diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 3199861..b96f390 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -322,7 +322,7 @@ gen_tunable(user_ping,false)
 # Strict policy specific
 #
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 ##
 ##

 ## Allow gpg executable stack
@@ -346,6 +346,14 @@ gen_tunable(allow_user_mysql_connect,false)
 ##
 ##

+## Allows clients to write to the X server shared
+## memory segments.
+##

+##
+gen_tunable(allow_write_xshm,false)
+
+##
+##

 ## Allow cdrecord to read various content.
 ## nfs, samba, removable devices, user temp
 ## and untrusted content files
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index d32cc95..effd249 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -48,6 +48,9 @@ template(`java_per_userdomain_template',`
 type $1_javaplugin_tmp_t;
 files_tmp_file($1_javaplugin_tmp_t)
+
+ type $1_javaplugin_tmpfs_t;
+ files_tmpfs_file($1_javaplugin_tmpfs_t)
 ########################################
 #
@@ -67,6 +70,13 @@ template(`java_per_userdomain_template',`
 allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
 files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
+ allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 # cjp: rw_dir_perms here doesnt make sense
 allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
 allow $1_javaplugin_t $1_home_t:file rw_file_perms;
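Review bot: `allow_write_xshm` is declared in what appears to be the `# Strict policy specific` block (the preceding hunk turns its guard into `ifdef(`strict_policy',`), but the `tunable_policy(`allow_write_xshm',` reference in `xserver_user_client_template` (xserver.if, this commit) carries no such guard, and that template is expanded from `base_user_template` for every user domain. If those templates are also expanded under a targeted policy, the boolean is referenced without ever being declared; either declare the tunable outside the strict-only block or wrap the `tunable_policy` block in the same `ifdef(`strict_policy',`.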
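Review bot: The five `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:...` rules added after `files_filetrans_tmp` spell their permission sets out by hand, while the parallel ssh.if hunk in this same commit expresses the same tmpfs access with the policy's named sets (`rw_dir_perms`, `manage_file_perms`, `create_lnk_perms`). Presumably the spelled-out sets are meant to match those macros, in which case the two files will drift the first time a named set is changed; the same applies to the tvtime.if hunk. Suggest `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir rw_dir_perms;`, `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file manage_file_perms;`, `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file create_lnk_perms;` and the equivalent for sock_file and fifo_file. The enclosing template starts and ends outside the hunk.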
@@ -164,21 +174,7 @@ template(`java_per_userdomain_template',`
 nscd_socket_use($1_javaplugin_t)
 ')
- ifdef(`TODO',`
- # Manipulate the global font cache
- create_dir_file($1, $2_fonts_cache_t)
-
- # Read per user fonts and font config
- r_dir_file($1, $2_fonts_t)
- r_dir_file($1, $2_fonts_config_t)
-
- # There are some fonts in .gnome2
- ifdef(`gnome.te', `
- allow $1 $2_gnome_settings_t:dir { getattr search };
+ optional_policy(`xserver',`
+ xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 ')
-
- allow $1_javaplugin_t $1_xauth_home_t:file { getattr read };
- # Connect to X server
- x_client_domain($1_javaplugin, $2)
- ') dnl end TODO
 ')
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
index ae2a228..7281785 100644
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -50,6 +50,9 @@ template(`tvtime_per_userdomain_template',`
 type $1_tvtime_tmp_t;
 files_tmp_file($1_tvtime_tmp_t)
+
+ type $1_tvtime_tmpfs_t;
+ files_tmpfs_file($1_tvtime_tmpfs_t)
 ########################################
 #
@@ -71,7 +74,13 @@ template(`tvtime_per_userdomain_template',`
 allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
 allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
 files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
- fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+ allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Type transition
 domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
@@ -133,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
 fs_manage_cifs_symlinks($1_tvtime_t)
 ')
- ifdef(`TODO',`
- x_client_domain($1_tvtime, $1)
+ optional_policy(`xserver',`
+ xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index d4bfca2..c12cc52 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -59,11 +59,14 @@ template(`ssh_per_userdomain_template',`
 domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
 role $3 types $1_ssh_agent_t;
- type $1_ssh_keysign_t; #, nscd_client_domain;
+ type $1_ssh_keysign_t;
 domain_type($1_ssh_keysign_t)
 domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
 role $3 types $1_ssh_keysign_t;
+ type $1_ssh_tmpfs_t;
+ files_tmpfs_file($1_ssh_tmpfs_t)
+
 ##############################
 #
 # $1_ssh_t local policy
@@ -82,6 +85,13 @@ template(`ssh_per_userdomain_template',`
 allow $1_ssh_t self:msg { send receive };
 allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+ fs_filetrans_tmpfs($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 # Transition from the user domain to the derived domain.
 domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
 allow $2 $1_ssh_t:fd use;
@@ -211,6 +221,7 @@ template(`ssh_per_userdomain_template',`
 ')
 optional_policy(`xserver',`
+ xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
 xserver_domtrans_user_xauth($1,$1_ssh_t)
 ')
@@ -232,15 +243,9 @@ template(`ssh_per_userdomain_template',`
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
- # Inherit and use descriptors from gnome-pty-helper.
- ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)
- # Connect to X server
- x_client_domain($1_ssh, $1)
-
 #allow ssh to access keys stored on removable media
 # Should we have a boolean around this?
 files_search_mnt($1_ssh_t)
@@ -610,6 +615,26 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 ########################################
 ##

+## Connect to SSH daemons over TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_tcp_connect',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:tcp_socket { connectto recvfrom };
+ allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
+
+########################################
+##
 ## Read ssh server keys
 ##
 ##
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index a2cf69c..49de4bc 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -1,5 +1,17 @@
 ## X Windows Server
+#######################################
+##
+## Template to create types and rules common to
+## all X server domains.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
 template(`xserver_common_domain_template',`
 ##############################
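Review bot: `ssh_tcp_connect` is documented purely from the client's side ("Connect to SSH daemons over TCP sockets"), but its second rule, `allow sshd_t $1:tcp_socket { acceptfrom recvfrom };`, adds a permission to sshd_t, so every caller of this interface also widens the daemon's policy toward the calling domain; that should be stated where callers (the `optional_policy(`ssh',` block of `xserver_user_client_template` in this commit) will read it. Suggest adding to the description: `## Also allows sshd_t to accept and receive from the domain's TCP sockets, as needed for X forwarding over an ssh tunnel.` The `kernel_tcp_recvfrom($1)` call inside the interface also makes the separate `kernel_tcp_recvfrom($2)` that precedes `ssh_tcp_connect($2)` in xserver.if redundant; one of the two can go.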
@@ -404,6 +416,160 @@ template(`xserver_per_userdomain_template',`
 ')
 ')
+#######################################
+##
+## Template for creating sessions on a
+## prefix X server, with read-only
+## access to the X server shared
+## memory segments.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the domain SYSV tmpfs files.
+##
+##
+#
+template(`xserver_ro_session_template',`
+ gen_require(`
+ type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+ ')
+
+ # Xserver read/write client shm
+ allow $1_xserver_t $2:fd use;
+ allow $1_xserver_t $2:shm rw_shm_perms;
+ allow $1_xserver_t $3:file rw_file_perms;
+
+ # Connect to xserver
+ allow $2 $1_xserver_t:unix_stream_socket connectto;
+ allow $2 $1_xserver_t:process signal;
+
+ # Read /tmp/.X0-lock
+ allow $2 $1_xserver_tmp_t:file { getattr read };
+
+ # Client read xserver shm
+ allow $2 $1_xserver_t:fd use;
+ allow $2 $1_xserver_t:shm r_shm_perms;
+ allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+')
+
+#######################################
+##
+## Template for creating sessions on a
+## prefix X server, with read and write
+## access to the X server shared
+## memory segments.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the domain SYSV tmpfs files.
+##
+##
+#
+template(`xserver_rw_session_template',`
+ gen_require(`
+ type $1_xserver_t, $1_xserver_tmpfs_t;
+ ')
+
+ xserver_ro_session_template($1,$2,$3)
+ allow $2 $1_xserver_t:shm rw_shm_perms;
+ allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+##
+## Template for creating full client sessions
+## on a user X server.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the domain SYSV tmpfs files.
+##
+##
+#
+template(`xserver_user_client_template',`
+
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
+ type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+ allow $2 $1_xauth_home_t:file { getattr read };
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_tmp_t:dir search;
+ allow $2 xdm_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+ files_search_tmp($2)
+
+ miscfiles_read_fonts($2)
+
+ userdom_search_user_home($1,$2)
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_files($1,$2)
+
+ xserver_ro_session_template(xdm,$2,$3)
+ xserver_rw_session_template($1,$2,$3)
+
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $2 $1_xserver_t:shm rw_shm_perms;
+ allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ ')
+
+ # for X over a ssh tunnel
+ optional_policy(`ssh',`
+ kernel_tcp_recvfrom($2)
+ ssh_tcp_connect($2)
+ ')
+
+ ifdef(`TODO',`
+ # cjp: need to implement the user-specific fonts part
+ read_fonts($2, $1)
+ ')
+')
+
 ########################################
 ##
 ## Transition to a user Xauthority domain.
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index dacf9aa..248032d 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
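Review bot: The `allow_write_xshm` tunable in `xserver_user_client_template` never gates anything: `xserver_rw_session_template($1,$2,$3)` is called unconditionally a few lines above the `tunable_policy` block, and that template already grants exactly the two rules the block repeats (`allow $2 $1_xserver_t:shm rw_shm_perms;` and `allow $2 $1_xserver_tmpfs_t:file rw_file_perms;`), so every client domain gets write access to the user X server's shared memory even with the boolean left at its default of false. The unconditional call should be `xserver_ro_session_template($1,$2,$3)`, leaving the two rw rules inside `tunable_policy(`allow_write_xshm',` as the only path to them, which is also what the xdm line just above it (`xserver_ro_session_template(xdm,$2,$3)`) already does. Separately, `kernel_tcp_recvfrom($2)` in the `optional_policy(`ssh',` block duplicates the call that `ssh_tcp_connect` makes internally; one of them can be dropped.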
@@ -276,8 +276,7 @@ ifdef(`strict_policy',`
 auth_domtrans_chk_passwd(xdm_t)
 auth_domtrans_pam_console(xdm_t)
- # FIXME:
- # xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+ xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 tunable_policy(`xdm_sysadm_login',`
 userdom_xsession_spec_domtrans_all_users(xdm_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 82c0117..cef0ee7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -245,7 +245,6 @@ template(`base_user_template',`
 logging_dontaudit_getattr_all_logs($1_t)
 miscfiles_read_localization($1_t)
- miscfiles_read_fonts($1_t)
 # for running TeX programs
 miscfiles_read_tetex_data($1_t)
 miscfiles_exec_tetex_data($1_t)
@@ -440,6 +439,7 @@ template(`base_user_template',`
 optional_policy(`xserver',`
 dev_rw_xserver_misc($1_t)
+ xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 xserver_xsession_entry_type($1_t)
 xserver_dontaudit_write_log($1_t)
 xserver_stream_connect_xdm($1_t)
@@ -474,27 +474,9 @@ template(`base_user_template',`
 can_resmgrd_connect($1_t)
- # Use X
- x_client_domain($1, $1)
-
 ifdef(`xdm.te', `
 allow $1_t xdm_var_lib_t:file r_file_perms;
 ')
-
- # start read_fonts()
- # cjp: these types come in from fontconfig
- # Manipulate the global font cache
- create_dir_file($1, $1_fonts_cache_t)
-
- # Read per user fonts and font config
- r_dir_file($1, $1_fonts_t)
- r_dir_file($1, $1_fonts_config_t)
-
- # There are some fonts in .gnome2
- ifdef(`gnome.te', `
- allow $1 $2_gnome_settings_t:dir { getattr search };
- ')
- # end read_fonts()
 ') dnl endif TODO
 ')
@@ -1392,6 +1374,39 @@ template(`userdom_dontaudit_read_user_home_files',`
 ########################################
 ##
+## Do not audit attempts to write user home files.
+##
+##
+##
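Review bot: Dropping `miscfiles_read_fonts($1_t)` from `base_user_template` in the first userdomain.if hunk moves font access into `xserver_user_client_template`, which is only expanded inside `optional_policy(`xserver',` in the second hunk, so a user domain built without the xserver module loses font reads that had no X dependency (the neighbouring `# for running TeX programs` rules suggest non-X consumers). Either keep `miscfiles_read_fonts($1_t)` unconditional in `base_user_template` or state in the commit message that fonts are now X-only. In the second hunk, passing `$1_tmpfs_t` as the third argument means `xserver_ro_session_template` grants `$1_xserver_t` and, through the `xserver_ro_session_template(xdm,...)` call, the xdm X server `rw_file_perms` on the user's entire tmpfs file type rather than a dedicated type like the `$1_ssh_tmpfs_t` and `$1_tvtime_tmpfs_t` types this commit introduces for the other clients; if that breadth is intended, a comment on the call would help. `base_user_template` starts and ends outside these hunks.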

+## Do not audit attempts to write user home files.
+##

+##

+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+template(`userdom_dontaudit_write_user_home_files',`
+ gen_require(`
+ type $1_home_t;
+ ')
+
+ dontaudit $2 $1_home_t:file write;
+')
+
+########################################
+##
 ## Read user home subdirectory symbolic links.
 ##
 ##
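Review bot: `userdom_dontaudit_write_user_home_files` silences `write` denials on every `$1_home_t` file for the calling domain, while its only caller in this commit (`xserver_user_client_template`, annotated `# for .xsession-errors`) wants to hide one noisy file; applied to the user_t, ssh, java and tvtime client domains it also removes any genuine home-file write denial from the audit log, which is the signal an administrator uses when tightening policy. If .xsession-errors is the only concern, a dedicated type for that file would keep other denials visible; otherwise the template's description should say what it masks. Suggest adding to the `<desc>`: `## Note: this hides all write denials on $1_home_t files, not just .xsession-errors.`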