diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 344e1e6..61e8572 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -971,3 +971,29 @@ interface(`corenet_use_tun_tap_device',`
 dev_list_all_dev_nodes($1)
 allow $1 tun_tap_device_t:chr_file { read write };
 ')
+
+########################################
+##
+## Unconfined access to network objects.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute node_type, netif_type, port_type;
+ class tcp_socket { send_msg recv_msg node_bind name_bind };
+ class udp_socket { send_msg recv_msg node_bind name_bind };
+ class rawip_socket node_bind;
+ ')
+
+ allow $1 node_type:node *;
+ allow $1 netif_type:netif *;
+ allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+
+ # Bind to any network address.
+ # cjp: rawip_socket doesnt make any sense
+ allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+ allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 1b6de8e..07544d7 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2042,3 +2042,25 @@ interface(`dev_dontaudit_setattr_video_dev',`
 dontaudit $1 v4l_device_t:chr_file setattr;
 ')
+
+########################################
+##
+## Unconfined access to devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_unconfined',`
+ gen_require(`
+ attribute device_node, memory_raw_write, memory_raw_read;
+ type mtrr_device_t;
+ ')
+
+ allow $1 device_node:devfile_class_set *;
+ allow $1 mtrr_device_t:file *;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_write, memory_raw_read;
+')
+
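Review bot: The note `# cjp: rawip_socket doesnt make any sense` sits above the `port_type ... name_bind` rule, which does not mention rawip_socket at all; the rule it is about is the next line, `allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;`. Either move the note onto that line or settle the question before this lands: if raw-IP node binding is not wanted, drop `rawip_socket` from that rule and remove the `class rawip_socket node_bind;` require, otherwise replace the note with the reason it stays. The `node` and `netif` classes used by the first two `allow` lines are not listed in `gen_require` while the socket classes are, so the block is inconsistent about what it declares; whether that matters depends on how the rest of this file handles class requires, which is not visible here.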
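Review bot: `typeattribute $1 memory_raw_write, memory_raw_read;` together with `allow $1 device_node:devfile_class_set *;` is the part of dev_unconfined that matters most: those attributes presumably exist to get past the assertions guarding raw memory devices, and a domain that carries them plus blanket device-node access and `sys_rawio` can read and write physical memory, which is kernel-equivalent. The summary `Unconfined access to devices.` says nothing about that, and a later reader will not see it in the rules either. I'd put it on the typeattribute line: `# Marks the caller as a raw memory reader/writer (satisfies the memory_raw_* assertions); with sys_rawio this is kernel-equivalent access.`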
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index b8618ad..f70cff2 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1675,3 +1675,23 @@ interface(`fs_getattr_all_files',`
 allow $1 filesystem_type:sock_file getattr;
 ')
+########################################
+##
+## Unconfined access to filesystems
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_unconfined',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem *;
+
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+ allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 2c58d7a..9b0abcf 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1015,3 +1015,27 @@ interface(`kernel_relabel_unlabeled',`
 allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
 ')
+########################################
+##
+## Unconfined access to the kernel.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_unconfined',`
+ gen_require(`
+ type kernel_t, unlabeled_t;
+ attribute can_load_kernmodule, can_receive_kernel_messages;
+ ')
+
+# allow $1 proc_fs:{ dir file } *;
+
+ allow $1 sysctl_t:{ dir file } *;
+ allow $1 kernel_t:system *;
+ allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+ typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
+
+ kernel_rw_all_sysctl($1)
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 80398fe..bf5fa47 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
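Review bot: The class list in the last `allow` of fs_unconfined omits `file` and `chr_file`, yet the comment above it says `Create/access other files`; regular files on the pseudo filesystems the comment refers to would therefore stay out of reach. If the omission is deliberate — to keep `execmod` under the tunable the way `files_unconfined` does with `~execmod` — the comment should say so; otherwise add `allow $1 filesystem_type:{ file chr_file } ~execmod;` next to it. The comment also names `fs_type`, which in this tree is the interface that applies the `filesystem_type` attribute, so `filesystem_type (applied by fs_type())` would stop a reader hunting for an attribute of that name.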
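Review bot: `sysctl_t` is used by `allow $1 sysctl_t:{ dir file } *;` but is not in kernel_unconfined's `gen_require` block, which lists only `kernel_t` and `unlabeled_t`; an interface called from another module should require every type it names, so make it `type kernel_t, unlabeled_t, sysctl_t;`. That rule presumably also overlaps with the `kernel_rw_all_sysctl($1)` call at the end — one of the two could go, or a comment could say why both are kept. The commented-out `# allow $1 proc_fs:{ dir file } *;` line is dead policy; if proc access is covered elsewhere it should be deleted rather than left as a hint to the next maintainer.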
@@ -7,9 +7,6 @@ policy_module(kernel,1.0)
 #
 # assertion related attributes
-attribute can_load_policy;
-attribute can_setenforce;
-attribute can_setsecparam;
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
@@ -17,7 +14,7 @@ attribute can_receive_kernel_messages;
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 #
-type kernel_t, can_load_kernmodule, can_load_policy;
+type kernel_t, can_load_kernmodule;
 role system_r types kernel_t;
 domain_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
@@ -173,6 +170,8 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
+selinux_load_policy(kernel_t)
+
 term_use_console(kernel_t)
 # Mount root file system. Used when loading a policy
@@ -200,9 +199,6 @@ logging_send_syslog_msg(kernel_t)
 seutil_read_config(kernel_t)
 seutil_read_binary_pol(kernel_t)
-neverallow ~can_load_policy security_t:security load_policy;
-neverallow ~can_setenforce security_t:security setenforce;
-neverallow ~can_setsecparam security_t:security setsecparam;
 neverallow ~can_load_kernmodule self:capability sys_module;
 ########################################
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index a8baa0c..6f79c6e 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
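Review bot: `kernel_t` loses `can_load_policy` from its type declaration and now depends on `selinux_load_policy(kernel_t)` for the load_policy permission, but the assertion `neverallow ~can_load_policy security_t:security load_policy;` still exists (it only moves to selinux.te), so that interface must also attach the `can_load_policy` attribute — and this diff does not show its body. Worth confirming before merging, since the failure mode is a build-time assertion error in a module that nearly everything depends on. A one-line comment next to the call, `# selinux_load_policy() also marks kernel_t can_load_policy for the assertion in selinux.te`, would record the dependency for whoever next edits either file.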
@@ -250,3 +250,24 @@ interface(`selinux_compute_user_contexts',`
 allow $1 security_t:security compute_user;
 ')
+########################################
+##
+## Unconfined access to the SELinux security server.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`selinux_unconfined',`
+ gen_require(`
+ attribute can_load_policy, can_setenforce, can_setsecparam;
+ type security_t;
+ class security { load_policy setenforce setbool };
+ ')
+
+ # Access the security API.
+ allow $1 security_t:security *;
+ auditallow $1 security_t:security { load_policy setenforce setbool };
+
+ typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
+')
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
index 25c104a..6953df6 100644
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -6,6 +6,10 @@ policy_module(selinux,1.0)
 # Declarations
 #
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+
 #
 # security_t is the target type when checking
 # the permissions in the security class. It is also
@@ -15,3 +19,7 @@ type security_t;
 fs_type(security_t)
 sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
+
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 996a029..659efa2 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -1,10 +1,10 @@
 ## Policy controlling access to storage devices
 ########################################
-##
+##
 ## Allow the caller to get the attributes of fixed disk
 ## device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
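Review bot: The `auditallow` in selinux_unconfined covers `load_policy setenforce setbool` but not `setsecparam`, even though the same interface hands the domain `can_setsecparam` and `allow $1 security_t:security *;` grants the permission; for a domain that can retune the security server the whole privileged set should be audited, i.e. `auditallow $1 security_t:security { load_policy setenforce setbool setsecparam };`. The `class security { ... }` line in `gen_require` should list the same four permissions so the two stay in step.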
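Review bot: The three attributes arrive in selinux.te without the `# assertion related attributes` comment they had in kernel.te, and the `neverallow` rules appended at the bottom of the file are the only reason they exist; a reader of selinux.te now sees three bare attribute declarations with no pointer to either. I'd restore the comment above them: `# Assertion attributes: the only types allowed to load policy, set enforcing mode or set security parameters (see the neverallow rules at the end of this file).`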
@@ -20,10 +20,10 @@ interface(`storage_getattr_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Do not audit attempts made by the caller to get
 ## the attributes of fixed disk device nodes.
-##
+##
 ##
 ## The type of the process to not audit.
 ##
@@ -38,10 +38,10 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Allow the caller to set the attributes of fixed disk
 ## device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -57,10 +57,10 @@ interface(`storage_setattr_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Do not audit attempts made by the caller to set
 ## the attributes of fixed disk device nodes.
-##
+##
 ##
 ## The type of the process to not audit.
 ##
@@ -75,12 +75,12 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read from a fixed disk.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -98,12 +98,12 @@ interface(`storage_raw_read_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly write to a fixed disk.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -121,9 +121,9 @@ interface(`storage_raw_write_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Create block devices in /dev with the fixed disk type.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -197,12 +197,12 @@ interface(`storage_swapon_fixed_disk',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read from a logical volume.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -220,12 +220,12 @@ interface(`storage_raw_read_lvm_volume',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read from a logical volume.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -243,10 +243,10 @@ interface(`storage_raw_write_lvm_volume',`
 ')
 ########################################
-##
+##
 ## Allow the caller to get the attributes of
 ## the generic SCSI interface device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -262,10 +262,10 @@ interface(`storage_getattr_scsi_generic',`
 ')
 ########################################
-##
+##
 ## Allow the caller to set the attributes of
 ## the generic SCSI interface device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -281,13 +281,13 @@ interface(`storage_setattr_scsi_generic',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read, in a
 ## generic fashion, from any SCSI device.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -305,13 +305,13 @@ interface(`storage_read_scsi_generic',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly write, in a
 ## generic fashion, from any SCSI device.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -329,10 +329,10 @@ interface(`storage_write_scsi_generic',`
 ')
 ########################################
-##
+##
 ## Get attributes of the device nodes
 ## for the SCSI generic inerface.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -348,10 +348,10 @@ interface(`storage_getattr_scsi_generic',`
 ')
 ########################################
-##
+##
 ## Set attributes of the device nodes
 ## for the SCSI generic inerface.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -367,10 +367,10 @@ interface(`storage_set_scsi_generic_attributes',`
 ')
 ########################################
-##
+##
 ## Allow the caller to get the attributes of removable
 ## devices device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -386,10 +386,10 @@ interface(`storage_getattr_removable_device',`
 ')
 ########################################
-##
+##
 ## Do not audit attempts made by the caller to get
 ## the attributes of removable devices device nodes.
-##
+##
 ##
 ## The type of the process to not audit.
 ##
@@ -404,10 +404,10 @@ interface(`storage_dontaudit_getattr_removable_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to set the attributes of removable
 ## devices device nodes.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -423,10 +423,10 @@ interface(`storage_setattr_removable_device',`
 ')
 ########################################
-##
+##
 ## Do not audit attempts made by the caller to set
 ## the attributes of removable devices device nodes.
-##
+##
 ##
 ## The type of the process to not audit.
 ##
@@ -441,13 +441,13 @@ interface(`storage_dontaudit_setattr_removable_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read from
 ## a removable device.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -463,13 +463,13 @@ interface(`storage_raw_read_removable_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly write to
 ## a removable device.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
 ## should only be used by trusted domains.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -485,10 +485,10 @@ interface(`storage_raw_write_removable_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read
 ## a tape device.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -504,10 +504,10 @@ interface(`storage_read_tape_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to directly read
 ## a tape device.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -523,10 +523,10 @@ interface(`storage_write_tape_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to get the attributes
 ## of device nodes of tape devices.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -542,10 +542,10 @@ interface(`storage_getattr_tape_device',`
 ')
 ########################################
-##
+##
 ## Allow the caller to set the attributes
 ## of device nodes of tape devices.
-##
+##
 ##
 ## The type of the process performing this action.
 ##
@@ -560,3 +560,23 @@ interface(`storage_setattr_tape_device',`
 allow $1 tape_device_t:blk_file setattr;
 ')
+########################################
+##
+## Unconfined access to storage devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`storage_unconfined',`
+ gen_require(`
+ type fixed_disk_device_t, removable_device_t;
+ type lvm_vg_t, scsi_generic_device_t, tape_device_t;
+ ')
+
+ allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
+ allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *;
+
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+ typeattribute $1 scsi_generic_read, scsi_generic_write;
+')
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 28da967..2c975b9 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
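Review bot: The two `typeattribute` lines in storage_unconfined use `fixed_disk_raw_read`, `fixed_disk_raw_write`, `scsi_generic_read` and `scsi_generic_write`, none of which is in the `gen_require` block, which lists only types; add `attribute fixed_disk_raw_read, fixed_disk_raw_write, scsi_generic_read, scsi_generic_write;` so the interface resolves when called from another module. Both `allow` rules grant `blk_file` only: `tape_device_t` is used as `blk_file` in the visible `storage_setattr_tape_device` context, but `scsi_generic_device_t` is not, and /dev/sg* nodes are normally character devices, so check which class `storage_read_scsi_generic` uses and add a `chr_file` rule if that is it. Two things in the surrounding whitespace-only hunks are worth fixing while this file is open: `storage_getattr_scsi_generic` is defined twice (the hunk headers at -262 and -348 both name it, under different summaries), so one definition silently shadows the other, and the summaries of `storage_raw_write_lvm_volume`, `storage_write_scsi_generic` and `storage_write_tape_device` still say `read`/`from` where they mean `write`/`to`.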
@@ -452,6 +452,45 @@ interface(`domain_read_all_entry_files',`
 allow $1 entry_type:file r_file_perms;
 ')
+########################################
+##
+## Unconfined access to domains.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_unconfined',`
+ gen_require(`
+ attribute domain, set_curr_context;
+ class fd use;
+ class fifo_file rw_file_perms;
+ class process { transition dyntransition execmem };
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ # Use/sendto/connectto sockets created by any domain.
+ allow $1 domain:{ socket_class_set socket key_socket } *;
+
+ # Use descriptors and pipes created by any domain.
+ allow $1 domain:fd use;
+ allow $1 domain:fifo_file rw_file_perms;
+
+ # Act upon any other process.
+ allow $1 domain:process ~{ transition dyntransition execmem };
+ typeattribute $1 set_curr_context;
+
+ # Create/access any System V IPC objects.
+ allow $1 domain:{ sem msgq shm } *;
+ allow $1 domain:msg { send receive };
+
+ # For /proc/pid
+ allow $1 domain:dir r_dir_perms;
+ allow $1 domain:file r_file_perms;
+ allow $1 domain:lnk_file r_file_perms;
+')
 #
 # These next macros are not interfaces, but actually are
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 10dc4da..51ba3d8 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
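Review bot: `allow $1 domain:process ~{ transition dyntransition execmem };` needs a why-comment: if `$1` itself carries `domain`, as process types normally do, this rule would otherwise hand it `execmem` on self outside the `allow_execmem` tunable, and the transition exclusions keep domain changes explicit, while everything else in the process class — ptrace, signal delivery, setexec/setcurrent and the rest — is granted against every domain including the kernel. I'd replace `# Act upon any other process.` with `# Act upon any process (ptrace, signals, set*, ...). execmem is left to the allow_execmem tunable; transition/dyntransition stay explicit.` The `class fifo_file rw_file_perms;` and `class dir r_dir_perms;` lines in `gen_require` rely on the permission macros expanding inside the require block, which is fine if the rest of this file does the same but is unusual enough that a one-line note would spare the next reader a double take.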
@@ -1342,3 +1342,30 @@ interface(`files_manage_generic_spools',`
 allow $1 var_spool_t:dir rw_dir_perms;
 allow $1 var_spool_t:file create_file_perms;
 ')
+
+########################################
+##
+## Unconfined access to files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_unconfined',`
+ gen_require(`
+ attribute file_type;
+ class unix_stream_socket name_bind;
+ class unix_dgram_socket name_bind;
+ ')
+
+ # Create/access any file in a labeled filesystem;
+ allow $1 file_type:{ file chr_file } ~execmod;
+ allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+ # Mount/unmount any filesystem with the context= option.
+ allow $1 file_type:filesystem *;
+
+ # Bind to any network address.
+ # cjp: need to check this, I dont think this has any effect.
+ allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+')
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
new file mode 100644
index 0000000..c3a6c12
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.fc
@@ -0,0 +1,3 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
new file mode 100644
index 0000000..c74aadb
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.if
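Review bot: The rule under `# cjp: need to check this` — `allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;` — should be resolved rather than shipped as an open question: as far as I know the kernel only checks `name_bind` on AF_INET/INET6 binds, against the port type, while a pathname AF_UNIX bind is checked as a `sock_file` create in the target directory, so the rule and the two `class ... name_bind;` requires would be dead. If that is confirmed, delete all three lines; if not, replace the note with what the check is actually for. The `~execmod` carve-out on `{ file chr_file }` is the counterpart of the `allow_execmod` handling in the unconfined template and deserves a comment saying so, e.g. `# execmod is left to the allow_execmod tunable in the unconfined module.`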
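Review bot: The example in unconfined.fc, `/usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t`, carries no MLS level, whereas every context written elsewhere in this diff goes through a macro that appends one (`context_template(...,s0)`); someone who copies the example into an MLS build gets an entry that will not label. Write the example with the file-context macro this tree uses for `.fc` files, or at minimum as `system_u:object_r:unconfined_exec_t:s0`, and say in the comment that anything listed here runs with no SELinux restrictions at all.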
@@ -0,0 +1,75 @@
+## The unconfined domain.
+
+########################################
+##
+## A template to make the specified domain unconfined.
+##
+##
+## Domain to make unconfined.
+##
+#
+template(`unconfined_access_template',`
+
+ # Use any Linux capability.
+ allow $1 self:capability *;
+
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
+
+ # Userland object managers
+ allow $1 self:nscd *;
+ allow $1 self:dbus *;
+ allow $1 self:passwd *;
+
+ kernel_unconfined($1)
+ dev_unconfined($1)
+ fs_unconfined($1)
+ selinux_unconfined($1)
+
+ domain_unconfined($1)
+ files_unconfined($1)
+
+ tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+ allow $1 self:process execmem;
+ ')
+
+ # to satisfy assertions:
+ optional_policy(`authlogin.te',`
+ auth_manage_shadow($1)
+ auth_relabelto_shadow($1)
+ ')
+
+ optional_policy(`bootloader.te',`
+ bootloader_manage_kernel_modules($1)
+ ')
+
+ optional_policy(`selinuxutil.te',`
+ seutil_create_binary_pol($1)
+ seutil_relabelto_binary_pol($1)
+ ')
+
+ optional_policy(`storage.te',`
+ storage_unconfined($1)
+ ')
+
+ ifdef(`TODO',`
+ if (allow_execmod) {
+ # Allow text relocations on system shared libraries, e.g. libGL.
+ allow $1 texrel_shlib_t:file execmod;
+ }
+
+ ifdef(`dbusd.te', `
+ # Communicate via dbusd.
+ allow $1 system_dbusd_t:dbus *;
+ ')
+
+ ifdef(`nscd.te', `
+ # Get info via nscd.
+ allow $1 nscd_t:nscd *;
+ ')
+ ') dnl end TODO
+')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
new file mode 100644
index 0000000..98106af
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.te
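Review bot: The `ifdef(`TODO',`...')` block is dead policy with a real consequence: `files_unconfined` grants `{ file chr_file } ~execmod`, so the only path to `execmod` on `texrel_shlib_t` is the `if (allow_execmod)` rule inside that block, which never compiles, and text-relocated libraries would be denied for the unconfined domain until it becomes a `tunable_policy(`allow_execmod',`...')` like the `allow_execmem` one a few lines above, granting the permission through the libs module's interface rather than a raw `allow` on its type. The `ifdef(`dbusd.te'` and `ifdef(`nscd.te'` pieces should likewise become `optional_policy` calls on those modules' interfaces. Separately, the comment `# Allow loading DSOs that require executable stack.` sits on an `execmem` rule; execmem governs writable-and-executable anonymous or private mappings, not the stack, so I'd word it `# Allow writable+executable memory (JIT, text-relocated DSOs) under the allow_execmem tunable.`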
@@ -0,0 +1,23 @@
+
+policy_module(unconfined,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type unconfined_t;
+type unconfined_exec_t;
+init_system_domain(unconfined_t,unconfined_exec_t)
+role system_r types unconfined_t;
+
+########################################
+#
+# Local policy
+#
+
+unconfined_access_template(unconfined_t)
+logging_send_syslog_msg(unconfined_t)
+
+#role sysadm_r types unconfined_t;
+#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
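Review bot: The only way into `unconfined_t` is `init_system_domain(unconfined_t,unconfined_exec_t)` under `role system_r`, and the `#role sysadm_r types unconfined_t;` / `#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)` lines are commented out, so an administrator cannot enter the domain and the shipped `.fc` labels nothing as `unconfined_exec_t`. If that is the intended minimal default, a comment should say so; if not, the two lines belong inside an `optional_policy(`userdomain.te',`...')` block rather than lingering as commented-out code that someone will uncomment without review. Either way I'd add a header comment that whoever can label a binary `unconfined_exec_t` and have init (or later sysadm_t) run it obtains a domain with no SELinux restrictions, so every future `.fc` addition to this module is a trust decision.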