diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 68be1e9..d0ee49c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -144,3 +144,69 @@ type boot_t, boot_runtime_t;
 class dir { getattr search read write add_name remove_name };
 class file { getattr create read write append unlink };
 ')
+
+########################################
+#
+# bootloader_list_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_list_kernel_modules',`
+requires_block_template(bootloader_list_kernel_modules_depend,$2)
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`bootloader_list_kernel_modules_depend',`
+type modules_object_t;
+class dir { getattr search read };
+')
+
+########################################
+#
+# bootloader_read_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_read_kernel_modules',`
+requires_block_template(bootloader_read_kernel_modules_depend,$2)
+allow $1 modules_object_t:dir { getattr search read };
+allow $1 modules_object_t:{ lnk_file file } { getattr read };
+')
+
+define(`bootloader_read_kernel_modules_depend',`
+type modules_object_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# bootloader_modify_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_modify_kernel_modules',`
+requires_block_template(bootloader_modify_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr create read write setattr unlink };
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+')
+
+define(`bootloader_modify_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr create read write setattr unlink };
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional'])
+#
+define(`bootloader_create_private_module_dir_entry',`
+requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 modules_object_t:file $2;
+',`
+type_transition $1 modules_object_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`bootloader_create_private_module_dir_entry_depend',`
+type modules_object_t;
+class dir { getattr search read write add_name remove_name };
+')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 68b9ab8..cebff46 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,10 +1,6 @@
 # Copyright (C) 2005 Tresys Technology, LLC
-type bootloader_t;
-domain_make_domain(bootloader_t)
-
-type bootloader_exec_t;
-domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+attribute can_modify_kernel_modules;
 #
 # boot_t is the type for files in /boot
@@ -12,9 +8,20 @@ domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
 type boot_t;
 files_make_file(boot_t)
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
 type boot_runtime_t;
 files_make_file(boot_runtime_t)
+type bootloader_t;
+domain_make_domain(bootloader_t)
+
+type bootloader_exec_t;
+domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+
 #
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
@@ -23,12 +30,6 @@ type bootloader_etc_t alias etc_bootloader_t;
 files_make_file(bootloader_etc_t)
 #
-# system_map_t is for the system.map files in /boot
-#
-type system_map_t;
-files_make_file(system_map_t)
-
-#
 # The temp file is used for initrd creation;
 # it consists of files and device nodes
 #
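Review bot: In `bootloader_create_private_module_dir_entry` the requires call hands `$2` to the template, but per the interface's own comment `$2` is the private type and the optional flag is `$4`, so the line should read `requires_block_template(bootloader_create_private_module_dir_entry_depend,$4)`. The two callers added in modutils.te pass `modules_dep_t` and `modules_conf_t` in that slot, so whatever requires_block_template does with a non-empty second argument is being applied to a type name; that template is not visible here, so confirm how it treats it. Separately, `bootloader_modify_kernel_modules` grants `create write` on `modules_object_t:file` but nothing in it or its `_depend` block attaches the caller to `can_modify_kernel_modules`, so with the `neverallow` introduced in the bootloader.te `@@ -36` hunk any caller outside that attribute fails the neverallow check at policy build; either add `typeattribute $1 can_modify_kernel_modules;` to the interface (with `attribute can_modify_kernel_modules;` in its depend block) or document that requirement in the header comment. The `_depend` block of the private-dir-entry interface also omits `class file`, which the default `type_transition` branch uses.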
@@ -36,6 +37,19 @@ type bootloader_tmp_t;
 files_make_file(bootloader_tmp_t)
 devices_make_device_node(bootloader_tmp_t)
+# kernel modules
+type modules_object_t;
+files_make_file(modules_object_t)
+
+neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
+
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_make_file(system_map_t)
+
+
 ########################################
 #
 # bootloader local policy
@@ -92,6 +106,9 @@ devices_ignore_modify_generic_devices(bootloader_t)
 # mkinitrd policy
 #
+allow bootloader_t modules_object_t:dir { getattr search read };
+allow bootloader_t modules_object_t:file { getattr read };
+
 files_read_general_system_resources(bootloader_t)
 bootloader_install_initrd(bootloader_t)
@@ -104,7 +121,6 @@ corecommands_execute_shell(bootloader_t)
 selinux_read_binary_policy(bootloader_t)
 selinux_read_load_policy_binary(bootloader_t)
-modutils_read_kernel_modules(bootloader_t)
 modutils_read_kernel_module_dependencies(bootloader_t)
 modutils_read_kernel_module_loading_config(bootloader_t)
 modutils_insmod_execute(bootloader_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index cb2d021..05b9501 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
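Review bot: The two direct rules added under `# mkinitrd policy` give `bootloader_t` only `dir { getattr search read }` and `file { getattr read }` on `modules_object_t`, while the `modutils_read_kernel_modules(bootloader_t)` call removed in the `@@ -104` hunk of the same file also granted `lnk_file { getattr read }`, so symlink reads inside the module tree are silently dropped for bootloader_t. If that is not intended, add `allow bootloader_t modules_object_t:lnk_file { getattr read };` beside the two new rules so the permission set matches `bootloader_read_kernel_modules`; if it is intended, the commit message should say so, since it is a behaviour change rather than a move.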
@@ -2,35 +2,19 @@ ########################################
 #
-# modutils_read_kernel_modules(domain,[`optional'])
-#
-define(`modutils_read_kernel_modules',`
-requires_block_template(modutils_read_kernel_modules_depend,$2)
-allow $1 modules_object_t:dir { getattr search read };
-allow $1 modules_object_t:{ lnk_file file } { getattr read };
-')
-
-define(`modutils_read_kernel_modules_depend',`
-type modules_object_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read };
-')
-
-########################################
-#
-# modutils_read_kernel_module_dependencies(domain,[`optional'])
 #
 define(`modutils_read_kernel_module_dependencies',`
 requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
+bootloader_list_kernel_modules($1,optional)
 allow $1 modules_dep_t:file { getattr read };
-allow $1 modules_object_t:dir { getattr search read };
 ')
 define(`modutils_read_kernel_module_dependencies_depend',`
-type modules_object_t, modules_dep_t;
+type modules_dep_t;
 class file { getattr create read write setattr unlink };
 class dir { search read write add_name remove_name };
+bootloader_list_kernel_modules_depend
 ')
 ########################################
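Review bot: `modutils_read_kernel_module_dependencies` now calls `bootloader_list_kernel_modules($1,optional)` with a hard-coded `optional` instead of forwarding the caller's `$2`, so the nested interface's requires handling no longer follows what the outer interface was invoked with; `bootloader_list_kernel_modules($1,$2)` keeps the two consistent, and if the literal is deliberate a one-line comment saying why would save the next reader the same question. The `_depend` block also keeps `class file { getattr create read write setattr unlink }` and `class dir { search read write add_name remove_name }` although the interface body now only needs `file { getattr read }` on `modules_dep_t` plus whatever `bootloader_list_kernel_modules_depend` declares; trimming the dependency to what is actually used keeps it honest. Both definitions lie fully inside this hunk.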
@@ -49,22 +33,6 @@ class file { getattr create read write setattr unlink };
 ########################################
 #
-# modutils_modify_kernel_modules(domain,[`optional'])
-#
-define(`modutils_modify_kernel_modules',`
-requires_block_template(modutils_modify_kernel_modules_depend,$2)
-allow $1 modules_object_t:file { getattr create read write setattr unlink };
-allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
-')
-
-define(`modutils_modify_kernel_modules_depend',`
-type modules_object_t;
-class file { getattr create read write setattr unlink };
-class dir { getattr search read write add_name remove_name };
-')
-
-########################################
-#
-# modutils_insmod_transition(domain,[`optional'])
 #
 define(`modutils_insmod_transition',`
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 65c72cd..e6216db 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,12 +1,5 @@
 # Copyright (C) 2005 Tresys Technology, LLC
-attribute can_modify_kernel_modules;
-neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
-
-# kernel modules
-type modules_object_t;
-files_make_file(modules_object_t)
-
 # module loading config
 type modules_conf_t;
 files_make_file(modules_conf_t)
@@ -49,10 +42,6 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
 # Read module config and dependency information
 allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-# read modules
-allow insmod_t modules_object_t:dir { getattr search read };
-allow insmod_t modules_object_t:file { getattr read };
-
 allow insmod_t self:capability { dac_override net_raw sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
@@ -68,6 +57,8 @@ kernel_read_kernel_sysctl(insmod_t)
 kernel_modify_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctl(insmod_t)
+bootloader_read_kernel_modules(insmod_t)
+
 terminal_use_controlling_terminal(insmod_t)
 devices_write_mtrr(insmod_t)
@@ -160,22 +151,18 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
 # Read conf.modules.
 allow depmod_t modules_conf_t:file { getattr read };
-# Read module objects.
-allow depmod_t modules_object_t:dir { getattr search read };
-allow depmod_t modules_object_t:{ file lnk_file } { getattr read };
-
-# Create modules.dep.
-allow depmod_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition depmod_t modules_object_t:file modules_dep_t;
 kernel_read_system_state(depmod_t)
+bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
+
 filesystem_get_persistent_filesystem_attributes(depmod_t)
 terminal_use_console(depmod_t)
 bootloader_read_kernel_symbol_table(depmod_t)
+bootloader_read_kernel_modules(depmod_t)
 files_read_runtime_system_config(depmod_t)
 files_read_general_system_config(depmod_t)
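Review bot: `bootloader_read_kernel_modules(insmod_t)` stands in for the insmod_t `dir` and `file` read rules deleted in the preceding modutils.te hunk, but the interface additionally grants `lnk_file { getattr read }` on `modules_object_t`, which insmod_t did not have before. That is plausibly wanted for symlinked module trees, yet it is a widening of insmod_t's access and should be named in the commit message rather than presented as a pure move.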
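Review bot: The depmod_t dir rule removed in this hunk carried `lock` and `ioctl` on `modules_object_t:dir`, while `bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)` grants only `{ getattr search read write add_name remove_name }`, so those two permissions are dropped; the same happens for update_modules_t in the `@@ -218` hunk of this file. If depmod and update-modules never lock or ioctl the modules directory this is a welcome tightening and worth a line in the commit message; if they do, add `lock ioctl` to the interface's dir rule and its `_depend` block in bootloader.if rather than re-adding local rules here.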
@@ -218,9 +205,8 @@ allow update_modules_t modules_dep_t:file { getattr read write };
 allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
 allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
-allow update_modules_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
+bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
 allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition update_modules_t modules_object_t:file modules_conf_t;
 allow update_modules_t depmod_exec_t:file { getattr read execute };
 type_transition update_modules_t depmod_exec_t:process depmod_t;