diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index de09fa8..a2c072d 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -157,13 +157,13 @@ optional_policy(`fsadm.te', ` filesystemtools_execute(bootloader_t) ') -ifdef(`distro_debian', ` +tunable_policy(`distro_debian', ` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; allow bootloader_t boot_t:file relabelfrom; ') -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` files_make_mountpoint(bootloader_tmp_t) # for mke2fs @@ -204,7 +204,7 @@ allow lvm_t bootloader_tmp_t:file rw_file_perms; r_dir_file(bootloader_t, lvm_etc_t) ') -ifdef(`distro_debian', ` +tunable_policy(`distro_debian', ` allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; allow bootloader_t tmpfs_t:dir r_dir_perms; @@ -216,7 +216,7 @@ allow bootloader_t dpkg_var_lib_t:file { getattr read }; can_exec(bootloader_t, usr_t) ') -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` # new file system defaults to file_t, granting file_t access is still bad. allow bootloader_t file_t:dir create_dir_perms; allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 6bb4ff9..1b32933 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -277,7 +277,7 @@ optional_policy(`consoletype.te',` consoletype_transition(initrc_t) ') -ifdef(`distro_redhat',` +tunable_policy(`distro_redhat',` kernel_set_selinux_enforcement_mode(initrc_t) files_create_boot_flag(initrc_t) 
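Review bot: `` tunable_policy(`distro_debian', ` `` and `` tunable_policy(`distro_redhat', ` `` in this hunk turn build-time distro selectors into runtime booleans, and the same is done for distro_*, targeted_policy, direct_sysadm_daemon and hide_broken_symptoms in bootloader.te 204/216, init.te 277/326/339/375/445, locallogin.te 118, logging.te 120/163, mount.te 100, selinux.te and selinuxutil.te 343 and udev.te 108/119. Unless each of those names is declared as a policy boolean somewhere not shown here, tunable_policy has no boolean to test; and where it is declared, rules that used to be compiled only into the matching distro — `allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;` in the 216 hunk, whose own comment calls it bad, is the clearest case — become part of every build and can be switched on from a running system. Keep build-time choices as `` ifdef(`distro_debian', ` `` (likewise for the others) and reserve tunable_policy for conditions that are meant to be flipped at runtime.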
@@ -308,7 +308,7 @@ allow initrc_t home_type:file r_file_perms; allow initrc_t udev_runtime_t:file rw_file_perms; # for lsof in shutdown scripts -ifdef(`kerberos.te',` +optional_policy(`kerberos.te',` if (allow_kerberos) { can_network_client(initrc_t, `kerberos_port_t') can_resolve(initrc_t) @@ -326,12 +326,12 @@ allow initrc_t device_t:lnk_file unlink; # # These rules are here to allow init scripts to su # -ifdef(`su.te', ` +optional_policy(`su.te', ` su_restricted_domain(initrc,system) role system_r types initrc_su_t; ') -ifdef(`distro_debian', ` +tunable_policy(`distro_debian', ` allow initrc_t { etc_t device_t }:dir setattr; # for storing state under /dev/shm @@ -339,9 +339,9 @@ allow initrc_t tmpfs_t:dir setattr; file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; -') +')dnl end distro_debian -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. allow initrc_t boot_t:lnk_file rw_file_perms; @@ -375,7 +375,7 @@ dontaudit initrc_t proc_kmsg_t:file getattr; # Run_init local policy # -ifdef(`targeted_policy',` +tunable_policy(`targeted_policy',` # targeted/unconfined stuff ',` corecommands_execute_general_programs(run_init_t) @@ -426,7 +426,7 @@ files_ignore_search_all_directories(run_init_t) ifdef(`TODO',` -ifdef(`targeted_policy', ` +tunable_policy(`targeted_policy', ` domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; 
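Review bot: The kerberos block now wrapped in `` optional_policy(`kerberos.te',` `` still opens with a raw `if (allow_kerberos) {` conditional, while the rest of this commit expresses booleans through tunable_policy. allow_kerberos is a boolean owned by the kerberos module, so the consistent form is `` tunable_policy(`allow_kerberos',` `` around `` can_network_client(initrc_t, `kerberos_port_t') `` and `can_resolve(initrc_t)`, with a closing `')` in place of the `}`. The end of that if-block lies outside the hunk, so the closing edit is not visible here.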
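Review bot: The `` tunable_policy(`targeted_policy', ` `` conversion in the 426 hunk sits inside the `` ifdef(`TODO',` `` block shown at the top of the hunk, so it is inert until that block is dismantled (assuming TODO is never defined for a real build); the same holds for iptables.te 76, logging.te 163 and udev.te 119, whose hunks end with `') dnl ifdef TODO` / `') dnl endif TODO`. If these are meant as staging, a one-line comment at each converted block saying so would stop the next reader from expecting the rules to be active. If not, the rules here — `domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)` and the two dbus allows — need to move out of the TODO wrapper to take effect.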
@@ -445,7 +445,7 @@ allow run_init_t lib_t:file { getattr read }; ') dnl endif targeted policy -ifdef(`distro_gentoo', ` +tunable_policy(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) ') diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 908e274..ace0030 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -76,9 +76,11 @@ allow iptables_t userdomain:fd use; # Access terminals. allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') +optional_policy(`gnome-pty-helper.te',` +allow iptables_t sysadm_gph_t:fd use; +') -ifdef(`firstboot.te', ` +optional_policy(`firstboot.te', ` allow iptables_t firstboot_t:fifo_file write; ') ') dnl ifdef TODO diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index a90877b..3947470 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -75,11 +75,8 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms; # Read /dev directories and any symbolic links. allow local_login_t device_t:lnk_file r_file_perms; -ifdef(`pam.te', ` +optional_policy(`authlogin.te',` can_exec(local_login_t, pam_exec_t) -') - -ifdef(`pamconsole.te', ` rw_dir_create_file(local_login_t, pam_var_console_t) ') @@ -89,7 +86,7 @@ allow local_login_t autofs_t:dir { search read getattr }; allow local_login_t mnt_t:dir r_dir_perms; # FIXME: what is this for? -ifdef(`xdm.te', ` +optional_policy(`xdm.te', ` allow xdm_t local_login_t:process signull; ') 
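Review bot: The merged `` optional_policy(`authlogin.te',` `` block in locallogin.te 75 keeps `can_exec(local_login_t, pam_exec_t)` and `rw_dir_create_file(local_login_t, pam_var_console_t)`, which reach into authlogin's private types directly, while the udev.te hunk in this same commit goes through `authlogin_pam_console_transition(udev_t)` for its equivalent dependency. Under optional_policy the body should call authlogin interfaces for executing pam_exec_t and for read/create access to pam_var_console_t rather than naming the types, otherwise the module boundary optional_policy is meant to express is not really there. The interface names for those two accesses are not visible on this page, so they are not quoted.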
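Review bot: The only rule inside the new `` optional_policy(`xdm.te', ` `` in locallogin.te 86 is `allow xdm_t local_login_t:process signull;`, i.e. locallogin.te grants a permission to xdm's domain rather than to local_login_t, and the `# FIXME: what is this for?` above it is carried forward unanswered. In the interface model this commit moves toward, the rule belongs in xdm.te as a call to a locallogin interface (something like `locallogin_signull(xdm_t)` — a constructed name, not on this page), so xdm declares what it needs and locallogin only exports it. If nobody can say what the signull is for, leaving it out and watching for a denial is a safer way to find out than re-wrapping it.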
@@ -118,7 +115,7 @@ allow local_login_t mail_spool_t:lnk_file read; allow local_login_t mouse_device_t:chr_file { getattr setattr }; -ifdef(`targeted_policy',` +tunable_policy(`targeted_policy',` unconfined_domain(local_login_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) ') @@ -153,8 +150,9 @@ allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; -ifdef(`gpm.te', -`allow local_login_t gpmctl_t:sock_file { getattr setattr };') +optional_policy(`gpm.te',` +allow local_login_t gpmctl_t:sock_file { getattr setattr }; +') # Allow setting of attributes on sound devices. allow local_login_t sound_device_t:chr_file { getattr setattr }; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 05ba325..09f102a 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -120,11 +120,13 @@ filesystem_get_all_filesystems_attributes(syslogd_t) init_use_file_descriptors(syslogd_t) init_script_use_pseudoterminal(syslogd_t) +domain_use_widely_inheritable_file_descriptors(syslogd_t) + files_read_general_system_config(syslogd_t) files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file) files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file) files_create_private_tmp_data(syslogd_t,syslogd_tmp_t) -ifdef(`distro_suse', ` +tunable_policy(`distro_suse', ` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) ') 
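Review bot: `domain_use_widely_inheritable_file_descriptors(syslogd_t)` is added to live policy in logging.te 120 while the rule it appears to replace, `allow syslogd_t privfd:fd use;`, is removed from inside the `` ifdef(`TODO',` `` block in the 163 hunk; if TODO is not defined for the build, that allow was inert, so this is a net grant rather than a pure conversion. The commit record is not visible here to confirm that is intended. A short comment on the new line, `# replaces allow syslogd_t privfd:fd use from the TODO block`, would make the move traceable.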
@@ -153,9 +155,19 @@ kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) ') +optional_policy(`selinux.te',` +selinux_newrole_sigchld(syslogd_t) +') + optional_policy(`udev.te', ` udev_read_database(syslogd_t) -')dnl end if udev.te +') + +tunable_policy(`targeted_policy', ` +terminal_ignore_use_general_physical_terminal(syslogd_t) +terminal_ignore_use_general_pseudoterminal(syslogd_t) +files_ignore_read_rootfs_file(syslogd_t) +') ifdef(`TODO',` allow syslogd_t proc_t:dir r_dir_perms; @@ -163,19 +175,13 @@ allow syslogd_t proc_t:lnk_file read; allow syslogd_t null_device_t:chr_file r_file_perms; dontaudit syslogd_t unpriv_userdomain:fd use; allow syslogd_t autofs_t:dir { search getattr }; -allow syslogd_t privfd:fd use; dontaudit syslogd_t sysadm_home_dir_t:dir search; -ifdef(`newrole.te', `allow syslogd_t newrole_t:process sigchld;') -ifdef(`rhgb.te', ` +optional_policy(`rhgb.te', ` allow syslogd_t rhgb_t:process sigchld; allow syslogd_t rhgb_t:fd use; allow syslogd_t rhgb_t:fifo_file { read write }; ') -ifdef(`targeted_policy', ` -dontaudit syslogd_t { tty_device_t devpts_t }:chr_file { read write }; -dontaudit syslogd_t root_t:file { getattr read }; -')dnl end if targeted_policy -ifdef(`direct_sysadm_daemon', ` +tunable_policy(`direct_sysadm_daemon',` dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index adcf70e..56b4ec8 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te 
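Review bot: `` optional_policy(`selinux.te',` `` around `selinux_newrole_sigchld(syslogd_t)` names a module that this same commit patches twice, as selinux.te and as selinuxutil.te with an identical `index 54ddfd6..42f74c3` line, which looks like a rename in progress. If the module ends up as selinuxutil.te the optional block never matches and the sigchld rule that replaced `` ifdef(`newrole.te', `allow syslogd_t newrole_t:process sigchld;') `` silently disappears, reintroducing the denial it covered. In that case the wrapper should read `` optional_policy(`selinuxutil.te',` `` and the interface prefix should be checked against what that module actually exports.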
@@ -88,22 +88,10 @@ miscfiles_read_localization(insmod_t) logging_send_system_log_message(insmod_t) -define(`insmod_mount_optional_policy',` +optional_policy(`mount.te',` mount_transition(insmod_t) ') -######################################## -# -# Conditional policy logic -# - -ifdef(`monolithic_policy',` -ifdef(`mount.te',`insmod_mount_optional_policy') -',` -optional mount { mount_transition_depend } -ifopt (consoletype) { insmod_mount_optional_policy } -') dnl end monolithic_policy - # # # TODO rules: diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index af0b7b1..e983a4c 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -100,30 +100,30 @@ ifdef(`gnome-pty-helper.te', ` allow mount_t sysadm_gph_t:fd use; ') -ifdef(`distro_redhat',` -ifdef(`pamconsole.te',` +tunable_policy(`distro_redhat',` +optional_policy(`authlogin.te',` r_dir_file($2_t,pam_var_console_t) # mount config by default sets fscontext=removable_t allow $2_t dosfs_t:filesystem relabelfrom; -') dnl end pamconsole.te +') dnl end authlogin ') dnl end distro_redhat -ifdef(`rhgb.te', ` +optional_policy(`rhgb.te', ` allow mount_t rhgb_t:process sigchld; allow mount_t rhgb_t:fd use; allow mount_t rhgb_t:fifo_file { read write }; ') -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` allow mount_t tmpfs_t:chr_file { read write }; allow mount_t tmpfs_t:dir mounton; ') -ifdef(`automount.te', ` +optional_policy(`automount.te', ` allow mount_t autofs_t:dir read; ') -ifdef(`portmap.te', ` +optional_policy(`portmap.te', ` # for nfs can_network(mount_t) can_ypbind(mount_t) diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 54ddfd6..42f74c3 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te 
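Review bot: The rules inside the new `` tunable_policy(`distro_redhat',` `` / `` optional_policy(`authlogin.te',` `` nesting in mount.te 100 use `$2_t` as the subject — `r_dir_file($2_t,pam_var_console_t)` and `allow $2_t dosfs_t:filesystem relabelfrom;` — while every neighbouring rule in the hunk names `mount_t`. Unless this stretch is inside a macro definition that opens above the hunk (none is visible), `$2` expands to nothing at file scope and the rules come out with a bogus `_t` type, so they should read `r_dir_file(mount_t,pam_var_console_t)` and `allow mount_t dosfs_t:filesystem relabelfrom;`. The hunk header also shows `` ifdef(`gnome-pty-helper.te', ` `` just above this hunk still as an ifdef, while iptables.te converts the same test to optional_policy.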
@@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use; # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; ') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 54ddfd6..42f74c3 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use; # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; ') diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 361107c..e72279a 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -108,7 +108,7 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; dbusd_client(system, udev) # Ifdefs -ifdef(`distro_redhat', ` +tunable_policy(`distro_redhat', ` allow udev_t tmpfs_t:dir rw_dir_perms; allow udev_t tmpfs_t:sock_file create_file_perms; allow udev_t tmpfs_t:lnk_file create_lnk_perms; 
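Review bot: The selinuxutil.te section repeats the selinux.te section above it byte for byte, including the `index 54ddfd6..42f74c3` line, so the patch carries the same change under two paths. One of them is presumably stale after a rename; the diff should keep only the path the build actually uses, otherwise applying it to a tree that has just one of the files fails and the other copy drifts.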
@@ -119,26 +119,26 @@ allow udev_t tmpfs_t:dir search; domain_auto_trans(udev_t, netutils_exec_t, netutils_t) ') dnl end ifdef distro_redhat -ifdef(`hide_broken_symptoms', ` +tunable_policy(`hide_broken_symptoms', ` dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; ') -ifdef(`xdm.te', ` +optional_policy(`xdm.te', ` allow udev_t xdm_var_run_t:file { getattr read }; ') -ifdef(`hotplug.te', ` +optional_policy(`hotplug.te', ` r_dir_file(udev_t, hotplug_etc_t) ') -ifdef(`pamconsole.te', ` +optional_policy(`authlogin.te', ` allow udev_t pam_var_console_t:dir search; allow udev_t pam_var_console_t:file { getattr read }; -domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) +authlogin_pam_console_transition(udev_t) ') -ifdef(`dhcpc.te', ` +optional_policy(`sysnetwork.te', ` domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) ') ') dnl endif TODO
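Review bot: The `` optional_policy(`authlogin.te', ` `` block mixes the new interface call `authlogin_pam_console_transition(udev_t)` with direct references to authlogin's private types on the lines above it (`allow udev_t pam_var_console_t:dir search;`, `allow udev_t pam_var_console_t:file { getattr read };`), and the `` optional_policy(`sysnetwork.te', ` `` block likewise keeps `domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)` instead of a sysnetwork interface. Half-converting a block means the optional dependency still breaks if authlogin or sysnetwork stop exporting those type names, so the remaining raw rules (including `r_dir_file(udev_t, hotplug_etc_t)` under hotplug.te) should become interface calls too; the names are not visible on this page.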