diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index c1ff4e9..1c751aa 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,6 +67,12 @@ optional_policy(`cron.te',` cron_read_pipe(consoletype_t) ') +optional_policy(`firstboot.te',` + files_read_etc_files(consoletype_t) + firstboot_use_fd(consoletype_t) + firstboot_write_pipe(consoletype_t) +') + +optional_policy(`logrotate.te',` logrotate_dontaudit_use_fd(consoletype_t) ')
@@ -102,8 +108,4 @@ optional_policy(`lpd.te', ` allow consoletype_t printconf_t:file r_file_perms; ') -optional_policy(`firstboot.te', ` -allow consoletype_t firstboot_t:fifo_file write; -') - ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/firstboot.fc b/refpolicy/policy/modules/admin/firstboot.fc
new file mode 100644
index 0000000..6d2e5f8
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.fc
@@ -0,0 +1,5 @@
+# firstboot
+/usr/sbin/firstboot -- context_template(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot context_template(system_u:object_r:firstboot_rw_t,s0)
+/usr/share/firstboot/firstboot\.py -- context_template(system_u:object_r:firstboot_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
new file mode 100644
index 0000000..13678e0
--- /dev/null
+++ b/refpolicy/policy/modules/admin/firstboot.if
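Review bot: `files_read_etc_files(consoletype_t)` is placed inside the `optional_policy(`firstboot.te',`` block, so consoletype's read access to generic /etc files now depends on whether the firstboot module is built, even though that rule references no firstboot type. If the access is only needed on the firstboot code path, say so on the line, e.g. `# /etc read is only needed when started from firstboot`; otherwise move it out of the optional block next to the unconditional rules. The second hunk in this file only drops the superseded TODO rule that the new `firstboot_write_pipe(consoletype_t)` call replaces.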
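Review bot: The `/usr/share/firstboot` entry has no `(/.*)?` suffix, so only the directory itself is labeled `firstboot_rw_t`; entries beneath it other than `firstboot.py` are not matched by this file and fall back to whatever the generic /usr/share rule gives them. If the whole tree is meant to be writable data the pattern should be `/usr/share/firstboot(/.*)? context_template(system_u:object_r:firstboot_rw_t,s0)`; if only the directory is intended, a comment saying so would stop the next reader from "fixing" it. Note also that this writable directory is the parent of the `firstboot_exec_t` entry point, and firstboot.te grants the domain `create_dir_perms` on `firstboot_rw_t:dir`, so the entry point can be replaced from inside the domain; that is tolerable only because the domain is already unconfined, and deserves a comment here.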
@@ -0,0 +1,88 @@
+##
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+##
+
+########################################
+##
+## Execute firstboot in the firstboot domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+
+ allow $1 firstboot_t:fd use;
+ allow firstboot_t $1:fd use;
+ allow firstboot_t $1:fifo_file rw_file_perms;
+ allow firstboot_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the firstboot domain.
+##
+##
+## The type of the terminal allow the firstboot domain to use.
+##
+#
+interface(`firstboot_run',`
+ gen_require(`
+ type firstboot_t;
+ class chr_file rw_term_perms;
+ ')
+
+ firstboot_domtrans($1)
+ role $2 types firstboot_t;
+ allow firstboot_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Inherit and use a file descriptor from firstboot.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_use_fd',`
+ gen_require(`
+ type firstboot_t;
+ class fd use;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+##
+## Write to a firstboot unnamed pipe.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`firstboot_write_pipe',`
+ gen_require(`
+ type firstboot_t;
+ class fifo_file write;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
new file mode 100644
index 0000000..aaf5090
--- /dev/null
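Review bot: `firstboot_domtrans` should state that the target domain is unconfined: firstboot.te applies `unconfined_domain_template(firstboot_t)`, so granting this interface to a domain hands it an unconfined execution path, and the summary should say so, e.g. `## Execute firstboot in the firstboot domain. firstboot_t is currently unconfined, so only administrative callers (via firstboot_run) should be given this transition.` The `firstboot_run` parameter text `The type of the terminal allow the firstboot domain to use.` is missing a word; `The type of the terminal to allow the firstboot domain to use.` reads correctly. `firstboot_use_fd` and `firstboot_write_pipe` follow the same shape as the existing cron and logrotate interfaces and look fine.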
+++ b/refpolicy/policy/modules/admin/firstboot.te 
@@ -0,0 +1,136 @@
+
+policy_module(firstboot,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t,firstboot_exec_t)
+domain_obj_id_change_exempt(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t; #, usercanread;
+files_type(firstboot_etc_t)
+
+type firstboot_rw_t;
+files_type(firstboot_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file { getattr read };
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+files_create_etc_config(firstboot_t,firstboot_rw_t,file)
+
+# The big hammer
+unconfined_domain_template(firstboot_t)
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctl(firstboot_t)
+
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_raw_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_raw_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+corenet_tcp_bind_all_nodes(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_bin(firstboot_t)
+corecmd_exec_sbin(firstboot_t)
+
+domain_exec_all_entry_files(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_read_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_read_script(firstboot_t)
+init_rw_script_pid(firstboot_t)
+
+libs_use_ld_so(firstboot_t)
+libs_use_shared_libs(firstboot_t)
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fd(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_read_module_conf(firstboot_t)
+modutils_read_mods_deps(firstboot_t)
+
+sysnet_manage_config(firstboot_t)
+
+# Add/remove user home directories
+userdom_create_user_home_dir(firstboot_t)
+userdom_manage_user_home_dir(firstboot_t)
+userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_dirs(firstboot_t)
+userdom_manage_user_home_files(firstboot_t)
+userdom_manage_user_home_symlinks(firstboot_t)
+userdom_manage_user_home_pipes(firstboot_t)
+userdom_manage_user_home_sockets(firstboot_t)
+usermanage_domtrans_useradd(firstboot_t)
+usermanage_domtrans_groupadd(firstboot_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_rw_config(firstboot_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(firstboot_t)
+')
+
+ifdef(`TODO',`
+allow firstboot_t proc_t:file write;
+
+ifdef(`printconf.te', `
+ can_exec(firstboot_t, printconf_t)
+')
+
+ifdef(`samba.te', `
+ rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+ifdef(`userhelper.te', `
+ role system_r types sysadm_userhelper_t;
+ domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`xserver.te', `
+ domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index a2a76fe..499c7b1 100644
--- a/refpolicy/policy/modules/services/kerberos.if
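Review bot: `type firstboot_etc_t;` is declared and granted `{ getattr read }`, but nothing in firstboot.fc labels a file with it, so as written it is a dead type; either add the matching file context entry or drop the type and its allow rule, and the trailing `#, usercanread;` fragment on the declaration is a leftover from the old attribute syntax that should go. Because `unconfined_domain_template(firstboot_t)` is applied, the fine-grained rules below it (corenet_*, selinux_compute_*, userdom_manage_user_home_*) add little beyond what the unconfined template already grants; keeping them as a record of what a confined version would need is reasonable, but the `# The big hammer` comment should say so, e.g. `# Unconfined for now; the rules below document the access a confined firstboot_t would need.` The domain also calls `sysnet_manage_config` but not the new `sysnet_create_config`, so once the unconfined template is removed it could not create /etc/resolv.conf with the net_conf_t transition that pcmcia gets in this same commit.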
+++ b/refpolicy/policy/modules/services/kerberos.if @@ -68,7 +68,7 @@ interface(`kerberos_use',` ## Domain allowed access. ## # -interface(`kerberos_read_conf',` +interface(`kerberos_read_config',` gen_require(` type krb5_conf_t; class files r_file_perms; @@ -77,3 +77,21 @@ interface(`kerberos_read_conf',` files_search_etc($1) allow $1 krb5_conf_t:file r_file_perms; ') + +######################################## +## +## Read and write the kerberos configuration file (/etc/krb5.conf). +## +## +## Domain allowed access. +## +# +interface(`kerberos_rw_config',` + gen_require(` + type krb5_conf_t; + class files rw_file_perms; + ') + + files_search_etc($1) + allow $1 krb5_conf_t:file rw_file_perms; +') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 6acc26c..980b8e3 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -546,12 +546,6 @@ interface(`files_create_root',` gen_require(` type root_t; class dir create_dir_perms; - class file create_file_perms; - class lnk_file create_lnk_perms; - class fifo_file create_file_perms; - class sock_file create_file_perms; - class blk_file create_file_perms; - class chr_file create_file_perms; ') allow $1 root_t:dir rw_dir_perms; @@ -1694,6 +1688,24 @@ interface(`files_dontaudit_search_var',` ######################################## ## +## Create, read, write, and delete directories +## in the /var directory. +## +## +## Domain allowed access. +## +# +interface(`files_manage_var_dirs',` + gen_require(` + type var_t; + class dir create_dir_perms; + ') + + allow $1 var_t:dir create_dir_perms; +') + +######################################## +## ## Read files in the /var directory. ## ## 
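Review bot: The new `kerberos_rw_config` requires `class files rw_file_perms;`, but `files` is not an object class; the require should be `class file rw_file_perms;` to match the `allow $1 krb5_conf_t:file rw_file_perms;` it guards, and the policy compiler is likely to reject the emitted require block otherwise. The same misspelling sits in the context lines of `kerberos_read_conf` above, so the new interface copied an existing mistake rather than inventing one, but this is the moment to fix both. The rename `kerberos_read_conf` to `kerberos_read_config` updates no callers in this diff; if any module elsewhere still uses the old name it will fail to build, so the rest of the tree should be checked.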
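Review bot: `files_manage_var_dirs` here, and `files_manage_var_files` and `files_manage_var_symlinks` in the next two hunks, grant create/delete access on the generic `var_t` type, i.e. the top of /var and any entry under it that no more specific module has labeled, and the summaries should make that breadth explicit, e.g. `## Create, read, write, and delete directories directly in /var (type var_t). Prefer a more specific /var/* interface where one exists.` The three new interfaces are consistent with each other (dir `rw_dir_perms` or `create_dir_perms` plus the object-class perms), which is good. The only caller added in this commit is the unconfined firstboot_t, so the new breadth is not yet load-bearing, but future callers will inherit it.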
@@ -1713,6 +1725,25 @@ interface(`files_read_var_files',` ######################################## ## +## Create, read, write, and delete files in the /var directory. +## +## +## Domain allowed access. +## +# +interface(`files_manage_var_files',` + gen_require(` + type var_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + allow $1 var_t:dir rw_dir_perms; + allow $1 var_t:file create_file_perms; +') + +######################################## +## ## Read symbolic links in the /var directory. ## ## @@ -1732,6 +1763,26 @@ interface(`files_read_var_symlink',` ######################################## ## +## Create, read, write, and delete symbolic +## links in the /var directory. +## +## +## Domain allowed access. +## +# +interface(`files_manage_var_symlinks',` + gen_require(` + type var_t; + class dir rw_dir_perms; + class lnk_file create_lnk_perms; + ') + + allow $1 var_t:dir rw_dir_perms; + allow $1 var_t:lnk_file create_lnk_perms; +') + +######################################## +## ## Get the attributes of the /var/lib directory. ## ## diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index a96f5fa..73db9df 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -78,6 +78,10 @@ tunable_policy(`use_dns',` sysnet_read_config(hostname_t) ') +optional_policy(`firstboot.te',` + firstboot_use_fd(hostname_t) +') + optional_policy(`hotplug.te',` hotplug_dontaudit_use_fd(hostname_t) ') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index d93fdc3..9543b93 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -301,6 +301,13 @@ interface(`init_domtrans_script',` ## ## Start and stop daemon programs directly. ## +## +##

+## Start and stop daemon programs directly +## in the traditional "/etc/init.d/daemon start" +## style, and do not require run_init. +##

+##
## ## The type of the process performing this action. ## @@ -324,6 +331,24 @@ interface(`init_run_daemon',` ') ######################################## +## +## Read init scripts. +## +## +## Domain allowed access. +## +# +interface(`init_read_script',` + gen_require(` + type initrc_exec_t; + class file { getattr read }; + ') + + files_list_etc($1) + allow $1 initrc_exec_t:file { getattr read }; +') + +######################################## # # init_exec_script(domain) # @@ -440,8 +465,21 @@ interface(`init_udp_sendto_script',` ') ######################################## -# -# init_use_script_pty(domain) +## +## Read and write the init script pty. +## +## +##
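Review bot: `init_read_script` here and `init_read_script_file` in the later hunk at `@@ -454,6 +492,24 @@` are two new interfaces with the same summary `Read init scripts.` and near-identical bodies (`initrc_exec_t:file { getattr read }` after `files_list_etc`, versus `r_file_perms` after `files_search_etc`); one of them should go, or the summaries should state the intended difference. firstboot.te calls only `init_read_script`, so `init_read_script_file` appears unused in this commit. If both are kept, the `r_file_perms` variant matches the convention of the surrounding interfaces, and `init_read_script` could simply be `init_read_script_file($1)` to avoid two diverging definitions.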

+## Read and write the init script pty. This +## pty is generally opened by the open_init_pty +## portion of the run_init program so that the +## daemon does not require direct access to +## the administrator terminal. +##

+##
+## +## The type of the process performing this action. +## # interface(`init_use_script_pty',` gen_require(` @@ -454,6 +492,24 @@ interface(`init_use_script_pty',` ') ######################################## +## +## Read init scripts. +## +## +## The type of the process performing this action. +## +# +interface(`init_read_script_file',` + gen_require(` + type initrc_exec_t; + class file r_file_perms; + ') + + files_search_etc($1) + allow $1 initrc_exec_t:file r_file_perms; +') + +######################################## # # init_dontaudit_use_script_pty(domain) # diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 8b0620e..509ba51 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -92,6 +92,11 @@ tunable_policy(`use_dns',` sysnet_read_config(iptables_t) ') +optional_policy(`firstboot.te',` + firstboot_use_fd(iptables_t) + firstboot_write_pipe(iptables_t) +') + optional_policy(`modutils.te', ` corecmd_search_sbin(iptables_t) modutils_domtrans_insmod(iptables_t) @@ -118,8 +123,4 @@ rhgb_domain(iptables_t) optional_policy(`gnome-pty-helper.te',` allow iptables_t sysadm_gph_t:fd use; ') - -optional_policy(`firstboot.te', ` - allow iptables_t firstboot_t:fifo_file write; -') ') dnl ifdef TODO diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 28ac24a..133694a 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -104,6 +104,7 @@ miscfiles_read_localization(cardmgr_t) sysnet_domtrans_ifconfig(cardmgr_t) # for /etc/resolv.conf +sysnet_create_config(cardmgr_t) sysnet_manage_config(cardmgr_t) userdom_dontaudit_use_unpriv_user_fd(cardmgr_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index fc7109b..7373da2 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if 
+++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -165,6 +165,24 @@ interface(`sysnet_read_config',` ####################################### ## +## Create files in /etc with the type used for +## the network config files. +## +## +## The type of the process performing this action. +## +# +interface(`sysnet_create_config',` + gen_require(` + type net_conf_t; + class file create_file_perms; + ') + + files_create_etc_config($1,net_conf_t,file) +') + +####################################### +## ## Create, read, write, and delete network config files. ## ## @@ -177,8 +195,7 @@ interface(`sysnet_manage_config',` class file create_file_perms; ') - allow $1 net_conf_t:file r_file_perms; - files_create_etc_config($1,net_conf_t,file) + allow $1 net_conf_t:file create_file_perms; ') ####################################### diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index d3809ef..a7342bd 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
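Review bot: `sysnet_manage_config` silently loses the `files_create_etc_config($1,net_conf_t,file)` call, so existing callers that relied on it to create /etc/resolv.conf with the net_conf_t transition now need `sysnet_create_config` as well; pcmcia.te is updated in this commit, but no other caller is touched here, so the remaining callers should be checked. The summary should mention the split, e.g. `## Create, read, write, and delete network config files. Does not grant creation in /etc; use sysnet_create_config for that.` The `gen_require` of `sysnet_create_config` also lists `class file create_file_perms;` although its body only calls `files_create_etc_config`, so that require line is probably unneeded.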
@@ -1250,105 +1250,232 @@ interface(`userdom_read_all_user_files',` ######################################## ## -## Write all unprivileged users files in /tmp +## Send general signals to unprivileged user domains. ## ## ## The type of the process performing this action. ## # -interface(`userdom_write_unpriv_user_tmp',` +interface(`userdom_signal_unpriv_users',` gen_require(` - attribute user_tmpfile; - class file { getattr write append }; + attribute unpriv_userdomain; + class process signal; ') - allow $1 user_tmpfile:file { getattr write append }; + allow $1 unpriv_userdomain:process signal; ') ######################################## ## -## Inherit the file descriptors from all user domains +## Inherit the file descriptors from unprivileged user domains. ## ## ## The type of the process performing this action. ## # -interface(`userdom_use_all_user_fd',` +interface(`userdom_use_unpriv_users_fd',` gen_require(` - attribute userdomain; + attribute unpriv_userdomain; class fd use; ') - allow $1 userdomain:fd use; + allow $1 unpriv_userdomain:fd use; ') ######################################## ## -## Send general signals to all user domains. +## Do not audit attempts to inherit the +## file descriptors from all user domains. ## ## ## The type of the process performing this action. ## # -interface(`userdom_signal_all_users',` +interface(`userdom_dontaudit_use_unpriv_user_fd',` gen_require(` - attribute userdomain; - class process signal; + attribute unpriv_userdomain; + class fd use; ') - allow $1 userdomain:process signal; + dontaudit $1 unpriv_userdomain:fd use; ') ######################################## ## -## Send general signals to unprivileged user domains. +## Create generic user home directories +## with automatic file type transition. ## ## -## The type of the process performing this action. +## Domain allowed access. 
## # -interface(`userdom_signal_unpriv_users',` +interface(`userdom_create_user_home_dir',` gen_require(` - attribute unpriv_userdomain; - class process signal; + type user_home_dir_t; ') - allow $1 unpriv_userdomain:process signal; + files_create_home_dirs($1,user_home_dir_t) ') ######################################## ## -## Inherit the file descriptors from unprivileged user domains. +## Create, read, write, and delete +## generic user home directories. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # -interface(`userdom_use_unpriv_users_fd',` +interface(`userdom_manage_user_home_dir',` gen_require(` - attribute unpriv_userdomain; - class fd use; + type user_home_dir_t; + class dir create_dir_perms; ') - allow $1 unpriv_userdomain:fd use; + allow $1 user_home_dir_t:dir create_dir_perms; ') ######################################## ## -## Do not audit attempts to inherit the -## file descriptors from all user domains. +## Create objects in generic user home directories +## with automatic file type transition. +## +## +## Domain allowed access. +## +## +## The class of the object to be created. +## If not specified, file is used. +## +# +interface(`userdom_create_user_home',` + gen_require(` + type user_home_dir_t, user_home_t; + class dir rw_dir_perms; + ') + + allow $1 etc_t:dir rw_dir_perms; + ifelse(`$2',`',` + type_transition $1 user_home_dir_t:file user_home_t; + ',` + type_transition $1 user_home_dir_t:$2 user_home_t; + ') +') + +######################################## +## +## Create, read, write, and delete +## subdirectories of generic user +## home directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_manage_user_home_dirs',` + gen_require(` + type user_home_t; + class dir create_dir_perms; + ') + + allow $1 user_home_t:dir create_dir_perms; +') + +######################################## +## +## Create, read, write, and delete files +## in generic user home directories. 
+## +## +## Domain allowed access. +## +# +interface(`userdom_manage_user_home_files',` + gen_require(` + type user_home_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + allow $1 user_home_t:dir rw_dir_perms; + allow $1 user_home_t:file create_file_perms; +') + +######################################## +## +## Create, read, write, and delete symbolic +## links in generic user home directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_manage_user_home_symlinks',` + gen_require(` + type user_home_t; + class dir rw_dir_perms; + class lnk_file create_lnk_perms; + ') + + allow $1 user_home_t:dir rw_dir_perms; + allow $1 user_home_t:lnk_file create_lnk_perms; +') + +######################################## +## +## Create, read, write, and delete named +## pipes in generic user home directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_manage_user_home_pipes',` + gen_require(` + type user_home_t; + class dir rw_dir_perms; + class fifo_file create_file_perms; + ') + + allow $1 user_home_t:dir rw_dir_perms; + allow $1 user_home_t:fifo_file create_file_perms; +') + +######################################## +## +## Create, read, write, and delete named +## sockets in generic user home directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_manage_user_home_sockets',` + gen_require(` + type user_home_t; + class dir rw_dir_perms; + class sock_file create_file_perms; + ') + + allow $1 user_home_t:dir rw_dir_perms; + allow $1 user_home_t:sock_file create_file_perms; +') + +######################################## +## +## Write all unprivileged users files in /tmp ## ## ## The type of the process performing this action. 
## # -interface(`userdom_dontaudit_use_unpriv_user_fd',` +interface(`userdom_write_unpriv_user_tmp',` gen_require(` - attribute unpriv_userdomain; - class fd use; + attribute user_tmpfile; + class file { getattr write append }; ') - dontaudit $1 unpriv_userdomain:fd use; + allow $1 user_tmpfile:file { getattr write append }; ') ######################################## @@ -1371,6 +1498,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',` ######################################## ## +## Inherit the file descriptors from all user domains +## +## +## The type of the process performing this action. +## +# +interface(`userdom_use_all_user_fd',` + gen_require(` + attribute userdomain; + class fd use; + ') + + allow $1 userdomain:fd use; +') + +######################################## +## +## Send general signals to all user domains. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_signal_all_users',` + gen_require(` + attribute userdomain; + class process signal; + ') + + allow $1 userdomain:process signal; +') + +######################################## +## ## Unconfined access to user domains. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index b32e891..2ad973e 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -117,6 +117,10 @@ ifdef(`targeted_policy',` clock_run(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`firstboot.te',` + firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) + ') + optional_policy(`fstools.te',` fstools_run(sysadm_t,sysadm_r,admin_terminal) ')
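Review bot: `userdom_create_user_home` contains `allow $1 etc_t:dir rw_dir_perms;`, which grants write access to /etc directories instead of the home directory type the interface is about; `etc_t` is not even in its `gen_require`, so this looks like a copy of `files_create_etc_config`. The line should be `allow $1 user_home_dir_t:dir rw_dir_perms;`, which is what the `type_transition` on `user_home_dir_t` below it needs. Separately, most of this hunk is the existing unpriv/all-user interfaces being moved rather than changed, which makes the genuinely new interfaces hard to review; keeping the existing order would make the diff far smaller.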
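Review bot: `firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)` passes a concrete tty type where the neighbouring `clock_run` and `fstools_run` calls pass `admin_terminal`; unless firstboot must be limited to the sysadm tty specifically, `firstboot_run(sysadm_t,sysadm_r,admin_terminal)` keeps the block consistent and covers the pty case the others handle. If the tty-only restriction is intentional, a comment on the line saying why would help. The enclosing block starts outside the hunk, so whether this sits inside the `targeted_policy` ifdef cannot be confirmed from here.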