diff --git a/refpolicy/Makefile b/refpolicy/Makefile
new file mode 100644
index 0000000..a4dc0d1
--- /dev/null
+++ b/refpolicy/Makefile
@@ -0,0 +1,185 @@ +######################################## +# +# Configurable portions of the Makefile +# + +# Build compatibility policies +POLICYCOMPAT = -c 18 + +# set distribution +#override M4PARAM += -D distro_redhat + +# Uncomment this to disable command echoing +#QUIET:=@ + +######################################## +# +# Invariant portions of the Makefile +# + +# executable paths +PREFIX := /usr +BINDIR := $(PREFIX)/bin +SBINDIR := $(PREFIX)/sbin +CHECKPOLICY := $(BINDIR)/checkpolicy +SETFILES := $(SBINDIR)/setfiles + +# determine the policy version and current kernel version if possible +PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') +KV := $(shell cat /selinux/policyvers) + +# dont print version warnings if we are unable to determine +# the currently running kernel's policy version +ifeq ($(KV),) +KV := $(PV) +endif + +FC := file_contexts +POLVER := policy.$(PV) +TYPE := strict + +# install paths +TOPDIR = $(DESTDIR)/etc/selinux +INSTALLDIR = $(TOPDIR)/$(TYPE) +POLICYPATH = $(INSTALLDIR)/policy +SRCPATH = $(INSTALLDIR)/src +USERPATH = $(INSTALLDIR)/users +CONTEXTPATH = $(INSTALLDIR)/contexts +LOADPATH = $(POLICYPATH)/$(POLVER) +FCPATH = $(CONTEXTPATH)/files/file_contexts +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template + +BASE_MODULE = kernel +FLASKDIR = $(BASE_MODULE)/flask/ +MISCDIR = $(BASE_MODULE)/misc/ + +DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) +ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS)) + +PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) +ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if)) +ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te)) +POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts) + +ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc)) + +POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf 
tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf + +override M4PARAM += -D monolithic_policy + +######################################## +# +# default action: build policy locally +# +default: policy + +policy: $(POLVER) + +install: $(LOADPATH) + +######################################## +# +# Build a binary policy locally +# +$(POLVER): policy.conf +ifneq ($(PV),$(KV)) + @echo + @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" + @echo +endif + $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER) + +######################################## +# +# Install a binary policy +# +$(LOADPATH): policy.conf + @mkdir -p $(POLICYPATH) +ifneq ($(PV),$(KV)) + @echo + @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" + @echo +endif + $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH) + +######################################## +# +# Construct a monolithic policy.conf +# +policy.conf: $(POLICY_SECTIONS) + $(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp + $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ + $(QUIET) # the ordering of these ocontexts matters: + $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true + $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true + $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true + +tmp/pre_te_files.conf: $(PRE_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te + @test -d tmp || mkdir -p tmp + $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ + $(QUIET) for i in $(ALL_MODULES); do \ + echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ + >> $@ ;\ + done + $(QUIET) echo "')" >> $@ + $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ + echo "define(\`$$i')" >> $@ ;\ + done + $(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if 
$(BASE_MODULE)/corenetwork.te \ + | sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@ + +tmp/all_interfaces.conf: $(ALL_INTERFACES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/all_te_files.conf: $(ALL_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/post_te_files.conf: $(POST_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. portcon, nodecon, and netifcon +# is delayed since they are generated by m4 +tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf + $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true + $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf + $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf + +######################################## +# +# Construct file_contexts +# +$(FC): $(ALL_FC_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) m4 $(M4PARAM) $^ > $@ + +######################################## +# +# Filesystem labeling +# +FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` + +checklabels: $(SETFILES) + $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) + +restorelabels: $(SETFILES) + $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) + +relabel: $(FC) $(SETFILES) + $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) + +clean: + rm -fR tmp + rm -f policy.conf + rm -f policy.$(PV) + rm -f $(FC) + +.PHONY: default clean policy install diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if new file mode 100644 index 0000000..37b0cb1 --- /dev/null +++ b/refpolicy/policy/modules/kernel/bootloader.if 
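Review bot: The rule header `tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf` defines three independent rules that share one recipe, so under `make -j` the recipe can run up to three times concurrently and the `>` then `>>` pair that assembles tmp/all_post.conf can interleave, which could leave duplicated genfscon lines in the input to policy.conf. A stamp file makes the three outputs one unit; the rewrite is below. Separately, `checklabels` and `restorelabels` invoke setfiles on `$(FC)` without listing it as a prerequisite, so they run against whatever file_contexts happens to be on disk (stale or absent) while `relabel` does rebuild it, and none of the three labeling targets is declared phony; `.PHONY: default clean policy install checklabels restorelabels relabel` plus `$(FC)` as a prerequisite of all three would make them consistent. A guard such as `ifeq ($(strip $(PV)),)` / `$(error checkpolicy not found)` after the `PV :=` line would also stop an empty PV from silently producing a target named `policy.`.
```make
# one recipe run produces all three split files; the stamp keeps them
# a single unit so the recipe cannot run more than once under -j
tmp/.split_te.stamp: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
	@touch $@
tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/.split_te.stamp ;
```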
@@ -0,0 +1,144 @@ +######################################## +# +# bootloader_install_kernel(domain,[`optional']) +# +define(`bootloader_install_kernel',` +requires_block_template(bootloader_install_kernel_depend,$2) +allow $1 boot_t:dir { getattr search read write add_name }; +allow $1 boot_t:file { getattr read write create }; +allow $1 boot_t:lnk_file { getattr read create unlink }; +') + +define(`bootloader_install_kernel_depend',` +type boot_t; +class dir { getattr search read write add_name }; +class file { getattr read write create }; +class lnk_file { getattr read create unlink }; +') + +######################################## +# +# bootloader_install_initrd(domain,[`optional']) +# +define(`bootloader_install_initrd',` +requires_block_template(bootloader_install_initrd_depend,$2) +allow $1 boot_t:dir { getattr search read write add_name }; +allow $1 boot_t:file { getattr read write create }; +allow $1 boot_t:lnk_file { getattr read create unlink }; +') + +define(`bootloader_install_initrd_depend',` +type boot_t; +class dir { getattr search read write add_name }; +class file { getattr read write create }; +class lnk_file { getattr read create unlink }; +') + +######################################## +# +# bootloader_install_kernel_symbol_table(domain,[`optional']) +# +define(`bootloader_install_kernel_symbol_table',` +requires_block_template(bootloader_install_kernel_symbol_table_depend,$2) +allow $1 boot_t:dir { getattr search read write add_name }; +allow $1 system_map_t:file { getattr read write create }; +') + +define(`bootloader_install_kernel_symbol_table_depend',` +type boot_t, system_map_t; +class dir { getattr search read write add_name }; +class file { getattr read write create }; +') + +######################################## +# +# bootloader_read_kernel_symbol_table(domain,[`optional']) +# +define(`bootloader_read_kernel_symbol_table',` +requires_block_template(bootloader_read_kernel_symbol_table_depend,$2) +allow $1 boot_t:dir { getattr search 
read }; +allow $1 system_map_t:file { getattr read }; +') + +define(`bootloader_read_kernel_symbol_table_depend',` +type boot_t, system_map_t; +class dir { getattr search read }; +class file { getattr read }; +') + +######################################## +# +# bootloader_remove_kernel(domain,[`optional']) +# +define(`bootloader_remove_kernel',` +requires_block_template(bootloader_remove_kernel_depend,$2) +allow $1 boot_t:dir { getattr search read write remove_name }; +allow $1 boot_t:file { getattr unlink }; +') + +define(`bootloader_remove_kernel_depend',` +type boot_t; +class dir { getattr search read write remove_name }; +class file { getattr unlink }; +') + +######################################## +# +# bootloader_remove_kernel_symbol_table(domain,[`optional']) +# +define(`bootloader_remove_kernel_symbol_table',` +requires_block_template(bootloader_remove_kernel_symbol_table_depend,$2) +allow $1 boot_t:dir { getattr search read write remove_name }; +allow $1 system_map_t:file { getattr unlink }; +') + +define(`bootloader_remove_kernel_symbol_table_depend',` +type boot_t, system_map_t; +class dir { getattr search read write remove_name }; +class file { getattr unlink }; +') + +######################################## +# +# bootloader_read_config(domain,[`optional']) +# +define(`bootloader_read_config',` +requires_block_template(bootloader_read_config_depend,$2) +allow $1 bootloader_etc_t:file { getattr read }; +') + +define(`bootloader_read_config_depend',` +type bootloader_etc_t; +class file { getattr read }; +') + +######################################## +# +# bootloader_modify_config(domain,[`optional']) +# +define(`bootloader_modify_bootloader_config',` +requires_block_template(bootloader_modify_config_depend,$2) +allow $1 bootloader_etc_t:file { getattr read write append }; +') + +define(`bootloader_modify_bootloader_config_depend',` +type bootloader_etc_t; +class file { getattr read write append }; +') + +######################################## +# +# 
bootloader_create_runtime_data(domain,[`optional']) +# +define(`bootloader_create_runtime_data',` +requires_block_template(bootloader_create_runtime_data_depend,$2) +allow $1 boot_t:dir { getattr search read write add_name remove_name }; +allow $1 boot_runtime_t:file { getattr create read write append unlink }; +type_transition $1 boot_t:file boot_runtime_t; +') + +define(`bootloader_create_runtime_data_depend',` +type boot_t, boot_runtime_t; +class dir { getattr search read write add_name remove_name }; +class file { getattr create read write append unlink }; +') diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te new file mode 100644 index 0000000..5cf15b5 --- /dev/null +++ b/refpolicy/policy/modules/kernel/bootloader.te 
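Review bot: The interface whose header comment reads `bootloader_modify_config(domain,[`optional'])` is defined as `bootloader_modify_bootloader_config`, and its body calls `requires_block_template(bootloader_modify_config_depend,$2)` while the depend macro defined right after it is `bootloader_modify_bootloader_config_depend`, so the requires block names a macro that does not exist (m4 passes the bare name through) and a caller using the documented name gets no expansion at all. Every other interface/depend pair in this file agrees; renaming the two definitions to `bootloader_modify_config` and `bootloader_modify_config_depend` makes them match the comment and the call. Also `bootloader_install_kernel` and `bootloader_install_initrd` grant the identical permission set on boot_t; if they are kept separate so they can diverge later, a one-line comment saying so would stop a reader from merging them.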
@@ -0,0 +1,198 @@ +type bootloader_t; +domain_make_domain(bootloader_t) + +type bootloader_exec_t; +domain_make_entrypoint_file(bootloader_t,bootloader_exec_t) + +# +# boot_t is the type for files in /boot +# +type boot_t; +files_make_file(boot_t) + +# +# bootloader_etc_t is the configuration file, +# grub.conf, lilo.conf, etc. +# +type bootloader_etc_t alias etc_bootloader_t; +files_make_file(bootloader_etc_t) + +# +# system_map_t is for the system.map files in /boot +# +type system_map_t; +files_make_file(system_map_t) + +# +# The temp file is used for initrd creation; +# it consists of files and device nodes +# +type bootloader_tmp_t; +files_make_file(bootloader_tmp_t) +devices_make_device_node(bootloader_tmp_t) + +allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:process { sigkill sigstop signull signal }; +allow bootloader_t self:fifo_file { getattr read write }; + +kernel_stat_kernel_core_interface(bootloader_t) +kernel_read_system_state(bootloader_t) +kernel_read_software_raid_state(bootloader_t) +kernel_read_kernel_sysctl(bootloader_t) + +storage_raw_read_fixed_disk(bootloader_t) +storage_raw_write_fixed_disk(bootloader_t) +storage_raw_read_removable_device(bootloader_t) +storage_raw_write_removable_device(bootloader_t) + +# for reading BIOS data (cjp: ?) 
+devices_raw_read_memory(bootloader_t) + +libraries_use_dynamic_loader(bootloader_t) +libraries_read_shared_libraries(bootloader_t) + +files_read_general_system_config(bootloader_t) +files_read_runtime_system_config(bootloader_t) +files_read_system_source_code(bootloader_t) + +# uncomment the following line if you use "lilo -p" +#files_create_private_config(bootloader_t,bootloader_etc_t) +#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + +filesystem_read_persistent_filesystem_stats(bootloader_t) + +terminal_use_controlling_terminal(bootloader_t) + +allow bootloader_t bootloader_etc_t:file { getattr read }; + +define(`initrc_insmod_optional_policy', ` +modutils_insmod_execute(insmod_t) +') + +miscfiles_read_localization(bootloader_t) + +devices_ignore_modify_generic_devices(bootloader_t) + +######################################## +# +# mkinitrd policy +# + +files_read_general_system_resources(bootloader_t) +bootloader_install_initrd(bootloader_t) + +devices_get_random_data(bootloader_t) +devices_get_pseudorandom_data(bootloader_t) +corecommands_execute_general_programs(bootloader_t) +corecommands_execute_system_programs(bootloader_t) +corecommands_execute_shell(bootloader_t) + +selinux_read_binary_policy(bootloader_t) +selinux_read_load_policy_binary(bootloader_t) + +modutils_read_kernel_modules(bootloader_t) +modutils_read_kernel_module_dependencies(bootloader_t) +modutils_read_kernel_module_loading_config(bootloader_t) + +logging_modify_system_logs(bootloader_t) + +files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) +allow bootloader_t bootloader_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +allow bootloader_t bootloader_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow bootloader_t bootloader_tmp_t:chr_file { create ioctl read 
getattr lock write setattr append link unlink rename }; +allow bootloader_t bootloader_tmp_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlink rename }; +# for tune2fs (cjp: ?) +files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t) + +################################################################################ +ifdef(`TODO',` + +# admin runs bootloader: +domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) +allow bootloader_t admin_tty_type:chr_file rw_file_perms; +allow bootloader_t privfd:fd use; + +allow bootloader_t { device_type ttyfile }:chr_file getattr; +allow bootloader_t device_type:blk_file getattr; +allow bootloader_t initctl_t:fifo_file getattr; + +# no transition from initrc to bootloader, +# so why are these rules needed +role system_r types bootloader_t; +allow bootloader_t initrc_devpts_t:chr_file rw_file_perms; +allow bootloader_t initrc_t:fifo_file { read write }; +allow bootloader_t initrc_t:fd use; + +allow bootloader_t lib_t:file { getattr read }; + +allow bootloader_t sysfs_t:dir getattr; + +allow bootloader_t var_t:dir search; +allow bootloader_t var_t:file { getattr read }; + +ifdef(`fsadm.te', ` +allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans }; +') + +# LVM2 / Device Mapper's /dev/mapper/control +# maybe we should change the labeling for this +ifdef(`lvm.te', ` +allow bootloader_t lvm_control_t:chr_file rw_file_perms; +domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t) +allow lvm_t bootloader_tmp_t:file rw_file_perms; +r_dir_file(bootloader_t, lvm_etc_t) +') + +ifdef(`distro_debian', ` +allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; +allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; +allow bootloader_t boot_t:file relabelfrom; +allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; +allow bootloader_t { usr_t 
lib_t fsadm_exec_t }:file create_file_perms; +allow bootloader_t tmpfs_t:dir r_dir_perms; +allow bootloader_t initrc_var_run_t:dir r_dir_perms; +allow bootloader_t var_lib_t:dir search; +allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; +allow bootloader_t dpkg_var_lib_t:file { getattr read }; +# for /usr/share/initrd-tools/scripts +can_exec(bootloader_t, usr_t) +') + +ifdef(`distro_redhat', ` +# for mke2fs +domain_auto_trans(bootloader_t, mount_exec_t, mount_t); +allow mount_t bootloader_tmp_t:dir mounton; +allow bootloader_t modules_object_t:lnk_file { getattr read }; + +# new file system defaults to file_t, granting file_t access is still bad. +allow bootloader_t file_t:dir create_dir_perms; +allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; +allow bootloader_t file_t:lnk_file create_lnk_perms; +allow bootloader_t self:unix_stream_socket create_socket_perms; +allow bootloader_t boot_runtime_t:file { read getattr unlink }; + +# for memlock +allow bootloader_t zero_device_t:chr_file { getattr read }; +allow bootloader_t self:capability ipc_lock; +') + +dontaudit bootloader_t selinux_config_t:dir search; +dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search; +dontaudit bootloader_t devpts_t:dir create_dir_perms; +# for nscd +dontaudit bootloader_t var_run_t:dir search; + +') dnl end TODO + +######################################## +# +# Conditional policy logic +# + +ifdef(`monolithic_policy',` +ifdef(`modutils.te',`initrc_insmod_optional_policy') +',` +optional modutils { modutils_insmod_execute_depend } +ifopt (modutils) { initrc_insmod_optional_policy } +') dnl end monolithic_policy diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if new file mode 100644 index 0000000..98a0195 --- /dev/null +++ b/refpolicy/policy/modules/kernel/corenetwork.if 
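Review bot: `define(`initrc_insmod_optional_policy', ` modutils_insmod_execute(insmod_t) ')` passes insmod_t, the modutils domain, as the subject, whereas every other interface call in this file takes bootloader_t as its first argument; the name and argument look copied from an initrc module, and as written the block grants nothing to bootloader_t. If the intent is to let the bootloader domain run insmod during mkinitrd, this should read `modutils_insmod_execute(bootloader_t)` under a name such as `bootloader_insmod_optional_policy`, with the `ifdef(`monolithic_policy',...` block at the end of the hunk updated to the same name. Separately, `devices_raw_read_memory(bootloader_t)` is annotated `# for reading BIOS data (cjp: ?)`; per devices.if that interface grants read/ioctl on memory_device_t (presumably the raw memory device nodes), so the open question in that comment should be resolved, or the grant made distro-conditional, rather than shipped with a question mark. The commented-out `lilo -p` rules and the large `ifdef(`TODO',...` block are policy text that never reaches checkpolicy; a short note on what remains to be converted would help the next maintainer.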
@@ -0,0 +1,317 @@ +####################################### +# +# corenetwork_send_tcp_on_general_interface(domain,[`optional']) +# +define(`corenetwork_send_tcp_on_general_interface',` +requires_block_template(`corenetwork_send_tcp_on_general_interface_depend',$2) +allow $1 netif_t:netif tcp_send; +') + +define(`corenetwork_send_tcp_on_general_interface_depend',` +type netif_t; +class netif tcp_send; +') + +####################################### +# +# corenetwork_send_udp_on_general_interface(domain,[`optional']) +# +define(`corenetwork_send_udp_on_general_interface',` +requires_block_template(`corenetwork_send_udp_on_general_interface_depend',$2) +allow $1 netif_t:netif udp_send; +') + +define(`corenetwork_send_udp_on_general_interface_depend',` +type netif_t; +class netif udp_send; +') + +####################################### +# +# corenetwork_send_raw_on_general_interface(domain,[`optional']) +# +define(`corenetwork_send_raw_on_general_interface',` +requires_block_template(`corenetwork_send_raw_on_general_interface_depend',$2) +allow $1 netif_t:netif rawip_send; +allow $1 self:capability net_raw; +') + +define(`corenetwork_send_raw_on_general_interface_depend',` +type netif_t; +class netif rawip_send; +class capability net_raw; +') + +####################################### +# +# corenetwork_receive_tcp_on_general_interface(domain,[`optional']) +# +define(`corenetwork_receive_tcp_on_general_interface',` +requires_block_template(`corenetwork_receive_tcp_on_general_interface_depend',$2) +allow $1 netif_t:netif tcp_recv; +') + +define(`corenetwork_receive_tcp_on_general_interface_depend',` +type netif_t; +class netif tcp_recv; +') + +####################################### +# +# corenetwork_receive_udp_on_general_interface(domain,[`optional']) +# +define(`corenetwork_receive_udp_on_general_interface',` +requires_block_template(`corenetwork_receive_udp_on_general_interface_depend',$2) +allow $1 netif_t:netif udp_recv; +') + 
+define(`corenetwork_receive_udp_on_general_interface_depend',` +type netif_t; +class netif udp_recv; +') + +####################################### +# +# corenetwork_receive_raw_on_general_interface(domain,[`optional']) +# +define(`corenetwork_receive_raw_on_general_interface',` +requires_block_template(`corenetwork_receive_raw_on_general_interface_depend',$2) +allow $1 netif_t:netif rawip_recv; +') + +define(`corenetwork_receive_raw_on_general_interface_depend',` +type netif_t; +class netif rawip_recv; +') + +####################################### +# +# corenetwork_send_tcp_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_send_tcp_on_all_interfaces',` +requires_block_template(`corenetwork_send_tcp_on_all_interfaces_depend',$2) +allow $1 netif_type:netif tcp_send; +') + +define(`corenetwork_send_tcp_on_all_interfaces_depend',` +attribute all_netif_type; +class netif tcp_send; +') + +####################################### +# +# corenetwork_send_udp_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_send_udp_on_all_interfaces',` +requires_block_template(`corenetwork_send_udp_on_all_interfaces_depend',$2) +allow $1 netif_type:netif udp_send; +') + +define(`corenetwork_send_udp_on_all_interfaces_depend',` +attribute netif_type; +class netif udp_send; +') + +####################################### +# +# corenetwork_send_raw_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_send_raw_on_all_interfaces',` +requires_block_template(`corenetwork_send_raw_on_all_interfaces_depend',$2) +allow $1 netif_type:netif rawip_send; +allow $1 self:capability net_raw; +') + +define(`corenetwork_send_raw_on_all_interfaces_depend',` +attribute netif_type; +class netif rawip_send; +class capability net_raw; +') + +####################################### +# +# corenetwork_receive_tcp_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_receive_tcp_on_all_interfaces',` 
+requires_block_template(`corenetwork_receive_tcp_on_all_interfaces_depend',$2) +allow $1 netif_type:netif tcp_recv; +') + +define(`corenetwork_receive_tcp_on_all_interfaces_depend',` +attribute netif_type; +class netif tcp_recv; +') + +####################################### +# +# corenetwork_receive_udp_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_receive_udp_on_all_interfaces',` +requires_block_template(`corenetwork_receive_udp_on_all_interfaces_depend',$2) +allow $1 netif_type:netif udp_recv; +') + +define(`corenetwork_receive_udp_on_all_interfaces_depend',` +attribute netif_type; +class netif udp_recv; +') + +####################################### +# +# corenetwork_receive_raw_on_all_interfaces(domain,[`optional']) +# +define(`corenetwork_receive_raw_on_all_interfaces',` +requires_block_template(`corenetwork_receive_raw_on_all_interfaces_depend',$2) +allow $1 netif_type:netif rawip_recv; +') + +define(`corenetwork_receive_raw_on_all_interfaces_depend',` +attribute netif_type; +class netif rawip_recv; +') + +######################################## +# +# This section is processed through m4 to create real interfaces +# +######################################## + +# dont generate anything but macros on this pass +ifdef(`interface_pass',` +define(`allow',`dnl') +define(`type',`dnl') +define(`attribute',`dnl') +define(`portcon',`dnl') +define(`devices_make_device_node',`dnl') +') + +define(`create_netif_interfaces',`` +####################################### +# +# corenetwork_send_tcp_on_interface_$1(domain,[`optional']) +# +define(`corenetwork_send_tcp_on_interface_$1',` +requires_block_template(`corenetwork_send_tcp_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif tcp_send; +') + +define(`corenetwork_send_tcp_on_interface_$1_depend',` +type $1_netif_t; +class netif tcp_send; +') + +####################################### +# +# corenetwork_send_udp_on_interface_$1(domain,[`optional']) +# 
+define(`corenetwork_send_udp_on_interface_$1',` +requires_block_template(`corenetwork_send_udp_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif udp_send; +') + +define(`corenetwork_send_udp_on_interface_$1_depend',` +type $1_netif_t; +class netif udp_send; +') + +####################################### +# +# corenetwork_send_raw_on_interface_$1(domain,[`optional']) +# +define(`corenetwork_send_raw_on_interface_$1',` +requires_block_template(`corenetwork_send_raw_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif rawip_send; +allow dollarsone self:capability net_raw; +') + +define(`corenetwork_send_raw_on_interface_$1_depend',` +type $1_netif_t; +class netif rawip_send; +class capability net_raw; +') + +####################################### +# +# corenetwork_receive_tcp_on_interface_$1(domain,[`optional']) +# +define(`corenetwork_receive_tcp_on_interface_$1',` +requires_block_template(`corenetwork_receive_tcp_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif tcp_recv; +') + +define(`corenetwork_receive_tcp_on_interface_$1_depend',` +type $1_netif_t; +class netif tcp_recv; +') + +####################################### +# +# corenetwork_receive_udp_on_interface_$1(domain,[`optional']) +# +define(`corenetwork_receive_udp_on_interface_$1',` +requires_block_template(`corenetwork_receive_udp_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif udp_recv; +') + +define(`corenetwork_receive_udp_on_interface_$1_depend',` +type $1_netif_t; +class netif udp_recv; +') + +####################################### +# +# corenetwork_receive_raw_on_interface_$1(domain,[`optional']) +# +define(`corenetwork_receive_raw_on_interface_$1',` +requires_block_template(`corenetwork_receive_raw_on_interface_$1_depend',dollarstwo) +allow dollarsone $1_netif_t:netif rawip_recv; +') + +define(`corenetwork_receive_raw_on_interface_$1_depend',` +type $1_netif_t; +class netif rawip_recv; +') +'') dnl end 
create_interfaces + +# +# network_interface(linux_interfacename) +# +define(`network_interface',` +ifdef(`interface_pass',` +create_netif_interfaces($1) +',` +type $1_netif_t alias netif_$1_t, netif_type; +requires_block_template(`type unlabeled_t') +netifcon $1 system_u:object_r:$1_netif_t system_u:object_r:unlabeled_t +') +') + +# +# network_node(node_name,address,netmask) +# +define(`network_node',` +ifdef(`interface_pass',` +#create_node_interfaces($1) +',` +type $1_node_t alias node_$1_t, node_type; +nodecon $2 $3 system_u:object_r:$1_node_t +') +') + +define(`declare_ports',`dnl +ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl') +portcon $2 $3 system_u:object_r:$1 +ifelse(`$4',`',`',`declare_ports($1,shiftn(3,$*))')dnl +') + +# +# network_port(port_name,protocol portnum [,protocol portnum[,...]]) +# +define(`network_port',` +ifdef(`interface_pass',` +#create_port_interfaces($1) +',` +type $1_port_t, port_type; +declare_ports($1_port_t,shift($*)) +') +') diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te new file mode 100644 index 0000000..5260061 --- /dev/null +++ b/refpolicy/policy/modules/kernel/corenetwork.te 
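Review bot: `corenetwork_send_tcp_on_all_interfaces_depend` declares `attribute all_netif_type;` while its interface body uses `netif_type` and the other five `*_on_all_interfaces_depend` macros declare `attribute netif_type;`, so a module requiring this interface would declare an attribute that corenetwork.te never defines; change it to `attribute netif_type;`. In `declare_ports`, `ifelse(eval($3 < 1024),1,...)` receives the port literal verbatim, so a range such as `137-139` (used by smbd in corenetwork.te) is evaluated as the subtraction 137-139, and any range with a low end below its high end yields a negative number and is tagged reserved_port_type regardless of the actual ports — correct by accident for the sub-1024 ranges present today, wrong for a range above 1024; comparing the low bound of the range, or refusing ranges here with `errprint`, would make the classification explicit. The `#create_node_interfaces($1)` and `#create_port_interfaces($1)` lines inside the macro bodies are m4 `#` comments and are copied into the generated output; `dnl` would keep them out of policy.conf.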
@@ -0,0 +1,114 @@ +attribute netif_type; +attribute node_type; +attribute port_type; +attribute reserved_port_type; + +# +# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* +# +type tun_tap_device_t; +devices_make_device_node(tun_tap_device_t) + +######################################## +# +# Ports +# + +# +# port_t is the default type of INET port numbers. +# +type port_t, port_type; + +# +# reserved_port_t is the type of INET port numbers below 1024. +# +type reserved_port_t, port_type, reserved_port_type; + +network_port(amanda, udp,10080, tcp,10080, udp,10081, tcp,10081, tcp,10082, tcp,10083) +dnl network_port(biff) # no defined portcon in current strict +network_port(dbskkd, tcp,1178) +network_port(dhcpc, udp,68) +network_port(dhcpd, udp,67) +network_port(dict, tcp,2628) +network_port(dns, udp,53, tcp,53) +network_port(fingerd, tcp,79) +network_port(ftp_data, tcp,20) +network_port(ftp, tcp,21) +network_port(http_cache, tcp,3128, udp,3130, tcp,8080) +network_port(http, tcp,80, tcp,443) +network_port(inetd_child, tcp,7, udp,7, tcp,9, udp,9, tcp,13, udp,13, tcp,19, udp,19, tcp,37, udp,37, tcp,113, tcp,512, tcp,543, tcp,544, tcp,891, udp,891, tcp,892, udp,892, tcp,2105) +network_port(innd, tcp,119) +network_port(ipp, tcp,631, udp,631) +network_port(kerberos_admin, tcp,464, udp,464, tcp,749) +network_port(kerberos_master, tcp,4444, udp,4444) +network_port(kerberos, tcp,88, udp,88, tcp,750, udp,750) +network_port(ldap, tcp,389, udp,389, tcp,636, udp,636) +network_port(mail, tcp,2000) +network_port(nmbd, udp,137, udp,138, udp,139) +network_port(pop, tcp,106, tcp,109, tcp,110) +network_port(portmap, udp,111, tcp,111) +network_port(printer, tcp,515) +network_port(pxe, udp,4011) +network_port(radacct, udp,1646, udp,1813) +network_port(radius, udp,1645, udp,1812) +network_port(rsh, tcp,514) +network_port(smbd, tcp,137-139, tcp,445) +network_port(smtp, tcp,25, tcp,465, tcp,587) +network_port(snmp, udp,161, udp,162, tcp,199) +network_port(ssh, tcp,22) +dnl 
network_port(stunnel) # no defined portcon in current strict +network_port(swat, tcp,901) +network_port(syslogd, udp,514) +network_port(telnetd, tcp,23) +network_port(tftp, udp,69) +network_port(vnc, tcp,5900) +network_port(xserver, tcp,6001, tcp,6002, tcp,6003, tcp,6004, tcp,6005, tcp,6006, tcp,6007, tcp,6008, tcp,6009, tcp,6010, tcp,6011, tcp,6012, tcp,6013, tcp,6014, tcp,6015, tcp,6016, tcp,6017, tcp,6018, tcp,6019) +network_port(zebra, tcp,2601) + +# Defaults for reserved ports. Earlier portcon entries take precedence; +# these entries just cover any remaining reserved ports not otherwise +# declared or omitted due to removal of a domain. +portcon tcp 1-1023 system_u:object_r:reserved_port_t +portcon udp 1-1023 system_u:object_r:reserved_port_t + +######################################## +# +# Network nodes +# + +# +# node_t is the default type of network nodes. +# The node_*_t types are used for specific network +# nodes in net_contexts or net_contexts.mls. +# +type node_t, node_type; + +network_node(compat_ipv4, ::, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(inaddr_any, 0.0.0.0, 255.255.255.255) +dnl network_node(internal, , ) # no nodecon for this in current strict policy +network_node(link_local, fe80::, ffff:ffff:ffff:ffff::, ) +network_node(lo, 127.0.0.1, 255.255.255.255) +network_node(mapped_ipv4, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(multicast, ff00::, ff00::) +network_node(site_local, fec0::, ffc0::) +network_node(unspec, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) + + +######################################## +# +# Network Interfaces: +# + +# +# netif_t is the default type of network interfaces. +# +type netif_t, netif_type; + +network_interface(lo) +network_interface(eth0) +network_interface(eth1) +network_interface(eth2) +network_interface(ippp0) +network_interface(ipsec0) +network_interface(ipsec1) +network_interface(ipsec2) 
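Review bot: `network_node(link_local, fe80::, ffff:ffff:ffff:ffff::, )` carries a fourth, empty argument that `network_node` never uses; it is harmless today but reads like a truncated netmask, so drop the trailing `, `. The xserver declaration lists tcp 6001 through 6019 individually although `declare_ports` already accepts ranges (smbd uses `tcp,137-139`), so `network_port(xserver, tcp,6001-6019)` would express the same ports in one portcon. The catch-all `portcon tcp 1-1023` / `portcon udp 1-1023` lines depend on the comment's claim that earlier entries take precedence, which in turn depends on the Makefile's `grep ^portcon` re-emitting these lines in file order after m4; a one-line remark here that these two must stay last in the file would protect that assumption.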
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
new file mode 100644
index 0000000..18c5bf2
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -0,0 +1,509 @@
+########################################
+#
+# devices_make_device_node(type,[`optional'])
+#
+define(`devices_make_device_node',`
+requires_block_template(devices_make_device_node_depend,$2)
+typeattribute $1 device_node;
+filesystem_associate($1,optional)
+')
+
+define(`devices_make_device_node_depend',`
+attribute device_node;
+filesystem_associate_depend
+')
+
+########################################
+#
+# devices_list_device_nodes(type,[`optional'])
+#
+define(`devices_list_device_nodes',`
+requires_block_template(devices_list_device_nodes_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 device_t:lnk_file { getattr read };
+')
+
+define(`devices_list_device_nodes_depend',`
+type device_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# devices_ignore_list_device_nodes(type,[`optional'])
+#
+define(`devices_ignore_list_device_nodes',`
+requires_block_template(devices_ignore_list_device_nodes_depend,$2)
+dontaudit $1 device_t:dir { getattr read search };
+')
+
+define(`devices_ignore_list_device_nodes_depend',`
+type device_t;
+class dir { getattr read search };
+')
+
+########################################
+#
+# devices_ignore_modify_generic_devices(type,[`optional'])
+#
+define(`devices_ignore_modify_generic_devices',`
+requires_block_template(devices_ignore_modify_generic_devices_depend,$2)
+dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
+')
+
+define(`devices_ignore_modify_generic_devices_depend',`
+type device_t;
+class chr_file { getattr read write ioctl };
+class blk_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_create_dev_entry(domain,file,objectclass(es),[`optional'])
+#
+define(`devices_create_dev_entry',`
+requires_block_template(devices_set_dev_entry_depend,$4)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+type_transition $1 device_t:$3 $2;
+')
+
+define(`devices_set_dev_entry_depend',`
+type device_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# devices_raw_read_memory(domain,[`optional'])
+#
+define(`devices_raw_read_memory',`
+requires_block_template(devices_raw_read_memory_depend,$2)
+typeattribute $1 memory_raw_read;
+allow $1 device_t:dir { getattr read search };
+allow $1 memory_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_raw_read_memory_depend',`
+type device_t, memory_device_t;
+attribute memory_raw_read;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_raw_write_memory(domain,[`optional'])
+#
+define(`devices_raw_write_memory',`
+requires_block_template(devices_raw_write_memory_depend,$2)
+typeattribute $1 memory_raw_write
+allow $1 device_t:dir { getattr read search };
+allow $1 memory_device_t:chr_file write;
+')
+
+define(`devices_raw_write_memory_depend',`
+type device_t, memory_device_t;
+attribute memory_raw_write;
+class dir { getattr read search };
+class chr_file write;
+')
+
+########################################
+#
+# devices_get_random_data(domain,[`optional'])
+#
+define(`devices_get_random_data',`
+requires_block_template(devices_get_random_data_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 random_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_random_data_depend',`
+type device_t, random_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_pseudorandom_data(domain,[`optional'])
+#
+define(`devices_get_pseudorandom_data',`
+requires_block_template(devices_get_pseudorandom_data_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 urandom_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_pseudorandom_data_depend',`
+type device_t, urandom_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_add_entropy(domain,[`optional'])
+#
+define(`devices_add_entropy',`
+requires_block_template(devices_add_entropy_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 random_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_add_entropy_depend',`
+type device_t, random_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_set_pseudorandom_seed(domain,[`optional'])
+#
+define(`devices_set_pseudorandom_seed',`
+requires_block_template(devices_set_pseudorandom_seed_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 urandom_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_set_pseudorandom_seed_depend',`
+type device_t, urandom_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_discard_data_stream(domain,[`optional'])
+#
+define(`devices_discard_data_stream',`
+requires_block_template(devices_discard_data_stream_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 null_device_t:chr_file { getattr write };
+')
+
+define(`devices_discard_data_stream_depend',`
+type device_t, null_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr write };
+')
+
+########################################
+#
+# devices_get_zeros(domain,[`optional'])
+#
+define(`devices_get_zeros',`
+requires_block_template(devices_get_zeros_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr read };
+')
+
+define(`devices_get_zeros_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read };
+')
+
+########################################
+#
+# devices_read_realtime_clock(domain,[`optional'])
+#
+define(`devices_read_realtime_clock',`
+requires_block_template(devices_read_realtime_clock_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 clock_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_realtime_clock_depend',`
+type device_t, clock_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_record_sound_input(domain,[`optional'])
+#
+define(`devices_record_sound_input',`
+requires_block_template(devices_record_sound_input_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_record_sound_input_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_play_sound(domain,[`optional'])
+#
+define(`devices_play_sound',`
+requires_block_template(devices_play_sound_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_play_sound_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_sound_mixer_levels(domain,[`optional'])
+#
+define(`devices_read_sound_mixer_levels',`
+requires_block_template(devices_read_sound_mixer_levels_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_sound_mixer_levels_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_sound_mixer_levels(domain,[`optional'])
+#
+define(`devices_write_sound_mixer_levels',`
+requires_block_template(devices_write_sound_mixer_levels_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_sound_mixer_levels_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_direct_agp_access(domain,[`optional'])
+#
+define(`devices_direct_agp_access',`
+requires_block_template(devices_direct_agp_access_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 agp_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_direct_agp_access_depend',`
+type device_t, agp_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_use_direct_rendering_interface(domain,[`optional'])
+#
+define(`devices_use_direct_rendering_interface',`
+requires_block_template(devices_use_direct_rendering_interface_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 dri_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_use_direct_rendering_interface_depend',`
+type device_t, dri_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_read_mtrr(domain,[`optional'])
+#
+define(`devices_read_mtrr',`
+requires_block_template(devices_read_mtrr_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mtrr_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_mtrr_depend',`
+type device_t, mtrr_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_mtrr(domain,[`optional'])
+#
+define(`devices_write_mtrr',`
+requires_block_template(devices_write_mtrr_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_mtrr_depend',`
+type device_t, mtrr_device_t;
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_framebuffer(domain,[`optional'])
+#
+define(`devices_read_framebuffer',`
+requires_block_template(devices_read_framebuffer_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 framebuf_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_framebuffer_depend',`
+type framebuf_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_framebuffer(domain,[`optional'])
+#
+define(`devices_write_framebuffer',`
+requires_block_template(devices_write_framebuffer_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_framebuffer_depend',`
+type device_t, framebuf_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_misc(domain,[`optional'])
+#
+define(`devices_read_misc',`
+requires_block_template(devices_read_misc_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 misc_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_misc_depend',`
+type device_t, misc_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_misc(domain,[`optional'])
+#
+define(`devices_write_misc',`
+requires_block_template(devices_write_misc_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 misc_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_misc_depend',`
+type device_t, misc_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_get_mouse_input(domain,[`optional'])
+#
+define(`devices_get_mouse_input',`
+requires_block_template(devices_get_mouse_input_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mouse_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_mouse_input_depend',`
+type device_t, mouse_device_t;
+allow $1 device_t:dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_input_event(domain,[`optional'])
+#
+define(`devices_get_input_event',`
+requires_block_template(devices_get_input_event_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 event_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_input_event_depend',`
+type device_t, event_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_cpuid(domain,[`optional'])
+#
+define(`devices_get_cpuid',`
+requires_block_template(devices_get_cpuid_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 cpu_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_cpuid_depend',`
+type device_t, cpu_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_load_cpu_microcode(domain,[`optional'])
+#
+define(`devices_load_cpu_microcode',`
+requires_block_template(devices_load_cpu_microcode_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 cpu_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_load_cpu_microcode_depend',`
+type device_t, cpu_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_use_scanner(domain,[`optional'])
+#
+define(`devices_use_scanner',`
+requires_block_template(devices_use_scanner_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 scanner_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_use_scanner_depend',`
+type device_t, scanner_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_control_system_powermanagement(domain,[`optional'])
+#
+define(`devices_control_system_powermanagement',`
+requires_block_template(devices_control_system_powermanagement_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 power_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_control_system_powermanagement_depend',`
+type device_t, power_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
new file mode 100644
index 0000000..486b9a3
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/devices.te
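Review bot: `typeattribute $1 memory_raw_write` in `devices_raw_write_memory` lacks its terminating semicolon, so the policy generated for any module that calls the interface will not parse; it should read `typeattribute $1 memory_raw_write;`. Several `_depend` blocks in the same hunk are also malformed: `devices_discard_data_stream_depend` and `devices_get_zeros_depend` write `class device_t:dir { getattr read search };` where every other block uses `class dir { getattr read search };`, and `devices_get_mouse_input_depend` carries an `allow $1 device_t:dir { getattr read search };` rule in place of that class declaration. Smaller inconsistencies: `devices_write_mtrr_depend` omits `class dir { getattr read search };` and `devices_read_framebuffer_depend` omits `type device_t;` although both interfaces use `device_t:dir`, while `devices_use_direct_rendering_interface_depend` declares `write` on chr_file that the interface never grants. Since these blocks appear to be what `requires_block_template` emits for the optional case, a wrong declaration either breaks the build or under-declares what the caller actually depends on. `devices_create_dev_entry` also names its depend block `devices_set_dev_entry_depend`; renaming both to `devices_create_dev_entry_depend` keeps the file's naming convention.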
@@ -0,0 +1,101 @@
+#
+# Device types
+#
+
+attribute device_node;
+
+#
+# device_t is the type of /dev.
+#
+type device_t, device_node;
+filesystem_associate(device_t)
+
+# Only directories and symlinks should be labeled device_t.
+# If there are other files with this type, it is wrong.
+# Relabelto is allowed for setfiles to function, in case
+# a device node has no specific type yet, but is for some
+# reason labeled with a specific type
+neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t, device_node;
+filesystem_associate(zero_device_t)
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t, device_node;
+filesystem_associate(null_device_t)
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem and /dev/port.
+#
+type memory_device_t, device_node;
+filesystem_associate(memory_device_t)
+
+attribute memory_raw_read;
+attribute memory_raw_write;
+neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
+neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
+
+#
+# random_device_t is the type of /dev/random
+# urandom_device_t is the type of /dev/urandom
+#
+type random_device_t, device_node;
+type urandom_device_t, device_node;
+filesystem_associate(random_device_t)
+filesystem_associate(urandom_device_t)
+
+#
+# Type for /dev/agpgart
+#
+type agp_device_t, device_node;
+filesystem_associate(agp_device_t)
+
+#
+# Type for /dev/apm_bios
+#
+type apm_bios_t, device_node;
+filesystem_associate(apm_bios_t)
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t, device_node;
+filesystem_associate(clock_device_t)
+
+#
+# cpu control devices /dev/cpu/0/*
+#
+type cpu_device_t, device_node;
+filesystem_associate(cpu_device_t)
+
+#
+# Type for framebuffer /dev/fb/*
+#
+type framebuf_device_t, device_node;
+filesystem_associate(framebuf_device_t)
+
+#
+# Type for /dev/cpu/mtrr and /proc/mtrr
+#
+type mtrr_device_t, device_node;
+filesystem_associate(mtrr_device_t)
+genfscon proc /mtrr system_u:object_r:mtrr_device_t
+
+#
+# Type for /dev/pmu
+#
+type power_device_t, device_node;
+filesystem_associate(power_device_t)
+
+#
+# Type for sound devices and mixers
+#
+type sound_device_t, device_node;
+filesystem_associate(sound_device_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
new file mode 100644
index 0000000..d3e0b61
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/filesystem.if
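Review bot: `dri_device_t`, `misc_device_t`, `mouse_device_t`, `event_device_t` and `scanner_device_t` are referenced by interfaces in devices.if, but no `type` statement for them appears in this hunk, so a module calling `devices_use_scanner` or `devices_get_mouse_input` will fail at build time unless those types are declared in a module outside this commit; each needs a `type X_device_t, device_node;` plus `filesystem_associate(X_device_t)` pair like the others here. The `memory_raw_read`/`memory_raw_write` attributes and their two `neverallow` rules are the enforcement point for raw memory access yet carry no comment, unlike every type in the file; a line such as `# Raw access to /dev/mem, /dev/kmem and /dev/port is granted only through devices_raw_read_memory()/devices_raw_write_memory(); the neverallow rules make this an assertion checked at policy build time` would tell a module author why a plain allow rule on memory_device_t is rejected. Note too that these assertions cover `read` and `{ append write }` only, so the `getattr` and `ioctl` granted by the raw-memory interfaces sit outside them — worth stating in that comment if intended. Finally, `apm_bios_t` breaks the file's `*_device_t` naming convention and, unlike `power_device_t`, has no interface in devices.if in this commit, so modules cannot reach it without naming the type directly.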
@@ -0,0 +1,733 @@
+########################################
+#
+# filesystem_make_filesystem(type,[`optional'])
+#
+define(`filesystem_make_filesystem',`
+requires_block_template(filesystem_make_filesystem_depend,$2)
+typeattribute $1 fs_type;
+')
+
+define(`filesystem_make_filesystem_depend',`
+attribute fs_type;
+')
+
+########################################
+#
+# filesystem_mount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_persistent_filesystem',`
+requires_block_template(filesystem_mount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem mount;
+')
+
+define(`filesystem_mount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_persistent_filesystem',`
+requires_block_template(filesystem_remount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem remount;
+')
+
+define(`filesystem_remount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_persistent_filesystem',`
+requires_block_template(filesystem_unmount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_persistent_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_persistent_filesystem_stats',`
+requires_block_template(filesystem_read_persistent_filesystem_stats_depend,$2)
+allow $1 fs_t:filesystem getattr;
+')
+
+define(`filesystem_read_persistent_filesystem_stats_depend',`
+type fs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_associate(type,[`optional'])
+#
+define(`filesystem_associate',`
+requires_block_template(filesystem_associate_depend,$2)
+allow $1 fs_t:filesystem associate;
+')
+
+define(`filesystem_associate_depend',`
+type fs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_mount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_automount_filesystem',`
+requires_block_template(filesystem_mount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem mount;
+')
+
+define(`filesystem_mount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_automount_filesystem',`
+requires_block_template(filesystem_remount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem remount;
+')
+
+define(`filesystem_remount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_automount_filesystem',`
+requires_block_template(filesystem_unmount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_automount_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_automount_filesystem_stats',`
+requires_block_template(filesystem_read_automount_filesystem_stats_depend,$2)
+allow $1 autofs_t:filesystem getattr;
+')
+
+define(`filesystem_read_automount_filesystem_stats_depend',`
+type autofs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_register_binary_executable_type(domain,[`optional'])
+#
+define(`filesystem_register_binary_executable_type',`
+requires_block_template(filesystem_register_binary_executable_type_depend,$2)
+allow $1 binfmt_misc_fs_t:dir { getattr search };
+allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+')
+
+define(`filesystem_register_binary_executable_type_depend',`
+type binfmt_misc_fs_t;
+class dir { getattr search };
+class file { getattr ioctl write };
+')
+
+########################################
+#
+# filesystem_mount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_windows_network_filesystem',`
+requires_block_template(filesystem_mount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem mount;
+')
+
+define(`filesystem_mount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_windows_network_filesystem',`
+requires_block_template(filesystem_remount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem remount;
+')
+
+define(`filesystem_remount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_windows_network_filesystem',`
+requires_block_template(filesystem_unmount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_windows_network_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_windows_network_filesystem_stats',`
+requires_block_template(filesystem_read_windows_network_filesystem_stats_depend,$2)
+allow $1 cifs_t:filesystem getattr;
+')
+
+define(`filesystem_read_windows_network_filesystem_stats_depend',`
+type cifs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_dos_filesystem',`
+requires_block_template(filesystem_mount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_dos_filesystem',`
+requires_block_template(filesystem_remount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_dos_filesystem',`
+requires_block_template(filesystem_unmount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_dos_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_dos_filesystem_stats',`
+requires_block_template(filesystem_read_dos_filesystem_stats_depend,$2)
+allow $1 dosfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_dos_filesystem_stats_depend',`
+type dosfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_cd_filesystem',`
+requires_block_template(filesystem_mount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem mount;
+')
+
+define(`filesystem_mount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_cd_filesystem',`
+requires_block_template(filesystem_remount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem remount;
+')
+
+define(`filesystem_remount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_cd_filesystem',`
+requires_block_template(filesystem_unmount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem mount;
+')
+
+define(`filesystem_unmount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_cd_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_cd_filesystem_stats',`
+requires_block_template(filesystem_read_cd_filesystem_stats_depend,$2)
+allow $1 iso9660_t:filesystem getattr;
+')
+
+define(`filesystem_read_cd_filesystem_stats_depend',`
+type iso9660_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_nfs_filesystem',`
+requires_block_template(filesystem_mount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_nfs_filesystem',`
+requires_block_template(filesystem_remount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_nfs_filesystem',`
+requires_block_template(filesystem_unmount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_nfs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_nfs_filesystem_stats',`
+requires_block_template(filesystem_read_nfs_filesystem_stats_depend,$2)
+allow $1 nfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_nfs_filesystem_stats_depend',`
+type nfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_nfsd_filesystem',`
+requires_block_template(filesystem_mount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem mount;
+')
+
+define(`filesystem_mount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_nfsd_filesystem',`
+requires_block_template(filesystem_remount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem remount;
+')
+
+define(`filesystem_remount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_nfsd_filesystem',`
+requires_block_template(filesystem_unmount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_nfsd_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_nfsd_filesystem_stats',`
+requires_block_template(filesystem_read_nfsd_filesystem_stats_depend,$2)
+allow $1 nfsd_fs_t:filesystem getattr;
+')
+
+define(`filesystem_read_nfsd_filesystem_stats_depend',`
+type nfsd_fs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_ram_filesystem',`
+requires_block_template(filesystem_mount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_ram_filesystem',`
+requires_block_template(filesystem_remount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_ram_filesystem',`
+requires_block_template(filesystem_unmount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_ram_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_ram_filesystem_stats',`
+requires_block_template(filesystem_read_ram_filesystem_stats_depend,$2)
+allow $1 ramfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_ram_filesystem_stats_depend',`
+type ramfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_rom_filesystem',`
+requires_block_template(filesystem_mount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_rom_filesystem',`
+requires_block_template(filesystem_remount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_rom_filesystem',`
+requires_block_template(filesystem_unmount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_rom_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_rom_filesystem_stats',`
+requires_block_template(filesystem_read_rom_filesystem_stats_depend,$2)
+allow $1 romfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_rom_filesystem_stats_depend',`
+type romfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_mount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+define(`filesystem_mount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_remount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem remount;
+')
+
+define(`filesystem_remount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_unmount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_rpc_pipefs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_rpc_pipefs_filesystem_stats',`
+requires_block_template(filesystem_read_rpc_pipefs_filesystem_stats_depend,$2)
+allow $1 rpc_pipefs_t:filesystem getattr;
+')
+
+define(`filesystem_read_rpc_pipefs_filesystem_stats_depend',`
+type rpc_pipefs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_tmpfs_filesystem',`
+requires_block_template(filesystem_mount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_tmpfs_filesystem',`
+requires_block_template(filesystem_remount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_tmpfs_filesystem',`
+requires_block_template(filesystem_unmount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_tmpfs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_tmpfs_filesystem_stats',`
+requires_block_template(filesystem_read_tmpfs_filesystem_stats_depend,$2)
+allow $1 tmpfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_tmpfs_filesystem_stats_depend',`
+type tmpfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_tmpfs_associate(type,[`optional'])
+#
+define(`filesystem_tmpfs_associate',`
+requires_block_template(filesystem_tmpfs_associate_depend,$2)
+allow $1 tmpfs_t:filesystem associate;
+')
+
+define(`filesystem_tmpfs_associate_depend',`
+type tmpfs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_create_private_tmpfs_data(domain,derivedtype,[class],[`optional'])
+#
+define(`filesystem_create_private_tmpfs_data',`
+requires_block_template(filesystem_create_private_tmpfs_data_depend,$4)
+allow $1 tmpfs_t:dir { getattr search read write add_name };
+ifelse(`$3',`',`
+type_transition $1 tmpfs_t:file $2;
+',`
+type_transition $1 tmpfs_t:$3 $2;
+')
+')
+
+define(`filesystem_create_private_tmpfs_data_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# filesystem_mount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_mount_all_filesystems',`
+requires_block_template(filesystem_mount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem mount;
+')
+
+define(`filesystem_mount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_remount_all_filesystems',`
+requires_block_template(filesystem_remount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem remount;
+')
+
+define(`filesystem_remount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_unmount_all_filesystems',`
+requires_block_template(filesystem_unmount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem unmount;
+')
+
+define(`filesystem_mount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem unmount;
+')
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
new file mode 100644
index 0000000..204eba2
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -0,0 +1,93 @@
+attribute fs_type;
+
+########################################
+#
+# fs_t is the default type for persistent
+# filesystems with extended attributes
+#
+type fs_t, fs_type;
+
+########################################
+#
+# Non-persistent/pseudo filesystems
+#
+type bdev_t, fs_type;
+genfscon bdev / system_u:object_r:bdev_t
+
+type binfmt_misc_fs_t, fs_type;
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
+
+type eventpollfs_t, fs_type;
+genfscon eventpollfs / system_u:object_r:eventpollfs_t
+
+type futexfs_t, fs_type;
+genfscon futexfs / system_u:object_r:futexfs_t
+
+type nfsd_fs_t, fs_type;
+genfscon nfsd / system_u:object_r:nfsd_fs_t
+
+type ramfs_t, fs_type;
+allow ramfs_t self:filesystem associate;
+genfscon ramfs / system_u:object_r:ramfs_t
+
+type romfs_t, fs_type;
+allow romfs_t self:filesystem associate;
+genfscon romfs / system_u:object_r:romfs_t
+genfscon cramfs / system_u:object_r:romfs_t
+
+type rpc_pipefs_t, fs_type;
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
+
+#
+# tmpfs_t is the type for tmpfs filesystems
+#
+type tmpfs_t, fs_type;
+allow tmpfs_t self:filesystem associate;
+
+########################################
+#
+# Filesystems without extended attribute support
+#
+type autofs_t, fs_type;
+allow autofs_t self:filesystem associate;
+genfscon autofs / system_u:object_r:autofs_t
+genfscon automount / system_u:object_r:autofs_t
+
+#
+# cifs_t is the type for filesystems and their
+# files shared from Windows servers
+#
+type cifs_t alias sambafs_t, fs_type;
+allow cifs_t self:filesystem associate;
+genfscon cifs / system_u:object_r:cifs_t
+genfscon smbfs / system_u:object_r:cifs_t
+
+#
+# dosfs_t is the type for fat and vfat
+# filesystems and their files.
+#
+type dosfs_t, fs_type;
+allow dosfs_t self:filesystem associate;
+genfscon vfat / system_u:object_r:dosfs_t
+genfscon msdos / system_u:object_r:dosfs_t
+genfscon fat / system_u:object_r:dosfs_t
+genfscon ntfs / system_u:object_r:dosfs_t
+
+#
+# iso9660_t is the type for CD filesystems
+# and their files.
+#
+type iso9660_t, fs_type;
+allow iso9660_t self:filesystem associate;
+genfscon iso9660 / system_u:object_r:iso9660_t
+genfscon udf / system_u:object_r:iso9660_t
+
+#
+# nfs_t is the default type for NFS file systems
+# and their files.
+#
+type nfs_t, fs_type;
+allow nfs_t self:filesystem associate;
+genfscon nfs / system_u:object_r:nfs_t
+genfscon nfs4 / system_u:object_r:nfs_t
+genfscon afs / system_u:object_r:nfs_t
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
new file mode 100644
index 0000000..2682a18
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/kernel.if
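Review bot: The comment above `dosfs_t` describes it as the type for fat and vfat, but the genfscon block beneath it also maps `ntfs` to `dosfs_t`, and likewise `afs` is mapped to `nfs_t` under a comment that mentions only NFS; a policy author granting a domain access to dosfs_t or nfs_t cannot see from the comment that NTFS and AFS mounts are covered too. Because these sit under the "Filesystems without extended attribute support" header and are labeled by a `/` genfscon entry, every file on such a mount carries the filesystem's own type, so that widening is access-relevant and deserves to be stated. Suggest `# dosfs_t is the type for fat, vfat, msdos and ntfs` / `# filesystems and their files.` and `# nfs_t is the default type for NFS and AFS file systems` / `# and their files.`. It would also help to add one line under that section header noting that no per-file type separation is possible on these mounts, so a single allow rule on the filesystem type reaches every file on it.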
@@ -0,0 +1,1056 @@
+########################################
+#
+# kernel_system_role_change(role,[`optional'])
+#
+define(`kernel_system_role_change',`
+requires_block_template(kernel_system_role_change_depend,$2)
+allow $1 system_r;
+')
+
+define(`kernel_system_role_change_depend',`
+role system_r;
+')
+
+########################################
+#
+# kernel_system_role_transition(role,entrypoint,[`optional'])
+#
+define(`kernel_system_role_transition',`
+requires_block_template(kernel_system_role_transition_depend,$2)
+allow $1 system_r;
+role_transition $1 $2 system_r;
+')
+
+define(`kernel_system_role_change_depend',`
+role system_r;
+')
+
+########################################
+#
+# kernel_share_state(domain,[`optional'])
+#
+define(`kernel_share_state',`
+requires_block_template(kernel_share_state_depend,$2)
+allow kernel_t $1:process share;
+')
+
+define(`kernel_share_state_depend',`
+type kernel_t;
+class process share;
+')
+
+########################################
+#
+# kernel_use_kernel_fd(domain,[`optional'])
+#
+define(`kernel_use_kernel_fd',`
+requires_block_template(kernel_use_kernel_fd_depend,$2)
+allow $1 kernel_t:fd use;
+')
+
+define(`kernel_use_kernel_fd_depend',`
+type kernel_t;
+class fd use;
+')
+
+########################################
+#
+# kernel_make_root_filesystem_mountpoint(domain,[`optional'])
+#
+define(`kernel_make_root_filesystem_mountpoint',`
+requires_block_template(kernel_make_root_filesystem_mountpoint_depend,$2)
+allow kernel_t $1:dir mounton;
+')
+
+define(`kernel_make_root_filesystem_mountpoint_depend',`
+type kernel_t;
+class dir mounton;
+')
+
+########################################
+#
+# kernel_load_module(domain,[`optional'])
+#
+define(`kernel_load_module',`
+requires_block_template(kernel_load_module_depend,$2)
+allow $1 self:capability sys_module;
+typeattribute $1 can_load_kernmodule;
+')
+
+define(`kernel_load_module_depend',`
+attribute can_load_kernmodule;
+class capability sys_module;
+')
+
+########################################
+#
+# kernel_relabeling_privilege(domain,[`optional'])
+#
+define(`kernel_relabeling_privilege',`
+requires_block_template(kernel_relabeling_privilege_depend,$2)
+typeattribute $1 can_relabel;
+')
+
+define(`kernel_relabeling_privilege_depend',`
+attribute can_relabel;
+')
+
+########################################
+#
+# kernel_kill_unlabeled_process(domain,[`optional'])
+#
+define(`kernel_kill_unlabeled_process',`
+requires_block_template(kernel_kill_unlabeled_process_depend,$2)
+allow $1 unlabeled_t:process sigkill;
+')
+
+define(`kernel_kill_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigkill;
+')
+
+########################################
+#
+# kernel_relabel_unlabeled_object(domain,[`optional'])
+#
+define(`kernel_relabel_unlabeled_object',`
+requires_block_template(kernel_relabel_unlabeled_object_depend,$2)
+allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } relabelfrom;
+typeattribute $1 can_relabel;
+')
+
+define(`kernel_relabel_unlabeled_object_depend',`
+attribute can_relabel;
+type unlabeled_t;
+class dir relabelfrom;
+class file relabelfrom;
+class lnk_file relabelfrom;
+class fifo_file relabelfrom;
+class sock_file relabelfrom;
+class chr_file relabelfrom;
+class blk_file relabelfrom;
+')
+
+########################################
+#
+# kernel_get_selinux_enforcement_mode(domain,[`optional'])
+#
+define(`kernel_get_selinux_enforcement_mode',`
+requires_block_template(kernel_get_selinux_enforcement_mode_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read };
+')
+
+define(`kernel_get_selinux_enforcement_mode_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_set_selinux_enforcement_mode(domain,[`optional'])
+#
+define(`kernel_set_selinux_enforcement_mode',`
+requires_block_template(kernel_set_selinux_enforcement_mode_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setenforce;
+auditallow $1 security_t:security setenforce;
+typeattribute $1 can_setenforce;
+')
+
+define(`kernel_set_selinux_enforcement_mode_depend',`
+type security_t;
+attribute can_setenforce;
+class dir { read search getattr };
+class file { getattr read write };
+class security setenforce;
+')
+
+########################################
+#
+# kernel_load_selinux_policy(domain,[`optional'])
+#
+define(`kernel_load_selinux_policy',`
+requires_block_template(kernel_load_selinux_policy_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security load_policy;
+auditallow $1 security_t:security load_policy;
+typeattribute $1 can_load_policy;
+')
+
+define(`kernel_load_selinux_policy_depend',`
+type security_t;
+attribute can_load_policy;
+class dir { read search getattr };
+class file { getattr read write };
+class security load_policy;
+')
+
+########################################
+#
+# kernel_set_selinux_boolean(domain,[booltype],[`optional'])
+#
+define(`kernel_set_selinux_boolean',`
+requires_block_template(kernel_set_selinux_boolean_depend,$3)
+ifelse(`$2',`',`
+allow $1 security_t:dir { getattr search read };
+allow $1 security_t:file { getattr read write };
+',`
+allow $1 $2:dir { getattr search read };
+allow $1 $2:file { getattr read write };
+')
+allow $1 security_t:dir search;
+allow $1 security_t:security setbool;
+auditallow $1 security_t:security setbool;
+')
+
+define(`kernel_set_selinux_boolean_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security setbool;
+')
+
+########################################
+#
+# kernel_setsecparam(domain,[`optional'])
+#
+define(`kernel_security_setsecparam',`
+requires_block_template(kernel_setsecparam_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+typeattribute $1 can_setsecparam;
+')
+
+define(`kernel_setsecparam_depend',`
+type security_t;
+attribute can_setsecparam;
+class dir { read search getattr };
+class file { getattr read write };
+class security setsecparam;
+')
+
+########################################
+#
+# kernel_validate_selinux_context(domain,[`optional'])
+#
+define(`kernel_validate_selinux_context',`
+requires_block_template(kernel_validate_selinux_context_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security check_context;
+')
+
+define(`kernel_validate_selinux_context_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security check_context;
+')
+
+########################################
+#
+# kernel_compute_selinux_av(domain,[`optional'])
+#
+define(`kernel_compute_selinux_av',`
+requires_block_template(kernel_compute_selinux_av_depend)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security compute_av;
+')
+
+define(`kernel_compute_selinux_av_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security compute_av;
+')
+
+########################################
+#
+# kernel_compute_selinux_create(domain,[`optional'])
+#
+define(`kernel_compute_create',`
+requires_block_template(kernel_compute_create_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security compute_create;
+')
+
+define(`kernel_compute_create_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security compute_create;
+')
+
+########################################
+#
+# kernel_compute_relabel(domain,[`optional'])
+#
+define(`kernel_compute_relabel',`
+requires_block_template(kernel_compute_relabel_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security compute_relabel;
+')
+
+define(`kernel_compute_relabel_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security compute_relabel;
+')
+
+########################################
+#
+# kernel_compute_reachable_user_contexts(domain,[`optional'])
+#
+define(`kernel_compute_reachable_user_contexts',`
+requires_block_template(kernel_compute_reachable_user_contexts_depend,$2)
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security compute_user;
+')
+
+define(`kernel_compute_reachable_user_contexts_depend',`
+type security_t;
+class dir { read search getattr };
+class file { getattr read write };
+class security compute_user;
+')
+
+########################################
+#
+# kernel_read_ring_buffer(domain,[`optional'])
+#
+define(`kernel_read_ring_buffer',`
+requires_block_template(kernel_read_ring_buffer_depend,$2)
+allow $1 kernel_t:system syslog_read;
+')
+
+define(`kernel_read_ring_buffer_depend',`
+type kernel_t;
+class system syslog_read;
+')
+
+########################################
+#
+# kernel_change_ring_buffer_level(domain,[`optional'])
+#
+define(`kernel_change_ring_buffer_level',`
+requires_block_template(kernel_change_ring_buffer_level_depend,$2)
+allow $1 kernel_t:system syslog_console;
+')
+
+define(`kernel_change_ring_buffer_level_depend',`
+type kernel_t;
+class system syslog_console;
+')
+
+########################################
+#
+# kernel_clear_ring_buffer(domain,[`optional'])
+#
+define(`kernel_clear_ring_buffer',`
+requires_block_template(kernel_clear_ring_buffer_depend,$2)
+allow $1 kernel_t:system syslog_mod;
+')
+
+define(`kernel_clear_ring_buffer_depend',`
+type kernel_t;
+class system syslog_mod;
+')
+
+########################################
+#
+# kernel_get_sysvipc_info(domain,[`optional'])
+#
+define(`kernel_get_sysvipc_info',`
+requires_block_template(kernel_get_sysvipc_info_depend,$2)
+allow $1 kernel_t:system ipc_info;
+')
+
+define(`kernel_get_sysvipc_info_depend',`
+type kernel_t;
+class system ipc_info;
+')
+
+########################################
+#
+# kernel_read_kernel_messages(domain,[`optional'])
+#
+define(`kernel_read_kernel_messages',`
+requires_block_template(kernel_read_kernel_messages_depend,$2)
+allow $1 proc_kmsg_t:file { getattr read };
+typeattribute $1 can_receive_kernel_messages;
+')
+
+define(`kernel_read_kenel_messages_depend',`
+attribute can_receive_kernel_messages;
+type proc_kmsg_t;
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_get_selinuxfs_mount_point(domain,[`optional'])
+#
+define(`kernel_get_selinuxfs_mount_point',`
+requires_block_template(kernel_get_selinuxfs_mount_point_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+')
+
+ifdef(`kernel_get_selinuxfs_mount_point_depend',`
+type proc_t;
+class dir search;
+class lnk_file read;
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_read_system_state(domain,[`optional'])
+#
+define(`kernel_read_system_state',`
+requires_block_template(kernel_read_system_state_depend,$2)
+allow $1 proc_t:dir { getattr search read };
+allow $1 proc_t:{ lnk_file file } { getattr read };
+')
+
+ifdef(`kernel_read_system_state_depend',`
+type proc_t;
+class dir { search getattr read };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+#######################################
+#
+# kernel_read_software_raid_state(domain,[`optional'])
+#
+define(`kernel_read_software_raid_state',`
+requires_block_template(kernel_read_software_raid_state_depend,$2)
+allow $1 proc_t:dir { getattr search read };
+allow $1 proc_mdstat_t:file { getattr read };
+')
+
+ifdef(`kernel_read_software_raid_state_depend',`
+type proc_t, proc_mdstat_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_stat_kernel_core_interface(domain,[`optional'])
+#
+define(`kernel_stat_kernel_core_interface',`
+requires_block_template(kernel_stat_kernel_core_interface_depend,$2)
+allow $1 proc_t:dir { getattr search read };
+allow $1 proc_kcore_t:file getattr;
+')
+
+ifdef(`kernel_stat_kernel_core_interface_depend',`
+type proc_t, proc_kcore_t;
+class dir { search getattr read };
+class file getattr;
+')
+
+########################################
+#
+# kernel_read_network_state(domain,[`optional'])
+#
+define(`kernel_read_network_state',`
+requires_block_template(kernel_read_network_state_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_net_t:dir { getattr search read };
+allow $1 proc_net_t:file { getattr read };
+')
+
+ifdef(`kernel_read_network_state_depend',`
+type proc_t, proc_net_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_read_device_sysctl(domain,[`optional'])
+#
+define(`kernel_read_device_sysctl',`
+requires_block_template(kernel_read_device_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_dev_t:file { getattr read };
+')
+
+ifdef(`kernel_read_device_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_dev_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_device_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_device_sysctl',`
+requires_block_template(kernel_modify_device_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_dev_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_device_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_dev_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_virtual_memory_sysctl(domain,[`optional'])
+#
+define(`kernel_read_virtual_memory_sysctl',`
+requires_block_template(kernel_read_virtual_memory_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_vm_t:file { getattr read };
+')
+
+ifdef(`kernel_read_virtual_memory_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_vm_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_virtual_memory_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_virtual_memory_sysctl',`
+requires_block_template(kernel_modify_virtual_memory_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_vm_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_virtual_memory_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_vm_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_network_sysctl(domain,[`optional'])
+#
+define(`kernel_read_network_sysctl',`
+requires_block_template(kernel_read_network_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_net_t:dir { getattr search read };
+allow $1 sysctl_net_t:file { getattr read };
+')
+
+ifdef(`kernel_read_network_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_net_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_network_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_network_sysctl',`
+requires_block_template(kernel_modify_network_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_net_t:dir { getattr search read };
+allow $1 sysctl_net_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_network_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_net_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_unix_sysctl(domain,[`optional'])
+#
+define(`kernel_read_unix_sysctl',`
+requires_block_template(kernel_read_unix_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_net_t:dir { getattr search read };
+allow $1 sysctl_net_unix_t:file { getattr read };
+')
+
+ifdef(`kernel_read_net_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_unix_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_unix_sysctl',`
+requires_block_template(kernel_modify_unix_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_net_t:dir { getattr search read };
+allow $1 sysctl_net_unix_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_net_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_hotplug_sysctl(domain,[`optional'])
+#
+define(`kernel_read_hotplug_sysctl',`
+requires_block_template(kernel_read_hotplug_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_hotplug_t:file { getattr read };
+')
+
+ifdef(`kernel_read_hotplug_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_hotplug_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_hotplug_sysctl',`
+requires_block_template(kernel_modify_hotplug_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_hotplug_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_hotplug_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_modprobe_sysctl(domain,[`optional'])
+#
+define(`kernel_read_modprobe_sysctl',`
+requires_block_template(kernel_read_modprobe_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_modprobe_t:file { getattr read };
+')
+
+ifdef(`kernel_read_modprobe_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_modprobe_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_modprobe_sysctl',`
+requires_block_template(kernel_modify_modprobe_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_modprobe_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_modprobe_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_kernel_sysctl(domain,[`optional'])
+#
+define(`kernel_read_kernel_sysctl',`
+requires_block_template(kernel_read_kernel_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:file { getattr read };
+')
+
+ifdef(`kernel_read_kernel_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_kernel_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_kernel_sysctl',`
+requires_block_template(kernel_modify_kernel_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:dir { getattr search read };
+allow $1 sysctl_kernel_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_kernel_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_kernel_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_filesystem_sysctl(domain,[`optional'])
+#
+define(`kernel_read_filesystem_sysctl',`
+requires_block_template(kernel_read_filesystem_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_fs_t:dir { getattr search read };
+allow $1 sysctl_fs_t:file { getattr read };
+')
+
+ifdef(`kernel_read_filesystem_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_fs_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_filesystem_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_filesystem_sysctl',`
+requires_block_template(kernel_modify_filesystem_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_t:dir { getattr search read };
+allow $1 sysctl_fs_t:dir { getattr search read };
+allow $1 sysctl_fs_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_filesystem_sysctl_depend',`
+type proc_t, sysctl_t, sysctl_fs_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_irq_sysctl(domain,[`optional'])
+#
+define(`kernel_read_irq_sysctl',`
+requires_block_template(kernel_read_irq_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_irq_t:dir { getattr search read };
+allow $1 sysctl_irq_t:file { getattr read };
+')
+
+ifdef(`kernel_read_irq_sysctl_depend',`
+type proc_t, sysctl_irq_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_irq_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_irq_sysctl',`
+requires_block_template(kernel_modify_irq_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 sysctl_irq_t:dir { getattr search read };
+allow $1 sysctl_irq_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_irq_sysctl_depend',`
+type proc_t, sysctl_irq_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_rpc_sysctl(domain,[`optional'])
+#
+define(`kernel_read_rpc_sysctl',`
+requires_block_template(kernel_read_rpc_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_net_t:dir search;
+allow $1 sysctl_rpc_t:dir { getattr search read };
+allow $1 sysctl_rpc_t:file { getattr read };
+')
+
+ifdef(`kernel_read_rpc_sysctl_depend',`
+type proc_t, proc_net_t, sysctl_rpc_t;
+class dir { search getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_modify_rpc_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_rpc_sysctl',`
+requires_block_template(kernel_modify_rpc_sysctl_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_net_t:dir search;
+allow $1 sysctl_rpc_t:dir { getattr search read };
+allow $1 sysctl_rpc_t:file { getattr read write };
+')
+
+ifdef(`kernel_modify_rpc_sysctl_depend',`
+type proc_t, proc_net_t, sysctl_rpc_t;
+class dir { search getattr read };
+class file { getattr read write };
+')
+
+########################################
+#
+# kernel_read_all_sysctl(domain,[`optional'])
+#
+define(`kernel_read_all_sysctl',`
+requires_block_template(kernel_read_all_sysctl_depend,$2)
+kernel_read_device_sysctl($1,optional)
+kernel_read_virtual_memory_sysctl($1,optional)
+kernel_read_network_sysctl($1,optional)
+kernel_read_unix_sysctl($1,optional)
+kernel_read_hotplug_sysctl($1,optional)
+kernel_read_modprobe_sysctl($1,optional)
+kernel_read_kernel_sysctl($1,optional)
+kernel_read_filesystem_sysctl($1,optional)
+kernel_read_irq_sysctl($1,optional)
+kernel_read_rpc_sysctl($1,optional)
+')
+
+ifdef(`kernel_read_all_sysctl_depend',`
+kernel_read_device_sysctl_depend
+kernel_read_virtual_memory_sysctl_depend
+kernel_read_network_sysctl_depend
+kernel_read_unix_sysctl_depend
+kernel_read_hotplug_sysctl_depend
+kernel_read_modprobe_sysctl_depend
+kernel_read_kernel_sysctl_depend
+kernel_read_filesystem_sysctl_depend
+kernel_read_irq_sysctl_depend
+kernel_read_rpc_sysctl_depend
+')
+
+########################################
+#
+# kernel_modify_all_sysctl(domain,[`optional'])
+#
+define(`kernel_modify_all_sysctl',`
+requires_block_template(kernel_modify_all_sysctl_depend,$2)
+kernel_modify_device_sysctl($1,optional)
+kernel_modify_virtual_memory_sysctl($1,optional)
+kernel_modify_network_sysctl($1,optional)
+kernel_modify_unix_sysctl($1,optional)
+kernel_modify_hotplug_sysctl($1,optional)
+kernel_modify_modprobe_sysctl($1,optional)
+kernel_modify_kernel_sysctl($1,optional)
+kernel_modify_filesystem_sysctl($1,optional)
+kernel_modify_irq_sysctl($1,optional)
+kernel_modify_rpc_sysctl($1,optional)
+')
+
+ifdef(`kernel_modify_all_sysctl_depend',`
+kernel_modify_device_sysctl_depend
+kernel_modify_virtual_memory_sysctl_depend
+kernel_modify_network_sysctl_depend
+kernel_modify_unix_sysctl_depend
+kernel_modify_hotplug_sysctl_depend +kernel_modify_modprobe_sysctl_depend +kernel_modify_kernel_sysctl_depend +kernel_modify_filesystem_sysctl_depend +kernel_modify_irq_sysctl_depend +kernel_modify_rpc_sysctl_depend +') + +######################################## +# +# kernel_read_hardware_state(domain,[`optional']) +# +define(`kernel_read_hardware_state',` +requires_block_template(kernel_read_hardware_state_depend,$2) +allow $1 sysfs_t:dir { getattr search read }; +allow $1 sysfs_t:{ file lnk_file } { getattr read }; +') + +define(`kernel_read_hardware_state_depend',` +type sysfs_t; +class dir { getattr search read }; +class file { getattr read }; +class lnk_file { getattr read }; +') + +######################################## +# +# kernel_modify_hardware_config_option(domain,[`optional']) +# +define(`kernel_modify_hardware_config_option',` +requires_block_template(kernel_modify_hardware_config_option_depend,$2) +allow $1 sysfs_t:dir { getattr search read }; +allow $1 sysfs_t:lnk_file { getattr read }; +allow $1 sysfs_t:file { getattr read write }; +') + +define(`kernel_modify_hardware_config_option_depend',` +type sysfs_t; +class dir { getattr search read }; +class file { getattr read write }; +class lnk_file { getattr read }; +') + +######################################## +# +# kernel_list_usb_hardware(domain,[`optional']) +# +define(`kernel_list_usb_hardware',` +requires_block_template(kernel_list_usb_hardware_depend,$2) +allow $1 usbfs_t:dir { getattr search read }; +allow $1 usbfs_t:lnk_file { getattr read }; +allow $1 usbfs_t:file getattr; +') + +define(`kernel_list_usb_hardware_depend',` +type usbfs_t; +class dir { getattr search read }; +class file getattr; +class lnk_file { getattr read }; +') + +######################################## +# +# kernel_read_usb_hardware_state(domain,[`optional']) +# +define(`kernel_read_usb_hardware_state',` +requires_block_template(kernel_read_usb_hardware_state_depend,$2) +allow $1 usbfs_t:dir { getattr search read }; 
+allow $1 usbfs_t:{ file lnk_file } { getattr read }; +') + +define(`kernel_read_usb_hardware_state_depend',` +type usbfs_t; +class dir { getattr search read }; +class file { getattr read }; +class lnk_file { getattr read }; +') + +######################################## +# +# kernel_modify_usb_hardware_config_option(domain,[`optional']) +# +define(`kernel_modify_usb_hardware_config_option',` +requires_block_template(kernel_modify_usb_hardware_config_option_depend,$2) +allow $1 usbfs_t:dir { getattr search read }; +allow $1 usbfs_t:lnk_file { getattr read }; +allow $1 usbfs_t:file { getattr read write }; +') + +define(`kernel_modify_usb_hardware_config_option_depend',` +type usbfs_t; +class dir { getattr search read }; +class file { getattr read write }; +class lnk_file { getattr read }; +') + +################################################################### +# # +# These interfaces are reversed, to decouple the base module from # +# the programs that the kernel runs, such as init and insmod, so # +# the base module is self-contained. These styles of interfaces # +# should not be used anywhere else. 
# +# # +################################################################### + +######################################## +# +# kernel_transition_from(domain,entrypoint,[`optional']) +# +define(`kernel_transition_from',` +requires_block_template(kernel_transition_from_depend,$3) +allow kernel_t $2:file { getattr read execute }; +allow kernel_t $1:process transition; +type_transition kernel_t $2:process $1; +dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; +') + +define(`kernel_transition_from_depend',` +type kernel_t; +class file { getattr read execute }; +class process transition; +') + +######################################## +# +# kernel_sigchld_from(domain,[`optional']) +# +define(`kernel_sigchld_from',` +requires_block_template(kernel_sigchld_from_depend,$2) +allow kernel_t $1:process sigchld; +') + +define(`kernel_sigchld_from_depend',` +type kernel_t; +class process sigchld; +') + +######################################## +# +# kernel_unlabeled_sigchld_from(domain,[`optional']) +# +define(`kernel_unlabeled_sigchld_from',` +requires_block_template(kernel_unlabeled_sigchld_from_depend,$2) +allow unlabeled_t $1:process sigchld; +') + +define(`kernel_unlabeled_sigchld_from_depend',` +type unlabeled_t; +class process sigchld; +') + +######################################## +# +# kernel_read_directory_from(domain,[`optional']) +# +define(`kernel_read_directory_from',` +requires_block_template(kernel_read_directory_from_depend,$2) +allow kernel_t $1:dir { getattr search read }; +') + +define(`kernel_read_directory_from_depend',` +type kernel_t; +class dir { getattr search read }; +') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te new file mode 100644 index 0000000..b89320e --- /dev/null +++ b/refpolicy/policy/modules/kernel/kernel.te 
@@ -0,0 +1,148 @@ +######################################## +# kernel_t is the domain of kernel threads. +# It is also the target type when checking permissions in the system class. +# +type kernel_t; +role system_r types kernel_t; + +domain_make_base_domain(kernel_t) + +terminal_use_console(kernel_t) +domain_signal_all_domains(kernel_t) + +# Use capabilities. need to investigate which capabilities are actually used +#allow kernel_t self:capability *; + +# Mount root file system. Used when loading a policy +# from initrd, then mounting the root filesystem +filesystem_mount_all_filesystems(kernel_t) + +# Other possible mount points for the root fs are in sysfiles +allow kernel_t unlabeled_t:dir mounton; + +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +#can_exec(kernel_t, bin_t.sys) + +# Kernel-generated traffic, e.g. ICMP replies. +corenetwork_send_raw_on_all_interfaces(kernel_t) +corenetwork_receive_raw_on_all_interfaces(kernel_t) + +# Kernel-generated traffic, e.g. TCP resets. +corenetwork_send_tcp_on_all_interfaces(kernel_t) +corenetwork_receive_tcp_on_all_interfaces(kernel_t) + +######################################## +# +# unlabeled_t is the type of unlabeled objects. +# Objects that have no known labeling information or that +# have labels that are no longer valid are treated as having this type. +# +type unlabeled_t; + +############################################ +# +# security_t is the target type when checking +# the permissions in the security class. It is also +# applied to selinuxfs inodes. 
+# +type security_t; +genfscon selinuxfs / system_u:object_r:security_t + +attribute can_load_policy; +attribute can_setenforce; +attribute can_setsecparam; +neverallow ~can_load_policy security_t:security load_policy; +neverallow ~can_setenforce security_t:security setenforce; +neverallow ~can_setsecparam security_t:security setsecparam; + +######################################## +# +# sysfs_t is the type for /sys +# +type sysfs_t; +filesystem_make_filesystem(sysfs_t) +genfscon sysfs / system_u:object_r:sysfs_t + +######################################## +# +# usbfs_t is the type for /proc/bus/usb +# +type usbfs_t alias usbdevfs_t; +filesystem_make_filesystem(usbfs_t) +genfscon usbfs / system_u:object_r:usbfs_t +genfscon usbdevfs / system_u:object_r:usbfs_t + +############################################ +# +# Procfs types +# + +type proc_t; +genfscon proc / system_u:object_r:proc_t +genfscon proc /sysvipc system_u:object_r:proc_t + +# kernel message interface +type proc_kmsg_t; +genfscon proc /kmsg system_u:object_r:proc_kmsg_t +attribute can_receive_kernel_messages; +neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; + +# /proc kcore: inaccessible +type proc_kcore_t; +neverallow * proc_kcore_t:file ~getattr; +genfscon proc /kcore system_u:object_r:proc_kcore_t + +type proc_mdstat_t; +genfscon proc /mdstat system_u:object_r:proc_mdstat_t + +type proc_net_t; +genfscon proc /net system_u:object_r:proc_net_t + +############################################ +# +# Sysctl types +# + +# /proc/irq directory and files +type sysctl_irq_t; +genfscon proc /irq system_u:object_r:sysctl_irq_t + +# /proc/net/rpc directory and files +type sysctl_rpc_t; +genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t + +# /proc/sys directory, base directory of sysctls +type sysctl_t; +genfscon proc /sys system_u:object_r:sysctl_t + +# /proc/sys/fs directory and files +type sysctl_fs_t; +genfscon proc /sys/fs system_u:object_r:sysctl_fs_t + +# /proc/sys/kernel directory and 
files
+type sysctl_kernel_t;
+genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
+
+# /proc/sys/kernel/modprobe file
+type sysctl_modprobe_t;
+genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
+
+# /proc/sys/kernel/hotplug file
+type sysctl_hotplug_t;
+genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
+
+# /proc/sys/net directory and files
+type sysctl_net_t;
+genfscon proc /sys/net system_u:object_r:sysctl_net_t
+
+# /proc/sys/net/unix directory and files
+type sysctl_net_unix_t;
+genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
+
+# /proc/sys/vm directory and files
+type sysctl_vm_t;
+genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
+
+# /proc/sys/dev directory and files
+type sysctl_dev_t;
+genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
new file mode 100644
index 0000000..c2375c0
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/storage.if
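Review bot: The commented-out `#allow kernel_t self:capability *;` near the top of the hunk leaves a wildcard capability grant in the base module one character away from being live, with only "need to investigate" as justification. Either drop the line or replace it with the specific capabilities kernel_t is observed to need, and keep the open question as a plain comment rather than as disabled policy. Separately, `genfscon proc /sysvipc system_u:object_r:proc_t` is redundant with the `/` entry for the same type and can be removed. The names `sysctl_irq_t` and `sysctl_rpc_t` label `/proc/irq` and `/proc/net/rpc`, which sit outside `/proc/sys`; a comment noting they are not true sysctls would save the next reader a check, since `kernel_read_all_sysctl` in kernel.if folds them in.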
@@ -0,0 +1,135 @@ +######################################## +# +# storage_raw_read_fixed_disk(domain,[`optional']) +# +define(`storage_raw_read_fixed_disk',` +requires_block_template(storage_raw_read_fixed_disk_depend,$2) +typeattribute $1 fixed_disk_raw_read; +devices_list_device_nodes($1,optional) +allow $1 fixed_disk_device_t:blk_file { getattr read ioctl }; +') + +define(`storage_raw_read_fixed_disk_depend',` +type fixed_disk_device_t; +attribute fixed_disk_raw_read; +class blk_file { getattr read ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_raw_write_fixed_disk(domain,[`optional']) +# +define(`storage_raw_write_fixed_disk',` +requires_block_template(storage_raw_write_fixed_disk_depend,$2) +typeattribute $1 fixed_disk_raw_write; +devices_list_device_nodes($1,optional) +allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; +') + +define(`storage_raw_write_fixed_disk_depend',` +type fixed_disk_device_t; +attribute fixed_disk_raw_write; +class blk_file { getattr write ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_read_scsi_generic(domain,[`optional']) +# +define(`storage_read_scsi_generic',` +requires_block_template(storage_read_scsi_generic_depend,$2) +typeattribute $1 scsi_generic_read; +devices_list_device_nodes($1,optional) +allow $1 scsi_generic_device_t:blk_file { getattr read ioctl }; +') + +define(`storage_read_scsi_generic_depend',` +type scsi_generic_device_t; +attribute scsi_generic_read; +class blk_file { getattr read ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_write_scsi_generic(domain,[`optional']) +# +define(`storage_write_scsi_generic',` +requires_block_template(storage_write_scsi_generic_depend,$2) +typeattribute $1 scsi_generic_write; +devices_list_device_nodes($1,optional) +allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; +') + 
+define(`storage_write_scsi_generic_depend',` +type scsi_generic_device_t; +attribute scsi_generic_write; +class blk_file { getattr write ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_raw_read_removable_device(domain,[`optional']) +# +define(`storage_raw_read_removable_device',` +requires_block_template(storage_raw_read_removable_device_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 removable_device_t:blk_file { getattr read ioctl }; +') + +define(`storage_raw_read_removable_device_depend',` +type removable_device_t; +class blk_file { getattr read ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_raw_write_removable_device(domain,[`optional']) +# +define(`storage_raw_write_removable_device',` +requires_block_template(storage_raw_write_removable_device_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 removable_device_t:blk_file { getattr write ioctl }; +') + +define(`storage_raw_write_removable_device_depend',` +type removable_device_t; +class blk_file { getattr write ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_read_tape_device(domain,[`optional']) +# +define(`storage_read_tape_device',` +requires_block_template(storage_read_tape_device_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 tape_device_t:blk_file { getattr read ioctl }; +') + +define(`storage_read_tape_device_depend',` +type tape_device_t; +class blk_file { getattr read ioctl }; +devices_list_device_nodes_depend +') + +######################################## +# +# storage_write_tape_device(domain,[`optional']) +# +define(`storage_write_tape_device',` +requires_block_template(storage_write_tape_device_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 tape_device_t:blk_file { getattr write ioctl }; +') + +define(`storage_write_tape_device_depend',` +type tape_device_t; +class blk_file { 
getattr write ioctl };
+devices_list_device_nodes_depend
+')
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
new file mode 100644
index 0000000..592038b
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -0,0 +1,38 @@
+#
+# fixed_disk_device_t is the type of
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t;
+
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
+devices_make_device_node(fixed_disk_device_t)
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t;
+
+attribute scsi_generic_read;
+attribute scsi_generic_write;
+neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
+devices_make_device_node(scsi_generic_device_t)
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t;
+
+devices_make_device_node(removable_device_t)
+
+#
+# tape_device_t is the type of
+#
+type tape_device_t;
+
+devices_make_device_node(tape_device_t)
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
new file mode 100644
index 0000000..3a421ea
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/terminal.if
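Review bot: `storage_write_scsi_generic` grants `allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };` while its name, the `scsi_generic_write` attribute it assigns and its `_depend` block all refer to `scsi_generic_device_t`; the target should be `allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };`. As written a caller would get write access to fixed disks without holding `fixed_disk_raw_write`, which the `neverallow ~fixed_disk_raw_write fixed_disk_device_t:... { append write }` in storage.te should reject at build time — or, if that check were ever relaxed, silently extend. On Linux the SCSI generic (`/dev/sg*`) and tape nodes are character devices, so the `blk_file` class used in the scsi_generic and tape interfaces likely never matches the real nodes; confirm against the labeled devices and use `chr_file` where appropriate (the storage.te neverallows already cover both classes).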
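Review bot: The comment above `type tape_device_t;` is truncated (`# tape_device_t is the type of` with nothing following); finish it with the device nodes it labels, as the other three blocks do. Unlike `fixed_disk_device_t` and `scsi_generic_device_t`, `removable_device_t` and `tape_device_t` carry no `*_read`/`*_write` attribute and no matching `neverallow`, so raw access to them is not confined to an auditable set of domains; if that is deliberate, say so in the comment, otherwise mirror the fixed-disk pattern.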
@@ -0,0 +1,107 @@ +######################################## +# +# terminal_use_console(domain,[`optional']) +# +define(`terminal_use_console',` +requires_block_template(terminal_use_console_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 console_device_t:chr_file { read write }; +') + +define(`terminal_use_console_depend',` +type console_device_t; +class chr_file { read write }; +devices_list_device_nodes_depend +') + +######################################## +# +# terminal_use_controlling_terminal(domain,[`optional']) +# +define(`terminal_use_controlling_terminal',` +requires_block_template(terminal_use_controlling_terminal_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 devtty_t:chr_file { read write }; +') + +define(`terminal_use_controlling_terminal_depend',` +type devtty_t; +class chr_file { read write }; +devices_list_device_nodes_depend +') + +######################################## +# +# terminal_make_pty(domain,ptytype,[`optional']) +# +define(`terminal_make_pty',` +requires_block_template(terminal_make_pty_depend,$3) +devices_list_device_nodes($1,optional) +allow $1 ptmx_t:chr_file { getattr read write }; +allow $1 devpts_t:dir { getattr search read }; +allow $1 devpts_t:filesystem getattr; +allow $2 devpts_t:filesystem associate; +type_transition $1 devpts_t:chr_file $2; +typeattribute $2 ptynode; +') + +define(`terminal_make_pty_depend',` +attribute ptynode; +type ptmx_t, devpts_t; +class filesystem { getattr associate }; +class dir { getattr search read }; +class chr_file { getattr read write }; +devices_list_device_nodes_depend +') + +######################################## +# +# terminal_use_all_terminals(domain,[`optional']) +# +define(`terminal_use_all_terminals',` +requires_block_template(terminal_use_all_terminals_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 devpts_t:dir { getattr read search }; +allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write }; +') + 
+define(`terminal_use_all_terminals_depend',` +attribute ttynode, ptynode; +type console_device_t, devtty_t, devpts_t; +class chr_file { read write }; +devices_list_device_nodes_depend +') + +######################################## +# +# terminal_reset_labels(domain,[`optional']) +# +define(`terminal_reset_labels',` +requires_block_template(terminal_reset_labels_depend,$2) +devices_list_device_nodes($1,optional) +kernel_relabeling_privilege($1,optional) +allow $1 ttynode:chr_file relabelfrom; +allow $1 tty_device_t:chr_file relabelto; +') + +define(`terminal_reset_labels_depend',` +attribute ttynode; +type tty_device_t; +class chr_file { relabelfrom relabelto }; +devices_list_device_nodes_depend +kernel_relabeling_privilege_depend +') + +######################################## +# +# terminal_ignore_list_ptys(domain,[`optional']) +# +define(`terminal_ignore_list_ptys',` +requires_block_template(terminal_ignore_list_ptys_depend,$2) +allow $1 console_device_t:chr_file { read write }; +') + +define(`terminal_ignore_list_ptys_depend',` +type devpts_t; +class dir { getattr search read }; +') diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te new file mode 100644 index 0000000..ee844d0 --- /dev/null +++ b/refpolicy/policy/modules/kernel/terminal.te 
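Review bot: `terminal_ignore_list_ptys` does not match its name or its `_depend` block: the body is `allow $1 console_device_t:chr_file { read write };` while the depend declares `devpts_t` and `class dir { getattr search read }`, so an interface that reads like a dontaudit convenience actually grants console read/write. The intended body is presumably `dontaudit $1 devpts_t:dir { getattr search read };`. `terminal_use_all_terminals_depend` also omits `class dir { getattr read search };` although the interface body uses `devpts_t:dir`, so a module relying on the depend block would be missing that class declaration.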
@@ -0,0 +1,41 @@
+attribute ttynode;
+attribute ptynode;
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t;
+
+devices_make_device_node(console_device_t)
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t;
+
+devices_make_device_node(devtty_t)
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, ttynode;
+
+devices_make_device_node(tty_device_t)
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t, ptynode;
+
+devices_make_device_node(bsdpty_device_t)
+
+
+# ptmx_t is the type for /dev/ptmx.
+type ptmx_t;
+
+devices_make_device_node(ptmx_t)
+
+#
+# devpts_t is the type of the devpts file system and
+# the type of the root directory of the file system.
+#
+type devpts_t;
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
new file mode 100644
index 0000000..89e182b
--- /dev/null
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -0,0 +1,27 @@
+#######################################
+#
+# authlogin_modify_login_records(type,[`optional'])
+#
+define(`authlogin_modify_login_records',`
+requires_block_template(authlogin_modify_login_records_depend,$2)
+allow $1 wtmp_t:file { getattr read write setattr };
+')
+
+define(`authlogin_modify_login_records_depend',`
+type wtmp_t;
+class file { getattr read write setattr };
+')
+
+#######################################
+#
+# authlogin_modify_last_login_log(type,[`optional'])
+#
+define(`authlogin_modify_last_login_log',`
+requires_block_template(authlogin_modify_last_login_log_depend,$2)
+allow $1 lastlog_t:file { getattr read write setattr };
+')
+
+define(`authlogin_modify_last_login_log_depend',`
+type lastlog_t;
+class file { getattr read write setattr };
+')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
new file mode 100644
index 0000000..8f9aecb
--- /dev/null
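Review bot: The comment block for `bsdpty_device_t` lacks its closing `#` line and the `ptmx_t` block lacks the opening `#` line, unlike every other type in this file; adding `#` after `# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]` and before `# ptmx_t is the type for /dev/ptmx.` would make them consistent. `devpts_t` is declared with no filesystem labeling statement, whereas kernel.te pairs `sysfs_t` and `usbfs_t` with `filesystem_make_filesystem` and a `genfscon`; if devpts labeling is handled elsewhere (it presumably needs a transition-based fs_use rule rather than genfscon), a one-line comment pointing there would keep the file self-explanatory.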
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -0,0 +1,5 @@
+type lastlog_t;
+logging_make_log_file(lastlog_t)
+
+type wtmp_t;
+logging_make_log_file(wtmp_t)
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
new file mode 100644
index 0000000..d9c7a3e
--- /dev/null
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -0,0 +1,70 @@ +######################################## +# +# corecommands_execute_general_programs(domain,[`optional'] +# +define(`corecommands_execute_general_programs',` +requires_block_template(corecommands_execute_general_programs_depend,$2) +allow $1 bin_t:dir { getattr search read }; +allow $1 bin_t:lnk_file { getattr read }; +allow $1 bin_t:file { getattr read execute execute_no_trans }; +') + +define(`corecommands_execute_general_programs_depend',` +type bin_t; +class dir { getattr search read }; +class lnk_file { getattr read }; +class file { getattr read execute execute_no_trans }; +') + +######################################## +# +# corecommands_execute_system_programs(domain,[`optional'] +# +define(`corecommands_execute_system_programs',` +requires_block_template(corecommands_execute_system_programs_depend,$2) +allow $1 sbin_t:dir { getattr search read }; +allow $1 sbin_t:lnk_file { getattr read }; +allow $1 sbin_t:file { getattr read execute execute_no_trans }; +') + +define(`corecommands_execute_system_programs_depend',` +type sbin_t; +class dir { getattr search read }; +class lnk_file { getattr read }; +class file { getattr read execute execute_no_trans }; +') + +######################################## +# +# corecommands_execute_shell(domain,[`optional'] +# +define(`corecommands_execute_shell',` +requires_block_template(corecommands_execute_shell_depend,$2) +allow $1 bin_t:dir { getattr search read }; +allow $1 bin_t:lnk_file { getattr read }; +allow $1 shell_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`corecommands_execute_shell_depend',` +type bin_t, shell_exec_t; +class dir { getattr search read }; +class lnk_file { getattr read }; +class file { getattr read execute execute_no_trans }; +') + +######################################## +# +# corecommands_chroot(domain,[`optional'] +# +define(`corecommands_chroot',` +requires_block_template(corecommands_chroot_depend,$2) +allow $1 chroot_exec_t:file { getattr read 
execute execute_no_trans };
+# could go to a generic chroot priv:
+allow $1 self:capability sys_chroot;
+')
+
+define(`corecommands_chroot_depend',`
+type chroot_exec_t;
+class file { getattr read execute execute_no_trans };
+class capability sys_chroot;
+')
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
new file mode 100644
index 0000000..026790c
--- /dev/null
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -0,0 +1,27 @@
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t;
+files_make_file(bin_t)
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t;
+files_make_file(sbin_t)
+kernel_read_directory_from(sbin_t)
+
+#
+# ls_exec_t is the type of the ls program.
+#
+#type ls_exec_t;
+typealias bin_t alias ls_exec_t;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+files_make_file(sbin_t)
+
+type chroot_exec_t;
+files_make_file(chroot_exec_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
new file mode 100644
index 0000000..6cf693f
--- /dev/null
+++ b/refpolicy/policy/modules/system/domain.if
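Review bot: All four interface header comments in this file are missing their closing parenthesis, e.g. `# corecommands_execute_general_programs(domain,[`optional']` should read `# corecommands_execute_general_programs(domain,[`optional'])`. `corecommands_execute_shell` grants `execute_no_trans` on `shell_exec_t`, meaning the shell runs in the caller's own domain with no transition; that is a significant property for a name that only says "execute", so a header line such as `# Execute a shell in the caller's domain (no domain transition).` would help callers choose correctly. The `# could go to a generic chroot priv:` remark in `corecommands_chroot` reads as a TODO; either name the intended interface or state that `sys_chroot` is deliberately granted here.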
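Review bot: Under `type shell_exec_t;` the call is `files_make_file(sbin_t)`, a copy of the sbin_t block; it should be `files_make_file(shell_exec_t)`. As written, `shell_exec_t` never receives the `file_type` attribute or the filesystem association that `files_make_file` provides, so files labeled shell_exec_t cannot be associated with a filesystem and any `file_type`-based rule in files.if silently excludes user shells. The commented `#type ls_exec_t;` above `typealias bin_t alias ls_exec_t;` is dead and can be dropped.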
@@ -0,0 +1,108 @@ +######################################## +# +# domain_make_base_domain(domain,[`optional']) +# +define(`domain_make_base_domain',` +requires_block_template(domain_make_base_domain_depend,$2) + +# mark as a domain +typeattribute $1 domain; + +# allow the domain to read its /proc/pid entries +allow $1 self:dir { getattr search read }; +allow $1 self:{ file lnk_file } { getattr read }; + +# allow $1 to create child processes in this domain +allow $1 self:process { fork sigchld }; +') + +define(`domain_make_base_domain_depend',` +attribute domain; +class dir { getattr search read }; +class file { getattr read }; +class lnk_file { getattr read }; +') + +######################################## +# +# domain_make_domain(domain,[`optional']) +# +define(`domain_make_domain',` +requires_block_template(domain_make_domain_depend,$2) + +domain_make_base_domain($1,optional) + +files_read_root_dir($1,optional) +init_sigchld($1,optional) +') + +define(`domain_make_domain_depend',` +domain_make_base_domain_depend +files_read_root_dir_depend +init_send_sigchld_depend +') + +######################################## +# +# domain_make_entrypoint_file(domain,entrypointfile,[`optional']) +# +define(`domain_make_entrypoint_file',` +requires_block_template(domain_make_entrypoint_file_depend,$3) +allow $1 $2:file entrypoint; +neverallow $1 ~{ $2 }:file entrypoint; +files_make_file($2,$3) +') + +define(`domain_make_entrypoint_file_depend',` +class file entrypoint; +') + +######################################## +# +# domain_signal_all_domains(domain,[`optional']) +# +define(`domain_signal_all_domains',` +requires_block_template(domain_signal_all_domains_depend,$2) +allow $1 domain:process signal; +') + +define(`domain_signal_all_domains_depend',` +attribute domain; +class process signal; +') + +######################################## +# +# domain_kill_all_domains(domain,[`optional']) +# +define(`domain_kill_all_domains',` 
+requires_block_template(domain_kill_all_domains_depend,$2)
+allow $1 domain:process sigkill;
+allow $1 self:capability kill;
+')
+
+define(`domain_kill_all_domains_depend',`
+attribute domain;
+class process sigkill;
+class capability kill;
+')
+
+########################################
+#
+# domain_read_all_domains_process_state(domain,[`optional'])
+#
+define(`domain_read_all_domains_process_state',`
+requires_block_template(domain_read_all_domains_process_state_depend,$2)
+allow $1 domain:dir { getattr search read };
+allow $1 domain:lnk_file { getattr read };
+allow $1 domain:file { getattr read };
+allow $1 domain:process { getattr getsession };
+')
+
+define(`domain_read_all_domains_process_state_depend',`
+attribute domain;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read };
+class process { getattr getsession };
+')
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
new file mode 100644
index 0000000..63afbcb
--- /dev/null
+++ b/refpolicy/policy/modules/system/domain.te
@@ -0,0 +1,4 @@
+# Mark process types as domains
+attribute domain;
+
+neverallow domain ~domain:process { transition dyntransition };
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
new file mode 100644
index 0000000..b8a9488
--- /dev/null
+++ b/refpolicy/policy/modules/system/files.if
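Review bot: `domain_make_domain` calls `init_sigchld($1,optional)` but `domain_make_domain_depend` lists `init_send_sigchld_depend`, so one of the two names is wrong and the depend block will not describe the interface it belongs to. `domain_make_base_domain_depend` also omits `class process { fork sigchld };` although the body uses both permissions, and `domain_make_entrypoint_file_depend` omits `files_make_file_depend` although the body calls `files_make_file($2,$3)`. In `domain_make_entrypoint_file`, `neverallow $1 ~{ $2 }:file entrypoint;` means a domain can only ever have one entrypoint type: a second call for the same domain with a different file type yields contradictory neverallows and the build fails, so if multiple entrypoints are expected that constraint belongs with the caller or should be dropped.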
@@ -0,0 +1,412 @@
+########################################
+#
+# files_make_file(type,[`optional'])
+#
+define(`files_make_file',`
+requires_block_template(files_make_file_depend,$2)
+typeattribute $1 file_type;
+filesystem_associate($1,optional)
+')
+
+define(`files_make_file_depend',`
+attribute file_type;
+filesystem_associate_depend
+')
+
+########################################
+#
+# files_get_all_file_stats(type,[`optional'])
+#
+define(`files_get_all_file_stats',`
+requires_block_template(files_get_all_file_stats_depend,$2)
+allow $1 file_type:dir { search getattr };
+allow $1 file_type:file getattr;
+allow $1 file_type:lnk_file getattr;
+allow $1 file_type:fifo_file getattr;
+allow $1 file_type:sock_file getattr;
+')
+
+define(`files_get_all_file_stats_depend',`
+attribute file_type;
+class dir { search getattr };
+class file getattr;
+class lnk_file getattr;
+class fifo_file getattr;
+class sock_file getattr;
+')
+
+########################################
+#
+# files_read_root_dir(domain,[`optional'])
+#
+define(`files_read_root_dir',`
+requires_block_template(files_read_root_dir_depend,$2)
+allow $1 root_t:dir { getattr search read };
+allow $1 root_t:lnk_file { getattr read };
+')
+
+define(`files_read_root_dir_depend',`
+type root_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_create_root_dir_entry(domain,[`optional'])
+#
+define(`files_create_root_dir_entry',`
+requires_block_template(files_create_root_dir_entry_depend,$2)
+allow $1 root_t:dir { getattr search read write add_name };
+')
+
+define(`files_create_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# files_create_private_root_dir_entry(domain,privatetype,[class(es)],[`optional'])
+#
+define(`files_create_private_root_dir_entry',`
+requires_block_template(files_create_private_root_dir_entry_depend,$2)
+allow $1 
root_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 root_t:file $2;
+',`
+type_transition $1 root_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`files_create_private_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_remove_root_dir_entry(domain,[`optional'])
+#
+define(`files_remove_root_dir_entry',`
+requires_block_template(files_remove_root_dir_entry_depend,$2)
+allow $1 root_t:dir { getattr search read write remove_name };
+')
+
+define(`files_remove_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write remove_name };
+')
+
+########################################
+#
+# files_read_general_system_config(type,[`optional'])
+#
+define(`files_read_general_system_config',`
+requires_block_template(files_read_general_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_t:file { getattr read };
+allow $1 etc_t:lnk_file { getattr read };
+')
+
+define(`files_read_general_system_config_depend',`
+type etc_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_execute_system_config_script(domain,[`optional'])
+#
+define(`files_execute_system_config_script',`
+requires_block_template(files_execute_system_config_script_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_t:lnk_file { getattr read };
+allow $1 etc_t:file { getattr read execute execute_no_trans };
+')
+
+define(`files_execute_system_config_script_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# files_create_boot_flag(type,[`optional'])
+#
+# /halt, /.autofsck, etc
+#
+define(`files_create_boot_flag',`
+requires_block_template(files_create_boot_flag_depend,$2)
+allow $1 root_t:dir { getattr search read write add_name remove_name };
+allow $1 etc_runtime_t:file { create read write setattr unlink };
+type_transition $1 root_t:file etc_runtime_t;
+')
+
+define(`files_create_boot_flag_depend',`
+type root_t, etc_runtime_t;
+class dir { getattr search read write add_name };
+class file { create read write setattr };
+')
+
+########################################
+#
+# files_create_runtime_system_config(type,[`optional'])
+#
+define(`files_create_runtime_system_config',`
+requires_block_template(files_create_runtime_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read write add_name remove_name };
+allow $1 etc_runtime_t:file { create read write setattr unlink };
+type_transition $1 etc_t:file etc_runtime_t;
+')
+
+define(`files_create_runtime_system_config_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read write add_name };
+class file { create read write setattr };
+')
+
+########################################
+#
+# files_read_runtime_system_config(domain,[`optional'])
+#
+define(`files_read_runtime_system_config',`
+requires_block_template(files_read_runtime_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_runtime_t:file { getattr read };
+')
+
+define(`files_create_runtime_system_config_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_create_private_config(domain,privatetype,[class(es)],[`optional'])
+#
+define(`files_create_private_config',`
+requires_block_template(files_create_private_config_depend,$4)
+allow $1 etc_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 etc_t:file $2;
+',`
+type_transition $1 etc_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`files_create_private_config_depend',`
+type etc_t;
+class dir { getattr search read 
write add_name remove_name };
+')
+
+########################################
+#
+# files_read_general_shared_resources(domain,[`optional'])
+#
+define(`files_read_general_shared_resources',`
+requires_block_template(files_read_general_shared_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_general_shared_resources_depend',`
+type usr_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_manage_pseudorandom_saved_seed(domain,[`optional'])
+#
+define(`files_manage_pseudorandom_saved_seed',`
+requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 var_lib_t:file { getattr create read write setattr unlink };
+')
+
+define(`files_manage_pseudorandom_saved_seed_depend',`
+type usr_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
+#
+define(`files_create_daemon_runtime_data',`
+requires_block_template(files_create_daemon_runtime_data_depend,$4)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_run_t:file $2;
+',`
+type_transition $1 var_run_t:$3 $2;
+') dnl end ifelse
+typeattribute $1 pidfile;
+')
+
+define(`files_create_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_modify_system_runtime_data(domain,[`optional'])
+#
+define(`files_modify_system_runtime_data',`
+requires_block_template(files_modify_system_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
+allow $1 var_run_t:file { getattr read write };
+')
+
+define(`files_modify_system_runtime_data_depend',`
+type var_t, var_run_t;
+class dir { getattr search read };
+class file { getattr read write };
+')
+
+########################################
+#
+# files_remove_all_daemon_runtime_data(domain,[`optional'])
+#
+define(`files_remove_all_daemon_runtime_data',`
+requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+allow $1 var_run_t:dir rmdir;
+allow $1 pidfile:dir { getattr search read write add_name remove_name };
+allow $1 pidfile:file { getattr unlink };
+allow $1 pidfile:sock_file { getattr unlink };
+')
+
+define(`files_remove_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+#
+define(`files_create_private_tmp_data',`
+requires_block_template(files_create_private_tmp_data_depend,$2)
+allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 tmp_t:file $2;
+',`
+type_transition $1 tmp_t:$3 $2;
+')
+typeattribute $1 tmpfile;
+')
+
+define(`files_create_private_tmp_data_depend',`
+attribute tmpfile;
+type etc_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# files_remove_all_tmp_data(domain,[`optional'])
+#
+define(`files_remove_all_tmp_data',`
+requires_block_template(files_remove_all_tmp_data_depend,$2)
+allow $1 tmpfile:dir { getattr search read write add_name 
remove_name rmdir };
+allow $1 tmpfile:file { getattr unlink };
+allow $1 tmpfile:lnk_file { getattr unlink };
+allow $1 tmpfile:fifo_file { getattr unlink };
+allow $1 tmpfile:sock_file { getattr unlink };
+')
+
+define(`files_remove_all_tmp_data_depend',`
+attribute tmpfile;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class fifo_file { getattr unlink };
+class sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_manage_general_lock_files(domain,[`optional'])
+#
+define(`files_manage_general_lock_files',`
+requires_block_template(files_manage_general_lock_files_depend,$2)
+allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+allow $1 var_lock_t:file { getattr create read write setattr unlink };
+')
+
+define(`files_remove_general_lock_files_depend',`
+type var_lock_t;
+class dir { getattr search create read write setattr add_name remove_name rmdir };
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_remove_all_lock_files(domain,[`optional'])
+#
+define(`files_remove_all_lock_files',`
+requires_block_template(files_remove_all_lock_files_depend,$2)
+allow $1 lockfile:dir { getattr search read write add_name remove_name };
+allow $1 lockfile:file { getattr unlink };
+')
+
+define(`files_remove_all_lock_files_depend',`
+attribute lockfile;
+class dir { getattr search read write add_name remove_name };
+class file { getattr unlink };
+')
+
+########################################
+#
+# files_read_general_system_resources(domain,[`optional'])
+#
+define(`files_read_general_system_resources',`
+requires_block_template(files_read_general_system_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_general_system_resources_depend',`
+type 
usr_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_read_system_source_code(type,[`optional'])
+#
+define(`files_read_system_source_code',`
+requires_block_template(files_read_system_source_code_depend,$2)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
new file mode 100644
index 0000000..614b3ed
--- /dev/null
+++ b/refpolicy/policy/modules/system/files.te
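Review bot: `files_create_private_root_dir_entry` and `files_create_private_tmp_data` pass `$2` (the private type) to `requires_block_template` although their optional flag is the fourth argument, while the parallel `files_create_private_config` and `files_create_daemon_runtime_data` correctly pass `$4`. Two `_depend` blocks are misnamed: the block for `files_read_runtime_system_config` is defined as `files_create_runtime_system_config_depend`, which silently redefines the earlier create-side block with a read-only permission set, and the block for `files_manage_general_lock_files` is defined as `files_remove_general_lock_files_depend`, so the names the interfaces actually reference are undefined. `files_create_daemon_runtime_data` and `files_create_private_tmp_data` apply `typeattribute $1 pidfile;` / `typeattribute $1 tmpfile;` to the calling domain rather than to the `$2` file type, so the `files_remove_all_*` interfaces keyed on those attributes end up targeting domain types instead of the runtime files they are meant to clean up. Several `_depend` blocks also declare the wrong or a narrower set than their interface uses (`files_manage_pseudorandom_saved_seed_depend` declares `usr_t` instead of `var_t, var_lib_t`; `files_create_private_tmp_data_depend` declares `etc_t` instead of `tmp_t`; `files_create_boot_flag_depend` and `files_create_runtime_system_config_depend` omit `remove_name` and `unlink`), which matters once these blocks are used as module requires blocks. The corrected lines follow.
```m4
define(`files_create_private_root_dir_entry',`
requires_block_template(files_create_private_root_dir_entry_depend,$4)
# … unchanged: root_t dir rule and type_transition …

define(`files_create_boot_flag_depend',`
type root_t, etc_runtime_t;
class dir { getattr search read write add_name remove_name };
class file { create read write setattr unlink };
')

define(`files_create_runtime_system_config_depend',`
type etc_t, etc_runtime_t;
class dir { getattr search read write add_name remove_name };
class file { create read write setattr unlink };
')

define(`files_read_runtime_system_config_depend',`
type etc_t, etc_runtime_t;
class dir { getattr search read };
class file { getattr read };
')

define(`files_manage_pseudorandom_saved_seed_depend',`
type var_t, var_lib_t;
# … unchanged: class lines …

define(`files_create_daemon_runtime_data',`
requires_block_template(files_create_daemon_runtime_data_depend,$4)
# … unchanged: var_t/var_run_t rules and type_transition …
typeattribute $2 pidfile;
')

define(`files_create_private_tmp_data',`
requires_block_template(files_create_private_tmp_data_depend,$4)
# … unchanged: tmp_t rule and type_transition …
typeattribute $2 tmpfile;
')

define(`files_create_private_tmp_data_depend',`
attribute tmpfile;
type tmp_t;
class dir { getattr search read write add_name remove_name };
')

define(`files_manage_general_lock_files_depend',`
# … unchanged: var_lock_t declaration and class lines …
```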
@@ -0,0 +1,116 @@
+attribute file_type;
+attribute lockfile;
+attribute pidfile;
+attribute tmpfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type;
+filesystem_associate(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type;
+filesystem_associate(etc_t)
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type;
+filesystem_associate(etc_runtime_t)
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type;
+filesystem_associate(file_t)
+kernel_make_root_filesystem_mountpoint(file_t)
+
+#
+# removable_t is the default type of all removable media
+#
+type removable_t, file_type;
+filesystem_associate(removable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type;
+filesystem_associate(root_t)
+kernel_read_directory_from(root_t)
+kernel_make_root_filesystem_mountpoint(root_t)
+genfscon rootfs / system_u:object_r:root_t
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type;
+filesystem_associate(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type;
+filesystem_associate(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t, file_type;
+filesystem_associate(mnt_t)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type;
+filesystem_associate(src_t)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t, file_type, tmpfile;
+filesystem_associate(tmp_t)
+
+#
+# usr_t is the type for /usr. 
+#
+type usr_t, file_type;
+filesystem_associate(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t, file_type;
+filesystem_associate(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t, file_type;
+filesystem_associate(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t, file_type, lockfile;
+filesystem_associate(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t, file_type, pidfile;
+filesystem_associate(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t, file_type;
+filesystem_associate(var_spool_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
new file mode 100644
index 0000000..c2dc2d2
--- /dev/null
+++ b/refpolicy/policy/modules/system/init.if
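Review bot: The comment above `var_lock_t` reads `# var_lock_t is tye type of /var/lock`; it should be `# var_lock_t is the type of /var/lock`. The four attributes at the top of the file (`file_type`, `lockfile`, `pidfile`, `tmpfile`) are the only declarations without a comment while every type has one; a short header such as `# lockfile, pidfile and tmpfile mark types whose entries the files_remove_all_* interfaces may delete` would explain why `var_lock_t`, `var_run_t` and `tmp_t` carry them, which is otherwise only discoverable by reading files.if.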
@@ -0,0 +1,69 @@
+########################################
+#
+# init_transition(domain,[`optional'])
+#
+define(`init_transition',`
+requires_block_template(init_transition_depend,$2)
+allow $1 init_exec_t:file { getattr read execute };
+allow $1 init_t:process transition;
+type_transition $1 init_exec_t:file init_t;
+dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_transition_depend',`
+type init_t, init_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# init_sigchld(domain,[`optional'])
+#
+define(`init_sigchld',`
+requires_block_template(init_sigchld_depend,$2)
+allow $1 init_t:process sigchld;
+')
+
+define(`init_sigchld_depend',`
+type init_t;
+class process sigchld;
+')
+
+########################################
+#
+# init_script_transition(domain,[`optional'])
+#
+define(`init_script_transition',`
+requires_block_template(init_script_transition_depend,$2)
+allow $1 initrc_exec_t:file { getattr read execute };
+allow $1 initrc_t:process transition;
+type_transition $1 initrc_exec_t:file init_t;
+dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# init_script_direct_admin_transition(role,domain,[`optional'])
+#
+define(`init_script_direct_admin_transition',`
+requires_block_template(init_script_direct_admin_transition_depend,$2)
+allow $2 initrc_exec_t:file { getattr read execute };
+allow $2 initrc_t:process transition;
+type_transition $2 initrc_exec_t:file init_t;
+kernel_system_role_transition($1,initrc_exec_t,optional)
+dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_direct_admin_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file 
{ getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+kernel_system_role_transition_depend
+')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
new file mode 100644
index 0000000..7fec32b
--- /dev/null
+++ b/refpolicy/policy/modules/system/init.te
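Review bot: `init_script_transition` sets `type_transition $1 initrc_exec_t:file init_t;` and `dontaudit $1 init_t:process { ... }` although the allow rule just above grants transition to `initrc_t` and the `_depend` block declares only `initrc_t, initrc_exec_t`; executing an init script would be steered into the init domain, which no rule permits, and `init_t` would be missing from a module's requires block. Both lines should name `initrc_t`: `type_transition $1 initrc_exec_t:file initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`. The same two lines appear in `init_script_direct_admin_transition`, which additionally passes `$2` (its domain argument) instead of `$3` to `requires_block_template`, so its optional flag is never honoured.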
@@ -0,0 +1,444 @@
+# init_t is the domain of the init process.
+# init_exec_t is the type of the init program.
+# init_var_run_t is the type for /var/run/shutdown.pid.
+# initctl_t is the type of the named pipe created
+# by init during initialization. This pipe is used
+# to communicate with init.
+#
+type init_t;
+domain_make_domain(init_t)
+role system_r types init_t;
+
+type init_exec_t;
+domain_make_entrypoint_file(init_t,init_exec_t)
+
+type initctl_t;
+files_make_file(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
+type init_var_run_t;
+files_make_file(init_var_run_t)
+files_create_daemon_runtime_data(init_t,init_var_run_t)
+
+kernel_transition_from(init_t,init_exec_t)
+kernel_sigchld_from(init_t)
+
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+kernel_unlabeled_sigchld_from(init_t)
+
+kernel_set_selinux_boolean(init_t)
+kernel_read_system_state(init_t)
+kernel_read_hardware_state(init_t)
+kernel_share_state(init_t)
+
+terminal_use_all_terminals(init_t)
+
+domain_signal_all_domains(init_t)
+domain_kill_all_domains(init_t)
+
+files_modify_system_runtime_data(init_t)
+
+libraries_use_dynamic_loader(init_t)
+libraries_read_shared_libraries(init_t)
+
+corecommands_chroot(init_t)
+corecommands_execute_general_programs(init_t)
+corecommands_execute_system_programs(init_t)
+
+selinux_read_config(init_t)
+
+miscfiles_read_localization(init_t)
+
+# Re-exec itself
+allow init_t init_exec_t:file { getattr read execute execute_no_trans };
+
+# For /var/run/shutdown.pid.
+allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
+
+# Run init scripts. 
this is ok since initrc
+# is also in this module
+allow init_t initrc_t:process transition;
+allow init_t initrc_exec_t:file { getattr read execute };
+
+# Create unix sockets
+allow init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow init_t self:fifo_file { read write ioctl };
+
+########################################
+#
+# the following seem questionable
+#
+
+libraries_modify_dynamic_loader_cache(init_t)
+files_create_runtime_system_config(init_t)
+authlogin_modify_login_records(init_t)
+logging_modify_system_logs(init_t)
+
+# Use capabilities. old rule:
+#allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed:
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+allow init_t self:capability { sys_boot sys_tty_config setuid };
+
+# Modify utmp.
+allow init_t initrc_var_run_t:file { getattr read write setattr };
+
+define(`init_consoletype_optional_policy',`
+consoletype_execute(init_t,optional)
+')
+
+########################################
+#
+# Conditional policy logic
+#
+
+ifdef(`monolithic_policy',`
+ifdef(`consoletype.te',`init_consoletype_optional_policy')
+',`
+optional consoletype { consoletype_execute_depend }
+ifopt (consoletype) { init_consoletype_optional_policy }
+') dnl end monolithic_policy
+
+########################################
+#
+# the following still need to be converted over
+#
+
+# something other then static libs
+allow init_t lib_t:file { getattr read };
+
+# for mount points
+allow init_t file_t:dir search;
+
+# file descriptors inherited from the rootfs. 
+dontaudit init_t root_t:{ file chr_file } { read write };
+
+
+
+
+
+type initrc_t;
+domain_make_domain(initrc_t)
+role system_r types initrc_t;
+
+type initrc_exec_t;
+domain_make_entrypoint_file(initrc_t,initrc_exec_t)
+
+type initrc_devpts_t;
+terminal_make_pty(initrc_t,initrc_devpts_t)
+
+type initrc_var_run_t;
+files_make_file(initrc_var_run_t)
+files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
+
+type initrc_state_t;
+files_make_file(initrc_state_t)
+
+type initrc_tmp_t;
+files_make_file(initrc_tmp_t)
+files_create_private_tmp_data(initrc_t,initrc_tmp_t)
+
+allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:passwd rootok;
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:fifo_file { read write ioctl };
+
+allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+
+allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
+allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
+
+kernel_read_system_state(initrc_t)
+kernel_read_software_raid_state(initrc_t)
+kernel_read_network_state(initrc_t)
+kernel_read_ring_buffer(initrc_t)
+kernel_change_ring_buffer_level(initrc_t)
+kernel_clear_ring_buffer(initrc_t)
+kernel_get_sysvipc_info(initrc_t)
+kernel_read_hardware_state(initrc_t)
+kernel_modify_hardware_config_option(initrc_t)
+kernel_read_all_sysctl(initrc_t)
+kernel_modify_all_sysctl(initrc_t)
+kernel_get_selinux_enforcement_mode(initrc_t)
+kernel_list_usb_hardware(initrc_t)
+
+filesystem_register_binary_executable_type(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+filesystem_mount_all_filesystems(initrc_t)
+filesystem_unmount_all_filesystems(initrc_t)
+
+# can_network(initrc_t):
+allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+corenetwork_send_tcp_on_all_interfaces(initrc_t)
+corenetwork_send_raw_on_all_interfaces(initrc_t)
+corenetwork_send_udp_on_all_interfaces(initrc_t)
+#corenetwork_send_tcp_on_all_nodes(initrc_t)
+#corenetwork_send_raw_on_all_nodes(initrc_t)
+#corenetwork_send_udp_on_all_nodes(initrc_t)
+#corenetwork_send_tcp_on_all_ports(initrc_t)
+#corenetwork_send_udp_on_all_ports(initrc_t)
+corenetwork_receive_tcp_on_all_interfaces(initrc_t)
+corenetwork_receive_raw_on_all_interfaces(initrc_t)
+corenetwork_receive_udp_on_all_interfaces(initrc_t)
+#corenetwork_receive_tcp_on_all_nodes(initrc_t)
+#corenetwork_receive_raw_on_all_nodes(initrc_t)
+#corenetwork_receive_udp_on_all_nodes(initrc_t)
+#corenetwork_receive_tcp_on_all_ports(initrc_t)
+#corenetwork_receive_udp_on_all_ports(initrc_t)
+#corenetwork_bind_tcp_on_all_nodes(initrc_t)
+#corenetwork_bind_udp_on_all_nodes(initrc_t)
+#allow initrc_t net_conf_t:file r_file_perms;
+#sysnetwork_read_network_config(initrc_t)
+
+domain_kill_all_domains(initrc_t)
+domain_read_all_domains_process_state(initrc_t)
+
+devices_get_random_data(initrc_t)
+devices_get_pseudorandom_data(initrc_t)
+devices_add_entropy(initrc_t)
+devices_set_pseudorandom_seed(initrc_t)
+devices_read_framebuffer(initrc_t)
+devices_read_realtime_clock(initrc_t)
+devices_read_sound_mixer_levels(initrc_t)
+devices_write_sound_mixer_levels(initrc_t)
+
+terminal_use_all_terminals(initrc_t)
+terminal_reset_labels(initrc_t)
+
+bootloader_read_kernel_symbol_table(initrc_t)
+
+libraries_modify_dynamic_loader_cache(initrc_t)
+libraries_use_dynamic_loader(initrc_t)
+libraries_read_shared_libraries(initrc_t)
+libraries_execute_library_scripts(initrc_t)
+
+files_get_all_file_stats(initrc_t)
+files_remove_all_tmp_data(initrc_t)
+files_remove_all_lock_files(initrc_t)
+files_remove_all_daemon_runtime_data(initrc_t)
+files_read_general_system_config(initrc_t)
+files_create_runtime_system_config(initrc_t)
+files_manage_general_lock_files(initrc_t)
+files_execute_system_config_script(initrc_t)
+files_read_general_shared_resources(initrc_t)
+files_manage_pseudorandom_saved_seed(initrc_t)
+
+corecommands_execute_general_programs(initrc_t)
+corecommands_execute_system_programs(initrc_t)
+
+selinux_read_config(initrc_t)
+selinux_read_default_contexts(run_init_t)
+
+modutils_read_kernel_module_loading_config(initrc_t)
+
+authlogin_modify_login_records(initrc_t)
+authlogin_modify_last_login_log(initrc_t)
+
+miscfiles_read_localization(initrc_t)
+
+logging_modify_system_logs(initrc_t)
+logging_read_all_logs(initrc_t)
+logging_append_all_logs(initrc_t)
+
+ifdef(`distro_redhat',`
+kernel_set_selinux_enforcement_mode(initrc_t)
+
+files_create_boot_flag(initrc_t)
+
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time.
+bootloader_create_runtime_data(initrc_t)
+')
+
+#################################
+#
+# Rules for the run_init_t domain. 
+#
+
+type run_init_t;
+domain_make_domain(run_init_t)
+
+type run_init_exec_t;
+files_make_file(run_init_exec_t)
+
+
+ifdef(`targeted_policy',`
+# targeted/unconfined stuff
+',`
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+filesystem_read_persistent_filesystem_stats(run_init_t)
+
+files_read_general_system_config(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_read_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+allow run_init_t initrc_t:process transition;
+allow run_init_t initrc_exec_t:file { getattr read execute };
+
+# for utmp
+allow run_init_t initrc_var_run_t:file { getattr read write };
+
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+
+allow run_init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow run_init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+
+allow run_init_t self:fifo_file { getattr read write };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+devices_ignore_list_device_nodes(run_init_t)
+terminal_ignore_list_ptys(run_init_t)
+') dnl end ifdef targeted policy
+
+
+ifdef(`TODO',`
+
+# Mount and unmount file systems.
+allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+
+allow initrc_t var_spool_t:file rw_file_perms;
+
+allow initrc_t privfd:fd use;
+
+# for cryptsetup
+allow initrc_t fixed_disk_device_t:blk_file getattr;
+
+# Set device ownerships/modes. 
+allow initrc_t device_type:chr_file setattr;
+allow initrc_t misc_device_t:{ chr_file blk_file } setattr;
+allow initrc_t fixed_disk_device_t:blk_file setattr;
+allow initrc_t removable_device_t:blk_file setattr;
+allow initrc_t xconsole_device_t:fifo_file setattr;
+allow initrc_t sound_device_t:chr_file setattr;
+
+# Allow access to the sysadm TTYs. Note that this will give access to the
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+allow initrc_t admin_tty_type:chr_file rw_file_perms;
+
+# Read user home directories.
+allow initrc_t { home_root_t home_type }:dir r_dir_perms;
+allow initrc_t home_type:file r_file_perms;
+
+allow initrc_t udev_runtime_t:file rw_file_perms;
+
+# for lsof in shutdown scripts
+can_kerberos(initrc_t)
+
+#
+# Wants to remove udev.tbl
+#
+allow initrc_t device_t:dir rw_dir_perms;
+allow initrc_t device_t:lnk_file unlink;
+
+#
+# These rules are here to allow init scripts to su
+#
+ifdef(`su.te', `
+su_restricted_domain(initrc,system)
+role system_r types initrc_su_t;
+')
+
+ifdef(`distro_debian', `
+allow initrc_t { etc_t device_t }:dir setattr;
+
+# for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
+file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
+')
+
+ifdef(`distro_redhat', `
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time. 
+allow initrc_t boot_t:lnk_file rw_file_perms;
+
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
+#
+# readahead asks for these
+#
+allow initrc_t etc_aliases_t:file { getattr read };
+allow initrc_t var_lib_nfs_t:file { getattr read };
+
+')dnl end distro_redhat
+
+#
+# Shutting down xinet causes these
+#
+# Fam
+dontaudit initrc_t device_t:dir { read write };
+# Rsync
+dontaudit initrc_t mail_spool_t:lnk_file read;
+
+# for lsof which is used by alsa shutdown
+dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
+dontaudit initrc_t proc_kmsg_t:file getattr;
+
+
+#################################
+#
+# Rules for the run_init_t domain.
+#
+
+
+ifdef(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
+domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
+role sysadm_r types run_init_t;
+
+domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
+
+# for utmp
+allow run_init_t admin_tty_type:chr_file rw_file_perms;
+
+allow run_init_t privfd:fd use;
+allow run_init_t lib_t:file { getattr read };
+
+dontaudit run_init_t shadow_t:file { getattr read };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t file_type:dir search;
+
+') dnl endif targeted policy
+
+ifdef(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+')
+
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
new file mode 100644
index 0000000..22e28bb
--- /dev/null
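Review bot: `selinux_read_default_contexts(run_init_t)` sits in the middle of the initrc_t rule set, between `selinux_read_config(initrc_t)` and `modutils_read_kernel_module_loading_config(initrc_t)`, and `run_init_t` is only declared further down; this looks like a typo for `selinux_read_default_contexts(initrc_t)`, and if run_init_t genuinely needs it the call belongs in the run_init_t section below. `allow initrc_t self:capability ~{ sys_admin sys_module };` grants every other capability (sys_rawio, sys_ptrace, mknod, the dac_* overrides, and so on) to the domain every init script runs in; the init_t rules earlier in this file replaced the equivalent `~sys_module` with an enumerated set and a comment listing what was observed, and the same treatment is warranted here. In the active (non-`TODO`) part of the file `run_init_t` is declared and given rules but no `role ... types run_init_t;` line, so no role can enter the domain until `role sysadm_r types run_init_t;` is moved out of the `ifdef(`TODO'` block; if that is intentional for this commit, a `# TODO: role authorization still in the TODO block below` comment at the `type run_init_t;` declaration would say so.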
+++ b/refpolicy/policy/modules/system/libraries.if 
@@ -0,0 +1,85 @@ +######################################## +# +# libraries_use_dynamic_loader(domain,[`optional'] +# +define(`libraries_use_dynamic_loader',` +requires_block_template(libraries_use_dynamic_loader_depend,$2) +allow $1 lib_t:dir { getattr read search }; +allow $1 lib_t:lnk_file { getattr read }; +allow $1 ld_so_t:file { getattr read execute }; +allow $1 ld_so_cache_t:file { getattr read }; +') + +define(`libraries_use_dynamic_loader_depend',` +type lib_t, ld_so_t, ld_so_cache_t; +class dir { getattr read search }; +class lnk_file { getattr read }; +class file { getattr read execute }; +') + +######################################## +# +# libraries_modify_dynamic_loader_cache(domain,[`optional'] +# +define(`libraries_modify_dynamic_loader_cache',` +requires_block_template(libraries_modify_dynamic_loader_cache_depend,$2) +allow $1 ld_so_cache_t:file { getattr read write }; +') + +define(`libraries_modify_dynamic_loader_cache_depend',` +type ld_so_cache_t; +class file { getattr read write }; +') + +######################################## +# +# libraries_read_shared_libraries(domain,[`optional'] +# +define(`libraries_read_shared_libraries',` +requires_block_template(libraries_read_shared_libraries_depend,$2) +allow $1 lib_t:dir { getattr read search }; +allow $1 lib_t:lnk_file { getattr read }; +allow $1 { shlib_t textrel_shlib_t }:file { getattr read execute }; +') + +define(`libraries_read_shared_libraries_depend',` +type lib_t, shlib_t, textrel_shlib_t; +class dir { getattr read search }; +class lnk_file { getattr read }; +class file { getattr read execute }; +') + +######################################## +# +# libraries_read_static_libraries(domain,[`optional'] +# +define(`libraries_read_static_libraries',` +requires_block_template(libraries_read_static_libraries_depend,$2) +allow $1 lib_t:dir { getattr read search }; +allow $1 lib_t:{ file lnk_file } { getattr read }; +') + +define(`libraries_read_static_libraries_depend',` +type lib_t; +class dir 
{ getattr read search }; +class lnk_file { getattr read }; +class file { getattr read }; +') + +######################################## +# +# libraries_execute_library_scripts(domain,[`optional'] +# +define(`libraries_execute_library_scripts',` +requires_block_template(libraries_execute_library_scripts_depend,$2) +allow $1 lib_t:dir { getattr read search }; +allow $1 lib_t:lnk_file { getattr read }; +allow $1 lib_t:file { getattr read execute execute_no_trans }; +') + +define(`libraries_execute_library_scripts_depend',` +type lib_t; +class dir { getattr read search }; +class lnk_file { getattr read }; +class file { getattr read execute execute_no_trans }; +') diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te new file mode 100644 index 0000000..81aa681 --- /dev/null +++ b/refpolicy/policy/modules/system/libraries.te @@ -0,0 +1,30 @@ +# +# ld_so_cache_t is the type of /etc/ld.so.cache. +# +type ld_so_cache_t; +files_make_file(ld_so_cache_t) + +# ld_so_t is the type of the system dynamic loaders. +# +type ld_so_t; +files_make_file(ld_so_t) + +# +# lib_t is the type of files in the system lib directories. +# +type lib_t; +files_make_file(lib_t) + +# +# shlib_t is the type of shared objects in the system lib +# directories. +# +type shlib_t; +files_make_file(shlib_t) + +# +# textrel_shlib_t is the type of shared objects in the system lib +# directories, which require text relocation. +# +type textrel_shlib_t; +files_make_file(textrel_shlib_t) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if new file mode 100644 index 0000000..480d069 --- /dev/null +++ b/refpolicy/policy/modules/system/logging.if 
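Review bot: The header comments of all five interfaces in libraries.if drop the closing parenthesis of the signature, e.g. `# libraries_use_dynamic_loader(domain,[`optional']`, whereas logging.if, miscfiles.if and modutils.if in the same commit write `(domain,[`optional'])`. These headers are the only documentation of each interface's arguments, so they should be made consistent, e.g. `# libraries_use_dynamic_loader(domain,[`optional'])`. A one-line description under each header of what is granted (loader and cache, shared versus static libraries, executable scripts under lib_t) would also help callers choose the narrowest interface.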
@@ -0,0 +1,64 @@
+#######################################
+#
+# logging_make_log_file(type,[`optional'])
+#
+define(`logging_make_log_file',`
+requires_block_template(logging_make_log_file_depend,$2)
+files_make_file($1,optional)
+typeattribute $1 logfile;
+')
+
+define(`logging_make_log_file_depend',`
+attribute logfile;
+files_make_file_depend
+')
+
+#######################################
+#
+# logging_append_all_logs(type,[`optional'])
+#
+define(`logging_append_all_logs',`
+requires_block_template(logging_append_all_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 logfile:file { getattr append };
+')
+
+define(`logging_append_all_logs_depend',`
+attribute logfile;
+type var_log_t;
+class dir { getattr search read };
+class file { getattr append };
+')
+
+#######################################
+#
+# logging_read_all_logs(type,[`optional'])
+#
+define(`logging_read_all_logs',`
+requires_block_template(logging_read_all_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 logfile:file { getattr read };
+')
+
+define(`logging_read_all_logs_depend',`
+attribute logfile;
+type var_log_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+#######################################
+#
+# logging_modify_system_logs(type,[`optional'])
+#
+define(`logging_modify_system_logs',`
+requires_block_template(logging_modify_system_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 var_log_t:file { getattr read write append };
+')
+
+define(`logging_modify_system_logs_depend',`
+type var_log_t;
+class dir { getattr search read };
+class file { getattr read write append };
+')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
new file mode 100644
index 0000000..491ad72
--- /dev/null
+++ b/refpolicy/policy/modules/system/logging.te
@@ -0,0 +1,4 @@
+attribute logfile;
+
+type var_log_t;
+files_make_file(var_log_t)
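Review bot: `logging_read_all_logs` and `logging_append_all_logs` grant file access only through the `logfile` attribute, but `var_log_t` is declared in logging.te (same commit) with `files_make_file(var_log_t)` alone and never joins `logfile`, so files labelled `var_log_t` itself appear to be reachable only via `logging_modify_system_logs`, which also hands out `write append`. If read-only access to those files is intended, either add `typeattribute var_log_t logfile;` in logging.te or add `allow $1 var_log_t:file { getattr read };` to the read interface (and the `append` counterpart to the append one). A comment on `logging_make_log_file` noting that every type passed to it becomes readable by all users of `logging_read_all_logs` would make that consequence explicit to callers.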
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
new file mode 100644
index 0000000..da95b11
--- /dev/null
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -0,0 +1,20 @@
+########################################
+#
+# miscfiles_read_localization(domain,[`optional'])
+#
+define(`miscfiles_read_localization',`
+requires_block_template(miscfiles_read_localization_depend,$2)
+# FIXME: $1 read etc_t:lnk_file here
+# FIXME: $1 search usr_t:dir here
+# FIXME: $1 read lib_t:file(?)
+allow $1 locale_t:dir { getattr read search };
+allow $1 locale_t:lnk_file { getattr read };
+allow $1 locale_t:file { getattr read };
+')
+
+define(`miscfiles_read_localization_depend',`
+type locale_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read };
+')
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
new file mode 100644
index 0000000..59b28ab
--- /dev/null
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -0,0 +1,42 @@
+#
+# catman_t is the type for /var/catman.
+#
+type catman_t; # , file_type, sysadmfile, tmpfile;
+files_make_file(catman_t)
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t;
+files_make_file(cert_t)
+
+#
+# fonts_t is the type of various font
+# files in /usr
+#
+type fonts_t;
+files_make_file(cert_t)
+
+#
+# locale_t is the type for system localization
+#
+type locale_t;
+files_make_file(locale_t)
+
+#
+# man_t is the type for the man directories.
+#
+type man_t;
+files_make_file(man_t)
+
+#
+# Base type for the tests directory.
+#
+#type test_file_t;
+#files_make_file(test_file_t)
+
+#
+# for /var/{spool,lib}/texmf index files
+#
+type tetex_data_t; # , file_type, sysadmfile, tmpfile;
+files_make_file(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
new file mode 100644
index 0000000..294502c
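Review bot: `files_make_file(cert_t)` directly under `type fonts_t;` in miscfiles.te looks like a copy-paste slip: `fonts_t` is declared but never passed to `files_make_file`, while `cert_t` gets it twice. This presumably leaves `fonts_t` without whatever file attributes `files_make_file` assigns (its definition is outside this diff), so attribute-based interfaces would silently not cover font files. The line should read `files_make_file(fonts_t)`.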
--- /dev/null
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -0,0 +1,93 @@
+########################################
+#
+# modutils_read_kernel_modules(domain,[`optional'])
+#
+define(`modutils_read_kernel_modules',`
+requires_block_template(modutils_read_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr read };
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`modutils_read_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr read };
+class dir { getattr search read };
+')
+
+########################################
+#
+# modutils_read_kernel_module_dependencies(domain,[`optional'])
+#
+define(`modutils_read_kernel_module_dependencies',`
+requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
+allow $1 modules_dep_t:file { getattr read };
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`modutils_read_kernel_module_dependencies_depend',`
+type modules_object_t, modules_dep_t;
+class file { getattr create read write setattr unlink };
+class dir { search read write add_name remove_name };
+')
+
+########################################
+#
+# modutils_read_kernel_module_loading_config(domain,[`optional'])
+#
+define(`modutils_read_kernel_module_loading_config',`
+requires_block_template(modutils_read_kernel_module_loading_config_depend,$2)
+allow $1 modules_conf_t:file { getattr read };
+')
+
+define(`modutils_read_kernel_module_loading_config_depend',`
+type modules_conf_t;
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# modutils_modify_kernel_modules(domain,[`optional'])
+#
+define(`modutils_modify_kernel_modules',`
+requires_block_template(modutils_modify_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr create read write setattr unlink };
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+')
+
+define(`modutils_modify_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr create read write setattr unlink };
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# modutils_insmod_transition(domain,[`optional'])
+#
+define(`modutils_insmod_transition',`
+requires_block_template(modutils_insmod_transition_depend,$2)
+allow $1 insmod_exec_t:file { getattr read execute };
+allow $1 insmod_t:process transition;
+type_transition $1 insmod_exec_t:file insmod_t;
+dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`modutils_insmod_transition_depend',`
+type insmod_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# modutils_insmod_execute(domain,[`optional'])
+#
+define(`modutils_insmod_execute',`
+requires_block_template(modutils_insmod_execute_depend,$2)
+allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`modutils_insmod_execute_depend',`
+type insmod_t;
+class file { getattr read execute execute_no_trans };
+')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
new file mode 100644
index 0000000..fe6ea2e
--- /dev/null
+++ b/refpolicy/policy/modules/system/modutils.te
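Review bot: `modutils_modify_kernel_modules` grants `create write` on `modules_object_t:file` but never adds the caller to `can_modify_kernel_modules`, so any domain using it would trip `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write }` in modutils.te (same commit) at policy build time; mirror `selinux_write_binary_policy` by adding `typeattribute $1 can_modify_kernel_modules;` to the interface and `attribute can_modify_kernel_modules;` to `modutils_modify_kernel_modules_depend`. The `_depend` blocks are also out of step with the rules they back: `modutils_insmod_transition_depend` and `modutils_insmod_execute_depend` require `insmod_t` but not `insmod_exec_t`, which both interfaces reference, while `modutils_read_kernel_module_dependencies_depend` and `modutils_read_kernel_module_loading_config_depend` require `create write setattr unlink` that the read-only rules never use, and the former omits the `dir getattr` that is used. Over-declared requires grant nothing, but they misstate each interface's real footprint to anyone auditing it.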
@@ -0,0 +1,114 @@
+attribute can_modify_kernel_modules;
+neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
+
+# kernel modules
+type modules_object_t;
+files_make_file(modules_object_t)
+
+# module loading config
+type modules_conf_t;
+files_make_file(modules_conf_t)
+
+# module dependencies
+type modules_dep_t;
+files_make_file(modules_dep_t)
+
+type insmod_t;
+domain_make_domain(insmod_t)
+kernel_load_module(insmod_t)
+role system_r types insmod_t;
+
+type insmod_exec_t;
+domain_make_entrypoint_file(insmod_t,insmod_exec_t)
+
+# Rules for /proc/sys/kernel/tainted
+kernel_read_kernel_sysctl(insmod_t)
+kernel_modify_kernel_sysctl(insmod_t)
+kernel_read_hotplug_sysctl(insmod_t)
+
+terminal_use_controlling_terminal(insmod_t)
+
+devices_write_mtrr(insmod_t)
+devices_get_pseudorandom_data(insmod_t)
+devices_direct_agp_access(insmod_t)
+devices_get_zeros(insmod_t)
+
+filesystem_read_persistent_filesystem_stats(insmod_t)
+
+files_read_runtime_system_config(insmod_t)
+files_read_general_system_config(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+
+libraries_use_dynamic_loader(insmod_t)
+libraries_read_shared_libraries(insmod_t)
+
+corecommands_execute_general_programs(insmod_t)
+corecommands_execute_system_programs(insmod_t)
+corecommands_execute_shell(insmod_t)
+
+miscfiles_read_localization(insmod_t)
+
+allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
+
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+
+# read modules
+allow insmod_t modules_object_t:dir { getattr search read };
+allow insmod_t modules_object_t:file { getattr read };
+
+allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow insmod_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow insmod_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+
+#
+#
+# TODO rules:
+#
+#
+ifdef(`TODO_list',`
+
+allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+
+# for loading modules at boot time
+allow insmod_t { init_t initrc_t }:fd use;
+allow insmod_t initrc_t:fifo_file { getattr read write };
+
+allow insmod_t usr_t:file { getattr read };
+allow insmod_t lib_t:file { getattr read };
+allow insmod_t { var_t var_log_t }:dir search;
+
+allow insmod_t privfd:fd use;
+
+allow insmod_t apm_bios_t:chr_file { read write };
+
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+
+ifdef(`xserver.te', `
+allow insmod_t xserver_log_t:file getattr;
+')
+
+allow insmod_t sysfs_t:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+
+allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
+allow insmod_t devpts_t:dir { getattr search };
+
+can_exec(insmod_t,etc_t)
+
+ifdef(`mount.te', `
+# Run mount in the mount_t domain.
+domain_auto_trans(insmod_t, mount_exec_t, mount_t)
+')
+# for when /var is not mounted early in the boot
+dontaudit insmod_t file_t:dir search;
+
+# for nscd
+dontaudit insmod_t var_run_t:dir search;
+
+') dnl if TODO_list
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
new file mode 100644
index 0000000..9d033f0
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinux.if
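Review bot: The guard `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write }` only constrains content writes; a domain holding `unlink`, `rename`, `setattr` or `relabelfrom`/`relabelto` on `modules_object_t` could still replace a module file without being in the attribute, which defeats the intent of a whitelist for module tampering. Consider widening it to `neverallow ~can_modify_kernel_modules modules_object_t:file { create write append unlink rename setattr relabelfrom relabelto };`, and apply the same reasoning to the `{ write append }` guard on `policy_config_t` in selinux.te, whose write interface also grants `create` and `unlink`. Separately, the `self:rawip_socket` and `self:udp_socket` rules for `insmod_t` carry no comment; a one-line note on which module utility needs them would let a later reviewer judge whether they can be dropped.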
@@ -0,0 +1,82 @@
+########################################
+#
+# selinux_read_config(domain,[`optional'])
+#
+define(`selinux_read_config',`
+requires_block_template(selinux_read_config_depend,$2)
+allow $1 selinux_config_t:dir { getattr search read };
+allow $1 selinux_config_t:file { getattr read };
+')
+
+define(`selinux_read_config_depend',`
+type selinux_config_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_default_contexts(domain,[`optional'])
+#
+define(`selinux_read_default_contexts',`
+requires_block_template(selinux_read_default_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 default_context_t:dir { getattr search read };
+allow $1 default_context_t:file { getattr read };
+')
+
+define(`selinux_read_default_contexts_depend',`
+type selinux_config_t, default_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_binary_policy(domain,[`optional'])
+#
+define(`selinux_read_binary_policy',`
+requires_block_template(selinux_read_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { getattr read };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_write_binary_policy(domain,[`optional'])
+#
+define(`selinux_write_binary_policy',`
+requires_block_template(selinux_write_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+allow $1 policy_config_t:file { getattr create write unlink };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create write unlink };
+')
+
+#######################################
+#
+# selinux_read_load_policy_binary(domain,[`optional'])
+#
+define(`selinux_read_load_policy_binary',`
+requires_block_template(selinux_read_load_policy_binary_depend,$2)
+allow $1 load_policy_exec_t:file { getattr read };
+')
+
+define(`selinux_read_load_policy_binary_depend',`
+type load_policy_exec_t;
+class file { getattr read };
+')
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
new file mode 100644
index 0000000..be532a1
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -0,0 +1,47 @@
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+type selinux_config_t;
+files_make_file(selinux_config_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_make_file(policy_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_make_file(policy_src_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t)
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+selinux_read_binary_policy(load_policy_t)
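Review bot: `selinux_read_binary_policy` ends with `typeattribute $1 can_write_binary_policy;`, which places every reader of the binary policy (including `load_policy_t`, via `selinux_read_binary_policy(load_policy_t)` in selinux.te) into the attribute that exempts domains from `neverallow ~can_write_binary_policy policy_config_t:file { write append }`, so the guard stops constraining exactly the domains most likely to touch those files; that line belongs only in `selinux_write_binary_policy` and should be removed from the read interface. The read interface also expands `selinux_read_binary_policy_depend`, which is never defined: its require block was named `selinux_write_binary_policy_depend` and is then redefined below, so the write interface happens to get the right block while the read one references an undefined macro. Rename the first block to `define(`selinux_read_binary_policy_depend',`` and drop its `attribute can_write_binary_policy;` line. selinuxutil.if in this commit is an identical copy and carries the same two problems.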
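Review bot: The comment `# policy_config_t is the type of /etc/security/selinux/*` in selinux.te appears stale: every other path documented in this file sits under `/etc/selinux/`, and the old location is not referenced anywhere else in the diff. Since this comment is the only statement of which files the type labels, it should name the directory the binary policy is actually installed to, e.g. `# policy_config_t is the type of <POLICY-INSTALL-DIR>/*,` with the placeholder replaced by the real path. The same comment is repeated verbatim in selinuxutil.te.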
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
new file mode 100644
index 0000000..9d033f0
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -0,0 +1,82 @@
+########################################
+#
+# selinux_read_config(domain,[`optional'])
+#
+define(`selinux_read_config',`
+requires_block_template(selinux_read_config_depend,$2)
+allow $1 selinux_config_t:dir { getattr search read };
+allow $1 selinux_config_t:file { getattr read };
+')
+
+define(`selinux_read_config_depend',`
+type selinux_config_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_default_contexts(domain,[`optional'])
+#
+define(`selinux_read_default_contexts',`
+requires_block_template(selinux_read_default_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 default_context_t:dir { getattr search read };
+allow $1 default_context_t:file { getattr read };
+')
+
+define(`selinux_read_default_contexts_depend',`
+type selinux_config_t, default_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_binary_policy(domain,[`optional'])
+#
+define(`selinux_read_binary_policy',`
+requires_block_template(selinux_read_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { getattr read };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_write_binary_policy(domain,[`optional'])
+#
+define(`selinux_write_binary_policy',`
+requires_block_template(selinux_write_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+allow $1 policy_config_t:file { getattr create write unlink };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create write unlink };
+')
+
+#######################################
+#
+# selinux_read_load_policy_binary(domain,[`optional'])
+#
+define(`selinux_read_load_policy_binary',`
+requires_block_template(selinux_read_load_policy_binary_depend,$2)
+allow $1 load_policy_exec_t:file { getattr read };
+')
+
+define(`selinux_read_load_policy_binary_depend',`
+type load_policy_exec_t;
+class file { getattr read };
+')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
new file mode 100644
index 0000000..be532a1
--- /dev/null
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -0,0 +1,47 @@
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+type selinux_config_t;
+files_make_file(selinux_config_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_make_file(policy_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_make_file(policy_src_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t)
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+selinux_read_binary_policy(load_policy_t)
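Review bot: selinuxutil.if and selinuxutil.te are byte-for-byte copies of selinux.if and selinux.te (the blob ids `9d033f0` and `be532a1` are the same in both file headers), still defining the `selinux_*` macros and declaring `type selinux_config_t`, `attribute can_write_binary_policy` and `type load_policy_t` a second time. If both modules are picked up by the build, the duplicate type and attribute declarations would presumably fail policy compilation, and the defects in selinux.if (the `typeattribute $1 can_write_binary_policy;` inside the read interface and the undefined `selinux_read_binary_policy_depend`) are duplicated here as well. Either one pair of files should be dropped from the commit, or selinuxutil should be reduced to what actually differs and its macros renamed to a `selinuxutil_` prefix so the two modules cannot collide.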