diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide index a5122ec..037d07e 100644 --- a/docs/macro_conversion_guide +++ b/docs/macro_conversion_guide @@ -13,11 +13,6 @@ # $1 is the type this attribute is on # -# admin_tty_type: complete -# -{ sysadm_tty_device_t sysadm_devpts_t } - -# # auth: complete # auth_read_shadow($1) @@ -30,7 +25,7 @@ auth_domtrans_chk_passwd($1) # # file_type: complete # -files_file_type($1) +files_type($1) # # fs_domain: complete @@ -42,7 +37,9 @@ storage_raw_write_fixed_disk($1) # # nscd_client_domain: complete # -nscd_use_socket($1) +optional_policy(`nscd.te',` + nscd_use_socket($1) +') # # privfd: complete @@ -55,13 +52,9 @@ domain_wide_inherit_fd($1) logging_send_syslog_msg($1) # -# privmail: +# privmail: complete # mta_send_mail($1) -# this needs more work: -allow mta_user_agent $1:fd use; -allow mta_user_agent $1:process sigchld; -allow mta_user_agent $1:fifo_file { read write }; # # privmodule: complete @@ -137,22 +130,11 @@ type $1_t; type $1_exec_t; domain_type($1_t) domain_entry_file($1_t,$1_exec_t) -role sysadm_r types $1_t; -domain_auto_trans(sysadm_t, $1_exec_t, $1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) - -# -# base_can_network($1,$2): -# -allow $1 self:$2_socket connected_socket_perms; -corenet_$2_sendrecv_all_if($1) -corenet_raw_sendrecv_all_if($1) -corenet_$2_sendrecv_all_nodes($1) -corenet_raw_sendrecv_all_nodes($1) -corenet_$2_sendrecv_all_ports($1) -corenet_$2_bind_all_nodes($1) -sysnet_read_config($1) +# a "run" interface needs to be +# added, and have sysadm_t use it +# in a optional_policy block. # # base_can_network($1,$2,$3): @@ -163,19 +145,28 @@ corenet_raw_sendrecv_all_if($1) corenet_$2_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_$2_bind_all_nodes($1) -corenet_$2_sendrecv_$3_port($1) sysnet_read_config($1) +# if $3 is specified (remove _port_t from $3): +corenet_$2_sendrecv_$3_port($1) +# else: +corenet_$2_sendrecv_all_ports($1) # -# base_file_read_access(): +# base_file_read_access(): complete # +kernel_read_kernel_sysctl($1) +corecmd_list_bin($1) +corecmd_read_bin_symlink($1) +corecmd_read_bin_file($1) +corecmd_read_bin_pipe($1) +corecmd_read_bin_socket($1) +corecmd_list_sbin($1) +corecmd_read_sbin_symlink($1) +corecmd_read_sbin_file($1) +corecmd_read_sbin_pipe($1) +corecmd_read_sbin_socket($1) files_list_home($1) files_read_usr_files($1) -allow $1 bin_t:dir r_dir_perms; -allow $1 bin_t:notdevfile_class_set r_file_perms; -allow $1 sbin_t:dir r_dir_perms; -allow $1 sbin_t:notdevfile_class_set r_file_perms; -kernel_read_kernel_sysctl($1) seutil_read_config($1) tunable_policy(`read_default_t',` files_list_default($1) @@ -194,31 +185,21 @@ allow $1_t devpts_t:dir { getattr read search }; dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; # -# can_create(): +# can_create($1,$2,$3): complete # -# for each i in $3 -can_create_internal($1,$2,$i) - -# -# can_create_internal($1,$2,dir): -# -allow $1 $2:$3 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; - -# -# can_create_internal($1,$2,lnk_file): -# -allow $1 $2:$3 { create read getattr setattr link unlink rename }; - -# -# can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]): -# -allow $1 $2:$3 { create ioctl read getattr lock write setattr append link unlink rename }; +# for each object class in $3: +# if dir: +allow $1 $2:dir create_dir_perms; +# else if lnk_file: +allow $1 $2:lnk_file create_lnk_perms; +# else: +allow $1 $2:$3 create_file_perms; # # can_create_other_pty(): complete # +allow $1_t $2_devpts_t:chr_file { rw_file_perms setattr }; term_create_pty($1_t,$2_devpts_t) -allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append }; # # can_create_pty(): complete @@ -226,16 +207,16 @@ allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append } # $2 may require more conversion type $1_devpts_t $2; term_pty($1_devpts_t) -allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; +allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr }; term_create_pty($1_t,$1_devpts_t) # # can_exec_any(): complete # -domain_exec_all_entry_files($1) -files_exec_generic_etc_files($1) corecmd_exec_bin($1) corecmd_exec_sbin($1) +domain_exec_all_entry_files($1) +files_exec_etc_files($1) libs_use_ld_so($1) libs_use_shared_libs($1) libs_exec_ld_so($1) @@ -337,7 +318,7 @@ allow $1 self:tcp_socket create_stream_socket_perms; base_can_network($1, tcp, `$2') # -# can_network_tcp(): complete +# can_network_tcp(): # can_network_server_tcp($1, `$2') can_network_client_tcp($1, `$2') @@ -432,7 +413,7 @@ kernel_setsecparam($1) kernel_rw_all_sysctl($1) # -# can_tcp_connect +# can_tcp_connect(): # allow $1 $2:tcp_socket { connectto recvfrom }; allow $2 $1:tcp_socket { acceptfrom recvfrom }; @@ -471,16 +452,16 @@ allow $1 $2:file { create ioctl getattr setattr append link }; # # create_dir_file(): # -allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; +allow $1 $2:dir create_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; # # create_dir_notdevfile(): # -allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 $2:{ file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; +allow $1 $2:dir create_dir_perms; +allow $1 $2:{ file sock_file fifo_file } create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; # # daemon_base_domain(): @@ -488,9 +469,10 @@ allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; type $1_t; type $1_exec_t; init_daemon_domain($1_t,$1_exec_t) -role system_r types $1_t; dontaudit $1_t self:capability sys_tty_config; -allow $1_t self:process { sigchld sigkill sigstop signull signal }; +allow $1_t self:process signal_perms; +kernel_list_proc($1_t) +kernel_read_proc_symlinks($1_t) kernel_read_kernel_sysctl($1_t) dev_read_sysfs($1_t) fs_search_auto_mountpoints($1_t) @@ -510,15 +492,12 @@ ifdef(`targeted_policy',` optional_policy(`rhgb.te',` rhgb_domain($1_t) ') -optional_policy(`selinux.te',` +optional_policy(`selinuxutil.te',` seutil_newrole_sigchld($1_t) ') optional_policy(`udev.te', ` udev_read_db($1_t) ') -allow $1_t proc_t:dir r_dir_perms; -allow $1_t proc_t:lnk_file read; - # # daemon_domain(): @@ -529,11 +508,11 @@ init_daemon_domain($1_t,$1_exec_t) type $1_var_run_t; files_pid_file($1_var_run_t) dontaudit $1_t self:capability sys_tty_config; -allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink }; +allow $1_t $1_var_run_t:file create_file_perms; files_create_pid($1_t,$1_var_run_t) kernel_read_kernel_sysctl($1_t) kernel_list_proc($1_t) -kernel_read_proc_symlink($1_t) +kernel_read_proc_symlinks($1_t) dev_read_sysfs($1_t) fs_getattr_all_fs($1_t) fs_search_auto_mountpoints($1_t) @@ -555,7 +534,7 @@ ifdef(`targeted_policy', ` optional_policy(`rhgb.te',` rhgb_domain($1_t) ') -optional_policy(`selinuxutils.te',` +optional_policy(`selinuxutil.te',` seutil_sigchld_newrole($1_t) ') optional_policy(`udev.te', ` @@ -565,51 +544,53 @@ optional_policy(`udev.te', ` # # daemon_sub_domain(): # -# $1 is the parent domain (or domains), $2_t is the child domain, -# and $3 is any attributes to apply to the child -type $2_t, domain, privlog, daemon $3; -type $2_exec_t, file_type, sysadmfile, exec_type; +# $3 may need more work +type $2_t; #, daemon $3; +domain_type($2_t) +type $2_exec_t; +domain_entry_file($2_t,$2_exec_t) role system_r types $2_t; -domain_auto_trans($1, $2_exec_t, $2_t) -allow $2_t $1:fd use; -allow $2_t $1:process sigchld; allow $2_t self:process signal_perms; +domain_auto_trans($1, $2_exec_t, $2_t) +logging_send_syslog_msg($1_t) libs_use_ld_so($2_t) libs_use_shared_libs($2_t) -allow $2_t proc_t:dir r_dir_perms; -allow $2_t proc_t:lnk_file read; -allow $2_t device_t:dir getattr; +kernel_list_proc($1_t) +kernel_read_proc_symlinks($1_t) # -# etc_domain(): +# etc_domain(): complete # type $1_etc_t; #, usercanread; -files_file_type($1_etc_t) +files_type($1_etc_t) allow $1_t $1_etc_t:file { getattr read }; +files_search_etc($1_t) # -# etcdir_domain(): +# etcdir_domain(): complete # type $1_etc_t; #, usercanread; files_file_type($1_etc_t) allow $1_t $1_etc_t:file r_file_perms; allow $1_t $1_etc_t:dir r_dir_perms; allow $1_t $1_etc_t:lnk_file { getattr read }; +files_search_etc($1_t) # -# file_type_auto_trans($1,$2,$3): +# file_type_auto_trans($1,$2,$3): complete # -allow $1 $3:dir { read getattr lock search ioctl add_name remove_name write }; -allow $1 $3:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 $3:lnk_file { create read getattr setattr link unlink rename }; -allow $1 $3:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 $3:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3; +allow $1 $2:dir rw_dir_perms; +allow $1 $3:dir create_dir_perms; +allow $1 $3:file create_file_perms; +allow $1 $3:lnk_file create_lnk_perms; +allow $1 $3:sock_file create_file_perms; +allow $1 $3:fifo_file create_sock_perms; +type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3; # -# file_type_auto_trans($1,$2,$3,$4): +# file_type_auto_trans($1,$2,$3,$4): complete # -allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; +allow $1 $2:dir rw_dir_perms; # for each i in $4: can_create_internal($1,$3,$i) type_transition $1 $2:$i $3; @@ -638,59 +619,41 @@ optional_policy(`nis.te',` # general_proc_read_access(): complete # kernel_read_system_state($1) -kernel_read_sendrecv_state($1) +kernel_read_network_state($1) kernel_read_software_raid_state($1) kernel_getattr_core($1) kernel_getattr_message_if($1) kernel_read_kernel_sysctl($1) # -# home_domain(): -# - -# -# home_domain_access(): -# - -# -# home_domain_ro(): -# - -# -# home_domain_ro_access(): -# - -# # in_user_role(): # -role user_r types $1; -role staff_r types $1; +# this is replaced by run interfaces # -# init_service_domain(): +# init_service_domain(): complete # type $1_t; type $1_exec_t; -init_daemon_domain($1_t,$1_exec_t) +init_domain($1_t,$1_exec_t) dontaudit $1_t self:capability sys_tty_config; +allow self:process signal_perms; +kernel_list_proc($1_t) +kernel_read_proc_symlinks($1_t) dev_read_sysfs($1_t) term_dontaudit_use_console($1_t) -init_use_fd($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) -tunable_policy(`targeted_policy', ` -term_dontaudit_use_unallocated_tty($1_t) -term_dontaudit_use_generic_pty($1_t) -files_dontaudit_read_root_file($1_t) -')dnl end targeted_policy tunable -allow $1_t proc_t:dir r_dir_perms; -allow $1_t proc_t:lnk_file read; -optional_policy(`udev.te', ` -udev_read_db($1_t) +userdom_dontaudit_use_unpriv_user_fd($1_t) +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty($1_t) + term_dontaudit_use_generic_pty($1_t) + files_dontaudit_read_root_file($1_t) +') +optional_policy(`udev.te',` + udev_read_db($1_t) ') -allow $1_t autofs_t:dir { search getattr }; -dontaudit $1_t unpriv_userdomain:fd use; # # inetd_child_domain(): @@ -774,10 +737,6 @@ allow $1_t $1_log_t:dir rw_dir_perms; logging_search_logs($1_t,$1_log_t,{ file dir }) # -# mini_user_domain(): -# - -# # network_home_dir(): # create_dir_file($1, $2) @@ -793,21 +752,21 @@ type_transition $1_t devpts_t:chr_file $1_devpts_t; allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; # -# r_dir_file(): +# r_dir_file(): complete # allow $1 $2:dir { getattr read search }; allow $1 $2:file { read getattr }; allow $1 $2:lnk_file { getattr read }; # -# ra_dir_create_file(): +# ra_dir_create_file(): complete # allow $1 $2:dir ra_dir_perms; allow $1 $2:file { create ra_file_perms }; allow $1 $2:lnk_file { create read getattr }; # -# ra_dir_file(): +# ra_dir_file(): complete # allow $1 $2:dir ra_dir_perms; allow $1 $2:file ra_file_perms; @@ -831,38 +790,32 @@ kernel_read_all_sysctl($1) # # rhgb_domain(): # -ifdef(`rhgb.te', ` -allow $1 rhgb_t:process sigchld; -allow $1 rhgb_t:fd use; -allow $1 rhgb_t:fifo_file { read write }; -') # -# rw_dir_create_file(): +# rw_dir_create_file(): complete # -allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; -allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; +allow $1 $2:dir rw_dir_perms; +allow $1 $2:file create_file_perms; +allow $1 $2:lnk_file create_lnk_perms; # -# rw_dir_file(): +# rw_dir_file(): complete # -allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; +# cjp: rw_dir_perms here doesnt make sense +allow $1 $2:dir rw_dir_perms; allow $1 $2:file rw_file_perms; allow $1 $2:lnk_file { getattr read }; # -# system_domain(): +# system_domain(): complete # type $1_t; -domain_type($1_t) -role system_r types $1_t; type $1_exec_t; -domain_entry_file($1_t,$1_exec_t) +init_system_domain($1_t,$1_exec_t) +files_list_etc($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) -allow $1_t etc_t:dir r_dir_perms; # # tmp_domain(): complete @@ -876,8 +829,8 @@ allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:file create_file_perms; files_create_tmp_files($1_t, $1_tmp_t, { file dir }) # class specified: -files_create_tmp_files($1_t, $1_tmp_t, $3) # $3 manage object perms here +files_create_tmp_files($1_t, $1_tmp_t, $3) # # tmp_domain($1,$2,$3): complete @@ -886,8 +839,8 @@ files_create_tmp_files($1_t, $1_tmp_t, $3) # type $1_tmp_t $2; files_tmp_file($1_tmp_t) -files_create_tmp_files($1_t, $1_tmp_t, $3) allow $1_t $1_tmp_t:$3 manage_obj_perms; +files_create_tmp_files($1_t, $1_tmp_t, $3) # # tmpfs_domain(): complete @@ -902,20 +855,23 @@ allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr a filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # -# unconfined_domain(): +# unconfined_domain(): complete # +unconfined_domain_template($1) # -# user_application_domain(): +# user_application_domain(): complete # -type $1_t, domain, privlog $2; -type $1_exec_t, file_type, sysadmfile, exec_type; -role sysadm_r types $1_t; -domain_auto_trans(sysadm_t, $1_exec_t, $1_t) +type $1_t $2; +domain_type($1_t) +type $1_exec_t; +domain_entry_file($1_t,$1_exec_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) -in_user_role($1_t) -domain_auto_trans(userdomain, $1_exec_t, $1_t) +logging_send_syslog_msg($1_t) +# a "run" interface needs to be +# added, and use it in the base user domain +# template, in a optional_policy block. # # uses_authbind(): @@ -926,15 +882,15 @@ allow authbind_t $1:fd use; allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; # -# var_lib_domain(): +# var_lib_domain(): complete # -type $1_var_lib_t, file_type, sysadmfile; -typealias $1_var_lib_t alias var_lib_$1_t; -file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) -allow $1_t $1_var_lib_t:dir rw_dir_perms; +type $1_var_lib_t; +files_type($1_var_lib_t) +allow $1_t $1_var_lib_t:file create_file_perms; +files_create_var_lib($1_t,$1_var_lib_t) # -# var_run_domain($1): +# var_run_domain($1): complete # type $1_var_run_t; files_pid_file($1_var_run_t) @@ -942,9 +898,15 @@ allow $1_t $1_var_run_t:file create_file_perms; files_create_pid($1_t,$1_var_run_t) # -# var_run_domain($1,$2): +# var_run_domain($1,$2): complete # -type $1_var_run_t, file_type, sysadmfile, pidfile; -file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) -allow $1_t var_t:dir search; -allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write }; +type $1_var_run_t; +files_pid_file($1_var_run_t) +files_create_pid($1_t,$1_var_run_t,$2) +# for each object class in $2: +# if dir: +allow $1 $1_var_run_t:dir create_dir_perms; +# else if lnk_file: +allow $1 $1_var_run_t:lnk_file create_lnk_perms; +# else: +allow $1 $1_var_run_t:$2 create_file_perms;