diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index a2e705f..4b11b16 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,8 @@
+- Move some rules out of domain_type() and domain_base_type()
+ to the TE file, to use the domain attribute to take advantage
+ of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+ Petre Rodan.
 - Fix temporary rules at the bottom of portmap.
 - Updated comments in mls file from Chad Hanson.
 - Added modules:
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 35c21eb..2a9c6aa 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -24,7 +24,6 @@ gen_tunable(allow_cvs_read_shadow,false) ## gen_tunable(allow_execheap,false) - ## ##

## Allow making anonymous memory executable, e.g. @@ -147,6 +146,19 @@ gen_tunable(ftpd_is_daemon,false) ## ##

+## Enable reading of urandom for all domains. +##

+##

+## This should be enabled when all programs +## are compiled with ProPolice/SSP +## stack smashing protection. All domains will +## be allowed to read from /dev/urandom. +##

+##
+gen_tunable(global_ssp,false) + +## +##

## Allow httpd to use built in scripting (usually php) ##

##
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 9b8c0f3..e67dd9d 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -28,26 +28,7 @@ interface(`domain_base_type',` attribute domain; ') - # mark as a domain typeattribute $1 domain; - - # allow the domain to read its /proc/pid entries - allow $1 self:dir r_dir_perms; - allow $1 self:lnk_file r_file_perms; - allow $1 self:file rw_file_perms; - - # allow $1 to create child processes in this domain - allow $1 self:process { fork sigchld }; - - ifdef(`targeted_policy',` - # FIXME: - # hack until role dominance is fixed in - # the module compiler - role secadm_r types $1; - role sysadm_r types $1; - role user_r types $1; - role staff_r types $1; - ') ') ######################################## @@ -64,29 +45,24 @@ interface(`domain_type',` # start with basic domain domain_base_type($1) - # Use trusted objects in /dev - dev_rw_null($1) - dev_rw_zero($1) - term_use_controlling_term($1) - - # read the root directory - files_list_root($1) - - # send init a sigchld and signull - init_sigchld($1) - init_signull($1) - ifdef(`targeted_policy',` unconfined_use_fds($1) unconfined_sigchld($1) ') + # send init a sigchld and signull + optional_policy(`init',` + init_sigchld($1) + init_signull($1) + ') + + # these seem questionable: + # allow any domain to connect to the LDAP server optional_policy(`ldap',` ldap_use($1) ') - # these 3 seem highly questionable: optional_policy(`rpm',` rpm_use_fds($1) rpm_read_pipes($1) diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index acc6267..ae56c65 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te 
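Review bot: After this hunk domain_base_type() appears to keep only `typeattribute $1 domain;`, but the `# mark as a domain` comment is deleted together with the moved rules, so a reader of the interface can no longer see where the self:dir/file, fork and targeted-policy role rules now come from. Keep a pointer comment above the remaining line, `# mark as a domain; rules common to all domains are applied to the domain attribute in domain.te`. The interface header and its doc block start above the hunk, so the summary there may need the same pointer.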
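Review bot: The relocated `# these seem questionable:` comment in domain_type() now sits only above the ldap block, so the rpm block that follows (rpm_use_fds, rpm_read_pipes), which the deleted `# these 3 seem highly questionable:` also covered, now reads as an intended grant for every domain. If rpm fd and pipe use by all domains is still doubtful, repeat the flag there, e.g. `# questionable: allow any domain to use rpm fds and pipes`. domain_type()'s body continues past the end of the hunk, so the third rule the old comment referred to may lie below it; the new `optional_policy(`init',` wrapper is fine, but its `# send init a sigchld and signull` comment could say the grant now depends on the init module being present.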
@@ -65,3 +65,46 @@ attribute process_uncond_exempt;
 # add userhelperdomain to this one
 neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
 neverallow ~{ domain unlabeled_t } *:process *;
+
+########################################
+#
+# Rules applied to all domains
+#
+
+# read /proc/pid entries
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:file rw_file_perms;
+
+# create child processes in the domain
+allow domain self:process { fork sigchld };
+
+# Use trusted objects in /dev
+dev_rw_null(domain)
+dev_rw_zero(domain)
+term_use_controlling_term(domain)
+
+# list the root directory
+files_list_root(domain)
+
+ifdef(`targeted_policy',`
+ # RBAC is disabled in the targeted policy,
+ # as only one role is used, system_r.
+ role system_r types domain;
+
+ # FIXME:
+ # workaround until role dominance is fixed in
+ # the module compiler
+ role secadm_r types domain;
+ role sysadm_r types domain;
+ role user_r types domain;
+ role staff_r types domain;
+')
+
+tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+ # this should be enabled when all programs
+ # are compiled with ProPolice/SSP
+ # stack smashing protection.
+ dev_read_urand(domain)
+')
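Review bot: The targeted_policy block adds `role system_r types domain;`, which is not a straight move of the four role rules deleted from domain_base_type() in domain.if (secadm_r, sysadm_r, user_r, staff_r), yet the Changelog entry describes this commit only as moving rules; the new system_r association should be called out there, unless system_r is already associated with the domain attribute elsewhere in domain.te outside this hunk. The `# RBAC is disabled in the targeted policy` comment explains the system_r line only, while the FIXME below it still assigns four other roles, so a reader cannot tell which of the two is the long-term rule; one sentence on which assignment is expected to stay would help. The `tunable_policy(`global_ssp',` block grants every domain read access to urandom with a single rule; since gen_tunable(global_ssp,false) in global_tunables keeps it off by default, the comment here could note that default so the breadth of the grant is obvious to anyone auditing the domain attribute, e.g. `# off by default (global_ssp tunable); grants urandom read to every domain`.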