diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index eddbb0d..57ab907 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t) fs_getattr_xattr_fs(bootloader_t) term_getattr_all_user_ttys(bootloader_t) +term_dontaudit_manage_pty_dir(bootloader_t) corecmd_exec_bin(bootloader_t) corecmd_exec_sbin(bootloader_t) @@ -149,8 +150,18 @@ ifdef(`distro_debian',` allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; allow bootloader_t boot_t:file relabelfrom; + fs_list_tmpfs(bootloader_t) + + files_relabelto_usr_files(bootloader_t) + files_search_var_lib(bootloader_t) + files_list_script_pids(bootloader_t) # for /usr/share/initrd-tools/scripts files_exec_usr_files(bootloader_t) + + fstools_manage_entry_files(bootloader_t) + fstools_relabelto_entry_files(bootloader_t) + + libs_relabelto_lib_files(bootloader_t) ') ifdef(`distro_redhat',` @@ -204,16 +215,15 @@ optional_policy(`userdomain.te',` ') ifdef(`TODO',` -dontaudit bootloader_t devpts_t:dir create_dir_perms; ifdef(`distro_debian', ` - allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; - allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; - allow bootloader_t tmpfs_t:dir r_dir_perms; - allow bootloader_t initrc_var_run_t:dir r_dir_perms; - allow bootloader_t var_lib_t:dir search; + # cjp: there is no setfscreate or type_transition, and + # bootloader_t cannot rw a usr_t or lib_t directory, so + # how can this work? This is probably rw_file_perms, + # possibly with unlink. Files are probably "created" + # by the above relabeling permissions. + allow bootloader_t { usr_t lib_t }:file create_file_perms; + allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; allow bootloader_t dpkg_var_lib_t:file { getattr read }; - ') - ') dnl end TODO 
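Review bot: The Debian block in the second bootloader.te hunk calls `files_list_script_pids(bootloader_t)`, but the interface this commit adds for that access is `init_list_script_pids` in init.if. Unless a files_ interface of that name already exists outside this diff, the call will not expand to any rule, and the build should fail or the access stays ungranted. The removed TODO rule it replaces, `allow bootloader_t initrc_var_run_t:dir r_dir_perms;`, matches the init.if interface body, so the call should read `init_list_script_pids(bootloader_t)`.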
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 36c1184..15eb72e 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -233,7 +233,7 @@ interface(`term_list_ptys',` ######################################## ## ## Do not audit attempts to read the -## /dev/pts directory to. +## /dev/pts directory. ## ## ## The type of the process to not audit. @@ -250,6 +250,24 @@ interface(`term_dontaudit_list_ptys',` ######################################## ## +## Do not audit attempts to create, read, +## write, or delete the /dev/pts directory. +## +## +## The type of the process to not audit. +## +# +interface(`term_dontaudit_manage_pty_dir',` + gen_require(` + type devpts_t; + class dir create_dir_perms; + ') + + dontaudit $1 devpts_t:dir create_dir_perms; +') + +######################################## +## ## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 576dfde..6acc26c 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1593,6 +1593,23 @@ interface(`files_read_usr_files',` ######################################## ## +## Relabel a file to the type used in /usr. +## +## +## Domain allowed access. +## +# +interface(`files_relabelto_usr_files',` + gen_require(` + type usr_t; + class file relabelto; + ') + + allow $1 usr_t:file relabelto; +') + +######################################## +## ## Read symbolic links in /usr. ## ## diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if index bb2f5fa..f6a52b9 100644 --- a/refpolicy/policy/modules/system/fstools.if +++ b/refpolicy/policy/modules/system/fstools.if 
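Review bot: `dontaudit $1 devpts_t:dir create_dir_perms;` in term_dontaudit_manage_pty_dir silences every denial in that permission set, so attempts by the caller to create, write or remove entries in /dev/pts will no longer appear in the audit log. Neither the interface summary nor the new call in bootloader.te says which program triggers these denials or why they are harmless. I would add a comment at the call site such as `# <program> probes /dev/pts during initrd build; denials are expected` (placeholder, fill in the real trigger). If only a subset of the permissions was ever observed in denials, narrowing the rule to that subset keeps the rest visible to detection.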
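Review bot: The summary of files_relabelto_usr_files does not say that `allow $1 usr_t:file relabelto;` is only the target half of a relabel, which matters because it lets the caller give the trusted usr_t label to any file it can already relabelfrom. I would extend the doc comment to something like `## Relabel a file to the type used in /usr. The caller still needs relabelfrom on the original type.` so that users of the interface review both halves together. The same wording gap applies to libs_relabelto_lib_files in libraries.if and fstools_relabelto_entry_files in fstools.if.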
@@ -65,3 +65,38 @@ interface(`fstools_exec',` can_exec($1,fsadm_exec_t) ') + +######################################## +## +## Relabel a file to the type used by the +## filesystem tools programs. +## +## +## The type of the process performing this action. +## +# +interface(`fstools_relabelto_entry_files',` + gen_require(` + type fsadm_exec_t; + ') + + allow $1 fsadm_exec_t:file relabelto; +') + +######################################## +## +## Create, read, write, and delete a file used by the +## filesystem tools programs. +## +## +## The type of the process performing this action. +## +# +interface(`fstools_manage_entry_files',` + gen_require(` + type fsadm_exec_t; + class file create_file_perms; + ') + + allow $1 fsadm_exec_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index d9c14e9..ad9cce6 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -485,6 +485,24 @@ interface(`init_rw_script_tmp_files',` ') ######################################## +## +## List the contents of an init script +## process id directory. +## +## +## Domain allowed access. +## +interface(`init_list_script_pids',` + gen_require(` + type initrc_var_run_t; + class dir r_dir_perms; + ') + + files_search_pids($1) + allow $1 initrc_var_run_t:dir r_dir_perms; +') + +######################################## # # init_read_script_pid(domain) # diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index d3e8a70..a651e4d 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if 
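Review bot: fstools_relabelto_entry_files requires only `type fsadm_exec_t;` although its rule uses the file class, while the sibling interfaces in this commit (files_relabelto_usr_files, libs_relabelto_lib_files) also declare `class file relabelto;`. The gen_require block here should add that line for consistency. Separately, fstools_manage_entry_files lets the caller create and write files labelled fsadm_exec_t, which the existing `can_exec($1,fsadm_exec_t)` context shows is an executable type. If it is also the entry point of the filesystem-tools domain, as the interface name suggests, the caller can effectively control code run in that domain, and the summary should state this so the interface is granted deliberately.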
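Review bot: The doc block for init_list_script_pids runs straight into the interface line without the bare `#` separator that closes every other interface header added in this commit (compare term_dontaudit_manage_pty_dir and fstools_manage_entry_files). Adding a `#` line before the interface definition keeps the header format uniform for the documentation tooling. Also note that the only caller in this commit, in bootloader.te, uses the name `files_list_script_pids`, so this interface appears to be unused as committed.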
@@ -197,6 +197,23 @@ interface(`libs_exec_lib_files',` ######################################## ## +## Relabel files to the type used in library directories. +## +## +## The type of the process performing this action. +## +# +interface(`libs_relabelto_lib_files',` + gen_require(` + type lib_t; + class file relabelto; + ') + + allow $1 lib_t:file relabelto; +') + +######################################## +## ## Load and execute functions from shared libraries. ## ##