diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if new file mode 100644 index 0000000..0cd5e08 --- /dev/null +++ b/refpolicy/policy/modules/admin/consoletype.if @@ -0,0 +1,33 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +####################################### +# +# consoletype_transition(domain) +# +define(`consoletype_transition',` +requires_block_template(consoletype_transition_depend) +allow $1 consoletype_exec_t:file { getattr read execute }; +allow $1 consoletype_t:process transition; +type_transition $1 consoletype_exec_t:file consoletype_t; +dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh }; +') + +define(`consoletype_transition_depend',` +type consoletype_t, consoletype_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +####################################### +# +# consoletype_execute(domain) +# +define(`consoletype_execute',` +requires_block_template(consoletype_execute_depend) +allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`consoletype_execute_depend',` +type consoletype_exec_t; +class file { getattr read execute execute_no_trans }; +') diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te new file mode 100644 index 0000000..612defa --- /dev/null +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -0,0 +1,108 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +policy_module(consoletype, 1.0) + +######################################## +# +# Declarations +# + +type consoletype_t; +domain_make_domain(consoletype_t) +role system_r types consoletype_t; + +type consoletype_exec_t; +domain_make_entrypoint_file(consoletype_t,consoletype_exec_t) + +######################################## +# +# Local declarations +# + +allow consoletype_t self:capability sys_admin; + +allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow consoletype_t self:fd use; +allow consoletype_t self:fifo_file { read getattr lock ioctl write append }; +allow consoletype_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow consoletype_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow consoletype_t self:unix_dgram_socket sendto; +allow consoletype_t self:unix_stream_socket connectto; +allow consoletype_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; +allow consoletype_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; +allow consoletype_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow consoletype_t self:msg { send receive }; + +kernel_use_file_descriptors(consoletype_t) +kernel_ignore_read_system_state(consoletype_t) + +filesystem_get_all_filesystems_attributes(consoletype_t) + +terminal_ignore_use_console(consoletype_t) +terminal_use_general_physical_terminal(consoletype_t) + +init_use_file_descriptors(consoletype_t) +init_script_use_pseudoterminal(consoletype_t) +init_script_use_file_descriptors(consoletype_t) + +domain_use_widely_inheritable_file_descriptors(consoletype_t) + +files_ignore_read_rootfs_file(consoletype_t) + +libraries_use_dynamic_loader(consoletype_t) +libraries_read_shared_libraries(consoletype_t) + +optional_policy(`authlogin.te', ` +authlogin_read_pam_runtime_data(consoletype_t) +') + +ifdef(`TODO',` + +allow consoletype_t unpriv_userdomain:fd use; +allow consoletype_t sysadm_t:fd use; +allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; +allow consoletype_t sysadm_t:fifo_file rw_file_perms; + +allow consoletype_t initrc_t:fifo_file write; +allow consoletype_t nfs_t:file write; + +allow consoletype_t crond_t:fifo_file { read getattr ioctl }; +allow consoletype_t system_crond_t:fd use; + +optional_policy(`ypbind.te', ` +if (allow_ypbind) { +can_network(consoletype_t) +r_dir_file(consoletype_t,var_yp_t) +corenetwork_bind_tcp_on_general_port(consoletype_t) +corenetwork_bind_udp_on_general_port(consoletype_t) +corenetwork_bind_tcp_on_reserved_port(consoletype_t) +corenetwork_bind_udp_on_reserved_port(consoletype_t) +corenetwork_ignore_bind_tcp_on_all_reserved_ports(consoletype_t) +corenetwork_ignore_bind_udp_on_all_reserved_ports(consoletype_t) +dontaudit consoletype_t self:capability net_bind_service; +} else { +dontaudit consoletype_t var_yp_t:dir search; +} +') dnl end ypbind optional_policy + +optional_policy(`automount.te', ` +allow consoletype_t autofs_t:dir { search getattr }; +') + +optional_policy(`xdm.te', ` +domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) +allow consoletype_t xdm_tmp_t:file { read write }; +') + +optional_policy(`lpd.te', ` +allow consoletype_t printconf_t:file { getattr read }; +') + +tunable_policy(`distro_redhat', ` +allow consoletype_t tmpfs_t:chr_file rw_file_perms; +') + +optional_policy(`firstboot.te', ` +allow consoletype_t firstboot_t:fifo_file write; +') +') dnl end TODO diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if new file mode 100644 index 0000000..c38ca94 --- /dev/null +++ b/refpolicy/policy/modules/services/mta.if @@ -0,0 +1,24 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +####################################### +# +# Per user domain template for this module +# +# mta_per_userdomain_template(userdomain_prefix) +# +define(`mta_per_userdomain_template',` +requires_block_template(mta_per_userdomain_template_depend) + +type $1_mail_t; +domain_make_domain($1_mail_t) + +type $1_mail_tmp_t; +files_make_file($1_mail_tmp_t) + +logging_send_system_log_message($1_mail_t) + +') + +define(`mta_per_userdomain_template_depend',` + +') diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te new file mode 100644 index 0000000..be458a9 --- /dev/null +++ b/refpolicy/policy/modules/services/mta.te @@ -0,0 +1,15 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +policy_module(mta,1.0) + +type etc_aliases_t; +files_make_file(etc_aliases_t) + +type etc_mail_t; +files_make_file(etc_mail_t) + +type mqueue_spool_t; +files_make_file(mqueue_spool_t) + +type mail_spool_t; +files_make_file(mail_spool_t) diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if new file mode 100644 index 0000000..6747c2b --- /dev/null +++ b/refpolicy/policy/modules/system/hotplug.if @@ -0,0 +1,47 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +####################################### +# +# hotplug_transition(domain) +# +define(`hotplug_transition',` +requires_block_template(hotplug_transition_depend) +allow $1 hotplug_exec_t:file { getattr read execute }; +allow $1 hotplug_t:process transition; +type_transition $1 hotplug_exec_t:file hotplug_t; +dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh }; +') + +define(`hotplug_transition_depend',` +type hotplug_t, hotplug_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +####################################### +# +# hotplug_execute(domain) +# +define(`hotplug_execute',` +requires_block_template(hotplug_execute_depend) +allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`hotplug_execute_depend',` +type hotplug_t; +class file { getattr read execute execute_no_trans }; +') + +####################################### +# +# hotplug_use_file_descriptors(domain) +# +define(`hotplug_use_file_descriptors',` +requires_block_template(hotplug_use_file_descriptors_depend) +allow $1 hotplug_t:fd use; +') + +define(`hotplug_use_file_descriptors_depend',` +type hotplug_t; +class fd use; +') diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te new file mode 100644 index 0000000..64c4116 --- /dev/null +++ b/refpolicy/policy/modules/system/hotplug.te @@ -0,0 +1,206 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +policy_module(hotplug, 1.0) + +######################################## +# +# Declarations +# + +type hotplug_t; +type hotplug_exec_t; +domain_make_daemon_domain(hotplug_t,hotplug_exec_t) + +type hotplug_etc_t; #, usercanread; +files_make_file(hotplug_etc_t) + +type hotplug_var_run_t; +files_make_file(hotplug_var_run_t) + +######################################## +# +# Local policy +# + +allow hotplug_t self:capability { net_admin sys_tty_config mknod }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit hotplug_t self:capability { dac_override dac_read_search }; + +allow hotplug_t self:process { getsession getattr }; + +allow hotplug_t self:fifo_file { read write getattr ioctl }; +allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + +allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl }; +allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl }; +allow hotplug_t hotplug_etc_t:lnk_file { getattr read }; + +allow hotplug_t { hotplug_exec_t hotplug_etc_t }:file { getattr read execute execute_no_trans }; + +allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink }; +files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t) + +kernel_read_system_state(hotplug_t) +kernel_read_kernel_sysctl(hotplug_t) +kernel_read_hardware_state(hotplug_t) +kernel_read_network_sysctl(hotplug_t) +kernel_read_usb_hardware_state(hotplug_t) +kernel_transition_from(hotplug_t,hotplug_exec_t) + +bootloader_read_kernel_modules(hotplug_t) + +devices_discard_data_stream(hotplug_t) +# for SSP +devices_get_pseudorandom_data(hotplug_t) + +filesystem_get_all_filesystems_attributes(hotplug_t) + +storage_set_fixed_disk_attributes(hotplug_t) +storage_set_removable_device_attributes(hotplug_t) + +terminal_use_controlling_terminal(hotplug_t) +terminal_ignore_use_console(hotplug_t) + +init_use_file_descriptors(hotplug_t) +init_script_use_pseudoterminal(hotplug_t) +# Allow hotplug (including /sbin/ifup-local) to start/stop services and +# run sendmail -q +init_script_transition(hotplug_t) +# kernel threads inherit from shared descriptor table used by init +init_ignore_use_control_channel(hotplug_t) + +domain_use_widely_inheritable_file_descriptors(hotplug_t) + +files_read_general_system_config(hotplug_t) +files_create_runtime_system_config(hotplug_t) +files_execute_system_config_script(hotplug_t) + +corecommands_execute_general_programs(hotplug_t) +corecommands_execute_shell(hotplug_t) +corecommands_execute_system_programs(hotplug_t) + +logging_send_system_log_message(hotplug_t) + +libraries_use_dynamic_loader(hotplug_t) +libraries_read_shared_libraries(hotplug_t) + +modutils_insmod_transition(hotplug_t) +modutils_read_kernel_module_dependencies(hotplug_t) + +miscfiles_read_localization(hotplug_t) + +mount_transition(hotplug_t) + +optional_policy(`consoletype.te',` +consoletype_transition(hotplug_t) +') + +optional_policy(`iptables.te',` +iptables_transition(hotplug_t) +') + +optional_policy(`selinux.te',` +selinux_newrole_sigchld(hotplug_t) +') + +optional_policy(`udev.te', ` +udev_transition(hotplug_t) +udev_read_database(hotplug_t) +') + +tunable_policy(`targeted_policy', ` +terminal_ignore_use_general_physical_terminal(hotplug_t) +terminal_ignore_use_general_pseudoterminal(hotplug_t) +files_ignore_read_rootfs_file(hotplug_t) +') + + +ifdef(`TODO',` +allow hotplug_t null_device_t:chr_file r_file_perms; +dontaudit hotplug_t unpriv_userdomain:fd use; +allow hotplug_t autofs_t:dir { search getattr }; +dontaudit hotplug_t sysadm_home_dir_t:dir search; +optional_policy(`rhgb.te', ` +allow hotplug_t rhgb_t:process sigchld; +allow hotplug_t rhgb_t:fd use; +allow hotplug_t rhgb_t:fifo_file { read write }; +') + +can_exec(hotplug_t, { ls_exec_t }) + +allow kernel_t hotplug_etc_t:dir search; + +allow hotplug_t sound_device_t:chr_file setattr; + +can_network_server(hotplug_t) +can_ypbind(hotplug_t) +dbusd_client(system, hotplug) + +allow initrc_t usbdevfs_t:file { getattr read ioctl }; +allow initrc_t modules_dep_t:file { getattr read ioctl }; +# init scripts run /etc/hotplug/usb.rc +allow initrc_t hotplug_etc_t:dir r_dir_perms; + +allow hotplug_t kernel_t:process sigchld; + +# for when filesystems are not mounted early in the boot +dontaudit hotplug_t file_t:dir { search getattr }; + +# Read /usr/lib/gconv/.* +allow hotplug_t lib_t:file { getattr read }; + +allow hotplug_t udev_runtime_t:file rw_file_perms; + +allow hotplug_t var_log_t:dir search; + +# for ps +dontaudit hotplug_t domain:dir { getattr search }; +dontaudit hotplug_t { init_t kernel_t }:file read; + +optional_policy(`hostname.te',` +hostname_execute(hotplug_t) +dontaudit hostname_t hotplug_t:fd use; +') + +optional_policy(`sysnetwork.te',` +ifconfig_transition(hotplug_t) +') + +tunable_policy(`distro_redhat', ` +optional_policy(`netutils.te', ` +# for arping used for static IP addresses on PCMCIA ethernet +netutils_transition(hotplug_t) +allow hotplug_t tmpfs_t:dir search; +allow hotplug_t tmpfs_t:chr_file rw_file_perms; +') dnl endif netutils optional +allow hotplug_t var_lock_t:dir search; +allow hotplug_t var_lock_t:file getattr; +')dnl end distro_redhat tunable + +optional_policy(`hald.te', ` +allow hotplug_t hald_t:unix_dgram_socket sendto; +allow hald_t hotplug_etc_t:dir search; +allow hald_t hotplug_etc_t:file { getattr read }; +') + +optional_policy(`updfstab.te', ` +domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t) +') + +optional_policy(`fsadm.te', ` +domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) +') + +optional_policy(`initrc.te', ` +can_ps(hotplug_t, initrc_t) +') + +optional_policy(`lpd.te', ` +allow hotplug_t printer_device_t:chr_file setattr; +') + +optional_policy(`mta.te', ` +domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) +') +') dnl end TODO diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if new file mode 100644 index 0000000..c389301 --- /dev/null +++ b/refpolicy/policy/modules/system/iptables.if @@ -0,0 +1,33 @@ +# Copyright (C) 2005 Tresys Technology, LLC + +####################################### +# +# iptables_transition(domain) +# +define(`iptables_transition',` +requires_block_template(iptables_transition_depend) +allow $1 iptables_exec_t:file { getattr read execute }; +allow $1 iptables_t:process transition; +type_transition $1 iptables_exec_t:file iptables_t; +dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh }; +') + +define(`iptables_transition_depend',` +type iptables_t, iptables_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +####################################### +# +# iptables_execute(domain) +# +define(`iptables_execute',` +requires_block_template(iptables_execute_depend) +allow $1 iptables_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`iptables_execute_depend',` +type iptables_t, iptables_exec_t; +class file { getattr read execute execute_no_trans }; +')