diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 612defa..be05fd9 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -53,7 +53,7 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_read_shared_libraries(consoletype_t)
 optional_policy(`authlogin.te', `
-authlogin_read_pam_runtime_data(consoletype_t)
+authlogin_pam_read_runtime_data(consoletype_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 54dc5a3..35ece3c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -26,6 +26,7 @@ files_make_file(boot_runtime_t)
 type bootloader_t;
 domain_make_domain(bootloader_t)
+role system_r types bootloader_t;
 type bootloader_exec_t;
 domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
@@ -79,7 +80,7 @@ storage_raw_write_removable_device(bootloader_t)
 devices_get_all_character_device_attributes(bootloader_t)
 devices_set_all_block_device_attributes(bootloader_t)
 devices_ignore_modify_generic_devices(bootloader_t)
-# for reading BIOS data (cjp: ?)
+# for reading BIOS data
 devices_raw_read_memory(bootloader_t)
 init_get_control_channel_attributes(bootloader_t)
@@ -104,11 +105,11 @@ logging_send_system_log_message(bootloader_t)
 filesystem_get_persistent_filesystem_attributes(bootloader_t)
 terminal_use_controlling_terminal(bootloader_t)
-terminal_get_user_terminal_attributes(bootloader_t)
+terminal_get_all_users_physical_terminal_attributes(bootloader_t)
 allow bootloader_t bootloader_etc_t:file { getattr read };
-optional_policy(modutils.te,`
+optional_policy(`modutils.te',`
 modutils_insmod_execute(insmod_t)
 ')
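Review bot: `modutils_insmod_execute(insmod_t)` inside the newly quoted `optional_policy(`modutils.te',` block passes `insmod_t` rather than the domain this file describes; every other interface call in this hunk takes `bootloader_t` as its first argument, so if `modutils_insmod_execute` follows the same convention the intended line is presumably `modutils_insmod_execute(bootloader_t)`. The commit only repairs the missing quotes around `modutils.te`, so the argument is worth confirming against modutils.if, which is not part of this diff.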
@@ -122,7 +123,7 @@ miscfiles_read_localization(bootloader_t)
 allow bootloader_t modules_object_t:dir { getattr search read };
 allow bootloader_t modules_object_t:file { getattr read };
-files_read_general_system_resources(bootloader_t)
+files_read_general_application_resources(bootloader_t)
 bootloader_install_initrd(bootloader_t)
 devices_get_random_data(bootloader_t)
@@ -160,7 +161,7 @@ tunable_policy(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
-')
+') dnl end distro_debian
 tunable_policy(`distro_redhat', `
 files_make_mountpoint(bootloader_tmp_t)
@@ -176,7 +177,7 @@ allow bootloader_t boot_runtime_t:file { read getattr unlink };
 # for memlock
 devices_get_zeros(bootloader_t)
 allow bootloader_t self:capability ipc_lock;
-')
+') dnl end distro_redhat
 ifdef(`TODO',`
@@ -184,7 +185,6 @@ ifdef(`TODO',`
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t admin_tty_type:chr_file rw_file_perms;
-role system_r types bootloader_t;
 allow bootloader_t initrc_t:fifo_file { read write };
 allow bootloader_t lib_t:file { getattr read };
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 2092546..352c2ec 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -160,7 +160,7 @@ allow kernel_t sysctl_kernel_t:file { getattr read };
 # old base_file_read_access():
 files_list_home_directories(kernel_t)
-files_read_general_shared_resources(kernel_t)
+files_read_general_application_resources(kernel_t)
 selinux_read_config(kernel_t)
 selinux_read_binary_policy(kernel_t)
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 0640dec..4432acc 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if 
@@ -27,20 +27,112 @@ devices_list_device_nodes_depend
 ########################################
 #
-# terminal_use_all_terminals(domain,[`optional'])
+# terminal_use_all_terminals(domain)
 #
 define(`terminal_use_all_terminals',`
-requires_block_template(terminal_use_all_terminals_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 devpts_t:dir { getattr read search };
+requires_block_template(terminal_use_all_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
 allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
 ')
 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devtty_t, devpts_t;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_physical_terminal_attributes(domain)
+#
+define(`terminal_get_all_users_physical_terminal_attributes',`
+requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_physical_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_physical_terminals(domain)
+#
+define(`terminal_use_all_users_physical_terminals',`
+requires_block_template(terminal_use_all_users_physical_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_physical_terminals(domain)
+#
+define(`terminal_ignore_use_all_users_physical_terminals',`
+requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend)
+dontaudit $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_pseudoterminal_attributes(domain)
+#
+define(`terminal_get_all_users_pseudoterminal_attributes',`
+requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
+allow $1 ptynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_pseudoterminal_attributes_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_use_all_users_pseudoterminals',`
+requires_block_template(terminal_use_all_users_pseudoterminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr read search };
+allow $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_ignore_use_all_users_pseudoterminals',`
+requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend)
+dontaudit $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
 class chr_file { read write };
-devices_list_device_nodes_depend
 ')
 ########################################
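Review bot: `terminal_get_all_users_pseudoterminal_attributes` still passes `$2` in `requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)` although its header documents a single `(domain)` argument, unlike the five other interfaces added in this hunk, which drop the second argument; the line should read `requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend)`. A second, smaller point: `terminal_use_all_terminals_depend` loses `devices_list_device_nodes_depend` while the interface body keeps calling `devices_list_device_nodes($1)`, and none of the new `_depend` blocks list it either; if a requires block is still expected to cover what its callee needs, that line should stay, so this is worth a short comment either way.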
@@ -154,22 +246,6 @@ class chr_file { read write };
 ########################################
 #
-# terminal_get_user_terminal_attributes(domain,[`optional'])
-#
-define(`terminal_get_user_terminal_attributes',`
-requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 ttynode:chr_file getattr;
-')
-
-define(`terminal_get_user_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
-devices_list_device_nodes_depend
-')
-
-########################################
-#
 # terminal_list_pseudoterminals(domain,[`optional'])
 #
 define(`terminal_list_pseudoterminals',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3907b7b..d7982c4 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -37,7 +37,10 @@ kernel_read_system_state($1_chkpwd_t)
 #can_resolve($1_chkpwd_t)
 # Transition from the user domain to this domain.
-ifelse($1, system, `', `
+ifelse($1, system, `
+#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
+terminal_use_general_physical_terminal($1_chkpwd_t)
+', `
 # Transition from the user domain to this domain.
 allow $1_t chkpwd_exec_t:file { getattr read execute };
 allow $1_t $1_chkpwd_t:process transition;
@@ -113,6 +116,8 @@ class process transition;
 #
 define(`authlogin_modify_login_records',`
 requires_block_template(authlogin_modify_login_records_depend)
+files_search_system_state_data_directory($1)
+# FIXME: search var_log_t
 allow $1 wtmp_t:file { getattr read write setattr };
 ')
@@ -127,6 +132,7 @@ class file { getattr read write setattr };
 #
 define(`authlogin_read_shadow_passwords',`
 requires_block_template(authlogin_read_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read };
 typeattribute $1 can_read_shadow_passwords;
 ')
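Review bot: The new `system` branch of the `ifelse` in the chkpwd template keeps a dead rule, `#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;`, directly above the `terminal_use_general_physical_terminal($1_chkpwd_t)` call that apparently replaces it; either drop the commented line or turn it into a note such as `# tty access now comes from the terminal interface below`. The `# Transition from the user domain to this domain.` comment above the `ifelse` now also heads the `system` branch, which performs no transition, so the copy inside the else branch is the one that belongs and the outer one should go. Please also confirm `terminal_use_general_physical_terminal` exists in terminal.if: the interfaces this commit adds there are named `terminal_use_all_users_physical_terminals` and similar, and this one's definition is not visible in the diff. The enclosing template starts above the hunk.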
@@ -157,6 +163,7 @@ class file { getattr read };
 #
 define(`authlogin_modify_shadow_passwords',`
 requires_block_template(authlogin_modify_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read write };
 typeattribute $1 can_read_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
@@ -185,16 +192,36 @@ class file { getattr read write setattr };
 #######################################
 #
-# authlogin_read_pam_runtime_data(domain)
+# authlogin_pam_read_runtime_data(domain)
 #
-define(`authlogin_read_pam_runtime_data',`
-requires_block_template(authlogin_read_pam_runtime_data_depend)
-# FIXME: search var_t
-# FIXME: search var_run_t
+define(`authlogin_pam_read_runtime_data',`
+requires_block_template(authlogin_pam_read_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read };
 allow $1 pam_var_run_t:file { getattr read };
 ')
-define(`authlogin_read_pam_runtime_data_depend',`
-type lastlog_t;
+define(`authlogin_pam_read_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read };
 class file { getattr read };
 ')
+
+#######################################
+#
+# authlogin_pam_remove_runtime_data(domain)
+#
+define(`authlogin_pam_remove_runtime_data',`
+requires_block_template(authlogin_pam_remove_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+allow $1 pam_var_run_t:file { getattr unlink };
+')
+
+define(`authlogin_pam_remove_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read write remove_name };
+class file { getattr unlink };
+')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6446862..e8353c0 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -25,8 +25,9 @@ domain_make_domain(pam_console_t)
 type pam_console_exec_t;
 domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
-type pam_t;
+type pam_t; #, nscd_client_domain;
 domain_make_domain(pam_t)
+role system_r types pam_t;
 type pam_exec_t;
 domain_make_entrypoint_file(pam_t,pam_exec_t)
@@ -47,7 +48,7 @@ attribute can_write_shadow_passwords;
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file write;
-type utempter_t;
+type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)
 type utempter_exec_t;
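Review bot: `type pam_t; #, nscd_client_domain;` and, in the second hunk, `type utempter_t; #, nscd_client_domain;` leave an attribute behind as a trailing comment on the declaration, where it is easy to mistake for an active attribute and will never be applied. The rest of this file parks unconverted rules in `ifdef(`TODO',`...')` blocks, so the `nscd_client_domain` association belongs there with a one-line note on what it is waiting for, or should be dropped from the declaration altogether.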
@@ -58,7 +59,102 @@ logging_make_log_file(wtmp_t)
 ########################################
 #
-# Local policy
+# PAM local policy
 #
-#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-#dontaudit system_chkpwd_t privfd:fd use;
+
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+dontaudit pam_t self:capability sys_tty_config;
+
+allow pam_t self:fd use;
+allow pam_t self:fifo_file { read getattr lock ioctl write append };
+allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow pam_t self:unix_dgram_socket sendto;
+allow pam_t self:unix_stream_socket connectto;
+allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow pam_t self:msg { send receive };
+
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
+
+kernel_read_system_state(pam_t)
+
+terminal_use_controlling_terminal(pam_t)
+terminal_use_all_users_physical_terminals(pam_t)
+terminal_use_all_users_pseudoterminals(pam_t)
+
+init_script_ignore_modify_runtime_data(pam_t)
+
+files_read_general_system_config(pam_t)
+files_read_runtime_data_directory(pam_t)
+
+libraries_use_dynamic_loader(pam_t)
+libraries_read_shared_libraries(pam_t)
+
+logging_send_system_log_message(pam_t)
+
+optional_policy(`locallogin.te',`
+locallogin_use_file_descriptors(pam_t)
+')
+
+ifdef(`TODO',`
+allow pam_t unpriv_userdomain:fd use;
+can_ypbind(pam_t)
+ifdef(`automount.te', `
+allow pam_t autofs_t:dir { search getattr };
+')
+
+in_user_role(pam_t)
+domain_auto_trans(userdomain, pam_exec_t, pam_t)
+ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+') dnl endif TODO
+
+########################################
+#
+# Utempter local policy
+#
+
+allow utempter_t self:capability setgid;
+allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+
+allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
+
+terminal_get_all_users_physical_terminal_attributes(utempter_t)
+terminal_get_all_users_pseudoterminal_attributes(utempter_t)
+terminal_ignore_use_all_users_physical_terminals(utempter_t)
+terminal_ignore_use_all_users_pseudoterminals(utempter_t)
+
+init_script_modify_runtime_data(utempter_t)
+
+files_read_general_system_config(utempter_t)
+
+domain_use_widely_inheritable_file_descriptors(utempter_t)
+
+libraries_use_dynamic_loader(utempter_t)
+libraries_read_shared_libraries(utempter_t)
+
+logging_search_system_log_directory(utempter_t)
+
+ifdef(`TODO',`
+in_user_role(utempter_t)
+role sysadm_r types utempter_t;
+domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
+
+# dontaudit access to /dev/ptmx.
+dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
+
+# Allow utemper to write to /tmp/.xses-*
+allow utempter_t user_tmpfile:file { getattr write append };
+
+ifdef(`xdm.te', `
+allow utempter_t xdm_t:fd use;
+allow utempter_t xdm_t:fifo_file { write getattr };
+')
+
+') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index fbc39fe..c6c6c0c 100644
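Review bot: `allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` at the top of the PAM local policy grants every `process` permission except the seven listed, so any permission added to the class by a later policy version is handed to pam_t without anyone revisiting this file; an explicit positive set is the least-privilege form and also records what pam_t actually needs. I would replace the negated set with the permissions observed in practice and keep a line such as `# explicit set on purpose: a negated set grows with the process class` above it. The same hunk uses `pam_tmp_t` in three rules and in `files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })`, but its `type` declaration is not in this diff; presumably it is declared earlier in the file, which is worth confirming since the hunk that adds the other declarations does not show it.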
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -129,6 +129,20 @@ class fd use;
 ########################################
 #
+# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
+#
+define(`domain_ignore_use_widely_inheritable_file_descriptors',`
+requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
+dontaudit $1 privfd:fd use;
+')
+
+define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
+attribute privfd;
+class fd use;
+')
+
+########################################
+#
 # domain_all_init_domains_transition(domain,[`optional'])
 #
 define(`domain_all_init_domains_transition',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 439e70c..1df98c0 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -362,141 +362,125 @@ class dir { getattr search read write add_name remove_name };
 ########################################
 #
-# files_read_general_shared_resources(domain,[`optional'])
+# files_list_home_directories(type,[`optional'])
 #
-define(`files_read_general_shared_resources',`
-requires_block_template(files_read_general_shared_resources_depend,$2)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
+define(`files_list_home_directories',`
+requires_block_template(files_list_home_directories_depend,$2)
+allow $1 home_root_t:dir { getattr search read };
 ')
-define(`files_read_general_shared_resources_depend',`
-type usr_t;
+define(`files_list_home_directories_depend',`
+type home_root_t;
 class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
 ')
 ########################################
 #
-# files_manage_pseudorandom_saved_seed(domain,[`optional'])
+# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
 #
-define(`files_manage_pseudorandom_saved_seed',`
-requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 var_lib_t:file { getattr create read write setattr unlink };
+define(`files_create_private_tmp_data',`
+requires_block_template(files_create_private_tmp_data_depend,$2)
+allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 tmp_t:file $2;
+',`
+type_transition $1 tmp_t:$3 $2;
+')
+typeattribute $1 tmpfile;
 ')
-define(`files_manage_pseudorandom_saved_seed_depend',`
-type usr_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create read write setattr unlink };
+define(`files_create_private_tmp_data_depend',`
+attribute tmpfile;
+type tmp_t;
+class dir { getattr search read write add_name };
 ')
 ########################################
 #
-# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
+# files_remove_all_tmp_data(domain,[`optional'])
 #
-define(`files_create_daemon_runtime_data',`
-requires_block_template(files_create_daemon_runtime_data_depend,$4)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_run_t:file $2;
-',`
-type_transition $1 var_run_t:$3 $2;
-') dnl end ifelse
-typeattribute $1 pidfile;
+define(`files_remove_all_tmp_data',`
+requires_block_template(files_remove_all_tmp_data_depend,$2)
+allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
+allow $1 tmpfile:file { getattr unlink };
+allow $1 tmpfile:lnk_file { getattr unlink };
+allow $1 tmpfile:fifo_file { getattr unlink };
+allow $1 tmpfile:sock_file { getattr unlink };
 ')
-define(`files_create_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name };
+define(`files_remove_all_tmp_data_depend',`
+attribute tmpfile;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class fifo_file { getattr unlink };
+class sock_file { getattr unlink };
 ')
 ########################################
 #
-# files_modify_system_runtime_data(domain,[`optional'])
+# files_read_general_application_resources(domain,[`optional'])
 #
-define(`files_modify_system_runtime_data',`
-requires_block_template(files_modify_system_runtime_data_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read };
-allow $1 var_run_t:file { getattr read write };
+define(`files_read_general_application_resources',`
+requires_block_template(files_read_general_application_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
 ')
-define(`files_modify_system_runtime_data_depend',`
-type var_t, var_run_t;
+define(`files_read_general_application_resources_depend',`
+type usr_t;
 class dir { getattr search read };
-class file { getattr read write };
+class file { getattr read };
+class lnk_file { getattr read };
 ')
 ########################################
 #
-# files_remove_all_daemon_runtime_data(domain,[`optional'])
+# files_read_system_source_code(domain)
 #
-define(`files_remove_all_daemon_runtime_data',`
-requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
-allow $1 var_run_t:dir rmdir;
-allow $1 pidfile:dir { getattr search read write add_name remove_name };
-allow $1 pidfile:file { getattr unlink };
-allow $1 pidfile:sock_file { getattr unlink };
+define(`files_read_system_source_code',`
+requires_block_template(files_read_system_source_code_depend)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:{ file lnk_file } { getattr read };
 ')
-define(`files_remove_all_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class sock_file { getattr unlink };
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
 ')
 ########################################
 #
-# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+# files_search_system_state_data_directory(domain)
 #
-define(`files_create_private_tmp_data',`
-requires_block_template(files_create_private_tmp_data_depend,$2)
-allow $1 tmp_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 tmp_t:file $2;
-',`
-type_transition $1 tmp_t:$3 $2;
-')
-typeattribute $1 tmpfile;
+define(`files_search_system_state_data_directory',`
+requires_block_template(files_search_system_state_data_directory_depend)
+allow $1 var_t:dir search;
 ')
-define(`files_create_private_tmp_data_depend',`
-attribute tmpfile;
-type etc_t;
-class dir { getattr search read write add_name };
+define(`files_search_system_state_data_directory_depend',`
+type var_t;
+class dir search;
 ')
 ########################################
 #
-# files_remove_all_tmp_data(domain,[`optional'])
+# files_manage_pseudorandom_saved_seed(domain)
 #
-define(`files_remove_all_tmp_data',`
-requires_block_template(files_remove_all_tmp_data_depend,$2)
-allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
-allow $1 tmpfile:file { getattr unlink };
-allow $1 tmpfile:lnk_file { getattr unlink };
-allow $1 tmpfile:fifo_file { getattr unlink };
-allow $1 tmpfile:sock_file { getattr unlink };
+define(`files_manage_pseudorandom_saved_seed',`
+requires_block_template(files_manage_pseudorandom_saved_seed_depend)
+allow $1 var_t:dir search;
+allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
-define(`files_remove_all_tmp_data_depend',`
-attribute tmpfile;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class fifo_file { getattr unlink };
-class sock_file { getattr unlink };
+define(`files_manage_pseudorandom_saved_seed_depend',`
+type var_t, var_lib_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write setattr unlink };
 ')
 ########################################
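Review bot: `files_create_private_tmp_data` allows `tmp_t:dir { getattr search read write add_name remove_name }` but its `_depend` block, now placed near the top of this hunk, declares only `class dir { getattr search read write add_name };`, so `remove_name` is used without being listed in the requires block; the depend line should be `class dir { getattr search read write add_name remove_name };`. The interface only moves within this hunk, so the mismatch predates the commit, but the commit already corrects the same depend block's stray `type etc_t` to `type tmp_t`, and this belongs in that fix. Separately, `files_read_system_source_code`, `files_search_system_state_data_directory` and `files_manage_pseudorandom_saved_seed` are now documented as `(domain)` and no longer pass `$2`, while `files_list_home_directories`, `files_create_private_tmp_data`, `files_remove_all_tmp_data` and `files_read_general_application_resources` in the same hunk keep `[`optional']`/`$2`; if the optional argument is being retired, a short comment at the top of the file saying which interfaces still honour it would spare callers a guess.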
@@ -533,50 +517,92 @@ class file { getattr unlink };
 ########################################
 #
-# files_read_general_system_resources(domain,[`optional'])
+# files_search_runtime_data_directory(domain)
 #
-define(`files_read_general_system_resources',`
-requires_block_template(files_read_general_system_resources_depend,$2)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
+define(`files_search_runtime_data_directory',`
+requires_block_template(files_search_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir search;
 ')
-define(`files_read_general_system_resources_depend',`
-type usr_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+define(`files_search_runtime_data_directory_depend',`
+type var_t, var_run_t;
+class dir search;
 ')
 ########################################
 #
-# files_read_system_source_code(type,[`optional'])
+# files_read_runtime_data_directory(domain)
 #
-define(`files_read_system_source_code',`
-requires_block_template(files_read_system_source_code_depend,$2)
-allow $1 usr_t:dir search;
-allow $1 src_t:dir { getattr search read };
-allow $1 src_t:{ file lnk_file } { getattr read };
+define(`files_read_runtime_data_directory',`
+requires_block_template(files_read_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
 ')
-define(`files_read_system_source_code_depend',`
-type usr_t, src_t;
+define(`files_read_runtime_data_directory_depend',`
+type var_t, var_run_t;
 class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
 ')
 ########################################
 #
-# files_list_home_directories(type,[`optional'])
+# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
 #
-define(`files_list_home_directories',`
-requires_block_template(files_list_home_directories_depend,$2)
-allow $1 home_root_t:dir { getattr search read };
+define(`files_create_daemon_runtime_data',`
+requires_block_template(files_create_daemon_runtime_data_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_run_t:file $2;
+',`
+type_transition $1 var_run_t:$3 $2;
+') dnl end ifelse
+typeattribute $1 pidfile;
 ')
-define(`files_list_home_directories_depend',`
-type home_root_t;
+define(`files_create_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_modify_system_runtime_data(domain,[`optional'])
+#
+define(`files_modify_system_runtime_data',`
+requires_block_template(files_modify_system_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
+allow $1 var_run_t:file { getattr read write };
+')
+
+define(`files_modify_system_runtime_data_depend',`
+type var_t, var_run_t;
 class dir { getattr search read };
+class file { getattr read write };
+')
+
+########################################
+#
+# files_remove_all_daemon_runtime_data(domain,[`optional'])
+#
+define(`files_remove_all_daemon_runtime_data',`
+requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+allow $1 var_run_t:dir rmdir;
+allow $1 pidfile:dir { getattr search read write add_name remove_name };
+allow $1 pidfile:file { getattr unlink };
+allow $1 pidfile:sock_file { getattr unlink };
+')
+define(`files_remove_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class sock_file { getattr unlink };
 ')
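Review bot: `files_remove_all_daemon_runtime_data` and its `_depend` macro are emitted back to back at the end of this hunk, `+')` followed directly by `+define(`files_remove_all_daemon_runtime_data_depend',``, whereas every other interface in the hunk separates the body from its depend block with a blank line; adding the blank line keeps the file's layout uniform. The second-argument convention is also mixed within the hunk: `files_search_runtime_data_directory`, `files_read_runtime_data_directory` and `files_create_daemon_runtime_data` now take `(domain)` only, while `files_modify_system_runtime_data` and `files_remove_all_daemon_runtime_data` still advertise `[`optional']` and pass `$2`; if the optional parameter is being retired those two should follow, otherwise a one-line comment on each saying why they differ would help.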
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 60a3bea..47d4a83 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -2,10 +2,10 @@
 ########################################
 #
-# init_transition(domain,[`optional'])
+# init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(init_transition_depend,$2)
+requires_block_template(init_transition_depend)
 allow $1 init_exec_t:file { getattr read execute };
 allow $1 init_t:process transition;
 type_transition $1 init_exec_t:file init_t;
@@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
 ########################################
 #
-# init_get_control_channel_attributes(domain,[`optional'])
+# init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(init_get_control_channel_attributes_depend,$2)
+requires_block_template(init_get_control_channel_attributes_depend)
 allow $1 initctl_t:fifo_file getattr;
 ')
@@ -63,10 +63,10 @@ class fifo_file { read write };
 ########################################
 #
-# init_sigchld(domain,[`optional'])
+# init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(init_sigchld_depend,$2)
+requires_block_template(init_sigchld_depend)
 allow $1 init_t:process sigchld;
 ')
@@ -77,10 +77,10 @@ class process sigchld;
 ########################################
 #
-# init_use_file_descriptors(domain,[`optional'])
+# init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(init_use_file_descriptors_depend,$2)
+requires_block_template(init_use_file_descriptors_depend)
 allow $1 init_t:fd use;
 ')
@@ -91,10 +91,10 @@ class fd use;
 ########################################
 #
-# init_ignore_use_file_descriptors(domain,[`optional'])
+# init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(init_ignore_use_file_descriptors_depend,$2)
+requires_block_template(init_ignore_use_file_descriptors_depend)
 dontaudit $1 init_t:fd use;
 ')
@@ -105,10 +105,10 @@ class fd use;
 ########################################
 #
-# init_script_transition(domain,[`optional'])
+# init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(init_script_transition_depend,$2)
+requires_block_template(init_script_transition_depend)
 allow $1 initrc_exec_t:file { getattr read execute };
 allow $1 initrc_t:process transition;
 type_transition $1 initrc_exec_t:process init_t;
@@ -123,10 +123,30 @@ class process { transition noatsecure siginh rlimitinh };
 ########################################
 #
-# init_script_use_file_descriptors(domain,[`optional'])
+# init_script_direct_admin_transition(role,domain)
+#
+define(`init_script_direct_admin_transition',`
+requires_block_template(init_script_direct_admin_transition_depend)
+allow $2 initrc_exec_t:file { getattr read execute };
+allow $2 initrc_t:process transition;
+type_transition $2 initrc_exec_t:file init_t;
+role_transition $1 initrc_exec_t system_r;
+dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_direct_admin_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+kernel_system_role_transition_depend
+')
+
+########################################
+#
+# init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(init_script_use_file_descriptors_depend,$2)
+requires_block_template(init_script_use_file_descriptors_depend)
 allow $1 initrc_t:fd use;
 ')
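Review bot: `type_transition $2 initrc_exec_t:file init_t;` in the new `init_script_direct_admin_transition` is not a domain transition: a domain transition is declared on the `process` class, and its target should be the domain the preceding `allow $2 initrc_t:process transition;` permits, so the line presumably should be `type_transition $2 initrc_exec_t:process initrc_t;`, with the following `dontaudit $2 init_t:process { noatsecure siginh rlimitinh };` changed to `dontaudit $2 initrc_t:process { noatsecure siginh rlimitinh };` for the same reason; note the `_depend` block declares `initrc_t` and `initrc_exec_t` but not `init_t`, which points the same way. The macro is moved up from the last hunk of this file, so the commit carries the mismatch rather than introduces it, but this is the place to fix it. The unchanged `type_transition $1 initrc_exec_t:process init_t;` in `init_script_transition` above uses the right class but the same doubtful `init_t` target, and `type_transition $1 init_exec_t:file init_t;` in `init_transition` in the previous hunk group has the class problem, so all three deserve one pass and a comment noting that the `:process` form is the domain-transition rule.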
@@ -137,10 +157,10 @@ class fd use;
 ########################################
 #
-# init_script_use_pseudoterminal(domain,[`optional'])
+# init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(init_script_use_pseudoterminal_depend,$2)
+requires_block_template(init_script_use_pseudoterminal_depend)
 allow $1 initrc_devpts_t:chr_file { read write };
 ')
@@ -151,20 +171,44 @@ class chr_file { read write };
 ########################################
 #
-# init_script_direct_admin_transition(role,domain,[`optional'])
+# init_script_read_runtime_data(domain)
 #
-define(`init_script_direct_admin_transition',`
-requires_block_template(init_script_direct_admin_transition_depend,$2)
-allow $2 initrc_exec_t:file { getattr read execute };
-allow $2 initrc_t:process transition;
-type_transition $2 initrc_exec_t:file init_t;
-kernel_system_role_transition($1,initrc_exec_t,optional)
-dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+define(`init_script_read_runtime_data',`
+requires_block_template(init_script_read_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read };
 ')
-define(`init_script_direct_admin_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
-kernel_system_role_transition_depend
+define(`init_script_read_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read };
+')
+
+########################################
+#
+# init_script_modify_runtime_data(domain)
+#
+define(`init_script_modify_runtime_data',`
+requires_block_template(init_script_modify_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
+')
+
+########################################
+#
+# init_script_ignore_modify_runtime_data(domain)
+#
+define(`init_script_ignore_modify_runtime_data',`
+requires_block_template(init_script_ignore_modify_runtime_data_depend)
+dontaudit $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_ignore_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
 ')
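Review bot: The new `init_script_read_runtime_data_depend` and `init_script_modify_runtime_data_depend` blocks list only `initrc_var_run_t` and the file permissions, although both macro bodies also call `files_read_runtime_data_directory($1)`; the diff shows two conventions for such nested calls, with `init_script_direct_admin_transition_depend` in the earlier hunk keeping `kernel_system_role_transition_depend` while `logging_make_log_file_depend` in logging.if drops `files_make_file_depend` in this same commit. Whichever is intended, a one-line comment near the top of init.if stating whether `_depend` blocks carry the requirements of nested interface calls would stop the next interface from guessing. The `_ignore_modify_` variant omits the directory call, which is consistent with it only adding a dontaudit rule.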
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9c39f90..228350d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -251,7 +251,7 @@ files_read_general_system_config(initrc_t)
 files_create_runtime_system_config(initrc_t)
 files_manage_system_lock_files(initrc_t)
 files_execute_system_config_script(initrc_t)
-files_read_general_shared_resources(initrc_t)
+files_read_general_application_resources(initrc_t)
 files_manage_pseudorandom_saved_seed(initrc_t)
 corecommands_execute_general_programs(initrc_t)
@@ -289,6 +289,11 @@ files_create_boot_flag(initrc_t)
 bootloader_create_runtime_data(initrc_t)
 ')
+optional_policy(`authlogin.te',`
+authlogin_pam_read_runtime_data(initrc_t)
+authlogin_pam_remove_runtime_data(initrc_t)
+')
+
 ifdef(`TODO',`
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index e121acd..e283ec2 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -17,3 +17,17 @@ type local_login_t, login_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
+
+########################################
+#
+# locallogin_use_file_descriptors(domain,[`optional'])
+#
+define(`locallogin_use_file_descriptors',`
+requires_block_template(locallogin_use_file_descriptors_depend,$2)
+allow $1 local_login_t:fd use;
+')
+
+define(`locallogin_use_file_descriptors_depend',`
+type local_login_t;
+class fd use;
+')
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index ab50a27..2ed2cd6 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
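Review bot: The new `locallogin_use_file_descriptors` interface in locallogin.if is written in the old form, documenting a second optional argument and passing `$2` to `requires_block_template`, which is exactly the signature this commit strips from every interface in init.if and logging.if. For consistency its two lines should read `# locallogin_use_file_descriptors(domain)` and `requires_block_template(locallogin_use_file_descriptors_depend)`. In the init.te hunk, the new `optional_policy(`authlogin.te',` block grants initrc_t removal rights over PAM runtime data with no comment on why; a line such as `# init scripts clean up stale PAM runtime data` above it would record the intent, if that is indeed the reason.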
@@ -2,25 +2,24 @@
 #######################################
 #
-# logging_make_log_file(type,[`optional'])
+# logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(logging_make_log_file_depend,$2)
-files_make_file($1,optional)
+requires_block_template(logging_make_log_file_depend)
+files_make_file($1)
 typeattribute $1 logfile;
 ')
 define(`logging_make_log_file_depend',`
 attribute logfile;
-files_make_file_depend
 ')
 #######################################
 #
-# logging_send_system_log_message(type,[`optional'])
+# logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(logging_send_system_log_message_depend,$2)
+requires_block_template(logging_send_system_log_message_depend)
 allow $1 devlog_t:lnk_file read;
 allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
 # the type of socket depends on the syslog daemon
@@ -39,10 +38,26 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 #######################################
 #
-# logging_append_all_logs(type,[`optional'])
+# logging_search_system_log_directory(domain)
+#
+define(`logging_search_system_log_directory',`
+requires_block_template(logging_search_system_log_directory_depend)
+files_search_system_state_data_directory($1)
+allow $1 var_log_t:dir search;
+')
+
+define(`logging_search_system_log_directory_depend',`
+type var_log_t;
+class dir search;
+')
+
+#######################################
+#
+# logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(logging_append_all_logs_depend,$2)
+requires_block_template(logging_append_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr append };
 ')
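Review bot: The header comment for `logging_make_log_file` is changed to `# logging_make_log_file(domain)`, but the macro body applies `typeattribute $1 logfile` and `files_make_file($1)`, so its argument is a file type rather than a domain; the original `(type)` wording was correct for this interface and should stay while the rest are renamed. The other header changes in this hunk (`logging_send_system_log_message`, `logging_append_all_logs`) do take a domain and are fine. Separately, `logging_make_log_file_depend` drops `files_make_file_depend` while the body still calls `files_make_file($1)`; if `requires_block_template` is meant to pull in the requirements of nested calls, that line is still needed.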
@@ -56,10 +71,11 @@ class file { getattr append };
 #######################################
 #
-# logging_read_all_logs(type,[`optional'])
+# logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(logging_read_all_logs_depend,$2)
+requires_block_template(logging_read_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr read };
 ')
@@ -73,10 +89,11 @@ class file { getattr read };
 #######################################
 #
-# logging_modify_system_logs(type,[`optional'])
+# logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(logging_modify_system_logs_depend,$2)
+requires_block_template(logging_modify_system_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 var_log_t:file { getattr read write append };
 ')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 56b4ec8..2c2d346 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -72,7 +72,7 @@ filesystem_get_persistent_filesystem_attributes(insmod_t)
 files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
-files_read_general_shared_resources(insmod_t)
+files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)
 domain_signal_all_domains(insmod_t)
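Review bot: The rewritten header lines `# logging_read_all_logs(domain)` and `# logging_modify_system_logs(domain)` give only the signature, yet the two interfaces differ in scope in a way callers need to know: read_all_logs covers every file carrying the `logfile` attribute (`allow $1 logfile:file { getattr read }`), whereas modify_system_logs covers only files typed `var_log_t` but grants `write` as well as `append`. A one-line description under each signature, e.g. `# read any file with the logfile attribute` and `# read/write/append files typed var_log_t only`, would help a caller pick the least privilege it needs. The permission lines themselves are context here, so the distinction predates this commit.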