diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ff405e7..eb1fa16 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,6 @@
+- Make logrotate, sendmail, sshd, and rpm policies
+  unconfined in the targeted policy so no special
+  modules.conf is required.
 - Add experimental MCS support.
 - Add appconfig for MLS.
 - Add equivalents for old can_resolve(), can_ldap(), and
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index e2bebb5..a03a9fd 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -27,7 +27,9 @@
 #OUTPUT_POLICY = 18
 
 # Policy Type
-# strict, targeted, strict-mls, targeted-mls
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
 TYPE = strict
 
 # Policy Name
@@ -45,6 +47,13 @@ NAME = refpolicy
 # Fedora users should enable redhat.
 #DISTRO = redhat
 
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=n
+
 # Build monolithic policy.  Putting n here
 # will build a loadable module policy.
 MONOLITHIC=y
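Review bot: The comment introducing `DIRECT_INITRC` misspells "requiring" as "requring" and does not say what is given up when the option is set. Since the option removes the `run_init` step for the admin role, the comment should state that `n` is the restrictive default and `y` a deliberate relaxation, for example `# Setting this to y lets sysadm run init scripts directly instead of requiring run_init; leave it at n unless that is intended.` The value is fixed at build time, so it is also worth naming the define it produces (`-D direct_sysadm_daemon` in `M4PARAM`, set in a later hunk of this file).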
@@ -139,6 +148,10 @@ ifeq ($(NAME),)
 	NAME := $(TYPE)
 endif
 
+ifeq ($(DIRECT_INITRC),y)
+	override M4PARAM += -D direct_sysadm_daemon
+endif
+
 # determine the policy version and current kernel version if possible
 PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
 KV := $(shell cat /selinux/policyvers)
diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example
deleted file mode 100644
index 7f14aca..0000000
--- a/refpolicy/policy/modules.conf.targeted_example
+++ /dev/null
@@ -1,493 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from  being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module.  "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: system
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-# 
-rpm = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-# 
-logrotate = off
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-# 
-consoletype = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-# 
-acct = module
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-# 
-tmpreaper = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-# 
-updfstab = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = off
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-# 
-quota = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-# 
-firstboot = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-# 
-gpg = off
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-# 
-loadkeys = module
-
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-# 
-remotelogin = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-# 
-nscd = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-# 
-nis = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-# 
-sendmail = off
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = off
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-# 
-cron = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-# 
-inetd = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-# 
-kerberos = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-# 
-mta = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-# 
-mysql = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-# 
-tcpd = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-# 
-rshd = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-# 
-ldap = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-# 
-gpm = module
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-# 
-howl = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-# 
-rsync = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-# 
-privoxy = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-# 
-bind = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Layer: system
-# Module: corecommands
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Layer: system
-# Module: hotplug
-#
-# Policy for hotplug system, for supporting the
-# connection and disconnection of devices at runtime.
-# 
-hotplug = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 5ddfe4b..b5bc065 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -6,9 +6,10 @@ policy_module(logrotate,1.0)
 # Declarations
 #
 
-type logrotate_t; #, priv_system_role
+type logrotate_t;
 domain_type(logrotate_t)
 domain_obj_id_change_exempt(logrotate_t)
+domain_system_change_exempt(logrotate_t)
 role system_r types logrotate_t;
 
 type logrotate_exec_t;
@@ -126,6 +127,10 @@ ifdef(`distro_debian', `
 	can_exec(logrotate_t, logrotate_exec_t)
 ')
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(logrotate_t)
+')
+
 optional_policy(`acct.te',`
 	acct_domtrans(logrotate_t)
 	acct_manage_data(logrotate_t)
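Review bot: The new targeted_policy block that calls `unconfined_domain_template(logrotate_t)` carries no comment, so the module now reads as a confined domain whose rules are silently superseded; the same applies to the blocks added in rpm.te, sendmail.te and ssh.te. Judging from the alias list removed in unconfined.te, these domains were previously aliases of `unconfined_t`, so the privilege is presumably unchanged, but that history is not visible from the module itself. A comment such as `# targeted: domain is intentionally unconfined; replaces the former typealias to unconfined_t` would make the intent explicit. For sshd_t in particular, which faces the network, a TODO noting that it is a candidate for confinement in targeted policy would help later reviewers.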
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 1da113f..9939948 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -169,6 +169,10 @@ sysnet_read_config(rpm_t)
 
 userdom_use_unpriv_users_fd(rpm_t)
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(rpm_t)
+')
+
 optional_policy(`cron.te',`
 	cron_system_entry(rpm_t,rpm_exec_t)
 ')
@@ -310,11 +314,8 @@ seutil_domtrans_restorecon(rpm_script_t)
 
 userdom_use_all_user_fd(rpm_script_t)
 
-# this should be tunable_policy, but
-# typeattribute does not work in conditionals
-ifdef(`unlimitedRPM',`
+ifdef(`targeted_policy',`
 	unconfined_domain_template(rpm_t)
-	unconfined_domain_template(rpm_script_t)
 ')
 
 tunable_policy(`allow_execmem',`
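Review bot: The block that replaces the unlimitedRPM conditional calls `unconfined_domain_template(rpm_t)` again, although it sits among the rpm_script_t rules and an identical targeted_policy block for rpm_t was already added in the earlier hunk of this file. This looks like a copy-paste slip: the removed code also covered rpm_script_t, and unconfined.te drops rpm_script_t from the `unconfined_t` alias list in this same commit, so in targeted policy rpm_script_t would now be left with only its strict rules. If package scriptlets are meant to stay unconfined, the line should read `unconfined_domain_template(rpm_script_t)`; if confining them is intended, the duplicate block should be removed and the Changelog should say so. The surrounding rpm_script_t section starts before this hunk.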
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 07b9a03..8481397 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -220,3 +220,20 @@ interface(`dbus_send_system_bus_msg',`
 
 	allow $1 system_dbusd_t:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
+	')
+
+	allow $1 system_dbusd_t:dbus *;
+')
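Review bot: The summary of `dbus_system_bus_unconfined` should spell out that the rule grants every permission in the dbus class on system_dbusd_t, not only message sending, so a caller does not pick it where `dbus_send_system_bus_msg` (just above) would do. The gen_require names `all_dbus_perms` while the allow rule uses `*`; using one form in both places would make it obvious they are meant to match. Suggested summary text: `Allow all dbus class permissions on the system bus; intended for unconfined domains only.`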
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 5524cc8..f1438ed 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -15,7 +15,7 @@ files_type(dbusd_etc_t)
 
 type system_dbusd_t alias dbusd_t;
 type system_dbusd_exec_t;
-init_daemon_domain(system_dbusd_t,system_dbusd_exec_t)
+init_system_domain(system_dbusd_t,system_dbusd_exec_t)
 
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 61e6238..0ac4b5f 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -102,7 +102,8 @@ mta_rw_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	unconfined_domain_template(sendmail_t)
 	term_dontaudit_use_unallocated_tty(sendmail_t)
 	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index fe1f7c9..8935f68 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -72,6 +72,10 @@ auth_exec_pam(sshd_t)
 
 seutil_read_config(sshd_t)
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 2d53cc0..7ee474b 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -12,12 +12,6 @@ policy_module(corecommands,1.0)
 type bin_t;
 files_type(bin_t)
 
-ifdef(`targeted_policy',`
-	# Define some type aliases to help with compatibility with
-	# macros and domains from the "strict" policy.
-	typealias bin_t alias su_exec_t;
-')
-
 #
 # sbin_t is the type of files in the system sbin directories.
 #
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1b1028c..1b08279 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2568,8 +2568,6 @@ interface(`files_manage_generic_spools',`
 interface(`files_unconfined',`
 	gen_require(`
 		attribute file_type;
-		class unix_stream_socket name_bind;
-		class unix_dgram_socket name_bind;
 	')
 
 	# Create/access any file in a labeled filesystem;
@@ -2582,4 +2580,10 @@ interface(`files_unconfined',`
 	# Bind to any network address.
 	# cjp: need to check this, I dont think this has any effect.
 	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`allow_execmod',`
+			allow $1 file_type:file execmod;
+		')
+	')
 ')
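Review bot: After this change the gen_require of `files_unconfined` lists only `attribute file_type`, yet the body uses the unix_stream_socket and unix_dgram_socket classes in the name_bind rule and now the file class with `execmod`. Other hunks in this commit add class requirements (unconfined.if, userdomain.if), so dropping them here looks inconsistent; if the removal is deliberate a short comment saying why would help, otherwise `class file execmod;` and the two socket lines belong in the require block. The new rule also applies to every `file_type` for every caller of the interface when allow_execmod is on, which deserves a comment like `# targeted: text relocation allowed on any labeled file when allow_execmod is set`. The interface body begins in the previous hunk.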
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 59eb383..82d9f6e 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -9,6 +9,11 @@
 ## </param>
 #
 template(`unconfined_domain_template',`
+	gen_require(`
+		class dbus all_dbus_perms;
+		class nscd all_nscd_perms;
+		class passwd all_passwd_perms;
+	')
 
 	# Use any Linux capability.
 	allow $1 self:capability *;
@@ -52,6 +57,11 @@ template(`unconfined_domain_template',`
 		bootloader_manage_kernel_modules($1)
 	')
 
+	optional_policy(`dbus.te', `
+		# Communicate via dbusd.
+		dbus_system_bus_unconfined($1)
+	')
+
 	optional_policy(`nscd.te', `
 		nscd_unconfined($1)
 	')
@@ -67,20 +77,12 @@ template(`unconfined_domain_template',`
 
 	ifdef(`TODO',`
 	if (allow_execmod) {
-		ifdef(`targeted_policy', `
-			allow $1 file_type:file execmod;
-		', `
+		ifdef(`targeted_policy', `', `
 			# Allow text relocations on system shared libraries, e.g. libGL.
 			allow $1 texrel_shlib_t:file execmod;
 			allow $1 home_type:file execmod;
 		')
 	}
-
-	ifdef(`dbusd.te', `
-		# Communicate via dbusd.
-		allow $1 system_dbusd_t:dbus *;
-	')
-
 	') dnl end TODO
 ')
 
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 80a543d..7def5d0 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,14 +25,14 @@ ifdef(`targeted_policy',`
 
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
-	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+	# cjp: remove xdm_t when we get to that module
+	typealias unconfined_t alias { secadm_t sysadm_t xdm_t };
 
 	init_domtrans_script(unconfined_t)
 
 	userdom_unconfined(unconfined_t)
 
 	ifdef(`TODO',`
-	#cjp: why is this needed?
 	ifdef(`samba.te', `samba_domain(user)')
 	') dnl end TODO
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 721e51a..4656bb4 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -731,6 +731,10 @@ template(`unpriv_user_template', `
 ## </param>
 #
 template(`admin_user_template',`
+	gen_require(`
+		class passwd { passwd chfn chsh rootok crontab };
+	')
+
 	##############################
 	#
 	# Declarations
@@ -743,9 +747,10 @@ template(`admin_user_template',`
 	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;
 
-	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
-	#; dnl end of sysadm_t type declaration
-
+	ifdef(`direct_sysadm_daemon',`
+		domain_system_change_exempt($1_t)
+	')
+	
 	typeattribute $1_devpts_t admin_terminal;
 
 	typeattribute $1_tty_device_t admin_terminal;
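Review bot: `domain_system_change_exempt($1_t)` is added inside admin_user_template, so with direct_sysadm_daemon defined every domain created through this template receives the exemption, while the Makefile describes DIRECT_INITRC as affecting sysadm only. If other admin roles are instantiated from the template, that is a wider grant than documented; either state it in a comment, e.g. `# DIRECT_INITRC: applies to every admin domain built from this template`, or move the exemption to wherever sysadm itself is instantiated. The added blank line at the end of the block also contains a stray tab. The template body extends beyond both ends of this hunk.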
diff --git a/tools/regression.sh b/tools/regression.sh
index 0979a05..db3e42b 100755
--- a/tools/regression.sh
+++ b/tools/regression.sh
@@ -1,16 +1,15 @@
 #!/bin/bash
 
 DISTROS="redhat gentoo debian suse"
-STRICT_TYPES="strict strict-mls strict-mcs"
-TARG_TYPES="targeted targeted-mls targeted-mcs"
+TYPES="strict strict-mls strict-mcs targeted targeted-mls targeted-mcs"
 POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
 SETFILES="/usr/sbin/setfiles"
 
 do_test() {
 	local OPTS=""
 
-	for i in $STRICT_TYPES; do
-		OPTS="TYPE=$i QUIET=@"
+	for i in $TYPES; do
+		OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		make bare || exit 1
 		echo "**** Options: $OPTS ****"
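Review bot: With `DIRECT_INITRC=y` hard-coded into `OPTS`, the regression run no longer builds the configuration the Makefile ships by default (`DIRECT_INITRC=n`), so a breakage in the default, more restrictive build would go unnoticed. Looping over both values would cover it; a minimal form is an inner `for d in n y; do` around the loop body with `OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=$d"`. The loop body continues in the next hunk.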
@@ -19,19 +18,6 @@ do_test() {
 		make $OPTS file_contexts || exit 1
 		$SETFILES -q -c policy.$POLVER file_contexts || exit 1
 	done
-
-	# need a specific config for targeted policy
-	for i in $TARG_TYPES; do
-		OPTS="TYPE=$i QUIET=@"
-		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
-		make bare || exit 1
-		echo "**** Options: $OPTS ****"
-		cp policy/modules.conf.targeted_example policy/modules.conf
-		make $OPTS conf || exit 1
-		make $OPTS || exit 1
-		make $OPTS file_contexts || exit 1
-		$SETFILES -q -c policy.$POLVER file_contexts|| exit 1
-	done
 }
 
 # first to generic test