diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 35a5b3b..1350fa5 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -156,7 +156,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt) APPDIR := $(CONTEXTPATH) APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media -USER_FILES := $(POLDIR)/users +USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d)) @@ -178,6 +178,8 @@ MODMOD := module BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) +HOMEDIR_TEMPLATE = tmp/homedir_template + ######################################## # # Load appropriate rules diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index a8eef96..6c70f1f 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -13,7 +13,7 @@ BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_in BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls BASE_TE_FILES := $(BASE_MODS) -BASE_POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints +BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints BASE_FC_FILES := $(BASE_MODS:.te=.fc) MOD_MODULES := $(MOD_MODS:.te=.mod) 
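Review bot: `HOMEDIR_TEMPLATE = tmp/homedir_template` is the only recursively-expanded assignment in the hunk; every other variable in view (`APPDIR`, `APPFILES`, `USER_FILES`, `ALL_LAYERS`, `BASE_MODS`, `MOD_MODS`) uses `:=`, and nothing in the value needs late binding. Write it as `HOMEDIR_TEMPLATE := tmp/homedir_template` so it reads consistently with the file it was moved into. Separately, `USER_FILES` now lists both `$(POLDIR)/systemuser` and `$(POLDIR)/users`, while `BASE_POST_TE_FILES` in the Rules.modular hunk carries only `systemuser`; if `users` reaches the modular base by another path that is fine, but a one-line comment above `USER_FILES` saying where each file is consumed would save the next reader the search.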
@@ -118,7 +118,7 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi # # Construct base module file contexts # -$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT) +$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT) ifeq ($(BASE_FC_FILES),) $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") endif @@ -150,5 +150,6 @@ clean: rm -fR tmp rm -f base.conf rm -f *.pp + rm -f $(BASE_FC) .PHONY: default base modules clean diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index 0833fa3..1d5c6cb 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic @@ -19,12 +19,10 @@ ALL_TE_FILES := $(ALL_MODULES) ALL_FC_FILES := $(ALL_MODULES:.te=.fc) PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls -POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints +POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf -HOMEDIR_TEMPLATE = tmp/homedir_template - ######################################## # # default action: build policy locally diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 90eb00a..41dec5e 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -569,7 +569,7 @@ interface(`kernel_dontaudit_search_network_state',` class dir search; ') - allow $1 proc_net_t:dir search; + dontaudit $1 proc_net_t:dir search; ') ######################################## 
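Review bot: `$(BASE_FC)` replaces `$(FC)` as the target of the file-contexts rule and is added to `clean`, but no hunk in this commit defines `BASE_FC`. If it is set in an unchanged part of Rules.modular or in the Makefile this is fine; if not, the rule header expands to an empty target and `rm -f $(BASE_FC)` becomes a no-op, so the rename silently stops building the file contexts. I would confirm the definition is in place before merging, and prefer `$(RM) $(BASE_FC)` to match the cheat-sheet convention if the file otherwise uses `$(RM)`. The `clean:` rule header sits just before the hunk, so the recipe is only partly shown.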
@@ -1306,3 +1306,230 @@ interface(`kernel_unconfined',` kernel_rw_all_sysctl($1) ') + +################################################################################ +# +# Reversed interfaces +# +# The following are reversed interfaces, meaning the point of view of the caller +# of the interface is the object (target) type, rather than the subject (source) +# type, like all other interfaces in the policy. These interfaces are here to +# decouple policy from the base module, and should not be used anywhere else. +# +################################################################################ + +######################################## +## +## Allow the kernel to send a SIGCHLD +## signal to the specified domain. +## +## +## Domain receiving the SIGCHLD. +## +# +interface(`kernel_sigchld_from',` + gen_require(` + type kernel_t; + class process sigchld; + ') + + allow kernel_t $1:process sigchld; +') + +######################################## +## +## Allow unlabeled processes to send a SIGCHLD +## signal to the specified domain. +## +## +## Domain receiving the SIGCHLD. +## +# +interface(`kernel_sigchld_from_unlabeled',` + gen_require(` + type unlabeled_t; + class process sigchld; + ') + + allow unlabeled_t $1:process sigchld; +') + +######################################## +## +## Allow the kernel to search the +## specified directory. +## +## +## Directory type to search. +## +# +interface(`kernel_search_from',` + gen_require(` + type kernel_t; + class dir search; + ') + + allow kernel_t $1:dir search; +') + +######################################## +## +## Allow the kernel to read the contents +## of the specified directory. +## +## +## Directory type to list. +## +# +interface(`kernel_list_from',` + gen_require(` + type kernel_t; + class dir r_dir_perms; + ') + + allow kernel_t $1:dir r_dir_perms; +') + +######################################## +## +## Allow the kernel to read the +## specified file. +## +## +## Directory type to list. 
+## +# +interface(`kernel_read_file_from',` + gen_require(` + type kernel_t; + class dir r_dir_perms; + ') + + allow kernel_t $1:file r_file_perms; +') + +######################################## +## +## Allow the kernel to search the +## specified directory. +## +## +## Directory type to search. +## +# +interface(`kernel_search_from',` + gen_require(` + type kernel_t; + class dir search; + ') + + allow kernel_t $1:dir search; +') + +######################################## +## +## Use the specified types for /lib directory +## and use the dynamic link/loader for automatic loading +## of shared libraries, and the link/loader +## cache. +## +## +## The type of the lib directories. +## +## +## The type of the dynamic link/loader. +## +## +## The type of the dynamic link/loader cache. +## +# +interface(`kernel_use_ld_so_from',` + gen_require(` + type kernel_t; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file rx_file_perms; + ') + + files_list_etc(kernel_t) + allow kernel_t $1:dir r_dir_perms; + allow kernel_t $1:lnk_file r_file_perms; + allow kernel_t $2:lnk_file r_file_perms; + allow kernel_t $2:file rx_file_perms; + allow kernel_t $3:file r_file_perms; +') + +######################################## +## +## Allow the kernel to load and execute +## functions from the specified shared libraries. +## +## +## The type of the lib directories. +## +## +## Shared library type. +## +# +interface(`kernel_use_shared_libs_from',` + gen_require(` + type kernel_t; + class lnk_file r_file_perms; + class file rx_dir_perms; + ') + + allow kernel_t $1:dir r_dir_perms; + allow kernel_t $1:lnk_file r_file_perms; + allow kernel_t $2:lnk_file r_file_perms; + allow kernel_t $2:file rx_file_perms; +') + +####################################### +## +## Allow the kernel to send a syslog +## message to the specified domain, +## connecting over the specified named +## socket. +## +## +## The type of the named socket file. +## +## +## The domain of the syslog daemon. 
+## +# +interface(`kernel_send_syslog_msg_from',` + gen_require(` + type syslogd_t, devlog_t; + class lnk_file read; + class sock_file rw_file_perms; + class unix_dgram_socket sendto; + class unix_stream_socket connectto; + ') + + allow kernel_t $1:lnk_file read; + allow kernel_t $1:sock_file rw_file_perms; + + # the type of socket depends on the syslog daemon + allow kernel_t $2:unix_dgram_socket sendto; + allow kernel_t $2:unix_stream_socket connectto; +') + +######################################## +## +## Allow the kernel to send UDP network traffic +## the specified domain. +## +## +## The type of the receiving domain. +## +# +interface(`kernel_udp_sendfrom',` + gen_require(` + type portmap_t; + class udp_socket { sendto recvfrom }; + ') + + allow kernel_t $1:udp_socket sendto; + allow $1 kernel_t:udp_socket recvfrom; +') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 8fd5ae9..94f7780 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -10,6 +10,8 @@ policy_module(kernel,1.0) attribute can_load_kernmodule; attribute can_receive_kernel_messages; +neverallow ~can_load_kernmodule self:capability sys_module; + # domains with unconfined access to kernel resources attribute kern_unconfined; 
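Review bot: Several of the new reversed interfaces declare requirements that do not match the rules they emit: `kernel_read_file_from` requires `class dir r_dir_perms` but its only rule is `allow kernel_t $1:file r_file_perms;`, `kernel_use_shared_libs_from` requires `class file rx_dir_perms` (presumably a typo for `rx_file_perms`, the set the rule uses) and omits the `class dir r_dir_perms` its first rule needs, and `kernel_send_syslog_msg_from` and `kernel_udp_sendfrom` require `syslogd_t, devlog_t` and `portmap_t` respectively instead of `kernel_t`, which leaves `kernel_t` undeclared where the interface is expanded and ties the kernel module to two service modules, the opposite of the decoupling the header comment promises. The fixes are one line each: `class file r_file_perms;`, `class dir r_dir_perms;` plus `class file rx_file_perms;`, and `type kernel_t;` in both of the last two. `kernel_search_from` is defined twice in this hunk with identical bodies, and m4 will silently keep the second definition, so one copy should go. `kernel_use_ld_so_from` also calls `files_list_etc(kernel_t)` from inside an interface that libraries.te invokes, while the kernel.te hunk in this commit adds the same `files_list_etc(kernel_t)` directly; keeping only the kernel.te call avoids a hidden side effect. Finally, the parameter summary for `kernel_read_file_from` says "Directory type to list." for what is a file type, and `kernel_udp_sendfrom` both breaks the `_from` naming of its siblings and is missing a word ("send UDP network traffic to the specified domain").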
@@ -190,32 +192,15 @@ corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) files_list_root(kernel_t) +files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) -init_sigchld(kernel_t) - -libs_use_ld_so(kernel_t) -libs_use_shared_libs(kernel_t) - -logging_send_syslog_msg(kernel_t) - -seutil_read_config(kernel_t) -seutil_read_binary_pol(kernel_t) - -neverallow ~can_load_kernmodule self:capability sys_module; - ######################################## # # Unlabeled process local policy # -# If you load a new policy that removes active domains, processes can -# get stuck if you do not allow unlabeled processes to signal init. -# If you load an incompatible policy, you should probably reboot, -# since you may have compromised system security. -init_sigchld(unlabeled_t) - ifdef(`targeted_policy',` allow unlabeled_t self:filesystem associate; ') diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index 5cc17e6..85c9c8c 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -44,6 +44,7 @@ files_create_pid(portmap_t,portmap_var_run_t) kernel_read_kernel_sysctl(portmap_t) kernel_list_proc(portmap_t) kernel_read_proc_symlinks(portmap_t) +kernel_udp_sendfrom(portmap_t) corenet_tcp_sendrecv_all_if(portmap_t) corenet_udp_sendrecv_all_if(portmap_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 6a69a96..1beb5de 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -13,6 +13,7 @@ init_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; files_type(hotplug_etc_t) +kernel_search_from(hotplug_etc_t) type hotplug_var_run_t; files_pid_file(hotplug_var_run_t) 
@@ -184,8 +185,6 @@ optional_policy(`rhgb.te',` rhgb_domain(hotplug_t) ') -allow kernel_t hotplug_etc_t:dir search; - # for ps dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index fe82ecb..c44c2c4 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -95,6 +95,12 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t) kernel_read_system_state(init_t) kernel_share_state(init_t) +kernel_sigchld_from(init_t) +# If you load a new policy that removes active domains, processes can +# get stuck if you do not allow unlabeled processes to signal init. +# If you load an incompatible policy, you should probably reboot, +# since you may have compromised system security. +kernel_sigchld_from_unlabeled(init_t) dev_read_sysfs(init_t) diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 5b83f34..d1a0700 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -38,6 +38,9 @@ files_type(shlib_t) type texrel_shlib_t; files_type(texrel_shlib_t) +kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t) +kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t }) + ######################################## # # ldconfig local policy diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 1625b3d..3090e0a 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -190,6 +190,7 @@ files_create_pid(syslogd_t,syslogd_var_run_t) kernel_read_kernel_sysctl(syslogd_t) kernel_read_proc_symlinks(syslogd_t) +kernel_send_syslog_msg_from(devlog_t,syslogd_t) dev_create_dev_node(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) 
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 5e0db52..fb66048 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -52,6 +52,8 @@ domain_entry_file(newrole_t,newrole_exec_t) # type policy_config_t; files_type(policy_config_t) +kernel_list_from(policy_config_t) +kernel_read_file_from(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -81,6 +83,8 @@ domain_entry_file(run_init_t,run_init_exec_t) # type selinux_config_t; files_type(selinux_config_t) +kernel_list_from(selinux_config_t) +kernel_read_file_from(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; domain_obj_id_change_exempt(setfiles_t) diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt index 8b3b94c..60bb608 100644 --- a/refpolicy/policy/support/misc_macros.spt +++ b/refpolicy/policy/support/misc_macros.spt @@ -13,6 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') ######################################## # +# gen_user(username, role_set, mls_defaultlevel, mls_range) +# +define(`gen_user',` +user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); +') + +######################################## +# # gen_con(context,sensitivity) # # Optionally put the sensitivity for the file diff --git a/refpolicy/policy/systemuser b/refpolicy/policy/systemuser new file mode 100644 index 0000000..ff30b50 --- /dev/null +++ b/refpolicy/policy/systemuser 
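Review bot: `gen_user` is now defined twice with identical bodies, here in misc_macros.spt and again in the new `policy/systemuser` file, after the copy in `policy/users` was removed. Since `$(M4SUPPORT)` is part of the pre-TE section in both Rules files and `systemuser` is in the post-TE section, the second `define` only redefines a macro m4 already has; dropping it from `systemuser` leaves one authoritative definition and matches what the `users` hunk does. A pointer comment can replace it there, e.g. `# gen_user() is defined in support/misc_macros.spt`.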
@@ -0,0 +1,22 @@ +################################## +# +# System User configuration. +# + +# +# gen_user(username, role_set, mls_defaultlevel, mls_range) +# +define(`gen_user',` +user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); +') + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u, system_r, s0, s0 - s9:c0.c127) + +# Normal users should not be added to this file, +# but instead added to the users file. diff --git a/refpolicy/policy/users b/refpolicy/policy/users index d477c41..517c9e3 100644 --- a/refpolicy/policy/users +++ b/refpolicy/policy/users @@ -5,19 +5,8 @@ # # -# gen_user(username, role_set, defaultlevel, range) +# gen_user(username, role_set, mls_defaultlevel, mls_range) # -define(`gen_user',` -user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); -') - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u, system_r, s0, s0 - s9:c0.c127) # # user_u is a generic user identity for Linux users who have no