diff --git a/Changelog b/Changelog index bb2e41c..e324451 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Deprecate per-role templates and rolemap support. +- Implement user-based access control for use as role separations. - Move shared library calls from individual modules to the domain module. - Enable open permission checks policy capability. - Remove hierarchy from portage module as it is not a good example of diff --git a/Makefile b/Makefile index ec7c7d5..12c9128 100644 --- a/Makefile +++ b/Makefile @@ -204,6 +204,10 @@ ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif +ifeq "$(UBAC)" "y" + M4PARAM += -D enable_ubac +endif + # default MLS/MCS sensitivity and category settings. MLS_SENS ?= 16 MLS_CATS ?= 256 @@ -550,6 +554,7 @@ ifneq "$(DISTRO)" "" endif $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf + $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf diff --git a/README b/README index 37d5ce3..184c6ef 100644 --- a/README +++ b/README @@ -119,6 +119,9 @@ UNK_PERMS String. Set the kernel behavior for handling of policy. The permissions can either be allowed, denied, or the policy loading can be rejected. +UBAC Boolean. If set, the SELinux user will be used + additionally for approximate role separation. + MLS_SENS Integer. Set the number of sensitivities in the MLS policy. Ignored on standard and MCS policies. diff --git a/Rules.modular b/Rules.modular index 6c5f58e..168a14f 100644 --- a/Rules.modular +++ b/Rules.modular @@ -157,7 +157,7 @@ endif $(verbose) $(M4) $(M4PARAM) -s $^ > $@ $(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy -$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files) +$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files) @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) $^ > $@ diff --git a/Rules.monolithic b/Rules.monolithic index 4b6acbc..1dde01a 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -142,7 +142,7 @@ endif @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) -s $^ > $@ -$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files) +$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) $^ > $@ diff --git a/build.conf b/build.conf index 1cd0d66..58fd51d 100644 --- a/build.conf +++ b/build.conf @@ -48,6 +48,10 @@ DIRECT_INITRC = n # will build a loadable module policy. MONOLITHIC = y +# User-based access control (UBAC) +# Enable UBAC for role separations. +UBAC = y + # Number of MLS Sensitivities # The sensitivities will be s0 to s(MLS_SENS-1). # Dominance will be in increasing numerical order diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts index c2b7a80..22aeb67 100644 --- a/config/appconfig-mcs/default_contexts +++ b/config/appconfig-mcs/default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts index 7f4a125..7805778 100644 --- a/config/appconfig-mcs/root_default_contexts +++ b/config/appconfig-mcs/root_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts index 679a5dd..881a292 100644 --- a/config/appconfig-mcs/staff_u_default_contexts +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:staff_crond_t:s0 +system_r:crond_t:s0 staff_r:cronjob_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts index 53b04ec..106e093 100644 --- a/config/appconfig-mcs/unconfined_u_default_contexts +++ b/config/appconfig-mcs/unconfined_u_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts index 38656b1..cacbc93 100644 --- a/config/appconfig-mcs/user_u_default_contexts +++ b/config/appconfig-mcs/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts index c2b7a80..22aeb67 100644 --- a/config/appconfig-mls/default_contexts +++ b/config/appconfig-mls/default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts index 7f4a125..7805778 100644 --- a/config/appconfig-mls/root_default_contexts +++ b/config/appconfig-mls/root_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts index 679a5dd..881a292 100644 --- a/config/appconfig-mls/staff_u_default_contexts +++ b/config/appconfig-mls/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:staff_crond_t:s0 +system_r:crond_t:s0 staff_r:cronjob_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts index 53b04ec..106e093 100644 --- a/config/appconfig-mls/unconfined_u_default_contexts +++ b/config/appconfig-mls/unconfined_u_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts index 38656b1..cacbc93 100644 --- a/config/appconfig-mls/user_u_default_contexts +++ b/config/appconfig-mls/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts index 4bb784d..6141347 100644 --- a/config/appconfig-standard/default_contexts +++ b/config/appconfig-standard/default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t +system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts index 3806d33..f522568 100644 --- a/config/appconfig-standard/root_default_contexts +++ b/config/appconfig-standard/root_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t +system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts index 456bbf9..c2a5ea8 100644 --- a/config/appconfig-standard/staff_u_default_contexts +++ b/config/appconfig-standard/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t system_r:remote_login_t staff_r:staff_t system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t -system_r:crond_t staff_r:staff_crond_t +system_r:crond_t staff_r:cronjob_t system_r:xdm_t staff_r:staff_t staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts index 1b26b60..e340b21 100644 --- a/config/appconfig-standard/unconfined_u_default_contexts +++ b/config/appconfig-standard/unconfined_u_default_contexts @@ -1,4 +1,4 @@ -system_r:crond_t unconfined_r:unconfined_t +system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t system_r:initrc_t unconfined_r:unconfined_t system_r:local_login_t unconfined_r:unconfined_t system_r:remote_login_t unconfined_r:unconfined_t diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts index 26835d8..f5bfac3 100644 --- a/config/appconfig-standard/user_u_default_contexts +++ b/config/appconfig-standard/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t user_r:user_t system_r:remote_login_t user_r:user_t system_r:sshd_t user_r:user_t -system_r:crond_t user_r:user_crond_t +system_r:crond_t user_r:cronjob_t system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t diff --git a/policy/constraints b/policy/constraints index 2e58ead..bf4a736 100644 --- a/policy/constraints +++ b/policy/constraints @@ -25,59 +25,219 @@ # name_list : name | name_list name # +define(`basic_ubac_conditions',` + ifdef(`enable_ubac',` + u1 == u2 + or u1 == system_u + or u2 == system_u + or t1 != ubac_constrained_type + or t2 != ubac_constrained_type + ') +') + +define(`basic_ubac_constraint',` + ifdef(`enable_ubac',` + constrain $1 all_$1_perms + ( + basic_ubac_conditions + ); + ') +') + +define(`exempted_ubac_constraint',` + ifdef(`enable_ubac',` + constrain $1 all_$1_perms + ( + basic_ubac_conditions + or t1 == $2 + ); + ') +') + +######################################## # -# SELinux process identity change constraint: +# File rules # -constrain process transition + +exempted_ubac_constraint(dir, ubacfile) +exempted_ubac_constraint(file, ubacfile) +exempted_ubac_constraint(lnk_file, ubacfile) +exempted_ubac_constraint(fifo_file, ubacfile) +exempted_ubac_constraint(sock_file, ubacfile) +exempted_ubac_constraint(chr_file, ubacfile) +exempted_ubac_constraint(blk_file, ubacfile) + +# SElinux object identity change constraint: +constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 + or t1 == can_change_object_identity +); - or ( t1 == can_change_process_identity and t2 == process_user_target ) +######################################## +# +# Process rules +# - or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) +constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } +( + basic_ubac_conditions + or t1 == ubacproc +); +constrain process { transition noatsecure siginh rlimitinh } +( + u1 == u2 + or ( t1 == can_change_process_identity and t2 == process_user_target ) + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) or ( t1 == can_system_change and u2 == system_u ) - or ( t1 == process_uncond_exempt ) ); -# -# SELinux process role change constraint: -# -constrain process transition +constrain process { transition noatsecure siginh rlimitinh } ( - r1 == r2 - - or ( t1 == can_change_process_role and t2 == process_user_target ) - - or ( t1 == cron_source_domain and t2 == cron_job_domain ) - - or ( t1 == can_system_change and r2 == system_r ) - + r1 == r2 + or ( t1 == can_change_process_identity and t2 == process_user_target ) + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) + or ( t1 == can_system_change and u2 == system_u ) or ( t1 == process_uncond_exempt ) ); -# -# SELinux dynamic transition constraint: -# constrain process dyntransition ( u1 == u2 and r1 == r2 ); +# These permissions do not have ubac constraints: +# fork +# setexec +# setfscreate +# setcurrent +# execmem +# execstack +# execheap +# setkeycreate +# setsockcreate + +######################################## # -# SElinux object identity change constraint: +# File descriptor rules # -constrain dir_file_class_set { create relabelto relabelfrom } -( - u1 == u2 - or t1 == can_change_object_identity -); +exempted_ubac_constraint(fd, ubacfd) + +######################################## +# +# Socket rules +# + +exempted_ubac_constraint(socket, ubacsock) +exempted_ubac_constraint(tcp_socket, ubacsock) +exempted_ubac_constraint(udp_socket, ubacsock) +exempted_ubac_constraint(rawip_socket, ubacsock) +exempted_ubac_constraint(netlink_socket, ubacsock) +exempted_ubac_constraint(packet_socket, ubacsock) +exempted_ubac_constraint(key_socket, ubacsock) +exempted_ubac_constraint(unix_stream_socket, ubacsock) +exempted_ubac_constraint(unix_dgram_socket, ubacsock) +exempted_ubac_constraint(netlink_route_socket, ubacsock) +exempted_ubac_constraint(netlink_firewall_socket, ubacsock) +exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock) +exempted_ubac_constraint(netlink_nflog_socket, ubacsock) +exempted_ubac_constraint(netlink_xfrm_socket, ubacsock) +exempted_ubac_constraint(netlink_selinux_socket, ubacsock) +exempted_ubac_constraint(netlink_audit_socket, ubacsock) +exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock) +exempted_ubac_constraint(netlink_dnrt_socket, ubacsock) +exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) +exempted_ubac_constraint(appletalk_socket, ubacsock) +exempted_ubac_constraint(dccp_socket, ubacsock) constrain socket_class_set { create relabelto relabelfrom } ( u1 == u2 - or t1 == can_change_object_identity ); + +######################################## +# +# SysV IPC rules + +exempted_ubac_constraint(sem, ubacipc) +exempted_ubac_constraint(msg, ubacipc) +exempted_ubac_constraint(msgq, ubacipc) +exempted_ubac_constraint(shm, ubacipc) +exempted_ubac_constraint(ipc, ubacipc) + +######################################## +# +# SE-X Windows rules +# + +exempted_ubac_constraint(x_drawable, ubacxwin) +exempted_ubac_constraint(x_screen, ubacxwin) +exempted_ubac_constraint(x_gc, ubacxwin) +exempted_ubac_constraint(x_font, ubacxwin) +exempted_ubac_constraint(x_colormap, ubacxwin) +exempted_ubac_constraint(x_property, ubacxwin) +exempted_ubac_constraint(x_selection, ubacxwin) +exempted_ubac_constraint(x_cursor, ubacxwin) +exempted_ubac_constraint(x_client, ubacxwin) +exempted_ubac_constraint(x_device, ubacxwin) +exempted_ubac_constraint(x_server, ubacxwin) +exempted_ubac_constraint(x_extension, ubacxwin) +exempted_ubac_constraint(x_resource, ubacxwin) +exempted_ubac_constraint(x_event, ubacxwin) +exempted_ubac_constraint(x_synthetic_event, ubacxwin) +exempted_ubac_constraint(x_application_data, ubacxwin) + +######################################## +# +# D-BUS rules +# + +exempted_ubac_constraint(dbus, ubacdbus) + +######################################## +# +# Key rules +# + +exempted_ubac_constraint(key, ubackey) + +######################################## +# +# Database rules +# + +exempted_ubac_constraint(db_database, ubacdb) +exempted_ubac_constraint(db_table, ubacdb) +exempted_ubac_constraint(db_procedure, ubacdb) +exempted_ubac_constraint(db_column, ubacdb) +exempted_ubac_constraint(db_tuple, ubacdb) +exempted_ubac_constraint(db_blob, ubacdb) + + + +basic_ubac_constraint(association) +basic_ubac_constraint(peer) + + +# these classes have no UBAC restrictions +#class security +#class system +#class capability +#class memprotect +#class passwd # userspace +#class node +#class netif +#class packet +#class capability2 +#class nscd # userspace +#class context # userspace + + + +undefine(`basic_ubac_constraint') +undefine(`basic_ubac_conditions') +undefine(`exempted_ubac_constraint') diff --git a/policy/global_tunables b/policy/global_tunables index ee3e484..c08ca6f 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -62,8 +62,8 @@ gen_tunable(global_ssp,false) ## ##

## Allow email client to various content. -## nfs, samba, removable devices, user temp -## and untrusted content files +## nfs, samba, removable devices, and user temp +## files ##

##
gen_tunable(mail_read_content,false) @@ -91,15 +91,6 @@ gen_tunable(read_default_t,false) ## ##

-## Allow applications to read untrusted content -## If this is disallowed, Internet content has -## to be manually relabeled for read access to be granted -##

-##
-gen_tunable(read_untrusted_content,false) - -## -##

## Support NFS home directories ##

##
@@ -120,12 +111,3 @@ gen_tunable(use_samba_home_dirs,false) ##

## gen_tunable(user_tcp_server,false) - -## -##

-## Allow applications to write untrusted content -## If this is disallowed, no Internet content -## will be stored. -##

-##
-gen_tunable(write_untrusted_content,false) diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te index 8a7c421..e51ae66 100644 --- a/policy/modules/admin/acct.te +++ b/policy/modules/admin/acct.te @@ -1,5 +1,5 @@ -policy_module(acct, 1.2.0) +policy_module(acct, 1.2.1) ######################################## # @@ -64,8 +64,7 @@ logging_send_syslog_msg(acct_t) miscfiles_read_localization(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) - -sysadm_dontaudit_search_home_dirs(acct_t) +userdom_dontaudit_search_user_home_dirs(acct_t) optional_policy(` optional_policy(` diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index b7cb5df..fd3abca 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,5 +1,5 @@ -policy_module(alsa, 1.6.0) +policy_module(alsa, 1.6.1) ######################################## # @@ -60,10 +60,7 @@ miscfiles_read_localization(alsa_t) userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) - -sysadm_dontaudit_search_home_dirs(alsa_t) - -unprivuser_search_home_dirs(alsa_t) +userdom_search_user_home_dirs(alsa_t) optional_policy(` hal_use_fds(alsa_t) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index e877b02..dab38fb 100644 --- a/policy/modules/admin/amanda.if +++ b/policy/modules/admin/amanda.if @@ -33,11 +33,6 @@ interface(`amanda_domtrans_recover',` ## The role to be allowed the amanda_recover domain. ## ## -## -## -## The type of the terminal allow the amanda_recover domain to use. -## -## ## # interface(`amanda_run_recover',` @@ -47,7 +42,6 @@ interface(`amanda_run_recover',` amanda_domtrans_recover($1) role $2 types amanda_recover_t; - allow amanda_recover_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index dd39ca4..4b32928 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda, 1.10.0) +policy_module(amanda, 1.10.1) ####################################### # @@ -182,7 +182,7 @@ manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_ manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) +userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) @@ -227,4 +227,5 @@ logging_search_logs(amanda_recover_t) miscfiles_read_localization(amanda_recover_t) -sysadm_search_home_content_dirs(amanda_recover_t) +userdom_use_user_terminals(amanda_recover_t) +userdom_search_user_home_content(amanda_recover_t) diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if index 01432cc..18e3bc6 100644 --- a/policy/modules/admin/amtu.if +++ b/policy/modules/admin/amtu.if @@ -34,11 +34,6 @@ interface(`amtu_domtrans',` ## The role to be allowed the amtu domain. ## ## -## -## -## The type of the terminal allow the amtu domain to use. -## -## # interface(`amtu_run',` gen_require(` @@ -47,5 +42,4 @@ interface(`amtu_run',` amtu_domtrans($1) role $2 types amtu_t; - allow amtu_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te index fd34746..ec4c097 100644 --- a/policy/modules/admin/amtu.te +++ b/policy/modules/admin/amtu.te @@ -1,4 +1,4 @@ -policy_module(amtu,1.1.0) +policy_module(amtu, 1.1.1) ######################################## # @@ -23,6 +23,8 @@ files_read_etc_files(amtu_t) logging_send_audit_msgs(amtu_t) +userdom_use_user_terminals(amtu_t) + optional_policy(` nscd_dontaudit_search_pid(amtu_t) ') diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index 35d22c5..9e11224 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te @@ -1,5 +1,5 @@ -policy_module(anaconda, 1.4.0) +policy_module(anaconda, 1.4.1) ######################################## # @@ -32,7 +32,7 @@ modutils_domtrans_insmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) -unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) +userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` kudzu_domtrans(anaconda_t) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if index 99004b5..68ecf71 100644 --- a/policy/modules/admin/apt.if +++ b/policy/modules/admin/apt.if @@ -34,11 +34,6 @@ interface(`apt_domtrans',` ## The role to allow the apt domain. ## ## -## -## -## The type of the terminal allow the apt domain to use. -## -## ## # interface(`apt_run',` @@ -48,7 +43,6 @@ interface(`apt_run',` apt_domtrans($1) role $2 types apt_t; - allow apt_t $3:chr_file rw_term_perms; # TODO: likely have to add dpkg_run here. ') diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index d59fc5c..37226e1 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -1,5 +1,5 @@ -policy_module(apt, 1.4.0) +policy_module(apt, 1.4.1) ######################################## # @@ -119,6 +119,8 @@ seutil_use_newrole_fds(apt_t) sysnet_read_config(apt_t) +userdom_use_user_terminals(apt_t) + # with boolean, for cron-apt and such? #optional_policy(` # cron_system_entry(apt_t,apt_exec_t) diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if index 8720ae7..29ed36e 100644 --- a/policy/modules/admin/backup.if +++ b/policy/modules/admin/backup.if @@ -33,11 +33,6 @@ interface(`backup_domtrans',` ## The role to be allowed the backup domain. ## ## -## -## -## Domain allowed access. -## -## ## # interface(`backup_run',` @@ -47,5 +42,4 @@ interface(`backup_run',` backup_domtrans($1) role $2 types backup_t; - allow backup_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te index bfe5fab..eea9a80 100644 --- a/policy/modules/admin/backup.te +++ b/policy/modules/admin/backup.te @@ -1,5 +1,5 @@ -policy_module(backup, 1.3.0) +policy_module(backup, 1.3.1) ######################################## # @@ -71,6 +71,8 @@ logging_send_syslog_msg(backup_t) sysnet_read_config(backup_t) +userdom_use_user_terminals(backup_t) + optional_policy(` cron_system_entry(backup_t, backup_exec_t) ') diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index e083200..0106920 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -33,11 +33,6 @@ interface(`bootloader_domtrans',` ## The role to be allowed the bootloader domain. ## ## -## -## -## The type of the terminal allow the bootloader domain to use. -## -## ## # interface(`bootloader_run',` @@ -48,11 +43,10 @@ interface(`bootloader_run',` bootloader_domtrans($1) role $2 types bootloader_t; - allow bootloader_t $3:chr_file rw_term_perms; ifdef(`distro_redhat',` # for mke2fs - mount_run(bootloader_t, $2, $3) + mount_run(bootloader_t, $2) ') ') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 292be8b..b11c06b 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader, 1.9.0) +policy_module(bootloader, 1.9.1) ######################################## # @@ -135,6 +135,9 @@ seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) +userdom_use_user_terminals(bootloader_t) +userdom_dontaudit_search_user_home_dirs(bootloader_t) + ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; fs_list_tmpfs(bootloader_t) @@ -211,11 +214,3 @@ optional_policy(` optional_policy(` rpm_rw_pipes(bootloader_t) ') - -optional_policy(` - staff_dontaudit_search_home_dirs(bootloader_t) -') - -optional_policy(` - sysadm_dontaudit_search_home_dirs(bootloader_t) -') diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if index 6dc459a..1cbd014 100644 --- a/policy/modules/admin/certwatch.if +++ b/policy/modules/admin/certwatch.if @@ -37,11 +37,6 @@ interface(`certwatch_domtrans',` ## The role to be allowed the certwatch domain. ## ## -## -## -## The type of the terminal allow the certwatch domain to use. -## -## ## # interface(`certwatch_run',` @@ -51,7 +46,6 @@ interface(`certwatch_run',` certwatch_domtrans($1) role $2 types certwatch_t; - allow certwatch_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 46913fd..15be490 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te @@ -32,6 +32,8 @@ logging_send_syslog_msg(certwatch_t) miscfiles_read_certs(certwatch_t) miscfiles_read_localization(certwatch_t) +userdom_use_user_terminals(certwatch_t) + optional_policy(` apache_exec_modules(certwatch_t) ') diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if index bb06d8c..bd8c9c9 100644 --- a/policy/modules/admin/consoletype.if +++ b/policy/modules/admin/consoletype.if @@ -36,11 +36,6 @@ interface(`consoletype_domtrans',` ## The role to be allowed the consoletype domain. ## ## -## -## -## The type of the terminal allow the consoletype domain to use. -## -## # interface(`consoletype_run',` gen_require(` @@ -49,7 +44,6 @@ interface(`consoletype_run',` consoletype_domtrans($1) role $2 types consoletype_t; - allow consoletype_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 2672c68..d3700dd 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -1,5 +1,5 @@ -policy_module(consoletype, 1.6.0) +policy_module(consoletype, 1.6.1) ######################################## # @@ -54,6 +54,8 @@ domain_use_interactive_fds(consoletype_t) files_dontaudit_read_root_files(consoletype_t) files_list_usr(consoletype_t) +userdom_use_user_terminals(consoletype_t) + ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(consoletype_t) ') diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if index e334a51..898f54e 100644 --- a/policy/modules/admin/ddcprobe.if +++ b/policy/modules/admin/ddcprobe.if @@ -33,11 +33,6 @@ interface(`ddcprobe_domtrans',` ## Role to be authenticated for ddcprobe domain. ## ## -## -## -## The type of the terminal allow the clock domain to use. -## -## ## # interface(`ddcprobe_run',` @@ -47,5 +42,4 @@ interface(`ddcprobe_run',` ddcprobe_domtrans($1) role $2 types ddcprobe_t; - allow ddcprobe_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te index 07f9f03..be46d42 100644 --- a/policy/modules/admin/ddcprobe.te +++ b/policy/modules/admin/ddcprobe.te @@ -1,5 +1,5 @@ -policy_module(ddcprobe, 1.1.0) +policy_module(ddcprobe, 1.1.1) ######################################## # @@ -45,6 +45,7 @@ miscfiles_read_localization(ddcprobe_t) modutils_read_module_deps(ddcprobe_t) +userdom_use_user_terminals(ddcprobe_t) userdom_use_all_users_fds(ddcprobe_t) #reh why? this does not seem even necessary to function properly diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 02bd258..69ca5b5 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -1,5 +1,5 @@ -policy_module(dmesg, 1.2.0) +policy_module(dmesg, 1.2.1) ######################################## # @@ -48,8 +48,7 @@ logging_write_generic_logs(dmesg_t) miscfiles_read_localization(dmesg_t) userdom_dontaudit_use_unpriv_user_fds(dmesg_t) - -sysadm_use_terms(dmesg_t) +userdom_use_user_terminals(dmesg_t) optional_policy(` seutil_sigchld_newrole(dmesg_t) diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if index 5a7774a..233e6d4 100644 --- a/policy/modules/admin/dmidecode.if +++ b/policy/modules/admin/dmidecode.if @@ -38,11 +38,6 @@ interface(`dmidecode_domtrans',` ## The role to be allowed the dmidecode domain. ## ## -## -## -## The type of the terminal allow the dmidecode domain to use. -## -## ## # interface(`dmidecode_run',` @@ -52,5 +47,4 @@ interface(`dmidecode_run',` dmidecode_domtrans($1) role $2 types dmidecode_t; - allow dmidecode_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te index 8fb4783..d032a09 100644 --- a/policy/modules/admin/dmidecode.te +++ b/policy/modules/admin/dmidecode.te @@ -1,5 +1,5 @@ -policy_module(dmidecode, 1.3.0) +policy_module(dmidecode, 1.3.1) ######################################## # @@ -24,8 +24,8 @@ dev_read_raw_memory(dmidecode_t) mls_file_read_all_levels(dmidecode_t) -term_list_ptys(dmidecode_t) - files_list_usr(dmidecode_t) locallogin_use_fds(dmidecode_t) + +userdom_use_user_terminals(dmidecode_t) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if index 1822169..560d021 100644 --- a/policy/modules/admin/dpkg.if +++ b/policy/modules/admin/dpkg.if @@ -58,11 +58,6 @@ interface(`dpkg_domtrans_script',` ## The role to allow the dpkg domain. ## ## -## -## -## The type of the terminal allow the dpkg domain to use. -## -## ## # interface(`dpkg_run',` @@ -73,8 +68,7 @@ interface(`dpkg_run',` dpkg_domtrans($1) role $2 types dpkg_t; role $2 types dpkg_script_t; - seutil_run_loadpolicy(dpkg_script_t, $2, $3) - allow dpkg_t $3:chr_file rw_term_perms; + seutil_run_loadpolicy(dpkg_script_t, $2) ') ######################################## diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index f57eab0..2e03742 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -1,5 +1,5 @@ -policy_module(dpkg, 1.5.0) +policy_module(dpkg, 1.5.1) ######################################## # @@ -141,8 +141,6 @@ storage_raw_write_fixed_disk(dpkg_t) # for installing kernel packages storage_raw_read_fixed_disk(dpkg_t) -term_list_ptys(dpkg_t) - auth_relabel_all_files_except_shadow(dpkg_t) auth_manage_all_files_except_shadow(dpkg_t) auth_dontaudit_read_shadow(dpkg_t) @@ -164,6 +162,7 @@ seutil_manage_bin_policy(dpkg_t) sysnet_read_config(dpkg_t) +userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) # transition to dpkg script: @@ -284,8 +283,6 @@ selinux_compute_user_contexts(dpkg_script_t) storage_raw_read_fixed_disk(dpkg_script_t) storage_raw_write_fixed_disk(dpkg_script_t) -term_getattr_unallocated_ttys(dpkg_script_t) -term_list_ptys(dpkg_script_t) term_use_all_terms(dpkg_script_t) auth_dontaudit_getattr_shadow(dpkg_script_t) diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if index 402cc7a..00415af 100644 --- a/policy/modules/admin/firstboot.if +++ b/policy/modules/admin/firstboot.if @@ -36,11 +36,6 @@ interface(`firstboot_domtrans',` ## The role to be allowed the firstboot domain. ## ## -## -## -## The type of the terminal allow the firstboot domain to use. -## -## # interface(`firstboot_run',` gen_require(` @@ -49,7 +44,6 @@ interface(`firstboot_run',` firstboot_domtrans($1) role $2 types firstboot_t; - allow firstboot_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index ea98cfd..374ffd4 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -1,5 +1,5 @@ -policy_module(firstboot, 1.8.0) +policy_module(firstboot, 1.8.1) gen_require(` class passwd rootok; @@ -80,14 +80,15 @@ modutils_domtrans_insmod(firstboot_t) modutils_read_module_config(firstboot_t) modutils_read_module_deps(firstboot_t) +userdom_use_user_terminals(firstboot_t) # Add/remove user home directories -unprivuser_manage_home_content_dirs(firstboot_t) -unprivuser_manage_home_content_files(firstboot_t) -unprivuser_manage_home_content_symlinks(firstboot_t) -unprivuser_manage_home_content_pipes(firstboot_t) -unprivuser_manage_home_content_sockets(firstboot_t) -unprivuser_home_filetrans_home_dir(firstboot_t) -unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) +userdom_manage_user_home_content_dirs(firstboot_t) +userdom_manage_user_home_content_files(firstboot_t) +userdom_manage_user_home_content_symlinks(firstboot_t) +userdom_manage_user_home_content_pipes(firstboot_t) +userdom_manage_user_home_content_sockets(firstboot_t) +userdom_home_filetrans_user_home_dir(firstboot_t) +userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` hal_dbus_chat(firstboot_t) @@ -116,6 +117,6 @@ optional_policy(` ') optional_policy(` - xserver_rw_xdm_xserver_shm(firstboot_t) + xserver_rw_shm(firstboot_t) xserver_unconfined(firstboot_t) ') diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if index 149ced6..b4cf132 100644 --- a/policy/modules/admin/kismet.if +++ b/policy/modules/admin/kismet.if @@ -33,11 +33,6 @@ interface(`kismet_domtrans',` ## The role to be allowed the kismet domain. ## ## -## -## -## The type of the role's terminal. -## -## # interface(`kismet_run',` gen_require(` @@ -46,7 +41,6 @@ interface(`kismet_run',` kismet_domtrans($1) role $2 types kismet_t; - allow kismet_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te index c6aaa1d..9a243c0 100644 --- a/policy/modules/admin/kismet.te +++ b/policy/modules/admin/kismet.te @@ -1,5 +1,5 @@ -policy_module(kismet, 1.1.0) +policy_module(kismet, 1.1.1) ######################################## # @@ -52,3 +52,5 @@ auth_use_nsswitch(kismet_t) files_read_etc_files(kismet_t) miscfiles_read_localization(kismet_t) + +userdom_use_user_terminals(kismet_t) diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if index 6fb17f7..11c6f9e 100644 --- a/policy/modules/admin/kudzu.if +++ b/policy/modules/admin/kudzu.if @@ -33,11 +33,6 @@ interface(`kudzu_domtrans',` ## The role to be allowed the kudzu domain. ## ## -## -## -## The type of the terminal allow the kudzu domain to use. -## -## ## # interface(`kudzu_run',` @@ -47,7 +42,6 @@ interface(`kudzu_run',` kudzu_domtrans($1) role $2 types kudzu_t; - allow kudzu_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te index fe122aa..eef8ee3 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -1,5 +1,5 @@ -policy_module(kudzu, 1.7.0) +policy_module(kudzu, 1.7.1) ######################################## # @@ -77,7 +77,6 @@ storage_raw_write_removable_device(kudzu_t) storage_raw_read_fixed_disk(kudzu_t) storage_raw_read_removable_device(kudzu_t) -term_search_ptys(kudzu_t) term_dontaudit_use_console(kudzu_t) # so it can write messages to the console term_use_unallocated_ttys(kudzu_t) @@ -123,9 +122,9 @@ modutils_domtrans_insmod(kudzu_t) sysnet_read_config(kudzu_t) +userdom_use_user_terminals(kudzu_t) userdom_dontaudit_use_unpriv_user_fds(kudzu_t) - -sysadm_search_home_dirs(kudzu_t) +userdom_search_user_home_dirs(kudzu_t) optional_policy(` gpm_getattr_gpmctl(kudzu_t) diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if index 3485d9f..f9af0e1 100644 --- a/policy/modules/admin/logrotate.if +++ b/policy/modules/admin/logrotate.if @@ -33,11 +33,6 @@ interface(`logrotate_domtrans',` ## The role to be allowed the logrotate domain. ## ## -## -## -## The type of the terminal allow the logrotate domain to use. -## -## ## # interface(`logrotate_run',` @@ -47,7 +42,6 @@ interface(`logrotate_run',` logrotate_domtrans($1) role $2 types logrotate_t; - allow logrotate_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 0743fca..982fb75 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,5 +1,5 @@ -policy_module(logrotate, 1.10.0) +policy_module(logrotate, 1.10.1) ######################################## # @@ -115,6 +115,8 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) +userdom_use_user_terminals(logrotate_t) +userdom_dontaudit_search_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) cron_system_entry(logrotate_t, logrotate_exec_t) @@ -122,8 +124,6 @@ cron_search_spool(logrotate_t) mta_send_mail(logrotate_t) -sysadm_dontaudit_search_home_dirs(logrotate_t) - ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; # for savelog diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index 80fd11b..d67089e 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch, 1.8.0) +policy_module(logwatch, 1.8.1) ################################# # @@ -86,9 +86,9 @@ selinux_dontaudit_getattr_dir(logwatch_t) sysnet_dns_name_resolve(logwatch_t) -mta_send_mail(logwatch_t) +userdom_dontaudit_search_user_home_dirs(logwatch_t) -sysadm_dontaudit_search_home_dirs(logwatch_t) +mta_send_mail(logwatch_t) optional_policy(` apache_read_log(logwatch_t) diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 2e013ac..5acd1fd 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -1,5 +1,5 @@ -policy_module(mrtg, 1.5.0) +policy_module(mrtg, 1.5.1) ######################################## # @@ -113,11 +113,10 @@ miscfiles_read_localization(mrtg_t) selinux_dontaudit_getattr_dir(mrtg_t) +userdom_use_user_terminals(mrtg_t) +userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) -sysadm_use_terms(mrtg_t) -sysadm_dontaudit_read_home_content_files(mrtg_t) - ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) ') diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index 0e3fd06..0ab5f13 100644 --- a/policy/modules/admin/netutils.if +++ b/policy/modules/admin/netutils.if @@ -33,11 +33,6 @@ interface(`netutils_domtrans',` ## The role to be allowed the netutils domain. ## ## -## -## -## The type of the terminal allow the netutils domain to use. -## -## ## # interface(`netutils_run',` @@ -47,7 +42,6 @@ interface(`netutils_run',` netutils_domtrans($1) role $2 types netutils_t; - allow netutils_t $3:chr_file rw_term_perms; ') ######################################## @@ -155,11 +149,6 @@ interface(`netutils_signal_ping',` ## The role to be allowed the ping domain. ## ## -## -## -## The type of the terminal allow the ping domain to use. -## -## ## # interface(`netutils_run_ping',` @@ -169,7 +158,6 @@ interface(`netutils_run_ping',` netutils_domtrans_ping($1) role $2 types ping_t; - allow ping_t $3:chr_file rw_term_perms; ') ######################################## @@ -187,11 +175,6 @@ interface(`netutils_run_ping',` ## The role to be allowed the ping domain. ## ## -## -## -## The type of the terminal allow the ping domain to use. -## -## ## # interface(`netutils_run_ping_cond',` @@ -204,7 +187,6 @@ interface(`netutils_run_ping_cond',` if ( user_ping ) { netutils_domtrans_ping($1) - allow ping_t $3:chr_file rw_term_perms; } ') @@ -259,11 +241,6 @@ interface(`netutils_domtrans_traceroute',` ## The role to be allowed the traceroute domain. ## ## -## -## -## The type of the terminal allow the traceroute domain to use. -## -## ## # interface(`netutils_run_traceroute',` @@ -273,7 +250,6 @@ interface(`netutils_run_traceroute',` netutils_domtrans_traceroute($1) role $2 types traceroute_t; - allow traceroute_t $3:chr_file rw_term_perms; ') ######################################## @@ -291,11 +267,6 @@ interface(`netutils_run_traceroute',` ## The role to be allowed the traceroute domain. ## ## -## -## -## The type of the terminal allow the traceroute domain to use. -## -## ## # interface(`netutils_run_traceroute_cond',` @@ -308,7 +279,6 @@ interface(`netutils_run_traceroute_cond',` if( user_ping ) { netutils_domtrans_traceroute($1) - allow traceroute_t $3:chr_file rw_term_perms; } ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index ca45fce..9414ac3 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,5 +1,5 @@ -policy_module(netutils, 1.7.0) +policy_module(netutils, 1.7.1) ######################################## # @@ -85,6 +85,7 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) +userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) optional_policy(` @@ -133,6 +134,8 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) +userdom_use_user_terminals(ping_t) + ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) ') @@ -197,6 +200,8 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) +userdom_use_user_terminals(traceroute_t) + #rules needed for nmap dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index da338ab..f4043c3 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -40,11 +40,6 @@ interface(`portage_domtrans',` ## The role to allow the portage domain. ## ## -## -## -## The type of the terminal allow for portage to use. -## -## ## # interface(`portage_run',` @@ -54,9 +49,6 @@ interface(`portage_run',` portage_domtrans($1) role $2 types { portage_t portage_fetch_t portage_sandbox_t }; - allow portage_t $3:chr_file rw_term_perms; - allow portage_fetch_t $3:chr_file rw_term_perms; - allow portage_sandbox_t $3:chr_file rw_term_perms; ') ######################################## @@ -186,6 +178,8 @@ interface(`portage_compile_domain',` logging_send_syslog_msg($1) + userdom_use_user_terminals($1) + ifdef(`TODO',` # some gui ebuilds want to interact with X server, like xawtv optional_policy(` @@ -231,11 +225,6 @@ interface(`portage_domtrans_gcc_config',` ## The role to allow the gcc_config domain. ## ## -## -## -## The type of the terminal allow for gcc_config to use. -## -## ## # interface(`portage_run_gcc_config',` @@ -245,5 +234,4 @@ interface(`portage_run_gcc_config',` portage_domtrans_gcc_config($1) role $2 types gcc_config_t; - allow gcc_config_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index af61ccf..20ac2f1 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -1,5 +1,5 @@ -policy_module(portage, 1.6.1) +policy_module(portage, 1.6.2) ######################################## # @@ -90,8 +90,6 @@ files_search_pids(gcc_config_t) # the directory it is being run from files_list_all(gcc_config_t) -term_search_ptys(gcc_config_t) - # seems to be ok without this init_dontaudit_read_script_status_files(gcc_config_t) @@ -105,6 +103,8 @@ logging_send_syslog_msg(gcc_config_t) miscfiles_read_localization(gcc_config_t) +userdom_use_user_terminals(gcc_config_t) + consoletype_exec(gcc_config_t) optional_policy(` @@ -245,7 +245,8 @@ miscfiles_read_localization(portage_fetch_t) sysnet_read_config(portage_fetch_t) sysnet_dns_name_resolve(portage_fetch_t) -sysadm_dontaudit_read_home_content_files(portage_fetch_t) +userdom_use_user_terminals(portage_fetch_t) +userdom_dontaudit_read_user_home_content_files(portage_fetch_t) ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 9e09e88..38d22ad 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if @@ -33,11 +33,6 @@ interface(`prelink_domtrans',` ## The role to allow the prelink domain. ## ## -## -## -## The type of the terminal allow the prelink domain to use. -## -## ## # interface(`prelink_run',` @@ -47,7 +42,6 @@ interface(`prelink_run',` prelink_domtrans($1) role $2 types prelink_t; - allow prelink_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 6fe27d0..be3a1ee 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink, 1.5.0) +policy_module(prelink, 1.5.1) ######################################## # @@ -79,6 +79,8 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) +userdom_use_user_terminals(prelink_t) + optional_policy(` amanda_manage_lib(prelink_t) ') diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if index 8eae304..50ff52e 100644 --- a/policy/modules/admin/quota.if +++ b/policy/modules/admin/quota.if @@ -33,11 +33,6 @@ interface(`quota_domtrans',` ## The role to be allowed the quota domain. ## ## -## -## -## The type of the terminal allow the quota domain to use. -## -## ## # interface(`quota_run',` @@ -47,7 +42,6 @@ interface(`quota_run',` quota_domtrans($1) role $2 types quota_t; - allow quota_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index 098d817..d796579 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te @@ -1,5 +1,5 @@ -policy_module(quota, 1.3.0) +policy_module(quota, 1.3.1) ######################################## # @@ -72,6 +72,7 @@ init_use_script_ptys(quota_t) logging_send_syslog_msg(quota_t) +userdom_use_user_terminals(quota_t) userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index cbf5853..8645082 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -1,5 +1,5 @@ -policy_module(readahead, 1.7.0) +policy_module(readahead, 1.7.1) ######################################## # @@ -77,8 +77,7 @@ logging_dontaudit_search_audit_config(readahead_t) miscfiles_read_localization(readahead_t) userdom_dontaudit_use_unpriv_user_fds(readahead_t) - -sysadm_dontaudit_search_home_dirs(readahead_t) +userdom_dontaudit_search_user_home_dirs(readahead_t) optional_policy(` cron_system_entry(readahead_t, readahead_exec_t) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index e115154..36f9fa8 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -56,11 +56,6 @@ interface(`rpm_domtrans_script',` ## The role to allow the RPM domain. ## ## -## -## -## The type of the terminal allow the RPM domain to use. -## -## ## # interface(`rpm_run',` @@ -71,10 +66,9 @@ interface(`rpm_run',` rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; - seutil_run_loadpolicy(rpm_script_t, $2, $3) - seutil_run_semanage(rpm_script_t, $2, $3) - seutil_run_setfiles(rpm_script_t, $2, $3) - allow rpm_t $3:chr_file rw_term_perms; + seutil_run_loadpolicy(rpm_script_t, $2) + seutil_run_semanage(rpm_script_t, $2) + seutil_run_setfiles(rpm_script_t, $2) ') ######################################## diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index aa77c0f..5d8a46c 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm, 1.8.0) +policy_module(rpm, 1.8.1) ######################################## # @@ -132,8 +132,6 @@ storage_raw_write_fixed_disk(rpm_t) # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) -term_list_ptys(rpm_t) - auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) @@ -168,6 +166,7 @@ logging_send_syslog_msg(rpm_t) seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) +userdom_use_user_terminals(rpm_t) userdom_use_unpriv_users_fds(rpm_t) optional_policy(` @@ -273,8 +272,6 @@ selinux_compute_user_contexts(rpm_script_t) storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) -term_getattr_unallocated_ttys(rpm_script_t) -term_list_ptys(rpm_script_t) term_use_all_terms(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t) @@ -338,7 +335,7 @@ optional_policy(` unconfined_domtrans(rpm_script_t) optional_policy(` - java_domtrans(rpm_script_t) + java_domtrans_unconfined(rpm_script_t) ') optional_policy(` diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 801577e..36f2316 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -125,38 +125,26 @@ template(`su_restricted_domain_template', ` ####################################### ## -## The per role template for the su module. +## The role template for the su module. ## -## -##

-## This template creates a derived domain which is allowed -## to change the linux user id, to run shells as a different -## user. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The type of the user domain. +## The role associated with the user domain. ## ## -## +## ## -## The role associated with the user domain. +## The type of the user domain. ## ## # -template(`su_per_role_template',` +template(`su_role_template',` gen_require(` attribute su_domain_type; type su_exec_t; @@ -167,9 +155,10 @@ template(`su_per_role_template',` domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) domain_interactive_fd($1_su_t) - role $3 types $1_su_t; + ubac_constrained($1_su_t) + role $2 types $1_su_t; - allow $2 $1_su_t:process signal; + allow $3 $1_su_t:process signal; allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; @@ -179,13 +168,15 @@ template(`su_per_role_template',` allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) + domtrans_pattern($3, su_exec_t, $1_su_t) + + ps_process_pattern($3, $1_su_t) # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t, $2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; + corecmd_shell_domtrans($1_su_t, $3) + allow $3 $1_su_t:fd use; + allow $3 $1_su_t:fifo_file rw_file_perms; + allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) @@ -200,7 +191,7 @@ template(`su_per_role_template',` # needed for pam_rootok selinux_compute_access_vector($1_su_t) - auth_domtrans_user_chk_passwd($1, $1_su_t) + auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) auth_rw_faillog($1_su_t) @@ -224,8 +215,8 @@ template(`su_per_role_template',` miscfiles_read_localization($1_su_t) - userdom_use_user_terminals($1, $1_su_t) - userdom_search_user_home_dirs($1, $1_su_t) + userdom_use_user_terminals($1_su_t) + userdom_search_user_home_dirs($1_su_t) ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) @@ -285,17 +276,9 @@ template(`su_per_role_template',` # Modify .Xauthority file (via xauth program). optional_policy(` - xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type) - xserver_domtrans_user_xauth($1, $1_su_t) + xserver_user_home_dir_filetrans_user_xauth($1_su_t) + xserver_domtrans_xauth($1_su_t) ') - - ifdef(`TODO',` - allow $1_su_t $1_home_t:file manage_file_perms; - - # Access sshd cookie files. - allow $1_su_t sshd_tmp_t:file rw_file_perms; - file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) - ') dnl end TODO ') ####################################### diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 696a768..68c20e2 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,5 +1,5 @@ -policy_module(su, 1.8.0) +policy_module(su, 1.8.1) ######################################## # diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index a068802..a9468b9 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -2,7 +2,7 @@ ####################################### ## -## The per role template for the sudo module. +## The role template for the sudo module. ## ## ##

@@ -10,30 +10,25 @@ ## to change the linux user id, to run commands as a different ## user. ##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The type of the user domain. +## The user role. ## ## -## +## ## -## The role associated with the user domain. +## The user domain associated with the role. ## ## # -template(`sudo_per_role_template',` +template(`sudo_role_template',` gen_require(` type sudo_exec_t; @@ -47,7 +42,8 @@ template(`sudo_per_role_template',` type $1_sudo_t; application_domain($1_sudo_t, sudo_exec_t) domain_interactive_fd($1_sudo_t) - role $3 types $1_sudo_t; + ubac_constrained($1_sudo_t) + role $2 types $1_sudo_t; ############################## # @@ -71,13 +67,13 @@ template(`sudo_per_role_template',` allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t, $2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; + corecmd_shell_domtrans($1_sudo_t, $3) + allow $3 $1_sudo_t:fd use; + allow $3 $1_sudo_t:fifo_file rw_file_perms; + allow $3 $1_sudo_t:process sigchld; kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) @@ -113,22 +109,11 @@ template(`sudo_per_role_template',` miscfiles_read_localization($1_sudo_t) - userdom_manage_user_home_content_files($1, $1_sudo_t) - userdom_manage_user_home_content_symlinks($1, $1_sudo_t) - userdom_manage_user_tmp_files($1, $1_sudo_t) - userdom_manage_user_tmp_symlinks($1, $1_sudo_t) - userdom_use_user_terminals($1, $1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) + userdom_manage_user_home_content_files($1_sudo_t) + userdom_manage_user_home_content_symlinks($1_sudo_t) + userdom_manage_user_tmp_files($1_sudo_t) + userdom_manage_user_tmp_symlinks($1_sudo_t) + userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_all_users_home_content($1_sudo_t) - - ifdef(`TODO',` - # for when the network connection is killed - dontaudit unpriv_userdomain $1_sudo_t:process signal; - - ifdef(`mta.te', ` - domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) - ') - - ') dnl end TODO + userdom_dontaudit_search_user_home_content($1_sudo_t) ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 6af4f6d..c890938 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,5 +1,5 @@ -policy_module(sudo, 1.3.0) +policy_module(sudo, 1.3.1) ######################################## # @@ -7,5 +7,3 @@ policy_module(sudo, 1.3.0) type sudo_exec_t; application_executable_file(sudo_exec_t) - -# Remaining policy in per user domain template. diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if index 2bbae12..d23d02a 100644 --- a/policy/modules/admin/tripwire.if +++ b/policy/modules/admin/tripwire.if @@ -46,11 +46,6 @@ interface(`tripwire_domtrans_tripwire',` ## The role to be allowed the tripwire domain. ## ## -## -## -## The type of the terminal allow the tripwire domain to use. -## -## ## # interface(`tripwire_run_tripwire',` @@ -60,7 +55,6 @@ interface(`tripwire_run_tripwire',` tripwire_domtrans_tripwire($1) role $2 types tripwire_t; - allow tripwire_t $3:chr_file rw_term_perms; ') ######################################## @@ -96,11 +90,6 @@ interface(`tripwire_domtrans_twadmin',` ## The role to be allowed the twadmin domain. ## ## -## -## -## The type of the terminal allow the twadmin domain to use. -## -## ## # interface(`tripwire_run_twadmin',` @@ -110,7 +99,6 @@ interface(`tripwire_run_twadmin',` tripwire_domtrans_twadmin($1) role $2 types twadmin_t; - allow twadmin_t $3:chr_file rw_term_perms; ') ######################################## @@ -146,11 +134,6 @@ interface(`tripwire_domtrans_twprint',` ## The role to be allowed the twprint domain. ## ## -## -## -## The type of the terminal allow the twprint domain to use. -## -## ## # interface(`tripwire_run_twprint',` @@ -160,7 +143,6 @@ interface(`tripwire_run_twprint',` tripwire_domtrans_twprint($1) role $2 types twprint_t; - allow twprint_t $3:chr_file rw_term_perms; ') ######################################## @@ -196,11 +178,6 @@ interface(`tripwire_domtrans_siggen',` ## The role to be allowed the siggen domain. ## ## -## -## -## The type of the terminal allow the siggen domain to use. -## -## ## # interface(`tripwire_run_siggen',` @@ -210,5 +187,4 @@ interface(`tripwire_run_siggen',` tripwire_domtrans_siggen($1) role $2 types siggen_t; - allow siggen_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te index 151a18c..e57a2d1 100644 --- a/policy/modules/admin/tripwire.te +++ b/policy/modules/admin/tripwire.te @@ -1,5 +1,5 @@ -policy_module(tripwire, 1.1.0) +policy_module(tripwire, 1.1.1) ######################################## # @@ -81,6 +81,8 @@ files_getattr_all_sockets(tripwire_t) logging_send_syslog_msg(tripwire_t) +userdom_use_user_terminals(tripwire_t) + optional_policy(` cron_system_entry(tripwire_t, tripwire_exec_t) ') @@ -100,6 +102,8 @@ logging_send_syslog_msg(twadmin_t) miscfiles_read_localization(twadmin_t) +userdom_use_user_terminals(twadmin_t) + ######################################## # # Twprint local policy @@ -124,6 +128,8 @@ logging_send_syslog_msg(twprint_t) miscfiles_read_localization(twprint_t) +userdom_use_user_terminals(twprint_t) + ######################################## # # Siggen local policy @@ -137,3 +143,5 @@ files_read_all_files(siggen_t) logging_send_syslog_msg(siggen_t) miscfiles_read_localization(siggen_t) + +userdom_use_user_terminals(siggen_t) diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if index f6e3b89..b873388 100644 --- a/policy/modules/admin/tzdata.if +++ b/policy/modules/admin/tzdata.if @@ -32,11 +32,6 @@ interface(`tzdata_domtrans',` ## The role to allow the tzdata domain. ## ## -## -## -## The type of the terminal allow the tzdata domain to use. -## -## ## # interface(`tzdata_run',` @@ -46,5 +41,4 @@ interface(`tzdata_run',` tzdata_domtrans($1) role $2 types tzdata_t; - allow tzdata_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te index ad5d172..c21be19 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te @@ -1,5 +1,5 @@ -policy_module(tzdata, 1.2.0) +policy_module(tzdata, 1.2.1) ######################################## # @@ -27,6 +27,8 @@ miscfiles_read_localization(tzdata_t) miscfiles_manage_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t) +userdom_use_user_terminals(tzdata_t) + # tzdata looks for /var/spool/postfix/etc/localtime. optional_policy(` postfix_search_spool(tzdata_t) diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te index 976ee15..e492606 100644 --- a/policy/modules/admin/updfstab.te +++ b/policy/modules/admin/updfstab.te @@ -1,5 +1,5 @@ -policy_module(updfstab, 1.4.0) +policy_module(updfstab, 1.4.1) ######################################## # @@ -76,7 +76,7 @@ seutil_read_config(updfstab_t) seutil_read_default_contexts(updfstab_t) seutil_read_file_contexts(updfstab_t) -userdom_dontaudit_search_all_users_home_content(updfstab_t) +userdom_dontaudit_search_user_home_content(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t) optional_policy(` @@ -86,7 +86,7 @@ optional_policy(` optional_policy(` init_dbus_chat_script(updfstab_t) - dbus_system_bus_client_template(updfstab, updfstab_t) + dbus_system_bus_client(updfstab_t) ') optional_policy(` diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if index 50c1dc3..9ac17f5 100644 --- a/policy/modules/admin/usbmodules.if +++ b/policy/modules/admin/usbmodules.if @@ -34,11 +34,6 @@ interface(`usbmodules_domtrans',` ## The role to be allowed the usbmodules domain. ## ## -## -## -## The type of the terminal allow the usbmodules domain to use. -## -## ## # interface(`usbmodules_run',` @@ -48,5 +43,4 @@ interface(`usbmodules_run',` usbmodules_domtrans($1) role $2 types usbmodules_t; - allow usbmodules_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te index 9932456..3a16d1e 100644 --- a/policy/modules/admin/usbmodules.te +++ b/policy/modules/admin/usbmodules.te @@ -1,5 +1,5 @@ -policy_module(usbmodules, 1.1.0) +policy_module(usbmodules, 1.1.1) ######################################## # @@ -37,6 +37,8 @@ miscfiles_read_hwdata(usbmodules_t) modutils_read_module_deps(usbmodules_t) +userdom_use_user_terminals(usbmodules_t) + optional_policy(` hotplug_read_config(usbmodules_t) ') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 900d377..ac74240 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -35,11 +35,6 @@ interface(`usermanage_domtrans_chfn',` ## The role to be allowed the chfn domain. ## ## -## -## -## The type of the terminal allow the chfn domain to use. -## -## # interface(`usermanage_run_chfn',` gen_require(` @@ -48,7 +43,6 @@ interface(`usermanage_run_chfn',` usermanage_domtrans_chfn($1) role $2 types chfn_t; - allow chfn_t $3:chr_file rw_term_perms; ') ######################################## @@ -86,11 +80,6 @@ interface(`usermanage_domtrans_groupadd',` ## The role to be allowed the groupadd domain. ## ## -## -## -## The type of the terminal allow the groupadd domain to use. -## -## ## # interface(`usermanage_run_groupadd',` @@ -100,10 +89,9 @@ interface(`usermanage_run_groupadd',` usermanage_domtrans_groupadd($1) role $2 types groupadd_t; - allow groupadd_t $3:chr_file rw_term_perms; optional_policy(` - nscd_run(groupadd_t, $2, $3) + nscd_run(groupadd_t, $2) ') ') @@ -142,11 +130,6 @@ interface(`usermanage_domtrans_passwd',` ## The role to be allowed the passwd domain. ## ## -## -## -## The type of the terminal allow the passwd domain to use. -## -## # interface(`usermanage_run_passwd',` gen_require(` @@ -155,7 +138,6 @@ interface(`usermanage_run_passwd',` usermanage_domtrans_passwd($1) role $2 types passwd_t; - allow passwd_t $3:chr_file rw_term_perms; ') ######################################## @@ -195,11 +177,6 @@ interface(`usermanage_domtrans_admin_passwd',` ## The role to be allowed the admin passwd domain. ## ## -## -## -## The type of the terminal allow the admin passwd domain to use. -## -## ## # interface(`usermanage_run_admin_passwd',` @@ -209,10 +186,9 @@ interface(`usermanage_run_admin_passwd',` usermanage_domtrans_admin_passwd($1) role $2 types sysadm_passwd_t; - allow sysadm_passwd_t $3:chr_file rw_term_perms; optional_policy(` - nscd_run(sysadm_passwd_t, $2, $3) + nscd_run(sysadm_passwd_t, $2) ') ') @@ -269,11 +245,6 @@ interface(`usermanage_domtrans_useradd',` ## The role to be allowed the useradd domain. ## ## -## -## -## The type of the terminal allow the useradd domain to use. -## -## ## # interface(`usermanage_run_useradd',` @@ -283,10 +254,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; - allow useradd_t $3:chr_file rw_term_perms; optional_policy(` - nscd_run(useradd_t, $2, $3) + nscd_run(useradd_t, $2) ') ') diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 384df0d..8f28ae0 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage, 1.11.0) +policy_module(usermanage, 1.11.1) ######################################## # @@ -119,7 +119,7 @@ seutil_dontaudit_search_config(chfn_t) userdom_use_unpriv_users_fds(chfn_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -userdom_dontaudit_search_all_users_home_content(chfn_t) +userdom_dontaudit_search_user_home_content(chfn_t) ######################################## # @@ -153,7 +153,7 @@ corecmd_exec_bin(crack_t) logging_send_syslog_msg(crack_t) -sysadm_dontaudit_search_home_dirs(crack_t) +userdom_dontaudit_search_user_home_dirs(crack_t) ifdef(`distro_debian',` # the package cracklib-runtime on Debian contains a daily maintenance @@ -227,9 +227,8 @@ auth_use_nsswitch(groupadd_t) seutil_read_config(groupadd_t) userdom_use_unpriv_users_fds(groupadd_t) - # for when /root is the cwd -sysadm_dontaudit_search_home_dirs(groupadd_t) +userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` dpkg_use_fds(groupadd_t) @@ -316,13 +315,14 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) +userdom_use_user_terminals(passwd_t) userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) userdom_read_all_users_state(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -userdom_dontaudit_search_all_users_home_content(passwd_t) +userdom_dontaudit_search_user_home_content(passwd_t) optional_policy(` nscd_domtrans(passwd_t) @@ -406,7 +406,7 @@ seutil_dontaudit_search_config(sysadm_passwd_t) userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t) +userdom_dontaudit_search_user_home_content(sysadm_passwd_t) optional_policy(` nscd_domtrans(sysadm_passwd_t) @@ -485,10 +485,10 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_all_users_home_content_dirs(useradd_t) -userdom_manage_all_users_home_content_files(useradd_t) -unprivuser_home_filetrans_home_dir(useradd_t) -unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set) +userdom_manage_user_home_content_dirs(useradd_t) +userdom_manage_user_home_content_files(useradd_t) +userdom_home_filetrans_user_home_dir(useradd_t) +userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) mta_manage_spool(useradd_t) diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if index 05cfd4e..8779a18 100644 --- a/policy/modules/admin/vpn.if +++ b/policy/modules/admin/vpn.if @@ -33,11 +33,6 @@ interface(`vpn_domtrans',` ## The role to be allowed the vpnc domain. ## ## -## -## -## The type of the terminal allow the vpnc domain to use. -## -## ## # interface(`vpn_run',` @@ -47,8 +42,7 @@ interface(`vpn_run',` vpn_domtrans($1) role $2 types vpnc_t; - allow vpnc_t $3:chr_file rw_term_perms; - sysnet_run_ifconfig(vpnc_t, $2, $3) + sysnet_run_ifconfig(vpnc_t, $2) ') ######################################## diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index c7db478..42d5238 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -1,5 +1,5 @@ -policy_module(vpn, 1.9.0) +policy_module(vpn, 1.9.1) ######################################## # @@ -105,10 +105,10 @@ sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) userdom_use_all_users_fds(vpnc_t) -userdom_dontaudit_search_all_users_home_content(vpnc_t) +userdom_dontaudit_search_user_home_content(vpnc_t) optional_policy(` - dbus_system_bus_client_template(vpnc, vpnc_t) + dbus_system_bus_client(vpnc_t) optional_policy(` networkmanager_dbus_chat(vpnc_t) diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if index 348c348..3f3bbe0 100644 --- a/policy/modules/apps/ada.if +++ b/policy/modules/apps/ada.if @@ -34,11 +34,6 @@ interface(`ada_domtrans',` ## The role to be allowed the ada domain. ## ## -## -## -## The type of the terminal allow the ada domain to use. -## -## # interface(`ada_run',` gen_require(` @@ -47,5 +42,4 @@ interface(`ada_run',` ada_domtrans($1) role $2 types ada_t; - allow ada_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te index 048d953..4ae3777 100644 --- a/policy/modules/apps/ada.te +++ b/policy/modules/apps/ada.te @@ -1,5 +1,5 @@ -policy_module(ada, 1.2.0) +policy_module(ada, 1.2.1) ######################################## # @@ -18,6 +18,8 @@ role system_r types ada_t; allow ada_t self:process { execstack execmem }; +userdom_use_user_terminals(ada_t) + optional_policy(` unconfined_domain_noaudit(ada_t) ') diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te index 39213d5..9811f98 100644 --- a/policy/modules/apps/calamaris.te +++ b/policy/modules/apps/calamaris.te @@ -1,5 +1,5 @@ -policy_module(calamaris, 1.3.0) +policy_module(calamaris, 1.3.1) ######################################## # @@ -65,7 +65,7 @@ miscfiles_read_localization(calamaris_t) sysnet_read_config(calamaris_t) -sysadm_dontaudit_list_home_dirs(calamaris_t) +userdom_dontaudit_list_user_home_dirs(calamaris_t) squid_read_log(calamaris_t) diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if index 1319eaf..1582faf 100644 --- a/policy/modules/apps/cdrecord.if +++ b/policy/modules/apps/cdrecord.if @@ -1,187 +1,33 @@ ## Policy for cdrecord -####################################### +######################################## ## -## The per role template for the cdrecord module. +## Role access for cdrecord ## -## -##

-## This template creates derived domains which are used -## for cdrecord. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`cdrecord_per_role_template', ` - +interface(`cdrecord_role',` gen_require(` - type cdrecord_exec_t; + type cdrecord_t, cdrecord_exec_t; ') - ######################################## - # - # Declarations - # - - type $1_cdrecord_t; - application_domain($1_cdrecord_t, cdrecord_exec_t) - role $3 types $1_cdrecord_t; - - ######################################## - # - # Local policy - # - - allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; - allow $1_cdrecord_t self:process { getsched setsched sigkill }; - allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms; - allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms; - - allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2,$1_cdrecord_t) - allow $2 $1_cdrecord_t:process signal; + role $1 types cdrecord_t; # Transition from the user domain to the derived domain. - domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t) - - # allow searching for cdrom-drive - dev_list_all_dev_nodes($1_cdrecord_t) - - domain_interactive_fd($1_cdrecord_t) - domain_use_interactive_fds($1_cdrecord_t) - - files_read_etc_files($1_cdrecord_t) - - term_use_controlling_term($1_cdrecord_t) - term_list_ptys($1_cdrecord_t) - - # allow cdrecord to write the CD - storage_raw_write_removable_device($1_cdrecord_t) - storage_write_scsi_generic($1_cdrecord_t) - - logging_send_syslog_msg($1_cdrecord_t) - - miscfiles_read_localization($1_cdrecord_t) + domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) - # write to the user domain tty. - userdom_use_user_terminals($1, $1_cdrecord_t) - userdom_use_user_terminals($1, $2) + allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; - userdom_read_user_home_content_files($1, $1_cdrecord_t) - - # Handle nfs home dirs - tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_cdrecord_t) - files_list_home($1_cdrecord_t) - fs_read_nfs_files($1_cdrecord_t) - fs_read_nfs_symlinks($1_cdrecord_t) - - ',` - files_dontaudit_list_home($1_cdrecord_t) - fs_dontaudit_list_auto_mountpoints($1_cdrecord_t) - fs_dontaudit_read_nfs_files($1_cdrecord_t) - fs_dontaudit_list_nfs($1_cdrecord_t) - ') - # Handle samba home dirs - tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints($1_cdrecord_t) - files_list_home($1_cdrecord_t) - fs_read_cifs_files($1_cdrecord_t) - fs_read_cifs_symlinks($1_cdrecord_t) - ',` - files_dontaudit_list_home($1_cdrecord_t) - fs_dontaudit_list_auto_mountpoints($1_cdrecord_t) - fs_dontaudit_read_cifs_files($1_cdrecord_t) - fs_dontaudit_list_cifs($1_cdrecord_t) - ') - - # Handle removable media, /tmp, and /home - tunable_policy(`cdrecord_read_content',` - userdom_list_user_tmp($1, $1_cdrecord_t) - userdom_read_user_tmp_files($1, $1_cdrecord_t) - userdom_read_user_tmp_symlinks($1, $1_cdrecord_t) - userdom_search_user_home_dirs($1, $1_cdrecord_t) - userdom_read_user_home_content_files($1, $1_cdrecord_t) - userdom_read_user_home_content_symlinks($1, $1_cdrecord_t) - - ifdef(`enable_mls',` - ',` - fs_search_removable($1_cdrecord_t) - fs_read_removable_files($1_cdrecord_t) - fs_read_removable_symlinks($1_cdrecord_t) - ') - ',` - files_dontaudit_list_tmp($1_cdrecord_t) - files_dontaudit_list_home($1_cdrecord_t) - fs_dontaudit_list_removable($1_cdrecord_t) - fs_dontaudit_read_removable_files($1_cdrecord_t) - userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t) - userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t) - userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t) - userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t) - ') - - # Handle default_t content - tunable_policy(`cdrecord_read_content && read_default_t',` - files_list_default($1_cdrecord_t) - files_read_default_files($1_cdrecord_t) - files_read_default_symlinks($1_cdrecord_t) - ',` - files_dontaudit_read_default_files($1_cdrecord_t) - files_dontaudit_list_default($1_cdrecord_t) - ') - - # Handle untrusted content - tunable_policy(`cdrecord_read_content && read_untrusted_content',` - files_list_tmp($1_cdrecord_t) - files_list_home($1_cdrecord_t) - userdom_search_user_home_dirs($1, $1_cdrecord_t) - - userdom_list_user_untrusted_content($1, $1_cdrecord_t) - userdom_read_user_untrusted_content_files($1, $1_cdrecord_t) - userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t) - userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t) - ',` - files_dontaudit_list_tmp($1_cdrecord_t) - files_dontaudit_list_home($1_cdrecord_t) - userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - files_search_mnt($1_cdrecord_t) - fs_read_nfs_files($1_cdrecord_t) - fs_read_nfs_symlinks($1_cdrecord_t) - ') - - optional_policy(` - resmgr_stream_connect($1_cdrecord_t) - ') + # allow ps to show cdrecord and allow the user to kill it + ps_process_pattern($2, cdrecord_t) + allow $2 cdrecord_t:process signal; ') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 26139e6..a3148c7 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -1,5 +1,5 @@ -policy_module(cdrecord, 1.4.0) +policy_module(cdrecord, 2.0.0) ######################################## # @@ -15,5 +15,112 @@ policy_module(cdrecord, 1.4.0) ## gen_tunable(cdrecord_read_content, false) +type cdrecord_t; type cdrecord_exec_t; -application_executable_file(cdrecord_exec_t) +typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t }; +typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t }; +application_domain(cdrecord_t, cdrecord_exec_t) +ubac_constrained(cdrecord_t) + +######################################## +# +# Local policy +# + +allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow cdrecord_t self:process { getsched setsched sigkill }; +allow cdrecord_t self:unix_dgram_socket create_socket_perms; +allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; + +# allow searching for cdrom-drive +dev_list_all_dev_nodes(cdrecord_t) + +domain_interactive_fd(cdrecord_t) +domain_use_interactive_fds(cdrecord_t) + +files_read_etc_files(cdrecord_t) + +term_use_controlling_term(cdrecord_t) +term_list_ptys(cdrecord_t) + +# allow cdrecord to write the CD +storage_raw_write_removable_device(cdrecord_t) +storage_write_scsi_generic(cdrecord_t) + +logging_send_syslog_msg(cdrecord_t) + +miscfiles_read_localization(cdrecord_t) + +# write to the user domain tty. +userdom_use_user_terminals(cdrecord_t) +userdom_read_user_home_content_files(cdrecord_t) + +# Handle nfs home dirs +tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) + files_list_home(cdrecord_t) + fs_read_nfs_files(cdrecord_t) + fs_read_nfs_symlinks(cdrecord_t) + +',` + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_auto_mountpoints(cdrecord_t) + fs_dontaudit_read_nfs_files(cdrecord_t) + fs_dontaudit_list_nfs(cdrecord_t) +') +# Handle samba home dirs +tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) + files_list_home(cdrecord_t) + fs_read_cifs_files(cdrecord_t) + fs_read_cifs_symlinks(cdrecord_t) +',` + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_auto_mountpoints(cdrecord_t) + fs_dontaudit_read_cifs_files(cdrecord_t) + fs_dontaudit_list_cifs(cdrecord_t) +') + +# Handle removable media, /tmp, and /home +tunable_policy(`cdrecord_read_content',` + userdom_list_user_tmp(cdrecord_t) + userdom_read_user_tmp_files(cdrecord_t) + userdom_read_user_tmp_symlinks(cdrecord_t) + userdom_read_user_home_content_files(cdrecord_t) + userdom_read_user_home_content_symlinks(cdrecord_t) + + ifndef(`enable_mls',` + fs_search_removable(cdrecord_t) + fs_read_removable_files(cdrecord_t) + fs_read_removable_symlinks(cdrecord_t) + ') +',` + files_dontaudit_list_tmp(cdrecord_t) + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_removable(cdrecord_t) + fs_dontaudit_read_removable_files(cdrecord_t) + userdom_dontaudit_list_user_tmp(cdrecord_t) + userdom_dontaudit_read_user_tmp_files(cdrecord_t) + userdom_dontaudit_list_user_home_dirs(cdrecord_t) + userdom_dontaudit_read_user_home_content_files(cdrecord_t) +') + +# Handle default_t content +tunable_policy(`cdrecord_read_content && read_default_t',` + files_list_default(cdrecord_t) + files_read_default_files(cdrecord_t) + files_read_default_symlinks(cdrecord_t) +',` + files_dontaudit_read_default_files(cdrecord_t) + files_dontaudit_list_default(cdrecord_t) +') + +tunable_policy(`use_nfs_home_dirs',` + files_search_mnt(cdrecord_t) + fs_read_nfs_files(cdrecord_t) + fs_read_nfs_symlinks(cdrecord_t) +') + +optional_policy(` + resmgr_stream_connect(cdrecord_t) +') diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc index 7204fe2..b489cae 100644 --- a/policy/modules/apps/ethereal.fc +++ b/policy/modules/apps/ethereal.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0) /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if index 20eee67..23d5b85 100644 --- a/policy/modules/apps/ethereal.if +++ b/policy/modules/apps/ethereal.if @@ -1,244 +1,55 @@ ## Ethereal packet capture tool. -####################################### +######################################## ## -## The per role template for the ethereal module. +## Role access for ethereal ## -## -##

-## This template creates a derived domains which are used -## for ethereal packet capture tool. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`ethereal_per_role_template',` - +interface(`ethereal_role',` gen_require(` - type ethereal_exec_t; - ') - - ############################## - # - # Declarations - # - - # Type for program - type $1_ethereal_t; - application_domain($1_ethereal_t, ethereal_exec_t) - role $3 types $1_ethereal_t; - - type $1_ethereal_home_t alias $1_ethereal_rw_t; - files_poly_member($1_ethereal_home_t) - userdom_user_home_content($1, $1_ethereal_home_t) - - type $1_ethereal_tmp_t; - files_tmp_file($1_ethereal_tmp_t) - - type $1_ethereal_tmpfs_t; - files_tmpfs_file($1_ethereal_tmpfs_t) - - ############################## - # - # Local Policy - # - - allow $1_ethereal_t self:capability { net_admin net_raw setgid }; - allow $1_ethereal_t self:process { signal getsched }; - allow $1_ethereal_t self:fifo_file { getattr read write }; - allow $1_ethereal_t self:shm destroy; - allow $1_ethereal_t self:shm create_shm_perms; - allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms }; - allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read }; - allow $1_ethereal_t self:tcp_socket create_socket_perms; - allow $1_ethereal_t self:udp_socket create_socket_perms; - - # Re-execute itself (why?) - can_exec($1_ethereal_t, ethereal_exec_t) - corecmd_search_bin($1_ethereal_t) - - # /home/.ethereal - manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) - manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) - manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) - userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir) - - # Store temporary files - manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) - manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) - files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file }) - - manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t) - allow $1_ethereal_t $2:fd use; - allow $1_ethereal_t $2:process sigchld; - - manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) - - kernel_read_kernel_sysctls($1_ethereal_t) - kernel_read_system_state($1_ethereal_t) - kernel_read_sysctl($1_ethereal_t) - - corecmd_search_bin($1_ethereal_t) - - corenet_tcp_connect_generic_port($1_ethereal_t) - corenet_tcp_sendrecv_generic_if($1_ethereal_t) - - dev_read_urand($1_ethereal_t) - - files_read_etc_files($1_ethereal_t) - files_read_usr_files($1_ethereal_t) - - fs_list_inotifyfs($1_ethereal_t) - fs_search_auto_mountpoints($1_ethereal_t) - - libs_read_lib_files($1_ethereal_t) - - miscfiles_read_fonts($1_ethereal_t) - miscfiles_read_localization($1_ethereal_t) - - seutil_use_newrole_fds($1_ethereal_t) - - sysnet_read_config($1_ethereal_t) - - userdom_manage_user_home_content_files($1, $1_ethereal_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_ethereal_t) - fs_manage_nfs_files($1_ethereal_t) - fs_manage_nfs_symlinks($1_ethereal_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_ethereal_t) - fs_manage_cifs_files($1_ethereal_t) - fs_manage_cifs_symlinks($1_ethereal_t) - ') - - optional_policy(` - nscd_socket_use($1_ethereal_t) + type ethereal_t, ethereal_exec_t, ethereal_home_t; ') - # Manual transition from userhelper - optional_policy(` - userhelper_use_user_fd($1, $1_ethereal_t) - userhelper_sigchld_user($1, $1_ethereal_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t) - xserver_create_xdm_tmp_sockets($1_ethereal_t) - ') - - ifdef(`TODO',` - # Why does it write this? - optional_policy(` - dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; - ') - #TODO - gnome_application($1_ethereal, $1) - gnome_file_dialog($1_ethereal, $1) - # FIXME: policy is incomplete - ') - -') - -####################################### -## -## The administrative functions template for the ethereal module. -## -## -##

-## This template creates rules for administrating ethereal, -## allowing the specified user to manage ethereal files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`ethereal_admin_template',` - gen_require(` - type $1_ethereal_t; - ') + role $1 types ethereal_t; - # Create various types of sockets - allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms; - allow $1_ethereal_t self:udp_socket create_socket_perms; - allow $1_ethereal_t self:packet_socket create_socket_perms; - allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms; - allow $1_ethereal_t self:tcp_socket create_socket_perms; + domain_auto_trans($2, ethereal_exec_t, ethereal_t) + allow ethereal_t $2:fd use; + allow ethereal_t $2:process sigchld; - userdom_use_user_terminals($1, $1_ethereal_t) - # Ethereal tries to write to user terminal - userdom_dontaudit_use_user_terminals($1, $1_ethereal_t) + manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t) + manage_files_pattern($2, ethereal_home_t, ethereal_home_t) + manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) + relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t) + relabel_files_pattern($2, ethereal_home_t, ethereal_home_t) + relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) ') ######################################## ## ## Run ethereal in ethereal domain. ## -## -##

-## Run ethereal in ethereal domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`ethereal_domtrans_user_ethereal',` +interface(`ethereal_domtrans',` gen_require(` - type $1_ethereal_t, ethereal_exec_t; + type ethereal_t, ethereal_exec_t; ') - domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t) + domtrans_pattern($1, ethereal_exec_t, ethereal_t) ') ######################################## @@ -251,7 +62,7 @@ template(`ethereal_domtrans_user_ethereal',` ## ## # -template(`ethereal_domtrans_tethereal',` +interface(`ethereal_domtrans_tethereal',` gen_require(` type tethereal_t, tethereal_exec_t; ') @@ -274,11 +85,6 @@ template(`ethereal_domtrans_tethereal',` ## The role to be allowed the tethereal domain. ## ## -## -## -## The type of the terminal allow the tethereal domain to use. -## -## # interface(`ethereal_run_tethereal',` gen_require(` @@ -287,5 +93,4 @@ interface(`ethereal_run_tethereal',` ethereal_domtrans_tethereal($1) role $2 types tethereal_t; - allow tethereal_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te index e4d312d..30c850f 100644 --- a/policy/modules/apps/ethereal.te +++ b/policy/modules/apps/ethereal.te @@ -1,13 +1,35 @@ -policy_module(ethereal, 1.5.0) +policy_module(ethereal, 2.0.0) ######################################## # # Declarations # +type ethereal_t; type ethereal_exec_t; -application_executable_file(ethereal_exec_t) +typealias ethereal_t alias { user_ethereal_t staff_ethereal_t sysadm_ethereal_t }; +typealias ethereal_t alias { auditadm_ethereal_t secadm_ethereal_t }; +application_domain(ethereal_t, ethereal_exec_t) +ubac_constrained(ethereal_t) + +type ethereal_home_t; +typealias ethereal_home_t alias { user_ethereal_home_t staff_ethereal_home_t sysadm_ethereal_home_t }; +typealias ethereal_home_t alias { auditadm_ethereal_home_t secadm_ethereal_home_t }; +files_poly_member(ethereal_home_t) +userdom_user_home_content(ethereal_home_t) + +type ethereal_tmp_t; +typealias ethereal_tmp_t alias { user_ethereal_tmp_t staff_ethereal_tmp_t sysadm_ethereal_tmp_t }; +typealias ethereal_tmp_t alias { auditadm_ethereal_tmp_t secadm_ethereal_tmp_t }; +files_tmp_file(ethereal_tmp_t) +ubac_constrained(ethereal_tmp_t) + +type ethereal_tmpfs_t; +typealias ethereal_tmpfs_t alias { user_ethereal_tmpfs_t staff_ethereal_tmpfs_t sysadm_ethereal_tmpfs_t }; +typealias ethereal_tmpfs_t alias { auditadm_ethereal_tmpfs_t secadm_ethereal_tmpfs_t }; +files_tmpfs_file(ethereal_tmpfs_t) +ubac_constrained(ethereal_tmpfs_t) type tethereal_t; type tethereal_exec_t; @@ -16,6 +38,99 @@ application_domain(tethereal_t, tethereal_exec_t) type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) +############################## +# +# Local Policy +# + +allow ethereal_t self:capability { net_admin net_raw setgid }; +allow ethereal_t self:process { signal getsched }; +allow ethereal_t self:fifo_file { getattr read write }; +allow ethereal_t self:shm destroy; +allow ethereal_t self:shm create_shm_perms; +allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms }; +allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read }; +allow ethereal_t self:tcp_socket create_socket_perms; +allow ethereal_t self:udp_socket create_socket_perms; + +# Re-execute itself (why?) +can_exec(ethereal_t, ethereal_exec_t) +corecmd_search_bin(ethereal_t) + +# /home/.ethereal +manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t) +manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t) +manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t) +userdom_user_home_dir_filetrans(ethereal_t, ethereal_home_t, dir) + +# Store temporary files +manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t) +manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t) +files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file }) + +manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) +manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) +manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) +manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) +manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t) +fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(ethereal_t) +kernel_read_system_state(ethereal_t) +kernel_read_sysctl(ethereal_t) + +corecmd_search_bin(ethereal_t) + +corenet_tcp_connect_generic_port(ethereal_t) +corenet_tcp_sendrecv_generic_if(ethereal_t) + +dev_read_urand(ethereal_t) + +files_read_etc_files(ethereal_t) +files_read_usr_files(ethereal_t) + +fs_list_inotifyfs(ethereal_t) +fs_search_auto_mountpoints(ethereal_t) + +libs_read_lib_files(ethereal_t) + +miscfiles_read_fonts(ethereal_t) +miscfiles_read_localization(ethereal_t) + +seutil_use_newrole_fds(ethereal_t) + +sysnet_read_config(ethereal_t) + +userdom_manage_user_home_content_files(ethereal_t) +userdom_use_user_terminals(ethereal_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ethereal_t) + fs_manage_nfs_files(ethereal_t) + fs_manage_nfs_symlinks(ethereal_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(ethereal_t) + fs_manage_cifs_files(ethereal_t) + fs_manage_cifs_symlinks(ethereal_t) +') + +optional_policy(` + nscd_socket_use(ethereal_t) +') + +# Manual transition from userhelper +optional_policy(` + userhelper_use_fd(ethereal_t) + userhelper_sigchld(ethereal_t) +') + +optional_policy(` + xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t) + xserver_create_xdm_tmp_sockets(ethereal_t) +') + ######################################## # # Tethereal policy @@ -48,6 +163,8 @@ seutil_use_newrole_fds(tethereal_t) sysnet_dns_name_resolve(tethereal_t) +userdom_use_user_terminals(tethereal_t) + optional_policy(` nscd_socket_use(tethereal_t) ') diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc index 1b425f4..c011277 100644 --- a/policy/modules/apps/evolution.fc +++ b/policy/modules/apps/evolution.fc @@ -2,13 +2,13 @@ # HOME_DIR/ # -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) +HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) # # /tmp # -/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0) +/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) # # /usr diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index d50b4b7..1cb204c 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -1,795 +1,71 @@ ## Evolution email client -####################################### +######################################## ## -## The per role template for the evolution module. +## Role access for evolution ## -## -##

-## This template creates a derived domains which are used -## for evolution email client and other related evolution applications such as webcal and alarm -## type is also created to protect the user evolution keys. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`evolution_per_role_template',` - - ######################################## - # - # Declarations - # - - type $1_evolution_t; - application_domain($1_evolution_t, evolution_exec_t) - role $3 types $1_evolution_t; - - type $1_evolution_tmpfs_t; - files_tmpfs_file($1_evolution_tmpfs_t) - - type $1_evolution_home_t alias $1_evolution_rw_t; - files_poly_member($1_evolution_home_t) - userdom_user_home_content($1, $1_evolution_home_t) - - type $1_evolution_orbit_tmp_t; - files_tmp_file($1_evolution_orbit_tmp_t) - - type $1_evolution_alarm_t; - application_domain($1_evolution_alarm_t, evolution_alarm_exec_t) - role $3 types $1_evolution_alarm_t; - - type $1_evolution_alarm_tmpfs_t; - files_tmpfs_file($1_evolution_alarm_tmpfs_t) - - type $1_evolution_alarm_orbit_tmp_t; - files_tmp_file($1_evolution_alarm_orbit_tmp_t) - - type $1_evolution_exchange_t; - application_domain($1_evolution_exchange_t, evolution_exchange_exec_t) - role $3 types $1_evolution_exchange_t; - - type $1_evolution_exchange_tmpfs_t; - files_tmpfs_file($1_evolution_exchange_tmpfs_t) - - type $1_evolution_exchange_tmp_t; - files_tmp_file($1_evolution_exchange_tmp_t) - - type $1_evolution_exchange_orbit_tmp_t; - files_tmp_file($1_evolution_exchange_orbit_tmp_t) - - type $1_evolution_server_t; - application_domain($1_evolution_server_t, evolution_server_exec_t) - role $3 types $1_evolution_server_t; - - type $1_evolution_server_orbit_tmp_t; - files_tmp_file($1_evolution_server_orbit_tmp_t) - - type $1_evolution_webcal_t; - application_domain($1_evolution_webcal_t, evolution_webcal_exec_t) - role $3 types $1_evolution_webcal_t; - - type $1_evolution_webcal_tmpfs_t; - files_tmpfs_file($1_evolution_webcal_tmpfs_t) - - type $1_orbit_tmp_t; - files_tmp_file($1_orbit_tmp_t) - - ######################################## - # - # Evolution local policy - # - - allow $1_evolution_t self:capability { setuid setgid sys_nice }; - allow $1_evolution_t self:process { signal getsched setsched }; - allow $1_evolution_t self:fifo_file rw_file_perms; - allow $1_evolution_t self:tcp_socket create_socket_perms; - allow $1_evolution_t self:udp_socket create_socket_perms; - - allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms; - allow $1_evolution_t $1_evolution_alarm_t:file read; - - allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto; - allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write; - - can_exec($1_evolution_t, evolution_alarm_exec_t) - - allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto; - allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write; - - allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms; - allow $1_evolution_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; - - allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms; - allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file }) - - allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms; - allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file }) - - allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms; - allow $1_evolution_t $1_evolution_server_t:file read; - - allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto; - allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write; - - can_exec($1_evolution_t, evolution_server_exec_t) - - allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms; - fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - allow $1_evolution_t $2:dir search; - allow $1_evolution_t $2:fd use; - allow $1_evolution_t $2:file read; - allow $1_evolution_t $2:lnk_file read; - allow $1_evolution_t $2:process sigchld; - allow $1_evolution_t $2:unix_stream_socket connectto; - allow $1_evolution_t $2:dir search; - allow $1_evolution_t $2:file read; - - domain_auto_trans($2, evolution_exec_t, $1_evolution_t) - - allow $2 $1_evolution_t:unix_stream_socket connectto; - allow $2 $1_evolution_t:process noatsecure; - allow $2 $1_evolution_t:process signal_perms; +interface(`evolution_role',` + gen_require(` + type evolution_t, evolution_exec_t, evolution_home_t; + type evolution_alarm_t, evolution_alarm_exec_t; + type evolution_exchange_t, evolution_exchange_exec_t; + type evolution_exchange_orbit_tmp_t; + type evolution_server_t, evolution_server_exec_t; + type evolution_webcal_t, evolution_webcal_exec_t; + ') + + role $1 types { evolution_t evolution_alarm_t evolution_exchange_t }; + role $1 types { evolution_server_t evolution_webcal_t }; + + domtrans_pattern($2, evolution_exec_t, evolution_t) + domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) + domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) + domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) + domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) + + ps_process_pattern($2, evolution_t) + ps_process_pattern($2, evolution_alarm_t) + ps_process_pattern($2, evolution_exchange_t) + ps_process_pattern($2, evolution_server_t) + ps_process_pattern($2, evolution_webcal_t) + + allow evolution_t $2:dir search; + allow evolution_t $2:file read; + allow evolution_t $2:lnk_file read; + allow evolution_t $2:unix_stream_socket connectto; + + allow $2 evolution_t:unix_stream_socket connectto; + allow $2 evolution_t:process noatsecure; + allow $2 evolution_t:process signal_perms; # Access .evolution - allow $2 $1_evolution_home_t:dir manage_dir_perms; - allow $2 $1_evolution_home_t:file manage_file_perms; - allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms; - allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - userdom_search_user_home_dirs($1, $1_evolution_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, $1_evolution_t) - - domain_dontaudit_read_all_domains_state($1_evolution_t) - - #FIXME check to see if really needed - kernel_read_kernel_sysctls($1_evolution_t) - kernel_read_system_state($1_evolution_t) - # Allow netstat - kernel_read_network_state($1_evolution_t) - kernel_read_net_sysctls($1_evolution_t) - - corecmd_exec_shell($1_evolution_t) - # Run various programs - corecmd_exec_bin($1_evolution_t) - - corenet_all_recvfrom_unlabeled($1_evolution_t) - corenet_all_recvfrom_netlabel($1_evolution_t) - corenet_tcp_sendrecv_generic_if($1_evolution_t) - corenet_udp_sendrecv_generic_if($1_evolution_t) - corenet_raw_sendrecv_generic_if($1_evolution_t) - corenet_tcp_sendrecv_all_nodes($1_evolution_t) - corenet_udp_sendrecv_all_nodes($1_evolution_t) - corenet_tcp_sendrecv_pop_port($1_evolution_t) - corenet_udp_sendrecv_pop_port($1_evolution_t) - corenet_tcp_sendrecv_smtp_port($1_evolution_t) - corenet_udp_sendrecv_smtp_port($1_evolution_t) - corenet_tcp_sendrecv_innd_port($1_evolution_t) - corenet_udp_sendrecv_innd_port($1_evolution_t) - corenet_tcp_sendrecv_ldap_port($1_evolution_t) - corenet_udp_sendrecv_ldap_port($1_evolution_t) - corenet_tcp_sendrecv_ipp_port($1_evolution_t) - corenet_udp_sendrecv_ipp_port($1_evolution_t) - corenet_tcp_connect_pop_port($1_evolution_t) - corenet_tcp_connect_smtp_port($1_evolution_t) - corenet_tcp_connect_innd_port($1_evolution_t) - corenet_tcp_connect_ldap_port($1_evolution_t) - corenet_tcp_connect_ipp_port($1_evolution_t) - corenet_sendrecv_pop_client_packets($1_evolution_t) - corenet_sendrecv_smtp_client_packets($1_evolution_t) - corenet_sendrecv_innd_client_packets($1_evolution_t) - corenet_sendrecv_ldap_client_packets($1_evolution_t) - corenet_sendrecv_ipp_client_packets($1_evolution_t) - # not sure about this bind - corenet_udp_bind_all_nodes($1_evolution_t) - corenet_udp_bind_generic_port($1_evolution_t) - - dev_read_urand($1_evolution_t) - - files_read_etc_files($1_evolution_t) - files_read_usr_files($1_evolution_t) - files_read_usr_symlinks($1_evolution_t) - files_read_var_files($1_evolution_t) - - fs_search_auto_mountpoints($1_evolution_t) - - logging_send_syslog_msg($1_evolution_t) - - miscfiles_read_localization($1_evolution_t) - - sysnet_read_config($1_evolution_t) - sysnet_dns_name_resolve($1_evolution_t) - - udev_read_state($1_evolution_t) - - userdom_rw_user_tmp_files($1, $1_evolution_t) - userdom_manage_user_tmp_dirs($1, $1_evolution_t) - userdom_manage_user_tmp_sockets($1, $1_evolution_t) - userdom_manage_user_tmp_files($1, $1_evolution_t) - userdom_use_user_terminals($1, $1_evolution_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented - userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t) - - mta_read_config($1_evolution_t) - - xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t) - xserver_read_xdm_tmp_files($1_evolution_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_evolution_t) - fs_manage_nfs_files($1_evolution_t) - fs_manage_nfs_symlinks($1_evolution_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_evolution_t) - fs_manage_cifs_files($1_evolution_t) - fs_manage_cifs_symlinks($1_evolution_t) - ') - - tunable_policy(`mail_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_evolution_t) - files_list_home($1_evolution_t) - fs_read_nfs_files($1_evolution_t) - fs_read_nfs_symlinks($1_evolution_t) - - ',` - files_dontaudit_list_home($1_evolution_t) - fs_dontaudit_list_auto_mountpoints($1_evolution_t) - fs_dontaudit_read_nfs_files($1_evolution_t) - fs_dontaudit_list_nfs($1_evolution_t) - ') - - tunable_policy(`mail_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints($1_evolution_t) - files_list_home($1_evolution_t) - fs_read_cifs_files($1_evolution_t) - fs_read_cifs_symlinks($1_evolution_t) - ',` - files_dontaudit_list_home($1_evolution_t) - fs_dontaudit_list_auto_mountpoints($1_evolution_t) - fs_dontaudit_read_cifs_files($1_evolution_t) - fs_dontaudit_list_cifs($1_evolution_t) - ') - - tunable_policy(`mail_read_content',` - userdom_list_user_tmp($1, $1_evolution_t) - userdom_read_user_tmp_files($1, $1_evolution_t) - userdom_read_user_tmp_symlinks($1, $1_evolution_t) - userdom_search_user_home_dirs($1, $1_evolution_t) - userdom_read_user_home_content_files($1, $1_evolution_t) - userdom_read_user_home_content_symlinks($1, $1_evolution_t) - - ifndef(`enable_mls',` - fs_search_removable($1_evolution_t) - fs_read_removable_files($1_evolution_t) - fs_read_removable_symlinks($1_evolution_t) - ') - ',` - files_dontaudit_list_tmp($1_evolution_t) - files_dontaudit_list_home($1_evolution_t) - fs_dontaudit_list_removable($1_evolution_t) - fs_dontaudit_read_removable_files($1_evolution_t) - userdom_dontaudit_list_user_tmp($1,$1_evolution_t) - userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t) - userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t) - userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t) - ') - - tunable_policy(`mail_read_content && read_default_t',` - files_list_default($1_evolution_t) - files_read_default_files($1_evolution_t) - files_read_default_symlinks($1_evolution_t) - ',` - files_dontaudit_read_default_files($1_evolution_t) - files_dontaudit_list_default($1_evolution_t) - ') - - tunable_policy(`mail_read_content && read_untrusted_content',` - files_list_tmp($1_evolution_t) - files_list_home($1_evolution_t) - userdom_search_user_home_dirs($1,$1_evolution_t) - - userdom_list_user_untrusted_content($1, $1_evolution_t) - userdom_read_user_untrusted_content_files($1, $1_evolution_t) - userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t) - userdom_list_user_tmp_untrusted_content($1, $1_evolution_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t) - ',` - files_dontaudit_list_tmp($1_evolution_t) - files_dontaudit_list_home($1_evolution_t) - userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t) - ') - - tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` - files_search_home($1_evolution_t) - - fs_search_auto_mountpoints($1_evolution_t) - fs_manage_nfs_dirs($1_evolution_t) - fs_manage_nfs_files($1_evolution_t) - fs_manage_nfs_symlinks($1_evolution_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_evolution_t) - fs_dontaudit_manage_nfs_dirs($1_evolution_t) - fs_dontaudit_manage_nfs_files($1_evolution_t) - ') - - tunable_policy(`write_untrusted_content && use_samba_home_dirs',` - files_search_home($1_evolution_t) - - fs_search_auto_mountpoints($1_evolution_t) - fs_manage_cifs_dirs($1_evolution_t) - fs_manage_cifs_files($1_evolution_t) - fs_manage_cifs_symlinks($1_evolution_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_evolution_t) - fs_dontaudit_manage_cifs_dirs($1_evolution_t) - fs_dontaudit_manage_cifs_files($1_evolution_t) - ') - - tunable_policy(`write_untrusted_content',` - files_search_home($1_evolution_t) - - userdom_manage_user_untrusted_content_files($1, $1_evolution_t) - userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir }) - - ',` - files_dontaudit_list_home($1_evolution_t) - files_dontaudit_list_tmp($1_evolution_t) - - userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t) - #userdom_dontaudit_manage_user_tmp($1,$1_evolution_t) - #userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t) - #userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t) - ') - - optional_policy(` - automount_read_state($1_evolution_t) - ') - - # Allow printing the mail - optional_policy(` - cups_read_rw_config($1_evolution_t) - ') - - optional_policy(` - dbus_system_bus_client_template($1_evolution, $1_evolution_t) - dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_evolution_t) - ') - - # Encrypt mail - optional_policy(` - gpg_domtrans_user_gpg($1, $1_evolution_t) - gpg_signal_user_gpg($1, $1_evolution_t) - ') - - optional_policy(` - lpd_domtrans_user_lpr($1, $1_evolution_t) - ') - - optional_policy(` - mozilla_read_user_home_files($1, $1_evolution_t) - mozilla_domtrans_user_mozilla($1, $1_evolution_t) - ') - - # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) - optional_policy(` - nis_use_ypbind($1_evolution_t) - ') - - optional_policy(` - nscd_socket_use($1_evolution_t) - ') - - ### Junk mail filtering (start spamd) - optional_policy(` - spamassassin_exec_spamd($1_evolution_t) - spamassassin_domtrans_user_client($1, $1_evolution_t) - spamassassin_domtrans_user_local_client($1, $1_evolution_t) - # Allow evolution to signal the daemon - # FIXME: Now evolution can read spamd temp files - spamassassin_read_spamd_tmp_files($1_evolution_t) - spamassassin_signal_spamd($1_evolution_t) - spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t) - ') - - ifdef(`TODO',` - - # Gnome common stuff - gnome_application($1_evolution, $1) - - #TODO gnome stuff - # Store passwords in .gnome2_private - # Type for storing secret data - # (different from home, not directly accessible from ROLE_t) - type $1_evolutioin_secret_t; - userdom_user_home_content($1,$1_evolutioin_secret_t) - - # Put secret files in .gnome2_private - allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms; - allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms; - type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t; - - allow $2 $1_evolution_secret_t:file unlink; + allow $2 evolution_home_t:dir manage_dir_perms; + allow $2 evolution_home_t:file manage_file_perms; + allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; + allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - ifdef(`TODO',` - gnome_file_dialog($1_evolution, $1) - ') - ') - - ######################################## - # - # Evolution alarm local policy - # - - allow $1_evolution_alarm_t self:process { signal getsched }; - allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms; - - allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto; - allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write; - - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; - fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto; - allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write; - - # Access evolution home - allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms; - allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; - - allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto; - allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write; - - domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t) - allow $1_evolution_alarm_t $2:fd use; - - dev_read_urand($1_evolution_alarm_t) - - files_read_etc_files($1_evolution_alarm_t) - files_read_usr_files($1_evolution_alarm_t) - - fs_search_auto_mountpoints($1_evolution_alarm_t) - - miscfiles_read_localization($1_evolution_alarm_t) - - # Access evolution home - userdom_search_user_home_dirs($1,$1_evolution_alarm_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented - userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t) - - xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t) - - # Access evolution home - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_evolution_alarm_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_evolution_alarm_t) - ') - - optional_policy(` - dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t) - ') - - optional_policy(` - nscd_socket_use($1_evolution_alarm_t) - ') - - ifdef(`TODO',` - # Gnome common stuff - gnome_application($1_evolution_alarm,$1) - ') - - ######################################## - # - # Evolution exchange connector local policy - # - - allow $1_evolution_exchange_t self:process getsched; - allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms; - - allow $1_evolution_exchange_t self:tcp_socket create_socket_perms; - allow $1_evolution_exchange_t self:udp_socket create_socket_perms; - - allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto; - allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write; - - allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto; - allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write; - - # Access evolution home - allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms; - allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; - - allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto; - allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write; - - # /tmp/.exchange-$USER - allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir }) - - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; - fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - allow $1_evolution_exchange_t $2:unix_stream_socket connectto; - #FIXME, who should own this. I dont think this module should - allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write; + allow evolution_exchange_t $2:unix_stream_socket connectto; # Clock applet talks to exchange (FIXME: Needs policy) - allow $2 $1_evolution_exchange_t:unix_stream_socket connectto; - allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write; - - # Transition from user domain - domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t) - - kernel_read_network_state($1_evolution_exchange_t) - kernel_read_net_sysctls($1_evolution_exchange_t) - - # Allow netstat - corecmd_exec_bin($1_evolution_exchange_t) - - dev_read_urand($1_evolution_exchange_t) - - files_read_etc_files($1_evolution_exchange_t) - files_read_usr_files($1_evolution_exchange_t) - - # Access evolution home - fs_search_auto_mountpoints($1_evolution_exchange_t) - - miscfiles_read_localization($1_evolution_exchange_t) - - # Access evolution home - userdom_search_user_home_dirs($1, $1_evolution_exchange_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented - userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t) - - xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t) - - # Access evolution home - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_evolution_exchange_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_evolution_exchange_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t) - ') - - optional_policy(` - nscd_socket_use($1_evolution_exchange_t) - ') - - ifdef(`TODO',` - # Gnome common stuff - gnome_application($1_evolution_exchange, $1) - ') - - ######################################## - # - # Evolution data server local policy - # - - allow $1_evolution_server_t self:process { getsched signal }; - - allow $1_evolution_server_t self:fifo_file { read write }; - allow $1_evolution_server_t self:unix_stream_socket { accept connectto }; - # Talk to ldap (address book), - # Obtain weather data via http (read server name from xml file in /usr) - allow $1_evolution_server_t self:tcp_socket create_socket_perms; - - allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto; - allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write; - - allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto; - allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write; - - # Access evolution home - allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms; - allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; - - allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto; - allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write; - - # Transition from user type - domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t) - - kernel_read_system_state($1_evolution_server_t) - - corecmd_exec_shell($1_evolution_server_t) - - # Obtain weather data via http (read server name from xml file in /usr) - corenet_all_recvfrom_unlabeled($1_evolution_server_t) - corenet_all_recvfrom_netlabel($1_evolution_server_t) - corenet_tcp_sendrecv_generic_if($1_evolution_server_t) - corenet_tcp_sendrecv_all_nodes($1_evolution_server_t) - corenet_tcp_sendrecv_http_port($1_evolution_server_t) - corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t) - corenet_tcp_connect_http_cache_port($1_evolution_server_t) - corenet_tcp_connect_http_port($1_evolution_server_t) - corenet_sendrecv_http_client_packets($1_evolution_server_t) - corenet_sendrecv_http_cache_client_packets($1_evolution_server_t) - - dev_read_urand($1_evolution_server_t) - - files_read_etc_files($1_evolution_server_t) - # Obtain weather data via http (read server name from xml file in /usr) - files_read_usr_files($1_evolution_server_t) - - fs_search_auto_mountpoints($1_evolution_server_t) - - miscfiles_read_localization($1_evolution_server_t) - # Look in /etc/pki - miscfiles_read_certs($1_evolution_server_t) - - # Talk to ldap (address book) - sysnet_read_config($1_evolution_server_t) - sysnet_dns_name_resolve($1_evolution_server_t) - sysnet_use_ldap($1_evolution_server_t) - - # Access evolution home - userdom_search_user_home_dirs($1, $1_evolution_server_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented - userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t) - - # Access evolution home - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_evolution_server_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_evolution_server_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_evolution_server_t) - ') - - optional_policy(` - nscd_socket_use($1_evolution_server_t) - ') - - ifdef(`TODO',` - # Gnome common stuff - gnome_application($1_evolution_server, $1) - ') - - ######################################## - # - # Evolution webcal local policy - # - - allow $1_evolution_webcal_t self:tcp_socket create_socket_perms; - - # X/evolution common stuff - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; - fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - # Transition from user type - domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t) - - corenet_all_recvfrom_unlabeled($1_evolution_webcal_t) - corenet_all_recvfrom_netlabel($1_evolution_webcal_t) - corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t) - corenet_raw_sendrecv_generic_if($1_evolution_webcal_t) - corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t) - corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t) - corenet_tcp_sendrecv_http_port($1_evolution_webcal_t) - corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t) - corenet_tcp_connect_http_cache_port($1_evolution_webcal_t) - corenet_tcp_connect_http_port($1_evolution_webcal_t) - corenet_sendrecv_http_client_packets($1_evolution_webcal_t) - corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t) - - # Networking capability - connect to website and handle ics link - sysnet_read_config($1_evolution_webcal_t) - sysnet_dns_name_resolve($1_evolution_webcal_t) - - # Search home directory (?) - userdom_search_user_home_dirs($1, $1_evolution_webcal_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented - userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t) - - xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t) - - optional_policy(` - nscd_socket_use($1_evolution_webcal_t) - ') - - ifdef(`TODO',` - # Gnome common stuff - gnome_application($1_evolution_webcal, $1) - ') + allow $2 evolution_exchange_t:unix_stream_socket connectto; + allow $2 evolution_exchange_orbit_tmp_t:sock_file write; ') ######################################## ## ## Create objects in users evolution home folders. ## -## -##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -802,52 +78,36 @@ template(`evolution_per_role_template',` ## ## ## -## The object class of the object being created. If -## no class is specified, dir will be used. +## The object class of the object being created. ## ## # -template(`evolution_home_filetrans',` +interface(`evolution_home_filetrans',` gen_require(` - type $1_evolution_home_t; + type evolution_home_t; ') - allow $2 $1_evolution_home_t:dir rw_dir_perms; - type_transition $2 $1_evolution_home_t:$4 $3; + allow $1 evolution_home_t:dir rw_dir_perms; + type_transition $1 evolution_home_t:$3 $2; ') ######################################## ## -## Connect to user evolution unix stream socket. +## Connect to evolution unix stream socket. ## -## -##

-## Connect to user evolution unix stream socket. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`evolution_stream_connect',` +interface(`evolution_stream_connect',` gen_require(` - type $1_evolution_t, $1_evolution_home_t; + type evolution_t, evolution_home_t; ') - allow $2 $1_evolution_t:unix_stream_socket connectto; - allow $2 $1_evolution_home_t:dir search; + allow $1 evolution_t:unix_stream_socket connectto; + allow $1 evolution_home_t:dir search; ') ######################################## @@ -855,12 +115,6 @@ template(`evolution_stream_connect',` ## Send and receive messages from ## evolution over dbus. ##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -869,12 +123,12 @@ template(`evolution_stream_connect',` # interface(`evolution_dbus_chat',` gen_require(` - type $1_evolution_t; + type evolution_t; class dbus send_msg; ') - allow $2 $1_evolution_t:dbus send_msg; - allow $1_evolution_t $2:dbus send_msg; + allow $1 evolution_t:dbus send_msg; + allow evolution_t $1:dbus send_msg; ') ######################################## @@ -882,12 +136,6 @@ interface(`evolution_dbus_chat',` ## Send and receive messages from ## evolution_alarm over dbus. ## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -896,10 +144,10 @@ interface(`evolution_dbus_chat',` # interface(`evolution_alarm_dbus_chat',` gen_require(` - type $1_evolution_alarm_t; + type evolution_alarm_t; class dbus send_msg; ') - allow $2 $1_evolution_alarm_t:dbus send_msg; - allow $1_evolution_alarm_t $2:dbus send_msg; + allow $1 evolution_alarm_t:dbus send_msg; + allow evolution_alarm_t $1:dbus send_msg; ') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index c08a51b..c126b9a 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -1,22 +1,629 @@ -policy_module(evolution, 1.6.0) +policy_module(evolution, 2.0.0) ######################################## # # Declarations # +type evolution_t; type evolution_exec_t; -application_executable_file(evolution_exec_t) +typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; +typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; +application_domain(evolution_t, evolution_exec_t) +ubac_constrained(evolution_t) +type evolution_alarm_t; type evolution_alarm_exec_t; -application_executable_file(evolution_alarm_exec_t) +typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; +typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; +application_domain(evolution_alarm_t, evolution_alarm_exec_t) +ubac_constrained(evolution_alarm_t) +type evolution_alarm_tmpfs_t; +typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; +typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; +files_tmpfs_file(evolution_alarm_tmpfs_t) +ubac_constrained(evolution_alarm_tmpfs_t) + +type evolution_alarm_orbit_tmp_t; +typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; +typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; +files_tmp_file(evolution_alarm_orbit_tmp_t) +ubac_constrained(evolution_alarm_orbit_tmp_t) + +type evolution_exchange_t; type evolution_exchange_exec_t; -application_executable_file(evolution_exchange_exec_t) +typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; +typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; +application_domain(evolution_exchange_t, evolution_exchange_exec_t) +ubac_constrained(evolution_exchange_t) + +type evolution_exchange_tmpfs_t; +typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; +typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; +files_tmpfs_file(evolution_exchange_tmpfs_t) +ubac_constrained(evolution_exchange_tmpfs_t) + +type evolution_exchange_tmp_t; +typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; +typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; +files_tmp_file(evolution_exchange_tmp_t) +ubac_constrained(evolution_exchange_tmp_t) + +type evolution_exchange_orbit_tmp_t; +typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; +typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; +files_tmp_file(evolution_exchange_orbit_tmp_t) +ubac_constrained(evolution_exchange_orbit_tmp_t) +type evolution_home_t; +typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; +typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; +files_poly_member(evolution_home_t) +userdom_user_home_content(evolution_home_t) + +type evolution_orbit_tmp_t; +typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; +typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; +files_tmp_file(evolution_orbit_tmp_t) +ubac_constrained(evolution_orbit_tmp_t) + +type evolution_server_t; type evolution_server_exec_t; -application_executable_file(evolution_server_exec_t) +typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; +typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t }; +application_domain(evolution_server_t, evolution_server_exec_t) +ubac_constrained(evolution_server_t) + +type evolution_server_orbit_tmp_t; +typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; +typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; +files_tmp_file(evolution_server_orbit_tmp_t) +ubac_constrained(evolution_server_orbit_tmp_t) + +type evolution_tmpfs_t; +typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; +typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; +files_tmpfs_file(evolution_tmpfs_t) +ubac_constrained(evolution_tmpfs_t) +type evolution_webcal_t; type evolution_webcal_exec_t; -application_executable_file(evolution_webcal_exec_t) +typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; +typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; +application_domain(evolution_webcal_t, evolution_webcal_exec_t) +ubac_constrained(evolution_webcal_t) + +type evolution_webcal_tmpfs_t; +typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; +typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; +files_tmpfs_file(evolution_webcal_tmpfs_t) +ubac_constrained(evolution_webcal_tmpfs_t) + +######################################## +# +# Evolution local policy +# + +allow evolution_t self:capability { setuid setgid sys_nice }; +allow evolution_t self:process { signal getsched setsched }; +allow evolution_t self:fifo_file rw_file_perms; +allow evolution_t self:tcp_socket create_socket_perms; +allow evolution_t self:udp_socket create_socket_perms; + +allow evolution_t evolution_alarm_t:dir search_dir_perms; +allow evolution_t evolution_alarm_t:file read; + +allow evolution_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write; + +can_exec(evolution_t, evolution_alarm_exec_t) + +allow evolution_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write; + +allow evolution_t evolution_home_t:dir manage_dir_perms; +allow evolution_t evolution_home_t:file manage_file_perms; +allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; +userdom_search_user_home_dirs(evolution_t) + +allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; +allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) + +allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; +allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) + +allow evolution_t evolution_server_t:dir search_dir_perms; +allow evolution_t evolution_server_t:file read; + +allow evolution_t evolution_server_t:unix_stream_socket connectto; +allow evolution_t evolution_server_orbit_tmp_t:sock_file write; + +can_exec(evolution_t, evolution_server_exec_t) + +allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; +allow evolution_t evolution_tmpfs_t:file manage_file_perms; +allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +#FIXME check to see if really needed +kernel_read_kernel_sysctls(evolution_t) +kernel_read_system_state(evolution_t) +# Allow netstat +kernel_read_network_state(evolution_t) +kernel_read_net_sysctls(evolution_t) + +corecmd_exec_shell(evolution_t) +# Run various programs +corecmd_exec_bin(evolution_t) + +corenet_all_recvfrom_unlabeled(evolution_t) +corenet_all_recvfrom_netlabel(evolution_t) +corenet_tcp_sendrecv_generic_if(evolution_t) +corenet_udp_sendrecv_generic_if(evolution_t) +corenet_raw_sendrecv_generic_if(evolution_t) +corenet_tcp_sendrecv_all_nodes(evolution_t) +corenet_udp_sendrecv_all_nodes(evolution_t) +corenet_tcp_sendrecv_pop_port(evolution_t) +corenet_udp_sendrecv_pop_port(evolution_t) +corenet_tcp_sendrecv_smtp_port(evolution_t) +corenet_udp_sendrecv_smtp_port(evolution_t) +corenet_tcp_sendrecv_innd_port(evolution_t) +corenet_udp_sendrecv_innd_port(evolution_t) +corenet_tcp_sendrecv_ldap_port(evolution_t) +corenet_udp_sendrecv_ldap_port(evolution_t) +corenet_tcp_sendrecv_ipp_port(evolution_t) +corenet_udp_sendrecv_ipp_port(evolution_t) +corenet_tcp_connect_pop_port(evolution_t) +corenet_tcp_connect_smtp_port(evolution_t) +corenet_tcp_connect_innd_port(evolution_t) +corenet_tcp_connect_ldap_port(evolution_t) +corenet_tcp_connect_ipp_port(evolution_t) +corenet_sendrecv_pop_client_packets(evolution_t) +corenet_sendrecv_smtp_client_packets(evolution_t) +corenet_sendrecv_innd_client_packets(evolution_t) +corenet_sendrecv_ldap_client_packets(evolution_t) +corenet_sendrecv_ipp_client_packets(evolution_t) +# not sure about this bind +corenet_udp_bind_all_nodes(evolution_t) +corenet_udp_bind_generic_port(evolution_t) + +dev_read_urand(evolution_t) + +domain_dontaudit_read_all_domains_state(evolution_t) + +files_read_etc_files(evolution_t) +files_read_usr_files(evolution_t) +files_read_usr_symlinks(evolution_t) +files_read_var_files(evolution_t) + +fs_search_auto_mountpoints(evolution_t) + +logging_send_syslog_msg(evolution_t) + +miscfiles_read_localization(evolution_t) + +sysnet_read_config(evolution_t) +sysnet_dns_name_resolve(evolution_t) + +udev_read_state(evolution_t) + +userdom_rw_user_tmp_files(evolution_t) +userdom_manage_user_tmp_dirs(evolution_t) +userdom_manage_user_tmp_sockets(evolution_t) +userdom_manage_user_tmp_files(evolution_t) +userdom_use_user_terminals(evolution_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_t) + +mta_read_config(evolution_t) + +xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) +xserver_read_xdm_tmp_files(evolution_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(evolution_t) + fs_manage_nfs_files(evolution_t) + fs_manage_nfs_symlinks(evolution_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(evolution_t) + fs_manage_cifs_files(evolution_t) + fs_manage_cifs_symlinks(evolution_t) +') + +tunable_policy(`mail_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(evolution_t) + files_list_home(evolution_t) + fs_read_nfs_files(evolution_t) + fs_read_nfs_symlinks(evolution_t) + +',` + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_auto_mountpoints(evolution_t) + fs_dontaudit_read_nfs_files(evolution_t) + fs_dontaudit_list_nfs(evolution_t) +') + +tunable_policy(`mail_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(evolution_t) + files_list_home(evolution_t) + fs_read_cifs_files(evolution_t) + fs_read_cifs_symlinks(evolution_t) +',` + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_auto_mountpoints(evolution_t) + fs_dontaudit_read_cifs_files(evolution_t) + fs_dontaudit_list_cifs(evolution_t) +') + +tunable_policy(`mail_read_content',` + userdom_list_user_tmp(evolution_t) + userdom_read_user_tmp_files(evolution_t) + userdom_read_user_tmp_symlinks(evolution_t) + userdom_read_user_home_content_files(evolution_t) + userdom_read_user_home_content_symlinks(evolution_t) + + ifndef(`enable_mls',` + fs_search_removable(evolution_t) + fs_read_removable_files(evolution_t) + fs_read_removable_symlinks(evolution_t) + ') +',` + files_dontaudit_list_tmp(evolution_t) + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_removable(evolution_t) + fs_dontaudit_read_removable_files(evolution_t) + userdom_dontaudit_list_user_tmp(evolution_t) + userdom_dontaudit_read_user_tmp_files(evolution_t) + userdom_dontaudit_list_user_home_dirs(evolution_t) + userdom_dontaudit_read_user_home_content_files(evolution_t) +') + +tunable_policy(`mail_read_content && read_default_t',` + files_list_default(evolution_t) + files_read_default_files(evolution_t) + files_read_default_symlinks(evolution_t) +',` + files_dontaudit_read_default_files(evolution_t) + files_dontaudit_list_default(evolution_t) +') + +optional_policy(` + automount_read_state(evolution_t) +') + +# Allow printing the mail +optional_policy(` + cups_read_rw_config(evolution_t) +') + +optional_policy(` + dbus_system_bus_client(evolution_t) + dbus_session_bus_client(evolution_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_t) +') + +# Encrypt mail +optional_policy(` + gpg_domtrans(evolution_t) + gpg_signal(evolution_t) +') + +optional_policy(` + lpd_domtrans_lpr(evolution_t) +') + +optional_policy(` + mozilla_read_user_home_files(evolution_t) + mozilla_domtrans(evolution_t) +') + +# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) +optional_policy(` + nis_use_ypbind(evolution_t) +') + +optional_policy(` + nscd_socket_use(evolution_t) +') + +### Junk mail filtering (start spamd) +optional_policy(` + spamassassin_exec_spamd(evolution_t) + spamassassin_domtrans_client(evolution_t) + spamassassin_domtrans_local_client(evolution_t) + # Allow evolution to signal the daemon + # FIXME: Now evolution can read spamd temp files + spamassassin_read_spamd_tmp_files(evolution_t) + spamassassin_signal_spamd(evolution_t) + spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) +') + +######################################## +# +# Evolution alarm local policy +# + +allow evolution_alarm_t self:process { signal getsched }; +allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; + +allow evolution_alarm_t evolution_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; +allow evolution_alarm_t evolution_home_t:file manage_file_perms; +allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; + +dev_read_urand(evolution_alarm_t) + +files_read_etc_files(evolution_alarm_t) +files_read_usr_files(evolution_alarm_t) + +fs_search_auto_mountpoints(evolution_alarm_t) + +miscfiles_read_localization(evolution_alarm_t) + +# Access evolution home +userdom_search_user_home_dirs(evolution_alarm_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) + +xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_alarm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(evolution_alarm_t) +') + +optional_policy(` + dbus_session_bus_client(evolution_alarm_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_alarm_t) +') + +optional_policy(` + nscd_socket_use(evolution_alarm_t) +') + +######################################## +# +# Evolution exchange connector local policy +# + +allow evolution_exchange_t self:process getsched; +allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; + +allow evolution_exchange_t self:tcp_socket create_socket_perms; +allow evolution_exchange_t self:udp_socket create_socket_perms; + +allow evolution_exchange_t evolution_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; +allow evolution_exchange_t evolution_home_t:file manage_file_perms; +allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write; + +# /tmp/.exchange-$USER +allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; +allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) + +allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_network_state(evolution_exchange_t) +kernel_read_net_sysctls(evolution_exchange_t) + +# Allow netstat +corecmd_exec_bin(evolution_exchange_t) + +dev_read_urand(evolution_exchange_t) + +files_read_etc_files(evolution_exchange_t) +files_read_usr_files(evolution_exchange_t) + +# Access evolution home +fs_search_auto_mountpoints(evolution_exchange_t) + +miscfiles_read_localization(evolution_exchange_t) + +userdom_write_user_tmp_sockets(evolution_exchange_t) +# Access evolution home +userdom_search_user_home_dirs(evolution_exchange_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) + +xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_exchange_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(evolution_exchange_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_exchange_t) +') + +optional_policy(` + nscd_socket_use(evolution_exchange_t) +') + +######################################## +# +# Evolution data server local policy +# + +allow evolution_server_t self:process { getsched signal }; + +allow evolution_server_t self:fifo_file { read write }; +allow evolution_server_t self:unix_stream_socket { accept connectto }; +# Talk to ldap (address book), +# Obtain weather data via http (read server name from xml file in /usr) +allow evolution_server_t self:tcp_socket create_socket_perms; + +allow evolution_server_t evolution_t:unix_stream_socket connectto; +allow evolution_server_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_server_t evolution_home_t:dir manage_dir_perms; +allow evolution_server_t evolution_home_t:file manage_file_perms; +allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; + +kernel_read_system_state(evolution_server_t) + +corecmd_exec_shell(evolution_server_t) + +# Obtain weather data via http (read server name from xml file in /usr) +corenet_all_recvfrom_unlabeled(evolution_server_t) +corenet_all_recvfrom_netlabel(evolution_server_t) +corenet_tcp_sendrecv_generic_if(evolution_server_t) +corenet_tcp_sendrecv_all_nodes(evolution_server_t) +corenet_tcp_sendrecv_http_port(evolution_server_t) +corenet_tcp_sendrecv_http_cache_port(evolution_server_t) +corenet_tcp_connect_http_cache_port(evolution_server_t) +corenet_tcp_connect_http_port(evolution_server_t) +corenet_sendrecv_http_client_packets(evolution_server_t) +corenet_sendrecv_http_cache_client_packets(evolution_server_t) + +dev_read_urand(evolution_server_t) + +files_read_etc_files(evolution_server_t) +# Obtain weather data via http (read server name from xml file in /usr) +files_read_usr_files(evolution_server_t) + +fs_search_auto_mountpoints(evolution_server_t) + +miscfiles_read_localization(evolution_server_t) +# Look in /etc/pki +miscfiles_read_certs(evolution_server_t) + +# Talk to ldap (address book) +sysnet_read_config(evolution_server_t) +sysnet_dns_name_resolve(evolution_server_t) +sysnet_use_ldap(evolution_server_t) + +# Access evolution home +userdom_search_user_home_dirs(evolution_server_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_server_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_server_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(evolution_server_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_server_t) +') + +optional_policy(` + nscd_socket_use(evolution_server_t) +') + +######################################## +# +# Evolution webcal local policy +# + +allow evolution_webcal_t self:tcp_socket create_socket_perms; + +# X/evolution common stuff +allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +corenet_all_recvfrom_unlabeled(evolution_webcal_t) +corenet_all_recvfrom_netlabel(evolution_webcal_t) +corenet_tcp_sendrecv_generic_if(evolution_webcal_t) +corenet_raw_sendrecv_generic_if(evolution_webcal_t) +corenet_tcp_sendrecv_all_nodes(evolution_webcal_t) +corenet_raw_sendrecv_all_nodes(evolution_webcal_t) +corenet_tcp_sendrecv_http_port(evolution_webcal_t) +corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) +corenet_tcp_connect_http_cache_port(evolution_webcal_t) +corenet_tcp_connect_http_port(evolution_webcal_t) +corenet_sendrecv_http_client_packets(evolution_webcal_t) +corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) + +# Networking capability - connect to website and handle ics link +sysnet_read_config(evolution_webcal_t) +sysnet_dns_name_resolve(evolution_webcal_t) + +# Search home directory (?) +userdom_search_user_home_dirs(evolution_webcal_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) + +xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) + +optional_policy(` + nscd_socket_use(evolution_webcal_t) +') diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if index 86b8ff7..c136e1f 100644 --- a/policy/modules/apps/games.if +++ b/policy/modules/apps/games.if @@ -1,164 +1,32 @@ ## Games -####################################### +############################################################ ## -## The per role template for the games module. +## Role access for games ## -## -##

-## This template creates a derived domains which are used -## for games. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`games_per_role_template',` - +interface(`games_role',` gen_require(` - type games_exec_t, games_data_t; - ') - - ######################################## - # - # Declarations - # - - type $1_games_t; - application_domain($1_games_t, games_exec_t) - role $3 types $1_games_t; - - type $1_games_devpts_t; - term_pty($1_games_devpts_t) - - type $1_games_tmpfs_t; - files_tmpfs_file($1_games_tmpfs_t) - - type $1_games_tmp_t; - files_tmp_file($1_games_tmp_t) - - ######################################## - # - # Local policy - # - - allow $1_games_t self:sem create_sem_perms; - allow $1_games_t self:tcp_socket create_stream_socket_perms; - allow $1_games_t self:udp_socket create_socket_perms; - - manage_files_pattern($1_games_t, games_data_t, games_data_t) - manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t) - - allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1_games_t,$1_games_devpts_t) - - manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t) - manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t) - files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir }) - - manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t) - manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t) - manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t) - manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t) - fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file }) - - can_exec($1_games_t, games_exec_t) - - domain_auto_trans($2, games_exec_t, $1_games_t) - allow $2 $1_games_t:unix_stream_socket connectto; - allow $1_games_t $2:unix_stream_socket connectto; - - kernel_read_system_state($1_games_t) - - corecmd_exec_bin($1_games_t) - - corenet_all_recvfrom_unlabeled($1_games_t) - corenet_all_recvfrom_netlabel($1_games_t) - corenet_tcp_sendrecv_generic_if($1_games_t) - corenet_udp_sendrecv_generic_if($1_games_t) - corenet_tcp_sendrecv_all_nodes($1_games_t) - corenet_udp_sendrecv_all_nodes($1_games_t) - corenet_tcp_sendrecv_all_ports($1_games_t) - corenet_udp_sendrecv_all_ports($1_games_t) - corenet_tcp_bind_all_nodes($1_games_t) - corenet_tcp_bind_generic_port($1_games_t) - corenet_tcp_connect_generic_port($1_games_t) - corenet_sendrecv_generic_client_packets($1_games_t) - corenet_sendrecv_generic_server_packets($1_games_t) - - dev_read_sound($1_games_t) - dev_write_sound($1_games_t) - dev_read_input($1_games_t) - dev_read_mouse($1_games_t) - dev_read_urand($1_games_t) - - files_list_var($1_games_t) - files_search_var_lib($1_games_t) - files_dontaudit_search_var($1_games_t) - files_read_etc_files($1_games_t) - files_read_usr_files($1_games_t) - files_read_var_files($1_games_t) - - init_dontaudit_rw_utmp($1_games_t) - - logging_dontaudit_search_logs($1_games_t) - - miscfiles_read_man_pages($1_games_t) - miscfiles_read_localization($1_games_t) - - sysnet_read_config($1_games_t) - - userdom_manage_user_tmp_dirs($1,$1_games_t) - userdom_manage_user_tmp_files($1,$1_games_t) - userdom_manage_user_tmp_symlinks($1,$1_games_t) - userdom_manage_user_tmp_sockets($1,$1_games_t) - # Suppress .icons denial until properly implemented - userdom_dontaudit_read_user_home_content_files($1,$1_games_t) - - tunable_policy(`allow_execmem',` - allow $1_games_t self:process execmem; + type games_t, games_exec_t; ') - optional_policy(` - nscd_socket_use($1_games_t) - ') + role $1 types games_t; - optional_policy(` - xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t) - xserver_create_xdm_tmp_sockets($1_games_t) - xserver_read_xdm_lib_files($1_games_t) - ') + domtrans_pattern($2, games_exec_t, games_t) + allow $2 games_t:unix_stream_socket connectto; + allow games_t $2:unix_stream_socket connectto; - ifdef(`TODO',` - gnome_application($1_games, $1) - gnome_file_dialog($1_games, $1) - # Access /home/user/.gnome2 - # FIXME: Change to use per app types - allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms; - allow $1_games_t $1_gnome_settings_t:file manage_file_perms; - allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms; - #missing policy - optional_policy(` - dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; - ') - ') + # Allow the user domain to signal/ps. + ps_process_pattern($2, games_t) + allow $2 games_t:process signal_perms; ') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index 92b1513..eedbc4b 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -1,67 +1,182 @@ -policy_module(games, 1.7.0) +policy_module(games, 2.0.0) ######################################## # # Declarations # +type games_t; +type games_exec_t; +typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; +typealias games_t alias { auditadm_games_t secadm_games_t }; +application_domain(games_t, games_exec_t) +ubac_constrained(games_t) + type games_data_t; +typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; +typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; files_type(games_data_t) +ubac_constrained(games_data_t) + +type games_devpts_t; +typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; +typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; +term_pty(games_devpts_t) +ubac_constrained(games_devpts_t) -# games_t is for system operation of games, generic games daemons and +# games_srv_t is for system operation of games, generic games daemons and # games recovery scripts -type games_t; -type games_exec_t; -init_system_domain(games_t, games_exec_t) +type games_srv_t; +init_system_domain(games_srv_t, games_exec_t) + +type games_srv_var_run_t; +files_pid_file(games_srv_var_run_t) + +type games_tmp_t; +typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; +typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; +files_tmp_file(games_tmp_t) +ubac_constrained(games_tmp_t) -type games_var_run_t; -files_pid_file(games_var_run_t) +type games_tmpfs_t; +typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; +typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; +files_tmpfs_file(games_tmpfs_t) +ubac_constrained(games_tmpfs_t) ######################################## # -# Local policy +# Server local policy # -dontaudit games_t self:capability sys_tty_config; -allow games_t self:process signal_perms; +dontaudit games_srv_t self:capability sys_tty_config; +allow games_srv_t self:process signal_perms; -manage_files_pattern(games_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_t, games_data_t, games_data_t) +manage_files_pattern(games_srv_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) + +manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) +files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) -manage_files_pattern(games_t, games_var_run_t, games_var_run_t) -files_pid_filetrans(games_t, games_var_run_t, file) +can_exec(games_srv_t, games_exec_t) -can_exec(games_t,games_exec_t) +kernel_read_kernel_sysctls(games_srv_t) +kernel_list_proc(games_srv_t) +kernel_read_proc_symlinks(games_srv_t) -kernel_read_kernel_sysctls(games_t) -kernel_list_proc(games_t) -kernel_read_proc_symlinks(games_t) +dev_read_sysfs(games_srv_t) -dev_read_sysfs(games_t) +fs_getattr_all_fs(games_srv_t) +fs_search_auto_mountpoints(games_srv_t) -fs_getattr_all_fs(games_t) -fs_search_auto_mountpoints(games_t) +term_dontaudit_use_console(games_srv_t) -term_dontaudit_use_console(games_t) +domain_use_interactive_fds(games_srv_t) -domain_use_interactive_fds(games_t) +init_use_fds(games_srv_t) +init_use_script_ptys(games_srv_t) -init_use_fds(games_t) -init_use_script_ptys(games_t) +logging_send_syslog_msg(games_srv_t) -logging_send_syslog_msg(games_t) +miscfiles_read_localization(games_srv_t) +userdom_dontaudit_use_unpriv_user_fds(games_srv_t) + +userdom_dontaudit_search_user_home_dirs(games_srv_t) + +optional_policy(` + seutil_sigchld_newrole(games_srv_t) +') + +optional_policy(` + udev_read_db(games_srv_t) +') + +######################################## +# +# Local policy +# + +allow games_t self:sem create_sem_perms; +allow games_t self:tcp_socket create_stream_socket_perms; +allow games_t self:udp_socket create_socket_perms; + +manage_files_pattern(games_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_t, games_data_t, games_data_t) + +allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(games_t, games_devpts_t) + +manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) +manage_files_pattern(games_t, games_tmp_t, games_tmp_t) +files_tmp_filetrans(games_t, games_tmp_t, { file dir }) + +manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(games_t, games_exec_t) + +kernel_read_system_state(games_t) + +corecmd_exec_bin(games_t) + +corenet_all_recvfrom_unlabeled(games_t) +corenet_all_recvfrom_netlabel(games_t) +corenet_tcp_sendrecv_generic_if(games_t) +corenet_udp_sendrecv_generic_if(games_t) +corenet_tcp_sendrecv_all_nodes(games_t) +corenet_udp_sendrecv_all_nodes(games_t) +corenet_tcp_sendrecv_all_ports(games_t) +corenet_udp_sendrecv_all_ports(games_t) +corenet_tcp_bind_all_nodes(games_t) +corenet_tcp_bind_generic_port(games_t) +corenet_tcp_connect_generic_port(games_t) +corenet_sendrecv_generic_client_packets(games_t) +corenet_sendrecv_generic_server_packets(games_t) + +dev_read_sound(games_t) +dev_write_sound(games_t) +dev_read_input(games_t) +dev_read_mouse(games_t) +dev_read_urand(games_t) + +files_list_var(games_t) +files_search_var_lib(games_t) +files_dontaudit_search_var(games_t) +files_read_etc_files(games_t) +files_read_usr_files(games_t) +files_read_var_files(games_t) + +init_dontaudit_rw_utmp(games_t) + +logging_dontaudit_search_logs(games_t) + +miscfiles_read_man_pages(games_t) miscfiles_read_localization(games_t) -userdom_dontaudit_use_unpriv_user_fds(games_t) +sysnet_read_config(games_t) + +userdom_manage_user_tmp_dirs(games_t) +userdom_manage_user_tmp_files(games_t) +userdom_manage_user_tmp_symlinks(games_t) +userdom_manage_user_tmp_sockets(games_t) +# Suppress .icons denial until properly implemented +userdom_dontaudit_read_user_home_content_files(games_t) -sysadm_dontaudit_search_home_dirs(games_t) +tunable_policy(`allow_execmem',` + allow games_t self:process execmem; +') optional_policy(` - seutil_sigchld_newrole(games_t) + nscd_socket_use(games_t) ') optional_policy(` - udev_read_db(games_t) + xserver_user_x_domain_template(games, games_t, games_tmpfs_t) + xserver_create_xdm_tmp_sockets(games_t) + xserver_read_xdm_lib_files(games_t) ') diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc index 2c2a01a..df7ced4 100644 --- a/policy/modules/apps/gift.fc +++ b/policy/modules/apps/gift.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) /usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if index 7ab618e..c9b90d3 100644 --- a/policy/modules/apps/gift.if +++ b/policy/modules/apps/gift.if @@ -1,193 +1,42 @@ ## giFT peer to peer file sharing tool -####################################### +############################################################ ## -## The per role template for the gift module. +## Role access for gift ## -## -##

-## This template creates a derived domains which are used -## for gift client sessions and gift daemons. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`gift_per_role_template',` - - ############################## - # - # Declarations - # - - type $1_gift_t; - application_domain($1_gift_t, gift_exec_t) - role $3 types $1_gift_t; - - type $1_gift_home_t alias $1_gift_rw_t; - files_poly_member($1_gift_home_t) - userdom_user_home_content($1, $1_gift_home_t) - - type $1_gift_tmpfs_t; - files_tmpfs_file($1_gift_tmpfs_t) - - type $1_giftd_t; - application_domain($1_giftd_t, giftd_exec_t) - role $3 types $1_giftd_t; - - ############################## - # - # giFT user interface local policy - # - - allow $1_gift_t self:tcp_socket create_socket_perms; - - manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t) - manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t) - manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t) - manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t) - fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t) - manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t) - manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t) - userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir) +interface(`gift_role',` + gen_require(` + type gift_t, gift_exec_t; + type giftd_t, giftd_exec_t; + type gift_home_t; + ') - # Launch gift daemon - domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t) + role $1 types { gift_t giftd_t }; # transition from user domain - domtrans_pattern($2, gift_exec_t, $1_gift_t) + domtrans_pattern($2, gift_exec_t, gift_t) + domtrans_pattern($2, giftd_exec_t, giftd_t) # user managed content - manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t) - manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t) - manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t) - relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t) - relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t) - relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t) + manage_dirs_pattern($2, gift_home_t, gift_home_t) + manage_files_pattern($2, gift_home_t, gift_home_t) + manage_lnk_files_pattern($2, gift_home_t, gift_home_t) + relabel_dirs_pattern($2, gift_home_t, gift_home_t) + relabel_files_pattern($2, gift_home_t, gift_home_t) + relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) # Allow the user domain to signal/ps. - ps_process_pattern($2, $1_gift_t) - allow $2 $1_gift_t:process signal_perms; - - # Read /proc/meminfo - kernel_read_system_state($1_giftd_t) - - # Connect to gift daemon - corenet_all_recvfrom_unlabeled($1_gift_t) - corenet_all_recvfrom_netlabel($1_gift_t) - corenet_tcp_sendrecv_generic_if($1_gift_t) - corenet_tcp_sendrecv_all_nodes($1_gift_t) - corenet_tcp_sendrecv_giftd_port($1_gift_t) - corenet_tcp_connect_giftd_port($1_gift_t) - corenet_sendrecv_giftd_client_packets($1_gift_t) - - fs_search_auto_mountpoints($1_gift_t) - - sysnet_read_config($1_gift_t) - - # giftui looks in .icons, .themes. - userdom_dontaudit_read_user_home_content_files($1, $1_gift_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_gift_t) - fs_manage_nfs_files($1_gift_t) - fs_manage_nfs_symlinks($1_gift_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_gift_t) - fs_manage_cifs_files($1_gift_t) - fs_manage_cifs_symlinks($1_gift_t) - ') - -# optional_policy(` -# gnome_user_application($1,$1_gift,$1_gift_t) -# ') - - optional_policy(` - nscd_socket_use($1_gift_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t) - ') - - ############################## - # - # giFT server local policy - # - - allow $1_giftd_t self:process { signal setsched }; - allow $1_giftd_t self:unix_stream_socket create_socket_perms; - allow $1_giftd_t self:tcp_socket create_stream_socket_perms; - allow $1_giftd_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t) - manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t) - manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t) - userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir) - - domtrans_pattern($2, giftd_exec_t, $1_giftd_t) - - kernel_read_system_state($1_giftd_t) - kernel_read_kernel_sysctls($1_giftd_t) - - # Serve content on various p2p networks. Ports can be random. - corenet_all_recvfrom_unlabeled($1_giftd_t) - corenet_all_recvfrom_netlabel($1_giftd_t) - corenet_tcp_sendrecv_generic_if($1_giftd_t) - corenet_udp_sendrecv_generic_if($1_giftd_t) - corenet_tcp_sendrecv_all_nodes($1_giftd_t) - corenet_udp_sendrecv_all_nodes($1_giftd_t) - corenet_tcp_sendrecv_all_ports($1_giftd_t) - corenet_udp_sendrecv_all_ports($1_giftd_t) - corenet_tcp_bind_all_nodes($1_giftd_t) - corenet_udp_bind_all_nodes($1_giftd_t) - corenet_tcp_bind_all_ports($1_giftd_t) - corenet_udp_bind_all_ports($1_giftd_t) - corenet_tcp_connect_all_ports($1_giftd_t) - corenet_sendrecv_all_client_packets($1_giftd_t) - - files_read_usr_files($1_giftd_t) - # Read /etc/mtab - files_read_etc_runtime_files($1_giftd_t) - - miscfiles_read_localization($1_giftd_t) - - sysnet_read_config($1_giftd_t) - - userdom_use_user_terminals($1,$1_giftd_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_giftd_t) - fs_manage_nfs_files($1_giftd_t) - fs_manage_nfs_symlinks($1_giftd_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_giftd_t) - fs_manage_cifs_files($1_giftd_t) - fs_manage_cifs_symlinks($1_giftd_t) - ') + ps_process_pattern($2, { gift_t giftd_t }) + allow $2 { gift_t giftd_t }:process signal_perms; ') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te index c0aec31..b7c1e18 100644 --- a/policy/modules/apps/gift.te +++ b/policy/modules/apps/gift.te @@ -1,13 +1,149 @@ -policy_module(gift, 1.4.0) +policy_module(gift, 2.0.0) ######################################## # # Declarations # +type gift_t; type gift_exec_t; -application_executable_file(gift_exec_t) +typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; +typealias gift_t alias { auditadm_gift_t secadm_gift_t }; +application_domain(gift_t, gift_exec_t) +ubac_constrained(gift_t) +type gift_home_t; +typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; +typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; +files_poly_member(gift_home_t) +userdom_user_home_content(gift_home_t) + +type gift_tmpfs_t; +typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; +typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; +files_tmpfs_file(gift_tmpfs_t) +ubac_constrained(gift_tmpfs_t) + +type giftd_t; type giftd_exec_t; -application_executable_file(giftd_exec_t) +typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; +typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; +application_domain(giftd_t, giftd_exec_t) +ubac_constrained(giftd_t) + +############################## +# +# giFT user interface local policy +# + +allow gift_t self:tcp_socket create_socket_perms; + +manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) +manage_files_pattern(gift_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) + +# Launch gift daemon +domtrans_pattern(gift_t, giftd_exec_t, giftd_t) + +# Read /proc/meminfo +kernel_read_system_state(giftd_t) + +# Connect to gift daemon +corenet_all_recvfrom_unlabeled(gift_t) +corenet_all_recvfrom_netlabel(gift_t) +corenet_tcp_sendrecv_generic_if(gift_t) +corenet_tcp_sendrecv_all_nodes(gift_t) +corenet_tcp_sendrecv_giftd_port(gift_t) +corenet_tcp_connect_giftd_port(gift_t) +corenet_sendrecv_giftd_client_packets(gift_t) + +fs_search_auto_mountpoints(gift_t) + +sysnet_read_config(gift_t) + +# giftui looks in .icons, .themes. +userdom_dontaudit_read_user_home_content_files(gift_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gift_t) + fs_manage_nfs_files(gift_t) + fs_manage_nfs_symlinks(gift_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gift_t) + fs_manage_cifs_files(gift_t) + fs_manage_cifs_symlinks(gift_t) +') + +optional_policy(` + nscd_socket_use(gift_t) +') + +optional_policy(` + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) +') + +############################## +# +# giFT server local policy +# + +allow giftd_t self:process { signal setsched }; +allow giftd_t self:unix_stream_socket create_socket_perms; +allow giftd_t self:tcp_socket create_stream_socket_perms; +allow giftd_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) +manage_files_pattern(giftd_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) + +kernel_read_system_state(giftd_t) +kernel_read_kernel_sysctls(giftd_t) + +# Serve content on various p2p networks. Ports can be random. +corenet_all_recvfrom_unlabeled(giftd_t) +corenet_all_recvfrom_netlabel(giftd_t) +corenet_tcp_sendrecv_generic_if(giftd_t) +corenet_udp_sendrecv_generic_if(giftd_t) +corenet_tcp_sendrecv_all_nodes(giftd_t) +corenet_udp_sendrecv_all_nodes(giftd_t) +corenet_tcp_sendrecv_all_ports(giftd_t) +corenet_udp_sendrecv_all_ports(giftd_t) +corenet_tcp_bind_all_nodes(giftd_t) +corenet_udp_bind_all_nodes(giftd_t) +corenet_tcp_bind_all_ports(giftd_t) +corenet_udp_bind_all_ports(giftd_t) +corenet_tcp_connect_all_ports(giftd_t) +corenet_sendrecv_all_client_packets(giftd_t) + +files_read_usr_files(giftd_t) +# Read /etc/mtab +files_read_etc_runtime_files(giftd_t) + +miscfiles_read_localization(giftd_t) + +sysnet_read_config(giftd_t) + +userdom_use_user_terminals(giftd_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(giftd_t) + fs_manage_nfs_files(giftd_t) + fs_manage_nfs_symlinks(giftd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(giftd_t) + fs_manage_cifs_files(giftd_t) + fs_manage_cifs_symlinks(giftd_t) +') diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index e5f5f1c..223a9d1 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc @@ -1,8 +1,8 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) +HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) -/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0) +/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 8da9f61..9601de0 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,190 +1,93 @@ ## GNU network object model environment (GNOME) -######################################## +############################################################ ## -## The per role template for the gnome module. +## Role access for gnome ## -## -##

-## This template creates a derived domain which is used -## for gconf sessions. -##

-##

-## This template is invoked automatically for each role, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`gnome_per_role_template',` +interface(`gnome_role',` gen_require(` - type gconfd_exec_t, gconf_etc_t; - attribute gnomedomain; + type gconfd_t, gconfd_exec_t; + type gconf_tmp_t; ') - ############################## - # - # Declarations - # - type $1_gconfd_t, gnomedomain; - - application_domain($1_gconfd_t, gconfd_exec_t) - role $3 types $1_gconfd_t; - - type $1_gconf_home_t; - userdom_user_home_content($1, $1_gconf_home_t) - - type $1_gnome_home_t; - userdom_user_home_content($1, $1_gnome_home_t) - - type $1_gconf_tmp_t; - files_tmp_file($1_gconf_tmp_t) - - ############################## - # - # Local Policy - # - - allow $1_gconfd_t self:process getsched; - allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; - - manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) - manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) - userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir) - - manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) - manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) - userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file }) - - domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t) - allow $1_gconfd_t $2:fd use; - allow $1_gconfd_t $2:fifo_file write; - allow $1_gconfd_t $2:unix_stream_socket connectto; - - allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; - read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t) + role $1 types gconfd_t; - ps_process_pattern($2, $1_gconfd_t) + domain_auto_trans($2, gconfd_exec_t, gconfd_t) + allow gconfd_t $2:fd use; + allow gconfd_t $2:fifo_file write; + allow gconfd_t $2:unix_stream_socket connectto; - dev_read_urand($1_gconfd_t) + ps_process_pattern($2, gconfd_t) - files_read_etc_files($1_gconfd_t) - - miscfiles_read_localization($1_gconfd_t) - - logging_send_syslog_msg($1_gconfd_t) - - userdom_manage_user_tmp_sockets($1, $1_gconfd_t) - userdom_manage_user_tmp_dirs($1, $1_gconfd_t) - userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir) - - gnome_stream_connect_gconf_template($1, $2) - - optional_policy(` - nscd_dontaudit_search_pid($1_gconfd_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_gconfd_t) - xserver_rw_xdm_pipes($1_gconfd_t) - ') + #gnome_stream_connect_gconf_template($1, $2) + read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) + allow $2 gconfd_t:unix_stream_socket connectto; ') ######################################## ## ## gconf connection template. ## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The type of the user domain. ## ## # -template(`gnome_stream_connect_gconf_template',` +interface(`gnome_stream_connect_gconf',` gen_require(` - type $1_gconfd_t, $1_gconf_tmp_t; + type gconfd_t, gconf_tmp_t; ') - read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t) - allow $2 $1_gconfd_t:unix_stream_socket connectto; + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; ') ######################################## ## -## Run gconfd in the role-specific gconfd domain. +## Run gconfd in gconfd domain. ## -## -##

-## Run gconfd in the role-specfic gconfd domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`gnome_domtrans_user_gconf',` +interface(`gnome_domtrans_gconfd',` gen_require(` - type $1_gconfd_t, gconfd_exec_t; + type gconfd_t, gconfd_exec_t; ') - domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t) + domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') ######################################## ## ## manage gnome homedir content (.config) ## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The type of the user domain. ## ## # -template(`gnome_manage_user_gnome_config',` +interface(`gnome_manage_config',` gen_require(` - type $1_gnome_home_t; + type gnome_home_t; ') - allow $2 $1_gnome_home_t:dir manage_dir_perms; - allow $2 $1_gnome_home_t:file manage_file_perms; + allow $1 gnome_home_t:dir manage_dir_perms; + allow $1 gnome_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 1bfe4dd..984009e 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -1,5 +1,5 @@ -policy_module(gnome, 1.3.0) +policy_module(gnome, 2.0.0) ############################## # @@ -11,5 +11,65 @@ attribute gnomedomain; type gconf_etc_t; files_type(gconf_etc_t) +type gconf_home_t; +typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; +typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +userdom_user_home_content(gconf_home_t) + +type gconf_tmp_t; +typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; +typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +files_tmp_file(gconf_tmp_t) +ubac_constrained(gconf_tmp_t) + +type gconfd_t, gnomedomain; type gconfd_exec_t; -application_executable_file(gconfd_exec_t) +typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +application_domain(gconfd_t, gconfd_exec_t) +ubac_constrained(gconfd_t) + +type gnome_home_t; +typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; +typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +userdom_user_home_content(gnome_home_t) + +############################## +# +# Local Policy +# + +allow gconfd_t self:process getsched; +allow gconfd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) + +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) + +files_read_etc_files(gconfd_t) + +miscfiles_read_localization(gconfd_t) + +logging_send_syslog_msg(gconfd_t) + +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + +optional_policy(` + nscd_dontaudit_search_pid(gconfd_t) +') + +optional_policy(` + xserver_use_xdm_fds(gconfd_t) + xserver_rw_xdm_pipes(gconfd_t) +') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index 0c5dc94..3a42f2a 100644 --- a/policy/modules/apps/gpg.fc +++ b/policy/modules/apps/gpg.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if index 9b03de2..176e01d 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if @@ -1,382 +1,88 @@ ## Policy for GNU Privacy Guard and related programs. -####################################### +############################################################ ## -## The per role template for the gpg module. +## Role access for gpg ## -## -##

-## This template creates the types and rules for GPG, -## GPG-agent, and GPG helper programs. This protects -## the user keys and secrets, and runs the programs -## in domains specific to the user type. -##

-##

-## This is invoked automatically for each user and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user. +## User domain for the role ## ## # -template(`gpg_per_role_template',` +interface(`gpg_role',` gen_require(` - type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t; + type gpg_t, gpg_exec_t; + type gpg_agent_t, gpg_agent_exec_t; + type gpg_agent_tmp_t; + type gpg_helper_t, gpg_pinentry_t; ') - ######################################## - # - # Declarations - # - - type $1_gpg_t; - application_domain($1_gpg_t, gpg_exec_t) - role $3 types $1_gpg_t; - - type $1_gpg_agent_t; - application_domain($1_gpg_agent_t, gpg_agent_exec_t) - role $3 types $1_gpg_agent_t; - - type $1_gpg_agent_tmp_t; - files_tmp_file($1_gpg_agent_tmp_t) - - type $1_gpg_secret_t; - userdom_user_home_content($1, $1_gpg_secret_t) - - type $1_gpg_helper_t; - application_domain($1_gpg_helper_t, gpg_helper_exec_t) - role $3 types $1_gpg_helper_t; - - type $1_gpg_pinentry_t; - application_domain($1_gpg_pinentry_t, pinentry_exec_t) - role $3 types $1_gpg_pinentry_t; - - ######################################## - # - # GPG local policy - # - - allow $1_gpg_t self:capability { ipc_lock setuid }; - allow { $2 $1_gpg_t } $1_gpg_t:process signal; - # setrlimit is for ulimit -c 0 - allow $1_gpg_t self:process { setrlimit setcap setpgid }; - - allow $1_gpg_t self:fifo_file rw_fifo_file_perms; - allow $1_gpg_t self:tcp_socket create_stream_socket_perms; - - # transition from the gpg domain to the helper domain - domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) - - manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) - allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms; - userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir) + role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; # transition from the userdomain to the derived domain - domtrans_pattern($2, gpg_exec_t, $1_gpg_t) + domtrans_pattern($2, gpg_exec_t, gpg_t) # allow ps to show gpg - ps_process_pattern($2, $1_gpg_t) - - corenet_all_recvfrom_unlabeled($1_gpg_t) - corenet_all_recvfrom_netlabel($1_gpg_t) - corenet_tcp_sendrecv_all_if($1_gpg_t) - corenet_udp_sendrecv_all_if($1_gpg_t) - corenet_tcp_sendrecv_all_nodes($1_gpg_t) - corenet_udp_sendrecv_all_nodes($1_gpg_t) - corenet_tcp_sendrecv_all_ports($1_gpg_t) - corenet_udp_sendrecv_all_ports($1_gpg_t) - corenet_tcp_connect_all_ports($1_gpg_t) - corenet_sendrecv_all_client_packets($1_gpg_t) - - dev_read_rand($1_gpg_t) - dev_read_urand($1_gpg_t) - - fs_getattr_xattr_fs($1_gpg_t) - - domain_use_interactive_fds($1_gpg_t) - - files_read_etc_files($1_gpg_t) - files_read_usr_files($1_gpg_t) - files_dontaudit_search_var($1_gpg_t) - - miscfiles_read_localization($1_gpg_t) - - logging_send_syslog_msg($1_gpg_t) - - sysnet_read_config($1_gpg_t) - - userdom_use_user_terminals($1, $1_gpg_t) - - optional_policy(` - nis_use_ypbind($1_gpg_t) - ') - - ifdef(`TODO',` - # Read content to encrypt/decrypt/sign - read_content($1_gpg_t, $1) - - # Write content to encrypt/decrypt/sign - write_trusted($1_gpg_t, $1) - ') dnl end TODO - - ######################################## - # - # GPG helper local policy - # - - # for helper programs (which automatically fetch keys) - # Note: this is only tested with the hkp interface. If you use eg the - # mail interface you will likely need additional permissions. - - allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; - allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms }; - allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms }; + ps_process_pattern($2, gpg_t) + allow $2 gpg_t:process signal; # communicate with the user - allow $1_gpg_helper_t $2:fd use; - allow $1_gpg_helper_t $2:fifo_file write; - - dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; - - corenet_all_recvfrom_unlabeled($1_gpg_helper_t) - corenet_all_recvfrom_netlabel($1_gpg_helper_t) - corenet_tcp_sendrecv_all_if($1_gpg_helper_t) - corenet_raw_sendrecv_all_if($1_gpg_helper_t) - corenet_udp_sendrecv_all_if($1_gpg_helper_t) - corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) - corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) - corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) - corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) - corenet_udp_sendrecv_all_ports($1_gpg_helper_t) - corenet_tcp_bind_all_nodes($1_gpg_helper_t) - corenet_udp_bind_all_nodes($1_gpg_helper_t) - corenet_tcp_connect_all_ports($1_gpg_helper_t) - - dev_read_urand($1_gpg_helper_t) - - files_read_etc_files($1_gpg_helper_t) - # for nscd - files_dontaudit_search_var($1_gpg_helper_t) - - sysnet_read_config($1_gpg_helper_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files($1_gpg_helper_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files($1_gpg_helper_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_gpg_t) - xserver_rw_xdm_pipes($1_gpg_t) - ') - - ######################################## - # - # GPG agent local policy - # - - # rlimit: gpg-agent wants to prevent coredumps - allow $1_gpg_agent_t self:process setrlimit; - - allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; - allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; - - # Allow the gpg-agent to manage its tmp files (socket) - manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) - - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) - manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) - - # allow gpg to connect to the gpg agent - stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t) + allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fifo_file write; # allow ps to show gpg-agent - ps_process_pattern($2, $1_gpg_agent_t) + ps_process_pattern($2, gpg_agent_t) # Allow the user shell to signal the gpg-agent program. - allow $2 $1_gpg_agent_t:process { signal sigkill signull }; - - # Allow the user to manage gpg-agent tmp files (socket) - manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) - - corecmd_search_bin($1_gpg_agent_t) - - domain_use_interactive_fds($1_gpg_agent_t) - - miscfiles_read_localization($1_gpg_agent_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1, $1_gpg_agent_t) - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - userdom_search_user_home_dirs($1, $1_gpg_agent_t) - - tunable_policy(`gpg_agent_env_file',` - # write ~/.gpg-agent-info or a similar to the users home dir - # or subdir (gpg-agent --write-env-file option) - # - userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file) - userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t) - userdom_manage_user_home_content_files($1, $1_gpg_agent_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_gpg_agent_t) - fs_manage_nfs_files($1_gpg_agent_t) - fs_manage_nfs_symlinks($1_gpg_agent_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_gpg_agent_t) - fs_manage_cifs_files($1_gpg_agent_t) - fs_manage_cifs_symlinks($1_gpg_agent_t) - ') - - ############################## - # - # Pinentry local policy - # - - allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; - - # we need to allow gpg-agent to call pinentry so it can get the passphrase - # from the user. - domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) - - # read /proc/meminfo - kernel_read_system_state($1_gpg_pinentry_t) + allow $2 gpg_agent_t:process { signal sigkill }; - files_read_usr_files($1_gpg_pinentry_t) - # read /etc/X11/qtrc - files_read_etc_files($1_gpg_pinentry_t) + manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - miscfiles_read_fonts($1_gpg_pinentry_t) - miscfiles_read_localization($1_gpg_pinentry_t) - - # for .Xauthority - userdom_read_user_home_content_files($1, $1_gpg_pinentry_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_gpg_pinentry_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files($1_gpg_pinentry_t) - ') - - optional_policy(` - xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t) - ') - - ifdef(`TODO',` - allow $1_gpg_pinentry_t tmp_t:dir { getattr search }; - - # wants to put some lock files into the user home dir, seems to work fine without - dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; - dontaudit $1_gpg_pinentry_t $1_home_t:file write; - - tunable_policy(`use_nfs_home_dirs',` - dontaudit $1_gpg_pinentry_t nfs_t:dir write; - dontaudit $1_gpg_pinentry_t nfs_t:file write; - ') - - tunable_policy(`use_samba_home_dirs',` - dontaudit $1_gpg_pinentry_t cifs_t:dir write; - dontaudit $1_gpg_pinentry_t cifs_t:file write; - ') - - dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; - ') dnl end TODO + # Transition from the user domain to the agent domain. + domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) ') ######################################## ## ## Transition to a user gpg domain. ## -## -##

-## Transition to a user gpg domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`gpg_domtrans_user_gpg',` +interface(`gpg_domtrans',` gen_require(` - type $1_gpg_t, gpg_exec_t; + type gpg_t, gpg_exec_t; ') - domtrans_pattern($2, gpg_exec_t, $1_gpg_t) + domtrans_pattern($1, gpg_exec_t, gpg_t) ') ######################################## ## ## Send generic signals to user gpg processes. ## -## -##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`gpg_signal_user_gpg',` +interface(`gpg_signal',` gen_require(` - type $1_gpg_t; + type gpg_t; ') - allow $2 $1_gpg_t:process signal; + allow $1 gpg_t:process signal; ') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 6754d6d..061b94c 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -1,5 +1,5 @@ -policy_module(gpg, 1.6.0) +policy_module(gpg, 2.0.0) ######################################## # @@ -14,16 +14,239 @@ policy_module(gpg, 1.6.0) ## gen_tunable(gpg_agent_env_file, false) -# Type for gpg or pgp executables. +type gpg_t; type gpg_exec_t; -type gpg_helper_exec_t; -application_executable_file(gpg_exec_t) -application_executable_file(gpg_helper_exec_t) +typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; +typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; +application_domain(gpg_t, gpg_exec_t) +ubac_constrained(gpg_t) -# Type for the gpg-agent executable. +type gpg_agent_t; type gpg_agent_exec_t; -application_executable_file(gpg_agent_exec_t) +typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; +typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; +application_domain(gpg_agent_t, gpg_agent_exec_t) +ubac_constrained(gpg_agent_t) + +type gpg_agent_tmp_t; +typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; +typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; +files_tmp_file(gpg_agent_tmp_t) +ubac_constrained(gpg_agent_tmp_t) + +type gpg_secret_t; +typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; +typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; +userdom_user_home_content(gpg_secret_t) + +type gpg_helper_t; +type gpg_helper_exec_t; +typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; +typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; +application_domain(gpg_helper_t, gpg_helper_exec_t) +ubac_constrained(gpg_helper_t) -# type for the pinentry executable +type gpg_pinentry_t; type pinentry_exec_t; -application_executable_file(pinentry_exec_t) +typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; +typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; +application_domain(gpg_pinentry_t, pinentry_exec_t) +ubac_constrained(gpg_pinentry_t) + +######################################## +# +# GPG local policy +# + +allow gpg_t self:capability { ipc_lock setuid }; +# setrlimit is for ulimit -c 0 +allow gpg_t self:process { signal setrlimit setcap setpgid }; + +allow gpg_t self:fifo_file rw_fifo_file_perms; +allow gpg_t self:tcp_socket create_stream_socket_perms; + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +allow gpg_t gpg_secret_t:dir create_dir_perms; +manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) +corenet_tcp_sendrecv_all_if(gpg_t) +corenet_udp_sendrecv_all_if(gpg_t) +corenet_tcp_sendrecv_all_nodes(gpg_t) +corenet_udp_sendrecv_all_nodes(gpg_t) +corenet_tcp_sendrecv_all_ports(gpg_t) +corenet_udp_sendrecv_all_ports(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) +corenet_sendrecv_all_client_packets(gpg_t) + +dev_read_rand(gpg_t) +dev_read_urand(gpg_t) + +fs_getattr_xattr_fs(gpg_t) + +domain_use_interactive_fds(gpg_t) + +files_read_etc_files(gpg_t) +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + +miscfiles_read_localization(gpg_t) + +logging_send_syslog_msg(gpg_t) + +sysnet_read_config(gpg_t) + +userdom_use_user_terminals(gpg_t) + +optional_policy(` + nis_use_ypbind(gpg_t) +') + +######################################## +# +# GPG helper local policy +# + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. + +allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +dontaudit gpg_helper_t gpg_secret_t:file read; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) +corenet_tcp_sendrecv_all_if(gpg_helper_t) +corenet_raw_sendrecv_all_if(gpg_helper_t) +corenet_udp_sendrecv_all_if(gpg_helper_t) +corenet_tcp_sendrecv_all_nodes(gpg_helper_t) +corenet_udp_sendrecv_all_nodes(gpg_helper_t) +corenet_raw_sendrecv_all_nodes(gpg_helper_t) +corenet_tcp_sendrecv_all_ports(gpg_helper_t) +corenet_udp_sendrecv_all_ports(gpg_helper_t) +corenet_tcp_bind_all_nodes(gpg_helper_t) +corenet_udp_bind_all_nodes(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + +dev_read_urand(gpg_helper_t) + +files_read_etc_files(gpg_helper_t) +# for nscd +files_dontaudit_search_var(gpg_helper_t) + +sysnet_read_config(gpg_helper_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(gpg_helper_t) +') + +optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) +') + +######################################## +# +# GPG agent local policy +# + +# rlimit: gpg-agent wants to prevent coredumps +allow gpg_agent_t self:process setrlimit; + +allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +# Allow the gpg-agent to manage its tmp files (socket) +manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +# allow gpg to connect to the gpg agent +stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + +corecmd_search_bin(gpg_agent_t) + +domain_use_interactive_fds(gpg_agent_t) + +miscfiles_read_localization(gpg_agent_t) + +# Write to the user domain tty. +userdom_use_user_terminals(gpg_agent_t) +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +userdom_search_user_home_dirs(gpg_agent_t) + +tunable_policy(`gpg_agent_env_file',` + # write ~/.gpg-agent-info or a similar to the users home dir + # or subdir (gpg-agent --write-env-file option) + # + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) + userdom_manage_user_home_content_dirs(gpg_agent_t) + userdom_manage_user_home_content_files(gpg_agent_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_agent_t) + fs_manage_nfs_files(gpg_agent_t) + fs_manage_nfs_symlinks(gpg_agent_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_agent_t) + fs_manage_cifs_files(gpg_agent_t) + fs_manage_cifs_symlinks(gpg_agent_t) +') + +############################## +# +# Pinentry local policy +# + +allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; +allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; + +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + +# read /proc/meminfo +kernel_read_system_state(gpg_pinentry_t) + +files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc +files_read_etc_files(gpg_pinentry_t) + +miscfiles_read_fonts(gpg_pinentry_t) +miscfiles_read_localization(gpg_pinentry_t) + +# for .Xauthority +userdom_read_user_home_content_files(gpg_pinentry_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(gpg_pinentry_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(gpg_pinentry_t) +') + +optional_policy(` + xserver_stream_connect(gpg_pinentry_t) +') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc index 618588c..65ece18 100644 --- a/policy/modules/apps/irc.fc +++ b/policy/modules/apps/irc.fc @@ -1,11 +1,11 @@ # # /home # -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0) +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) # # /usr # -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if index 42d49ac..4f9dc90 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if @@ -1,147 +1,31 @@ ## IRC client policy -####################################### +######################################## ## -## The per role template for the irc module. +## Role access for IRC ## -## -##

-## This template creates a derived domains which are used -## for an irc client sessions. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`irc_per_role_template',` +interface(`irc_role',` gen_require(` - type irc_exec_t; + type irc_t, irc_exec_t; ') - ######################################## - # - # Declarations - # - - type $1_irc_t; - application_domain($1_irc_t, irc_exec_t) - role $3 types $1_irc_t; - - type $1_irc_exec_t; - userdom_user_home_content($1, $1_irc_exec_t) - application_domain($1_irc_t, $1_irc_exec_t) - - type $1_irc_home_t; - userdom_user_home_content($1, $1_irc_home_t) - - type $1_irc_tmp_t; - userdom_user_home_content($1, $1_irc_tmp_t) - - ######################################## - # - # Local policy - # - - allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; - allow $1_irc_t self:tcp_socket create_socket_perms; - allow $1_irc_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) - manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) - manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) - userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file }) - - # access files under /tmp - manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) - manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) - manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) - manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) - manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) - files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + role $1 types irc_t; # Transition from the user domain to the derived domain. - domtrans_pattern($2, irc_exec_t, $1_irc_t) - - allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms }; + domtrans_pattern($2, irc_exec_t, irc_t) # allow ps to show irc - ps_process_pattern($2, $1_irc_t) - allow $2 $1_irc_t:process signal; - - kernel_read_proc_symlinks($1_irc_t) - - corenet_all_recvfrom_unlabeled($1_irc_t) - corenet_all_recvfrom_netlabel($1_irc_t) - corenet_tcp_sendrecv_generic_if($1_irc_t) - corenet_udp_sendrecv_generic_if($1_irc_t) - corenet_tcp_sendrecv_all_nodes($1_irc_t) - corenet_udp_sendrecv_all_nodes($1_irc_t) - corenet_tcp_sendrecv_all_ports($1_irc_t) - corenet_udp_sendrecv_all_ports($1_irc_t) - corenet_sendrecv_ircd_client_packets($1_irc_t) - # cjp: this seems excessive: - corenet_tcp_connect_all_ports($1_irc_t) - corenet_sendrecv_all_client_packets($1_irc_t) - - domain_use_interactive_fds($1_irc_t) - - files_dontaudit_search_pids($1_irc_t) - files_search_var($1_irc_t) - files_read_etc_files($1_irc_t) - files_read_usr_files($1_irc_t) - - fs_getattr_xattr_fs($1_irc_t) - fs_search_auto_mountpoints($1_irc_t) - - term_use_controlling_term($1_irc_t) - term_list_ptys($1_irc_t) - - # allow utmp access - init_read_utmp($1_irc_t) - init_dontaudit_lock_utmp($1_irc_t) - - miscfiles_read_localization($1_irc_t) - - # Inherit and use descriptors from newrole. - seutil_use_newrole_fds($1_irc_t) - - sysnet_read_config($1_irc_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1, $1_irc_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_irc_t) - fs_manage_nfs_files($1_irc_t) - fs_manage_nfs_symlinks($1_irc_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_irc_t) - fs_manage_cifs_files($1_irc_t) - fs_manage_cifs_symlinks($1_irc_t) - ') - - optional_policy(` - nis_use_ypbind($1_irc_t) - ') + ps_process_pattern($2, irc_t) + allow $2 irc_t:process signal; ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 31208b6..c8b6405 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -1,10 +1,104 @@ -policy_module(irc, 1.4.0) +policy_module(irc, 2.0.0) ######################################## # # Declarations # +type irc_t; type irc_exec_t; -application_executable_file(irc_exec_t) +typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; +typealias irc_t alias { auditadm_irc_t secadm_irc_t }; +application_domain(irc_t, irc_exec_t) +ubac_constrained(irc_t) + +type irc_home_t; +typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; +typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; +userdom_user_home_content(irc_home_t) + +type irc_tmp_t; +typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; +typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; +userdom_user_home_content(irc_tmp_t) + +######################################## +# +# Local policy +# + +allow irc_t self:unix_stream_socket create_stream_socket_perms; +allow irc_t self:tcp_socket create_socket_perms; +allow irc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) +manage_files_pattern(irc_t, irc_home_t, irc_home_t) +manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) +userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) + +# access files under /tmp +manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + +kernel_read_proc_symlinks(irc_t) + +corenet_all_recvfrom_unlabeled(irc_t) +corenet_all_recvfrom_netlabel(irc_t) +corenet_tcp_sendrecv_generic_if(irc_t) +corenet_udp_sendrecv_generic_if(irc_t) +corenet_tcp_sendrecv_all_nodes(irc_t) +corenet_udp_sendrecv_all_nodes(irc_t) +corenet_tcp_sendrecv_all_ports(irc_t) +corenet_udp_sendrecv_all_ports(irc_t) +corenet_sendrecv_ircd_client_packets(irc_t) +# cjp: this seems excessive: +corenet_tcp_connect_all_ports(irc_t) +corenet_sendrecv_all_client_packets(irc_t) + +domain_use_interactive_fds(irc_t) + +files_dontaudit_search_pids(irc_t) +files_search_var(irc_t) +files_read_etc_files(irc_t) +files_read_usr_files(irc_t) + +fs_getattr_xattr_fs(irc_t) +fs_search_auto_mountpoints(irc_t) + +term_use_controlling_term(irc_t) +term_list_ptys(irc_t) + +# allow utmp access +init_read_utmp(irc_t) +init_dontaudit_lock_utmp(irc_t) + +miscfiles_read_localization(irc_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(irc_t) + +sysnet_read_config(irc_t) + +# Write to the user domain tty. +userdom_use_user_terminals(irc_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(irc_t) + fs_manage_nfs_files(irc_t) + fs_manage_nfs_symlinks(irc_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(irc_t) + fs_manage_cifs_files(irc_t) + fs_manage_cifs_symlinks(irc_t) +') + +optional_policy(` + nis_use_ypbind(irc_t) +') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index 11f192c..a620f39 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -1,206 +1,58 @@ ## Java virtual machine -####################################### +######################################## ## -## The per role template for the java module. +## Role access for java ## -## -##

-## This template creates a derived domains which are used -## for java plugins that are executed by a browser. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`java_per_role_template',` +interface(`java_role',` gen_require(` - type java_exec_t; + type java_t, java_exec_t; ') - ######################################## - # - # Declarations - # - - type $1_javaplugin_t; - application_domain($1_javaplugin_t, java_exec_t) - role $3 types $1_javaplugin_t; - - type $1_javaplugin_tmp_t; - files_tmp_file($1_javaplugin_tmp_t) - - type $1_javaplugin_tmpfs_t; - files_tmpfs_file($1_javaplugin_tmpfs_t) - - ######################################## - # - # Local policy - # - - allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; - allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; - allow $1_javaplugin_t self:tcp_socket create_socket_perms; - allow $1_javaplugin_t self:udp_socket create_socket_perms; - - allow $1_javaplugin_t $2:unix_stream_socket connectto; - allow $1_javaplugin_t $2:unix_stream_socket { read write }; - userdom_write_user_tmp_sockets($1, $1_javaplugin_t) - - manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) - manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) - files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir }) - - manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - manage_fifo_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - - rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) - read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) - - can_exec($1_javaplugin_t, java_exec_t) + role $1 types java_t; # The user role is authorized for this domain. - domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) - allow $1_javaplugin_t $2:fd use; + domtrans_pattern($2, java_exec_t, java_t) + allow java_t $2:process signull; # Unrestricted inheritance from the caller. - allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; - allow $1_javaplugin_t $2:process signull; - - kernel_read_all_sysctls($1_javaplugin_t) - kernel_search_vm_sysctl($1_javaplugin_t) - kernel_read_network_state($1_javaplugin_t) - kernel_read_system_state($1_javaplugin_t) - - # Search bin directory under javaplugin for javaplugin executable - corecmd_search_bin($1_javaplugin_t) - - corenet_all_recvfrom_unlabeled($1_javaplugin_t) - corenet_all_recvfrom_netlabel($1_javaplugin_t) - corenet_tcp_sendrecv_generic_if($1_javaplugin_t) - corenet_udp_sendrecv_generic_if($1_javaplugin_t) - corenet_tcp_sendrecv_all_nodes($1_javaplugin_t) - corenet_udp_sendrecv_all_nodes($1_javaplugin_t) - corenet_tcp_sendrecv_all_ports($1_javaplugin_t) - corenet_udp_sendrecv_all_ports($1_javaplugin_t) - corenet_tcp_connect_all_ports($1_javaplugin_t) - corenet_sendrecv_all_client_packets($1_javaplugin_t) - - dev_read_sound($1_javaplugin_t) - dev_write_sound($1_javaplugin_t) - dev_read_urand($1_javaplugin_t) - dev_read_rand($1_javaplugin_t) - - files_read_etc_files($1_javaplugin_t) - files_read_usr_files($1_javaplugin_t) - files_search_home($1_javaplugin_t) - files_search_var_lib($1_javaplugin_t) - files_read_etc_runtime_files($1_javaplugin_t) - # Read global fonts and font config - files_read_etc_files($1_javaplugin_t) - - fs_getattr_xattr_fs($1_javaplugin_t) - fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) + allow $2 java_t:process { noatsecure siginh rlimitinh }; - logging_send_syslog_msg($1_javaplugin_t) - - miscfiles_read_localization($1_javaplugin_t) - # Read global fonts and font config - miscfiles_read_fonts($1_javaplugin_t) - - sysnet_read_config($1_javaplugin_t) - - userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t) - userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t) - userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t) - userdom_manage_user_home_content_dirs($1, $1_javaplugin_t) - userdom_manage_user_home_content_files($1, $1_javaplugin_t) - userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t) - userdom_manage_user_home_content_pipes($1, $1_javaplugin_t) - userdom_manage_user_home_content_sockets($1, $1_javaplugin_t) - userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file }) - - tunable_policy(`allow_java_execstack',` - allow $1_javaplugin_t self:process execstack; - - allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; - - libs_legacy_use_shared_libs($1_javaplugin_t) - libs_legacy_use_ld_so($1_javaplugin_t) - - miscfiles_legacy_read_localization($1_javaplugin_t) - ') - - optional_policy(` - nis_use_ypbind($1_javaplugin_t) - ') - - optional_policy(` - nscd_socket_use($1_javaplugin_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t) - ') + allow java_t $2:unix_stream_socket connectto; + allow java_t $2:unix_stream_socket { read write }; ') ######################################## ## ## Run java in javaplugin domain. ## -## -##

-## Run java in javaplugin domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`java_domtrans_user_javaplugin',` +template(`java_domtrans',` gen_require(` - type $1_javaplugin_t, java_exec_t; + type java_t, java_exec_t; ') - domtrans_pattern($2, java_exec_t, $1_javaplugin_t) + domtrans_pattern($1, java_exec_t, java_t) ') ######################################## ## -## Execute the java program in the java domain. +## Execute the java program in the unconfined java domain. ## ## ## @@ -208,11 +60,11 @@ template(`java_domtrans_user_javaplugin',` ## ## # -interface(`java_domtrans',` +interface(`java_domtrans_unconfined',` gen_require(` - type java_t, java_exec_t; + type unconfined_java_t, java_exec_t; ') + domtrans_pattern($1, java_exec_t, unconfined_java_t) corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, java_t) ') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 16d43eb..1f866e7 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -1,5 +1,5 @@ -policy_module(java, 1.8.0) +policy_module(java, 2.0.0) ######################################## # @@ -15,19 +15,136 @@ gen_tunable(allow_java_execstack, false) type java_t; type java_exec_t; -init_system_domain(java_t, java_exec_t) +application_domain(java_t, java_exec_t) +ubac_constrained(java_t) +typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; +typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; + +type java_tmp_t; +files_tmp_file(java_tmp_t) +ubac_constrained(java_tmp_t) +typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; +typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; + +type java_tmpfs_t; +ubac_constrained(java_tmpfs_t) +files_tmpfs_file(java_tmpfs_t) +typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; +typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; + +type unconfined_java_t; +init_system_domain(unconfined_java_t, java_exec_t) ######################################## # # Local policy # -# execheap is needed for itanium/BEA jrocket -allow java_t self:process { execstack execmem execheap }; +allow java_t self:process { signal_perms getsched setsched execmem }; +allow java_t self:fifo_file rw_fifo_file_perms; +allow java_t self:tcp_socket create_socket_perms; +allow java_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) +manage_files_pattern(java_t, java_tmp_t, java_tmp_t) +files_tmp_filetrans(java_t, java_tmp_t,{ file dir }) + +manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(java_t, java_exec_t) + +kernel_read_all_sysctls(java_t) +kernel_search_vm_sysctl(java_t) +kernel_read_network_state(java_t) +kernel_read_system_state(java_t) + +# Search bin directory under java for java executable +corecmd_search_bin(java_t) + +corenet_all_recvfrom_unlabeled(java_t) +corenet_all_recvfrom_netlabel(java_t) +corenet_tcp_sendrecv_generic_if(java_t) +corenet_udp_sendrecv_generic_if(java_t) +corenet_tcp_sendrecv_all_nodes(java_t) +corenet_udp_sendrecv_all_nodes(java_t) +corenet_tcp_sendrecv_all_ports(java_t) +corenet_udp_sendrecv_all_ports(java_t) +corenet_tcp_connect_all_ports(java_t) +corenet_sendrecv_all_client_packets(java_t) + +dev_read_sound(java_t) +dev_write_sound(java_t) +dev_read_urand(java_t) +dev_read_rand(java_t) + +files_read_etc_files(java_t) +files_read_usr_files(java_t) +files_search_home(java_t) +files_search_var_lib(java_t) +files_read_etc_runtime_files(java_t) +# Read global fonts and font config +files_read_etc_files(java_t) + +fs_getattr_xattr_fs(java_t) +fs_dontaudit_rw_tmpfs_files(java_t) + +logging_send_syslog_msg(java_t) + +miscfiles_read_localization(java_t) +# Read global fonts and font config +miscfiles_read_fonts(java_t) + +sysnet_read_config(java_t) + +userdom_dontaudit_use_user_terminals(java_t) +userdom_dontaudit_setattr_user_home_content_files(java_t) +userdom_dontaudit_exec_user_home_content_files(java_t) +userdom_manage_user_home_content_dirs(java_t) +userdom_manage_user_home_content_files(java_t) +userdom_manage_user_home_content_symlinks(java_t) +userdom_manage_user_home_content_pipes(java_t) +userdom_manage_user_home_content_sockets(java_t) +userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) +userdom_write_user_tmp_sockets(java_t) + +tunable_policy(`allow_java_execstack',` + allow java_t self:process execstack; + + allow java_t java_tmp_t:file execute; -init_dbus_chat_script(java_t) + libs_legacy_use_shared_libs(java_t) + libs_legacy_use_ld_so(java_t) + + miscfiles_legacy_read_localization(java_t) +') + +optional_policy(` + nis_use_ypbind(java_t) +') optional_policy(` - unconfined_domain_noaudit(java_t) - unconfined_dbus_chat(java_t) + nscd_socket_use(java_t) +') + +optional_policy(` + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) +') + +######################################## +# +# Unconfined java local policy +# + +optional_policy(` + # execheap is needed for itanium/BEA jrocket + allow unconfined_java_t self:process { execstack execmem execheap }; + + init_dbus_chat_script(unconfined_java_t) + + unconfined_domain_noaudit(unconfined_java_t) + unconfined_dbus_chat(unconfined_java_t) ') diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if index 1c5f09b..c56cfa4 100644 --- a/policy/modules/apps/loadkeys.if +++ b/policy/modules/apps/loadkeys.if @@ -33,11 +33,6 @@ interface(`loadkeys_domtrans',` ## The role to allow the loadkeys domain. ##
## -## -## -## The type of the terminal allow the loadkeys domain to use. -## -## ## # interface(`loadkeys_run',` @@ -47,7 +42,6 @@ interface(`loadkeys_run',` loadkeys_domtrans($1) role $2 types loadkeys_t; - allow loadkeys_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index bcb6676..670ef29 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -1,5 +1,5 @@ -policy_module(loadkeys, 1.4.0) +policy_module(loadkeys, 1.4.1) ######################################## # @@ -39,6 +39,8 @@ locallogin_use_fds(loadkeys_t) miscfiles_read_localization(loadkeys_t) +userdom_use_user_ttys(loadkeys_t) + optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if index c818c1e..8e7d279 100644 --- a/policy/modules/apps/lockdev.if +++ b/policy/modules/apps/lockdev.if @@ -1,79 +1,33 @@ ## device locking policy for lockdev -####################################### +######################################## ## -## The per role template for the lockdev module. +## Role access for lockdev ## -## -##

-## This template creates derived domains which are used -## for lockdev. A derived type is also created to protect -## the user's device locks. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`lockdev_per_role_template',` +interface(`lockdev_role',` gen_require(` - type lockdev_exec_t; + type lockdev_t, lockdev_exec_t; + type lockdev_lock_t; ') - ######################################## - # - # Declarations - # - - type $1_lockdev_t; - application_domain($1_lockdev_t, lockdev_exec_t) - role $3 types $1_lockdev_t; - - type $1_lockdev_lock_t; - files_lock_file($1_lockdev_lock_t) - - ######################################## - # - # Local policy - # - - # Use capabilities. - allow $1_lockdev_t self:capability setgid; - allow $1_lockdev_t $2:process signull; + role $1 types lockdev_t; # Transition from the user domain to the derived domain. - domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t) + domtrans_pattern($2, lockdev_exec_t, lockdev_t) + allow lockdev_t $2:process signull; - allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms; - files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file) - - files_read_all_locks($1_lockdev_t) - - fs_getattr_xattr_fs($1_lockdev_t) - - logging_send_syslog_msg($1_lockdev_t) - - userdom_use_user_terminals($1, $1_lockdev_t) - - optional_policy(` - logging_send_syslog_msg($1_t) - ') + # allow ps to show lockdev + ps_process_pattern($2, lockdev_t) + allow $2 lockdev_t:process signal; ') diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te index bb96b0c..34467b6 100644 --- a/policy/modules/apps/lockdev.te +++ b/policy/modules/apps/lockdev.te @@ -1,10 +1,40 @@ -policy_module(lockdev, 1.2.0) +policy_module(lockdev, 1.2.1) ######################################## # # Declarations # +type lockdev_t; type lockdev_exec_t; -application_executable_file(lockdev_exec_t) +typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; +typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; +application_domain(lockdev_t, lockdev_exec_t) +ubac_constrained(lockdev_t) + +type lockdev_lock_t; +typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; +typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; +files_lock_file(lockdev_lock_t) +ubac_constrained(lockdev_lock_t) + +######################################## +# +# Local policy +# + +# Use capabilities. +allow lockdev_t self:capability setgid; + +allow lockdev_t lockdev_lock_t:file manage_file_perms; +files_lock_filetrans(lockdev_t, lockdev_lock_t, file) + +files_read_all_locks(lockdev_t) + +fs_getattr_xattr_fs(lockdev_t) + +logging_send_syslog_msg(lockdev_t) + +userdom_use_user_terminals(lockdev_t) + diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index 831090a..5c79af6 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono, 1.5.0) +policy_module(mono, 1.5.1) ######################################## # @@ -17,10 +17,10 @@ init_system_domain(mono_t, mono_exec_t) allow mono_t self:process { execheap execmem }; -unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) - init_dbus_chat_script(mono_t) +userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) + optional_policy(` avahi_dbus_chat(mono_t) ') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 99f54ca..b6f0924 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index abbb2bb..3811a40 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -1,504 +1,108 @@ ## Policy for Mozilla and related web browsers -####################################### +######################################## ## -## The per role template for the mozilla module. +## Role access for mozilla ## -## -##

-## This template creates a derived domains which are used -## for mozilla web browser. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`mozilla_per_role_template',` +interface(`mozilla_role',` gen_require(` - type mozilla_conf_t, mozilla_exec_t; + type mozilla_t, mozilla_exec_t, mozilla_home_t; ') - ######################################## - # - # Declarations - # - type $1_mozilla_t; - application_domain($1_mozilla_t, mozilla_exec_t) - role $3 types $1_mozilla_t; - - type $1_mozilla_home_t alias $1_mozilla_rw_t; - files_poly_member($1_mozilla_home_t) - userdom_user_home_content($1, $1_mozilla_home_t) - - type $1_mozilla_tmpfs_t; - files_tmpfs_file($1_mozilla_tmpfs_t) - - ######################################## - # - # Local policy - # - - allow $1_mozilla_t self:capability { sys_nice setgid setuid }; - allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; - allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; - allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; - allow $1_mozilla_t self:sem create_sem_perms; - allow $1_mozilla_t self:socket create_socket_perms; - allow $1_mozilla_t self:unix_stream_socket { listen accept }; - # Browse the web, connect to printer - allow $1_mozilla_t self:tcp_socket create_socket_perms; - allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; - - # for bash - old mozilla binary - can_exec($1_mozilla_t, mozilla_exec_t) - - # X access, Home files - manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) - manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) - manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) - userdom_search_user_home_dirs($1, $1_mozilla_t) - - # Mozpluggerrc - allow $1_mozilla_t mozilla_conf_t:file read_file_perms; + role $1 types mozilla_t; - allow $1_mozilla_t $2:fd use; - allow $1_mozilla_t $2:process sigchld; - allow $1_mozilla_t $2:unix_stream_socket connectto; - allow $2 $1_mozilla_t:fd use; - allow $2 $1_mozilla_t:shm { associate getattr }; - allow $2 $1_mozilla_t:shm { unix_read unix_write }; - allow $2 $1_mozilla_t:unix_stream_socket connectto; - - # X access, Home files - manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) - - manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) - manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) - manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) - manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) - fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - - allow $1_mozilla_t $2:process signull; - - domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + domain_auto_trans($2, mozilla_exec_t, mozilla_t) # Unrestricted inheritance from the caller. - allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; + allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; + allow mozilla_t $2:fd use; + allow mozilla_t $2:process { sigchld signull }; + allow mozilla_t $2:unix_stream_socket connectto; # Allow the user domain to signal/ps. - ps_process_pattern($2, $1_mozilla_t) - allow $2 $1_mozilla_t:process signal_perms; - - kernel_read_kernel_sysctls($1_mozilla_t) - kernel_read_network_state($1_mozilla_t) - # Access /proc, sysctl - kernel_read_system_state($1_mozilla_t) - kernel_read_net_sysctls($1_mozilla_t) - - # Look for plugins - corecmd_list_bin($1_mozilla_t) - # for bash - old mozilla binary - corecmd_exec_shell($1_mozilla_t) - corecmd_exec_bin($1_mozilla_t) - - # Browse the web, connect to printer - corenet_all_recvfrom_unlabeled($1_mozilla_t) - corenet_all_recvfrom_netlabel($1_mozilla_t) - corenet_tcp_sendrecv_generic_if($1_mozilla_t) - corenet_raw_sendrecv_generic_if($1_mozilla_t) - corenet_tcp_sendrecv_all_nodes($1_mozilla_t) - corenet_raw_sendrecv_all_nodes($1_mozilla_t) - corenet_tcp_sendrecv_http_port($1_mozilla_t) - corenet_tcp_sendrecv_http_cache_port($1_mozilla_t) - corenet_tcp_sendrecv_ftp_port($1_mozilla_t) - corenet_tcp_sendrecv_ipp_port($1_mozilla_t) - corenet_tcp_connect_http_port($1_mozilla_t) - corenet_tcp_connect_http_cache_port($1_mozilla_t) - corenet_tcp_connect_ftp_port($1_mozilla_t) - corenet_tcp_connect_ipp_port($1_mozilla_t) - corenet_tcp_connect_generic_port($1_mozilla_t) - corenet_sendrecv_http_client_packets($1_mozilla_t) - corenet_sendrecv_http_cache_client_packets($1_mozilla_t) - corenet_sendrecv_ftp_client_packets($1_mozilla_t) - corenet_sendrecv_ipp_client_packets($1_mozilla_t) - corenet_sendrecv_generic_client_packets($1_mozilla_t) - # Should not need other ports - corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t) - corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t) - - dev_read_urand($1_mozilla_t) - dev_read_rand($1_mozilla_t) - dev_write_sound($1_mozilla_t) - dev_read_sound($1_mozilla_t) - dev_dontaudit_rw_dri($1_mozilla_t) - dev_getattr_sysfs_dirs($1_mozilla_t) - - files_read_etc_runtime_files($1_mozilla_t) - files_read_usr_files($1_mozilla_t) - files_read_etc_files($1_mozilla_t) - # /var/lib - files_read_var_lib_files($1_mozilla_t) - # interacting with gstreamer - files_read_var_files($1_mozilla_t) - files_read_var_symlinks($1_mozilla_t) - files_dontaudit_getattr_boot_dirs($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_list_inotifyfs($1_mozilla_t) - fs_rw_tmpfs_files($1_mozilla_t) - - term_dontaudit_getattr_pty_dirs($1_mozilla_t) - - logging_send_syslog_msg($1_mozilla_t) + ps_process_pattern($2, mozilla_t) + allow $2 mozilla_t:process signal_perms; - miscfiles_read_fonts($1_mozilla_t) - miscfiles_read_localization($1_mozilla_t) - - # Browse the web, connect to printer - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) - - userdom_manage_user_home_content_dirs($1, $1_mozilla_t) - userdom_manage_user_home_content_files($1, $1_mozilla_t) - userdom_manage_user_home_content_symlinks($1, $1_mozilla_t) - userdom_manage_user_tmp_dirs($1, $1_mozilla_t) - userdom_manage_user_tmp_files($1, $1_mozilla_t) - userdom_manage_user_tmp_sockets($1, $1_mozilla_t) - - xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t) - xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) - xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) - - tunable_policy(`allow_execmem',` - allow $1_mozilla_t self:process { execmem execstack }; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_mozilla_t) - fs_manage_nfs_files($1_mozilla_t) - fs_manage_nfs_symlinks($1_mozilla_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_mozilla_t) - fs_manage_cifs_files($1_mozilla_t) - fs_manage_cifs_symlinks($1_mozilla_t) - ') - - # Uploads, local html - tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_mozilla_t) - files_list_home($1_mozilla_t) - fs_read_nfs_files($1_mozilla_t) - fs_read_nfs_symlinks($1_mozilla_t) - - ',` - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_read_nfs_files($1_mozilla_t) - fs_dontaudit_list_nfs($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints($1_mozilla_t) - files_list_home($1_mozilla_t) - fs_read_cifs_files($1_mozilla_t) - fs_read_cifs_symlinks($1_mozilla_t) - ',` - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_read_cifs_files($1_mozilla_t) - fs_dontaudit_list_cifs($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content',` - userdom_list_user_tmp($1, $1_mozilla_t) - userdom_read_user_tmp_files($1, $1_mozilla_t) - userdom_read_user_tmp_symlinks($1, $1_mozilla_t) - userdom_search_user_home_dirs($1, $1_mozilla_t) - userdom_read_user_home_content_files($1, $1_mozilla_t) - userdom_read_user_home_content_symlinks($1, $1_mozilla_t) - - ifdef(`enable_mls',`',` - fs_search_removable($1_mozilla_t) - fs_read_removable_files($1_mozilla_t) - fs_read_removable_symlinks($1_mozilla_t) - ') - ',` - files_dontaudit_list_tmp($1_mozilla_t) - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_removable($1_mozilla_t) - fs_dontaudit_read_removable_files($1_mozilla_t) - userdom_dontaudit_list_user_tmp($1, $1_mozilla_t) - userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) - userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) - userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && read_default_t',` - files_list_default($1_mozilla_t) - files_read_default_files($1_mozilla_t) - files_read_default_symlinks($1_mozilla_t) - ',` - files_dontaudit_read_default_files($1_mozilla_t) - files_dontaudit_list_default($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && read_untrusted_content',` - files_list_tmp($1_mozilla_t) - files_list_home($1_mozilla_t) - userdom_search_user_home_dirs($1, $1_mozilla_t) - - userdom_list_user_untrusted_content($1, $1_mozilla_t) - userdom_read_user_untrusted_content_files($1, $1_mozilla_t) - userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t) - userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t) - ',` - files_dontaudit_list_tmp($1_mozilla_t) - files_dontaudit_list_home($1_mozilla_t) - userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) - ') - - # Save web pages - tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` - files_search_home($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_manage_nfs_dirs($1_mozilla_t) - fs_manage_nfs_files($1_mozilla_t) - fs_manage_nfs_symlinks($1_mozilla_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_manage_nfs_dirs($1_mozilla_t) - fs_dontaudit_manage_nfs_files($1_mozilla_t) - ') + allow $2 mozilla_t:fd use; + allow $2 mozilla_t:shm { associate getattr }; + allow $2 mozilla_t:shm { unix_read unix_write }; + allow $2 mozilla_t:unix_stream_socket connectto; - tunable_policy(`write_untrusted_content && use_samba_home_dirs',` - files_search_home($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_manage_cifs_dirs($1_mozilla_t) - fs_manage_cifs_files($1_mozilla_t) - fs_manage_cifs_symlinks($1_mozilla_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_manage_cifs_dirs($1_mozilla_t) - fs_dontaudit_manage_cifs_files($1_mozilla_t) - ') - - tunable_policy(`write_untrusted_content',` - files_search_home($1_mozilla_t) - userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t) - files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file) - files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir) - - userdom_manage_user_untrusted_content_files($1, $1_mozilla_t) - userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) - ',` - files_dontaudit_list_home($1_mozilla_t) - files_dontaudit_list_tmp($1_mozilla_t) - - userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) - userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t) - userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t) - userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t) - - ') - - optional_policy(` - apache_read_user_scripts($1, $1_mozilla_t) - apache_read_user_content($1, $1_mozilla_t) - ') - - optional_policy(` - automount_dontaudit_getattr_tmp_dirs($1_mozilla_t) - ') - - optional_policy(` - cups_read_rw_config($1_mozilla_t) - cups_dbus_chat($1_mozilla_t) - ') - - optional_policy(` - dbus_system_bus_client_template($1_mozilla, $1_mozilla_t) - dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_mozilla_t) - ') - - optional_policy(` - java_domtrans_user_javaplugin($1, $1_mozilla_t) - ') - - optional_policy(` - lpd_domtrans_user_lpr($1, $1_mozilla_t) - ') - - optional_policy(` - mplayer_domtrans_user_mplayer($1, $1_mozilla_t) - mplayer_read_user_home_files($1, $1_mozilla_t) - ') - - optional_policy(` - nscd_socket_use($1_mozilla_t) - ') - - optional_policy(` - thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) - ') - - ifdef(`TODO',` - #NOTE commented out in strict. - ######### Launch email client, and make webcal links work - #ifdef(`evolution.te', ` - #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) - #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) - #') - - # Macros for mozilla/mozilla (or other browser) domains. - # FIXME: Rules were removed to centralize policy in a gnome_app macro - # A similar thing might be necessary for mozilla compiled without GNOME - # support (is this possible?). - - # GNOME integration - optional_policy(` - gnome_application($1_mozilla, $1) - gnome_file_dialog($1_mozilla, $1) - ') - ') + # X access, Home files + manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + manage_files_pattern($2, mozilla_home_t, mozilla_home_t) + manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ') ######################################## ## -## Read mozilla per user homedir +## Read mozilla home directory content ## -## -##

-## Read mozilla per user homedir -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mozilla_read_user_home_files',` +interface(`mozilla_read_user_home_files',` gen_require(` - type $1_mozilla_home_t; + type mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) ') ######################################## ## -## write mozilla per user homedir +## Write mozilla home directory content ## -## -##

-## Read mozilla per user homedir -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mozilla_write_user_home_files',` +interface(`mozilla_write_user_home_files',` gen_require(` - type $1_mozilla_home_t; + type mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file write; + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file write; + userdom_search_user_home_dirs($1) ') ######################################## ## -## Run mozilla in user mozilla domain. +## Run mozilla in the mozilla domain. ## -## -##

-## Run mozilla in mozilla domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mozilla_domtrans_user_mozilla',` +interface(`mozilla_domtrans',` gen_require(` - type $1_mozilla_t, mozilla_exec_t; + type mozilla_t, mozilla_exec_t; ') - domtrans_pattern($2, mozilla_exec_t, $1_mozilla_t) + domtrans_pattern($1, mozilla_exec_t, mozilla_t) ') ######################################## @@ -506,67 +110,36 @@ template(`mozilla_domtrans_user_mozilla',` ## Send and receive messages from ## mozilla over dbus. ## -## -##

-## Send and receive messages from -## mozilla over dbus. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mozilla_dbus_chat',` +interface(`mozilla_dbus_chat',` gen_require(` - type $1_mozilla_t; + type mozilla_t; class dbus send_msg; ') - allow $2 $1_mozilla_t:dbus send_msg; - allow $1_mozilla_t $2:dbus send_msg; + allow $1 mozilla_t:dbus send_msg; + allow mozilla_t $1:dbus send_msg; ') ######################################## ## ## read/write mozilla per user tcp_socket ## -## -##

-## read/write mozilla per user tcp_socket -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mozilla_rw_user_tcp_sockets',` +interface(`mozilla_rw_tcp_sockets',` gen_require(` - type $1_mozilla_t; + type mozilla_t; ') - allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; + allow $1 mozilla_t:tcp_socket rw_socket_perms; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 5d653b8..55576bc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,5 +1,5 @@ -policy_module(mozilla, 1.6.0) +policy_module(mozilla, 2.0.0) ######################################## # @@ -13,8 +13,255 @@ policy_module(mozilla, 1.6.0) ## gen_tunable(mozilla_read_content, false) +type mozilla_t; +type mozilla_exec_t; +typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; +typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +application_domain(mozilla_t, mozilla_exec_t) +ubac_constrained(mozilla_t) + type mozilla_conf_t; files_config_file(mozilla_conf_t) -type mozilla_exec_t; -application_executable_file(mozilla_exec_t) +type mozilla_home_t; +typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; +typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; +files_poly_member(mozilla_home_t) +userdom_user_home_content(mozilla_home_t) + +type mozilla_tmpfs_t; +typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; +typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; +files_tmpfs_file(mozilla_tmpfs_t) +ubac_constrained(mozilla_tmpfs_t) + +######################################## +# +# Local policy +# + +allow mozilla_t self:capability { sys_nice setgid setuid }; +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; +allow mozilla_t self:fifo_file rw_fifo_file_perms; +allow mozilla_t self:shm { unix_read unix_write read write destroy create }; +allow mozilla_t self:sem create_sem_perms; +allow mozilla_t self:socket create_socket_perms; +allow mozilla_t self:unix_stream_socket { listen accept }; +# Browse the web, connect to printer +allow mozilla_t self:tcp_socket create_socket_perms; +allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; + +# for bash - old mozilla binary +can_exec(mozilla_t, mozilla_exec_t) + +# X access, Home files +manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +userdom_search_user_home_dirs(mozilla_t) + +# Mozpluggerrc +allow mozilla_t mozilla_conf_t:file read_file_perms; + +manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(mozilla_t) +kernel_read_network_state(mozilla_t) +# Access /proc, sysctl +kernel_read_system_state(mozilla_t) +kernel_read_net_sysctls(mozilla_t) + +# Look for plugins +corecmd_list_bin(mozilla_t) +# for bash - old mozilla binary +corecmd_exec_shell(mozilla_t) +corecmd_exec_bin(mozilla_t) + +# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(mozilla_t) +corenet_all_recvfrom_netlabel(mozilla_t) +corenet_tcp_sendrecv_generic_if(mozilla_t) +corenet_raw_sendrecv_generic_if(mozilla_t) +corenet_tcp_sendrecv_all_nodes(mozilla_t) +corenet_raw_sendrecv_all_nodes(mozilla_t) +corenet_tcp_sendrecv_http_port(mozilla_t) +corenet_tcp_sendrecv_http_cache_port(mozilla_t) +corenet_tcp_sendrecv_ftp_port(mozilla_t) +corenet_tcp_sendrecv_ipp_port(mozilla_t) +corenet_tcp_connect_http_port(mozilla_t) +corenet_tcp_connect_http_cache_port(mozilla_t) +corenet_tcp_connect_ftp_port(mozilla_t) +corenet_tcp_connect_ipp_port(mozilla_t) +corenet_tcp_connect_generic_port(mozilla_t) +corenet_sendrecv_http_client_packets(mozilla_t) +corenet_sendrecv_http_cache_client_packets(mozilla_t) +corenet_sendrecv_ftp_client_packets(mozilla_t) +corenet_sendrecv_ipp_client_packets(mozilla_t) +corenet_sendrecv_generic_client_packets(mozilla_t) +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) +corenet_dontaudit_tcp_bind_generic_port(mozilla_t) + +dev_read_urand(mozilla_t) +dev_read_rand(mozilla_t) +dev_write_sound(mozilla_t) +dev_read_sound(mozilla_t) +dev_dontaudit_rw_dri(mozilla_t) +dev_getattr_sysfs_dirs(mozilla_t) + +files_read_etc_runtime_files(mozilla_t) +files_read_usr_files(mozilla_t) +files_read_etc_files(mozilla_t) +# /var/lib +files_read_var_lib_files(mozilla_t) +# interacting with gstreamer +files_read_var_files(mozilla_t) +files_read_var_symlinks(mozilla_t) +files_dontaudit_getattr_boot_dirs(mozilla_t) + +fs_search_auto_mountpoints(mozilla_t) +fs_list_inotifyfs(mozilla_t) +fs_rw_tmpfs_files(mozilla_t) + +term_dontaudit_getattr_pty_dirs(mozilla_t) + +logging_send_syslog_msg(mozilla_t) + +miscfiles_read_fonts(mozilla_t) +miscfiles_read_localization(mozilla_t) + +# Browse the web, connect to printer +sysnet_dns_name_resolve(mozilla_t) + +userdom_manage_user_home_content_dirs(mozilla_t) +userdom_manage_user_home_content_files(mozilla_t) +userdom_manage_user_home_content_symlinks(mozilla_t) +userdom_manage_user_tmp_dirs(mozilla_t) +userdom_manage_user_tmp_files(mozilla_t) +userdom_manage_user_tmp_sockets(mozilla_t) + +xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) +xserver_dontaudit_read_xdm_tmp_files(mozilla_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) + +tunable_policy(`allow_execmem',` + allow mozilla_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mozilla_t) + fs_manage_nfs_files(mozilla_t) + fs_manage_nfs_symlinks(mozilla_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mozilla_t) + fs_manage_cifs_files(mozilla_t) + fs_manage_cifs_symlinks(mozilla_t) +') + +# Uploads, local html +tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(mozilla_t) + files_list_home(mozilla_t) + fs_read_nfs_files(mozilla_t) + fs_read_nfs_symlinks(mozilla_t) + +',` + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_auto_mountpoints(mozilla_t) + fs_dontaudit_read_nfs_files(mozilla_t) + fs_dontaudit_list_nfs(mozilla_t) +') + +tunable_policy(`mozilla_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(mozilla_t) + files_list_home(mozilla_t) + fs_read_cifs_files(mozilla_t) + fs_read_cifs_symlinks(mozilla_t) +',` + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_auto_mountpoints(mozilla_t) + fs_dontaudit_read_cifs_files(mozilla_t) + fs_dontaudit_list_cifs(mozilla_t) +') + +tunable_policy(`mozilla_read_content',` + userdom_list_user_tmp(mozilla_t) + userdom_read_user_tmp_files(mozilla_t) + userdom_read_user_tmp_symlinks(mozilla_t) + userdom_read_user_home_content_files(mozilla_t) + userdom_read_user_home_content_symlinks(mozilla_t) + + ifdef(`enable_mls',`',` + fs_search_removable(mozilla_t) + fs_read_removable_files(mozilla_t) + fs_read_removable_symlinks(mozilla_t) + ') +',` + files_dontaudit_list_tmp(mozilla_t) + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_removable(mozilla_t) + fs_dontaudit_read_removable_files(mozilla_t) + userdom_dontaudit_list_user_tmp(mozilla_t) + userdom_dontaudit_read_user_tmp_files(mozilla_t) + userdom_dontaudit_list_user_home_dirs(mozilla_t) + userdom_dontaudit_read_user_home_content_files(mozilla_t) +') + +tunable_policy(`mozilla_read_content && read_default_t',` + files_list_default(mozilla_t) + files_read_default_files(mozilla_t) + files_read_default_symlinks(mozilla_t) +',` + files_dontaudit_read_default_files(mozilla_t) + files_dontaudit_list_default(mozilla_t) +') + +optional_policy(` + apache_read_user_scripts(mozilla_t) + apache_read_user_content(mozilla_t) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(mozilla_t) +') + +optional_policy(` + cups_read_rw_config(mozilla_t) + cups_dbus_chat(mozilla_t) +') + +optional_policy(` + dbus_system_bus_client(mozilla_t) + dbus_session_bus_client(mozilla_t) +') + +optional_policy(` + gnome_stream_connect_gconf(mozilla_t) +') + +optional_policy(` + java_domtrans(mozilla_t) +') + +optional_policy(` + lpd_domtrans_lpr(mozilla_t) +') + +optional_policy(` + mplayer_domtrans(mozilla_t) + mplayer_read_user_home_files(mozilla_t) +') + +optional_policy(` + nscd_socket_use(mozilla_t) +') + +optional_policy(` + thunderbird_domtrans(mozilla_t) +') diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc index ffef8be..ab54284 100644 --- a/policy/modules/apps/mplayer.fc +++ b/policy/modules/apps/mplayer.fc @@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index 664a3e9..8944655 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if @@ -1,503 +1,85 @@ ## Mplayer media player and encoder -####################################### +######################################## ## -## The per role template for the mplayer module. +## Role access for mplayer ## -## -##

-## This template creates a derived domains which are used -## for mplayer media player. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`mplayer_per_role_template',` +interface(`mplayer_role',` gen_require(` - type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t; + type mencoder_t, mencoder_exec_t; + type mplayer_t, mplayer_exec_t; + type mplayer_home_t; ') - ######################################## - # - # Declarations - # - - type $1_mencoder_t; - application_domain($1_mencoder_t, mencoder_exec_t) - role $3 types $1_mencoder_t; - - type $1_mplayer_t; - application_domain($1_mplayer_t, mplayer_exec_t) - role $3 types $1_mplayer_t; - - type $1_mplayer_home_t alias $1_mplayer_rw_t; - files_poly_member($1_mplayer_home_t) - userdom_user_home_content($1,$1_mplayer_home_t) - - type $1_mplayer_tmpfs_t; - files_tmpfs_file($1_mplayer_tmpfs_t) - - ######################################## - # - # mencoder local policy - # - - manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) - manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) - manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) - - # Read global config - allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; - read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t) - read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t) + role $1 types { mencoder_t mplayer_t }; # domain transition - domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t) + domtrans_pattern($2, mencoder_exec_t, mencoder_t) # Allow the user domain to signal/ps. - ps_process_pattern($2,$1_mencoder_t) - allow $2 $1_mencoder_t:process signal_perms; - - # Read /proc files and directories - # Necessary for /proc/meminfo, /proc/cpuinfo, etc.. - kernel_read_system_state($1_mencoder_t) - # Sysctl on kernel version - kernel_read_kernel_sysctls($1_mencoder_t) - - # Required for win32 binary loader - dev_rwx_zero($1_mencoder_t) - # Access to DVD/CD/V4L - dev_read_video_dev($1_mencoder_t) - - # Read data in /usr/share (fonts, icons..) - files_read_usr_files($1_mencoder_t) - files_read_usr_symlinks($1_mencoder_t) - - fs_search_auto_mountpoints($1_mencoder_t) - - # Access to DVD/CD/V4L - storage_raw_read_removable_device($1_mencoder_t) - - miscfiles_read_localization($1_mencoder_t) - - userdom_use_user_terminals($1,$1_mencoder_t) - # Handle removable media, /tmp, and /home - userdom_list_user_tmp($1,$1_mencoder_t) - userdom_read_user_tmp_files($1,$1_mencoder_t) - userdom_read_user_tmp_symlinks($1,$1_mencoder_t) - userdom_read_user_home_content_files($1,$1_mencoder_t) - userdom_read_user_home_content_symlinks($1,$1_mencoder_t) - - # Read content to encode - ifdef(`enable_mls',`',` - fs_search_removable($1_mencoder_t) - fs_read_removable_files($1_mencoder_t) - fs_read_removable_symlinks($1_mencoder_t) - ') - - tunable_policy(`allow_execmem',` - allow $1_mencoder_t self:process execmem; - ') - - tunable_policy(`allow_execmod',` - dev_execmod_zero($1_mencoder_t) - ') - - tunable_policy(`allow_mplayer_execstack',` - allow $1_mencoder_t self:process { execmem execstack }; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_mencoder_t) - fs_manage_nfs_files($1_mencoder_t) - fs_manage_nfs_symlinks($1_mencoder_t) - - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_mencoder_t) - fs_manage_cifs_files($1_mencoder_t) - fs_manage_cifs_symlinks($1_mencoder_t) - - ') - - # Read content to encode - tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_mencoder_t) - files_list_home($1_mencoder_t) - fs_read_nfs_files($1_mencoder_t) - fs_read_nfs_symlinks($1_mencoder_t) - - ',` - files_dontaudit_list_home($1_mencoder_t) - fs_dontaudit_list_auto_mountpoints($1_mencoder_t) - fs_dontaudit_read_nfs_files($1_mencoder_t) - fs_dontaudit_list_nfs($1_mencoder_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints($1_mencoder_t) - files_list_home($1_mencoder_t) - fs_read_cifs_files($1_mencoder_t) - fs_read_cifs_symlinks($1_mencoder_t) - ',` - files_dontaudit_list_home($1_mencoder_t) - fs_dontaudit_list_auto_mountpoints($1_mencoder_t) - fs_dontaudit_read_cifs_files($1_mencoder_t) - fs_dontaudit_list_cifs($1_mencoder_t) - ') - - tunable_policy(`read_default_t',` - files_list_default($1_mencoder_t) - files_read_default_files($1_mencoder_t) - files_read_default_symlinks($1_mencoder_t) - ',` - files_dontaudit_read_default_files($1_mencoder_t) - files_dontaudit_list_default($1_mencoder_t) - ') - - tunable_policy(`read_untrusted_content',` - files_list_tmp($1_mencoder_t) - files_list_home($1_mencoder_t) - - userdom_list_user_untrusted_content($1, $1_mencoder_t) - userdom_read_user_untrusted_content_files($1, $1_mencoder_t) - userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t) - userdom_list_user_tmp_untrusted_content($1, $1_mencoder_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_mencoder_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mencoder_t) - ',` - files_dontaudit_list_tmp($1_mencoder_t) - files_dontaudit_list_home($1_mencoder_t) - userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_mencoder_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_mencoder_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mencoder_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mencoder_t) - ') - - tunable_policy(`write_untrusted_content',` - userdom_manage_user_untrusted_content_files($1, $1_mplayer_t) - ') - - # Save encoded files - tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` - files_search_home($1_mencoder_t) - - fs_search_auto_mountpoints($1_mencoder_t) - fs_manage_nfs_dirs($1_mencoder_t) - fs_manage_nfs_files($1_mencoder_t) - fs_manage_nfs_symlinks($1_mencoder_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mencoder_t) - fs_dontaudit_manage_nfs_dirs($1_mencoder_t) - fs_dontaudit_manage_nfs_files($1_mencoder_t) - ') - - tunable_policy(`write_untrusted_content && use_samba_home_dirs',` - files_search_home($1_mencoder_t) - - fs_search_auto_mountpoints($1_mencoder_t) - fs_manage_cifs_dirs($1_mencoder_t) - fs_manage_cifs_files($1_mencoder_t) - fs_manage_cifs_symlinks($1_mencoder_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mencoder_t) - fs_dontaudit_manage_cifs_dirs($1_mencoder_t) - fs_dontaudit_manage_cifs_files($1_mencoder_t) - ') - - tunable_policy(`write_untrusted_content',` - files_search_home($1_mencoder_t) - files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t, file) - files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t ,dir) - - userdom_manage_user_untrusted_content_dirs($1, $1_mencoder_t) - userdom_manage_user_untrusted_content_files($1, $1_mencoder_t) - ',` - files_dontaudit_list_home($1_mencoder_t) - files_dontaudit_list_tmp($1_mencoder_t) - - userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t) - userdom_dontaudit_manage_user_tmp_files($1, $1_mencoder_t) - userdom_dontaudit_manage_user_home_content_dirs($1, $1_mencoder_t) - ') - - ######################################## - # - # mplayer local policy - # - - allow $1_mplayer_t self:process { signal_perms getsched }; - allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; - allow $1_mplayer_t self:sem create_sem_perms; - - manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) - manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) - manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) - userdom_search_user_home_dirs($1, $1_mplayer_t) - - manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) - manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) - manage_fifo_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) - manage_sock_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) - fs_tmpfs_filetrans($1_mplayer_t, $1_mplayer_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - # Read global config - allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms; - read_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t) - read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t) + ps_process_pattern($2, mencoder_t) + allow $2 mencoder_t:process signal_perms; # Home access - manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) - manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) - manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) - relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) - relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) - relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) + manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) + manage_files_pattern($2, mplayer_home_t, mplayer_home_t) + manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) # domain transition - domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) + domtrans_pattern($2, mplayer_exec_t, mplayer_t) # Allow the user domain to signal/ps. - ps_process_pattern($2,$1_mplayer_t) - allow $2 $1_mplayer_t:process signal_perms; - - kernel_dontaudit_list_unlabeled($1_mplayer_t) - kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t) - kernel_dontaudit_read_unlabeled_files($1_mplayer_t) - # Necessary for /proc/meminfo, /proc/cpuinfo, etc.. - kernel_read_system_state($1_mplayer_t) - # Sysctl on kernel version - kernel_read_kernel_sysctls($1_mplayer_t) - - # Run bash/sed (??) - corecmd_exec_bin($1_mplayer_t) - corecmd_exec_shell($1_mplayer_t) - - # Required for win32 binary loader - dev_rwx_zero($1_mplayer_t) - # Access to DVD/CD/V4L - dev_read_video_dev($1_mplayer_t) - # Audio, alsa.conf - dev_read_sound_mixer($1_mplayer_t) - dev_write_sound_mixer($1_mplayer_t) - # RTC clock - dev_read_realtime_clock($1_mplayer_t) - - # Access to DVD/CD/V4L - storage_raw_read_removable_device($1_mplayer_t) - - files_read_etc_files($1_mplayer_t) - files_dontaudit_list_non_security($1_mplayer_t) - files_dontaudit_getattr_non_security_files($1_mplayer_t) - files_read_non_security_files($1_mplayer_t) - # Unfortunately the ancient file dialog starts in / - files_list_home($1_mplayer_t) - # Read /etc/mtab - files_read_etc_runtime_files($1_mplayer_t) - # Read data in /usr/share (fonts, icons..) - files_read_usr_files($1_mplayer_t) - files_read_usr_symlinks($1_mplayer_t) - - fs_dontaudit_getattr_all_fs($1_mplayer_t) - fs_search_auto_mountpoints($1_mplayer_t) - fs_list_inotifyfs($1_mplayer_t) - - miscfiles_read_localization($1_mplayer_t) - miscfiles_read_fonts($1_mplayer_t) - - userdom_use_user_terminals($1, $1_mplayer_t) - # Read media files - userdom_list_user_tmp($1, $1_mplayer_t) - userdom_read_user_tmp_files($1, $1_mplayer_t) - userdom_read_user_tmp_symlinks($1, $1_mplayer_t) - userdom_read_user_home_content_files($1, $1_mplayer_t) - userdom_read_user_home_content_symlinks($1, $1_mplayer_t) - - xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t) - - # Read songs - ifdef(`enable_mls',`',` - fs_search_removable($1_mplayer_t) - fs_read_removable_files($1_mplayer_t) - fs_read_removable_symlinks($1_mplayer_t) - ') - - tunable_policy(`allow_execmem',` - allow $1_mplayer_t self:process execmem; - ') - - tunable_policy(`allow_execmod',` - dev_execmod_zero($1_mplayer_t) - ') - - tunable_policy(`allow_mplayer_execstack',` - allow $1_mplayer_t self:process { execmem execstack }; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_mplayer_t) - fs_manage_nfs_files($1_mplayer_t) - fs_manage_nfs_symlinks($1_mplayer_t) - ') - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_mplayer_t) - fs_manage_cifs_files($1_mplayer_t) - fs_manage_cifs_symlinks($1_mplayer_t) - ') - - # Legacy domain issues - tunable_policy(`allow_mplayer_execstack',` - allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute; - ') - - # Read songs - tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_mplayer_t) - files_list_home($1_mplayer_t) - fs_read_nfs_files($1_mplayer_t) - fs_read_nfs_symlinks($1_mplayer_t) - - ',` - files_dontaudit_list_home($1_mplayer_t) - fs_dontaudit_list_auto_mountpoints($1_mplayer_t) - fs_dontaudit_read_nfs_files($1_mplayer_t) - fs_dontaudit_list_nfs($1_mplayer_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints($1_mplayer_t) - files_list_home($1_mplayer_t) - fs_read_cifs_files($1_mplayer_t) - fs_read_cifs_symlinks($1_mplayer_t) - ',` - files_dontaudit_list_home($1_mplayer_t) - fs_dontaudit_list_auto_mountpoints($1_mplayer_t) - fs_dontaudit_read_cifs_files($1_mplayer_t) - fs_dontaudit_list_cifs($1_mplayer_t) - ') - - tunable_policy(`read_default_t',` - files_list_default($1_mplayer_t) - files_read_default_files($1_mplayer_t) - files_read_default_symlinks($1_mplayer_t) - ',` - files_dontaudit_read_default_files($1_mplayer_t) - files_dontaudit_list_default($1_mplayer_t) - ') - - tunable_policy(`read_untrusted_content',` - files_list_tmp($1_mplayer_t) - files_list_home($1_mplayer_t) - - userdom_list_user_untrusted_content($1, $1_mplayer_t) - userdom_read_user_untrusted_content_files($1, $1_mplayer_t) - userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t) - userdom_list_user_tmp_untrusted_content($1, $1_mplayer_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_mplayer_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mplayer_t) - ',` - files_dontaudit_list_tmp($1_mplayer_t) - files_dontaudit_list_home($1_mplayer_t) - userdom_dontaudit_list_user_home_dirs($1, $1_mplayer_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_mplayer_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_mplayer_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mplayer_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mplayer_t) - ') - - optional_policy(` - alsa_read_rw_config($1_mplayer_t) - ') - - optional_policy(` - nscd_socket_use($1_mplayer_t) - ') + ps_process_pattern($2, mplayer_t) + allow $2 mplayer_t:process signal_perms; ') ######################################## ## ## Run mplayer in mplayer domain. ## -## -##

-## Run mplayer in mplayer domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mplayer_domtrans_user_mplayer',` +interface(`mplayer_domtrans',` gen_require(` - type $1_mplayer_t, mplayer_exec_t; + type mplayer_t, mplayer_exec_t; ') - domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) + domtrans_pattern($1, mplayer_exec_t, mplayer_t) ') ######################################## ## ## Read mplayer per user homedir ## -## -##

-## Read mplayer per user homedir -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`mplayer_read_user_home_files',` +interface(`mplayer_read_user_home_files',` gen_require(` - type $1_mplayer_home_t; + type mplayer_home_t; ') - read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) + read_files_pattern($1, mplayer_home_t, mplayer_home_t) + userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 94fa547..83c177c 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -1,5 +1,5 @@ -policy_module(mplayer, 1.5.0) +policy_module(mplayer, 2.0.0) ######################################## # @@ -13,12 +13,300 @@ policy_module(mplayer, 1.5.0) ## gen_tunable(allow_mplayer_execstack, false) +type mencoder_t; type mencoder_exec_t; -application_executable_file(mencoder_exec_t) +typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; +typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; +application_domain(mencoder_t, mencoder_exec_t) +ubac_constrained(mencoder_t) + +type mplayer_t; +type mplayer_exec_t; +typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; +typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; +application_domain(mplayer_t, mplayer_exec_t) +ubac_constrained(mplayer_t) type mplayer_etc_t; files_config_file(mplayer_etc_t) -type mplayer_exec_t; -corecmd_executable_file(mplayer_exec_t) -application_executable_file(mplayer_exec_t) +type mplayer_home_t; +typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; +typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; +files_poly_member(mplayer_home_t) +userdom_user_home_content(mplayer_home_t) + +type mplayer_tmpfs_t; +typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; +typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; +files_tmpfs_file(mplayer_tmpfs_t) +ubac_constrained(mplayer_tmpfs_t) + +######################################## +# +# mencoder local policy +# + +manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) +manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) +manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) + +# Read global config +allow mencoder_t mplayer_etc_t:dir list_dir_perms; +read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) +read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) + +# Read /proc files and directories +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. +kernel_read_system_state(mencoder_t) +# Sysctl on kernel version +kernel_read_kernel_sysctls(mencoder_t) + +# Required for win32 binary loader +dev_rwx_zero(mencoder_t) +# Access to DVD/CD/V4L +dev_read_video_dev(mencoder_t) + +# Read data in /usr/share (fonts, icons..) +files_read_usr_files(mencoder_t) +files_read_usr_symlinks(mencoder_t) + +fs_search_auto_mountpoints(mencoder_t) + +# Access to DVD/CD/V4L +storage_raw_read_removable_device(mencoder_t) + +miscfiles_read_localization(mencoder_t) + +userdom_use_user_terminals(mencoder_t) +# Handle removable media, /tmp, and /home +userdom_list_user_tmp(mencoder_t) +userdom_read_user_tmp_files(mencoder_t) +userdom_read_user_tmp_symlinks(mencoder_t) +userdom_read_user_home_content_files(mencoder_t) +userdom_read_user_home_content_symlinks(mencoder_t) + +# Read content to encode +ifndef(`enable_mls',` + fs_search_removable(mencoder_t) + fs_read_removable_files(mencoder_t) + fs_read_removable_symlinks(mencoder_t) +') + +tunable_policy(`allow_execmem',` + allow mencoder_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mencoder_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mencoder_t) + fs_manage_nfs_files(mencoder_t) + fs_manage_nfs_symlinks(mencoder_t) + +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mencoder_t) + fs_manage_cifs_files(mencoder_t) + fs_manage_cifs_symlinks(mencoder_t) + +') + +# Read content to encode +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(mencoder_t) + files_list_home(mencoder_t) + fs_read_nfs_files(mencoder_t) + fs_read_nfs_symlinks(mencoder_t) + +',` + files_dontaudit_list_home(mencoder_t) + fs_dontaudit_list_auto_mountpoints(mencoder_t) + fs_dontaudit_read_nfs_files(mencoder_t) + fs_dontaudit_list_nfs(mencoder_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_auto_mountpoints(mencoder_t) + files_list_home(mencoder_t) + fs_read_cifs_files(mencoder_t) + fs_read_cifs_symlinks(mencoder_t) +',` + files_dontaudit_list_home(mencoder_t) + fs_dontaudit_list_auto_mountpoints(mencoder_t) + fs_dontaudit_read_cifs_files(mencoder_t) + fs_dontaudit_list_cifs(mencoder_t) +') + +tunable_policy(`read_default_t',` + files_list_default(mencoder_t) + files_read_default_files(mencoder_t) + files_read_default_symlinks(mencoder_t) +',` + files_dontaudit_read_default_files(mencoder_t) + files_dontaudit_list_default(mencoder_t) +') + +######################################## +# +# mplayer local policy +# + +allow mplayer_t self:process { signal_perms getsched }; +allow mplayer_t self:fifo_file rw_fifo_file_perms; +allow mplayer_t self:sem create_sem_perms; + +manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +userdom_search_user_home_dirs(mplayer_t) + +manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Read global config +allow mplayer_t mplayer_etc_t:dir list_dir_perms; +read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) +read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) + +kernel_dontaudit_list_unlabeled(mplayer_t) +kernel_dontaudit_getattr_unlabeled_files(mplayer_t) +kernel_dontaudit_read_unlabeled_files(mplayer_t) +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. +kernel_read_system_state(mplayer_t) +# Sysctl on kernel version +kernel_read_kernel_sysctls(mplayer_t) + +# Run bash/sed (??) +corecmd_exec_bin(mplayer_t) +corecmd_exec_shell(mplayer_t) + +# Required for win32 binary loader +dev_rwx_zero(mplayer_t) +# Access to DVD/CD/V4L +dev_read_video_dev(mplayer_t) +# Audio, alsa.conf +dev_read_sound_mixer(mplayer_t) +dev_write_sound_mixer(mplayer_t) +# RTC clock +dev_read_realtime_clock(mplayer_t) + +# Access to DVD/CD/V4L +storage_raw_read_removable_device(mplayer_t) + +files_read_etc_files(mplayer_t) +files_dontaudit_list_non_security(mplayer_t) +files_dontaudit_getattr_non_security_files(mplayer_t) +files_read_non_security_files(mplayer_t) +# Unfortunately the ancient file dialog starts in / +files_list_home(mplayer_t) +# Read /etc/mtab +files_read_etc_runtime_files(mplayer_t) +# Read data in /usr/share (fonts, icons..) +files_read_usr_files(mplayer_t) +files_read_usr_symlinks(mplayer_t) + +fs_dontaudit_getattr_all_fs(mplayer_t) +fs_search_auto_mountpoints(mplayer_t) +fs_list_inotifyfs(mplayer_t) + +miscfiles_read_localization(mplayer_t) +miscfiles_read_fonts(mplayer_t) + +userdom_use_user_terminals(mplayer_t) +# Read media files +userdom_list_user_tmp(mplayer_t) +userdom_read_user_tmp_files(mplayer_t) +userdom_read_user_tmp_symlinks(mplayer_t) +userdom_read_user_home_content_files(mplayer_t) +userdom_read_user_home_content_symlinks(mplayer_t) + +xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +# Read songs +ifdef(`enable_mls',`',` + fs_search_removable(mplayer_t) + fs_read_removable_files(mplayer_t) + fs_read_removable_symlinks(mplayer_t) +') + +tunable_policy(`allow_execmem',` + allow mplayer_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mplayer_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mplayer_t) + fs_manage_nfs_files(mplayer_t) + fs_manage_nfs_symlinks(mplayer_t) +') +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mplayer_t) + fs_manage_cifs_files(mplayer_t) + fs_manage_cifs_symlinks(mplayer_t) +') + +# Legacy domain issues +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; +') + +# Read songs +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(mplayer_t) + files_list_home(mplayer_t) + fs_read_nfs_files(mplayer_t) + fs_read_nfs_symlinks(mplayer_t) + +',` + files_dontaudit_list_home(mplayer_t) + fs_dontaudit_list_auto_mountpoints(mplayer_t) + fs_dontaudit_read_nfs_files(mplayer_t) + fs_dontaudit_list_nfs(mplayer_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_auto_mountpoints(mplayer_t) + files_list_home(mplayer_t) + fs_read_cifs_files(mplayer_t) + fs_read_cifs_symlinks(mplayer_t) +',` + files_dontaudit_list_home(mplayer_t) + fs_dontaudit_list_auto_mountpoints(mplayer_t) + fs_dontaudit_read_cifs_files(mplayer_t) + fs_dontaudit_list_cifs(mplayer_t) +') + +tunable_policy(`read_default_t',` + files_list_default(mplayer_t) + files_read_default_files(mplayer_t) + files_read_default_symlinks(mplayer_t) +',` + files_dontaudit_read_default_files(mplayer_t) + files_dontaudit_list_default(mplayer_t) +') + +optional_policy(` + alsa_read_rw_config(mplayer_t) +') + +optional_policy(` + nscd_socket_use(mplayer_t) +') diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te index 08b504b..802461d 100644 --- a/policy/modules/apps/podsleuth.te +++ b/policy/modules/apps/podsleuth.te @@ -1,5 +1,5 @@ -policy_module(podsleuth, 1.0.0) +policy_module(podsleuth, 1.0.1) ######################################## # @@ -28,7 +28,7 @@ files_read_etc_files(podsleuth_t) miscfiles_read_localization(podsleuth_t) -dbus_system_bus_client_template(podsleuth, podsleuth_t) +dbus_system_bus_client(podsleuth_t) mono_exec(podsleuth_t) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index aff0165..c010a01 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -32,11 +32,6 @@ interface(`qemu_domtrans',` ## The role to allow the qemu domain. ## ## -## -## -## The type of the terminal allow the qemu domain to use. -## -## # interface(`qemu_run',` gen_require(` @@ -45,7 +40,6 @@ interface(`qemu_run',` qemu_domtrans($1) role $2 types qemu_t; - allow qemu_t $3:chr_file rw_file_perms; ') ######################################## @@ -195,6 +189,8 @@ template(`qemu_domain_template',` sysnet_read_config($1_t) + userdom_use_user_terminals($1_t) + # optional_policy(` # samba_domtrans_smb($1_t) # ') @@ -206,7 +202,7 @@ template(`qemu_domain_template',` ') optional_policy(` - xserver_stream_connect_xdm_xserver($1_t) + xserver_stream_connect($1_t) xserver_read_xdm_tmp_files($1_t) xserver_read_xdm_pid($1_t) # xserver_xdm_rw_shm($1_t) diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index d341aab..fa023cd 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -1,5 +1,5 @@ -policy_module(qemu, 1.0.0) +policy_module(qemu, 1.0.1) ######################################## # diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if index d0129a8..3870eda 100644 --- a/policy/modules/apps/rssh.if +++ b/policy/modules/apps/rssh.if @@ -1,104 +1,30 @@ ## Restricted (scp/sftp) only shell -####################################### +######################################## ## -## The per role template for the rssh module. +## Role access for rssh ## -## -##

-## This template creates a derived domains which are used -## for rssh client sessions. Derived types are also created -## for read-only and read-write file access. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## +## +## Role allowed access +## +## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## User domain for the role ## ## # -template(`rssh_per_role_template',` +interface(`rssh_role',` gen_require(` - type rssh_exec_t; - attribute rssh_domain_type; - attribute rssh_ro_content_type; + type rssh_t; ') - ############################## - # - # Declarations - # - - type $1_rssh_t alias rssh_$1_t, rssh_domain_type; - application_domain($1_rssh_t, rssh_exec_t) - domain_user_exemption_target($1_t) - domain_interactive_fd($1_rssh_t) - role system_r types $1_rssh_t; - - type $1_rssh_devpts_t alias rssh_$1_devpts_t; - term_user_pty($1_rssh_t,$1_rssh_devpts_t) - - type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type; - userdom_user_home_content($1,$1_rssh_ro_t) - - type $1_rssh_rw_t alias rssh_$1_rw_t; - userdom_user_home_content($1, $1_rssh_rw_t) - - ############################## - # - # Local policy - # - - allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_rssh_t self:fd use; - allow $1_rssh_t self:fifo_file rw_fifo_file_perms; - allow $1_rssh_t self:unix_dgram_socket create_socket_perms; - allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms; - allow $1_rssh_t self:unix_dgram_socket sendto; - allow $1_rssh_t self:unix_stream_socket connectto; - allow $1_rssh_t self:shm create_shm_perms; - allow $1_rssh_t self:sem create_sem_perms; - allow $1_rssh_t self:msgq create_msgq_perms; - allow $1_rssh_t self:msg { send receive }; + role $1 types rssh_t; - allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr }; - term_create_pty($1_rssh_t, $1_rssh_devpts_t) - - allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms; - read_files_pattern($1_rssh_t, $1_rssh_ro_t, $1_rssh_ro_t) - - manage_dirs_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t) - manage_files_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t) - - kernel_read_system_state($1_rssh_t) - kernel_read_kernel_sysctls($1_rssh_t) - - files_read_etc_files($1_rssh_t) - files_read_etc_runtime_files($1_rssh_t) - files_list_home($1_rssh_t) - files_read_usr_files($1_rssh_t) - files_list_var($1_rssh_t) - - fs_search_auto_mountpoints($1_rssh_t) - - logging_send_syslog_msg($1_rssh_t) - - miscfiles_read_localization($1_rssh_t) - - userdom_use_unpriv_users_fds($1_rssh_t) - - ssh_rw_tcp_sockets($1_rssh_t) - ssh_rw_stream_sockets($1_rssh_t) - - optional_policy(` - nis_use_ypbind($1_rssh_t) - ') + # allow ps to show irc + ps_process_pattern($2, rssh_t) + allow $2 rssh_t:process signal; ') ######################################## @@ -111,13 +37,12 @@ template(`rssh_per_role_template',` ## ## # -interface(`rssh_spec_domtrans_all_users',` +interface(`rssh_spec_domtrans',` gen_require(` - attribute rssh_domain_type; - type rssh_exec_t; + type rssh_t, rssh_exec_t; ') - spec_domtrans_pattern($1, rssh_exec_t, rssh_domain_type) + spec_domtrans_pattern($1, rssh_exec_t, rssh_t) ') ######################################## @@ -130,12 +55,12 @@ interface(`rssh_spec_domtrans_all_users',` ## ## # -interface(`rssh_read_all_users_ro_content',` +interface(`rssh_read_ro_content',` gen_require(` - attribute rssh_ro_content_type; + type rssh_ro_t; ') - allow $1 rssh_ro_content_type:dir list_dir_perms; - read_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type) - read_lnk_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type) + allow $1 rssh_ro_t:dir list_dir_perms; + read_files_pattern($1, rssh_ro_t, rssh_ro_t) + read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) ') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te index 92ba29f..7f357d2 100644 --- a/policy/modules/apps/rssh.te +++ b/policy/modules/apps/rssh.te @@ -1,13 +1,81 @@ -policy_module(rssh, 1.1.0) +policy_module(rssh, 2.0.0) ######################################## # # Declarations # -attribute rssh_domain_type; -attribute rssh_ro_content_type; - +type rssh_t; type rssh_exec_t; -application_executable_file(rssh_exec_t) +typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; +typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; +application_domain(rssh_t, rssh_exec_t) +domain_user_exemption_target(rssh_t) +domain_interactive_fd(rssh_t) +ubac_constrained(rssh_t) +role system_r types rssh_t; + +type rssh_devpts_t; +typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; +typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; +term_user_pty(rssh_t, rssh_devpts_t) +ubac_constrained(rssh_devpts_t) + +type rssh_ro_t; +typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; +typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; +userdom_user_home_content(rssh_ro_t) + +type rssh_rw_t; +typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; +typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; +userdom_user_home_content(rssh_rw_t) + +############################## +# +# Local policy +# + +allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow rssh_t self:fd use; +allow rssh_t self:fifo_file rw_fifo_file_perms; +allow rssh_t self:unix_dgram_socket create_socket_perms; +allow rssh_t self:unix_stream_socket create_stream_socket_perms; +allow rssh_t self:unix_dgram_socket sendto; +allow rssh_t self:unix_stream_socket connectto; +allow rssh_t self:shm create_shm_perms; +allow rssh_t self:sem create_sem_perms; +allow rssh_t self:msgq create_msgq_perms; +allow rssh_t self:msg { send receive }; + +allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr }; +term_create_pty(rssh_t, rssh_devpts_t) + +allow rssh_t rssh_ro_t:dir list_dir_perms; +read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) + +manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) +manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) + +kernel_read_system_state(rssh_t) +kernel_read_kernel_sysctls(rssh_t) + +files_read_etc_files(rssh_t) +files_read_etc_runtime_files(rssh_t) +files_list_home(rssh_t) +files_read_usr_files(rssh_t) +files_list_var(rssh_t) + +fs_search_auto_mountpoints(rssh_t) + +logging_send_syslog_msg(rssh_t) + +miscfiles_read_localization(rssh_t) + +ssh_rw_tcp_sockets(rssh_t) +ssh_rw_stream_sockets(rssh_t) + +optional_policy(` + nis_use_ypbind(rssh_t) +') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc index 92211c9..b020416 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc @@ -1,7 +1,7 @@ # # /home # -HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) +HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) # # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 2c949a3..2e1ab41 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -2,39 +2,29 @@ ####################################### ## -## The per role template for the screen module. +## The role template for the screen module. ## -## -##

-## This template creates a derived domains which are used -## for screen sessions. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The type of the user domain. +## The role associated with the user domain. ## ## -## +## ## -## The role associated with the user domain. +## The type of the user domain. ## ## # -template(`screen_per_role_template',` +template(`screen_role_template',` gen_require(` - type screen_dir_t, screen_exec_t; + type screen_dir_t, screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; ') ######################################## @@ -45,16 +35,8 @@ template(`screen_per_role_template',` type $1_screen_t; application_domain($1_screen_t, screen_exec_t) domain_interactive_fd($1_screen_t) - role $3 types $1_screen_t; - - type $1_screen_tmp_t; - files_tmp_file($1_screen_tmp_t) - - type $1_screen_ro_home_t; - files_type($1_screen_ro_home_t) - - type $1_screen_var_run_t; - files_pid_file($1_screen_var_run_t) + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; ######################################## # @@ -70,33 +52,33 @@ template(`screen_per_role_template',` allow $1_screen_t self:unix_stream_socket create_socket_perms; allow $1_screen_t self:unix_dgram_socket create_socket_perms; - manage_dirs_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t) - manage_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t) - manage_fifo_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t) - files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir }) + manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) # Create fifo - manage_fifo_files_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t) + manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t) manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t) - filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) + filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file) files_pid_filetrans($1_screen_t, screen_dir_t, dir) - allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; - read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) - read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) + allow $1_screen_t screen_home_t:dir list_dir_perms; + read_files_pattern($1_screen_t, screen_home_t, screen_home_t) + read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) - allow $1_screen_t $2:process signal; + allow $1_screen_t $3:process signal; - domtrans_pattern($2, screen_exec_t, $1_screen_t) - allow $2 $1_screen_t:process signal; - allow $1_screen_t $2:process signal; + domtrans_pattern($3, screen_exec_t, $1_screen_t) + allow $3 $1_screen_t:process signal; + allow $1_screen_t $3:process signal; - manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) - relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) + manage_dirs_pattern($3, screen_home_t, screen_home_t) + manage_files_pattern($3, screen_home_t, screen_home_t) + manage_lnk_files_pattern($3, screen_home_t, screen_home_t) + relabel_dirs_pattern($3, screen_home_t, screen_home_t) + relabel_files_pattern($3, screen_home_t, screen_home_t) + relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) @@ -107,8 +89,8 @@ template(`screen_per_role_template',` corecmd_read_bin_pipes($1_screen_t) corecmd_read_bin_sockets($1_screen_t) # Revert to the user domain when a shell is executed. - corecmd_shell_domtrans($1_screen_t,$2) - corecmd_bin_domtrans($1_screen_t,$2) + corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) corenet_all_recvfrom_unlabeled($1_screen_t) corenet_all_recvfrom_netlabel($1_screen_t) @@ -150,10 +132,10 @@ template(`screen_per_role_template',` sysnet_read_config($1_screen_t) - userdom_use_user_terminals($1, $1_screen_t) - userdom_create_user_pty($1, $1_screen_t) - userdom_user_home_domtrans($1, $1_screen_t, $2) - userdom_setattr_user_ptys($1, $1_screen_t) + userdom_use_user_terminals($1_screen_t) + userdom_create_user_pty($1_screen_t) + userdom_user_home_domtrans($1_screen_t, $3) + userdom_setattr_user_ptys($1_screen_t) tunable_policy(`read_default_t',` files_list_default($1_screen_t) @@ -164,13 +146,13 @@ template(`screen_per_role_template',` ') tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $2) + fs_cifs_domtrans($1_screen_t, $3) fs_read_cifs_symlinks($1_screen_t) fs_list_cifs($1_screen_t) ') tunable_policy(`use_nfs_home_dirs',` - fs_nfs_domtrans($1_screen_t, $2) + fs_nfs_domtrans($1_screen_t, $3) fs_list_nfs($1_screen_t) fs_read_nfs_symlinks($1_screen_t) ') diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index 5ad00a1..554eebe 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -1,5 +1,5 @@ -policy_module(screen, 1.4.0) +policy_module(screen, 2.0.0) ######################################## # @@ -11,3 +11,20 @@ files_pid_file(screen_dir_t) type screen_exec_t; application_executable_file(screen_exec_t) + +type screen_home_t; +typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; +typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; +userdom_user_home_content(screen_home_t) + +type screen_tmp_t; +typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; +typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; +files_tmp_file(screen_tmp_t) +ubac_constrained(screen_tmp_t) + +type screen_var_run_t; +typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; +typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t }; +files_pid_file(screen_var_run_t) +ubac_constrained(screen_var_run_t) diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc index 2b6c006..fb43a7b 100644 --- a/policy/modules/apps/thunderbird.fc +++ b/policy/modules/apps/thunderbird.fc @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index d9d5af8..c2cc18d 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -1,383 +1,63 @@ ## Thunderbird email client -####################################### +######################################## ## -## The per role template for the thunderbird module. +## Role access for thunderbird ## -## -##

-## This template creates a derived domain which is used -## for the thunderbird email client. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`thunderbird_per_role_template',` - - ######################################## - # - # Declarations - # - - type $1_thunderbird_t; - application_domain($1_thunderbird_t, thunderbird_exec_t) - role $3 types $1_thunderbird_t; - - type $1_thunderbird_home_t alias $1_thunderbird_rw_t; - files_poly_member($1_thunderbird_home_t) - userdom_user_home_content($1, $1_thunderbird_home_t) - - type $1_thunderbird_tmpfs_t; - files_tmpfs_file($1_thunderbird_tmpfs_t) - - ######################################## - # - # Local policy - # - - allow $1_thunderbird_t self:capability sys_nice; - allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; - allow $1_thunderbird_t self:fifo_file { ioctl read write getattr }; - allow $1_thunderbird_t self:unix_dgram_socket { create connect }; - allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; - allow $1_thunderbird_t self:tcp_socket create_socket_perms; - allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; - - # Access ~/.thunderbird - manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) - manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) - manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) - userdom_search_user_home_dirs($1, $1_thunderbird_t) - - manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) - manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) - manage_fifo_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) - manage_sock_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) - fs_tmpfs_filetrans($1_thunderbird_t, $1_thunderbird_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) - allow $2 $1_thunderbird_t:fd use; - allow $2 $1_thunderbird_t:shm { associate getattr }; - allow $2 $1_thunderbird_t:unix_stream_socket connectto; - allow $1_thunderbird_t $2:fd use; - allow $1_thunderbird_t $2:process sigchld; - allow $1_thunderbird_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2,$1_thunderbird_t) - - # Access ~/.thunderbird - manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - - relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) - - # Allow netstat - kernel_read_network_state($1_thunderbird_t) - kernel_read_net_sysctls($1_thunderbird_t) - kernel_read_system_state($1_thunderbird_t) - - # Startup shellscript - corecmd_exec_shell($1_thunderbird_t) - - corenet_all_recvfrom_unlabeled($1_thunderbird_t) - corenet_all_recvfrom_netlabel($1_thunderbird_t) - corenet_tcp_sendrecv_generic_if($1_thunderbird_t) - corenet_tcp_sendrecv_all_nodes($1_thunderbird_t) - corenet_tcp_sendrecv_ipp_port($1_thunderbird_t) - corenet_tcp_sendrecv_ldap_port($1_thunderbird_t) - corenet_tcp_sendrecv_innd_port($1_thunderbird_t) - corenet_tcp_sendrecv_smtp_port($1_thunderbird_t) - corenet_tcp_sendrecv_pop_port($1_thunderbird_t) - corenet_tcp_sendrecv_http_port($1_thunderbird_t) - corenet_tcp_connect_ipp_port($1_thunderbird_t) - corenet_tcp_connect_ldap_port($1_thunderbird_t) - corenet_tcp_connect_innd_port($1_thunderbird_t) - corenet_tcp_connect_smtp_port($1_thunderbird_t) - corenet_tcp_connect_pop_port($1_thunderbird_t) - corenet_tcp_connect_http_port($1_thunderbird_t) - corenet_sendrecv_ipp_client_packets($1_thunderbird_t) - corenet_sendrecv_ldap_client_packets($1_thunderbird_t) - corenet_sendrecv_innd_client_packets($1_thunderbird_t) - corenet_sendrecv_smtp_client_packets($1_thunderbird_t) - corenet_sendrecv_pop_client_packets($1_thunderbird_t) - corenet_sendrecv_http_client_packets($1_thunderbird_t) - - dev_read_urand($1_thunderbird_t) - dev_dontaudit_search_sysfs($1_thunderbird_t) - - files_list_tmp($1_thunderbird_t) - files_read_usr_files($1_thunderbird_t) - files_read_etc_files($1_thunderbird_t) - files_read_etc_runtime_files($1_thunderbird_t) - files_read_var_files($1_thunderbird_t) - files_read_var_symlinks($1_thunderbird_t) - files_dontaudit_getattr_all_tmp_files($1_thunderbird_t) - files_dontaudit_getattr_boot_dirs($1_thunderbird_t) - files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t) - files_dontaudit_search_mnt($1_thunderbird_t) - - fs_getattr_xattr_fs($1_thunderbird_t) - fs_list_inotifyfs($1_thunderbird_t) - # Access ~/.thunderbird - fs_search_auto_mountpoints($1_thunderbird_t) - - auth_use_nsswitch($1_thunderbird_t) - - miscfiles_read_fonts($1_thunderbird_t) - miscfiles_read_localization($1_thunderbird_t) - - userdom_manage_user_tmp_dirs($1, $1_thunderbird_t) - userdom_read_user_tmp_files($1, $1_thunderbird_t) - userdom_write_user_tmp_sockets($1, $1_thunderbird_t) - userdom_manage_user_tmp_sockets($1, $1_thunderbird_t) - # .kde/....gtkrc - userdom_read_user_home_content_files($1, $1_thunderbird_t) - - xserver_user_x_domain_template($1, $1_thunderbird, $1_thunderbird_t, $1_thunderbird_tmpfs_t) - xserver_read_xdm_tmp_files($1_thunderbird_t) - xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t) - - # Access ~/.thunderbird - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_thunderbird_t) - fs_manage_nfs_files($1_thunderbird_t) - fs_manage_nfs_symlinks($1_thunderbird_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_thunderbird_t) - fs_manage_cifs_files($1_thunderbird_t) - fs_manage_cifs_symlinks($1_thunderbird_t) - ') - - tunable_policy(`mail_read_content && use_nfs_home_dirs',` - files_list_home($1_thunderbird_t) - - fs_list_auto_mountpoints($1_thunderbird_t) - fs_read_nfs_files($1_thunderbird_t) - fs_read_nfs_symlinks($1_thunderbird_t) - ',` - files_dontaudit_list_home($1_thunderbird_t) - - fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) - fs_dontaudit_list_nfs($1_thunderbird_t) - fs_dontaudit_read_nfs_files($1_thunderbird_t) - ') - - tunable_policy(`mail_read_content && use_samba_home_dirs',` - files_list_home($1_thunderbird_t) - - fs_list_auto_mountpoints($1_thunderbird_t) - fs_read_cifs_files($1_thunderbird_t) - fs_read_cifs_symlinks($1_thunderbird_t) - ',` - files_dontaudit_list_home($1_thunderbird_t) - - fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) - fs_dontaudit_read_cifs_files($1_thunderbird_t) - fs_dontaudit_list_cifs($1_thunderbird_t) - ') - - tunable_policy(`mail_read_content',` - userdom_list_user_tmp($1, $1_thunderbird_t) - userdom_read_user_tmp_files($1, $1_thunderbird_t) - userdom_read_user_tmp_symlinks($1, $1_thunderbird_t) - userdom_search_user_home_dirs($1, $1_thunderbird_t) - userdom_read_user_home_content_files($1, $1_thunderbird_t) - - ifndef(`enable_mls',` - fs_search_removable($1_thunderbird_t) - fs_read_removable_files($1_thunderbird_t) - fs_read_removable_symlinks($1_thunderbird_t) - ') - ',` - files_dontaudit_list_tmp($1_thunderbird_t) - files_dontaudit_list_home($1_thunderbird_t) - - fs_dontaudit_list_removable($1_thunderbird_t) - fs_dontaudit_read_removable_files($1_thunderbird_t) - - userdom_dontaudit_list_user_tmp($1, $1_thunderbird_t) - userdom_dontaudit_read_user_tmp_files($1, $1_thunderbird_t) - userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t) - userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t) - ') - - tunable_policy(`mail_read_content && read_default_t',` - files_list_default($1_thunderbird_t) - files_read_default_files($1_thunderbird_t) - files_read_default_symlinks($1_thunderbird_t) - ',` - files_dontaudit_read_default_files($1_thunderbird_t) - files_dontaudit_list_default($1_thunderbird_t) - ') - - tunable_policy(`mail_read_content && read_untrusted_content',` - files_list_tmp($1_thunderbird_t) - files_list_home($1_thunderbird_t) - - userdom_search_user_home_dirs($1, $1_thunderbird_t) - userdom_list_user_untrusted_content($1, $1_thunderbird_t) - userdom_read_user_untrusted_content_files($1, $1_thunderbird_t) - userdom_read_user_untrusted_content_symlinks($1, $1_thunderbird_t) - userdom_list_user_tmp_untrusted_content($1, $1_thunderbird_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t) - userdom_read_user_tmp_untrusted_content_symlinks($1, $1_thunderbird_t) - ',` - files_dontaudit_list_tmp($1_thunderbird_t) - files_dontaudit_list_home($1_thunderbird_t) - - userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t) - userdom_dontaudit_list_user_untrusted_content($1, $1_thunderbird_t) - userdom_dontaudit_read_user_untrusted_content_files($1, $1_thunderbird_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_thunderbird_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t) - ') - - # Manage nfs homedirs - tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` - files_search_home($1_thunderbird_t) - - fs_search_auto_mountpoints($1_thunderbird_t) - fs_manage_nfs_dirs($1_thunderbird_t) - fs_manage_nfs_files($1_thunderbird_t) - fs_manage_nfs_symlinks($1_thunderbird_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) - fs_dontaudit_manage_nfs_dirs($1_thunderbird_t) - fs_dontaudit_manage_nfs_files($1_thunderbird_t) - ') - - # Manage samba homedirs - tunable_policy(`write_untrusted_content && use_samba_home_dirs',` - files_search_home($1_thunderbird_t) - - fs_search_auto_mountpoints($1_thunderbird_t) - fs_manage_cifs_dirs($1_thunderbird_t) - fs_manage_cifs_files($1_thunderbird_t) - fs_manage_cifs_symlinks($1_thunderbird_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_thunderbird_t) - fs_dontaudit_manage_cifs_dirs($1_thunderbird_t) - fs_dontaudit_manage_cifs_files($1_thunderbird_t) - ') - - # Manage /tmp and /home - tunable_policy(`write_untrusted_content',` - files_search_home($1_thunderbird_t) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir) - userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t) - userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) - userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - ',` - files_dontaudit_list_home($1_thunderbird_t) - files_dontaudit_list_tmp($1_thunderbird_t) - - userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t) - userdom_dontaudit_manage_user_tmp_dirs($1, $1_thunderbird_t) - userdom_dontaudit_manage_user_tmp_files($1, $1_thunderbird_t) - userdom_dontaudit_manage_user_home_content_dirs($1, $1_thunderbird_t) - ') - - optional_policy(` - dbus_system_bus_client_template($1_thunderbird, $1_thunderbird_t) - dbus_user_bus_client_template($1, $1_thunderbird, $1_thunderbird_t) - ') - - optional_policy(` - cups_read_rw_config($1_thunderbird_t) - cups_dbus_chat($1_thunderbird_t) - ') - - optional_policy(` - gnome_stream_connect_gconf_template($1, $1_thunderbird_t) - gnome_domtrans_user_gconf($1, $1_thunderbird_t) - gnome_manage_user_gnome_config($1, $1_thunderbird_t) - ') - - optional_policy(` - gpg_domtrans_user_gpg($1, $1_thunderbird_t) +interface(`thunderbird_role',` + gen_require(` + type thunderbird_t, thunderbird_exec_t; + type thunderbird_home_t, thunderbird_tmpfs_t; ') - optional_policy(` - lpd_domtrans_user_lpr($1, $1_thunderbird_t) - ') + role $1 types thunderbird_t; - optional_policy(` - mozilla_read_user_home_files($1, $1_thunderbird_t) - mozilla_domtrans_user_mozilla($1, $1_thunderbird_t) - mozilla_dbus_chat($1, $1_thunderbird_t) - ') + domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) + allow $2 thunderbird_t:fd use; + allow $2 thunderbird_t:shm { associate getattr }; + allow $2 thunderbird_t:unix_stream_socket connectto; + allow thunderbird_t $2:fd use; + allow thunderbird_t $2:process sigchld; + allow thunderbird_t $2:unix_stream_socket connectto; - ifdef(`TODO',` - # FIXME: Rules were removed to centralize policy in a gnome_app macro - # A similar thing might be necessary for mozilla compiled without GNOME - # support (is this possible?). + # allow ps to show thunderbird and allow the user to kill it + ps_process_pattern($2, thunderbird_t) + allow $2 thunderbird_t:process signal; - # GNOME support - optional_policy(` - gnome_application($1_thunderbird, $1) - gnome_file_dialog($1_thunderbird, $1) - allow $1_thunderbird_t $1_gnome_settings_t:file { read write }; - ') - ') + # Access ~/.thunderbird + manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) ') ######################################## ## ## Run thunderbird in the user thunderbird domain. ## -## -##

-## Run thunderbird in the user thunderbird domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`thunderbird_domtrans_user_thunderbird',` +interface(`thunderbird_domtrans',` gen_require(` - type $1_thunderbird_t, thunderbird_exec_t; + type thunderbird_t, thunderbird_exec_t; ') - domtrans_pattern($2, thunderbird_exec_t, $1_thunderbird_t) + domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) ') diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te index 15169bc..8c0faea 100644 --- a/policy/modules/apps/thunderbird.te +++ b/policy/modules/apps/thunderbird.te @@ -1,10 +1,221 @@ -policy_module(thunderbird, 1.6.0) +policy_module(thunderbird, 2.0.0) ######################################## # # Declarations # +type thunderbird_t; type thunderbird_exec_t; -application_executable_file(thunderbird_exec_t) +typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; +typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; +application_domain(thunderbird_t, thunderbird_exec_t) +ubac_constrained(thunderbird_t) + +type thunderbird_home_t; +typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; +typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; +files_poly_member(thunderbird_home_t) +userdom_user_home_content(thunderbird_home_t) + +type thunderbird_tmpfs_t; +typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; +typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; +files_tmpfs_file(thunderbird_tmpfs_t) +ubac_constrained(thunderbird_tmpfs_t) + +######################################## +# +# Local policy +# + +allow thunderbird_t self:capability sys_nice; +allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; +allow thunderbird_t self:fifo_file { ioctl read write getattr }; +allow thunderbird_t self:unix_dgram_socket { create connect }; +allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; +allow thunderbird_t self:tcp_socket create_socket_perms; +allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; + +# Access ~/.thunderbird +manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +userdom_search_user_home_dirs(thunderbird_t) + +manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Allow netstat +kernel_read_network_state(thunderbird_t) +kernel_read_net_sysctls(thunderbird_t) +kernel_read_system_state(thunderbird_t) + +# Startup shellscript +corecmd_exec_shell(thunderbird_t) + +corenet_all_recvfrom_unlabeled(thunderbird_t) +corenet_all_recvfrom_netlabel(thunderbird_t) +corenet_tcp_sendrecv_generic_if(thunderbird_t) +corenet_tcp_sendrecv_all_nodes(thunderbird_t) +corenet_tcp_sendrecv_ipp_port(thunderbird_t) +corenet_tcp_sendrecv_ldap_port(thunderbird_t) +corenet_tcp_sendrecv_innd_port(thunderbird_t) +corenet_tcp_sendrecv_smtp_port(thunderbird_t) +corenet_tcp_sendrecv_pop_port(thunderbird_t) +corenet_tcp_sendrecv_http_port(thunderbird_t) +corenet_tcp_connect_ipp_port(thunderbird_t) +corenet_tcp_connect_ldap_port(thunderbird_t) +corenet_tcp_connect_innd_port(thunderbird_t) +corenet_tcp_connect_smtp_port(thunderbird_t) +corenet_tcp_connect_pop_port(thunderbird_t) +corenet_tcp_connect_http_port(thunderbird_t) +corenet_sendrecv_ipp_client_packets(thunderbird_t) +corenet_sendrecv_ldap_client_packets(thunderbird_t) +corenet_sendrecv_innd_client_packets(thunderbird_t) +corenet_sendrecv_smtp_client_packets(thunderbird_t) +corenet_sendrecv_pop_client_packets(thunderbird_t) +corenet_sendrecv_http_client_packets(thunderbird_t) + +dev_read_urand(thunderbird_t) +dev_dontaudit_search_sysfs(thunderbird_t) + +files_list_tmp(thunderbird_t) +files_read_usr_files(thunderbird_t) +files_read_etc_files(thunderbird_t) +files_read_etc_runtime_files(thunderbird_t) +files_read_var_files(thunderbird_t) +files_read_var_symlinks(thunderbird_t) +files_dontaudit_getattr_all_tmp_files(thunderbird_t) +files_dontaudit_getattr_boot_dirs(thunderbird_t) +files_dontaudit_getattr_lost_found_dirs(thunderbird_t) +files_dontaudit_search_mnt(thunderbird_t) + +fs_getattr_xattr_fs(thunderbird_t) +fs_list_inotifyfs(thunderbird_t) +# Access ~/.thunderbird +fs_search_auto_mountpoints(thunderbird_t) + +auth_use_nsswitch(thunderbird_t) + +miscfiles_read_fonts(thunderbird_t) +miscfiles_read_localization(thunderbird_t) + +userdom_manage_user_tmp_dirs(thunderbird_t) +userdom_read_user_tmp_files(thunderbird_t) +userdom_manage_user_tmp_sockets(thunderbird_t) +# .kde/....gtkrc +userdom_read_user_home_content_files(thunderbird_t) + +xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) +xserver_read_xdm_tmp_files(thunderbird_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + +# Access ~/.thunderbird +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(thunderbird_t) + fs_manage_nfs_files(thunderbird_t) + fs_manage_nfs_symlinks(thunderbird_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(thunderbird_t) + fs_manage_cifs_files(thunderbird_t) + fs_manage_cifs_symlinks(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_nfs_files(thunderbird_t) + fs_read_nfs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_list_nfs(thunderbird_t) + fs_dontaudit_read_nfs_files(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_samba_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_cifs_files(thunderbird_t) + fs_read_cifs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_read_cifs_files(thunderbird_t) + fs_dontaudit_list_cifs(thunderbird_t) +') + +tunable_policy(`mail_read_content',` + userdom_list_user_tmp(thunderbird_t) + userdom_read_user_tmp_files(thunderbird_t) + userdom_read_user_tmp_symlinks(thunderbird_t) + userdom_search_user_home_dirs(thunderbird_t) + userdom_read_user_home_content_files(thunderbird_t) + + ifndef(`enable_mls',` + fs_search_removable(thunderbird_t) + fs_read_removable_files(thunderbird_t) + fs_read_removable_symlinks(thunderbird_t) + ') +',` + files_dontaudit_list_tmp(thunderbird_t) + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_removable(thunderbird_t) + fs_dontaudit_read_removable_files(thunderbird_t) + + userdom_dontaudit_list_user_tmp(thunderbird_t) + userdom_dontaudit_read_user_tmp_files(thunderbird_t) + userdom_dontaudit_list_user_home_dirs(thunderbird_t) + userdom_dontaudit_read_user_home_content_files(thunderbird_t) +') + +tunable_policy(`mail_read_content && read_default_t',` + files_list_default(thunderbird_t) + files_read_default_files(thunderbird_t) + files_read_default_symlinks(thunderbird_t) +',` + files_dontaudit_read_default_files(thunderbird_t) + files_dontaudit_list_default(thunderbird_t) +') + +optional_policy(` + dbus_system_bus_client(thunderbird_t) + dbus_session_bus_client(thunderbird_t) +') + +optional_policy(` + cups_read_rw_config(thunderbird_t) + cups_dbus_chat(thunderbird_t) +') + +optional_policy(` + gnome_stream_connect_gconf(thunderbird_t) + gnome_domtrans_gconfd(thunderbird_t) + gnome_manage_config(thunderbird_t) +') + +optional_policy(` + gpg_domtrans(thunderbird_t) +') + +optional_policy(` + lpd_domtrans_lpr(thunderbird_t) +') + +optional_policy(` + mozilla_read_user_home_files(thunderbird_t) + mozilla_domtrans(thunderbird_t) + mozilla_dbus_chat(thunderbird_t) +') diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index 2cfec68..8d89f21 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if @@ -1,136 +1,40 @@ ## tvtime - a high quality television application -####################################### +######################################## ## -## The per role template for the tvtime module. +## Role access for tvtime ## -## -##

-## This template creates a derived domains which are used -## for tvtime. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## +## ## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`tvtime_per_role_template',` +interface(`tvtime_role',` gen_require(` - type tvtime_exec_t; + type tvtime_t, tvtime_exec_t; + type tvtime_home_t, tvtime_tmpfs_t; ') - ######################################## - # - # Declarations - # - - type $1_tvtime_t; - application_domain($1_tvtime_t, tvtime_exec_t) - role $3 types $1_tvtime_t; - - type $1_tvtime_home_t alias $1_tvtime_rw_t; - userdom_user_home_content($1, $1_tvtime_home_t) - files_poly_member($1_tvtime_home_t) - - type $1_tvtime_tmp_t; - files_tmp_file($1_tvtime_tmp_t) - - type $1_tvtime_tmpfs_t; - files_tmpfs_file($1_tvtime_tmpfs_t) - - ######################################## - # - # Local policy - # - - allow $1_tvtime_t self:capability { setuid sys_nice sys_resource }; - allow $1_tvtime_t self:process setsched; - allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms; - allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; - - # X access, Home files - manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) - manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) - manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) - userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir) - - manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) - manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) - files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir }) - - manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - manage_fifo_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - manage_sock_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - fs_tmpfs_filetrans($1_tvtime_t, $1_tvtime_tmpfs_t, { file lnk_file sock_file fifo_file }) + role $1 types tvtime_t; # Type transition - domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) + domtrans_pattern($2, tvtime_exec_t, tvtime_t) # X access, Home files - manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) - manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) - manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) - relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) - relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) - relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) + manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t) + manage_files_pattern($2, tvtime_home_t, tvtime_home_t) + manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_files_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) # Allow the user domain to signal/ps. - ps_process_pattern($2,$1_tvtime_t) - allow $2 $1_tvtime_t:process signal_perms; - - kernel_read_all_sysctls($1_tvtime_t) - kernel_get_sysvipc_info($1_tvtime_t) - - dev_read_urand($1_tvtime_t) - dev_read_realtime_clock($1_tvtime_t) - dev_read_sound($1_tvtime_t) - - files_read_usr_files($1_tvtime_t) - files_search_pids($1_tvtime_t) - # Read /etc/tvtime - files_read_etc_files($1_tvtime_t) - - # X access, Home files - fs_search_auto_mountpoints($1_tvtime_t) - - miscfiles_read_localization($1_tvtime_t) - miscfiles_read_fonts($1_tvtime_t) - - userdom_use_user_terminals($1, $1_tvtime_t) - userdom_read_user_home_content_files($1, $1_tvtime_t) - - # X access, Home files - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_tvtime_t) - fs_manage_nfs_files($1_tvtime_t) - fs_manage_nfs_symlinks($1_tvtime_t) - ') - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_tvtime_t) - fs_manage_cifs_files($1_tvtime_t) - fs_manage_cifs_symlinks($1_tvtime_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_tvtime, $1_tvtime_t, $1_tvtime_tmpfs_t) - ') + ps_process_pattern($2, tvtime_t) + allow $2 tvtime_t:process signal_perms; ') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 8c64f2d..033b123 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te @@ -1,13 +1,95 @@ -policy_module(tvtime, 1.4.0) +policy_module(tvtime, 2.0.0) ######################################## # # Declarations # +type tvtime_t; type tvtime_exec_t; -application_executable_file(tvtime_exec_t) +typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; +typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; +application_domain(tvtime_t, tvtime_exec_t) +ubac_constrained(tvtime_t) -type tvtime_dir_t; -files_pid_file(tvtime_dir_t) +type tvtime_home_t alias tvtime_rw_t; +typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; +typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; +userdom_user_home_content(tvtime_home_t) +files_poly_member(tvtime_home_t) + +type tvtime_tmp_t; +typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; +typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; +files_tmp_file(tvtime_tmp_t) +ubac_constrained(tvtime_tmp_t) + +type tvtime_tmpfs_t; +typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; +typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; +files_tmpfs_file(tvtime_tmpfs_t) +ubac_constrained(tvtime_tmpfs_t) + +######################################## +# +# Local policy +# + +allow tvtime_t self:capability { setuid sys_nice sys_resource }; +allow tvtime_t self:process setsched; +allow tvtime_t self:unix_dgram_socket rw_socket_perms; +allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; + +# X access, Home files +manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) + +manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) + +manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) + +kernel_read_all_sysctls(tvtime_t) +kernel_get_sysvipc_info(tvtime_t) + +dev_read_urand(tvtime_t) +dev_read_realtime_clock(tvtime_t) +dev_read_sound(tvtime_t) + +files_read_usr_files(tvtime_t) +files_search_pids(tvtime_t) +# Read /etc/tvtime +files_read_etc_files(tvtime_t) + +# X access, Home files +fs_search_auto_mountpoints(tvtime_t) + +miscfiles_read_localization(tvtime_t) +miscfiles_read_fonts(tvtime_t) + +userdom_use_user_terminals(tvtime_t) +userdom_read_user_home_content_files(tvtime_t) + +# X access, Home files +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(tvtime_t) + fs_manage_nfs_files(tvtime_t) + fs_manage_nfs_symlinks(tvtime_t) +') +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(tvtime_t) + fs_manage_cifs_files(tvtime_t) + fs_manage_cifs_symlinks(tvtime_t) +') + +optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) +') diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc index ba0a764..b8b9520 100644 --- a/policy/modules/apps/uml.fc +++ b/policy/modules/apps/uml.fc @@ -1,7 +1,7 @@ # # HOME_DIR/ # -HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) +HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) # # /usr diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index a833644..d2ab7cb 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -1,194 +1,64 @@ ## Policy for UML -####################################### +######################################## ## -## The per role template for the uml module. +## Role access for uml ## -## -##

-## This template creates a derived domains which are used -## for uml program. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`uml_per_role_template',` +interface(`uml_role',` gen_require(` - type uml_ro_t, uml_exec_t; + type uml_t, uml_exec_t; + type uml_ro_t, uml_rw_t, uml_tmp_t; + type uml_devpts_t, uml_tmpfs_t; ') - ######################################## - # - # Declarations - # - - type $1_uml_t; - type $1_uml_exec_t; - application_domain($1_uml_t, $1_uml_exec_t) - role $3 types $1_uml_t; - - type $1_uml_ro_t; - files_type($1_uml_ro_t) - - type $1_uml_rw_t; - files_type($1_uml_rw_t) - - type $1_uml_tmp_t; - files_tmp_file($1_uml_tmp_t) - - type $1_uml_tmpfs_t; - files_tmpfs_file($1_uml_tmpfs_t) - - type $1_uml_devpts_t; - term_pty($1_uml_devpts_t) - - ######################################## - # - # Local policy - # - - allow $1_uml_t self:fifo_file rw_fifo_file_perms; - allow $1_uml_t self:process { signal_perms ptrace }; - allow $1_uml_t self:unix_stream_socket create_stream_socket_perms; - allow $1_uml_t self:unix_dgram_socket create_socket_perms; - # Use the network. - allow $1_uml_t self:tcp_socket create_stream_socket_perms; - allow $1_uml_t self:udp_socket create_socket_perms; - - allow $1_uml_t $2:process sigchld; - allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append }; - - # allow the UML thing to happen - allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1_uml_t,$1_uml_devpts_t) - - manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t) - manage_files_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t) - files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir }) - can_exec($1_uml_t, $1_uml_tmp_t) - - manage_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t) - manage_lnk_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t) - manage_fifo_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t) - manage_sock_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t) - fs_tmpfs_filetrans($1_uml_t, $1_uml_tmpfs_t, { file lnk_file sock_file fifo_file }) - can_exec($1_uml_t, $1_uml_tmpfs_t) - - # access config files - allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms; - read_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t }) - read_lnk_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t }) - - manage_dirs_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t) - manage_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t) - manage_lnk_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t) - manage_fifo_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t) - manage_sock_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t) - userdom_user_home_dir_filetrans($1, $1_uml_t, $1_uml_rw_t, { file lnk_file sock_file fifo_file }) - - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2,uml_ro_t, uml_ro_t) - read_lnk_files_pattern($2,uml_ro_t, uml_ro_t) - - manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - manage_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - manage_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - manage_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - relabel_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - relabel_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - relabel_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t }) - - manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }) - manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }) - relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }) - relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }) - - # allow ps, ptrace, signal - ps_process_pattern($2,$1_uml_t) - allow $2 $1_uml_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t) - manage_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t) - manage_lnk_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t) - manage_sock_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t) + role $1 types uml_t; # Transition from the user domain to this domain. - domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t) - can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t }) + domtrans_pattern($2, uml_exec_t, uml_t) # for mconsole - allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto; - allow $1_uml_t $2:unix_dgram_socket sendto; - - kernel_read_system_state($1_uml_t) - # for SKAS - need something better - kernel_write_proc_files($1_uml_t) - - # for xterm - corecmd_exec_bin($1_uml_t) - - corenet_all_recvfrom_unlabeled($1_uml_t) - corenet_all_recvfrom_netlabel($1_uml_t) - corenet_tcp_sendrecv_generic_if($1_uml_t) - corenet_udp_sendrecv_generic_if($1_uml_t) - corenet_tcp_sendrecv_all_nodes($1_uml_t) - corenet_udp_sendrecv_all_nodes($1_uml_t) - corenet_tcp_sendrecv_all_ports($1_uml_t) - corenet_udp_sendrecv_all_ports($1_uml_t) - corenet_tcp_connect_all_ports($1_uml_t) - corenet_sendrecv_all_client_packets($1_uml_t) - corenet_rw_tun_tap_dev($1_uml_t) - - domain_use_interactive_fds($1_uml_t) + allow $2 uml_t:unix_dgram_socket sendto; + allow uml_t $2:unix_dgram_socket sendto; - # for xterm - files_read_etc_files($1_uml_t) - files_dontaudit_read_etc_runtime_files($1_uml_t) - # putting uml data under /var is usual... - files_search_var($1_uml_t) - - fs_getattr_xattr_fs($1_uml_t) - - init_read_utmp($1_uml_t) - init_dontaudit_write_utmp($1_uml_t) - - # for xterm - libs_exec_lib_files($1_uml_t) - - # Inherit and use descriptors from newrole. - seutil_use_newrole_fds($1_uml_t) - - # Use the network. - sysnet_read_config($1_uml_t) - - userdom_use_user_terminals($1, $1_uml_t) + # allow ps, ptrace, signal + ps_process_pattern($2, uml_t) + allow $2 uml_t:process { ptrace signal_perms }; - optional_policy(` - nis_use_ypbind($1_uml_t) - ') + allow $2 uml_ro_t:dir list_dir_perms; + read_files_pattern($2, uml_ro_t, uml_ro_t) + read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + + manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t) + manage_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) ') ######################################## diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index b9f8783..84b8efd 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -1,16 +1,47 @@ -policy_module(uml, 1.6.0) +policy_module(uml, 2.0.0) ######################################## # # Declarations # +type uml_t; type uml_exec_t; -application_executable_file(uml_exec_t) +typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; +typealias uml_t alias { auditadm_uml_t secadm_uml_t }; +application_domain(uml_t, uml_exec_t) +ubac_constrained(uml_t) type uml_ro_t; +typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; +typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; files_type(uml_ro_t) +ubac_constrained(uml_ro_t) + +type uml_rw_t; +typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; +typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; +files_type(uml_rw_t) +ubac_constrained(uml_rw_t) + +type uml_tmp_t; +typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; +typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; +files_tmp_file(uml_tmp_t) +ubac_constrained(uml_tmp_t) + +type uml_tmpfs_t; +typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; +typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; +files_tmpfs_file(uml_tmpfs_t) +ubac_constrained(uml_tmpfs_t) + +type uml_devpts_t; +typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; +typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; +term_pty(uml_devpts_t) +ubac_constrained(uml_devpts_t) type uml_switch_t; type uml_switch_exec_t; @@ -24,6 +55,98 @@ files_pid_file(uml_switch_var_run_t) # Local policy # +allow uml_t self:fifo_file rw_fifo_file_perms; +allow uml_t self:process { signal_perms ptrace }; +allow uml_t self:unix_stream_socket create_stream_socket_perms; +allow uml_t self:unix_dgram_socket create_socket_perms; +# Use the network. +allow uml_t self:tcp_socket create_stream_socket_perms; +allow uml_t self:udp_socket create_socket_perms; +# for mconsole +allow uml_t self:unix_dgram_socket sendto; + +# allow the UML thing to happen +allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr }; +term_create_pty(uml_t, uml_devpts_t) + +manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) +manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) +files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) +can_exec(uml_t, uml_tmp_t) + +manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) +can_exec(uml_t, uml_tmpfs_t) + +# access config files +allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms; +read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) +read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) + +manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) +userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) + +can_exec(uml_t, { uml_exec_t uml_exec_t }) + +kernel_read_system_state(uml_t) +# for SKAS - need something better +kernel_write_proc_files(uml_t) + +# for xterm +corecmd_exec_bin(uml_t) + +corenet_all_recvfrom_unlabeled(uml_t) +corenet_all_recvfrom_netlabel(uml_t) +corenet_tcp_sendrecv_generic_if(uml_t) +corenet_udp_sendrecv_generic_if(uml_t) +corenet_tcp_sendrecv_all_nodes(uml_t) +corenet_udp_sendrecv_all_nodes(uml_t) +corenet_tcp_sendrecv_all_ports(uml_t) +corenet_udp_sendrecv_all_ports(uml_t) +corenet_tcp_connect_all_ports(uml_t) +corenet_sendrecv_all_client_packets(uml_t) +corenet_rw_tun_tap_dev(uml_t) + +domain_use_interactive_fds(uml_t) + +# for xterm +files_read_etc_files(uml_t) +files_dontaudit_read_etc_runtime_files(uml_t) +# putting uml data under /var is usual... +files_search_var(uml_t) + +fs_getattr_xattr_fs(uml_t) + +init_read_utmp(uml_t) +init_dontaudit_write_utmp(uml_t) + +# for xterm +libs_exec_lib_files(uml_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(uml_t) + +# Use the network. +sysnet_read_config(uml_t) + +userdom_use_user_terminals(uml_t) + +optional_policy(` + nis_use_ypbind(uml_t) +') + +######################################## +# +# Local policy +# + dontaudit uml_switch_t self:capability sys_tty_config; allow uml_switch_t self:process signal_perms; allow uml_switch_t self:unix_dgram_socket create_socket_perms; @@ -54,8 +177,7 @@ logging_send_syslog_msg(uml_switch_t) miscfiles_read_localization(uml_switch_t) userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) - -sysadm_dontaudit_search_home_dirs(uml_switch_t) +userdom_dontaudit_search_user_home_dirs(uml_switch_t) optional_policy(` seutil_sigchld_newrole(uml_switch_t) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if index b144715..c25e403 100644 --- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -2,38 +2,28 @@ ####################################### ## -## The per role template for the userhelper module. +## The role template for the userhelper module. ## -## -##

-## This template creates a derived domains which are used -## for userhelper. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The type of the user domain. +## The user role. ## ## -## +## ## -## The role associated with the user domain. +## The user domain associated with the role. ## ## # -template(`userhelper_per_role_template',` +template(`userhelper_role_template',` gen_require(` + attribute userhelper_type; type userhelper_exec_t, userhelper_conf_t; ') @@ -42,13 +32,14 @@ template(`userhelper_per_role_template',` # Declarations # - type $1_userhelper_t; + type $1_userhelper_t, userhelper_type; application_domain($1_userhelper_t, userhelper_exec_t) domain_role_change_exemption($1_userhelper_t) domain_obj_id_change_exemption($1_userhelper_t) domain_interactive_fd($1_userhelper_t) domain_subj_id_change_exemption($1_userhelper_t) - role $3 types $1_userhelper_t; + ubac_constrained($1_userhelper_t) + role $2 types $1_userhelper_t; ######################################## # @@ -70,14 +61,14 @@ template(`userhelper_per_role_template',` allow $1_userhelper_t self:sock_file read_sock_file_perms; #Transition to the derived domain. - domtrans_pattern($2, userhelper_exec_t, $1_userhelper_t) + domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) can_exec($1_userhelper_t, userhelper_exec_t) - dontaudit $2 $1_userhelper_t:process signal; + dontaudit $3 $1_userhelper_t:process signal; kernel_read_all_sysctls($1_userhelper_t) kernel_getattr_debugfs($1_userhelper_t) @@ -86,7 +77,7 @@ template(`userhelper_per_role_template',` # Execute shells corecmd_exec_shell($1_userhelper_t) # By default, revert to the calling domain when a program is executed - corecmd_bin_domtrans($1_userhelper_t,$2) + corecmd_bin_domtrans($1_userhelper_t, $3) # Inherit descriptors from the current session. domain_use_interactive_fds($1_userhelper_t) @@ -98,8 +89,6 @@ template(`userhelper_per_role_template',` dev_list_all_dev_nodes($1_userhelper_t) files_list_var_lib($1_userhelper_t) - # Write to utmp. - files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file) # Read the /etc/security/default_type file files_read_etc_files($1_userhelper_t) # Read /var. @@ -138,13 +127,13 @@ template(`userhelper_per_role_template',` init_use_fds($1_userhelper_t) # Write to utmp. init_manage_utmp($1_userhelper_t) + init_pid_filetrans_utmp($1_userhelper_t) miscfiles_read_localization($1_userhelper_t) seutil_read_config($1_userhelper_t) seutil_read_default_contexts($1_userhelper_t) - userdom_use_unpriv_users_fds($1_userhelper_t) # Allow $1_userhelper_t to transition to user domains. userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) @@ -156,14 +145,8 @@ template(`userhelper_per_role_template',` ') ') - tunable_policy(`! secure_mode',` - #if we are not in secure mode then we can transition to sysadm_t - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') - optional_policy(` - ethereal_domtrans_user_ethereal($1, $1_userhelper_t) + ethereal_domtrans($1_userhelper_t) ') optional_policy(` @@ -177,6 +160,14 @@ template(`userhelper_per_role_template',` optional_policy(` nscd_socket_use($1_userhelper_t) ') + + optional_policy(` + tunable_policy(`! secure_mode',` + #if we are not in secure mode then we can transition to sysadm_t + sysadm_bin_spec_domtrans($1_userhelper_t) + sysadm_entry_spec_domtrans($1_userhelper_t) + ') + ') ') ######################################## @@ -220,46 +211,36 @@ interface(`userhelper_dontaudit_search_config',` ## ## Allow domain to use userhelper file descriptor. ## -## -## -## The prefix of the domain, example user is the prefix of user_t. -## -## ## ## ## Domain allowed access. ## ## # -template(`userhelper_use_user_fd',` +interface(`userhelper_use_fd',` gen_require(` - type $1_userhelper_t; + attribute userhelper_type; ') - allow $2 $1_userhelper_t:fd use; + allow $1 userhelper_type:fd use; ') ######################################## ## ## Allow domain to send sigchld to userhelper. ## -## -## -## The prefix of the domain, example user is the prefix of user_t. -## -## ## ## ## Domain allowed access. ## ## # -template(`userhelper_sigchld_user',` +interface(`userhelper_sigchld',` gen_require(` - type $1_userhelper_t; + attribute userhelper_type; ') - allow $2 $1_userhelper_t:process sigchld; + allow $1 userhelper_type:process sigchld; ') ######################################## diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te index b93fc24..eac2ff4 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te @@ -1,11 +1,13 @@ -policy_module(userhelper, 1.4.0) +policy_module(userhelper, 1.4.1) ######################################## # # Declarations # +attribute userhelper_type; + type userhelper_conf_t; files_type(userhelper_conf_t) diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if index f846690..cc4609c 100644 --- a/policy/modules/apps/usernetctl.if +++ b/policy/modules/apps/usernetctl.if @@ -33,11 +33,6 @@ interface(`usernetctl_domtrans',` ## The role to be allowed the usernetctl domain. ## ## -## -## -## The type of the terminal allow the usernetctl domain to use. -## -## ## # interface(`usernetctl_run',` @@ -47,24 +42,23 @@ interface(`usernetctl_run',` usernetctl_domtrans($1) role $2 types usernetctl_t; - allow usernetctl_t $3:chr_file rw_term_perms; - sysnet_run_ifconfig(usernetctl_t, $2, $3) - sysnet_run_dhcpc(usernetctl_t, $2, $3) + sysnet_run_ifconfig(usernetctl_t, $2) + sysnet_run_dhcpc(usernetctl_t, $2) optional_policy(` - consoletype_run(usernetctl_t, $2, $3) + consoletype_run(usernetctl_t, $2) ') optional_policy(` - iptables_run(usernetctl_t, $2, $3) + iptables_run(usernetctl_t, $2) ') optional_policy(` - modutils_run_insmod(usernetctl_t, $2, $3) + modutils_run_insmod(usernetctl_t, $2) ') optional_policy(` - ppp_run(usernetctl_t, $2, $3) + ppp_run(usernetctl_t, $2) ') ') diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te index aa63889..ef81e79 100644 --- a/policy/modules/apps/usernetctl.te +++ b/policy/modules/apps/usernetctl.te @@ -1,5 +1,5 @@ -policy_module(usernetctl, 1.4.0) +policy_module(usernetctl, 1.4.1) ######################################## # @@ -59,7 +59,7 @@ seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) -term_search_ptys(usernetctl_t) +userdom_use_user_terminals(usernetctl_t) optional_policy(` hostname_exec(usernetctl_t) diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc index cf2097d..85b26a5 100644 --- a/policy/modules/apps/vmware.fc +++ b/policy/modules/apps/vmware.fc @@ -1,9 +1,9 @@ # # HOME_DIR/ # -HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) -HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) +HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) +HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) +HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) # # /etc diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if index d4d83f6..80afe1f 100644 --- a/policy/modules/apps/vmware.if +++ b/policy/modules/apps/vmware.if @@ -1,168 +1,33 @@ ## VMWare Workstation virtual machines -####################################### +######################################## ## -## The per role template for the vmware module. +## Role access for vmware ## -## -##

-## This template creates a derived domain which is used -## for vmware sessions. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`vmware_per_role_template',` +interface(`vmware_role',` gen_require(` - type vmware_exec_t, vmware_sys_conf_t; + type vmware_t, vmware_exec_t; ') - ############################## - # - # Declarations - # - - type $1_vmware_t; - domain_type($1_vmware_t) - domain_entry_file($1_vmware_t, vmware_exec_t) - role $3 types $1_vmware_t; - - type $1_vmware_conf_t; - userdom_user_home_content($1, $1_vmware_conf_t) - - type $1_vmware_file_t; - userdom_user_home_content($1, $1_vmware_file_t) - - type $1_vmware_tmp_t; - files_tmp_file($1_vmware_tmp_t) - - type $1_vmware_tmpfs_t; - files_tmpfs_file($1_vmware_tmpfs_t) - - type $1_vmware_var_run_t; - files_pid_file($1_vmware_var_run_t) - - ############################## - # - # Local policy - # - - allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; - dontaudit $1_vmware_t self:capability sys_tty_config; - allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_vmware_t self:process { execmem execstack }; - allow $1_vmware_t self:fd use; - allow $1_vmware_t self:fifo_file rw_fifo_file_perms; - allow $1_vmware_t self:unix_dgram_socket create_socket_perms; - allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms; - allow $1_vmware_t self:unix_dgram_socket sendto; - allow $1_vmware_t self:unix_stream_socket connectto; - allow $1_vmware_t self:shm create_shm_perms; - allow $1_vmware_t self:sem create_sem_perms; - allow $1_vmware_t self:msgq create_msgq_perms; - allow $1_vmware_t self:msg { send receive }; - - can_exec($1_vmware_t, vmware_exec_t) - - # User configuration files - allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms; - - # VMWare disks - manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) - manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) - - allow $1_vmware_t $1_vmware_tmp_t:file execute; - manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) - manage_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) - manage_sock_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) - files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir }) - - manage_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t) - manage_lnk_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t) - manage_fifo_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t) - manage_sock_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t) - fs_tmpfs_filetrans($1_vmware_t, $1_vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - # Read clobal configuration files - allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms; - read_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) - read_lnk_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) - - manage_dirs_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t) - manage_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t) - manage_lnk_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t) - manage_sock_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t) - files_pid_filetrans($1_vmware_t, $1_vmware_var_run_t, { dir file lnk_file }) - - domtrans_pattern($2, vmware_exec_t, $1_vmware_t) - - kernel_read_system_state($1_vmware_t) - kernel_read_network_state($1_vmware_t) - kernel_read_kernel_sysctls($1_vmware_t) - - # startup scripts - corecmd_exec_bin($1_vmware_t) - corecmd_exec_shell($1_vmware_t) - - dev_read_raw_memory($1_vmware_t) - dev_write_raw_memory($1_vmware_t) - dev_read_mouse($1_vmware_t) - dev_write_sound($1_vmware_t) - dev_read_realtime_clock($1_vmware_t) - dev_rwx_vmware($1_vmware_t) - dev_rw_usbfs($1_vmware_t) - dev_search_sysfs($1_vmware_t) - - domain_use_interactive_fds($1_vmware_t) - - files_read_etc_files($1_vmware_t) - files_read_etc_runtime_files($1_vmware_t) - files_read_usr_files($1_vmware_t) - files_list_home($1_vmware_t) - - fs_getattr_xattr_fs($1_vmware_t) - fs_search_auto_mountpoints($1_vmware_t) - - storage_raw_read_removable_device($1_vmware_t) - storage_raw_write_removable_device($1_vmware_t) - - # startup scripts run ldd - libs_exec_ld_so($1_vmware_t) - # Access X11 config files - libs_read_lib_files($1_vmware_t) - - miscfiles_read_localization($1_vmware_t) - - userdom_use_user_terminals($1, $1_vmware_t) - userdom_use_unpriv_users_fds($1_vmware_t) - userdom_list_user_home_dirs($1, $1_vmware_t) - # cjp: why? - userdom_read_user_home_content_files($1, $1_vmware_t) + role $1 types vmware_t; - sysnet_dns_name_resolve($1_vmware_t) - sysnet_read_config($1_vmware_t) + # Transition from the user domain to the derived domain. + domtrans_pattern($2, vmware_exec_t, vmware_t) - xserver_user_x_domain_template($1, $1_vmware, $1_vmware_t, $1_vmware_tmpfs_t) + # allow ps to show vmware and allow the user to kill it + ps_process_pattern($2, vmware_t) + allow $2 vmware_t:process signal; ') ######################################## @@ -180,7 +45,7 @@ interface(`vmware_read_system_config',` type vmware_sys_conf_t; ') - allow $1 vmware_sys_conf_t:file read_file_perms; + allow $1 vmware_sys_conf_t:file { getattr read }; ') ######################################## diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index bf61196..8cc3a31 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -1,5 +1,5 @@ -policy_module(vmware, 1.6.0) +policy_module(vmware, 2.0.0) ######################################## # @@ -7,23 +7,58 @@ policy_module(vmware, 1.6.0) # # VMWare user program +type vmware_t; type vmware_exec_t; -corecmd_executable_file(vmware_exec_t) +typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; +typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; +application_domain(vmware_t, vmware_exec_t) +ubac_constrained(vmware_t) + +type vmware_conf_t; +typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; +typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t }; +userdom_user_home_content(vmware_conf_t) + +type vmware_file_t; +typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t }; +typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; +userdom_user_home_content(vmware_file_t) # VMWare host programs type vmware_host_t; type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) +type vmware_host_pid_t alias vmware_var_run_t; +files_pid_file(vmware_host_pid_t) + type vmware_log_t; +typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; +typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; logging_log_file(vmware_log_t) +ubac_constrained(vmware_log_t) + +type vmware_pid_t; +typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; +typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; +files_pid_file(vmware_pid_t) +ubac_constrained(vmware_pid_t) # Systemwide configuration files type vmware_sys_conf_t; files_type(vmware_sys_conf_t) -type vmware_var_run_t; -files_pid_file(vmware_var_run_t) +type vmware_tmp_t; +typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; +typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; +files_tmp_file(vmware_tmp_t) +ubac_constrained(vmware_tmp_t) + +type vmware_tmpfs_t; +typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; +typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; +files_tmpfs_file(vmware_tmpfs_t) +ubac_constrained(vmware_tmpfs_t) ######################################## # @@ -92,8 +127,7 @@ miscfiles_read_localization(vmware_host_t) sysnet_dns_name_resolve(vmware_host_t) userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) - -sysadm_dontaudit_search_home_dirs(vmware_host_t) +userdom_dontaudit_search_user_home_dirs(vmware_host_t) netutils_domtrans_ping(vmware_host_t) @@ -105,3 +139,112 @@ optional_policy(` optional_policy(` udev_read_db(vmware_host_t) ') + +ifdef(`TODO',` +# VMWare need access to pcmcia devices for network +optional_policy(` +allow kernel_t cardmgr_var_lib_t:dir { getattr search }; +allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; +') +# Vmware create network devices +allow kernel_t self:capability net_admin; +allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow kernel_t self:socket create; +') + +############################## +# +# VMWare guest local policy +# + +allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; +dontaudit vmware_t self:capability sys_tty_config; +allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow vmware_t self:process { execmem execstack }; +allow vmware_t self:fd use; +allow vmware_t self:fifo_file rw_fifo_file_perms; +allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; +allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow vmware_t self:shm create_shm_perms; +allow vmware_t self:sem create_sem_perms; +allow vmware_t self:msgq create_msgq_perms; +allow vmware_t self:msg { send receive }; + +can_exec(vmware_t, vmware_exec_t) + +# User configuration files +allow vmware_t vmware_conf_t:file manage_file_perms; + +# VMWare disks +manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) +manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) + +allow vmware_t vmware_tmp_t:file execute; +manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) +manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) +manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) +files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) + +manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# Read clobal configuration files +allow vmware_t vmware_sys_conf_t:dir list_dir_perms; +read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) +read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) + +manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) + +kernel_read_system_state(vmware_t) +kernel_read_network_state(vmware_t) +kernel_read_kernel_sysctls(vmware_t) + +# startup scripts +corecmd_exec_bin(vmware_t) +corecmd_exec_shell(vmware_t) + +dev_read_raw_memory(vmware_t) +dev_write_raw_memory(vmware_t) +dev_read_mouse(vmware_t) +dev_write_sound(vmware_t) +dev_read_realtime_clock(vmware_t) +dev_rwx_vmware(vmware_t) +dev_rw_usbfs(vmware_t) +dev_search_sysfs(vmware_t) + +domain_use_interactive_fds(vmware_t) + +files_read_etc_files(vmware_t) +files_read_etc_runtime_files(vmware_t) +files_read_usr_files(vmware_t) +files_list_home(vmware_t) + +fs_getattr_xattr_fs(vmware_t) +fs_search_auto_mountpoints(vmware_t) + +storage_raw_read_removable_device(vmware_t) +storage_raw_write_removable_device(vmware_t) + +# startup scripts run ldd +libs_exec_ld_so(vmware_t) +# Access X11 config files +libs_read_lib_files(vmware_t) + +miscfiles_read_localization(vmware_t) + +userdom_use_user_terminals(vmware_t) +userdom_list_user_home_dirs(vmware_t) +# cjp: why? +userdom_read_user_home_content_files(vmware_t) + +sysnet_dns_name_resolve(vmware_t) +sysnet_read_config(vmware_t) + +xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if index 7b0bc5c..1d25688 100644 --- a/policy/modules/apps/webalizer.if +++ b/policy/modules/apps/webalizer.if @@ -33,11 +33,6 @@ interface(`webalizer_domtrans',` ## The role to be allowed the webalizer domain. ## ## -## -## -## The type of the terminal allow the webalizer domain to use. -## -## ## # interface(`webalizer_run',` @@ -47,5 +42,4 @@ interface(`webalizer_run',` webalizer_domtrans($1) role $2 types webalizer_t; - allow webalizer_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index 3553ffc..e268644 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te @@ -1,5 +1,5 @@ -policy_module(webalizer, 1.7.0) +policy_module(webalizer, 1.7.1) ######################################## # @@ -80,8 +80,9 @@ miscfiles_read_localization(webalizer_t) sysnet_dns_name_resolve(webalizer_t) sysnet_read_config(webalizer_t) +userdom_use_user_terminals(webalizer_t) userdom_use_unpriv_users_fds(webalizer_t) -userdom_dontaudit_search_all_users_home_content(webalizer_t) +userdom_dontaudit_search_user_home_content(webalizer_t) apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 48ba074..7a99209 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -34,11 +34,6 @@ interface(`wine_domtrans',` ## The role to be allowed the wine domain. ## ## -## -## -## The type of the terminal allow the wine domain to use. -## -## # interface(`wine_run',` gen_require(` @@ -47,5 +42,4 @@ interface(`wine_run',` wine_domtrans($1) role $2 types wine_t; - allow wine_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 6789cdc..6dd261c 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -1,5 +1,5 @@ -policy_module(wine, 1.5.0) +policy_module(wine, 1.5.1) ######################################## # @@ -15,6 +15,8 @@ application_domain(wine_t, wine_exec_t) # Local policy # +userdom_use_user_terminals(wine_t) + optional_policy(` allow wine_t self:process { execstack execmem execheap }; unconfined_domain_noaudit(wine_t) diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc index dac9c99..96844ae 100644 --- a/policy/modules/apps/wireshark.fc +++ b/policy/modules/apps/wireshark.fc @@ -1,3 +1,3 @@ -HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:ROLE_wireshark_home_t,s0) +HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0) /usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0) diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if index 8a0af00..a7c27a5 100644 --- a/policy/modules/apps/wireshark.if +++ b/policy/modules/apps/wireshark.if @@ -1,242 +1,55 @@ ## Wireshark packet capture tool. -####################################### +############################################################ ## -## The per role template for the wireshark module. +## Role access for wireshark ## -## -##

-## This template creates a derived domains which are used -## for wireshark packet capture tool. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`wireshark_per_role_template',` - +interface(`wireshark_role',` gen_require(` - type wireshark_exec_t; + type wireshark_t, wireshark_exec_t; + type wireshark_home_t, wireshark_tmp_t; + type wireshark_tmpfs_t; ') - ############################## - # - # Declarations - # - - # Type for program - type $1_wireshark_t; - application_domain($1_wireshark_t, wireshark_exec_t) - role $3 types $1_wireshark_t; - - type $1_wireshark_home_t; - files_poly_member($1_wireshark_home_t) - userdom_user_home_content($1, $1_wireshark_home_t) - - type $1_wireshark_tmp_t; - files_tmp_file($1_wireshark_tmp_t) - - type $1_wireshark_tmpfs_t; - files_tmpfs_file($1_wireshark_tmpfs_t) - - ############################## - # - # Local Policy - # - - allow $1_wireshark_t self:capability { net_admin net_raw setgid }; - allow $1_wireshark_t self:process { signal getsched }; - allow $1_wireshark_t self:fifo_file { getattr read write }; - allow $1_wireshark_t self:shm destroy; - allow $1_wireshark_t self:shm create_shm_perms; - allow $1_wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; - allow $1_wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; - allow $1_wireshark_t self:tcp_socket create_socket_perms; - allow $1_wireshark_t self:udp_socket create_socket_perms; - - # Re-execute itself (why?) - can_exec($1_wireshark_t, wireshark_exec_t) - corecmd_search_bin($1_wireshark_t) - - # /home/.wireshark - manage_dirs_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t) - manage_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t) - manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t) - userdom_user_home_dir_filetrans($1, $1_wireshark_t, $1_wireshark_home_t, dir) - - # Store temporary files - manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t) - manage_files_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t) - files_tmp_filetrans($1_wireshark_t, $1_wireshark_tmp_t, { dir file }) + role $1 types wireshark_t; - manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t) - manage_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t) - manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t) - manage_sock_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t) - manage_fifo_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t) - fs_tmpfs_filetrans($1_wireshark_t, $1_wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - domain_auto_trans($2, wireshark_exec_t, $1_wireshark_t) - allow $1_wireshark_t $2:fd use; - allow $1_wireshark_t $2:process sigchld; - - manage_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - manage_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - manage_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - relabel_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - relabel_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - relabel_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t) - - kernel_read_kernel_sysctls($1_wireshark_t) - kernel_read_system_state($1_wireshark_t) - kernel_read_sysctl($1_wireshark_t) - - corecmd_search_bin($1_wireshark_t) - - corenet_tcp_connect_generic_port($1_wireshark_t) - corenet_tcp_sendrecv_generic_if($1_wireshark_t) - - dev_read_urand($1_wireshark_t) - - files_read_etc_files($1_wireshark_t) - files_read_usr_files($1_wireshark_t) - - fs_list_inotifyfs($1_wireshark_t) - fs_search_auto_mountpoints($1_wireshark_t) - - libs_read_lib_files($1_wireshark_t) - - miscfiles_read_fonts($1_wireshark_t) - miscfiles_read_localization($1_wireshark_t) - - seutil_use_newrole_fds($1_wireshark_t) - - sysnet_read_config($1_wireshark_t) - - userdom_manage_user_home_content_files($1, $1_wireshark_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_wireshark_t) - fs_manage_nfs_files($1_wireshark_t) - fs_manage_nfs_symlinks($1_wireshark_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_wireshark_t) - fs_manage_cifs_files($1_wireshark_t) - fs_manage_cifs_symlinks($1_wireshark_t) - ') - - optional_policy(` - nscd_socket_use($1_wireshark_t) - ') - - # Manual transition from userhelper - optional_policy(` - userhelper_use_user_fd($1, $1_wireshark_t) - userhelper_sigchld_user($1, $1_wireshark_t) - ') - - optional_policy(` - xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t) - xserver_create_xdm_tmp_sockets($1_wireshark_t) - ') - - ifdef(`TODO',` - # Why does it write this? - optional_policy(` - dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write; - ') - #TODO - gnome_application($1_wireshark, $1) - gnome_file_dialog($1_wireshark, $1) - # FIXME: policy is incomplete - ') + domain_auto_trans($2, wireshark_exec_t, wireshark_t) + allow wireshark_t $2:fd use; + allow wireshark_t $2:process sigchld; -') - -####################################### -## -## The administrative functions template for the wireshark module. -## -## -##

-## This template creates rules for administrating wireshark, -## allowing the specified user to manage wireshark files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`wireshark_admin_template',` - gen_require(` - type $1_wireshark_t; - ') - - # Create various types of sockets - allow $1_wireshark_t self:netlink_route_socket create_netlink_socket_perms; - allow $1_wireshark_t self:udp_socket create_socket_perms; - allow $1_wireshark_t self:packet_socket create_socket_perms; - allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms; - allow $1_wireshark_t self:tcp_socket create_socket_perms; - - userdom_use_user_terminals($1, $1_wireshark_t) - # wireshark tries to write to user terminal - userdom_dontaudit_use_user_terminals($1, $1_wireshark_t) + manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + manage_files_pattern($2, wireshark_home_t, wireshark_home_t) + manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) ') ######################################## ## ## Run wireshark in wireshark domain. ## -## -##

-## Run wireshark in wireshark domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`wireshark_domtrans_user_wireshark',` +interface(`wireshark_domtrans',` gen_require(` - type $1_wireshark_t, wireshark_exec_t; + type wireshark_t, wireshark_exec_t; ') - domtrans_pattern($2, wireshark_exec_t, $1_wireshark_t) + domtrans_pattern($1, wireshark_exec_t, wireshark_t) ') diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index a0f1de0..9a03cb6 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -1,10 +1,124 @@ -policy_module(wireshark, 1.0.0) +policy_module(wireshark, 2.0.0) ######################################## # # Declarations # +type wireshark_t; type wireshark_exec_t; -application_executable_file(wireshark_exec_t) +typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; +typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; +application_domain(wireshark_t, wireshark_exec_t) +ubac_constrained(wireshark_t) + +type wireshark_home_t; +typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; +typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; +files_poly_member(wireshark_home_t) +userdom_user_home_content(wireshark_home_t) + +type wireshark_tmp_t; +typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; +typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; +files_tmp_file(wireshark_tmp_t) +ubac_constrained(wireshark_tmp_t) + +type wireshark_tmpfs_t; +typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; +typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; +files_tmpfs_file(wireshark_tmpfs_t) +ubac_constrained(wireshark_tmpfs_t) + +############################## +# +# Local Policy +# + +allow wireshark_t self:capability { net_admin net_raw setgid }; +allow wireshark_t self:process { signal getsched }; +allow wireshark_t self:fifo_file { getattr read write }; +allow wireshark_t self:shm destroy; +allow wireshark_t self:shm create_shm_perms; +allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; +allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; +allow wireshark_t self:tcp_socket create_socket_perms; +allow wireshark_t self:udp_socket create_socket_perms; + +# Re-execute itself (why?) +can_exec(wireshark_t, wireshark_exec_t) +corecmd_search_bin(wireshark_t) + +# /home/.wireshark +manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t,dir) + +# Store temporary files +manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) +manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) +files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) + +manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(wireshark_t) +kernel_read_system_state(wireshark_t) +kernel_read_sysctl(wireshark_t) + +corecmd_search_bin(wireshark_t) + +corenet_tcp_connect_generic_port(wireshark_t) +corenet_tcp_sendrecv_generic_if(wireshark_t) + +dev_read_urand(wireshark_t) + +files_read_etc_files(wireshark_t) +files_read_usr_files(wireshark_t) + +fs_list_inotifyfs(wireshark_t) +fs_search_auto_mountpoints(wireshark_t) + +libs_read_lib_files(wireshark_t) + +miscfiles_read_fonts(wireshark_t) +miscfiles_read_localization(wireshark_t) + +seutil_use_newrole_fds(wireshark_t) + +sysnet_read_config(wireshark_t) + +userdom_manage_user_home_content_files(wireshark_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(wireshark_t) + fs_manage_nfs_files(wireshark_t) + fs_manage_nfs_symlinks(wireshark_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(wireshark_t) + fs_manage_cifs_files(wireshark_t) + fs_manage_cifs_symlinks(wireshark_t) +') + +optional_policy(` + nscd_socket_use(wireshark_t) +') + +# Manual transition from userhelper +optional_policy(` + userhelper_use_fd(wireshark_t) + userhelper_sigchld(wireshark_t) +') + +optional_policy(` + xserver_user_client(wireshark_t, wireshark_tmpfs_t) + xserver_create_xdm_tmp_sockets(wireshark_t) +') diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if index b530e78..5fb7790 100644 --- a/policy/modules/apps/yam.if +++ b/policy/modules/apps/yam.if @@ -34,11 +34,6 @@ interface(`yam_domtrans',` ## The role to be allowed the yam domain. ## ## -## -## -## The type of the terminal allow the yam domain to use. -## -## ## # interface(`yam_run',` @@ -48,7 +43,6 @@ interface(`yam_run',` yam_domtrans($1) role $2 types yam_t; - allow yam_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te index 5c5b8a3..5971c2f 100644 --- a/policy/modules/apps/yam.te +++ b/policy/modules/apps/yam.te @@ -1,5 +1,5 @@ -policy_module(yam, 1.2.0) +policy_module(yam, 1.2.1) ######################################## # @@ -84,8 +84,6 @@ fs_search_auto_mountpoints(yam_t) # Content can also be on ISO image files. fs_read_iso9660_files(yam_t) -term_search_ptys(yam_t) - logging_send_syslog_msg(yam_t) miscfiles_read_localization(yam_t) @@ -95,10 +93,11 @@ seutil_read_config(yam_t) sysnet_dns_name_resolve(yam_t) sysnet_read_config(yam_t) +userdom_use_user_terminals(yam_t) userdom_use_unpriv_users_fds(yam_t) # Reading dotfiles... # cjp: ? -userdom_search_all_users_home_dirs(yam_t) +userdom_search_user_home_dirs(yam_t) # The whole point of this program is to make updates available on a # local web server. Need to go through /var to get to /var/yam diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if index 532cb5a..d320022 100644 --- a/policy/modules/roles/auditadm.if +++ b/policy/modules/roles/auditadm.if @@ -2,44 +2,49 @@ ######################################## ## -## Change to the generic user role. +## Change to the audit administrator role. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`auditadm_role_change_template',` - userdom_role_change_template($1, auditadm) +interface(`auditadm_role_change',` + gen_require(` + role auditadm_r; + ') + + allow $1 auditadm_r; ') ######################################## ## -## Change from the generic user role. +## Change from the audit administrator role. ## ## ##

-## Change from the generic user role to +## Change from the audit administrator role to ## the specified role. ##

##

-## This is a template to support third party modules +## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`auditadm_role_change_to_template',` - userdom_role_change_template(auditadm, $1) -') +interface(`auditadm_role_change_to',` + gen_require(` + role auditadm_r; + ') + allow auditadm_r $1; +') diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index 29d389a..046de2a 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -1,5 +1,5 @@ -policy_module(auditadm, 1.0.0) +policy_module(auditadm, 2.0.0) ######################################## # @@ -25,26 +25,165 @@ logging_send_syslog_msg(auditadm_t) logging_read_generic_logs(auditadm_t) logging_manage_audit_log(auditadm_t) logging_manage_audit_config(auditadm_t) -logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) -logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +logging_run_auditctl(auditadm_t, auditadm_r) +logging_run_auditd(auditadm_t, auditadm_r) -seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) optional_policy(` + apache_role(auditadm_r, auditadm_t) +') + +optional_policy(` + auth_role(auditadm_r, auditadm_t) +') + +optional_policy(` + bluetooth_role(auditadm_r, auditadm_t) +') + +optional_policy(` + cdrecord_role(auditadm_r, auditadm_t) +') + +optional_policy(` consoletype_exec(auditadm_t) ') optional_policy(` + cron_role(auditadm_r, auditadm_t) +') + +optional_policy(` + dbus_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` dmesg_exec(auditadm_t) ') optional_policy(` - secadm_role_change_template(auditadm) + ethereal_role(auditadm_r, auditadm_t) +') + +optional_policy(` + evolution_role(auditadm_r, auditadm_t) +') + +optional_policy(` + games_role(auditadm_r, auditadm_t) +') + +optional_policy(` + gift_role(auditadm_r, auditadm_t) +') + +optional_policy(` + gpg_role(auditadm_r, auditadm_t) +') + +optional_policy(` + gnome_role(auditadm_r, auditadm_t) +') + +optional_policy(` + irc_role(auditadm_r, auditadm_t) +') + +optional_policy(` + java_role(auditadm_r, auditadm_t) +') + +optional_policy(` + lockdev_role(auditadm_r, auditadm_t) +') + +optional_policy(` + lpd_role(auditadm_r, auditadm_t) +') + +optional_policy(` + mozilla_role(auditadm_r, auditadm_t) +') + +optional_policy(` + mplayer_role(auditadm_r, auditadm_t) +') + +optional_policy(` + mta_role(auditadm_r, auditadm_t) +') + +optional_policy(` + oident_manage_user_content(auditadm_t) + oident_relabel_user_content(auditadm_t) +') + +optional_policy(` + pyzor_role(auditadm_r, auditadm_t) +') + +optional_policy(` + razor_role(auditadm_r, auditadm_t) +') + +optional_policy(` + rssh_role(auditadm_r, auditadm_t) +') + +optional_policy(` + screen_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + spamassassin_role(auditadm_r, auditadm_t) +') + +optional_policy(` + ssh_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + secadm_role_change(auditadm_r) ') optional_policy(` - sysadm_role_change_template(auditadm) - sysadm_dontaudit_read_home_content_files(auditadm_t) + su_role_template(auditadm, auditadm_r, auditadm_t) ') +optional_policy(` + sudo_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + sysadm_role_change(auditadm_r) +') + +optional_policy(` + thunderbird_role(auditadm_r, auditadm_t) +') + +optional_policy(` + tvtime_role(auditadm_r, auditadm_t) +') + +optional_policy(` + userhelper_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + vmware_role(auditadm_r, auditadm_t) +') + +optional_policy(` + wireshark_role(auditadm_r, auditadm_t) +') + +optional_policy(` + uml_role(auditadm_r, auditadm_t) +') + +optional_policy(` + xserver_role(auditadm_r, auditadm_t) +') diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if index a5148b0..bb6a5fe 100644 --- a/policy/modules/roles/secadm.if +++ b/policy/modules/roles/secadm.if @@ -2,44 +2,50 @@ ######################################## ## -## Change to the generic user role. +## Change to the security administrator role. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`secadm_role_change_template',` - userdom_role_change_template($1, secadm) +interface(`secadm_role_change',` + gen_require(` + role secadm_r; + ') + + allow $1 secadm_r; ') ######################################## ## -## Change from the generic user role. +## Change from the security administrator role. ## ## ##

-## Change from the generic user role to +## Change from the security administrator role to ## the specified role. ##

##

-## This is a template to support third party modules +## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`secadm_role_change_to_template',` - userdom_role_change_template(secadm, $1) +interface(`secadm_role_change_to_template',` + gen_require(` + role secadm_r; + ') + + allow secadm_r $1; ') diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index 5b62c8f..018f64d 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -1,5 +1,5 @@ -policy_module(secadm, 1.1.0) +policy_module(secadm, 2.0.0) ######################################## # @@ -9,7 +9,7 @@ policy_module(secadm, 1.1.0) role secadm_r; userdom_unpriv_user_template(secadm) -userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) +userdom_security_admin_template(secadm_t, secadm_r) ######################################## # @@ -30,6 +30,7 @@ mls_file_write_all_levels(secadm_t) mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) +auth_role(secadm_r, secadm_t) auth_relabel_all_files_except_shadow(secadm_t) auth_relabel_shadow(secadm_t) @@ -40,11 +41,31 @@ logging_read_generic_logs(secadm_t) logging_read_audit_config(secadm_t) optional_policy(` - aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) + aide_run(secadm_t, secadm_r) ') optional_policy(` - auditadm_role_change_template(secadm) + apache_role(secadm_r, secadm_t) +') + +optional_policy(` + auditadm_role_change(secadm_r) +') + +optional_policy(` + bluetooth_role(secadm_r, secadm_t) +') + +optional_policy(` + cdrecord_role(secadm_r, secadm_t) +') + +optional_policy(` + cron_role(secadm_r, secadm_t) +') + +optional_policy(` + dbus_role_template(secadm, secadm_r, secadm_t) ') optional_policy(` @@ -52,15 +73,126 @@ optional_policy(` ') optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) + ethereal_role(secadm_r, secadm_t) +') + +optional_policy(` + evolution_role(secadm_r, secadm_t) +') + +optional_policy(` + games_role(secadm_r, secadm_t) +') + +optional_policy(` + gift_role(secadm_r, secadm_t) +') + +optional_policy(` + gnome_role(secadm_r, secadm_t) +') + +optional_policy(` + gpg_role(secadm_r, secadm_t) +') + +optional_policy(` + irc_role(secadm_r, secadm_t) +') + +optional_policy(` + java_role(secadm_r, secadm_t) +') + +optional_policy(` + lockdev_role(secadm_r, secadm_t) +') + +optional_policy(` + lpd_role(secadm_r, secadm_t) +') + +optional_policy(` + mozilla_role(secadm_r, secadm_t) +') + +optional_policy(` + mplayer_role(secadm_r, secadm_t) +') + +optional_policy(` + mta_role(secadm_r, secadm_t) ') optional_policy(` - staff_dontaudit_append_home_content_files(secadm_t) + netlabel_run_mgmt(secadm_t, secadm_r) ') optional_policy(` - sysadm_role_change_template(secadm) - sysadm_dontaudit_read_home_content_files(secadm_t) + oident_manage_user_content(secadm_t) + oident_relabel_user_content(secadm_t) ') +optional_policy(` + pyzor_role(secadm_r, secadm_t) +') + +optional_policy(` + razor_role(secadm_r, secadm_t) +') + +optional_policy(` + rssh_role(secadm_r, secadm_t) +') + +optional_policy(` + screen_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + spamassassin_role(secadm_r, secadm_t) +') + +optional_policy(` + ssh_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + su_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + sudo_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + sysadm_role_change(secadm_r) +') + +optional_policy(` + thunderbird_role(secadm_r, secadm_t) +') + +optional_policy(` + tvtime_role(secadm_r, secadm_t) +') + +optional_policy(` + uml_role(secadm_r, secadm_t) +') + +optional_policy(` + userhelper_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + vmware_role(secadm_r, secadm_t) +') + +optional_policy(` + wireshark_role(secadm_r, secadm_t) +') + +optional_policy(` + xserver_role(secadm_r, secadm_t) +') diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if index 6e0bc69..234a940 100644 --- a/policy/modules/roles/staff.if +++ b/policy/modules/roles/staff.if @@ -4,16 +4,19 @@ ## ## Change to the staff role. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`staff_role_change_template',` - userdom_role_change_template($1, staff) +interface(`staff_role_change',` + gen_require(` + role staff_r; + ') + + allow $1 staff_r; ') ######################################## @@ -26,137 +29,22 @@ template(`staff_role_change_template',` ## the specified role. ##

##

-## This is a template to support third party modules +## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`staff_role_change_to_template',` - userdom_role_change_template(staff, $1) -') - -######################################## -## -## Search the staff users home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`staff_search_home_dirs',` +interface(`staff_role_change_to',` gen_require(` - type staff_home_dir_t; + role staff_r; ') - files_search_home($1) - allow $1 staff_home_dir_t:dir search_dir_perms; + allow staff_r $1; ') - -######################################## -## -## Do not audit attempts to search the staff -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`staff_dontaudit_search_home_dirs',` - gen_require(` - type staff_home_dir_t; - ') - - dontaudit $1 staff_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete staff -## home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`staff_manage_home_dirs',` - gen_require(` - type staff_home_dir_t; - ') - - files_search_home($1) - allow $1 staff_home_dir_t:dir manage_dir_perms; -') - -######################################## -## -## Relabel to staff home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`staff_relabelto_home_dirs',` - gen_require(` - type staff_home_dir_t; - ') - - files_search_home($1) - allow $1 staff_home_dir_t:dir relabelto; -') - -######################################## -## -## Do not audit attempts to append to the staff -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`staff_dontaudit_append_home_content_files',` - gen_require(` - type staff_home_t; - ') - - dontaudit $1 staff_home_t:file append; -') - -######################################## -## -## Read files in the staff users home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`staff_read_home_content_files',` - gen_require(` - type staff_home_dir_t, staff_home_t; - ') - - files_search_home($1) - allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; - read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t) - read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t) -') - diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 9d68d0b..7433ca0 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -1,5 +1,5 @@ -policy_module(staff, 1.0.0) +policy_module(staff, 2.0.0) ######################################## # @@ -16,15 +16,155 @@ userdom_unpriv_user_template(staff) # optional_policy(` - auditadm_role_change_template(staff) + apache_role(staff_r, staff_t) ') optional_policy(` - secadm_role_change_template(staff) + auth_role(staff_r, staff_t) ') optional_policy(` - sysadm_role_change_template(staff) - sysadm_dontaudit_use_terms(staff_t) + auditadm_role_change(staff_r) ') +optional_policy(` + bluetooth_role(staff_r, staff_t) +') + +optional_policy(` + cdrecord_role(staff_r, staff_t) +') + +optional_policy(` + cron_role(staff_r, staff_t) +') + +optional_policy(` + dbus_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + ethereal_role(staff_r, staff_t) +') + +optional_policy(` + evolution_role(staff_r, staff_t) +') + +optional_policy(` + games_role(staff_r, staff_t) +') + +optional_policy(` + gift_role(staff_r, staff_t) +') + +optional_policy(` + gnome_role(staff_r, staff_t) +') + +optional_policy(` + gpg_role(staff_r, staff_t) +') + +optional_policy(` + irc_role(staff_r, staff_t) +') + +optional_policy(` + java_role(staff_r, staff_t) +') + +optional_policy(` + lockdev_role(staff_r, staff_t) +') + +optional_policy(` + lpd_role(staff_r, staff_t) +') + +optional_policy(` + mozilla_role(staff_r, staff_t) +') + +optional_policy(` + mplayer_role(staff_r, staff_t) +') + +optional_policy(` + mta_role(staff_r, staff_t) +') + +optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) +') + +optional_policy(` + pyzor_role(staff_r, staff_t) +') + +optional_policy(` + razor_role(staff_r, staff_t) +') + +optional_policy(` + rssh_role(staff_r, staff_t) +') + +optional_policy(` + screen_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + secadm_role_change(staff_r) +') + +optional_policy(` + spamassassin_role(staff_r, staff_t) +') + +optional_policy(` + ssh_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + su_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + sudo_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) +') + +optional_policy(` + thunderbird_role(staff_r, staff_t) +') + +optional_policy(` + tvtime_role(staff_r, staff_t) +') + +optional_policy(` + uml_role(staff_r, staff_t) +') + +optional_policy(` + userhelper_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + vmware_role(staff_r, staff_t) +') + +optional_policy(` + wireshark_role(staff_r, staff_t) +') + +optional_policy(` + xserver_role(staff_r, staff_t) +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if index 8c4ad00..42be030 100644 --- a/policy/modules/roles/sysadm.if +++ b/policy/modules/roles/sysadm.if @@ -2,45 +2,51 @@ ######################################## ## -## Change to the generic user role. +## Change to the system administrator role. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`sysadm_role_change_template',` - userdom_role_change_template($1, sysadm) +interface(`sysadm_role_change',` + gen_require(` + role sysadm_r; + ') + + allow $1 sysadm_r; ') ######################################## ## -## Change from the generic user role. +## Change from the system administrator role. ## ## ##

-## Change from the generic user role to +## Change from the system administrator role to ## the specified role. ##

##

-## This is a template to support third party modules +## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`sysadm_role_change_to_template',` - userdom_role_change_template(sysadm, $1) +interface(`sysadm_role_change_to',` + gen_require(` + role sysadm_r; + ') + + allow sysadm_r $1; ') ######################################## @@ -195,353 +201,3 @@ interface(`sysadm_rw_pipes',` allow $1 sysadm_t:fifo_file rw_fifo_file_perms; ') - -######################################## -## -## Do not audit attepts to get the attributes -## of sysadm ttys. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_dontaudit_getattr_ttys',` - gen_require(` - type sysadm_tty_device_t; - ') - - dontaudit $1 sysadm_tty_device_t:chr_file getattr; -') - -######################################## -## -## Read and write sysadm ttys. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_use_ttys',` - gen_require(` - type sysadm_tty_device_t; - ') - - dev_list_all_dev_nodes($1) - term_list_ptys($1) - allow $1 sysadm_tty_device_t:chr_file rw_term_perms; -') - -######################################## -## -## Do not audit attempts to use sysadm ttys. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_use_ttys',` - gen_require(` - type sysadm_tty_device_t; - ') - - dontaudit $1 sysadm_tty_device_t:chr_file { read write }; -') - -######################################## -## -## Read and write sysadm ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_use_ptys',` - gen_require(` - type sysadm_devpts_t; - ') - - dev_list_all_dev_nodes($1) - term_list_ptys($1) - allow $1 sysadm_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Dont audit attempts to read and write sysadm ptys. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_use_ptys',` - gen_require(` - type sysadm_devpts_t; - ') - - dontaudit $1 sysadm_devpts_t:chr_file { read write }; -') - -######################################## -## -## Read and write sysadm ttys and ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_use_terms',` - sysadm_use_ttys($1) - sysadm_use_ptys($1) -') - -######################################## -## -## Do not audit attempts to use sysadm ttys and ptys. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_use_terms',` - sysadm_dontaudit_use_ttys($1) - sysadm_dontaudit_use_ptys($1) -') - -######################################## -## -## Get the attributes of the sysadm users -## home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_getattr_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - allow $1 sysadm_home_dir_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the sysadm users -## home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_getattr_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir getattr; -') - -######################################## -## -## Search the sysadm users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_search_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - allow $1 sysadm_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the sysadm -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_search_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## List the sysadm users home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_list_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - allow $1 sysadm_home_dir_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list the sysadm -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_list_home_dirs',` - gen_require(` - type sysadm_home_dir_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; -') - -######################################## -## -## Create objects in sysadm home directories -## with automatic file type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The class of the object to be created. -## If not specified, file is used. -## -## -# -interface(`sysadm_home_dir_filetrans',` - gen_require(` - type sysadm_home_dir_t; - ') - - filetrans_pattern($1, sysadm_home_dir_t, $2, $3) -') - -######################################## -## -## Search the sysadm users home sub directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_search_home_content_dirs',` - gen_require(` - type sysadm_home_dir_t, sysadm_home_t; - ') - - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms; -') - -######################################## -## -## Read files in the sysadm home directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_read_home_content_files',` - gen_require(` - type sysadm_home_dir_t, sysadm_home_t; - ') - - files_search_home($1) - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; - read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) - read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) -') - -######################################## -## -## Do not audit attempts to read files in the sysadm -## home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`sysadm_dontaudit_read_home_content_files',` - gen_require(` - type sysadm_home_dir_t, sysadm_home_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:file read_file_perms; -') - -######################################## -## -## Read sysadm temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sysadm_read_tmp_files',` - gen_require(` - type sysadm_tmp_t; - ') - - files_search_tmp($1) - allow $1 sysadm_tmp_t:dir list_dir_perms; - read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) - read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) -') - diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index f1628d2..e69ab7c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,5 +1,5 @@ -policy_module(sysadm, 1.0.0) +policy_module(sysadm, 2.0.0) ######################################## # @@ -18,7 +18,7 @@ role sysadm_r; userdom_admin_user_template(sysadm) ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + userdom_security_admin_template(sysadm_t, sysadm_r) ') ######################################## @@ -30,20 +30,24 @@ corecmd_exec_shell(sysadm_t) mls_process_read_up(sysadm_t) +ubac_process_exempt(sysadm_t) +ubac_file_exempt(sysadm_t) +ubac_fd_exempt(sysadm_t) + init_exec(sysadm_t) -# For sending reboot and wall messages -userdom_use_unpriv_users_ptys(sysadm_t) -userdom_use_unpriv_users_ttys(sysadm_t) +# Add/remove user home directories +userdom_manage_user_home_dirs(sysadm_t) +userdom_home_filetrans_user_home_dir(sysadm_t) ifdef(`direct_sysadm_daemon',` optional_policy(` - init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + init_run_daemon(sysadm_t, sysadm_r) ') ',` ifdef(`distro_gentoo',` optional_policy(` - seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + seutil_init_script_run_runinit(sysadm_t, sysadm_r) ') ') ') @@ -51,7 +55,7 @@ ifdef(`direct_sysadm_daemon',` ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) - logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + logging_run_auditctl(sysadm_t, sysadm_r) ') tunable_policy(`allow_ptrace',` @@ -59,13 +63,14 @@ tunable_policy(`allow_ptrace',` ') optional_policy(` - amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + amanda_run_recover(sysadm_t, sysadm_r) ') optional_policy(` - apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) + apache_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -74,43 +79,55 @@ optional_policy(` ') optional_policy(` - apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + apt_run(sysadm_t, sysadm_r) +') + +optional_policy(` + auditadm_role_change(sysadm_r) +') + +optional_policy(` + auth_role(sysadm_r, sysadm_t) +') + +optional_policy(` + backup_run(sysadm_t, sysadm_r) ') optional_policy(` - auditadm_role_change_template(sysadm) + bind_run_ndc(sysadm_t, sysadm_r) ') optional_policy(` - backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + bluetooth_role(sysadm_r, sysadm_t) ') optional_policy(` - bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + bootloader_run(sysadm_t, sysadm_r) ') optional_policy(` - bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + cdrecord_role(sysadm_r, sysadm_t) ') optional_policy(` - certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + certwatch_run(sysadm_t, sysadm_r) ') optional_policy(` - clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + clock_run(sysadm_t, sysadm_r) ') optional_policy(` - clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + clockspeed_run_cli(sysadm_t, sysadm_r) ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + consoletype_run(sysadm_t, sysadm_r) ') optional_policy(` - cron_admin_template(sysadm) + cron_admin_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -118,13 +135,17 @@ optional_policy(` ') optional_policy(` - dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + dbus_role_template(sysadm, sysadm_r, sysadm_t) ') optional_policy(` - ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + dcc_run_cdcc(sysadm_t, sysadm_r) + dcc_run_client(sysadm_t, sysadm_r) + dcc_run_dbclean(sysadm_t, sysadm_r) +') + +optional_policy(` + ddcprobe_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -132,28 +153,48 @@ optional_policy(` ') optional_policy(` - dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + dmidecode_run(sysadm_t, sysadm_r) +') + +optional_policy(` + dpkg_run(sysadm_t, sysadm_r) ') optional_policy(` - dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ethereal_role(sysadm_r, sysadm_t) + ethereal_run_tethereal(sysadm_t, sysadm_r) ') optional_policy(` - ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - ethereal_admin_template(sysadm) + evolution_role(sysadm_r, sysadm_t) ') optional_policy(` - firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t) + firstboot_run(sysadm_t, sysadm_r) ') optional_policy(` - fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + fstools_run(sysadm_t, sysadm_r) ') optional_policy(` - hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + games_role(sysadm_r, sysadm_t) +') + +optional_policy(` + gift_role(sysadm_r, sysadm_t) +') + +optional_policy(` + gnome_role(sysadm_r, sysadm_t) +') + +optional_policy(` + gpg_role(sysadm_r, sysadm_t) +') + +optional_policy(` + hostname_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -167,42 +208,62 @@ optional_policy(` ') optional_policy(` - iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + iptables_run(sysadm_t, sysadm_r) +') + +optional_policy(` + irc_role(sysadm_r, sysadm_t) +') + +optional_policy(` + java_role(sysadm_r, sysadm_t) ') optional_policy(` - kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` - logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - lpr_admin_template(sysadm) + logrotate_run(sysadm_t, sysadm_r) ') optional_policy(` - lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + lpd_run_checkpc(sysadm_t, sysadm_r) + lpd_role(sysadm_r, sysadm_t) ') optional_policy(` - modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + lvm_run(sysadm_t, sysadm_r) ') optional_policy(` - mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + modutils_run_depmod(sysadm_t, sysadm_r) + modutils_run_insmod(sysadm_t, sysadm_r) + modutils_run_update_mods(sysadm_t, sysadm_r) ') optional_policy(` - mta_admin_template(sysadm, sysadm_t) + mount_run(sysadm_t, sysadm_r) +') + +optional_policy(` + mozilla_role(sysadm_r, sysadm_t) +') + +optional_policy(` + mplayer_role(sysadm_r, sysadm_t) +') + +optional_policy(` + mta_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -214,9 +275,9 @@ optional_policy(` ') optional_policy(` - netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) ') optional_policy(` @@ -225,24 +286,33 @@ optional_policy(` ') optional_policy(` - oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + oav_run_update(sysadm_t, sysadm_r) +') + +optional_policy(` + oident_manage_user_content(sysadm_t) + oident_relabel_user_content(sysadm_t) +') + +optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r) ') optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + portage_run(sysadm_t, sysadm_r) + portage_run_gcc_config(sysadm_t, sysadm_r) ') optional_policy(` - portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + portmap_run_helper(sysadm_t, sysadm_r) ') optional_policy(` - portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + pyzor_role(sysadm_r, sysadm_t) ') optional_policy(` - quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + quota_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -250,11 +320,19 @@ optional_policy(` ') optional_policy(` + razor_role(sysadm_r, sysadm_t) +') + +optional_policy(` rpc_domtrans_nfsd(sysadm_t) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + rpm_run(sysadm_t, sysadm_r) +') + +optional_policy(` + rssh_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -262,33 +340,61 @@ optional_policy(` ') optional_policy(` - samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + samba_run_net(sysadm_t, sysadm_r) + samba_run_winbind_helper(sysadm_t, sysadm_r) ') optional_policy(` - secadm_role_change_template(sysadm) + screen_role_template(sysadm, sysadm_r, sysadm_t) ') optional_policy(` - seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + secadm_role_change(sysadm_r) ') optional_policy(` - staff_role_change_template(sysadm) + seutil_run_setfiles(sysadm_t, sysadm_r) + seutil_run_runinit(sysadm_t, sysadm_r) ') optional_policy(` - sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + spamassassin_role(sysadm_r, sysadm_t) ') optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ssh_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + staff_role_change(sysadm_r) +') + +optional_policy(` + su_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + sudo_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + sysnet_run_ifconfig(sysadm_t, sysadm_r) + sysnet_run_dhcpc(sysadm_t, sysadm_r) +') + +optional_policy(` + thunderbird_role(sysadm_r, sysadm_t) +') + +optional_policy(` + tripwire_run_siggen(sysadm_t, sysadm_r) + tripwire_run_tripwire(sysadm_t, sysadm_r) + tripwire_run_twadmin(sysadm_t, sysadm_r) + tripwire_run_twprint(sysadm_t, sysadm_r) +') + +optional_policy(` + tvtime_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -296,35 +402,51 @@ optional_policy(` ') optional_policy(` + uml_role(sysadm_r, sysadm_t) +') + +optional_policy(` unconfined_domtrans(sysadm_t) ') optional_policy(` - # Add/remove user home directories - unprivuser_manage_home_dirs(sysadm_t) - unprivuser_home_filetrans_home_dir(sysadm_t) + unprivuser_role_change(sysadm_r) +') + +optional_policy(` + usbmodules_run(sysadm_t, sysadm_r) +') - unprivuser_role_change_template(sysadm) +optional_policy(` + userhelper_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + usermanage_run_admin_passwd(sysadm_t, sysadm_r) + usermanage_run_groupadd(sysadm_t, sysadm_r) + usermanage_run_useradd(sysadm_t, sysadm_r) +') + +optional_policy(` + vmware_role(sysadm_r, sysadm_t) ') optional_policy(` - usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + vpn_run(sysadm_t, sysadm_r) ') optional_policy(` - usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + webalizer_run(sysadm_t, sysadm_r) ') optional_policy(` - vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + wireshark_role(sysadm_r, sysadm_t) ') optional_policy(` - webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + xserver_role(sysadm_r, sysadm_t) ') optional_policy(` - yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + yam_run(sysadm_t, sysadm_r) ') diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if index 8ac6b36..3835596 100644 --- a/policy/modules/roles/unprivuser.if +++ b/policy/modules/roles/unprivuser.if @@ -4,16 +4,19 @@ ## ## Change to the generic user role. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`unprivuser_role_change_template',` - userdom_role_change_template($1, user) +interface(`unprivuser_role_change',` + gen_require(` + role user_r; + ') + + allow $1 user_r; ') ######################################## @@ -26,319 +29,22 @@ template(`unprivuser_role_change_template',` ## the specified role. ##

##

-## This is a template to support third party modules +## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Role allowed access. ## ## ## # -template(`unprivuser_role_change_to_template',` - userdom_role_change_template(user, $1) -') - -######################################## -## -## Create generic user home directories -## with automatic file type transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_home_filetrans_home_dir',` - gen_require(` - type user_home_dir_t; - ') - - files_home_filetrans($1, user_home_dir_t, dir) -') - -######################################## -## -## Search generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_search_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## Create objects in generic user home directories -## with automatic file type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## If not specified, file is used. -## -## -# -interface(`unprivuser_home_dir_filetrans_home_content',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - filetrans_pattern($1, user_home_dir_t, user_home_t, $2) -') - -######################################## -## -## Don't audit search on the user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_dontaudit_search_home_dirs',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:dir search_dir_perms; -') - -######################################## -## -## Create generic user home directories -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_create_home_dir',` - gen_require(` - type user_home_dir_t; - ') - - files_search_home($1) - allow $1 user_home_dir_t:dir create_dir_perms; -') - -######################################## -## -## Create, read, write, and delete generic user -## home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - files_search_home($1) - allow $1 user_home_dir_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## subdirectories of generic user -## home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_content_dirs',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -') - -######################################## -## -## Relabel to generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_relabelto_home_dirs',` - gen_require(` - type user_home_dir_t; - ') - - files_search_home($1) - allow $1 user_home_dir_t:dir relabelto; -') - -######################################## -## -## Read files in generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_read_home_content_files',` - gen_require(` - type user_home_t, user_home_dir_t; - ') - - files_search_home($1) - allow $1 user_home_t:dir list_dir_perms; - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -') - -######################################## -## -## Mmap of generic user -## home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_mmap_home_content_files',` - gen_require(` - type user_home_t; - ') - - files_search_home($1) - allow $1 user_home_t:file execute; -') - -######################################## -## -## Create, read, write, and delete files -## in generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - manage_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -') - -######################################## -## -## Do not audit attempts to relabel generic user -## home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_dontaudit_relabel_home_content_files',` - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file { relabelto relabelfrom }; -') - -######################################## -## -## Create, read, write, and delete symbolic -## links in generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_content_symlinks',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - manage_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -') - -######################################## -## -## Create, read, write, and delete named -## pipes in generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_content_pipes',` +interface(`unprivuser_role_change_to',` gen_require(` - type user_home_dir_t, user_home_t; + role user_r; ') - files_search_home($1) - manage_fifo_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow user_r $1; ') - -######################################## -## -## Create, read, write, and delete named -## sockets in generic user home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unprivuser_manage_home_content_sockets',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -') - diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 63f50c2..2183644 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,5 @@ -policy_module(unprivuser, 1.1.0) +policy_module(unprivuser, 2.0.0) # this module should be named user, but that is # a compile error since user is a keyword. @@ -13,3 +13,143 @@ role user_r; userdom_unpriv_user_template(user) +optional_policy(` + apache_role(user_r, user_t) +') + +optional_policy(` + auth_role(user_r, user_t) +') + +optional_policy(` + bluetooth_role(user_r, user_t) +') + +optional_policy(` + cdrecord_role(user_r, user_t) +') + +optional_policy(` + cron_role(user_r, user_t) +') + +optional_policy(` + dbus_role_template(user, user_r, user_t) +') + +optional_policy(` + ethereal_role(user_r, user_t) +') + +optional_policy(` + evolution_role(user_r, user_t) +') + +optional_policy(` + games_role(user_r, user_t) +') + +optional_policy(` + gift_role(user_r, user_t) +') + +optional_policy(` + gnome_role(user_r, user_t) +') + +optional_policy(` + gpg_role(user_r, user_t) +') + +optional_policy(` + irc_role(user_r, user_t) +') + +optional_policy(` + java_role(user_r, user_t) +') + +optional_policy(` + lockdev_role(user_r, user_t) +') + +optional_policy(` + lpd_role(user_r, user_t) +') + +optional_policy(` + mozilla_role(user_r, user_t) +') + +optional_policy(` + mplayer_role(user_r, user_t) +') + +optional_policy(` + mta_role(user_r, user_t) +') + +optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) +') + +optional_policy(` + pyzor_role(user_r, user_t) +') + +optional_policy(` + razor_role(user_r, user_t) +') + +optional_policy(` + rssh_role(user_r, user_t) +') + +optional_policy(` + screen_role_template(user, user_r, user_t) +') + +optional_policy(` + spamassassin_role(user_r, user_t) +') + +optional_policy(` + ssh_role_template(user, user_r, user_t) +') + +optional_policy(` + su_role_template(user, user_r, user_t) +') + +optional_policy(` + sudo_role_template(user, user_r, user_t) +') + +optional_policy(` + thunderbird_role(user_r, user_t) +') + +optional_policy(` + tvtime_role(user_r, user_t) +') + +optional_policy(` + uml_role(user_r, user_t) +') + +optional_policy(` + userhelper_role_template(user, user_r, user_t) +') + +optional_policy(` + vmware_role(user_r, user_t) +') + +optional_policy(` + wireshark_role(user_r, user_t) +') + +optional_policy(` + xserver_role(user_r, user_t) +') diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index 7f193c4..b571424 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te @@ -1,5 +1,5 @@ -policy_module(afs, 1.3.0) +policy_module(afs, 1.3.1) ######################################## # @@ -180,7 +180,7 @@ seutil_read_config(afs_fsserver_t) sysnet_read_config(afs_fsserver_t) -sysadm_dontaudit_use_terms(afs_fsserver_t) +userdom_dontaudit_use_user_terminals(afs_fsserver_t) ######################################## # @@ -225,7 +225,7 @@ seutil_read_config(afs_kaserver_t) sysnet_read_config(afs_kaserver_t) -sysadm_dontaudit_use_terms(afs_kaserver_t) +userdom_dontaudit_use_user_terminals(afs_kaserver_t) ######################################## # @@ -263,7 +263,7 @@ miscfiles_read_localization(afs_ptserver_t) sysnet_read_config(afs_ptserver_t) -sysadm_dontaudit_use_terms(afs_ptserver_t) +userdom_dontaudit_use_user_terminals(afs_ptserver_t) ######################################## # @@ -301,4 +301,4 @@ miscfiles_read_localization(afs_vlserver_t) sysnet_read_config(afs_vlserver_t) -sysadm_dontaudit_use_terms(afs_vlserver_t) +userdom_dontaudit_use_user_terminals(afs_vlserver_t) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if index c656fa9..5b8def1 100644 --- a/policy/modules/services/aide.if +++ b/policy/modules/services/aide.if @@ -33,11 +33,6 @@ interface(`aide_domtrans',` ## The role to allow the AIDE domain. ## ## -## -## -## The type of the terminal allow the AIDE domain to use. -## -## # interface(`aide_run',` gen_require(` @@ -46,7 +41,6 @@ interface(`aide_run',` aide_domtrans($1) role $2 types aide_t; - allow aide_t $3:chr_file rw_chr_file_perms; ') ######################################## diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te index af51f7f..aa3692c 100644 --- a/policy/modules/services/aide.te +++ b/policy/modules/services/aide.te @@ -1,5 +1,5 @@ -policy_module(aide, 1.4.0) +policy_module(aide, 1.4.1) ######################################## # @@ -37,3 +37,5 @@ files_read_all_files(aide_t) logging_send_audit_msgs(aide_t) seutil_use_newrole_fds(aide_t) + +userdom_use_user_terminals(aide_t) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 42ffed8..6a9b4f7 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -1,5 +1,5 @@ -policy_module(amavis, 1.8.0) +policy_module(amavis, 1.8.1) ######################################## # @@ -145,6 +145,8 @@ miscfiles_read_localization(amavis_t) sysnet_dns_name_resolve(amavis_t) sysnet_use_ldap(amavis_t) +userdom_dontaudit_search_user_home_dirs(amavis_t) + # Cron handling cron_use_fds(amavis_t) cron_use_system_job_fds(amavis_t) @@ -152,8 +154,6 @@ cron_rw_pipes(amavis_t) mta_read_config(amavis_t) -sysadm_dontaudit_search_home_dirs(amavis_t) - optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 7bb7be7..afcb9bd 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,4 +1,4 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 7946f40..bae17ed 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -238,107 +238,71 @@ template(`apache_content_template',` ') ') -####################################### +######################################## ## -## The per role template for the apache module. +## Role access for apache ## -## -##

-## This template creates types used for web pages -## and web cgi to be used from the user home directory. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`apache_per_role_template', ` +interface(`apache_role',` gen_require(` - attribute httpdcontent, httpd_script_domains; - attribute httpd_exec_scripts, httpd_user_content_type; - attribute httpd_user_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; + attribute httpdcontent; + type httpd_user_content_t, httpd_user_htaccess_t; + type httpd_user_script_t, httpd_user_script_exec_t; + type httpd_user_script_ra_t, httpd_user_script_ro_t; + type httpd_user_script_rw_t; ') - apache_content_template($1) - - typeattribute httpd_$1_content_t httpd_user_content_type; - typeattribute httpd_$1_script_ra_t httpd_user_content_type; - typeattribute httpd_$1_script_rw_t httpd_user_content_type; - typeattribute httpd_$1_script_ro_t httpd_user_content_type; - typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; - - typeattribute httpd_$1_script_t httpd_script_domains; - userdom_user_home_content($1,httpd_$1_content_t) + role $1 types httpd_user_script_t; - role $3 types httpd_$1_script_t; + allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; - allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; + allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; - allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom }; + manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) + manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) + manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) + relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) + relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) + relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) - manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) + manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) + manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) + manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) + relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) + relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) + relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) - manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) + manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) + manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) + manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) + relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) + relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) + relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) - manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - - manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) + manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context - domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t) + domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - - domtrans_pattern($2, httpdcontent, httpd_$1_script_t) - ') - - # allow accessing files/dirs below the users home dir - tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs($1,httpd_t) - userdom_search_user_home_dirs($1,httpd_suexec_t) - userdom_search_user_home_dirs($1,httpd_$1_script_t) + domtrans_pattern($2, httpdcontent, httpd_user_script_t) ') ') @@ -346,52 +310,40 @@ template(`apache_per_role_template', ` ## ## Read httpd user scripts executables. ## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## ## ## ## Domain allowed access. ## ## # -template(`apache_read_user_scripts',` +interface(`apache_read_user_scripts',` gen_require(` - type httpd_$1_script_exec_t; + type httpd_user_script_exec_t; ') - allow $2 httpd_$1_script_exec_t:dir list_dir_perms; - read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) - read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) + allow $1 httpd_user_script_exec_t:dir list_dir_perms; + read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) + read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## ## ## Read user web content. ## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## ## ## ## Domain allowed access. ## ## # -template(`apache_read_user_content',` +interface(`apache_read_user_content',` gen_require(` - type httpd_$1_content_t; + type httpd_user_content_t; ') - allow $2 httpd_$1_content_t:dir list_dir_perms; - read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) + allow $1 httpd_user_content_t:dir list_dir_perms; + read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) + read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## @@ -630,11 +582,6 @@ interface(`apache_domtrans_helper',` ## The role to be allowed the dmidecode domain. ## ## -## -## -## The type of the terminal allow the dmidecode domain to use. -## -## ## # interface(`apache_run_helper',` @@ -644,7 +591,6 @@ interface(`apache_run_helper',` apache_domtrans_helper($1) role $2 types httpd_helper_t; - allow httpd_helper_t $3:chr_file rw_term_perms; ') ######################################## @@ -913,8 +859,6 @@ interface(`apache_domtrans_all_scripts',` ## ## # -# cjp: this is missing the terminal since scripts -# do not output to the terminal interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index ab19229..2afa17f 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,18 +1,17 @@ -policy_module(apache, 1.11.0) +policy_module(apache, 2.0.0) # # NOTES: # This policy will work with SUEXEC enabled as part of the Apache # configuration. However, the user CGI scripts will run under the -# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the -# of the creating user. +# system_u:system_r:httpd_user_script_t. # -# The user CGI scripts must be labeled with the httpd_$1_script_exec_t +# The user CGI scripts must be labeled with the httpd_user_script_exec_t # type, and the directory containing the scripts should also be labeled -# with these types. This policy allows user_r role to perform that -# relabeling. If it is desired that only sysadm_r should be able to relabel -# the user CGI scripts, then relabel rule for user_r should be removed. +# with these types. This policy allows the user role to perform that +# relabeling. If it is desired that only admin role should be able to relabel +# the user CGI scripts, then relabel rule for user roles should be removed. # ######################################## @@ -187,6 +186,30 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) +apache_content_template(user) +ubac_constrained(httpd_user_script_t) +userdom_user_home_content(httpd_user_content_t) +userdom_user_home_content(httpd_user_htaccess_t) +userdom_user_home_content(httpd_user_script_exec_t) +userdom_user_home_content(httpd_user_script_ra_t) +userdom_user_home_content(httpd_user_script_ro_t) +userdom_user_home_content(httpd_user_script_rw_t) +typeattribute httpd_user_script_t httpd_script_domains; +typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; +typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; +typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; +typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; +typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; +typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; +typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; +typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; +typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; +typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; +typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; +typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + # for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) @@ -393,7 +416,7 @@ tunable_policy(`httpd_enable_ftp_server',` ') tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -418,12 +441,9 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` - # cjp: this is redundant: - term_use_controlling_term(httpd_t) - - sysadm_use_terms(httpd_t) + userdom_use_user_terminals(httpd_t) ',` - sysadm_dontaudit_use_terms(httpd_t) + userdom_dontaudit_use_user_terminals(httpd_t) ') optional_policy(` @@ -513,9 +533,7 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) -tunable_policy(`httpd_tty_comm',` - sysadm_use_terms(httpd_helper_t) -') +userdom_use_user_terminals(httpd_helper_t) ######################################## # @@ -628,7 +646,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` ') tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -686,7 +704,7 @@ ifdef(`distro_redhat',` ') tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) + userdom_read_user_home_content_files(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -728,3 +746,19 @@ files_read_etc_files(httpd_rotatelogs_t) logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) + +######################################## +# +# User content local policy +# + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; +') + +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_dirs(httpd_t) + userdom_search_user_home_dirs(httpd_suexec_t) + userdom_search_user_home_dirs(httpd_user_script_t) +') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index 2a96926..e565c32 100644 --- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te @@ -1,5 +1,5 @@ -policy_module(apcupsd, 1.4.0) +policy_module(apcupsd, 1.4.1) ######################################## # @@ -88,8 +88,7 @@ miscfiles_read_localization(apcupsd_t) sysnet_dns_name_resolve(apcupsd_t) -userdom_use_unpriv_users_ttys(apcupsd_t) -userdom_use_unpriv_users_ptys(apcupsd_t) +userdom_use_user_ttys(apcupsd_t) optional_policy(` hostname_exec(apcupsd_t) diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 80c7780..2490ed7 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -1,5 +1,5 @@ -policy_module(apm, 1.8.0) +policy_module(apm, 1.8.1) ######################################## # @@ -133,9 +133,8 @@ modutils_read_module_config(apmd_t) seutil_dontaudit_read_config(apmd_t) userdom_dontaudit_use_unpriv_user_fds(apmd_t) -userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive? - -sysadm_dontaudit_search_home_dirs(apmd_t) +userdom_dontaudit_search_user_home_dirs(apmd_t) +userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? ifdef(`distro_redhat',` allow apmd_t apmd_lock_t:file manage_file_perms; @@ -225,5 +224,5 @@ optional_policy(` # cjp: related to sleep/resume (?) optional_policy(` - xserver_domtrans_xdm_xserver(apmd_t) + xserver_domtrans(apmd_t) ') diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te index efff63c..27bf9ad 100644 --- a/policy/modules/services/arpwatch.te +++ b/policy/modules/services/arpwatch.te @@ -1,5 +1,5 @@ -policy_module(arpwatch, 1.6.0) +policy_module(arpwatch, 1.6.1) ######################################## # @@ -77,12 +77,11 @@ logging_send_syslog_msg(arpwatch_t) miscfiles_read_localization(arpwatch_t) +userdom_dontaudit_search_user_home_dirs(arpwatch_t) userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) mta_send_mail(arpwatch_t) -sysadm_dontaudit_search_home_dirs(arpwatch_t) - optional_policy(` seutil_sigchld_newrole(arpwatch_t) ') diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index 5aaa127..6f1f982 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -1,5 +1,5 @@ -policy_module(asterisk, 1.5.0) +policy_module(asterisk, 1.5.1) ######################################## # @@ -123,8 +123,7 @@ miscfiles_read_localization(asterisk_t) sysnet_read_config(asterisk_t) userdom_dontaudit_use_unpriv_user_fds(asterisk_t) - -sysadm_dontaudit_search_home_dirs(asterisk_t) +userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` nis_use_ypbind(asterisk_t) diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index 66672f4..64a716a 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te @@ -1,5 +1,5 @@ -policy_module(audio_entropy, 1.4.0) +policy_module(audio_entropy, 1.4.1) ######################################## # @@ -46,8 +46,7 @@ logging_send_syslog_msg(entropyd_t) miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) - -sysadm_dontaudit_search_home_dirs(entropyd_t) +userdom_dontaudit_search_user_home_dirs(entropyd_t) optional_policy(` seutil_sigchld_newrole(entropyd_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 61b06c6..43192df 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount, 1.10.0) +policy_module(automount, 1.10.1) ######################################## # @@ -144,8 +144,7 @@ miscfiles_read_certs(automount_t) mount_domtrans(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) - -sysadm_dontaudit_search_home_dirs(automount_t) +userdom_dontaudit_search_user_home_dirs(automount_t) optional_policy(` bind_search_cache(automount_t) diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index dddae90..8120ad5 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi, 1.9.0) +policy_module(avahi, 1.9.1) ######################################## # @@ -75,11 +75,10 @@ logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) - -sysadm_dontaudit_search_home_dirs(avahi_t) +userdom_dontaudit_search_user_home_dirs(avahi_t) optional_policy(` - dbus_system_bus_client_template(avahi,avahi_t) + dbus_system_bus_client(avahi_t) dbus_connect_system_bus(avahi_t) init_dbus_chat_script(avahi_t) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index d089eff..c28e4d9 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -51,11 +51,6 @@ interface(`bind_signal',` ## The role to be allowed the bind domain. ## ## -## -## -## The type of the terminal allow the bind domain to use. -## -## ## # interface(`bind_run_ndc',` @@ -65,7 +60,6 @@ interface(`bind_run_ndc',` bind_domtrans_ndc($1) role $2 types ndc_t; - allow ndc_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 4ceaab3..77dfd18 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind, 1.8.0) +policy_module(bind, 1.8.1) ######################################## # @@ -147,8 +147,7 @@ miscfiles_read_certs(named_t) sysnet_read_config(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) - -sysadm_dontaudit_search_home_dirs(named_t) +userdom_dontaudit_search_user_home_dirs(named_t) tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) @@ -161,7 +160,7 @@ optional_policy(` sysnet_dbus_chat_dhcpc(named_t) - dbus_system_bus_client_template(named, named_t) + dbus_system_bus_client(named_t) dbus_connect_system_bus(named_t) optional_policy(` @@ -241,6 +240,8 @@ miscfiles_read_localization(ndc_t) sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) +userdom_use_user_terminals(ndc_t) + # for /etc/rndc.key ifdef(`distro_redhat',` allow ndc_t named_conf_t:dir search; diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index deb7d45..edf2769 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -1,111 +1,40 @@ ## Bluetooth tools and system services. -####################################### +######################################## ## -## The per role template for the bluetooth module. +## Role access for bluetooth ## -## -##

-## This template creates derived domains which are used -## for bluetooth. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`bluetooth_per_role_template',` +interface(`bluetooth_role',` gen_require(` - attribute bluetooth_helper_domain; - type bluetooth_helper_exec_t, bluetooth_t; + type bluetooth_helper_t, bluetooth_helper_exec_t; + type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; ') - type $1_bluetooth_t, bluetooth_helper_domain; - application_domain($1_bluetooth_t, bluetooth_helper_exec_t) - role $3 types $1_bluetooth_t; - - type $1_bluetooth_tmp_t; - files_tmp_file($1_bluetooth_tmp_t) - - type $1_bluetooth_tmpfs_t; - files_tmpfs_file($1_bluetooth_tmpfs_t) - - allow $1_bluetooth_t self:capability sys_nice; - allow $1_bluetooth_t self:process getsched; - allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms; - allow $1_bluetooth_t self:shm create_shm_perms; - allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_bluetooth_t self:tcp_socket create_socket_perms; - allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms; - - allow $1_bluetooth_t bluetooth_t:socket { read write }; - - manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) - manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) - manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) - files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file }) - - manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t) - manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t) - fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file }) - - kernel_read_system_state($1_bluetooth_t) - kernel_read_kernel_sysctls($1_bluetooth_t) + role $1 types bluetooth_helper_t; - dev_read_urand($1_bluetooth_t) + domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - term_dontaudit_use_all_user_ttys($1_bluetooth_t) + # allow ps to show cdrecord and allow the user to kill it + ps_process_pattern($2, bluetooth_helper_t) + allow $2 bluetooth_helper_t:process signal; - corecmd_exec_bin($1_bluetooth_t) - corecmd_exec_shell($1_bluetooth_t) + manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - domain_read_all_domains_state($1_bluetooth_t) - - files_read_etc_files($1_bluetooth_t) - files_read_etc_runtime_files($1_bluetooth_t) - files_read_usr_files($1_bluetooth_t) - files_dontaudit_list_default($1_bluetooth_t) - - locallogin_dontaudit_use_fds($1_bluetooth_t) - - logging_send_syslog_msg($1_bluetooth_t) - - miscfiles_read_localization($1_bluetooth_t) - - sysnet_read_config($1_bluetooth_t) - - optional_policy(` - bluetooth_dbus_chat($1_bluetooth_t) - - dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t) - dbus_connect_system_bus($1_bluetooth_t) - ') - - optional_policy(` - nscd_socket_use($1_bluetooth_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_bluetooth, $1_bluetooth_t, $1_bluetooth_tmpfs_t) - ') + manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) ') ######################################## @@ -207,7 +136,7 @@ interface(`bluetooth_run_helper',` ######################################## ## -## Read bluetooth helper files. +## Read bluetooth helper state files. ## ## ## @@ -215,11 +144,11 @@ interface(`bluetooth_run_helper',` ## ## # -interface(`bluetooth_dontaudit_read_helper_files',` +interface(`bluetooth_dontaudit_read_helper_state',` gen_require(` - attribute bluetooth_helper_domain; + type bluetooth_helper_t; ') - dontaudit $1 bluetooth_helper_domain:dir search; - dontaudit $1 bluetooth_helper_domain:file { read getattr }; + dontaudit $1 bluetooth_helper_t:dir search; + dontaudit $1 bluetooth_helper_t:file { read getattr }; ') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 0da2c88..302dd11 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth, 2.2.0) +policy_module(bluetooth, 3.0.0) ######################################## # @@ -15,10 +15,24 @@ files_type(bluetooth_conf_t) type bluetooth_conf_rw_t; files_type(bluetooth_conf_rw_t) -attribute bluetooth_helper_domain; - +type bluetooth_helper_t; type bluetooth_helper_exec_t; -application_executable_file(bluetooth_helper_exec_t) +typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t }; +typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t }; +application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) +ubac_constrained(bluetooth_helper_t) + +type bluetooth_helper_tmp_t; +typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; +typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; +files_tmp_file(bluetooth_helper_tmp_t) +ubac_constrained(bluetooth_helper_tmp_t) + +type bluetooth_helper_tmpfs_t; +typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; +typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t }; +files_tmpfs_file(bluetooth_helper_tmpfs_t) +ubac_constrained(bluetooth_helper_tmpfs_t) type bluetooth_lock_t; files_lock_file(bluetooth_lock_t) @@ -118,12 +132,11 @@ miscfiles_read_fonts(bluetooth_t) sysnet_read_config(bluetooth_t) userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) - -sysadm_dontaudit_use_ptys(bluetooth_t) -sysadm_dontaudit_search_home_dirs(bluetooth_t) +userdom_dontaudit_use_user_terminals(bluetooth_t) +userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` - dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) ') @@ -142,3 +155,67 @@ optional_policy(` optional_policy(` ppp_domtrans(bluetooth_t) ') + +######################################## +# +# Bluetooth helper programs local policy +# + +allow bluetooth_helper_t self:capability sys_nice; +allow bluetooth_helper_t self:process getsched; +allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; +allow bluetooth_helper_t self:shm create_shm_perms; +allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow bluetooth_helper_t self:tcp_socket create_socket_perms; +allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; + +allow bluetooth_helper_t bluetooth_t:socket { read write }; + +manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) + +manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) +manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) +fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file }) + +kernel_read_system_state(bluetooth_helper_t) +kernel_read_kernel_sysctls(bluetooth_helper_t) + +dev_read_urand(bluetooth_helper_t) + +term_dontaudit_use_all_user_ttys(bluetooth_helper_t) + +corecmd_exec_bin(bluetooth_helper_t) +corecmd_exec_shell(bluetooth_helper_t) + +domain_read_all_domains_state(bluetooth_helper_t) + +files_read_etc_files(bluetooth_helper_t) +files_read_etc_runtime_files(bluetooth_helper_t) +files_read_usr_files(bluetooth_helper_t) +files_dontaudit_list_default(bluetooth_helper_t) + +locallogin_dontaudit_use_fds(bluetooth_helper_t) + +logging_send_syslog_msg(bluetooth_helper_t) + +miscfiles_read_localization(bluetooth_helper_t) + +sysnet_read_config(bluetooth_helper_t) + +optional_policy(` + bluetooth_dbus_chat(bluetooth_helper_t) + + dbus_system_bus_client(bluetooth_helper_t) + dbus_connect_system_bus(bluetooth_helper_t) +') + +optional_policy(` + nscd_socket_use(bluetooth_helper_t) +') + +optional_policy(` + xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) +') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 5f14678..110f2fa 100644 --- a/policy/modules/services/canna.te +++ b/policy/modules/services/canna.te @@ -1,5 +1,5 @@ -policy_module(canna, 1.8.0) +policy_module(canna, 1.8.1) ######################################## # @@ -78,8 +78,7 @@ miscfiles_read_localization(canna_t) sysnet_read_config(canna_t) userdom_dontaudit_use_unpriv_user_fds(canna_t) - -sysadm_dontaudit_search_home_dirs(canna_t) +userdom_dontaudit_search_user_home_dirs(canna_t) optional_policy(` nis_use_ypbind(canna_t) diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if index 5dc0c2d..50aba89 100644 --- a/policy/modules/services/clockspeed.if +++ b/policy/modules/services/clockspeed.if @@ -32,11 +32,6 @@ interface(`clockspeed_domtrans_cli',` ## The role to be allowed the clockspeed_cli domain. ## ## -## -## -## The type of the terminal allow the clockspeed_cli domain to use. -## -## ## # interface(`clockspeed_run_cli',` @@ -46,6 +41,4 @@ interface(`clockspeed_run_cli',` role $2 types clockspeed_cli_t; clockspeed_domtrans_cli($1) - allow clockspeed_cli_t $3:chr_file { getattr read write ioctl }; - ') diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te index f1699bc..075a7ea 100644 --- a/policy/modules/services/clockspeed.te +++ b/policy/modules/services/clockspeed.te @@ -1,5 +1,5 @@ -policy_module(clockspeed, 1.3.0) +policy_module(clockspeed, 1.3.1) ######################################## # @@ -39,6 +39,8 @@ files_read_etc_files(clockspeed_cli_t) miscfiles_read_localization(clockspeed_cli_t) +userdom_use_user_terminals(clockspeed_cli_t) + ######################################## # # Server local policy diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te index 4881daf..5e1df3a 100644 --- a/policy/modules/services/comsat.te +++ b/policy/modules/services/comsat.te @@ -1,5 +1,5 @@ -policy_module(comsat, 1.5.0) +policy_module(comsat, 1.5.1) ######################################## # @@ -66,9 +66,9 @@ logging_send_syslog_msg(comsat_t) miscfiles_read_localization(comsat_t) -mta_getattr_spool(comsat_t) +userdom_dontaudit_getattr_user_ttys(comsat_t) -sysadm_dontaudit_getattr_ttys(comsat_t) +mta_getattr_spool(comsat_t) optional_policy(` kerberos_use(comsat_t) diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index 33deb95..f483a16 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -1,5 +1,5 @@ -policy_module(consolekit, 1.3.0) +policy_module(consolekit, 1.3.1) ######################################## # @@ -50,7 +50,7 @@ auth_use_nsswitch(consolekit_t) miscfiles_read_localization(consolekit_t) optional_policy(` - dbus_system_bus_client_template(consolekit, consolekit_t) + dbus_system_bus_client(consolekit_t) dbus_connect_system_bus(consolekit_t) hal_dbus_chat(consolekit_t) @@ -61,6 +61,6 @@ optional_policy(` ') optional_policy(` - xserver_read_all_users_xauth(consolekit_t) - xserver_stream_connect_xdm_xserver(consolekit_t) + xserver_read_user_xauth(consolekit_t) + xserver_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 768c1da..475e509 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te @@ -1,5 +1,5 @@ -policy_module(courier, 1.6.0) +policy_module(courier, 1.6.1) ######################################## # @@ -67,12 +67,10 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) # should not be needed! -userdom_search_unpriv_users_home_dirs(courier_authdaemon_t) +userdom_search_user_home_dirs(courier_authdaemon_t) courier_domtrans_pop(courier_authdaemon_t) -sysadm_dontaudit_search_home_dirs(courier_authdaemon_t) - ######################################## # # Calendar (PCP) local policy @@ -100,12 +98,12 @@ miscfiles_read_localization(courier_pop_t) courier_domtrans_authdaemon(courier_pop_t) # do the actual work (read the Maildir) -userdom_manage_unpriv_users_home_content_files(courier_pop_t) +userdom_manage_user_home_content_files(courier_pop_t) # cjp: the fact that this is different for pop vs imap means that # there should probably be a courier_pop_t and courier_imap_t # this should also probably be a separate type too instead of # the regular home dir -userdom_manage_unpriv_users_home_content_dirs(courier_pop_t) +userdom_manage_user_home_content_dirs(courier_pop_t) ######################################## # diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index fb0d378..969629e 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc @@ -41,7 +41,7 @@ ifdef(`distro_suse', ` #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/.* <> +/var/spool/fcron/[^/]* <> /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 0822ff9..e75526a 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -2,307 +2,234 @@ ####################################### ## -## The per role template for the cron module. +## The common rules for a crontab domain. ## -## -##

-## This template creates a derived domains which are used -## for running programs on behalf of the user, from cron. -## A type for the user crontab is also created. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## # -template(`cron_per_role_template',` - gen_require(` - attribute cron_spool_type; - type crond_t, cron_spool_t, crontab_exec_t; - class dbus send_msg; - ') - - # Type of user crontabs once moved to cron spool. - type $1_cron_spool_t, cron_spool_type; - files_type($1_cron_spool_t) - - type $1_crond_t; - domain_type($1_crond_t) - domain_cron_exemption_target($1_crond_t) - corecmd_shell_entry_type($1_crond_t) - role $3 types $1_crond_t; +template(`cron_common_crontab_template',` + ############################## + # + # Declarations + # - type $1_crontab_t; - application_domain($1_crontab_t, crontab_exec_t) - role $3 types $1_crontab_t; + type $1_t; + application_domain($1_t, crontab_exec_t) + ubac_constrained($1_t) - type $1_crontab_tmp_t; - files_tmp_file($1_crontab_tmp_t) + type $1_tmp_t; + files_tmp_file($1_tmp_t) ############################## # - # $1_crond_t local policy + # Local policy # - allow $1_crond_t self:capability dac_override; - allow $1_crond_t self:process { signal_perms setsched }; - allow $1_crond_t self:fifo_file rw_fifo_file_perms; - allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; - allow $1_crond_t self:unix_dgram_socket create_socket_perms; - - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that - # the crontab file has a type that is appropriate - # for the domain of the user cron job. It - # performs an entrypoint permission check - # for this purpose. - allow $1_crond_t $1_cron_spool_t:file entrypoint; - - # Permit a transition from the crond_t domain to this domain. - # The transition is requested explicitly by the modified crond - # via setexeccon. There is no way to set up an automatic - # transition, since crontabs are configuration files, not executables. - allow crond_t $1_crond_t:process transition; - dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh }; - allow crond_t $1_crond_t:fd use; - allow $1_crond_t crond_t:fd use; - allow $1_crond_t crond_t:fifo_file rw_file_perms; - allow $1_crond_t crond_t:process sigchld; - - kernel_read_system_state($1_crond_t) - kernel_read_kernel_sysctls($1_crond_t) - - # ps does not need to access /boot when run from cron - files_dontaudit_search_boot($1_crond_t) - - corenet_all_recvfrom_unlabeled($1_crond_t) - corenet_all_recvfrom_netlabel($1_crond_t) - corenet_tcp_sendrecv_all_if($1_crond_t) - corenet_udp_sendrecv_all_if($1_crond_t) - corenet_tcp_sendrecv_all_nodes($1_crond_t) - corenet_udp_sendrecv_all_nodes($1_crond_t) - corenet_tcp_sendrecv_all_ports($1_crond_t) - corenet_udp_sendrecv_all_ports($1_crond_t) - corenet_tcp_connect_all_ports($1_crond_t) - corenet_sendrecv_all_client_packets($1_crond_t) - - dev_read_urand($1_crond_t) - - fs_getattr_all_fs($1_crond_t) - - corecmd_exec_all_executables($1_crond_t) - - # quiet other ps operations - domain_dontaudit_read_all_domains_state($1_crond_t) - domain_dontaudit_getattr_all_domains($1_crond_t) - - files_read_usr_files($1_crond_t) - files_exec_etc_files($1_crond_t) - # for nscd: - files_dontaudit_search_pids($1_crond_t) - - libs_exec_lib_files($1_crond_t) - libs_exec_ld_so($1_crond_t) - - files_read_etc_runtime_files($1_crond_t) - files_read_var_files($1_crond_t) - files_search_spool($1_crond_t) - - logging_search_logs($1_crond_t) - - seutil_read_config($1_crond_t) - - miscfiles_read_localization($1_crond_t) - - userdom_manage_user_tmp_files($1, $1_crond_t) - userdom_manage_user_tmp_symlinks($1, $1_crond_t) - userdom_manage_user_tmp_pipes($1, $1_crond_t) - userdom_manage_user_tmp_sockets($1, $1_crond_t) - # Run scripts in user home directory and access shared libs. - userdom_exec_user_home_content_files($1, $1_crond_t) - # Access user files and dirs. -# userdom_manage_user_home_subdir_dirs($1,$1_crond_t) - userdom_manage_user_home_content_files($1, $1_crond_t) - userdom_manage_user_home_content_symlinks($1, $1_crond_t) - userdom_manage_user_home_content_pipes($1, $1_crond_t) - userdom_manage_user_home_content_sockets($1, $1_crond_t) -# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set) - - tunable_policy(`fcron_crond', ` - allow crond_t $1_cron_spool_t:file manage_file_perms; - ') + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; + allow $1_t self:process signal_perms; - # need a per-role version of this: - #optional_policy(` - # mono_domtrans($1_crond_t) - #') + allow $1_t $1_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_t,$1_tmp_t,file) - optional_policy(` - dbus_stub($1_crond_t) + # create files in /var/spool/cron + # cjp: change this to a role transition + manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) + files_search_spool($1_t) - allow $1_crond_t $2:dbus send_msg; - ') + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; - optional_policy(` - nis_use_ypbind($1_crond_t) - ') + kernel_read_system_state($1_t) - ifdef(`TODO',` - optional_policy(` - create_dir_file($1_crond_t, httpd_$1_content_t) - ') - allow $1_crond_t tmp_t:dir rw_dir_perms; - type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; + # for the checks used by crontab -u + selinux_dontaudit_search_fs($1_t) - ifdef(`mta.te', ` - domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) - allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms; + fs_getattr_xattr_fs($1_t) - # $1_mail_t should only be reading from the cron fifo not needing to write - dontaudit $1_mail_t crond_t:fifo_file write; - allow mta_user_agent $1_crond_t:fd use; - ') - ') dnl endif TODO + domain_use_interactive_fds($1_t) - ############################## - # - # $1_crontab_t local policy - # + files_read_etc_files($1_t) + files_dontaudit_search_pids($1_t) - # dac_override is to create the file in the directory under /tmp - allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_crontab_t self:process signal_perms; + logging_send_syslog_msg($1_t) - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, $1_crontab_t) + miscfiles_read_localization($1_t) - # crontab shows up in user ps - ps_process_pattern($2, $1_crontab_t) + seutil_read_config($1_t) - # for ^Z - allow $2 $1_crontab_t:process signal; + userdom_manage_user_tmp_dirs($1_t) + userdom_manage_user_tmp_files($1_t) + # Access terminals. + userdom_use_user_terminals($1_t) + # Read user crontabs + userdom_read_user_home_content_files($1_t) - # Allow crond to read those crontabs in cron spool. - allow crond_t $1_cron_spool_t:file manage_file_perms; + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit $1_t crond_t:process signal; + ') - allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file) + optional_policy(` + nscd_socket_use($1_t) + ') +') - # create files in /var/spool/cron - manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t) - filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file) - files_search_spool($1_crontab_t) +######################################## +## +## Role access for cron +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + ') - # crontab signals crond by updating the mtime on the spooldir - allow $1_crontab_t cron_spool_t:dir setattr; + role $1 types { cronjob_t crontab_t }; - kernel_read_system_state($1_crontab_t) + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) - # for the checks used by crontab -u - selinux_dontaudit_search_fs($1_crontab_t) + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) - fs_getattr_xattr_fs($1_crontab_t) + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; # Run helper programs as the user domain - corecmd_bin_domtrans($1_crontab_t, $2) - corecmd_shell_domtrans($1_crontab_t, $2) + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') - domain_use_interactive_fds($1_crontab_t) + dbus_stub(cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') +') - files_read_etc_files($1_crontab_t) - files_dontaudit_search_pids($1_crontab_t) +######################################## +## +## Role access for unconfined cronjobs +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`cron_unconfined_role',` + gen_require(` + type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; + ') - logging_send_syslog_msg($1_crontab_t) + role $1 types { unconfined_cronjob_t crontab_t }; - miscfiles_read_localization($1_crontab_t) + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) - seutil_read_config($1_crontab_t) + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) - userdom_manage_user_tmp_dirs($1, $1_crontab_t) - userdom_manage_user_tmp_files($1, $1_crontab_t) - # Access terminals. - userdom_use_user_terminals($1, $1_crontab_t) - # Read user crontabs - userdom_read_user_home_content_files($1, $1_crontab_t) + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; - tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - dontaudit $1_crontab_t crond_t:process signal; - ') + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) optional_policy(` - nscd_socket_use($1_crontab_t) - ') + gen_require(` + class dbus send_msg; + ') - ifdef(`TODO',` - # Read user crontabs - dontaudit $1_crontab_t $1_home_dir_t:dir write; - ') dnl endif TODO + dbus_stub(unconfined_cronjob_t) + + allow unconfined_cronjob_t $2:dbus send_msg; + ') ') -####################################### +######################################## ## -## The administrative functions template for the cron module. +## Role access for cron ## -## -##

-## This template creates rules for administrating the cron service, -## allowing the specified user to manage other user crontabs. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access +## +## +## +## +## User domain for the role ## ## -## # -template(`cron_admin_template',` +interface(`cron_admin_role',` gen_require(` - attribute cron_spool_type; - type $1_crontab_t, $1_crond_t; + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; + class passwd crontab; ') - # Allow our crontab domain to unlink a user cron spool file. - allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms }; + role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - logging_read_generic_logs($1_crond_t) + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) # Manipulate other users crontab. - selinux_get_fs_mount($1_crontab_t) - selinux_validate_context($1_crontab_t) - selinux_compute_access_vector($1_crontab_t) - selinux_compute_create_context($1_crontab_t) - selinux_compute_relabel_context($1_crontab_t) - selinux_compute_user_contexts($1_crontab_t) - - tunable_policy(`fcron_crond', ` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - allow $1_crontab_t self:process setfscreate; - selinux_get_fs_mount($1_crontab_t) - ') + allow $2 self:passwd crontab; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(admin_crontab_t, $2) + #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(admin_cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') ') ######################################## @@ -323,16 +250,16 @@ template(`cron_admin_template',` # interface(`cron_system_entry',` gen_require(` - type crond_t, system_crond_t; + type crond_t, system_cronjob_t; ') - domain_auto_trans(system_crond_t, $2, $1) + domain_auto_trans(system_cronjob_t, $2, $1) # cjp: perhaps these four rules from the old # domain_auto_trans are not needed? - allow $1 system_crond_t:fd use; - allow $1 system_crond_t:fifo_file rw_file_perms; - allow $1 system_crond_t:process sigchld; + allow $1 system_cronjob_t:fd use; + allow $1 system_cronjob_t:fifo_file rw_file_perms; + allow $1 system_cronjob_t:process sigchld; allow $1 crond_t:fifo_file rw_file_perms; allow $1 crond_t:fd use; @@ -481,10 +408,10 @@ interface(`cron_search_spool',` # interface(`cron_anacron_domtrans_system_job',` gen_require(` - type system_crond_t, anacron_exec_t; + type system_cronjob_t, anacron_exec_t; ') - domtrans_pattern($1, anacron_exec_t, system_crond_t) + domtrans_pattern($1,anacron_exec_t,system_cronjob_t) ') ######################################## @@ -500,10 +427,10 @@ interface(`cron_anacron_domtrans_system_job',` # interface(`cron_use_system_job_fds',` gen_require(` - type system_crond_t; + type system_cronjob_t; ') - allow $1 system_crond_t:fd use; + allow $1 system_cronjob_t:fd use; ') ######################################## @@ -518,10 +445,10 @@ interface(`cron_use_system_job_fds',` # interface(`cron_write_system_job_pipes',` gen_require(` - type system_crond_t; + type system_cronjob_t; ') - allow $1 system_crond_t:file write; + allow $1 system_cronjob_t:file write; ') ######################################## @@ -536,10 +463,10 @@ interface(`cron_write_system_job_pipes',` # interface(`cron_rw_system_job_pipes',` gen_require(` - type system_crond_t; + type system_cronjob_t; ') - allow $1 system_crond_t:fifo_file rw_fifo_file_perms; + allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -554,11 +481,11 @@ interface(`cron_rw_system_job_pipes',` # interface(`cron_read_system_job_tmp_files',` gen_require(` - type system_crond_tmp_t; + type system_cronjob_tmp_t; ') files_search_tmp($1) - allow $1 system_crond_tmp_t:file read_file_perms; + allow $1 system_cronjob_tmp_t:file read_file_perms; ') ######################################## @@ -574,8 +501,8 @@ interface(`cron_read_system_job_tmp_files',` # interface(`cron_dontaudit_append_system_job_tmp_files',` gen_require(` - type system_crond_tmp_t; + type system_cronjob_tmp_t; ') - dontaudit $1 system_crond_tmp_t:file append; + dontaudit $1 system_cronjob_tmp_t:file append; ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index d8ffcc3..a63ee63 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron, 1.9.0) +policy_module(cron, 2.0.0) gen_require(` class passwd rootok; @@ -42,6 +42,14 @@ files_type(cron_var_lib_t) type cron_log_t; logging_log_file(cron_log_t) +type cronjob_t; +typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; +typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; +domain_type(cronjob_t) +domain_cron_exemption_target(cronjob_t) +corecmd_shell_entry_type(cronjob_t) +ubac_constrained(cronjob_t) + type crond_t; type crond_exec_t; init_daemon_domain(crond_t, crond_exec_t) @@ -57,27 +65,69 @@ files_pid_file(crond_var_run_t) type crontab_exec_t; application_executable_file(crontab_exec_t) +cron_common_crontab_template(admin_crontab) +typealias admin_crontab_t alias sysadm_crontab_t; +typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; + +cron_common_crontab_template(crontab) +typealias crontab_t alias { user_crontab_t staff_crontab_t }; +typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; +typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; +typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; + type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -type system_crond_t; -init_daemon_domain(system_crond_t, anacron_exec_t) -corecmd_shell_entry_type(system_crond_t) -role system_r types system_crond_t; +type system_cronjob_t alias system_crond_t; +init_daemon_domain(system_cronjob_t, anacron_exec_t) +corecmd_shell_entry_type(system_cronjob_t) +role system_r types system_cronjob_t; -type system_crond_lock_t; -files_lock_file(system_crond_lock_t) +type system_cronjob_lock_t alias system_crond_lock_t; +files_lock_file(system_cronjob_lock_t) -type system_crond_tmp_t; -files_tmp_file(system_crond_tmp_t) +type system_cronjob_tmp_t alias system_crond_tmp_t; +files_tmp_file(system_cronjob_tmp_t) ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) ') +type unconfined_cronjob_t; +domain_type(unconfined_cronjob_t) + +# Type of user crontabs once moved to cron spool. +type user_cron_spool_t, cron_spool_type; +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t }; +typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +files_type(user_cron_spool_t) +ubac_constrained(user_cron_spool_t) + +######################################## +# +# Admin crontab local policy +# + +# Allow our crontab domain to unlink a user cron spool file. +allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; + +# Manipulate other users crontab. +selinux_get_fs_mount(admin_crontab_t) +selinux_validate_context(admin_crontab_t) +selinux_compute_access_vector(admin_crontab_t) +selinux_compute_create_context(admin_crontab_t) +selinux_compute_relabel_context(admin_crontab_t) +selinux_compute_user_contexts(admin_crontab_t) + +tunable_policy(`fcron_crond', ` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; +') + ######################################## # -# Cron Local policy +# Cron daemon local policy # allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; @@ -155,7 +205,7 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed -userdom_list_all_users_home_dirs(crond_t) +userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) @@ -218,22 +268,22 @@ optional_policy(` # System cron process domain # -allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; -allow system_crond_t self:process { signal_perms setsched }; -allow system_crond_t self:fifo_file rw_fifo_file_perms; -allow system_crond_t self:passwd rootok; +allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; +allow system_cronjob_t self:process { signal_perms setsched }; +allow system_cronjob_t self:fifo_file rw_fifo_file_perms; +allow system_cronjob_t self:passwd rootok; # This is to handle creation of files in /var/log directory. # Used currently by rpm script log files -allow system_crond_t cron_log_t:file manage_file_perms; -logging_log_filetrans(system_crond_t, cron_log_t, file) +allow system_cronjob_t cron_log_t:file manage_file_perms; +logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron -allow system_crond_t cron_var_lib_t:file manage_file_perms; -files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file) +allow system_cronjob_t cron_var_lib_t:file manage_file_perms; +files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) -allow system_crond_t system_cron_spool_t:file read_file_perms; +allow system_cronjob_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that @@ -241,193 +291,303 @@ allow system_crond_t system_cron_spool_t:file read_file_perms; # for the domain of the user cron job. It # performs an entrypoint permission check # for this purpose. -allow system_crond_t system_cron_spool_t:file entrypoint; +allow system_cronjob_t system_cron_spool_t:file entrypoint; # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. -allow crond_t system_crond_t:process transition; -dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh }; -allow crond_t system_crond_t:fd use; -allow system_crond_t crond_t:fd use; -allow system_crond_t crond_t:fifo_file rw_file_perms; -allow system_crond_t crond_t:process sigchld; +allow crond_t system_cronjob_t:process transition; +dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t system_cronjob_t:fd use; +allow system_cronjob_t crond_t:fd use; +allow system_cronjob_t crond_t:fifo_file rw_file_perms; +allow system_cronjob_t crond_t:process sigchld; # Write /var/lock/makewhatis.lock. -allow system_crond_t system_crond_lock_t:file manage_file_perms; -files_lock_filetrans(system_crond_t,system_crond_lock_t,file) +allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +files_lock_filetrans(system_cronjob_t,system_cronjob_lock_t,file) # write temporary files -manage_files_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t) -manage_lnk_files_pattern(system_crond_t,crond_tmp_t, system_crond_tmp_t) -filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file) +manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) # Read from /var/spool/cron. -allow system_crond_t cron_spool_t:dir list_dir_perms; -allow system_crond_t cron_spool_t:file read_file_perms; +allow system_cronjob_t cron_spool_t:dir list_dir_perms; +allow system_cronjob_t cron_spool_t:file read_file_perms; -kernel_read_kernel_sysctls(system_crond_t) -kernel_read_system_state(system_crond_t) -kernel_read_software_raid_state(system_crond_t) +kernel_read_kernel_sysctls(system_cronjob_t) +kernel_read_system_state(system_cronjob_t) +kernel_read_software_raid_state(system_cronjob_t) # ps does not need to access /boot when run from cron -files_dontaudit_search_boot(system_crond_t) +files_dontaudit_search_boot(system_cronjob_t) -corecmd_exec_all_executables(system_crond_t) +corecmd_exec_all_executables(system_cronjob_t) -corenet_all_recvfrom_unlabeled(system_crond_t) -corenet_all_recvfrom_netlabel(system_crond_t) -corenet_tcp_sendrecv_all_if(system_crond_t) -corenet_udp_sendrecv_all_if(system_crond_t) -corenet_tcp_sendrecv_all_nodes(system_crond_t) -corenet_udp_sendrecv_all_nodes(system_crond_t) -corenet_tcp_sendrecv_all_ports(system_crond_t) -corenet_udp_sendrecv_all_ports(system_crond_t) +corenet_all_recvfrom_unlabeled(system_cronjob_t) +corenet_all_recvfrom_netlabel(system_cronjob_t) +corenet_tcp_sendrecv_all_if(system_cronjob_t) +corenet_udp_sendrecv_all_if(system_cronjob_t) +corenet_tcp_sendrecv_all_nodes(system_cronjob_t) +corenet_udp_sendrecv_all_nodes(system_cronjob_t) +corenet_tcp_sendrecv_all_ports(system_cronjob_t) +corenet_udp_sendrecv_all_ports(system_cronjob_t) -dev_getattr_all_blk_files(system_crond_t) -dev_getattr_all_chr_files(system_crond_t) -dev_read_urand(system_crond_t) +dev_getattr_all_blk_files(system_cronjob_t) +dev_getattr_all_chr_files(system_cronjob_t) +dev_read_urand(system_cronjob_t) -fs_getattr_all_fs(system_crond_t) -fs_getattr_all_files(system_crond_t) -fs_getattr_all_symlinks(system_crond_t) -fs_getattr_all_pipes(system_crond_t) -fs_getattr_all_sockets(system_crond_t) +fs_getattr_all_fs(system_cronjob_t) +fs_getattr_all_files(system_cronjob_t) +fs_getattr_all_symlinks(system_cronjob_t) +fs_getattr_all_pipes(system_cronjob_t) +fs_getattr_all_sockets(system_cronjob_t) # quiet other ps operations -domain_dontaudit_read_all_domains_state(system_crond_t) - -files_exec_etc_files(system_crond_t) -files_read_etc_files(system_crond_t) -files_read_etc_runtime_files(system_crond_t) -files_list_all(system_crond_t) -files_getattr_all_dirs(system_crond_t) -files_getattr_all_files(system_crond_t) -files_getattr_all_symlinks(system_crond_t) -files_getattr_all_pipes(system_crond_t) -files_getattr_all_sockets(system_crond_t) -files_read_usr_files(system_crond_t) -files_read_var_files(system_crond_t) +domain_dontaudit_read_all_domains_state(system_cronjob_t) + +files_exec_etc_files(system_cronjob_t) +files_read_etc_files(system_cronjob_t) +files_read_etc_runtime_files(system_cronjob_t) +files_list_all(system_cronjob_t) +files_getattr_all_dirs(system_cronjob_t) +files_getattr_all_files(system_cronjob_t) +files_getattr_all_symlinks(system_cronjob_t) +files_getattr_all_pipes(system_cronjob_t) +files_getattr_all_sockets(system_cronjob_t) +files_read_usr_files(system_cronjob_t) +files_read_var_files(system_cronjob_t) # for nscd: -files_dontaudit_search_pids(system_crond_t) +files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. -files_manage_generic_spool(system_crond_t) +files_manage_generic_spool(system_cronjob_t) -init_use_script_fds(system_crond_t) -init_read_utmp(system_crond_t) -init_dontaudit_rw_utmp(system_crond_t) +init_use_script_fds(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_crond_t) +init_write_initctl(system_cronjob_t) -auth_use_nsswitch(system_crond_t) +auth_use_nsswitch(system_cronjob_t) -libs_exec_lib_files(system_crond_t) -libs_exec_ld_so(system_crond_t) +libs_exec_lib_files(system_cronjob_t) +libs_exec_ld_so(system_cronjob_t) -logging_read_generic_logs(system_crond_t) -logging_send_syslog_msg(system_crond_t) +logging_read_generic_logs(system_cronjob_t) +logging_send_syslog_msg(system_cronjob_t) -miscfiles_read_localization(system_crond_t) -miscfiles_manage_man_pages(system_crond_t) +miscfiles_read_localization(system_cronjob_t) +miscfiles_manage_man_pages(system_cronjob_t) -seutil_read_config(system_crond_t) +seutil_read_config(system_cronjob_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` - rpm_manage_log(system_crond_t) + rpm_manage_log(system_cronjob_t) ') ') tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_crond_t) + seutil_domtrans_setfiles(system_cronjob_t) ',` - selinux_get_fs_mount(system_crond_t) - selinux_validate_context(system_crond_t) - selinux_compute_access_vector(system_crond_t) - selinux_compute_create_context(system_crond_t) - selinux_compute_relabel_context(system_crond_t) - selinux_compute_user_contexts(system_crond_t) - seutil_read_file_contexts(system_crond_t) + selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) + selinux_compute_relabel_context(system_cronjob_t) + selinux_compute_user_contexts(system_cronjob_t) + seutil_read_file_contexts(system_cronjob_t) ') optional_policy(` # Needed for certwatch - apache_exec_modules(system_crond_t) - apache_read_config(system_crond_t) - apache_read_log(system_crond_t) - apache_read_sys_content(system_crond_t) + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) ') optional_policy(` - cyrus_manage_data(system_crond_t) + cyrus_manage_data(system_cronjob_t) ') optional_policy(` - ftp_read_log(system_crond_t) + ftp_read_log(system_cronjob_t) ') optional_policy(` - inn_manage_log(system_crond_t) - inn_manage_pid(system_crond_t) - inn_read_config(system_crond_t) + inn_manage_log(system_cronjob_t) + inn_manage_pid(system_cronjob_t) + inn_read_config(system_cronjob_t) ') optional_policy(` - mrtg_append_create_logs(system_crond_t) + mrtg_append_create_logs(system_cronjob_t) ') optional_policy(` - mta_send_mail(system_crond_t) + mta_send_mail(system_cronjob_t) ') optional_policy(` - mysql_read_config(system_crond_t) + mysql_read_config(system_cronjob_t) ') optional_policy(` - postfix_read_config(system_crond_t) + postfix_read_config(system_cronjob_t) ') optional_policy(` - prelink_read_cache(system_crond_t) - prelink_manage_log(system_crond_t) - prelink_delete_cache(system_crond_t) + prelink_read_cache(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_delete_cache(system_cronjob_t) ') optional_policy(` - samba_read_config(system_crond_t) - samba_read_log(system_crond_t) - #samba_read_secrets(system_crond_t) + samba_read_config(system_cronjob_t) + samba_read_log(system_cronjob_t) + #samba_read_secrets(system_cronjob_t) ') optional_policy(` - slocate_create_append_log(system_crond_t) + slocate_create_append_log(system_cronjob_t) ') optional_policy(` # cjp: why? - squid_domtrans(system_crond_t) + squid_domtrans(system_cronjob_t) ') optional_policy(` - sysstat_manage_log(system_crond_t) + sysstat_manage_log(system_cronjob_t) ') optional_policy(` - unconfined_domain(system_crond_t) - - userdom_priveleged_home_dir_manager(system_crond_t) + unconfined_domain(system_cronjob_t) + userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') ifdef(`TODO',` ifdef(`mta.te', ` -allow system_crond_t mail_spool_t:lnk_file read; -allow mta_user_agent system_crond_t:fd use; +allow system_cronjob_t mail_spool_t:lnk_file read; +allow mta_user_agent system_cronjob_t:fd use; r_dir_file(system_mail_t, crond_tmp_t) ') ') dnl end TODO + +######################################## +# +# User cronjobs local policy +# + +allow cronjob_t self:capability dac_override; +allow cronjob_t self:process { signal_perms setsched }; +allow cronjob_t self:fifo_file rw_fifo_file_perms; +allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +allow cronjob_t self:unix_dgram_socket create_socket_perms; + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow cronjob_t user_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t cronjob_t:process transition; +dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t cronjob_t:fd use; +allow cronjob_t crond_t:fd use; +allow cronjob_t crond_t:fifo_file rw_file_perms; +allow cronjob_t crond_t:process sigchld; + +kernel_read_system_state(cronjob_t) +kernel_read_kernel_sysctls(cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(cronjob_t) + +corenet_all_recvfrom_unlabeled(cronjob_t) +corenet_all_recvfrom_netlabel(cronjob_t) +corenet_tcp_sendrecv_all_if(cronjob_t) +corenet_udp_sendrecv_all_if(cronjob_t) +corenet_tcp_sendrecv_all_nodes(cronjob_t) +corenet_udp_sendrecv_all_nodes(cronjob_t) +corenet_tcp_sendrecv_all_ports(cronjob_t) +corenet_udp_sendrecv_all_ports(cronjob_t) +corenet_tcp_connect_all_ports(cronjob_t) +corenet_sendrecv_all_client_packets(cronjob_t) + +dev_read_urand(cronjob_t) + +fs_getattr_all_fs(cronjob_t) + +corecmd_exec_all_executables(cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(cronjob_t) +domain_dontaudit_getattr_all_domains(cronjob_t) + +files_read_usr_files(cronjob_t) +files_exec_etc_files(cronjob_t) +# for nscd: +files_dontaudit_search_pids(cronjob_t) + +libs_exec_lib_files(cronjob_t) +libs_exec_ld_so(cronjob_t) + +files_read_etc_runtime_files(cronjob_t) +files_read_var_files(cronjob_t) +files_search_spool(cronjob_t) + +logging_search_logs(cronjob_t) + +seutil_read_config(cronjob_t) + +miscfiles_read_localization(cronjob_t) + +userdom_manage_user_tmp_files(cronjob_t) +userdom_manage_user_tmp_symlinks(cronjob_t) +userdom_manage_user_tmp_pipes(cronjob_t) +userdom_manage_user_tmp_sockets(cronjob_t) +# Run scripts in user home directory and access shared libs. +userdom_exec_user_home_content_files(cronjob_t) +# Access user files and dirs. +userdom_manage_user_home_content_files(cronjob_t) +userdom_manage_user_home_content_symlinks(cronjob_t) +userdom_manage_user_home_content_pipes(cronjob_t) +userdom_manage_user_home_content_sockets(cronjob_t) +#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; +') + +# need a per-role version of this: +#optional_policy(` +# mono_domtrans(cronjob_t) +#') + +optional_policy(` + nis_use_ypbind(cronjob_t) +') + +######################################## +# +# Unconfined cronjobs local policy +# + +optional_policy(` + unconfined_domain(unconfined_cronjob_t) +') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 43bcd15..3b9dd1a 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups, 1.11.0) +policy_module(cups, 1.11.1) ######################################## # @@ -221,7 +221,7 @@ seutil_read_config(cupsd_t) sysnet_read_config(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -userdom_dontaudit_search_all_users_home_content(cupsd_t) +userdom_dontaudit_search_user_home_content(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) @@ -239,7 +239,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(cupsd, cupsd_t) + dbus_system_bus_client(cupsd_t) userdom_dbus_send_all_users(cupsd_t) @@ -352,13 +352,12 @@ miscfiles_read_localization(cupsd_config_t) seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) +userdom_dontaudit_search_user_home_dirs(cupsd_config_t) cups_stream_connect(cupsd_config_t) lpd_read_config(cupsd_config_t) -sysadm_dontaudit_search_home_dirs(cupsd_config_t) - ifdef(`distro_redhat',` init_getattr_script_files(cupsd_config_t) @@ -372,7 +371,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(cupsd_config, cupsd_config_t) + dbus_system_bus_client(cupsd_config_t) dbus_connect_system_bus(cupsd_config_t) optional_policy(` @@ -551,14 +550,13 @@ miscfiles_read_localization(hplip_t) sysnet_read_config(hplip_t) userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_all_users_home_content(hplip_t) +userdom_dontaudit_search_user_home_dirs(hplip_t) +userdom_dontaudit_search_user_home_content(hplip_t) lpd_read_config(cupsd_t) -sysadm_dontaudit_search_home_dirs(hplip_t) - optional_policy(` - dbus_system_bus_client_template(hplip, hplip_t) + dbus_system_bus_client(hplip_t) ') optional_policy(` @@ -628,7 +626,7 @@ miscfiles_read_localization(ptal_t) sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -userdom_dontaudit_search_all_users_home_content(ptal_t) +userdom_dontaudit_search_user_home_content(ptal_t) optional_policy(` seutil_sigchld_newrole(ptal_t) diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te index 6e1c9fd..4bc1990 100644 --- a/policy/modules/services/cyphesis.te +++ b/policy/modules/services/cyphesis.te @@ -1,5 +1,5 @@ -policy_module(cyphesis, 1.0.0) +policy_module(cyphesis, 1.0.1) ######################################## # @@ -73,7 +73,7 @@ sysnet_dns_name_resolve(cyphesis_t) # cyphesis wants to talk to avahi via dbus optional_policy(` avahi_dbus_chat(cyphesis_t) - dbus_system_bus_client_template(cyphesis, cyphesis_t) + dbus_system_bus_client(cyphesis_t) ') optional_policy(` diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if index b4e232d..ff8f24d 100644 --- a/policy/modules/services/cyrus.if +++ b/policy/modules/services/cyrus.if @@ -79,4 +79,3 @@ interface(`cyrus_admin',` files_list_pids($1) admin_pattern($1, cyrus_var_run_t) ') - diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index b8fe817..39b8b04 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -1,5 +1,5 @@ -policy_module(cyrus, 1.7.0) +policy_module(cyrus, 1.7.1) ######################################## # @@ -108,14 +108,12 @@ miscfiles_read_certs(cyrus_t) sysnet_read_config(cyrus_t) -userdom_dontaudit_use_unpriv_user_fds(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) +userdom_dontaudit_search_user_home_dirs(cyrus_t) mta_manage_spool(cyrus_t) mta_send_mail(cyrus_t) -sysadm_dontaudit_search_home_dirs(cyrus_t) - optional_policy(` cron_system_entry(cyrus_t, cyrus_exec_t) ') diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te index fd80978..9231cd4 100644 --- a/policy/modules/services/dante.te +++ b/policy/modules/services/dante.te @@ -1,5 +1,5 @@ -policy_module(dante, 1.5.0) +policy_module(dante, 1.5.1) ######################################## # @@ -69,8 +69,7 @@ miscfiles_read_localization(dante_t) sysnet_read_config(dante_t) userdom_dontaudit_use_unpriv_user_fds(dante_t) - -sysadm_dontaudit_search_home_dirs(dante_t) +userdom_dontaudit_search_user_home_dirs(dante_t) optional_policy(` seutil_sigchld_newrole(dante_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc index 1f30fc4..e67e4e6 100644 --- a/policy/modules/services/dbus.fc +++ b/policy/modules/services/dbus.fc @@ -1,8 +1,8 @@ /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) # Sorting does not work correctly if I combine these next two roles -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) -/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index f63337c..b117926 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -17,57 +17,45 @@ interface(`dbus_stub',` ') ') -####################################### +######################################## ## -## The per role template for the dbus module. +## Role access for dbus ## -## -##

-## This template creates a derived domain which is -## used for the user dbus. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`dbus_per_role_template',` +template(`dbus_role_template',` gen_require(` - type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; class dbus { send_msg acquire_svc }; + + attribute session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ') ############################## # # Delcarations # - type $1_dbusd_t; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, system_dbusd_exec_t) - role $3 types $1_dbusd_t; - - type $1_dbusd_$1_t; - type $1_dbusd_tmp_t; - files_tmp_file($1_dbusd_tmp_t) + type $1_dbusd_t, session_bus_type; + domain_type($1_dbusd_t) + domain_entry_file($1_dbusd_t, dbusd_exec_t) + ubac_constrained($1_dbusd_t) + role $2 types $1_dbusd_t; ############################## # @@ -85,31 +73,29 @@ template(`dbus_per_role_template',` allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; # For connecting to the bus - allow $2 $1_dbusd_t:unix_stream_socket connectto; - type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; + allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions - allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; - allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; + allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - manage_dirs_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t) - manage_files_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t) - files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) + manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) + manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) + files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) - domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) - allow $2 $1_dbusd_t:process { sigkill signal }; + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) + allow $3 $1_dbusd_t:process { sigkill signal }; # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $2) - allow $1_dbusd_t $2:process sigkill; - allow $2 $1_dbusd_t:fd use; - allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; - allow $2 $1_dbusd_t:process sigchld; + corecmd_bin_domtrans($1_dbusd_t, $3) + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; + allow $3 $1_dbusd_t:process sigchld; kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t) @@ -158,10 +144,10 @@ template(`dbus_per_role_template',` seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) - userdom_read_user_home_content_files($1, $1_dbusd_t) + userdom_read_user_home_content_files($1_dbusd_t) ifdef(`hide_broken_symptoms', ` - dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; + dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') tunable_policy(`read_default_t',` @@ -187,39 +173,29 @@ template(`dbus_per_role_template',` ## Template for creating connections to ## the system DBUS. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The type of the domain. ## ## # -template(`dbus_system_bus_client_template',` +interface(`dbus_system_bus_client',` gen_require(` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; ') -# type $1_dbusd_system_t; -# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t; - # SE-DBus specific permissions -# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; - allow $2 { system_dbusd_t self }:dbus send_msg; + allow $1 { system_dbusd_t self }:dbus send_msg; - read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($2) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) # For connecting to the bus - files_search_pids($2) - stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($2) + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + dbus_read_config($1) ') ####################################### @@ -227,64 +203,42 @@ template(`dbus_system_bus_client_template',` ## Template for creating connections to ## a user DBUS. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The type of the domain. ## ## # -template(`dbus_user_bus_client_template',` +interface(`dbus_session_bus_client',` gen_require(` - type $1_dbusd_t; + attribute session_bus_type; class dbus send_msg; ') -# type $2_dbusd_$1_t; -# type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t; - # SE-DBus specific permissions -# allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; - allow $3 { $1_dbusd_t self }:dbus send_msg; + allow $1 { session_bus_type self }:dbus send_msg; # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; + allow $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Send a message on user/application specific DBUS. +## Send a message the session DBUS. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`dbus_send_user_bus',` +interface(`dbus_send_session_bus',` gen_require(` - type $1_dbusd_t; + attribute session_bus_type; class dbus send_msg; ') - allow $2 $1_dbusd_t:dbus send_msg; + allow $1 session_bus_type:dbus send_msg; ') ######################################## diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 0e5c879..0ea943b 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus, 1.9.0) +policy_module(dbus, 1.9.1) gen_require(` class dbus all_dbus_perms; @@ -10,12 +10,22 @@ gen_require(` # Delcarations # -type dbusd_etc_t alias etc_dbusd_t; +attribute session_bus_type; + +type dbusd_etc_t; files_type(dbusd_etc_t) -type system_dbusd_t alias dbusd_t; -type system_dbusd_exec_t; -init_system_domain(system_dbusd_t, system_dbusd_exec_t) +type dbusd_exec_t; +corecmd_executable_file(dbusd_exec_t) + +type session_dbusd_tmp_t; +typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; +typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; +files_tmp_file(session_dbusd_tmp_t) +ubac_constrained(session_dbusd_tmp_t) + +type system_dbusd_t; +init_system_domain(system_dbusd_t, dbusd_exec_t) type system_dbusd_tmp_t; files_tmp_file(system_dbusd_tmp_t) @@ -28,7 +38,7 @@ files_pid_file(system_dbusd_var_run_t) ############################## # -# Local policy +# System bus local policy # # dac_override: /var/run/dbus is owned by messagebus on Debian @@ -103,8 +113,7 @@ seutil_read_default_contexts(system_dbusd_t) seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) - -sysadm_dontaudit_search_home_dirs(system_dbusd_t) +userdom_dontaudit_search_user_home_dirs(system_dbusd_t) tunable_policy(`read_default_t',` files_list_default(system_dbusd_t) diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if index 320c670..80102a7 100644 --- a/policy/modules/services/dcc.if +++ b/policy/modules/services/dcc.if @@ -34,11 +34,6 @@ interface(`dcc_domtrans_cdcc',` ## The role to be allowed the cdcc domain. ## ## -## -## -## The type of the terminal allow the cdcc domain to use. -## -## ## # interface(`dcc_run_cdcc',` @@ -48,7 +43,6 @@ interface(`dcc_run_cdcc',` dcc_domtrans_cdcc($1) role $2 types cdcc_t; - allow cdcc_t $3:chr_file rw_term_perms; ') ######################################## @@ -85,11 +79,6 @@ interface(`dcc_domtrans_client',` ## The role to be allowed the dcc_client domain. ## ## -## -## -## The type of the terminal allow the dcc_client domain to use. -## -## ## # interface(`dcc_run_client',` @@ -99,7 +88,6 @@ interface(`dcc_run_client',` dcc_domtrans_client($1) role $2 types dcc_client_t; - allow dcc_client_t $3:chr_file rw_term_perms; ') ######################################## @@ -136,11 +124,6 @@ interface(`dcc_domtrans_dbclean',` ## The role to be allowed the dcc_dbclean domain. ## ## -## -## -## The type of the terminal allow the dcc_dbclean domain to use. -## -## ## # interface(`dcc_run_dbclean',` @@ -150,7 +133,6 @@ interface(`dcc_run_dbclean',` dcc_domtrans_dbclean($1) role $2 types dcc_dbclean_t; - allow dcc_dbclean_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te index b3c90f3..baddef3 100644 --- a/policy/modules/services/dcc.te +++ b/policy/modules/services/dcc.te @@ -1,5 +1,5 @@ -policy_module(dcc, 1.6.0) +policy_module(dcc, 1.6.1) ######################################## # @@ -112,6 +112,8 @@ miscfiles_read_localization(cdcc_t) sysnet_read_config(cdcc_t) sysnet_dns_name_resolve(cdcc_t) +userdom_use_user_terminals(cdcc_t) + optional_policy(` nscd_socket_use(cdcc_t) ') @@ -152,6 +154,8 @@ miscfiles_read_localization(dcc_client_t) sysnet_read_config(dcc_client_t) sysnet_dns_name_resolve(dcc_client_t) +userdom_use_user_terminals(dcc_client_t) + optional_policy(` nscd_socket_use(dcc_client_t) ') @@ -192,6 +196,8 @@ miscfiles_read_localization(dcc_dbclean_t) sysnet_read_config(dcc_dbclean_t) sysnet_dns_name_resolve(dcc_dbclean_t) +userdom_use_user_terminals(dcc_dbclean_t) + optional_policy(` nscd_socket_use(dcc_dbclean_t) ') @@ -261,8 +267,7 @@ sysnet_read_config(dccd_t) sysnet_dns_name_resolve(dccd_t) userdom_dontaudit_use_unpriv_user_fds(dccd_t) - -sysadm_dontaudit_search_home_dirs(dccd_t) +userdom_dontaudit_search_user_home_dirs(dccd_t) optional_policy(` nscd_socket_use(dccd_t) @@ -332,8 +337,7 @@ sysnet_read_config(dccifd_t) sysnet_dns_name_resolve(dccifd_t) userdom_dontaudit_use_unpriv_user_fds(dccifd_t) - -sysadm_dontaudit_search_home_dirs(dccifd_t) +userdom_dontaudit_search_user_home_dirs(dccifd_t) optional_policy(` nscd_socket_use(dccifd_t) @@ -402,8 +406,7 @@ sysnet_read_config(dccm_t) sysnet_dns_name_resolve(dccm_t) userdom_dontaudit_use_unpriv_user_fds(dccm_t) - -sysadm_dontaudit_search_home_dirs(dccm_t) +userdom_dontaudit_search_user_home_dirs(dccm_t) optional_policy(` nscd_socket_use(dccm_t) diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te index dccbbe2..4b42128 100644 --- a/policy/modules/services/ddclient.te +++ b/policy/modules/services/ddclient.te @@ -1,5 +1,5 @@ -policy_module(ddclient, 1.6.0) +policy_module(ddclient, 1.6.1) ######################################## # @@ -98,8 +98,7 @@ sysnet_exec_ifconfig(ddclient_t) sysnet_read_config(ddclient_t) userdom_dontaudit_use_unpriv_user_fds(ddclient_t) - -sysadm_dontaudit_search_home_dirs(ddclient_t) +userdom_dontaudit_search_user_home_dirs(ddclient_t) optional_policy(` seutil_sigchld_newrole(ddclient_t) diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te index 9e125b7..a81476a 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -1,5 +1,5 @@ -policy_module(dhcp, 1.6.0) +policy_module(dhcp, 1.6.1) ######################################## # @@ -96,8 +96,7 @@ sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) - -sysadm_dontaudit_search_home_dirs(dhcpd_t) +userdom_dontaudit_search_user_home_dirs(dhcpd_t) ifdef(`distro_gentoo',` allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; @@ -109,7 +108,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(dhcpd, dhcpd_t) + dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te index eb74f4e..4d0c431 100644 --- a/policy/modules/services/distcc.te +++ b/policy/modules/services/distcc.te @@ -1,5 +1,5 @@ -policy_module(distcc, 1.6.0) +policy_module(distcc, 1.6.1) ######################################## # @@ -79,8 +79,7 @@ miscfiles_read_localization(distccd_t) sysnet_read_config(distccd_t) userdom_dontaudit_use_unpriv_user_fds(distccd_t) - -sysadm_dontaudit_search_home_dirs(distccd_t) +userdom_dontaudit_search_user_home_dirs(distccd_t) optional_policy(` nis_use_ypbind(distccd_t) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 9dbbc52..c2002a0 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -1,5 +1,5 @@ -policy_module(dnsmasq, 1.6.0) +policy_module(dnsmasq, 1.6.1) ######################################## # @@ -78,8 +78,7 @@ miscfiles_read_localization(dnsmasq_t) sysnet_read_config(dnsmasq_t) userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - -sysadm_dontaudit_search_home_dirs(dnsmasq_t) +userdom_dontaudit_search_user_home_dirs(dnsmasq_t) optional_policy(` nis_use_ypbind(dnsmasq_t) diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc index a738f3e..7018910 100644 --- a/policy/modules/services/dovecot.fc +++ b/policy/modules/services/dovecot.fc @@ -33,4 +33,3 @@ ifdef(`distro_redhat', ` /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) - diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 0148550..7f49af3 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot, 1.9.0) +policy_module(dovecot, 1.9.1) ######################################## # @@ -110,12 +110,15 @@ miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_priveleged_home_dir_manager(dovecot_t) +userdom_manage_user_home_content_dirs(dovecot_t) +userdom_manage_user_home_content_files(dovecot_t) +userdom_manage_user_home_content_symlinks(dovecot_t) +userdom_manage_user_home_content_pipes(dovecot_t) +userdom_manage_user_home_content_sockets(dovecot_t) +userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) mta_manage_spool(dovecot_t) -sysadm_dontaudit_search_home_dirs(dovecot_t) - optional_policy(` kerberos_use(dovecot_t) ') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index eb01ac7..0cbf37b 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -1,5 +1,5 @@ -policy_module(exim, 1.2.0) +policy_module(exim, 1.2.1) ######################################## # @@ -99,20 +99,18 @@ miscfiles_read_localization(exim_t) sysnet_dns_name_resolve(exim_t) -unprivuser_dontaudit_search_home_dirs(exim_t) +userdom_dontaudit_search_user_home_dirs(exim_t) mta_read_aliases(exim_t) mta_rw_spool(exim_t) -sysadm_dontaudit_search_home_dirs(exim_t) - tunable_policy(`exim_read_user_files',` - userdom_read_unpriv_users_home_content_files(exim_t) - userdom_read_unpriv_users_tmp_files(exim_t) + userdom_read_user_home_content_files(exim_t) + userdom_read_user_tmp_files(exim_t) ') tunable_policy(`exim_manage_user_files',` - userdom_manage_unpriv_users_home_content_dirs(exim_t) - userdom_read_unpriv_users_tmp_files(exim_t) - userdom_write_unpriv_users_tmp_files(exim_t) + userdom_manage_user_home_content_dirs(exim_t) + userdom_read_user_tmp_files(exim_t) + userdom_write_user_tmp_files(exim_t) ') diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te index b9720c1..3ee6d4b 100644 --- a/policy/modules/services/fetchmail.te +++ b/policy/modules/services/fetchmail.te @@ -1,5 +1,5 @@ -policy_module(fetchmail, 1.7.0) +policy_module(fetchmail, 1.7.1) ######################################## # @@ -80,8 +80,7 @@ miscfiles_read_certs(fetchmail_t) sysnet_read_config(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) - -sysadm_dontaudit_search_home_dirs(fetchmail_t) +userdom_dontaudit_search_user_home_dirs(fetchmail_t) optional_policy(` procmail_domtrans(fetchmail_t) diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 0c8a0b8..ba4cb01 100644 --- a/policy/modules/services/finger.te +++ b/policy/modules/services/finger.te @@ -1,5 +1,5 @@ -policy_module(finger, 1.7.0) +policy_module(finger, 1.7.1) ######################################## # @@ -90,11 +90,9 @@ miscfiles_read_localization(fingerd_t) # stop it accessing sub-directories, prevents checking a Maildir for new mail, # have to change this when we create a type for Maildir -userdom_read_unpriv_users_home_content_files(fingerd_t) +userdom_read_user_home_content_files(fingerd_t) userdom_dontaudit_use_unpriv_user_fds(fingerd_t) -sysadm_dontaudit_search_home_dirs(fingerd_t) - optional_policy(` cron_system_entry(fingerd_t, fingerd_exec_t) ') diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index f07f6d4..b593224 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -1,42 +1,5 @@ ## File transfer protocol service -####################################### -## -## The per role template for the ftp module. -## -## -##

-## This template allows ftpd to manage files in -## a user home directory, creating files with the -## correct type. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`ftp_per_role_template',` - gen_require(` - type ftpd_t; - ') - - tunable_policy(`ftp_home_dir',` - userdom_manage_user_home_content_files($1, ftpd_t) - userdom_manage_user_home_content_symlinks($1, ftpd_t) - userdom_manage_user_home_content_sockets($1, ftpd_t) - userdom_manage_user_home_content_pipes($1, ftpd_t) - userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file }) - ') -') - ######################################## ## ## Use ftp by connecting over TCP. (Deprecated) @@ -141,11 +104,6 @@ interface(`ftp_domtrans_ftpdctl',` ## The role to allow the ftpdctl domain. ## ## -## -## -## The type of the terminal allow the ftpdctl domain to use. -## -## ## # interface(`ftp_run_ftpdctl',` @@ -155,7 +113,6 @@ interface(`ftp_run_ftpdctl',` ftp_domtrans_ftpdctl($1) role $2 types ftpdctl_t; - allow ftpdctl_t $3:chr_file rw_term_perms; ') ######################################## @@ -173,11 +130,6 @@ interface(`ftp_run_ftpdctl',` ## The role to be allowed to manage the ftp domain. ## ## -## -## -## The type of the terminal allow the ftpdctl domain to use. -## -## ## # interface(`ftp_admin',` @@ -197,7 +149,7 @@ interface(`ftp_admin',` allow $2 system_r; ps_process_pattern($1, ftpdctl_t) - ftp_run_ftpdctl($1, $2, $3) + ftp_run_ftpdctl($1, $2) miscfiles_manage_public_files($1) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 6c0dcf0..597a734 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp, 1.9.0) +policy_module(ftp, 1.9.1) ######################################## # @@ -184,8 +184,7 @@ sysnet_read_config(ftpd_t) sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) - -sysadm_dontaudit_search_home_dirs(ftpd_t) +userdom_dontaudit_search_user_home_dirs(ftpd_t) tunable_policy(`allow_ftpd_anon_write',` miscfiles_manage_public_files(ftpd_t) @@ -219,10 +218,11 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) - userdom_read_all_users_home_content_files(ftpd_t) - userdom_manage_all_users_home_content_dirs(ftpd_t) - userdom_manage_all_users_home_content_files(ftpd_t) - userdom_manage_all_users_home_content_symlinks(ftpd_t) + userdom_read_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_dirs(ftpd_t) + userdom_manage_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_symlinks(ftpd_t) + userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` @@ -292,3 +292,5 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files files_read_etc_files(ftpdctl_t) + +userdom_use_user_terminals(ftpdctl_t) diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te index c8b8742..0baa897 100644 --- a/policy/modules/services/gatekeeper.te +++ b/policy/modules/services/gatekeeper.te @@ -1,5 +1,5 @@ -policy_module(gatekeeper, 1.5.0) +policy_module(gatekeeper, 1.5.1) ######################################## # @@ -85,8 +85,7 @@ miscfiles_read_localization(gatekeeper_t) sysnet_read_config(gatekeeper_t) userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) - -sysadm_dontaudit_search_home_dirs(gatekeeper_t) +userdom_dontaudit_search_user_home_dirs(gatekeeper_t) optional_policy(` nis_use_ypbind(gatekeeper_t) diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te index 9ad5472..e991ef5 100644 --- a/policy/modules/services/gpm.te +++ b/policy/modules/services/gpm.te @@ -1,5 +1,5 @@ -policy_module(gpm, 1.5.0) +policy_module(gpm, 1.5.1) ######################################## # @@ -66,8 +66,7 @@ logging_send_syslog_msg(gpm_t) miscfiles_read_localization(gpm_t) userdom_dontaudit_use_unpriv_user_fds(gpm_t) - -sysadm_dontaudit_search_home_dirs(gpm_t) +userdom_dontaudit_search_user_home_dirs(gpm_t) optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 260c08d..3e49a36 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal, 1.10.0) +policy_module(hal, 1.10.1) ######################################## # @@ -197,8 +197,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) userdom_dontaudit_use_unpriv_user_fds(hald_t) - -sysadm_dontaudit_search_home_dirs(hald_t) +userdom_dontaudit_search_user_home_dirs(hald_t) optional_policy(` alsa_domtrans(hald_t) @@ -233,7 +232,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(hald, hald_t) + dbus_system_bus_client(hald_t) dbus_connect_system_bus(hald_t) init_dbus_chat_script(hald_t) diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te index e135a7e..1560d23 100644 --- a/policy/modules/services/howl.te +++ b/policy/modules/services/howl.te @@ -1,5 +1,5 @@ -policy_module(howl, 1.6.0) +policy_module(howl, 1.6.1) ######################################## # @@ -66,8 +66,7 @@ miscfiles_read_localization(howl_t) sysnet_read_config(howl_t) userdom_dontaudit_use_unpriv_user_fds(howl_t) - -sysadm_dontaudit_search_home_dirs(howl_t) +userdom_dontaudit_search_user_home_dirs(howl_t) optional_policy(` nis_use_ypbind(howl_t) diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te index f3db142..bcb0113 100644 --- a/policy/modules/services/i18n_input.te +++ b/policy/modules/services/i18n_input.te @@ -1,5 +1,5 @@ -policy_module(i18n_input, 1.6.0) +policy_module(i18n_input, 1.6.1) ######################################## # @@ -74,9 +74,7 @@ miscfiles_read_localization(i18n_input_t) sysnet_read_config(i18n_input_t) userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) -userdom_read_unpriv_users_home_content_files(i18n_input_t) - -sysadm_dontaudit_search_home_dirs(i18n_input_t) +userdom_read_user_home_content_files(i18n_input_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(i18n_input_t) diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te index d8c62bf..6b53adf 100644 --- a/policy/modules/services/imaze.te +++ b/policy/modules/services/imaze.te @@ -1,5 +1,5 @@ -policy_module(imaze, 1.5.0) +policy_module(imaze, 1.5.1) ######################################## # @@ -85,8 +85,7 @@ miscfiles_read_localization(imazesrv_t) sysnet_read_config(imazesrv_t) userdom_use_unpriv_users_fds(imazesrv_t) - -sysadm_dontaudit_search_home_dirs(imazesrv_t) +userdom_dontaudit_search_user_home_dirs(imazesrv_t) optional_policy(` nis_use_ypbind(imazesrv_t) diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index d788754..faeadf0 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd, 1.8.0) +policy_module(inetd, 1.8.1) ######################################## # @@ -150,8 +150,7 @@ mls_process_set_level(inetd_t) sysnet_read_config(inetd_t) userdom_dontaudit_use_unpriv_user_fds(inetd_t) - -sysadm_dontaudit_search_home_dirs(inetd_t) +userdom_dontaudit_search_user_home_dirs(inetd_t) ifdef(`distro_redhat',` optional_policy(` diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index e0d02e0..cc5dabe 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -1,5 +1,5 @@ -policy_module(inn, 1.7.0) +policy_module(inn, 1.7.1) ######################################## # @@ -105,8 +105,7 @@ seutil_dontaudit_search_config(innd_t) sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) - -sysadm_dontaudit_search_home_dirs(innd_t) +userdom_dontaudit_search_user_home_dirs(innd_t) mta_send_mail(innd_t) diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te index fafbdd5..0015e70 100644 --- a/policy/modules/services/ircd.te +++ b/policy/modules/services/ircd.te @@ -1,5 +1,5 @@ -policy_module(ircd, 1.5.0) +policy_module(ircd, 1.5.1) ######################################## # @@ -79,8 +79,7 @@ miscfiles_read_localization(ircd_t) sysnet_read_config(ircd_t) userdom_dontaudit_use_unpriv_user_fds(ircd_t) - -sysadm_dontaudit_search_home_dirs(ircd_t) +userdom_dontaudit_search_user_home_dirs(ircd_t) optional_policy(` nis_use_ypbind(ircd_t) diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te index a7e1ad4..30f26e8 100644 --- a/policy/modules/services/irqbalance.te +++ b/policy/modules/services/irqbalance.te @@ -1,5 +1,5 @@ -policy_module(irqbalance, 1.3.0) +policy_module(irqbalance, 1.3.1) ######################################## # @@ -47,8 +47,7 @@ logging_send_syslog_msg(irqbalance_t) miscfiles_read_localization(irqbalance_t) userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) - -sysadm_dontaudit_search_home_dirs(irqbalance_t) +userdom_dontaudit_search_user_home_dirs(irqbalance_t) optional_policy(` seutil_sigchld_newrole(irqbalance_t) diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 6a123ff..c0d8cee 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -1,5 +1,5 @@ -policy_module(jabber, 1.6.0) +policy_module(jabber, 1.6.1) ######################################## # @@ -80,8 +80,7 @@ miscfiles_read_localization(jabberd_t) sysnet_read_config(jabberd_t) userdom_dontaudit_use_unpriv_user_fds(jabberd_t) - -sysadm_dontaudit_search_home_dirs(jabberd_t) +userdom_dontaudit_search_user_home_dirs(jabberd_t) optional_policy(` nis_use_ypbind(jabberd_t) diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 8ab5c86..00ff5fa 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos, 1.8.0) +policy_module(kerberos, 1.8.1) ######################################## # @@ -153,8 +153,7 @@ sysnet_read_config(kadmind_t) sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) - -sysadm_dontaudit_search_home_dirs(kadmind_t) +userdom_dontaudit_search_user_home_dirs(kadmind_t) optional_policy(` nis_use_ypbind(kadmind_t) @@ -254,8 +253,7 @@ sysnet_read_config(krb5kdc_t) sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) - -sysadm_dontaudit_search_home_dirs(krb5kdc_t) +userdom_dontaudit_search_user_home_dirs(krb5kdc_t) optional_policy(` nis_use_ypbind(krb5kdc_t) diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te index f9bb268..e27a1ec 100644 --- a/policy/modules/services/kerneloops.te +++ b/policy/modules/services/kerneloops.te @@ -1,5 +1,5 @@ -policy_module(kerneloops, 1.1.0) +policy_module(kerneloops, 1.1.1) ######################################## # @@ -46,6 +46,6 @@ miscfiles_read_localization(kerneloops_t) sysnet_dns_name_resolve(kerneloops_t) optional_policy(` - dbus_system_bus_client_template(kerneloops, kerneloops_t) + dbus_system_bus_client(kerneloops_t) dbus_connect_system_bus(kerneloops_t) ') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index 07d2572..f228aae 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap, 1.8.0) +policy_module(ldap, 1.8.1) ######################################## # @@ -114,8 +114,7 @@ miscfiles_read_certs(slapd_t) miscfiles_read_localization(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) - -sysadm_dontaudit_search_home_dirs(slapd_t) +userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` kerberos_use(slapd_t) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index ae4ac06..5a7046d 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -1,230 +1,36 @@ ## Line printer daemon -####################################### +######################################## ## -## The per role template for the lpd module. +## Role access for lpd ## -## -##

-## This template creates a derived domains which are used -## for lpr printing client. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`lpd_per_role_template',` +interface(`lpd_role',` gen_require(` - type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t; - ') - - ############################## - # - # Declarations - # - # Derived domain based on the calling user domain and the program - type $1_lpr_t; - application_domain($1_lpr_t, lpr_exec_t) - role $3 types $1_lpr_t; - - type $1_lpr_tmp_t; - files_tmp_file($1_lpr_tmp_t) - - # Type for spool files. - type $1_print_spool_t; - files_type($1_print_spool_t) - - ############################## - # - # Local policy - # - allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown }; - allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms; - allow $1_lpr_t self:tcp_socket create_socket_perms; - allow $1_lpr_t self:udp_socket create_socket_perms; - allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms; - - can_exec($1_lpr_t,lpr_exec_t) - - tunable_policy(`use_lpd_server',` - # lpr can run in lightweight mode, without a local print spooler. - allow $1_lpr_t lpd_var_run_t:dir search; - allow $1_lpr_t lpd_var_run_t:sock_file write; - files_read_var_files($1_lpr_t) - - # Connect to lpd via a Unix domain socket. - allow $1_lpr_t printer_t:sock_file rw_sock_file_perms; - allow $1_lpr_t lpd_t:unix_stream_socket connectto; - # Send SIGHUP to lpd. - allow $1_lpr_t lpd_t:process signal; - - manage_dirs_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t) - manage_files_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t) - files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir }) - - manage_files_pattern($1_lpr_t, print_spool_t, $1_print_spool_t) - filetrans_pattern($1_lpr_t, print_spool_t, $1_print_spool_t, file) - # Read and write shared files in the spool directory. - allow $1_lpr_t print_spool_t:file rw_file_perms; - - allow $1_lpr_t printconf_t:dir list_dir_perms; - read_files_pattern($1_lpr_t, printconf_t, printconf_t) - read_lnk_files_pattern($1_lpr_t, printconf_t, printconf_t) + type lpr_t, lpr_exec_t, print_spool_t; ') - dontaudit $1_lpr_t $2:unix_stream_socket { read write }; + role $1 types lpr_t; # Transition from the user domain to the derived domain. - domtrans_pattern($2, lpr_exec_t, $1_lpr_t) - - allow $2 $1_lpr_t:process signull; - - # Allow lpd to read, rename, and unlink spool files. - allow lpd_t $1_print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; - - kernel_read_kernel_sysctls($1_lpr_t) - - corenet_all_recvfrom_unlabeled($1_lpr_t) - corenet_all_recvfrom_netlabel($1_lpr_t) - corenet_tcp_sendrecv_generic_if($1_lpr_t) - corenet_udp_sendrecv_generic_if($1_lpr_t) - corenet_tcp_sendrecv_all_nodes($1_lpr_t) - corenet_udp_sendrecv_all_nodes($1_lpr_t) - corenet_tcp_sendrecv_all_ports($1_lpr_t) - corenet_udp_sendrecv_all_ports($1_lpr_t) - corenet_tcp_connect_all_ports($1_lpr_t) - corenet_sendrecv_all_client_packets($1_lpr_t) - - dev_read_rand($1_lpr_t) - dev_read_urand($1_lpr_t) - - domain_use_interactive_fds($1_lpr_t) - - files_search_spool($1_lpr_t) - # for lpd config files (should have a new type) - files_read_etc_files($1_lpr_t) - # for test print - files_read_usr_files($1_lpr_t) - #Added to cover read_content macro - files_list_home($1_lpr_t) - files_read_generic_tmp_files($1_lpr_t) - - fs_getattr_xattr_fs($1_lpr_t) - - # Access the terminal. - term_use_controlling_term($1_lpr_t) - term_use_generic_ptys($1_lpr_t) - - miscfiles_read_localization($1_lpr_t) - - sysnet_read_config($1_lpr_t) - - userdom_read_user_tmp_symlinks($1,$1_lpr_t) - # Write to the user domain tty. - userdom_use_user_terminals($1,$1_lpr_t) - userdom_read_user_home_content_files($1,$1_lpr_t) - userdom_read_user_tmp_files($1,$1_lpr_t) - - tunable_policy(`read_default_t',` - files_list_default($1_lpr_t) - files_read_default_symlinks($1_lpr_t) - files_read_default_files($1_lpr_t) - ') - - tunable_policy(`read_untrusted_content',` - #list and read user specific untrusted content - userdom_read_user_untrusted_content_files($1, $1_lpr_t) - - #list and read user specific temporary untrusted content - files_list_tmp($1_lpr_t) - userdom_read_user_tmp_untrusted_content_files($1, $1_lpr_t) - ') + domtrans_pattern($2, lpr_exec_t, lpr_t) + dontaudit lpr_t $2:unix_stream_socket { read write }; - tunable_policy(`use_nfs_home_dirs',` - files_list_home($1_lpr_t) - fs_list_auto_mountpoints($1_lpr_t) - fs_read_nfs_files($1_lpr_t) - fs_read_nfs_symlinks($1_lpr_t) - ') - - tunable_policy(`use_samba_home_dirs',` - files_list_home($1_lpr_t) - fs_list_auto_mountpoints($1_lpr_t) - fs_read_cifs_files($1_lpr_t) - fs_read_cifs_symlinks($1_lpr_t) - ') + ps_process_pattern($2, lpr_t) + allow $2 lpr_t:process signull; optional_policy(` - cups_read_config($1_lpr_t) cups_read_config($2) - cups_stream_connect($1_lpr_t) - cups_read_pid_files($1_lpr_t) - ') - - optional_policy(` - logging_send_syslog_msg($1_lpr_t) - ') - - optional_policy(` - nscd_socket_use($1_lpr_t) - ') - - optional_policy(` - nis_use_ypbind($1_lpr_t) - ') -') - -####################################### -## -## The administrative functions template for the lpd module. -## -## -##

-## This template creates rules for administrating the ldp service, -## allowing the specified user to manage lpr files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`lpr_admin_template',` - gen_require(` - type $1_lpr_t, print_spool_t; - ') - - userdom_read_all_users_home_content_files($1_lpr_t) - - # Read and write shared files in the spool directory. - allow $1_lpr_t print_spool_t:file rw_file_perms; - - # Allow per user lpr domain read acces for specific user. - tunable_policy(`read_untrusted_content',` - userdom_read_all_untrusted_content($1_lpr_t) - userdom_read_all_tmp_untrusted_content($1_lpr_t) ') ') @@ -261,11 +67,6 @@ interface(`lpd_domtrans_checkpc',` ## The role to be allowed the lpd domain. ## ## -## -## -## The type of the terminal allow the lpd domain to use. -## -## ## # interface(`lpd_run_checkpc',` @@ -275,7 +76,6 @@ interface(`lpd_run_checkpc',` lpd_domtrans_checkpc($1) role $2 types checkpc_t; - allow checkpc_t $3:chr_file rw_term_perms; ') ######################################## @@ -379,33 +179,18 @@ interface(`lpd_read_config',` ## ## Transition to a user lpr domain. ## -## -##

-## Transition to a user lpr domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`lpd_domtrans_user_lpr',` +template(`lpd_domtrans_lpr',` gen_require(` - type $1_lpr_t, lpr_exec_t; + type lpr_t, lpr_exec_t; ') - domtrans_pattern($2, lpr_exec_t, $1_lpr_t) + domtrans_pattern($1, lpr_exec_t, lpr_t) ') ######################################## diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 6093e9b..0dd55e8 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd, 1.10.0) +policy_module(lpd, 1.10.1) ######################################## # @@ -31,11 +31,25 @@ files_tmp_file(lpd_tmp_t) type lpd_var_run_t; files_pid_file(lpd_var_run_t) +type lpr_t; type lpr_exec_t; -application_executable_file(lpr_exec_t) - +typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; +typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; +application_domain(lpr_t, lpr_exec_t) +ubac_constrained(lpr_t) + +type lpr_tmp_t; +typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; +typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; +files_tmp_file(lpr_tmp_t) +ubac_constrained(lpr_tmp_t) + +# Type for spool files. type print_spool_t; -files_tmp_file(print_spool_t) +typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; +typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +files_type(print_spool_t) +ubac_constrained(print_spool_t) type printer_t; files_type(printer_t) @@ -100,6 +114,8 @@ init_use_fds(checkpc_t) sysnet_read_config(checkpc_t) +userdom_use_user_terminals(checkpc_t) + optional_policy(` cron_system_entry(checkpc_t, checkpc_exec_t) ') @@ -132,7 +148,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t, file) +files_pid_filetrans(lpd_t, lpd_var_run_t,file) # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) @@ -194,8 +210,7 @@ miscfiles_read_localization(lpd_t) sysnet_read_config(lpd_t) userdom_dontaudit_use_unpriv_user_fds(lpd_t) - -sysadm_dontaudit_search_home_dirs(lpd_t) +userdom_dontaudit_search_user_home_dirs(lpd_t) optional_policy(` nis_use_ypbind(lpd_t) @@ -208,3 +223,126 @@ optional_policy(` optional_policy(` udev_read_db(lpd_t) ') + +############################## +# +# Local policy +# + +allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:unix_stream_socket create_stream_socket_perms; +allow lpr_t self:tcp_socket create_socket_perms; +allow lpr_t self:udp_socket create_socket_perms; +allow lpr_t self:netlink_route_socket r_netlink_socket_perms; + +can_exec(lpr_t, lpr_exec_t) + +# Allow lpd to read, rename, and unlink spool files. +allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; + +kernel_read_kernel_sysctls(lpr_t) + +corenet_all_recvfrom_unlabeled(lpr_t) +corenet_all_recvfrom_netlabel(lpr_t) +corenet_tcp_sendrecv_generic_if(lpr_t) +corenet_udp_sendrecv_generic_if(lpr_t) +corenet_tcp_sendrecv_all_nodes(lpr_t) +corenet_udp_sendrecv_all_nodes(lpr_t) +corenet_tcp_sendrecv_all_ports(lpr_t) +corenet_udp_sendrecv_all_ports(lpr_t) +corenet_tcp_connect_all_ports(lpr_t) +corenet_sendrecv_all_client_packets(lpr_t) + +dev_read_rand(lpr_t) +dev_read_urand(lpr_t) + +domain_use_interactive_fds(lpr_t) + +files_search_spool(lpr_t) +# for lpd config files (should have a new type) +files_read_etc_files(lpr_t) +# for test print +files_read_usr_files(lpr_t) +#Added to cover read_content macro +files_list_home(lpr_t) +files_read_generic_tmp_files(lpr_t) + +fs_getattr_xattr_fs(lpr_t) + +# Access the terminal. +term_use_controlling_term(lpr_t) +term_use_generic_ptys(lpr_t) + +miscfiles_read_localization(lpr_t) + +sysnet_read_config(lpr_t) + +userdom_read_user_tmp_symlinks(lpr_t) +# Write to the user domain tty. +userdom_use_user_terminals(lpr_t) +userdom_read_user_home_content_files(lpr_t) +userdom_read_user_tmp_files(lpr_t) + +tunable_policy(`read_default_t',` + files_list_default(lpr_t) + files_read_default_symlinks(lpr_t) + files_read_default_files(lpr_t) +') + +tunable_policy(`use_lpd_server',` + # lpr can run in lightweight mode, without a local print spooler. + allow lpr_t lpd_var_run_t:dir search; + allow lpr_t lpd_var_run_t:sock_file write; + files_read_var_files(lpr_t) + + # Connect to lpd via a Unix domain socket. + allow lpr_t printer_t:sock_file rw_sock_file_perms; + allow lpr_t lpd_t:unix_stream_socket connectto; + # Send SIGHUP to lpd. + allow lpr_t lpd_t:process signal; + + manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) + + manage_files_pattern(lpr_t,print_spool_t,print_spool_t) + filetrans_pattern(lpr_t,print_spool_t,print_spool_t,file) + # Read and write shared files in the spool directory. + allow lpr_t print_spool_t:file rw_file_perms; + + allow lpr_t printconf_t:dir list_dir_perms; + read_files_pattern(lpr_t,printconf_t,printconf_t) + read_lnk_files_pattern(lpr_t,printconf_t,printconf_t) +') + +tunable_policy(`use_nfs_home_dirs',` + files_list_home(lpr_t) + fs_list_auto_mountpoints(lpr_t) + fs_read_nfs_files(lpr_t) + fs_read_nfs_symlinks(lpr_t) +') + +tunable_policy(`use_samba_home_dirs',` + files_list_home(lpr_t) + fs_list_auto_mountpoints(lpr_t) + fs_read_cifs_files(lpr_t) + fs_read_cifs_symlinks(lpr_t) +') + +optional_policy(` + cups_read_config(lpr_t) + cups_stream_connect(lpr_t) + cups_read_pid_files(lpr_t) +') + +optional_policy(` + logging_send_syslog_msg(lpr_t) +') + +optional_policy(` + nscd_socket_use(lpr_t) +') + +optional_policy(` + nis_use_ypbind(lpr_t) +') diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index ea67c12..d6c5212 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -1,5 +1,5 @@ -policy_module(mailman, 1.5.0) +policy_module(mailman, 1.5.1) ######################################## # @@ -99,11 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t) # for su seutil_dontaudit_search_config(mailman_queue_t) -su_exec(mailman_queue_t) - # some of the following could probably be changed to dontaudit, someone who # knows mailman well should test this out and send the changes -sysadm_search_home_dirs(mailman_queue_t) +userdom_search_user_home_dirs(mailman_queue_t) + +su_exec(mailman_queue_t) optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te index df46abf..23842b3 100644 --- a/policy/modules/services/monop.te +++ b/policy/modules/services/monop.te @@ -1,5 +1,5 @@ -policy_module(monop, 1.5.0) +policy_module(monop, 1.5.1) ######################################## # @@ -71,8 +71,7 @@ miscfiles_read_localization(monopd_t) sysnet_read_config(monopd_t) userdom_dontaudit_use_unpriv_user_fds(monopd_t) - -sysadm_dontaudit_search_home_dirs(monopd_t) +userdom_dontaudit_search_user_home_dirs(monopd_t) optional_policy(` nis_use_ypbind(monopd_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 5bfa326..1709743 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -132,154 +132,36 @@ template(`mta_base_mail_template',` ') -####################################### +######################################## ## -## The per role template for the mta module. +## Role access for mta ## -## -##

-## This template creates a derived domain which is -## a email transfer agent, which sends mail on -## behalf of the user. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`mta_per_role_template',` +interface(`mta_role',` gen_require(` attribute mta_user_agent; - attribute mailserver_delivery; - type sendmail_exec_t; + type user_mail_t, sendmail_exec_t; ') - ############################## - # - # Declarations - # - - mta_base_mail_template($1) - role $3 types $1_mail_t; - - ############################## - # - # $1_mail_t local policy - # + role $1 types { user_mail_t mta_user_agent }; # Transition from the user domain to the derived domain. - domtrans_pattern($2, sendmail_exec_t, $1_mail_t) + domtrans_pattern($2, sendmail_exec_t, user_mail_t) allow $2 sendmail_exec_t:lnk_file { getattr read }; - domain_use_interactive_fds($1_mail_t) - - userdom_use_user_terminals($1, $1_mail_t) - # Write to the user domain tty. cjp: why? - userdom_use_user_terminals($1, mta_user_agent) - # Create dead.letter in user home directories. - userdom_manage_user_home_content_files($1, $1_mail_t) - userdom_user_home_dir_filetrans_user_home_content($1, $1_mail_t, file) - # for reading .forward - maybe we need a new type for it? - # also for delivering mail to maildir - userdom_manage_user_home_content_dirs($1, mailserver_delivery) - userdom_manage_user_home_content_files($1, mailserver_delivery) - userdom_manage_user_home_content_symlinks($1, mailserver_delivery) - userdom_manage_user_home_content_pipes($1, mailserver_delivery) - userdom_manage_user_home_content_sockets($1, mailserver_delivery) - userdom_user_home_dir_filetrans_user_home_content($1, mailserver_delivery, { dir file lnk_file fifo_file sock_file }) - # Read user temporary files. - userdom_read_user_tmp_files($1, $1_mail_t) - userdom_dontaudit_append_user_tmp_files($1, $1_mail_t) - # cjp: this should probably be read all user tmp - # files in an appropriate place for mta_user_agent - userdom_read_user_tmp_files($1, mta_user_agent) - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_mail_t) - fs_manage_cifs_symlinks($1_mail_t) - ') - - optional_policy(` - allow $1_mail_t self:capability dac_override; - - # Read user temporary files. - # postfix seems to need write access if the file handle is opened read/write - userdom_rw_user_tmp_files($1, $1_mail_t) - - postfix_read_config($1_mail_t) - postfix_list_spool($1_mail_t) - ') -') - -######################################## -## -## Provide extra permissions for admin users -## mail domain. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -# -template(`mta_admin_template',` - gen_require(` - type $1_mail_t; - ') - - # allow the sysadmin to do "mail someone < /home/user/whatever" - userdom_read_unpriv_users_home_content_files($1_mail_t) - - optional_policy(` - gen_require(` - attribute mta_user_agent; - type etc_aliases_t; - ') - - allow mta_user_agent $2:fifo_file { read write }; - - manage_dirs_pattern($1_mail_t, etc_aliases_t, etc_aliases_t) - manage_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t) - manage_fifo_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t) - manage_sock_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t) - files_etc_filetrans($1_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) - - # postfix needs this for newaliases - files_getattr_tmp_dirs($1_mail_t) - - postfix_exec_master($1_mail_t) - - ifdef(`distro_redhat',` - # compatability for old default main.cf - postfix_config_filetrans($1_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') - ') + allow mta_user_agent $2:fd use; + allow mta_user_agent $2:process sigchld; + allow mta_user_agent $2:fifo_file { read write }; ') ######################################## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index d796fa4..27b9099 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta, 1.11.0) +policy_module(mta, 2.0.0) ######################################## # @@ -33,6 +33,14 @@ mta_agent_executable(sendmail_exec_t) mta_base_mail_template(system) role system_r types system_mail_t; +mta_base_mail_template(user) +typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; +typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; +typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; +typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; +ubac_constrained(user_mail_t) +ubac_constrained(user_mail_tmp_t) + ######################################## # # System mail local policy @@ -55,8 +63,8 @@ dev_read_urand(system_mail_t) init_use_script_ptys(system_mail_t) -sysadm_use_terms(system_mail_t) -sysadm_dontaudit_search_home_dirs(system_mail_t) +userdom_use_user_terminals(system_mail_t) +userdom_dontaudit_search_user_home_dirs(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) @@ -134,7 +142,7 @@ optional_policy(` ') optional_policy(` - userdom_dontaudit_use_unpriv_users_ptys(system_mail_t) + userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` cron_dontaudit_append_system_job_tmp_files(system_mail_t) @@ -160,3 +168,47 @@ optional_policy(` cron_read_system_job_tmp_files(mta_user_agent) ') ') + +######################################## +# +# User send mail local policy +# + +domain_use_interactive_fds(user_mail_t) + +userdom_use_user_terminals(user_mail_t) +# Write to the user domain tty. cjp: why? +userdom_use_user_terminals(mta_user_agent) +# Create dead.letter in user home directories. +userdom_manage_user_home_content_files(user_mail_t) +userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) +# for reading .forward - maybe we need a new type for it? +# also for delivering mail to maildir +userdom_manage_user_home_content_dirs(mailserver_delivery) +userdom_manage_user_home_content_files(mailserver_delivery) +userdom_manage_user_home_content_symlinks(mailserver_delivery) +userdom_manage_user_home_content_pipes(mailserver_delivery) +userdom_manage_user_home_content_sockets(mailserver_delivery) +userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) +# Read user temporary files. +userdom_read_user_tmp_files(user_mail_t) +userdom_dontaudit_append_user_tmp_files(user_mail_t) +# cjp: this should probably be read all user tmp +# files in an appropriate place for mta_user_agent +userdom_read_user_tmp_files(mta_user_agent) + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(user_mail_t) + fs_manage_cifs_symlinks(user_mail_t) +') + +optional_policy(` + allow user_mail_t self:capability dac_override; + + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write + userdom_rw_user_tmp_files(user_mail_t) + + postfix_read_config(user_mail_t) + postfix_list_spool(user_mail_t) +') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index e5f05ae..174b17d 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -1,5 +1,5 @@ -policy_module(munin, 1.5.0) +policy_module(munin, 1.5.1) ######################################## # @@ -93,8 +93,7 @@ miscfiles_read_localization(munin_t) sysnet_read_config(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) - -sysadm_dontaudit_search_home_dirs(munin_t) +userdom_dontaudit_search_user_home_dirs(munin_t) optional_policy(` # for accessing the output directory diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index c093fc4..8f5706a 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -1,5 +1,5 @@ -policy_module(mysql, 1.9.0) +policy_module(mysql, 1.9.1) ######################################## # @@ -97,9 +97,8 @@ miscfiles_read_localization(mysqld_t) sysnet_read_config(mysqld_t) userdom_dontaudit_use_unpriv_user_fds(mysqld_t) - # for /root/.my.cnf - should not be needed: -sysadm_read_home_content_files(mysqld_t) +userdom_read_user_home_content_files(mysqld_t) ifdef(`distro_redhat',` # because Fedora has the sock_file in the database directory diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 3d6b783..5fc26e7 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -1,5 +1,5 @@ -policy_module(nagios, 1.6.0) +policy_module(nagios, 1.6.1) ######################################## # @@ -100,11 +100,10 @@ logging_send_syslog_msg(nagios_t) miscfiles_read_localization(nagios_t) userdom_dontaudit_use_unpriv_user_fds(nagios_t) +userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) -sysadm_dontaudit_search_home_dirs(nagios_t) - optional_policy(` netutils_domtrans_ping(nagios_t) netutils_signal_ping(nagios_t) diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te index 1d265b0..0977507 100644 --- a/policy/modules/services/nessus.te +++ b/policy/modules/services/nessus.te @@ -1,5 +1,5 @@ -policy_module(nessus, 1.5.0) +policy_module(nessus, 1.5.1) ######################################## # @@ -91,8 +91,7 @@ miscfiles_read_localization(nessusd_t) sysnet_read_config(nessusd_t) userdom_dontaudit_use_unpriv_user_fds(nessusd_t) - -sysadm_dontaudit_search_home_dirs(nessusd_t) +userdom_dontaudit_search_user_home_dirs(nessusd_t) optional_policy(` nis_use_ypbind(nessusd_t) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index f978889..b36d63f 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager, 1.11.0) +policy_module(networkmanager, 1.11.1) ######################################## # @@ -127,11 +127,9 @@ sysnet_manage_config(NetworkManager_t) sysnet_etc_filetrans_config(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) -userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) +userdom_dontaudit_use_user_ttys(NetworkManager_t) # Read gnome-keyring -userdom_read_unpriv_users_home_content_files(NetworkManager_t) - -sysadm_dontaudit_search_home_dirs(NetworkManager_t) +userdom_read_user_home_content_files(NetworkManager_t) optional_policy(` bind_domtrans(NetworkManager_t) @@ -140,7 +138,7 @@ optional_policy(` ') optional_policy(` - bluetooth_dontaudit_read_helper_files(NetworkManager_t) + bluetooth_dontaudit_read_helper_state(NetworkManager_t) ') optional_policy(` @@ -148,7 +146,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(NetworkManager, NetworkManager_t) + dbus_system_bus_client(NetworkManager_t) dbus_connect_system_bus(NetworkManager_t) ') @@ -185,11 +183,6 @@ optional_policy(` ') optional_policy(` - # Read gnome-keyring - unconfined_read_home_content_files(NetworkManager_t) -') - -optional_policy(` vpn_domtrans(NetworkManager_t) vpn_signal(NetworkManager_t) ') @@ -198,6 +191,7 @@ optional_policy(` # # wpa_cli local policy # + allow wpa_cli_t self:capability dac_override; allow wpa_cli_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index bfcdfcb..d0572ac 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis, 1.7.0) +policy_module(nis, 1.7.1) ######################################## # @@ -108,8 +108,7 @@ miscfiles_read_localization(ypbind_t) sysnet_read_config(ypbind_t) userdom_dontaudit_use_unpriv_user_fds(ypbind_t) - -sysadm_dontaudit_search_home_dirs(ypbind_t) +userdom_dontaudit_search_user_home_dirs(ypbind_t) optional_policy(` seutil_sigchld_newrole(ypbind_t) @@ -187,8 +186,7 @@ miscfiles_read_localization(yppasswdd_t) sysnet_read_config(yppasswdd_t) userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) - -sysadm_dontaudit_search_home_dirs(yppasswdd_t) +userdom_dontaudit_search_user_home_dirs(yppasswdd_t) optional_policy(` hostname_exec(yppasswdd_t) @@ -268,8 +266,7 @@ nis_domtrans_ypxfr(ypserv_t) sysnet_read_config(ypserv_t) userdom_dontaudit_use_unpriv_user_fds(ypserv_t) - -sysadm_dontaudit_search_home_dirs(ypserv_t) +userdom_dontaudit_search_user_home_dirs(ypserv_t) optional_policy(` seutil_sigchld_newrole(ypserv_t) diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if index 732e5e8..33ce3da 100644 --- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -189,11 +189,6 @@ interface(`nscd_unconfined',` ## The role to be allowed the nscd domain. ## ## -## -## -## The type of the role's terminal. -## -## # interface(`nscd_run',` gen_require(` @@ -202,5 +197,4 @@ interface(`nscd_run',` nscd_domtrans($1) role $2 types nscd_t; - dontaudit nscd_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index f99aa8a..d84d0ac 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd, 1.7.0) +policy_module(nscd, 1.7.1) gen_require(` class nscd all_nscd_perms; @@ -100,9 +100,9 @@ seutil_sigchld_newrole(nscd_t) sysnet_read_config(nscd_t) +userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) - -sysadm_dontaudit_search_home_dirs(nscd_t) +userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` udev_read_db(nscd_t) diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te index f50ef97..d9b34e0 100644 --- a/policy/modules/services/nsd.te +++ b/policy/modules/services/nsd.te @@ -1,5 +1,5 @@ -policy_module(nsd, 1.5.0) +policy_module(nsd, 1.5.1) ######################################## # @@ -93,8 +93,7 @@ miscfiles_read_localization(nsd_t) sysnet_read_config(nsd_t) userdom_dontaudit_use_unpriv_user_fds(nsd_t) - -sysadm_dontaudit_search_home_dirs(nsd_t) +userdom_dontaudit_search_user_home_dirs(nsd_t) optional_policy(` nis_use_ypbind(nsd_t) @@ -167,7 +166,7 @@ miscfiles_read_localization(nsd_crond_t) sysnet_read_config(nsd_crond_t) -sysadm_dontaudit_search_home_dirs(nsd_crond_t) +userdom_dontaudit_search_user_home_dirs(nsd_crond_t) optional_policy(` cron_system_entry(nsd_crond_t, nsd_exec_t) diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index dce93e7..000815f 100644 --- a/policy/modules/services/ntop.te +++ b/policy/modules/services/ntop.te @@ -1,5 +1,5 @@ -policy_module(ntop, 1.6.0) +policy_module(ntop, 1.6.1) ######################################## # @@ -89,8 +89,7 @@ miscfiles_read_localization(ntop_t) sysnet_read_config(ntop_t) userdom_dontaudit_use_unpriv_user_fds(ntop_t) - -sysadm_dontaudit_search_home_dirs(ntop_t) +userdom_dontaudit_search_user_home_dirs(ntop_t) optional_policy(` seutil_sigchld_newrole(ntop_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index b5b2701..546c28e 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp, 1.7.0) +policy_module(ntp, 1.7.1) ######################################## # @@ -113,9 +113,7 @@ logging_send_syslog_msg(ntpd_t) miscfiles_read_localization(ntpd_t) userdom_dontaudit_use_unpriv_user_fds(ntpd_t) - -sysadm_list_home_dirs(ntpd_t) -sysadm_dontaudit_list_home_dirs(ntpd_t) +userdom_list_user_home_dirs(ntpd_t) optional_policy(` # for cron jobs diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if index 0d6b501..2102b0b 100644 --- a/policy/modules/services/oav.if +++ b/policy/modules/services/oav.if @@ -34,11 +34,6 @@ interface(`oav_domtrans_update',` ## The role to be allowed the oav_update domain. ## ## -## -## -## The type of the terminal allow the oav_update domain to use. -## -## ## # interface(`oav_run_update',` @@ -48,5 +43,4 @@ interface(`oav_run_update',` oav_domtrans_update($1) role $2 types oav_update_t; - allow oav_update_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te index d865e02..80a8ec9 100644 --- a/policy/modules/services/oav.te +++ b/policy/modules/services/oav.te @@ -1,5 +1,5 @@ -policy_module(oav, 1.7.0) +policy_module(oav, 1.7.1) ######################################## # @@ -67,6 +67,8 @@ logging_send_syslog_msg(oav_update_t) sysnet_read_config(oav_update_t) +userdom_use_user_terminals(oav_update_t) + optional_policy(` cron_system_entry(oav_update_t, oav_update_exec_t) ') @@ -134,8 +136,7 @@ miscfiles_read_localization(scannerdaemon_t) sysnet_read_config(scannerdaemon_t) userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) - -sysadm_dontaudit_search_home_dirs(scannerdaemon_t) +userdom_dontaudit_search_user_home_dirs(scannerdaemon_t) optional_policy(` seutil_sigchld_newrole(scannerdaemon_t) diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index c48e0f2..daba3ef 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -1,5 +1,5 @@ -policy_module(oddjob, 1.5.0) +policy_module(oddjob, 1.5.1) ######################################## # @@ -52,7 +52,7 @@ miscfiles_read_localization(oddjob_t) locallogin_dontaudit_use_fds(oddjob_t) optional_policy(` - dbus_system_bus_client_template(oddjob, oddjob_t) + dbus_system_bus_client(oddjob_t) dbus_connect_system_bus(oddjob_t) ') @@ -72,12 +72,10 @@ files_read_etc_files(oddjob_mkhomedir_t) miscfiles_read_localization(oddjob_mkhomedir_t) -staff_manage_home_dirs(oddjob_mkhomedir_t) - # Add/remove user home directories -unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) -unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t) -unprivuser_manage_home_content_files(oddjob_mkhomedir_t) -unprivuser_manage_home_dirs(oddjob_mkhomedir_t) -unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t, notdevfile_class_set) +userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content_files(oddjob_mkhomedir_t) +userdom_manage_user_home_dirs(oddjob_mkhomedir_t) +userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc index 9879ead..5840ea8 100644 --- a/policy/modules/services/oident.fc +++ b/policy/modules/services/oident.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0) +HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0) /etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) /etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) @@ -6,4 +6,3 @@ HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0) /etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) /usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) - diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if index c9beafe..bb4fae5 100644 --- a/policy/modules/services/oident.if +++ b/policy/modules/services/oident.if @@ -7,66 +7,49 @@ ##

## -####################################### +######################################## ## -## The per role template for the Oidentd module. +## Allow the specified domain to read +## Oidentd personal configuration files. ## -## -##

-## This template creates derived domains which are used -## for Oident daemon. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## +## +## +## Domain allowed access. +## ## # -template(`oident_per_role_template', ` - - ######################################## - # - # Oident daemon shared declarations - # - +interface(`oident_read_user_content', ` gen_require(` - attribute oidentd_user_content_type; + type oidentd_home_t; ') - type $1_oidentd_home_t, oidentd_user_content_type; - userdom_user_home_content($1, $1_oidentd_home_t) - - typeattribute $1_oidentd_home_t oidentd_user_content_type; + allow $1 oidentd_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') - ######################################## - # - # Oident daemon shared policy - # +######################################## +## +## Allow the specified domain to create, read, write, and delete +## Oidentd personal configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`oident_manage_user_content', ` + gen_require(` + type oidentd_home_t; + ') - allow $2 $1_oidentd_home_t:file manage_file_perms; - allow $2 $1_oidentd_home_t:file relabel_file_perms; + allow $1 oidentd_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) ') ######################################## ## -## Allow the specified domain to read +## Allow the specified domain to relabel ## Oidentd personal configuration files. ## ## @@ -75,11 +58,11 @@ template(`oident_per_role_template', ` ## ## # -interface(`oident_read_all_user_content', ` +interface(`oident_relabel_user_content', ` gen_require(` - attribute oidentd_user_content_type; + type oidentd_home_t; ') - allow $1 oidentd_user_content_type:file read_file_perms; - userdom_search_all_users_home_dirs($1) + allow $1 oidentd_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te index 0a7195c..bb56f9e 100644 --- a/policy/modules/services/oident.te +++ b/policy/modules/services/oident.te @@ -1,17 +1,20 @@ -policy_module(oident, 1.0.0) +policy_module(oident, 2.0.0) ######################################## # # Oident daemon private declarations # -attribute oidentd_user_content_type; - type oidentd_t; type oidentd_exec_t; init_daemon_domain(oidentd_t, oidentd_exec_t) +type oidentd_home_t; +typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; +typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; +userdom_user_home_content(oidentd_home_t) + type oidentd_initrc_exec_t; init_script_file(oidentd_initrc_exec_t) @@ -53,7 +56,7 @@ miscfiles_read_localization(oidentd_t) sysnet_read_config(oidentd_t) -oident_read_all_user_content(oidentd_t) +oident_read_user_content(oidentd_t) optional_policy(` nis_use_ypbind(oidentd_t) diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te index cb046d9..638508a 100644 --- a/policy/modules/services/openct.te +++ b/policy/modules/services/openct.te @@ -1,5 +1,5 @@ -policy_module(openct, 1.3.0) +policy_module(openct, 1.3.1) ######################################## # @@ -48,8 +48,7 @@ logging_send_syslog_msg(openct_t) miscfiles_read_localization(openct_t) userdom_dontaudit_use_unpriv_user_fds(openct_t) - -sysadm_dontaudit_search_home_dirs(openct_t) +userdom_dontaudit_search_user_home_dirs(openct_t) openct_exec(openct_t) diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if index f448846..18d95e6 100644 --- a/policy/modules/services/openvpn.if +++ b/policy/modules/services/openvpn.if @@ -33,11 +33,6 @@ interface(`openvpn_domtrans',` ## The role to be allowed the openvpn domain. ## ## -## -## -## The type of the terminal allow the openvpn domain to use. -## -## ## # interface(`openvpn_run',` @@ -47,7 +42,6 @@ interface(`openvpn_run',` openvpn_domtrans($1) role $2 types openvpn_t; - allow openvpn_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index ed97458..6e16c60 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn, 1.6.0) +policy_module(openvpn, 1.6.1) ######################################## # @@ -100,8 +100,10 @@ miscfiles_read_certs(openvpn_t) sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) +userdom_use_user_terminals(openvpn_t) + tunable_policy(`openvpn_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(openvpn_t) + userdom_read_user_home_content_files(openvpn_t) ') optional_policy(` @@ -109,7 +111,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(openvpn, openvpn_t) + dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) networkmanager_dbus_chat(openvpn_t) diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index 8f206d5..57cb94d 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -1,5 +1,5 @@ -policy_module(pegasus, 1.6.0) +policy_module(pegasus, 1.6.1) ######################################## # @@ -119,8 +119,7 @@ sysnet_read_config(pegasus_t) sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) - -sysadm_dontaudit_search_home_dirs(pegasus_t) +userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` rpm_exec(pegasus_t) diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te index e54e60d..a8372cd 100644 --- a/policy/modules/services/perdition.te +++ b/policy/modules/services/perdition.te @@ -1,5 +1,5 @@ -policy_module(perdition, 1.5.0) +policy_module(perdition, 1.5.1) ######################################## # @@ -65,8 +65,7 @@ miscfiles_read_localization(perdition_t) sysnet_read_config(perdition_t) userdom_dontaudit_use_unpriv_user_fds(perdition_t) - -sysadm_dontaudit_search_home_dirs(perdition_t) +userdom_dontaudit_search_user_home_dirs(perdition_t) optional_policy(` seutil_sigchld_newrole(perdition_t) diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if index 039c6de..19d9f8a 100644 --- a/policy/modules/services/portmap.if +++ b/policy/modules/services/portmap.if @@ -35,11 +35,6 @@ interface(`portmap_domtrans_helper',` ## The role to be allowed the portmap domain. ## ## -## -## -## The type of the terminal allow the portmap domain to use. -## -## ## # interface(`portmap_run_helper',` @@ -49,7 +44,6 @@ interface(`portmap_run_helper',` portmap_domtrans_helper($1) role $2 types portmap_helper_t; - allow portmap_helper_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te index b766249..e9af057 100644 --- a/policy/modules/services/portmap.te +++ b/policy/modules/services/portmap.te @@ -1,5 +1,5 @@ -policy_module(portmap, 1.7.0) +policy_module(portmap, 1.7.1) ######################################## # @@ -84,8 +84,7 @@ miscfiles_read_localization(portmap_t) sysnet_read_config(portmap_t) userdom_dontaudit_use_unpriv_user_fds(portmap_t) - -sysadm_dontaudit_search_home_dirs(portmap_t) +userdom_dontaudit_search_user_home_dirs(portmap_t) optional_policy(` nis_use_ypbind(portmap_t) @@ -145,6 +144,7 @@ logging_send_syslog_msg(portmap_helper_t) sysnet_read_config(portmap_helper_t) +userdom_use_user_terminals(portmap_helper_t) userdom_dontaudit_use_all_users_fds(portmap_helper_t) optional_policy(` diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te index 617ebe0..c52a3e2 100644 --- a/policy/modules/services/portslave.te +++ b/policy/modules/services/portslave.te @@ -1,5 +1,5 @@ -policy_module(portslave, 1.5.0) +policy_module(portslave, 1.5.1) ######################################## # @@ -95,7 +95,7 @@ sysnet_read_config(portslave_t) userdom_use_unpriv_users_fds(portslave_t) # for ~/.ppprc - if it actually exists then you need some policy to read it -userdom_search_all_users_home_dirs(portslave_t) +userdom_search_user_home_dirs(portslave_t) mta_send_mail(portslave_t) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 0eeb4e7..88b923c 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -160,40 +160,6 @@ template(`postfix_user_domain_template',` ######################################## ## -## The per role template for the postfix module. -## -## -## -## The prefix of the user domain. -## (e.g., user is the prefix of user_t) -## -## -## -## -## User domain type. -## -## -## -## -## User role -## -## -# -template(`postfix_per_role_template',` - gen_require(` - attribute postfix_user_domains; - type postfix_postdrop_t; - ') - - role $3 types postfix_postdrop_t; - - allow postfix_user_domains $2:process sigchld; - allow postfix_user_domains $2:fifo_file { write getattr }; - allow postfix_user_domains $2:fd use; -') - -######################################## -## ## Read postfix configuration files. ## ## @@ -353,11 +319,6 @@ interface(`postfix_domtrans_map',` ## The role to be allowed the postfix_map domain. ## ## -## -## -## The type of the terminal allow the postfix_map domain to use. -## -## ## # interface(`postfix_run_map',` @@ -367,7 +328,6 @@ interface(`postfix_run_map',` postfix_domtrans_map($1) role $2 types postfix_map_t; - allow postfix_map_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index d83b1b6..89d0abe 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix, 1.9.0) +policy_module(postfix, 1.9.1) ######################################## # @@ -342,6 +342,8 @@ miscfiles_read_localization(postfix_map_t) seutil_read_config(postfix_map_t) +userdom_use_user_terminals(postfix_map_t) + tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 4351a8c..7c84488 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -2,16 +2,11 @@ ####################################### ## -## The userdomain template for the SE-PostgreSQL. +## Role access for SE-PostgreSQL. ## -## -## This template creates a delivered types which are used -## for given userdomains. -## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The role associated with the user domain. ## ## ## @@ -19,13 +14,8 @@ ## The type of the user domain. ## ## -## -## -## The role associated with the user domain. -## -## # -template(`postgresql_userdom_template',` +interface(`postgresql_role',` gen_require(` class db_database all_db_database_perms; class db_table all_db_table_perms; @@ -38,6 +28,8 @@ template(`postgresql_userdom_template',` attribute sepgsql_sysobj_table_type; type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; + type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; + type user_sepgsql_sysobj_t, user_sepgsql_table_t; ') ######################################## @@ -46,20 +38,7 @@ template(`postgresql_userdom_template',` # typeattribute $2 sepgsql_client_type; - - type $1_sepgsql_blob_t; - postgresql_blob_object($1_sepgsql_blob_t) - - type $1_sepgsql_proc_exec_t; - postgresql_procedure_object($1_sepgsql_proc_exec_t) - - type $1_sepgsql_sysobj_t; - postgresql_system_table_object($1_sepgsql_sysobj_t) - - type $1_sepgsql_table_t; - postgresql_table_object($1_sepgsql_table_t) - - role $3 types sepgsql_trusted_proc_t; + role $1 types sepgsql_trusted_proc_t; ############################## # @@ -67,25 +46,25 @@ template(`postgresql_userdom_template',` # tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 $1_sepgsql_table_t:db_table { create drop }; - type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t; + allow $2 user_sepgsql_table_t:db_table { create drop }; + type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; - allow $2 $1_sepgsql_table_t:db_column { create drop }; + allow $2 user_sepgsql_table_t:db_column { create drop }; - allow $2 $1_sepgsql_sysobj_t:db_tuple { update insert delete }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t; + allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; + type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; ') - allow $2 $1_sepgsql_table_t:db_table { getattr setattr use select update insert delete }; - allow $2 $1_sepgsql_table_t:db_column { getattr setattr use select update insert }; - allow $2 $1_sepgsql_table_t:db_tuple { use select update insert delete }; - allow $2 $1_sepgsql_sysobj_t:db_tuple { use select }; + allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete }; + allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; + allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - allow $2 $1_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute }; - type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_exec_t; + allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute }; + type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; - allow $2 $1_sepgsql_blob_t:db_blob { create drop getattr setattr read write }; - type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t; + allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write }; + type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; allow $2 sepgsql_trusted_proc_t:process transition; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 0dc0afb..3ba8a4c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -1,5 +1,5 @@ -policy_module(postgresql, 1.7.0) +policy_module(postgresql, 1.7.1) gen_require(` class db_database all_db_database_perms; @@ -96,6 +96,26 @@ domain_type(sepgsql_trusted_proc_t) postgresql_unconfined(sepgsql_trusted_proc_t) role system_r types sepgsql_trusted_proc_t; +type user_sepgsql_blob_t; +typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; +typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t }; +postgresql_blob_object(user_sepgsql_blob_t) + +type user_sepgsql_proc_exec_t; +typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t }; +typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; +postgresql_procedure_object(user_sepgsql_proc_exec_t) + +type user_sepgsql_sysobj_t; +typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; +typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t }; +postgresql_system_table_object(user_sepgsql_sysobj_t) + +type user_sepgsql_table_t; +typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t }; +typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; +postgresql_table_object(user_sepgsql_table_t) + ######################################## # # postgresql Local policy @@ -218,12 +238,11 @@ miscfiles_read_localization(postgresql_t) seutil_libselinux_linked(postgresql_t) userdom_dontaudit_use_unpriv_user_fds(postgresql_t) +userdom_dontaudit_search_user_home_dirs(postgresql_t) +userdom_dontaudit_use_user_terminals(postgresql_t) mta_getattr_spool(postgresql_t) -sysadm_dontaudit_search_home_dirs(postgresql_t) -sysadm_dontaudit_use_ttys(postgresql_t) - tunable_policy(`allow_execmem',` allow postgresql_t self:process execmem; ') diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te index 68be03d..7c40fed 100644 --- a/policy/modules/services/postgrey.te +++ b/policy/modules/services/postgrey.te @@ -1,5 +1,5 @@ -policy_module(postgrey, 1.5.0) +policy_module(postgrey, 1.5.1) ######################################## # @@ -75,8 +75,7 @@ miscfiles_read_localization(postgrey_t) sysnet_read_config(postgrey_t) userdom_dontaudit_use_unpriv_user_fds(postgrey_t) - -sysadm_dontaudit_search_home_dirs(postgrey_t) +userdom_dontaudit_search_user_home_dirs(postgrey_t) optional_policy(` nis_use_ypbind(postgrey_t) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index e100e9a..5786afa 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -125,11 +125,6 @@ interface(`ppp_domtrans',` ## The role to allow the ppp domain. ## ## -## -## -## The type of the terminal allow the ppp domain to use. -## -## ## # interface(`ppp_run_cond',` @@ -141,7 +136,6 @@ interface(`ppp_run_cond',` tunable_policy(`pppd_for_user',` ppp_domtrans($1) - allow pppd_t $3:chr_file rw_term_perms; ') ') @@ -159,11 +153,6 @@ interface(`ppp_run_cond',` ## The role to allow the ppp domain. ## ## -## -## -## The type of the terminal allow the ppp domain to use. -## -## ## # interface(`ppp_run',` @@ -173,7 +162,6 @@ interface(`ppp_run',` ppp_domtrans($1) role $2 types pppd_t; - allow pppd_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 6f8636a..02f556e 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -1,5 +1,5 @@ -policy_module(ppp, 1.9.0) +policy_module(ppp, 1.9.1) ######################################## # @@ -172,16 +172,13 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) +userdom_use_user_terminals(pppd_t) userdom_dontaudit_use_unpriv_user_fds(pppd_t) # for ~/.ppprc - if it actually exists then you need some policy to read it -#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; -userdom_search_unpriv_users_home_dirs(pppd_t) +userdom_search_user_home_dirs(pppd_t) ppp_exec(pppd_t) -sysadm_dontaudit_search_home_dirs(pppd_t) -sysadm_search_home_dirs(pppd_t) - optional_policy(` ddclient_domtrans(pppd_t) ') @@ -279,8 +276,7 @@ miscfiles_read_localization(pptp_t) sysnet_read_config(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) - -sysadm_dontaudit_search_home_dirs(pptp_t) +userdom_dontaudit_search_user_home_dirs(pptp_t) optional_policy(` consoletype_exec(pppd_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te index cf1e5a8..5c6323b 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -1,5 +1,5 @@ -policy_module(privoxy, 1.7.0) +policy_module(privoxy, 1.7.1) ######################################## # @@ -73,10 +73,9 @@ miscfiles_read_localization(privoxy_t) sysnet_dns_name_resolve(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) - -sysadm_dontaudit_search_home_dirs(privoxy_t) +userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed -sysadm_use_terms(privoxy_t) +userdom_use_user_terminals(privoxy_t) optional_policy(` nis_use_ypbind(privoxy_t) diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index f75453b..c9d52f4 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail, 1.9.0) +policy_module(procmail, 1.9.1) ######################################## # @@ -70,11 +70,15 @@ logging_send_syslog_msg(procmail_t) miscfiles_read_localization(procmail_t) # only works until we define a different type for maildir -userdom_priveleged_home_dir_manager(procmail_t) +userdom_manage_user_home_content_dirs(procmail_t) +userdom_manage_user_home_content_files(procmail_t) +userdom_manage_user_home_content_symlinks(procmail_t) +userdom_manage_user_home_content_pipes(procmail_t) +userdom_manage_user_home_content_sockets(procmail_t) +userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) # Do not audit attempts to access /root. -staff_dontaudit_search_home_dirs(procmail_t) -sysadm_dontaudit_search_home_dirs(procmail_t) +userdom_dontaudit_search_user_home_dirs(procmail_t) mta_manage_spool(procmail_t) diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te index 558a691..17e7c49 100644 --- a/policy/modules/services/pxe.te +++ b/policy/modules/services/pxe.te @@ -1,5 +1,5 @@ -policy_module(pxe, 1.3.0) +policy_module(pxe, 1.3.1) # cjp: policy seems incomplete @@ -53,8 +53,7 @@ logging_send_syslog_msg(pxe_t) miscfiles_read_localization(pxe_t) userdom_dontaudit_use_unpriv_user_fds(pxe_t) - -sysadm_dontaudit_search_home_dirs(pxe_t) +userdom_dontaudit_search_user_home_dirs(pxe_t) optional_policy(` seutil_sigchld_newrole(pxe_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index c512523..d4a7750 100644 --- a/policy/modules/services/pyzor.fc +++ b/policy/modules/services/pyzor.fc @@ -1,6 +1,6 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 8ab808b..3745b62 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -1,40 +1,34 @@ ## Pyzor is a distributed, collaborative spam detection and filtering network. -####################################### +######################################## ## -## The per role template for the pyzor module. +## Role access for pyzor ## -## -##

-## This template allows pyzor to manage files in -## a user home directory, creating files with the -## correct type. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## +## +## Role allowed access +## +## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## User domain for the role ## ## # -template(`pyzor_per_role_template',` +interface(`pyzor_role',` gen_require(` - type pyzord_t; + type pyzor_t, pyzor_exec_t; + type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; ') - type $1_pyzor_home_t; - userdom_user_home_content($1, $1_pyzor_home_t) + role $1 types pyzor_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, pyzor_exec_t, pyzor_t) - manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) + # allow ps to show pyzor and allow the user to kill it + ps_process_pattern($2, pyzor_t) + allow $2 pyzor_t:process signal; ') ######################################## diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index 6a4ba88..002132a 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -1,5 +1,5 @@ -policy_module(pyzor, 1.6.0) +policy_module(pyzor, 2.0.0) ######################################## # @@ -8,33 +8,51 @@ policy_module(pyzor, 1.6.0) type pyzor_t; type pyzor_exec_t; +typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; application_domain(pyzor_t, pyzor_exec_t) +ubac_constrained(pyzor_t) role system_r types pyzor_t; -type pyzord_t; -type pyzord_exec_t; -domain_type(pyzord_t) -init_daemon_domain(pyzord_t, pyzord_exec_t) - type pyzor_etc_t; files_type(pyzor_etc_t) -type pyzord_log_t; -logging_log_file(pyzord_log_t) +type pyzor_home_t; +typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; +typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; +userdom_user_home_content(pyzor_home_t) type pyzor_tmp_t; +typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; +typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; files_tmp_file(pyzor_tmp_t) +ubac_constrained(pyzor_tmp_t) type pyzor_var_lib_t; +typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; +typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; files_type(pyzor_var_lib_t) +ubac_constrained(pyzor_var_lib_t) + +type pyzord_t; +type pyzord_exec_t; +init_daemon_domain(pyzord_t,pyzord_exec_t) + +type pyzord_log_t; +logging_log_file(pyzord_log_t) ######################################## # -# Pyzor local policy +# Pyzor client local policy # allow pyzor_t self:udp_socket create_socket_perms; +manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) + allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t) files_search_var_lib(pyzor_t) @@ -65,7 +83,7 @@ auth_use_nsswitch(pyzor_t) miscfiles_read_localization(pyzor_t) -sysadm_dontaudit_search_home_dirs(pyzor_t) +userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` amavis_manage_lib_files(pyzor_t) @@ -79,7 +97,7 @@ optional_policy(` ######################################## # -# Pyzord local policy +# Pyzor server local policy # allow pyzord_t self:udp_socket create_socket_perms; @@ -121,11 +139,10 @@ locallogin_dontaudit_use_fds(pyzord_t) miscfiles_read_localization(pyzord_t) -mta_manage_spool(pyzord_t) - # Do not audit attempts to access /root. -staff_dontaudit_search_home_dirs(pyzord_t) -sysadm_dontaudit_search_home_dirs(pyzord_t) +userdom_dontaudit_search_user_home_dirs(pyzord_t) + +mta_manage_spool(pyzord_t) optional_policy(` logging_send_syslog_msg(pyzord_t) diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if index a40b0a2..5112322 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -1,48 +1,5 @@ ## Qmail Mail Server -####################################### -## -## The per role template for qmail -## -## -##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`qmail_per_role_template',` - gen_require(` - attribute qmail_user_domains; - ') - - role $3 types qmail_user_domains; - - qmail_domtrans_inject($2) - - allow qmail_user_domains $2:process sigchld; - allow qmail_user_domains $2:fifo_file { write getattr }; - allow qmail_user_domains $2:fd use; - -') - ######################################## ## ## Template for qmail parent/sub-domain pairs diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index ca0bf07..1da1661 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te @@ -1,5 +1,5 @@ -policy_module(qmail, 1.4.0) +policy_module(qmail, 1.4.1) ######################################## # diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index d803d38..c247f4f 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -1,5 +1,5 @@ -policy_module(radius, 1.9.0) +policy_module(radius, 1.9.1) ######################################## # @@ -113,9 +113,7 @@ miscfiles_read_localization(radiusd_t) miscfiles_read_certs(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) - -sysadm_dontaudit_search_home_dirs(radiusd_t) -sysadm_dontaudit_getattr_home_dirs(radiusd_t) +userdom_dontaudit_search_user_home_dirs(radiusd_t) optional_policy(` cron_system_entry(radiusd_t, radiusd_exec_t) diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te index 1397e40..dc5cc13 100644 --- a/policy/modules/services/radvd.te +++ b/policy/modules/services/radvd.te @@ -1,5 +1,5 @@ -policy_module(radvd, 1.9.0) +policy_module(radvd, 1.9.1) ######################################## # @@ -70,8 +70,7 @@ miscfiles_read_localization(radvd_t) sysnet_read_config(radvd_t) userdom_dontaudit_use_unpriv_user_fds(radvd_t) - -sysadm_dontaudit_search_home_dirs(radvd_t) +userdom_dontaudit_search_user_home_dirs(radvd_t) optional_policy(` nis_use_ypbind(radvd_t) diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc index d50875b..1efba0c 100644 --- a/policy/modules/services/razor.fc +++ b/policy/modules/services/razor.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 37fc170..b564199 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -26,6 +26,9 @@ template(`razor_common_domain_template',` gen_require(` type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; ') + type $1_t; + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_t self:fd use; @@ -95,109 +98,46 @@ template(`razor_common_domain_template',` sysnet_read_config($1_t) sysnet_dns_name_resolve($1_t) - userdom_use_unpriv_users_fds($1_t) - optional_policy(` nis_use_ypbind($1_t) ') ') -####################################### +######################################## ## -## The per role template for the razor module. +## Role access for razor ## -## -##

-## The per role template for the razor module. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -template(`razor_per_role_template',` +interface(`razor_role',` gen_require(` - type razor_exec_t; + type razor_t, razor_exec_t, razor_home_t; ') - type $1_razor_t; - domain_type($1_razor_t) - domain_entry_file($1_razor_t, razor_exec_t) - razor_common_domain_template($1_razor) - role $3 types $1_razor_t; + role $1 types razor_t; - type $1_razor_home_t alias $1_razor_rw_t; - files_poly_member($1_razor_home_t) - userdom_user_home_content($1, $1_razor_home_t) + # Transition from the user domain to the derived domain. + domtrans_pattern($2, razor_exec_t, razor_t) - type $1_razor_tmp_t; - files_tmp_file($1_razor_tmp_t) + # allow ps to show razor and allow the user to kill it + ps_process_pattern($2, razor_t) + allow $2 razor_t:process signal; - ############################## - # - # Local policy - # - - allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) - manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) - manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) - userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir) - - manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) - manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) - files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir }) - - domtrans_pattern($2, razor_exec_t, $1_razor_t) - - manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) - manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t) - manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) - relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) - relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t) - relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) - - logging_send_syslog_msg($1_razor_t) - - userdom_search_user_home_dirs($1, $1_razor_t) - # Allow razor to be run by hand. Needed by any action other than - # invocation from a spam filter. - userdom_use_user_terminals($1, $1_razor_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_razor_t) - fs_manage_nfs_files($1_razor_t) - fs_manage_nfs_symlinks($1_razor_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_razor_t) - fs_manage_cifs_files($1_razor_t) - fs_manage_cifs_symlinks($1_razor_t) - ') - - optional_policy(` - nscd_socket_use($1_razor_t) - ') + manage_dirs_pattern($2, razor_home_t, razor_home_t) + manage_files_pattern($2, razor_home_t, razor_home_t) + manage_lnk_files_pattern($2, razor_home_t, razor_home_t) + relabel_dirs_pattern($2, razor_home_t, razor_home_t) + relabel_files_pattern($2, razor_home_t, razor_home_t) + relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) ') ######################################## diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index 156d1a6..f856ccf 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te @@ -1,60 +1,122 @@ -policy_module(razor, 1.4.0) +policy_module(razor, 2.0.0) ######################################## # # Declarations # -type razor_t; type razor_exec_t; -domain_type(razor_t) -domain_entry_file(razor_t, razor_exec_t) -role system_r types razor_t; +corecmd_executable_file(razor_exec_t) type razor_etc_t; files_config_file(razor_etc_t) +type razor_home_t; +typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; +typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; +files_poly_member(razor_home_t) +userdom_user_home_content(razor_home_t) + type razor_log_t; logging_log_file(razor_log_t) +type razor_tmp_t; +typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; +typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +files_tmp_file(razor_tmp_t) +ubac_constrained(razor_tmp_t) + type razor_var_lib_t; files_type(razor_var_lib_t) +# these are here due to ordering issues: razor_common_domain_template(razor) +typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; +typealias razor_t alias { auditadm_razor_t secadm_razor_t }; +ubac_constrained(razor_t) + +razor_common_domain_template(system_razor) +role system_r types system_razor_t; ######################################## # -# Local policy +# System razor local policy # -allow razor_t self:tcp_socket create_socket_perms; +# this version of razor is invoked typically +# via the system spam filter -manage_dirs_pattern(razor_t, razor_etc_t, razor_etc_t) -manage_files_pattern(razor_t, razor_etc_t, razor_etc_t) -manage_lnk_files_pattern(razor_t, razor_etc_t, razor_etc_t) -files_search_etc(razor_t) +allow system_razor_t self:tcp_socket create_socket_perms; -allow razor_t razor_log_t:file manage_file_perms; -logging_log_filetrans(razor_t, razor_log_t, file) +manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) +manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +files_search_etc(system_razor_t) -manage_files_pattern(razor_t, razor_var_lib_t, razor_var_lib_t) -files_var_lib_filetrans(razor_t, razor_var_lib_t, file) +allow system_razor_t razor_log_t:file manage_file_perms; +logging_log_filetrans(system_razor_t, razor_log_t, file) -corenet_all_recvfrom_unlabeled(razor_t) -corenet_all_recvfrom_netlabel(razor_t) -corenet_tcp_sendrecv_generic_if(razor_t) -corenet_raw_sendrecv_generic_if(razor_t) -corenet_tcp_sendrecv_all_nodes(razor_t) -corenet_raw_sendrecv_all_nodes(razor_t) -corenet_tcp_sendrecv_razor_port(razor_t) -corenet_tcp_connect_razor_port(razor_t) -corenet_sendrecv_razor_client_packets(razor_t) +manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) -sysnet_read_config(razor_t) +corenet_all_recvfrom_unlabeled(system_razor_t) +corenet_all_recvfrom_netlabel(system_razor_t) +corenet_tcp_sendrecv_generic_if(system_razor_t) +corenet_raw_sendrecv_generic_if(system_razor_t) +corenet_tcp_sendrecv_all_nodes(system_razor_t) +corenet_raw_sendrecv_all_nodes(system_razor_t) +corenet_tcp_sendrecv_razor_port(system_razor_t) +corenet_tcp_connect_razor_port(system_razor_t) +corenet_sendrecv_razor_client_packets(system_razor_t) + +sysnet_read_config(system_razor_t) + +# cjp: this shouldn't be needed +userdom_use_unpriv_users_fds(system_razor_t) optional_policy(` - logging_send_syslog_msg(razor_t) + logging_send_syslog_msg(system_razor_t) +') + +optional_policy(` + nscd_socket_use(system_razor_t) +') + +######################################## +# +# User razor local policy +# + +# Allow razor to be run by hand. Needed by any action other than +# invocation from a spam filter. + +allow razor_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) +manage_files_pattern(razor_t, razor_home_t, razor_home_t) +manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) +userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) + +manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) +manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) +files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + +logging_send_syslog_msg(razor_t) + +userdom_search_user_home_dirs(razor_t) +userdom_use_user_terminals(razor_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(razor_t) + fs_manage_nfs_files(razor_t) + fs_manage_nfs_symlinks(razor_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(razor_t) + fs_manage_cifs_files(razor_t) + fs_manage_cifs_symlinks(razor_t) ') optional_policy(` diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index 7a77cc0..5810a43 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -1,5 +1,5 @@ -policy_module(remotelogin, 1.5.0) +policy_module(remotelogin, 1.5.1) ######################################## # @@ -83,7 +83,7 @@ sysnet_dns_name_resolve(remote_login_t) miscfiles_read_localization(remote_login_t) userdom_use_unpriv_users_fds(remote_login_t) -userdom_search_all_users_home_content(remote_login_t) +userdom_search_user_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index 8b118e0..59f6291 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -1,5 +1,5 @@ -policy_module(rhgb, 1.7.0) +policy_module(rhgb, 1.7.1) ######################################## # @@ -109,18 +109,16 @@ sysnet_read_config(rhgb_t) sysnet_domtrans_ifconfig(rhgb_t) userdom_dontaudit_use_unpriv_user_fds(rhgb_t) -userdom_dontaudit_search_all_users_home_content(rhgb_t) +userdom_dontaudit_search_user_home_content(rhgb_t) -sysadm_dontaudit_search_home_dirs(rhgb_t) - -xserver_read_xdm_xserver_tmp_files(rhgb_t) -xserver_kill_xdm_xserver(rhgb_t) +xserver_read_tmp_files(rhgb_t) +xserver_kill(rhgb_t) # for running setxkbmap xserver_read_xkb_libs(rhgb_t) -xserver_domtrans_xdm_xserver(rhgb_t) -xserver_signal_xdm_xserver(rhgb_t) +xserver_domtrans(rhgb_t) +xserver_signal(rhgb_t) xserver_read_xdm_tmp_files(rhgb_t) -xserver_stream_connect_xdm_xserver(rhgb_t) +xserver_stream_connect(rhgb_t) optional_policy(` consoletype_exec(rhgb_t) diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index 4cb3917..38e99a4 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -1,5 +1,5 @@ -policy_module(ricci, 1.4.0) +policy_module(ricci, 1.4.1) ######################################## # @@ -155,7 +155,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(ricci, ricci_t) + dbus_system_bus_client(ricci_t) oddjob_dbus_chat(ricci_t) ') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index 3286a3c..f1c0407 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -1,5 +1,5 @@ -policy_module(rlogin, 1.7.0) +policy_module(rlogin, 1.7.1) ######################################## # @@ -83,9 +83,9 @@ miscfiles_read_localization(rlogind_t) seutil_read_config(rlogind_t) -userdom_setattr_unpriv_users_ptys(rlogind_t) +userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious -userdom_read_all_users_home_content_files(rlogind_t) +userdom_read_user_home_content_files(rlogind_t) remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te index 395044f..1325aa7 100644 --- a/policy/modules/services/roundup.te +++ b/policy/modules/services/roundup.te @@ -1,5 +1,5 @@ -policy_module(roundup, 1.5.0) +policy_module(roundup, 1.5.1) ######################################## # @@ -78,8 +78,7 @@ miscfiles_read_localization(roundup_t) sysnet_read_config(roundup_t) userdom_dontaudit_use_unpriv_user_fds(roundup_t) - -sysadm_dontaudit_search_home_dirs(roundup_t) +userdom_dontaudit_search_user_home_dirs(roundup_t) optional_policy(` mysql_stream_connect(roundup_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 55995a5..7c6d443 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc, 1.9.0) +policy_module(rpc, 1.9.1) ######################################## # @@ -174,9 +174,9 @@ auth_use_nsswitch(gssd_t) miscfiles_read_certs(gssd_t) tunable_policy(`allow_gssd_read_tmp',` - userdom_list_unpriv_users_tmp(gssd_t) - userdom_read_unpriv_users_tmp_files(gssd_t) - userdom_read_unpriv_users_tmp_symlinks(gssd_t) + userdom_list_user_tmp(gssd_t) + userdom_read_user_tmp_files(gssd_t) + userdom_read_user_tmp_symlinks(gssd_t) ') optional_policy(` diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te index ea4a7c5..00887fb 100644 --- a/policy/modules/services/rshd.te +++ b/policy/modules/services/rshd.te @@ -1,5 +1,5 @@ -policy_module(rshd, 1.5.0) +policy_module(rshd, 1.5.1) ######################################## # @@ -61,7 +61,7 @@ miscfiles_read_localization(rshd_t) seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) -userdom_search_all_users_home_content(rshd_t) +userdom_search_user_home_content(rshd_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 23da552..a0eaff1 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -4,44 +4,6 @@ ## from Windows NT servers. ##
-####################################### -## -## The per role template for the samba module. -## -## -##

-## This template allows smbd to manage files in -## a user home directory, creating files with the -## correct type. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`samba_per_role_template',` - gen_require(` - type smbd_t; - ') - - tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs($1, smbd_t) - userdom_manage_user_home_content_files($1, smbd_t) - userdom_manage_user_home_content_symlinks($1, smbd_t) - userdom_manage_user_home_content_sockets($1, smbd_t) - userdom_manage_user_home_content_pipes($1, smbd_t) - userdom_user_home_dir_filetrans_user_home_content($1, smbd_t, { dir file lnk_file sock_file fifo_file }) - ') -') - ######################################## ## ## Execute samba net in the samba_net domain. @@ -76,11 +38,6 @@ interface(`samba_domtrans_net',` ## The role to be allowed the samba_net domain. ## ## -## -## -## The type of the terminal allow the samba_net domain to use. -## -## ## # interface(`samba_run_net',` @@ -90,7 +47,6 @@ interface(`samba_run_net',` samba_domtrans_net($1) role $2 types samba_net_t; - allow samba_net_t $3:chr_file rw_term_perms; ') ######################################## @@ -127,11 +83,6 @@ interface(`samba_domtrans_smbmount',` ## The role to be allowed the smbmount domain. ## ## -## -## -## The type of the terminal allow the smbmount domain to use. -## -## ## # interface(`samba_run_smbmount',` @@ -141,7 +92,6 @@ interface(`samba_run_smbmount',` samba_domtrans_smbmount($1) role $2 types smbmount_t; - allow smbmount_t $3:chr_file rw_term_perms; ') ######################################## @@ -437,11 +387,6 @@ interface(`samba_domtrans_winbind_helper',` ## The role to be allowed the winbind_helper domain. ## ## -## -## -## The type of the terminal allow the winbind_helper domain to use. -## -## ## # interface(`samba_run_winbind_helper',` @@ -451,7 +396,6 @@ interface(`samba_run_winbind_helper',` samba_domtrans_winbind_helper($1) role $2 types winbind_helper_t; - allow winbind_helper_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 2b52ef9..b1eda58 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba, 1.10.0) +policy_module(samba, 1.10.1) ################################# # @@ -197,7 +197,8 @@ logging_send_syslog_msg(samba_net_t) miscfiles_read_localization(samba_net_t) -sysadm_dontaudit_search_home_dirs(samba_net_t) +userdom_use_user_terminals(samba_net_t) +userdom_dontaudit_search_user_home_dirs(samba_net_t) optional_policy(` kerberos_use(samba_net_t) @@ -317,10 +318,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) -userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) - -sysadm_dontaudit_search_home_dirs(smbd_t) +userdom_dontaudit_search_user_home_dirs(smbd_t) ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) @@ -338,6 +337,15 @@ tunable_policy(`samba_domain_controller',` usermanage_domtrans_groupadd(smbd_t) ') +tunable_policy(`samba_enable_home_dirs',` + userdom_manage_user_home_content_dirs(smbd_t) + userdom_manage_user_home_content_files(smbd_t) + userdom_manage_user_home_content_symlinks(smbd_t) + userdom_manage_user_home_content_sockets(smbd_t) + userdom_manage_user_home_content_pipes(smbd_t) + userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) +') + # Support Samba sharing of NFS mount points tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) @@ -367,8 +375,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; - unprivuser_create_home_dir(smbd_t) - unprivuser_home_filetrans_home_dir(smbd_t) + userdom_create_user_home_dirs(smbd_t) + userdom_home_filetrans_user_home_dir(smbd_t) ') tunable_policy(`samba_export_all_ro',` @@ -383,7 +391,7 @@ tunable_policy(`samba_export_all_rw',` auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) - unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir }) + userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ') ######################################## @@ -461,10 +469,8 @@ logging_send_syslog_msg(nmbd_t) miscfiles_read_localization(nmbd_t) -userdom_dontaudit_use_unpriv_user_fds(nmbd_t) userdom_use_unpriv_users_fds(nmbd_t) - -sysadm_dontaudit_search_home_dirs(nmbd_t) +userdom_dontaudit_search_user_home_dirs(nmbd_t) optional_policy(` seutil_sigchld_newrole(nmbd_t) @@ -526,8 +532,6 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -term_list_ptys(smbmount_t) - corecmd_list_bin(smbmount_t) files_list_mnt(smbmount_t) @@ -546,6 +550,7 @@ locallogin_use_fds(smbmount_t) logging_search_logs(smbmount_t) +userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) ######################################## @@ -714,9 +719,12 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) -userdom_priveleged_home_dir_manager(winbind_t) - -sysadm_dontaudit_search_home_dirs(winbind_t) +userdom_manage_user_home_content_dirs(winbind_t) +userdom_manage_user_home_content_files(winbind_t) +userdom_manage_user_home_content_symlinks(winbind_t) +userdom_manage_user_home_content_pipes(winbind_t) +userdom_manage_user_home_content_sockets(winbind_t) +userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` kerberos_use(winbind_t) @@ -757,6 +765,8 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) +userdom_use_user_terminals(winbind_helper_t) + optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index cad7efb..c7d0716 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -1,5 +1,5 @@ -policy_module(sasl, 1.10.0) +policy_module(sasl, 1.10.1) ######################################## # @@ -89,8 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t) sysnet_read_config(saslauthd_t) userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) - -sysadm_dontaudit_search_home_dirs(saslauthd_t) +userdom_dontaudit_search_user_home_dirs(saslauthd_t) # cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 1e63079..9c63d2d 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail, 1.8.0) +policy_module(sendmail, 1.8.1) ######################################## # @@ -94,6 +94,7 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +userdom_dontaudit_search_user_home_dirs(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) @@ -103,8 +104,6 @@ mta_rw_aliases(sendmail_t) mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) -sysadm_dontaudit_search_home_dirs(sendmail_t) - optional_policy(` clamav_search_lib(sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 709b7a6..74f4499 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot, 1.8.0) +policy_module(setroubleshoot, 1.8.1) ######################################## # @@ -102,10 +102,10 @@ seutil_read_file_contexts(setroubleshootd_t) sysnet_read_config(setroubleshootd_t) -sysadm_dontaudit_read_home_content_files(setroubleshootd_t) +userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` - dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) + dbus_system_bus_client(setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) ') diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te index dd722d6..9bc9e4c 100644 --- a/policy/modules/services/slrnpull.te +++ b/policy/modules/services/slrnpull.te @@ -1,5 +1,5 @@ -policy_module(slrnpull, 1.3.0) +policy_module(slrnpull, 1.3.1) ######################################## # @@ -56,8 +56,7 @@ logging_send_syslog_msg(slrnpull_t) miscfiles_read_localization(slrnpull_t) userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) - -sysadm_dontaudit_search_home_dirs(slrnpull_t) +userdom_dontaudit_search_user_home_dirs(slrnpull_t) optional_policy(` cron_system_entry(slrnpull_t, slrnpull_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 5e015ea..6dfe92a 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -1,5 +1,5 @@ -policy_module(smartmon, 1.7.0) +policy_module(smartmon, 1.7.1) ######################################## # @@ -83,8 +83,7 @@ miscfiles_read_localization(fsdaemon_t) sysnet_dns_name_resolve(fsdaemon_t) userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) - -sysadm_dontaudit_search_home_dirs(fsdaemon_t) +userdom_dontaudit_search_user_home_dirs(fsdaemon_t) optional_policy(` mta_send_mail(fsdaemon_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index afefddc..242e92f 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp, 1.8.0) +policy_module(snmp, 1.8.1) ######################################## # @@ -103,8 +103,7 @@ seutil_dontaudit_search_config(snmpd_t) sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) - -sysadm_dontaudit_search_home_dirs(snmpd_t) +userdom_dontaudit_search_user_home_dirs(snmpd_t) ifdef(`distro_redhat', ` optional_policy(` diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index 64f2f5e..9206d22 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te @@ -1,5 +1,5 @@ -policy_module(snort, 1.6.0) +policy_module(snort, 1.6.1) ######################################## # @@ -92,8 +92,7 @@ miscfiles_read_localization(snort_t) sysnet_read_config(snort_t) userdom_dontaudit_use_unpriv_user_fds(snort_t) - -sysadm_dontaudit_search_home_dirs(snort_t) +userdom_dontaudit_search_user_home_dirs(snort_t) optional_policy(` seutil_sigchld_newrole(snort_t) diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te index 3536fd3..8a7ac69 100644 --- a/policy/modules/services/soundserver.te +++ b/policy/modules/services/soundserver.te @@ -1,5 +1,5 @@ -policy_module(soundserver, 1.6.0) +policy_module(soundserver, 1.6.1) ######################################## # @@ -100,8 +100,7 @@ miscfiles_read_localization(soundd_t) sysnet_read_config(soundd_t) userdom_dontaudit_use_unpriv_user_fds(soundd_t) - -sysadm_dontaudit_search_home_dirs(soundd_t) +userdom_dontaudit_search_user_home_dirs(soundd_t) optional_policy(` alsa_domtrans(soundd_t) diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index e4f676b..80cab98 100644 --- a/policy/modules/services/spamassassin.fc +++ b/policy/modules/services/spamassassin.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 6881e57..4140164 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -1,315 +1,41 @@ ## Filter used for removing unsolicited email. -####################################### +######################################## ## -## The per role template for the spamassassin module. +## Role access for spamassassin ## -## -##

-## The per role template for the spamassassin module. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role ## ## # -# cjp: when tunables are available, spamc stuff should be -# toggled on activation of spamc, and similarly for spamd. -template(`spamassassin_per_role_template',` - +interface(`spamassassin_role',` gen_require(` - type spamc_exec_t, spamassassin_exec_t; - type spamd_t, spamd_tmp_t; - ') - - ############################## - # - # Declarations - # - - type $1_spamc_t; - application_domain($1_spamc_t, spamc_exec_t) - role $3 types $1_spamc_t; - - type $1_spamc_tmp_t; - files_tmp_file($1_spamc_tmp_t) - - type $1_spamassassin_t; - application_domain($1_spamassassin_t, spamassassin_exec_t) - role $3 types $1_spamassassin_t; - - type $1_spamassassin_home_t alias $1_spamassassin_rw_t; - userdom_user_home_content($1, $1_spamassassin_home_t) - files_poly_member($1_spamassassin_home_t) - - type $1_spamassassin_tmp_t; - files_tmp_file($1_spamassassin_tmp_t) - - ############################## - # - # $1_spamc_t local policy - # - - allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_spamc_t self:fd use; - allow $1_spamc_t self:fifo_file rw_fifo_file_perms; - allow $1_spamc_t self:sock_file read_sock_file_perms; - allow $1_spamc_t self:shm create_shm_perms; - allow $1_spamc_t self:sem create_sem_perms; - allow $1_spamc_t self:msgq create_msgq_perms; - allow $1_spamc_t self:msg { send receive }; - allow $1_spamc_t self:unix_dgram_socket create_socket_perms; - allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms; - allow $1_spamc_t self:unix_dgram_socket sendto; - allow $1_spamc_t self:unix_stream_socket connectto; - allow $1_spamc_t self:tcp_socket create_stream_socket_perms; - allow $1_spamc_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) - manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) - files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) - - # Allow connecting to a local spamd - stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t) - - domtrans_pattern($2, spamc_exec_t, $1_spamc_t) - - kernel_read_kernel_sysctls($1_spamc_t) - - corenet_all_recvfrom_unlabeled($1_spamc_t) - corenet_all_recvfrom_netlabel($1_spamc_t) - corenet_tcp_sendrecv_generic_if($1_spamc_t) - corenet_udp_sendrecv_generic_if($1_spamc_t) - corenet_tcp_sendrecv_all_nodes($1_spamc_t) - corenet_udp_sendrecv_all_nodes($1_spamc_t) - corenet_tcp_sendrecv_all_ports($1_spamc_t) - corenet_udp_sendrecv_all_ports($1_spamc_t) - corenet_tcp_connect_all_ports($1_spamc_t) - corenet_sendrecv_all_client_packets($1_spamc_t) - - fs_search_auto_mountpoints($1_spamc_t) - - # cjp: these should probably be removed: - corecmd_list_bin($1_spamc_t) - corecmd_read_bin_symlinks($1_spamc_t) - corecmd_read_bin_files($1_spamc_t) - corecmd_read_bin_pipes($1_spamc_t) - corecmd_read_bin_sockets($1_spamc_t) - - domain_use_interactive_fds($1_spamc_t) - - files_read_etc_files($1_spamc_t) - files_read_etc_runtime_files($1_spamc_t) - files_read_usr_files($1_spamc_t) - files_dontaudit_search_var($1_spamc_t) - # cjp: this may be removable: - files_list_home($1_spamc_t) - - logging_send_syslog_msg($1_spamc_t) - - miscfiles_read_localization($1_spamc_t) - - # cjp: this should probably be removed: - seutil_read_config($1_spamc_t) - - sysnet_read_config($1_spamc_t) - - userdom_use_unpriv_users_fds($1_spamc_t) - # cjp: this really should just be the - # terminal specific to the role - userdom_use_unpriv_users_ptys($1_spamc_t) - - # cjp: this should probably be removed: - tunable_policy(`read_default_t',` - files_list_default($1_spamc_t) - files_read_default_files($1_spamc_t) - files_read_default_symlinks($1_spamc_t) - files_read_default_sockets($1_spamc_t) - files_read_default_pipes($1_spamc_t) - ') - - optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect($1, $1_spamc_t) - ') - - optional_policy(` - nis_use_ypbind($1_spamc_t) - ') - - optional_policy(` - nscd_socket_use($1_spamc_t) - ') - - optional_policy(` - mta_read_config($1_spamc_t) - sendmail_stub($1_spamc_t) - ') - - ############################## - # - # $1_spamassassin_t local policy - # - - allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_spamassassin_t self:fd use; - allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms; - allow $1_spamassassin_t self:sock_file read_sock_file_perms; - allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; - allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; - allow $1_spamassassin_t self:unix_dgram_socket sendto; - allow $1_spamassassin_t self:unix_stream_socket connectto; - allow $1_spamassassin_t self:shm create_shm_perms; - allow $1_spamassassin_t self:sem create_sem_perms; - allow $1_spamassassin_t self:msgq create_msgq_perms; - allow $1_spamassassin_t self:msg { send receive }; - - manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) - manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) - files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) - - manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - - domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) - - manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) - userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_kernel_sysctls($1_spamassassin_t) - - dev_read_urand($1_spamassassin_t) - - fs_search_auto_mountpoints($1_spamassassin_t) - - # this should probably be removed - corecmd_list_bin($1_spamassassin_t) - corecmd_read_bin_symlinks($1_spamassassin_t) - corecmd_read_bin_files($1_spamassassin_t) - corecmd_read_bin_pipes($1_spamassassin_t) - corecmd_read_bin_sockets($1_spamassassin_t) - - domain_use_interactive_fds($1_spamassassin_t) - - files_read_etc_files($1_spamassassin_t) - files_read_etc_runtime_files($1_spamassassin_t) - files_list_home($1_spamassassin_t) - files_read_usr_files($1_spamassassin_t) - files_dontaudit_search_var($1_spamassassin_t) - - logging_send_syslog_msg($1_spamassassin_t) - - miscfiles_read_localization($1_spamassassin_t) - - # cjp: this could probably be removed - seutil_read_config($1_spamassassin_t) - - sysnet_dns_name_resolve($1_spamassassin_t) - - userdom_use_unpriv_users_fds($1_spamassassin_t) - userdom_search_user_home_dirs($1,$1_spamassassin_t) - # cjp: this really should just be the - # terminal specific to the role - userdom_use_unpriv_users_ptys($1_spamassassin_t) - - # this should probably be removed: - tunable_policy(`read_default_t',` - files_list_default($1_spamassassin_t) - files_read_default_files($1_spamassassin_t) - files_read_default_symlinks($1_spamassassin_t) - files_read_default_sockets($1_spamassassin_t) - files_read_default_pipes($1_spamassassin_t) - ') - - # set tunable if you have spamassassin do DNS lookups - tunable_policy(`spamassassin_can_network',` - allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms; - allow $1_spamassassin_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1_spamassassin_t) - corenet_all_recvfrom_netlabel($1_spamassassin_t) - corenet_tcp_sendrecv_generic_if($1_spamassassin_t) - corenet_udp_sendrecv_generic_if($1_spamassassin_t) - corenet_tcp_sendrecv_all_nodes($1_spamassassin_t) - corenet_udp_sendrecv_all_nodes($1_spamassassin_t) - corenet_tcp_sendrecv_all_ports($1_spamassassin_t) - corenet_udp_sendrecv_all_ports($1_spamassassin_t) - corenet_tcp_connect_all_ports($1_spamassassin_t) - corenet_sendrecv_all_client_packets($1_spamassassin_t) - - sysnet_read_config($1_spamassassin_t) + type spamc_t, spamc_exec_t, spamc_tmp_t; + type spamassassin_t, spamassassin_exec_t; + type spamassassin_home_t, spamassassin_tmp_t; ') - tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_user_home_content_dirs($1,spamd_t) - userdom_manage_user_home_content_files($1,spamd_t) - userdom_manage_user_home_content_symlinks($1,spamd_t) - ') + role $1 types { spamc_t spamassassin_t }; - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_spamassassin_t) - fs_manage_nfs_files($1_spamassassin_t) - fs_manage_nfs_symlinks($1_spamassassin_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_spamassassin_t) - fs_manage_cifs_files($1_spamassassin_t) - fs_manage_cifs_symlinks($1_spamassassin_t) - ') - - optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file }) - ') + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + ps_process_pattern($2, spamassassin_t) - optional_policy(` - # cjp: clearly some redundancy here + domtrans_pattern($2, spamc_exec_t, spamc_t) + ps_process_pattern($2, spamc_t) - nis_use_ypbind($1_spamassassin_t) - - tunable_policy(`spamassassin_can_network && allow_ypbind',` - nis_use_ypbind_uncond($1_spamassassin_t) - ') - ') - - optional_policy(` - mta_read_config($1_spamassassin_t) - sendmail_stub($1_spamassassin_t) - ') + manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) ') ######################################## @@ -371,31 +97,20 @@ interface(`spamassassin_exec_spamd',` ######################################## ## -## Execute spamassassin client in the user spamassassin client domain. +## Execute spamassassin client in the spamassassin client domain. ## -## -##

-## This is a template and should only be called -## from per user domain tempaltes. -##

-##
-## -## -## The prefix of the user domain. eg user would be the prefix of user_t. -## -## ## -## -## The type of the process performing this action. -## +## +## Domain allowed access. +## ## # -template(`spamassassin_domtrans_user_client',` +interface(`spamassassin_domtrans_client',` gen_require(` - type $1_spamc_t, spamc_exec_t; + type spamc_t, spamc_exec_t; ') - domtrans_pattern($2, spamc_exec_t, $1_spamc_t) + domtrans_pattern($1, spamc_exec_t, spamc_t) ') ######################################## @@ -419,31 +134,20 @@ interface(`spamassassin_exec_client',` ######################################## ## -## Execute spamassassin in the user spamassassin domain. +## Execute spamassassin standalone client in the user spamassassin domain. ## -## -##

-## This is a template and should only be called -## from per user domain tempaltes. -##

-##
-## -## -## The prefix of the user domain. eg user would be the prefix of user_t. -## -## ## -## -## The type of the process performing this action. -## +## +## Domain allowed access. +## ## # -template(`spamassassin_domtrans_user_local_client',` +interface(`spamassassin_domtrans_local_client',` gen_require(` - type $1_spamassassin_t, spamassassin_exec_t; + type spamassassin_t, spamassassin_exec_t; ') - domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) + domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) ') ######################################## diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 98c7009..343136a 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin, 1.10.0) +policy_module(spamassassin, 2.0.0) ######################################## # @@ -20,13 +20,41 @@ gen_tunable(spamassassin_can_network, false) ## gen_tunable(spamd_enable_home_dirs, true) -# spamassassin client executable +type spamassassin_t; +type spamassassin_exec_t; +typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; +typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; +application_domain(spamassassin_t, spamassassin_exec_t) +ubac_constrained(spamassassin_t) + +type spamassassin_home_t; +typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +userdom_user_home_content(spamassassin_home_t) +files_poly_member(spamassassin_home_t) + +type spamassassin_tmp_t; +typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; +files_tmp_file(spamassassin_tmp_t) +ubac_constrained(spamassassin_tmp_t) + +type spamc_t; type spamc_exec_t; -application_executable_file(spamc_exec_t) +typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; +typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; +application_domain(spamc_t, spamc_exec_t) +ubac_constrained(spamc_t) + +type spamc_tmp_t; +typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +files_tmp_file(spamc_tmp_t) +ubac_constrained(spamc_tmp_t) type spamd_t; type spamd_exec_t; -init_daemon_domain(spamd_t,spamd_exec_t) +init_daemon_domain(spamd_t, spamd_exec_t) type spamd_spool_t; files_type(spamd_spool_t) @@ -41,12 +69,232 @@ files_type(spamd_var_lib_t) type spamd_var_run_t; files_pid_file(spamd_var_run_t) -type spamassassin_exec_t; -application_executable_file(spamassassin_exec_t) +############################## +# +# Standalone program local policy +# + +allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamassassin_t self:fd use; +allow spamassassin_t self:fifo_file rw_fifo_file_perms; +allow spamassassin_t self:sock_file read_sock_file_perms; +allow spamassassin_t self:unix_dgram_socket create_socket_perms; +allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; +allow spamassassin_t self:unix_dgram_socket sendto; +allow spamassassin_t self:unix_stream_socket connectto; +allow spamassassin_t self:shm create_shm_perms; +allow spamassassin_t self:sem create_sem_perms; +allow spamassassin_t self:msgq create_msgq_perms; +allow spamassassin_t self:msg { send receive }; + +manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) + +manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(spamassassin_t) + +dev_read_urand(spamassassin_t) + +fs_search_auto_mountpoints(spamassassin_t) + +# this should probably be removed +corecmd_list_bin(spamassassin_t) +corecmd_read_bin_symlinks(spamassassin_t) +corecmd_read_bin_files(spamassassin_t) +corecmd_read_bin_pipes(spamassassin_t) +corecmd_read_bin_sockets(spamassassin_t) + +domain_use_interactive_fds(spamassassin_t) + +files_read_etc_files(spamassassin_t) +files_read_etc_runtime_files(spamassassin_t) +files_list_home(spamassassin_t) +files_read_usr_files(spamassassin_t) +files_dontaudit_search_var(spamassassin_t) + +logging_send_syslog_msg(spamassassin_t) + +miscfiles_read_localization(spamassassin_t) + +# cjp: this could probably be removed +seutil_read_config(spamassassin_t) + +sysnet_dns_name_resolve(spamassassin_t) + +# this should probably be removed: +tunable_policy(`read_default_t',` + files_list_default(spamassassin_t) + files_read_default_files(spamassassin_t) + files_read_default_symlinks(spamassassin_t) + files_read_default_sockets(spamassassin_t) + files_read_default_pipes(spamassassin_t) +') + +# set tunable if you have spamassassin do DNS lookups +tunable_policy(`spamassassin_can_network',` + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(spamassassin_t) + corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_all_nodes(spamassassin_t) + corenet_udp_sendrecv_all_nodes(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) + + sysnet_read_config(spamassassin_t) +') + +tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamassassin_t) + fs_manage_nfs_files(spamassassin_t) + fs_manage_nfs_symlinks(spamassassin_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamassassin_t) + fs_manage_cifs_files(spamassassin_t) + fs_manage_cifs_symlinks(spamassassin_t) +') + +optional_policy(` + # Write pid file and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +') + +optional_policy(` + tunable_policy(`spamassassin_can_network && allow_ypbind',` + nis_use_ypbind_uncond(spamassassin_t) + ') +') + +optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) +') + +######################################## +# +# Client local policy +# + +allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamc_t self:fd use; +allow spamc_t self:fifo_file rw_fifo_file_perms; +allow spamc_t self:sock_file read_sock_file_perms; +allow spamc_t self:shm create_shm_perms; +allow spamc_t self:sem create_sem_perms; +allow spamc_t self:msgq create_msgq_perms; +allow spamc_t self:msg { send receive }; +allow spamc_t self:unix_dgram_socket create_socket_perms; +allow spamc_t self:unix_stream_socket create_stream_socket_perms; +allow spamc_t self:unix_dgram_socket sendto; +allow spamc_t self:unix_stream_socket connectto; +allow spamc_t self:tcp_socket create_stream_socket_perms; +allow spamc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; + +kernel_read_kernel_sysctls(spamc_t) + +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_udp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_all_nodes(spamc_t) +corenet_udp_sendrecv_all_nodes(spamc_t) +corenet_tcp_sendrecv_all_ports(spamc_t) +corenet_udp_sendrecv_all_ports(spamc_t) +corenet_tcp_connect_all_ports(spamc_t) +corenet_sendrecv_all_client_packets(spamc_t) + +fs_search_auto_mountpoints(spamc_t) + +# cjp: these should probably be removed: +corecmd_list_bin(spamc_t) +corecmd_read_bin_symlinks(spamc_t) +corecmd_read_bin_files(spamc_t) +corecmd_read_bin_pipes(spamc_t) +corecmd_read_bin_sockets(spamc_t) + +domain_use_interactive_fds(spamc_t) + +files_read_etc_files(spamc_t) +files_read_etc_runtime_files(spamc_t) +files_read_usr_files(spamc_t) +files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: +files_list_home(spamc_t) + +logging_send_syslog_msg(spamc_t) + +miscfiles_read_localization(spamc_t) + +# cjp: this should probably be removed: +seutil_read_config(spamc_t) + +sysnet_read_config(spamc_t) + +# cjp: this should probably be removed: +tunable_policy(`read_default_t',` + files_list_default(spamc_t) + files_read_default_files(spamc_t) + files_read_default_symlinks(spamc_t) + files_read_default_sockets(spamc_t) + files_read_default_pipes(spamc_t) +') + +optional_policy(` + # Allow connection to spamd socket above + evolution_stream_connect(spamc_t) +') + +optional_policy(` + nis_use_ypbind(spamc_t) +') + +optional_policy(` + nscd_socket_use(spamc_t) +') + +optional_policy(` + mta_read_config(spamc_t) + sendmail_stub(spamc_t) +') ######################################## # -# Spamassassin daemon local policy +# Server local policy # # Spamassassin, when run as root and using per-user config files, @@ -143,9 +391,7 @@ sysnet_use_ldap(spamd_t) sysnet_dns_name_resolve(spamd_t) userdom_use_unpriv_users_fds(spamd_t) -userdom_search_unpriv_users_home_dirs(spamd_t) - -sysadm_dontaudit_search_home_dirs(spamd_t) +userdom_search_user_home_dirs(spamd_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(spamd_t) diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te index 45f3070..dc0423f 100644 --- a/policy/modules/services/speedtouch.te +++ b/policy/modules/services/speedtouch.te @@ -1,5 +1,5 @@ -policy_module(speedtouch, 1.3.0) +policy_module(speedtouch, 1.3.1) ####################################### # @@ -51,8 +51,7 @@ logging_send_syslog_msg(speedmgmt_t) miscfiles_read_localization(speedmgmt_t) userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) - -sysadm_dontaudit_search_home_dirs(speedmgmt_t) +userdom_dontaudit_search_user_home_dirs(speedmgmt_t) optional_policy(` seutil_sigchld_newrole(speedmgmt_t) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 9b7187a..fcde140 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,5 +1,5 @@ -policy_module(squid, 1.7.0) +policy_module(squid, 1.7.1) ######################################## # @@ -148,9 +148,7 @@ miscfiles_read_certs(squid_t) miscfiles_read_localization(squid_t) userdom_use_unpriv_users_fds(squid_t) -userdom_dontaudit_use_unpriv_user_fds(squid_t) - -sysadm_dontaudit_search_home_dirs(squid_t) +userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index bf53f28..6262c7b 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 58b25e6..545f5b0 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -166,247 +166,6 @@ template(`ssh_basic_client_template',` ####################################### ## -## The per role template for the ssh module. -## -## -##

-## This template creates a derived domains which are used -## for ssh client sessions and user ssh agents. A derived -## type is also created to protect the user ssh keys. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`ssh_per_role_template',` - gen_require(` - type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t; - ') - - ############################## - # - # Declarations - # - - ssh_basic_client_template($1, $2, $3) - - userdom_user_home_content($1, $1_home_ssh_t) - - type $1_ssh_agent_t; - application_domain($1_ssh_agent_t, ssh_agent_exec_t) - domain_interactive_fd($1_ssh_agent_t) - role $3 types $1_ssh_agent_t; - - type $1_ssh_agent_tmp_t; - files_tmp_file($1_ssh_agent_tmp_t) - - type $1_ssh_keysign_t; - application_domain($1_ssh_keysign_t, ssh_keysign_exec_t) - role $3 types $1_ssh_keysign_t; - - type $1_ssh_tmpfs_t; - files_tmpfs_file($1_ssh_tmpfs_t) - - ############################## - # - # Client local policy - # - - manage_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) - manage_lnk_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) - manage_fifo_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) - manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) - fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) - manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) - userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file }) - - # Allow the ssh program to communicate with ssh-agent. - stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) - - allow $1_ssh_t sshd_t:unix_stream_socket connectto; - - allow $2 $1_ssh_t:process signal; - - userdom_use_unpriv_users_fds($1_ssh_t) - userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) - userdom_search_user_home_dirs($1,$1_ssh_t) - # Write to the user domain tty. - userdom_use_user_terminals($1,$1_ssh_t) - # needs to read krb tgt - userdom_read_user_tmp_files($1, $1_ssh_t) - - tunable_policy(`allow_ssh_keysign',` - domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) - allow $1_ssh_keysign_t $1_ssh_t:fd use; - allow $1_ssh_keysign_t $1_ssh_t:process sigchld; - allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_ssh_t) - fs_manage_nfs_files($1_ssh_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_ssh_t) - fs_manage_cifs_files($1_ssh_t) - ') - - # for port forwarding - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port($1_ssh_t) - ') - - optional_policy(` - xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) - xserver_domtrans_user_xauth($1, $1_ssh_t) - ') - - ifdef(`TODO',` - # for /bin/sh used to execute xauth - dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; - - #allow ssh to access keys stored on removable media - # Should we have a boolean around this? - files_search_mnt($1_ssh_t) - r_dir_file($1_ssh_t, removable_t) - - ') dnl endif TODO - - ############################## - # - # $1_ssh_agent_t local policy - # - - allow $1_ssh_agent_t self:process setrlimit; - allow $1_ssh_agent_t self:capability setgid; - - allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull; - - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - - manage_dirs_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t) - manage_sock_files_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t) - files_tmp_filetrans($1_ssh_agent_t, $1_ssh_agent_tmp_t, { dir sock_file }) - - # for ssh-add - stream_connect_pattern($2, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. - allow $2 $1_ssh_agent_t:process signal; - - # allow ps to show ssh - ps_process_pattern($2, $1_ssh_agent_t) - - domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t) - - kernel_read_kernel_sysctls($1_ssh_agent_t) - - dev_read_urand($1_ssh_agent_t) - dev_read_rand($1_ssh_agent_t) - - fs_search_auto_mountpoints($1_ssh_agent_t) - - # transition back to normal privs upon exec - corecmd_shell_domtrans($1_ssh_agent_t, $1_t) - corecmd_bin_domtrans($1_ssh_agent_t, $1_t) - - domain_use_interactive_fds($1_ssh_agent_t) - - files_read_etc_files($1_ssh_agent_t) - files_read_etc_runtime_files($1_ssh_agent_t) - files_search_home($1_ssh_agent_t) - - libs_read_lib_files($1_ssh_agent_t) - - logging_send_syslog_msg($1_ssh_agent_t) - - miscfiles_read_localization($1_ssh_agent_t) - - seutil_dontaudit_read_config($1_ssh_agent_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1,$1_ssh_agent_t) - - # for the transition back to normal privs upon exec - userdom_user_home_domtrans($1, $1_ssh_agent_t, $2) - allow $2 $1_ssh_agent_t:fd use; - allow $2 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $2 $1_ssh_agent_t:process sigchld; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_nfs_domtrans($1_ssh_agent_t, $1_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $1_t) - ') - - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) - ') - - ifdef(`TODO',` - dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; - ') dnl endif TODO - - ############################## - # - # $1_ssh_keysign_t local policy - # - - tunable_policy(`allow_ssh_keysign',` - allow $1_ssh_keysign_t self:capability { setgid setuid }; - allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; - - allow $1_ssh_keysign_t sshd_key_t:file read_file_perms; - - dev_read_urand($1_ssh_keysign_t) - - files_read_etc_files($1_ssh_keysign_t) - ') - - optional_policy(` - tunable_policy(`allow_ssh_keysign',` - nscd_socket_use($1_ssh_keysign_t) - ') - ') -') - -####################################### -## ## The template to define a ssh server. ## ## @@ -493,8 +252,8 @@ template(`ssh_server_template', ` sysnet_read_config($1_t) - userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) - userdom_search_all_users_home_dirs($1_t) + userdom_dontaudit_relabelfrom_user_ptys($1_t) + userdom_search_user_home_dirs($1_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) @@ -524,6 +283,159 @@ template(`ssh_server_template', ` ######################################## ## +## Role access for ssh +## +## +## +## The prefix of the role (e.g., user +## is the prefix for user_r). +## +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +template(`ssh_role_template',` + gen_require(` + attribute ssh_server, ssh_agent_type; + + type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t; + type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; + type ssh_agent_tmp_t; + ') + + ############################## + # + # Declarations + # + + role $2 types ssh_t; + + type $1_ssh_agent_t, ssh_agent_type; + application_domain($1_ssh_agent_t, ssh_agent_exec_t) + domain_interactive_fd($1_ssh_agent_t) + ubac_constrained($1_ssh_agent_t) + role $2 types $1_ssh_agent_t; + + ############################## + # + # Local policy + # + + # Transition from the domain to the derived domain. + domtrans_pattern($3, ssh_exec_t, ssh_t) + + # inheriting stream sockets is needed for "ssh host command" as no pty + # is allocated + allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms; + + # allow ps to show ssh + ps_process_pattern($3, ssh_t) + allow $3 ssh_t:process signal; + + # for rsync + allow ssh_t $3:unix_stream_socket rw_socket_perms; + allow ssh_t $3:unix_stream_socket connectto; + + # user can manage the keys and config + manage_files_pattern($3, home_ssh_t, home_ssh_t) + manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) + manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) + + ############################## + # + # SSH agent local policy + # + + allow $1_ssh_agent_t self:process setrlimit; + allow $1_ssh_agent_t self:capability setgid; + + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; + + allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) + manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) + files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) + + # for ssh-add + stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + + # Allow the user shell to signal the ssh program. + allow $3 $1_ssh_agent_t:process signal; + + # allow ps to show ssh + ps_process_pattern($3, $1_ssh_agent_t) + + domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) + + kernel_read_kernel_sysctls($1_ssh_agent_t) + + dev_read_urand($1_ssh_agent_t) + dev_read_rand($1_ssh_agent_t) + + fs_search_auto_mountpoints($1_ssh_agent_t) + + # transition back to normal privs upon exec + corecmd_shell_domtrans($1_ssh_agent_t, $3) + corecmd_bin_domtrans($1_ssh_agent_t, $3) + + domain_use_interactive_fds($1_ssh_agent_t) + + files_read_etc_files($1_ssh_agent_t) + files_read_etc_runtime_files($1_ssh_agent_t) + files_search_home($1_ssh_agent_t) + + libs_read_lib_files($1_ssh_agent_t) + + logging_send_syslog_msg($1_ssh_agent_t) + + miscfiles_read_localization($1_ssh_agent_t) + + seutil_dontaudit_read_config($1_ssh_agent_t) + + # Write to the user domain tty. + userdom_use_user_terminals($1_ssh_agent_t) + + # for the transition back to normal privs upon exec + userdom_user_home_domtrans($1_ssh_agent_t, $3) + allow $3 $1_ssh_agent_t:fd use; + allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; + allow $3 $1_ssh_agent_t:process sigchld; + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_ssh_agent_t) + + # transition back to normal privs upon exec + fs_nfs_domtrans($1_ssh_agent_t, $3) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_ssh_agent_t) + + # transition back to normal privs upon exec + fs_cifs_domtrans($1_ssh_agent_t, $3) + ') + + optional_policy(` + nis_use_ypbind($1_ssh_agent_t) + ') + + optional_policy(` + xserver_use_xdm_fds($1_ssh_agent_t) + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') +') + +######################################## +## ## Send a SIGCHLD signal to the ssh server. ## ## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index fcc0a95..f192d2c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh, 1.11.0) +policy_module(ssh, 2.0.0) ######################################## # @@ -21,23 +21,13 @@ gen_tunable(allow_ssh_keysign, false) gen_tunable(ssh_sysadm_login, false) attribute ssh_server; - -# Type for the ssh-agent executable. -type ssh_agent_exec_t; -files_type(ssh_agent_exec_t) - -# ssh client executable. -type ssh_exec_t; -application_executable_file(ssh_exec_t) +attribute ssh_agent_type; type ssh_keygen_t; type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) role system_r types ssh_keygen_t; -type ssh_keysign_exec_t; -application_executable_file(ssh_keysign_exec_t) - type sshd_exec_t; corecmd_executable_file(sshd_exec_t) @@ -55,6 +45,252 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') +type ssh_t; +type ssh_exec_t; +typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; +typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t }; +application_domain(ssh_t, ssh_exec_t) +ubac_constrained(ssh_t) + +type ssh_agent_exec_t; +corecmd_executable_file(ssh_agent_exec_t) + +type ssh_agent_tmp_t; +typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; +typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; +files_tmp_file(ssh_agent_tmp_t) +ubac_constrained(ssh_agent_tmp_t) + +type ssh_keysign_t; +type ssh_keysign_exec_t; +typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t }; +typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t }; +application_domain(ssh_keysign_t, ssh_keysign_exec_t) +ubac_constrained(ssh_keysign_t) + +type ssh_tmpfs_t; +typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; +typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; +files_tmpfs_file(ssh_tmpfs_t) +ubac_constrained(ssh_tmpfs_t) + +type home_ssh_t; +typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; +typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; +files_type(home_ssh_t) +userdom_user_home_content(home_ssh_t) + +############################## +# +# SSH client local policy +# + +allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow ssh_t self:fd use; +allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; +allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ssh_t self:shm create_shm_perms; +allow ssh_t self:sem create_sem_perms; +allow ssh_t self:msgq create_msgq_perms; +allow ssh_t self:msg { send receive }; +allow ssh_t self:tcp_socket create_socket_perms; +allow ssh_t self:netlink_route_socket r_netlink_socket_perms; + +# Read the ssh key file. +allow ssh_t sshd_key_t:file read_file_perms; + +# Access the ssh temporary files. +allow ssh_t sshd_tmp_t:dir manage_dir_perms; +allow ssh_t sshd_tmp_t:file manage_file_perms; +files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir }) + +manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) +manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) +userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) + +# Allow the ssh program to communicate with ssh-agent. +stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) + +allow ssh_t sshd_t:unix_stream_socket connectto; + +# ssh client can manage the keys and config +manage_files_pattern(ssh_t,home_ssh_t,home_ssh_t) +read_lnk_files_pattern(ssh_t,home_ssh_t,home_ssh_t) + +# ssh servers can read the user keys and config +allow ssh_server home_ssh_t:dir list_dir_perms; +read_files_pattern(ssh_server,home_ssh_t,home_ssh_t) +read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t) + +kernel_read_kernel_sysctls(ssh_t) + +corenet_all_recvfrom_unlabeled(ssh_t) +corenet_all_recvfrom_netlabel(ssh_t) +corenet_tcp_sendrecv_all_if(ssh_t) +corenet_tcp_sendrecv_all_nodes(ssh_t) +corenet_tcp_sendrecv_all_ports(ssh_t) +corenet_tcp_connect_ssh_port(ssh_t) +corenet_sendrecv_ssh_client_packets(ssh_t) + +dev_read_urand(ssh_t) + +fs_getattr_all_fs(ssh_t) +fs_search_auto_mountpoints(ssh_t) + +# run helper programs - needed eg for x11-ssh-askpass +corecmd_exec_shell(ssh_t) +corecmd_exec_bin(ssh_t) + +domain_use_interactive_fds(ssh_t) + +files_list_home(ssh_t) +files_read_usr_files(ssh_t) +files_read_etc_runtime_files(ssh_t) +files_read_etc_files(ssh_t) +files_read_var_files(ssh_t) + +logging_send_syslog_msg(ssh_t) +logging_read_generic_logs(ssh_t) + +miscfiles_read_localization(ssh_t) + +seutil_read_config(ssh_t) + +sysnet_read_config(ssh_t) +sysnet_dns_name_resolve(ssh_t) + +userdom_dontaudit_list_user_home_dirs(ssh_t) +userdom_search_user_home_dirs(ssh_t) +# Write to the user domain tty. +userdom_use_user_terminals(ssh_t) +# needs to read krb tgt +userdom_read_user_tmp_files(ssh_t) + +tunable_policy(`allow_ssh_keysign',` + domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) + allow ssh_keysign_t ssh_t:fd use; + allow ssh_keysign_t ssh_t:process sigchld; + allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; +') + +tunable_policy(`read_default_t',` + files_list_default(ssh_t) + files_read_default_files(ssh_t) + files_read_default_symlinks(ssh_t) + files_read_default_sockets(ssh_t) + files_read_default_pipes(ssh_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ssh_t) + fs_manage_nfs_files(ssh_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(ssh_t) + fs_manage_cifs_files(ssh_t) +') + +# for port forwarding +tunable_policy(`user_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) +') + +optional_policy(` + kerberos_use(ssh_t) +') + +optional_policy(` + nis_use_ypbind(ssh_t) +') + +optional_policy(` + nscd_socket_use(ssh_t) +') + +optional_policy(` + xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) + xserver_domtrans_xauth(ssh_t) +') + +######################################## +# +# ssh_keygen local policy +# + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t + +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; + +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow ssh_keygen_t sshd_key_t:file manage_file_perms; +files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) + +kernel_read_kernel_sysctls(ssh_keygen_t) + +fs_search_auto_mountpoints(ssh_keygen_t) + +dev_read_sysfs(ssh_keygen_t) +dev_read_urand(ssh_keygen_t) + +term_dontaudit_use_console(ssh_keygen_t) + +domain_use_interactive_fds(ssh_keygen_t) + +files_read_etc_files(ssh_keygen_t) + +init_use_fds(ssh_keygen_t) +init_use_script_ptys(ssh_keygen_t) + +logging_send_syslog_msg(ssh_keygen_t) + +userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) + +optional_policy(` + nscd_socket_use(ssh_keygen_t) +') + +optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +') + +optional_policy(` + udev_read_db(ssh_keygen_t) +') + +############################## +# +# ssh_keysign_t local policy +# + +tunable_policy(`allow_ssh_keysign',` + allow ssh_keysign_t self:capability { setgid setuid }; + allow ssh_keysign_t self:unix_stream_socket create_socket_perms; + + allow ssh_keysign_t sshd_key_t:file { getattr read }; + + dev_read_urand(ssh_keysign_t) + + files_read_etc_files(ssh_keysign_t) +') + +optional_policy(` + tunable_policy(`allow_ssh_keysign',` + nscd_socket_use(ssh_keysign_t) + ') +') + ################################# # # sshd local policy @@ -74,6 +310,10 @@ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) kernel_search_key(sshd_t) kernel_link_key(sshd_t) +term_use_all_user_ptys(sshd_t) +term_setattr_all_user_ptys(sshd_t) +term_relabelto_all_user_ptys(sshd_t) + # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -83,19 +323,11 @@ tunable_policy(`ssh_sysadm_login',` # ioctl is necessary for logout() processing for utmp entry and for w to # display the tty. # some versions of sshd on the new SE Linux require setattr - term_use_all_user_ptys(sshd_t) - term_setattr_all_user_ptys(sshd_t) - term_relabelto_all_user_ptys(sshd_t) - userdom_spec_domtrans_all_users(sshd_t) userdom_signal_all_users(sshd_t) ',` userdom_spec_domtrans_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t) - - userdom_setattr_unpriv_users_ptys(sshd_t) - userdom_relabelto_unpriv_users_ptys(sshd_t) - userdom_use_unpriv_users_ptys(sshd_t) ') optional_policy(` @@ -111,9 +343,9 @@ optional_policy(` ') optional_policy(` - rssh_spec_domtrans_all_users(sshd_t) + rssh_spec_domtrans(sshd_t) # For reading /home/user/.ssh - rssh_read_all_users_ro_content(sshd_t) + rssh_read_ro_content(sshd_t) ') optional_policy(` diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index 4d32293..3a4e7b8 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -1,5 +1,5 @@ -policy_module(stunnel, 1.7.0) +policy_module(stunnel, 1.7.1) ######################################## # @@ -86,8 +86,7 @@ ifdef(`distro_gentoo', ` domain_use_interactive_fds(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) - - sysadm_dontaudit_search_home_dirs(stunnel_t) + userdom_dontaudit_search_user_home_dirs(stunnel_t) optional_policy(` daemontools_service_domain(stunnel_t, stunnel_exec_t) diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te index 6cc56c8..dbdd85a 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -1,5 +1,5 @@ -policy_module(sysstat, 1.3.0) +policy_module(sysstat, 1.3.1) ######################################## # @@ -57,7 +57,7 @@ locallogin_use_fds(sysstat_t) miscfiles_read_localization(sysstat_t) -sysadm_dontaudit_list_home_dirs(sysstat_t) +userdom_dontaudit_list_user_home_dirs(sysstat_t) optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te index 12c6a7b..cda45ef 100644 --- a/policy/modules/services/telnet.te +++ b/policy/modules/services/telnet.te @@ -1,5 +1,5 @@ -policy_module(telnet, 1.7.0) +policy_module(telnet, 1.7.1) ######################################## # @@ -84,7 +84,7 @@ seutil_read_config(telnetd_t) remotelogin_domtrans(telnetd_t) -userdom_search_unpriv_users_home_dirs(telnetd_t) +userdom_search_user_home_dirs(telnetd_t) optional_policy(` kerberos_use(telnetd_t) diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 154671d..67b736a 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -1,5 +1,5 @@ -policy_module(tftp, 1.9.0) +policy_module(tftp, 1.9.1) ######################################## # @@ -87,8 +87,8 @@ miscfiles_read_localization(tftpd_t) miscfiles_read_public_files(tftpd_t) userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -sysadm_dontaudit_use_ttys(tftpd_t) -sysadm_dontaudit_search_home_dirs(tftpd_t) +userdom_dontaudit_use_user_terminals(tftpd_t) +userdom_dontaudit_search_user_home_dirs(tftpd_t) tunable_policy(`tftp_anon_write',` miscfiles_manage_public_files(tftpd_t) diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te index 344422a..8147f5a 100644 --- a/policy/modules/services/timidity.te +++ b/policy/modules/services/timidity.te @@ -1,5 +1,5 @@ -policy_module(timidity, 1.7.0) +policy_module(timidity, 1.7.1) # Note: You only need this policy if you want to run timidity as a server @@ -75,7 +75,7 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t) # stupid timidity won't start if it can't search its current directory. # allow this so /etc/init.d/alsasound start works from /root # cjp: this should be fixed if possible so this rule can be removed. -sysadm_search_home_dirs(timidity_t) +userdom_search_user_home_dirs(timidity_t) optional_policy(` seutil_sigchld_newrole(timidity_t) diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te index fa408a9..0599626 100644 --- a/policy/modules/services/transproxy.te +++ b/policy/modules/services/transproxy.te @@ -1,5 +1,5 @@ -policy_module(transproxy, 1.5.0) +policy_module(transproxy, 1.5.1) ######################################## # @@ -55,8 +55,7 @@ miscfiles_read_localization(transproxy_t) sysnet_read_config(transproxy_t) userdom_dontaudit_use_unpriv_user_fds(transproxy_t) - -sysadm_dontaudit_search_home_dirs(transproxy_t) +userdom_dontaudit_search_user_home_dirs(transproxy_t) optional_policy(` seutil_sigchld_newrole(transproxy_t) diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te index 97a478c..86bdd42 100644 --- a/policy/modules/services/uptime.te +++ b/policy/modules/services/uptime.te @@ -1,5 +1,5 @@ -policy_module(uptime, 1.3.0) +policy_module(uptime, 1.3.1) ######################################## # @@ -59,8 +59,7 @@ logging_send_syslog_msg(uptimed_t) miscfiles_read_localization(uptimed_t) userdom_dontaudit_use_unpriv_user_fds(uptimed_t) - -sysadm_dontaudit_search_home_dirs(uptimed_t) +userdom_dontaudit_search_user_home_dirs(uptimed_t) optional_policy(` mta_send_mail(uptimed_t) diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te index 234cf68..34ffa8b 100644 --- a/policy/modules/services/uwimap.te +++ b/policy/modules/services/uwimap.te @@ -1,5 +1,5 @@ -policy_module(uwimap, 1.6.0) +policy_module(uwimap, 1.6.1) ######################################## # @@ -74,9 +74,12 @@ sysnet_read_config(imapd_t) userdom_dontaudit_use_unpriv_user_fds(imapd_t) # cjp: this is excessive, should be limited to the # mail directories -userdom_priveleged_home_dir_manager(imapd_t) - -sysadm_dontaudit_search_home_dirs(imapd_t) +userdom_manage_user_home_content_dirs(imapd_t) +userdom_manage_user_home_content_files(imapd_t) +userdom_manage_user_home_content_symlinks(imapd_t) +userdom_manage_user_home_content_pipes(imapd_t) +userdom_manage_user_home_content_sockets(imapd_t) +userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file }) mta_rw_spool(imapd_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 7c1c1b8..6aff9bd 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -1,5 +1,5 @@ -policy_module(virt, 1.0.0) +policy_module(virt, 1.0.1) ######################################## # @@ -144,7 +144,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(virtd, virtd_t) + dbus_system_bus_client(virtd_t) optional_policy(` avahi_dbus_chat(virtd_t) diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 11c4d04..0ac9daa 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -1,5 +1,5 @@ -policy_module(watchdog, 1.5.0) +policy_module(watchdog, 1.5.1) ################################# # @@ -87,8 +87,7 @@ miscfiles_read_localization(watchdog_t) sysnet_read_config(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) - -sysadm_dontaudit_search_home_dirs(watchdog_t) +userdom_dontaudit_search_user_home_dirs(watchdog_t) optional_policy(` mta_send_mail(watchdog_t) diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index 0b49a20..025f9fa 100644 --- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -1,5 +1,5 @@ -policy_module(xfs, 1.4.0) +policy_module(xfs, 1.4.1) ######################################## # @@ -70,8 +70,7 @@ miscfiles_read_localization(xfs_t) miscfiles_read_fonts(xfs_t) userdom_dontaudit_use_unpriv_user_fds(xfs_t) - -sysadm_dontaudit_search_home_dirs(xfs_t) +userdom_dontaudit_search_user_home_dirs(xfs_t) xfs_exec(xfs_t) diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te index 7e39ac9..0a09bb0 100644 --- a/policy/modules/services/xprint.te +++ b/policy/modules/services/xprint.te @@ -1,5 +1,5 @@ -policy_module(xprint, 1.5.0) +policy_module(xprint, 1.5.1) ######################################## # @@ -64,8 +64,7 @@ miscfiles_read_localization(xprint_t) sysnet_read_config(xprint_t) userdom_dontaudit_use_unpriv_user_fds(xprint_t) - -sysadm_dontaudit_search_home_dirs(xprint_t) +userdom_dontaudit_search_user_home_dirs(xprint_t) optional_policy(` cups_read_config(xprint_t) diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 1c4a31d..df70a29 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -1,13 +1,13 @@ # # HOME_DIR # -HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0) -HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0) -HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) -HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) -HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) -HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) -HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) +HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev @@ -49,7 +49,7 @@ ifdef(`distro_redhat',` /tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.ICE-unix/.* -s <> -/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) +/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index ffa2bd7..43f64fc 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1,518 +1,135 @@ ## X Windows Server -####################################### -## -## Template to create types and rules common to -## all X server domains. -## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`xserver_common_domain_template',` - gen_require(` - type xkb_var_lib_t, xserver_exec_t, xserver_log_t; - - attribute x_server_domain; - class x_drawable all_x_drawable_perms; - class x_colormap all_x_colormap_perms; - class x_screen all_x_screen_perms; - ') - - ############################## - # - # Declarations - # - - attribute $1_x_domain; - attribute $1_input_xevent_type; - - type $1_rootwindow_t, rootwindow_type; - - type $1_xserver_t, x_server_domain; - domain_type($1_xserver_t) - domain_entry_file($1_xserver_t, xserver_exec_t) - - type $1_xserver_tmp_t; - files_tmp_file($1_xserver_tmp_t) - - type $1_xserver_tmpfs_t; - files_tmpfs_file($1_xserver_tmpfs_t) - - ############################## - # - # $1_xserver_t local policy - # - - # setuid/setgid for the wrapper program to change UID - # sys_rawio is for iopl access - should not be needed for frame-buffer - # sys_admin, locking shared mem? chowning IPC message queues or semaphores? - # admin of APM bios? - # sys_nice is so that the X server can set a negative nice value - # execheap needed until the X module loader is fixed. - # NVIDIA Needs execstack - - allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; - dontaudit $1_xserver_t self:capability chown; - allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_xserver_t self:memprotect mmap_zero; - allow $1_xserver_t self:fd use; - allow $1_xserver_t self:fifo_file rw_fifo_file_perms; - allow $1_xserver_t self:sock_file read_sock_file_perms; - allow $1_xserver_t self:shm create_shm_perms; - allow $1_xserver_t self:sem create_sem_perms; - allow $1_xserver_t self:msgq create_msgq_perms; - allow $1_xserver_t self:msg { send receive }; - allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_xserver_t self:tcp_socket create_stream_socket_perms; - allow $1_xserver_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t) - manage_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t) - manage_sock_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t) - files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) - - filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) - ifdef(`enable_mls',` - range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh; - ') - - manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) - manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) - manage_lnk_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) - manage_fifo_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) - manage_sock_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) - fs_tmpfs_filetrans($1_xserver_t, $1_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - manage_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t) - manage_lnk_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t) - files_search_var_lib($1_xserver_t) - - # Create files in /var/log with the xserver_log_t type. - manage_files_pattern($1_xserver_t, xserver_log_t, xserver_log_t) - logging_log_filetrans($1_xserver_t, xserver_log_t, file) - - # Labeling rules for default windows and colormaps - type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t; - ifdef(`enable_mls',` - range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh; - ') - - kernel_read_system_state($1_xserver_t) - kernel_read_device_sysctls($1_xserver_t) - kernel_read_modprobe_sysctls($1_xserver_t) - # Xorg wants to check if kernel is tainted - kernel_read_kernel_sysctls($1_xserver_t) - kernel_write_proc_files($1_xserver_t) - - # Run helper programs in $1_xserver_t. - corecmd_exec_bin($1_xserver_t) - corecmd_exec_shell($1_xserver_t) - - corenet_all_recvfrom_unlabeled($1_xserver_t) - corenet_all_recvfrom_netlabel($1_xserver_t) - corenet_tcp_sendrecv_generic_if($1_xserver_t) - corenet_udp_sendrecv_generic_if($1_xserver_t) - corenet_tcp_sendrecv_all_nodes($1_xserver_t) - corenet_udp_sendrecv_all_nodes($1_xserver_t) - corenet_tcp_sendrecv_all_ports($1_xserver_t) - corenet_udp_sendrecv_all_ports($1_xserver_t) - corenet_tcp_bind_all_nodes($1_xserver_t) - corenet_tcp_bind_xserver_port($1_xserver_t) - corenet_tcp_connect_all_ports($1_xserver_t) - corenet_sendrecv_xserver_server_packets($1_xserver_t) - corenet_sendrecv_all_client_packets($1_xserver_t) - - dev_rw_sysfs($1_xserver_t) - dev_rw_mouse($1_xserver_t) - dev_rw_mtrr($1_xserver_t) - dev_rw_apm_bios($1_xserver_t) - dev_rw_agp($1_xserver_t) - dev_rw_framebuffer($1_xserver_t) - dev_manage_dri_dev($1_xserver_t) - dev_create_generic_dirs($1_xserver_t) - dev_setattr_generic_dirs($1_xserver_t) - # raw memory access is needed if not using the frame buffer - dev_read_raw_memory($1_xserver_t) - dev_wx_raw_memory($1_xserver_t) - # for other device nodes such as the NVidia binary-only driver - dev_rw_xserver_misc($1_xserver_t) - # read events - the synaptics touchpad driver reads raw events - dev_rw_input_dev($1_xserver_t) - dev_rwx_zero($1_xserver_t) - - domain_mmap_low($1_xserver_t) - - files_read_etc_files($1_xserver_t) - files_read_etc_runtime_files($1_xserver_t) - files_read_usr_files($1_xserver_t) - - # brought on by rhgb - files_search_mnt($1_xserver_t) - # for nscd - files_dontaudit_search_pids($1_xserver_t) - - fs_getattr_xattr_fs($1_xserver_t) - fs_search_nfs($1_xserver_t) - fs_search_auto_mountpoints($1_xserver_t) - fs_search_ramfs($1_xserver_t) - - selinux_validate_context($1_xserver_t) - selinux_compute_access_vector($1_xserver_t) - selinux_compute_create_context($1_xserver_t) - - auth_use_nsswitch($1_xserver_t) - - init_getpgid($1_xserver_t) - - term_setattr_unallocated_ttys($1_xserver_t) - term_use_unallocated_ttys($1_xserver_t) - - logging_send_syslog_msg($1_xserver_t) - logging_send_audit_msgs($1_xserver_t) - - miscfiles_read_localization($1_xserver_t) - miscfiles_read_fonts($1_xserver_t) - - modutils_domtrans_insmod($1_xserver_t) - - # read x_contexts - seutil_read_default_contexts($1_xserver_t) - - ifndef(`distro_redhat',` - allow $1_xserver_t self:process { execmem execheap execstack }; - ') - - ifdef(`distro_rhel4',` - allow $1_xserver_t self:process { execmem execheap execstack }; - ') - - tunable_policy(`!xserver_object_manager',` - # should be xserver_unconfined($1_xserver_t), - # but typeattribute doesnt work in conditionals - gen_require(` - attribute x_server_domain, x_domain; - attribute xproperty_type, xselection_type; - attribute xextension_type, xevent_type; - attribute rootwindow_type; - - type remote_xclient_t; - ') - allow $1_xserver_t x_server_domain:x_server *; - allow $1_xserver_t { x_domain rootwindow_type }:x_drawable *; - allow $1_xserver_t x_server_domain:x_screen *; - allow $1_xserver_t x_domain:x_gc *; - allow $1_xserver_t { x_domain rootwindow_type }:x_colormap *; - allow $1_xserver_t xproperty_type:x_property *; - allow $1_xserver_t xselection_type:x_selection *; - allow $1_xserver_t x_domain:x_cursor *; - allow $1_xserver_t { x_domain remote_xclient_t }:x_client *; - allow $1_xserver_t { x_domain x_server_domain }:x_device *; - allow $1_xserver_t xextension_type:x_extension *; - allow $1_xserver_t { x_domain x_server_domain }:x_resource *; - allow $1_xserver_t xevent_type:{ x_event x_synthetic_event } *; - ') - - optional_policy(` - apm_stream_connect($1_xserver_t) - ') - - optional_policy(` - auth_search_pam_console_data($1_xserver_t) - ') - - optional_policy(` - rhgb_getpgid($1_xserver_t) - rhgb_signal($1_xserver_t) - ') - - optional_policy(` - xfs_stream_connect($1_xserver_t) - ') -') - -####################################### +######################################## ## -## The per role template for the xserver module. +## Rules required for using the X Windows server +## and environment. ## -## -##

-## Define a derived domain for the X server when executed -## by a user domain (e.g. via startx). See the xdm module -## if using an X Display Manager. -##

-##

-## This is invoked automatically for each user and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access. ## ## -## -## -## The type of the user domain. -## -## -## +## ## -## The role associated with the user domain. +## Domain allowed access. ## ## # -template(`xserver_per_role_template',` - +interface(`xserver_role',` gen_require(` - type iceauth_exec_t, xauth_exec_t; - attribute fonts_type, fonts_cache_type, fonts_config_type; - ') - - ############################## - # - # Declarations - # - - xserver_common_domain_template($1) - role $3 types $1_xserver_t; - - type $1_fonts_t, fonts_type; - userdom_user_home_content($1, $1_fonts_t) - - type $1_fonts_cache_t, fonts_cache_type; - userdom_user_home_content($1, $1_fonts_cache_t) + type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + type iceauth_t, iceauth_exec_t, iceauth_home_t; + type xauth_t, xauth_exec_t, xauth_home_t; - type $1_fonts_config_t, fonts_config_type; - userdom_user_home_content($1, $1_fonts_cache_t) + type info_xproperty_t, rootwindow_t; - type $1_iceauth_t; - domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t, iceauth_exec_t) - role $3 types $1_iceauth_t; - - type $1_iceauth_home_t alias $1_iceauth_rw_t; - files_poly_member($1_iceauth_home_t) - userdom_user_home_content($1, $1_iceauth_home_t) - - type $1_xauth_t; - domain_type($1_xauth_t) - domain_entry_file($1_xauth_t, xauth_exec_t) - role $3 types $1_xauth_t; - - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1, $1_xauth_home_t) - - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) - - ############################## - # - # $1_xserver_t Local policy - # - - domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + class x_drawable all_x_drawable_perms; + class x_screen all_x_screen_perms; + class x_gc all_x_gc_perms; + class x_font all_x_font_perms; + class x_colormap all_x_colormap_perms; + class x_property all_x_property_perms; + class x_selection all_x_selection_perms; + class x_cursor all_x_cursor_perms; + class x_client all_x_client_perms; + class x_device all_x_device_perms; + class x_server all_x_server_perms; + class x_extension all_x_extension_perms; + class x_resource all_x_resource_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; + ') - allow $1_xserver_t $1_xauth_home_t:file read_file_perms; + role $1 types { xserver_t xauth_t iceauth_t }; - domtrans_pattern($2, xserver_exec_t, $1_xserver_t) - allow $1_xserver_t $2:process signal; + domtrans_pattern($2, xserver_exec_t, xserver_t) + allow xserver_t $2:process signal; - allow $1_xserver_t $2:shm rw_shm_perms; + allow xserver_t $2:shm rw_shm_perms; - manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t) - manage_files_pattern($2, $1_fonts_t, $1_fonts_t) - relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t) - relabel_files_pattern($2, $1_fonts_t, $1_fonts_t) + manage_dirs_pattern($2, user_fonts_t, user_fonts_t) + manage_files_pattern($2, user_fonts_t, user_fonts_t) + relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) + relabel_files_pattern($2, user_fonts_t, user_fonts_t) - manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t) - manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) - relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) + manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - # For startup relabel - allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; + manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t) + stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; # Communicate via System V shared memory. - allow $1_xserver_t $2:shm rw_shm_perms; - allow $2 $1_xserver_t:shm rw_shm_perms; - - getty_use_fds($1_xserver_t) - - locallogin_use_fds($1_xserver_t) - - userdom_search_user_home_dirs($1, $1_xserver_t) - userdom_use_user_ttys($1, $1_xserver_t) - userdom_setattr_user_ttys($1, $1_xserver_t) - userdom_rw_user_tmpfs_files($1, $1_xserver_t) - - xserver_use_user_fonts($1, $1_xserver_t) - xserver_rw_xdm_tmp_files($1_xauth_t) - - optional_policy(` - userhelper_search_config($1_xserver_t) - ') - - ifdef(`TODO',` - ifdef(`xdm.te', ` - allow $1_t xdm_tmp_t:sock_file unlink; - allow $1_xserver_t xdm_var_run_t:dir search; - ') - ') dnl end TODO - - ############################## - # - # $1_xauth_t Local policy - # + allow xserver_t $2:shm rw_shm_perms; + allow $2 xserver_t:shm rw_shm_perms; - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; + # allow ps to show iceauth + ps_process_pattern($2, iceauth_t) - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) + domtrans_pattern($2, iceauth_exec_t, iceauth_t) - manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) + allow $2 iceauth_home_t:file manage_file_perms; + allow $2 iceauth_home_t:file { relabelfrom relabelto }; - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + domtrans_pattern($2, xauth_exec_t, xauth_t) - allow $2 $1_xauth_t:process signal; + allow $2 xauth_t:process signal; # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) - - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file) - - domain_use_interactive_fds($1_xauth_t) - - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) - - fs_getattr_xattr_fs($1_xauth_t) - fs_search_auto_mountpoints($1_xauth_t) + ps_process_pattern($2,xauth_t) - # cjp: why? - term_use_ptmx($1_xauth_t) + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; - auth_use_nsswitch($1_xauth_t) - - userdom_use_user_terminals($1, $1_xauth_t) - userdom_read_user_tmp_files($1, $1_xauth_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_xauth_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_xauth_t) - ') - - optional_policy(` - ssh_sigchld($1_xauth_t) - ssh_read_pipes($1_xauth_t) - ssh_dontaudit_rw_tcp_sockets($1_xauth_t) - ') - - ############################## - # - # $1_iceauth_t Local policy - # - - domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) - - allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file) - - # allow ps to show iceauth - ps_process_pattern($2, $1_iceauth_t) - - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; - - allow xdm_t $1_iceauth_home_t:file read_file_perms; - - fs_search_auto_mountpoints($1_iceauth_t) - - userdom_use_user_terminals($1, $1_iceauth_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) - ') + xserver_common_x_domain_template(user, $2) ############################## # # User X object manager local policy # - # Device rules - allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell }; - - allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send; - allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send; - # manage: xhost X11:ChangeHosts # freeze: metacity X11:GrabKey # force_cursor: metacity X11:GrabPointer - allow $2 $1_xserver_t:x_device { manage freeze force_cursor }; + allow $2 xserver_t:x_device { manage freeze force_cursor }; # gnome-settings-daemon XKEYBOARD:SetControls - allow $2 $1_xserver_t:x_server manage; + allow $2 xserver_t:x_server manage; # gnome-settings-daemon RANDR:SelectInput - allow $2 $1_xserver_t:x_resource write; + allow $2 xserver_t:x_resource write; # metacity X11:InstallColormap X11:UninstallColormap - allow $2 $1_rootwindow_t:x_colormap { install uninstall }; + allow $2 rootwindow_t:x_colormap { install uninstall }; # read: gnome-settings-daemon RANDR:GetScreenSizeRange # write: gnome-settings-daemon RANDR:SelectInput # setattr: gnome-settings-daemon X11:GrabKey # manage: metacity X11:ChangeWindowAttributes - allow $2 $1_rootwindow_t:x_drawable { read write manage setattr }; + allow $2 rootwindow_t:x_drawable { read write manage setattr }; # setattr: metacity X11:InstallColormap - allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr }; + allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER - allow $2 info_xproperty_t:x_property { create write append }; - - mls_xwin_read_to_clearance($1_xserver_t) - - xserver_common_x_domain_template($1, $1, $2) + allow $2 info_xproperty_t:x_property { create append write }; ') ####################################### ## -## Template for creating sessions on a -## prefix X server, with read-only +## Create sessions on the X server, with read-only ## access to the X server shared ## memory segments. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -524,42 +141,35 @@ template(`xserver_per_role_template',` ## ## # -template(`xserver_ro_session_template',` +interface(`xserver_ro_session',` gen_require(` - type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t; + type xserver_t, xserver_tmp_t, xserver_tmpfs_t; ') # Xserver read/write client shm - allow $1_xserver_t $2:fd use; - allow $1_xserver_t $2:shm rw_shm_perms; - allow $1_xserver_t $3:file rw_file_perms; + allow xserver_t $1:fd use; + allow xserver_t $1:shm rw_shm_perms; + allow xserver_t $2:file rw_file_perms; # Connect to xserver - allow $2 $1_xserver_t:unix_stream_socket connectto; - allow $2 $1_xserver_t:process signal; + allow $1 xserver_t:unix_stream_socket connectto; + allow $1 xserver_t:process signal; # Read /tmp/.X0-lock - allow $2 $1_xserver_tmp_t:file read_file_perms; + allow $1 xserver_tmp_t:file { getattr read }; # Client read xserver shm - allow $2 $1_xserver_t:fd use; - allow $2 $1_xserver_t:shm r_shm_perms; - allow $2 $1_xserver_tmpfs_t:file read_file_perms; + allow $1 xserver_t:fd use; + allow $1 xserver_t:shm r_shm_perms; + allow $1 xserver_tmpfs_t:file read_file_perms; ') ####################################### ## -## Template for creating sessions on a -## prefix X server, with read and write +## Create sessions on the X server, with read and write ## access to the X server shared ## memory segments. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -571,27 +181,21 @@ template(`xserver_ro_session_template',` ## ## # -template(`xserver_rw_session_template',` +interface(`xserver_rw_session',` gen_require(` - type $1_xserver_t, $1_xserver_tmpfs_t; + type xserver_t, xserver_tmpfs_t; ') - xserver_ro_session_template($1, $2, $3) - allow $2 $1_xserver_t:shm rw_shm_perms; - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + xserver_ro_session($1,$2) + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; ') ####################################### ## -## Template for creating full client sessions +## Create full client sessions ## on a user X server. ## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -603,47 +207,46 @@ template(`xserver_rw_session_template',` ## ## # -template(`xserver_user_client_template',` +interface(`xserver_user_client',` # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; + type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; + allow $1 self:shm create_shm_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $2 $1_xauth_home_t:file read_file_perms; - allow $2 $1_iceauth_home_t:file read_file_perms; + allow $1 xauth_home_t:file { getattr read }; + allow $1 iceauth_home_t:file { getattr read }; # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; + allow $1 xdm_t:fd use; + allow $1 xdm_t:fifo_file { getattr read write ioctl }; + allow $1 xdm_tmp_t:dir search; + allow $1 xdm_tmp_t:sock_file { read write }; + dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. - files_search_tmp($2) + files_search_tmp($1) - miscfiles_read_fonts($2) + miscfiles_read_fonts($1) - userdom_search_user_home_dirs($1, $2) + userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1, $2) + userdom_dontaudit_write_user_home_content_files($1) - xserver_ro_session_template(xdm, $2, $3) - xserver_rw_session_template($1, $2, $3) - xserver_use_user_fonts($1, $2) + xserver_ro_session($1,$2) + xserver_use_user_fonts($1) - xserver_read_xdm_tmp_files($2) + xserver_read_xdm_tmp_files($1) # Client write xserver shm tunable_policy(`allow_write_xshm',` - allow $2 $1_xserver_t:shm rw_shm_perms; - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; ') ') @@ -653,12 +256,6 @@ template(`xserver_user_client_template',` ## an X client domain. Provides the minimal set required by a basic ## X client application. ## -## -## -## The prefix of the X server domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The prefix of the X client domain (e.g., user @@ -673,176 +270,104 @@ template(`xserver_user_client_template',` # template(`xserver_common_x_domain_template',` gen_require(` - type $1_rootwindow_t, std_xext_t, shmem_xext_t; - type xproperty_t, info_xproperty_t, clipboard_xproperty_t; + type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t; + type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t; + type $1_client_xevent_t; + + type rootwindow_t, xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; - type clipboard_xselection_t, xselection_t; - attribute x_server_domain, x_domain; + attribute x_domain; attribute xproperty_type; - attribute xevent_type, xextension_type; - attribute $1_x_domain, $1_input_xevent_type; + attribute xevent_type; + attribute input_xevent_type; class x_drawable all_x_drawable_perms; - class x_screen all_x_screen_perms; - class x_gc all_x_gc_perms; - class x_font all_x_font_perms; - class x_colormap all_x_colormap_perms; class x_property all_x_property_perms; - class x_selection all_x_selection_perms; - class x_cursor all_x_cursor_perms; - class x_client all_x_client_perms; - class x_device all_x_device_perms; - class x_server all_x_server_perms; - class x_extension all_x_extension_perms; - class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; ') ############################## # - # Declarations + # Local Policy # # Type attributes - typeattribute $3 $1_x_domain, x_domain; + typeattribute $2 x_domain; - # Types for properties - type $2_xproperty_t alias $2_default_xproperty_t, xproperty_type; + # X Properties + # can read and write client properties + allow $2 $1_xproperty_t:x_property { create destroy read write append }; + type_transition $2 xproperty_t:x_property $1_xproperty_t; - # Types for events - type $2_input_xevent_t, $1_input_xevent_type, xevent_type; - type $2_property_xevent_t, xevent_type; - type $2_focus_xevent_t, xevent_type; - type $2_manage_xevent_t, xevent_type; - type $2_default_xevent_t, xevent_type; - type $2_client_xevent_t, xevent_type; + # X Windows + # new windows have the domain type + type_transition $2 rootwindow_t:x_drawable $2; + + # X Input + # can receive own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive; + type_transition $2 input_xevent_t:x_event $1_input_xevent_t; + type_transition $2 property_xevent_t:x_event $1_property_xevent_t; + type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t; + type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; + type_transition $2 client_xevent_t:x_event $1_client_xevent_t; + type_transition $2 xevent_t:x_event $1_default_xevent_t; + # can send ICCCM events to myself + allow $2 $1_manage_xevent_t:x_synthetic_event send; +') + +####################################### +## +## Template for creating the set of types used +## in an X windows domain. +## +## +## +## The prefix of the X client domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`xserver_object_types_template',` + gen_require(` + attribute xproperty_type, input_xevent_type, xevent_type; + ') ############################## # - # Local Policy + # Declarations # - # Hacks - # everyone can get the input focus of everyone else - # this is a fundamental brokenness in the X protocol - allow $3 { x_domain x_server_domain }:x_device getfocus; - # everyone can grab the server - # everyone does it, it is basically a free DOS attack - allow $3 x_server_domain:x_server grab; - # everyone can get the font path, etc. - # this could leak out sensitive information - allow $3 x_server_domain:x_server getattr; - # everyone can do override-redirect windows. - # this could be used to spoof labels - allow $3 self:x_drawable override; - # everyone can receive management events on the root window - # allows to know when new windows appear, among other things - allow $3 manage_xevent_t:x_event receive; - - # X Server - # can read server-owned resources - allow $3 x_server_domain:x_resource read; - # can mess with own clients - allow $3 self:x_client { manage destroy }; - - # X Protocol Extensions - allow $3 std_xext_t:x_extension { query use }; - allow $3 shmem_xext_t:x_extension { query use }; - dontaudit $3 xextension_type:x_extension { query use }; + # Types for properties + type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type; + ubac_constrained($1_xproperty_t) - # X Properties - # can read and write client properties - allow $3 $2_xproperty_t:x_property { create destroy read write append }; - type_transition $3 xproperty_t:x_property $2_xproperty_t; - # can read and write cut buffers - allow $3 clipboard_xproperty_t:x_property { create read write append }; - # can read info properties - allow $3 info_xproperty_t:x_property read; - # can change properties of root window - allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property }; - # can change properties of own windows - allow $3 self:x_drawable { list_property get_property set_property }; + # Types for events + type $1_input_xevent_t, input_xevent_type, xevent_type; + ubac_constrained($1_input_xevent_t) - # X Windows - # operations allowed on root windows - allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; - # operations allowed on my windows - allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; - type_transition $3 $1_rootwindow_t:x_drawable $3; + type $1_property_xevent_t, xevent_type; + ubac_constrained($1_property_xevent_t) - # X Colormaps - # can use the default colormap - allow $3 $1_rootwindow_t:x_colormap { read use add_color }; + type $1_focus_xevent_t, xevent_type; + ubac_constrained($1_focus_xevent_t) - # X Input - # can receive own events - allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive; - allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive; - allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive; - allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive; - allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive; - allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } receive; - type_transition $3 input_xevent_t:x_event $2_input_xevent_t; - type_transition $3 property_xevent_t:x_event $2_property_xevent_t; - type_transition $3 focus_xevent_t:x_event $2_focus_xevent_t; - type_transition $3 manage_xevent_t:x_event $2_manage_xevent_t; - type_transition $3 client_xevent_t:x_event $2_client_xevent_t; - type_transition $3 xevent_t:x_event $2_default_xevent_t; - # can receive certain root window events - allow $3 focus_xevent_t:x_event receive; - allow $3 property_xevent_t:x_event receive; - allow $3 client_xevent_t:x_synthetic_event receive; - allow $3 manage_xevent_t:x_synthetic_event receive; - # can send ICCCM events to myself - allow $3 $2_manage_xevent_t:x_synthetic_event send; - # can send ICCCM events to the root window - allow $3 manage_xevent_t:x_synthetic_event send; - allow $3 client_xevent_t:x_synthetic_event send; - - # X Selections - # can use the clipboard - allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; - # can query all other selections - allow $3 xselection_t:x_selection { getattr read }; - - # Other X Objects - # can create and use cursors - allow $3 self:x_cursor *; - # can create and use graphics contexts - allow $3 self:x_gc *; - # can create and use colormaps - allow $3 self:x_colormap *; - # can read and write own objects - allow $3 self:x_resource { read write }; - - tunable_policy(`! xserver_object_manager',` - # should be xserver_unconfined($3), - # but typeattribute doesnt work in conditionals - gen_require(` - attribute x_server_domain, x_domain; - attribute xproperty_type, xselection_type; - attribute xextension_type, xevent_type; - attribute rootwindow_type; - - type remote_xclient_t; - ') - allow $3 x_server_domain:x_server *; - allow $3 { x_domain rootwindow_type }:x_drawable *; - allow $3 x_server_domain:x_screen *; - allow $3 x_domain:x_gc *; - allow $3 { x_domain rootwindow_type }:x_colormap *; - allow $3 xproperty_type:x_property *; - allow $3 xselection_type:x_selection *; - allow $3 x_domain:x_cursor *; - allow $3 { x_domain remote_xclient_t }:x_client *; - allow $3 { x_domain x_server_domain }:x_device *; - allow $3 xextension_type:x_extension *; - allow $3 { x_domain x_server_domain }:x_resource *; - allow $3 xevent_type:{ x_event x_synthetic_event } *; - ') + type $1_manage_xevent_t, xevent_type; + ubac_constrained($1_manage_xevent_t) + + type $1_default_xevent_t, xevent_type; + ubac_constrained($1_default_xevent_t) + + type $1_client_xevent_t, xevent_type; + ubac_constrained($1_client_xevent_t) ') ####################################### @@ -851,12 +376,6 @@ template(`xserver_common_x_domain_template',` ## an X client domain. Provides the minimal set required by a basic ## X client application. ## -## -## -## The prefix of the X server domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## The prefix of the X client domain (e.g., user @@ -877,46 +396,46 @@ template(`xserver_common_x_domain_template',` template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; + type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') - allow $3 self:shm create_shm_perms; - allow $3 self:unix_dgram_socket create_socket_perms; - allow $3 self:unix_stream_socket { connectto create_stream_socket_perms }; + allow $2 self:shm create_shm_perms; + allow $2 self:unix_dgram_socket create_socket_perms; + allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $3 $1_xauth_home_t:file read_file_perms; - allow $3 $1_iceauth_home_t:file read_file_perms; + allow $2 xauth_home_t:file read_file_perms; + allow $2 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system - allow $3 xdm_t:fd use; - allow $3 xdm_t:fifo_file { getattr read write ioctl }; - allow $3 xdm_tmp_t:dir search_dir_perms; - allow $3 xdm_tmp_t:sock_file { read write }; - dontaudit $3 xdm_t:tcp_socket { read write }; + allow $2 xdm_t:fd use; + allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_tmp_t:dir search_dir_perms; + allow $2 xdm_tmp_t:sock_file { read write }; + dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. - files_search_tmp($3) + files_search_tmp($2) - miscfiles_read_fonts($3) + miscfiles_read_fonts($2) - userdom_search_user_home_dirs($1, $3) + userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1, $3) + userdom_dontaudit_write_user_home_content_files($2) - xserver_ro_session_template(xdm, $3, $4) - xserver_rw_session_template($1, $3, $4) - xserver_use_user_fonts($1, $3) + xserver_ro_session($2,$3) + xserver_use_user_fonts($2) - xserver_read_xdm_tmp_files($3) + xserver_read_xdm_tmp_files($2) # X object manager - xserver_common_x_domain_template($1, $2, $3) + xserver_object_types_template($1) + xserver_common_x_domain_template($1,$2) # Client write xserver shm tunable_policy(`allow_write_xshm',` - allow $3 $1_xserver_t:shm rw_shm_perms; - allow $3 $1_xserver_tmpfs_t:file rw_file_perms; + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; ') ') @@ -935,102 +454,66 @@ template(`xserver_user_x_domain_template',` ## be called from a per-userdomain template. ##

## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`xserver_use_user_fonts',` +interface(`xserver_use_user_fonts',` gen_require(` - type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts - allow $2 $1_fonts_t:dir list_dir_perms; - allow $2 $1_fonts_t:file read_file_perms; + allow $1 user_fonts_t:dir list_dir_perms; + allow $1 user_fonts_t:file read_file_perms; # Manipulate the global font cache - manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) - manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) + manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) # Read per user font config - allow $2 $1_fonts_config_t:dir list_dir_perms; - allow $2 $1_fonts_config_t:file read_file_perms; + allow $1 user_fonts_config_t:dir list_dir_perms; + allow $1 user_fonts_config_t:file read_file_perms; - userdom_search_user_home_dirs($1, $2) + userdom_search_user_home_dirs($1) ') ######################################## ## -## Transition to a user Xauthority domain. +## Transition to the Xauthority domain. ## -## -##

-## Transition to a user Xauthority domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`xserver_domtrans_user_xauth',` +interface(`xserver_domtrans_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_t, xauth_exec_t; ') - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + domtrans_pattern($1, xauth_exec_t, xauth_t) ') ######################################## ## -## Transition to a user Xauthority domain. +## Create a Xauthority file in the user home directory. ## -## -##

-## Transition to a user Xauthority domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. ## ## # -template(`xserver_user_home_dir_filetrans_user_xauth',` +interface(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` - type $1_xauth_home_t; + type xauth_home_t; ') - userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file) + userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') ######################################## @@ -1045,23 +528,8 @@ template(`xserver_user_home_dir_filetrans_user_xauth',` ## # interface(`xserver_use_all_users_fonts',` - gen_require(` - attribute fonts_type, fonts_cache_type, fonts_config_type; - ') - - # Read per user fonts - allow $1 fonts_type:dir list_dir_perms; - allow $1 fonts_type:file read_file_perms; - - # Manipulate the global font cache - manage_dirs_pattern($1, fonts_cache_type, fonts_cache_type) - manage_files_pattern($1, fonts_cache_type, fonts_cache_type) - - # Read per user font config - allow $1 fonts_config_type:dir list_dir_perms; - allow $1 fonts_config_type:file read_file_perms; - - userdom_search_all_users_home_dirs($1) + refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') + xserver_use_user_fonts($1) ') ######################################## @@ -1074,13 +542,13 @@ interface(`xserver_use_all_users_fonts',` ##
## # -interface(`xserver_read_all_users_xauth',` +interface(`xserver_read_user_xauth',` gen_require(` - attribute xauth_home_type; + type xauth_home_t; ') - allow $1 xauth_home_type:file read_file_perms; - userdom_search_all_users_home_dirs($1) + allow $1 xauth_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) ') ######################################## @@ -1311,25 +779,6 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## -## Execute the X server in the XDM X server domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_domtrans_xdm_xserver',` - gen_require(` - type xdm_xserver_t, xserver_exec_t; - ') - - allow $1 xdm_xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xdm_xserver_t) -') - -######################################## -## ## Make an X session script an entrypoint for the specified domain. ## ## @@ -1474,24 +923,6 @@ interface(`xserver_read_xkb_libs',` ## ## # -interface(`xserver_read_xdm_xserver_tmp_files',` - gen_require(` - type xdm_xserver_tmp_t; - ') - - allow $1 xdm_xserver_tmp_t:file read_file_perms; -') - -######################################## -## -## Read xdm temporary files. -## -## -## -## Domain to not audit -## -## -# interface(`xserver_read_xdm_tmp_files',` gen_require(` type xdm_tmp_t; @@ -1577,7 +1008,26 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ######################################## ## -## Signal XDM X servers +## Execute the X server in the X server domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_domtrans',` + gen_require(` + type xserver_t, xserver_exec_t; + ') + + allow $1 xserver_t:process siginh; + domtrans_pattern($1, xserver_exec_t, xserver_t) +') + +######################################## +## +## Signal X servers ## ## ## @@ -1585,17 +1035,17 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ## ## # -interface(`xserver_signal_xdm_xserver',` +interface(`xserver_signal',` gen_require(` - type xdm_xserver_t; + type xserver_t; ') - allow $1 xdm_xserver_t:process signal; + allow $1 xserver_t:process signal; ') ######################################## ## -## Kill XDM X servers +## Kill X servers ## ## ## @@ -1603,18 +1053,37 @@ interface(`xserver_signal_xdm_xserver',` ## ## # -interface(`xserver_kill_xdm_xserver',` +interface(`xserver_kill',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:process sigkill; +') + +######################################## +## +## Read and write X server Sys V Shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_shm',` gen_require(` - type xdm_xserver_t; + type xserver_t; ') - allow $1 xdm_xserver_t:process sigkill; + allow $1 xserver_t:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to read and write to -## a XDM X server socket. +## X server sockets. ## ## ## @@ -1622,17 +1091,17 @@ interface(`xserver_kill_xdm_xserver',` ## ## # -interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',` +interface(`xserver_dontaudit_rw_tcp_sockets',` gen_require(` - type xdm_xserver_t; + type xserver_t; ') - dontaudit $1 xdm_xserver_t:tcp_socket { read write }; + dontaudit $1 xserver_t:tcp_socket { read write }; ') ######################################## ## -## Do not audit attempts to read and write xdm_xserver +## Do not audit attempts to read and write X server ## unix domain stream sockets. ## ## @@ -1641,17 +1110,17 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',` ## ## # -interface(`xserver_dontaudit_rw_xdm_stream_sockets',` +interface(`xserver_dontaudit_rw_stream_sockets',` gen_require(` - type xdm_xserver_t; + type xserver_t; ') - dontaudit $1 xdm_xserver_t:unix_stream_socket { read write }; + dontaudit $1 xserver_t:unix_stream_socket { read write }; ') ######################################## ## -## Connect to xdm_xserver over a unix domain +## Connect to the X server over a unix domain ## stream socket. ## ## @@ -1660,31 +1129,32 @@ interface(`xserver_dontaudit_rw_xdm_stream_sockets',` ## ## # -interface(`xserver_stream_connect_xdm_xserver',` +interface(`xserver_stream_connect',` gen_require(` - type xdm_xserver_t, xdm_xserver_tmp_t; + type xserver_t, xserver_tmp_t; ') files_search_tmp($1) - stream_connect_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ') ######################################## ## -## xdm xserver RW shared memory socket. +## Read X server temporary files. ## ## ## -## Domain allowed access. +## Domain to not audit ## ## # -interface(`xserver_rw_xdm_xserver_shm',` +interface(`xserver_read_tmp_files',` gen_require(` - type xdm_xserver_t; + type xserver_tmp_t; ') - allow $1 xdm_xserver_t:shm rw_shm_perms; + allow $1 xserver_tmp_t:file read_file_perms; + files_search_tmp($1) ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 5fae59a..d507654 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,23 @@ -policy_module(xserver, 2.2.0) +policy_module(xserver, 3.0.0) + +gen_require(` + class x_drawable all_x_drawable_perms; + class x_screen all_x_screen_perms; + class x_gc all_x_gc_perms; + class x_font all_x_font_perms; + class x_colormap all_x_colormap_perms; + class x_property all_x_property_perms; + class x_selection all_x_selection_perms; + class x_cursor all_x_cursor_perms; + class x_client all_x_client_perms; + class x_device all_x_device_perms; + class x_server all_x_server_perms; + class x_extension all_x_extension_perms; + class x_resource all_x_resource_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; +') ######################################## # @@ -28,18 +46,10 @@ gen_tunable(xdm_sysadm_login, false) ##
gen_tunable(xserver_object_manager, false) -attribute fonts_type; -attribute fonts_cache_type; -attribute fonts_config_type; -attribute xauth_home_type; - -# Domains +attribute input_xevent_type; attribute xserver_unconfined_type; -attribute x_server_domain; - -# Per-object attributes -attribute rootwindow_type; attribute x_domain; +attribute x_userdomain; attribute xproperty_type; attribute xselection_type; attribute xextension_type; @@ -53,8 +63,18 @@ type debug_xext_t, xextension_type; type directhw_xext_t alias disallowed_xext_t, xextension_type; type focus_xevent_t, xevent_type; +type iceauth_t; type iceauth_exec_t; -application_executable_file(iceauth_exec_t) +typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; +application_domain(iceauth_t, iceauth_exec_t) +ubac_constrained(iceauth_t) + +type iceauth_home_t; +typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +files_poly_member(iceauth_home_t) +userdom_user_home_content(iceauth_home_t) type info_xproperty_t, xproperty_type; type input_xevent_t, xevent_type; @@ -62,19 +82,73 @@ type manage_xevent_t, xevent_type; type output_xext_t, xextension_type; type property_xevent_t, xevent_type; type remote_xclient_t; + +type rootwindow_t; +typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t }; +typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t }; +ubac_constrained(rootwindow_t) + type screensaver_xext_t, xextension_type; type security_xext_t, xextension_type; type shmem_xext_t, xextension_type; type std_xext_t, xextension_type; type video_xext_t, xextension_type; type unknown_xevent_t, xevent_type; + +xserver_object_types_template(user) +typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; +typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; +typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; +typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; +typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t }; +typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; +typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t }; +typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; +typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t }; +typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; +typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t }; +typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; +typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t }; +typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; + +type user_fonts_t; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +userdom_user_home_content(user_fonts_t) + +type user_fonts_cache_t; +typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +userdom_user_home_content(user_fonts_cache_t) + +type user_fonts_config_t; +typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; +typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +userdom_user_home_content(user_fonts_cache_t) + type xevent_t alias default_xevent_t, xevent_type; type xext_t alias unknown_xext_t, xextension_type; type xproperty_t alias default_xproperty_t, xproperty_type; type xselection_t alias default_xselection_t, xselection_type; +type xauth_t; type xauth_exec_t; -application_executable_file(xauth_exec_t) +typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; +typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +application_domain(xauth_t, xauth_exec_t) +ubac_constrained(xauth_t) + +type xauth_home_t; +typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; +typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +files_poly_member(xauth_home_t) +userdom_user_home_content(xauth_home_t) + +type xauth_tmp_t; +typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; +files_tmp_file(xauth_tmp_t) +ubac_constrained(xauth_tmp_t) # this is not actually a device, its a pipe type xconsole_device_t; @@ -112,8 +186,26 @@ type xkb_var_lib_t; files_type(xkb_var_lib_t) # Type for the executable used to start the X server, e.g. Xwrapper. +type xserver_t; type xserver_exec_t; -corecmd_executable_file(xserver_exec_t) +typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; +typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t }; +xserver_object_types_template(xdm) +xserver_common_x_domain_template(xdm,xdm_t) +init_system_domain(xserver_t, xserver_exec_t) +ubac_constrained(xserver_t) + +type xserver_tmp_t; +typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; +typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t }; +files_tmp_file(xserver_tmp_t) +ubac_constrained(xserver_tmp_t) + +type xserver_tmpfs_t; +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; +files_tmpfs_file(xserver_tmpfs_t) +ubac_constrained(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) @@ -122,10 +214,6 @@ corecmd_executable_file(xsession_exec_t) type xserver_log_t; logging_log_file(xserver_log_t) -xserver_common_domain_template(xdm) -xserver_common_x_domain_template(xdm, xdm, xdm_t) -init_system_domain(xdm_xserver_t, xserver_exec_t) - ifdef(`enable_mcs',` init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh) init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh) @@ -137,6 +225,78 @@ optional_policy(` ######################################## # +# Iceauth local policy +# + +allow iceauth_t iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) + +allow xdm_t iceauth_home_t:file read_file_perms; + +fs_search_auto_mountpoints(iceauth_t) + +userdom_use_user_terminals(iceauth_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(iceauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(iceauth_t) +') + +######################################## +# +# Xauth local policy +# + +allow xauth_t self:process signal; +allow xauth_t self:unix_stream_socket create_stream_socket_perms; + +allow xauth_t xauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) + +allow xdm_t xauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) + +domain_use_interactive_fds(xauth_t) + +files_read_etc_files(xauth_t) +files_search_pids(xauth_t) + +fs_getattr_xattr_fs(xauth_t) +fs_search_auto_mountpoints(xauth_t) + +# cjp: why? +term_use_ptmx(xauth_t) + +auth_use_nsswitch(xauth_t) + +userdom_use_user_terminals(xauth_t) +userdom_read_user_tmp_files(xauth_t) + +xserver_rw_xdm_tmp_files(xauth_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(xauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(xauth_t) +') + +optional_policy(` + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) +') + +######################################## +# # XDM Local policy # @@ -186,25 +346,25 @@ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) -allow xdm_t xdm_xserver_t:process signal; -allow xdm_t xdm_xserver_t:unix_stream_socket connectto; +allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:unix_stream_socket connectto; -allow xdm_t xdm_xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xdm_xserver_tmp_t:dir { setattr list_dir_perms }; +allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; +allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; # transition to the xdm xserver -domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t) -allow xdm_xserver_t xdm_t:process signal; -allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; +domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) +allow xserver_t xdm_t:process signal; +allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; -allow xdm_t xdm_xserver_t:shm rw_shm_perms; +allow xdm_t xserver_t:shm rw_shm_perms; # connect to xdm xserver over stream socket -stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) +stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) # Remove /tmp/.X11-unix/X0. -delete_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t) -delete_sock_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t) +delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) +delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) @@ -308,14 +468,12 @@ sysnet_read_config(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) # for .dmrc -userdom_read_unpriv_users_home_content_files(xdm_t) +userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) -sysadm_dontaudit_search_home_dirs(xdm_t) - -xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) +xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) tunable_policy(`use_nfs_home_dirs',` @@ -340,8 +498,8 @@ tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_unpriv_users(xdm_t) # FIXME: # xserver_rw_session_template(xdm,unpriv_userdomain) -# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; -# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; +# dontaudit xserver_t sysadm_t:shm { unix_read unix_write }; +# allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') optional_policy(` @@ -380,6 +538,10 @@ optional_policy(` ') optional_policy(` + resmgr_stream_connect(xdm_t) +') + +optional_policy(` seutil_sigchld_newrole(xdm_t) ') @@ -414,59 +576,275 @@ optional_policy(` ######################################## # +# X server local policy +# + +# setuid/setgid for the wrapper program to change UID +# sys_rawio is for iopl access - should not be needed for frame-buffer +# sys_admin, locking shared mem? chowning IPC message queues or semaphores? +# admin of APM bios? +# sys_nice is so that the X server can set a negative nice value +# execheap needed until the X module loader is fixed. +# NVIDIA Needs execstack + +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +dontaudit xserver_t self:capability chown; +allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow xserver_t self:memprotect mmap_zero; +allow xserver_t self:fd use; +allow xserver_t self:fifo_file rw_fifo_file_perms; +allow xserver_t self:sock_file read_sock_file_perms; +allow xserver_t self:shm create_shm_perms; +allow xserver_t self:sem create_sem_perms; +allow xserver_t self:msgq create_msgq_perms; +allow xserver_t self:msg { send receive }; +allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow xserver_t self:tcp_socket create_stream_socket_perms; +allow xserver_t self:udp_socket create_socket_perms; + +# Device rules +allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; + +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) + +allow xserver_t xauth_home_t:file read_file_perms; + +# Labeling rules for root windows and colormaps +type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; + +allow xserver_t { rootwindow_t x_domain }:x_drawable send; + +manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) + +filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) + +manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +files_search_var_lib(xserver_t) + +# Create files in /var/log with the xserver_log_t type. +manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) +logging_log_filetrans(xserver_t, xserver_log_t,file) + +kernel_read_system_state(xserver_t) +kernel_read_device_sysctls(xserver_t) +kernel_read_modprobe_sysctls(xserver_t) +# Xorg wants to check if kernel is tainted +kernel_read_kernel_sysctls(xserver_t) +kernel_write_proc_files(xserver_t) + +# Run helper programs in xserver_t. +corecmd_exec_bin(xserver_t) +corecmd_exec_shell(xserver_t) + +corenet_all_recvfrom_unlabeled(xserver_t) +corenet_all_recvfrom_netlabel(xserver_t) +corenet_tcp_sendrecv_generic_if(xserver_t) +corenet_udp_sendrecv_generic_if(xserver_t) +corenet_tcp_sendrecv_all_nodes(xserver_t) +corenet_udp_sendrecv_all_nodes(xserver_t) +corenet_tcp_sendrecv_all_ports(xserver_t) +corenet_udp_sendrecv_all_ports(xserver_t) +corenet_tcp_bind_all_nodes(xserver_t) +corenet_tcp_bind_xserver_port(xserver_t) +corenet_tcp_connect_all_ports(xserver_t) +corenet_sendrecv_xserver_server_packets(xserver_t) +corenet_sendrecv_all_client_packets(xserver_t) + +dev_rw_sysfs(xserver_t) +dev_rw_mouse(xserver_t) +dev_rw_mtrr(xserver_t) +dev_rw_apm_bios(xserver_t) +dev_rw_agp(xserver_t) +dev_rw_framebuffer(xserver_t) +dev_manage_dri_dev(xserver_t) +dev_create_generic_dirs(xserver_t) +dev_setattr_generic_dirs(xserver_t) +# raw memory access is needed if not using the frame buffer +dev_read_raw_memory(xserver_t) +dev_wx_raw_memory(xserver_t) +# for other device nodes such as the NVidia binary-only driver +dev_rw_xserver_misc(xserver_t) +# read events - the synaptics touchpad driver reads raw events +dev_rw_input_dev(xserver_t) +dev_rwx_zero(xserver_t) + +domain_mmap_low(xserver_t) + +files_read_etc_files(xserver_t) +files_read_etc_runtime_files(xserver_t) +files_read_usr_files(xserver_t) + +# brought on by rhgb +files_search_mnt(xserver_t) +# for nscd +files_dontaudit_search_pids(xserver_t) + +fs_getattr_xattr_fs(xserver_t) +fs_search_nfs(xserver_t) +fs_search_auto_mountpoints(xserver_t) +fs_search_ramfs(xserver_t) + +mls_xwin_read_to_clearance(xserver_t) + +selinux_validate_context(xserver_t) +selinux_compute_access_vector(xserver_t) +selinux_compute_create_context(xserver_t) + +auth_use_nsswitch(xserver_t) + +init_getpgid(xserver_t) + +term_setattr_unallocated_ttys(xserver_t) +term_use_unallocated_ttys(xserver_t) + +getty_use_fds(xserver_t) + +locallogin_use_fds(xserver_t) + +logging_send_syslog_msg(xserver_t) +logging_send_audit_msgs(xserver_t) + +miscfiles_read_localization(xserver_t) +miscfiles_read_fonts(xserver_t) + +modutils_domtrans_insmod(xserver_t) + +# read x_contexts +seutil_read_default_contexts(xserver_t) + +userdom_search_user_home_dirs(xserver_t) +userdom_use_user_ttys(xserver_t) +userdom_setattr_user_ttys(xserver_t) +userdom_rw_user_tmpfs_files(xserver_t) + +xserver_use_user_fonts(xserver_t) + +ifndef(`distro_redhat',` + allow xserver_t self:process { execmem execheap execstack }; +') + +ifdef(`distro_rhel4',` + allow xserver_t self:process { execmem execheap execstack }; +') + +ifdef(`enable_mls',` + range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; + range_transition xserver_t rootwindow_t:x_drawable s0 - mls_systemhigh; +') + +tunable_policy(`!xserver_object_manager',` + # should be xserver_unconfined(xserver_t), + # but typeattribute doesnt work in conditionals + + allow xserver_t xserver_t:x_server *; + allow xserver_t { x_domain rootwindow_t }:x_drawable *; + allow xserver_t xserver_t:x_screen *; + allow xserver_t x_domain:x_gc *; + allow xserver_t { x_domain rootwindow_t }:x_colormap *; + allow xserver_t xproperty_type:x_property *; + allow xserver_t xselection_type:x_selection *; + allow xserver_t x_domain:x_cursor *; + allow xserver_t { x_domain remote_xclient_t }:x_client *; + allow xserver_t { x_domain xserver_t }:x_device *; + allow xserver_t xextension_type:x_extension *; + allow xserver_t { x_domain xserver_t }:x_resource *; + allow xserver_t xevent_type:{ x_event x_synthetic_event } *; +') + +optional_policy(` + apm_stream_connect(xserver_t) +') + +optional_policy(` + auth_search_pam_console_data(xserver_t) +') + +optional_policy(` + rhgb_getpgid(xserver_t) + rhgb_signal(xserver_t) +') + +optional_policy(` + unconfined_domain_noaudit(xserver_t) + unconfined_domtrans(xserver_t) +') + +optional_policy(` + userhelper_search_config(xserver_t) +') + +optional_policy(` + xfs_stream_connect(xserver_t) +') + +######################################## +# # XDM Xserver local policy # +# cjp: when xdm is configurable via tunable these +# rules will be enabled only when xdm is enabled -allow xdm_xserver_t xdm_t:process { signal getpgid }; -allow xdm_xserver_t xdm_t:shm rw_shm_perms; +allow xserver_t xdm_t:process { signal getpgid }; +allow xserver_t xdm_t:shm rw_shm_perms; -# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open +# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; -dontaudit xdm_xserver_t xdm_var_lib_t:dir search; +allow xserver_t xdm_var_lib_t:file { getattr read }; +dontaudit xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file read_file_perms; +allow xserver_t xdm_var_run_t:file read_file_perms; # Label pid and temporary files with derived types. -manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. -allow xdm_xserver_t xkb_var_lib_t:lnk_file read; -can_exec(xdm_xserver_t, xkb_var_lib_t) -files_search_var_lib(xdm_xserver_t) +allow xserver_t xkb_var_lib_t:lnk_file read; +can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -corenet_tcp_bind_vnc_port(xdm_xserver_t) - -fs_search_auto_mountpoints(xdm_xserver_t) +corenet_tcp_bind_vnc_port(xserver_t) -init_use_fds(xdm_xserver_t) +init_use_fds(xserver_t) # FIXME: After per user fonts are properly working -# xdm_xserver_t may no longer have any reason +# xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) -userdom_read_unpriv_users_home_content_files(xdm_xserver_t) +userdom_read_user_home_content_files(xserver_t) -xserver_use_all_users_fonts(xdm_xserver_t) +xserver_use_user_fonts(xserver_t) tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_xserver_t) - fs_manage_nfs_files(xdm_xserver_t) - fs_manage_nfs_symlinks(xdm_xserver_t) + fs_manage_nfs_dirs(xserver_t) + fs_manage_nfs_files(xserver_t) + fs_manage_nfs_symlinks(xserver_t) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xdm_xserver_t) - fs_manage_cifs_files(xdm_xserver_t) - fs_manage_cifs_symlinks(xdm_xserver_t) + fs_manage_cifs_dirs(xserver_t) + fs_manage_cifs_files(xserver_t) + fs_manage_cifs_symlinks(xserver_t) ') optional_policy(` - dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) - hal_dbus_chat(xdm_xserver_t) + dbus_system_bus_client(xserver_t) + hal_dbus_chat(xserver_t) ') optional_policy(` @@ -474,21 +852,105 @@ optional_policy(` ') optional_policy(` - rhgb_rw_shm(xdm_xserver_t) - rhgb_rw_tmpfs_files(xdm_xserver_t) + rhgb_rw_shm(xserver_t) + rhgb_rw_tmpfs_files(xserver_t) ') -optional_policy(` - unconfined_domain_noaudit(xdm_xserver_t) - unconfined_domtrans(xdm_xserver_t) - - ifndef(`distro_redhat',` - allow xdm_xserver_t self:process { execheap execmem }; - ') +######################################## +# +# Rules common to all X window domains +# - ifdef(`distro_rhel4',` - allow xdm_xserver_t self:process { execheap execmem }; - ') +# Hacks +# everyone can get the input focus of everyone else +# this is a fundamental brokenness in the X protocol +allow x_domain { x_domain xserver_t }:x_device getfocus; +# everyone can grab the server +# everyone does it, it is basically a free DOS attack +allow x_domain xserver_t:x_server grab; +# everyone can get the font path, etc. +# this could leak out sensitive information +allow x_domain xserver_t:x_server getattr; +# everyone can do override-redirect windows. +# this could be used to spoof labels +allow x_domain self:x_drawable override; +# everyone can receive management events on the root window +# allows to know when new windows appear, among other things +allow x_domain manage_xevent_t:x_event receive; + +# X Server +# can read server-owned resources +allow x_domain xserver_t:x_resource read; +# can mess with own clients +allow x_domain self:x_client { manage destroy }; + +# X Protocol Extensions +allow x_domain std_xext_t:x_extension { query use }; +allow x_domain shmem_xext_t:x_extension { query use }; +dontaudit x_domain xextension_type:x_extension { query use }; + +# X Properties +# can read and write cut buffers +allow x_domain clipboard_xproperty_t:x_property { create read write append }; +# can read info properties +allow x_domain info_xproperty_t:x_property read; +# can change properties of root window +allow x_domain rootwindow_t:x_drawable { list_property get_property set_property }; +# can change properties of own windows +allow x_domain self:x_drawable { list_property get_property set_property }; + +# X Windows +# operations allowed on root windows +allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; +# operations allowed on my windows +allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; + +# X Colormaps +# can use the default colormap +allow x_domain rootwindow_t:x_colormap { read use add_color }; + +# X Input +# can receive certain root window events +allow x_domain focus_xevent_t:x_event receive; +allow x_domain property_xevent_t:x_event receive; +allow x_domain client_xevent_t:x_synthetic_event receive; +allow x_domain manage_xevent_t:x_synthetic_event receive; +# can send ICCCM events to the root window +allow x_domain manage_xevent_t:x_synthetic_event send; +allow x_domain client_xevent_t:x_synthetic_event send; +# X Selections +# can use the clipboard +allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; +# can query all other selections +allow x_domain xselection_t:x_selection { getattr read }; + +# Other X Objects +# can create and use cursors +allow x_domain self:x_cursor *; +# can create and use graphics contexts +allow x_domain self:x_gc *; +# can create and use colormaps +allow x_domain self:x_colormap *; +# can read and write own objects +allow x_domain self:x_resource { read write }; + +tunable_policy(`! xserver_object_manager',` + # should be xserver_unconfined(x_domain), + # but typeattribute doesnt work in conditionals + + allow x_domain xserver_t:x_server *; + allow x_domain { x_domain rootwindow_t }:x_drawable *; + allow x_domain xserver_t:x_screen *; + allow x_domain x_domain:x_gc *; + allow x_domain { x_domain rootwindow_t }:x_colormap *; + allow x_domain xproperty_type:x_property *; + allow x_domain xselection_type:x_selection *; + allow x_domain x_domain:x_cursor *; + allow x_domain { x_domain remote_xclient_t }:x_client *; + allow x_domain { x_domain xserver_t }:x_device *; + allow x_domain xextension_type:x_extension *; + allow x_domain { x_domain xserver_t }:x_resource *; + allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') ######################################## @@ -496,35 +958,21 @@ optional_policy(` # Rules for unconfined access to this module # -allow xserver_unconfined_type x_server_domain:x_server *; -allow xserver_unconfined_type { x_domain rootwindow_type }:x_drawable *; -allow xserver_unconfined_type x_server_domain:x_screen *; +allow xserver_unconfined_type xserver_t:x_server *; +allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *; +allow xserver_unconfined_type xserver_t:x_screen *; allow xserver_unconfined_type x_domain:x_gc *; -allow xserver_unconfined_type { x_domain rootwindow_type }:x_colormap *; +allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *; allow xserver_unconfined_type xproperty_type:x_property *; allow xserver_unconfined_type xselection_type:x_selection *; allow xserver_unconfined_type x_domain:x_cursor *; allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *; -allow xserver_unconfined_type { x_domain x_server_domain }:x_device *; +allow xserver_unconfined_type { x_domain xserver_t }:x_device *; allow xserver_unconfined_type xextension_type:x_extension *; -allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *; +allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; ifdef(`TODO',` -# Need to further investigate these permissions and -# perhaps define derived types. -allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; -allow xdm_t var_lib_t:file { create write unlink }; - -# Do not audit attempts to write to index files under /usr -dontaudit xdm_t usr_t:file write; - -ifdef(`rhgb.te', ` -allow xdm_xserver_t ramfs_t:dir rw_dir_perms; -allow xdm_xserver_t ramfs_t:file manage_file_perms; -allow rhgb_t xdm_xserver_t:process signal; -') - tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp allow xdm_t polymember:dir { add_name remove_name write }; @@ -537,8 +985,4 @@ allow xdm_t polymember:file { create getattr write }; # Wants to delete .xsession-errors file # allow xdm_t user_home_type:file unlink; -# -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor -# -allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index 15458df..a663133 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -1,5 +1,5 @@ -policy_module(zebra, 1.8.0) +policy_module(zebra, 1.8.1) ######################################## # @@ -113,8 +113,7 @@ miscfiles_read_localization(zebra_t) sysnet_read_config(zebra_t) userdom_dontaudit_use_unpriv_user_fds(zebra_t) - -sysadm_dontaudit_search_home_dirs(zebra_t) +userdom_dontaudit_search_user_home_dirs(zebra_t) tunable_policy(`allow_zebra_write_config',` manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index cdda011..7fb4cfe 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1,156 +1,33 @@ ## Common policy for authentication and user login. -####################################### -## -## Common template to create a domain for authentication. -## -## -##

-## This template creates a derived domain which is allowed -## to authenticate users by using PAM unix_chkpwd support. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`authlogin_common_auth_domain_template',` - gen_require(` - attribute can_read_shadow_passwords; - type chkpwd_exec_t, shadow_t; - ') - - type $1_chkpwd_t, can_read_shadow_passwords; - application_domain($1_chkpwd_t,chkpwd_exec_t) - - allow $1_chkpwd_t self:capability { dac_override setuid }; - dontaudit $1_chkpwd_t self:capability sys_tty_config; - allow $1_chkpwd_t self:process getattr; - - files_list_etc($1_chkpwd_t) - allow $1_chkpwd_t shadow_t:file read_file_perms; - - # is_selinux_enabled - kernel_read_system_state($1_chkpwd_t) - - dev_read_rand($1_chkpwd_t) - dev_read_urand($1_chkpwd_t) - - files_read_etc_files($1_chkpwd_t) - # for nscd - files_dontaudit_search_var($1_chkpwd_t) - - fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) - - auth_use_nsswitch($1_chkpwd_t) - - logging_send_audit_msgs($1_chkpwd_t) - logging_send_syslog_msg($1_chkpwd_t) - - miscfiles_read_localization($1_chkpwd_t) - - seutil_read_config($1_chkpwd_t) - - optional_policy(` - kerberos_use($1_chkpwd_t) - ') -') - -####################################### +######################################## ## -## The per role template for the authlogin module. +## Role access for password authentication. ## -## -##

-## This template creates a derived domain which is allowed -## to authenticate users by using PAM unix_chkpwd support. -## This domain will be used by any programs running in the -## user domain which use PAM to authenticate. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## +## ## -## The type of the user domain. +## Role allowed access. ## ## -## +## ## -## The role associated with the user domain. +## Domain allowed access. ## ## # -template(`authlogin_per_role_template',` - +interface(`auth_role',` gen_require(` - type system_chkpwd_t, shadow_t; + type chkpwd_t, chkpwd_exec_t, shadow_t; ') - authlogin_common_auth_domain_template($1) - - role $3 types $1_chkpwd_t; - role $3 types system_chkpwd_t; - - dontaudit $2 shadow_t:file read_file_perms; + role $1 types chkpwd_t; # Transition from the user domain to this domain. - domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) - - domain_use_interactive_fds($1_chkpwd_t) + domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) - seutil_use_newrole_fds($1_chkpwd_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1,$1_chkpwd_t) -') - -######################################## -## -## Run unix_chkpwd to check a password -## for a user domain. -## -## -##

-## Run unix_chkpwd to check a password -## for a user domain. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`auth_domtrans_user_chk_passwd',` - gen_require(` - type $1_chkpwd_t, chkpwd_exec_t; - ') + ps_process_pattern($2, chkpwd_t) - corecmd_search_bin($2) - domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) + dontaudit $2 shadow_t:file read_file_perms; ') ######################################## @@ -319,11 +196,11 @@ interface(`auth_ranged_domtrans_login_program',` # interface(`auth_domtrans_chk_passwd',` gen_require(` - type system_chkpwd_t, chkpwd_exec_t, shadow_t; + type chkpwd_t, chkpwd_exec_t, shadow_t; ') corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) dontaudit $1 shadow_t:file { getattr read }; @@ -369,20 +246,14 @@ interface(`auth_domtrans_chk_passwd',` ## The role to allow the chkpwd domain. ## ## -## -## -## The type of the terminal allow the chkpwd domain to use. -## -## # interface(`auth_run_chk_passwd',` gen_require(` - type system_chkpwd_t; + type chkpwd_t; ') auth_domtrans_chk_passwd($1) - role $2 types system_chkpwd_t; - allow system_chkpwd_t $3:chr_file rw_file_perms; + role $2 types chkpwd_t; ') ######################################## @@ -419,11 +290,6 @@ interface(`auth_domtrans_upd_passwd',` ## The role to allow the updpwd domain. ## ## -## -## -## The type of the terminal allow the updpwd domain to use. -## -## # interface(`auth_run_upd_passwd',` gen_require(` @@ -432,7 +298,6 @@ interface(`auth_run_upd_passwd',` auth_domtrans_upd_passwd($1) role $2 types updpwd_t; - allow updpwd_t $3:chr_file rw_file_perms; ') ######################################## @@ -815,11 +680,6 @@ interface(`auth_signal_pam',` ## The role to allow the PAM domain. ## ## -## -## -## The type of the terminal allow the PAM domain to use. -## -## # interface(`auth_run_pam',` gen_require(` @@ -828,7 +688,6 @@ interface(`auth_run_pam',` auth_domtrans_pam($1) role $2 types pam_t; - allow pam_t $3:chr_file rw_file_perms; ') ######################################## @@ -1228,11 +1087,6 @@ interface(`auth_domtrans_utempter',` ## The role to allow the utempter domain. ## ## -## -## -## The type of the terminal allow the utempter domain to use. -## -## # interface(`auth_run_utempter',` gen_require(` @@ -1241,7 +1095,6 @@ interface(`auth_run_utempter',` auth_domtrans_utempter($1) role $2 types utempter_t; - allow utempter_t $3:chr_file rw_file_perms; ') ####################################### diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index b4c998f..0f02b4f 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin, 1.11.1) +policy_module(authlogin, 2.0.0) ######################################## # @@ -10,8 +10,12 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; +type chkpwd_t, can_read_shadow_passwords; type chkpwd_exec_t; -application_executable_file(chkpwd_exec_t) +typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; +typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; +application_domain(chkpwd_t, chkpwd_exec_t) +role system_r types chkpwd_t; type faillog_t; logging_log_file(faillog_t) @@ -69,9 +73,56 @@ files_type(var_auth_t) type wtmp_t; logging_log_file(wtmp_t) -# reorder to work around require-then-decare bug -authlogin_common_auth_domain_template(system) -role system_r types system_chkpwd_t; +######################################## +# +# Check password local policy +# + +allow chkpwd_t self:capability { dac_override setuid }; +dontaudit chkpwd_t self:capability sys_tty_config; +allow chkpwd_t self:process getattr; + +allow chkpwd_t shadow_t:file read_file_perms; +files_list_etc(chkpwd_t) + +# is_selinux_enabled +kernel_read_system_state(chkpwd_t) + +domain_dontaudit_use_interactive_fds(chkpwd_t) + +dev_read_rand(chkpwd_t) +dev_read_urand(chkpwd_t) + +files_read_etc_files(chkpwd_t) +# for nscd +files_dontaudit_search_var(chkpwd_t) + +fs_dontaudit_getattr_xattr_fs(chkpwd_t) + +term_dontaudit_use_unallocated_ttys(chkpwd_t) +term_dontaudit_use_generic_ptys(chkpwd_t) + +auth_use_nsswitch(chkpwd_t) + +logging_send_audit_msgs(chkpwd_t) +logging_send_syslog_msg(chkpwd_t) + +miscfiles_read_localization(chkpwd_t) + +seutil_read_config(chkpwd_t) +seutil_dontaudit_use_newrole_fds(chkpwd_t) + +userdom_use_user_terminals(chkpwd_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(chkpwd_t) + ') +') + +optional_policy(` + kerberos_use(chkpwd_t) +') ######################################## # @@ -117,8 +168,6 @@ files_read_etc_files(pam_t) logging_send_syslog_msg(pam_t) -userdom_use_unpriv_users_fds(pam_t) - ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) @@ -254,31 +303,6 @@ optional_policy(` ######################################## # -# System check password local policy -# - -allow system_chkpwd_t shadow_t:file read_file_perms; - -corecmd_search_bin(system_chkpwd_t) - -domain_dontaudit_use_interactive_fds(system_chkpwd_t) - -term_dontaudit_use_unallocated_ttys(system_chkpwd_t) -term_dontaudit_use_generic_ptys(system_chkpwd_t) - -userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) -userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) - -sysadm_dontaudit_use_terms(system_chkpwd_t) - -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(system_chkpwd_t) - ') -') - -######################################## -# # updpwd local policy # @@ -292,7 +316,6 @@ kernel_read_system_state(updpwd_t) files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) -term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) auth_manage_shadow(updpwd_t) @@ -302,6 +325,8 @@ logging_send_syslog_msg(updpwd_t) miscfiles_read_localization(updpwd_t) +userdom_use_user_terminals(updpwd_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(updpwd_t) @@ -334,8 +359,9 @@ domain_use_interactive_fds(utempter_t) logging_search_logs(utempter_t) +userdom_use_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* -userdom_write_unpriv_users_tmp_files(utempter_t) +userdom_write_user_tmp_files(utempter_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -348,11 +374,6 @@ optional_policy(` ') optional_policy(` - # Allow utemper to write to /tmp/.xses-* - unconfined_write_tmp_files(utempter_t) -') - -optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if index 29397af..f76522e 100644 --- a/policy/modules/system/clock.if +++ b/policy/modules/system/clock.if @@ -33,11 +33,6 @@ interface(`clock_domtrans',` ## The role to be allowed the clock domain. ## ## -## -## -## The type of the terminal allow the clock domain to use. -## -## ## # interface(`clock_run',` @@ -47,7 +42,6 @@ interface(`clock_run',` clock_domtrans($1) role $2 types hwclock_t; - allow hwclock_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index 6f74901..4a97136 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -1,5 +1,5 @@ -policy_module(clock,1.5.0) +policy_module(clock, 1.5.1) ######################################## # diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index e529bd6..732b54a 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -34,11 +34,6 @@ interface(`fstools_domtrans',` ## The role to be allowed the fs tools domain. ## ## -## -## -## The type of the terminal allow the fs tools domain to use. -## -## ## # interface(`fstools_run',` @@ -48,7 +43,6 @@ interface(`fstools_run',` fstools_domtrans($1) role $2 types fsadm_t; - allow fsadm_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 2f58907..14282bb 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools, 1.11.0) +policy_module(fstools, 1.11.1) ######################################## # @@ -150,6 +150,7 @@ modutils_read_module_config(fsadm_t) seutil_read_config(fsadm_t) +userdom_use_user_terminals(fsadm_t) userdom_use_unpriv_users_fds(fsadm_t) tunable_policy(`read_default_t',` diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if index 7910037..1ce151a 100644 --- a/policy/modules/system/hostname.if +++ b/policy/modules/system/hostname.if @@ -34,11 +34,6 @@ interface(`hostname_domtrans',` ## The role to be allowed the hostname domain. ## ## -## -## -## The type of the terminal allow the hostname domain to use. -## -## # interface(`hostname_run',` gen_require(` @@ -47,7 +42,6 @@ interface(`hostname_run',` hostname_domtrans($1) role $2 types hostname_t; - allow hostname_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index d043c9b..c5dca1c 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -1,5 +1,5 @@ -policy_module(hostname,1.5.0) +policy_module(hostname, 1.5.1) ######################################## # diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index a1511c4..f7c2d4c 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -1,5 +1,5 @@ -policy_module(hotplug, 1.10.0) +policy_module(hotplug, 1.10.1) ######################################## # @@ -112,8 +112,7 @@ seutil_dontaudit_search_config(hotplug_t) sysnet_read_config(hotplug_t) userdom_dontaudit_use_unpriv_user_fds(hotplug_t) - -sysadm_dontaudit_search_home_dirs(hotplug_t) +userdom_dontaudit_search_user_home_dirs(hotplug_t) ifdef(`distro_redhat', ` optional_policy(` @@ -130,7 +129,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(hotplug,hotplug_t) + dbus_system_bus_client(hotplug_t) ') optional_policy(` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index d6f0c52..150a28e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -190,6 +190,8 @@ interface(`init_daemon_domain',` typeattribute $1 direct_init; typeattribute $2 direct_init_entry; + + userdom_dontaudit_use_user_terminals($1) ') ifdef(`hide_broken_symptoms',` @@ -739,11 +741,6 @@ interface(`init_labeled_script_domtrans',` ## The role to be performing this action. ## ## -## -## -## The type of the terminal of the user. -## -## # interface(`init_run_daemon',` gen_require(` @@ -753,7 +750,6 @@ interface(`init_run_daemon',` typeattribute $1 direct_run_init; role_transition $2 direct_init_entry system_r; - dontaudit direct_init $3:chr_file rw_file_perms; ') ######################################## @@ -1474,6 +1470,25 @@ interface(`init_manage_utmp',` ######################################## ## +## Create files in /var/run with the +## utmp file type. +## +## +## +## Domain access allowed. +## +## +# +interface(`init_pid_filetrans_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_pid_filetrans($1, initrc_var_run_t, file) +') + +######################################## +## ## Allow the specified domain to connect to daemon with a tcp socket ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f0035b7..d3788e1 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init, 1.12.0) +policy_module(init, 1.12.1) gen_require(` class passwd rootok; @@ -382,12 +382,11 @@ modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) -userdom_read_all_users_home_content_files(initrc_t) - +userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. -sysadm_use_terms(initrc_t) +userdom_use_user_terminals(initrc_t) ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) @@ -567,7 +566,7 @@ optional_policy(` optional_policy(` dbus_connect_system_bus(initrc_t) - dbus_system_bus_client_template(initrc,initrc_t) + dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) optional_policy(` diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index e082a55..27cacf5 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -219,11 +219,6 @@ interface(`ipsec_domtrans_setkey',` ## The role to be allowed the racoon and setkey domains. ## ## -## -## -## The type of the terminal allow the racoon and setkey domains to use. -## -## ## # interface(`ipsec_run_setkey',` @@ -233,5 +228,4 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; - allow setkey_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index b7a6b0e..8ccedbe 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,5 +1,5 @@ -policy_module(ipsec, 1.8.0) +policy_module(ipsec, 1.8.1) ######################################## # @@ -134,8 +134,7 @@ miscfiles_read_localization(ipsec_t) sysnet_read_config(ipsec_t) userdom_dontaudit_use_unpriv_user_fds(ipsec_t) - -sysadm_dontaudit_search_home_dirs(ipsec_t) +userdom_dontaudit_search_user_home_dirs(ipsec_t) optional_policy(` nis_use_ypbind(ipsec_t) @@ -250,7 +249,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) -sysadm_use_terms(ipsec_mgmt_t) +userdom_use_user_terminals(ipsec_mgmt_t) optional_policy(` consoletype_exec(ipsec_mgmt_t) @@ -348,3 +347,5 @@ locallogin_use_fds(setkey_t) miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) + +userdom_use_user_terminals(setkey_t) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index f05ae34..bab19d2 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -34,11 +34,6 @@ interface(`iptables_domtrans',` ## The role to be allowed the iptables domain. ## ## -## -## -## The type of the terminal allow the iptables domain to use. -## -## ## # interface(`iptables_run',` @@ -48,12 +43,11 @@ interface(`iptables_run',` iptables_domtrans($1) role $2 types iptables_t; - allow iptables_t $3:chr_file rw_term_perms; - sysnet_run_ifconfig(iptables_t, $2, $3) + sysnet_run_ifconfig(iptables_t, $2) optional_policy(` - modutils_run_insmod(iptables_t, $2, $3) + modutils_run_insmod(iptables_t, $2) ') ') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 937f2db..be4ce0f 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables, 1.7.0) +policy_module(iptables, 1.7.1) ######################################## # @@ -74,6 +74,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) +userdom_use_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) optional_policy(` diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index db3945a..7c9b27b 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -33,11 +33,6 @@ interface(`libs_domtrans_ldconfig',` ## The role to allow the ldconfig domain. ## ## -## -## -## The type of the terminal allow the ldconfig domain to use. -## -## ## # interface(`libs_run_ldconfig',` @@ -47,7 +42,6 @@ interface(`libs_run_ldconfig',` libs_domtrans_ldconfig($1) role $2 types ldconfig_t; - allow ldconfig_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 0e47455..794a424 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries, 2.3.0) +policy_module(libraries, 2.3.1) ######################################## # @@ -85,6 +85,7 @@ miscfiles_read_localization(ldconfig_t) logging_send_syslog_msg(ldconfig_t) +userdom_use_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 1e31efb..7a00ae1 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin, 1.8.0) +policy_module(locallogin, 1.8.1) ######################################## # @@ -131,7 +131,7 @@ miscfiles_read_localization(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) -userdom_search_all_users_home_content(local_login_t) +userdom_search_user_home_content(local_login_t) userdom_use_unpriv_users_fds(local_login_t) userdom_sigchld_all_users(local_login_t) userdom_create_all_users_keys(local_login_t) @@ -165,7 +165,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(local_login, local_login_t) + dbus_system_bus_client(local_login_t) consolekit_dbus_chat(local_login_t) ') @@ -238,11 +238,10 @@ auth_read_shadow(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) -staff_search_home_dirs(sulogin_t) +userdom_search_user_home_dirs(sulogin_t) +userdom_use_user_ptys(sulogin_t) sysadm_shell_domtrans(sulogin_t) -sysadm_use_ptys(sulogin_t) -sysadm_search_home_dirs(sulogin_t) # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4855a56..65004be 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -136,11 +136,6 @@ interface(`logging_domtrans_auditctl',` ## The role to be allowed the auditctl domain. ## ## -## -## -## The type of the terminal allow the auditctl domain to use. -## -## ## # interface(`logging_run_auditctl',` @@ -150,7 +145,6 @@ interface(`logging_run_auditctl',` logging_domtrans_auditctl($1) role $2 types auditctl_t; - allow auditctl_t $3:chr_file rw_term_perms; ') ######################################## @@ -186,11 +180,6 @@ interface(`logging_domtrans_auditd',` ## The role to be allowed the auditd domain. ## ## -## -## -## The type of the terminal allow the auditd domain to use. -## -## # interface(`logging_run_auditd',` gen_require(` @@ -199,7 +188,6 @@ interface(`logging_run_auditd',` logging_domtrans_auditd($1) role $2 types auditd_t; - allow auditd_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 6ec8c70..eddb18e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging, 1.12.0) +policy_module(logging, 1.12.1) ######################################## # @@ -188,9 +188,9 @@ seutil_dontaudit_read_config(auditd_t) sysnet_dns_name_resolve(auditd_t) +userdom_use_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) - -sysadm_dontaudit_search_home_dirs(auditd_t) +userdom_dontaudit_search_user_home_dirs(auditd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -305,7 +305,7 @@ miscfiles_read_localization(klogd_t) mls_file_read_all_levels(klogd_t) -sysadm_dontaudit_search_home_dirs(klogd_t) +userdom_dontaudit_search_user_home_dirs(klogd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -440,8 +440,7 @@ logging_send_syslog_msg(syslogd_t) miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) - -sysadm_dontaudit_search_home_dirs(syslogd_t) +userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index adfa5ae..170f742 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -33,11 +33,6 @@ interface(`lvm_domtrans',` ## The role to allow the LVM domain. ## ## -## -## -## The type of the terminal allow the LVM domain to use. -## -## ## # interface(`lvm_run',` @@ -47,7 +42,6 @@ interface(`lvm_run',` lvm_domtrans($1) role $2 types lvm_t; - allow lvm_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 29b0d9d..358a447 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm, 1.9.0) +policy_module(lvm, 1.9.1) ######################################## # @@ -114,8 +114,7 @@ seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) - -sysadm_dontaudit_search_home_dirs(clvmd_t) +userdom_dontaudit_search_user_home_dirs(clvmd_t) lvm_domtrans(clvmd_t) lvm_read_config(clvmd_t) @@ -241,9 +240,6 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) -term_getattr_all_user_ttys(lvm_t) -term_list_ptys(lvm_t) - corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) @@ -267,6 +263,8 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) +userdom_use_user_terminals(lvm_t) + ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 73b4e08..ce4ac17 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -141,11 +141,6 @@ interface(`modutils_domtrans_insmod',` ## The role to be allowed the insmod domain. ## ## -## -## -## The type of the terminal allow the insmod domain to use. -## -## ## # interface(`modutils_run_insmod',` @@ -155,7 +150,6 @@ interface(`modutils_run_insmod',` modutils_domtrans_insmod($1) role $2 types insmod_t; - allow insmod_t $3:chr_file rw_term_perms; ') ######################################## @@ -210,11 +204,6 @@ interface(`modutils_domtrans_depmod',` ## The role to be allowed the depmod domain. ## ## -## -## -## The type of the terminal allow the depmod domain to use. -## -## ## # interface(`modutils_run_depmod',` @@ -224,7 +213,6 @@ interface(`modutils_run_depmod',` modutils_domtrans_depmod($1) role $2 types depmod_t; - allow insmod_t $3:chr_file rw_term_perms; ') ######################################## @@ -279,11 +267,6 @@ interface(`modutils_domtrans_update_mods',` ## The role to be allowed the update_modules domain. ## ## -## -## -## The type of the terminal allow the update_modules domain to use. -## -## ## # interface(`modutils_run_update_mods',` @@ -293,9 +276,8 @@ interface(`modutils_run_update_mods',` modutils_domtrans_update_mods($1) role $2 types update_modules_t; - allow update_modules_t $3:chr_file rw_term_perms; - modutils_run_insmod(update_modules_t, $2, $3) + modutils_run_insmod(update_modules_t, $2) ') ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 53ff21b..1883186 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils, 1.8.0) +policy_module(modutils, 1.8.1) gen_require(` bool secure_mode_insmod; @@ -109,6 +109,8 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) +userdom_use_user_terminals(insmod_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(insmod_t) @@ -142,11 +144,11 @@ optional_policy(` rhgb_dontaudit_use_ptys(insmod_t) xserver_dontaudit_write_log(insmod_t) - xserver_stream_connect_xdm_xserver(insmod_t) - xserver_dontaudit_rw_xdm_stream_sockets(insmod_t) + xserver_stream_connect(insmod_t) + xserver_dontaudit_rw_stream_sockets(insmod_t) ifdef(`hide_broken_symptoms',` - xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t) + xserver_dontaudit_rw_tcp_sockets(insmod_t) ') ') @@ -200,10 +202,10 @@ files_read_etc_files(depmod_t) files_read_usr_src_files(depmod_t) files_list_usr(depmod_t) +userdom_use_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) -staff_read_home_content_files(depmod_t) -sysadm_read_home_content_files(depmod_t) +userdom_read_user_home_content_files(depmod_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -212,11 +214,6 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - # Read System.map from home directories. - unconfined_read_home_content_files(depmod_t) -') - -optional_policy(` rpm_rw_pipes(depmod_t) ') @@ -274,7 +271,8 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) -sysadm_dontaudit_search_home_dirs(update_modules_t) +userdom_use_user_terminals(update_modules_t) +userdom_dontaudit_search_user_home_dirs(update_modules_t) ifdef(`distro_gentoo',` files_search_pids(update_modules_t) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index f9717ce..805bef0 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -34,11 +34,6 @@ interface(`mount_domtrans',` ## The role to be allowed the mount domain. ## ## -## -## -## The type of the terminal allow the mount domain to use. -## -## ## # interface(`mount_run',` @@ -48,10 +43,9 @@ interface(`mount_run',` mount_domtrans($1) role $2 types mount_t; - allow mount_t $3:chr_file rw_file_perms; optional_policy(` - samba_run_smbmount($1, $2, $3) + samba_run_smbmount($1, $2) ') ') @@ -155,11 +149,6 @@ interface(`mount_domtrans_unconfined',` ## The role to be allowed the unconfined mount domain. ## ## -## -## -## The type of the terminal allow the unconfined mount domain to use. -## -## ## # interface(`mount_run_unconfined',` @@ -169,5 +158,4 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; - allow unconfined_mount_t $3:chr_file rw_file_perms; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 0089812..04a2293 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.9.0) +policy_module(mount, 1.9.1) ######################################## # diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if index 7c48ce5..1c9b8f5 100644 --- a/policy/modules/system/netlabel.if +++ b/policy/modules/system/netlabel.if @@ -34,11 +34,6 @@ interface(`netlabel_domtrans_mgmt',` ## The role to be allowed the netlabel_mgmt domain. ## ## -## -## -## The type of the terminal allow the netlabel_mgmt domain to use. -## -## ## # interface(`netlabel_run_mgmt',` @@ -48,5 +43,4 @@ interface(`netlabel_run_mgmt',` netlabel_domtrans_mgmt($1) role $2 types netlabel_mgmt_t; - allow netlabel_mgmt_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te index 59562b0..86d7eaa 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -1,5 +1,5 @@ -policy_module(netlabel, 1.2.0) +policy_module(netlabel, 1.2.1) ######################################## # @@ -25,3 +25,5 @@ kernel_read_network_state(netlabel_mgmt_t) files_read_etc_files(netlabel_mgmt_t) seutil_use_newrole_fds(netlabel_mgmt_t) + +userdom_use_user_terminals(netlabel_mgmt_t) diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if index 5724365..5f63c3a 100644 --- a/policy/modules/system/pcmcia.if +++ b/policy/modules/system/pcmcia.if @@ -85,11 +85,6 @@ interface(`pcmcia_domtrans_cardctl',` ## The role to be allowed the cardmgr domain. ## ## -## -## -## The type of the terminal allow the cardmgr domain to use. -## -## ## # interface(`pcmcia_run_cardctl',` @@ -99,7 +94,6 @@ interface(`pcmcia_run_cardctl',` pcmcia_domtrans_cardctl($1) role $2 types cardmgr_t; - allow cardmgr_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te index 77da11e..aaf441e 100644 --- a/policy/modules/system/pcmcia.te +++ b/policy/modules/system/pcmcia.te @@ -1,5 +1,5 @@ -policy_module(pcmcia, 1.5.0) +policy_module(pcmcia, 1.5.1) ######################################## # @@ -107,9 +107,9 @@ sysnet_domtrans_ifconfig(cardmgr_t) sysnet_etc_filetrans_config(cardmgr_t) sysnet_manage_config(cardmgr_t) +userdom_use_user_terminals(cardmgr_t) userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) - -sysadm_dontaudit_search_home_dirs(cardmgr_t) +userdom_dontaudit_search_user_home_dirs(cardmgr_t) optional_policy(` seutil_dontaudit_read_config(cardmgr_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 7556f02..a6a6531 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -1,5 +1,5 @@ -policy_module(raid, 1.7.0) +policy_module(raid, 1.7.1) ######################################## # @@ -66,12 +66,11 @@ logging_send_syslog_msg(mdadm_t) miscfiles_read_localization(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) -userdom_dontaudit_search_all_users_home_content(mdadm_t) +userdom_dontaudit_search_user_home_content(mdadm_t) +userdom_dontaudit_use_user_terminals(mdadm_t) mta_send_mail(mdadm_t) -sysadm_dontaudit_use_ttys(mdadm_t) - optional_policy(` gpm_dontaudit_getattr_gpmctl(mdadm_t) ') diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 7364a6e..a8edd1f 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -36,11 +36,6 @@ interface(`seutil_domtrans_checkpolicy',` ## The role to be allowed the checkpolicy domain. ## ## -## -## -## The type of the terminal allow the checkpolicy domain to use. -## -## ## # interface(`seutil_run_checkpolicy',` @@ -50,7 +45,6 @@ interface(`seutil_run_checkpolicy',` seutil_domtrans_checkpolicy($1) role $2 types checkpolicy_t; - allow checkpolicy_t $3:chr_file rw_term_perms; ') ######################################## @@ -109,11 +103,6 @@ interface(`seutil_domtrans_loadpolicy',` ## The role to be allowed the load_policy domain. ## ## -## -## -## The type of the terminal allow the load_policy domain to use. -## -## ## # interface(`seutil_run_loadpolicy',` @@ -123,7 +112,6 @@ interface(`seutil_run_loadpolicy',` seutil_domtrans_loadpolicy($1) role $2 types load_policy_t; - allow load_policy_t $3:chr_file rw_term_perms; ') ######################################## @@ -166,7 +154,7 @@ interface(`seutil_read_loadpolicy',` ####################################### ## -## Execute newrole in the load_policy domain. +## Execute newrole in the newole domain. ## ## ## @@ -200,11 +188,6 @@ interface(`seutil_domtrans_newrole',` ## The role to be allowed the newrole domain. ## ## -## -## -## The type of the terminal allow the newrole domain to use. -## -## ## # interface(`seutil_run_newrole',` @@ -214,9 +197,8 @@ interface(`seutil_run_newrole',` seutil_domtrans_newrole($1) role $2 types newrole_t; - allow newrole_t $3:chr_file rw_term_perms; - auth_run_upd_passwd(newrole_t, $2, $3) + auth_run_upd_passwd(newrole_t, $2) ') ######################################## @@ -294,6 +276,25 @@ interface(`seutil_use_newrole_fds',` allow $1 newrole_t:fd use; ') +######################################## +## +## Do not audit attempts to inherit and use +## newrole file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`seutil_dontaudit_use_newrole_fds',` + gen_require(` + type newrole_t; + ') + + dontaudit $1 newrole_t:fd use; +') + ####################################### ## ## Execute restorecon in the restorecon domain. (Deprecated) @@ -325,16 +326,11 @@ interface(`seutil_domtrans_restorecon',` ## The role to be allowed the restorecon domain. ## ## -## -## -## The type of the terminal allow the restorecon domain to use. -## -## ## # interface(`seutil_run_restorecon',` refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.') - seutil_run_setfiles($1,$2,$3) + seutil_run_setfiles($1,$2) ') ######################################## @@ -417,11 +413,6 @@ interface(`seutil_init_script_domtrans_runinit',` ## The role to be allowed the run_init domain. ## ## -## -## -## The type of the terminal allow the run_init domain to use. -## -## ## # interface(`seutil_run_runinit',` @@ -430,10 +421,10 @@ interface(`seutil_run_runinit',` role system_r; ') - auth_run_chk_passwd(run_init_t, $2, $3) + auth_run_chk_passwd(run_init_t, $2) seutil_domtrans_runinit($1) role $2 types run_init_t; - allow run_init_t $3:chr_file rw_term_perms; + allow $2 system_r; ') @@ -463,11 +454,6 @@ interface(`seutil_run_runinit',` ## The role to be allowed the run_init domain. ## ## -## -## -## The type of the terminal allow the run_init domain to use. -## -## # interface(`seutil_init_script_run_runinit',` gen_require(` @@ -475,10 +461,10 @@ interface(`seutil_init_script_run_runinit',` role system_r; ') - auth_run_chk_passwd(run_init_t, $2, $3) + auth_run_chk_passwd(run_init_t, $2) seutil_init_script_domtrans_runinit($1) role $2 types run_init_t; - allow run_init_t $3:chr_file rw_term_perms; + allow $2 system_r; ') @@ -536,11 +522,6 @@ interface(`seutil_domtrans_setfiles',` ## The role to be allowed the setfiles domain. ## ## -## -## -## The type of the terminal allow the setfiles domain to use. -## -## ## # interface(`seutil_run_setfiles',` @@ -550,7 +531,6 @@ interface(`seutil_run_setfiles',` seutil_domtrans_setfiles($1) role $2 types setfiles_t; - allow setfiles_t $3:chr_file rw_term_perms; ') ######################################## @@ -1033,11 +1013,6 @@ interface(`seutil_domtrans_semanage',` ## The role to be allowed the checkpolicy domain. ## ## -## -## -## The type of the terminal allow the semanage domain to use. -## -## ## # interface(`seutil_run_semanage',` @@ -1046,10 +1021,9 @@ interface(`seutil_run_semanage',` ') seutil_domtrans_semanage($1) - seutil_run_setfiles(semanage_t, $2, $3) - seutil_run_loadpolicy(semanage_t, $2, $3) + seutil_run_setfiles(semanage_t, $2) + seutil_run_loadpolicy(semanage_t, $2) role $2 types semanage_t; - allow semanage_t $3:chr_file rw_term_perms; ') ######################################## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index dbbfadd..49e789f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil, 1.11.1) +policy_module(selinuxutil, 1.11.2) gen_require(` bool secure_mode; @@ -140,6 +140,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) +userdom_use_user_terminals(checkpolicy_t) userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` @@ -181,6 +182,7 @@ miscfiles_read_localization(load_policy_t) seutil_libselinux_linked(load_policy_t) +userdom_use_user_terminals(load_policy_t) userdom_use_all_users_fds(load_policy_t) ifdef(`distro_ubuntu',` @@ -274,10 +276,9 @@ miscfiles_read_localization(newrole_t) seutil_libselinux_linked(newrole_t) -userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd -userdom_dontaudit_search_all_users_home_content(newrole_t) -userdom_search_all_users_home_dirs(newrole_t) +userdom_dontaudit_search_user_home_content(newrole_t) +userdom_search_user_home_dirs(newrole_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -380,8 +381,6 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) -term_dontaudit_list_ptys(run_init_t) - auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) @@ -398,6 +397,8 @@ miscfiles_read_localization(run_init_t) seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) +userdom_use_user_terminals(run_init_t) + ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` # Gentoo integrated run_init: @@ -494,13 +495,8 @@ ifdef(`enable_mls',` # read secadm tmp files ',` # Handle pp files created in homedir and /tmp - sysadm_read_home_content_files(semanage_t) - sysadm_read_tmp_files(semanage_t) - - optional_policy(` - unconfined_read_home_content_files(semanage_t) - unconfined_read_tmp_files(semanage_t) - ') + userdom_read_user_home_content_files(semanage_t) + userdom_read_user_tmp_files(semanage_t) ') ######################################## @@ -574,7 +570,7 @@ seutil_libselinux_linked(setfiles_t) userdom_use_all_users_fds(setfiles_t) # for config files in a home directory -userdom_read_all_users_home_content_files(setfiles_t) +userdom_read_user_home_content_files(setfiles_t) ifdef(`distro_debian',` # udev tmpfs is populated with static device nodes diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 57a33a7..21864b9 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -34,11 +34,6 @@ interface(`sysnet_domtrans_dhcpc',` ## The role to be allowed the clock domain. ## ## -## -## -## The type of the terminal allow the clock domain to use. -## -## ## # interface(`sysnet_run_dhcpc',` @@ -48,7 +43,6 @@ interface(`sysnet_run_dhcpc',` sysnet_domtrans_dhcpc($1) role $2 types dhcpc_t; - allow dhcpc_t $3:chr_file rw_term_perms; ') ######################################## @@ -404,11 +398,6 @@ interface(`sysnet_domtrans_ifconfig',` ## The role to be allowed the ifconfig domain. ## ## -## -## -## The type of the terminal allow the ifconfig domain to use. -## -## ## # interface(`sysnet_run_ifconfig',` @@ -419,7 +408,6 @@ interface(`sysnet_run_ifconfig',` corecmd_search_bin($1) sysnet_domtrans_ifconfig($1) role $2 types ifconfig_t; - allow ifconfig_t $3:chr_file rw_term_perms; ') ####################################### diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 06ef1ab..db38b3c 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,5 +1,5 @@ -policy_module(sysnetwork, 1.8.0) +policy_module(sysnetwork, 1.8.1) ######################################## # @@ -132,7 +132,8 @@ miscfiles_read_localization(dhcpc_t) modutils_domtrans_insmod(dhcpc_t) -staff_dontaudit_search_home_dirs(dhcpc_t) +userdom_use_user_terminals(dhcpc_t) +userdom_dontaudit_search_user_home_dirs(dhcpc_t) ifdef(`distro_redhat', ` files_exec_etc_files(dhcpc_t) @@ -151,7 +152,7 @@ optional_policy(` optional_policy(` init_dbus_chat_script(dhcpc_t) - dbus_system_bus_client_template(dhcpc,dhcpc_t) + dbus_system_bus_client(dhcpc_t) dbus_connect_system_bus(dhcpc_t) optional_policy(` @@ -295,6 +296,7 @@ modutils_domtrans_insmod(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) +userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index b6506e6..9bd5d7f 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.9.0) +policy_module(udev, 1.9.1) ######################################## # @@ -160,7 +160,7 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) -userdom_dontaudit_search_all_users_home_content(udev_t) +userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` # during boot, init scripts use /dev/.rcsysinit @@ -198,7 +198,7 @@ optional_policy(` ') optional_policy(` - dbus_system_bus_client_template(udev,udev_t) + dbus_system_bus_client(udev_t) ') optional_policy(` diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index cb43eb1..2d4c440 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -205,11 +205,6 @@ interface(`unconfined_domtrans',` ## The role to allow the unconfined domain. ## ## -## -## -## The type of the terminal allow the unconfined domain to use. -## -## # interface(`unconfined_run',` gen_require(` @@ -218,7 +213,6 @@ interface(`unconfined_run',` unconfined_domtrans($1) role $2 types unconfined_t; - allow unconfined_t $3:chr_file rw_term_perms; ') ######################################## @@ -308,13 +302,13 @@ interface(`unconfined_domtrans_to',` # interface(`unconfined_run_to',` gen_require(` - type unconfined_t, unconfined_devpts_t, unconfined_tty_device_t; + type unconfined_t; role unconfined_r; ') domtrans_pattern(unconfined_t,$2,$1) role unconfined_r types $1; - allow $1 { unconfined_devpts_t unconfined_tty_device_t }:chr_file rw_term_perms; + userdom_use_user_terminals($1) ') ######################################## @@ -587,63 +581,3 @@ interface(`unconfined_dbus_connect',` allow $1 unconfined_t:dbus acquire_svc; ') - -######################################## -## -## Read files in unconfined users home directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_home_content_files',` - gen_require(` - type unconfined_home_dir_t, unconfined_home_t; - ') - - files_search_home($1) - allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; - read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) - read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) -') - -######################################## -## -## Read unconfined users temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_tmp_files',` - gen_require(` - type unconfined_tmp_t; - ') - - files_search_tmp($1) - allow $1 unconfined_tmp_t:dir list_dir_perms; - read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) - read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) -') - -######################################## -## -## Write unconfined users temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_write_tmp_files',` - gen_require(` - type unconfined_tmp_t; - ') - - allow $1 unconfined_tmp_t:file write_file_perms; -') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 1c98875..0f2cfb6 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined, 2.4.0) +policy_module(unconfined, 3.0.0) ######################################## # @@ -10,9 +10,9 @@ policy_module(unconfined, 2.4.0) # calls is not correct, however we dont currently # have another method to add access to these types userdom_base_user_template(unconfined) -userdom_manage_home_template(unconfined) -userdom_manage_tmp_template(unconfined) -userdom_manage_tmpfs_template(unconfined) +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) @@ -34,25 +34,25 @@ files_create_boot_flag(unconfined_t) mcs_killall(unconfined_t) mcs_ptrace_all(unconfined_t) -init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +init_run_daemon(unconfined_t, unconfined_r) -libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +libs_run_ldconfig(unconfined_t, unconfined_r) logging_send_syslog_msg(unconfined_t) -logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +logging_run_auditctl(unconfined_t, unconfined_r) -mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +mount_run_unconfined(unconfined_t, unconfined_r) -seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +seutil_run_setfiles(unconfined_t, unconfined_r) +seutil_run_semanage(unconfined_t, unconfined_r) unconfined_domain(unconfined_t) -userdom_priveleged_home_dir_manager(unconfined_t) +userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) + seutil_run_runinit(unconfined_t, unconfined_r) + seutil_init_script_run_runinit(unconfined_t, unconfined_r) ') optional_policy(` @@ -60,24 +60,20 @@ optional_policy(` ') optional_policy(` - apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - apache_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: - unconfined_domain(httpd_unconfined_script_t) + apache_run_helper(unconfined_t, unconfined_r) + apache_role(unconfined_r, unconfined_t) ') optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + bind_run_ndc(unconfined_t, unconfined_r) ') optional_policy(` - bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + bootloader_run(unconfined_t, unconfined_r) ') optional_policy(` - cron_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: - unconfined_domain(unconfined_crond_t) + cron_unconfined_role(unconfined_r, unconfined_t) ') optional_policy(` @@ -115,11 +111,11 @@ optional_policy(` ') optional_policy(` - firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + firstboot_run(unconfined_t, unconfined_r) ') optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ftp_run_ftpdctl(unconfined_t, unconfined_r) ') optional_policy(` @@ -127,15 +123,15 @@ optional_policy(` ') optional_policy(` - java_domtrans(unconfined_t) + java_domtrans_unconfined(unconfined_t) ') optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + lpd_run_checkpc(unconfined_t, unconfined_r) ') optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + modutils_run_update_mods(unconfined_t, unconfined_r) ') optional_policy(` @@ -143,7 +139,7 @@ optional_policy(` ') optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) + mta_role(unconfined_r, unconfined_t) ') optional_policy(` @@ -151,26 +147,21 @@ optional_policy(` ') optional_policy(` - prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + prelink_run(unconfined_t, unconfined_r) ') optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + portmap_run_helper(unconfined_t, unconfined_r) ') optional_policy(` - postfix_per_role_template(unconfined, unconfined_t, unconfined_r) - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + postfix_run_map(unconfined_t, unconfined_r) # cjp: this should probably be removed: postfix_domtrans_master(unconfined_t) ') optional_policy(` - pyzor_per_role_template(unconfined) -') - -optional_policy(` - qmail_per_role_template(unconfined, unconfined_t, unconfined_r) + pyzor_role(unconfined_r, unconfined_t) ') optional_policy(` @@ -179,38 +170,37 @@ optional_policy(` ') optional_policy(` - rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + rpm_run(unconfined_t, unconfined_r) ') optional_policy(` - samba_per_role_template(unconfined) - samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_net(unconfined_t, unconfined_r) + samba_run_winbind_helper(unconfined_t, unconfined_r) ') optional_policy(` - spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) + spamassassin_role(unconfined_r, unconfined_t) ') optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + sysnet_run_dhcpc(unconfined_t, unconfined_r) sysnet_dbus_chat_dhcpc(unconfined_t) ') optional_policy(` - tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + tzdata_run(unconfined_t, unconfined_r) ') optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + usermanage_run_admin_passwd(unconfined_t, unconfined_r) ') optional_policy(` - vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + vpn_run(unconfined_t, unconfined_r) ') optional_policy(` - webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + webalizer_run(unconfined_t, unconfined_r) ') optional_policy(` @@ -218,7 +208,7 @@ optional_policy(` ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) + xserver_domtrans(unconfined_t) ') ######################################## diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index ebb37c5..db75976 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,4 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) +HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) -/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index d546c89..4cb0867 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -25,6 +25,7 @@ template(`userdom_base_user_template',` gen_require(` attribute userdomain; + type user_devpts_t, user_tty_device_t; class context contains; ') @@ -35,15 +36,13 @@ template(`userdom_base_user_template',` corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) + ubac_constrained($1_t) role $1_r types $1_t; allow system_r $1_r; - type $1_devpts_t; - term_user_pty($1_t,$1_devpts_t) - files_type($1_devpts_t) + term_user_pty($1_t, user_devpts_t) - type $1_tty_device_t; - term_user_tty($1_t,$1_tty_device_t) + term_user_tty($1_t, user_tty_device_t) allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; allow $1_t self:fd use; @@ -57,10 +56,13 @@ template(`userdom_base_user_template',` allow $1_t self:context contains; dontaudit $1_t self:socket create; - allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_t,$1_devpts_t) + allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; + # avoid annoying messages on terminal hangup on role change + dontaudit $1_t user_devpts_t:chr_file ioctl; - allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; + allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + # avoid annoying messages on terminal hangup on role change + dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) kernel_dontaudit_list_unlabeled($1_t) @@ -117,402 +119,250 @@ template(`userdom_base_user_template',` ####################################### ## -## The template for creating a home directory -## that the user has read-only access. +## Allow a home directory for which the +## role has read-only access. ## ## ##

-## The template for creating a home directory -## that the user has read-only access. +## Allow a home directory for which the +## role has read-only access. ##

##

## This does not allow execute access. ##

##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The user role +## +## +## +## +## The user domain ## ## ## # -template(`userdom_ro_home_template',` +interface(`userdom_ro_home_role',` gen_require(` - attribute home_type, home_dir_type, $1_file_type; + type user_home_t, user_home_dir_t; ') - # type for contents of home directory - type $1_home_t, $1_file_type, home_type; - files_type($1_home_t) - files_associate_tmp($1_home_t) - fs_associate_tmpfs($1_home_t) - files_mountpoint($1_home_t) - - # type of home directory - type $1_home_dir_t, home_dir_type, home_type; - files_type($1_home_dir_t) - files_mountpoint($1_home_dir_t) - files_associate_tmp($1_home_dir_t) - fs_associate_tmpfs($1_home_dir_t) - files_poly_member($1_home_dir_t) - - ############################## - # - # User home directory file rules - # - - allow $1_file_type $1_home_t:filesystem associate; - - # Rules used to associate a homedir as a mountpoint - allow $1_home_t self:filesystem associate; + role $1 types { user_home_t user_home_dir_t }; ############################## # # Domain access to home dir # + type_member $2 user_home_dir_t:dir user_home_dir_t; + # read-only home directory - allow $1_t $1_home_dir_t:dir list_dir_perms; - allow $1_t $1_home_t:dir list_dir_perms; - allow $1_t $1_home_t:file entrypoint; - read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - files_list_home($1_t) + allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_t:dir list_dir_perms; + allow $2 user_home_t:file entrypoint; + read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + files_list_home($2) tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($1_t) - fs_read_nfs_files($1_t) - fs_read_nfs_symlinks($1_t) - fs_read_nfs_named_sockets($1_t) - fs_read_nfs_named_pipes($1_t) + fs_list_nfs($2) + fs_read_nfs_files($2) + fs_read_nfs_symlinks($2) + fs_read_nfs_named_sockets($2) + fs_read_nfs_named_pipes($2) ',` - fs_dontaudit_list_nfs($1_t) - fs_dontaudit_read_nfs_files($1_t) + fs_dontaudit_list_nfs($2) + fs_dontaudit_read_nfs_files($2) ') tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($1_t) - fs_read_cifs_files($1_t) - fs_read_cifs_symlinks($1_t) - fs_read_cifs_named_sockets($1_t) - fs_read_cifs_named_pipes($1_t) + fs_list_cifs($2) + fs_read_cifs_files($2) + fs_read_cifs_symlinks($2) + fs_read_cifs_named_sockets($2) + fs_read_cifs_named_pipes($2) ',` - fs_dontaudit_list_cifs($1_t) - fs_dontaudit_read_cifs_files($1_t) + fs_dontaudit_list_cifs($2) + fs_dontaudit_read_cifs_files($2) ') ') ####################################### ## -## The template for creating a home directory -## that the user has full access. +## Allow a home directory for which the +## role has full access. ## ## ##

-## The template for creating a home directory -## that the user has full access. +## Allow a home directory for which the +## role has full access. ##

##

## This does not allow execute access. ##

##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The user role +## +## +## +## +## The user domain ## ## ## # -template(`userdom_manage_home_template',` +interface(`userdom_manage_home_role',` gen_require(` - attribute home_type, home_dir_type, $1_file_type; + type user_home_t, user_home_dir_t; ') - # type for contents of home directory - type $1_home_t, $1_file_type, home_type; - files_type($1_home_t) - files_associate_tmp($1_home_t) - fs_associate_tmpfs($1_home_t) - - # type of home directory - type $1_home_dir_t, home_dir_type, home_type; - files_type($1_home_dir_t) - files_associate_tmp($1_home_dir_t) - fs_associate_tmpfs($1_home_dir_t) - - ############################## - # - # User home directory file rules - # - - allow $1_file_type $1_home_t:filesystem associate; - - # Rules used to associate a homedir as a mountpoint - allow $1_home_t self:filesystem associate; + role $1 types { user_home_t user_home_dir_t }; ############################## # # Domain access to home dir # + type_member $2 user_home_dir_t:dir user_home_dir_t; + # full control of the home directory - allow $1_t $1_home_t:file entrypoint; - manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) - files_list_home($1_t) + allow $2 user_home_t:file entrypoint; + manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + files_list_home($2) # cjp: this should probably be removed: - allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_t) - fs_manage_nfs_files($1_t) - fs_manage_nfs_symlinks($1_t) - fs_manage_nfs_named_sockets($1_t) - fs_manage_nfs_named_pipes($1_t) + fs_manage_nfs_dirs($2) + fs_manage_nfs_files($2) + fs_manage_nfs_symlinks($2) + fs_manage_nfs_named_sockets($2) + fs_manage_nfs_named_pipes($2) ',` - fs_dontaudit_manage_nfs_dirs($1_t) - fs_dontaudit_manage_nfs_files($1_t) + fs_dontaudit_manage_nfs_dirs($2) + fs_dontaudit_manage_nfs_files($2) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_t) - fs_manage_cifs_files($1_t) - fs_manage_cifs_symlinks($1_t) - fs_manage_cifs_named_sockets($1_t) - fs_manage_cifs_named_pipes($1_t) + fs_manage_cifs_dirs($2) + fs_manage_cifs_files($2) + fs_manage_cifs_symlinks($2) + fs_manage_cifs_named_sockets($2) + fs_manage_cifs_named_pipes($2) ',` - fs_dontaudit_manage_cifs_dirs($1_t) - fs_dontaudit_manage_cifs_files($1_t) + fs_dontaudit_manage_cifs_dirs($2) + fs_dontaudit_manage_cifs_files($2) ') ') ####################################### ## -## The template for allowing the user -## to execute files in their home directory. +## Manage user temporary files ## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_exec_home_template',` - can_exec($1_t,$1_home_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1_t) - ') -') - -####################################### -## -## The template for polyinstantiating -## a user home directory. -## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access. ## ## -## -# -template(`userdom_poly_home_template',` - type_member $1_t $1_home_dir_t:dir $1_home_dir_t; - files_poly($1_home_dir_t) - files_poly_parent($1_home_dir_t) - files_poly_parent($1_home_t) - files_poly_member($1_home_t) -') - -####################################### -## -## The template for full access to the temporary directories. -## -## -##

-## The template for full access to the temporary directories. -## This creates a derived type for the user -## temporary type. Execute access is not given. -##

-##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Domain allowed access. ## ## ## # -template(`userdom_manage_tmp_template',` +interface(`userdom_manage_tmp_role',` gen_require(` - attribute $1_file_type; + type user_tmp_t; ') - type $1_tmp_t, $1_file_type; - files_tmp_file($1_tmp_t) + role $1 types user_tmp_t; - manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) -') + files_poly_member_tmp($2, user_tmp_t) -####################################### -## -## The template for execute access to the user temporary files. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_exec_tmp_template',` - exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_dirs_pattern($2, user_tmp_t, user_tmp_t) + manage_files_pattern($2, user_tmp_t, user_tmp_t) + manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) + manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) + manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) + files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) ') ####################################### ## -## The template for a polyinstantiated temporary directory. +## The execute access user temporary files. ## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Domain allowed access. ## ## ## # -template(`userdom_poly_tmp_template',` - files_poly_member_tmp($1_t,tmp_t) +interface(`userdom_exec_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ####################################### ## -## The template for creating a tmpfs type +## Role access for the user tmpfs type ## that the user has full access. ## ## ##

-## The template for creating a tmpfs type +## Role access for the user tmpfs type ## that the user has full access. ##

##

## This does not allow execute access. ##

##
-## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Role allowed access. ## ## -## -# -template(`userdom_manage_tmpfs_template',` - gen_require(` - attribute $1_file_type; - ') - - type $1_tmpfs_t, $1_file_type; - files_tmpfs_file($1_tmpfs_t) - - manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -') - -####################################### -## -## The template for creating a set of types -## for untrusted content. -## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## Domain allowed access. ## ## -## +## # -template(`userdom_untrusted_content_template',` +interface(`userdom_manage_tmpfs_role',` gen_require(` - attribute $1_file_type; - attribute untrusted_content_type, untrusted_content_tmp_type; - type $1_t; - ') - - # types for network-obtained content - type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable - files_type($1_untrusted_content_t) - files_poly_member($1_untrusted_content_t) - - type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable - files_tmp_file($1_untrusted_content_tmp_t) - - # Allow user to relabel untrusted content - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabel_file_perms rename }; - - tunable_policy(`read_untrusted_content',` - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms; - read_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t }) - read_lnk_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t }) - ',` - dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms; - dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms; + type user_tmpfs_t; ') -') -####################################### -## -## The template allowing the user to execute -## generic programs, such as those found in /bin, -## /sbin, /usr/bin, and /usr/sbin. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# -template(`userdom_exec_generic_pgms_template',` - gen_require(` - type $1_t; - ') + role $1 types user_tmpfs_t; - corecmd_exec_bin($1_t) + manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ') ####################################### @@ -573,7 +423,7 @@ template(`userdom_basic_networking_template',` # template(`userdom_xwindows_client_template',` gen_require(` - type $1_t, $1_tmpfs_t; + type $1_t, user_tmpfs_t; ') dev_rw_xserver_misc($1_t) @@ -587,7 +437,7 @@ template(`userdom_xwindows_client_template',` # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) - xserver_user_client_template($1,$1_t,$1_tmpfs_t) + xserver_user_client($1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) xserver_dontaudit_write_log($1_t) xserver_stream_connect_xdm($1_t) @@ -613,46 +463,14 @@ template(`userdom_xwindows_client_template',` # template(`userdom_change_password_template',` gen_require(` - type $1_t, $1_devpts_t, $1_tty_device_t; + type $1_t; role $1_r; ') optional_policy(` - usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - ') -') - -####################################### -## -## The template for allowing the user to change roles. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`userdom_role_change_template',` - gen_require(` - role $1_r, $2_r; - type $1_t, $2_t; - type $1_devpts_t, $2_devpts_t; - type $1_tty_device_t, $2_tty_device_t; + usermanage_run_chfn($1_t,$1_r) + usermanage_run_passwd($1_t,$1_r) ') - - allow $1_r $2_r; - type_change $2_t $1_devpts_t:chr_file $2_devpts_t; - type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; - # avoid annoying messages on terminal hangup - dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; ') ####################################### @@ -678,12 +496,8 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') - userdom_untrusted_content_template($1) - userdom_basic_networking_template($1) - userdom_exec_generic_pgms_template($1) - optional_policy(` userdom_xwindows_client_template($1) ') @@ -707,6 +521,8 @@ template(`userdom_common_user_template',` # Find CDROM devices: kernel_read_device_sysctls($1_t) + corecmd_exec_bin($1_t) + corenet_udp_bind_all_nodes($1_t) corenet_udp_bind_generic_port($1_t) @@ -742,14 +558,14 @@ template(`userdom_common_user_template',` auth_use_nsswitch($1_t) auth_read_login_records($1_t) auth_search_pam_console_data($1_t) - auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + auth_run_pam($1_t,$1_r) + auth_run_utempter($1_t,$1_r) init_read_utmp($1_t) seutil_read_file_contexts($1_t) seutil_read_default_contexts($1_t) - seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) # for when the network connection is killed @@ -787,15 +603,15 @@ template(`userdom_common_user_template',` ') optional_policy(` - dbus_system_bus_client_template($1,$1_t) + dbus_system_bus_client($1_t) optional_policy(` bluetooth_dbus_chat($1_t) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) + evolution_dbus_chat($1_t) + evolution_alarm_dbus_chat($1_t) ') optional_policy(` @@ -876,7 +692,7 @@ template(`userdom_common_user_template',` ') optional_policy(` - usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + usernetctl_run($1_t,$1_r) ') ') @@ -905,15 +721,13 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_template($1) - userdom_poly_home_template($1) - userdom_poly_tmp_template($1) + userdom_manage_home_role($1_r, $1_t) - userdom_manage_tmp_template($1) - userdom_manage_tmpfs_template($1) + userdom_manage_tmp_role($1_r, $1_t) + userdom_manage_tmpfs_role($1_r, $1_t) - userdom_exec_tmp_template($1) - userdom_exec_home_template($1) + userdom_exec_user_tmp_files($1_t) + userdom_exec_user_home_content_files($1_t) userdom_change_password_template($1) @@ -1019,7 +833,6 @@ template(`userdom_login_user_template', ` template(`userdom_restricted_user_template',` gen_require(` attribute unpriv_userdomain; - attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; ') userdom_login_user_template($1) @@ -1027,27 +840,13 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) - typeattribute $1_devpts_t user_ptynode; - typeattribute $1_home_dir_t user_home_dir_type; - typeattribute $1_home_t user_home_type; - typeattribute $1_tmp_t user_tmpfile; - typeattribute $1_tty_device_t user_ttynode; - ############################## # # Local policy # - # privileged home directory writers - manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) - optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) + loadkeys_run($1_t,$1_r) ') ') @@ -1083,7 +882,7 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # - authlogin_per_role_template($1, $1_t, $1_r) + auth_role($1_r, $1_t) auth_search_pam_console_data($1_t) dev_read_sound($1_t) @@ -1103,8 +902,8 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` - dbus_per_role_template($1, $1_t, $1_r) - dbus_system_bus_client_template($1, $1_t) + dbus_role_template($1, $1_r, $1_t) + dbus_system_bus_client($1_t) optional_policy(` consolekit_dbus_chat($1_t) @@ -1116,7 +915,7 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` - java_per_role_template($1, $1_t, $1_r) + java_role($1_r, $1_t) ') optional_policy(` @@ -1201,17 +1000,17 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + netutils_run_ping_cond($1_t,$1_r) + netutils_run_traceroute_cond($1_t,$1_r) ') optional_policy(` - postgresql_userdom_template($1,$1_t,$1_r) + postgresql_role($1_r,$1_t) ') # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ppp_run_cond($1_t,$1_r) ') optional_policy(` @@ -1250,8 +1049,7 @@ template(`userdom_unpriv_user_template', ` # template(`userdom_admin_user_template',` gen_require(` - attribute admin_terminal, privhome; - class passwd { passwd chfn chsh rootok crontab }; + class passwd { passwd chfn chsh rootok }; ') ############################## @@ -1263,7 +1061,6 @@ template(`userdom_admin_user_template',` userdom_login_user_template($1) userdom_common_user_template($1) - typeattribute $1_t privhome; domain_obj_id_change_exemption($1_t) role system_r types $1_t; @@ -1271,10 +1068,6 @@ template(`userdom_admin_user_template',` domain_system_change_exemption($1_t) ') - typeattribute $1_devpts_t admin_terminal; - - typeattribute $1_tty_device_t admin_terminal; - ############################## # # $1_t local policy @@ -1289,9 +1082,6 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; - # Manipulate other users crontab. - allow $1_t self:passwd crontab; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; kernel_read_software_raid_state($1_t) @@ -1371,6 +1161,13 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) + userdom_manage_user_home_content_dirs($1_t) + userdom_manage_user_home_content_files($1_t) + userdom_manage_user_home_content_symlinks($1_t) + userdom_manage_user_home_content_pipes($1_t) + userdom_manage_user_home_content_sockets($1_t) + userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) + tunable_policy(`user_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) @@ -1402,12 +1199,6 @@ template(`userdom_admin_user_template',` ## be called from a per-userdomain template. ##

## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## ## ## ## Domain allowed access. @@ -1453,17 +1244,13 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) - seutil_run_checkpolicy($1,$2,$3) - seutil_run_loadpolicy($1,$2,$3) - seutil_run_semanage($1,$2,$3) - seutil_run_setfiles($1, $2, $3) - - staff_dontaudit_append_home_content_files($1) - - sysadm_dontaudit_read_home_content_files($1) + seutil_run_checkpolicy($1,$2) + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) + seutil_run_setfiles($1, $2) optional_policy(` - aide_run($1,$2, $3) + aide_run($1,$2) ') optional_policy(` @@ -1475,2523 +1262,186 @@ template(`userdom_security_admin_template',` ') optional_policy(` - ipsec_run_setkey($1,$2,$3) + ipsec_run_setkey($1,$2) ') optional_policy(` - netlabel_run_mgmt($1,$2, $3) + netlabel_run_mgmt($1,$2) ') ') ######################################## ## -## Change to the generic user role. +## Make the specified type usable in a +## user home directory. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Type to be used as a file in the +## user home directory. ## ## -## # -template(`userdom_role_change_generic_user',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_template() instead.') - unprivuser_role_change_template($1) +interface(`userdom_user_home_content',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:filesystem associate; + files_type($1) + ubac_constrained($1) ') ######################################## ## -## Change from the generic user role. +## Set the attributes of a user pty. ## -## -##

-## Change from the generic user role to -## the specified role. -##

-##

-## This is a template to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_from_generic_user',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_to_template() instead.') - unprivuser_role_change_to_template($1) +interface(`userdom_setattr_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file setattr; ') ######################################## ## -## Change to the staff user role. +## Create a user pty. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_staff',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_template() instead.') - staff_role_change_template($1) +interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; + ') + + term_create_pty($1, user_devpts_t) ') ######################################## ## -## Change from the staff user role. +## Get the attributes of user home directories. ## -## -##

-## Change from the staff user role to -## the specified role. -##

-##

-## This is a template to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_from_staff',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_to_template() instead.') - staff_role_change_to_template($1) +interface(`userdom_getattr_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir getattr_dir_perms; + files_search_home($1) ') ######################################## ## -## Change to the sysadm user role. +## Do not audit attempts to get the attributes of user home directories. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_template() instead.') - sysadm_role_change_template($1) +interface(`userdom_dontaudit_getattr_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir getattr_dir_perms; ') ######################################## ## -## Change from the sysadm user role. +## Search user home directories. ## -## -##

-## Change from the sysadm user role to -## the specified role. -##

-##

-## This is a template to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_from_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_to_template() instead.') - sysadm_role_change_to_template($1) +interface(`userdom_search_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Change to the secadm user role. +## Search user home directories. ## -## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_secadm',` - refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_template() instead.') - secadm_role_change_template($1) +interface(`userdom_dontaudit_search_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir search_dir_perms; ') ######################################## ## -## Change from the secadm user role. +## List user home directories. ## -## -##

-## Change from the secadm user role to -## the specified role. -##

-##

-## This is a template to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## +## ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). +## Domain allowed access. ## ## -## # -template(`userdom_role_change_from_secadm',` - refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_to_template() instead.') - secadm_role_change_to_template($1) -') +interface(`userdom_list_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') -######################################## -## -## Change to the auditadm user role. -## -## -## -## The prefix of the auditadm role (e.g., user -## is the prefix for user_r). -## -## -## -# -template(`userdom_role_change_auditadm',` - refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_template() instead.') - auditadm_role_change_template($1) -') - -######################################## -## -## Change from the auditadm user role. -## -## -##

-## Change from the auditadm user role to -## the specified role. -##

-##

-## This is a template to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -# -template(`userdom_role_change_from_auditadm',` - refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_to_template() instead.') - auditadm_role_change_to_template($1) -') - -######################################## -## -## Make the specified type usable in a -## user home directory. -## -## -##

-## Make the specified type usable in a -## user home directory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Type to be used as a file in the -## user home directory. -## -## -# -template(`userdom_user_home_content',` - gen_require(` - attribute $1_file_type; - ') - - typeattribute $2 $1_file_type; - files_type($2) -') - -######################################## -## -## Set the attributes of a user pty. -## -## -##

-## Set the attributes of a user pty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_setattr_user_ptys',` - gen_require(` - type $1_devpts_t; - ') - - allow $2 $1_devpts_t:chr_file setattr; -') - -######################################## -## -## Create a user pty. -## -## -##

-## Create a user pty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_create_user_pty',` - gen_require(` - type $1_devpts_t; - ') - - term_create_pty($2, $1_devpts_t) -') - -######################################## -## -## Search user home directories. -## -## -##

-## Search user home directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_search_user_home_dirs',` - gen_require(` - type $1_home_dir_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; -') - -######################################## -## -## List user home directories. -## -## -##

-## List user home directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_list_user_home_dirs',` - gen_require(` - type $1_home_dir_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir list_dir_perms; -') - -######################################## -## -## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -## -## -##

-## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## Domain to transition to. -## -## -# -template(`userdom_user_home_domtrans',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - domain_auto_trans($2,$1_home_t,$3) -') - -######################################## -## -## Do not audit attempts to list user home subdirectories. -## -## -##

-## Do not audit attempts to list user home subdirectories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit -## -## -# -template(`userdom_dontaudit_list_user_home_dirs',` - gen_require(` - type $1_home_dir_t; - ') - - dontaudit $2 $1_home_dir_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete directories -## in a user home subdirectory. -## -## -##

-## Create, read, write, and delete directories -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_home_content_dirs',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -') - -######################################## -## -## Do not audit attempts to set the -## attributes of user home files. -## -## -##

-## Do not audit attempts to set the -## attributes of user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - dontaudit $2 $1_home_t:file setattr; -') - -######################################## -## -## Read user home files. -## -## -##

-## Read user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_home_content_files',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -') - -######################################## -## -## Do not audit attempts to read user home files. -## -## -##

-## Do not audit attempts to read user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` - type $1_home_t; - ') - - dontaudit $2 $1_home_t:dir list_dir_perms; - dontaudit $2 $1_home_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write user home files. -## -## -##

-## Do not audit attempts to write user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_write_user_home_content_files',` - gen_require(` - type $1_home_t; - ') - - dontaudit $2 $1_home_t:file write; -') - -######################################## -## -## Read user home subdirectory symbolic links. -## -## -##

-## Read user home subdirectory symbolic links. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_home_content_symlinks',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -') - -######################################## -## -## Execute user home files. -## -## -##

-## Execute user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_exec_user_home_content_files',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -') - -######################################## -## -## Do not audit attempts to execute user home files. -## -## -##

-## Do not audit attempts to execute user home files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_dontaudit_exec_user_home_content_files',` - gen_require(` - type $1_home_t; - ') - - dontaudit $2 $1_home_t:file execute; -') - -######################################## -## -## Create, read, write, and delete files -## in a user home subdirectory. -## -## -##

-## Create, read, write, and delete files -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_home_content_files',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_files_pattern($2,$1_home_t,$1_home_t) -') - -######################################## -## -## Do not audit attempts to create, read, write, and delete directories -## in a user home subdirectory. -## -## -##

-## Do not audit attempts to create, read, write, and delete directories -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_dontaudit_manage_user_home_content_dirs',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - dontaudit $2 $1_home_t:dir manage_dir_perms; -') - -######################################## -## -## Create, read, write, and delete symbolic links -## in a user home subdirectory. -## -## -##

-## Create, read, write, and delete symbolic links -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_home_content_symlinks',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_lnk_files_pattern($2,$1_home_t,$1_home_t) -') - -######################################## -## -## Create, read, write, and delete named pipes -## in a user home subdirectory. -## -## -##

-## Create, read, write, and delete named pipes -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_home_content_pipes',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_fifo_files_pattern($2,$1_home_t,$1_home_t) -') - -######################################## -## -## Create, read, write, and delete named sockets -## in a user home subdirectory. -## -## -##

-## Create, read, write, and delete named sockets -## in a user home subdirectory. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_home_content_sockets',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_sock_files_pattern($2,$1_home_t,$1_home_t) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -## -## -##

-## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. If not -## specified, file is used. -## -## -# -template(`userdom_user_home_dir_filetrans',` - gen_require(` - type $1_home_dir_t; - ') - - files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$3,$4) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -## -## -##

-## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. If not -## specified, file is used. -## -## -# -template(`userdom_user_home_content_filetrans',` - gen_require(` - type $1_home_t; - ') - - files_search_home($2) - filetrans_pattern($2,$1_home_t,$3,$4) -') - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## the user home file type. -## -## -##

-## Create objects in a user home directory -## with an automatic type transition to -## the user home file type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. If not -## specified, file is used. -## -## -# -template(`userdom_user_home_dir_filetrans_user_home_content',` - gen_require(` - type $1_home_dir_t, $1_home_t; - ') - - files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) -') - -######################################## -## -## Write to user temporary named sockets. -## -## -##

-## Write to user temporary named sockets. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_write_user_tmp_sockets',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - allow $2 $1_tmp_t:sock_file write; -') - -######################################## -## -## List user temporary directories. -## -## -##

-## List user temporary directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_list_user_tmp',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list user -## temporary directories. -## -## -##

-## Do not audit attempts to list user -## temporary directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_list_user_tmp',` - gen_require(` - type $1_tmp_t; - ') - - dontaudit $2 $1_tmp_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to manage users -## temporary directories. -## -## -##

-## Do not audit attempts to manage users -## temporary directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_manage_user_tmp_dirs',` - gen_require(` - type $1_tmp_t; - ') - - dontaudit $2 $1_tmp_t:dir manage_dir_perms; -') - -######################################## -## -## Read user temporary files. -## -## -##

-## Read user temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - read_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Do not audit attempts to read users -## temporary files. -## -## -##

-## Do not audit attempts to read users -## temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_read_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - dontaudit $2 $1_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to append users -## temporary files. -## -## -##

-## Do not audit attempts to append users -## temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_append_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - dontaudit $2 $1_tmp_t:file append; -') - -######################################## -## -## Read and write user temporary files. -## -## -##

-## Read and write user temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_rw_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - rw_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Do not audit attempts to manage users -## temporary files. -## -## -##

-## Do not audit attempts to manage users -## temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - dontaudit $2 $1_tmp_t:file manage_file_perms; -') - -######################################## -## -## Read user -## temporary symbolic links. -## -## -##

-## Read user -## temporary symbolic links. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_tmp_symlinks',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create, read, write, and delete user -## temporary directories. -## -## -##

-## Create, read, write, and delete user -## temporary directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_tmp_dirs',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create, read, write, and delete user -## temporary files. -## -## -##

-## Create, read, write, and delete user -## temporary files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_tmp_files',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - manage_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create, read, write, and delete user -## temporary symbolic links. -## -## -##

-## Create, read, write, and delete user -## temporary symbolic links. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_tmp_symlinks',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create, read, write, and delete user -## temporary named pipes. -## -## -##

-## Create, read, write, and delete user -## temporary named pipes. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_tmp_pipes',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create, read, write, and delete user -## temporary named sockets. -## -## -##

-## Create, read, write, and delete user -## temporary named sockets. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_tmp_sockets',` - gen_require(` - type $1_tmp_t; - ') - - files_search_tmp($2) - manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t) -') - -######################################## -## -## Create objects in a user temporary directory -## with an automatic type transition to -## a specified private type. -## -## -##

-## Create objects in a user temporary directory -## with an automatic type transition to -## a specified private type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. If not -## specified, file is used. -## -## -# -template(`userdom_user_tmp_filetrans',` - gen_require(` - type $1_tmp_t; - ') - - filetrans_pattern($2,$1_tmp_t,$3,$4) - files_search_tmp($2) -') - -######################################## -## -## Create objects in the temporary directory -## with an automatic type transition to -## the user temporary type. -## -## -##

-## Create objects in the temporary directory -## with an automatic type transition to -## the user temporary type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. If not -## specified, file is used. -## -## -# -template(`userdom_tmp_filetrans_user_tmp',` - gen_require(` - type $1_tmp_t; - ') - - files_tmp_filetrans($2,$1_tmp_t,$3) -') - -######################################## -## -## Read user tmpfs files. -## -## -##

-## Read user tmpfs files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_rw_user_tmpfs_files',` - gen_require(` - type $1_tmpfs_t; - ') - - fs_search_tmpfs($2) - allow $2 $1_tmpfs_t:dir list_dir_perms; - rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) - read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -') - -######################################## -## -## List users untrusted directories. -## -## -##

-## List users untrusted directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_list_user_untrusted_content',` - gen_require(` - type $1_untrusted_content_t; - ') - - allow $2 $1_untrusted_content_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list user -## untrusted directories. -## -## -##

-## Do not audit attempts to read user -## untrusted directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_list_user_untrusted_content',` - gen_require(` - type $1_untrusted_content_t; - ') - - dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; -') - -######################################## -## -## Create, read, write, and delete users untrusted directories. -## -## -##

-## Create, read, write, and delete users untrusted directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_untrusted_content_dirs',` - gen_require(` - type $1_untrusted_content_t; - ') - - allow $2 $1_untrusted_content_t:dir manage_dir_perms; -') - -######################################## -## -## Read user untrusted files. -## -## -##

-## Read user untrusted files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_untrusted_content_files',` - gen_require(` - type $1_untrusted_content_t; - ') - - allow $2 $1_untrusted_content_t:dir list_dir_perms; - read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) -') - -######################################## -## -## Manage user untrusted files. -## -## -##

-## Create, read, write, and delete untrusted files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_untrusted_content_files',` - gen_require(` - type $1_untrusted_content_t; - ') - - manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) -') - -######################################## -## -## Manage user untrusted tmp files. -## -## -##

-## Create, read, write, and delete untrusted tmp files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_manage_user_untrusted_content_tmp_files',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - manage_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) -') - -######################################## -## -## Do not audit attempts to read users -## untrusted files. -## -## -##

-## Do not audit attempts to read users -## untrusted files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_read_user_untrusted_content_files',` - gen_require(` - type $1_untrusted_content_t; - ') - - dontaudit $2 $1_untrusted_content_t:file read_file_perms; -') - -######################################## -## -## Read user untrusted symbolic links. -## -## -##

-## Read user untrusted symbolic links. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_untrusted_content_symlinks',` - gen_require(` - type $1_untrusted_content_t; - ') - - allow $2 $1_untrusted_content_t:dir list_dir_perms; - read_lnk_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) -') - -######################################## -## -## List users temporary untrusted directories. -## -## -##

-## List users temporary untrusted directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_list_user_tmp_untrusted_content',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; -') - -######################################## -## -## Do not audit attempts to list user -## temporary untrusted directories. -## -## -##

-## Do not audit attempts to list user -## temporary directories. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_list_user_tmp_untrusted_content',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - dontaudit $2 $1_untrusted_content_tmp_t:dir list_dir_perms; -') - -######################################## -## -## Read user temporary untrusted files. -## -## -##

-## Read user temporary untrusted files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_tmp_untrusted_content_files',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; - read_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) -') - -######################################## -## -## Do not audit attempts to read users -## temporary untrusted files. -## -## -##

-## Do not audit attempts to read users -## temporary untrusted files. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain to not audit. -## -## -# -template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - dontaudit $2 $1_untrusted_content_tmp_t:file read_file_perms; -') - -######################################## -## -## Read user temporary untrusted symbolic links. -## -## -##

-## Read user temporary untrusted symbolic links. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_read_user_tmp_untrusted_content_symlinks',` - gen_require(` - type $1_untrusted_content_tmp_t; - ') - - allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; - read_lnk_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) -') - -######################################## -## -## Read all user untrusted content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_all_untrusted_content',` - gen_require(` - attribute untrusted_content_type; - ') - - allow $1 untrusted_content_type:dir list_dir_perms; - read_files_pattern($1,untrusted_content_type,untrusted_content_type) - read_lnk_files_pattern($1,untrusted_content_type,untrusted_content_type) -') - -######################################## -## -## Read all user temporary untrusted content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_read_all_tmp_untrusted_content',` - gen_require(` - attribute untrusted_content_tmp_type; - ') - - allow $1 untrusted_content_tmp_type:dir list_dir_perms; - read_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type) - read_lnk_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type) -') - -######################################## -## -## Set the attributes of a user domain tty. -## -## -##

-## Set the attributes of a user domain tty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_setattr_user_ttys',` - gen_require(` - type $1_tty_device_t; - ') - - allow $2 $1_tty_device_t:chr_file setattr; -') - -######################################## -## -## Read and write a user domain tty. -## -## -##

-## Read and write a user domain tty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_use_user_ttys',` - gen_require(` - type $1_tty_device_t; - ') - - allow $2 $1_tty_device_t:chr_file rw_term_perms; -') - -######################################## -## -## Read and write a user domain tty and pty. -## -## -##

-## Read and write a user domain tty and pty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_use_user_terminals',` - gen_require(` - type $1_tty_device_t, $1_devpts_t; - ') - - allow $2 $1_tty_device_t:chr_file rw_term_perms; - allow $2 $1_devpts_t:chr_file rw_term_perms; - term_list_ptys($2) -') - -######################################## -## -## Do not audit attempts to read and write -## a user domain tty and pty. -## -## -##

-## Do not audit attempts to read and write -## a user domain tty and pty. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# -template(`userdom_dontaudit_use_user_terminals',` - gen_require(` - type $1_tty_device_t, $1_devpts_t; - ') - - dontaudit $2 $1_tty_device_t:chr_file rw_term_perms; - dontaudit $2 $1_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Execute a shell in all user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_spec_domtrans_all_users',` - gen_require(` - attribute userdomain; - ') - - corecmd_shell_spec_domtrans($1,userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -') - -######################################## -## -## Execute an Xserver session in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_xsession_spec_domtrans_all_users',` - gen_require(` - attribute userdomain; - ') - - xserver_xsession_spec_domtrans($1,userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -') - -######################################## -## -## Execute a shell in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - corecmd_shell_spec_domtrans($1,unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Execute an Xserver session in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_xsession_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - xserver_xsession_spec_domtrans($1,unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; -') - -######################################## -## -## Manage unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem create_sem_perms; -') - -######################################## -## -## Manage unpriviledged user SysV shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_unpriv_user_shared_mem',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:shm create_shm_perms; + allow $1 user_home_dir_t:dir list_dir_perms; + files_search_home($1) ') ######################################## ## -## Execute bin_t in the unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). +## Do not audit attempts to list user home subdirectories. ## ## ## -## Domain allowed access. +## Domain to not audit ## ## # -interface(`userdom_bin_spec_domtrans_unpriv_users',` +interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` - attribute unpriv_userdomain; + type user_home_dir_t; ') - corecmd_bin_spec_domtrans($1,unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; + dontaudit $1 user_home_dir_t:dir list_dir_perms; ') ######################################## ## -## Execute generic sbin programs in all unprivileged user -## domains. This is an explicit transition, requiring the -## caller to use setexeccon(). +## Create user home directories. ## ## ## @@ -3999,16 +1449,17 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',` ## ## # -interface(`userdom_sbin_spec_domtrans_unpriv_users',` - userdom_bin_spec_domtrans_unpriv_users($1) - refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_unpriv_users() instead.') +interface(`userdom_create_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir create_dir_perms; ') ######################################## ## -## Execute all entrypoint files in unprivileged user -## domains. This is an explicit transition, requiring the -## caller to use setexeccon(). +## Create user home directories. ## ## ## @@ -4016,20 +1467,17 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',` ## ## # -interface(`userdom_entry_spec_domtrans_unpriv_users',` +interface(`userdom_manage_user_home_dirs',` gen_require(` - attribute unpriv_userdomain; + type user_home_dir_t; ') - domain_entry_file_spec_domtrans($1,unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; + allow $1 user_home_dir_t:dir manage_dir_perms; ') ######################################## ## -## Execute a shell in the sysadm domain. +## Relabel to user home directories. ## ## ## @@ -4037,29 +1485,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` ## ## # -interface(`userdom_shell_domtrans_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_shell_domtrans() instead.') - sysadm_shell_domtrans($1) -') +interface(`userdom_relabelto_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') -######################################## -## -## Execute a generic bin program in the sysadm domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_bin_spec_domtrans_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans() instead.') - sysadm_bin_spec_domtrans($1) + allow $1 user_home_dir_t:dir relabelto; ') ######################################## ## -## Execute a generic sbin program in the sysadm domain. (Deprecated) +## Create directories in the home dir root with +## the user home directory type. ## ## ## @@ -4067,148 +1504,75 @@ interface(`userdom_bin_spec_domtrans_sysadm',` ## ## # -interface(`userdom_sbin_spec_domtrans_sysadm',` - refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans() instead.') - sysadm_bin_spec_domtrans($1) -') +interface(`userdom_home_filetrans_user_home_dir',` + gen_require(` + type user_home_dir_t; + ') -######################################## -## -## Execute all entrypoint files in the sysadm domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_entry_spec_domtrans_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.') - sysadm_entry_spec_domtrans($1) + files_home_filetrans($1, user_home_dir_t, dir) ') ######################################## ## -## Allow sysadm to execute a generic bin program in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). (Deprecated) +## Do a domain transition to the specified +## domain when executing a program in the +## user home directory. ## ## ##

-## Allow sysadm to execute a generic bin program in -## a specified domain. (Deprecated) +## Do a domain transition to the specified +## domain when executing a program in the +## user home directory. ##

##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. ##

##
-## +## ## -## Domain to execute in. +## Domain allowed access. ## ## -# -interface(`userdom_sysadm_bin_spec_domtrans_to',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans_to() instead.') - sysadm_bin_spec_domtrans_to($1) -') - -######################################## -## -## Allow sysadm to execute a generic sbin program in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). (Deprecated) -## -## -##

-## Allow sysadm to execute a generic sbin program in -## a specified domain. (Deprecated) -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## +## ## -## Domain to execute in. +## Domain to transition to. ## ## # -interface(`userdom_sysadm_sbin_spec_domtrans_to',` - refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans_to() instead.') - sysadm_bin_spec_domtrans_to($1) -') +interface(`userdom_user_home_domtrans',` + gen_require(` + type user_home_dir_t, user_home_t; + ') -######################################## -## -## Allow sysadm to execute all entrypoint files -## in the specified domain. This is an explicit -## transition, requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute all entrypoint files -## in the specified domain. This is an explicit -## transition, requiring the caller to use setexeccon(). -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -# -interface(`userdom_sysadm_entry_spec_domtrans_to',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.') - sysadm_entry_spec_domtrans($1) + domain_auto_trans($1, user_home_t, $2) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Search the staff users home directory. +## Do not audit attempts to search user home content directories. ## ## ## -## Domain allowed access. +## Domain to not audit ## ## # -interface(`userdom_search_staff_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_search_home_dirs() instead.') - staff_search_home_dirs($1) -') +interface(`userdom_dontaudit_search_user_home_content',` + gen_require(` + type user_home_t; + ') -######################################## -## -## Do not audit attempts to search the staff -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_search_staff_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_search_home_dirs() instead.') - staff_dontaudit_search_home_dirs($1) + dontaudit $1 user_home_t:dir search_dir_perms; ') ######################################## ## -## Create, read, write, and delete staff -## home directories. +## Create, read, write, and delete directories +## in a user home subdirectory. ## ## ## @@ -4216,14 +1580,19 @@ interface(`userdom_dontaudit_search_staff_home_dirs',` ## ## # -interface(`userdom_manage_staff_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_manage_home_dirs() instead.') - staff_manage_home_dirs($1) +interface(`userdom_manage_user_home_content_dirs',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) ') ######################################## ## -## Relabel to staff home directories. +## Do not audit attempts to set the +## attributes of user home files. ## ## ## @@ -4231,30 +1600,17 @@ interface(`userdom_manage_staff_home_dirs',` ## ## # -interface(`userdom_relabelto_staff_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_relabelto_home_dirs() instead.') - staff_relabelto_home_dirs($1) -') +interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') -######################################## -## -## Do not audit attempts to append to the staff -## users home directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`userdom_dontaudit_append_staff_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_append_home_content_files() instead.') - staff_dontaudit_append_home_content_files($1) + dontaudit $1 user_home_t:file setattr; ') ######################################## ## -## Read files in the staff users home directory. +## Mmap user home files. ## ## ## @@ -4262,30 +1618,18 @@ interface(`userdom_dontaudit_append_staff_home_content_files',` ## ## # -interface(`userdom_read_staff_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use staff_read_home_content_files() instead.') - staff_read_home_content_files($1) -') +interface(`userdom_mmap_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') -######################################## -## -## Send a SIGCHLD signal to sysadm users. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_sigchld_sysadm',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_sigchld() instead.') - sysadm_sigchld($1) + mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) ') ######################################## ## -## Do not audit attepts to get the attributes -## of sysadm ttys. +## Read user home files. ## ## ## @@ -4293,29 +1637,37 @@ interface(`userdom_sigchld_sysadm',` ## ## # -interface(`userdom_dontaudit_getattr_sysadm_ttys',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_ttys() instead.') - sysadm_dontaudit_getattr_ttys($1) +interface(`userdom_read_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) ') ######################################## ## -## Read and write sysadm ttys. +## Do not audit attempts to read user home files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_use_sysadm_ttys',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ttys() instead.') - sysadm_use_ttys($1) +interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:dir list_dir_perms; + dontaudit $1 user_home_t:file read_file_perms; ') ######################################## ## -## Do not audit attempts to use sysadm ttys. +## Do not audit attempts to append user home files. ## ## ## @@ -4323,29 +1675,35 @@ interface(`userdom_use_sysadm_ttys',` ## ## # -interface(`userdom_dontaudit_use_sysadm_ttys',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ttys() instead.') - sysadm_dontaudit_use_ttys($1) +interface(`userdom_dontaudit_append_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file append; ') ######################################## ## -## Read and write sysadm ptys. +## Do not audit attempts to write user home files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_use_sysadm_ptys',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ptys() instead.') - sysadm_use_ptys($1) +interface(`userdom_dontaudit_write_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file write; ') ######################################## ## -## Dont audit attempts to read and write sysadm ptys. +## Do not audit attempts to write user home files. ## ## ## @@ -4353,14 +1711,17 @@ interface(`userdom_use_sysadm_ptys',` ## ## # -interface(`userdom_dontaudit_use_sysadm_ptys',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ptys() instead.') - sysadm_dontaudit_use_ptys($1) +interface(`userdom_dontaudit_relabel_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file relabel_file_perms; ') ######################################## ## -## Read and write sysadm ttys and ptys. +## Read user home subdirectory symbolic links. ## ## ## @@ -4368,29 +1729,46 @@ interface(`userdom_dontaudit_use_sysadm_ptys',` ## ## # -interface(`userdom_use_sysadm_terms',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_terms() instead.') - sysadm_use_terms($1) +interface(`userdom_read_user_home_content_symlinks',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) ') ######################################## ## -## Do not audit attempts to use sysadm ttys and ptys. +## Execute user home files. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## +## # -interface(`userdom_dontaudit_use_sysadm_terms',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_terms() instead.') - sysadm_dontaudit_use_terms($1) +interface(`userdom_exec_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + ') ') ######################################## ## -## Inherit and use sysadm file descriptors +## Do not audit attempts to execute user home files. ## ## ## @@ -4398,14 +1776,18 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ## ## # -interface(`userdom_use_sysadm_fds',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_fds() instead.') - sysadm_use_fds($1) +interface(`userdom_dontaudit_exec_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file execute; ') ######################################## ## -## Read and write sysadm user unnamed pipes. +## Create, read, write, and delete files +## in a user home subdirectory. ## ## ## @@ -4413,15 +1795,20 @@ interface(`userdom_use_sysadm_fds',` ## ## # -interface(`userdom_rw_sysadm_pipes',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_rw_pipes() instead.') - sysadm_rw_pipes($1) +interface(`userdom_manage_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Get the attributes of the sysadm users -## home directory. +## Do not audit attempts to create, read, write, and delete directories +## in a user home subdirectory. ## ## ## @@ -4429,166 +1816,188 @@ interface(`userdom_rw_sysadm_pipes',` ## ## # -interface(`userdom_getattr_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_getattr_home_dirs() instead.') - sysadm_getattr_home_dirs($1) +interface(`userdom_dontaudit_manage_user_home_content_dirs',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + dontaudit $1 user_home_t:dir manage_dir_perms; ') ######################################## ## -## Do not audit attempts to get the -## attributes of the sysadm users -## home directory. +## Create, read, write, and delete symbolic links +## in a user home subdirectory. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_home_dirs() instead.') - sysadm_dontaudit_getattr_home_dirs($1) +interface(`userdom_manage_user_home_content_symlinks',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_lnk_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Search the sysadm users home directory. +## Create, read, write, and delete named pipes +## in a user home subdirectory. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`userdom_search_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_dirs() instead.') - sysadm_search_home_dirs($1) +interface(`userdom_manage_user_home_content_pipes',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_fifo_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Do not audit attempts to search the sysadm -## users home directory. +## Create, read, write, and delete named sockets +## in a user home subdirectory. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`userdom_dontaudit_search_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_search_home_dirs() instead.') - sysadm_dontaudit_search_home_dirs($1) +interface(`userdom_manage_user_home_content_sockets',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + allow $1 user_home_dir_t:dir search_dir_perms; + manage_sock_files_pattern($1, user_home_t, user_home_t) + files_search_home($1) ') ######################################## ## -## List the sysadm users home directory. +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. ## ## ## ## Domain allowed access. ## ## -# -interface(`userdom_list_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_list_home_dirs() instead.') - sysadm_list_home_dirs($1) -') - -######################################## -## -## Do not audit attempts to list the sysadm -## users home directory. -## -## +## ## -## Domain to not audit. +## The type of the object to create. ## ## -# -interface(`userdom_dontaudit_list_sysadm_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_list_home_dirs() instead.') - sysadm_dontaudit_list_home_dirs($1) -') - -######################################## -## -## Do not audit attempts to search the sysadm -## users home directory. -## -## +## ## -## Domain to not audit. +## The class of the object to be created. ## ## # -interface(`userdom_dontaudit_read_sysadm_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_read_home_content_files() instead.') - sysadm_dontaudit_read_home_content_files($1) +interface(`userdom_user_home_dir_filetrans',` + gen_require(` + type user_home_dir_t; + ') + + filetrans_pattern($1, user_home_dir_t, $2, $3) + files_search_home($1) ') ######################################## ## -## Create objects in sysadm home directories -## with automatic file type transition. +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. ## ## ## ## Domain allowed access. ## ## -## +## ## -## The type of the object to be created. +## The type of the object to create. ## ## ## ## ## The class of the object to be created. -## If not specified, file is used. ## ## # -interface(`userdom_sysadm_home_dir_filetrans',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_home_dir_filetrans() instead.') - sysadm_home_dir_filetrans($1,$2,$3) +interface(`userdom_user_home_content_filetrans',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + filetrans_pattern($1, user_home_t, $2, $3) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) ') ######################################## ## -## Search the sysadm users home sub directories. +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. ## ## ## -## Domain to not audit. +## Domain allowed access. +## +## +## +## +## The class of the object to be created. ## ## # -interface(`userdom_search_sysadm_home_content_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_content_dirs() instead.') - sysadm_search_home_content_dirs($1) +interface(`userdom_user_home_dir_filetrans_user_home_content',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + filetrans_pattern($1, user_home_dir_t, user_home_t, $2) + files_search_home($1) ') ######################################## ## -## Read files in the sysadm users home directory. +## Write to user temporary named sockets. ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # -interface(`userdom_read_sysadm_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_home_content_files() instead.') - sysadm_read_home_content_files($1) +interface(`userdom_write_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:sock_file write; + files_search_tmp($1) ') ######################################## ## -## Read sysadm temporary files. +## List user temporary directories. ## ## ## @@ -4596,52 +2005,56 @@ interface(`userdom_read_sysadm_home_content_files',` ## ## # -interface(`userdom_read_sysadm_tmp_files',` - refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_tmp_files() instead.') - sysadm_read_tmp_files($1) +interface(`userdom_list_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) ') ######################################## ## -## Search all users home directories. +## Do not audit attempts to list user +## temporary directories. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_search_all_users_home_dirs',` +interface(`userdom_dontaudit_list_user_tmp',` gen_require(` - attribute home_dir_type; + type user_tmp_t; ') - files_list_home($1) - allow $1 home_dir_type:dir search_dir_perms; + dontaudit $1 user_tmp_t:dir list_dir_perms; ') ######################################## ## -## List all users home directories. +## Do not audit attempts to manage users +## temporary directories. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_list_all_users_home_dirs',` +interface(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` - attribute home_dir_type; + type user_tmp_t; ') - files_list_home($1) - allow $1 home_dir_type:dir list_dir_perms; + dontaudit $1 user_tmp_t:dir manage_dir_perms; ') ######################################## ## -## Search all users home directories. +## Read user temporary files. ## ## ## @@ -4649,18 +2062,20 @@ interface(`userdom_list_all_users_home_dirs',` ## ## # -interface(`userdom_search_all_users_home_content',` +interface(`userdom_read_user_tmp_files',` gen_require(` - attribute home_dir_type, home_type; + type user_tmp_t; ') - files_list_home($1) - allow $1 { home_dir_type home_type }:dir search_dir_perms; + read_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) ') ######################################## ## -## Do not audit attempts to search all users home directories. +## Do not audit attempts to read users +## temporary files. ## ## ## @@ -4668,38 +2083,36 @@ interface(`userdom_search_all_users_home_content',` ## ## # -interface(`userdom_dontaudit_search_all_users_home_content',` +interface(`userdom_dontaudit_read_user_tmp_files',` gen_require(` - attribute home_dir_type, home_type; + type user_tmp_t; ') - dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; + dontaudit $1 user_tmp_t:file read_file_perms; ') ######################################## ## -## Read all files in all users home directories. +## Do not audit attempts to append users +## temporary files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_read_all_users_home_content_files',` +interface(`userdom_dontaudit_append_user_tmp_files',` gen_require(` - attribute home_type; + type user_tmp_t; ') - files_list_home($1) - allow $1 home_type:dir list_dir_perms; - read_files_pattern($1,home_type,home_type) + dontaudit $1 user_tmp_t:file append; ') ######################################## ## -## Create, read, write, and delete all directories -## in all users home directories. +## Read and write user temporary files. ## ## ## @@ -4707,39 +2120,38 @@ interface(`userdom_read_all_users_home_content_files',` ## ## # -interface(`userdom_manage_all_users_home_content_dirs',` +interface(`userdom_rw_user_tmp_files',` gen_require(` - attribute home_type; + type user_tmp_t; ') - files_list_home($1) - allow $1 home_type:dir manage_dir_perms; + allow $1 user_tmp_t:dir list_dir_perms; + rw_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Create, read, write, and delete all files -## in all users home directories. +## Do not audit attempts to manage users +## temporary files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_manage_all_users_home_content_files',` +interface(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` - attribute home_type; + type user_tmp_t; ') - files_list_home($1) - manage_files_pattern($1,home_type,home_type) + dontaudit $1 user_tmp_t:file manage_file_perms; ') ######################################## ## -## Create, read, write, and delete all symlinks -## in all users home directories. +## Read user temporary symbolic links. ## ## ## @@ -4747,47 +2159,40 @@ interface(`userdom_manage_all_users_home_content_files',` ## ## # -interface(`userdom_manage_all_users_home_content_symlinks',` +interface(`userdom_read_user_tmp_symlinks',` gen_require(` - attribute home_type; + type user_tmp_t; ') - files_list_home($1) - manage_lnk_files_pattern($1,home_type,home_type) + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) ') ######################################## ## -## Make the specified domain a privileged -## home directory manager. +## Create, read, write, and delete user +## temporary directories. ## -## -##

-## Make the specified domain a privileged -## home directory manager. This domain will be -## able to manage the contents of all users -## general home directory content, and create -## files with the correct context. -##

-##
## ## ## Domain allowed access. ## ## # -interface(`userdom_priveleged_home_dir_manager',` +interface(`userdom_manage_user_tmp_dirs',` gen_require(` - attribute privhome; + type user_tmp_t; ') - files_list_home($1) - typeattribute $1 privhome; + manage_dirs_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Send general signals to unprivileged user domains. +## Create, read, write, and delete user +## temporary files. ## ## ## @@ -4795,17 +2200,19 @@ interface(`userdom_priveleged_home_dir_manager',` ## ## # -interface(`userdom_signal_unpriv_users',` +interface(`userdom_manage_user_tmp_files',` gen_require(` - attribute unpriv_userdomain; + type user_tmp_t; ') - allow $1 unpriv_userdomain:process signal; + manage_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Inherit the file descriptors from unprivileged user domains. +## Create, read, write, and delete user +## temporary symbolic links. ## ## ## @@ -4813,18 +2220,19 @@ interface(`userdom_signal_unpriv_users',` ## ## # -interface(`userdom_use_unpriv_users_fds',` +interface(`userdom_manage_user_tmp_symlinks',` gen_require(` - attribute unpriv_userdomain; + type user_tmp_t; ') - allow $1 unpriv_userdomain:fd use; + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Do not audit attempts to inherit the -## file descriptors from all user domains. +## Create, read, write, and delete user +## temporary named pipes. ## ## ## @@ -4832,18 +2240,19 @@ interface(`userdom_use_unpriv_users_fds',` ## ## # -interface(`userdom_dontaudit_use_unpriv_user_fds',` +interface(`userdom_manage_user_tmp_pipes',` gen_require(` - attribute unpriv_userdomain; + type user_tmp_t; ') - dontaudit $1 unpriv_userdomain:fd use; + manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Create generic user home directories -## with automatic file type transition. +## Create, read, write, and delete user +## temporary named sockets. ## ## ## @@ -4851,30 +2260,51 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',` ## ## # -interface(`userdom_home_filetrans_generic_user_home_dir',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_filetrans_home_dir() instead.') - unprivuser_home_filetrans_home_dir($1) +interface(`userdom_manage_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') ######################################## ## -## Search generic user home directories. +## Create objects in a user temporary directory +## with an automatic type transition to +## a specified private type. ## ## ## ## Domain allowed access. ## ## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## # -interface(`userdom_search_generic_user_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_search_home_dirs() instead.') - unprivuser_search_home_dirs($1) +interface(`userdom_user_tmp_filetrans',` + gen_require(` + type user_tmp_t; + ') + + filetrans_pattern($1, user_tmp_t, $2, $3) + files_search_tmp($1) ') ######################################## ## -## Create objects in generic user home directories -## with automatic file type transition. +## Create objects in the temporary directory +## with an automatic type transition to +## the user temporary type. ## ## ## @@ -4884,18 +2314,20 @@ interface(`userdom_search_generic_user_home_dirs',` ## ## ## The class of the object to be created. -## If not specified, file is used. ## ## # -interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_dir_filetrans_home_content() instead.') - unprivuser_home_dir_filetrans_home_content($1, $2) +interface(`userdom_tmp_filetrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_tmp_filetrans($1, user_tmp_t, $2) ') ######################################## ## -## Don't audit search on the user home subdirectory. +## Read user tmpfs files. ## ## ## @@ -4903,15 +2335,20 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',` ## ## # -interface(`userdom_dontaudit_search_generic_user_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_search_home_dirs() instead.') - unprivuser_dontaudit_search_home_dirs($1) +interface(`userdom_rw_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) ') ######################################## ## -## Create, read, write, and delete generic user -## home directories. +## Get the attributes of a user domain tty. ## ## ## @@ -4919,16 +2356,17 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',` ## ## # -interface(`userdom_manage_generic_user_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_dirs() instead.') - unprivuser_manage_home_dirs($1) +interface(`userdom_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file getattr; ') ######################################## ## -## Create, read, write, and delete -## subdirectories of generic user -## home directories. +## Do not audit attempts to get the attributes of a user domain tty. ## ## ## @@ -4936,14 +2374,17 @@ interface(`userdom_manage_generic_user_home_dirs',` ## ## # -interface(`userdom_manage_generic_user_home_content_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_dirs() instead.') - unprivuser_manage_home_content_dirs($1) +interface(`userdom_dontaudit_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file getattr; ') ######################################## ## -## Relabel to generic user home directories. +## Set the attributes of a user domain tty. ## ## ## @@ -4951,14 +2392,17 @@ interface(`userdom_manage_generic_user_home_content_dirs',` ## ## # -interface(`userdom_relabelto_generic_user_home_dirs',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_relabelto_home_dirs() instead.') - unprivuser_relabelto_home_dirs($1) +interface(`userdom_setattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file setattr; ') ######################################## ## -## Read files in generic user home directories. +## Do not audit attempts to set the attributes of a user domain tty. ## ## ## @@ -4966,15 +2410,17 @@ interface(`userdom_relabelto_generic_user_home_dirs',` ## ## # -interface(`userdom_read_generic_user_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_read_home_content_files() instead.') - unprivuser_read_home_content_files($1) +interface(`userdom_dontaudit_setattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file setattr; ') ######################################## ## -## Mmap of generic user -## home files. +## Read and write a user domain tty. ## ## ## @@ -4982,15 +2428,17 @@ interface(`userdom_read_generic_user_home_content_files',` ## ## # -interface(`userdom_mmap_generic_user_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_mmap_home_content_files() instead.') - unprivuser_mmap_home_content_files($1) +interface(`userdom_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file rw_term_perms; ') ######################################## ## -## Create, read, write, and delete files -## in generic user home directories. +## Read and write a user domain pty. ## ## ## @@ -4998,15 +2446,17 @@ interface(`userdom_mmap_generic_user_home_content_files',` ## ## # -interface(`userdom_manage_generic_user_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_files() instead.') - unprivuser_manage_home_content_files($1) +interface(`userdom_use_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## ## -## Do not audit attempts to relabel generic user -## home files. +## Read and write a user domain tty and pty. ## ## ## @@ -5014,15 +2464,20 @@ interface(`userdom_manage_generic_user_home_content_files',` ## ## # -interface(`userdom_dontaudit_relabel_generic_user_home_content_files',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_relabel_home_content_files() instead.') - unprivuser_dontaudit_relabel_home_content_files($1) +interface(`userdom_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; + term_list_ptys($1) ') ######################################## ## -## Create, read, write, and delete symbolic -## links in generic user home directories. +## Do not audit attempts to read and write +## a user domain tty and pty. ## ## ## @@ -5030,15 +2485,20 @@ interface(`userdom_dontaudit_relabel_generic_user_home_content_files',` ## ## # -interface(`userdom_manage_generic_user_home_content_symlinks',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_symlinks() instead.') - unprivuser_manage_home_content_symlinks($1) +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## ## -## Create, read, write, and delete named -## pipes in generic user home directories. +## Execute a shell in all user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5046,15 +2506,22 @@ interface(`userdom_manage_generic_user_home_content_symlinks',` ## ## # -interface(`userdom_manage_generic_user_home_content_pipes',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_pipes() instead.') - unprivuser_manage_home_content_pipes($1) +interface(`userdom_spec_domtrans_all_users',` + gen_require(` + attribute userdomain; + ') + + corecmd_shell_spec_domtrans($1,userdomain) + allow userdomain $1:fd use; + allow userdomain $1:fifo_file rw_file_perms; + allow userdomain $1:process sigchld; ') ######################################## ## -## Create, read, write, and delete named -## sockets in generic user home directories. +## Execute an Xserver session in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5062,14 +2529,22 @@ interface(`userdom_manage_generic_user_home_content_pipes',` ## ## # -interface(`userdom_manage_generic_user_home_content_sockets',` - refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_sockets() instead.') - unprivuser_manage_home_content_sockets($1) +interface(`userdom_xsession_spec_domtrans_all_users',` + gen_require(` + attribute userdomain; + ') + + xserver_xsession_spec_domtrans($1,userdomain) + allow userdomain $1:fd use; + allow userdomain $1:fifo_file rw_file_perms; + allow userdomain $1:process sigchld; ') ######################################## ## -## Search all unprivileged users home directories. +## Execute a shell in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5077,19 +2552,22 @@ interface(`userdom_manage_generic_user_home_content_sockets',` ## ## # -interface(`userdom_search_unpriv_users_home_dirs',` +interface(`userdom_spec_domtrans_unpriv_users',` gen_require(` - attribute user_home_dir_type; + attribute unpriv_userdomain; ') - files_search_home($1) - allow $1 user_home_dir_type:dir search_dir_perms; + corecmd_shell_spec_domtrans($1,unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') ######################################## ## -## Read all unprivileged users home directory -## files. +## Execute an Xserver session in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5097,21 +2575,20 @@ interface(`userdom_search_unpriv_users_home_dirs',` ## ## # -interface(`userdom_read_unpriv_users_home_content_files',` +interface(`userdom_xsession_spec_domtrans_unpriv_users',` gen_require(` - attribute user_home_dir_type, user_home_type; + attribute unpriv_userdomain; ') - files_search_home($1) - allow $1 user_home_type:dir list_dir_perms; - read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) - read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + xserver_xsession_spec_domtrans($1,unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') ######################################## ## -## Create, read, write, and delete directories in -## unprivileged users home directories. +## Manage unpriviledged user SysV sempaphores. ## ## ## @@ -5119,19 +2596,18 @@ interface(`userdom_read_unpriv_users_home_content_files',` ## ## # -interface(`userdom_manage_unpriv_users_home_content_dirs',` +interface(`userdom_manage_unpriv_user_semaphores',` gen_require(` - attribute user_home_dir_type, user_home_type; + attribute unpriv_userdomain; ') - files_search_home($1) - manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + allow $1 unpriv_userdomain:sem create_sem_perms; ') ######################################## ## -## Create, read, write, and delete files in -## unprivileged users home directories. +## Manage unpriviledged user SysV shared +## memory segments. ## ## ## @@ -5139,18 +2615,19 @@ interface(`userdom_manage_unpriv_users_home_content_dirs',` ## ## # -interface(`userdom_manage_unpriv_users_home_content_files',` +interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` - attribute user_home_dir_type, user_home_type; + attribute unpriv_userdomain; ') - files_search_home($1) - manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + allow $1 unpriv_userdomain:shm create_shm_perms; ') ######################################## ## -## Set the attributes of user ptys. +## Execute bin_t in the unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5158,17 +2635,22 @@ interface(`userdom_manage_unpriv_users_home_content_files',` ## ## # -interface(`userdom_setattr_unpriv_users_ptys',` +interface(`userdom_bin_spec_domtrans_unpriv_users',` gen_require(` - attribute user_ptynode; + attribute unpriv_userdomain; ') - allow $1 user_ptynode:chr_file setattr; + corecmd_bin_spec_domtrans($1,unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') ######################################## ## -## Read and write unprivileged user ptys. +## Execute all entrypoint files in unprivileged user +## domains. This is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ## @@ -5176,37 +2658,39 @@ interface(`userdom_setattr_unpriv_users_ptys',` ## ## # -interface(`userdom_use_unpriv_users_ptys',` +interface(`userdom_entry_spec_domtrans_unpriv_users',` gen_require(` - attribute user_ptynode; + attribute unpriv_userdomain; ') - term_search_ptys($1) - allow $1 user_ptynode:chr_file rw_file_perms; + domain_entry_file_spec_domtrans($1,unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') ######################################## ## -## Do not audit attempts to use unprivileged -## user ptys. +## Search users home directories. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`userdom_dontaudit_use_unpriv_users_ptys',` +interface(`userdom_search_user_home_content',` gen_require(` - attribute user_ptynode; + type user_home_dir_t, user_home_t; ') - dontaudit $1 user_ptynode:chr_file rw_file_perms; + files_list_home($1) + allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; ') ######################################## ## -## Relabel files to unprivileged user pty types. +## Send general signals to unprivileged user domains. ## ## ## @@ -5214,18 +2698,17 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',` ## ## # -interface(`userdom_relabelto_unpriv_users_ptys',` +interface(`userdom_signal_unpriv_users',` gen_require(` - attribute user_ptynode; + attribute unpriv_userdomain; ') - allow $1 user_ptynode:chr_file relabelto; + allow $1 unpriv_userdomain:process signal; ') ######################################## ## -## Do not audit attempts to relabel files from -## unprivileged user pty types. +## Inherit the file descriptors from unprivileged user domains. ## ## ## @@ -5233,17 +2716,18 @@ interface(`userdom_relabelto_unpriv_users_ptys',` ## ## # -interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',` +interface(`userdom_use_unpriv_users_fds',` gen_require(` - attribute user_ptynode; + attribute unpriv_userdomain; ') - dontaudit $1 user_ptynode:chr_file relabelfrom; + allow $1 unpriv_userdomain:fd use; ') ######################################## ## -## Read all unprivileged users temporary directories. +## Do not audit attempts to inherit the +## file descriptors from all user domains. ## ## ## @@ -5251,35 +2735,35 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',` ## ## # -interface(`userdom_list_unpriv_users_tmp',` +interface(`userdom_dontaudit_use_unpriv_user_fds',` gen_require(` - attribute user_tmpfile; + attribute unpriv_userdomain; ') - allow $1 user_tmpfile:dir list_dir_perms; + dontaudit $1 unpriv_userdomain:fd use; ') ######################################## ## -## Read all unprivileged users temporary files. +## Do not audit attempts to use user ptys. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_read_unpriv_users_tmp_files',` +interface(`userdom_dontaudit_use_user_ptys',` gen_require(` - attribute user_tmpfile; + type user_devpts_t; ') - allow $1 user_tmpfile:file read_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_file_perms; ') ######################################## ## -## Read all unprivileged users temporary symbolic links. +## Relabel files to unprivileged user pty types. ## ## ## @@ -5287,17 +2771,18 @@ interface(`userdom_read_unpriv_users_tmp_files',` ## ## # -interface(`userdom_read_unpriv_users_tmp_symlinks',` +interface(`userdom_relabelto_user_ptys',` gen_require(` - attribute user_tmpfile; + type user_devpts_t; ') - allow $1 user_tmpfile:lnk_file { getattr read }; + allow $1 user_devpts_t:chr_file relabelto; ') ######################################## ## -## Write all unprivileged users files in /tmp +## Do not audit attempts to relabel files from +## user pty types. ## ## ## @@ -5305,17 +2790,17 @@ interface(`userdom_read_unpriv_users_tmp_symlinks',` ## ## # -interface(`userdom_write_unpriv_users_tmp_files',` +interface(`userdom_dontaudit_relabelfrom_user_ptys',` gen_require(` - attribute user_tmpfile; + type user_devpts_t; ') - allow $1 user_tmpfile:file write_file_perms; + dontaudit $1 user_devpts_t:chr_file relabelfrom; ') ######################################## ## -## Read and write unprivileged user ttys. +## Write all users files in /tmp ## ## ## @@ -5323,18 +2808,17 @@ interface(`userdom_write_unpriv_users_tmp_files',` ## ## # -interface(`userdom_use_unpriv_users_ttys',` +interface(`userdom_write_user_tmp_files',` gen_require(` - attribute user_ttynode; + type user_tmp_t; ') - allow $1 user_ttynode:chr_file rw_term_perms; + allow $1 user_tmp_t:file write_file_perms; ') ######################################## ## -## Do not audit attempts to use unprivileged -## user ttys. +## Do not audit attempts to use user ttys. ## ## ## @@ -5342,12 +2826,12 @@ interface(`userdom_use_unpriv_users_ttys',` ## ## # -interface(`userdom_dontaudit_use_unpriv_users_ttys',` +interface(`userdom_dontaudit_use_user_ttys',` gen_require(` - attribute user_ttynode; + type user_tty_device_t; ') - dontaudit $1 user_ttynode:chr_file rw_file_perms; + dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ') ######################################## @@ -5496,17 +2980,3 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') - -######################################## -## -## Unconfined access to user domains. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_unconfined',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index f53a5de..201c359 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain, 3.2.0) +policy_module(userdomain, 4.0.0) ######################################## # @@ -49,33 +49,6 @@ gen_tunable(user_rw_noexattrfile,false) ## gen_tunable(user_ttyfile_stat,false) -# admin users terminals (tty and pty) -attribute admin_terminal; - -# users home directory -attribute home_dir_type; - -# users home directory contents -attribute home_type; - -# The privhome attribute identifies every domain that can create files under -# regular user home directories in the regular context (IE act on behalf of -# a user in writing regular files) -attribute privhome; - -# all unprivileged users home directories -attribute user_home_dir_type; -attribute user_home_type; - -# all unprivileged users ptys -attribute user_ptynode; - -# all unprivileged users tmp files -attribute user_tmpfile; - -# all unprivileged users ttys -attribute user_ttynode; - # all user domains attribute userdomain; @@ -84,3 +57,41 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; + +type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; +fs_associate_tmpfs(user_home_dir_t) +files_type(user_home_dir_t) +files_mountpoint(user_home_dir_t) +files_associate_tmp(user_home_dir_t) +files_poly(user_home_dir_t) +files_poly_member(user_home_dir_t) +files_poly_parent(user_home_dir_t) +ubac_constrained(user_home_dir_t) + +type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; +typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +userdom_user_home_content(user_home_t) +fs_associate_tmpfs(user_home_t) +files_associate_tmp(user_home_t) +files_poly_member(user_home_t) +files_poly_parent(user_home_t) +files_mountpoint(user_home_t) +ubac_constrained(user_home_t) + +type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; +dev_node(user_devpts_t) +files_type(user_devpts_t) +ubac_constrained(user_devpts_t) + +type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; +files_tmp_file(user_tmp_t) +userdom_user_home_content(user_tmp_t) + +type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +files_tmpfs_file(user_tmpfs_t) +userdom_user_home_content(user_tmpfs_t) + +type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; +dev_node(user_tty_device_t) +ubac_constrained(user_tty_device_t) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 9e95995..80caa8b 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen, 1.7.0) +policy_module(xen, 1.7.1) ######################################## # @@ -201,12 +201,12 @@ sysnet_delete_dhcpc_pid(xend_t) sysnet_read_dhcpc_pid(xend_t) sysnet_rw_dhcp_config(xend_t) +userdom_dontaudit_search_user_home_dirs(xend_t) + xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t) -sysadm_dontaudit_search_home_dirs(xend_t) - optional_policy(` consoletype_exec(xend_t) ') diff --git a/policy/rolemap b/policy/rolemap index 729ed88..c1de37e 100644 --- a/policy/rolemap +++ b/policy/rolemap @@ -1,6 +1,6 @@ # # This file contains the mappings -# used for per-userdomain template +# used for per-role template # infrastructure. Each line describes # the prefix and user domain type # corresponding to each role. @@ -8,11 +8,6 @@ # syntax: role prefix user_domain # -user_r user user_t -staff_r staff staff_t -sysadm_r sysadm sysadm_t - -ifdef(`enable_mls',` - secadm_r secadm secadm_t - auditadm_r auditadm auditadm_t -') +# This support has been deprecated and +# will be removed in the future. Note: No +# per-role templates exist in refpolicy. diff --git a/support/Makefile.devel b/support/Makefile.devel index a944df0..87be614 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -62,6 +62,10 @@ ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif +ifeq "$(UBAC)" "y" + M4PARAM += -D enable_ubac +endif + # default MLS/MCS sensitivity and category settings. MLS_SENS ?= 16 MLS_CATS ?= 256