diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index e101e2a..d8f1011 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -284,10 +284,6 @@ else
 include $(ROOT)/Rules.modular endif -test: - # $(MODDIR) - # $(ALL_LAYERS) - ######################################## # # Generated files
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index d324c0b..b383186 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -105,7 +105,7 @@ $(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
 @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) cat $^ > $@ -$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES) +$(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) # per-userdomain templates: @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index 9a39f46..ce5ad18 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
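Review bot: `$(ALL_LAYERS)` becomes a normal prerequisite of generated_definitions.conf; if, as its name suggests, it expands to the layer directories, the target is regenerated whenever any entry in those directories changes (editor backups included), and the directories also land in `$^`, so any recipe line that uses `$^` now sees directories alongside the .te files. If the intent is to pick up modules being added or removed, listing the module files themselves (for example via `$(wildcard ...)` over the layers) gives the same trigger without the directory-mtime noise, and the reason deserves a comment, `# depends on the layer dirs so that a new or removed module regenerates the definitions`. The recipe continues outside the hunk, so I cannot see whether `$^` is used further down.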
@@ -137,24 +137,15 @@ level s0:c0.c255;
 # Only files are constrained by MCS at this stage. # mlsconstrain file { write setattr append unlink link rename - ioctl lock execute relabelfrom } (h1 dom h2); - -mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); + create ioctl lock execute } (h1 dom h2); mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread )); # new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } ( h1 dom h2 ); -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -mlsconstrain process { ptrace } ( h1 dom h2 ); - -mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or - ( t1 == mcskillall ); define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append link unlink rename relabelfrom relabelto }')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index bf59940..01e8551 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2656,22 +2656,3 @@ interface(`dev_unconfined',`
 typeattribute $1 memory_raw_write, memory_raw_read; ') - -######################################## -## -## Read and write the USB device. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_usb',` - gen_require(` - type usb_device_t; - ') - - allow $1 device_t:dir r_dir_perms; - allow $1 usb_device_t:chr_file { read write }; -')
diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc
index fa8a4b1..e69de29 100644
--- a/refpolicy/policy/modules/kernel/mcs.fc
+++ b/refpolicy/policy/modules/kernel/mcs.fc
@@ -1 +0,0 @@
-# no MCS file contexts
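Review bot: `create` on `{ dir lnk_file chr_file blk_file sock_file fifo_file }` is no longer MCS-constrained on the new side: the merged constraint covers `relabelfrom relabelto` for those classes, but the removed `{ create relabelto }` constraint is not replaced, so a domain that can no longer relabel a directory or device node to a category set it does not dominate may still create one carrying that label. Adding `mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create } ( h1 dom h2 );` next to the relabel constraint keeps the two paths aligned. The `(l2 eq h2)` condition has also gone from both the `file` create check and the relabelto check, so ranged (low != high) object labels can now be created or relabelled to; that is acceptable only if single-level file labels are not a requirement, and deserves a comment either way. The header `# Only files are constrained by MCS at this stage.` now contradicts the directory and device-node constraint that follows it.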
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
index 1ceab9f..e69de29 100644
--- a/refpolicy/policy/modules/kernel/mcs.if
+++ b/refpolicy/policy/modules/kernel/mcs.if
@@ -1,23 +0,0 @@
-## Multicategory security policy
-##
-## Contains attributes used in MCS policy.
-##
-
-########################################
-##
-## This domain is allowed to sigkill and sigstop
-## all domains regardless of their MCS level.
-##
-##
-##
-## Domain target for user exemption.
-##
-##
-#
-interface(`mcs_killall',`
- gen_require(`
- attribute mcskillall;
- ')
-
- typeattribute $1 mcskillall;
-')
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index 260d950..e69de29 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -1,47 +0,0 @@
-
-policy_module(mcs,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute mcskillall;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-#
-
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
-type sshd_exec_t;
-type su_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t initrc_exec_t s0;
-')
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 765b065..0b66165 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -53,10 +53,38 @@ attribute mlsrangetrans;
 # # Only the base module can have range_transitions, so we # temporarily have to break encapsulation to work around this. -# Other types are declared in the mcs module. # +type auditd_exec_t; +type crond_exec_t; +type cupsd_exec_t; +type getty_t; +type init_t; +type init_exec_t; +type initrc_t; +type initrc_exec_t; +type login_exec_t; type lvm_exec_t; +type sshd_exec_t; +type su_exec_t; +type udev_exec_t; +type unconfined_t; +type xdm_exec_t; + +ifdef(`enable_mcs',` +range_transition getty_t login_exec_t s0 - s0:c0.c255; +range_transition init_t xdm_exec_t s0 - s0:c0.c255; +range_transition initrc_t crond_exec_t s0 - s0:c0.c255; +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; +range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; +range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; + +# these might be targeted_policy only +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; +range_transition unconfined_t initrc_exec_t s0; +') ifdef(`enable_mls',` range_transition initrc_t auditd_exec_t s15:c0.c255;
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 143dd7e..b8305fd 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -101,7 +101,6 @@ corenet_udp_bind_all_nodes(bluetooth_t)
 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -dev_rw_usb(bluetooth_t) dev_read_urand(bluetooth_t) fs_getattr_all_fs(bluetooth_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 62131f9..8e85e00 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
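Review bot: The block of `type` declarations added around `type lvm_exec_t;` is unconditional while the `range_transition` rules that use most of them sit inside the new `ifdef(`enable_mcs'...)` block, and the removed line `# Other types are declared in the mcs module.` leaves the hack comment without any pointer to where these types really live; a comment such as `# These types belong to other modules and are redeclared here only so the base module can carry their range_transitions; keep this list in sync with the owning modules.` would orient the next reader. `init_exec_t` is declared but used by no rule in the hunk — presumably by the `enable_mls` block, which continues outside the hunk. `# these might be targeted_policy only` writes an open question into the policy; either guard the two `unconfined_t` transitions with `ifdef(`targeted_policy',...)` or replace the comment with what was actually verified.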
@@ -97,8 +97,6 @@ fs_search_auto_mountpoints(hald_t)
 mls_file_read_up(hald_t) -modutils_domtrans_insmod(hald_t) - selinux_get_fs_mount(hald_t) selinux_validate_context(hald_t) selinux_compute_access_vector(hald_t)
@@ -130,7 +128,6 @@ libs_exec_ld_so(hald_t)
 libs_exec_lib_files(hald_t) logging_send_syslog_msg(hald_t) -logging_search_logs(hald_t) miscfiles_read_localization(hald_t) miscfiles_read_hwdata(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 5cae9f4..91c90a8 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -44,9 +44,6 @@ role system_r types system_mail_t;
 # System mail local policy # -# newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; - allow system_mail_t etc_mail_t:dir { getattr search }; allow system_mail_t etc_mail_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 8cafe53..d257644 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid
 dontaudit NetworkManager_t self:capability sys_tty_config;
 allow NetworkManager_t self:process { setcap getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 37d09ee..f54a670 100644
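Review bot: Dropping `sendto` from the `self:unix_dgram_socket` rule in the networkmanager.te hunk is a semantic change rather than a cleanup: as far as I recall, `create_socket_perms` does not include `sendto` (verify against the permission-set macros this tree uses), so datagram sends from NetworkManager_t to its own socket would now be denied where they were previously allowed. If such sends never happen this is a harmless tightening, but nothing in the hunk says so; if they do, the usual symptom is a `unix_dgram_socket sendto` denial with source and target both NetworkManager_t, and the line to keep is `allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };`. Either way, a one-line comment stating why the permission was dropped would stop it from being re-added blindly.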
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -273,8 +273,6 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms;
 corecmd_exec_shell(postfix_local_t) corecmd_exec_bin(postfix_local_t) -files_read_etc_files(postfix_local_t) - mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin
@@ -397,8 +395,6 @@ allow postfix_pipe_t self:fifo_file { read write };
 allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:sock_file write; -allow postfix_pipe_t postfix_public_t:fifo_file { getattr write }; - allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 4515bbb..8a11fb6 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -22,8 +22,7 @@ ifdef(`targeted_policy', `', `
 # # /sbin # -/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) - +/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 6d00dd6..2df8025 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -155,8 +155,6 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) -mcs_killall(init_t) - mls_file_read_up(init_t) mls_file_write_down(init_t) mls_rangetrans_target(init_t)
@@ -362,8 +360,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript miscfiles_read_certs(initrc_t) -mcs_killall(initrc_t) - mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) mls_process_read_up(initrc_t)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 3d646fe..a53d338 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -283,7 +283,6 @@ interface(`libs_manage_lib_files',`
 allow $1 lib_t:dir search_dir_perms; allow $1 lib_t:file manage_file_perms; - allow $1 lib_t:lnk_file unlink; ') ########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index dec2ff1..8364ca4 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -10,7 +10,6 @@
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) -/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
@@ -40,5 +39,3 @@ ifdef(`distro_debian', `
 /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) ') - -/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 70792e9..606c511 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -586,28 +586,6 @@ interface(`seutil_read_file_contexts',`
 ') ######################################## -## -## Read and write the file_contexts files. -## -## -## -## Domain allowed access. -## -## -# -interface(`seutil_rw_file_contexts',` - gen_require(` - type selinux_config_t, file_context_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 file_context_t:dir r_dir_perms; - allow $1 file_context_t:file rw_file_perms; - allow $1 file_context_t:lnk_file { getattr read }; -') - -######################################## # # seutil_read_bin_policy(domain) #
@@ -705,3 +683,4 @@ interface(`seutil_manage_src_policy',`
 allow $1 policy_src_t:dir create_dir_perms;
 allow $1 policy_src_t:file create_file_perms;
 ')
+
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index bc32cd7..e63d827 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -55,11 +55,10 @@ interface(`unconfined_domain_noaudit',`
 tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; - auditallow $1 self:process execstack; ', ` # These are fairly common but seem to be harmless # caused by using shared libraries built with old tool chains - #dontaudit $1 self:process execstack; + dontaudit $1 self:process execstack; ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index c227152..ac593ef 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
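Review bot: With the `else` branch of the unconfined.if hunk now carrying `dontaudit $1 self:process execstack;` and the `auditallow` removed from the tunable-true branch, an unconfined domain's executable-stack activity leaves no audit record under either setting of `allow_execmem && allow_execstack`, and that denial is one of the few signals an administrator has that a process is being driven through its stack. The existing comment justifies the `dontaudit` only as noise from old toolchains; if suppressing the signal is intentional, say so next to the rule, e.g. `# execstack denials are deliberately not audited (old-toolchain noise); remove this dontaudit when they need to be visible`, otherwise keep the `auditallow` in the true branch so that granted execstack is at least logged. `unconfined_domain_noaudit` continues outside the hunk.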
@@ -165,13 +165,9 @@ ifdef(`targeted_policy',`
 ') ifdef(`enable_mls',` - corecmd_exec_shell(secadm_t) - mls_process_read_up(secadm_t) - mls_file_write_down(secadm_t) - mls_file_upgrade(secadm_t) - mls_file_downgrade(secadm_t) logging_read_audit_log(secadm_t) logging_domtrans_auditctl(secadm_t) + mls_process_read_up(secadm_t) userdom_dontaudit_append_staff_home_files(secadm_t) ', ` logging_domtrans_auditctl(sysadm_t)
@@ -358,7 +354,6 @@ ifdef(`targeted_policy',`
 seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 ', `
 selinux_set_enforce_mode(sysadm_t)
 selinux_set_boolean(sysadm_t)
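Review bot: Inside the `enable_mls` branch secadm_t loses `corecmd_exec_shell`, `mls_file_write_down`, `mls_file_upgrade` and `mls_file_downgrade`, and the second hunk drops `seutil_run_restorecon`, while the only line re-added is `mls_process_read_up(secadm_t)`; nothing says whether cross-level file relabelling by the security administrator is moving elsewhere or being withdrawn, and the shell removal is hard to judge without the template calls that sit outside the hunk. Because this narrows what the MLS admin role can do, a comment in the branch, e.g. `# secadm_t deliberately has no MLS file upgrade/downgrade rights`, or a sentence in the commit message would keep the calls from being re-added by the next person chasing a denial. Both `ifdef` blocks continue outside the hunks.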