diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1e97afa..3f37de7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,4 +1,6 @@
 - Fix errors uncovered by sediff.
+- Added policies:
+ kudzu
 
 * Thu Sep 22 2005 Chris PeBenito - 20050922
 - Make logrotate, sendmail, sshd, and rpm policies
diff --git a/refpolicy/policy/modules/admin/kudzu.fc b/refpolicy/policy/modules/admin/kudzu.fc
new file mode 100644
index 0000000..9e3ea80
--- /dev/null
+++ b/refpolicy/policy/modules/admin/kudzu.fc
@@ -0,0 +1,4 @@
+
+/sbin/kmodule -- context_template(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kudzu -- context_template(system_u:object_r:kudzu_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/kudzu.if b/refpolicy/policy/modules/admin/kudzu.if
new file mode 100644
index 0000000..16cb3a3
--- /dev/null
+++ b/refpolicy/policy/modules/admin/kudzu.if
@@ -0,0 +1,51 @@
+## Hardware detection and configuration tools
+
+########################################
+##
+## Execute kudzu in the kudzu domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`kudzu_domtrans',`
+ gen_require(`
+ type kudzu_t, kudzu_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,kudzu_exec_t,kudzu_t)
+
+ allow $1 kudzu_t:fd use;
+ allow kudzu_t $1:fd use;
+ allow kudzu_t $1:fifo_file rw_file_perms;
+ allow kudzu_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute kudzu in the kudzu domain, and
+## allow the specified role the kudzu domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the kudzu domain.
+##
+##
+## The type of the terminal allow the kudzu domain to use.
+##
+#
+interface(`kudzu_run',`
+ gen_require(`
+ type kudzu_t;
+ class chr_file rw_term_perms;
+ ')
+
+ kudzu_domtrans($1)
+ role $2 types kudzu_t;
+ allow kudzu_t $3:chr_file rw_term_perms;
+')
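Review bot: The gen_require blocks of kudzu_domtrans and kudzu_run still declare object classes — `class process sigchld;`, `class fd use;`, `class fifo_file rw_file_perms;` in the first and `class chr_file rw_term_perms;` in the second — while the terminal.if and storage.if hunks of this same commit strip exactly those `class` lines out of existing gen_require blocks. The new file should follow the convention the commit settles on and require only the types its rules reference, i.e. `type kudzu_t, kudzu_exec_t;` and `type kudzu_t;`. Both directions of fd use are granted (`allow $1 kudzu_t:fd use;` and `allow kudzu_t $1:fd use;`); the caller-side direction is the less usual one for a domtrans interface, so a one-line comment on why the caller needs kudzu's descriptors would help the next reader.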
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
new file mode 100644
index 0000000..3427eb5
--- /dev/null
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -0,0 +1,162 @@
+
+policy_module(kudzu,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t,kudzu_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process signal_perms;
+allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+allow kudzu_t self:udp_socket { create ioctl };
+
+allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms;
+allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+allow kudzu_t kudzu_var_run_t:file create_file_perms;
+allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+files_create_pid(kudzu_t,kudzu_var_run_t)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_list_proc(kudzu_t)
+kernel_read_device_sysctl(kudzu_t)
+kernel_read_kernel_sysctl(kudzu_t)
+kernel_read_proc_symlinks(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctl(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+
+bootloader_read_kernel_modules(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero_dev(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_search_ramfs(kudzu_t)
+fs_write_ramfs_socket(kudzu_t)
+
+modutils_read_mods_deps(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape_device(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+
+term_search_ptys(kudzu_t)
+term_dontaudit_use_console(kudzu_t)
+# so it can write messages to the console
+term_use_unallocated_tty(kudzu_t)
+
+corecmd_exec_sbin(kudzu_t)
+corecmd_exec_bin(kudzu_t)
+
+domain_exec_all_entry_files(kudzu_t)
+domain_use_wide_inherit_fd(kudzu_t)
+
+files_search_var(kudzu_t)
+files_search_locks(kudzu_t)
+files_exec_etc_files(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+files_read_usr_files(kudzu_t)
+# for /etc/sysconfig/hwconf - probably need a new type
+files_rw_etc_runtime_files(kudzu_t)
+# for file systems that are not yet mounted
+files_dontaudit_search_isid_type_dir(kudzu_t)
+
+init_use_fd(kudzu_t)
+init_use_script_pty(kudzu_t)
+init_unix_connect_script(kudzu_t)
+
+libs_exec_ld_so(kudzu_t)
+libs_exec_lib_files(kudzu_t)
+libs_use_ld_so(kudzu_t)
+libs_use_shared_libs(kudzu_t)
+# Read /usr/lib/gconv/gconv-modules.*
+libs_read_lib(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_localization(kudzu_t)
+
+modutils_read_module_conf(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_search_sysadm_home_dir(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fd(kudzu_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(kudzu_t)
+ term_dontaudit_use_generic_pty(kudzu_t)
+ files_dontaudit_read_root_file(kudzu_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow kudzu_t self:process execmem;
+')
+
+optional_policy(`gpm.te',`
+ gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(kudzu_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(kudzu_t)
+')
+optional_policy(`anaconda.te', `
+ domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
+')
+optional_policy(`lpd.te',`
+ allow kudzu_t printconf_t:file { getattr read };
+')
+optional_policy(`xserver.te',`
+ allow kudzu_t xserver_exec_t:file getattr;
+')
+optional_policy(`rhgb.te',`
+ allow kudzu_t rhgb_t:unix_stream_socket connectto;
+')
+optional_policy(`userhelper.te',`
+ role system_r types sysadm_userhelper_t;
+ domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index f420bf8..2b57eda 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1435,6 +1435,23 @@ interface(`dev_read_mouse',`
 
 ########################################
 ##
+## Read and write to mouse devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mouse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
 ## Read the mtrr device.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d174806..79b253c 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1451,6 +1451,38 @@ interface(`fs_getattr_ramfs',`
 
 ########################################
 ##
+## Search directories on a ramfs
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_search_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir search;
+')
+
+########################################
+##
+## Write to named socket on a ramfs filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_write_ramfs_socket',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:sock_file write;
+')
+
+########################################
+##
 ## Mount a ROM filesystem.
 ##
 ##
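Review bot: `dontaudit kudzu_t self:capability sys_tty_config;` directly follows an allow rule whose permission set already contains `sys_tty_config`, so the dontaudit can never take effect; either the capability is really needed and the dontaudit line should go, or it is only denial noise and `sys_tty_config` should be dropped from the allow with the dontaudit kept. In the same block `allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms;` applies the file permission set to a directory, whereas the kudzu_var_run_t rules a few lines below use `create_dir_perms` for the dir class; the two blocks should agree. The widest grants in the module (`dev_rx_raw_memory`, `dev_wx_raw_memory`, `dev_rwx_zero_dev`, `storage_raw_write_fixed_disk`) carry no why-comment, unlike the tty and /etc/sysconfig/hwconf lines that do; a line such as `# hardware detection needs raw access to memory and fixed disks` above the dev_* group would record the intent. The trailing `allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;` inside the TODO ifdef sits outside any optional_policy block, so if that section were ever enabled it would presumably need the same optional_policy wrapper as its neighbours.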
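Review bot: dev_rw_mouse grants the /dev directory listing inline with `allow $1 device_t:dir r_dir_perms;` and therefore has to require `device_t`, whereas the other interfaces this commit touches (term_search_ptys, the storage_read_* and term_* bodies) obtain that listing through `dev_list_all_dev_nodes($1)`. If dev_read_mouse, whose body lies above the hunk, already uses the helper, this interface should match it, which also shrinks its gen_require to `type mouse_device_t;`.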
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 5062aac..6addf2f 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -335,11 +335,10 @@ interface(`storage_read_scsi_generic',`
 gen_require(`
 attribute scsi_generic_read;
 type scsi_generic_device_t;
- class blk_file r_file_perms;
 ')
 
 dev_list_all_dev_nodes($1)
- allow $1 scsi_generic_device_t:blk_file r_file_perms;
+ allow $1 scsi_generic_device_t:chr_file r_file_perms;
 typeattribute $1 scsi_generic_read;
 ')
 
@@ -554,11 +553,10 @@ interface(`storage_raw_write_removable_device',`
 interface(`storage_read_tape_device',`
 gen_require(`
 type tape_device_t;
- class blk_file r_file_perms;
 ')
 
 dev_list_all_dev_nodes($1)
- allow $1 tape_device_t:blk_file r_file_perms;
+ allow $1 tape_device_t:chr_file r_file_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b597a2e..0cc7366 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -15,7 +15,6 @@ interface(`term_pty',`
 gen_require(`
 attribute ptynode;
 type devpts_t;
- class filesystem associate;
 ')
 
 allow $1 devpts_t:filesystem associate;
@@ -105,9 +104,6 @@ interface(`term_tty',`
 interface(`term_create_pty',`
 gen_require(`
 type bsdpty_device_t, devpts_t, ptmx_t;
- class filesystem getattr;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
 ')
 
 dev_list_all_dev_nodes($1)
@@ -132,8 +128,6 @@ interface(`term_use_all_terms',`
 gen_require(`
 attribute ttynode, ptynode;
 type console_device_t, devpts_t, tty_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
 ')
 
 dev_list_all_dev_nodes($1)
@@ -152,7 +146,6 @@ interface(`term_use_all_terms',`
 interface(`term_write_console',`
 gen_require(`
 type console_device_t;
- class chr_file write;
 ')
 
 dev_list_all_dev_nodes($1)
@@ -170,7 +163,6 @@ interface(`term_write_console',`
 interface(`term_use_console',`
 gen_require(`
 type console_device_t;
- class chr_file rw_file_perms;
 ')
 
 dev_list_all_dev_nodes($1)
@@ -189,7 +181,6 @@ interface(`term_use_console',`
 interface(`term_dontaudit_use_console',`
 gen_require(`
 type console_device_t;
- class chr_file { read write };
 ')
 
 dontaudit $1 console_device_t:chr_file { read write };
@@ -207,7 +198,6 @@ interface(`term_dontaudit_use_console',`
 interface(`term_setattr_console',`
 gen_require(`
 type console_device_t;
- class chr_file setattr;
 ')
 
 dev_list_all_dev_nodes($1)
@@ -234,6 +224,23 @@ interface(`term_dontaudit_getattr_pty_dir',`
 
 ########################################
 ##
+## Search the contents of the /dev/pts directory.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`term_search_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir search;
+')
+
+########################################
+##
 ## Read the /dev/pts directory to
 ## list all ptys.
 ##
diff --git a/refpolicy/policy/modules/services/gpm.if b/refpolicy/policy/modules/services/gpm.if
index 12fefe9..f54f007 100644
--- a/refpolicy/policy/modules/services/gpm.if
+++ b/refpolicy/policy/modules/services/gpm.if
@@ -36,7 +36,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 ')
 
 dev_list_all_dev_nodes($1)
- allow $1 gpmctl_t:sock_file getattr;
+ dontaudit $1 gpmctl_t:sock_file getattr;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1b08279..f59f485 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
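Review bot: term_search_ptys documents its parameter as `The type of the process performing this action.` while the interfaces added alongside it in devices.if, filesystem.if and init.if use `Domain allowed access.`; both describe the same argument, and one wording should be used across the interfaces this commit introduces. The body also calls `dev_list_all_dev_nodes($1)` ahead of its single `allow $1 devpts_t:dir search;` rule, following the pattern of the existing term_* interfaces, so a caller asking only to search /dev/pts presumably also receives whatever /dev listing that helper grants; a short comment stating that would save the next reader a lookup.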
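Review bot: After this one-line fix gpm_dontaudit_getattr_gpmctl still calls `dev_list_all_dev_nodes($1)` on the line above the changed rule, so an interface whose name promises only to silence denials keeps granting whatever that helper allows on /dev; the call looks like a leftover from when the rule below it was an allow and should presumably be removed so the interface carries no allow at all. The same name/body mismatch exists in the new files_dontaudit_search_src interface in files.if, whose only rule is `allow $1 src_t:dir search;` and should read `dontaudit $1 src_t:dir search;` to match its name and the way kudzu.te calls it next to its other dontaudit interfaces.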
@@ -1919,6 +1919,19 @@ interface(`files_exec_usr_files',`
 
 ########################################
 #
+# files_dontaudit_search_src(domain)
+#
+interface(`files_dontaudit_search_src',`
+ gen_require(`
+ type src_t;
+ class dir search;
+ ')
+
+ allow $1 src_t:dir search;
+')
+
+########################################
+#
 # files_read_usr_src_files(domain)
 #
 interface(`files_read_usr_src_files',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index f1f0d9f..1957149 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -392,6 +392,23 @@ interface(`init_run_daemon',`
 
 ########################################
 ##
+## Allow the specified domain to connect to
+## init scripts with a unix domain stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`init_unix_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
 ## Read init scripts.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index be596dc..f18b913 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -162,16 +162,20 @@ ifdef(`targeted_policy',`
 lvm_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+ optional_policy(`logrotate.te',`
+ logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ optional_policy(`kudzu.te',`
+ kudzu_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
 optional_policy(`modutils.te',`
 modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
 modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
 modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
 ')
 
- optional_policy(`logrotate.te',`
- logrotate_run(sysadm_t,sysadm_r,admin_terminal)
- ')
-
 optional_policy(`mount.te',`
 mount_run(sysadm_t,sysadm_r,admin_terminal)
 ')
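Review bot: files_dontaudit_search_src is documented with the legacy `# files_dontaudit_search_src(domain)` header while every other interface this commit adds (dev_rw_mouse, fs_search_ramfs, fs_write_ramfs_socket, term_search_ptys, init_unix_connect_script) uses the `##` summary and parameter block. The neighbouring files.if interfaces visible in the hunk context still use the old form, so the new interface is locally consistent, but as new code it is the natural place to start the conversion with a summary such as `## Do not audit attempts to search the source code directory.` and a `## Domain to not audit.` parameter line. Its gen_require also declares `class dir search;`, which is exactly the kind of line the terminal.if and storage.if hunks of this commit remove from other gen_require blocks.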