dir_perms; +allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms; + +# Read /etc. +allow $1_ssh_t etc_t:dir r_dir_perms; +allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms; +allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms; + +# Read /dev directories and any symbolic links. +allow $1_ssh_t device_t:dir r_dir_perms; +allow $1_ssh_t device_t:lnk_file r_file_perms; + +# Read /dev/urandom. 
+allow $1_ssh_t urandom_device_t:chr_file r_file_perms; + +# Read and write /dev/null. +allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms; + +# Grant permissions needed to create TCP and UDP sockets and +# to access the network. +can_network_client_tcp($1_ssh_t) +can_resolve($1_ssh_t) +can_ypbind($1_ssh_t) +can_kerberos($1_ssh_t) + +# for port forwarding +if (user_tcp_server) { +allow $1_ssh_t port_t:tcp_socket name_bind; +} + +# Use capabilities. +allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; + +# run helper programs - needed eg for x11-ssh-askpass +can_exec($1_ssh_t, { shell_exec_t bin_t }) + +# Read the ssh key file. +allow $1_ssh_t sshd_key_t:file r_file_perms; + +# Access the ssh temporary files. +file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t) +allow $1_ssh_t $1_tmp_t:dir r_dir_perms; + +# for rsync +allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms; + +# Access the users .ssh directory. +file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir) +file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file) +allow $1_t $1_home_ssh_t:sock_file create_file_perms; +allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms; +allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read }; +dontaudit $1_ssh_t $1_home_t:dir { getattr search }; +r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) +rw_dir_create_file($1_t, $1_home_ssh_t) + +# for /bin/sh used to execute xauth +dontaudit $1_ssh_t proc_t:dir search; +dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') + +# Write to the user domain tty. +access_terminal($1_ssh_t, $1) + +# Allow the user shell to signal the ssh program. +allow $1_t $1_ssh_t:process signal; +# allow ps to show ssh +can_ps($1_t, $1_ssh_t) + +ifdef(`xserver.te', ` +# Communicate with the X server. 
+ifdef(`startx.te', ` +can_unix_connect($1_ssh_t, $1_xserver_t) +allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms; +allow $1_ssh_t $1_xserver_tmp_t:dir search; +')dnl end if startx +ifdef(`xdm.te', ` +allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search; +allow $1_ssh_t { xdm_tmp_t }:sock_file write; +') +')dnl end if xserver + +ifdef(`ssh-agent.te', ` +ssh_agent_domain($1) +')dnl end if ssh_agent.te + +#allow ssh to access keys stored on removable media +# Should we have a boolean around this? +allow $1_ssh_t mnt_t:dir search; +r_dir_file($1_ssh_t, removable_t) + +ifdef(`xdm.te', ` +# should be able to remove these two later +allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write }; +allow $1_ssh_t xdm_xserver_tmp_t:dir search; +allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto; +allow $1_ssh_t xdm_xserver_t:shm r_shm_perms; +allow $1_ssh_t xdm_xserver_t:fd use; +allow $1_ssh_t xdm_xserver_tmpfs_t:file read; +allow $1_ssh_t xdm_t:fd use; +')dnl end if xdm.te +')dnl end macro definition + +', ` + +define(`ssh_domain',`') + +')dnl end if ssh.te diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te new file mode 100644 index 0000000..7426b4e --- /dev/null +++ b/strict/macros/program/su_macros.te 
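Review bot: in ssh_domain, `allow $1_ssh_t sshd_key_t:file r_file_perms;` under `# Read the ssh key file.` lets every user's ssh client domain read the sshd host key type, which includes the private host keys. Only hostbased authentication needs the private key, and it reads it through the setuid ssh-keysign helper; a compromised ssh client in any user domain should not be able to read it. Give the public `.pub` files their own type, or confine the private-key read to a keysign domain. Also, `file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)` and `allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;` let sysadm_ssh_t create files such as authorized_keys in every user's ~/.ssh; if that is intended, say so in the `# Access the users .ssh directory.` comment.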
@@ -0,0 +1,169 @@ +# +# Macros for su domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# +# su_domain(domain_prefix) +# +# Define a derived domain for the su program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/su.te. +# + +undefine(`su_restricted_domain') +undefine(`su_mini_domain') +undefine(`su_domain') +ifdef(`su.te', ` + +define(`su_restricted_domain', ` +# Derived domain based on the calling user domain and the program. +type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; + +# for SSP +allow $1_su_t urandom_device_t:chr_file { getattr read }; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, su_exec_t, $1_su_t) + +allow $1_su_t sbin_t:dir search; +domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) + +uses_shlib($1_su_t) +allow $1_su_t etc_t:file { getattr read }; +read_locale($1_su_t) +read_sysctl($1_su_t) +allow $1_su_t self:unix_dgram_socket { connect create write }; +allow $1_su_t self:unix_stream_socket create_stream_socket_perms; +allow $1_su_t self:fifo_file rw_file_perms; +allow $1_su_t proc_t:dir search; +allow $1_su_t proc_t:lnk_file read; +r_dir_file($1_su_t, self) +allow $1_su_t proc_t:file read; +allow $1_su_t self:process { setsched setrlimit }; +allow $1_su_t device_t:dir search; +allow $1_su_t self:process { fork sigchld }; +can_ypbind($1_su_t) +r_dir_file($1_su_t, selinux_config_t) + +dontaudit $1_su_t shadow_t:file { getattr read }; +dontaudit $1_su_t home_root_t:dir search; +dontaudit $1_su_t init_t:fd use; +allow $1_su_t var_lib_t:dir search; +allow $1_t $1_su_t:process signal; + +ifdef(`crond.te', ` +allow $1_su_t crond_t:fifo_file read; +') + +# Use capabilities. 
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +dontaudit $1_su_t self:capability sys_tty_config; +# +# Caused by su - init scripts +# +dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + +# By default, revert to the calling domain when a shell is executed. +domain_auto_trans($1_su_t, shell_exec_t, $1_t) +allow $1_su_t bin_t:dir search; +allow $1_su_t bin_t:lnk_file read; + +# But also allow transitions to unprivileged user domains. +domain_trans($1_su_t, shell_exec_t, unpriv_userdomain) +can_setexec($1_su_t) + +# Get security decisions +can_getsecurity($1_su_t) +r_dir_file($1_su_t, default_context_t) + +allow $1_su_t privfd:fd use; + +# Write to utmp. +allow $1_su_t { var_t var_run_t }:dir search; +allow $1_su_t initrc_var_run_t:file rw_file_perms; +can_kerberos($1_su_t) +') dnl end su_restricted_domain + +define(`su_mini_domain', ` +su_restricted_domain($1,$1) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_su_t, shell_exec_t, sysadm_t) +} + +# Relabel ttys and ptys. +allow $1_su_t device_t:dir { getattr read search }; +allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Close and re-open ttys and ptys to get the fd into the correct domain. +allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; + +')dnl end su_mini_domain + +define(`su_domain', ` +su_mini_domain($1) +ifdef(`chkpwd.te', ` +# Run chkpwd. +can_exec($1_su_t, chkpwd_exec_t) +') + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') + +# The user role is authorized for this domain. +role $1_r types $1_su_t; + +# Write to the user domain tty. 
+access_terminal($1_su_t, $1) + +allow $1_su_t { home_root_t $1_home_dir_t }:dir search; +allow $1_su_t $1_home_t:file create_file_perms; +ifdef(`user_canbe_sysadm', ` +allow $1_su_t home_dir_type:dir { search write }; +', ` +dontaudit $1_su_t home_dir_type:dir { search write }; +') + +allow $1_su_t autofs_t:dir { search getattr }; +if (use_nfs_home_dirs) { +allow $1_su_t nfs_t:dir search; +} +if (use_samba_home_dirs) { +allow $1_su_t cifs_t:dir search; +} + +# Modify .Xauthority file (via xauth program). +ifdef(`xauth.te', ` +file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) +file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) +file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) +domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) +') + +ifdef(`cyrus.te', ` +allow $1_su_t cyrus_var_lib_t:dir search; +') +ifdef(`ssh.te', ` +# Access sshd cookie files. +allow $1_su_t sshd_tmp_t:dir rw_dir_perms; +allow $1_su_t sshd_tmp_t:file rw_file_perms; +file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) +') + +allow $1_su_t var_lib_t:dir search; +dontaudit $1_su_t init_t:fd use; +')dnl end su_domain + +', ` + +define(`su_domain',`') + +') + diff --git a/strict/macros/program/sudo_macros.te b/strict/macros/program/sudo_macros.te new file mode 100644 index 0000000..b2b4e1c --- /dev/null +++ b/strict/macros/program/sudo_macros.te 
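Review bot: in su_domain, `dontaudit $1_su_t init_t:fd use;` and `allow $1_su_t var_lib_t:dir search;` at the end of the macro are already granted in su_restricted_domain, so the repeats can go. Under `ifdef(`chkpwd.te'`, `can_exec($1_su_t, chkpwd_exec_t)` adds `execute_no_trans` on top of the `domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)` already in su_restricted_domain; since `$1_su_t` also has `can_setexec`, that lets the password helper be run inside `$1_su_t` without the transition the auto_trans was written to enforce, so drop the `can_exec` unless something needs it. The xauth block hard-codes `staff_home_dir_t`, `user_home_dir_t` and `sysadm_home_dir_t` instead of deriving from a parameter, so su into any other user domain prefix gets no `.Xauthority` transition; at minimum that limitation belongs in the `# Modify .Xauthority file` comment.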
@@ -0,0 +1,34 @@ +# Authors: Dan Walsh, Russell Coker +# Maintained by Dan Walsh +define(`sudo_domain',` +newrole_domain($1_sudo, `, privuser') + +# By default, revert to the calling domain when a shell is executed. +domain_auto_trans($1_sudo_t, shell_exec_t, $1_t) + +ifdef(`mta.te', ` +domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms; +') + +allow $1_sudo_t self:capability sys_resource; + +allow $1_sudo_t self:process setrlimit; + +ifdef(`pam.te', ` +allow $1_sudo_t pam_var_run_t:dir create_dir_perms; +allow $1_sudo_t pam_var_run_t:file create_file_perms; +') + +allow $1_sudo_t initrc_var_run_t:file rw_file_perms; +allow $1_sudo_t sysctl_t:dir search; +allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr; +allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read }; +read_sysctl($1_sudo_t) + +allow $1_sudo_t var_run_t:dir search; +r_dir_file($1_sudo_t, default_context_t) +rw_dir_create_file($1_sudo_t, $1_tmp_t) +rw_dir_create_file($1_sudo_t, $1_home_t) +domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t) +') diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te new file mode 100644 index 0000000..acb45b1 --- /dev/null +++ b/strict/macros/program/tvtime_macros.te 
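Review bot: in sudo_macros.te, `sudo_domain` is defined unconditionally, whereas the sibling macro files use `undefine(...)` plus `ifdef(`xxx.te', ...)` so that the macro expands to nothing when the program's .te file is absent; as written, a call to `sudo_domain` without sudo.te fails on undefined types such as `sudo_exec_t`. The file also lacks the `# sudo_domain(domain_prefix)` header comment the other files carry. Two smaller points: `rw_dir_create_file($1_sudo_t, $1_home_t)` lets sudo create files anywhere in the caller's home, which deserves a comment saying what needs it, and `allow $1_sudo_t { ... exec_type } :file getattr;` has a stray space before `:file`.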
@@ -0,0 +1,43 @@ +# +# Macros for tvtime domains. +# + +# +# Author: Dan Walsh +# + +# +# tvtime_domain(domain_prefix) +# +# Define a derived domain for the tvtime program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/tvtime.te. +# +undefine(`tvtime_domain') +ifdef(`tvtime.te', ` +define(`tvtime_domain',` + +home_domain($1, tvtime) +x_client_domain($1, tvtime) + +allow $1_tvtime_t urandom_device_t:chr_file read; +allow $1_tvtime_t clock_device_t:chr_file { ioctl read }; +allow $1_tvtime_t kernel_t:system ipc_info; +allow $1_tvtime_t sound_device_t:chr_file read; +allow $1_tvtime_t $1_home_t:dir { getattr read search }; +allow $1_tvtime_t $1_home_t:file { getattr read }; +tmp_domain($1_tvtime) +allow $1_tvtime_t self:capability { setuid sys_nice sys_resource }; +allow $1_tvtime_t self:process setsched; +allow $1_tvtime_t usr_t:file { getattr read }; + +')dnl end tvtime_domain + +', ` + +define(`tvtime_domain',`') + +') + diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te new file mode 100644 index 0000000..654b794 --- /dev/null +++ b/strict/macros/program/uml_macros.te 
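Review bot: in tvtime_domain, `allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };` and `allow $1_tvtime_t self:process setsched;` come with no comment; tvtime is installed setuid root to raise its scheduling priority and then drops privilege, and that is what the reader needs to know to judge the line. `allow $1_tvtime_t $1_home_t:dir { getattr read search };` plus `$1_home_t:file { getattr read }` also give it every file in the user's home even though `home_domain($1, tvtime)` already provides a private type for ~/.tvtime; if the wider read is only for the initial config import, say so. Nothing in this hunk declares `$1_tvtime_t`, transitions into it, or grants `role $1_r`; presumably `x_client_domain($1, tvtime)` does, and a comment noting that would help.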
@@ -0,0 +1,136 @@ +# +# Macros for uml domains. +# + +# +# Author: Russell Coker +# + +# +# uml_domain(domain_prefix) +# +# Define a derived domain for the uml program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/uml.te. +# +undefine(`uml_domain') +ifdef(`uml.te', ` +define(`uml_domain',` + +# Derived domain based on the calling user domain and the program. +type $1_uml_t, domain; +type $1_uml_exec_t, file_type, sysadmfile, $1_file_type; +type $1_uml_ro_t, file_type, sysadmfile, $1_file_type; +type $1_uml_rw_t, file_type, sysadmfile, $1_file_type; + +# for X +ifdef(`startx.te', ` +ifelse($1, sysadm, `', ` +ifdef(`xdm.te', ` +allow $1_uml_t xdm_xserver_tmp_t:dir search; +')dnl end if xdm.te +allow $1_uml_t $1_xserver_tmp_t:sock_file write; +can_unix_connect($1_uml_t, $1_xserver_t) +')dnl end ifelse sysadm +')dnl end ifdef startx + +allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms }; +allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms }; +allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms }; +allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms }; +r_dir_file($1_t, uml_ro_t) + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t) +can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t }) + +# The user role is authorized for this domain. +role $1_r types $1_uml_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;') + +# Inherit and use descriptors from newrole. 
+ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;') + +# allow ps, ptrace, signal +can_ps($1_t, $1_uml_t) +can_ptrace($1_t, $1_uml_t) +allow $1_t $1_uml_t:process signal_perms; + +# allow the UML thing to happen +allow $1_uml_t self:process { fork signal_perms ptrace }; +can_create_pty($1_uml) +allow $1_uml_t root_t:dir search; +tmp_domain($1_uml) +can_exec($1_uml_t, $1_uml_tmp_t) +tmpfs_domain($1_uml) +can_exec($1_uml_t, $1_uml_tmpfs_t) +create_dir_file($1_t, $1_uml_tmp_t) +allow $1_t $1_uml_tmp_t:sock_file create_file_perms; +allow $1_uml_t self:fifo_file rw_file_perms; +allow $1_uml_t fs_t:filesystem getattr; + +allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl }; + +ifdef(`uml_net.te', ` +# for uml_net +domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t) +allow uml_net_t $1_uml_t:unix_stream_socket { read write }; +allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; +dontaudit uml_net_t privfd:fd use; +allow uml_net_t $1_uml_devpts_t:chr_file { read write }; +dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; +')dnl end ifdef uml_net.te + +# for mconsole +allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto; +allow $1_uml_t $1_t:unix_dgram_socket sendto; + +# Use the network. 
+can_network($1_uml_t) +can_ypbind($1_uml_t) + +# for xterm +uses_shlib($1_uml_t) +can_exec($1_uml_t, { bin_t sbin_t lib_t }) +allow $1_uml_t { bin_t sbin_t }:dir search; +allow $1_uml_t etc_t:file { getattr read }; +dontaudit $1_uml_t etc_runtime_t:file read; +can_tcp_connect($1_uml_t, sshd_t) +ifdef(`xauth.te', ` +allow $1_uml_t $1_xauth_home_t:file { getattr read }; +') +allow $1_uml_t var_run_t:dir search; +allow $1_uml_t initrc_var_run_t:file { getattr read }; +dontaudit $1_uml_t initrc_var_run_t:file { write lock }; + +allow $1_uml_t device_t:dir search; +allow $1_uml_t self:unix_stream_socket create_stream_socket_perms; +allow $1_uml_t self:unix_dgram_socket create_socket_perms; +allow $1_uml_t privfd:fd use; +allow $1_uml_t proc_t:dir search; +allow $1_uml_t proc_t:file { getattr read }; + +# for SKAS - need something better +allow $1_uml_t proc_t:file write; + +# Write to the user domain tty. +access_terminal($1_uml_t, $1) + +# access config files +allow $1_uml_t home_root_t:dir search; +file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t) +r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t }) + +# putting uml data under /var is usual... +allow $1_uml_t var_t:dir search; +')dnl end macro definition + +', ` + +define(`uml_domain',`') + +') diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te new file mode 100644 index 0000000..109b973 --- /dev/null +++ b/strict/macros/program/userhelper_macros.te 
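Review bot: in uml_domain, `allow $1_uml_t proc_t:file write;` under `# for SKAS - need something better` grants write on every file labeled proc_t, i.e. everything under /proc that has not been given a more specific type. Because the user domain may `relabelto $1_uml_exec_t` any file (`allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };`) and `domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)` then runs it in this domain, any binary the user chooses gets that /proc write, rw on `tun_tap_device_t`, and execute on its own `$1_uml_tmp_t` / `$1_uml_tmpfs_t` files. The SKAS interface file should get its own type (via file_contexts or genfscon) with write granted only on that, which is the "something better" the comment asks for.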
@@ -0,0 +1,144 @@ +#DESC Userhelper - SELinux utility to run a shell with a new role +# +# Authors: Dan Walsh (Red Hat) +# Maintained by Dan Walsh +# + +# +# userhelper_domain(domain_prefix) +# +# Define a derived domain for the userhelper/userhelper program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/userhelper.te. +# +define(`userhelper_domain',` +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain; + +in_user_role($1_userhelper_t) +role sysadm_r types $1_userhelper_t; + +ifelse($1, sysadm, ` +typealias sysadm_userhelper_t alias userhelper_t; +domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t) +') + +general_domain_access($1_userhelper_t); + +uses_shlib($1_userhelper_t) +read_locale($1_userhelper_t) +read_sysctl($1_userhelper_t) + +# for when the user types "exec userhelper" at the command line +allow $1_userhelper_t privfd:process sigchld; + +domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t) + +# Inherit descriptors from the current session. +allow $1_userhelper_t { init_t privfd }:fd use; + +can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t }) + +# Execute shells +allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms; +allow $1_userhelper_t { sbin_t bin_t }:lnk_file read; +allow $1_userhelper_t shell_exec_t:file r_file_perms; + +# By default, revert to the calling domain when a program is executed. +domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t) + +# Allow $1_userhelper_t to transition to user domains. 
+domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain) +if (!secure_mode) { + # if we are not in secure mode then we can transition to sysadm_t + domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t) +} +can_setexec($1_userhelper_t) + +ifdef(`distro_redhat', ` +ifdef(`rpm.te', ` +# Allow transitioning to rpm_t, for up2date +allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure }; +') +') + +# Use capabilities. +allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; + +# Write to utmp. +file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file) + +# Read the devpts root directory. +allow $1_userhelper_t devpts_t:dir r_dir_perms; + +# Read the /etc/security/default_type file +allow $1_userhelper_t etc_t:file r_file_perms; + +# Read /var. +allow $1_userhelper_t var_t:dir r_dir_perms; +allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms; + +# Read /dev directories and any symbolic links. +allow $1_userhelper_t device_t:dir r_dir_perms; + +# Relabel terminals. +allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. 
+allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;') + +# +# Allow $1_userhelper to obtain contexts to relabel TTYs +# +can_getsecurity($1_userhelper_t) + +allow $1_userhelper_t fs_t:filesystem getattr; + +# for some PAM modules and for cwd +dontaudit $1_userhelper_t { home_root_t home_type }:dir search; + +allow $1_userhelper_t proc_t:dir search; +allow $1_userhelper_t proc_t:file { getattr read }; + +# for when the network connection is killed +dontaudit unpriv_userdomain $1_userhelper_t:process signal; + +allow $1_userhelper_t userhelper_conf_t:file rw_file_perms; +allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; + +ifdef(`pam.te', ` +allow $1_userhelper_t pam_var_run_t:dir create_dir_perms; +allow $1_userhelper_t pam_var_run_t:file create_file_perms; +') + +allow $1_userhelper_t urandom_device_t:chr_file { getattr read }; + +allow $1_userhelper_t autofs_t:dir search; +role system_r types $1_userhelper_t; +r_dir_file($1_userhelper_t, nfs_t) + +ifdef(`xdm.te', ` +allow $1_userhelper_t xdm_t:fd use; +allow $1_userhelper_t xdm_t:fifo_file rw_file_perms; +allow $1_userhelper_t xdm_var_run_t:dir search; +') + +r_dir_file($1_userhelper_t, selinux_config_t) +r_dir_file($1_userhelper_t, default_context_t) + +ifdef(`xauth.te', ` +domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) +allow $1_userhelper_t $1_xauth_home_t:file { getattr read }; +') + +ifdef(`pamconsole.te', ` +allow $1_userhelper_t pam_var_console_t:dir { search }; +') + +ifdef(`mozilla.te', ` +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) +') + +')dnl end userhelper macro diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te new file mode 100644 index 0000000..b306f08 --- /dev/null +++ b/strict/macros/program/vmware_macros.te 
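Review bot: in userhelper_domain, `allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };` (under `# Allow transitioning to rpm_t, for up2date`) disables the secure-exec flag for the new rpm_t process, so the dynamic loader honors LD_PRELOAD and similar variables from the calling user's environment inside a privileged domain; `siginh` and `rlimitinh` likewise carry the caller's pending signals and limits across. Unless up2date demonstrably breaks without them, grant only `transition`. Also, `allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;` and the matching `dir rw_dir_perms` let userhelper modify the console.apps configuration that decides what it may launch; read access should suffice. Finally, `r_dir_file($1_userhelper_t, nfs_t)` is unconditional here while the rest of this series gates NFS home access on `use_nfs_home_dirs`.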
@@ -0,0 +1,133 @@ +# Macro for vmware +# +# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), +# modifications by NAI Labs. +# +# Turned into a macro by Thomas Bleher +# +# vmware_domain(domain_prefix) +# +# Define a derived domain for the vmware program when executed by +# a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/vmware.te. This file also +# implements a separate domain vmware_t. +# + +define(`vmware_domain', ` + +# Domain for the user applications to run in. +type $1_vmware_t, domain, privmem; + +role $1_r types $1_vmware_t; + +# The user file type is for files created when the user is running VMWare +type $1_vmware_file_t, $1_file_type, file_type, sysadmfile; + +# The user file type for the VMWare configuration files +type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile; + +# for compatibility with older policy versions +typealias $1_vmware_t alias vmware_$1_t; +typealias $1_vmware_file_t alias vmware_$1_file_t; +typealias $1_vmware_conf_t alias vmware_$1_conf_t; + +############################################################# +# User rules for running VMWare +# +# Transition to VMWare user domain +domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t) +can_exec($1_vmware_t, vmware_user_exec_t) +uses_shlib($1_vmware_t) +var_run_domain($1_vmware) + +general_domain_access($1_vmware_t); + +# Capabilities needed by VMWare for the user execution. This seems a +# bit too much, so be careful. 
+allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio }; + +# Access to ttys +allow $1_vmware_t vmware_device_t:chr_file rw_file_perms; +allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms; +allow $1_vmware_t privfd:fd use; + +# Access /proc +r_dir_file($1_vmware_t, proc_t) +allow $1_vmware_t proc_net_t:dir search; +allow $1_vmware_t proc_net_t:file { getattr read }; + +# Access to some files in the user home directory +r_dir_file($1_vmware_t, $1_home_t) + +# Access to runtime files for user +allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms; +allow $1_vmware_t $1_vmware_file_t:file create_file_perms; +allow $1_vmware_t $1_vmware_conf_t:file create_file_perms; + +# Allow read access to /etc/vmware and /usr/lib/vmware configuration files +r_dir_file($1_vmware_t, vmware_sys_conf_t) + +# Allow $1_vmware_t to read/write files in the tmp dir +tmp_domain($1_vmware) +allow $1_vmware_t $1_vmware_tmp_t:file execute; + +# Allow read access to several paths +r_dir_file($1_vmware_t, etc_t) +allow $1_vmware_t etc_runtime_t:file r_file_perms; +allow $1_vmware_t device_t:dir r_dir_perms; +allow $1_vmware_t var_t:dir r_dir_perms; +allow $1_vmware_t tmpfs_t:file rw_file_perms; + +# Allow vmware to write to ~/.vmware +rw_dir_create_file($1_vmware_t, $1_vmware_file_t) + +# +# This is bad; VMWare needs execute permission to the .cfg file for the +# configuration to run. 
+# +allow $1_vmware_t $1_vmware_conf_t:file execute; + +# Access X11 config files +allow $1_vmware_t lib_t:file r_file_perms; + +# Access components of VMWare in /usr/lib/vmware/bin by default +allow $1_vmware_t bin_t:dir r_dir_perms; + +# Allow access to lp port (Need to create an lp device domain ) +allow $1_vmware_t device_t:chr_file r_file_perms; + +# Allow access to /dev/mem +allow $1_vmware_t memory_device_t:chr_file { read write }; + +# Allow access to mouse +allow $1_vmware_t mouse_device_t:chr_file r_file_perms; + +# Allow access the sound device +allow $1_vmware_t sound_device_t:chr_file { ioctl write }; + +# Allow removable media and devices +allow $1_vmware_t removable_device_t:blk_file r_file_perms; +allow $1_vmware_t device_t:lnk_file read; + +# Allow access to the real time clock device +allow $1_vmware_t clock_device_t:chr_file read; + +# Allow to attach to Xserver, and Xserver to attach back +ifdef(`gnome-pty-helper.te', ` +allow $1_vmware_t $1_gph_t:fd use; +') +ifdef(`startx.te', ` +allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write }; +allow $1_vmware_t $1_xserver_tmp_t:dir search; +allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto; +allow $1_xserver_t $1_vmware_t:shm r_shm_perms; +allow $1_xserver_t $1_vmware_t:fd use; +') + +# Allow filesystem read access +allow $1_vmware_t fs_t:filesystem getattr; + +') + diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te new file mode 100644 index 0000000..aef31ad --- /dev/null +++ b/strict/macros/program/x_client_macros.te 
@@ -0,0 +1,161 @@ +# +# Macros for X client programs ($2 etc) +# + +# +# Author: Russell Coker +# Based on the work of Stephen Smalley +# and Timothy Fraser +# + +define(`xsession_domain', ` + +# Connect to xserver +can_unix_connect($1_t, $2_xserver_t) + +# /tmp/.ICE_unix +allow $1_t $2_xserver_tmp_t:dir search; +allow $1_t $2_xserver_tmp_t:sock_file rw_file_perms; + +# Stat /tmp/.X0-lock +allow $1_t $2_xserver_tmp_t:file getattr; + +# Signal Xserver +allow $1_t $2_xserver_t:process signal; + +# Use file descriptors created by each other. +allow $1_t $2_xserver_t:fd use; +allow $2_xserver_t $1_t:fd use; + +# Xserver read/write parent shm +allow $2_xserver_t $1_t:shm rw_shm_perms; +allow $2_xserver_t $1_tmpfs_t:file rw_file_perms; + +# Parent read xserver shm +allow $1_t $2_xserver_t:shm r_shm_perms; +allow $1_t $2_xserver_tmpfs_t:file r_file_perms; +') + +# +# x_client_domain(domain_prefix) +# +# Define a derived domain for an X program when executed by +# a user domain. +# +# The type declaration for the executable type for this program ($2_exec_t) +# must be provided separately! +# +# The first parameter is the base name for the domain/role (EG user or sysadm) +# The second parameter is the program name (EG $2) +# The third parameter is the attributes for the domain (if any) +# +define(`x_client_domain',` +# Derived domain based on the calling user domain and the program. +type $1_$2_t, domain, nscd_client_domain $3; + +ifelse(index(`$3', `transitionbool'), -1, ` +domain_auto_trans($1_t, $2_exec_t, $1_$2_t) +can_exec($1_$2_t, $2_exec_t) +', ` +# Only do it once +ifelse($1, user, ` +bool disable_$2 false; +') +# Transition from the user domain to the derived domain. +if (! disable_$2) { +domain_auto_trans($1_t, $2_exec_t, $1_$2_t) +can_exec($1_$2_t, $2_exec_t) +} +') + +# The user role is authorized for this domain. 
+role $1_r types $1_$2_t; + +# This domain is granted permissions common to most domains (including can_net) +can_network($1_$2_t) +can_ypbind($1_$2_t) +allow $1_$2_t self:process { fork signal_perms getsched }; +allow $1_$2_t self:unix_dgram_socket create_socket_perms; +allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow $1_$2_t self:fifo_file rw_file_perms; +allow $1_$2_t etc_runtime_t:file { getattr read }; +allow $1_$2_t etc_t:lnk_file read; +allow $1_$2_t fs_t:filesystem getattr; +access_terminal($1_$2_t, $1) +read_locale($1_$2_t) +r_dir_file($1_$2_t, readable_t) +allow $1_$2_t proc_t:dir search; +allow $1_$2_t proc_t:lnk_file read; +allow $1_$2_t self:dir search; +allow $1_$2_t self:lnk_file read; +read_sysctl($1_$2_t) + +ifdef(`xauth.te',` +allow $1_$2_t $1_xauth_home_t:file { getattr read }; +') + +# Allow the user domain to send any signal to the $2 process. +allow $1_t $1_$2_t:process signal_perms; + +# Allow the user domain to read the /proc/PID directory for +# the $2 process. +allow $1_t $1_$2_t:dir r_dir_perms; +allow $1_t $1_$2_t:notdevfile_class_set r_file_perms; + +# Allow use of /dev/zero by ld.so. +allow $1_$2_t device_t:dir search; +allow $1_$2_t zero_device_t:chr_file rw_file_perms; +allow $1_$2_t zero_device_t:chr_file x_file_perms; + +# allow using shared libraries and running programs +uses_shlib($1_$2_t) +allow $1_$2_t { bin_t sbin_t }:dir search; +allow $1_$2_t bin_t:lnk_file read; +can_exec($1_$2_t, { shell_exec_t bin_t }) +allow $1_$2_t etc_t:file { getattr read }; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;') +allow $1_$2_t privfd:fd use; + +# for .xsession-errors +dontaudit $1_$2_t $1_home_t:file write; + +# for X over a ssh tunnel +ifdef(`ssh.te', ` +can_tcp_connect($1_$2_t, sshd_t) +') + +# Read the home directory, e.g. 
for .Xauthority and to get to config files +allow $1_$2_t home_root_t:dir { search getattr }; + +# Use a separate type for tmpfs/shm pseudo files. +tmpfs_domain($1_$2) + +allow $1_$2_t self:shm create_shm_perms; + +# allow X client to read all font files +r_dir_file($1_$2_t, fonts_t) + +# Allow connections to X server. +ifdef(`xserver.te', ` +allow $1_$2_t tmp_t:dir search; + +ifdef(`xdm.te', ` +xsession_domain($1_$2, xdm) + +# for when /tmp/.X11-unix is created by the system +allow $1_$2_t xdm_t:fifo_file rw_file_perms; +allow $1_$2_t xdm_tmp_t:dir search; +allow $1_$2_t xdm_tmp_t:sock_file { read write }; +allow $1_$2_t xdm_t:fd use; +dontaudit $1_$2_t xdm_t:tcp_socket { read write }; +') + +ifdef(`startx.te', ` +xsession_domain($1_$2, $1) +')dnl end startx + +')dnl end xserver + +')dnl end x_client macro diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te new file mode 100644 index 0000000..405f151 --- /dev/null +++ b/strict/macros/program/xauth_macros.te 
@@ -0,0 +1,82 @@ +# +# Macros for xauth domains. +# + +# +# Author: Russell Coker +# + +# +# xauth_domain(domain_prefix) +# +# Define a derived domain for the xauth program when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/xauth.te. +# +undefine(`xauth_domain') +ifdef(`xauth.te', ` +define(`xauth_domain',` +# Derived domain based on the calling user domain and the program. +type $1_xauth_t, domain; + +allow $1_xauth_t self:process signal; + +home_domain($1, xauth) + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t) +ifdef(`ssh.te', ` +domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t) +allow $1_xauth_t sshd_t:fifo_file { getattr read }; +dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write }; +allow $1_xauth_t sshd_t:process sigchld; +')dnl end if ssh + +# The user role is authorized for this domain. +role $1_r types $1_xauth_t; + +# Inherit and use descriptors from gnome-pty-helper. +ifdef(`gnome-pty-helper.te', ` +allow $1_xauth_t $1_gph_t:fd use; +') + +allow $1_xauth_t privfd:fd use; +allow $1_xauth_t ptmx_t:chr_file { read write }; + +# allow ps to show xauth +can_ps($1_t, $1_xauth_t) +allow $1_t $1_xauth_t:process signal; + +uses_shlib($1_xauth_t) + +# allow DNS lookups... +can_resolve($1_xauth_t) +can_ypbind($1_xauth_t) +ifdef(`named.te', ` +can_udp_send($1_xauth_t, named_t) +can_udp_send(named_t, $1_xauth_t) +')dnl end if named.te + +allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; +allow $1_xauth_t etc_t:file { getattr read }; +allow $1_xauth_t fs_t:filesystem getattr; + +# Write to the user domain tty. +access_terminal($1_xauth_t, $1) + +# Scan /var/run. 
+allow $1_xauth_t var_t:dir search; +allow $1_xauth_t var_run_t:dir search; + +tmp_domain($1_xauth) +allow $1_xauth_t $1_tmp_t:file { getattr ioctl read }; + +')dnl end xauth_domain macro + +', ` + +define(`xauth_domain',`') + +')dnl end if xauth.te diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te new file mode 100644 index 0000000..adbe7f7 --- /dev/null +++ b/strict/macros/program/xserver_macros.te 
@@ -0,0 +1,272 @@ +# +# Macros for X server domains. +# + +# +# Authors: Stephen Smalley and Timothy Fraser +# + +################################# +# +# xserver_domain(domain_prefix) +# +# Define a derived domain for the X server when executed +# by a user domain (e.g. via startx). See the xdm_t domain +# in domains/program/xdm.te if using an X Display Manager. +# +# The type declarations for the executable type for this program +# and the log type are provided separately in domains/program/xserver.te. +# +# FIXME! The X server requires far too many privileges. +# +undefine(`xserver_domain') +ifdef(`xserver.te', ` + +define(`xserver_domain',` +# Derived domain based on the calling user domain and the program. +ifdef(`distro_redhat', ` +type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain; +allow $1_xserver_t sysctl_modprobe_t:file { getattr read }; +ifdef(`rpm.te', ` +allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr }; +allow $1_xserver_t rpm_tmpfs_t:file { read write }; +allow $1_xserver_t rpm_t:fd use; +') + +', ` +type $1_xserver_t, domain, privlog, privmem, nscd_client_domain; +') + +# for SSP +allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl }; + +# Transition from the user domain to this domain. 
+ifelse($1, xdm, ` +ifdef(`xdm.te', ` +domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t) +') +', ` +domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t) +')dnl end ifelse xdm +can_exec($1_xserver_t, xserver_exec_t) + +uses_shlib($1_xserver_t) + +if (allow_execmod) { +allow $1_xserver_t texrel_shlib_t:file execmod; +} + +can_network($1_xserver_t) +can_ypbind($1_xserver_t) +allow $1_xserver_t xserver_port_t:tcp_socket name_bind; + +# for access within the domain +general_domain_access($1_xserver_t) + +if (allow_execmem) { +allow $1_xserver_t self:process execmem; +} + +allow $1_xserver_t etc_runtime_t:file { getattr read }; + +ifelse($1, xdm, ` +# The system role is authorised for the xdm and initrc domains +role system_r types xdm_xserver_t; + +allow xdm_xserver_t init_t:fd use; + +dontaudit xdm_xserver_t home_dir_type:dir { read search }; +', ` +# The user role is authorized for this domain. +role $1_r types $1_xserver_t; + +allow $1_xserver_t getty_t:fd use; +allow $1_xserver_t local_login_t:fd use; +allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + +allow $1_xserver_t $1_tmpfs_t:file rw_file_perms; +allow $1_t $1_xserver_tmpfs_t:file rw_file_perms; + +can_unix_connect($1_t, $1_xserver_t) + +# Access the home directory. +allow $1_xserver_t home_root_t:dir search; +allow $1_xserver_t $1_home_dir_t:dir { getattr search }; +if (allow_xserver_home_fonts) { +r_dir_file($1_xserver_t, $1_home_t) +} +ifdef(`xauth.te', ` +domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) +allow $1_xserver_t $1_xauth_home_t:file { getattr read }; +', ` +allow $1_xserver_t $1_home_t:file { getattr read }; +')dnl end ifdef xauth +ifdef(`userhelper.te', ` +allow $1_xserver_t userhelper_conf_t:dir search; +')dnl end ifdef userhelper +')dnl end ifelse xdm + +allow $1_xserver_t self:process setsched; + +allow $1_xserver_t fs_t:filesystem getattr; + +# Xorg wants to check if kernel is tainted +read_sysctl($1_xserver_t) + +# Use capabilities. 
+# allow setuid/setgid for the wrapper program to change UID +# sys_rawio is for iopl access - should not be needed for frame-buffer +# sys_admin, locking shared mem? chowning IPC message queues or semaphores? +# admin of APM bios? +# sys_nice is so that the X server can set a negative nice value +allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow $1_xserver_t nfs_t:dir { getattr search }; + +# memory_device_t access is needed if not using the frame buffer +#dontaudit $1_xserver_t memory_device_t:chr_file read; +allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute }; +# net_bind_service is needed if you want your X server to allow TCP connections +# from other hosts, EG an XDM serving a network of X terms +# if you want good security you do not want this +# not sure why some people want chown, fsetid, and sys_tty_config. +#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config }; +dontaudit $1_xserver_t self:capability chown; + +# for nscd +dontaudit $1_xserver_t var_run_t:dir search; + +allow $1_xserver_t mtrr_device_t:file rw_file_perms; +allow $1_xserver_t apm_bios_t:chr_file rw_file_perms; +allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms; +allow $1_xserver_t device_t:lnk_file { getattr read }; +allow $1_xserver_t devtty_t:chr_file rw_file_perms; +allow $1_xserver_t zero_device_t:chr_file { read write execute }; + +# Type for temporary files. 
+tmp_domain($1_xserver, `', `{ dir file sock_file }') +file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) + +ifelse($1, xdm, ` +ifdef(`xdm.te', ` +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_t xdm_xserver_t:unix_stream_socket connectto; +allow xdm_t $1_xserver_t:process signal; +can_unix_connect(xdm_t, xdm_xserver_t) +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_xserver_t xdm_t:process signal; +allow xdm_xserver_t xdm_t:shm rw_shm_perms; +allow xdm_t xdm_xserver_t:shm rw_shm_perms; +dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; +') +', ` +allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; +allow $1_t xdm_xserver_t:unix_stream_socket connectto; +allow $1_t $1_xserver_t:process signal; + +# Allow the user domain to connect to the X server. +can_unix_connect($1_t, $1_xserver_t) +allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms; +allow $1_t $1_xserver_tmp_t:dir r_dir_perms; +ifdef(`xdm.te', ` +allow $1_t xdm_tmp_t:sock_file unlink; +allow $1_xserver_t xdm_var_run_t:dir search; +# for /tmp/.ICE-unix +file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) +') + +# Signal the user domain. +allow $1_xserver_t $1_t:process signal; + +# Communicate via System V shared memory. +allow $1_xserver_t $1_t:shm rw_shm_perms; +allow $1_t $1_xserver_t:shm rw_shm_perms; +allow $1_xserver_t initrc_t:shm rw_shm_perms; + +')dnl end ifelse xdm + +# Create files in /var/log with the xserver_log_t type. +allow $1_xserver_t var_t:dir search; +file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file) +allow $1_xserver_t xserver_log_t:dir r_dir_perms; + +# Access AGP device. 
+allow $1_xserver_t agp_device_t:chr_file rw_file_perms; + +# for other device nodes such as the NVidia binary-only driver +allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms; + +# Access /proc/mtrr +allow $1_xserver_t proc_t:file rw_file_perms; +allow $1_xserver_t proc_t:lnk_file { getattr read }; + +# Access /proc/sys/dev +allow $1_xserver_t sysctl_dev_t:dir search; +allow $1_xserver_t sysctl_dev_t:file { getattr read }; +# Access /proc/bus/pci +allow $1_xserver_t proc_t:dir r_dir_perms; + +# Create and access /dev/dri devices. +allow $1_xserver_t device_t:dir { create setattr }; +file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file) +# brought on by rhgb +allow $1_xserver_t mnt_t:dir search; + +allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms }; + +# Run helper programs in $1_xserver_t. +allow $1_xserver_t { bin_t sbin_t }:dir search; +allow $1_xserver_t etc_t:{ file lnk_file } { getattr read }; +allow $1_xserver_t bin_t:lnk_file read; +can_exec($1_xserver_t, { bin_t shell_exec_t }) + +# Connect to xfs. +ifdef(`xfs.te', ` +can_unix_connect($1_xserver_t, xfs_t) +allow $1_xserver_t xfs_tmp_t:dir r_dir_perms; +allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms; + +# Bind to the X server socket in /tmp. +allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind; +') + +read_locale($1_xserver_t) + +# Type for tmpfs/shm files. +tmpfs_domain($1_xserver) +ifelse($1, xdm, ` +ifdef(`xdm.te', ` +allow xdm_xserver_t xdm_t:shm rw_shm_perms; +allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; +') +', ` +allow $1_xserver_t $1_t:shm rw_shm_perms; +rw_dir_file($1_xserver_t, $1_tmpfs_t) +')dnl end ifelse xdm + + +r_dir_file($1_xserver_t,sysfs_t) + +# Use the mouse. 
+allow $1_xserver_t mouse_device_t:chr_file rw_file_perms; +# Allow xserver to read events - the synaptics touchpad +# driver reads raw events +allow $1_xserver_t event_device_t:chr_file rw_file_perms; +ifdef(`pamconsole.te', ` +allow $1_xserver_t pam_var_console_t:dir search; +') +dontaudit $1_xserver_t selinux_config_t:dir search; + +allow $1_xserver_t var_lib_t:dir search; +rw_dir_create_file($1_xserver_t, var_lib_xkb_t) + +# for fonts +r_dir_file($1_xserver_t, fonts_t) +')dnl end macro definition + +', ` + +define(`xserver_domain',`') + +') + diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te new file mode 100644 index 0000000..2157995 --- /dev/null +++ b/strict/macros/program/ypbind_macros.te @@ -0,0 +1,18 @@ + +define(`uncond_can_ypbind', ` +dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_network($1) +r_dir_file($1,var_yp_t) +allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind; +dontaudit $1 self:capability net_bind_service; +') + +define(`can_ypbind', ` +ifdef(`ypbind.te', ` +if (allow_ypbind) { +uncond_can_ypbind($1) +} else { +dontaudit $1 var_yp_t:dir search; +} +') dnl ypbind.te +') dnl can_ypbind diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te new file mode 100644 index 0000000..d6f34f2 --- /dev/null +++ b/strict/macros/user_macros.te 
@@ -0,0 +1,225 @@ +# +# Macros for all user login domains. +# + +# +# user_domain(domain_prefix) +# +# Define derived types and rules for an ordinary user domain. +# +# The type declaration and role authorization for the domain must be +# provided separately. Likewise, domain transitions into this domain +# must be specified separately. +# + +# user_domain() is also called by the admin_domain() macro +undefine(`user_domain') +define(`user_domain', ` +# Use capabilities + +# Type for home directory. +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type; + +tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }') + +# Type and access for pty devices. +can_create_pty($1, `, userpty_type, user_tty_type') + +#Type for tty devices. +type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs; + +base_user_domain($1) + +# do not allow privhome access to sysadm_home_dir_t +file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t) + +allow $1_t boot_t:dir { getattr search }; +dontaudit $1_t boot_t:lnk_file read; +dontaudit $1_t boot_t:file read; +allow $1_t system_map_t:file { getattr read }; + +# Instantiate derived domains for a number of programs. +# These derived domains encode both information about the calling +# user domain and the program, and allow us to maintain separation +# between different instances of the program being run by different +# user domains. 
+ifdef(`apache.te', `apache_domain($1)') +ifdef(`slocate.te', `locate_domain($1)') +ifdef(`lockdev.te', `lockdev_domain($1)') + +can_kerberos($1_t) +# allow port_t name binding for UDP because it is not very usable otherwise +allow $1_t port_t:udp_socket name_bind; + +# +# Need the following rule to allow users to run vpnc +# +ifdef(`xserver.te', ` +allow $1_t xserver_port_t:tcp_socket name_bind; +') + +# Allow users to run TCP servers (bind to ports and accept connection from +# the same domain and outside users) disabling this forces FTP passive mode +# and may change other protocols +if (user_tcp_server) { +allow $1_t port_t:tcp_socket name_bind; +} +# port access is audited even if dac would not have allowed it, so dontaudit it here +dontaudit $1_t reserved_port_type:tcp_socket name_bind; + +# Allow system log read +if (user_dmesg) { +allow $1_t kernel_t:system syslog_read; +} else { +# else do not log it +dontaudit $1_t kernel_t:system syslog_read; +} + +# Allow read access to utmp. +allow $1_t initrc_var_run_t:file { getattr read lock }; +# The library functions always try to open read-write first, +# then fall back to read-only if it fails. +# Do not audit write denials to utmp to avoid the noise. +dontaudit $1_t initrc_var_run_t:file write; + + +# do not audit read on disk devices +dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read; + +ifdef(`xdm.te', ` +allow xdm_t $1_home_t:lnk_file read; +allow xdm_t $1_home_t:dir search; +# +# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp +# +dontaudit xdm_t $1_home_t:file rw_file_perms; +')dnl end ifdef xdm.te + +ifdef(`ftpd.te', ` +if (ftp_home_dir) { +file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) +} +')dnl end ifdef ftpd + + +')dnl end user_domain macro + + +########################################################################### +# +# Domains for ordinary users. 
+# +undefine(`full_user_role') +define(`full_user_role', ` + +# user_t/$1_t is an unprivileged users domain. +type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; + +attribute $1_file_type; +# Grant read/search permissions to some of /proc. +r_dir_file($1_t, proc_t) +r_dir_file($1_t, proc_net_t) + +base_file_read_access($1_t) + +can_exec($1_t, usr_t) + +# Read directories and files with the readable_t type. +# This type is a general type for "world"-readable files. +allow $1_t readable_t:dir r_dir_perms; +allow $1_t readable_t:notdevfile_class_set r_file_perms; + +# Stat lost+found. +allow $1_t lost_found_t:dir getattr; + +# Read /var, /var/spool, /var/run. +allow $1_t var_t:dir r_dir_perms; +allow $1_t var_t:notdevfile_class_set r_file_perms; +allow $1_t var_spool_t:dir r_dir_perms; +allow $1_t var_spool_t:notdevfile_class_set r_file_perms; +allow $1_t var_run_t:dir r_dir_perms; +allow $1_t var_run_t:{ file lnk_file } r_file_perms; +allow $1_t var_lib_t:dir r_dir_perms; +allow $1_t var_lib_t:file { getattr read }; + +read_sysctl($1_t) + +# Read /etc. +allow $1_t etc_t:dir r_dir_perms; +allow $1_t etc_t:notdevfile_class_set r_file_perms; +allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms; + +# for running depmod as part of the kernel packaging process +allow $1_t modules_conf_t:file { getattr read }; + +# Read man directories and files. +allow $1_t man_t:dir r_dir_perms; +allow $1_t man_t:notdevfile_class_set r_file_perms; + +# Allow users to rw usb devices +if (user_rw_usb) { +rw_dir_create_file($1_t,usbdevfs_t) +} else { +r_dir_file($1_t,usbdevfs_t) +} + +r_dir_file($1_t,sysfs_t) + +# Read /dev directories and any symbolic links. +allow $1_t device_t:dir r_dir_perms; +allow $1_t device_t:lnk_file r_file_perms; + +# Do not audit write denials to /etc/ld.so.cache. +dontaudit $1_t ld_so_cache_t:file write; + +# Execute from the system shared libraries. 
+uses_shlib($1_t); + +# $1_t is also granted permissions specific to user domains. +user_domain($1) + +dontaudit $1_t sysadm_home_t:file { read append }; + +ifdef(`syslogd.te', ` +# Some programs that are left in $1_t will try to connect +# to syslogd, but we do not want to let them generate log messages. +# Do not audit. +dontaudit $1_t devlog_t:sock_file { read write }; +dontaudit $1_t syslogd_t:unix_dgram_socket sendto; +') + +# Stop warnings about access to /dev/console +dontaudit $1_t init_t:fd use; +dontaudit $1_t initrc_t:fd use; +allow $1_t initrc_t:fifo_file write; +ifdef(`user_can_mount', ` +# +# Allow users to mount file systems like floppies and cdrom +# +mount_domain($1, $1_mount, `, fs_domain') +r_dir_file($1_t, mnt_t) +allow $1_mount_t device_t:lnk_file read; +allow $1_mount_t removable_device_t:blk_file read; +allow $1_mount_t iso9660_t:filesystem relabelfrom; +allow $1_mount_t removable_t:filesystem { mount relabelto }; +allow $1_mount_t removable_t:dir mounton; +ifdef(`xdm.te', ` +allow $1_mount_t xdm_t:fd use; +allow $1_mount_t xdm_t:fifo_file { read write }; +') +') + +# +# Rules used to associate a homedir as a mountpoint +# +allow $1_home_t self:filesystem associate; +allow $1_file_type $1_home_t:filesystem associate; +') + +undefine(`in_user_role') +define(`in_user_role', ` +role user_r types $1; +role staff_r types $1; +') + diff --git a/strict/mls b/strict/mls new file mode 100644 index 0000000..3126db6 --- /dev/null +++ b/strict/mls 
@@ -0,0 +1,742 @@ +# +# Define sensitivities +# +# Each sensitivity has a name and zero or more aliases. +# +sensitivity s0; +sensitivity s1; +sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; +sensitivity s7; +sensitivity s8; +sensitivity s9; + + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; +category c14; +category c15; +category c16; +category c17; +category c18; +category c19; +category c20; +category c21; +category c22; +category c23; +category c24; +category c25; +category c26; +category c27; +category c28; +category c29; +category c30; +category c31; +category c32; +category c33; +category c34; +category c35; +category c36; +category c37; +category c38; +category c39; +category c40; +category c41; +category c42; +category c43; +category c44; +category c45; +category c46; +category c47; +category c48; +category c49; +category c50; +category c51; +category c52; +category c53; +category c54; +category c55; +category c56; +category c57; +category c58; +category c59; +category c60; +category c61; +category c62; +category c63; +category c64; +category c65; +category c66; +category c67; +category c68; +category c69; +category c70; +category c71; +category c72; +category c73; +category c74; +category c75; +category c76; +category c77; +category c78; +category c79; +category c80; +category c81; +category c82; +category c83; +category c84; +category c85; +category c86; +category c87; +category c88; +category c89; +category c90; +category c91; +category c92; +category c93; +category c94; +category c95; +category c96; +category c97; +category c98; +category c99; +category c100; 
+category c101; +category c102; +category c103; +category c104; +category c105; +category c106; +category c107; +category c108; +category c109; +category c110; +category c111; +category c112; +category c113; +category c114; +category c115; +category c116; +category c117; +category c118; +category c119; +category c120; +category c121; +category c122; +category c123; +category c124; +category c125; +category c126; +category c127; + + +# +# Each MLS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +level s0:c0 . c127; +level s1:c0 . c127; +level s2:c0 . c127; +level s3:c0 . c127; +level s4:c0 . c127; +level s5:c0 . c127; +level s6:c0 . c127; +level s7:c0 . c127; +level s8:c0 . c127; +level s9:c0 . c127; + + +# +# Define the MLS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +# +# MLS policy for the file classes +# + +# make sure these file classes are "single level" +mlsconstrain { file lnk_file fifo_file } { create relabelto } + ( l2 eq h2 ); + +# new file labels must be dominated by the relabeling subject's clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto + 
( h1 dom h2 ); + +# the file "read" ops (note the check is dominance of the low level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain dir search + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread ) or + ( t2 == mlstrustedobject )); + +# the "single level" file "write" ops +mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# the "ranged" file "write" ops +mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain dir { add_name remove_name reparent rmdir } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# these access vectors have no MLS restrictions +# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } +# +# file { execute_no_trans entrypoint } + +# the file upgrade/downgrade rule +mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file } + ((( l1 eq l2 ) or + (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( h1 eq h2 ) or + (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); 
+ +# create can also require the upgrade/downgrade checks if the creating process +# has used setfscreate (note that both the high and low level of the object +# default to the process' sensitivity level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create + ((( l1 eq l2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( l1 eq h2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); + + + + +# +# MLS policy for the filesystem class +# + +# new filesystem labels must be dominated by the relabeling subject's clearance +mlsconstrain filesystem relabelto + ( h1 dom h2 ); + +# the filesystem "read" ops (implicit single level) +mlsconstrain filesystem { getattr quotaget } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread )); + +# all the filesystem "write" ops (implicit single level) +mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite )); + +# these access vectors have no MLS restrictions +# filesystem { transition associate } + + + + +# +# MLS policy for the socket classes +# + +# new socket labels must be dominated by the relabeling subject's clearance +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto + ( h1 dom h2 ); + +# the socket "read" ops (note the check is dominance of the low level) +mlsconstrain { socket tcp_socket udp_socket rawip_socket 
netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { tcp_socket unix_stream_socket } acceptfrom + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +# the socket "write" ops +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +# these access vectors have no MLS restrictions +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock 
append bind sendto send_msg name_bind } +# +# { tcp_socket udp_socket rawip_socket } node_bind +# +# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write +# + + + + +# +# MLS policy for the ipc classes +# + +# the ipc "read" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { getattr read unix_read } + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +mlsconstrain msg receive + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +# the ipc "write" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msgq enqueue + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain shm lock + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msg send + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +# these access vectors have no MLS restrictions +# { ipc sem msgq shm } associate + + + + +# +# MLS policy for the fd class +# + +# these access vectors have no MLS restrictions +# fd use + + + + +# +# MLS policy for the node class +# + +# these access vectors have no MLS restrictions +# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } + + + + +# +# MLS policy for the netif class +# + +# these access vectors have no MLS restrictions +# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } + + + + +# +# MLS policy for the process class +# + +# new process labels must be dominated by the relabeling subject's clearance +# and 
sensitivity level changes require privilege +mlsconstrain process transition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or + (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); +mlsconstrain process dyntransition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); + +# all the process "read" ops +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (( l1 dom l2 ) or + (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsprocread )); + +# all the process "write" ops (note the check is equality on the low level) +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } + (( l1 eq l2 ) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsprocwrite )); + +# these access vectors have no MLS restrictions +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh} + + + + +# +# MLS policy for the security class +# + +# these access vectors have no MLS restrictions +# security * + + + + +# +# MLS policy for the system class +# + +# these access vectors have no MLS restrictions +# system * + + + + +# +# MLS policy for the capability class +# + +# these access vectors have no MLS restrictions +# capability * + + + + +# +# MLS policy for the passwd class +# + +# these access vectors have no MLS restrictions +# passwd * + + + + +# +# MLS policy for the drawable class +# + +# the drawable "read" ops (implicit single level) +mlsconstrain drawable { getattr copy } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the drawable "write" ops (implicit single level) +mlsconstrain drawable { create destroy draw copy } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the gc class +# + +# the gc "read" ops (implicit single level) +mlsconstrain gc getattr 
+ (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the gc "write" ops (implicit single level) +mlsconstrain gc { create free setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the window class +# + +# the window "read" ops (implicit single level) +mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the window "write" ops (implicit single level) +mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# window { map unmap } + + + + +# +# MLS policy for the font class +# + +# the font "read" ops (implicit single level) +mlsconstrain font { load getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the font "write" ops (implicit single level) +mlsconstrain font free + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# font use + + + + +# +# MLS policy for the colormap class +# + +# the colormap "read" ops (implicit single level) +mlsconstrain colormap { list read getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the colormap "write" ops (implicit single level) +mlsconstrain colormap { create free install uninstall store setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 
domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the property class +# + +# the property "read" ops (implicit single level) +mlsconstrain property { read } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the property "write" ops (implicit single level) +mlsconstrain property { create free write } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the cursor class +# + +# the cursor "write" ops (implicit single level) +mlsconstrain cursor { create createglyph free assign setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xclient class +# + +# the xclient "write" ops (implicit single level) +mlsconstrain xclient kill + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xinput class +# + +# the xinput "read" ops (implicit single level) +mlsconstrain xinput { lookup getattr mousemotion } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xinput "write" ops (implicit single level) +mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xserver class +# + +# the xserver "read" ops (implicit single level) +mlsconstrain xserver { gethostlist getfontpath getattr screensaver } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xserver "write" ops (implicit single level) +mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) 
and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xextension class +# + +# the xextension "read" ops (implicit single level) +mlsconstrain xextension query + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xextension "write" ops (implicit single level) +mlsconstrain xextension use + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the pax class +# + +# these access vectors have no MLS restrictions +# pax { pageexec emutramp mprotect randmmap randexec segmexec } + + + + +# +# MLS policy for the dbus class +# + +# these access vectors have no MLS restrictions +# dbus { acquire_svc send_msg } + + + + +# +# MLS policy for the nscd class +# + +# these access vectors have no MLS restrictions +# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } + + + + +# +# MLS policy for the association class +# + +# these access vectors have no MLS restrictions +# association { sendto recvfrom } + diff --git a/strict/net_contexts b/strict/net_contexts new file mode 100644 index 0000000..acf0301 --- /dev/null +++ b/strict/net_contexts 
@@ -0,0 +1,262 @@ +# FLASK + +# +# Security contexts for network entities +# If no context is specified, then a default initial SID is used. +# + +# Modified by Reino Wallin +# Multi NIC, and IPSEC features + +# Modified by Russell Coker +# ifdefs to encapsulate domains, and many additional port contexts + +# +# Port numbers (default = initial SID "port") +# +# protocol number context +# protocol low-high context +# +ifdef(`inetd.te', ` +portcon tcp 7 system_u:object_r:inetd_child_port_t +portcon udp 7 system_u:object_r:inetd_child_port_t +portcon tcp 9 system_u:object_r:inetd_child_port_t +portcon udp 9 system_u:object_r:inetd_child_port_t +portcon tcp 13 system_u:object_r:inetd_child_port_t +portcon udp 13 system_u:object_r:inetd_child_port_t +portcon tcp 19 system_u:object_r:inetd_child_port_t +portcon udp 19 system_u:object_r:inetd_child_port_t +portcon tcp 37 system_u:object_r:inetd_child_port_t +portcon udp 37 system_u:object_r:inetd_child_port_t +portcon tcp 113 system_u:object_r:inetd_child_port_t +portcon tcp 512 system_u:object_r:inetd_child_port_t +portcon tcp 543 system_u:object_r:inetd_child_port_t +portcon tcp 544 system_u:object_r:inetd_child_port_t +portcon tcp 891 system_u:object_r:inetd_child_port_t +portcon udp 891 system_u:object_r:inetd_child_port_t +portcon tcp 892 system_u:object_r:inetd_child_port_t +portcon udp 892 system_u:object_r:inetd_child_port_t +portcon tcp 2105 system_u:object_r:inetd_child_port_t +') +ifdef(`ftpd.te', ` +portcon tcp 20 system_u:object_r:ftp_data_port_t +portcon tcp 21 system_u:object_r:ftp_port_t +') +ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t') +ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t') +ifdef(`mta.te', ` +portcon tcp 25 system_u:object_r:smtp_port_t +portcon tcp 465 system_u:object_r:smtp_port_t +portcon tcp 587 system_u:object_r:smtp_port_t +') +ifdef(`use_dns', ` +portcon udp 53 system_u:object_r:dns_port_t +portcon tcp 53 system_u:object_r:dns_port_t +') 
+ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t') +ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t') +ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t') +ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t') +ifdef(`apache.te', ` +portcon tcp 80 system_u:object_r:http_port_t +portcon tcp 443 system_u:object_r:http_port_t +') +ifdef(`use_pop', ` +portcon tcp 106 system_u:object_r:pop_port_t +portcon tcp 109 system_u:object_r:pop_port_t +portcon tcp 110 system_u:object_r:pop_port_t +') +ifdef(`portmap.te', ` +portcon udp 111 system_u:object_r:portmap_port_t +portcon tcp 111 system_u:object_r:portmap_port_t +') +ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t') +ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t') +ifdef(`samba.te', ` +portcon tcp 137 system_u:object_r:smbd_port_t +portcon udp 137 system_u:object_r:nmbd_port_t +portcon tcp 138 system_u:object_r:smbd_port_t +portcon udp 138 system_u:object_r:nmbd_port_t +portcon tcp 139 system_u:object_r:smbd_port_t +portcon udp 139 system_u:object_r:nmbd_port_t +portcon tcp 445 system_u:object_r:smbd_port_t +') +ifdef(`use_pop', ` +portcon tcp 143 system_u:object_r:pop_port_t +portcon tcp 220 system_u:object_r:pop_port_t +') +ifdef(`snmpd.te', ` +portcon udp 161 system_u:object_r:snmp_port_t +portcon udp 162 system_u:object_r:snmp_port_t +portcon tcp 199 system_u:object_r:snmp_port_t +') +ifdef(`comsat.te', ` +portcon udp 512 system_u:object_r:comsat_port_t +') +ifdef(`slapd.te', ` +portcon tcp 389 system_u:object_r:ldap_port_t +portcon udp 389 system_u:object_r:ldap_port_t +portcon tcp 636 system_u:object_r:ldap_port_t +portcon udp 636 system_u:object_r:ldap_port_t +') +ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t') +ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t') +ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t') +ifdef(`syslogd.te', ` +portcon udp 514 
system_u:object_r:syslogd_port_t +') +ifdef(`ktalkd.te', ` +portcon udp 517 system_u:object_r:ktalkd_port_t +portcon udp 518 system_u:object_r:ktalkd_port_t +') +ifdef(`cups.te', ` +portcon tcp 631 system_u:object_r:ipp_port_t +portcon udp 631 system_u:object_r:ipp_port_t +') +portcon tcp 88 system_u:object_r:kerberos_port_t +portcon udp 88 system_u:object_r:kerberos_port_t +portcon tcp 464 system_u:object_r:kerberos_admin_port_t +portcon udp 464 system_u:object_r:kerberos_admin_port_t +portcon tcp 749 system_u:object_r:kerberos_admin_port_t +portcon tcp 750 system_u:object_r:kerberos_port_t +portcon udp 750 system_u:object_r:kerberos_port_t +portcon tcp 4444 system_u:object_r:kerberos_master_port_t +portcon udp 4444 system_u:object_r:kerberos_master_port_t +ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') +ifdef(`rsync.te', ` +portcon tcp 873 system_u:object_r:rsync_port_t +portcon udp 873 system_u:object_r:rsync_port_t +') +ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t') +ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t') +ifdef(`use_pop', ` +portcon tcp 993 system_u:object_r:pop_port_t +portcon tcp 995 system_u:object_r:pop_port_t +portcon tcp 1109 system_u:object_r:pop_port_t +') +ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t') +ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t') +ifdef(`radius.te', ` +portcon udp 1645 system_u:object_r:radius_port_t +portcon udp 1646 system_u:object_r:radacct_port_t +portcon udp 1812 system_u:object_r:radius_port_t +portcon udp 1813 system_u:object_r:radacct_port_t +') +ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t') +ifdef(`gatekeeper.te', ` +portcon udp 1718 system_u:object_r:gatekeeper_port_t +portcon udp 1719 system_u:object_r:gatekeeper_port_t +portcon tcp 1721 system_u:object_r:gatekeeper_port_t +portcon tcp 7000 system_u:object_r:gatekeeper_port_t +') +ifdef(`asterisk.te', ` +portcon tcp 1720 
system_u:object_r:asterisk_port_t +portcon udp 2427 system_u:object_r:asterisk_port_t +portcon udp 2727 system_u:object_r:asterisk_port_t +portcon udp 4569 system_u:object_r:asterisk_port_t +portcon udp 5060 system_u:object_r:asterisk_port_t +') +portcon tcp 2000 system_u:object_r:mail_port_t +ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t') +ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t') +ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t') +ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t') +ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t') +ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t') +ifdef(`imazesrv.te',` +portcon tcp 5323 system_u:object_r:imaze_port_t +portcon udp 5323 system_u:object_r:imaze_port_t +') +ifdef(`howl.te', ` +portcon tcp 5335 system_u:object_r:howl_port_t +portcon udp 5353 system_u:object_r:howl_port_t +') +ifdef(`jabberd.te', ` +portcon tcp 5222 system_u:object_r:jabber_client_port_t +portcon tcp 5223 system_u:object_r:jabber_client_port_t +portcon tcp 5269 system_u:object_r:jabber_interserver_port_t +') +ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t') +ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t') +ifdef(`xdm.te', ` +portcon tcp 5900 system_u:object_r:vnc_port_t +') +ifdef(`use_x_ports', ` +portcon tcp 6000 system_u:object_r:xserver_port_t +portcon tcp 6001 system_u:object_r:xserver_port_t +portcon tcp 6002 system_u:object_r:xserver_port_t +portcon tcp 6003 system_u:object_r:xserver_port_t +portcon tcp 6004 system_u:object_r:xserver_port_t +portcon tcp 6005 system_u:object_r:xserver_port_t +portcon tcp 6006 system_u:object_r:xserver_port_t +portcon tcp 6007 system_u:object_r:xserver_port_t +portcon tcp 6008 system_u:object_r:xserver_port_t +portcon tcp 6009 system_u:object_r:xserver_port_t +portcon tcp 6010 system_u:object_r:xserver_port_t +portcon tcp 6011 
system_u:object_r:xserver_port_t +portcon tcp 6012 system_u:object_r:xserver_port_t +portcon tcp 6013 system_u:object_r:xserver_port_t +portcon tcp 6014 system_u:object_r:xserver_port_t +portcon tcp 6015 system_u:object_r:xserver_port_t +portcon tcp 6016 system_u:object_r:xserver_port_t +portcon tcp 6017 system_u:object_r:xserver_port_t +portcon tcp 6018 system_u:object_r:xserver_port_t +portcon tcp 6019 system_u:object_r:xserver_port_t +') +ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t') +ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t') +ifdef(`sound-server.te', ` +portcon tcp 8000 system_u:object_r:soundd_port_t +# 9433 is for YIFF +portcon tcp 9433 system_u:object_r:soundd_port_t +') +ifdef(`use_http_cache', ` +portcon tcp 3128 system_u:object_r:http_cache_port_t +portcon tcp 8080 system_u:object_r:http_cache_port_t +portcon udp 3130 system_u:object_r:http_cache_port_t +') +ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t') +ifdef(`amanda.te', ` +portcon udp 10080 system_u:object_r:amanda_port_t +portcon tcp 10080 system_u:object_r:amanda_port_t +portcon udp 10081 system_u:object_r:amanda_port_t +portcon tcp 10081 system_u:object_r:amanda_port_t +portcon tcp 10082 system_u:object_r:amanda_port_t +portcon tcp 10083 system_u:object_r:amanda_port_t +') +ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t') + +# Defaults for reserved ports. Earlier portcon entries take precedence; +# these entries just cover any remaining reserved ports not otherwise +# declared or omitted due to removal of a domain. 
+portcon tcp 1-1023 system_u:object_r:reserved_port_t +portcon udp 1-1023 system_u:object_r:reserved_port_t + +# Network interfaces (default = initial SID "netif" and "netmsg") +# +# interface netif_context default_msg_context +# +netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t +netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t +netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t +netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t +netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t +netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t +netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t +netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t + +# Nodes (default = initial SID "node") +# +# address mask context +# +nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t +nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t +nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t +nodecon ff00:: ff00:: system_u:object_r:node_multicast_t +nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t +nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t +nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t +nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t + +# FLASK diff --git a/strict/rbac b/strict/rbac new file mode 100644 index 0000000..708f70d --- /dev/null +++ b/strict/rbac 
@@ -0,0 +1,33 @@ +################################################ +# +# Role-based access control (RBAC) configuration. +# + +# The RBAC configuration was originally centralized in this +# file, but has been decomposed into individual role declarations, +# role allow rules, and role transition rules throughout the TE +# configuration to support easy removal or adding of domains without +# modifying a centralized file each time. This also allowed the macros +# to properly instantiate role declarations and rules for domains. +# Hence, this file is largely unused, except for miscellaneous +# role allow rules. + +######################################## +# +# Role allow rules. +# +# A role allow rule specifies the allowable +# transitions between roles on an execve. +# If no rule is specified, then the change in +# roles will not be permitted. Additional +# controls over role transitions based on the +# type of the process may be specified through +# the constraints file. +# +# The syntax of a role allow rule is: +# allow current_role new_role ; +# +# Allow the admin role to transition to the system +# role for run_init. +# +allow sysadm_r system_r; diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun new file mode 100644 index 0000000..00b6eca --- /dev/null +++ b/strict/tunables/distro.tun @@ -0,0 +1,14 @@ +# Distro-specific customizations. + +# Comment out all but the one that matches your distro. +# The policy .te files can then wrap distro-specific customizations with +# appropriate ifdefs. + + +define(`distro_redhat') + +dnl define(`distro_suse') + +dnl define(`distro_gentoo') + +dnl define(`distro_debian') diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun new file mode 100644 index 0000000..bd8b797 --- /dev/null +++ b/strict/tunables/tunable.tun 
@@ -0,0 +1,31 @@ +# Allow users to execute the mount command +define(`user_can_mount') + +# Allow rpm to run unconfined. +#define(`unlimitedRPM') + +# Allow privileged utilities like hotplug and insmod to run unconfined. +#define(`unlimitedUtils') + +# Allow rc scripts to run unconfined, including any daemon +# started by an rc script that does not have a domain transition +# explicitly defined. +#define(`unlimitedRC') + +# Allow sysadm_t to directly start daemons +define(`direct_sysadm_daemon') + +# Do not audit things that we know to be broken but which +# are not security risks +define(`hide_broken_symptoms') + +# Allow user_r to reach sysadm_r via su, sudo, or userhelper. +# Otherwise, only staff_r can do so. +define(`user_canbe_sysadm') + +# Allow xinetd to run unconfined, including any services it starts +# that do not have a domain transition explicitly defined. +dnl define(`unlimitedInetd') + +# for ndc_t to be used for restart shell scripts +dnl define(`ndc_shell_script') diff --git a/strict/types/device.te b/strict/types/device.te new file mode 100644 index 0000000..35836e2 --- /dev/null +++ b/strict/types/device.te 
@@ -0,0 +1,156 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Device types +# + +# +# device_t is the type of /dev. +# +type device_t, file_type, dev_fs; + +# +# null_device_t is the type of /dev/null. +# +type null_device_t, device_type, dev_fs, mlstrustedobject; + +# +# zero_device_t is the type of /dev/zero. +# +type zero_device_t, device_type, dev_fs, mlstrustedobject; + +# +# console_device_t is the type of /dev/console. +# +type console_device_t, device_type, dev_fs; + +# +# xconsole_device_t is the type of /dev/xconsole +type xconsole_device_t, file_type, dev_fs; + +# +# memory_device_t is the type of /dev/kmem, +# /dev/mem, and /dev/port. +# +type memory_device_t, device_type, dev_fs; + +# +# random_device_t is the type of /dev/random +# urandom_device_t is the type of /dev/urandom +# +type random_device_t, device_type, dev_fs; +type urandom_device_t, device_type, dev_fs; + +# +# devtty_t is the type of /dev/tty. +# +type devtty_t, device_type, dev_fs, mlstrustedobject; + +# +# tty_device_t is the type of /dev/*tty* +# +type tty_device_t, serial_device, device_type, dev_fs; + +# +# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] +type bsdpty_device_t, device_type, dev_fs; + +# +# usbtty_device_t is the type of /dev/usr/tty* +# +type usbtty_device_t, serial_device, device_type, dev_fs; + +# +# printer_device_t is the type for printer devices +# +type printer_device_t, device_type, dev_fs; + +# +# fixed_disk_device_t is the type of +# /dev/hd* and /dev/sd*. +# +type fixed_disk_device_t, device_type, dev_fs; + +# +# scsi_generic_device_t is the type of /dev/sg* +# it gives access to ALL SCSI devices (both fixed and removable) +# +type scsi_generic_device_t, device_type, dev_fs; + +# +# removable_device_t is the type of +# /dev/scd* and /dev/fd*. +# +type removable_device_t, device_type, dev_fs; + +# +# clock_device_t is the type of +# /dev/rtc. 
+# +type clock_device_t, device_type, dev_fs; + +# +# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* +# +type tun_tap_device_t, device_type, dev_fs; + +# +# misc_device_t is the type of miscellaneous devices. +# XXX: FIXME! Appropriate access to these devices need to be identified. +# +type misc_device_t, device_type, dev_fs; + +# +# A more general type for mouse devices. +# +type mouse_device_t, device_type, dev_fs; + +# +# For generic /dev/input/event* event devices +# +type event_device_t, device_type, dev_fs; + +# +# Not sure what these devices are for, but X wants access to them. +# +type agp_device_t, device_type, dev_fs; +type dri_device_t, device_type, dev_fs; + +# Type for sound devices. +type sound_device_t, device_type, dev_fs; + +# Type for /dev/ppp. +type ppp_device_t, device_type, dev_fs; + +# Type for frame buffer /dev/fb/* +type framebuf_device_t, device_type, dev_fs; + +# Type for /dev/.devfsd +type devfs_control_t, device_type, dev_fs; + +# Type for /dev/cpu/mtrr +type mtrr_device_t, device_type, dev_fs; + +# Type for /dev/pmu +type power_device_t, device_type, dev_fs; + +# Type for /dev/apm_bios +type apm_bios_t, device_type, dev_fs; + +# Type for v4l +type v4l_device_t, device_type, dev_fs; + +# tape drives +type tape_device_t, device_type, dev_fs; + +# scanners +type scanner_device_t, device_type, dev_fs; + +# cpu control devices /dev/cpu/0/* +type cpu_device_t, device_type, dev_fs; + +# for other device nodes such as the NVidia binary-only driver +type xserver_misc_device_t, device_type, dev_fs; diff --git a/strict/types/devpts.te b/strict/types/devpts.te new file mode 100644 index 0000000..b50cd55 --- /dev/null +++ b/strict/types/devpts.te 
@@ -0,0 +1,21 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Devpts types +# + +# +# ptmx_t is the type for /dev/ptmx. +# +type ptmx_t, sysadmfile, device_type, dev_fs; + +# +# devpts_t is the type of the devpts file system and +# the type of the root directory of the file system. +# +type devpts_t, fs_type; + + diff --git a/strict/types/file.te b/strict/types/file.te new file mode 100644 index 0000000..0df034a --- /dev/null +++ b/strict/types/file.te 
@@ -0,0 +1,321 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +####################################### +# +# General file-related types +# + +# +# unlabeled_t is the type of unlabeled objects. +# Objects that have no known labeling information or that +# have labels that are no longer valid are treated as having this type. +# +type unlabeled_t, sysadmfile; + +# +# fs_t is the default type for conventional filesystems. +# +type fs_t, fs_type; + +# needs more work +type eventpollfs_t, fs_type; +type futexfs_t, fs_type; +type bdev_t, fs_type; +type usbfs_t, fs_type; +type nfsd_fs_t, fs_type; +type rpc_pipefs_t, fs_type; +type binfmt_misc_fs_t, fs_type; + +# +# file_t is the default type of a file that has not yet been +# assigned an extended attribute (EA) value (when using a filesystem +# that supports EAs). +# +type file_t, file_type, sysadmfile; + +# default_t is the default type for files that do not +# match any specification in the file_contexts configuration +# other than the generic /.* specification. +type default_t, file_type, sysadmfile; + +# +# root_t is the type for the root directory. +# +type root_t, file_type, sysadmfile; + +# +# mnt_t is the type for mount points such as /mnt/cdrom +type mnt_t, file_type, sysadmfile; + +# +# home_root_t is the type for the directory where user home directories +# are created +# +type home_root_t, file_type, sysadmfile; + +# +# lost_found_t is the type for the lost+found directories. +# +type lost_found_t, file_type, sysadmfile; + +# +# boot_t is the type for files in /boot, +# including the kernel. +# +type boot_t, file_type, sysadmfile; +# system_map_t is for the system.map files in /boot +type system_map_t, file_type, sysadmfile; + +# +# boot_runtime_t is the type for /boot/kernel.h, +# which is automatically generated at boot time. +# only for red hat +type boot_runtime_t, file_type, sysadmfile; + +# +# tmp_t is the type of /tmp and /var/tmp. 
+# +type tmp_t, file_type, sysadmfile, tmpfile; + +# +# etc_t is the type of the system etc directories. +# +type etc_t, file_type, sysadmfile; + +# +# shadow_t is the type of the /etc/shadow file +# +type shadow_t, file_type, secure_file_type; +allow auth shadow_t:file { getattr read }; + +# +# ld_so_cache_t is the type of /etc/ld.so.cache. +# +type ld_so_cache_t, file_type, sysadmfile; + +# +# etc_runtime_t is the type of various +# files in /etc that are automatically +# generated during initialization. +# +type etc_runtime_t, file_type, sysadmfile; + +# +# fonts_runtime_t is the type of various +# fonts files in /usr that are automatically +# generated during initialization. +# +type fonts_t, file_type, sysadmfile, usercanread; + +# +# etc_aliases_t is the type of the aliases database. +# +type etc_aliases_t, file_type, sysadmfile; + +# net_conf_t is the type of the /etc/resolv.conf file. +# all DHCP clients and PPP need write access to this file. +type net_conf_t, file_type, sysadmfile; + +# +# lib_t is the type of files in the system lib directories. +# +type lib_t, file_type, sysadmfile; + +# +# shlib_t is the type of shared objects in the system lib +# directories. +# +ifdef(`targeted_policy', ` +typealias lib_t alias shlib_t; +', ` +type shlib_t, file_type, sysadmfile; +') + +# +# texrel_shlib_t is the type of shared objects in the system lib +# directories, which require text relocation. +# +type texrel_shlib_t, file_type, sysadmfile; + +# ld_so_t is the type of the system dynamic loaders. +# +type ld_so_t, file_type, sysadmfile; + +# +# bin_t is the type of files in the system bin directories. +# +type bin_t, file_type, sysadmfile; + +# +# cert_t is the type of files in the system certs directories. +# +type cert_t, file_type, sysadmfile, secure_file_type; + +# +# ls_exec_t is the type of the ls program. +# +type ls_exec_t, file_type, exec_type, sysadmfile; + +# +# shell_exec_t is the type of user shells such as /bin/bash. 
+# +type shell_exec_t, file_type, exec_type, sysadmfile; + +# +# sbin_t is the type of files in the system sbin directories. +# +type sbin_t, file_type, sysadmfile; + +# +# usr_t is the type for /usr. +# +type usr_t, file_type, sysadmfile; + +# +# src_t is the type of files in the system src directories. +# +type src_t, file_type, sysadmfile; + +# +# var_t is the type for /var. +# +type var_t, file_type, sysadmfile; + +# +# Types for subdirectories of /var. +# +type var_run_t, file_type, sysadmfile; +type var_log_t, file_type, sysadmfile, logfile; +type faillog_t, file_type, sysadmfile, logfile; +type var_lock_t, file_type, sysadmfile, lockfile; +type var_lib_t, file_type, sysadmfile; +# for /var/{spool,lib}/texmf index files +type tetex_data_t, file_type, sysadmfile, tmpfile; +type var_spool_t, file_type, sysadmfile, tmpfile; +type var_yp_t, file_type, sysadmfile; + +# Type for /var/log/ksyms. +type var_log_ksyms_t, file_type, sysadmfile, logfile; + +# Type for /var/log/lastlog. +type lastlog_t, file_type, sysadmfile, logfile; + +# Type for /var/lib/nfs. +type var_lib_nfs_t, file_type, sysadmfile, usercanread; + +# +# wtmp_t is the type of /var/log/wtmp. +# +type wtmp_t, file_type, sysadmfile, logfile; + +# +# catman_t is the type for /var/catman. +# +type catman_t, file_type, sysadmfile, tmpfile; + +# +# cron_spool_t is the type for /var/spool/cron. +# +type cron_spool_t, file_type, sysadmfile; + +# +# print_spool_t is the type for /var/spool/lpd and /var/spool/cups. +# +type print_spool_t, file_type, sysadmfile, tmpfile; + +# +# mail_spool_t is the type for /var/spool/mail. +# +type mail_spool_t, file_type, sysadmfile; + +# +# mqueue_spool_t is the type for /var/spool/mqueue. +# +type mqueue_spool_t, file_type, sysadmfile; + +# +# man_t is the type for the man directories. +# +type man_t, file_type, sysadmfile; + +# +# readable_t is a general type for +# files that are readable by all domains. 
+# +type readable_t, file_type, sysadmfile; + +# +# Base type for the tests directory. +# +type test_file_t, file_type, sysadmfile; + +# +# poly_t is the type for the polyinstantiated directories. +# +type poly_t, file_type, sysadmfile; + +# +# swapfile_t is for swap files +# +type swapfile_t, file_type, sysadmfile; + +# +# locale_t is the type for system localization +# +type locale_t, file_type, sysadmfile; + +# +# Allow each file type to be associated with +# the default file system type. +# +allow { file_type device_type ttyfile } fs_t:filesystem associate; +ifdef(`distro_redhat', ` +allow { dev_fs ttyfile } tmpfs_t:filesystem associate; +') + +# Allow the pty to be associated with the file system. +allow devpts_t self:filesystem associate; + +type tmpfs_t, file_type, sysadmfile, fs_type; +allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; + +type autofs_t, fs_type, noexattrfile, sysadmfile; +allow autofs_t self:filesystem associate; + +type usbdevfs_t, fs_type, noexattrfile, sysadmfile; +allow usbdevfs_t self:filesystem associate; + +type sysfs_t, fs_type, sysadmfile; +allow sysfs_t self:filesystem associate; + +type iso9660_t, fs_type, noexattrfile, sysadmfile; +allow iso9660_t self:filesystem associate; + +type romfs_t, fs_type, sysadmfile; +allow romfs_t self:filesystem associate; + +type ramfs_t, fs_type, sysadmfile; +allow ramfs_t self:filesystem associate; + +type dosfs_t, fs_type, noexattrfile, sysadmfile; +allow dosfs_t self:filesystem associate; + +# udev_runtime_t is the type of the udev table file +type udev_runtime_t, file_type, sysadmfile; + +# krb5_conf_t is the type of the /etc/krb5.conf file +type krb5_conf_t, file_type, sysadmfile; + +type cifs_t, fs_type, noexattrfile, sysadmfile; +allow cifs_t self:filesystem associate; +typealias cifs_t alias sambafs_t; + +# removable_t is the default type of all removable media +type removable_t, file_type, sysadmfile, usercanread; +allow removable_t self:filesystem associate; +allow file_type 
removable_t:filesystem associate; +allow file_type noexattrfile:filesystem associate; + + diff --git a/strict/types/network.te b/strict/types/network.te new file mode 100644 index 0000000..39666ee --- /dev/null +++ b/strict/types/network.te 
@@ -0,0 +1,122 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +# Modified by Reino Wallin +# Multi NIC, and IPSEC features + +# Modified by Russell Coker +# Move port types to their respective domains, add ifdefs, other cleanups. + +# generally we do not want to define port types in this file, but some things +# are insanely difficult to do elsewhere, xserver_port_t is a good example +# getting the type defined is the easy part for X, conditional code for many +# other domains (including one that starts with a) is the hard part. +ifdef(`xdm.te', `define(`use_x_ports')') +ifdef(`startx.te', `define(`use_x_ports')') +ifdef(`xauth.te', `define(`use_x_ports')') +ifdef(`xserver.te', `define(`use_x_ports')') +ifdef(`use_x_ports', ` +type xserver_port_t, port_type; +') +# +# Defines used by the te files need to be defined outside of net_constraints +# +ifdef(`named.te', `define(`use_dns')') +ifdef(`nsd.te', `define(`use_dns')') +ifdef(`tinydns.te', `define(`use_dns')') +ifdef(`dnsmasq.te', `define(`use_dns')') +ifdef(`use_dns', ` +type dns_port_t, port_type; +') + +ifdef(`dhcpd.te', `define(`use_dhcpd')') +ifdef(`dnsmasq.te', `define(`use_dhcpd')') +ifdef(`use_dhcpd', ` +type dhcpd_port_t, port_type; +') + +ifdef(`cyrus.te', `define(`use_pop')') +ifdef(`courier.te', `define(`use_pop')') +ifdef(`perdition.te', `define(`use_pop')') +ifdef(`dovecot.te', `define(`use_pop')') +ifdef(`uwimapd.te', `define(`use_pop')') +ifdef(`use_pop', ` +type pop_port_t, port_type, reserved_port_type; +') +ifdef(`apache.te', `define(`use_http_cache')') +ifdef(`squid.te', `define(`use_http_cache')') +ifdef(`use_http_cache', ` +type http_cache_port_t, port_type; +') + +ifdef(`dhcpd.te', `define(`use_pxe')') +ifdef(`pxe.te', `define(`use_pxe')') + +############################################ +# +# Network types +# + +# +# mail_port_t is for generic mail ports shared by different mail servers +# +type mail_port_t, port_type; + +# +# Ports used to communicate with kerberos server +# 
+type kerberos_port_t, port_type, reserved_port_type; +type kerberos_admin_port_t, port_type, reserved_port_type; +type kerberos_master_port_t, port_type; + +# +# port_t is the default type of INET port numbers. +# The *_port_t types are used for specific port +# numbers in net_contexts or net_contexts.mls. +# +type port_t, port_type; + +# reserved_port_t is the default type for INET reserved ports +# that are not otherwise mapped to a specific port type. +type reserved_port_t, port_type; + +# +# netif_t is the default type of network interfaces. +# The netif_*_t types are used for specific network +# interfaces in net_contexts or net_contexts.mls. +# +type netif_t, netif_type; +type netif_eth0_t, netif_type; +type netif_eth1_t, netif_type; +type netif_eth2_t, netif_type; +type netif_lo_t, netif_type; +type netif_ippp0_t, netif_type; + +type netif_ipsec0_t, netif_type; +type netif_ipsec1_t, netif_type; +type netif_ipsec2_t, netif_type; + +# +# node_t is the default type of network nodes. +# The node_*_t types are used for specific network +# nodes in net_contexts or net_contexts.mls. +# +type node_t, node_type; +type node_lo_t, node_type; +type node_internal_t, node_type; +type node_inaddr_any_t, node_type; +type node_unspec_t, node_type; +type node_link_local_t, node_type; +type node_site_local_t, node_type; +type node_multicast_t, node_type; +type node_mapped_ipv4_t, node_type; +type node_compat_ipv4_t, node_type; + +# Kernel-generated traffic, e.g. ICMP replies. +allow kernel_t netif_type:netif { rawip_send rawip_recv }; +allow kernel_t node_type:node { rawip_send rawip_recv }; + +# Kernel-generated traffic, e.g. TCP resets. +allow kernel_t netif_type:netif { tcp_send tcp_recv }; +allow kernel_t node_type:node { tcp_send tcp_recv }; diff --git a/strict/types/nfs.te b/strict/types/nfs.te new file mode 100644 index 0000000..154a65b --- /dev/null +++ b/strict/types/nfs.te 
@@ -0,0 +1,22 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################# +# +# NFS types +# + +# +# nfs_t is the default type for NFS file systems +# and their files. +# The nfs_*_t types are used for specific NFS +# servers in net_contexts or net_contexts.mls. +# +type nfs_t, fs_type; + +# +# Allow NFS files to be associated with an NFS file system. +# +allow nfs_t self:filesystem associate; +allow file_type nfs_t:filesystem associate; diff --git a/strict/types/procfs.te b/strict/types/procfs.te new file mode 100644 index 0000000..0cab0fa --- /dev/null +++ b/strict/types/procfs.te 
@@ -0,0 +1,50 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Procfs types +# + +# +# proc_t is the type of /proc. +# proc_kmsg_t is the type of /proc/kmsg. +# proc_kcore_t is the type of /proc/kcore. +# proc_mdstat_t is the type of /proc/mdstat. +# proc_net_t is the type of /proc/net. +# +type proc_t, fs_type, proc_fs; +type proc_kmsg_t, proc_fs; +type proc_kcore_t, proc_fs; +type proc_mdstat_t, proc_fs; +type proc_net_t, proc_fs; + +# +# sysctl_t is the type of /proc/sys. +# sysctl_fs_t is the type of /proc/sys/fs. +# sysctl_kernel_t is the type of /proc/sys/kernel. +# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe. +# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug. +# sysctl_net_t is the type of /proc/sys/net. +# sysctl_net_unix_t is the type of /proc/sys/net/unix. +# sysctl_vm_t is the type of /proc/sys/vm. +# sysctl_dev_t is the type of /proc/sys/dev. +# sysctl_rpc_t is the type of /proc/net/rpc. +# +# These types are applied to both the entries in +# /proc/sys and the corresponding sysctl parameters. +# +type sysctl_t, sysctl_type; +type sysctl_fs_t, sysctl_type; +type sysctl_kernel_t, sysctl_type; +type sysctl_modprobe_t, sysctl_type; +type sysctl_hotplug_t, sysctl_type; +type sysctl_net_t, sysctl_type; +type sysctl_net_unix_t, sysctl_type; +type sysctl_vm_t, sysctl_type; +type sysctl_dev_t, sysctl_type; +type sysctl_rpc_t, sysctl_type; +type sysctl_irq_t, sysctl_type; + + diff --git a/strict/types/security.te b/strict/types/security.te new file mode 100644 index 0000000..7bfd0bc --- /dev/null +++ b/strict/types/security.te 
@@ -0,0 +1,54 @@ +# +# Authors: Stephen Smalley and Timothy Fraser +# + +############################################ +# +# Security types +# + +# +# security_t is the target type when checking +# the permissions in the security class. It is also +# applied to selinuxfs inodes. +# +type security_t, fs_type; + +# +# policy_config_t is the type of /etc/security/selinux/* +# the security server policy configuration. +# +type policy_config_t, file_type; + +# +# policy_src_t is the type of the policy source +# files. +# +type policy_src_t, file_type, sysadmfile; + + +# +# default_context_t is the type applied to +# /etc/selinux/*/contexts/* +# +type default_context_t, file_type, sysadmfile, login_contexts; + +# +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files +# +type file_context_t, file_type, sysadmfile; + +# +# no_access_t is the type for objects that should +# only be accessed administratively. +# +type no_access_t, file_type, sysadmfile; + +# +# selinux_config_t is the type applied to +# /etc/selinux/config +# +type selinux_config_t, file_type, sysadmfile; + + diff --git a/strict/types/x.te b/strict/types/x.te new file mode 100644 index 0000000..0cee314 --- /dev/null +++ b/strict/types/x.te 
@@ -0,0 +1,32 @@ +# +# Authors: Eamon Walsh +# + +####################################### +# +# Types for the SELinux-enabled X Window System +# + +# +# X protocol extension types. The SELinux extension in the X server +# has a hardcoded table that maps actual extension names to these types. +# +type accelgraphics_ext_t, xextension; +type debug_ext_t, xextension; +type font_ext_t, xextension; +type input_ext_t, xextension; +type screensaver_ext_t, xextension; +type security_ext_t, xextension; +type shmem_ext_t, xextension; +type std_ext_t, xextension; +type sync_ext_t, xextension; +type unknown_ext_t, xextension; +type video_ext_t, xextension; +type windowmgr_ext_t, xextension; + +# +# X property types. The SELinux extension in the X server has a +# hardcoded table that maps actual extension names to these types. +# +type wm_property_t, xproperty; +type unknown_property_t, xproperty; diff --git a/strict/users b/strict/users new file mode 100644 index 0000000..dac2092 --- /dev/null +++ b/strict/users 
@@ -0,0 +1,50 @@ +################################## +# +# User configuration. +# +# This file defines each user recognized by the system security policy. +# Only the user identities defined in this file may be used as the +# user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ level default_level range allowed_range ]; +# +# The MLS default level and allowed range should only be specified if +# MLS was enabled in the policy. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system_u, +# and a user process should never be assigned the system_u user +# identity. +# +user system_u roles system_r; + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +user user_u roles { user_r }; + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# + +# The sysadm_r user also needs to be permitted system_r if we are to allow +# direct execution of daemons +user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') }; + +# sample for administrative user +#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; + +# sample for regular user +#user jdoe roles { user_r };
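Review bot: in strict/types/file.te the comment above `type fonts_t` describes `fonts_runtime_t` ("fonts files in /usr that are automatically generated during initialization"), so either the comment or the declared name is stale; align them, since the declaration as written (`fonts_t` with `usercanread`) reads as a static font directory rather than runtime-generated content. `boot_runtime_t` is commented "only for red hat" but is declared unconditionally, unlike the `ifdef(`distro_redhat', ...)` used further down for the tmpfs associate rule; either wrap it the same way or drop the comment. `allow auth shadow_t:file { getattr read };` is a permission rule inside a types file: every domain carrying the `auth` attribute gains read on /etc/shadow from here, which is easy to miss when auditing the domain files, so a comment stating what `auth` is meant to cover (or moving the rule next to the attribute's declaration) would help. Finally, `tmpfs_t` is used in that `distro_redhat` associate rule before `type tmpfs_t` is declared a few lines later; declaring it first keeps the file readable top to bottom.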
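Review bot: in strict/types/network.te `dns_port_t` and `dhcpd_port_t` are declared with only `port_type`, while `pop_port_t` and `kerberos_port_t` also carry `reserved_port_type`; DNS (53) and DHCP (67/68) are privileged ports, and `reserved_port_t` is documented in this same file as the default for reserved ports "not otherwise mapped", so confirm the omission is deliberate and say why in a comment if it is. The `use_pxe` define is set from `dhcpd.te` and `pxe.te` but nothing in this file consumes it; a one-line comment naming the file that does would stop the next reader from removing it as dead.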
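Review bot: in strict/types/procfs.te `sysctl_irq_t` is declared but missing from the comment block that indexes the sysctl types (the list ends at `sysctl_rpc_t`); add its path entry so the header stays a complete index of the declarations below it, which is how the `proc_*_t` block above is documented.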
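Review bot: in strict/types/security.te the `policy_config_t` comment points at `/etc/security/selinux/*` while the other entries in the same file (`default_context_t`, `file_context_t`, `selinux_config_t`) use the `/etc/selinux/*` layout; update the path. `policy_config_t` is also the only file type in this file declared without `sysadmfile`; if that is intentional, a one-line comment is warranted, because every neighbouring declaration has the attribute and a reader will assume it was dropped by mistake.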
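Review bot: in strict/types/x.te the comment above the `xproperty` declarations says the server's table "maps actual extension names to these types"; it was copied from the `xextension` block above and should say property names, since `wm_property_t` and `unknown_property_t` are property types.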