diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 7ee01bc..897620a 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -30,6 +30,11 @@ gen_tunable(cron_can_relabel,false) ## gen_tunable(fcron_crond,false) +## +## Allow gpg executable stack +## +gen_tunable(allow_gpg_execstack,false) + ## ## Allow reading of default_t files. ## @@ -72,6 +77,11 @@ gen_tunable(user_dmesg,false) ## gen_tunable(user_net_control,false) +## +## Control users use of ping and traceroute +## +gen_tunable(user_ping,false) + ## ## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) ## diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 9f4348a..a49a055 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -73,21 +73,7 @@ allow consoletype_t nfs_t:file write; allow consoletype_t crond_t:fifo_file r_file_perms; allow consoletype_t system_crond_t:fd use; -optional_policy(`ypbind.te', ` -if (allow_ypbind) { -can_network(consoletype_t) -r_dir_file(consoletype_t,var_yp_t) -corenet_tcp_bind_generic_port(consoletype_t) -corenet_udp_bind_generic_port(consoletype_t) -corenet_tcp_bind_reserved_port(consoletype_t) -corenet_udp_bind_reserved_port(consoletype_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t) -corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t) -dontaudit consoletype_t self:capability net_bind_service; -} else { -dontaudit consoletype_t var_yp_t:dir search; -} -') dnl end ypbind optional_policy +can_ypbind(consoletype_t) optional_policy(`automount.te', ` allow consoletype_t autofs_t:dir { search getattr }; diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 6f9995b..ce6656f 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -24,11 +24,6 @@ type traceroute_exec_t; init_system_domain(traceroute_t,traceroute_exec_t) role system_r types traceroute_t; -# -# Control users use of ping and traceroute -# -bool user_ping false; - ######################################## # # Netutils local policy @@ -129,10 +124,10 @@ sysnet_read_config(ping_t) logging_send_syslog_msg(ping_t) -if (user_ping) { +tunable_policy(`user_ping',` term_use_all_user_ttys(ping_t) term_use_all_user_ptys(ping_t) -} +') ifdef(`TODO',` can_ypbind(ping_t) @@ -143,10 +138,11 @@ allow ping_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') in_user_role(ping_t) -if (user_ping) { +tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') -} +') + ') dnl end TODO ######################################## @@ -192,10 +188,10 @@ dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) -if (user_ping) { +tunable_policy(`user_ping',` term_use_all_user_ttys(traceroute_t) term_use_all_user_ptys(traceroute_t) -} +') ifdef(`TODO',` role sysadm_r types traceroute_t; @@ -210,9 +206,9 @@ allow traceroute_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') in_user_role(traceroute_t) -if (user_ping) { +tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) -} +') #rules needed for nmap dontaudit traceroute_t userdomain:dir search; diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 0af217d..4e3a53a 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -94,14 +94,14 @@ define(`gpg_per_userdomain_template',` sysnet_read_config($1_gpg_t) # Legacy - if (allow_gpg_execstack) { + tunable_policy(`allow_gpg_execstack',` allow $1_gpg_t self:process execmem; libs_legacy_use_shared_libs($1_gpg_t) libs_legacy_use_ld_so($1_gpg_t) miscfiles_legacy_read_localization($1_gpg_t) # Not quite sure why this is needed... allow $1_gpg_t gpg_exec_t:file execmod; - } + ') ifdef(`TODO',` @@ -134,12 +134,12 @@ define(`gpg_per_userdomain_template',` # allow the usual access to /tmp file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) - if (use_nfs_home_dirs) { + tunable_policy(`use_nfs_home_dirs',` create_dir_file($1_gpg_t, nfs_t) - } - if (use_samba_home_dirs) { + ') + tunable_policy(`use_samba_home_dirs',` create_dir_file($1_gpg_t, cifs_t) - } + ') rw_dir_create_file($1_gpg_t, $1_file_type) @@ -199,12 +199,12 @@ define(`gpg_per_userdomain_template',` ifdef(`TODO',` - if (use_nfs_home_dirs) { + tunable_policy(`use_nfs_home_dirs',` dontaudit $1_gpg_helper_t nfs_t:file { read write }; - } - if (use_samba_home_dirs) { + ') + tunable_policy(`use_samba_home_dirs',` dontaudit $1_gpg_helper_t cifs_t:file { read write }; - } + ') # communicate with the user allow $1_gpg_helper_t $1_t:fd use; @@ -261,12 +261,12 @@ define(`gpg_per_userdomain_template',` # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) - if (use_nfs_home_dirs) { + tunable_policy(`use_nfs_home_dirs',` create_dir_file($1_gpg_agent_t, nfs_t) - } - if (use_samba_home_dirs) { + ') + tunable_policy(`use_samba_home_dirs',` create_dir_file($1_gpg_agent_t, cifs_t) - } + ') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; @@ -327,19 +327,19 @@ define(`gpg_per_userdomain_template',` dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; dontaudit $1_gpg_pinentry_t $1_home_t:file write; - if (use_nfs_home_dirs) { + tunable_policy(`use_nfs_home_dirs',` allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; allow $1_gpg_pinentry_t nfs_t:file r_file_perms; dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; dontaudit $1_gpg_pinentry_t nfs_t:file write; - } + ') - if (use_samba_home_dirs) { + tunable_policy(`use_samba_home_dirs',` allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; allow $1_gpg_pinentry_t cifs_t:file r_file_perms; dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; dontaudit $1_gpg_pinentry_t cifs_t:file write; - } + ') dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; ') dnl end TODO diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te index 0bc46d2..15154b9 100644 --- a/refpolicy/policy/modules/apps/gpg.te +++ b/refpolicy/policy/modules/apps/gpg.te @@ -6,9 +6,6 @@ policy_module(gpg, 1.0) # Declarations # -# Allow gpg exec stack -bool allow_gpg_execstack false; - # Type for gpg or pgp executables. type gpg_exec_t; type gpg_helper_exec_t; diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 2b89a8d..6aaf240 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -116,9 +116,9 @@ define(`mta_per_userdomain_template',` # Create dead.letter in user home directories. file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) - if (use_samba_home_dirs) { + tunable_policy(`use_samba_home_dirs',` rw_dir_create_file($1_mail_t, cifs_t) - } + ') # if you do not want to allow dead.letter then use the following instead #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index bde3757..3d00299 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -92,10 +92,10 @@ allow remote_login_t bin_t:dir r_dir_perms; allow remote_login_t bin_t:notdevfile_class_set r_file_perms; allow remote_login_t sbin_t:dir r_dir_perms; allow remote_login_t sbin_t:notdevfile_class_set r_file_perms; -if (read_default_t) { +tunable_policy(`read_default_t',` allow remote_login_t default_t:dir r_dir_perms; allow remote_login_t default_t:notdevfile_class_set r_file_perms; -} +') # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. @@ -116,13 +116,13 @@ dontaudit remote_login_t sysfs_t:dir search; allow remote_login_t autofs_t:dir r_dir_perms; allow remote_login_t mnt_t:dir r_dir_perms; -if (use_nfs_home_dirs) { -r_dir_file(remote_login_t, nfs_t) -} +tunable_policy(`use_nfs_home_dirs',` + r_dir_file(remote_login_t, nfs_t) +') -if (use_samba_home_dirs) { -r_dir_file(remote_login_t, cifs_t) -} +tunable_policy(`use_samba_home_dirs',` + r_dir_file(remote_login_t, cifs_t) +') # FIXME: what is this for? ifdef(`xdm.te', ` diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 6745937..e93ac69 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -124,10 +124,11 @@ allow local_login_t bin_t:dir r_dir_perms; allow local_login_t bin_t:notdevfile_class_set r_file_perms; allow local_login_t sbin_t:dir r_dir_perms; allow local_login_t sbin_t:notdevfile_class_set r_file_perms; -if (read_default_t) { + +tunable_policy(`read_default_t',` allow local_login_t default_t:dir r_dir_perms; allow local_login_t default_t:notdevfile_class_set r_file_perms; -} +') # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. @@ -182,13 +183,14 @@ allow local_login_t sound_device_t:chr_file { getattr setattr }; # Allow setting of attributes on power management devices. allow local_login_t power_device_t:chr_file { getattr setattr }; -#if (use_nfs_home_dirs) { -#r_dir_file(local_login_t, nfs_t) -#} +tunable_policy(`use_nfs_home_dirs',` + r_dir_file(local_login_t, nfs_t) +') + +tunable_policy(`use_samba_home_dirs',` + r_dir_file(local_login_t, cifs_t) +') -#if (use_samba_home_dirs) { -#r_dir_file(local_login_t, cifs_t) -#} ') dnl endif TODO ################################# diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 2b3d1c5..d1118e7 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -238,10 +238,10 @@ define(`base_user_domain',` # /initrd is left mounted, various programs try to look at it dontaudit $1_t ramfs_t:dir getattr; - if (read_default_t) { + tunable_policy(`read_default_t',` allow $1_t default_t:dir r_dir_perms; allow $1_t default_t:notdevfile_class_set r_file_perms; - } + ') # # Running ifconfig as a user generates the following @@ -254,10 +254,10 @@ define(`base_user_domain',` can_ypbind($1_t) - if (allow_execmod) { + tunable_policy(`allow_execmod',` # Allow text relocations on system shared libraries, e.g. libGL. allow $1_t texrel_shlib_t:file execmod; - } + ') allow $1_t fs_type:dir getattr; @@ -275,17 +275,19 @@ define(`base_user_domain',` allow $1_t autofs_t:dir { getattr search }; can_exec($1_t, { removable_t noexattrfile } ) - if (user_rw_noexattrfile) { + + tunable_policy(`user_rw_noexattrfile',` create_dir_file($1_t, noexattrfile) create_dir_file($1_t, removable_t) # Write floppies allow $1_t removable_device_t:blk_file rw_file_perms; allow $1_t usbtty_device_t:chr_file write; - } else { + ',` r_dir_file($1_t, noexattrfile) r_dir_file($1_t, removable_t) allow $1_t removable_device_t:blk_file r_file_perms; - } + ') + allow $1_t usbtty_device_t:chr_file read; can_exec($1_t, noexattrfile) @@ -526,15 +528,15 @@ define(`user_domain_template', ` ') ifdef(`ftpd.te', ` - if (ftp_home_dir) { + tunable_policy(`ftp_home_dir',` file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) - } + ') ') - if (read_default_t) { + tunable_policy(`read_default_t',` allow $1 default_t:dir r_dir_perms; allow $1 default_t:notdevfile_class_set r_file_perms; - } + ') can_exec($1_t, usr_t) @@ -557,11 +559,11 @@ define(`user_domain_template', ` allow $1_t var_lib_t:file { getattr read }; # Allow users to rw usb devices - if (user_rw_usb) { + tunable_policy(`user_rw_usb',` rw_dir_create_file($1_t,usbdevfs_t) - } else { + ',` r_dir_file($1_t,usbdevfs_t) - } + ') # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; @@ -765,10 +767,10 @@ define(`admin_domain_template',` ifdef(`xdm.te', ` ifdef(`xauth.te', ` - if (xdm_sysadm_login) { + tunable_policy(`xdm_sysadm_login',` allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; - } + ') allow $1_t xdm_t:fifo_file rw_file_perms; ') ')