diff --git a/Changelog b/Changelog
index a9cac97..4fdeaea 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Add policy patterns support macros. This changes the behavior of
+ the create_dir_perms and create_file_perms permission sets.
 - Association polmatch MLS constraint making unlabeled_t an exception is
 no longer needed, patch from Venkat Yekkirala.
 - Context contains checking for PAM and cron from James Antill.
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
index 831295c..7fa62c3 100644
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@@ -16,12 +16,7 @@ interface(`acct_domtrans',`
 ')
 
 corecmd_search_sbin($1)
- domain_auto_trans($1,acct_exec_t,acct_t)
-
- allow $1 acct_t:fd use;
- allow acct_t $1:fd use;
- allow acct_t $1:fifo_file rw_file_perms;
- allow acct_t $1:process sigchld;
+ domtrans_pattern($1,acct_exec_t,acct_t)
 ')
 
 ########################################
@@ -80,7 +75,6 @@ interface(`acct_manage_data',`
 ')
 
 files_search_var($1)
- allow $1 acct_data_t:dir rw_dir_perms;
- allow $1 acct_data_t:file create_file_perms;
- allow $1 acct_data_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,acct_data_t,acct_data_t)
+ manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
 ')
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 7d06f6b..1e53451 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -26,9 +26,8 @@ dontaudit acct_t self:capability { kill sys_tty_config };
 allow acct_t self:fifo_file { read write getattr };
 allow acct_t self:process signal_perms;
 
-allow acct_t acct_data_t:dir rw_dir_perms;
-allow acct_t acct_data_t:file create_file_perms;
-allow acct_t acct_data_t:lnk_file create_lnk_perms;
+manage_files_pattern(acct_t,acct_data_t,acct_data_t)
+manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)
 
 can_exec(acct_t,acct_exec_t)
 
@@ -98,4 +97,3 @@ optional_policy(`
 optional_policy(`
 udev_read_db(acct_t)
 ')
-
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 0381c21..791fdaa 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -16,12 +16,7 @@ interface(`alsa_domtrans',`
 type alsa_exec_t;
 ')
 
- domain_auto_trans($1, alsa_exec_t, alsa_t)
-
- allow $1 alsa_t:fd use;
- allow alsa_t $1:fd use;
- allow alsa_t $1:fifo_file rw_file_perms;
- allow alsa_t $1:process sigchld;
+ domtrans_pattern($1, alsa_exec_t, alsa_t)
 ')
 
 ########################################
@@ -75,7 +70,7 @@ interface(`alsa_read_rw_config',`
 type alsa_etc_rw_t;
 ')
 
- allow $1 alsa_etc_rw_t:dir r_dir_perms;
- allow $1 alsa_etc_rw_t:file r_file_perms;
- allow $1 alsa_etc_rw_t:lnk_file { getattr read };
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
+ read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 ')
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e93af95..d4f222c 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -27,9 +27,8 @@ allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 allow alsa_t self:unix_dgram_socket create_socket_perms;
 
-allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
-allow alsa_t alsa_etc_rw_t:file create_file_perms;
-allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 
 files_read_etc_files(alsa_t)
 
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index 318ce38..aa9d193 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -15,12 +15,7 @@ interface(`amanda_domtrans_recover',`
 type amanda_recover_t, amanda_recover_exec_t;
 ')
 
- domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
-
- allow $1 amanda_recover_t:fd use;
- allow amanda_recover_t $1:fd use;
- allow amanda_recover_t $1:fifo_file rw_file_perms;
- allow amanda_recover_t $1:process sigchld;
+ domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
 ')
 
 ########################################
@@ -70,7 +65,7 @@ interface(`amanda_search_lib',`
 type amanda_usr_lib_t;
 ')
 
- allow $1 amanda_usr_lib_t:dir search;
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
 files_search_usr($1)
 ')
 
@@ -144,7 +139,5 @@ interface(`amanda_append_log_files',`
 type amanda_log_t;
 ')
 
- allow $1 amanda_log_t:file ra_file_perms;
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
-
-
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 7bbcc1b..ad8a6c0 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -97,12 +97,12 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
 
-allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir manage_dir_perms;
+manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
+manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
 logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
 
-allow amanda_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_t amanda_tmp_t:file create_file_perms;
+manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
+manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 
 kernel_read_system_state(amanda_t)
@@ -180,23 +180,22 @@ allow amanda_recover_t self:unix_stream_socket { connect create read write };
 allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
 allow amanda_recover_t self:udp_socket create_socket_perms;
 
-allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
-allow amanda_recover_t amanda_log_t:file manage_file_perms;
-allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
 
 # access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
-allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
 
-allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_recover_t amanda_tmp_t:file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 
 kernel_read_system_state(amanda_recover_t)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 1f97994..13991f9 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -17,13 +17,7 @@ interface(`apt_domtrans',`
 files_search_usr($1)
 corecmd_search_bin($1)
 
- domain_auto_trans($1,apt_exec_t,apt_t)
-
- # allow basic communication
- allow $1 apt_t:fd use;
- allow apt_t $1:fd use;
- allow apt_t $1:fifo_file rw_file_perms;
- allow apt_t $1:process sigchld;
+ domtrans_pattern($1,apt_exec_t,apt_t)
 ')
 
 ########################################
@@ -92,7 +86,7 @@ interface(`apt_read_pipes',`
 type apt_t;
 ')
 
- allow $1 apt_t:fifo_file r_file_perms;
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
 
 # TODO: enforce dpkg_read_pipes?
 ')
@@ -131,9 +125,9 @@ interface(`apt_read_db',`
 ')
 
 files_search_var_lib($1)
- allow $1 apt_var_lib_t:dir r_dir_perms;
- allow $1 apt_var_lib_t:file { getattr read };
- allow $1 apt_var_lib_t:lnk_file r_file_perms;
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
 ')
 
 ########################################
@@ -152,9 +146,10 @@ interface(`apt_manage_db',`
 ')
 
 files_search_var_lib($1)
- allow $1 apt_var_lib_t:dir rw_dir_perms;
- allow $1 apt_var_lib_t:file { getattr create read write append unlink };
- allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+ manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ # cjp: shouldnt this be manage_lnk_files?
+ rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
 ')
 
 ########################################
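Review bot: manage_files_pattern in apt_manage_db grants more on apt_var_lib_t files than the explicit `{ getattr create read write append unlink }` it replaces; if the pattern expands to manage_file_perms (the set this commit's own apt_dontaudit_manage_db rewrite switches to), every caller of this interface also gains rename, link and setattr on the apt database. Either state that widening in the interface's doc block, or keep the old grant with the create_files_pattern/rw_files_pattern split that backup.te uses in this commit plus the delete pattern for unlink, the same way the lnk_file side here is split into rw_lnk_files_pattern and delete_lnk_files_pattern. The `# cjp: shouldnt this be manage_lnk_files?` line leaves an open question in the merged code; either resolve it or reword it as a TODO that records why the rw+delete split was chosen.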
@@ -174,6 +169,6 @@ interface(`apt_dontaudit_manage_db',`
 ')
 
 dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
- dontaudit $1 apt_var_lib_t:file create_file_perms;
- dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
 ')
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index ff92a03..e0fa44a 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -34,7 +34,7 @@ files_type(apt_var_cache_t)
 allow apt_t self:capability { chown dac_override fowner fsetid };
 allow apt_t self:process { signal setpgid fork };
 allow apt_t self:fd use;
-allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:fifo_file rw_fifo_file_perms;
 allow apt_t self:unix_dgram_socket create_socket_perms;
 allow apt_t self:unix_stream_socket rw_stream_socket_perms;
 allow apt_t self:unix_dgram_socket sendto;
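Review bot: `manage_lnk_perms` on the new dontaudit lnk_file line does not match the name used for the same rewrite in dpkg_dontaudit_manage_db (dpkg.if, further down this diff), which uses `manage_lnk_file_perms`; only one of the two can be defined by the permission-set macros, and an undefined name passes through m4 unexpanded and is then rejected by the policy compiler as an unknown lnk_file permission. Since the new pattern interfaces are named manage_lnk_files_pattern, `dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;` is the likely intended spelling; please check it against the macro definitions, which are not part of this diff.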
@@ -47,24 +47,22 @@ allow apt_t self:msgq create_msgq_perms;
 allow apt_t self:msg { send receive };
 
 # Access /var/cache/apt files
-allow apt_t apt_var_cache_t:file create_file_perms;
-allow apt_t apt_var_cache_t:dir rw_dir_perms;
+manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
 files_var_filetrans(apt_t,apt_var_cache_t,dir)
 
-allow apt_t apt_tmp_t:dir create_dir_perms;
-allow apt_t apt_tmp_t:file create_file_perms;
+manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
+manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
 files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
 
-allow apt_t apt_tmpfs_t:dir create_dir_perms;
-allow apt_t apt_tmpfs_t:file create_file_perms;
-allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
-allow apt_t apt_tmpfs_t:sock_file create_file_perms;
-allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
 fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 # Access /var/lib/apt files
-allow apt_t apt_var_lib_t:file create_file_perms;
-allow apt_t apt_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
 files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
 
 kernel_read_system_state(apt_t)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 12098a2..87d1349 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -15,10 +15,7 @@ interface(`backup_domtrans',`
 type backup_t, backup_exec_t;
 ')
 
- domain_auto_trans($1,backup_exec_t,backup_t)
- allow backup_t $1:fd use;
- allow backup_t $1:fifo_file rw_file_perms;
- allow backup_t $1:process sigchld;
+ domtrans_pattern($1,backup_exec_t,backup_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 306cdb9..277c49a 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -22,13 +22,14 @@ files_type(backup_store_t)
 
 allow backup_t self:capability dac_override;
 allow backup_t self:process signal;
-allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
 allow backup_t self:udp_socket create_socket_perms;
 
-allow backup_t backup_store_t:dir ra_dir_perms;
-allow backup_t backup_store_t:file { create rw_file_perms setattr };
-allow backup_t backup_store_t:lnk_file { getattr read };
+allow backup_t backup_store_t:file setattr;
+create_files_pattern(backup_t,backup_store_t,backup_store_t)
+rw_files_pattern(backup_t,backup_store_t,backup_store_t)
+read_lnk_files_pattern(backup_t,backup_store_t,backup_store_t)
 
 kernel_read_system_state(backup_t)
 kernel_read_kernel_sysctls(backup_t)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 315882e..57800cc 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -15,12 +15,7 @@ interface(`bootloader_domtrans',`
 type bootloader_t, bootloader_exec_t;
 ')
 
- domain_auto_trans($1, bootloader_exec_t, bootloader_t)
-
- allow $1 bootloader_t:fd use;
- allow bootloader_t $1:fd use;
- allow bootloader_t $1:fifo_file rw_file_perms;
- allow bootloader_t $1:process sigchld;
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
 ')
 
 ########################################
@@ -53,7 +48,7 @@ interface(`bootloader_run',`
 bootloader_domtrans($1)
 role $2 types bootloader_t;
 
- allow bootloader_t $3:chr_file rw_file_perms;
+ allow bootloader_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -71,7 +66,7 @@ interface(`bootloader_read_config',`
 type bootloader_etc_t;
 ')
 
- allow $1 bootloader_etc_t:file r_file_perms;
+ allow $1 bootloader_etc_t:file read_file_perms;
 ')
 
 ########################################
@@ -127,10 +122,9 @@ interface(`bootloader_rw_tmp_files',`
 #
 interface(`bootloader_create_runtime_file',`
 gen_require(`
- type boot_t, boot_runtime_t;
+ type boot_runtime_t;
 ')
 
- allow $1 boot_t:dir rw_dir_perms;
- allow $1 boot_runtime_t:file { rw_file_perms create unlink };
- type_transition $1 boot_t:file boot_runtime_t;
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1,boot_runtime_t,file)
 ')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 7668ee2..b5582c5 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
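Review bot: `unlink` is dropped from the boot_runtime_t file grant in bootloader_create_runtime_file: the old line was `{ rw_file_perms create unlink }` and the new one is `{ create_file_perms rw_file_perms }`, and the Changelog in this commit says create_file_perms changes meaning, so whether unlink survives depends on the new definition rather than on anything visible here. If callers still need to remove the runtime file, spell it out as `allow $1 boot_runtime_t:file { create_file_perms rw_file_perms unlink };`, matching the explicit unlink kept in bootloader.te's distro_redhat block later in this diff. The `allow $1 boot_t:dir rw_dir_perms;` line is also gone; that is only equivalent if files_boot_filetrans grants directory write access on boot_t, which cannot be confirmed from this hunk.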
@@ -50,18 +50,18 @@ logging_log_file(var_log_ksyms_t)
 
 allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal execmem };
-allow bootloader_t self:fifo_file rw_file_perms;
+allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file r_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
 
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_lnk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_blk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_chr_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
 files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
@@ -161,7 +161,7 @@ ifdef(`distro_redhat',`
 allow bootloader_t self:capability ipc_lock;
 
 # new file system defaults to file_t, granting file_t access is still bad.
- allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+ allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
 
 # mkinitrd mount initrd on bootloader temp dir
 files_mountpoint(bootloader_tmp_t)
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index c5f9e2a..88ea0ba 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -17,12 +17,7 @@ interface(`certwatch_domtrans',`
 files_search_usr($1)
 corecmd_search_sbin($1)
 
- domain_auto_trans($1,certwatch_exec_t,certwatch_t)
-
- allow $1 certwatch_t:fd use;
- allow certwatch_t $1:fd use;
- allow certwatch_t $1:fifo_file rw_file_perms;
- allow certwatch_t $1:process sigchld;
+ domtrans_pattern($1,certwatch_exec_t,certwatch_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index b791540..665fab9 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -18,12 +18,7 @@ interface(`consoletype_domtrans',`
 ')
 
 corecmd_search_sbin($1)
- domain_auto_trans($1,consoletype_exec_t,consoletype_t)
-
- allow $1 consoletype_t:fd use;
- allow consoletype_t $1:fd use;
- allow consoletype_t $1:fifo_file rw_file_perms;
- allow consoletype_t $1:process sigchld;
+ domtrans_pattern($1,consoletype_exec_t,consoletype_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index dc641ee..d111d6e 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -25,8 +25,8 @@ ifdef(`targeted_policy',`',`
 allow consoletype_t self:capability sys_admin;
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file rw_file_perms;
-allow consoletype_t self:sock_file r_file_perms;
+allow consoletype_t self:fifo_file rw_fifo_file_perms;
+allow consoletype_t self:sock_file read_sock_file_perms;
 allow consoletype_t self:unix_dgram_socket create_socket_perms;
 allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
 allow consoletype_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index 8a7ea14..e3ea6cc 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -15,12 +15,7 @@ interface(`ddcprobe_domtrans',`
 type ddcprobe_t, ddcprobe_exec_t;
 ')
 
- domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
-
- allow $1 ddcprobe_t:fd use;
- allow ddcprobe_t $1:fd use;
- allow ddcprobe_t $1:fifo_file rw_file_perms;
- allow ddcprobe_t $1:process sigchld;
+ domtrans_pattern($1,ddcprobe_exec_t,ddcprobe_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index b4dcfc4..99bffc8 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -19,13 +19,7 @@ interface(`dpkg_domtrans',`
 files_search_usr($1)
 corecmd_search_bin($1)
 
- domain_auto_trans($1,dpkg_exec_t,dpkg_t)
-
- # allow basic communication
- allow $1 dpkg_t:fd use;
- allow dpkg_t $1:fd use;
- allow dpkg_t $1:fifo_file rw_file_perms;
- allow dpkg_t $1:process sigchld;
+ domtrans_pattern($1,dpkg_exec_t,dpkg_t)
 ')
 
 ########################################
@@ -45,8 +39,6 @@ interface(`dpkg_domtrans_script',`
 
 # transition to dpkg script:
 corecmd_shell_domtrans($1,dpkg_script_t)
-
- allow $1 dpkg_script_t:fd use;
 allow dpkg_script_t $1:fd use;
 allow dpkg_script_t $1:fifo_file rw_file_perms;
 allow dpkg_script_t $1:process sigchld;
@@ -118,7 +110,7 @@ interface(`dpkg_read_pipes',`
 type dpkg_t;
 ')
 
- allow $1 dpkg_t:fifo_file r_file_perms;
+ allow $1 dpkg_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
@@ -136,7 +128,7 @@ interface(`dpkg_rw_pipes',`
 type dpkg_t;
 ')
 
- allow $1 dpkg_t:fifo_file rw_file_perms;
+ allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
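Review bot: dpkg_domtrans_script still carries `allow dpkg_script_t $1:fifo_file rw_file_perms;` while every other fifo_file rule touched by this commit is converted to rw_fifo_file_perms; logwatch.te's `allow logwatch_t self:fifo_file rw_file_perms;` (further down this diff) is the other leftover. The same hunk removes the caller-side `allow $1 dpkg_script_t:fd use;` but keeps the three reverse-direction lines by hand, unlike the other domtrans interfaces in this commit, which move both directions into domtrans_pattern; if dropping the caller's fd use is intended (for example because corecmd_shell_domtrans already supplies it), a one-line comment such as `# caller-side fd use comes from corecmd_shell_domtrans` would keep the next reader from re-adding it. The interface's opening lines are outside the hunk.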
@@ -173,9 +165,9 @@ interface(`dpkg_read_db',`
 ')
 
 files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir r_dir_perms;
- allow $1 dpkg_var_lib_t:file { getattr read };
- allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
+ read_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
 ')
 
 ########################################
@@ -194,9 +186,8 @@ interface(`dpkg_manage_db',`
 ')
 
 files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir rw_dir_perms;
- allow $1 dpkg_var_lib_t:file manage_file_perms;
- allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
+ manage_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
+ manage_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
 ')
 
 ########################################
@@ -217,7 +208,7 @@ interface(`dpkg_dontaudit_manage_db',`
 
 dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
 dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
- dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
@@ -236,6 +227,6 @@ interface(`dpkg_lock_db',`
 ')
 
 files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
 allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
 ')
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index ce31e22..5b506cf 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -55,7 +55,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
 allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
 allow dpkg_t self:process { setpgid fork getsched setfscreate };
 allow dpkg_t self:fd use;
-allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_t self:unix_dgram_socket create_socket_perms;
 allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
 allow dpkg_t self:unix_dgram_socket sendto;
@@ -69,20 +69,19 @@ allow dpkg_t self:msg { send receive };
 
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
 
-allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
+manage_files_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
 
-allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_lnk_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_sock_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_fifo_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
 fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 # Access /var/lib/dpkg files
-allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
-allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(dpkg_t,dpkg_var_lib_t,dpkg_var_lib_t)
 files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
 
 kernel_read_system_state(dpkg_t)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 266e43d..d55f6dd 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -18,12 +18,7 @@ interface(`firstboot_domtrans',`
 type firstboot_t, firstboot_exec_t;
 ')
 
- domain_auto_trans($1,firstboot_exec_t,firstboot_t)
-
- allow $1 firstboot_t:fd use;
- allow firstboot_t $1:fd use;
- allow firstboot_t $1:fifo_file rw_file_perms;
- allow firstboot_t $1:process sigchld;
+ domtrans_pattern($1,firstboot_exec_t,firstboot_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 8d10285..06f4c11 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -15,12 +15,7 @@ interface(`kudzu_domtrans',`
 type kudzu_t, kudzu_exec_t;
 ')
 
- domain_auto_trans($1,kudzu_exec_t,kudzu_t)
-
- allow $1 kudzu_t:fd use;
- allow kudzu_t $1:fd use;
- allow kudzu_t $1:fifo_file rw_file_perms;
- allow kudzu_t $1:process sigchld;
+ domtrans_pattern($1,kudzu_exec_t,kudzu_t)
 ')
 
 ########################################
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 7a49ddd..187cb03 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -24,17 +24,18 @@ files_pid_file(kudzu_var_run_t)
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
-allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
 allow kudzu_t self:udp_socket { create ioctl };
 
-allow kudzu_t kudzu_tmp_t:dir create_file_perms;
-allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+manage_dirs_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
+manage_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
+manage_chr_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
 files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
 
-allow kudzu_t kudzu_var_run_t:file create_file_perms;
-allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+manage_dirs_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
+manage_files_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
 files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
 
 kernel_change_ring_buffer_level(kudzu_t)
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 480120c..f9efabd 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -15,12 +15,7 @@ interface(`logrotate_domtrans',`
 type logrotate_t, logrotate_exec_t;
 ')
 
- domain_auto_trans($1,logrotate_exec_t,logrotate_t)
-
- allow $1 logrotate_t:fd use;
- allow logrotate_t $1:fd use;
- allow logrotate_t $1:fifo_file rw_file_perms;
- allow logrotate_t $1:process sigchld;
+ domtrans_pattern($1,logrotate_exec_t,logrotate_t)
 ')
 
 ########################################
@@ -125,5 +120,5 @@ interface(`logrotate_read_tmp_files',`
 ')
 
 files_search_tmp($1)
- allow $1 logrotate_tmp_t:file r_file_perms;
+ allow $1 logrotate_tmp_t:file read_file_perms;
 ')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index fdd4403..ebd7e45 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -40,7 +40,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
 
 allow logrotate_t self:process setfscreate;
 allow logrotate_t self:fd use;
-allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
 allow logrotate_t self:unix_dgram_socket create_socket_perms;
 allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
 allow logrotate_t self:unix_dgram_socket sendto;
@@ -50,18 +50,18 @@ allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
 
-allow logrotate_t logrotate_lock_t:file create_file_perms;
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
 
 can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
-allow logrotate_t logrotate_tmp_t:file create_file_perms;
+manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
+manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
 files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 
 # for /var/lib/logrotate.status and /var/lib/logcheck
-allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
-allow logrotate_t logrotate_var_lib_t:file create_file_perms;
+create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
+manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
 
 kernel_read_system_state(logrotate_t)
 
diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if
index 5dd8bdf..d878e75 100644
--- a/policy/modules/admin/logwatch.if
+++ b/policy/modules/admin/logwatch.if
@@ -16,7 +16,7 @@ interface(`logwatch_read_tmp_files',`
 ')
 
 files_search_tmp($1)
- allow $1 logwatch_tmp_t:file r_file_perms;
+ allow $1 logwatch_tmp_t:file read_file_perms;
 ')
 
 ########################################
@@ -34,5 +34,5 @@ interface(`logwatch_search_cache_dir',`
 type logwatch_cache_t;
 ')
 
- allow $1 logwatch_cache_t:dir search;
+ allow $1 logwatch_cache_t:dir search_dir_perms;
 ')
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index a964e04..9627ca9 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -31,14 +31,14 @@ allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
 
-allow logwatch_t logwatch_cache_t:dir create_dir_perms;
-allow logwatch_t logwatch_cache_t:file create_file_perms;
+manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
+manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
 
 allow logwatch_t logwatch_lock_t:file manage_file_perms;
 files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
 
-allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
-allow logwatch_t logwatch_tmp_t:file create_file_perms;
+manage_dirs_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
+manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 
 kernel_read_fs_sysctls(logwatch_t)
diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if
index fab860b..b82864f 100644
--- a/policy/modules/admin/mrtg.if
+++ b/policy/modules/admin/mrtg.if
@@ -14,6 +14,7 @@ interface(`mrtg_append_create_logs',`
 gen_require(`
 type mrtg_log_t;
 ')
- allow $1 mrtg_log_t:dir rw_dir_perms;
- allow $1 mrtg_log_t:file { create append getattr };
+
+ append_files_pattern($1,mrtg_log_t,mrtg_log_t)
+ create_files_pattern($1,mrtg_log_t,mrtg_log_t)
 ')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 2c53638..6dc3ac3 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -38,31 +38,24 @@ allow mrtg_t self:unix_stream_socket create_socket_perms;
 allow mrtg_t self:tcp_socket create_socket_perms;
 allow mrtg_t self:udp_socket create_socket_perms;
 
-allow mrtg_t mrtg_etc_t:file r_file_perms;
-allow mrtg_t mrtg_etc_t:dir r_dir_perms;
-allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
-files_search_etc(mrtg_t)
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+read_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
+read_lnk_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
 
-allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
-allow mrtg_t mrtg_lock_t:file create_file_perms;
-allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
+manage_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
+manage_lnk_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
 
-allow mrtg_t mrtg_log_t:file create_file_perms;
-allow mrtg_t mrtg_log_t:dir rw_dir_perms;
+manage_files_pattern(mrtg_t,mrtg_log_t,mrtg_log_t)
 logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
 
-allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
-allow mrtg_t mrtg_var_lib_t:file create_file_perms;
-allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
+manage_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
 
 allow mrtg_t mrtg_var_run_t:file manage_file_perms;
 files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
 
-# read config files
-dontaudit mrtg_t mrtg_etc_t:dir write;
-dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-files_read_etc_files(mrtg_t)
-
 kernel_read_system_state(mrtg_t)
 kernel_read_network_state(mrtg_t)
 kernel_read_kernel_sysctls(mrtg_t)
@@ -94,6 +87,8 @@ files_search_spool(mrtg_t) files_getattr_tmp_dirs(mrtg_t) # for uptime files_read_etc_runtime_files(mrtg_t) +# read config files +files_read_etc_files(mrtg_t) fs_search_auto_mountpoints(mrtg_t) fs_getattr_xattr_fs(mrtg_t) @@ -127,9 +122,8 @@ ifdef(`enable_mls',` ') ifdef(`distro_redhat',` - allow mrtg_t mrtg_etc_t:dir rw_dir_perms; - allow mrtg_t mrtg_lock_t:file create_file_perms; - type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t; + allow mrtg_t mrtg_lock_t:file manage_file_perms; + filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file) ') ifdef(`targeted_policy',` diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index e562e6d..3025d02 100644 --- a/policy/modules/admin/netutils.if +++ b/policy/modules/admin/netutils.if @@ -15,12 +15,7 @@ interface(`netutils_domtrans',` type netutils_t, netutils_exec_t; ') - domain_auto_trans($1,netutils_exec_t,netutils_t) - - allow $1 netutils_t:fd use; - allow netutils_t $1:fd use; - allow netutils_t $1:fifo_file rw_file_perms; - allow netutils_t $1:process sigchld; + domtrans_pattern($1,netutils_exec_t,netutils_t) ') ######################################## @@ -88,12 +83,7 @@ interface(`netutils_domtrans_ping',` type ping_t, ping_exec_t; ') - domain_auto_trans($1,ping_exec_t,ping_t) - - allow $1 ping_t:fd use; - allow ping_t $1:fd use; - allow ping_t $1:fifo_file rw_file_perms; - allow ping_t $1:process sigchld; + domtrans_pattern($1,ping_exec_t,ping_t) ') ######################################## @@ -233,12 +223,7 @@ interface(`netutils_domtrans_traceroute',` type traceroute_t, traceroute_exec_t; ') - domain_auto_trans($1,traceroute_exec_t,traceroute_t) - - allow $1 traceroute_t:fd use; - allow traceroute_t $1:fd use; - allow traceroute_t $1:fifo_file rw_file_perms; - allow traceroute_t $1:process sigchld; + domtrans_pattern($1,traceroute_exec_t,traceroute_t) ') ######################################## 
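Review bot: Under `distro_redhat` the new `filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)` has mrtg_t create its lock file inside the config directory, which presumably requires and grants write/add_name on mrtg_etc_t directories — the very access the unconditional `dontaudit mrtg_t mrtg_etc_t:dir write` earlier in this file is meant to hide, and an allow makes that dontaudit moot on Red Hat builds. If the lock really has to live in /etc/mrtg on that distro, a comment here would stop the next reader from "fixing" it: `# Red Hat packaging keeps the lock file in the config dir, so mrtg_t needs add_name on mrtg_etc_t`. Otherwise consider relocating the lock under a mrtg_lock_t directory so the config tree stays read-only for the daemon. The earlier dontaudit lines are outside this hunk.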
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index c544322..bd0f354 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -37,8 +37,8 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; -allow netutils_t netutils_tmp_t:dir create_dir_perms; -allow netutils_t netutils_tmp_t:file create_file_perms; +manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t) +manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) @@ -98,7 +98,6 @@ optional_policy(` allow ping_t self:capability { setuid net_raw }; dontaudit ping_t self:capability sys_tty_config; - allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; @@ -120,11 +119,11 @@ files_dontaudit_search_var(ping_t) libs_use_ld_so(ping_t) libs_use_shared_libs(ping_t) +logging_send_syslog_msg(ping_t) + sysnet_read_config(ping_t) sysnet_dns_name_resolve(ping_t) -logging_send_syslog_msg(ping_t) - ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) ') diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index e343df2..b4bde15 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -28,10 +28,7 @@ interface(`portage_domtrans',` allow portage_t $1:process sigchld; # transition to portage - domain_auto_trans($1,portage_exec_t,portage_t.merge) - allow portage_t.merge $1:fd use; - allow portage_t.merge $1:fifo_file rw_file_perms; - allow portage_t.merge $1:process sigchld; + domtrans_pattern($1,portage_exec_t,portage_t.merge) ') ######################################## 
@@ -102,7 +99,7 @@ interface(`portage_compile_domain',` allow $1 self:process { setpgid setsched setrlimit signal_perms execmem }; allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1 self:fd use; - allow $1 self:fifo_file rw_file_perms; + allow $1 self:fifo_file rw_fifo_file_perms; allow $1 self:shm create_shm_perms; allow $1 self:sem create_sem_perms; allow $1 self:msgq create_msgq_perms; @@ -120,7 +117,7 @@ interface(`portage_compile_domain',` allow $1 self:netlink_selinux_socket { bind create read }; allow $1 self:dbus send_msg; - allow $1 portage_devpts_t:chr_file { rw_file_perms setattr }; + allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty($1,portage_devpts_t) # write compile logs 
@@ -130,18 +127,17 @@ interface(`portage_compile_domain',` # run scripts out of the build directory can_exec(portage_sandbox_t,portage_tmp_t) - allow $1 portage_tmp_t:dir manage_dir_perms; - allow $1 portage_tmp_t:file manage_file_perms; - allow $1 portage_tmp_t:lnk_file create_lnk_perms; - allow $1 portage_tmp_t:fifo_file manage_file_perms; - allow $1 portage_tmp_t:sock_file manage_file_perms; + manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t) + manage_files_pattern($1,portage_tmp_t,portage_tmp_t) + manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t) + manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t) + manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t) files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file }) - allow $1 portage_tmpfs_t:dir rw_dir_perms; - allow $1 portage_tmpfs_t:file manage_file_perms; - allow $1 portage_tmpfs_t:lnk_file create_lnk_perms; - allow $1 portage_tmpfs_t:sock_file manage_file_perms; - allow $1 portage_tmpfs_t:fifo_file manage_file_perms; + manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t) + manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t) + manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t) + manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t) fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_system_state($1) 
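Review bot: `fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` lists `dir`, but the rewritten portage_tmpfs_t block has no `manage_dirs_pattern` (only files, lnk, fifo and sock), so unlike the portage_tmp_t block directly above it the domain presumably cannot create tmpfs directories and the `dir` transition is dead. The old `portage_tmpfs_t:dir rw_dir_perms` line had the same limitation, so this is pre-existing rather than something the refactor introduced. Either add `manage_dirs_pattern($1,portage_tmpfs_t,portage_tmpfs_t)` to match the portage_tmp_t block, or drop `dir` from the filetrans so the two blocks read consistently. `portage_compile_domain` begins before this hunk and continues after it.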
@@ -229,13 +225,13 @@ interface(`portage_fetch_domain',` allow $1 self:tcp_socket create_stream_socket_perms; allow $1 portage_conf_t:dir list_dir_perms; - allow $1 portage_conf_t:file read_file_perms; + read_files_pattern($1,portage_conf_t,portage_conf_t) - allow $1 portage_ebuild_t:dir manage_dir_perms; - allow $1 portage_ebuild_t:file manage_file_perms; + manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t) + manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t) - allow $1 portage_fetch_tmp_t:dir manage_dir_perms; - allow $1 portage_fetch_tmp_t:file manage_file_perms; + manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t) + manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t) # portage makes home dir the portage tmp dir, so # wget looks for .wgetrc there @@ -302,7 +298,7 @@ interface(`portage_main_domain',` # performed in the main domain portage_compile_domain($1) - allow $1 portage_log_t:file create_file_perms; + allow $1 portage_log_t:file manage_file_perms; logging_log_filetrans($1,portage_log_t,file) # run scripts out of the build directory @@ -371,10 +367,7 @@ interface(`portage_domtrans_gcc_config',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,gcc_config_exec_t,gcc_config_t) - allow gcc_config_t $1:fd use; - allow gcc_config_t $1:fifo_file rw_file_perms; - allow gcc_config_t $1:process sigchld; + domtrans_pattern($1,gcc_config_exec_t,gcc_config_t) ') ######################################## diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 1523fad..8b1e5f2 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te 
@@ -75,14 +75,12 @@ files_tmpfs_file(portage_tmpfs_t) allow gcc_config_t self:capability { chown fsetid }; allow gcc_config_t self:fifo_file rw_file_perms; -allow gcc_config_t portage_cache_t:dir rw_dir_perms; -allow gcc_config_t portage_cache_t:file create_file_perms; +manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t) -allow gcc_config_t portage_conf_t:dir search_dir_perms; -allow gcc_config_t portage_conf_t:file read_file_perms; +read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t) allow gcc_config_t portage_ebuild_t:dir list_dir_perms; -allow gcc_config_t portage_ebuild_t:file read_file_perms; +read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t) allow gcc_config_t portage_exec_t:file { execute getattr }; diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 28052a3..406b489 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if @@ -16,12 +16,7 @@ interface(`prelink_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1, prelink_exec_t, prelink_t) - - allow $1 prelink_t:fd use; - allow prelink_t $1:fd use; - allow prelink_t $1:fifo_file rw_file_perms; - allow prelink_t $1:process sigchld; + domtrans_pattern($1, prelink_exec_t, prelink_t) ') ######################################## @@ -98,6 +93,5 @@ interface(`prelink_manage_log',` ') logging_search_logs($1) - allow $1 prelink_log_t:dir rw_dir_perms; - allow $1 prelink_log_t:file create_file_perms; + manage_files_pattern($1,prelink_log_t,prelink_log_t) ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index ccec1e2..d6244fb 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te 
@@ -25,20 +25,21 @@ logging_log_file(prelink_log_t) allow prelink_t self:capability { chown dac_override fowner fsetid }; allow prelink_t self:process { execheap execmem execstack signal }; -allow prelink_t self:fifo_file rw_file_perms; +allow prelink_t self:fifo_file rw_fifo_file_perms; allow prelink_t prelink_cache_t:file manage_file_perms; files_etc_filetrans(prelink_t, prelink_cache_t, file) files_var_lib_filetrans(prelink_t, prelink_cache_t, file) -allow prelink_t prelink_log_t:dir { setattr rw_dir_perms }; -allow prelink_t prelink_log_t:file { create ra_file_perms }; -allow prelink_t prelink_log_t:lnk_file read; +allow prelink_t prelink_log_t:dir setattr; +create_files_pattern(prelink_t,prelink_log_t,prelink_log_t) +append_files_pattern(prelink_t,prelink_log_t,prelink_log_t) +read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) # prelink misc objects that are not system # libraries or entrypoints -allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom }; +allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; kernel_read_system_state(prelink_t) kernel_dontaudit_search_kernel_sysctl(prelink_t) diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if index 1e954d0..9f4618e 100644 --- a/policy/modules/admin/quota.if +++ b/policy/modules/admin/quota.if @@ -15,12 +15,7 @@ interface(`quota_domtrans',` type quota_t, quota_exec_t; ') - domain_auto_trans($1,quota_exec_t,quota_t) - - allow $1 quota_t:fd use; - allow quota_t $1:fd use; - allow quota_t $1:fifo_file rw_file_perms; - allow quota_t $1:process sigchld; + domtrans_pattern($1,quota_exec_t,quota_t) ') ######################################## @@ -91,6 +86,5 @@ interface(`quota_manage_flags',` ') files_search_var_lib($1) - allow $1 quota_flag_t:dir rw_dir_perms; - allow $1 quota_flag_t:file create_file_perms; + manage_files_pattern($1,quota_flag_t,quota_flag_t) ') 
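Review bot: prelink_t loses read access on its own log files here: the old rule was `{ create ra_file_perms }` (read plus append), while `create_files_pattern` and `append_files_pattern` together grant create and append only. If prelink only ever appends to prelink_log_t that is a welcome tightening and the Changelog's note about changed permission sets is the place to mention it; if it re-reads its log (for example on a verify or undo run) this will surface as an AVC denial. If read turns out to be needed, `read_files_pattern(prelink_t,prelink_log_t,prelink_log_t)` next to the append pattern restores the previous set. The switch from `lnk_file read` to `read_lnk_files_pattern` goes the other way (adds getattr), which looks fine.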
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index fa48c69..ba9f393 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te @@ -16,6 +16,11 @@ files_type(quota_db_t) type quota_flag_t; files_type(quota_flag_t) +######################################## +# +# Local policy +# + allow quota_t self:capability { sys_admin dac_override }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index dbf2ebe..9223035 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -21,8 +21,7 @@ files_pid_file(readahead_var_run_t) dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config }; allow readahead_t self:process signal_perms; -allow readahead_t readahead_var_run_t:file create_file_perms; -allow readahead_t readahead_var_run_t:dir rw_dir_perms; +manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t) files_pid_filetrans(readahead_t,readahead_var_run_t,file) kernel_read_kernel_sysctls(readahead_t) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index c58a2bb..11b8297 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -17,12 +17,7 @@ interface(`rpm_domtrans',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,rpm_exec_t,rpm_t) - - allow $1 rpm_t:fd use; - allow rpm_t $1:fd use; - allow rpm_t $1:fifo_file rw_file_perms; - allow rpm_t $1:process sigchld; + domtrans_pattern($1,rpm_exec_t,rpm_t) ') ######################################## @@ -42,8 +37,6 @@ interface(`rpm_domtrans_script',` # transition to rpm script: corecmd_shell_domtrans($1,rpm_script_t) - - allow $1 rpm_script_t:fd use; allow rpm_script_t $1:fd use; allow rpm_script_t $1:fifo_file rw_file_perms; allow rpm_script_t $1:process sigchld; 
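Review bot: `rpm_domtrans_script` drops `allow $1 rpm_script_t:fd use;` but keeps the three reverse rules (`rpm_script_t $1:fd use`, fifo rw, sigchld) hand-written, which is inconsistent with every other domtrans interface in this patch that collapses all four into `domtrans_pattern`. Presumably `corecmd_shell_domtrans` now expands to the pattern and already supplies the dropped rule; if it also supplies the other three, those lines are redundant and should go, and if it does not, $1 has just lost the ability to inherit descriptors from rpm_script_t. Confirm which side corecmd_shell_domtrans covers and record it, e.g. `# fd/fifo/sigchld for the $1 -> rpm_script_t side come from corecmd_shell_domtrans`, so the remaining lines are not mistaken for leftovers.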
@@ -137,7 +130,7 @@ interface(`rpm_read_pipes',` type rpm_t; ') - allow $1 rpm_t:fifo_file r_file_perms; + allow $1 rpm_t:fifo_file read_fifo_file_perms; ') ######################################## @@ -155,7 +148,7 @@ interface(`rpm_rw_pipes',` type rpm_t; ') - allow $1 rpm_t:fifo_file rw_file_perms; + allow $1 rpm_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -195,7 +188,7 @@ interface(`rpm_manage_log',` ') logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file create_file_perms; + allow $1 rpm_log_t:file manage_file_perms; ') ######################################## @@ -232,9 +225,9 @@ interface(`rpm_read_db',` ') files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir r_dir_perms; - allow $1 rpm_var_lib_t:file r_file_perms; - allow $1 rpm_var_lib_t:lnk_file r_file_perms; + allow $1 rpm_var_lib_t:dir list_dir_perms; + read_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t) + read_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t) ') ######################################## @@ -253,9 +246,8 @@ interface(`rpm_manage_db',` ') files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir rw_dir_perms; - allow $1 rpm_var_lib_t:file manage_file_perms; - allow $1 rpm_var_lib_t:lnk_file create_lnk_perms; + manage_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t) + manage_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t) ') ######################################## @@ -275,6 +267,6 @@ interface(`rpm_dontaudit_manage_db',` ') dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file create_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms; + dontaudit $1 rpm_var_lib_t:file manage_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index ad11d34..3248647 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te 
@@ -56,7 +56,7 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; -allow rpm_t self:fifo_file rw_file_perms; +allow rpm_t self:fifo_file rw_fifo_file_perms; allow rpm_t self:unix_dgram_socket create_socket_perms; allow rpm_t self:unix_stream_socket rw_stream_socket_perms; allow rpm_t self:unix_dgram_socket sendto; @@ -71,20 +71,19 @@ allow rpm_t self:msg { send receive }; allow rpm_t self:dir search; allow rpm_t self:file rw_file_perms;; -allow rpm_t rpm_tmp_t:dir create_dir_perms; -allow rpm_t rpm_tmp_t:file create_file_perms; +manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) +manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) -allow rpm_t rpm_tmpfs_t:dir create_dir_perms; -allow rpm_t rpm_tmpfs_t:file create_file_perms; -allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms; -allow rpm_t rpm_tmpfs_t:sock_file create_file_perms; -allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms; +manage_dirs_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t) +manage_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t) +manage_lnk_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t) +manage_fifo_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t) +manage_sock_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Access /var/lib/rpm files -allow rpm_t rpm_var_lib_t:file create_file_perms; -allow rpm_t rpm_var_lib_t:dir rw_dir_perms; +manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t) files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir) kernel_read_system_state(rpm_t) 
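Review bot: `files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)` transitions directories, but the replacement `manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)` presumably grants only file management plus read/write on existing rpm_var_lib_t directories — no `create` on the dir class — so rpm_t cannot create /var/lib/rpm itself and that transition cannot fire (pre-existing: the removed `rw_dir_perms` rule had the same gap). If rpm is expected to create the database directory, add `manage_dirs_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)` as the tmp and tmpfs blocks in this hunk already do; otherwise narrow the filetrans to `file` so it is not misleading.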
@@ -184,7 +183,7 @@ ifdef(`targeted_policy',` # cjp: these are here to stop type_transition # conflicts since rpm_t is an alias of # unconfined in the targeted policy - allow rpm_t rpm_log_t:file create_file_perms; + allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t,rpm_log_t,file) ') @@ -230,7 +229,7 @@ allow rpm_t sysadm_gph_t:fd use; allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow rpm_script_t self:fd use; -allow rpm_script_t self:fifo_file rw_file_perms; +allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; allow rpm_script_t self:unix_dgram_socket sendto; 
@@ -240,25 +239,20 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; -allow rpm_script_t rpm_tmp_t:file r_file_perms; +allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; -allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms; -allow rpm_script_t rpm_script_tmp_t:file create_file_perms; +manage_dirs_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t) +manage_files_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t) files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) -allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms; -allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms; -allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms; -allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms; -allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms; +manage_dirs_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t) +manage_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t) +manage_lnk_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t) +manage_fifo_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t) +manage_sock_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow rpm_t rpm_script_t:fd use; -allow rpm_script_t rpm_t:fd use; -allow rpm_script_t rpm_t:fifo_file rw_file_perms; -allow rpm_script_t rpm_t:process sigchld; - kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index a12e817..dee1ca1 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if 
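Review bot: Removing the four rpm_t/rpm_script_t rules at the end of this hunk (`rpm_t rpm_script_t:fd use`, `rpm_script_t rpm_t:fd use`, fifo rw and sigchld) is only safe if rpm.te invokes `rpm_domtrans_script(rpm_t)` or an equivalent pattern call somewhere outside this hunk — that call is not visible from here. If it is missing, rpm's scriptlets lose access to rpm_t's inherited descriptors and pipes and cannot deliver SIGCHLD back, which would break scriptlet execution in enforcing mode rather than merely log a denial. Worth confirming before merge; if the call exists, a comment beside it (`# rpm_t <-> rpm_script_t fd/fifo/sigchld exchange comes from rpm_domtrans_script`) would stop these lines from being re-added later.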
@@ -45,15 +45,12 @@ template(`su_restricted_domain_template', ` dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_file_perms; + allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; # Transition from the user domain to this domain. - domain_auto_trans($2, su_exec_t, $1_su_t) - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; + domtrans_pattern($2, su_exec_t, $1_su_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_su_t,$2) @@ -178,14 +175,11 @@ template(`su_per_role_template',` allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_file_perms; + allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; # Transition from the user domain to this domain. - domain_auto_trans($2, su_exec_t, $1_su_t) - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; + domtrans_pattern($2, su_exec_t, $1_su_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_su_t,$2) @@ -310,7 +304,7 @@ template(`su_per_role_template',` ') ifdef(`TODO',` - allow $1_su_t $1_home_t:file create_file_perms; + allow $1_su_t $1_home_t:file manage_file_perms; # Access sshd cookie files. allow $1_su_t sshd_tmp_t:file rw_file_perms; diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 07e894f..e0ae7c0 100644 
--- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -61,7 +61,7 @@ template(`sudo_per_role_template',` allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; - allow $1_sudo_t self:fifo_file rw_file_perms; + allow $1_sudo_t self:fifo_file rw_fifo_file_perms; allow $1_sudo_t self:shm create_shm_perms; allow $1_sudo_t self:sem create_sem_perms; allow $1_sudo_t self:msgq create_msgq_perms; @@ -73,18 +73,13 @@ template(`sudo_per_role_template',` allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; # Enter this derived domain from the user domain - domain_auto_trans($2, sudo_exec_t, $1_sudo_t) - allow $1_sudo_t $2:fd use; - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t,$2) allow $2 $1_sudo_t:fd use; - allow $1_sudo_t $2:fd use; - allow $1_sudo_t $2:fifo_file rw_file_perms; - allow $1_sudo_t $2:process sigchld; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) @@ -146,8 +141,8 @@ template(`sudo_per_role_template',` ') ifdef(`pam.te', ` - allow $1_sudo_t pam_var_run_t:dir create_dir_perms; - allow $1_sudo_t pam_var_run_t:file create_file_perms; + allow $1_sudo_t pam_var_run_t:dir manage_dir_perms; + allow $1_sudo_t pam_var_run_t:file manage_file_perms; ') ') dnl end TODO ') diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if index 114fad0..dd8ac62 100644 --- a/policy/modules/admin/sxid.if +++ b/policy/modules/admin/sxid.if 
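Review bot: The kept line `allow $2 $1_sudo_t:fd use;` after `corecmd_shell_domtrans($1_sudo_t,$2)` is redundant — `domtrans_pattern($2, sudo_exec_t, $1_sudo_t)` a few lines up is the same four-rule set the other interfaces in this patch replace, and it already includes that rule — so only the fifo rw and sigchld lines add anything. The surviving rules are the reverse direction of the sudo transition (the shell that sudo execs runs in $2 and must use sudo's descriptors and report exit to it) and now read as leftovers; a comment would make the intent explicit: `# shell run by sudo lands back in $2: it uses sudo's fds/pipes and sends sigchld to $1_sudo_t`. Ideally that exchange would come from `corecmd_shell_domtrans` itself so it cannot drift from the forward side. `sudo_per_role_template` begins before this hunk and continues after it.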
@@ -18,5 +18,5 @@ interface(`sxid_read_log',` ') logging_search_logs($1) - allow $1 sxid_log_t:file r_file_perms; + allow $1 sxid_log_t:file read_file_perms; ') diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te index 9501fb1..08b5738 100644 --- a/policy/modules/admin/sxid.te +++ b/policy/modules/admin/sxid.te @@ -25,15 +25,15 @@ files_tmp_file(sxid_tmp_t) allow sxid_t self:capability { dac_override dac_read_search fsetid }; dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; allow sxid_t self:process signal_perms; -allow sxid_t self:fifo_file rw_file_perms; +allow sxid_t self:fifo_file rw_fifo_file_perms; allow sxid_t self:tcp_socket create_stream_socket_perms; allow sxid_t self:udp_socket create_socket_perms; -allow sxid_t sxid_log_t:file create_file_perms; +allow sxid_t sxid_log_t:file manage_file_perms; logging_log_filetrans(sxid_t,sxid_log_t,file) -allow sxid_t sxid_tmp_t:dir create_dir_perms; -allow sxid_t sxid_tmp_t:file create_file_perms; +manage_dirs_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t) +manage_files_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t) files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir }) kernel_read_system_state(sxid_t) diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if index 4db23aa..2f2daf8 100644 --- a/policy/modules/admin/tripwire.if +++ b/policy/modules/admin/tripwire.if @@ -28,10 +28,7 @@ interface(`tripwire_domtrans_tripwire',` type tripwire_t, tripwire_exec_t; ') - domain_auto_trans($1,tripwire_exec_t,tripwire_t) - allow tripwire_t $1:fd use; - allow tripwire_t $1:fifo_file rw_file_perms; - allow tripwire_t $1:process sigchld; + domtrans_pattern($1,tripwire_exec_t,tripwire_t) ') ######################################## 
@@ -81,10 +78,7 @@ interface(`tripwire_domtrans_twadmin',` type twadmin_t, twadmin_exec_t; ') - domain_auto_trans($1,twadmin_exec_t,twadmin_t) - allow twadmin_t $1:fd use; - allow twadmin_t $1:fifo_file rw_file_perms; - allow twadmin_t $1:process sigchld; + domtrans_pattern($1,twadmin_exec_t,twadmin_t) ') ######################################## @@ -134,10 +128,7 @@ interface(`tripwire_domtrans_twprint',` type twprint_t, twprint_exec_t; ') - domain_auto_trans($1,twprint_exec_t,twprint_t) - allow twprint_t $1:fd use; - allow twprint_t $1:fifo_file rw_file_perms; - allow twprint_t $1:process sigchld; + domtrans_pattern($1,twprint_exec_t,twprint_t) ') ######################################## @@ -187,10 +178,7 @@ interface(`tripwire_domtrans_siggen',` type siggen_t, siggen_exec_t; ') - domain_auto_trans($1,siggen_exec_t,siggen_t) - allow siggen_t $1:fd use; - allow siggen_t $1:fifo_file rw_file_perms; - allow siggen_t $1:process sigchld; + domtrans_pattern($1,siggen_exec_t,siggen_t) ') ######################################## diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te index cb6a7c5..04def15 100644 --- a/policy/modules/admin/tripwire.te +++ b/policy/modules/admin/tripwire.te 
@@ -46,29 +46,24 @@ domain_entry_file(twprint_t,twprint_exec_t) allow tripwire_t self:capability { setgid setuid dac_override }; -allow tripwire_t tripwire_etc_t:file r_file_perms; -allow tripwire_t tripwire_etc_t:dir r_dir_perms; -allow tripwire_t tripwire_etc_t:lnk_file { getattr read }; +allow tripwire_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t) +read_lnk_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t) files_search_etc(tripwire_t) -allow tripwire_t tripwire_tmp_t:dir manage_dir_perms; -allow tripwire_t tripwire_tmp_t:file manage_file_perms; -files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir }) - # Tripwire report files -allow tripwire_t tripwire_report_t:dir manage_dir_perms; -allow tripwire_t tripwire_report_t:file manage_file_perms; -allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms; - -allow tripwire_t tripwire_tmp_t:dir manage_dir_perms; -allow tripwire_t tripwire_tmp_t:file manage_file_perms; -allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms; -allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms; -allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms; -files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file }) - -allow tripwire_t tripwire_var_lib_t:file manage_file_perms; -allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms; +manage_dirs_pattern(tripwire_t,tripwire_report_t,tripwire_report_t) +manage_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t) +manage_lnk_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t) + +manage_dirs_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t) +manage_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t) +manage_lnk_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t) +manage_fifo_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t) +manage_sock_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t) +files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ dir file lnk_file 
sock_file fifo_file }) + +manage_files_pattern(tripwire_t,tripwire_var_lib_t,tripwire_var_lib_t) files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file) kernel_read_system_state(tripwire_t) @@ -102,9 +97,9 @@ optional_policy(` # Twadmin local policy # -allow twadmin_t tripwire_etc_t:dir manage_dir_perms; -allow twadmin_t tripwire_etc_t:file manage_file_perms; -allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms; +manage_dirs_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t) +manage_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t) +manage_lnk_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t) domain_use_interactive_fds(twadmin_t) @@ -120,17 +115,17 @@ miscfiles_read_localization(twadmin_t) # Twprint local policy # -allow twprint_t tripwire_etc_t:dir r_dir_perms; -allow twprint_t tripwire_etc_t:file r_file_perms; -allow twprint_t tripwire_etc_t:lnk_file { getattr read }; +allow twprint_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t) +read_lnk_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t) -allow twprint_t tripwire_report_t:dir r_dir_perms; -allow twprint_t tripwire_report_t:file r_file_perms; -allow twprint_t tripwire_report_t:lnk_file { getattr read }; +allow twprint_t tripwire_report_t:dir list_dir_perms; +read_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t) +read_lnk_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t) -allow twprint_t tripwire_var_lib_t:dir r_dir_perms; -allow twprint_t tripwire_var_lib_t:file r_file_perms; -allow twprint_t tripwire_var_lib_t:lnk_file { getattr read }; +allow twprint_t tripwire_var_lib_t:dir list_dir_perms; +read_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t) +read_lnk_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t) files_search_var_lib(twprint_t) domain_use_interactive_fds(twprint_t) diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if index dad4bef..f902aab 100644 
--- a/policy/modules/admin/updfstab.if +++ b/policy/modules/admin/updfstab.if @@ -17,10 +17,5 @@ interface(`updfstab_domtrans',` files_search_usr($1) corecmd_search_sbin($1) - domain_auto_trans($1,updfstab_exec_t,updfstab_t) - - allow $1 updfstab_t:fd use; - allow updfstab_t $1:fd use; - allow updfstab_t $1:fifo_file rw_file_perms; - allow updfstab_t $1:process sigchld; + domtrans_pattern($1,updfstab_exec_t,updfstab_t) ') diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if index fea1445..50c1dc3 100644 --- a/policy/modules/admin/usbmodules.if +++ b/policy/modules/admin/usbmodules.if @@ -15,13 +15,7 @@ interface(`usbmodules_domtrans',` type usbmodules_t, usbmodules_exec_t; ') - domain_auto_trans($1, usbmodules_exec_t, usbmodules_t) - - allow $1 usbmodules_t:fd use; - allow usbmodules_t $1:fd use; - allow usbmodules_t $1:fifo_file rw_file_perms; - allow usbmodules_t $1:process sigchld; - + domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) ') ######################################## diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index b49086d..f71a57f 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,12 +17,7 @@ interface(`usermanage_domtrans_chfn',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,chfn_exec_t,chfn_t) - - allow $1 chfn_t:fd use; - allow chfn_t $1:fd use; - allow chfn_t $1:fifo_file rw_file_perms; - allow chfn_t $1:process sigchld; + domtrans_pattern($1,chfn_exec_t,chfn_t) ') ######################################## @@ -73,12 +68,7 @@ interface(`usermanage_domtrans_groupadd',` files_search_usr($1) corecmd_search_sbin($1) - domain_auto_trans($1,groupadd_exec_t,groupadd_t) - - allow $1 groupadd_t:fd use; - allow groupadd_t $1:fd use; - allow groupadd_t $1:fifo_file rw_file_perms; - allow groupadd_t $1:process sigchld; + domtrans_pattern($1,groupadd_exec_t,groupadd_t) ') ######################################## 
@@ -130,12 +120,7 @@ interface(`usermanage_domtrans_passwd',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,passwd_exec_t,passwd_t)
-
- allow $1 passwd_t:fd use;
- allow passwd_t $1:fd use;
- allow passwd_t $1:fifo_file rw_file_perms;
- allow passwd_t $1:process sigchld;
+ domtrans_pattern($1,passwd_exec_t,passwd_t)
 ')
 ########################################
@@ -187,12 +172,7 @@ interface(`usermanage_domtrans_admin_passwd',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
-
- allow $1 sysadm_passwd_t:fd use;
- allow sysadm_passwd_t $1:fd use;
- allow sysadm_passwd_t $1:fifo_file rw_file_perms;
- allow sysadm_passwd_t $1:process sigchld;
+ domtrans_pattern($1,admin_passwd_exec_t,sysadm_passwd_t)
 ')
 ########################################
@@ -245,12 +225,7 @@ interface(`usermanage_domtrans_useradd',`
 files_search_usr($1)
 corecmd_search_sbin($1)
- domain_auto_trans($1,useradd_exec_t,useradd_t)
-
- allow $1 useradd_t:fd use;
- allow useradd_t $1:fd use;
- allow useradd_t $1:fifo_file rw_file_perms;
- allow useradd_t $1:process sigchld;
+ domtrans_pattern($1,useradd_exec_t,useradd_t)
 ')
 ########################################
@@ -300,5 +275,5 @@ interface(`usermanage_read_crack_db',`
 type crack_db_t;
 ')
- allow $1 crack_db_t:file r_file_perms;
+ allow $1 crack_db_t:file read_file_perms;
 ')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d48cd01..5c0c5d3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
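Review bot: `usermanage_read_crack_db` still grants only `allow $1 crack_db_t:file read_file_perms;` with no permission on `crack_db_t:dir`, so a caller cannot traverse the crack database directory to reach those files unless it obtains `search` on that type somewhere else. The `.te` side of this same commit writes the equivalent access for passwd_t as `allow passwd_t crack_db_t:dir list_dir_perms;` plus `read_files_pattern(passwd_t,crack_db_t,crack_db_t)`; the interface should take the same shape, `read_files_pattern($1,crack_db_t,crack_db_t)`, which carries the directory search along with the file read. If callers are expected to get the directory access from another interface, the interface's comment block should say so rather than leave the gap implicit.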
@@ -68,8 +68,8 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
-allow chfn_t self:fifo_file rw_file_perms;
-allow chfn_t self:sock_file r_file_perms;
+allow chfn_t self:fifo_file rw_fifo_file_perms;
+allow chfn_t self:sock_file read_sock_file_perms;
 allow chfn_t self:shm create_shm_perms;
 allow chfn_t self:sem create_sem_perms;
 allow chfn_t self:msgq create_msgq_perms;
@@ -146,15 +146,14 @@ optional_policy(`
 #
 allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file rw_file_perms;
+allow crack_t self:fifo_file rw_fifo_file_perms;
-allow crack_t crack_db_t:dir rw_dir_perms;
-allow crack_t crack_db_t:file create_file_perms;
-allow crack_t crack_db_t:lnk_file create_file_perms;
+manage_files_pattern(crack_t,crack_db_t,crack_db_t)
+manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
 files_search_var(crack_t)
-allow crack_t crack_tmp_t:dir create_dir_perms;
-allow crack_t crack_tmp_t:file create_file_perms;
+manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
+manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
 kernel_read_system_state(crack_t)
@@ -193,7 +192,7 @@ dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:fifo_file rw_fifo_file_perms;
 allow groupadd_t self:shm create_shm_perms;
 allow groupadd_t self:sem create_sem_perms;
 allow groupadd_t self:msgq create_msgq_perms;
@@ -274,8 +273,8 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
-allow passwd_t self:fifo_file rw_file_perms;
-allow passwd_t self:sock_file r_file_perms;
+allow passwd_t self:fifo_file rw_fifo_file_perms;
+allow passwd_t self:sock_file read_sock_file_perms;
 allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
@@ -286,8 +285,8 @@ allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
+allow passwd_t crack_db_t:dir list_dir_perms;
+read_files_pattern(passwd_t,crack_db_t,crack_db_t)
 kernel_read_kernel_sysctls(passwd_t)
@@ -363,8 +362,8 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file rw_file_perms;
-allow sysadm_passwd_t self:sock_file r_file_perms;
+allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
+allow sysadm_passwd_t self:sock_file read_sock_file_perms;
 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow sysadm_passwd_t self:unix_dgram_socket sendto;
@@ -375,8 +374,8 @@ allow sysadm_passwd_t self:msgq create_msgq_perms;
 allow sysadm_passwd_t self:msg { send receive };
 # allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
+manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
+manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
 files_dontaudit_search_home(sysadm_passwd_t)
@@ -458,7 +457,7 @@ dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:fifo_file rw_fifo_file_perms;
 allow useradd_t self:shm create_shm_perms;
 allow useradd_t self:sem create_sem_perms;
 allow useradd_t self:msgq create_msgq_perms;
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index 729e9a0..c5faff5 100644
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -16,11 +16,5 @@ interface(`vbetool_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,vbetool_exec_t,vbetool_t)
-
- allow $1 vbetool_t:fd use;
- allow vbetool_t $1:fd use;
- allow vbetool_t $1:fifo_file rw_file_perms;
- allow vbetool_t $1:process sigchld;
-
+ domtrans_pattern($1,vbetool_exec_t,vbetool_t)
 ')
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index fea1dd4..76916e1 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -15,12 +15,7 @@ interface(`vpn_domtrans',`
 type vpnc_t, vpnc_exec_t;
 ')
- domain_auto_trans($1,vpnc_exec_t,vpnc_t)
-
- allow $1 vpnc_t:fd use;
- allow vpnc_t $1:fd use;
- allow vpnc_t $1:fifo_file rw_file_perms;
- allow vpnc_t $1:process sigchld;
+ domtrans_pattern($1,vpnc_exec_t,vpnc_t)
 ')
 ########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 275fb94..f6af2c3 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -36,12 +36,11 @@ allow vpnc_t self:unix_stream_socket create_socket_perms;
 # cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;
-allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
-allow vpnc_t vpnc_tmp_t:file create_file_perms;
+manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
+manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
 files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-allow vpnc_t vpnc_var_run_t:file create_file_perms;
-allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
 files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
 kernel_read_system_state(vpnc_t)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
index c2ba698..e07b7a5 100644
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@@ -17,12 +17,7 @@ interface(`ada_domtrans',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1, ada_exec_t, ada_t)
-
- allow $1 ada_t:fd use;
- allow ada_t $1:fd use;
- allow ada_t $1:fifo_file rw_file_perms;
- allow ada_t $1:process sigchld;
+ domtrans_pattern($1, ada_exec_t, ada_t)
 ',`
 refpolicywarn(`$0($1) has no effect in strict policy.')
 ')
diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if
index 84134d0..e17ee67 100644
--- a/policy/modules/apps/authbind.if
+++ b/policy/modules/apps/authbind.if
@@ -15,9 +15,6 @@ interface(`authbind_domtrans',`
 type authbind_t, authbind_exec_t;
 ')
- domain_auto_trans($1,authbind_exec_t,authbind_t)
- allow authbind_t $1:fd use;
- allow authbind_t $1:fifo_file rw_file_perms;
- allow authbind_t $1:process sigchld;
+ domtrans_pattern($1,authbind_exec_t,authbind_t)
 allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
 ')
diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te
index 292dda2..2fd4f95 100644
--- a/policy/modules/apps/authbind.te
+++ b/policy/modules/apps/authbind.te
@@ -22,10 +22,10 @@ files_config_file(authbind_etc_t)
 allow authbind_t self:capability net_bind_service;
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t authbind_etc_t:file r_file_perms;
-allow authbind_t authbind_etc_t:dir r_dir_perms;
-allow authbind_t authbind_etc_t:lnk_file { getattr read };
+allow authbind_t authbind_etc_t:dir list_dir_perms;
+exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
+read_lnk_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
+
 files_list_etc(authbind_t)
 term_use_console(authbind_t)
diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if
index e180a59..767a181 100644
--- a/policy/modules/apps/calamaris.if
+++ b/policy/modules/apps/calamaris.if
@@ -15,7 +15,7 @@ interface(`calamaris_read_www_files',`
 type calamaris_www_t;
 ')
- allow $1 calamaris_www_t:dir r_dir_perms;
- allow $1 calamaris_www_t:file r_file_perms;
- allow $1 calamaris_www_t:lnk_file { getattr read };
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1,calamaris_www_t,calamaris_www_t)
+ read_lnk_files_pattern($1,calamaris_www_t,calamaris_www_t)
 ')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 98c8832..5bb18e3 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
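Review bot: `exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)` in the authbind.te hunk leaves a type declared with `files_config_file(authbind_etc_t)` executable by the daemon, which is unusual for a configuration type and deserves a why-comment; the removed `can_exec` granted the same thing but was equally unexplained. A line such as `# entries under /etc/authbind/ may be executable programs rather than plain permission files -- confirm against authbind(1)` above the pattern would tell the next reader why a config type carries execute, phrased as an assumption because nothing in the hunk shows the reason. The hunk also drops `allow authbind_t authbind_etc_t:file r_file_perms;` on the strength of the pattern's execute permission set including read and getattr; if the new perm-set definitions differ, a `read_files_pattern` on the same type should be kept alongside.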
@@ -29,12 +29,10 @@ allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
 allow calamaris_t self:tcp_socket create_stream_socket_perms;
 allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t calamaris_www_t:dir rw_dir_perms;
-allow calamaris_t calamaris_www_t:file manage_file_perms;
-allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
+manage_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
-allow calamaris_t calamaris_log_t:file create_file_perms;
-allow calamaris_t calamaris_log_t:dir rw_dir_perms;
+manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)
 logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
 kernel_read_all_sysctls(calamaris_t)
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index d20691e..09ea3c9 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -61,17 +61,11 @@ template(`cdrecord_per_role_template', `
 allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
 # allow ps to show cdrecord and allow the user to kill it
- allow $2 $1_cdrecord_t:dir { search getattr read };
- allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
- allow $2 $1_cdrecord_t:process getattr;
+ ps_process_pattern($2,$1_cdrecord_t)
 allow $2 $1_cdrecord_t:process signal;
 # Transition from the user domain to the derived domain.
- domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
- allow $2 $1_cdrecord_t:fd use;
- allow $1_cdrecord_t $2:fd use;
- allow $1_cdrecord_t $2:fifo_file rw_file_perms;
- allow $1_cdrecord_t $2:process sigchld;
+ domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)
 # allow searching for cdrom-drive
 dev_list_all_dev_nodes($1_cdrecord_t)
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 6d0eda3..91789da 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
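Review bot: `logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })` keeps `dir` in its class list, but after this hunk calamaris_t holds only `manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)` on that type, which grants the directory type the rw_dir_perms set rather than `create` (the removed `rw_dir_perms` line had the same limitation, so this is pre-existing rather than introduced here). Unless rw_dir_perms carries `create` in this tree, the directory half of that transition can never fire; either add `manage_dirs_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)` or trim the filetrans to `file`, as the games.if hunk in this same commit does for its tmpfs type when no directory management is granted. Since the hunk is rewriting exactly these lines it is the natural place to settle which is intended.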
@@ -70,36 +70,38 @@ template(`ethereal_per_role_template',`
 allow $1_ethereal_t self:tcp_socket create_socket_perms;
 allow $1_ethereal_t self:udp_socket create_socket_perms;
- # Store temporary files
- allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
- allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
- files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
 # Re-execute itself (why?)
 can_exec($1_ethereal_t, ethereal_exec_t)
 corecmd_search_sbin($1_ethereal_t)
 # /home/.ethereal
- allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
- allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
 userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
- allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+ # Store temporary files
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
+ files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
 allow $1_ethereal_t $2:fd use;
 allow $1_ethereal_t $2:process sigchld;
- allow $2 $1_ethereal_home_t:dir manage_dir_perms;
- allow $2 $1_ethereal_home_t:file manage_file_perms;
- allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
- allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
 kernel_read_kernel_sysctls($1_ethereal_t)
 kernel_read_system_state($1_ethereal_t)
@@ -240,12 +242,7 @@ template(`ethereal_domtrans_user_ethereal',`
 type $1_ethereal_t, ethereal_exec_t;
 ')
- domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
-
- allow $2 $1_ethereal_t:fd use;
- allow $1_ethereal_t $2:fd use;
- allow $1_ethereal_t $2:fifo_file rw_file_perms;
- allow $1_ethereal_t $2:process sigchld;
+ domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
 ')
 ########################################
@@ -263,12 +260,7 @@ template(`ethereal_domtrans_tethereal',`
 type tethereal_t, tethereal_exec_t;
 ')
- domain_auto_trans($1,tethereal_exec_t,tethereal_t)
-
- allow $1 tethereal_t:fd use;
- allow tethereal_t $1:fd use;
- allow tethereal_t $1:fifo_file rw_file_perms;
- allow tethereal_t $1:process sigchld;
+ domtrans_pattern($1,tethereal_exec_t,tethereal_t)
 ')
 ########################################
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index 7e9743b..433765a 100644
--- a/policy/modules/apps/ethereal.te
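Review bot: The user-to-ethereal transition in the middle of the per-role template hunk is left as `domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)` plus `allow $1_ethereal_t $2:fd use;` and `allow $1_ethereal_t $2:process sigchld;`, while every other transition in this commit, including `ethereal_domtrans_user_ethereal` further down the same file, moves to `domtrans_pattern`. Those three context lines grant neither `$1_ethereal_t $2:fifo_file` read/write nor `$2 $1_ethereal_t:fd use`, so the template and the interface now hand out different access for the same transition; replacing them with `domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)` makes the two agree. Separately, the relocated `# Store temporary files` comment now heads only the `$1_ethereal_tmp_t` rules, and the tmpfs block that follows has no comment of its own; a one-liner such as `# tmpfs-backed files (shared memory)` would keep the two groups apart for a reader. The template starts and ends outside this hunk.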
+++ b/policy/modules/apps/ethereal.te
@@ -30,8 +30,8 @@ allow tethereal_t self:tcp_socket create_socket_perms;
 allow tethereal_t self:udp_socket create_socket_perms;
 # Store temporary files
-allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
-allow tethereal_t tethereal_tmp_t:file create_file_perms;
+manage_dirs_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
+manage_files_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
 files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
 # /proc
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 9f197dc..02ccdba 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -442,7 +442,7 @@ template(`evolution_per_role_template',`
 # Put secret files in .gnome2_private
 allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
- allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
+ allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
 type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
 allow $2 $1_evolution_secret_t:file unlink;
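Review bot: The rule this evolution.if hunk rewrites targets `$1_evolutioin_secret_t` (note the transposed letters), as does the `type_transition` on the following context line, while the user-domain rule two lines below uses `$1_evolution_secret_t`. If the misspelled name is not a declared type the module cannot build; if it is declared somewhere as a second type, the secret files evolution creates under `.gnome2_private` get a label the user domain is never granted `unlink` on, so the clean-up rule below is dead. The line should read `allow $1_evolution_t $1_evolution_secret_t:file manage_file_perms;` with the `type_transition` target corrected to match, and since this commit is converting bare rules to patterns, the `rw_dir_perms` line above it and this rule collapse into `manage_files_pattern($1_evolution_t,$1_gnome_secret_t,$1_evolution_secret_t)`. The template starts and ends outside this hunk, so the declaration that would settle which spelling exists is not visible here.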
@@ -535,16 +535,16 @@ template(`evolution_per_role_template',`
 allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
 # Access evolution home
- allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
+ allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
+ allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
 allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
 allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
 allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
 # /tmp/.exchange-$USER
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
+ allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
+ allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
 files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
 allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
@@ -619,8 +619,8 @@ template(`evolution_per_role_template',`
 allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
 # Access evolution home
- allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
- allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
+ allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
+ allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
 allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
 allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 685a656..91fe9e7 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -62,23 +62,21 @@ template(`games_per_role_template',`
 allow $1_games_t self:tcp_socket create_stream_socket_perms;
 allow $1_games_t self:udp_socket create_socket_perms;
- allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
- allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
- allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
- allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
- allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
- allow $1_games_t $1_games_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+ manage_files_pattern($1_games_t,games_data_t,games_data_t)
+ manage_lnk_files_pattern($1_games_t,games_data_t,games_data_t)
- allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
+ allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty($1_games_t,$1_games_devpts_t)
- allow $1_games_t games_data_t:dir rw_dir_perms;
- allow $1_games_t games_data_t:file manage_file_perms;
- allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
+ manage_files_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
+ files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+
+ manage_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_lnk_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_fifo_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_sock_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ file lnk_file sock_file fifo_file })
 can_exec($1_games_t, games_exec_t)
@@ -159,8 +157,8 @@ template(`games_per_role_template',`
 gnome_file_dialog($1_games, $1)
 # Access /home/user/.gnome2
 # FIXME: Change to use per app types
- allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
- allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+ allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
+ allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
 allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
 #missing policy
 optional_policy(`
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index fea04e7..cf2d88e 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -26,12 +26,10 @@ files_pid_file(games_var_run_t)
 dontaudit games_t self:capability sys_tty_config;
 allow games_t self:process signal_perms;
-allow games_t games_data_t:dir rw_dir_perms;
-allow games_t games_data_t:file manage_file_perms;
-allow games_t games_data_t:lnk_file create_lnk_perms;
+manage_files_pattern(games_t,games_data_t,games_data_t)
+manage_lnk_files_pattern(games_t,games_data_t,games_data_t)
-allow games_t games_var_run_t:file manage_file_perms;
-allow games_t games_var_run_t:dir rw_dir_perms;
+manage_files_pattern(games_t,games_var_run_t,games_var_run_t)
 files_pid_filetrans(games_t,games_var_run_t,file)
 can_exec(games_t,games_exec_t)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 5a707ef..1895947 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -63,40 +63,34 @@ template(`gift_per_role_template',`
 allow $1_gift_t self:tcp_socket create_socket_perms;
- allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
- allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
- allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
- allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_lnk_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_fifo_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
 fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
- allow $1_gift_t $1_gift_home_t:file manage_file_perms;
- allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
 userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
 # Launch gift daemon
- domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
- allow $1_giftd_t $1_gift_t:fd use;
- allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
- allow $1_giftd_t $1_gift_t:process sigchld;
+ domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
 # transition from user domain
- domain_auto_trans($2, gift_exec_t, $1_gift_t)
- allow $1_gift_t $2:fd use;
- allow $1_gift_t $2:fifo_file rw_file_perms;
- allow $1_gift_t $2:process sigchld;
+ domtrans_pattern($2, gift_exec_t, $1_gift_t)
 # user managed content
- allow $2 $1_gift_home_t:dir manage_dir_perms;
- allow $2 $1_gift_home_t:file manage_file_perms;
- allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
- allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
 # Allow the user domain to signal/ps.
- allow $2 $1_gift_t:dir { search getattr read };
- allow $2 $1_gift_t:{ file lnk_file } { read getattr };
- allow $2 $1_gift_t:process { getattr signal_perms };
+ ps_process_pattern($2,$1_gift_t)
+ allow $2 $1_gift_t:process signal_perms;
 # Read /proc/meminfo
 kernel_read_system_state($1_giftd_t)
@@ -150,15 +144,12 @@ template(`gift_per_role_template',`
 allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
 allow $1_giftd_t self:udp_socket create_socket_perms;
- allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
- allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
- allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
 userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
- domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
- allow $1_giftd_t $2:fd use;
- allow $1_giftd_t $2:fifo_file rw_file_perms;
- allow $1_giftd_t $2:process sigchld;
+ domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
 kernel_read_system_state($1_giftd_t)
 kernel_read_kernel_sysctls($1_giftd_t)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 46ee2da..d9b5fc9 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
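Review bot: `fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` keeps `dir` in its class list while the four `manage_*_files_pattern` calls now above it grant $1_gift_t no directory-create permission on `$1_gift_tmpfs_t` (they give the directory type the rw_dir_perms set only, assuming that set does not carry `create`); the removed `rw_dir_perms` line had the same gap, so nothing regresses, but the transition's `dir` entry is dead. The games.if hunk in this same commit handles the identical situation by dropping `dir` from its `fs_tmpfs_filetrans`; do the same here, or add `manage_dirs_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)` if giFT really creates tmpfs directories. The template starts and ends outside this hunk.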
@@ -59,12 +59,12 @@ template(`gnome_per_role_template',`
 allow $1_gconfd_t self:process getsched;
- allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
- allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
+ manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
+ manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
 userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
- allow $1_gconfd_t $1_gconf_tmp_t:dir manage_dir_perms;
- allow $1_gconfd_t $1_gconf_tmp_t:file manage_file_perms;
+ manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
+ manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
 userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
 domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
@@ -73,7 +73,7 @@ template(`gnome_per_role_template',`
 allow $1_gconfd_t $2:unix_stream_socket connectto;
 allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
- allow $1_gconfd_t gconf_etc_t:file read_file_perms;
+ read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
 dev_read_urand($1_gconfd_t)
@@ -125,5 +125,5 @@ template(`gnome_stream_connect_gconf_template',`
 ')
 allow $2 $1_gconfd_t:unix_stream_socket connectto;
- allow $2 $1_gconf_tmp_t:file r_file_perms;
+ allow $2 $1_gconf_tmp_t:file read_file_perms;
 ')
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index b125e78..e3fbe91 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
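Review bot: `gnome_stream_connect_gconf_template` still grants only `allow $2 $1_gconf_tmp_t:file read_file_perms;` with no `search` on `$1_gconf_tmp_t:dir`, yet the first hunk shows gconfd creating both `dir` and `file` objects of that type under the user tmp directory, so the file a connecting domain reads presumably lives inside a `$1_gconf_tmp_t` directory that $2 cannot enter. `read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)` would carry the directory search along with the file read and match how the second hunk rewrites the same access as `read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)`. If callers are known to reach the file through a different directory type, a comment on the interface saying so would save the next reader the same question; the template's opening lines are outside this hunk.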
@@ -81,23 +81,20 @@ template(`gpg_per_role_template',`
 # setrlimit is for ulimit -c 0
 allow $1_gpg_t self:process { setrlimit setcap setpgid };
- allow $1_gpg_t self:fifo_file rw_file_perms;
+ allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
 allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
- allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
- allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
- allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ # transition from the gpg domain to the helper domain
+ domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
+
+ manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
 # transition from the userdomain to the derived domain
- domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
- allow $1_gpg_t $2:fd use;
- allow $1_gpg_t $2:fifo_file rw_file_perms;
- allow $1_gpg_t $2:process sigchld;
+ domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
 # allow ps to show gpg
- allow $2 $1_gpg_t:dir { search getattr read };
- allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
- allow $2 $1_gpg_t:process getattr;
+ ps_process_pattern($2,$1_gpg_t)
 corenet_non_ipsec_sendrecv($1_gpg_t)
 corenet_tcp_sendrecv_all_if($1_gpg_t)
@@ -152,21 +149,14 @@ template(`gpg_per_role_template',`
 # Note: this is only tested with the hkp interface. If you use eg the
 # mail interface you will likely need additional permissions.
- # communicate with the user
- allow $1_gpg_helper_t $2:fd use;
- allow $1_gpg_helper_t $2:fifo_file write;
-
- # transition from the gpg domain to the helper domain
- domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
- allow $1_gpg_helper_t $1_gpg_t:fd use;
- allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
- allow $1_gpg_helper_t $1_gpg_t:process sigchld;
-
 allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-
 allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
 allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+ # communicate with the user
+ allow $1_gpg_helper_t $2:fd use;
+ allow $1_gpg_helper_t $2:fifo_file write;
+
 dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
@@ -215,36 +205,29 @@ template(`gpg_per_role_template',` allow $1_gpg_agent_t self:process setrlimit; allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; - allow $1_gpg_agent_t self:fifo_file rw_file_perms; + allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms; - allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms; - allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) + manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) + manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) # allow gpg to connect to the gpg agent - allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; - allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; - allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto; + stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) # allow ps to show gpg-agent - allow $2 $1_gpg_agent_t:dir { search getattr read }; - allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr }; - allow $2 $1_gpg_agent_t:process getattr; + ps_process_pattern($2,$1_gpg_agent_t) # Allow the user shell to signal the gpg-agent program. allow $2 $1_gpg_agent_t:process { signal sigkill }; - allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms; - allow $2 $1_gpg_agent_tmp_t:file create_file_perms; - allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms; + manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) + manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) + manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) # Transition from the user domain to the derived domain. 
- domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t) - allow $1_gpg_agent_t $2:fd use; - allow $1_gpg_agent_t $2:fifo_file rw_file_perms; - allow $1_gpg_agent_t $2:process sigchld; + domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) corecmd_search_bin($1_gpg_agent_t) @@ -277,15 +260,12 @@ template(`gpg_per_role_template',` # Pinentry local policy # + allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; + allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; + # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. - domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) - allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; - allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; - allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld; - - allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - allow $1_gpg_pinentry_t self:fifo_file rw_file_perms; + domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) # read /proc/meminfo kernel_read_system_state($1_gpg_pinentry_t) @@ -366,11 +346,7 @@ template(`gpg_domtrans_user_gpg',` type $1_gpg_t, gpg_exec_t; ') - domain_auto_trans($2, gpg_exec_t, $1_gpg_t) - allow $2 $1_gpg_t:fd use; - allow $1_gpg_t $2:fd use; - allow $1_gpg_t $2:fifo_file rw_file_perms; - allow $1_gpg_t $2:process sigchld; + domtrans_pattern($2, gpg_exec_t, $1_gpg_t) ') ######################################## diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if index 16b2ae9..6debc0b 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if 
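Review bot: In the gpg_domtrans_user_gpg hunk the caller-side rule `allow $2 $1_gpg_t:fd use;` is removed along with the callee-side fd/fifo/sigchld rules, but `domtrans_pattern($2, gpg_exec_t, $1_gpg_t)` appears to replace only the callee side (every other converted site in this diff that had no caller-side rule maps one-to-one), so the user domain's use of gpg's descriptors is dropped silently. The same caller-side `fd use` rule disappears in the irc_per_role_template, java_domtrans, loadkeys_domtrans, lockdev_per_role_template, mono_domtrans, mencoder, mplayer and tvtime hunks. If the removal is intended, it is a behavior change worth a Changelog line; if not, keep `allow $2 $1_gpg_t:fd use;` next to the pattern call at each site.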
@@ -62,40 +62,31 @@ template(`irc_per_role_template',` # Local policy # - allow $1_irc_t self:dir search; - allow $1_irc_t self:lnk_file read; allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; allow $1_irc_t self:tcp_socket create_socket_perms; allow $1_irc_t self:udp_socket create_socket_perms; - allow $1_irc_t $1_irc_home_t:dir create_dir_perms; - allow $1_irc_t $1_irc_home_t:file create_file_perms; - allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) + manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) + manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file }) # access files under /tmp - allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms; - allow $1_irc_t $1_irc_tmp_t:file create_file_perms; - allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms; - allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms; - allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms; + manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) + manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) + manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) + manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) + manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file }) # Transition from the user domain to the derived domain. 
- domain_auto_trans($2,irc_exec_t,$1_irc_t) - allow $2 $1_irc_t:fd use; - allow $1_irc_t $2:fd use; - allow $1_irc_t $2:fifo_file rw_file_perms; - allow $1_irc_t $2:process sigchld; + domtrans_pattern($2,irc_exec_t,$1_irc_t) - allow $2 $1_irc_t:process signal; - - allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms }; + allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms }; # allow ps to show irc - allow $2 $1_irc_t:dir { search getattr read }; - allow $2 $1_irc_t:{ file lnk_file } { read getattr }; - allow $2 $1_irc_t:process getattr; + ps_process_pattern($2,$1_irc_t) + allow $2 $1_irc_t:process signal; kernel_read_proc_symlinks($1_irc_t) diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index 8617525..00e7744 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -59,7 +59,7 @@ template(`java_per_role_template',` # allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; - allow $1_javaplugin_t self:fifo_file rw_file_perms; + allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; allow $1_javaplugin_t self:tcp_socket create_socket_perms; allow $1_javaplugin_t self:udp_socket create_socket_perms; 
@@ -67,21 +67,18 @@ template(`java_per_role_template',` allow $1_javaplugin_t $2:unix_stream_socket { read write }; userdom_write_user_tmp_sockets($1,$1_javaplugin_t) - allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms; - allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms; + manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) + manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir }) - allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_fifo_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file }) - # cjp: rw_dir_perms here doesnt make sense - allow $1_javaplugin_t $1_home_t:dir rw_dir_perms; - allow $1_javaplugin_t $1_home_t:file rw_file_perms; - allow $1_javaplugin_t $1_home_t:lnk_file { getattr read }; + rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) + 
read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) can_exec($1_javaplugin_t, java_exec_t) @@ -189,12 +186,7 @@ interface(`java_domtrans',` ') corecmd_search_bin($1) - domain_auto_trans($1, java_exec_t, java_t) - - allow $1 java_t:fd use; - allow java_t $1:fd use; - allow java_t $1:fifo_file rw_file_perms; - allow java_t $1:process sigchld; + domtrans_pattern($1, java_exec_t, java_t) ',` refpolicywarn(`$0($1) has no effect in strict policy.') ') diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if index d85b82c..8515073 100644 --- a/policy/modules/apps/loadkeys.if +++ b/policy/modules/apps/loadkeys.if @@ -17,12 +17,7 @@ interface(`loadkeys_domtrans',` ') corecmd_search_bin($1) - domain_auto_trans($1, loadkeys_exec_t, loadkeys_t) - - allow $1 loadkeys_t:fd use; - allow loadkeys_t $1:fd use; - allow loadkeys_t $1:fifo_file rw_file_perms; - allow loadkeys_t $1:process sigchld; + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) ',` refpolicywarn(`$0($*) has no effect in targeted policy.') ') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 8e7daf3..a8e2e11 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -30,7 +30,7 @@ ifdef(`targeted_policy',` # loadkeys domain disabled in targeted policy ',` allow loadkeys_t self:capability { setuid sys_tty_config }; - allow loadkeys_t self:fifo_file rw_file_perms; + allow loadkeys_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(loadkeys_t) diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if index c462bcc..3230ffa 100644 --- a/policy/modules/apps/lockdev.if +++ b/policy/modules/apps/lockdev.if 
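Review bot: The java_per_role_template hunk (-67) replaces the three `$1_home_t` rules with `rw_files_pattern` plus `read_files_pattern`, but the removed `allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };` has no counterpart, so symlinks under the user home type are no longer readable by the plugin. Assuming the read pattern is a subset of the rw pattern as the permission-set names suggest, the second call is redundant and the line that was meant is probably `read_lnk_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)`. The template body continues outside the hunk.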
@@ -61,13 +61,9 @@ template(`lockdev_per_role_template',` allow $1_lockdev_t $2:process signull; # Transition from the user domain to the derived domain. - domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t) - allow $2 $1_lockdev_t:fd use; - allow $1_lockdev_t $2:fd use; - allow $1_lockdev_t $2:fifo_file rw_file_perms; - allow $1_lockdev_t $2:process sigchld; + domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t) - allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms; + allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms; files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file) files_read_all_locks($1_lockdev_t) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if index 257fa43..2468754 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if @@ -16,10 +16,5 @@ interface(`mono_domtrans',` ') corecmd_search_bin($1) - domain_auto_trans($1, mono_exec_t, mono_t) - - allow $1 mono_t:fd use; - allow mono_t $1:fd use; - allow mono_t $1:fifo_file rw_file_perms; - allow mono_t $1:process sigchld; + domtrans_pattern($1, mono_exec_t, mono_t) ') diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 6f6f6a4..2e443c1 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -57,6 +57,7 @@ template(`mozilla_per_role_template',` # # Local policy # + allow $1_mozilla_t self:capability { sys_nice setgid setuid }; allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow $1_mozilla_t self:fifo_file { getattr read write }; 
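Review bot: The mozilla_per_role_template hunk (-57) adds `allow $1_mozilla_t self:capability { sys_nice setgid setuid };`, a new privilege grant to a network-facing browser domain that is unrelated to the macro conversion the rest of this diff performs and carries no comment explaining which component needs it. Capability widenings are easier to audit and revert when they land separately with a rationale; at minimum the line should get a why-comment such as `# TODO(review): state which mozilla component needs setuid/setgid and sys_nice`. The template continues outside the hunk.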
@@ -72,13 +73,13 @@ template(`mozilla_per_role_template',` can_exec($1_mozilla_t, mozilla_exec_t) # X access, Home files - allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms; - allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms; - allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms; - fs_search_auto_mountpoints($1_mozilla_t) + manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) + manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) + manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) + userdom_search_user_home_dirs($1,$1_mozilla_t) # Mozpluggerrc - allow $1_mozilla_t mozilla_conf_t:file r_file_perms; + allow $1_mozilla_t mozilla_conf_t:file read_file_perms; allow $1_mozilla_t $2:fd use; allow $1_mozilla_t $2:process sigchld; 
@@ -89,28 +90,23 @@ template(`mozilla_per_role_template',` allow $2 $1_mozilla_t:unix_stream_socket connectto; # X access, Home files - allow $2 $1_mozilla_home_t:dir manage_dir_perms; - allow $2 $1_mozilla_home_t:file manage_file_perms; - allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms; - allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - userdom_search_user_home_dirs($1,$1_mozilla_t) + manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) + + manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) + manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) + manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) + manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) + fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file }) - allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms; - allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms; - allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms; - allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms; - allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms; - fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - # Unrestricted inheritance from the caller. - allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; allow $1_mozilla_t $2:process signull; # Allow the user domain to signal/ps. 
- allow $2 $1_mozilla_t:dir { search getattr read }; - allow $2 $1_mozilla_t:{ file lnk_file } { read getattr }; - allow $2 $1_mozilla_t:process getattr; - + ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; kernel_read_kernel_sysctls($1_mozilla_t) @@ -164,6 +160,7 @@ template(`mozilla_per_role_template',` files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) + fs_search_auto_mountpoints($1_mozilla_t) fs_search_inotifyfs($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) @@ -208,6 +205,8 @@ template(`mozilla_per_role_template',` # Type transition tunable_policy(`! disable_mozilla_trans',` domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + # Unrestricted inheritance from the caller. + allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; ') # Uploads, local html diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index 45c3bf5..47ee8ec 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if 
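Review bot: In the -208 hunk `domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)` inside the `! disable_mozilla_trans` tunable is left as a bare transition while every other transition in this diff is converted to `domtrans_pattern`, and the callee-side `allow $1_mozilla_t $2:fd use;` / `sigchld` rules stay unconditional in the -72 hunk. Moving the inheritance rules into the tunable is a sensible tightening, but if keeping the transition unconverted is deliberate a one-line comment saying why would stop the next cleanup pass from "fixing" it. The enclosing template starts and ends outside these hunks.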
@@ -61,26 +61,20 @@ template(`mplayer_per_role_template',` # mencoder local policy # - allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms; - allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms; - allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) # Read global config - allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms; - allow $1_mencoder_t mplayer_etc_t:file r_file_perms; - allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read }; + allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; + read_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t) + read_lnk_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t) # domain transition - domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t) - allow $2 $1_mencoder_t:fd use; - allow $1_mencoder_t $2:fd use; - allow $1_mencoder_t $2:fifo_file rw_file_perms; - allow $1_mencoder_t $2:process sigchld; + domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t) # Allow the user domain to signal/ps. - allow $2 $1_mencoder_t:dir { search getattr read }; - allow $2 $1_mencoder_t:{ file lnk_file } { read getattr }; - allow $2 $1_mencoder_t:process getattr; + ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t) allow $2 $1_mencoder_t:process signal_perms; # Read /proc files and directories 
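Review bot: `ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)` passes three arguments where every other call in this diff passes two (`ps_process_pattern($2,$1_mplayer_t)`, `ps_process_pattern($2,$1_gpg_t)`); m4 discards the surplus argument for a user-defined macro, so this is harmless today but reads as a copy-paste slip from the two-type manage patterns. The line should be `ps_process_pattern($2,$1_mencoder_t)`.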
@@ -254,42 +248,37 @@ template(`mplayer_per_role_template',` # allow $1_mplayer_t self:process { signal_perms getsched }; - allow $1_mplayer_t self:fifo_file rw_file_perms; + allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; - allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms; - allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms; - allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) userdom_search_user_home_dirs($1,$1_mplayer_t) - allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms; - allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms; - allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms; - allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms; - allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms; + manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) + manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) + manage_fifo_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) + manage_sock_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Read global config - allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms; - allow $1_mplayer_t mplayer_etc_t:file r_file_perms; - allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read }; + allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms; + read_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t) + read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t) # Home access - allow $2 $1_mplayer_home_t:dir manage_dir_perms; - allow $2 $1_mplayer_home_t:file manage_file_perms; - allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms; - allow $2 
$1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) # domain transition - domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t) - allow $2 $1_mplayer_t:fd use; - allow $1_mplayer_t $2:fd use; - allow $1_mplayer_t $2:fifo_file rw_file_perms; - allow $1_mplayer_t $2:process sigchld; + domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) # Allow the user domain to signal/ps. - allow $2 $1_mplayer_t:dir { search getattr read }; - allow $2 $1_mplayer_t:{ file lnk_file } { read getattr }; - allow $2 $1_mplayer_t:process getattr; + ps_process_pattern($2,$1_mplayer_t) allow $2 $1_mplayer_t:process signal_perms; kernel_dontaudit_list_unlabeled($1_mplayer_t) diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if index 965e988..8ed37fb 100644 --- a/policy/modules/apps/rssh.if +++ b/policy/modules/apps/rssh.if @@ -53,7 +53,7 @@ template(`rssh_per_role_template',` allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_rssh_t self:fd use; - allow $1_rssh_t self:fifo_file rw_file_perms; + allow $1_rssh_t self:fifo_file rw_fifo_file_perms; allow $1_rssh_t self:unix_dgram_socket create_socket_perms; allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms; allow $1_rssh_t self:unix_dgram_socket sendto; 
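Review bot: The mplayer -254 hunk keeps `dir` in `fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` although the tmpfs rules above it grant no manage_dirs_pattern, whereas the java, mozilla, tvtime and uml hunks in this diff drop `dir` from the same call in the same situation; the thunderbird -64 hunk has the identical leftover. A transition on a class the domain cannot create is inert but misleading, so either use `fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ file lnk_file sock_file fifo_file })` or add `manage_dirs_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)` if directory creation in tmpfs is actually wanted. Since the old rule was `dir rw_dir_perms`, dropping `dir` should be behavior-preserving provided that set does not include create.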
@@ -67,10 +67,10 @@ template(`rssh_per_role_template',` term_create_pty($1_rssh_t,$1_rssh_devpts_t) allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms; - allow $1_rssh_t $1_rssh_ro_t:file read_file_perms; + read_files_pattern($1_rssh_t,$1_rssh_ro_t,$1_rssh_ro_t) - allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms; - allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms; + manage_dirs_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t) + manage_files_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t) kernel_read_system_state($1_rssh_t) kernel_read_kernel_sysctls($1_rssh_t) @@ -116,10 +116,7 @@ interface(`rssh_spec_domtrans_all_users',` type rssh_exec_t; ') - domain_trans($1,rssh_exec_t,rssh_domain_type) - allow rssh_domain_type $1:fd use; - allow rssh_domain_type $1:fifo_file rw_file_perms; - allow rssh_domain_type $1:process sigchld; + spec_domtrans_pattern($1,rssh_exec_t,rssh_domain_type) ') ######################################## @@ -137,7 +134,7 @@ interface(`rssh_read_all_users_ro_content',` attribute rssh_ro_content_type; ') - allow $1 rssh_ro_content_type:dir r_dir_perms; - allow $1 rssh_ro_content_type:file r_file_perms; - allow $1 rssh_ro_content_type:lnk_file { getattr read }; + allow $1 rssh_ro_content_type:dir list_dir_perms; + read_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type) + read_lnk_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type) ') diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 48eb884..ad5c105 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if 
@@ -71,33 +71,33 @@ template(`screen_per_role_template',` allow $1_screen_t self:unix_stream_socket create_socket_perms; allow $1_screen_t self:unix_dgram_socket create_socket_perms; - allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms; - allow $1_screen_t $1_screen_tmp_t:file create_file_perms; - allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms; + manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) + manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) + manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir }) # Create fifo - allow $1_screen_t screen_dir_t:dir rw_dir_perms; - allow $1_screen_t screen_dir_t:dir create_dir_perms; - allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms; - type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t; + manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t) + manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t) + filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) files_pid_filetrans($1_screen_t,screen_dir_t,dir) - allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms; - allow $1_screen_t $1_screen_ro_home_t:file r_file_perms; - allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr }; + allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; + read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) + read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) - domain_auto_trans($2, screen_exec_t, $1_screen_t) + allow $1_screen_t $2:process signal; + + domtrans_pattern($2, screen_exec_t, $1_screen_t) allow $2 $1_screen_t:process signal; - allow $1_screen_t $2:process { signal sigchld }; - allow $1_screen_t $2:fd use; - allow $1_screen_t $2:fifo_file rw_file_perms; - allow $1_screen_t $1_home_dir_t:dir { search getattr }; - - allow $2 $1_screen_ro_home_t:dir create_dir_perms; - allow $2 
$1_screen_ro_home_t:file create_file_perms; - allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms; - allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + allow $1_screen_t $2:process signal; + + manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) @@ -190,11 +190,4 @@ template(`screen_per_role_template',` optional_policy(` nscd_socket_use($1_screen_t) ') - - ifdef(`TODO',` - # Inherit and use descriptors from gnome-pty-helper. - optional_policy(` - allow $1_screen_t $1_gph_t:fd use; - ') - ') dnl TODO ') diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if index 4abc8b2..1d3e061 100644 --- a/policy/modules/apps/slocate.if +++ b/policy/modules/apps/slocate.if @@ -16,6 +16,6 @@ interface(`slocate_create_append_log',` ') logging_search_logs($1) - allow $1 locate_log_t:dir ra_dir_perms; - allow $1 locate_log_t:file { create append getattr }; + create_files_pattern($1,locate_log_t,locate_log_t) + append_files_pattern($1,locate_log_t,locate_log_t) ') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index e93fb0f..28c3b0b 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te 
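Review bot: The screen -71 hunk adds `allow $1_screen_t $2:process signal;` twice on the new side, once before `domtrans_pattern($2, screen_exec_t, $1_screen_t)` and again after `allow $2 $1_screen_t:process signal;`; the second copy should go. The same hunk removes `allow $1_screen_t $1_home_dir_t:dir { search getattr };` with no replacement visible in the hunk — if a userdom_search_user_home_dirs call elsewhere in the template covers it, fine, otherwise screen loses the ability to traverse the user's home directory to reach `$1_screen_ro_home_t`. The template body continues outside the hunk.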
@@ -23,11 +23,11 @@ files_type(locate_var_lib_t) allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; allow locate_t self:process { execmem execheap execstack }; -allow locate_t self:fifo_file rw_file_perms; +allow locate_t self:fifo_file rw_fifo_file_perms; allow locate_t self:unix_stream_socket create_socket_perms; -allow locate_t locate_var_lib_t:dir create_dir_perms; -allow locate_t locate_var_lib_t:file create_file_perms; +manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t) +manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t) kernel_read_system_state(locate_t) kernel_dontaudit_search_sysctl(locate_t) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index 1e5f7a1..9a77b22 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if 
@@ -64,16 +64,15 @@ template(`thunderbird_per_role_template',` allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; # Access ~/.thunderbird - allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms; - allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms; - allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t) + manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t) + manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t) userdom_search_user_home_dirs($1,$1_thunderbird_t) - allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms; - allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms; - allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms; - allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms; - allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms; + manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) + manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) + manage_fifo_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) + manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow $2 $1_thunderbird_t:fd use; 
@@ -84,15 +83,15 @@ template(`thunderbird_per_role_template',` allow $1_thunderbird_t $2:unix_stream_socket connectto; # Allow the user domain to signal/ps. - allow $2 $1_thunderbird_t:dir { search getattr read }; - allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr }; - allow $2 $1_thunderbird_t:process getattr; + ps_process_pattern($2,$1_thunderbird_t) # Access ~/.thunderbird - allow $2 $1_thunderbird_home_t:dir manage_dir_perms; - allow $2 $1_thunderbird_home_t:file manage_file_perms; - allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms; - allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) # Allow netstat kernel_read_network_state($1_thunderbird_t) diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index f743169..679e1b9 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if 
@@ -65,40 +65,34 @@ template(`tvtime_per_role_template',` allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; # X access, Home files - allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms; - allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms; - allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms; - type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t; + manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) + manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) + manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir) - allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms; - allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms; - files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file }) + manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) + manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) + files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir }) - allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) + manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) + manage_fifo_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) + 
manage_sock_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) + fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) # Type transition - domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t) - allow $2 $1_tvtime_t:fd use; - allow $1_tvtime_t $2:fd use; - allow $1_tvtime_t $2:fifo_file rw_file_perms; - allow $1_tvtime_t $2:process sigchld; + domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) # X access, Home files - allow $2 $1_tvtime_home_t:dir manage_dir_perms; - allow $2 $1_tvtime_home_t:file manage_file_perms; - allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms; - allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) + manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) + manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) + relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) + relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) + relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) # Allow the user domain to signal/ps. - allow $2 $1_tvtime_t:dir { search getattr read }; - allow $2 $1_tvtime_t:{ file lnk_file } { read getattr }; - allow $2 $1_tvtime_t:process getattr; + ps_process_pattern($2,$1_tvtime_t) allow $2 $1_tvtime_t:process signal_perms; kernel_read_all_sysctls($1_tvtime_t) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index a599b7d..37c5c7e 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -64,7 +64,8 @@ template(`uml_per_role_template',` # # Local policy # - allow $1_uml_t self:fifo_file rw_file_perms; + + allow $1_uml_t self:fifo_file rw_fifo_file_perms; allow $1_uml_t self:process { signal_perms ptrace }; allow $1_uml_t self:unix_stream_socket create_stream_socket_perms; allow $1_uml_t self:unix_dgram_socket create_socket_perms; 
@@ -79,52 +80,58 @@ template(`uml_per_role_template',`
 allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
 term_create_pty($1_uml_t,$1_uml_devpts_t)
- allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
- allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_files_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
 files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
 can_exec($1_uml_t, $1_uml_tmp_t)
- allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_lnk_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_fifo_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_sock_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ file lnk_file sock_file fifo_file })
 can_exec($1_uml_t, $1_uml_tmpfs_t)
 # access config files
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
-
- allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
- allow $1_uml_t $1_uml_rw_t:file create_file_perms;
- allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
- allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
- allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
+ allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
+ read_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
+ read_lnk_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
+
+ manage_dirs_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_lnk_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_fifo_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_sock_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
 userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
- allow $2 uml_ro_t:dir r_dir_perms;
- allow $2 uml_ro_t:file r_file_perms;
- allow $2 uml_ro_t:lnk_file { getattr read };
-
- allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
- allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
- allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
- allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-
- allow $2 $1_uml_t:process ptrace;
- allow $2 $1_uml_t:process signal_perms;
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2,uml_ro_t,uml_ro_t)
+ read_lnk_files_pattern($2,uml_ro_t,uml_ro_t)
+
+ manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+
+ manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
 # allow ps, ptrace, signal
- allow $2 $1_uml_t:dir { search getattr read };
- allow $2 $1_uml_t:{ file lnk_file } { read getattr };
- allow $2 $1_uml_t:process getattr;
+ ps_process_pattern($2,$1_uml_t)
+ allow $2 $1_uml_t:process { ptrace signal_perms };
- allow $2 $1_uml_tmp_t:dir create_dir_perms;
- allow $2 $1_uml_tmp_t:file create_file_perms;
- allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
- allow $2 $1_uml_tmp_t:sock_file create_file_perms;
+ manage_dirs_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_lnk_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_sock_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
 # Transition from the user domain to this domain.
 domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
@@ -245,7 +252,6 @@ interface(`uml_manage_util_files',`
 type uml_switch_var_run_t;
 ')
- allow $1 uml_switch_var_run_t:dir rw_dir_perms;
- allow $1 uml_switch_var_run_t:file create_file_perms;
- allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
+ manage_lnk_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
 ')
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index ccce2af..4791630 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
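Review bot: The `manage_dirs_pattern`, `manage_files_pattern`, `relabel_dirs_pattern` and `relabel_files_pattern` calls on `{ $1_uml_ro_t $1_uml_rw_t }` are subsumed by the four identical calls on `{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }` that immediately follow, so the user domain's dir and file access on the ro and rw types is granted twice. Keeping only the lnk_file, fifo_file and sock_file patterns on the two-type set and the dir/file patterns on the three-type set expresses the old rules without the duplication. Separately, the context line `domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)` at the end of the hunk is the one domain_auto_trans in this series that is not converted to domtrans_pattern; if that is an oversight rather than a deliberate choice to keep the transition without the fd/fifo/sigchld rules, a `# kept as domain_auto_trans: ...` comment or the conversion itself would settle it. The template's closing is outside the hunk.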
@@ -29,9 +29,8 @@ allow uml_switch_t self:process signal_perms;
 allow uml_switch_t self:unix_dgram_socket create_socket_perms;
 allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
 files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
 kernel_read_kernel_sysctls(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index e755216..4cd3e01 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -57,8 +57,9 @@ template(`userhelper_per_role_template',`
 #
 allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
 allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
 allow $1_userhelper_t self:fd use;
- allow $1_userhelper_t self:fifo_file rw_file_perms;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
 allow $1_userhelper_t self:shm create_shm_perms;
 allow $1_userhelper_t self:sem create_sem_perms;
 allow $1_userhelper_t self:msgq create_msgq_perms;
@@ -67,19 +68,13 @@ template(`userhelper_per_role_template',`
 allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_userhelper_t self:unix_dgram_socket sendto;
 allow $1_userhelper_t self:unix_stream_socket connectto;
- allow $1_userhelper_t self:sock_file r_file_perms;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
 #Transition to the derived domain.
- domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
- allow $2 $1_userhelper_t:fd use;
- allow $1_userhelper_t $2:fd use;
- allow $1_userhelper_t $2:fifo_file rw_file_perms;
- allow $1_userhelper_t $2:process sigchld;
+ domtrans_pattern($2,userhelper_exec_t,$1_userhelper_t)
- allow $1_userhelper_t self:process setexec;
-
- allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
 allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)
 can_exec($1_userhelper_t, userhelper_exec_t)
@@ -199,11 +194,11 @@ template(`userhelper_per_role_template',`
 allow $1_userhelper_t gphdomain:fd use;
 ')
 optional_policy(`
- domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
 ')
 optional_policy(`
- domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+ domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
 ')
 # for when the network connection is killed
 dontaudit unpriv_userdomain $1_userhelper_t:process signal;
@@ -269,6 +264,7 @@ template(`userhelper_use_user_fd',`
 allow $2 $1_userhelper_t:fd use;
 ')
+
 ########################################
 ##
 ## Allow domain to send sigchld to userhelper.
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 49a9779..9b2d76e 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
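Review bot: `domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)` and `domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` in the -199 hunk replace bare domain_auto_trans calls that had no accompanying fd use, fifo_file and sigchld rules, whereas at every other site in this change those rules are deleted together with domain_auto_trans, which suggests domtrans_pattern supplies them. If so, these two optional blocks now grant fd use, fifo_file rw and sigchld between userhelper and xauth, and between mozilla and userhelper — a small widening rather than a pure refactor, which deserves a sentence in the commit message or a comment such as `# domtrans_pattern also grants fd/fifo/sigchld between the domains`. In the -67 hunk, `rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)` sits under the surviving explicit `allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;`; if the pattern already carries the directory permissions it needs, that line is now redundant. The template continues outside both hunks.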
@@ -16,12 +16,7 @@ interface(`usernetctl_domtrans',`
 ')
 tunable_policy(`user_net_control',`
- domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
-
- allow $1 usernetctl_t:fd use;
- allow usernetctl_t $1:fd use;
- allow usernetctl_t $1:fifo_file rw_file_perms;
- allow usernetctl_t $1:process sigchld;
+ domtrans_pattern($1,usernetctl_exec_t,usernetctl_t)
 ',`
 can_exec($1,usernetctl_exec_t)
 ')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 8a51e3f..e45c4a7 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -20,7 +20,7 @@ domain_interactive_fd(usernetctl_t)
 allow usernetctl_t self:capability { setuid setgid dac_override };
 allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow usernetctl_t self:fd use;
-allow usernetctl_t self:fifo_file rw_file_perms;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
 allow usernetctl_t self:shm create_shm_perms;
 allow usernetctl_t self:sem create_sem_perms;
 allow usernetctl_t self:msgq create_msgq_perms;
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 8ed664a..2033523 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -64,17 +64,12 @@ template(`vmware_per_role_template',`
 # Local policy
 #
- domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
- allow $1_vmware_t $2:fd use;
- allow $1_vmware_t $2:fifo_file rw_file_perms;
- allow $1_vmware_t $2:process sigchld;
-
 allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
 dontaudit $1_vmware_t self:capability sys_tty_config;
 allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow $1_vmware_t self:process { execmem execstack };
 allow $1_vmware_t self:fd use;
- allow $1_vmware_t self:fifo_file rw_file_perms;
+ allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
 allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
 allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_vmware_t self:unix_dgram_socket sendto;
@@ -90,33 +85,34 @@ template(`vmware_per_role_template',`
 allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
 # VMWare disks
- allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
- allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
- allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
- allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
- allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
+ allow $1_vmware_t $1_vmware_tmp_t:file execute;
+ manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
+ manage_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
 files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
- allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_fifo_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
 fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Read clobal configuration files
- allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
- allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
- allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
-
- allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
- allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+ allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
+ read_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
+ read_lnk_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
+
+ manage_dirs_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
 files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
+ domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
+
 kernel_read_system_state($1_vmware_t)
 kernel_read_network_state($1_vmware_t)
 kernel_read_kernel_sysctls($1_vmware_t)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index e41d16c..2fd5956 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
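Review bot: `domtrans_pattern($2, vmware_exec_t, $1_vmware_t)` replaces a domain_auto_trans whose only companions, removed in the earlier -64 hunk, were `$1_vmware_t $2:fd use`, `$1_vmware_t $2:fifo_file rw_file_perms` and `$1_vmware_t $2:process sigchld`; there was no `allow $2 $1_vmware_t:fd use;`, so if domtrans_pattern grants the user domain fd use on the vmware domain this is a small widening rather than a pure rewrite, and worth stating. The context line `fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` keeps dir although no manage_dirs_pattern exists for $1_vmware_tmpfs_t in either version, while the tvtime and uml hunks drop dir in the same situation; changing it to `{ file lnk_file sock_file fifo_file }` keeps the series consistent. The template continues outside the hunk.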
@@ -30,17 +30,15 @@ files_pid_file(vmware_var_run_t)
 allow vmware_host_t self:capability { setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process signal_perms;
-allow vmware_host_t self:fifo_file rw_file_perms;
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
 # cjp: the ro and rw files should be split up
-allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
-allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
-allow vmware_host_t vmware_var_run_t:file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
+manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
 files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(vmware_host_t)
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index b754943..823dc07 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -15,12 +15,7 @@ interface(`webalizer_domtrans',`
 type webalizer_t, webalizer_exec_t;
 ')
- domain_auto_trans($1,webalizer_exec_t,webalizer_t)
-
- allow $1 webalizer_t:fd use;
- allow webalizer_t $1:fd use;
- allow webalizer_t $1:fifo_file rw_file_perms;
- allow webalizer_t $1:process sigchld;
+ domtrans_pattern($1,webalizer_exec_t,webalizer_t)
 ')
 ########################################
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 4fd3263..ace13c2 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -5,6 +5,7 @@ policy_module(webalizer,1.3.0)
 #
 # Declarations
 #
+
 type webalizer_t;
 type webalizer_exec_t;
 domain_type(webalizer_t)
@@ -30,11 +31,12 @@ files_type(webalizer_write_t)
 #
 # Local policy
 #
+
 allow webalizer_t self:capability dac_override;
 allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow webalizer_t self:fd use;
-allow webalizer_t self:fifo_file rw_file_perms;
-allow webalizer_t self:sock_file r_file_perms;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
 allow webalizer_t self:shm create_shm_perms;
 allow webalizer_t self:sem create_sem_perms;
 allow webalizer_t self:msgq create_msgq_perms;
@@ -49,12 +51,11 @@ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 allow webalizer_t webalizer_etc_t:file { getattr read };
-allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
-allow webalizer_t webalizer_tmp_t:file create_file_perms;
+manage_dirs_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
+manage_files_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
-allow webalizer_t webalizer_var_lib_t:file create_file_perms;
-allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(webalizer_t,webalizer_var_lib_t,webalizer_var_lib_t)
 files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
 kernel_read_kernel_sysctls(webalizer_t)
@@ -93,17 +94,17 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
- ftp_read_log(webalizer_t)
+ cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
 optional_policy(`
- nis_use_ypbind(webalizer_t)
+ ftp_read_log(webalizer_t)
 ')
 optional_policy(`
- nscd_socket_use(webalizer_t)
+ nis_use_ypbind(webalizer_t)
 ')
 optional_policy(`
- cron_system_entry(webalizer_t,webalizer_exec_t)
+ nscd_socket_use(webalizer_t)
 ')
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 00b468e..84b362a 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -16,10 +16,5 @@ interface(`wine_domtrans',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1, wine_exec_t, wine_t)
-
- allow $1 wine_t:fd use;
- allow wine_t $1:fd use;
- allow wine_t $1:fifo_file rw_file_perms;
- allow wine_t $1:process sigchld;
+ domtrans_pattern($1, wine_exec_t, wine_t)
 ')
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index 57e30ea..cb13e77 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -16,12 +16,7 @@ interface(`yam_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,yam_exec_t,yam_t)
-
- allow $1 yam_t:fd use;
- allow yam_t $1:fd use;
- allow yam_t $1:fifo_file rw_file_perms;
- allow yam_t $1:process sigchld;
+ domtrans_pattern($1,yam_exec_t,yam_t)
 ')
 ########################################
@@ -72,6 +67,6 @@ interface(`yam_read_content',`
 ')
 allow $1 yam_content_t:dir list_dir_perms;
- allow $1 yam_content_t:file read_file_perms;
- allow $1 yam_content_t:lnk_file { getattr read };
+ read_files_pattern($1,yam_content_t,yam_content_t)
+ read_lnk_files_pattern($1,yam_content_t,yam_content_t)
 ')
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 9181eba..bd82b0d 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -29,7 +29,7 @@ allow yam_t self:capability { chown fowner fsetid dac_override };
 allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow yam_t self:process execmem;
 allow yam_t self:fd use;
-allow yam_t self:fifo_file rw_file_perms;
+allow yam_t self:fifo_file rw_fifo_file_perms;
 allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
 allow yam_t self:shm create_shm_perms;
@@ -39,15 +39,15 @@ allow yam_t self:msg { send receive };
 allow yam_t self:tcp_socket create_socket_perms;
 # Update the content being managed by yam.
-allow yam_t yam_content_t:dir create_dir_perms;
-allow yam_t yam_content_t:file create_file_perms;
-allow yam_t yam_content_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(yam_t,yam_content_t,yam_content_t)
+manage_files_pattern(yam_t,yam_content_t,yam_content_t)
+manage_lnk_files_pattern(yam_t,yam_content_t,yam_content_t)
 allow yam_t yam_etc_t:file { getattr read };
 files_search_etc(yam_t)
-allow yam_t yam_tmp_t:dir create_dir_perms;
-allow yam_t yam_tmp_t:file create_file_perms;
+manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)
+manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)
 files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
 kernel_read_kernel_sysctls(yam_t)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 338068d..6531489 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
+ search_dirs_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
 type bin_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -169,7 +169,7 @@ interface(`corecmd_getattr_bin_files',`
 type bin_t;
 ')
- allow $1 bin_t:file getattr;
+ getattr_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -187,8 +187,7 @@ interface(`corecmd_read_bin_files',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:file read_file_perms;
+ read_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
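Review bot: `manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)` is placed before `manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)`, the reverse of the yam_content_t block a few lines above and of every other converted site in this series, which list the dirs pattern first; swapping the two lines keeps the ordering uniform. Nothing else on this line's hunks goes beyond the macro substitution, provided read_files_pattern supplies the directory search that the removed `allow $1 bin_t:dir search_dir_perms;` in corecmd_read_bin_files used to grant explicitly.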
@@ -206,8 +205,7 @@ interface(`corecmd_read_bin_symlinks',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -225,8 +223,7 @@ interface(`corecmd_read_bin_pipes',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:fifo_file read_file_perms;
+ read_fifo_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -244,8 +241,7 @@ interface(`corecmd_read_bin_sockets',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:sock_file read_file_perms;
+ read_sock_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -264,10 +260,9 @@ interface(`corecmd_exec_bin',`
 type bin_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ list_dirs_pattern($1,bin_t,bin_t)
 can_exec($1,bin_t)
-
 ')
 ########################################
@@ -285,8 +280,7 @@ interface(`corecmd_manage_bin_files',`
 type bin_t;
 ')
- allow $1 bin_t:dir rw_dir_perms;
- allow $1 bin_t:file manage_file_perms;
+ manage_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -304,8 +298,7 @@ interface(`corecmd_relabel_bin_files',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@@ -368,10 +361,8 @@ interface(`corecmd_bin_spec_domtrans',`
 type bin_t;
 ')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:lnk_file { getattr read };
-
- domain_trans($1,bin_t,$2)
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ domain_transition_pattern($1,bin_t,$2)
 ')
 ########################################
@@ -469,7 +460,7 @@ interface(`corecmd_list_sbin',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir list_dir_perms;
+ list_dirs_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
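Review bot: In corecmd_exec_bin, `read_lnk_files_pattern($1,bin_t,bin_t)` precedes `list_dirs_pattern($1,bin_t,bin_t)`, while corecmd_exec_sbin, corecmd_check_exec_shell, corecmd_exec_shell and corecmd_exec_ls in the following hunks all list the dirs pattern first; swapping the two lines makes the bin and sbin interfaces read alike. The same hunk also removes the blank line before the closing `')`, which the sibling interfaces keep, so that is worth reverting for consistency as well.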
@@ -487,7 +478,7 @@ interface(`corecmd_getattr_sbin_files',`
 type sbin_t;
 ')
- allow $1 sbin_t:file getattr;
+ getattr_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -524,8 +515,7 @@ interface(`corecmd_read_sbin_files',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:file read_file_perms;
+ read_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -543,8 +533,7 @@ interface(`corecmd_read_sbin_symlinks',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -562,8 +551,7 @@ interface(`corecmd_read_sbin_pipes',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:fifo_file read_file_perms;
+ read_fifo_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -581,8 +569,7 @@ interface(`corecmd_read_sbin_sockets',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:sock_file read_file_perms;
+ read_sock_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -601,8 +588,8 @@ interface(`corecmd_exec_sbin',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir list_dir_perms;
- allow $1 sbin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,sbin_t,sbin_t)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
 can_exec($1,sbin_t)
 ')
@@ -622,8 +609,7 @@ interface(`corecmd_manage_sbin_files',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir rw_dir_perms;
- allow $1 sbin_t:file manage_file_perms;
+ manage_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -642,8 +628,7 @@ interface(`corecmd_relabel_sbin_files',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@@ -705,10 +690,8 @@ interface(`corecmd_sbin_domtrans',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file { getattr read };
-
- domain_auto_trans($1,sbin_t,$2)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
+ domain_auto_transition_pattern($1,sbin_t,$2)
 ')
 ########################################
@@ -752,10 +735,8 @@ interface(`corecmd_sbin_spec_domtrans',`
 type sbin_t;
 ')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file { getattr read };
-
- domain_trans($1,sbin_t,$2)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
+ domain_transition_pattern($1,sbin_t,$2)
 ')
 ########################################
@@ -773,8 +754,8 @@ interface(`corecmd_check_exec_shell',`
 type bin_t, shell_exec_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
 allow $1 shell_exec_t:file execute;
 ')
@@ -793,8 +774,8 @@ interface(`corecmd_exec_shell',`
 type bin_t, shell_exec_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
 can_exec($1,shell_exec_t)
 ')
@@ -813,8 +794,8 @@ interface(`corecmd_exec_ls',`
 type bin_t, ls_exec_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
 can_exec($1,ls_exec_t)
 ')
@@ -852,10 +833,9 @@ interface(`corecmd_shell_spec_domtrans',`
 type bin_t, shell_exec_t;
 ')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
-
- domain_trans($1,shell_exec_t,$2)
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ domain_transition_pattern($1,shell_exec_t,$2)
 ')
 ########################################
@@ -907,6 +887,7 @@ interface(`corecmd_exec_chroot',`
 type chroot_exec_t;
 ')
+ read_lnk_files_pattern($1,bin_t,bin_t)
 can_exec($1,chroot_exec_t)
 allow $1 self:capability sys_chroot;
 ')
@@ -929,8 +910,8 @@ interface(`corecmd_exec_all_executables',`
 ')
 can_exec($1,exec_type)
- allow $1 { bin_t sbin_t }:dir list_dir_perms;
- allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
+ list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+ read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 ')
 ########################################
@@ -950,9 +931,8 @@ interface(`corecmd_manage_all_executables',`
 type bin_t, sbin_t;
 ')
- allow $1 exec_type:file manage_file_perms;
- allow $1 { bin_t sbin_t }:dir rw_dir_perms;
- allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
+ manage_files_pattern($1,{ bin_t sbin_t },exec_type)
+ manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 ')
 ########################################
@@ -971,7 +951,7 @@ interface(`corecmd_relabel_all_executables',`
 attribute exec_type;
 ')
- allow $1 exec_type:file { relabelfrom relabelto };
+ allow $1 exec_type:file relabel_file_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b19784e..fc2e6c8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
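Review bot: `read_lnk_files_pattern($1,bin_t,bin_t)` is added to corecmd_exec_chroot, but the visible tail of its gen_require block declares only `type chroot_exec_t;`; if bin_t is not declared earlier in that block (its start is outside the hunk), the interface references an unrequired type and the module build will reject it, so the require should read `type bin_t, chroot_exec_t;` as corecmd_exec_shell and corecmd_exec_ls below already do. A short comment above the new line saying why chroot needs bin_t symlinks would also help, since nothing in the interface's visible text explains the addition.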
@@ -63,13 +63,13 @@ interface(`dev_relabel_all_dev_nodes',`
 type device_t;
 ')
- allow $1 device_node:dir { getattr relabelfrom };
- allow $1 device_node:file { getattr relabelfrom };
- allow $1 device_node:lnk_file { getattr relabelfrom };
- allow $1 device_node:fifo_file { getattr relabelfrom };
- allow $1 device_node:sock_file { getattr relabelfrom };
- allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
- allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
+ relabelfrom_dirs_pattern($1,device_t,device_node)
+ relabelfrom_files_pattern($1,device_t,device_node)
+ relabelfrom_lnk_files_pattern($1,device_t,device_node)
+ relabelfrom_fifo_files_pattern($1,device_t,device_node)
+ relabelfrom_sock_files_pattern($1,device_t,device_node)
+ relabel_blk_files_pattern($1,device_t,{ device_t device_node })
+ relabel_chr_files_pattern($1,device_t,{ device_t device_node })
 ')
 ########################################
@@ -87,8 +87,9 @@ interface(`dev_list_all_dev_nodes',`
 type device_t;
 ')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:lnk_file { getattr read };
+
+ list_dirs_pattern($1,device_t,device_t)
+ read_lnk_files_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -106,7 +107,7 @@ interface(`dev_setattr_generic_dirs',`
 type device_t;
 ')
- allow $1 device_t:dir setattr;
+ setattr_dirs_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -124,7 +125,25 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
 type device_t;
 ')
- dontaudit $1 device_t:dir r_dir_perms;
+ dontaudit $1 device_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Add entries to directories in /dev.
+##
+##
+##
+## Domain allowed to add entries.
+##
+##
+#
+interface(`dev_add_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir add_entry_dir_perms;
 ')
 ########################################
@@ -143,6 +162,7 @@ interface(`dev_create_generic_dirs',`
 ')
 allow $1 device_t:dir { ra_dir_perms create };
+ create_dirs_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -160,7 +180,7 @@ interface(`dev_delete_generic_dirs',`
 type device_t;
 ')
- allow $1 device_t:dir { del_entry_dir_perms rmdir };
+ delete_dirs_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -178,7 +198,7 @@ interface(`dev_relabel_generic_dev_dirs',`
 type device_t;
 ')
- allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
+ relabel_dirs_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -214,8 +234,7 @@ interface(`dev_rw_generic_files',`
 type device_t;
 ')
- allow $1 device_t:dir search;
- allow $1 device_t:file rw_file_perms;
+ rw_files_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -233,8 +252,7 @@ interface(`dev_delete_generic_files',`
 type device_t;
 ')
- allow $1 device_t:dir { search write remove_name };
- allow $1 device_t:file unlink;
+ delete_files_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -252,8 +270,7 @@ interface(`dev_manage_generic_files',`
 type device_t;
 ')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:file manage_file_perms;
+ manage_files_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -289,8 +306,7 @@ interface(`dev_getattr_generic_blk_files',`
 type device_t;
 ')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:blk_file getattr;
+ getattr_blk_files_pattern($1,device_t,device_t)
 ')
 ########################################
@@ -344,10 +360,7 @@ interface(`dev_create_generic_chr_files',`
 type device_t;
 ')
- allow $1 device_t:dir ra_dir_perms;
- allow $1 device_t:chr_file create;
-
- allow $1 self:capability mknod;
+ create_chr_files_pattern($1,device_t,device_t)
 ')
 ########################################
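Review bot: dev_create_generic_chr_files drops `allow $1 self:capability mknod;` together with the old dir and chr_file rules, and dev_manage_generic_blk_files and dev_manage_generic_chr_files in the next hunk group do the same. Creating a device node requires CAP_MKNOD, so unless create_chr_files_pattern and manage_*_files_pattern grant it — not visible here, and a file-class pattern would not normally touch capabilities — every caller of these three interfaces now needs `allow <domain> self:capability mknod;` in its own policy or node creation will be denied. Moving the capability grant out of a file-access interface is defensible, but it is a behavioural change the interface descriptions should record, e.g. `## The caller must separately be allowed the mknod capability.`. In dev_create_generic_dirs, the surviving `allow $1 device_t:dir { ra_dir_perms create };` and the new `create_dirs_pattern($1,device_t,device_t)` overlap; if the pattern covers the dir permissions the explicit allow is now redundant.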
@@ -365,8 +378,7 @@ interface(`dev_getattr_generic_chr_files',` type device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,device_t) ') ######################################## @@ -439,8 +451,7 @@ interface(`dev_create_generic_symlinks',` type device_t; ') - allow $1 device_t:dir add_entry_dir_perms; - allow $1 device_t:lnk_file create; + create_lnk_files_pattern($1,device_t,device_t) ') ######################################## @@ -458,8 +469,7 @@ interface(`dev_delete_generic_symlinks',` type device_t; ') - allow $1 device_t:dir del_entry_dir_perms; - allow $1 device_t:lnk_file unlink; + delete_lnk_files_pattern($1,device_t,device_t) ') ######################################## @@ -477,8 +487,7 @@ interface(`dev_manage_generic_symlinks',` type device_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,device_t,device_t) ') ######################################## @@ -496,8 +505,7 @@ interface(`dev_relabel_generic_symlinks',` type device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 device_t:lnk_file { relabelfrom relabelto }; + relabel_lnk_files_pattern($1,device_t,device_t) ') ######################################## 
@@ -516,11 +524,14 @@ interface(`dev_manage_all_dev_nodes',` type device_t; ') - allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; - allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + manage_dirs_pattern($1,device_t,device_t) + manage_sock_files_pattern($1,device_t,device_t) + manage_lnk_files_pattern($1,device_t,device_t) + manage_chr_files_pattern($1,device_t,{ device_t device_node }) + manage_blk_files_pattern($1,device_t,{ device_t device_node }) + relabel_dirs_pattern($1,device_t,device_t) + relabel_chr_files_pattern($1,device_t,{ device_t device_node }) + relabel_blk_files_pattern($1,device_t,{ device_t device_node }) # these next rules are to satisfy assertions broken by the above lines. # the permissions hopefully can be cut back a lot @@ -566,9 +577,7 @@ interface(`dev_manage_generic_blk_files',` type device_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_t:blk_file create_file_perms; - allow $1 self:capability mknod; + manage_blk_files_pattern($1,device_t,device_t) ') ######################################## @@ -586,9 +595,7 @@ interface(`dev_manage_generic_chr_files',` type device_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_t:chr_file create_file_perms; - allow $1 self:capability mknod; + manage_chr_files_pattern($1,device_t,device_t) ') ######################################## 
@@ -618,8 +625,7 @@ interface(`dev_filetrans',` type device_t; ') - allow $1 device_t:dir rw_dir_perms; - type_transition $1 device_t:$3 $2; + filetrans_pattern($1,device_t,$2,$3) fs_associate_tmpfs($2) files_associate_tmp($2) @@ -639,9 +645,10 @@ interface(`dev_filetrans',` interface(`dev_getattr_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') - allow $1 device_node:blk_file getattr; + getattr_blk_files_pattern($1,device_t,device_node) ') ######################################## @@ -678,7 +685,7 @@ interface(`dev_getattr_all_chr_files',` attribute device_node; ') - allow $1 device_node:chr_file getattr; + getattr_chr_files_pattern($1,device_t,device_node) ') ######################################## @@ -715,8 +722,7 @@ interface(`dev_setattr_all_blk_files',` attribute device_node; ') - allow $1 device_t:dir r_dir_perms; - allow $1 device_node:blk_file setattr; + setattr_blk_files_pattern($1,device_t,device_node) ') ######################################## @@ -735,8 +741,7 @@ interface(`dev_setattr_all_chr_files',` attribute device_node; ') - allow $1 device_t:dir r_dir_perms; - allow $1 device_node:chr_file setattr; + setattr_chr_files_pattern($1,device_t,device_node) ') ######################################## @@ -790,9 +795,7 @@ interface(`dev_create_all_blk_files',` attribute device_node; ') - allow $1 self:capability mknod; - allow $1 device_t:dir add_entry_dir_perms; - allow $1 device_node:blk_file create; + create_blk_files_pattern($1,device_t,device_node) ') ######################################## @@ -810,9 +813,7 @@ interface(`dev_create_all_chr_files',` attribute device_node; ') - allow $1 self:capability mknod; - allow $1 device_t:dir add_entry_dir_perms; - allow $1 device_node:chr_file create; + create_chr_files_pattern($1,device_t,device_node) ') ######################################## 
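Review bot: `getattr_chr_files_pattern($1,device_t,device_node)` in dev_getattr_all_chr_files now references device_t, but unlike the sibling dev_getattr_all_blk_files hunk just above, no `type device_t;` is added to its gen_require; the visible gen_require context shows only `attribute device_node;`. If device_t is not already required on a line outside the hunk, the interface will fail to resolve device_t when invoked from another module. The fix mirrors the blk hunk: add `type device_t;` next to `attribute device_node;`. The start of this gen_require block is outside the hunk, so the inference is hedged.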
@@ -830,8 +831,7 @@ interface(`dev_delete_all_blk_files',` attribute device_node; ') - allow $1 device_t:dir del_entry_dir_perms; - allow $1 device_node:blk_file delete_file_perms; + delete_blk_files_pattern($1,device_t,device_node) ') ######################################## @@ -849,8 +849,7 @@ interface(`dev_delete_all_chr_files',` attribute device_node; ') - allow $1 device_t:dir del_entry_dir_perms; - allow $1 device_node:chr_file delete_file_perms; + delete_chr_files_pattern($1,device_t,device_node) ') ######################################## @@ -868,8 +867,7 @@ interface(`dev_rename_all_blk_files',` attribute device_node; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_node:blk_file rename; + rename_blk_files_pattern($1,device_t,device_node) ') ######################################## @@ -887,8 +885,7 @@ interface(`dev_rename_all_chr_files',` attribute device_node; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_node:chr_file rename; + rename_chr_files_pattern($1,device_t,device_node) ') ######################################## @@ -906,8 +903,7 @@ interface(`dev_manage_all_blk_files',` attribute device_node; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_node:blk_file create_file_perms; + manage_blk_files_pattern($1,device_t,device_node) # these next rules are to satisfy assertions broken by the above lines. storage_raw_read_fixed_disk($1) @@ -931,8 +927,7 @@ interface(`dev_manage_all_chr_files',` attribute device_node, memory_raw_read, memory_raw_write; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 device_node:chr_file create_file_perms; + manage_chr_files_pattern($1,device_t,device_node) typeattribute $1 memory_raw_read, memory_raw_write; ') @@ -952,8 +947,7 @@ interface(`dev_getattr_agp_dev',` type device_t, agp_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 agp_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,agp_device_t) ') ######################################## 
@@ -971,8 +965,7 @@ interface(`dev_rw_agp',` type device_t, agp_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 agp_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,agp_device_t) ') ######################################## @@ -990,8 +983,7 @@ interface(`dev_getattr_apm_bios_dev',` type device_t, apm_bios_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 apm_bios_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,apm_bios_t) ') ######################################## @@ -1028,8 +1020,7 @@ interface(`dev_setattr_apm_bios_dev',` type device_t, apm_bios_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 apm_bios_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,apm_bios_t) ') ######################################## @@ -1066,8 +1057,7 @@ interface(`dev_rw_apm_bios',` type device_t, apm_bios_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 apm_bios_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,apm_bios_t) ') ######################################## @@ -1085,8 +1075,7 @@ interface(`dev_rw_cardmgr',` type cardmgr_dev_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 cardmgr_dev_t:chr_file { read write }; + rw_chr_files_pattern($1,device_t,cardmgr_dev_t) ') ######################################## @@ -1124,8 +1113,8 @@ interface(`dev_manage_cardmgr_dev',` type device_t, cardmgr_dev_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; + manage_chr_files_pattern($1,device_t,cardmgr_dev_t) + manage_blk_files_pattern($1,device_t,cardmgr_dev_t) ') ######################################## 
@@ -1145,9 +1134,9 @@ interface(`dev_create_cardmgr_dev',` type device_t, cardmgr_dev_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; - type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t; + create_chr_files_pattern($1,device_t,cardmgr_dev_t) + create_blk_files_pattern($1,device_t,cardmgr_dev_t) + filetrans_pattern($1,device_t,cardmgr_dev_t,{ chr_file blk_file }) ') ######################################## @@ -1166,8 +1155,7 @@ interface(`dev_getattr_cpu_dev',` type device_t, cpu_device_t; ') - allow $1 device_t:dir search; - allow $1 cpu_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,cpu_device_t) ') ######################################## @@ -1185,8 +1173,7 @@ interface(`dev_read_cpuid',` type device_t, cpu_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 cpu_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,cpu_device_t) ') ######################################## @@ -1205,8 +1192,7 @@ interface(`dev_rw_cpu_microcode',` type device_t, cpu_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 cpu_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,cpu_device_t) ') ######################################## @@ -1224,8 +1210,7 @@ interface(`dev_rw_crypto',` type device_t, crypt_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 crypt_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,crypt_device_t) ') ######################################## @@ -1243,8 +1228,7 @@ interface(`dev_getattr_dri_dev',` type device_t, dri_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 dri_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,dri_device_t) ') ######################################## 
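Review bot: dev_create_cardmgr_dev narrows cardmgr_dev_t:{ chr_file blk_file } from manage_file_perms to the create patterns, so a caller that relied on this interface to also read, write or unlink the nodes after creating them loses those permissions; the name says create, so the tightening is defensible, but it is a semantic change rather than the one-for-one macro substitution the rest of the commit performs. Callers that need the broader set should be moved to dev_manage_cardmgr_dev from the preceding hunk, and the XML summary could state that only creation plus the type transition is granted.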
@@ -1262,8 +1246,7 @@ interface(`dev_setattr_dri_dev',` type device_t, dri_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 dri_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,dri_device_t) ') ######################################## @@ -1281,8 +1264,7 @@ interface(`dev_rw_dri',` type device_t, dri_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 dri_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,dri_device_t) ') ######################################## @@ -1318,9 +1300,8 @@ interface(`dev_manage_dri_dev',` type device_t, dri_device_t; ') - allow $1 device_t:dir rw_dir_perms; - allow $1 dri_device_t:chr_file manage_file_perms; - type_transition $1 device_t:chr_file dri_device_t; + manage_chr_files_pattern($1,device_t,dri_device_t) + filetrans_pattern($1,device_t,dri_device_t,chr_file) ') ######################################## @@ -1338,8 +1319,7 @@ interface(`dev_read_input',` type device_t, event_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 event_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,event_device_t) ') ######################################## @@ -1357,8 +1337,7 @@ interface(`dev_rw_input_dev',` type device_t, event_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 event_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,event_device_t) ') ######################################## @@ -1376,8 +1355,7 @@ interface(`dev_getattr_framebuffer_dev',` type device_t, framebuf_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 framebuf_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,framebuf_device_t) ') ######################################## 
@@ -1395,8 +1373,7 @@ interface(`dev_setattr_framebuffer_dev',` type device_t, framebuf_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 framebuf_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,framebuf_device_t) ') ######################################## @@ -1433,8 +1410,7 @@ interface(`dev_read_framebuffer',` type framebuf_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 framebuf_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,framebuf_device_t) ') ######################################## @@ -1470,8 +1446,7 @@ interface(`dev_write_framebuffer',` type device_t, framebuf_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 framebuf_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,framebuf_device_t) ') ######################################## @@ -1489,8 +1464,7 @@ interface(`dev_rw_framebuffer',` type device_t, framebuf_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 framebuf_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,framebuf_device_t) ') ######################################## @@ -1508,8 +1482,7 @@ interface(`dev_read_lvm_control',` type device_t, lvm_control_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 lvm_control_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,lvm_control_t) ') ######################################## @@ -1527,8 +1500,7 @@ interface(`dev_rw_lvm_control',` type device_t, lvm_control_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 lvm_control_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,lvm_control_t) ') ######################################## @@ -1546,8 +1518,7 @@ interface(`dev_delete_lvm_control_dev',` type device_t, lvm_control_t; ') - allow $1 device_t:dir { getattr search read write remove_name }; - allow $1 lvm_control_t:chr_file unlink; + delete_chr_files_pattern($1,device_t,lvm_control_t) ') ######################################## 
@@ -1584,8 +1555,7 @@ interface(`dev_read_raw_memory',` attribute memory_raw_read; ') - allow $1 device_t:dir r_dir_perms; - allow $1 memory_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,memory_device_t) allow $1 self:capability sys_rawio; typeattribute $1 memory_raw_read; @@ -1607,8 +1577,7 @@ interface(`dev_write_raw_memory',` attribute memory_raw_write; ') - allow $1 device_t:dir r_dir_perms; - allow $1 memory_device_t:chr_file write; + write_chr_files_pattern($1,device_t,memory_device_t) allow $1 self:capability sys_rawio; typeattribute $1 memory_raw_write; @@ -1667,8 +1636,7 @@ interface(`dev_getattr_misc_dev',` type device_t, misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 misc_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,misc_device_t) ') ######################################## @@ -1705,8 +1673,7 @@ interface(`dev_setattr_misc_dev',` type device_t, misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 misc_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,misc_device_t) ') ######################################## @@ -1743,8 +1710,7 @@ interface(`dev_read_misc',` type device_t, misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 misc_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,misc_device_t) ') ######################################## @@ -1762,8 +1728,7 @@ interface(`dev_write_misc',` type device_t, misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 misc_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,misc_device_t) ') ######################################## @@ -1799,8 +1764,7 @@ interface(`dev_getattr_mouse_dev',` type device_t, mouse_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mouse_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,mouse_device_t) ') ######################################## 
@@ -1818,8 +1782,7 @@ interface(`dev_setattr_mouse_dev',` type device_t, mouse_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mouse_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,mouse_device_t) ') ######################################## @@ -1837,8 +1800,7 @@ interface(`dev_read_mouse',` type device_t, mouse_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mouse_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,mouse_device_t) ') ######################################## @@ -1856,8 +1818,7 @@ interface(`dev_rw_mouse',` type device_t, mouse_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mouse_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,mouse_device_t) ') ######################################## @@ -1876,8 +1837,8 @@ interface(`dev_getattr_mtrr_dev',` type device_t, mtrr_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mtrr_device_t:{ file chr_file } getattr; + getattr_files_pattern($1,device_t,mtrr_device_t) + getattr_chr_files_pattern($1,device_t,mtrr_device_t) ') ######################################## @@ -1953,8 +1914,8 @@ interface(`dev_rw_mtrr',` type device_t, mtrr_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 mtrr_device_t:{ file chr_file } rw_file_perms; + rw_files_pattern($1,device_t,mtrr_device_t) + rw_chr_files_pattern($1,device_t,mtrr_device_t) ') ######################################## @@ -1972,8 +1933,7 @@ interface(`dev_rw_null',` type device_t, null_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 null_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,null_device_t) ') ######################################## 
@@ -1991,10 +1951,7 @@ interface(`dev_create_null_dev',` type device_t, null_device_t; ') - allow $1 device_t:dir add_entry_dir_perms; - allow $1 null_device_t:chr_file create; - - allow $1 self:capability mknod; + create_chr_files_pattern($1,device_t,null_device_t) ') ######################################## @@ -2031,8 +1988,7 @@ interface(`dev_rw_nvram',` type nvram_device_t; ') - allow $1 device_t:dir search_dir_perms; - allow $1 nvram_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,nvram_device_t) ') ######################################## @@ -2050,8 +2006,7 @@ interface(`dev_getattr_printer_dev',` type device_t, printer_device_t; ') - allow $1 device_t:dir search_dir_perms; - allow $1 printer_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,printer_device_t) ') ######################################## @@ -2069,8 +2024,7 @@ interface(`dev_setattr_printer_dev',` type device_t, printer_device_t; ') - allow $1 device_t:dir search_dir_perms; - allow $1 printer_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,printer_device_t) ') ######################################## @@ -2089,8 +2043,7 @@ interface(`dev_append_printer',` type device_t, printer_device_t; ') - allow $1 device_t:dir search; - allow $1 printer_device_t:chr_file { getattr append }; + append_chr_files_pattern($1,device_t,printer_device_t) ') ######################################## @@ -2108,8 +2061,7 @@ interface(`dev_rw_printer',` type device_t, printer_device_t; ') - allow $1 device_t:dir search; - allow $1 printer_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,printer_device_t) ') ######################################## @@ -2128,8 +2080,7 @@ interface(`dev_read_rand',` type device_t, random_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 random_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,random_device_t) ') ######################################## 
@@ -2168,8 +2119,7 @@ interface(`dev_write_rand',` type device_t, random_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 random_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,random_device_t) ') ######################################## @@ -2187,8 +2137,7 @@ interface(`dev_read_realtime_clock',` type device_t, clock_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 clock_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,clock_device_t) ') ######################################## @@ -2206,8 +2155,9 @@ interface(`dev_write_realtime_clock',` type device_t, clock_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 clock_device_t:chr_file { setattr lock write append ioctl }; + write_chr_files_pattern($1,device_t,clock_device_t) + + allow $1 clock_device_t:chr_file setattr; ') ######################################## @@ -2240,8 +2190,7 @@ interface(`dev_getattr_scanner_dev',` type device_t, scanner_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 scanner_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,scanner_device_t) ') ######################################## @@ -2278,8 +2227,7 @@ interface(`dev_setattr_scanner_dev',` type device_t, scanner_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 scanner_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,scanner_device_t) ') ######################################## @@ -2316,8 +2264,7 @@ interface(`dev_rw_scanner',` type device_t, scanner_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 scanner_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,scanner_device_t) ') ######################################## 
@@ -2335,8 +2282,7 @@ interface(`dev_getattr_sound_dev',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2354,8 +2300,7 @@ interface(`dev_setattr_sound_dev',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2373,8 +2318,7 @@ interface(`dev_read_sound',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2392,8 +2336,7 @@ interface(`dev_write_sound',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2411,8 +2354,7 @@ interface(`dev_read_sound_mixer',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file { getattr read ioctl }; + read_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2430,8 +2372,7 @@ interface(`dev_write_sound_mixer',` type device_t, sound_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,sound_device_t) ') ######################################## @@ -2449,8 +2390,7 @@ interface(`dev_getattr_power_mgmt_dev',` type device_t, power_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 power_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,power_device_t) ') ######################################## 
@@ -2468,8 +2408,7 @@ interface(`dev_setattr_power_mgmt_dev',` type device_t, power_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 power_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,power_device_t) ') ######################################## @@ -2487,8 +2426,7 @@ interface(`dev_rw_power_management',` type device_t, power_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 power_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,power_device_t) ') ######################################## @@ -2506,7 +2444,7 @@ interface(`dev_getattr_sysfs_dirs',` type sysfs_t; ') - allow $1 sysfs_t:dir getattr; + allow $1 sysfs_t:dir getattr_dir_perms; ') ######################################## @@ -2524,7 +2462,7 @@ interface(`dev_search_sysfs',` type sysfs_t; ') - allow $1 sysfs_t:dir search; + search_dirs_pattern($1,sysfs_t,sysfs_t) ') ######################################## @@ -2542,7 +2480,7 @@ interface(`dev_dontaudit_search_sysfs',` type sysfs_t; ') - dontaudit $1 sysfs_t:dir search; + dontaudit $1 sysfs_t:dir search_dir_perms; ') ######################################## @@ -2560,7 +2498,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') - allow $1 sysfs_t:dir r_dir_perms; + list_dirs_pattern($1,sysfs_t,sysfs_t) ') ######################################## @@ -2578,8 +2516,10 @@ interface(`dev_read_sysfs',` type sysfs_t; ') - allow $1 sysfs_t:dir r_dir_perms; - allow $1 sysfs_t:{ file lnk_file } r_file_perms; + read_files_pattern($1,sysfs_t,sysfs_t) + read_lnk_files_pattern($1,sysfs_t,sysfs_t) + + list_dirs_pattern($1,sysfs_t,sysfs_t) ') ######################################## 
@@ -2597,9 +2537,11 @@ interface(`dev_rw_sysfs',` type sysfs_t; ') - allow $1 sysfs_t:dir r_dir_perms; - allow $1 sysfs_t:lnk_file r_file_perms; - allow $1 sysfs_t:file rw_file_perms; + + rw_files_pattern($1,sysfs_t,sysfs_t) + read_lnk_files_pattern($1,sysfs_t,sysfs_t) + + list_dirs_pattern($1,sysfs_t,sysfs_t) ') ######################################## @@ -2617,8 +2559,7 @@ interface(`dev_read_urand',` type device_t, urandom_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 urandom_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,urandom_device_t) ') ######################################## @@ -2656,8 +2597,7 @@ interface(`dev_write_urand',` type device_t, urandom_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 urandom_device_t:chr_file { getattr write ioctl }; + write_chr_files_pattern($1,device_t,urandom_device_t) ') ######################################## @@ -2675,8 +2615,7 @@ interface(`dev_getattr_generic_usb_dev',` type usb_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 usb_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,usb_device_t) ') ######################################## @@ -2694,8 +2633,7 @@ interface(`dev_setattr_generic_usb_dev',` type usb_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 usb_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,usb_device_t) ') ######################################## @@ -2713,8 +2651,7 @@ interface(`dev_rw_generic_usb_dev',` type usb_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 usb_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,usb_device_t) ') ######################################## @@ -2768,7 +2705,7 @@ interface(`dev_getattr_usbfs_dirs',` type usbfs_t; ') - allow $1 usbfs_t:dir getattr; + allow $1 usbfs_t:dir getattr_dir_perms; ') ######################################## 
@@ -2787,7 +2724,7 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` type usbfs_t; ') - dontaudit $1 usbfs_t:dir getattr; + dontaudit $1 usbfs_t:dir getattr_dir_perms; ') ######################################## @@ -2805,7 +2742,7 @@ interface(`dev_search_usbfs',` type usbfs_t; ') - allow $1 usbfs_t:dir search; + search_dirs_pattern($1,usbfs_t,usbfs_t) ') ######################################## @@ -2823,9 +2760,10 @@ interface(`dev_list_usbfs',` type usbfs_t; ') - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:lnk_file r_file_perms; - allow $1 usbfs_t:file getattr; + read_lnk_files_pattern($1,usbfs_t,usbfs_t) + getattr_files_pattern($1,usbfs_t,usbfs_t) + + list_dirs_pattern($1,usbfs_t,usbfs_t) ') ######################################## @@ -2843,8 +2781,8 @@ interface(`dev_setattr_usbfs_files',` type usbfs_t; ') - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:file setattr; + setattr_files_pattern($1,usbfs_t,usbfs_t) + list_dirs_pattern($1,usbfs_t,usbfs_t) ') ######################################## @@ -2863,8 +2801,9 @@ interface(`dev_read_usbfs',` type usbfs_t; ') - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:{ file lnk_file } r_file_perms; + read_files_pattern($1,usbfs_t,usbfs_t) + read_lnk_files_pattern($1,usbfs_t,usbfs_t) + list_dirs_pattern($1,usbfs_t,usbfs_t) ') ######################################## @@ -2882,9 +2821,9 @@ interface(`dev_rw_usbfs',` type usbfs_t; ') - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:lnk_file r_file_perms; - allow $1 usbfs_t:file rw_file_perms; + list_dirs_pattern($1,usbfs_t,usbfs_t) + rw_files_pattern($1,usbfs_t,usbfs_t) + read_lnk_files_pattern($1,usbfs_t,usbfs_t) ') ######################################## @@ -2902,8 +2841,7 @@ interface(`dev_getattr_video_dev',` type device_t, v4l_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 v4l_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,v4l_device_t) ') ######################################## 
@@ -2940,8 +2878,7 @@ interface(`dev_setattr_video_dev',` type device_t, v4l_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 v4l_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,v4l_device_t) ') ######################################## @@ -2978,9 +2915,7 @@ interface(`dev_read_video_dev',` type device_t, v4l_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 device_t:lnk_file { getattr read }; - allow $1 v4l_device_t:chr_file r_file_perms; + read_chr_files_pattern($1,device_t,v4l_device_t) ') ######################################## @@ -2998,8 +2933,7 @@ interface(`dev_rw_vmware',` type device_t, vmware_device_t; ') - allow $1 device_t:dir list_dir_perms; - allow $1 vmware_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,vmware_device_t) ') ######################################## @@ -3017,8 +2951,8 @@ interface(`dev_rwx_vmware',` type device_t, vmware_device_t; ') - allow $1 device_t:dir list_dir_perms; - allow $1 vmware_device_t:chr_file { rw_file_perms execute }; + dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file execute; ') ######################################## @@ -3036,8 +2970,7 @@ interface(`dev_write_watchdog',` type device_t, watchdog_device_t; ') - allow $1 device_t:dir list_dir_perms; - allow $1 watchdog_device_t:chr_file { getattr write }; + write_chr_files_pattern($1,device_t,watchdog_device_t) ') ######################################## @@ -3055,8 +2988,7 @@ interface(`dev_rw_xen',` type device_t, xen_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 xen_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,xen_device_t) ') ######################################## @@ -3074,8 +3006,7 @@ interface(`dev_manage_xen',` type device_t, xen_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 xen_device_t:chr_file manage_file_perms; + manage_chr_files_pattern($1,device_t,xen_device_t) ') ######################################## 
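Review bot: dev_read_video_dev drops `allow $1 device_t:lnk_file { getattr read };` and keeps only `read_chr_files_pattern($1,device_t,v4l_device_t)`, which as written grants no lnk_file access; a caller that reaches the v4l node through a symlink in /dev (presumably why the lnk_file rule existed) will now be denied on the symlink. If that access is still wanted, add `read_lnk_files_pattern($1,device_t,device_t)` after the pattern call; if the rule was dead permission, a short comment noting its deliberate removal would help the next reader.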
@@ -3094,8 +3025,7 @@ interface(`dev_filetrans_xen',` type device_t, xen_device_t; ') - allow $1 device_t:dir rw_dir_perms; - type_transition $1 device_t:chr_file xen_device_t; + filetrans_pattern($1,device_t,xen_device_t,chr_file) ') ######################################## @@ -3113,8 +3043,7 @@ interface(`dev_getattr_xserver_misc_dev',` type device_t, xserver_misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 xserver_misc_device_t:chr_file getattr; + getattr_chr_files_pattern($1,device_t,xserver_misc_device_t) ') ######################################## @@ -3132,8 +3061,7 @@ interface(`dev_setattr_xserver_misc_dev',` type device_t, xserver_misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 xserver_misc_device_t:chr_file setattr; + setattr_chr_files_pattern($1,device_t,xserver_misc_device_t) ') ######################################## @@ -3151,8 +3079,7 @@ interface(`dev_rw_xserver_misc',` type device_t, xserver_misc_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 xserver_misc_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,xserver_misc_device_t) ') ######################################## @@ -3170,8 +3097,7 @@ interface(`dev_rw_zero',` type device_t, zero_device_t; ') - allow $1 device_t:dir r_dir_perms; - allow $1 zero_device_t:chr_file rw_file_perms; + rw_chr_files_pattern($1,device_t,zero_device_t) ') ######################################## @@ -3227,10 +3153,7 @@ interface(`dev_create_zero_dev',` type device_t, zero_device_t; ') - allow $1 device_t:dir add_entry_dir_perms; - allow $1 zero_device_t:chr_file create; - - allow $1 self:capability mknod; + create_chr_files_pattern($1,device_t,zero_device_t) ') ######################################## diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index d1b3087..b2557fd 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if 
@@ -562,9 +562,9 @@ interface(`domain_read_all_domains_state',` ') kernel_search_proc($1) - allow $1 domain:dir r_dir_perms; - allow $1 domain:lnk_file r_file_perms; - allow $1 domain:file r_file_perms; + allow $1 domain:dir list_dir_perms; + read_files_pattern($1,domain,domain) + read_lnk_files_pattern($1,domain,domain) ') ######################################## @@ -621,11 +621,11 @@ interface(`domain_read_confined_domains_state',` ') kernel_search_proc($1) - allow $1 { domain -unconfined_domain_type }:dir r_dir_perms; - allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms; - allow $1 { domain -unconfined_domain_type }:file r_file_perms; + allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; + read_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type }) + read_lnk_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type }) - dontaudit $1 unconfined_domain_type:dir search; + dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file { getattr read }; ') @@ -740,13 +740,13 @@ interface(`domain_dontaudit_read_all_domains_state',` attribute domain; ') - dontaudit $1 domain:dir r_dir_perms; - dontaudit $1 domain:lnk_file r_file_perms; - dontaudit $1 domain:file r_file_perms; + dontaudit $1 domain:dir list_dir_perms; + dontaudit $1 domain:lnk_file read_file_perms; + dontaudit $1 domain:file read_file_perms; # cjp: these should be removed: - dontaudit $1 domain:sock_file r_file_perms; - dontaudit $1 domain:fifo_file r_file_perms; + dontaudit $1 domain:sock_file read_file_perms; + dontaudit $1 domain:fifo_file read_file_perms; ') ######################################## @@ -765,7 +765,7 @@ interface(`domain_dontaudit_list_all_domains_state',` attribute domain; ') - dontaudit $1 domain:dir r_dir_perms; + dontaudit $1 domain:dir list_dir_perms; ') ######################################## 
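Review bot: `domain_dontaudit_read_all_domains_state` (hunk `@@ -740,13 +740,13 @@`) uses `read_file_perms` for the lnk_file, sock_file and fifo_file classes, whereas the rest of this commit introduces class-specific sets for exactly these classes (`read_lnk_file_perms`, `read_sock_file_perms`, `read_fifo_file_perms`). Being dontaudit rules this has no enforcement effect, but it will make the later cleanup flagged by the `# cjp: these should be removed:` comment harder to grep for. Suggest `dontaudit $1 domain:lnk_file read_lnk_file_perms;`, `dontaudit $1 domain:sock_file read_sock_file_perms;` and `dontaudit $1 domain:fifo_file read_fifo_file_perms;`.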
@@ -1069,8 +1069,8 @@ interface(`domain_getattr_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:lnk_file getattr; - allow $1 entry_type:file r_file_perms; + allow $1 entry_type:lnk_file read_lnk_file_perms; + allow $1 entry_type:file getattr; ') ######################################## @@ -1088,8 +1088,8 @@ interface(`domain_read_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:lnk_file r_file_perms; - allow $1 entry_type:file r_file_perms; + allow $1 entry_type:lnk_file read_lnk_file_perms; + allow $1 entry_type:file read_file_perms; ') ######################################## @@ -1149,7 +1149,7 @@ interface(`domain_relabel_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:file { relabelfrom relabelto }; + allow $1 entry_type:file relabel_file_perms; ') ######################################## @@ -1168,7 +1168,7 @@ interface(`domain_mmap_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:file { getattr read execute }; + allow $1 entry_type:file mmap_file_perms; ') ######################################## @@ -1187,7 +1187,7 @@ interface(`domain_entry_file_spec_domtrans',` attribute entry_type; ') - domain_trans($1,entry_type,$2) + domain_transition_pattern($1,entry_type,$2) ') ######################################## 
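Review bot: `domain_getattr_all_entry_files` changes in two directions at once: `entry_type:file` is narrowed from `r_file_perms` to `getattr`, while `entry_type:lnk_file` is widened from `getattr` to `read_lnk_file_perms`. The narrowing matches the interface name, but any caller that relied on this interface for read access to entry files will now see denials and needs to move to `domain_read_all_entry_files`, which the next hunk updates. Since the Changelog entry only mentions the create_dir_perms/create_file_perms change, this tightening deserves its own line there, and the lnk_file widening a short note in the interface summary.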
@@ -1217,62 +1217,3 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; ') - -# -# These next macros are not templates, but actually are -# support macros. Due to the domain_ prefix, they -# are placed in this module, to try to prevent confusion. -# They are called templates since regular m4 defines -# wont work here. -# - -######################################## -## -## Specified domain transition requiring setexeccon. -## -## -## -## Domain to transition from. -## -## -## -## -## Type of program to execute. -## -## -## -## -## Domain to transition to. -## -## -# -template(`domain_trans',` - allow $1 $2:file { getattr read execute }; - allow $1 $3:process transition; - dontaudit $1 $3:process { noatsecure siginh rlimitinh }; -') - -######################################## -## -## Automatic domain transition by type_transition. -## -## -## -## Domain to transition from. -## -## -## -## -## Type of program to execute. -## -## -## -## -## Domain to transition to. -## -## -# -template(`domain_auto_trans',` - domain_trans($1,$2,$3) - type_transition $1 $2:process $3; -') diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c5527ec..5e78a96 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -284,15 +284,12 @@ interface(`files_tmpfs_file',` ## ## # -# cjp: this is an odd interface, because to getattr -# all dirs, you need to search all the parent directories -# interface(`files_getattr_all_dirs',` gen_require(` attribute file_type; ') - allow $1 file_type:dir { getattr search }; + getattr_dirs_pattern($1,file_type,file_type) ') ######################################## 
@@ -329,7 +326,7 @@ interface(`files_list_non_security',` attribute file_type, security_file_type; ') - allow $1 { file_type -security_file_type }:dir r_dir_perms; + list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type }) ') ######################################## @@ -348,7 +345,7 @@ interface(`files_dontaudit_list_non_security',` attribute file_type, security_file_type; ') - dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; + dontaudit $1 { file_type -security_file_type }:dir list_dir_perms; ') ######################################## @@ -404,9 +401,8 @@ interface(`files_getattr_all_files',` attribute file_type; ') - allow $1 file_type:dir search; - allow $1 file_type:file getattr; - allow $1 file_type:lnk_file getattr; + getattr_files_pattern($1,file_type,file_type) + getattr_lnk_files_pattern($1,file_type,file_type) ') ######################################## @@ -463,7 +459,7 @@ interface(`files_read_all_files',` ') allow $1 file_type:dir list_dir_perms; - allow $1 file_type:file read_file_perms; + read_files_pattern($1,file_type,file_type) optional_policy(` auth_read_shadow($1) @@ -517,9 +513,8 @@ interface(`files_read_non_security_files',` attribute file_type, security_file_type; ') - allow $1 { file_type -security_file_type }:dir search_dir_perms; - allow $1 { file_type -security_file_type }:file r_file_perms; - allow $1 { file_type -security_file_type }:lnk_file { getattr read }; + read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type }) + read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type }) ') ######################################## @@ -544,7 +539,7 @@ interface(`files_read_all_dirs_except',` attribute file_type; ') - allow $1 { file_type $2 }:dir r_dir_perms; + allow $1 { file_type $2 }:dir list_dir_perms; ') ######################################## 
@@ -569,9 +564,7 @@ interface(`files_read_all_files_except',` attribute file_type; ') - allow $1 { file_type $2 }:dir search; - allow $1 { file_type $2 }:file r_file_perms; - + read_files_pattern($1,{ file_type $2 },{ file_type $2 }) ') ######################################## @@ -596,9 +589,7 @@ interface(`files_read_all_symlinks_except',` attribute file_type; ') - allow $1 { file_type $2 }:dir search; - allow $1 { file_type $2 }:lnk_file r_file_perms; - + read_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 }) ') ######################################## @@ -616,8 +607,7 @@ interface(`files_getattr_all_symlinks',` attribute file_type; ') - allow $1 file_type:dir search; - allow $1 file_type:lnk_file getattr; + getattr_lnk_files_pattern($1,file_type,file_type) ') ######################################## @@ -731,7 +721,7 @@ interface(`files_read_all_symlinks',` ') allow $1 file_type:dir list_dir_perms; - allow $1 file_type:lnk_file { getattr read }; + read_lnk_files_pattern($1,file_type,file_type) ') ######################################## @@ -750,7 +740,7 @@ interface(`files_getattr_all_pipes',` ') allow $1 file_type:dir list_dir_perms; - allow $1 file_type:fifo_file getattr; + getattr_fifo_files_pattern($1,file_type,file_type) ') ######################################## @@ -807,7 +797,7 @@ interface(`files_getattr_all_sockets',` ') allow $1 file_type:dir list_dir_perms; - allow $1 file_type:sock_file getattr; + getattr_sock_files_pattern($1,file_type,file_type) ') ######################################## @@ -863,8 +853,7 @@ interface(`files_read_all_blk_files',` attribute file_type; ') - allow $1 file_type:dir search; - allow $1 file_type:blk_file { getattr read }; + read_blk_files_pattern($1,file_type,file_type) ') ######################################## 
@@ -882,8 +871,7 @@ interface(`files_read_all_chr_files',` attribute file_type; ') - allow $1 file_type:dir search; - allow $1 file_type:chr_file { getattr read }; + read_chr_files_pattern($1,file_type,file_type) ') ######################################## @@ -909,13 +897,14 @@ interface(`files_relabel_all_files',` attribute file_type; ') - allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; - allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; - allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; - allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; - allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto }; - allow $1 { file_type $2 }:blk_file { getattr relabelfrom }; - allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; + allow $1 { file_type $2 }:dir list_dir_perms; + relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_sock_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabelfrom_blk_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabelfrom_chr_files_pattern($1,{ file_type $2 },{ file_type $2 }) # satisfy the assertions: seutil_relabelto_bin_policy($1) 
@@ -944,11 +933,11 @@ interface(`files_manage_all_files',` attribute file_type; ') - allow $1 { file_type $2 }:dir create_dir_perms; - allow $1 { file_type $2 }:file create_file_perms; - allow $1 { file_type $2 }:lnk_file create_lnk_perms; - allow $1 { file_type $2 }:fifo_file create_file_perms; - allow $1 { file_type $2 }:sock_file create_file_perms; + manage_dirs_pattern($1,{ file_type $2 },{ file_type $2 }) + manage_files_pattern($1,{ file_type $2 },{ file_type $2 }) + manage_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 }) + manage_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 }) + manage_sock_files_pattern($1,{ file_type $2 },{ file_type $2 }) # satisfy the assertions: seutil_create_bin_policy($1) @@ -971,7 +960,7 @@ interface(`files_search_all',` attribute file_type; ') - allow $1 file_type:dir search; + allow $1 file_type:dir search_dir_perms; ') ######################################## @@ -990,7 +979,7 @@ interface(`files_list_all',` attribute file_type; ') - allow $1 file_type:dir r_dir_perms; + allow $1 file_type:dir list_dir_perms; ') ######################################## @@ -1119,7 +1108,7 @@ interface(`files_list_root',` type root_t; ') - allow $1 root_t:dir r_dir_perms; + allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file r_file_perms; ') @@ -1149,8 +1138,7 @@ interface(`files_root_filetrans',` type root_t; ') - allow $1 root_t:dir rw_dir_perms; - type_transition $1 root_t:$3 $2; + filetrans_pattern($1,root_t,$2,$3) ') ######################################## @@ -1363,8 +1351,7 @@ interface(`files_boot_filetrans',` type boot_t; ') - allow $1 boot_t:dir rw_dir_perms; - type_transition $1 boot_t:$3 $2; + filetrans_pattern($1,boot_t,$2,$3) ') ######################################## @@ -1384,8 +1371,7 @@ interface(`files_manage_boot_files',` type boot_t; ') - allow $1 boot_t:dir rw_dir_perms; - allow $1 boot_t:file manage_file_perms; + manage_files_pattern($1,boot_t,boot_t) ') ######################################## 
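Review bot: `files_list_root` (hunk `@@ -1119,7 +1108,7 @@`) keeps `allow $1 root_t:lnk_file r_file_perms;` on the line directly below the one being converted, while the rest of this commit replaces `r_file_perms` on lnk_file with `read_lnk_file_perms`. Converting it here avoids leaving one stray old-style set in an otherwise migrated block: `allow $1 root_t:lnk_file read_lnk_file_perms;`.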
@@ -1403,7 +1389,7 @@ interface(`files_relabelfrom_boot_files',` type boot_t; ') - allow $1 boot_t:file relabelfrom; + relabelfrom_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1422,8 +1408,8 @@ interface(`files_rw_boot_symlinks',` type boot_t; ') - allow $1 boot_t:dir r_dir_perms; - allow $1 boot_t:lnk_file rw_file_perms; + allow $1 boot_t:dir list_dir_perms; + rw_lnk_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1442,8 +1428,7 @@ interface(`files_manage_boot_symlinks',` type boot_t; ') - allow $1 boot_t:dir rw_dir_perms; - allow $1 boot_t:lnk_file manage_file_perms; + manage_lnk_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1457,13 +1442,13 @@ interface(`files_manage_boot_symlinks',` ## # interface(`files_read_kernel_img',` - gen_require(` - type boot_t; - ') + gen_require(` + type boot_t; + ') - allow $1 boot_t:dir list_dir_perms; - allow $1 boot_t:file { getattr read }; - allow $1 boot_t:lnk_file { getattr read }; + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1,boot_t,boot_t) + read_lnk_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1482,9 +1467,8 @@ interface(`files_create_kernel_img',` type boot_t; ') - allow $1 boot_t:dir ra_dir_perms; allow $1 boot_t:file { getattr read write create }; - allow $1 boot_t:lnk_file { getattr read create unlink }; + manage_lnk_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1503,8 +1487,7 @@ interface(`files_delete_kernel',` type boot_t; ') - allow $1 boot_t:dir { r_dir_perms write remove_name }; - allow $1 boot_t:file { getattr unlink }; + delete_files_pattern($1,boot_t,boot_t) ') ######################################## @@ -1559,7 +1542,7 @@ interface(`files_search_default',` type default_t; ') - allow $1 default_t:dir search; + allow $1 default_t:dir search_dir_perms; ') ######################################## 
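Review bot: In `files_create_kernel_img` (hunk `@@ -1482,9 +1467,8 @@`) the symlink side moves to `manage_lnk_files_pattern($1,boot_t,boot_t)`, which presumably grants the full manage set on the link (rename and setattr in addition to create/unlink) and rw_dir_perms on the directory, while the old rule was the narrower `{ getattr read create unlink }`; the file side stays hand-rolled as `allow $1 boot_t:file { getattr read write create };`. The old form could not actually unlink without remove_name on the directory, so the widening fixes a real gap, but it goes beyond what the interface name suggests. Either scope it back with `delete_lnk_files_pattern($1,boot_t,boot_t)` plus a create rule, or keep the manage pattern and say so in the interface description; the file rule could then use a pattern too for consistency.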
@@ -1577,7 +1560,7 @@ interface(`files_list_default',` type default_t; ') - allow $1 default_t:dir r_dir_perms; + allow $1 default_t:dir list_dir_perms; ') ######################################## @@ -1596,7 +1579,7 @@ interface(`files_dontaudit_list_default',` type default_t; ') - dontaudit $1 default_t:dir r_dir_perms; + dontaudit $1 default_t:dir list_dir_perms; ') ######################################## @@ -1651,7 +1634,7 @@ interface(`files_read_default_files',` type default_t; ') - allow $1 default_t:file r_file_perms; + allow $1 default_t:file read_file_perms; ') ######################################## @@ -1670,7 +1653,7 @@ interface(`files_dontaudit_read_default_files',` type default_t; ') - dontaudit $1 default_t:file r_file_perms; + dontaudit $1 default_t:file read_file_perms; ') ######################################## @@ -1688,7 +1671,7 @@ interface(`files_read_default_symlinks',` type default_t; ') - allow $1 default_t:lnk_file r_file_perms; + allow $1 default_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -1706,7 +1689,7 @@ interface(`files_read_default_sockets',` type default_t; ') - allow $1 default_t:sock_file r_file_perms; + allow $1 default_t:sock_file read_sock_file_perms; ') ######################################## @@ -1724,7 +1707,7 @@ interface(`files_read_default_pipes',` type default_t; ') - allow $1 default_t:fifo_file r_file_perms; + allow $1 default_t:fifo_file read_fifo_file_perms; ') ######################################## @@ -1742,7 +1725,7 @@ interface(`files_search_etc',` type etc_t; ') - allow $1 etc_t:dir search; + allow $1 etc_t:dir search_dir_perms; ') ######################################## @@ -1778,7 +1761,7 @@ interface(`files_list_etc',` type etc_t; ') - allow $1 etc_t:dir r_dir_perms; + allow $1 etc_t:dir list_dir_perms; ') ######################################## 
@@ -1814,9 +1797,9 @@ interface(`files_read_etc_files',` type etc_t; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_t:file r_file_perms; - allow $1 etc_t:lnk_file r_file_perms; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1,etc_t,etc_t) + read_lnk_files_pattern($1,etc_t,etc_t) ') ######################################## @@ -1853,9 +1836,9 @@ interface(`files_rw_etc_files',` type etc_t; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_t:file rw_file_perms; - allow $1 etc_t:lnk_file r_file_perms; + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1,etc_t,etc_t) + read_lnk_files_pattern($1,etc_t,etc_t) ') ######################################## @@ -1875,9 +1858,8 @@ interface(`files_manage_etc_files',` type etc_t; ') - allow $1 etc_t:dir rw_dir_perms; - allow $1 etc_t:file create_file_perms; - allow $1 etc_t:lnk_file r_file_perms; + manage_files_pattern($1,etc_t,etc_t) + read_lnk_files_pattern($1,etc_t,etc_t) ') ######################################## @@ -1895,8 +1877,7 @@ interface(`files_delete_etc_files',` type etc_t; ') - allow $1 etc_t:dir rw_dir_perms; - allow $1 etc_t:file unlink; + delete_files_pattern($1,etc_t,etc_t) ') ######################################## @@ -1914,10 +1895,9 @@ interface(`files_exec_etc_files',` type etc_t; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_t:lnk_file r_file_perms; - can_exec($1,etc_t) - + allow $1 etc_t:dir list_dir_perms; + read_lnk_files_pattern($1,etc_t,etc_t) + exec_files_pattern($1,etc_t,etc_t) ') ####################################### @@ -1936,7 +1916,7 @@ interface(`files_relabel_etc_files',` ') allow $1 etc_t:dir list_dir_perms; - allow $1 etc_t:file { relabelfrom relabelto }; + relabel_files_pattern($1,etc_t,etc_t) ') ######################################## 
@@ -1954,8 +1934,7 @@ interface(`files_read_etc_symlinks',` type etc_t; ') - allow $1 etc_t:dir search_dir_perms; - allow $1 etc_t:lnk_file { getattr read }; + read_lnk_files_pattern($1,etc_t,etc_t) ') ######################################## @@ -1984,8 +1963,7 @@ interface(`files_etc_filetrans',` type etc_t; ') - allow $1 etc_t:dir rw_dir_perms; - type_transition $1 etc_t:$3 $2; + filetrans_pattern($1,etc_t,$2,$3) ') ######################################## @@ -2010,9 +1988,8 @@ interface(`files_create_boot_flag',` type root_t, etc_runtime_t; ') - allow $1 root_t:dir rw_dir_perms; - allow $1 etc_runtime_t:file { create read write setattr unlink }; - type_transition $1 root_t:file etc_runtime_t; + allow $1 etc_runtime_t:file manage_file_perms; + filetrans_pattern($1,root_t,etc_runtime_t,file) ') ######################################## @@ -2032,9 +2009,9 @@ interface(`files_read_etc_runtime_files',` type etc_t, etc_runtime_t; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_runtime_t:file r_file_perms; - allow $1 etc_runtime_t:lnk_file { getattr read }; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1,etc_t,etc_runtime_t) + read_lnk_files_pattern($1,etc_t,etc_runtime_t) ') ######################################## @@ -2074,8 +2051,8 @@ interface(`files_rw_etc_runtime_files',` type etc_t, etc_runtime_t; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_runtime_t:file rw_file_perms; + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1,etc_t,etc_runtime_t) ') ######################################## @@ -2096,9 +2073,7 @@ interface(`files_manage_etc_runtime_files',` type etc_t, etc_runtime_t; ') - allow $1 etc_t:dir rw_dir_perms; - allow $1 etc_runtime_t:dir rw_dir_perms; - allow $1 etc_runtime_t:file manage_file_perms; + manage_files_pattern($1,{ etc_t etc_runtime_t },etc_runtime_t) ') ######################################## 
@@ -2122,8 +2097,7 @@ interface(`files_etc_filetrans_etc_runtime',` type etc_t, etc_runtime_t; ') - allow $1 etc_t:dir rw_dir_perms; - type_transition $1 etc_t:$2 etc_runtime_t; + filetrans_pattern($1,etc_t,etc_runtime_t,$2) ') ######################################## @@ -2180,7 +2154,7 @@ interface(`files_list_isid_type_dirs',` type file_t; ') - allow $1 file_t:dir r_dir_perms; + allow $1 file_t:dir list_dir_perms; ') ######################################## @@ -2218,7 +2192,7 @@ interface(`files_manage_isid_type_dirs',` type file_t; ') - allow $1 file_t:dir create_dir_perms; + allow $1 file_t:dir manage_dir_perms; ') ######################################## @@ -2237,7 +2211,7 @@ interface(`files_mounton_isid_type_dirs',` type file_t; ') - allow $1 file_t:dir { getattr search mounton }; + allow $1 file_t:dir { search_dir_perms mounton }; ') ######################################## @@ -2256,8 +2230,7 @@ interface(`files_read_isid_type_files',` type file_t; ') - allow $1 file_t:dir search; - allow $1 file_t:file r_file_perms; + allow $1 file_t:file read_file_perms; ') ######################################## @@ -2276,8 +2249,7 @@ interface(`files_manage_isid_type_files',` type file_t; ') - allow $1 file_t:dir rw_dir_perms; - allow $1 file_t:file create_file_perms; + allow $1 file_t:file manage_file_perms; ') ######################################## @@ -2296,8 +2268,7 @@ interface(`files_manage_isid_type_symlinks',` type file_t; ') - allow $1 file_t:dir rw_dir_perms; - allow $1 file_t:lnk_file create_lnk_perms; + allow $1 file_t:lnk_file manage_lnk_file_perms; ') ######################################## @@ -2316,8 +2287,7 @@ interface(`files_rw_isid_type_blk_files',` type file_t; ') - allow $1 file_t:dir search; - allow $1 file_t:blk_file rw_file_perms; + allow $1 file_t:blk_file rw_blk_file_perms; ') ######################################## 
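Review bot: `files_read_isid_type_files`, `files_manage_isid_type_files`, `files_manage_isid_type_symlinks` and `files_rw_isid_type_blk_files` each drop their `file_t:dir` rule (`search` or `rw_dir_perms`) and keep only the object-class rule; the same happens on the next line for `files_manage_isid_type_blk_files` and `files_manage_isid_type_chr_files`. Because `file_t` labels both the directory and its entries, a caller that previously got add_name/remove_name on the directory from `files_manage_isid_type_files` alone will now be denied on create or unlink unless it also calls `files_manage_isid_type_dirs`. If splitting directory and object access is the intent, the interface descriptions should state the dependency; otherwise `manage_files_pattern($1,file_t,file_t)` preserves the old scope in the same style as the neighbouring hunks.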
@@ -2336,8 +2306,7 @@ interface(`files_manage_isid_type_blk_files',` type file_t; ') - allow $1 file_t:dir rw_dir_perms; - allow $1 file_t:blk_file create_file_perms; + allow $1 file_t:blk_file manage_blk_file_perms; ') ######################################## @@ -2356,8 +2325,7 @@ interface(`files_manage_isid_type_chr_files',` type file_t; ') - allow $1 file_t:dir rw_dir_perms; - allow $1 file_t:chr_file create_file_perms; + allow $1 file_t:chr_file manage_chr_file_perms; ') ######################################## @@ -2452,7 +2420,7 @@ interface(`files_dontaudit_list_home',` type home_root_t; ') - dontaudit $1 home_root_t:dir r_dir_perms; + dontaudit $1 home_root_t:dir list_dir_perms; ') ######################################## @@ -2470,7 +2438,7 @@ interface(`files_list_home',` type home_root_t; ') - allow $1 home_root_t:dir r_dir_perms; + allow $1 home_root_t:dir list_dir_perms; ') ######################################## @@ -2498,8 +2466,7 @@ interface(`files_home_filetrans',` type home_root_t; ') - allow $1 home_root_t:dir rw_dir_perms; - type_transition $1 home_root_t:$3 $2; + filetrans_pattern($1,home_root_t,$2,$3) ') ######################################## @@ -2537,11 +2504,11 @@ interface(`files_manage_lost_found',` type lost_found_t; ') - allow $1 lost_found_t:dir create_dir_perms; - allow $1 lost_found_t:file create_file_perms; - allow $1 lost_found_t:sock_file create_file_perms; - allow $1 lost_found_t:fifo_file create_file_perms; - allow $1 lost_found_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1,lost_found_t,lost_found_t) + manage_files_pattern($1,lost_found_t,lost_found_t) + manage_lnk_files_pattern($1,lost_found_t,lost_found_t) + manage_fifo_files_pattern($1,lost_found_t,lost_found_t) + manage_sock_files_pattern($1,lost_found_t,lost_found_t) ') ######################################## 
@@ -2595,7 +2562,7 @@ interface(`files_list_mnt',` type mnt_t; ') - allow $1 mnt_t:dir r_dir_perms; + allow $1 mnt_t:dir list_dir_perms; ') ######################################## @@ -2613,7 +2580,7 @@ interface(`files_mounton_mnt',` type mnt_t; ') - allow $1 mnt_t:dir { search mounton }; + allow $1 mnt_t:dir { search_dir_perms mounton }; ') ######################################## @@ -2632,7 +2599,7 @@ interface(`files_manage_mnt_dirs',` type mnt_t; ') - allow $1 mnt_t:dir create_dir_perms; + allow $1 mnt_t:dir manage_dir_perms; ') ######################################## @@ -2650,8 +2617,7 @@ interface(`files_manage_mnt_files',` type mnt_t; ') - allow $1 mnt_t:dir rw_dir_perms; - allow $1 mnt_t:file create_file_perms; + manage_files_pattern($1,mnt_t,mnt_t) ') ######################################## @@ -2669,8 +2635,7 @@ interface(`files_manage_mnt_symlinks',` type mnt_t; ') - allow $1 mnt_t:dir rw_dir_perms; - allow $1 mnt_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,mnt_t,mnt_t) ') ######################################## @@ -2688,7 +2653,7 @@ interface(`files_search_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir search; + allow $1 modules_object_t:dir search_dir_perms; ') ######################################## @@ -2706,7 +2671,7 @@ interface(`files_list_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir r_dir_perms; + allow $1 modules_object_t:dir list_dir_perms; ') ######################################## @@ -2724,8 +2689,7 @@ interface(`files_getattr_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir search; - allow $1 modules_object_t:dir getattr; + getattr_files_pattern($1,modules_object_t,modules_object_t) ') ######################################## 
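Review bot: `files_getattr_kernel_modules` (hunk `@@ -2724,8 +2689,7 @@`) widens from two rules on `modules_object_t:dir` to `getattr_files_pattern($1,modules_object_t,modules_object_t)`, which by its name also grants getattr on the files. The old pair (`dir search` and `dir getattr`) reads like a copy/paste slip where the second line was meant for the file class, so the new form probably matches the intent, but it is still a permission increase that the changelog does not mention. If only the directory was intended, the behaviour-preserving form is `allow $1 modules_object_t:dir search_dir_perms;`.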
@@ -2743,9 +2707,9 @@ interface(`files_read_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir r_dir_perms; - allow $1 modules_object_t:lnk_file r_file_perms; - allow $1 modules_object_t:file r_file_perms; + allow $1 modules_object_t:dir list_dir_perms; + read_files_pattern($1,modules_object_t,modules_object_t) + read_lnk_files_pattern($1,modules_object_t,modules_object_t) ') ######################################## @@ -2763,8 +2727,8 @@ interface(`files_write_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir r_dir_perms; - allow $1 modules_object_t:file { write append }; + allow $1 modules_object_t:dir list_dir_perms; + write_files_pattern($1,modules_object_t,modules_object_t) ') ######################################## @@ -2782,8 +2746,7 @@ interface(`files_delete_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:dir { list_dir_perms write remove_name }; - allow $1 modules_object_t:file unlink; + delete_files_pattern($1,modules_object_t,modules_object_t) ') ######################################## @@ -2803,8 +2766,7 @@ interface(`files_manage_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; - allow $1 modules_object_t:dir rw_dir_perms; + manage_files_pattern($1,modules_object_t,modules_object_t) ') ######################################## @@ -2822,7 +2784,7 @@ interface(`files_relabel_kernel_modules',` type modules_object_t; ') - allow $1 modules_object_t:file { relabelfrom relabelto }; + relabel_files_pattern($1,modules_object_t,modules_object_t) allow $1 modules_object_t:dir list_dir_perms; ') @@ -2852,8 +2814,7 @@ interface(`files_kernel_modules_filetrans',` type modules_object_t; ') - allow $1 modules_object_t:dir rw_dir_perms; - type_transition $1 modules_object_t:$3 $2; + filetrans_pattern($1,modules_object_t,$2,$3) ') ######################################## 
@@ -2872,7 +2833,7 @@ interface(`files_list_world_readable',` type readable_t; ') - allow $1 readable_t:dir r_dir_perms; + allow $1 readable_t:dir list_dir_perms; ') ######################################## @@ -2891,7 +2852,7 @@ interface(`files_read_world_readable_files',` type readable_t; ') - allow $1 readable_t:file r_file_perms; + allow $1 readable_t:file read_file_perms; ') ######################################## @@ -2910,7 +2871,7 @@ interface(`files_read_world_readable_symlinks',` type readable_t; ') - allow $1 readable_t:lnk_file r_file_perms; + allow $1 readable_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -2928,7 +2889,7 @@ interface(`files_read_world_readable_pipes',` type readable_t; ') - allow $1 readable_t:fifo_file r_file_perms; + allow $1 readable_t:fifo_file read_fifo_file_perms; ') ######################################## @@ -2946,7 +2907,7 @@ interface(`files_read_world_readable_sockets',` type readable_t; ') - allow $1 readable_t:sock_file r_file_perms; + allow $1 readable_t:sock_file read_sock_file_perms; ') ######################################## @@ -3075,7 +3036,7 @@ interface(`files_dontaudit_list_tmp',` type tmp_t; ') - dontaudit $1 tmp_t:dir { read getattr search }; + dontaudit $1 tmp_t:dir list_dir_perms; ') ######################################## @@ -3093,8 +3054,7 @@ interface(`files_read_generic_tmp_files',` type tmp_t; ') - allow $1 tmp_t:dir search_dir_perms; - allow $1 tmp_t:file r_file_perms; + read_files_pattern($1,tmp_t,tmp_t) ') ######################################## @@ -3112,8 +3072,7 @@ interface(`files_manage_generic_tmp_files',` type tmp_t; ') - allow $1 tmp_t:dir rw_dir_perms; - allow $1 tmp_t:file manage_file_perms; + manage_files_pattern($1,tmp_t,tmp_t) ') ######################################## 
@@ -3131,8 +3090,7 @@ interface(`files_read_generic_tmp_symlinks',` type tmp_t; ') - allow $1 tmp_t:dir search_dir_perms; - allow $1 tmp_t:lnk_file r_file_perms; + read_lnk_files_pattern($1,tmp_t,tmp_t) ') ######################################## @@ -3150,8 +3108,7 @@ interface(`files_rw_generic_tmp_sockets',` type tmp_t; ') - allow $1 tmp_t:dir search_dir_perms; - allow $1 tmp_t:sock_file { read write }; + rw_sock_files_pattern($1,tmp_t,tmp_t) ') ######################################## @@ -3169,7 +3126,7 @@ interface(`files_setattr_all_tmp_dirs',` attribute tmpfile; ') - allow $1 tmpfile:dir { search setattr }; + allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## @@ -3198,8 +3155,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') - allow $1 tmp_t:dir rw_dir_perms; - type_transition $1 tmp_t:$3 $2; + filetrans_pattern($1,tmp_t,$2,$3) ') ######################################## @@ -3217,8 +3173,12 @@ interface(`files_purge_tmp',` attribute tmpfile; ') - allow $1 tmpfile:dir { rw_dir_perms rmdir }; - allow $1 tmpfile:notdevfile_class_set { getattr unlink }; + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1,tmpfile,tmpfile) + delete_files_pattern($1,tmpfile,tmpfile) + delete_lnk_files_pattern($1,tmpfile,tmpfile) + delete_fifo_files_pattern($1,tmpfile,tmpfile) + delete_sock_files_pattern($1,tmpfile,tmpfile) ') ######################################## @@ -3236,7 +3196,7 @@ interface(`files_search_usr',` type usr_t; ') - allow $1 usr_t:dir search; + allow $1 usr_t:dir search_dir_perms; ') ######################################## @@ -3255,7 +3215,7 @@ interface(`files_list_usr',` type usr_t; ') - allow $1 usr_t:dir r_dir_perms; + allow $1 usr_t:dir list_dir_perms; ') ######################################## 
@@ -3273,8 +3233,7 @@ interface(`files_getattr_usr_files',` type usr_t; ') - allow $1 usr_t:dir search; - allow $1 usr_t:file getattr; + getattr_files_pattern($1,usr_t,usr_t) ') ######################################## @@ -3292,8 +3251,9 @@ interface(`files_read_usr_files',` type usr_t; ') - allow $1 usr_t:dir r_dir_perms; - allow $1 usr_t:{ file lnk_file } r_file_perms; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1,usr_t,usr_t) + read_lnk_files_pattern($1,usr_t,usr_t) ') ######################################## @@ -3311,10 +3271,9 @@ interface(`files_exec_usr_files',` type usr_t; ') - allow $1 usr_t:dir r_dir_perms; - allow $1 usr_t:lnk_file r_file_perms; - can_exec($1,usr_t) - + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1,usr_t,usr_t) + read_lnk_files_pattern($1,usr_t,usr_t) ') ######################################## @@ -3332,7 +3291,7 @@ interface(`files_relabelto_usr_files',` type usr_t; ') - allow $1 usr_t:file relabelto; + relabelto_files_pattern($1,usr_t,usr_t) ') ######################################## @@ -3350,8 +3309,7 @@ interface(`files_read_usr_symlinks',` type usr_t; ') - allow $1 usr_t:dir search; - allow $1 usr_t:lnk_file r_file_perms; + read_lnk_files_pattern($1,usr_t,usr_t) ') ######################################## @@ -3379,8 +3337,7 @@ interface(`files_usr_filetrans',` type usr_t; ') - allow $1 usr_t:dir rw_dir_perms; - type_transition $1 usr_t:$3 $2; + filetrans_pattern($1,usr_t,$2,$3) ') ######################################## @@ -3398,7 +3355,7 @@ interface(`files_dontaudit_search_src',` type src_t; ') - dontaudit $1 src_t:dir search; + dontaudit $1 src_t:dir search_dir_perms; ') ######################################## 
@@ -3416,10 +3373,10 @@ interface(`files_getattr_usr_src_files',` type usr_t, src_t; ') - allow $1 { usr_t src_t }:dir search_dir_perms; + getattr_files_pattern($1,src_t,src_t) - allow $1 src_t:lnk_file { getattr read }; - allow $1 src_t:file getattr; + # /usr/src/linux symlink: + read_lnk_files_pattern($1,usr_t,src_t) ') ######################################## @@ -3437,9 +3394,10 @@ interface(`files_read_usr_src_files',` type usr_t, src_t; ') - allow $1 usr_t:dir search; - allow $1 src_t:dir r_dir_perms; - allow $1 src_t:{ file lnk_file } r_file_perms; + allow $1 usr_t:dir search_dir_perms; + read_files_pattern($1,{ usr_t src_t },src_t) + read_lnk_files_pattern($1,{ usr_t src_t },src_t) + allow $1 src_t:dir list_dir_perms; ') ######################################## @@ -3457,10 +3415,9 @@ interface(`files_exec_usr_src_files',` type usr_t, src_t; ') - allow $1 usr_t:dir search; - allow $1 src_t:dir r_dir_perms; - allow $1 src_t:lnk_file r_file_perms; - can_exec($1,src_t) + list_dirs_pattern($1,usr_t,src_t) + exec_files_pattern($1,src_t,src_t) + read_lnk_files_pattern($1,src_t,src_t) ') ######################################## @@ -3497,11 +3454,8 @@ interface(`files_read_kernel_symbol_table',` type boot_t, system_map_t; ') - allow $1 boot_t:dir r_dir_perms; - allow $1 system_map_t:file r_file_perms; - - # cjp: this should be dropped: - allow $1 boot_t:file { getattr read }; + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1,boot_t,system_map_t) ') ######################################## @@ -3519,8 +3473,8 @@ interface(`files_delete_kernel_symbol_table',` type boot_t, system_map_t; ') - allow $1 boot_t:dir { r_dir_perms write remove_name }; - allow $1 system_map_t:file { getattr unlink }; + allow $1 boot_t:dir list_dir_perms; + delete_files_pattern($1,boot_t,system_map_t) ') ######################################## 
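Review bot: files_read_kernel_symbol_table silently loses `allow $1 boot_t:file { getattr read };` when the body is collapsed to `read_files_pattern($1,boot_t,system_map_t)`, so any caller that was leaning on this interface to read other files in /boot will now be denied. Dropping it is the right least-privilege move (the removed comment already said so), but it is a behavior change that the Changelog entry for this commit does not mention, and the callers cannot be identified from this hunk. I would add a Changelog line for it and point any caller that legitimately needs boot_t files at a dedicated boot_t read interface rather than this one; the gen_require for this interface starts outside the hunk.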
@@ -3593,7 +3547,7 @@ interface(`files_list_var',` type var_t; ') - allow $1 var_t:dir r_dir_perms; + allow $1 var_t:dir list_dir_perms; ') ######################################## @@ -3612,7 +3566,7 @@ interface(`files_manage_var_dirs',` type var_t; ') - allow $1 var_t:dir create_dir_perms; + allow $1 var_t:dir manage_dir_perms; ') ######################################## @@ -3630,8 +3584,7 @@ interface(`files_read_var_files',` type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_t:file r_file_perms; + read_files_pattern($1,var_t,var_t) ') ######################################## @@ -3649,8 +3602,7 @@ interface(`files_rw_var_files',` type var_t; ') - allow $1 var_t:dir rw_dir_perms; - allow $1 var_t:file create_file_perms; + rw_files_pattern($1,var_t,var_t) ') ######################################## @@ -3668,8 +3620,7 @@ interface(`files_manage_var_files',` type var_t; ') - allow $1 var_t:dir rw_dir_perms; - allow $1 var_t:file create_file_perms; + manage_files_pattern($1,var_t,var_t) ') ######################################## @@ -3687,8 +3638,7 @@ interface(`files_read_var_symlinks',` type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_t:lnk_file { getattr read }; + read_lnk_files_pattern($1,var_t,var_t) ') ######################################## @@ -3707,8 +3657,7 @@ interface(`files_manage_var_symlinks',` type var_t; ') - allow $1 var_t:dir rw_dir_perms; - allow $1 var_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,var_t,var_t) ') ######################################## @@ -3736,8 +3685,7 @@ interface(`files_var_filetrans',` type var_t; ') - allow $1 var_t:dir rw_dir_perms; - type_transition $1 var_t:$3 $2; + filetrans_pattern($1,var_t,$2,$3) ') ######################################## 
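Review bot: files_rw_var_files is narrowed from `var_t:dir rw_dir_perms` plus `var_t:file create_file_perms` to `rw_files_pattern($1,var_t,var_t)`, which by the naming used throughout this diff grants read/write on existing files and search on the directory only — create, unlink and rename disappear. That matches the interface's name, but it is a larger change than the Changelog's note about create_dir_perms/create_file_perms, and a domain that was creating files under /var through this interface will now fail closed. Either add an explicit Changelog line, or audit the callers and move the ones that need creation to files_manage_var_files, which this diff keeps as `manage_files_pattern($1,var_t,var_t)`.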
@@ -3755,8 +3703,7 @@ interface(`files_getattr_var_lib_dirs',` type var_t, var_lib_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir getattr; + getattr_dirs_pattern($1,var_t,var_lib_t) ') ######################################## @@ -3774,7 +3721,7 @@ interface(`files_search_var_lib',` type var_t, var_lib_t; ') - allow $1 { var_t var_lib_t }:dir search_dir_perms; + search_dirs_pattern($1,var_t,var_lib_t) ') ######################################## @@ -3792,8 +3739,7 @@ interface(`files_list_var_lib',` type var_t, var_lib_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir r_dir_perms; + list_dirs_pattern($1,var_t,var_lib_t) ') ######################################## @@ -3822,8 +3768,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir rw_dir_perms; - type_transition $1 var_lib_t:$3 $2; + filetrans_pattern($1,var_lib_t,$2,$3) ') ######################################## @@ -3841,8 +3786,7 @@ interface(`files_read_var_lib_files',` type var_t, var_lib_t; ') - allow $1 { var_t var_lib_t }:dir search_dir_perms; - allow $1 var_lib_t:file r_file_perms; + read_files_pattern($1,{ var_t var_lib_t },var_lib_t) ') ######################################## @@ -3860,8 +3804,7 @@ interface(`files_read_var_lib_symlinks',` type var_t, var_lib_t; ') - allow $1 { var_t var_lib_t }:dir search_dir_perms; - allow $1 var_lib_t:lnk_file { getattr read }; + read_lnk_files_pattern($1,{ var_t var_lib_t },var_lib_t) ') # cjp: the next two interfaces really need to be fixed @@ -3884,8 +3827,7 @@ interface(`files_manage_urandom_seed',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir rw_dir_perms; - allow $1 var_lib_t:file manage_file_perms; + manage_files_pattern($1,var_lib_t,var_lib_t) ') ######################################## 
@@ -3905,8 +3847,7 @@ interface(`files_manage_mounttab',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir rw_dir_perms; - allow $1 var_lib_t:file manage_file_perms; + manage_files_pattern($1,var_lib_t,var_lib_t) ') ######################################## @@ -3924,7 +3865,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') - allow $1 { var_t var_lock_t }:dir search_dir_perms; + search_dirs_pattern($1,var_t,var_lock_t) ') ######################################## @@ -3962,8 +3903,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:dir rw_dir_perms; + rw_dirs_pattern($1,var_t,var_lock_t) ') ######################################## @@ -3982,8 +3922,8 @@ interface(`files_getattr_generic_locks',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:dir r_dir_perms; - allow $1 var_lock_t:file getattr; + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1,var_lock_t,var_lock_t) ') ######################################## @@ -4002,8 +3942,8 @@ interface(`files_manage_generic_locks',` type var_lock_t; ') - allow $1 var_lock_t:dir rw_dir_perms; - allow $1 var_lock_t:file manage_file_perms; + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1,var_lock_t,var_lock_t) ') ######################################## @@ -4022,8 +3962,8 @@ interface(`files_delete_all_locks',` attribute lockfile; ') - allow $1 lockfile:dir rw_dir_perms; - allow $1 lockfile:file { getattr unlink }; + allow $1 var_t:dir search_dir_perms; + delete_files_pattern($1,lockfile,lockfile) ') ######################################## 
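Review bot: files_manage_generic_locks and files_delete_all_locks both gain `allow $1 var_t:dir search_dir_perms;`, but the only gen_require lines visible in their hunks are `type var_lock_t;` and `attribute lockfile;` respectively; each gen_require block starts outside the hunk, so I cannot confirm var_t is required there. If it is not, a module calling either interface without requiring var_t elsewhere fails to build with an undeclared-type error; the fix is `type var_t, var_lock_t;` in the first and `type var_t; attribute lockfile;` in the second. The added search rule itself is correct — the old files_manage_generic_locks body had no way to reach /var/lock through var_t.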
@@ -4043,9 +3983,9 @@ interface(`files_read_all_locks',` ') allow $1 { var_t var_lock_t }:dir search_dir_perms; - allow $1 lockfile:dir r_dir_perms; - allow $1 lockfile:file r_file_perms; - allow $1 lockfile:lnk_file { getattr read }; + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1,lockfile,lockfile) + read_lnk_files_pattern($1,lockfile,lockfile) ') ######################################## @@ -4074,9 +4014,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') - allow $1 var_t:dir search; - allow $1 var_lock_t:dir rw_dir_perms; - type_transition $1 var_lock_t:$3 $2; + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1,var_lock_t,$2,$3) ') ######################################## @@ -4114,8 +4053,7 @@ interface(`files_search_pids',` type var_t, var_run_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir search_dir_perms; + search_dirs_pattern($1,var_t,var_run_t) ') ######################################## @@ -4153,8 +4091,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir r_dir_perms; + list_dirs_pattern($1,var_t,var_run_t) ') ######################################## @@ -4184,8 +4121,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir rw_dir_perms; - type_transition $1 var_run_t:$3 $2; + filetrans_pattern($1,var_run_t,$2,$3) ') ######################################## @@ -4203,9 +4139,8 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') - allow $1 var_t:dir search; - allow $1 var_run_t:dir r_dir_perms; - allow $1 var_run_t:file rw_file_perms; + list_dirs_pattern($1,var_t,var_run_t) + rw_files_pattern($1,var_run_t,var_run_t) ') ######################################## 
@@ -4261,9 +4196,8 @@ interface(`files_read_all_pids',` type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 pidfile:dir r_dir_perms; - allow $1 pidfile:file r_file_perms; + list_dirs_pattern($1,var_t,pidfile) + read_files_pattern($1,pidfile,pidfile) ') ######################################## @@ -4302,13 +4236,12 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') - allow $1 var_t:dir search; - allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink }; + allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir rmdir; - allow $1 pidfile:dir rw_dir_perms; - allow $1 pidfile:file { getattr unlink }; - allow $1 pidfile:sock_file { getattr unlink }; - allow $1 pidfile:fifo_file { getattr unlink }; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1,pidfile,pidfile) + delete_fifo_files_pattern($1,pidfile,pidfile) + delete_sock_files_pattern($1,pidfile,{ pidfile var_run_t }) ') ######################################## @@ -4327,8 +4260,8 @@ interface(`files_delete_all_pid_dirs',` type var_t; ') - allow $1 var_t:dir search; - allow $1 pidfile:dir { rw_dir_perms rmdir }; + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1,pidfile,pidfile) ') ######################################## @@ -4347,8 +4280,7 @@ interface(`files_search_spool',` type var_t, var_spool_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_spool_t:dir search_dir_perms; + search_dirs_pattern($1,var_t,var_spool_t) ') ######################################## @@ -4386,8 +4318,7 @@ interface(`files_list_spool',` type var_t, var_spool_t; ') - allow $1 var_t:dir search; - allow $1 var_spool_t:dir r_dir_perms; + list_dirs_pattern($1,var_t,var_spool_t) ') ######################################## 
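Review bot: In files_delete_all_pids the symlink case is left as a bare `allow $1 var_run_t:lnk_file delete_lnk_file_perms;` while every other class in the same body goes through a delete_*_pattern, and the socket case passes `{ pidfile var_run_t }` as its target set. If var_run_t carries the pidfile attribute (likely for the generic pid-file type, but not visible here) the extra var_run_t is redundant, and the lnk_file line could become `delete_lnk_files_pattern($1,pidfile,var_run_t)` for consistency with the rest. Note also that `var_run_t:dir rmdir` is kept but no rmdir is granted on other pidfile dirs; since files_delete_all_pid_dirs right below handles that, a one-line comment saying subdirectory removal lives there would stop someone widening this interface.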
@@ -4406,8 +4337,8 @@ interface(`files_manage_generic_spool_dirs',` type var_t, var_spool_t; ') - allow $1 var_t:dir search; - allow $1 var_spool_t:dir create_dir_perms; + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1,var_spool_t,var_spool_t) ') ######################################## @@ -4425,9 +4356,8 @@ interface(`files_read_generic_spool',` type var_t, var_spool_t; ') - allow $1 var_t:dir search; - allow $1 var_spool_t:dir r_dir_perms; - allow $1 var_spool_t:file r_file_perms; + list_dirs_pattern($1,var_t,var_spool_t) + read_files_pattern($1,var_spool_t,var_spool_t) ') ######################################## @@ -4446,9 +4376,8 @@ interface(`files_manage_generic_spool',` type var_t, var_spool_t; ') - allow $1 var_t:dir search; - allow $1 var_spool_t:dir rw_dir_perms; - allow $1 var_spool_t:file create_file_perms; + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1,var_spool_t,var_spool_t) ') ######################################## @@ -4468,8 +4397,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_spool_t:dir rw_dir_perms; - type_transition $1 var_spool_t:$3 $2; + filetrans_pattern($1,var_spool_t,$2,$3) ') ######################################## @@ -4549,31 +4477,5 @@ interface(`files_manage_non_security_dirs',` attribute file_type, security_file_type; ') - allow $1 { file_type -security_file_type }:dir create_dir_perms; -') - -######################################## -## -## Create a aliased type to etc_runtime_t files. -## -## -## -## Create a aliased type to etc runtime files. -## -## -## This is added to remove types that should have been etc_runtime_t -## -## -## -## -## Alias type for etc_runtime_t. -## -## -# -interface(`corecmd_etc_runtime_alias',` - gen_require(` - type etc_runtime_t; - ') - - typealias etc_runtime_t alias $1; + allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
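Review bot: The final files.if hunk removes the whole `corecmd_etc_runtime_alias` interface in the same change that rewrites files_manage_non_security_dirs, which is an API removal unrelated to the permission-set conversion and not reflected in the Changelog entry. Any module still calling corecmd_etc_runtime_alias will fail at build time, and nothing in the hunk shows that its callers were converted. I would split the removal into its own commit with a Changelog line, or keep the interface with a deprecation comment for one release. The `{ file_type -security_file_type }:dir manage_dir_perms` rule is also effectively filesystem-wide; a comment such as `# manage on every non-security dir type: grant sparingly` would make that visible to future callers.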
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 443433a..3effc68 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -360,7 +360,7 @@ interface(`fs_search_auto_mountpoints',` type autofs_t; ') - allow $1 autofs_t:dir { getattr search }; + allow $1 autofs_t:dir search_dir_perms; ') ######################################## @@ -380,7 +380,7 @@ interface(`fs_list_auto_mountpoints',` type autofs_t; ') - allow $1 autofs_t:dir r_dir_perms; + allow $1 autofs_t:dir list_dir_perms; ') ######################################## @@ -399,7 +399,7 @@ interface(`fs_dontaudit_list_auto_mountpoints',` type autofs_t; ') - dontaudit $1 autofs_t:dir r_dir_perms; + dontaudit $1 autofs_t:dir list_dir_perms; ') ######################################## @@ -418,8 +418,7 @@ interface(`fs_manage_autofs_symlinks',` type autofs_t; ') - allow $1 autofs_t:dir rw_dir_perms; - allow $1 autofs_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,autofs_t,autofs_t) ') ######################################## @@ -474,8 +473,7 @@ interface(`fs_register_binary_executable_type',` type binfmt_misc_fs_t; ') - allow $1 binfmt_misc_fs_t:dir { getattr search }; - allow $1 binfmt_misc_fs_t:file { getattr ioctl write read }; + rw_files_pattern($1,binfmt_misc_fs_t,binfmt_misc_fs_t) ') ######################################## @@ -568,7 +566,7 @@ interface(`fs_search_cifs',` type cifs_t; ') - allow $1 cifs_t:dir search; + allow $1 cifs_t:dir search_dir_perms; ') ######################################## @@ -587,7 +585,7 @@ interface(`fs_list_cifs',` type cifs_t; ') - allow $1 cifs_t:dir r_dir_perms; + allow $1 cifs_t:dir list_dir_perms; ') ######################################## @@ -606,7 +604,7 @@ interface(`fs_dontaudit_list_cifs',` type cifs_t; ') - dontaudit $1 cifs_t:dir r_dir_perms; + dontaudit $1 cifs_t:dir list_dir_perms; ') ######################################## 
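Review bot: fs_register_binary_executable_type is widened from `binfmt_misc_fs_t:file { getattr ioctl write read }` to `rw_files_pattern($1,binfmt_misc_fs_t,binfmt_misc_fs_t)`, which by the naming convention of this diff likely adds at least open/lock/append on top of the old explicit list. Registering a binfmt_misc handler lets the caller choose the interpreter that executes for every matching binary system-wide, so this interface is privilege-sensitive and should stay as tight as the old list if the extra permissions are not actually needed. At minimum, add a comment in the interface body, e.g. `# registering a format redirects exec of matching files system-wide; keep this tight`, so callers understand what they are asking for.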
@@ -625,8 +623,8 @@ interface(`fs_read_cifs_files',` type cifs_t; ') - allow $1 cifs_t:dir r_dir_perms; - allow $1 cifs_t:file r_file_perms; + allow $1 cifs_t:dir list_dir_perms; + read_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -664,8 +662,7 @@ interface(`fs_list_noxattr_fs',` attribute noxattrfs; ') - allow $1 noxattrfs:dir r_dir_perms; - + allow $1 noxattrfs:dir list_dir_perms; ') ######################################## @@ -701,9 +698,7 @@ interface(`fs_read_noxattr_fs_files',` attribute noxattrfs; ') - allow $1 noxattrfs:dir search_dir_perms; - allow $1 noxattrfs:file r_file_perms; - + read_files_pattern($1,noxattrfs,noxattrfs) ') ######################################## @@ -721,8 +716,7 @@ interface(`fs_manage_noxattr_fs_files',` attribute noxattrfs; ') - allow $1 noxattrfs:dir rw_dir_perms; - allow $1 noxattrfs:file manage_file_perms; + manage_files_pattern($1,noxattrfs,noxattrfs) ') ######################################## @@ -740,8 +734,7 @@ interface(`fs_read_noxattr_fs_symlinks',` attribute noxattrfs; ') - allow $1 noxattrfs:dir search_dir_perms; - allow $1 noxattrfs:lnk_file r_file_perms; + read_lnk_files_pattern($1,noxattrfs,noxattrfs) ') ######################################## @@ -760,7 +753,7 @@ interface(`fs_dontaudit_read_cifs_files',` type cifs_t; ') - dontaudit $1 cifs_t:file r_file_perms; + dontaudit $1 cifs_t:file read_file_perms; ') ######################################## @@ -797,8 +790,8 @@ interface(`fs_read_cifs_symlinks',` type cifs_t; ') - allow $1 cifs_t:dir r_dir_perms; - allow $1 cifs_t:lnk_file r_file_perms; + allow $1 cifs_t:dir list_dir_perms; + read_lnk_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -819,8 +812,8 @@ interface(`fs_exec_cifs_files',` type cifs_t; ') - allow $1 cifs_t:dir r_dir_perms; - can_exec($1, cifs_t) + allow $1 cifs_t:dir list_dir_perms; + exec_files_pattern($1,cifs_t,cifs_t) ') ######################################## 
@@ -840,7 +833,7 @@ interface(`fs_manage_cifs_dirs',` type cifs_t; ') - allow $1 cifs_t:dir create_dir_perms; + allow $1 cifs_t:dir manage_dir_perms; ') ######################################## @@ -860,7 +853,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',` type cifs_t; ') - dontaudit $1 cifs_t:dir create_dir_perms; + dontaudit $1 cifs_t:dir manage_dir_perms; ') ######################################## @@ -880,8 +873,7 @@ interface(`fs_manage_cifs_files',` type cifs_t; ') - allow $1 cifs_t:dir rw_dir_perms; - allow $1 cifs_t:file create_file_perms; + manage_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -901,7 +893,7 @@ interface(`fs_dontaudit_manage_cifs_files',` type cifs_t; ') - dontaudit $1 cifs_t:file create_file_perms; + dontaudit $1 cifs_t:file manage_file_perms; ') ######################################## @@ -920,8 +912,7 @@ interface(`fs_manage_cifs_symlinks',` type cifs_t; ') - allow $1 cifs_t:dir rw_dir_perms; - allow $1 cifs_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -940,8 +931,7 @@ interface(`fs_manage_cifs_named_pipes',` type cifs_t; ') - allow $1 cifs_t:dir rw_dir_perms; - allow $1 cifs_t:fifo_file create_file_perms; + manage_fifo_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -960,8 +950,7 @@ interface(`fs_manage_cifs_named_sockets',` type cifs_t; ') - allow $1 cifs_t:dir rw_file_perms; - allow $1 cifs_t:sock_file create_file_perms; + manage_sock_files_pattern($1,cifs_t,cifs_t) ') ######################################## @@ -1004,9 +993,8 @@ interface(`fs_cifs_domtrans',` type cifs_t; ') - allow $1 cifs_t:dir search; - - domain_auto_trans($1,cifs_t,$2) + allow $1 cifs_t:dir search_dir_perms; + domain_auto_transition_pattern($1,cifs_t,$2) ') ######################################## 
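Review bot: fs_cifs_domtrans is converted to `domain_auto_transition_pattern($1,cifs_t,$2)` whereas the other *_domtrans interfaces in this commit (acct_domtrans, alsa_domtrans, kernel_domtrans_to) move to `domtrans_pattern`, which per those hunks also carries the fd use, fifo_file rw and sigchld rules. The bare pattern matches the old domain_auto_trans behavior here, so it is not a regression, but the asymmetry invites a wrong "fix" later; a comment like `# deliberately no fd/fifo/sigchld rules: target domain $2 is caller-supplied` would record the intent. I would also add to the interface doc that, if cifs_t labels an entire remote filesystem as this interface set suggests, an entrypoint on it trusts every executable the server exposes.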
@@ -1122,8 +1110,7 @@ interface(`fs_manage_dos_files',` type dosfs_t; ') - allow $1 dosfs_t:dir rw_dir_perms; - allow $1 dosfs_t:file manage_file_perms; + manage_files_pattern($1,dosfs_t,dosfs_t) ') ######################################## @@ -1182,7 +1169,7 @@ interface(`fs_list_inotifyfs',` type inotifyfs_t; ') - allow $1 inotifyfs_t:dir r_dir_perms; + allow $1 inotifyfs_t:dir list_dir_perms; ') ######################################## @@ -1280,8 +1267,8 @@ interface(`fs_read_iso9660_files',` ') allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file read_file_perms; - allow $1 iso9660_t:lnk_file { getattr read }; + read_files_pattern($1,iso9660_t,iso9660_t) + read_lnk_files_pattern($1,iso9660_t,iso9660_t) ') ######################################## @@ -1373,7 +1360,7 @@ interface(`fs_search_nfs',` type nfs_t; ') - allow $1 nfs_t:dir search; + allow $1 nfs_t:dir search_dir_perms; ') ######################################## @@ -1391,7 +1378,7 @@ interface(`fs_list_nfs',` type nfs_t; ') - allow $1 nfs_t:dir r_dir_perms; + allow $1 nfs_t:dir list_dir_perms; ') ######################################## @@ -1410,7 +1397,7 @@ interface(`fs_dontaudit_list_nfs',` type nfs_t; ') - dontaudit $1 nfs_t:dir r_dir_perms; + dontaudit $1 nfs_t:dir list_dir_perms; ') ######################################## @@ -1429,8 +1416,8 @@ interface(`fs_read_nfs_files',` type nfs_t; ') - allow $1 nfs_t:dir r_dir_perms; - allow $1 nfs_t:file r_file_perms; + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1449,7 +1436,7 @@ interface(`fs_dontaudit_read_nfs_files',` type nfs_t; ') - dontaudit $1 nfs_t:file r_file_perms; + dontaudit $1 nfs_t:file read_file_perms; ') ######################################## 
@@ -1467,8 +1454,8 @@ interface(`fs_write_nfs_files',` type nfs_t; ') - allow $1 nfs_t:dir r_dir_perms; - allow $1 nfs_t:file write; + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1487,8 +1474,8 @@ interface(`fs_exec_nfs_files',` type nfs_t; ') - allow $1 nfs_t:dir r_dir_perms; - can_exec($1, nfs_t) + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1525,8 +1512,8 @@ interface(`fs_read_nfs_symlinks',` type nfs_t; ') - allow $1 nfs_t:dir r_dir_perms; - allow $1 nfs_t:lnk_file r_file_perms; + allow $1 nfs_t:dir list_dir_perms; + read_lnk_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1581,8 +1568,7 @@ interface(`fs_search_removable',` type removable_t; ') - allow $1 removable_t:dir { getattr read search }; - + allow $1 removable_t:dir search_dir_perms; ') ######################################## @@ -1599,7 +1585,8 @@ interface(`fs_dontaudit_list_removable',` gen_require(` type removable_t; ') - dontaudit $1 removable_t:dir r_dir_perms; + + dontaudit $1 removable_t:dir list_dir_perms; ') ######################################## @@ -1617,8 +1604,7 @@ interface(`fs_read_removable_files',` type removable_t; ') - allow $1 removable_t:file { read getattr }; - + read_files_pattern($1,removable_t,removable_t) ') ######################################## @@ -1635,7 +1621,8 @@ interface(`fs_dontaudit_read_removable_files',` gen_require(` type removable_t; ') - dontaudit $1 removable_t:file r_file_perms; + + dontaudit $1 removable_t:file read_file_perms; ') ######################################## @@ -1653,8 +1640,7 @@ interface(`fs_read_removable_symlinks',` type removable_t; ') - allow $1 removable_t:lnk_file { getattr read }; - + read_lnk_files_pattern($1,removable_t,removable_t) ') ######################################## 
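Review bot: fs_search_removable drops `read` from the old `removable_t:dir { getattr read search }` by switching to search_dir_perms, so a caller that was listing removable media through this interface will now be denied. The new set is what the interface name promises, and such callers belong on a list interface (the dontaudit_list variant is visible in this hunk), but it is a behavior change not covered by the Changelog note, which only mentions create_dir_perms/create_file_perms. A short Changelog line, or a note in the interface doc that listing is intentionally excluded, would save someone a denial hunt.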
@@ -1672,8 +1658,7 @@ interface(`fs_list_rpc',` type rpc_pipefs_t; ') - allow $1 rpc_pipefs_t:dir { getattr read search }; - + allow $1 rpc_pipefs_t:dir list_dir_perms; ') ######################################## @@ -1691,8 +1676,7 @@ interface(`fs_read_rpc_files',` type rpc_pipefs_t; ') - allow $1 rpc_pipefs_t:file { read getattr }; - + read_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t) ') ######################################## @@ -1710,8 +1694,7 @@ interface(`fs_read_rpc_symlinks',` type rpc_pipefs_t; ') - allow $1 rpc_pipefs_t:lnk_file { getattr read }; - + read_lnk_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t) ') ######################################## @@ -1750,7 +1733,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') - allow $1 nfs_t:dir create_dir_perms; + allow $1 nfs_t:dir manage_dir_perms; ') ######################################## @@ -1770,7 +1753,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',` type nfs_t; ') - dontaudit $1 nfs_t:dir create_dir_perms; + dontaudit $1 nfs_t:dir manage_dir_perms; ') ######################################## @@ -1790,8 +1773,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') - allow $1 nfs_t:dir rw_dir_perms; - allow $1 nfs_t:file create_file_perms; + manage_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1811,7 +1793,7 @@ interface(`fs_dontaudit_manage_nfs_files',` type nfs_t; ') - dontaudit $1 nfs_t:file create_file_perms; + dontaudit $1 nfs_t:file manage_file_perms; ') ######################################### @@ -1831,8 +1813,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') - allow $1 nfs_t:dir rw_dir_perms; - allow $1 nfs_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,nfs_t,nfs_t) ') ######################################### @@ -1851,8 +1832,7 @@ interface(`fs_manage_nfs_named_pipes',` type nfs_t; ') - allow $1 nfs_t:dir rw_dir_perms; - allow $1 nfs_t:fifo_file create_file_perms; + manage_fifo_files_pattern($1,nfs_t,nfs_t) ') ######################################### 
@@ -1871,8 +1851,7 @@ interface(`fs_manage_nfs_named_sockets',` type nfs_t; ') - allow $1 nfs_t:dir rw_dir_perms; - allow $1 nfs_t:sock_file create_file_perms; + manage_sock_files_pattern($1,nfs_t,nfs_t) ') ######################################## @@ -1915,9 +1894,8 @@ interface(`fs_nfs_domtrans',` type nfs_t; ') - allow $1 nfs_t:dir search; - - domain_auto_trans($1,nfs_t,$2) + allow $1 nfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1,nfs_t,$2) ') ######################################## @@ -2009,7 +1987,7 @@ interface(`fs_search_nfsd_fs',` type nfsd_fs_t; ') - allow $1 nfsd_fs_t:dir search; + allow $1 nfsd_fs_t:dir search_dir_perms; ') ######################################## @@ -2027,7 +2005,7 @@ interface(`fs_rw_nfsd_fs',` type nfsd_fs_t; ') - allow $1 nfsd_fs_t:file rw_file_perms; + rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t) ') ######################################## @@ -2136,7 +2114,7 @@ interface(`fs_dontaudit_search_ramfs',` type ramfs_t; ') - dontaudit $1 ramfs_t:dir search; + dontaudit $1 ramfs_t:dir search_dir_perms; ') ######################################## @@ -2210,8 +2188,7 @@ interface(`fs_manage_ramfs_files',` type ramfs_t; ') - allow $1 ramfs_t:dir rw_dir_perms; - allow $1 ramfs_t:file manage_file_perms; + manage_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## @@ -2229,8 +2206,7 @@ interface(`fs_write_ramfs_pipes',` type ramfs_t; ') - allow $1 ramfs_t:dir search_dir_perms; - allow $1 ramfs_t:fifo_file write; + write_fifo_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## @@ -2267,8 +2243,7 @@ interface(`fs_rw_ramfs_pipes',` type ramfs_t; ') - allow $1 ramfs_t:dir search_dir_perms; - allow $1 ramfs_t:fifo_file rw_file_perms; + rw_fifo_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## 
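Review bot: fs_nfs_domtrans keeps the bare `domain_auto_transition_pattern($1,nfs_t,$2)` while the other *_domtrans interfaces in this diff adopt domtrans_pattern with its fd/fifo/sigchld rules; that preserves the old domain_auto_trans behavior, but without a comment the inconsistency looks like an oversight. I would add `# no fd/fifo/sigchld inheritance on purpose: $2 is chosen by the caller` above the pattern call. A doc caveat that the nfs_t label covers whatever the NFS server serves, so an entrypoint here extends trust to the server, would also be appropriate if that is how nfs_t is assigned (not visible in this hunk).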
@@ -2287,8 +2262,7 @@ interface(`fs_manage_ramfs_pipes',` type ramfs_t; ') - allow $1 ramfs_t:dir rw_dir_perms; - allow $1 ramfs_t:fifo_file manage_file_perms; + manage_fifo_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## @@ -2306,7 +2280,7 @@ interface(`fs_write_ramfs_sockets',` type ramfs_t; ') - allow $1 ramfs_t:sock_file write; + write_sock_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## @@ -2325,8 +2299,7 @@ interface(`fs_manage_ramfs_sockets',` type ramfs_t; ') - allow $1 ramfs_t:dir rw_dir_perms; - allow $1 ramfs_t:sock_file manage_file_perms; + manage_sock_files_pattern($1,ramfs_t,ramfs_t) ') ######################################## @@ -2657,7 +2630,7 @@ interface(`fs_search_tmpfs',` type tmpfs_t; ') - allow $1 tmpfs_t:dir search; + allow $1 tmpfs_t:dir search_dir_perms; ') ######################################## @@ -2675,7 +2648,7 @@ interface(`fs_list_tmpfs',` type tmpfs_t; ') - allow $1 tmpfs_t:dir r_dir_perms; + allow $1 tmpfs_t:dir list_dir_perms; ') ######################################## @@ -2694,7 +2667,7 @@ interface(`fs_dontaudit_list_tmpfs',` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir r_dir_perms; + dontaudit $1 tmpfs_t:dir list_dir_perms; ') ######################################## @@ -2713,7 +2686,7 @@ interface(`fs_manage_tmpfs_dirs',` type tmpfs_t; ') - allow $1 tmpfs_t:dir create_dir_perms; + allow $1 tmpfs_t:dir manage_dir_perms; ') ######################################## @@ -2743,8 +2716,7 @@ interface(`fs_tmpfs_filetrans',` ') allow $2 tmpfs_t:filesystem associate; - allow $1 tmpfs_t:dir rw_dir_perms; - type_transition $1 tmpfs_t:$3 $2; + filetrans_pattern($1,tmpfs_t,$2,$3) ') ######################################## @@ -2800,8 +2772,7 @@ interface(`fs_rw_tmpfs_files',` type tmpfs_t; ') - fs_search_tmpfs($1) - allow $1 tmpfs_t:file rw_file_perms; + rw_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## 
@@ -2819,8 +2790,7 @@ interface(`fs_read_tmpfs_symlinks',` type tmpfs_t; ') - fs_search_tmpfs($1) - allow $1 tmpfs_t:lnk_file read; + read_lnk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2838,8 +2808,8 @@ interface(`fs_rw_tmpfs_chr_files',` type tmpfs_t; ') - allow $1 tmpfs_t:dir r_dir_perms; - allow $1 tmpfs_t:chr_file rw_file_perms; + allow $1 tmpfs_t:dir list_dir_perms; + rw_chr_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2857,8 +2827,8 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir r_dir_perms; - dontaudit $1 tmpfs_t:chr_file rw_file_perms; + dontaudit $1 tmpfs_t:dir list_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ') ######################################## @@ -2876,8 +2846,8 @@ interface(`fs_relabel_tmpfs_chr_file',` type tmpfs_t; ') - allow $1 tmpfs_t:dir r_dir_perms; - allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; + allow $1 tmpfs_t:dir list_dir_perms; + relabel_chr_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2895,8 +2865,8 @@ interface(`fs_rw_tmpfs_blk_files',` type tmpfs_t; ') - allow $1 tmpfs_t:dir r_dir_perms; - allow $1 tmpfs_t:blk_file rw_file_perms; + allow $1 tmpfs_t:dir list_dir_perms; + rw_blk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2914,8 +2884,8 @@ interface(`fs_relabel_tmpfs_blk_file',` type tmpfs_t; ') - allow $1 tmpfs_t:dir r_dir_perms; - allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; + allow $1 tmpfs_t:dir list_dir_perms; + relabel_blk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2934,8 +2904,7 @@ interface(`fs_manage_tmpfs_files',` type tmpfs_t; ') - allow $1 tmpfs_t:dir rw_dir_perms; - allow $1 tmpfs_t:file create_file_perms; + manage_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## 
@@ -2954,8 +2923,7 @@ interface(`fs_manage_tmpfs_symlinks',` type tmpfs_t; ') - allow $1 tmpfs_t:dir rw_dir_perms; - allow $1 tmpfs_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2974,8 +2942,7 @@ interface(`fs_manage_tmpfs_sockets',` type tmpfs_t; ') - allow $1 tmpfs_t:dir rw_dir_perms; - allow $1 tmpfs_t:sock_file create_file_perms; + manage_sock_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -2994,8 +2961,7 @@ interface(`fs_manage_tmpfs_chr_files',` type tmpfs_t; ') - allow $1 tmpfs_t:dir rw_dir_perms; - allow $1 tmpfs_t:chr_file create_file_perms; + manage_chr_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -3014,8 +2980,7 @@ interface(`fs_manage_tmpfs_blk_files',` type tmpfs_t; ') - allow $1 tmpfs_t:dir rw_dir_perms; - allow $1 tmpfs_t:blk_file create_file_perms; + manage_blk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## @@ -3220,7 +3185,7 @@ interface(`fs_list_all',` attribute filesystem_type; ') - allow $1 filesystem_type:dir r_dir_perms; + allow $1 filesystem_type:dir list_dir_perms; ') ######################################## @@ -3239,8 +3204,7 @@ interface(`fs_getattr_all_files',` attribute filesystem_type; ') - allow $1 filesystem_type:dir { search getattr }; - allow $1 filesystem_type:file getattr; + getattr_files_pattern($1,filesystem_type,filesystem_type) ') ######################################## @@ -3259,8 +3223,7 @@ interface(`fs_getattr_all_symlinks',` attribute filesystem_type; ') - allow $1 filesystem_type:dir { search getattr }; - allow $1 filesystem_type:lnk_file getattr; + getattr_lnk_files_pattern($1,filesystem_type,filesystem_type) ') ######################################## 
@@ -3279,8 +3242,7 @@ interface(`fs_getattr_all_pipes',` attribute filesystem_type; ') - allow $1 filesystem_type:dir { search getattr }; - allow $1 filesystem_type:fifo_file getattr; + getattr_fifo_files_pattern($1,filesystem_type,filesystem_type) ') ######################################## @@ -3299,8 +3261,7 @@ interface(`fs_getattr_all_sockets',` attribute filesystem_type; ') - allow $1 filesystem_type:dir { search getattr }; - allow $1 filesystem_type:sock_file getattr; + getattr_sock_files_pattern($1,filesystem_type,filesystem_type) ') ######################################## @@ -3413,11 +3374,12 @@ interface(`fs_relabelfrom_noxattr_fs',` attribute noxattrfs; ') - allow $1 noxattrfs:dir { list_dir_perms relabelfrom }; - allow $1 noxattrfs:file { getattr relabelfrom }; - allow $1 noxattrfs:lnk_file { getattr relabelfrom }; - allow $1 noxattrfs:fifo_file { getattr relabelfrom }; - allow $1 noxattrfs:sock_file { getattr relabelfrom }; - allow $1 noxattrfs:blk_file { getattr relabelfrom }; - allow $1 noxattrfs:chr_file { getattr relabelfrom }; + allow $1 noxattrfs:dir list_dir_perms; + relabelfrom_dirs_pattern($1,noxattrfs,noxattrfs) + relabelfrom_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_lnk_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_fifo_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_sock_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 14194f2..1b65900 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -27,12 +27,7 @@ interface(`kernel_domtrans_to',` type kernel_t; ') - domain_auto_trans(kernel_t, $2, $1) - - allow kernel_t $1:fd use; - allow $1 kernel_t:fd use; - allow $1 kernel_t:fifo_file rw_file_perms; - allow $1 kernel_t:process sigchld; + domtrans_pattern(kernel_t, $2, $1) ') ######################################## @@ -534,7 +529,7 @@ interface(`kernel_search_debugfs',` type debugfs_t; ') - allow $1 debugfs_t:dir search; + search_dirs_pattern($1,debugfs_t,debugfs_t) ') ######################################## @@ -552,9 +547,9 @@ interface(`kernel_read_debugfs',` type debugfs_t; ') - allow $1 debugfs_t:dir r_dir_perms; - allow $1 debugfs_t:file r_file_perms; - allow $1 debugfs_t:lnk_file { getattr read }; + read_files_pattern($1,debugfs_t,debugfs_t) + read_lnk_files_pattern($1,debugfs_t,debugfs_t) + list_dirs_pattern($1,debugfs_t,debugfs_t) ') ######################################## @@ -608,7 +603,7 @@ interface(`kernel_search_proc',` type proc_t; ') - allow $1 proc_t:dir search; + search_dirs_pattern($1,proc_t,proc_t) ') ######################################## @@ -626,7 +621,7 @@ interface(`kernel_list_proc',` type proc_t; ') - allow $1 proc_t:dir r_dir_perms; + list_dirs_pattern($1,proc_t,proc_t) ') ######################################## @@ -663,8 +658,7 @@ interface(`kernel_getattr_proc_files',` type proc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_t:file getattr; + getattr_files_pattern($1,proc_t,proc_t) ') ######################################## @@ -682,8 +676,7 @@ interface(`kernel_read_proc_symlinks',` type proc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_t:lnk_file { getattr read }; + read_lnk_files_pattern($1,proc_t,proc_t) ') ######################################## 
@@ -702,9 +695,10 @@ interface(`kernel_read_system_state',` type proc_t; ') - allow $1 proc_t:dir r_dir_perms; - allow $1 proc_t:lnk_file { getattr read }; - allow $1 proc_t:file r_file_perms; + read_files_pattern($1,proc_t,proc_t) + read_lnk_files_pattern($1,proc_t,proc_t) + + list_dirs_pattern($1,proc_t,proc_t) ') ######################################## @@ -727,8 +721,7 @@ interface(`kernel_write_proc_files',` type proc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_t:file { append write }; + write_files_pattern($1,proc_t,proc_t) ') ######################################## @@ -785,8 +778,9 @@ interface(`kernel_read_software_raid_state',` type proc_t, proc_mdstat_t; ') - allow $1 proc_t:dir r_dir_perms; - allow $1 proc_mdstat_t:file r_file_perms; + read_files_pattern($1,proc_t,proc_mdstat_t) + + list_dirs_pattern($1,proc_t,proc_t) ') ####################################### @@ -804,8 +798,9 @@ interface(`kernel_rw_software_raid_state',` type proc_t, proc_mdstat_t; ') - allow $1 proc_t:dir r_dir_perms; - allow $1 proc_mdstat_t:file rw_file_perms; + rw_files_pattern($1,proc_t,proc_mdstat_t) + + list_dirs_pattern($1,proc_t,proc_t) ') ######################################## @@ -823,8 +818,9 @@ interface(`kernel_getattr_core_if',` type proc_t, proc_kcore_t; ') - allow $1 proc_t:dir r_dir_perms; - allow $1 proc_kcore_t:file getattr; + getattr_files_pattern($1,proc_t,proc_kcore_t) + + list_dirs_pattern($1,proc_t,proc_t) ') ######################################## @@ -863,8 +859,8 @@ interface(`kernel_read_messages',` type proc_kmsg_t, proc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_kmsg_t:file r_file_perms; + read_files_pattern($1,proc_t,proc_kmsg_t) + typeattribute $1 can_receive_kernel_messages; ') @@ -884,8 +880,7 @@ interface(`kernel_getattr_message_if',` type proc_kmsg_t, proc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_kmsg_t:file getattr; + getattr_files_pattern($1,proc_t,proc_kmsg_t) ') ######################################## 
@@ -943,7 +938,7 @@ interface(`kernel_search_network_state',`
 type proc_net_t;
 ')
 
- allow $1 proc_net_t:dir search;
+ search_dirs_pattern($1,proc_t,proc_net_t)
 ')
 
 ########################################
@@ -962,10 +957,10 @@ interface(`kernel_read_network_state',`
 type proc_t, proc_net_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir r_dir_perms;
- allow $1 proc_net_t:file r_file_perms;
- allow $1 proc_net_t:lnk_file { getattr read };
+ read_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+ read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+
+ list_dirs_pattern($1,proc_t,proc_net_t)
 ')
 
 ########################################
@@ -983,9 +978,9 @@ interface(`kernel_read_network_state_symlinks',`
 type proc_t, proc_net_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir r_dir_perms;
- allow $1 proc_net_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+
+ list_dirs_pattern($1,proc_t,proc_net_t)
 ')
 
 ########################################
@@ -1004,8 +999,7 @@ interface(`kernel_search_xen_state',`
 type proc_t, proc_xen_t;
 ')
 
- allow $1 proc_t:dir search_dir_perms;
- allow $1 proc_xen_t:dir search_dir_perms;
+ search_dirs_pattern($1,proc_t,proc_xen_t)
 ')
 
 ########################################
@@ -1044,10 +1038,10 @@ interface(`kernel_read_xen_state',`
 type proc_t, proc_xen_t;
 ')
 
- allow $1 proc_t:dir search_dir_perms;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:file r_file_perms;
- allow $1 proc_xen_t:lnk_file { getattr read };
+ read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+ read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+
+ list_dirs_pattern($1,proc_t,proc_xen_t)
 ')
 
 ########################################
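Review bot: `search_dirs_pattern($1,proc_t,proc_net_t)` in kernel_search_network_state references proc_t, but the gen_require block visible in the hunk declares only `type proc_net_t;`, so a module that calls this interface without proc_t otherwise in scope should fail to build with an out-of-scope type error; kernel_read_sysctl on the next line has the same problem with `list_dirs_pattern($1,proc_t,sysctl_t)` against `type sysctl_t;`. Unless a line above the hunk already requires it, the fix is `type proc_t, proc_net_t;` here and `type proc_t, sysctl_t;` there, matching how the neighbouring interfaces list both types. The gen_require opener of each interface is outside the hunk.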
@@ -1066,9 +1060,9 @@ interface(`kernel_read_xen_state_symlinks',`
 type proc_t, proc_xen_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+
+ list_dirs_pattern($1,proc_t,proc_xen_t)
 ')
 
 ########################################
@@ -1087,9 +1081,7 @@ interface(`kernel_write_xen_state',`
 type proc_t, proc_xen_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:file write;
+ write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
 ')
 
 ########################################
@@ -1146,7 +1138,7 @@ interface(`kernel_read_sysctl',`
 type sysctl_t;
 ')
 
- allow $1 sysctl_t:dir r_dir_perms;
+ list_dirs_pattern($1,proc_t,sysctl_t)
 ')
 
 ########################################
@@ -1165,10 +1157,9 @@ interface(`kernel_read_device_sysctls',`
 type proc_t, sysctl_t, sysctl_dev_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
 ')
 
 ########################################
@@ -1187,9 +1178,9 @@ interface(`kernel_rw_device_sysctls',`
 type proc_t, sysctl_t, sysctl_dev_t;
 ')
 
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
 ')
 
 ########################################
@@ -1207,7 +1198,7 @@ interface(`kernel_search_vm_sysctl',`
 type proc_t, sysctl_t, sysctl_vm_t;
 ')
 
- allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
+ search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
 ')
 
 ########################################
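Review bot: `list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)` in kernel_read_device_sysctls grants only search on the middle types, so sysctl_t drops from the old `r_dir_perms` to search-only while sysctl_dev_t keeps list access; the same demotion of sysctl_t recurs in kernel_rw_device_sysctls here and in every kernel_read_*/kernel_rw_* sysctl interface on the following lines (vm, net, unix, hotplug, modprobe, kernel, fs). Restricting traversal of /proc/sys to search is a reasonable tightening, but it is not the behaviour-preserving conversion the rest of the commit performs and the Changelog entry does not mention it; a caller that enumerates /proc/sys will now surface as a `sysctl_t:dir read` denial. If the tightening is intended, a short comment above the first such use, e.g. `# intermediate sysctl dirs are search-only; only the leaf dir is listable`, would record the decision for the next person chasing that denial.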
@@ -1226,9 +1217,9 @@ interface(`kernel_read_vm_sysctls',` type proc_t, sysctl_t, sysctl_vm_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_vm_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t) ') ######################################## @@ -1247,10 +1238,8 @@ interface(`kernel_rw_vm_sysctls',` type proc_t, sysctl_t, sysctl_vm_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_vm_t:dir list_dir_perms; - allow $1 sysctl_vm_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t) + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t) # hal needs this allow $1 sysctl_vm_t:dir write; @@ -1271,7 +1260,7 @@ interface(`kernel_search_network_sysctl',` type proc_t, sysctl_t, sysctl_net_t; ') - allow $1 { proc_t sysctl_t sysctl_net_t }:dir search; + search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ') ######################################## @@ -1308,10 +1297,9 @@ interface(`kernel_read_net_sysctls',` type proc_t, sysctl_t, sysctl_net_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_net_t:dir r_dir_perms; - allow $1 sysctl_net_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ') ######################################## @@ -1330,10 +1318,9 @@ interface(`kernel_rw_net_sysctls',` type proc_t, sysctl_t, sysctl_net_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_net_t:dir r_dir_perms; - allow $1 sysctl_net_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ') ######################################## 
@@ -1353,10 +1340,9 @@ interface(`kernel_read_unix_sysctls',` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_net_t:dir r_dir_perms; - allow $1 sysctl_net_unix_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ') ######################################## @@ -1376,10 +1362,9 @@ interface(`kernel_rw_unix_sysctls',` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_net_t:dir r_dir_perms; - allow $1 sysctl_net_unix_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ') ######################################## @@ -1398,10 +1383,9 @@ interface(`kernel_read_hotplug_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_hotplug_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## @@ -1420,10 +1404,9 @@ interface(`kernel_rw_hotplug_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_hotplug_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## 
@@ -1442,10 +1425,9 @@ interface(`kernel_read_modprobe_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_modprobe_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## @@ -1464,10 +1446,9 @@ interface(`kernel_rw_modprobe_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_modprobe_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## @@ -1503,10 +1484,9 @@ interface(`kernel_read_kernel_sysctls',` type proc_t, sysctl_t, sysctl_kernel_t; ') - allow $1 proc_t:dir search_dir_perms; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## @@ -1543,10 +1523,9 @@ interface(`kernel_rw_kernel_sysctl',` type proc_t, sysctl_t, sysctl_kernel_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:dir r_dir_perms; - allow $1 sysctl_kernel_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ') ######################################## 
@@ -1565,10 +1544,9 @@ interface(`kernel_read_fs_sysctls',` type proc_t, sysctl_t, sysctl_fs_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_fs_t:dir r_dir_perms; - allow $1 sysctl_fs_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t) ') ######################################## @@ -1587,10 +1565,9 @@ interface(`kernel_rw_fs_sysctls',` type proc_t, sysctl_t, sysctl_fs_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_t:dir r_dir_perms; - allow $1 sysctl_fs_t:dir r_dir_perms; - allow $1 sysctl_fs_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t) + + list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t) ') ######################################## @@ -1609,9 +1586,9 @@ interface(`kernel_read_irq_sysctls',` type proc_t, sysctl_irq_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_irq_t:dir r_dir_perms; - allow $1 sysctl_irq_t:file r_file_perms; + read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t) + + list_dirs_pattern($1,proc_t,sysctl_irq_t) ') ######################################## @@ -1630,9 +1607,9 @@ interface(`kernel_rw_irq_sysctls',` type proc_t, sysctl_irq_t; ') - allow $1 proc_t:dir search; - allow $1 sysctl_irq_t:dir r_dir_perms; - allow $1 sysctl_irq_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t) + + list_dirs_pattern($1,proc_t,sysctl_irq_t) ') ######################################## @@ -1651,10 +1628,9 @@ interface(`kernel_read_rpc_sysctls',` type proc_t, proc_net_t, sysctl_rpc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_net_t:dir search; - allow $1 sysctl_rpc_t:dir r_dir_perms; - allow $1 sysctl_rpc_t:file r_file_perms; + read_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t) + + list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t) ') ######################################## 
@@ -1673,10 +1649,9 @@ interface(`kernel_rw_rpc_sysctls',` type proc_t, proc_net_t, sysctl_rpc_t; ') - allow $1 proc_t:dir search; - allow $1 proc_net_t:dir search; - allow $1 sysctl_rpc_t:dir r_dir_perms; - allow $1 sysctl_rpc_t:file rw_file_perms; + rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t) + + list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t) ') ######################################## @@ -1715,10 +1690,9 @@ interface(`kernel_read_all_sysctls',` ') # proc_net_t for /proc/net/rpc sysctls - allow $1 { proc_t proc_net_t }:dir search; + read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type) - allow $1 sysctl_type:dir r_dir_perms; - allow $1 sysctl_type:file r_file_perms; + list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type) ') ######################################## @@ -1739,10 +1713,11 @@ interface(`kernel_rw_all_sysctls',` ') # proc_net_t for /proc/net/rpc sysctls - allow $1 { proc_t proc_net_t }:dir search; + rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type) - allow $1 sysctl_type:dir r_dir_perms; - allow $1 sysctl_type:file { rw_file_perms setattr }; + allow $1 sysctl_type:dir list_dir_perms; + # why is setattr needed? + allow $1 sysctl_type:file setattr; ') ######################################## @@ -1850,7 +1825,7 @@ interface(`kernel_list_unlabeled',` type unlabeled_t; ') - allow $1 unlabeled_t:dir r_dir_perms; + allow $1 unlabeled_t:dir list_dir_perms; ') ######################################## diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 4ee5f72..bc7c840 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -99,7 +99,7 @@ interface(`storage_raw_read_fixed_disk',` ') dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file r_file_perms; + allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; typeattribute $1 fixed_disk_raw_read; ') 
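Review bot: The new `# why is setattr needed?` in kernel_rw_all_sysctls leaves an open question in the policy without saying how to resolve it, directly above a rule that grants attribute changes on every sysctl file. Since the commit deliberately split `setattr` out of the old `{ rw_file_perms setattr }` rather than dropping it, the comment should record the intent and the follow-up, e.g. `# setattr carried over from the pre-pattern rule; no caller is known to need it -- remove once callers are audited`. A broad interface like this is where unexplained extra permissions tend to persist for years.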
@@ -143,7 +143,7 @@ interface(`storage_raw_write_fixed_disk',` ') dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl }; + allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; typeattribute $1 fixed_disk_raw_write; ') @@ -164,7 +164,7 @@ interface(`storage_dontaudit_write_fixed_disk',` ') - dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl }; + dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; ') ######################################## @@ -184,7 +184,7 @@ interface(`storage_manage_fixed_disk',` ') dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file create_file_perms; + allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') @@ -242,7 +242,7 @@ interface(`storage_relabel_fixed_disk',` ') dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto }; + allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; ') ######################################## @@ -325,7 +325,7 @@ interface(`storage_read_scsi_generic',` ') dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file r_file_perms; + allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; typeattribute $1 scsi_generic_read; ') @@ -350,7 +350,7 @@ interface(`storage_write_scsi_generic',` ') dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file { getattr write ioctl }; + allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; typeattribute $1 scsi_generic_write; ') @@ -511,7 +511,7 @@ interface(`storage_raw_read_removable_device',` ') dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file r_file_perms; + allow $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## 
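Review bot: `dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;` in storage_dontaudit_write_fixed_disk widens the suppressed set: the old rule was `{ write append ioctl }`, and the sibling storage_raw_write_fixed_disk hunk shows write_blk_file_perms standing in for `{ getattr write append ioctl }`, so getattr denials on raw disk nodes are now silenced as well. Every permission added to a dontaudit on a raw-disk device is one less signal in the audit log; if only write-path noise is meant to be suppressed, keep the explicit `{ write append ioctl }` instead of the full set. storage_dontaudit_raw_write_removable_device on the next line has the same widening.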
@@ -529,7 +529,7 @@ interface(`storage_dontaudit_raw_read_removable_device',` type removable_device_t; ') - dontaudit $1 removable_device_t:blk_file r_file_perms; + dontaudit $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## @@ -552,7 +552,7 @@ interface(`storage_raw_write_removable_device',` ') dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file { getattr write ioctl }; + allow $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## @@ -570,7 +570,7 @@ interface(`storage_dontaudit_raw_write_removable_device',` type removable_device_t; ') - dontaudit $1 removable_device_t:blk_file { write append ioctl }; + dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## @@ -590,7 +590,7 @@ interface(`storage_read_tape',` ') dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file r_file_perms; + allow $1 tape_device_t:chr_file read_chr_file_perms; ') ######################################## @@ -610,7 +610,7 @@ interface(`storage_write_tape',` ') dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file { getattr write ioctl }; + allow $1 tape_device_t:chr_file write_chr_file_perms; ') ######################################## diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index a73376b..1e2d703 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -153,7 +153,7 @@ interface(`term_create_pty',` dev_list_all_dev_nodes($1) allow $1 ptmx_t:chr_file rw_file_perms; - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; allow $1 devpts_t:filesystem getattr; dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; type_transition $1 devpts_t:chr_file $2; 
@@ -178,7 +178,7 @@ interface(`term_use_all_terms',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; ') @@ -199,7 +199,7 @@ interface(`term_write_console',` ') dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file { getattr write append }; + allow $1 console_device_t:chr_file write_chr_file_perms; ') ######################################## @@ -219,7 +219,7 @@ interface(`term_read_console',` ') dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file read; + allow $1 console_device_t:chr_file read_chr_file_perms; ') ######################################## @@ -239,7 +239,7 @@ interface(`term_use_console',` ') dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file rw_file_perms; + allow $1 console_device_t:chr_file rw_chr_file_perms; ') ######################################## @@ -258,7 +258,7 @@ interface(`term_dontaudit_use_console',` type console_device_t; ') - dontaudit $1 console_device_t:chr_file rw_file_perms; + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ') ######################################## @@ -294,12 +294,11 @@ interface(`term_setattr_console',` # interface(`term_create_console_dev',` gen_require(` - type device_t, console_device_t; + type console_device_t; ') - allow $1 device_t:dir add_entry_dir_perms; + dev_add_entry_generic_dirs($1) allow $1 console_device_t:chr_file create; - allow $1 self:capability mknod; ') @@ -356,7 +355,7 @@ interface(`term_search_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; + allow $1 devpts_t:dir search_dir_perms; ') ######################################## @@ -376,7 +375,7 @@ interface(`term_dontaudit_search_ptys',` ') dev_dontaudit_list_all_dev_nodes($1) - dontaudit $1 devpts_t:dir search; + dontaudit $1 devpts_t:dir search_dir_perms; ') ######################################## 
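Review bot: `allow $1 console_device_t:chr_file read_chr_file_perms;` in term_read_console is not a behaviour-preserving conversion: the old rule granted bare `read`, and read_chr_file_perms replaces r_file_perms one-for-one in storage.if on the preceding lines, so if it carries the ioctl and lock permissions r_file_perms did, every caller of a read-only console interface now also gets ioctl on the console device. ioctl on a terminal is a much larger surface than read; if callers only need to read, `allow $1 console_device_t:chr_file { getattr read };` keeps the interface honest to its name, and any caller that really needs ioctl should use term_use_console.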
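Review bot: The removal of `allow $1 self:capability mknod;` from term_create_console_dev is a semantic change buried in a macro conversion: creating a chr_file requires CAP_MKNOD, so callers that relied on this interface for it will now see a `capability mknod` denial unless their own policy grants it, and the Changelog entry covers only the permission-set changes. Either keep the line, or state in the interface's description (above the hunk) that the caller must hold mknod itself so the expectation is explicit.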
@@ -396,7 +395,7 @@ interface(`term_list_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; ') ######################################## @@ -434,7 +433,7 @@ interface(`term_dontaudit_manage_pty_dirs',` type devpts_t; ') - dontaudit $1 devpts_t:dir create_dir_perms; + dontaudit $1 devpts_t:dir manage_dir_perms; ') ######################################## @@ -575,6 +574,7 @@ interface(`term_use_ptmx',` type ptmx_t; ') + dev_list_all_dev_nodes($1) allow $1 ptmx_t:chr_file rw_file_perms; ') @@ -615,7 +615,7 @@ interface(`term_getattr_all_user_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; allow $1 ptynode:chr_file getattr; ') @@ -657,7 +657,7 @@ interface(`term_setattr_all_user_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; allow $1 ptynode:chr_file setattr; ') @@ -697,7 +697,7 @@ interface(`term_use_all_user_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:dir list_dir_perms; allow $1 ptynode:chr_file { rw_term_perms lock append }; ') @@ -738,8 +738,7 @@ interface(`term_relabel_all_user_ptys',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 ptynode:chr_file { relabelfrom relabelto }; + relabel_chr_files_pattern($1,devpts_t,ptynode) ') ######################################## diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te index d61c92d..6d44970 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te 
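Review bot: `dev_list_all_dev_nodes($1)` added to term_use_ptmx grants every caller list access to all of /dev, an addition unrelated to the pattern conversion and not covered by the Changelog entry. If the aim is only to let callers open /dev/ptmx by path, a search-only grant on the device directory would be the least privilege; otherwise a one-line comment such as `# callers open /dev/ptmx by path` would justify why listing rather than search is needed here.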
@@ -67,37 +67,25 @@ allow afs_bosserver_t self:udp_socket create_socket_perms; can_exec(afs_bosserver_t,afs_bosserver_exec_t) -allow afs_bosserver_t afs_config_t:file manage_file_perms; -allow afs_bosserver_t afs_config_t:dir manage_dir_perms; +manage_dirs_pattern(afs_bosserver_t,afs_config_t,afs_config_t) +manage_files_pattern(afs_bosserver_t,afs_config_t,afs_config_t) allow afs_bosserver_t afs_dbdir_t:dir { search read getattr }; allow afs_bosserver_t afs_fsserver_t:process signal_perms; -domain_auto_trans(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) -allow afs_fsserver_t afs_bosserver_t:fd use; -allow afs_fsserver_t afs_bosserver_t:fifo_file rw_file_perms; -allow afs_fsserver_t afs_bosserver_t:process sigchld; +domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) allow afs_bosserver_t afs_kaserver_t:process signal_perms; -domain_auto_trans(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) -allow afs_kaserver_t afs_bosserver_t:fd use; -allow afs_kaserver_t afs_bosserver_t:fifo_file rw_file_perms; -allow afs_kaserver_t afs_bosserver_t:process sigchld; +domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) -allow afs_bosserver_t afs_logfile_t:file create_file_perms; -allow afs_bosserver_t afs_logfile_t:dir create_dir_perms; +allow afs_bosserver_t afs_logfile_t:file manage_file_perms; +allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; allow afs_bosserver_t afs_ptserver_t:process signal_perms; -domain_auto_trans(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) -allow afs_ptserver_t afs_bosserver_t:fd use; -allow afs_ptserver_t afs_bosserver_t:fifo_file rw_file_perms; -allow afs_ptserver_t afs_bosserver_t:process sigchld; +domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) allow afs_bosserver_t afs_vlserver_t:process signal_perms; -domain_auto_trans(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) -allow afs_vlserver_t afs_bosserver_t:fd use; -allow afs_vlserver_t 
afs_bosserver_t:fifo_file rw_file_perms; -allow afs_vlserver_t afs_bosserver_t:process sigchld; +domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) kernel_read_kernel_sysctls(afs_bosserver_t) 
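Review bot: `allow afs_bosserver_t afs_logfile_t:file manage_file_perms;` and the matching `:dir manage_dir_perms;` line are the only log-file rules in afs.te converted to raw permission sets; the equivalent rules for afs_fsserver_t, afs_kaserver_t, afs_ptserver_t and afs_vlserver_t in the following hunks become manage_dirs_pattern/manage_files_pattern calls. For consistency within the file use `manage_dirs_pattern(afs_bosserver_t,afs_logfile_t,afs_logfile_t)` and `manage_files_pattern(afs_bosserver_t,afs_logfile_t,afs_logfile_t)` here too, as the same hunk already does for afs_config_t two rules earlier.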
@@ -133,29 +121,28 @@ sysnet_read_config(afs_bosserver_t) allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; dontaudit afs_fsserver_t self:capability fsetid; allow afs_fsserver_t self:process { setsched signal_perms }; -allow afs_fsserver_t self:fifo_file rw_file_perms; +allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; allow afs_fsserver_t self:udp_socket create_socket_perms; -allow afs_fsserver_t afs_config_t:file r_file_perms; -allow afs_fsserver_t afs_config_t:dir r_dir_perms; +read_files_pattern(afs_fsserver_t,afs_config_t,afs_config_t) +allow afs_fsserver_t afs_config_t:dir list_dir_perms; -allow afs_fsserver_t afs_config_t:file manage_file_perms; -allow afs_fsserver_t afs_config_t:dir manage_dir_perms; +manage_dirs_pattern(afs_fsserver_t,afs_config_t,afs_config_t) +manage_files_pattern(afs_fsserver_t,afs_config_t,afs_config_t) allow afs_fsserver_t afs_files_t:filesystem getattr; -allow afs_fsserver_t afs_files_t:dir manage_dir_perms; -allow afs_fsserver_t afs_files_t:file manage_file_perms; -allow afs_fsserver_t afs_files_t:lnk_file create_lnk_perms; -allow afs_fsserver_t afs_files_t:sock_file manage_file_perms; -allow afs_fsserver_t afs_files_t:fifo_file manage_file_perms; -type_transition afs_fsserver_t afs_config_t:{ file lnk_file sock_file fifo_file } afs_files_t; -allow afs_fsserver_t afs_config_t:dir rw_dir_perms; +manage_dirs_pattern(afs_fsserver_t,afs_files_t,afs_files_t) +manage_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t) +manage_lnk_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t) +manage_fifo_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t) +manage_sock_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t) +filetrans_pattern(afs_fsserver_t,afs_config_t,afs_files_t,{ file lnk_file sock_file fifo_file }) can_exec(afs_fsserver_t, afs_fsserver_exec_t) -allow afs_fsserver_t afs_logfile_t:file create_file_perms; -allow afs_fsserver_t 
afs_logfile_t:dir create_dir_perms; +manage_dirs_pattern(afs_fsserver_t,afs_logfile_t,afs_logfile_t) +manage_files_pattern(afs_fsserver_t,afs_logfile_t,afs_logfile_t) kernel_read_system_state(afs_fsserver_t) kernel_read_kernel_sysctls(afs_fsserver_t) @@ -209,15 +196,13 @@ allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; allow afs_kaserver_t self:udp_socket create_socket_perms; -allow afs_kaserver_t afs_config_t:file manage_file_perms; -allow afs_kaserver_t afs_config_t:dir rw_dir_perms; +manage_files_pattern(afs_kaserver_t,afs_config_t,afs_config_t) -allow afs_kaserver_t afs_ka_db_t:file manage_file_perms; -allow afs_kaserver_t afs_dbdir_t:dir rw_dir_perms; -type_transition afs_kaserver_t afs_dbdir_t:file afs_ka_db_t; +manage_files_pattern(afs_kaserver_t,afs_dbdir_t,afs_ka_db_t) +filetrans_pattern(afs_kaserver_t,afs_dbdir_t,afs_ka_db_t,file) -allow afs_kaserver_t afs_logfile_t:file manage_file_perms; -allow afs_kaserver_t afs_logfile_t:dir manage_dir_perms; +manage_dirs_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t) +manage_files_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t) kernel_read_kernel_sysctls(afs_kaserver_t) 
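Review bot: `read_files_pattern(afs_fsserver_t,afs_config_t,afs_config_t)` and `allow afs_fsserver_t afs_config_t:dir list_dir_perms;` are fully subsumed by the `manage_dirs_pattern`/`manage_files_pattern` calls on afs_config_t two lines later, so the domain's access to its config directory is stated twice. The redundancy predates the change, but the conversion was the moment to drop the two read lines so a reader auditing afs_fsserver_t sees one rule set per type. The hunk begins on the previous line.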
@@ -259,15 +244,14 @@ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; allow afs_ptserver_t self:udp_socket create_socket_perms; -allow afs_ptserver_t afs_config_t:file r_file_perms; -allow afs_ptserver_t afs_config_t:dir r_dir_perms; +read_files_pattern(afs_ptserver_t,afs_config_t,afs_config_t) +allow afs_ptserver_t afs_config_t:dir list_dir_perms; -allow afs_ptserver_t afs_logfile_t:file create_file_perms; -allow afs_ptserver_t afs_logfile_t:dir create_dir_perms; +manage_dirs_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t) +manage_files_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t) -allow afs_ptserver_t afs_pt_db_t:file manage_file_perms; -allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms; -type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t; +manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t) +filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file) corenet_non_ipsec_sendrecv(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) 
@@ -301,15 +285,14 @@ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; allow afs_vlserver_t self:udp_socket create_socket_perms; -allow afs_vlserver_t afs_config_t:file r_file_perms; -allow afs_vlserver_t afs_config_t:dir r_dir_perms; +read_files_pattern(afs_vlserver_t,afs_config_t,afs_config_t) +allow afs_vlserver_t afs_config_t:dir list_dir_perms; -allow afs_vlserver_t afs_logfile_t:file create_file_perms; -allow afs_vlserver_t afs_logfile_t:dir create_dir_perms; +manage_dirs_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t) +manage_files_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t) -allow afs_vlserver_t afs_vl_db_t:file manage_file_perms; -allow afs_vlserver_t afs_dbdir_t:dir rw_dir_perms; -type_transition afs_vlserver_t afs_dbdir_t:file afs_vl_db_t; +manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t) +filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file) corenet_non_ipsec_sendrecv(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if index 7723362..2e5f50d 100644 --- a/policy/modules/services/aide.if +++ b/policy/modules/services/aide.if @@ -16,11 +16,7 @@ interface(`aide_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1,aide_exec_t,aide_t) - - allow aide_t $1:fd use; - allow aide_t $1:fifo_file rw_file_perms; - allow aide_t $1:process sigchld; + domtrans_pattern($1,aide_exec_t,aide_t) ') @@ -51,5 +47,5 @@ interface(`aide_run',` aide_domtrans($1) role $2 types aide_t; - allow aide_t $3:chr_file rw_file_perms; + allow aide_t $3:chr_file rw_chr_file_perms; ') diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te index 620c674..84fe2eb 100644 --- a/policy/modules/services/aide.te +++ b/policy/modules/services/aide.te 
@@ -25,17 +25,15 @@ files_type(aide_db_t) # allow aide_t self:capability { dac_override fowner }; -# audit -allow aide_t self:capability audit_write; -allow aide_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +send_audit_msgs_pattern(aide_t) # database actions -allow aide_t aide_db_t:dir rw_dir_perms; -allow aide_t aide_db_t:file manage_file_perms; +manage_files_pattern(aide_t,aide_db_t,aide_db_t) # logs -logging_log_filetrans(aide_t,aide_log_t,file) allow aide_t aide_log_t:file manage_file_perms; +logging_log_filetrans(aide_t,aide_log_t,file) files_read_all_files(aide_t) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index f236899..41fa0b4 100644 --- a/policy/modules/services/amavis.if +++ b/policy/modules/services/amavis.if @@ -18,12 +18,7 @@ interface(`amavis_domtrans',` type amavis_t, amavis_exec_t; ') - domain_auto_trans($1,amavis_exec_t,amavis_t) - - allow $1 amavis_t:fd use; - allow amavis_t $1:fd use; - allow amavis_t $1:fifo_file rw_file_perms; - allow amavis_t $1:process sigchld; + domtrans_pattern($1,amavis_exec_t,amavis_t) ') ######################################## @@ -61,8 +56,8 @@ interface(`amavis_manage_spool_files',` ') files_search_spool($1) - allow $1 amavis_spool_t:dir manage_dir_perms; - allow $1 amavis_spool_t:file manage_file_perms; + manage_dirs_pattern($1,amavis_spool_t,amavis_spool_t) + manage_files_pattern($1,amavis_spool_t,amavis_spool_t) ') ######################################## @@ -92,8 +87,7 @@ interface(`amavis_spool_filetrans',` ') files_search_spool($1) - allow $1 amavis_spool_t:dir rw_dir_perms; - type_transition $1 amavis_spool_t:$3 $2; + filetrans_pattern($1,amavis_spool_t,$2,$3) ') ######################################## 
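Review bot: The `# audit` section comment is removed together with the raw audit rules, so `send_audit_msgs_pattern(aide_t)` is the only rule group in this aide.te hunk without the heading its neighbours `# database actions` and `# logs` keep, and it is preceded by a stray added blank line. Keeping `# audit` directly above the pattern call preserves the file's sectioning at no cost. Moving `logging_log_filetrans(aide_t,aide_log_t,file)` below the `allow aide_t aide_log_t:file manage_file_perms;` rule reads as an ordering change only; if the intent is "grant the permissions, then declare the transition", a one-line comment would save the next reader from checking whether anything else changed.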
@@ -130,7 +124,7 @@ interface(`amavis_read_lib_files',` type amavis_var_lib_t; ') - allow $1 amavis_var_lib_t:file r_file_perms; + read_files_pattern($1,amavis_var_lib_t,amavis_var_lib_t) allow $1 amavis_var_lib_t:dir list_dir_perms; files_search_var_lib($1) ') @@ -151,8 +145,7 @@ interface(`amavis_manage_lib_files',` type amavis_var_lib_t; ') - allow $1 amavis_var_lib_t:file manage_file_perms; - allow $1 amavis_var_lib_t:dir rw_dir_perms; + manage_files_pattern($1,amavis_var_lib_t,amavis_var_lib_t) files_search_var_lib($1) ') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index c26c5d3..ef89f9b 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te 
@@ -46,48 +46,47 @@ files_type(amavis_spool_t) allow amavis_t self:capability { kill chown dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process { signal sigchld signull }; -allow amavis_t self:fifo_file rw_file_perms; +allow amavis_t self:fifo_file rw_fifo_file_perms; allow amavis_t self:unix_stream_socket create_stream_socket_perms; allow amavis_t self:unix_dgram_socket create_socket_perms; allow amavis_t self:tcp_socket { listen accept }; # configuration files -allow amavis_t amavis_etc_t:dir r_dir_perms; -allow amavis_t amavis_etc_t:file r_file_perms; -allow amavis_t amavis_etc_t:lnk_file { getattr read }; +allow amavis_t amavis_etc_t:dir list_dir_perms; +read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t) +read_lnk_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t) # mail quarantine -allow amavis_t amavis_quarantine_t:file create_file_perms; -allow amavis_t amavis_quarantine_t:sock_file create_file_perms; -allow amavis_t amavis_quarantine_t:dir create_dir_perms; +manage_dirs_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t) +manage_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t) +manage_sock_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t) # Spool Files +manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t) +manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t) +manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t) +filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file) files_search_spool(amavis_t) -allow amavis_t amavis_spool_t:dir manage_dir_perms; -allow amavis_t amavis_spool_t:file manage_file_perms; -allow amavis_t amavis_spool_t:sock_file manage_file_perms; -type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t; # tmp files -allow amavis_t amavis_tmp_t:file create_file_perms; -allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr }; +manage_files_pattern(amavis_t,amavis_tmp_t,amavis_tmp_t) +allow amavis_t 
amavis_tmp_t:dir setattr; files_tmp_filetrans(amavis_t,amavis_tmp_t,file) # var/lib files for amavis -allow amavis_t amavis_var_lib_t:file create_file_perms; -allow amavis_t amavis_var_lib_t:sock_file create_file_perms; -allow amavis_t amavis_var_lib_t:dir create_dir_perms; +manage_dirs_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t) +manage_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t) +manage_sock_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t) # log files -allow amavis_t amavis_var_log_t:file create_file_perms; -allow amavis_t amavis_var_log_t:sock_file create_file_perms; -allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr }; +allow amavis_t amavis_var_log_t:dir setattr; +manage_files_pattern(amavis_t,amavis_var_log_t,amavis_var_log_t) +manage_sock_files_pattern(amavis_t,amavis_var_log_t,amavis_var_log_t) logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir }) # pid file -allow amavis_t amavis_var_run_t:file manage_file_perms; -allow amavis_t amavis_var_run_t:sock_file manage_file_perms; -allow amavis_t amavis_var_run_t:dir rw_dir_perms; +manage_files_pattern(amavis_t,amavis_var_run_t,amavis_var_run_t) +manage_sock_files_pattern(amavis_t,amavis_var_run_t,amavis_var_run_t) files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(amavis_t) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 76f9dfa..5b38902 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if 
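Review bot: The `filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)` line under `# Spool Files` needs a comment, because it labels sockets created inside `amavis_spool_t` directories with the pid-file type while the line just above, `manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)`, suggests spool-typed sockets are expected there. Something like `# the daemon's socket is created under the spool dir but is treated as a run-time object` (presumably the reason; please confirm against where amavisd actually creates its socket) would make the intent explicit. The rule itself carries over the removed `type_transition`, so no behaviour change is implied; the manage rules for `amavis_var_run_t` sock files further down are what make the transitioned object usable.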
@@ -51,15 +51,11 @@ template(`apache_content_template',` type httpd_$1_script_ra_t, httpdcontent; # customizable files_type(httpd_$1_script_ra_t) - allow httpd_t httpd_$1_htaccess_t:file r_file_perms; + allow httpd_t httpd_$1_htaccess_t:file read_file_perms; - domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - allow httpd_suexec_t httpd_$1_script_t:fd use; - allow httpd_$1_script_t httpd_suexec_t:fd use; - allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms; - allow httpd_$1_script_t httpd_suexec_t:process sigchld; + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search }; + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; 
@@ -69,28 +65,28 @@ template(`apache_content_template',` dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; + allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; - allow httpd_$1_script_t httpd_log_t:file { getattr append }; - allow httpd_$1_script_t httpd_log_t:dir search; + append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr }; - - allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms; - allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms; - allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read }; - - allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search }; - allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr }; - allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read }; - - allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms; - allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms; - allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; - allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms; - allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms; + allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; + + allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + + allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; + 
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + + manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) kernel_dontaudit_search_sysctl(httpd_$1_script_t) @@ -117,9 +113,10 @@ template(`apache_content_template',` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t httpdcontent:file entrypoint; - allow httpd_$1_script_t httpdcontent:dir create_dir_perms; - allow httpd_$1_script_t httpdcontent:file create_file_perms; - allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms; + + manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) + manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) + manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) can_exec(httpd_$1_script_t, httpdcontent) ') 
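Review bot: In the `httpd_enable_cgi && httpd_unified` block the script domain now receives `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` over the whole `httpdcontent` attribute and, two lines later, `can_exec(httpd_$1_script_t, httpdcontent)` on the same attribute, so in unified mode a script can write content and then execute it; nothing in the block says that collapsing the ro/rw/exec separation is the intended meaning of the tunable. Suggest a heading above the pattern calls such as `# httpd_unified: scripts may create, modify and execute any httpd content type`. The permissions match the removed `create_*_perms` rules, so this is a documentation point only. The enclosing `apache_content_template` continues outside the hunk.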
@@ -129,44 +126,36 @@ template(`apache_content_template',` # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms; - allow httpd_t httpd_$1_script_rw_t:file create_file_perms; - allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; - allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms; - - allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms; - allow httpd_t httpd_$1_script_ra_t:file ra_file_perms; - allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read }; - - allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms; - allow httpd_t httpd_$1_script_ro_t:file r_file_perms; - allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read }; - - allow httpd_t httpd_$1_content_t:dir r_dir_perms; - allow httpd_t httpd_$1_content_t:file r_file_perms; - allow httpd_t httpd_$1_content_t:lnk_file { getattr read }; + manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + + allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + + allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; + read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) + read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t 
httpd_$1_script_exec_t:file entrypoint; # privileged users run the script: - domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - allow httpd_exec_scripts httpd_$1_script_t:fd use; - allow httpd_$1_script_t httpd_exec_scripts:fd use; - allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms; - allow httpd_$1_script_t httpd_exec_scripts:process sigchld; + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) # apache runs the script: - domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - allow httpd_t httpd_$1_script_t:fd use; - allow httpd_$1_script_t httpd_t:fd use; - allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms; - allow httpd_$1_script_t httpd_t:process sigchld; + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; - allow httpd_t httpd_$1_script_exec_t:file r_file_perms; + allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; 
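Review bot: In the `httpd_enable_cgi` block the removed `allow httpd_t httpd_$1_script_exec_t:file r_file_perms;` has no replacement; only the companion `dir` rule is rewritten to `list_dir_perms`. This is probably deliberate because `domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)` a few lines above presumably covers reading and executing the entry point, but the commit does not say so and a later reader is likely to re-add the line. A short comment on the surviving rule, e.g. `# file access to the script exec type comes from domtrans_pattern above`, would record the reasoning. The template continues outside the hunk on both sides.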
@@ -287,45 +276,45 @@ template(`apache_per_role_template', ` allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; - allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom }; - - allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom }; - - allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom }; - - allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom }; - - allow $2 httpd_$1_script_exec_t:dir create_dir_perms; - allow $2 httpd_$1_script_exec_t:file create_file_perms; - allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms; - - allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom }; - allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom }; + allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom }; + + manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) + + manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + 
manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) + + manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) + + manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context - domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t) - allow $2 httpd_$1_script_t:fd use; - allow httpd_$1_script_t $2:fd use; - allow httpd_$1_script_t $2:fifo_file rw_file_perms; - allow httpd_$1_script_t $2:process sigchld; + domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t httpdcontent:file entrypoint; - domain_auto_trans($2, httpdcontent, httpd_$1_script_t) - allow $2 httpd_$1_script_t:fd use; - allow httpd_$1_script_t $2:fd use; - allow httpd_$1_script_t $2:fifo_file rw_file_perms; - allow httpd_$1_script_t $2:process sigchld; + domtrans_pattern($2, 
httpdcontent, httpd_$1_script_t) ') # allow accessing files/dirs below the users home dir @@ -357,9 +346,9 @@ template(`apache_read_user_scripts',` type httpd_$1_script_exec_t; ') - allow $2 httpd_$1_script_exec_t:dir r_dir_perms; - allow $2 httpd_$1_script_exec_t:file r_file_perms; - allow $2 httpd_$1_script_exec_t:lnk_file { getattr read }; + allow $2 httpd_$1_script_exec_t:dir list_dir_perms; + read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) ') ######################################## @@ -383,9 +372,9 @@ template(`apache_read_user_content',` type httpd_$1_content_t; ') - allow $2 httpd_$1_content_t:dir r_dir_perms; - allow $2 httpd_$1_content_t:file r_file_perms; - allow $2 httpd_$1_content_t:lnk_file { getattr read }; + allow $2 httpd_$1_content_t:dir list_dir_perms; + read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) + read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) ') ######################################## @@ -404,12 +393,7 @@ interface(`apache_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1,httpd_exec_t,httpd_t) - - allow $1 httpd_t:fd use; - allow httpd_t $1:fd use; - allow httpd_t $1:fifo_file rw_file_perms; - allow httpd_t $1:process sigchld; + domtrans_pattern($1,httpd_exec_t,httpd_t) ') ######################################## 
@@ -520,14 +504,13 @@ interface(`apache_manage_all_content',` attribute httpdcontent, httpd_script_exec_type; ') - allow $1 httpdcontent:dir manage_dir_perms; - allow $1 httpdcontent:file manage_file_perms; - allow $1 httpdcontent:lnk_file create_lnk_perms; - - allow $1 httpd_script_exec_type:dir manage_dir_perms; - allow $1 httpd_script_exec_type:file manage_file_perms; - allow $1 httpd_script_exec_type:lnk_file create_lnk_perms; + manage_dirs_pattern($1,httpdcontent,httpdcontent) + manage_files_pattern($1,httpdcontent,httpdcontent) + manage_lnk_files_pattern($1,httpdcontent,httpdcontent) + manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type) + manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type) + manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type) ') ######################################## @@ -567,9 +550,9 @@ interface(`apache_read_config',` ') files_search_etc($1) - allow $1 httpd_config_t:dir r_dir_perms; - allow $1 httpd_config_t:file r_file_perms; - allow $1 httpd_config_t:lnk_file { getattr read }; + allow $1 httpd_config_t:dir list_dir_perms; + read_files_pattern($1,httpd_config_t,httpd_config_t) + read_lnk_files_pattern($1,httpd_config_t,httpd_config_t) ') ######################################## @@ -589,9 +572,9 @@ interface(`apache_manage_config',` ') files_search_etc($1) - allow $1 httpd_config_t:dir manage_dir_perms; - allow $1 httpd_config_t:file manage_file_perms; - allow $1 httpd_config_t:lnk_file { getattr read }; + manage_dirs_pattern($1,httpd_config_t,httpd_config_t) + manage_files_pattern($1,httpd_config_t,httpd_config_t) + read_lnk_files_pattern($1,httpd_config_t,httpd_config_t) ') ######################################## 
@@ -611,12 +594,7 @@ interface(`apache_domtrans_helper',` ') corecmd_search_sbin($1) - domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t) - - allow $1 httpd_helper_t:fd use; - allow httpd_helper_t $1:fd use; - allow httpd_helper_t $1:fifo_file rw_file_perms; - allow httpd_helper_t $1:process sigchld; + domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t) ') ######################################## @@ -670,9 +648,9 @@ interface(`apache_read_log',` ') logging_search_logs($1) - allow $1 httpd_log_t:dir r_dir_perms; - allow $1 httpd_log_t:file r_file_perms; - allow $1 httpd_log_t:lnk_file { getattr read }; + allow $1 httpd_log_t:dir list_dir_perms; + read_files_pattern($1,httpd_log_t,httpd_log_t) + read_lnk_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## @@ -692,8 +670,8 @@ interface(`apache_append_log',` ') logging_search_logs($1) - allow $1 httpd_log_t:dir r_dir_perms; - allow $1 httpd_log_t:file append; + allow $1 httpd_log_t:dir list_dir_perms; + append_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## @@ -732,9 +710,9 @@ interface(`apache_manage_log',` ') logging_search_logs($1) - allow $1 httpd_log_t:dir manage_dir_perms; - allow $1 httpd_log_t:file manage_file_perms; - allow $1 httpd_log_t:lnk_file { getattr read }; + manage_dirs_pattern($1,httpd_log_t,httpd_log_t) + manage_files_pattern($1,httpd_log_t,httpd_log_t) + read_lnk_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## @@ -773,7 +751,7 @@ interface(`apache_list_modules',` type httpd_modules_t; ') - allow $1 httpd_modules_t:dir r_dir_perms; + allow $1 httpd_modules_t:dir list_dir_perms; ') ######################################## 
@@ -792,8 +770,8 @@ interface(`apache_exec_modules',` type httpd_modules_t; ') - allow $1 httpd_modules_t:dir r_dir_perms; - allow $1 httpd_modules_t:lnk_file r_file_perms; + allow $1 httpd_modules_t:dir list_dir_perms; + allow $1 httpd_modules_t:lnk_file read_file_perms; can_exec($1,httpd_modules_t) ') @@ -812,11 +790,7 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') - domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t) - - allow httpd_rotatelogs_t $1:fd use; - allow httpd_rotatelogs_t $1:fifo_file rw_file_perms; - allow httpd_rotatelogs_t $1:process sigchld; + domtrans_pattern($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t) ') ######################################## @@ -838,9 +812,9 @@ interface(`apache_manage_sys_content',` ') files_search_var($1) - allow $1 httpd_sys_content_t:dir create_dir_perms; - allow $1 httpd_sys_content_t:file create_file_perms; - allow $1 httpd_sys_content_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1,httpd_sys_content_t,httpd_sys_content_t) + manage_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) + manage_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) ') ######################################## @@ -863,12 +837,7 @@ interface(`apache_domtrans_sys_script',` ') tunable_policy(`httpd_enable_cgi && httpd_unified',` - domain_auto_trans($1, httpdcontent, httpd_sys_script_t) - - allow $1 httpd_sys_script_t:fd use; - allow httpd_sys_script_t $1:fd use; - allow httpd_sys_script_t $1:fifo_file rw_file_perms; - allow httpd_sys_script_t $1:process sigchld; + domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') ') 
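Review bot: `apache_exec_modules` applies the file permission set `read_file_perms` to the `lnk_file` class (`allow $1 httpd_modules_t:lnk_file read_file_perms;`), whereas every other lnk_file rule this commit touches in apache.if, for example `apache_read_config` and `apache_read_log` in the preceding hunks, goes through `read_lnk_files_pattern`. Replacing the line with `read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)` keeps one idiom for symlinks in the module and stops the interface from depending on which permissions the file set happens to contain for that class.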
@@ -1009,9 +978,9 @@ interface(`apache_read_sys_content',` type httpd_sys_content_t; ') - allow $1 httpd_sys_content_t:dir r_dir_perms; - allow $1 httpd_sys_content_t:file { getattr read }; - allow $1 httpd_sys_content_t:lnk_file { getattr read }; + allow $1 httpd_sys_content_t:dir list_dir_perms; + read_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) + read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) ') ######################################## @@ -1029,5 +998,5 @@ interface(`apache_search_sys_script_state',` type httpd_sys_script_t; ') - allow $1 httpd_sys_script_t:dir search; + allow $1 httpd_sys_script_t:dir search_dir_perms; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index a041e6e..b3aa497 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -133,8 +133,8 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -allow httpd_t self:sock_file r_file_perms; -allow httpd_t self:fifo_file rw_file_perms; +allow httpd_t self:sock_file read_sock_file_perms; +allow httpd_t self:fifo_file rw_fifo_file_perms; allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; 
@@ -145,68 +145,68 @@ allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; # Allow httpd_t to put files in /var/cache/httpd etc -allow httpd_t httpd_cache_t:dir create_dir_perms; -allow httpd_t httpd_cache_t:file create_file_perms; -allow httpd_t httpd_cache_t:lnk_file create_lnk_perms; +manage_dirs_pattern(httpd_t,httpd_cache_t,httpd_cache_t) +manage_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t) +manage_lnk_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t) # Allow the httpd_t to read the web servers config files -allow httpd_t httpd_config_t:dir r_dir_perms; -allow httpd_t httpd_config_t:file r_file_perms; -allow httpd_t httpd_config_t:lnk_file { getattr read }; +allow httpd_t httpd_config_t:dir list_dir_perms; +read_files_pattern(httpd_t,httpd_config_t,httpd_config_t) +read_lnk_files_pattern(httpd_t,httpd_config_t,httpd_config_t) can_exec(httpd_t, httpd_exec_t) -allow httpd_t httpd_lock_t:file create_file_perms; +allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t,httpd_lock_t,file) -allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; -allow httpd_t httpd_log_t:file { create ra_file_perms }; -allow httpd_t httpd_log_t:lnk_file read; +allow httpd_t httpd_log_t:dir setattr; +create_files_pattern(httpd_t,httpd_log_t,httpd_log_t) +append_files_pattern(httpd_t,httpd_log_t,httpd_log_t) +read_files_pattern(httpd_t,httpd_log_t,httpd_log_t) +read_lnk_files_pattern(httpd_t,httpd_log_t,httpd_log_t) # cjp: need to refine create interfaces to # cut this back to add_name only logging_log_filetrans(httpd_t,httpd_log_t,file) -allow httpd_t httpd_modules_t:file rx_file_perms; -allow httpd_t httpd_modules_t:dir r_dir_perms; -allow httpd_t httpd_modules_t:lnk_file r_file_perms; +allow httpd_t httpd_modules_t:dir list_dir_perms; +mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) +read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # 
Apache-httpd needs to be able to send signals to the log rotate procs. allow httpd_t httpd_rotatelogs_t:process signal_perms; -allow httpd_t httpd_squirrelmail_t:dir create_dir_perms; -allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms; -allow httpd_t httpd_squirrelmail_t:file create_file_perms; +manage_dirs_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t) +manage_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t) +manage_lnk_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file { getattr read }; -allow httpd_t httpd_sys_content_t:dir r_dir_perms; -allow httpd_t httpd_sys_content_t:file r_file_perms; -allow httpd_t httpd_sys_content_t:lnk_file r_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) +read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) -allow httpd_t httpd_tmp_t:dir create_dir_perms; -allow httpd_t httpd_tmp_t:file create_file_perms; +manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t) +manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir }) -allow httpd_t httpd_tmpfs_t:dir create_dir_perms; -allow httpd_t httpd_tmpfs_t:file create_file_perms; -allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms; -allow httpd_t httpd_tmpfs_t:sock_file create_file_perms; -allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms; +manage_dirs_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t) +manage_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t) +manage_lnk_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t) +manage_fifo_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t) +manage_sock_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow httpd_t httpd_var_lib_t:file create_file_perms; -allow httpd_t httpd_var_lib_t:dir rw_dir_perms; 
+manage_files_pattern(httpd_t,httpd_var_lib_t,httpd_var_lib_t) files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file) -allow httpd_t httpd_var_run_t:file create_file_perms; -allow httpd_t httpd_var_run_t:sock_file create_file_perms; -allow httpd_t httpd_var_run_t:dir rw_dir_perms; +manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) +manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file }) -allow httpd_t squirrelmail_spool_t:dir create_dir_perms; -allow httpd_t squirrelmail_spool_t:file create_file_perms; -allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms; +manage_dirs_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t) +manage_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t) +manage_lnk_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo 
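Review bot: The removed `allow httpd_t httpd_modules_t:lnk_file r_file_perms;` has no counterpart on the new side: the replacement is `allow httpd_t httpd_modules_t:dir list_dir_perms;`, `mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)` and `read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)`, none of which names the `lnk_file` class. The matching interface `apache_exec_modules` in apache.if (previous file in this diff) still grants lnk_file read on `httpd_modules_t`, so after this hunk the daemon itself has less access than the interface hands to callers, and a symlink in the modules directory would show up as a denial. Adding `read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)` beside `read_files_pattern` restores the removed access in the commit's own idiom.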
@@ -330,26 +330,18 @@ tunable_policy(`httpd_can_network_relay',`
 ')
 tunable_policy(`httpd_enable_cgi',`
- domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
- allow httpd_t httpd_unconfined_script_t:fd use;
- allow httpd_unconfined_script_t httpd_t:fd use;
- allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
- allow httpd_unconfined_script_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
- allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
 ')
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
- allow httpd_t httpd_sys_script_t:fd use;
- allow httpd_sys_script_t httpd_t:fd use;
- allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
- allow httpd_sys_script_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
- allow httpd_t httpdcontent:dir create_dir_perms;
- allow httpd_t httpdcontent:file create_file_perms;
- allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+ manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
+ manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
+ manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
 ')
 tunable_policy(`httpd_enable_ftp_server',`
@@ -368,7 +360,6 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 tunable_policy(`httpd_ssi_exec',`
 corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
- allow httpd_t httpd_sys_script_t:fd use;
 allow httpd_sys_script_t httpd_t:fd use;
 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
 allow httpd_sys_script_t httpd_t:process sigchld;
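Review bot: In the `httpd_ssi_exec` hunk only `allow httpd_t httpd_sys_script_t:fd use;` is dropped, while the three hand-written rules after `corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)` remain, including `allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;`, which elsewhere in this commit is rewritten as `rw_fifo_file_perms` (see the `self:fifo_file` rules in the apache.te hunk at -133). Either change that line to `allow httpd_sys_script_t httpd_t:fifo_file rw_fifo_file_perms;` for consistency, or add a comment above the block saying why this shell-based transition keeps explicit fd/fifo/sigchld rules instead of a pattern macro. The closing of the `httpd_ssi_exec` block lies outside the hunk.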
@@ -446,11 +437,7 @@ optional_policy(` # Apache helper local policy # -domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) -allow httpd_t httpd_helper_t:fd use; -allow httpd_helper_t httpd_t:fd use; -allow httpd_helper_t httpd_t:fifo_file rw_file_perms; -allow httpd_helper_t httpd_t:process sigchld; +domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) allow httpd_helper_t httpd_config_t:file { getattr read }; @@ -475,8 +462,8 @@ tunable_policy(`httpd_tty_comm',` allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_php_t self:fd use; -allow httpd_php_t self:fifo_file rw_file_perms; -allow httpd_php_t self:sock_file r_file_perms; +allow httpd_php_t self:fifo_file rw_fifo_file_perms; +allow httpd_php_t self:sock_file read_sock_file_perms; allow httpd_php_t self:unix_dgram_socket create_socket_perms; allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; allow httpd_php_t self:unix_dgram_socket sendto; @@ -486,17 +473,13 @@ allow httpd_php_t self:sem create_sem_perms; allow httpd_php_t self:msgq create_msgq_perms; allow httpd_php_t self:msg { send receive }; -domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) -allow httpd_t httpd_php_t:fd use; -allow httpd_php_t httpd_t:fd use; -allow httpd_php_t httpd_t:fifo_file rw_file_perms; -allow httpd_php_t httpd_t:process sigchld; +domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) # allow php to read and append to apache logfiles -allow httpd_php_t httpd_log_t:file ra_file_perms; +allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; -allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms; -allow httpd_php_t httpd_php_tmp_t:file create_file_perms; +manage_dirs_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t) +manage_files_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t) files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) fs_search_auto_mountpoints(httpd_php_t) 
@@ -529,20 +512,18 @@ ifdef(`targeted_policy',` gen_tunable(httpd_suexec_disable_trans,false) tunable_policy(`httpd_suexec_disable_trans',`',` - domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - allow httpd_t httpd_suexec_t:fd use; - allow httpd_suexec_t httpd_t:fd use; - allow httpd_suexec_t httpd_t:fifo_file rw_file_perms; - allow httpd_suexec_t httpd_t:process sigchld; + domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) ') ') -allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; -allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; +create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) +append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) +read_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) + allow httpd_suexec_t httpd_t:fifo_file getattr; -allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms; -allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms; +manage_dirs_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) +manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) kernel_read_kernel_sysctls(httpd_suexec_t) 
@@ -594,19 +575,11 @@ tunable_policy(`httpd_can_network_connect',` ') tunable_policy(`httpd_enable_cgi',` - domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - allow httpd_suexec_t httpd_unconfined_script_t:fd use; - allow httpd_unconfined_script_t httpd_suexec_t:fd use; - allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms; - allow httpd_unconfined_script_t httpd_suexec_t:process sigchld; + domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` - domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) - allow httpd_suexec_t httpd_sys_script_t:fd use; - allow httpd_sys_script_t httpd_suexec_t:fd use; - allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms; - allow httpd_sys_script_t httpd_suexec_t:process sigchld; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -655,9 +628,9 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; -allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms; -allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms; -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read }; +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -720,8 +693,7 @@ optional_policy(` # httpd_rotatelogs local policy # -allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms; -allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms; +manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if index 8fd6d54..901788f 100644 --- a/policy/modules/services/apm.if +++ b/policy/modules/services/apm.if @@ -16,12 +16,7 @@ interface(`apm_domtrans_client',` ') corecmd_search_bin($1) - domain_auto_trans($1,apm_exec_t,apm_t) - - allow $1 apm_t:fd use; - allow apm_t $1:fd use; - allow apm_t $1:fifo_file rw_file_perms; - allow apm_t $1:process sigchld; + domtrans_pattern($1,apm_exec_t,apm_t) ') ######################################## diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 7287896..f4875ea 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te 
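Review bot: The lines removed from `apm_domtrans_client` include `allow $1 apm_t:fd use;` (the caller using the child's descriptors), and the same parent-to-child rule disappears from every interface this commit converts to `domtrans_pattern`, while the child-to-parent fd/fifo/sigchld rules are retained. The pattern's definition is not in this diff; if it does not re-grant that permission, this is a real (and sensible) tightening that the Changelog entry, which only mentions the create_*_perms sets, should record, e.g. `- Convert domain transition interfaces to domtrans_pattern; callers no longer get fd:use on the target domain.` If the pattern does include it, disregard this.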
@@ -67,20 +67,19 @@ logging_send_syslog_msg(apm_t) allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; -allow apmd_t self:fifo_file rw_file_perms; +allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; -allow apmd_t apmd_log_t:file create_file_perms; +allow apmd_t apmd_log_t:file manage_file_perms; logging_log_filetrans(apmd_t,apmd_log_t,file) -allow apmd_t apmd_tmp_t:dir create_dir_perms; -allow apmd_t apmd_tmp_t:file create_file_perms; +manage_dirs_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t) +manage_files_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t) files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) -allow apmd_t apmd_var_run_t:dir rw_dir_perms; -allow apmd_t apmd_var_run_t:file create_file_perms; -allow apmd_t apmd_var_run_t:sock_file create_file_perms; +manage_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t) +manage_sock_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t) files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(apmd_t) @@ -148,7 +147,7 @@ userdom_dontaudit_search_sysadm_home_dirs(apmd_t) userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive? ifdef(`distro_redhat',` - allow apmd_t apmd_lock_t:file create_file_perms; + allow apmd_t apmd_lock_t:file manage_file_perms; files_lock_filetrans(apmd_t,apmd_lock_t,file) can_exec(apmd_t, apmd_var_run_t) @@ -172,8 +171,8 @@ ifdef(`distro_redhat',` ') ifdef(`distro_suse',` - allow apmd_t apmd_var_lib_t:file create_file_perms; - allow apmd_t apmd_var_lib_t:dir create_dir_perms; + manage_dirs_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t) + manage_files_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t) files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file) ') 
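Review bot: `allow apmd_t apmd_lock_t:file manage_file_perms;` in the `distro_redhat` hunk sits directly above the retained `can_exec(apmd_t, apmd_var_run_t)`, and the first hunk grants `manage_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t)`, so apmd_t can both write and execute files under its pid directory: anything able to get a file written there runs in the daemon's domain. The commit preserves this as-is, which is fine for a mechanical conversion, but the `# Excessive?` remark already present nearby should be kept next to the can_exec line, and if the scripts executed from /var/run are known, a dedicated exec type with `can_exec` limited to that type would remove the write+exec overlap. The ifdef block is complete within the hunk.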
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index f354902..7f830f9 100644 --- a/policy/modules/services/arpwatch.if +++ b/policy/modules/services/arpwatch.if @@ -15,7 +15,7 @@ interface(`arpwatch_search_data',` type arpwatch_data_t; ') - allow $1 arpwatch_data_t:dir search; + allow $1 arpwatch_data_t:dir search_dir_perms; ') ######################################## @@ -33,8 +33,7 @@ interface(`arpwatch_manage_data_files',` type arpwatch_data_t; ') - allow $1 arpwatch_data_t:dir rw_dir_perms; - allow $1 arpwatch_data_t:file create_file_perms; + manage_files_pattern($1,arpwatch_data_t,arpwatch_data_t) ') ######################################## diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te index be4cc26..51ef5be 100644 --- a/policy/modules/services/arpwatch.te +++ b/policy/modules/services/arpwatch.te 
@@ -33,16 +33,15 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; allow arpwatch_t self:packet_socket create_socket_perms; -allow arpwatch_t arpwatch_data_t:dir create_dir_perms; -allow arpwatch_t arpwatch_data_t:file create_file_perms; -allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms; +manage_dirs_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t) +manage_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t) +manage_lnk_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t) -allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms; -allow arpwatch_t arpwatch_tmp_t:file create_file_perms; +manage_dirs_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t) +manage_files_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t) files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) -allow arpwatch_t arpwatch_var_run_t:file create_file_perms; -allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms; +manage_files_pattern(arpwatch_t,arpwatch_var_run_t,arpwatch_var_run_t) files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file) kernel_read_kernel_sysctls(arpwatch_t) @@ -112,4 +111,3 @@ optional_policy(` optional_policy(` udev_read_db(arpwatch_t) ') - diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index 59ac279..80eecdd 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te 
@@ -40,44 +40,40 @@ files_pid_file(asterisk_var_run_t) allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; dontaudit asterisk_t self:capability sys_tty_config; allow asterisk_t self:process { setsched signal_perms }; -allow asterisk_t self:fifo_file rw_file_perms; +allow asterisk_t self:fifo_file rw_fifo_file_perms; allow asterisk_t self:sem create_sem_perms; allow asterisk_t self:shm create_shm_perms; allow asterisk_t self:tcp_socket create_stream_socket_perms; allow asterisk_t self:udp_socket create_socket_perms; -allow asterisk_t asterisk_etc_t:file r_file_perms; -allow asterisk_t asterisk_etc_t:dir r_dir_perms; -allow asterisk_t asterisk_etc_t:lnk_file { getattr read }; +allow asterisk_t asterisk_etc_t:dir list_dir_perms; +read_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t) +read_lnk_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t) files_search_etc(asterisk_t) -allow asterisk_t asterisk_log_t:file manage_file_perms; -allow asterisk_t asterisk_log_t:dir rw_dir_perms; +manage_files_pattern(asterisk_t,asterisk_log_t,asterisk_log_t) logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir }) -allow asterisk_t asterisk_spool_t:dir manage_dir_perms; -allow asterisk_t asterisk_spool_t:file manage_file_perms; -allow asterisk_t asterisk_spool_t:lnk_file create_lnk_perms; +manage_dirs_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t) +manage_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t) +manage_lnk_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t) -allow asterisk_t asterisk_tmp_t:dir create_dir_perms; -allow asterisk_t asterisk_tmp_t:file create_file_perms; +manage_dirs_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t) +manage_files_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t) files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir }) -allow asterisk_t asterisk_tmpfs_t:dir rw_dir_perms; -allow asterisk_t asterisk_tmpfs_t:file manage_file_perms; -allow asterisk_t asterisk_tmpfs_t:lnk_file 
create_lnk_perms; -allow asterisk_t asterisk_tmpfs_t:sock_file manage_file_perms; -allow asterisk_t asterisk_tmpfs_t:fifo_file manage_file_perms; +manage_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t) +manage_lnk_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t) +manage_fifo_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t) +manage_sock_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t) fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow asterisk_t asterisk_var_lib_t:file manage_file_perms; -allow asterisk_t asterisk_var_lib_t:dir rw_dir_perms; +manage_files_pattern(asterisk_t,asterisk_var_lib_t,asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file) -allow asterisk_t asterisk_var_run_t:sock_file manage_file_perms; -allow asterisk_t asterisk_var_run_t:fifo_file manage_file_perms; -allow asterisk_t asterisk_var_run_t:file manage_file_perms; -allow asterisk_t asterisk_var_run_t:dir rw_dir_perms; +manage_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t) +manage_fifo_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t) +manage_sock_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t) files_pid_filetrans(asterisk_t,asterisk_var_run_t,file) kernel_read_system_state(asterisk_t) @@ -157,4 +153,3 @@ ifdef(`TODO',` allow initrc_t asterisk_var_run_t:fifo_file unlink; allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; ') - diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index 17e3572..3d071f5 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te 
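Review bot: The pid-directory rules now grant `manage_fifo_files_pattern` and `manage_sock_files_pattern` on asterisk_var_run_t, but the retained `files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)` only relabels plain files, so a socket or fifo the daemon creates under /var/run stays at the generic pid type and the new sock/fifo rules never apply to it; the TODO block in the following hunk (`allow initrc_t asterisk_var_run_t:fifo_file unlink;`) indicates such a fifo exists. Change it to `files_pid_filetrans(asterisk_t,asterisk_var_run_t,{ file fifo_file sock_file })`, matching what apache.te and apmd do for their sockets. The tmpfs rules have a similar mismatch (the filetrans lists `dir` but no dirs pattern is granted on asterisk_tmpfs_t), though that predates this commit.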
@@ -22,8 +22,7 @@ allow entropyd_t self:capability { ipc_lock sys_admin }; dontaudit entropyd_t self:capability sys_tty_config; allow entropyd_t self:process signal_perms; -allow entropyd_t entropyd_var_run_t:file manage_file_perms; -allow entropyd_t entropyd_var_run_t:dir rw_dir_perms; +manage_files_pattern(entropyd_t,entropyd_var_run_t,entropyd_var_run_t) files_pid_filetrans(entropyd_t,entropyd_var_run_t,file) kernel_read_kernel_sysctls(entropyd_t) @@ -69,4 +68,3 @@ optional_policy(` optional_policy(` udev_read_db(entropyd_t) ') - diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index 5f97e34..ac6cf1b 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if @@ -16,13 +16,7 @@ interface(`automount_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1, automount_exec_t, automount_t) - - allow $1 automount_t:fd use; - allow automount_t $1:fd use; - allow automount_t $1:fifo_file rw_file_perms; - allow automount_t $1:process sigchld; - + domtrans_pattern($1, automount_exec_t, automount_t) ') ######################################## @@ -59,8 +53,7 @@ interface(`automount_read_state',` type automount_t; ') - allow $1 automount_t:dir search_dir_perms; - allow $1 automount_t:file r_file_perms; + read_files_pattern($1,automount_t,automount_t) ') ######################################## diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 39a1156..effc0a6 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te 
@@ -31,7 +31,7 @@ files_mountpoint(automount_tmp_t) allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin }; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; -allow automount_t self:fifo_file rw_file_perms; +allow automount_t self:fifo_file rw_fifo_file_perms; allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; allow automount_t self:tcp_socket create_stream_socket_perms; @@ -45,20 +45,19 @@ allow automount_t automount_etc_t:file { getattr read }; can_exec(automount_t, automount_etc_t) can_exec(automount_t, automount_exec_t) -allow automount_t automount_lock_t:file create_file_perms; +allow automount_t automount_lock_t:file manage_file_perms; files_lock_filetrans(automount_t,automount_lock_t,file) -allow automount_t automount_tmp_t:dir create_dir_perms; -allow automount_t automount_tmp_t:file create_file_perms; +manage_dirs_pattern(automount_t,automount_tmp_t,automount_tmp_t) +manage_files_pattern(automount_t,automount_tmp_t,automount_tmp_t) files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) # Allow automount to create and delete directories in / and /home -allow automount_t automount_tmp_t:dir create_dir_perms; +allow automount_t automount_tmp_t:dir manage_dir_perms; files_home_filetrans(automount_t,automount_tmp_t,dir) files_root_filetrans(automount_t,automount_tmp_t,dir) -allow automount_t automount_var_run_t:file create_file_perms; -allow automount_t automount_var_run_t:dir rw_dir_perms; +manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) files_pid_filetrans(automount_t,automount_var_run_t,file) kernel_read_kernel_sysctls(automount_t) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index 4c2ee43..5eaf2ad 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if 
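Review bot: `allow automount_t automount_tmp_t:dir manage_dir_perms;` under the `# Allow automount to create and delete directories in / and /home` comment is now fully redundant: `manage_dirs_pattern(automount_t,automount_tmp_t,automount_tmp_t)` a few lines above already grants manage_dir_perms on that type (the original carried the same create_dir_perms line twice). Drop the duplicate allow and keep the comment on the `files_home_filetrans`/`files_root_filetrans` pair, which is what actually enables creating the mountpoint directories in / and /home.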
@@ -37,7 +37,5 @@ interface(`avahi_stream_connect',` ') files_search_pids($1) - allow $1 avahi_var_run_t:dir search_dir_perms; - allow $1 avahi_var_run_t:sock_file rw_file_perms; - allow $1 avahi_t:unix_stream_socket connectto; + stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t) ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index d9dbc91..9de9b61 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -28,9 +28,9 @@ allow avahi_t self:netlink_route_socket r_netlink_socket_perms; allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; -allow avahi_t avahi_var_run_t:sock_file create_file_perms; -allow avahi_t avahi_var_run_t:file create_file_perms; -allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr }; +manage_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t) +manage_sock_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t) +allow avahi_t avahi_var_run_t:dir setattr; files_pid_filetrans(avahi_t,avahi_var_run_t,file) kernel_read_kernel_sysctls(avahi_t) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 6266137..f367bd8 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -15,12 +15,7 @@ interface(`bind_domtrans_ndc',` type ndc_t, ndc_exec_t; ') - domain_auto_trans($1,ndc_exec_t,ndc_t) - - allow $1 ndc_t:fd use; - allow ndc_t $1:fd use; - allow ndc_t $1:fifo_file rw_file_perms; - allow ndc_t $1:process sigchld; + domtrans_pattern($1,ndc_exec_t,ndc_t) ') ######################################## @@ -88,12 +83,7 @@ interface(`bind_domtrans',` type named_t, named_exec_t; ') - domain_auto_trans($1,named_exec_t,named_t) - - allow $1 named_t:fd use; - allow named_t $1:fd use; - allow named_t $1:fifo_file rw_file_perms; - allow named_t $1:process sigchld; + domtrans_pattern($1,named_exec_t,named_t) ') ######################################## 
@@ -111,8 +101,7 @@ interface(`bind_read_dnssec_keys',` type named_conf_t, named_zone_t, dnssec_t; ') - allow $1 { named_conf_t named_zone_t }:dir search; - allow $1 dnssec_t:file { getattr read }; + read_files_pattern($1,{ named_conf_t named_zone_t },dnssec_t) ') ######################################## @@ -130,8 +119,7 @@ interface(`bind_read_config',` type named_conf_t; ') - allow $1 named_conf_t:dir search; - allow $1 named_conf_t:file { getattr read }; + read_files_pattern($1,named_conf_t,named_conf_t) ') ######################################## @@ -149,8 +137,8 @@ interface(`bind_write_config',` type named_conf_t; ') - allow $1 named_conf_t:dir search; - allow $1 named_conf_t:file { write setattr }; + write_files_pattern($1,named_conf_t,named_conf_t) + allow $1 named_conf_t:file setattr; ') ######################################## @@ -169,7 +157,7 @@ interface(`bind_manage_config_dirs',` type named_conf_t; ') - allow $1 named_conf_t:dir create_dir_perms; + manage_dirs_pattern($1,named_conf_t,named_conf_t) ') ######################################## @@ -211,9 +199,8 @@ interface(`bind_manage_cache',` files_search_var($1) allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_cache_t:dir rw_dir_perms; - allow $1 named_cache_t:file create_file_perms; - allow $1 named_cache_t:lnk_file create_lnk_perms; + manage_files_pattern($1,named_cache_t,named_cache_t) + manage_lnk_files_pattern($1,named_cache_t,named_cache_t) ') ######################################## @@ -251,8 +238,7 @@ interface(`bind_read_zone',` ') files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_zone_t:file r_file_perms; + read_files_pattern($1,named_zone_t,named_zone_t) ') ######################################## diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index c612b1c..20f7f2b 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te 
@@ -53,7 +53,7 @@ role system_r types ndc_t; allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; allow named_t self:process { setsched setcap setrlimit signal_perms }; -allow named_t self:fifo_file rw_file_perms; +allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket create_stream_socket_perms; allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:tcp_socket create_stream_socket_perms; 
@@ -63,34 +63,31 @@ allow named_t self:netlink_route_socket r_netlink_socket_perms; allow named_t dnssec_t:file { getattr read }; # read configuration -allow named_t named_conf_t:dir r_dir_perms; -allow named_t named_conf_t:file r_file_perms; -allow named_t named_conf_t:lnk_file r_file_perms; +allow named_t named_conf_t:dir list_dir_perms; +read_files_pattern(named_t,named_conf_t,named_conf_t) +read_lnk_files_pattern(named_t,named_conf_t,named_conf_t) # write cache for secondary zones -allow named_t named_cache_t:dir rw_dir_perms; -allow named_t named_cache_t:file create_file_perms; -allow named_t named_cache_t:lnk_file create_lnk_perms; +manage_files_pattern(named_t,named_cache_t,named_cache_t) +manage_lnk_files_pattern(named_t,named_cache_t,named_cache_t) can_exec(named_t, named_exec_t) -allow named_t named_log_t:file create_file_perms; -allow named_t named_log_t:dir rw_dir_perms; +manage_files_pattern(named_t,named_log_t,named_log_t) logging_log_filetrans(named_t,named_log_t,{ file dir }) -allow named_t named_tmp_t:dir create_dir_perms; -allow named_t named_tmp_t:file create_file_perms; +manage_dirs_pattern(named_t,named_tmp_t,named_tmp_t) +manage_files_pattern(named_t,named_tmp_t,named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) -allow named_t named_var_run_t:dir rw_dir_perms; -allow named_t named_var_run_t:file create_file_perms; -allow named_t named_var_run_t:sock_file create_file_perms; +manage_files_pattern(named_t,named_var_run_t,named_var_run_t) +manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t) files_pid_filetrans(named_t,named_var_run_t,{ file sock_file }) # read zone files -allow named_t named_zone_t:dir r_dir_perms; -allow named_t named_zone_t:file r_file_perms; -allow named_t named_zone_t:lnk_file r_file_perms; +allow named_t named_zone_t:dir list_dir_perms; +read_files_pattern(named_t,named_zone_t,named_zone_t) +read_lnk_files_pattern(named_t,named_zone_t,named_zone_t) kernel_read_kernel_sysctls(named_t) 
kernel_read_system_state(named_t) @@ -154,9 +151,9 @@ ifdef(`targeted_policy',` ') tunable_policy(`named_write_master_zones',` - allow named_t named_zone_t:dir create_dir_perms; - allow named_t named_zone_t:file create_file_perms; - allow named_t named_zone_t:lnk_file create_lnk_perms; + manage_dirs_pattern(named_t,named_zone_t,named_zone_t) + manage_files_pattern(named_t,named_zone_t,named_zone_t) + manage_lnk_files_pattern(named_t,named_zone_t,named_zone_t) ') optional_policy(` diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index dcbb5aa..e031f39 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -15,10 +15,7 @@ interface(`bluetooth_domtrans',` type bluetooth_t, bluetooth_exec_t; ') - domain_auto_trans($1,bluetooth_exec_t,bluetooth_t) - allow bluetooth_t $1:fd use; - allow bluetooth_t $1:fifo_file rw_file_perms; - allow bluetooth_t $1:process sigchld; + domtrans_pattern($1,bluetooth_exec_t,bluetooth_t) ') ######################################## @@ -54,12 +51,7 @@ interface(`bluetooth_domtrans_helper',` type bluetooth_helper_t, bluetooth_helper_exec_t; ') - domain_auto_trans($1,bluetooth_helper_exec_t,bluetooth_helper_t) - - allow $1 bluetooth_helper_t:fd use; - allow bluetooth_helper_t $1:fd use; - allow bluetooth_helper_t $1:fifo_file rw_file_perms; - allow bluetooth_helper_t $1:process sigchld; + domtrans_pattern($1,bluetooth_helper_exec_t,bluetooth_helper_t) ') ######################################## diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 74dde42..2fb24ac 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te 
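Review bot: `manage_files_pattern(named_t,named_log_t,named_log_t)` is paired with the retained `logging_log_filetrans(named_t,named_log_t,{ file dir })`, but if the files pattern grants only read/write directory permissions on named_log_t (no dir `create`), as its name suggests, named_t cannot mkdir a log directory and the dir half of that transition is dead unless the permission comes from elsewhere. Either add `manage_dirs_pattern(named_t,named_log_t,named_log_t)` if named really creates log directories, or narrow the filetrans to `file` so the policy states exactly what it allows. This hunk starts on the previous line.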
@@ -44,7 +44,7 @@ files_pid_file(bluetooth_var_run_t) allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getsched signal_perms }; -allow bluetooth_t self:fifo_file rw_file_perms; +allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; 
@@ -52,36 +52,30 @@ allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; -allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms; -allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; +read_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_t) -allow bluetooth_t bluetooth_conf_rw_t:dir manage_dir_perms; -allow bluetooth_t bluetooth_conf_rw_t:file manage_file_perms; -allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms; -allow bluetooth_t bluetooth_conf_rw_t:sock_file manage_file_perms; -allow bluetooth_t bluetooth_conf_rw_t:fifo_file manage_file_perms; -type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t; +manage_dirs_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) +manage_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) +manage_lnk_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) +manage_fifo_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) +manage_sock_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) +filetrans_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t,{ dir file lnk_file sock_file fifo_file }) -domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) -allow bluetooth_t bluetooth_helper_t:fd use; -allow bluetooth_helper_t bluetooth_t:fd use; -allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms; -allow bluetooth_helper_t bluetooth_t:process sigchld; +domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) allow bluetooth_t bluetooth_lock_t:file manage_file_perms; files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file) -allow bluetooth_t bluetooth_tmp_t:dir manage_dir_perms; -allow bluetooth_t bluetooth_tmp_t:file manage_file_perms; +manage_dirs_pattern(bluetooth_t,bluetooth_tmp_t,bluetooth_tmp_t) 
+manage_files_pattern(bluetooth_t,bluetooth_tmp_t,bluetooth_tmp_t) files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) -allow bluetooth_t bluetooth_var_lib_t:file manage_file_perms; -allow bluetooth_t bluetooth_var_lib_t:dir manage_dir_perms; +manage_dirs_pattern(bluetooth_t,bluetooth_var_lib_t,bluetooth_var_lib_t) +manage_files_pattern(bluetooth_t,bluetooth_var_lib_t,bluetooth_var_lib_t) files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } ) -allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; -allow bluetooth_t bluetooth_var_run_t:file create_file_perms; -allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms; +manage_files_pattern(bluetooth_t,bluetooth_var_run_t,bluetooth_var_run_t) +manage_sock_files_pattern(bluetooth_t,bluetooth_var_run_t,bluetooth_var_run_t) files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(bluetooth_t) @@ -169,7 +163,7 @@ optional_policy(` allow bluetooth_helper_t self:capability sys_nice; allow bluetooth_helper_t self:process getsched; -allow bluetooth_helper_t self:fifo_file rw_file_perms; +allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; allow bluetooth_helper_t self:shm create_shm_perms; allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow bluetooth_helper_t self:tcp_socket create_socket_perms; 
@@ -177,9 +171,9 @@ allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; allow bluetooth_helper_t bluetooth_t:socket { read write }; -allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms; -allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms; -allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms; +manage_dirs_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) +manage_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) +manage_sock_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) kernel_read_system_state(bluetooth_helper_t) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if index c3f5b1d..5fc24e5 100644 --- a/policy/modules/services/canna.if +++ b/policy/modules/services/canna.if @@ -16,7 +16,5 @@ interface(`canna_stream_connect',` ') files_search_pids($1) - allow $1 canna_var_run_t:dir search; - allow $1 canna_var_run_t:sock_file write; - allow $1 canna_t:unix_stream_socket connectto; + stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t) ') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 63e3397..cc40946 100644 --- a/policy/modules/services/canna.te +++ b/policy/modules/services/canna.te 
@@ -31,18 +31,17 @@ allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; allow canna_t self:unix_dgram_socket create_stream_socket_perms; allow canna_t self:tcp_socket create_stream_socket_perms; -allow canna_t canna_log_t:file create_file_perms; -allow canna_t canna_log_t:dir { rw_dir_perms setattr }; +manage_files_pattern(canna_t,canna_log_t,canna_log_t) +allow canna_t canna_log_t:dir setattr; logging_log_filetrans(canna_t,canna_log_t,{ file dir }) -allow canna_t canna_var_lib_t:dir create_dir_perms; -allow canna_t canna_var_lib_t:file create_file_perms; -allow canna_t canna_var_lib_t:lnk_file create_lnk_perms; +manage_dirs_pattern(canna_t,canna_var_lib_t,canna_var_lib_t) +manage_files_pattern(canna_t,canna_var_lib_t,canna_var_lib_t) +manage_lnk_files_pattern(canna_t,canna_var_lib_t,canna_var_lib_t) files_var_lib_filetrans(canna_t,canna_var_lib_t,file) -allow canna_t canna_var_run_t:dir rw_dir_perms; -allow canna_t canna_var_run_t:file create_file_perms; -allow canna_t canna_var_run_t:sock_file create_file_perms; +manage_files_pattern(canna_t,canna_var_run_t,canna_var_run_t) +manage_sock_files_pattern(canna_t,canna_var_run_t,canna_var_run_t) files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(canna_t) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if index 366e5eb..5259f46 100644 --- a/policy/modules/services/ccs.if +++ b/policy/modules/services/ccs.if @@ -15,10 +15,7 @@ interface(`ccs_domtrans',` type ccs_t, ccs_exec_t; ') - domain_auto_trans($1,ccs_exec_t,ccs_t) - allow ccs_t $1:fd use; - allow ccs_t $1:fifo_file rw_file_perms; - allow ccs_t $1:process sigchld; + domtrans_pattern($1,ccs_exec_t,ccs_t) ') ######################################## 
@@ -37,9 +34,7 @@ interface(`ccs_stream_connect',`
 ')
 files_search_pids($1)
- allow $1 ccs_var_run_t:dir list_dir_perms;
- allow $1 ccs_var_run_t:sock_file write;
- allow $1 ccs_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ccs_var_run_t,ccs_var_run_t,ccs_t)
 ')
 ########################################
@@ -57,8 +52,7 @@ interface(`ccs_read_config',`
 type cluster_conf_t;
 ')
- allow $1 cluster_conf_t:dir search_dir_perms;
- allow $1 cluster_conf_t:file { getattr read };
+ read_files_pattern($1,cluster_conf_t,cluster_conf_t)
 ')
 ########################################
@@ -76,6 +70,6 @@ interface(`ccs_manage_config',`
 type cluster_conf_t;
 ')
- allow $1 cluster_conf_t:dir manage_dir_perms;
- allow $1 cluster_conf_t:file manage_file_perms;
+ manage_dirs_pattern($1,cluster_conf_t,cluster_conf_t)
+ manage_files_pattern($1,cluster_conf_t,cluster_conf_t)
 ')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 97939d7..ce2c80f 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -38,19 +38,18 @@ allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
 # cjp: this needs to be fixed to be specific
 allow ccs_t self:socket create_socket_perms;
-allow ccs_t cluster_conf_t:dir rw_dir_perms;
-allow ccs_t cluster_conf_t:file manage_file_perms;
+manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)
 # log files
-allow ccs_t ccs_var_log_t:file create_file_perms;
-allow ccs_t ccs_var_log_t:sock_file create_file_perms;
-allow ccs_t ccs_var_log_t:dir { rw_dir_perms setattr };
+manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
+manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
+allow ccs_t ccs_var_log_t:dir setattr;
 logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
 # pid file
-allow ccs_t ccs_var_run_t:file manage_file_perms;
-allow ccs_t ccs_var_run_t:sock_file manage_file_perms;
-allow ccs_t ccs_var_run_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+manage_sock_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
 files_pid_filetrans(ccs_t,ccs_var_run_t, { dir file sock_file })
 kernel_read_kernel_sysctls(ccs_t)
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index f7944b6..0dd7abd 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -18,7 +18,7 @@ init_daemon_domain(ciped_t,ciped_exec_t)
 allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
 dontaudit ciped_t self:capability sys_tty_config;
 allow ciped_t self:process signal_perms;
-allow ciped_t self:fifo_file rw_file_perms;
+allow ciped_t self:fifo_file rw_fifo_file_perms;
 allow ciped_t self:unix_dgram_socket create_socket_perms;
 allow ciped_t self:unix_stream_socket create_socket_perms;
 allow ciped_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 9c9c3fa..c7694b7 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -15,12 +15,7 @@ interface(`clamav_domtrans',`
 type clamd_t, clamd_exec_t;
 ')
- domain_auto_trans($1,clamd_exec_t,clamd_t)
-
- allow $1 clamd_t:fd use;
- allow clamd_t $1:fd use;
- allow clamd_t $1:fifo_file rw_file_perms;
- allow clamd_t $1:process sigchld;
+ domtrans_pattern($1,clamd_exec_t,clamd_t)
 ')
 ########################################
@@ -38,9 +33,7 @@ interface(`clamav_stream_connect',`
 type clamd_t, clamd_var_run_t;
 ')
- allow $1 clamd_var_run_t:dir search;
- allow $1 clamd_var_run_t:sock_file write;
- allow $1 clamd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,clamd_var_run_t,clamd_var_run_t,clamd_t)
 ')
 ########################################
@@ -59,7 +52,7 @@ interface(`clamav_read_config',`
 ')
 files_search_etc($1)
- allow $1 clamd_etc_t:file r_file_perms;
+ allow $1 clamd_etc_t:file read_file_perms;
 ')
 ########################################
@@ -96,9 +89,5 @@ interface(`clamav_domtrans_clamscan',`
 type clamscan_t, clamscan_exec_t;
 ')
- domain_auto_trans($1,clamscan_exec_t,clamscan_t)
-
- allow clamscan_t $1:fd use;
- allow clamscan_t $1:fifo_file rw_file_perms;
- allow clamscan_t $1:process sigchld;
+ domtrans_pattern($1,clamscan_exec_t,clamscan_t)
 ')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index fd85353..9eb1742 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
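Review bot: `allow $1 clamd_etc_t:file read_file_perms;` in clamav_read_config still grants no `search` on directories of type clamd_etc_t, yet the clamav.te hunks below give clamd_t, freshclam_t and clamscan_t `clamd_etc_t:dir list_dir_perms`, so such directories evidently exist; a caller that only has `files_search_etc($1)` will be denied on the path component if the config lives in a clamd_etc_t directory. The other read interfaces touched by this commit (ccs_read_config, cups_read_config) were converted to the pattern macro, which carries the dir search with it. For consistency and to close the gap, replace the line with `read_files_pattern($1,clamd_etc_t,clamd_etc_t)`.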
@@ -54,34 +54,33 @@ logging_log_file(freshclam_var_log_t)
 #
 allow clamd_t self:capability { kill setgid setuid dac_override };
-allow clamd_t self:fifo_file rw_file_perms;
+allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket create_stream_socket_perms;
 allow clamd_t self:unix_dgram_socket create_socket_perms;
 allow clamd_t self:tcp_socket { listen accept };
 # configuration files
-allow clamd_t clamd_etc_t:dir r_dir_perms;
-allow clamd_t clamd_etc_t:file r_file_perms;
-allow clamd_t clamd_etc_t:lnk_file { getattr read };
+allow clamd_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)
 # tmp files
-allow clamd_t clamd_tmp_t:file create_file_perms;
-allow clamd_t clamd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
+manage_files_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
 files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
 # var/lib files for clamd
-allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
+manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
 # log files
-allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
+allow clamd_t clamd_var_log_t:dir setattr;
+manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
 logging_log_filetrans(clamd_t,clamd_var_log_t,file)
 # pid file
-allow clamd_t clamd_var_run_t:file manage_file_perms;
-allow clamd_t clamd_var_run_t:sock_file manage_file_perms;
-allow clamd_t clamd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
+manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
 files_pid_filetrans(clamd_t,clamd_var_run_t,file)
 kernel_dontaudit_list_proc(clamd_t)
@@ -138,30 +137,29 @@ optional_policy(`
 #
 allow freshclam_t self:capability { setgid setuid dac_override };
-allow freshclam_t self:fifo_file rw_file_perms;
+allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
 allow freshclam_t self:unix_dgram_socket create_socket_perms;
 allow freshclam_t self:tcp_socket { listen accept };
 # configuration files
-allow freshclam_t clamd_etc_t:dir r_dir_perms;
-allow freshclam_t clamd_etc_t:file r_file_perms;
-allow freshclam_t clamd_etc_t:lnk_file { getattr read };
+allow freshclam_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)
 # var/lib files together with clamd
-allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
+manage_files_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
 # pidfiles- var/run together with clamd
-allow freshclam_t clamd_var_run_t:file manage_file_perms;
-allow freshclam_t clamd_var_run_t:sock_file manage_file_perms;
-allow freshclam_t clamd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
+manage_sock_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
 files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
 # log files (own logfiles only)
-allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
-allow freshclam_t clamd_var_log_t:dir search;
+manage_files_pattern(freshclam_t,freshclam_var_log_t,freshclam_var_log_t)
+allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t clamd_var_log_t:dir search_dir_perms;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
 corenet_non_ipsec_sendrecv(freshclam_t)
@@ -208,18 +206,18 @@ allow clamscan_t self:unix_dgram_socket create_socket_perms;
 allow clamscan_t self:tcp_socket { listen accept };
 # configuration files
-allow clamscan_t clamd_etc_t:dir r_dir_perms;
-allow clamscan_t clamd_etc_t:file r_file_perms;
-allow clamscan_t clamd_etc_t:lnk_file { getattr read };
+allow clamscan_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)
 # tmp files
-allow clamscan_t clamscan_tmp_t:file manage_file_perms;
-allow clamscan_t clamscan_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
+manage_files_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
 # var/lib files together with clamd
-allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
+read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
+allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 kernel_read_kernel_sysctls(clamscan_t)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index cc5e29d..27dcff5 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -15,10 +15,7 @@ interface(`clockspeed_domtrans_cli',`
 type clockspeed_cli_t, clockspeed_cli_exec_t;
 ')
- domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
- allow clockspeed_cli_t $1:fd use;
- allow clockspeed_cli_t $1:fifo_file { read write };
- allow clockspeed_cli_t $1:process sigchld;
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
 ')
 ########################################
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index 3c95baf..1b22e77 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -25,8 +25,8 @@ files_type(clockspeed_var_lib_t)
 allow clockspeed_cli_t self:capability sys_time;
 allow clockspeed_cli_t self:udp_socket create_socket_perms;
-allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
-allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
+
+read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 corenet_non_ipsec_sendrecv(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
@@ -52,9 +52,8 @@ allow clockspeed_srv_t self:udp_socket create_socket_perms;
 allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
 allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
+manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 corenet_non_ipsec_sendrecv(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index c092006..97c376b 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
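Review bot: The first clockspeed.te hunk adds an empty `+` line directly after the blank context line that already separates the socket rules from the var_lib rules, so the new file has two consecutive blank lines before `read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)`; none of the other converted blocks in this commit do that. Drop the added empty line so the hunk is a plain two-for-one replacement.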
@@ -24,19 +24,16 @@ files_pid_file(comsat_var_run_t)
 allow comsat_t self:capability { setuid setgid };
 allow comsat_t self:process signal_perms;
-allow comsat_t self:dir search;
-allow comsat_t self:fifo_file rw_file_perms;
-allow comsat_t self:{ lnk_file file } { getattr read };
+allow comsat_t self:fifo_file rw_fifo_file_perms;
 allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow comsat_t self:tcp_socket connected_stream_socket_perms;
 allow comsat_t self:udp_socket create_socket_perms;
-allow comsat_t comsat_tmp_t:dir create_dir_perms;
-allow comsat_t comsat_tmp_t:file create_file_perms;
+manage_dirs_pattern(comsat_t,comsat_tmp_t,comsat_tmp_t)
+manage_files_pattern(comsat_t,comsat_tmp_t,comsat_tmp_t)
 files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
-allow comsat_t comsat_var_run_t:file create_file_perms;
-allow comsat_t comsat_var_run_t:dir rw_dir_perms;
+manage_files_pattern(comsat_t,comsat_var_run_t,comsat_var_run_t)
 files_pid_filetrans(comsat_t,comsat_var_run_t,file)
 kernel_read_kernel_sysctls(comsat_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index d5866bb..7735e91 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
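Review bot: The comsat.te hunk removes `allow comsat_t self:dir search;` and `allow comsat_t self:{ lnk_file file } { getattr read };` and replaces only the fifo rule, so comsat's ability to read its own /proc/self entries is now entirely dependent on something outside this hunk granting it (presumably the domain base type; not visible here). That is a different kind of change from the mechanical pattern conversion the rest of the commit performs and the Changelog does not mention it. If the base domain already covers it, a short comment where the rules were, e.g. `# self proc reads come from the domain base type`, or a note in the commit would save the next reader an audit; if it does not, the two rules should stay.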
@@ -35,13 +35,12 @@ template(`courier_domain_template',`
 can_exec(courier_$1_t, courier_$1_exec_t)
- allow courier_$1_t courier_etc_t:file r_file_perms;
- allow courier_$1_t courier_etc_t:dir r_dir_perms;
+ read_files_pattern(courier_$1_t,courier_etc_t,courier_etc_t)
+ allow courier_$1_t courier_etc_t:dir list_dir_perms;
- allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
- allow courier_$1_t courier_var_run_t:file create_file_perms;
- allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
- allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
+ manage_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
+ manage_lnk_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
+ manage_sock_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
 files_search_pids(courier_$1_t)
 kernel_read_system_state(courier_$1_t)
@@ -113,10 +112,7 @@ interface(`courier_domtrans_authdaemon',`
 type courier_authdaemon_t, courier_authdaemon_exec_t;
 ')
- domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
- allow courier_authdaemon_t $1:fd use;
- allow courier_authdaemon_t $1:fifo_file rw_file_perms;
- allow courier_authdaemon_t $1:process sigchld;
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
 ')
 ########################################
@@ -135,8 +131,5 @@ interface(`courier_domtrans_pop',`
 type courier_pop_t, courier_pop_exec_t;
 ')
- domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
- allow courier_pop_t $1:fd use;
- allow courier_pop_t $1:fifo_file rw_file_perms;
- allow courier_pop_t $1:process sigchld;
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index ab13cad..0292cf0 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -41,7 +41,7 @@ can_exec(courier_authdaemon_t, courier_exec_t)
 allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
@@ -112,9 +112,8 @@ allow courier_tcpd_t self:capability kill;
 can_exec(courier_tcpd_t, courier_exec_t)
-allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
-allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
-allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
+manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
 files_search_var_lib(courier_tcpd_t)
 corecmd_search_sbin(courier_tcpd_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index cc94f06..bedc36f 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -29,9 +29,9 @@ allow cpucontrol_t self:capability { ipc_lock sys_rawio };
 dontaudit cpucontrol_t self:capability sys_tty_config;
 allow cpucontrol_t self:process signal_perms;
-allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
-allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
-allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t,cpucontrol_conf_t,cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t,cpucontrol_conf_t,cpucontrol_conf_t)
 kernel_list_proc(cpucontrol_t)
 kernel_read_proc_symlinks(cpucontrol_t)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 59d8735..1c56bb1 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -64,7 +64,7 @@ template(`cron_per_role_template',`
 allow $1_crond_t self:capability dac_override;
 allow $1_crond_t self:process { signal_perms setsched };
- allow $1_crond_t self:fifo_file rw_file_perms;
+ allow $1_crond_t self:fifo_file rw_fifo_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_crond_t self:unix_dgram_socket create_socket_perms;
@@ -149,7 +149,7 @@ template(`cron_per_role_template',`
 # userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
 tunable_policy(`fcron_crond', `
- allow crond_t $1_cron_spool_t:file create_file_perms;
+ allow crond_t $1_cron_spool_t:file manage_file_perms;
 ')
 optional_policy(`
@@ -183,30 +183,23 @@ template(`cron_per_role_template',`
 allow $1_crontab_t self:process signal_perms;
 # Transition from the user domain to the derived domain.
- domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
- allow $2 $1_crontab_t:fd use;
- allow $1_crontab_t $2:fd use;
- allow $1_crontab_t $2:fifo_file rw_file_perms;
- allow $1_crontab_t $2:process sigchld;
+ domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
 # crontab shows up in user ps
- allow $2 $1_crontab_t:dir { search getattr read };
- allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
- allow $2 $1_crontab_t:process getattr;
+ ps_process_pattern($2,$1_crontab_t)
 # for ^Z
 allow $2 $1_crontab_t:process signal;
 # Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file create_file_perms;
+ allow crond_t $1_cron_spool_t:file manage_file_perms;
 allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
 files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
 # create files in /var/spool/cron
- allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
- allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
- type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
+ manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
+ filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
 files_search_spool($1_crontab_t)
 # crontab signals crond by updating the mtime on the spooldir
@@ -394,7 +387,7 @@ interface(`cron_read_pipes',`
 type crond_t;
 ')
- allow $1 crond_t:fifo_file r_file_perms;
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
@@ -467,7 +460,7 @@ interface(`cron_search_spool',`
 ')
 files_search_spool($1)
- allow $1 cron_spool_t:dir search;
+ allow $1 cron_spool_t:dir search_dir_perms;
 ')
 ########################################
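Review bot: In the cron_per_role_template hunk, `allow crond_t $1_cron_spool_t:file manage_file_perms;` is written under the comment `# Allow crond to read those crontabs in cron spool.` but grants create, unlink, rename and setattr on every user's crontab, and because it is unconditional it makes the identical rule inside the `fcron_crond` tunable block earlier in this template (previous hunk) a no-op for user spool files. The line is a faithful mapping of the old create_file_perms, so the over-grant is pre-existing, but the macro conversion is the moment to decide: if crond only reads user crontabs outside the fcron case, change it to `allow crond_t $1_cron_spool_t:file read_file_perms;` and let the tunable carry the manage rule; if the manage is intended, fix the comment to say so. The template continues outside this hunk.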
@@ -485,12 +478,7 @@ interface(`cron_anacron_domtrans_system_job',`
 type system_crond_t, anacron_exec_t;
 ')
- domain_auto_trans($1,anacron_exec_t,system_crond_t)
-
- allow $1 system_crond_t:fd use;
- allow system_crond_t $1:fd use;
- allow system_crond_t $1:fifo_file rw_file_perms;
- allow system_crond_t $1:process sigchld;
+ domtrans_pattern($1,anacron_exec_t,system_crond_t)
 ')
 ########################################
@@ -545,7 +533,7 @@ interface(`cron_rw_system_job_pipes',`
 type system_crond_t;
 ')
- allow $1 system_crond_t:fifo_file rw_file_perms;
+ allow $1 system_crond_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
@@ -564,7 +552,7 @@ interface(`cron_read_system_job_tmp_files',`
 ')
 files_search_tmp($1)
- allow $1 system_crond_tmp_t:file r_file_perms;
+ allow $1 system_crond_tmp_t:file read_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 3e08b8a..3a6bc15 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -77,7 +77,7 @@ dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
-allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:fifo_file rw_fifo_file_perms;
 allow crond_t self:unix_dgram_socket create_socket_perms;
 allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
@@ -88,13 +88,14 @@ allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file create_file_perms;
+allow crond_t crond_var_run_t:file manage_file_perms;
 files_pid_filetrans(crond_t,crond_var_run_t,file)
 allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
+allow crond_t cron_spool_t:file read_file_perms;
+
+allow crond_t system_cron_spool_t:dir list_dir_perms;
+allow crond_t system_cron_spool_t:file read_file_perms;
 kernel_read_kernel_sysctls(crond_t)
 kernel_search_key(crond_t)
@@ -172,11 +173,11 @@ optional_policy(`
 ')
 ifdef(`targeted_policy',`
- allow crond_t system_crond_tmp_t:dir create_dir_perms;
- allow crond_t system_crond_tmp_t:file create_file_perms;
- allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
- allow crond_t system_crond_tmp_t:sock_file create_file_perms;
- allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+ manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
 files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
 unconfined_domain(crond_t)
@@ -195,13 +196,13 @@ ifdef(`targeted_policy',`
 mono_domtrans(crond_t)
 ')
 ',`
- allow crond_t crond_tmp_t:dir create_dir_perms;
- allow crond_t crond_tmp_t:file create_file_perms;
+ manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+ manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
 files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 ')
 tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file create_file_perms;
+ allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 optional_policy(`
@@ -265,7 +266,7 @@ ifdef(`targeted_policy',`
 ',`
 allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 allow system_crond_t self:process { signal_perms setsched };
- allow system_crond_t self:fifo_file rw_file_perms;
+ allow system_crond_t self:fifo_file rw_fifo_file_perms;
 allow system_crond_t self:passwd rootok;
 # The entrypoint interface is not used as this is not
@@ -277,7 +278,7 @@ ifdef(`targeted_policy',`
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;
- allow system_crond_t system_cron_spool_t:file r_file_perms;
+ allow system_crond_t system_cron_spool_t:file read_file_perms;
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond
@@ -291,21 +292,18 @@ ifdef(`targeted_policy',`
 allow system_crond_t crond_t:process sigchld;
 # Write /var/lock/makewhatis.lock.
- allow system_crond_t system_crond_lock_t:file create_file_perms;
+ allow system_crond_t system_crond_lock_t:file manage_file_perms;
 files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
 # write temporary files
- allow system_crond_t system_crond_tmp_t:file manage_file_perms;
- allow system_crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+ manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+ manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
 files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
- # write temporary files in crond tmp dir:
- allow system_crond_t crond_tmp_t:dir rw_dir_perms;
- type_transition system_crond_t crond_tmp_t:{ file lnk_file } system_crond_tmp_t;
-
 # Read from /var/spool/cron.
- allow system_crond_t cron_spool_t:dir r_dir_perms;
- allow system_crond_t cron_spool_t:file r_file_perms;
+ allow system_crond_t cron_spool_t:dir list_dir_perms;
+ allow system_crond_t cron_spool_t:file read_file_perms;
 kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
@@ -397,7 +395,7 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
- # Needed for certwatch
+ # Needed for certwatch
 apache_exec_modules(system_crond_t)
 apache_read_config(system_crond_t)
 apache_read_log(system_crond_t)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index e639ffa..00da561 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -15,12 +15,7 @@ interface(`cups_domtrans',`
 type cupsd_t, cupsd_exec_t;
 ')
- domain_auto_trans($1,cupsd_exec_t,cupsd_t)
-
- allow $1 cupsd_t:fd use;
- allow cupsd_t $1:fd use;
- allow cupsd_t $1:fifo_file rw_file_perms;
- allow cupsd_t $1:process sigchld;
+ domtrans_pattern($1,cupsd_exec_t,cupsd_t)
 ')
 ########################################
@@ -39,9 +34,7 @@ interface(`cups_stream_connect',`
 ')
 files_search_pids($1)
- allow $1 cupsd_var_run_t:dir search;
- allow $1 cupsd_var_run_t:sock_file { getattr write };
- allow $1 cupsd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,cupsd_var_run_t,cupsd_var_run_t,cupsd_t)
 ')
 ########################################
@@ -95,7 +88,7 @@ interface(`cups_read_pid_files',`
 ')
 files_search_pids($1)
- allow $1 cupsd_var_run_t:file r_file_perms;
+ allow $1 cupsd_var_run_t:file read_file_perms;
 ')
 ########################################
@@ -113,12 +106,7 @@ interface(`cups_domtrans_config',`
 type cupsd_config_t, cupsd_config_exec_t;
 ')
- domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
-
- allow $1 cupsd_config_t:fd use;
- allow cupsd_config_t $1:fd use;
- allow cupsd_config_t $1:fifo_file rw_file_perms;
- allow cupsd_config_t $1:process sigchld;
+ domtrans_pattern($1,cupsd_config_exec_t,cupsd_config_t)
 ')
 ########################################
@@ -178,9 +166,8 @@ interface(`cups_read_config',`
 ')
 files_search_etc($1)
- allow $1 cupsd_etc_t:dir search_dir_perms;
- allow $1 cupsd_etc_t:file { getattr read };
- allow $1 cupsd_rw_etc_t:file { getattr read };
+ read_files_pattern($1,cupsd_etc_t,cupsd_etc_t)
+ read_files_pattern($1,cupsd_etc_t,cupsd_rw_etc_t)
 ')
 ########################################
@@ -200,8 +187,7 @@ interface(`cups_read_rw_config',`
 ')
 files_search_etc($1)
- allow $1 cupsd_etc_t:dir search_dir_perms;
- allow $1 cupsd_rw_etc_t:file { getattr read };
+ read_files_pattern($1,cupsd_etc_t,cupsd_rw_etc_t)
 ')
 ########################################
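Review bot: `stream_connect_pattern($1,cupsd_var_run_t,cupsd_var_run_t,cupsd_t)` in cups_stream_connect replaces a rule that granted `sock_file { getattr write }`, and the reference-policy stream_connect_pattern (not shown in this diff, so confirm) grants only `write` on the socket file; a client that stat()s /var/run/cups/cups.sock before connecting would now get a getattr denial that the old interface did not produce. The getattr was presumably added for a reason, since none of the other stream_connect interfaces converted in this commit (canna, ccs, clamav, ptal) had it. Either keep it with `allow $1 cupsd_var_run_t:sock_file getattr;` after the pattern call, or note in the commit that it was deliberately dropped.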
@@ -259,7 +245,5 @@ interface(`cups_stream_connect_ptal',`
 ')
 files_search_pids($1)
- allow $1 ptal_var_run_t:dir search;
- allow $1 ptal_var_run_t:sock_file write;
- allow $1 ptal_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t)
 ')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 1960ed6..36a8680 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -81,13 +81,12 @@ ifdef(`enable_mls',`
 #
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:process { setsched signal_perms };
 allow cupsd_t self:fifo_file rw_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
 allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
 allow cupsd_t self:tcp_socket create_stream_socket_perms;
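Review bot: The rewritten capability line in the cups.te hunk still lists `dac_override` twice (`{ sys_admin dac_override dac_read_search ... chown dac_override sys_resource ... }`); since the line is being edited anyway, drop the duplicate. Two smaller consistency points in the same hunk: `allow cupsd_t self:fifo_file rw_file_perms;` is left as a context line while every other daemon in this commit (ciped_t, clamd_t, crond_t, cupsd_config_t, cupsd_lpd_t) moves to `rw_fifo_file_perms`, and the removal of `audit_write` and the `netlink_audit_socket` rule is only safe because the next hunk adds `send_audit_msgs_pattern(cupsd_t)`, which I assume re-grants both; that dependency between hunks is worth a word in the commit message since the Changelog only mentions the dir/file permission sets.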
@@ -96,14 +95,16 @@ allow cupsd_t self:appletalk_socket create_socket_perms;
 # generic socket here until appletalk socket is available in kernels
 allow cupsd_t self:socket create_socket_perms;
-allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
-allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
-allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
+send_audit_msgs_pattern(cupsd_t)
+
+allow cupsd_t cupsd_etc_t:{ dir file } setattr;
+read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
+read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
 files_search_etc(cupsd_t)
-allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
-type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
+manage_dirs_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
+manage_files_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
+filetrans_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t,file)
 files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
 # allow cups to execute its backend scripts
@@ -111,28 +112,26 @@ can_exec(cupsd_t, cupsd_exec_t)
 allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t cupsd_log_t:file create_file_perms;
-allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
+manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
+allow cupsd_t cupsd_log_t:dir setattr;
 logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
-allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
-allow cupsd_t cupsd_tmp_t:file create_file_perms;
-allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
+manage_dirs_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
+manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:file create_file_perms;
-allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
+allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
+manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
-allow cupsd_t hplip_etc_t:file r_file_perms;
-allow cupsd_t hplip_etc_t:dir r_dir_perms;
+read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
 allow cupsd_t hplip_var_run_t:file { read getattr };
-allow cupsd_t ptal_var_run_t:dir search;
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
+stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
+allow cupsd_t ptal_var_run_t : sock_file setattr;
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
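Review bot: `read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)` replaces `allow cupsd_t hplip_etc_t:dir r_dir_perms;`, which narrows the directory access from listing to search-only; every other place in this commit that converted an `r_dir_perms` rule (clamd_t, freshclam_t, clamscan_t, cpucontrol_t, the courier template) kept an explicit `dir list_dir_perms` next to the pattern, so this one looks like an oversight rather than an intentional tightening. If cupsd enumerates the HPLIP config directory (I cannot tell from here), add `allow cupsd_t hplip_etc_t:dir list_dir_perms;` alongside the pattern. Also, `allow cupsd_t ptal_var_run_t : sock_file setattr;` has stray spaces around the class separator; write it as `allow cupsd_t ptal_var_run_t:sock_file setattr;` to match the file.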
@@ -312,42 +311,35 @@ optional_policy(`
 allow cupsd_config_t self:capability { chown sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
 allow cupsd_config_t self:process signal_perms;
-allow cupsd_config_t self:fifo_file rw_file_perms;
+allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
-# old can_ps() on cupsd_t:
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-allow cupsd_config_t cupsd_t:dir { search getattr read };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
-allow cupsd_config_t cupsd_t:process getattr;
+allow cupsd_config_t cupsd_t:process signal;
+ps_process_pattern(cupsd_config_t,cupsd_t)
-allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
-allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
+manage_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
+manage_lnk_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
+filetrans_pattern(cupsd_config_t,cupsd_etc_t,cupsd_rw_etc_t,file)
-can_exec(cupsd_config_t, cupsd_config_exec_t)
+manage_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
-allow cupsd_config_t cupsd_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_etc_t:file create_file_perms;
-allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
-type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
+can_exec(cupsd_config_t, cupsd_config_exec_t)
 allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
-
-allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
+allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+manage_files_pattern(cupsd_config_t,cupsd_config_var_run_t,cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
+
 kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
@@ -473,7 +465,7 @@ optional_policy(`
 #
 allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_file_perms;
+allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
 allow cupsd_lpd_t self:udp_socket create_socket_perms;
 allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -489,21 +481,20 @@ optional_policy(`
 #end for identd
 allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
+read_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
+
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
+read_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
-allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
-allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
+manage_files_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
 files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
-allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
-allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(cupsd_lpd_t,cupsd_lpd_var_run_t,cupsd_lpd_var_run_t)
 files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
-allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
-
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
@@ -557,7 +548,7 @@ optional_policy(`
 # Needed for USB Scanneer and xsane
 allow hplip_t self:capability { dac_override dac_read_search net_raw };
 dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_file_perms;
+allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
@@ -570,13 +561,12 @@ allow hplip_t cupsd_etc_t:dir search;
 cups_stream_connect(hplip_t)
-allow hplip_t hplip_etc_t:file r_file_perms;
-allow hplip_t hplip_etc_t:dir r_dir_perms;
-allow hplip_t hplip_etc_t:lnk_file { getattr read };
+allow hplip_t hplip_etc_t:dir list_dir_perms;
+read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
+read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
 files_search_etc(hplip_t)
-allow hplip_t hplip_var_run_t:file create_file_perms;
-allow hplip_t hplip_var_run_t:dir rw_dir_perms;
+manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
 kernel_read_system_state(hplip_t)
@@ -664,27 +654,23 @@ optional_policy(`
 allow ptal_t self:capability { chown sys_rawio };
 dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t self:fifo_file rw_fifo_file_perms;
 allow ptal_t self:unix_dgram_socket create_socket_perms;
 allow ptal_t self:unix_stream_socket create_stream_socket_perms;
 allow ptal_t self:tcp_socket create_stream_socket_perms;
-allow ptal_t ptal_etc_t:file r_file_perms;
-allow ptal_t ptal_etc_t:dir r_dir_perms;
-allow ptal_t ptal_etc_t:lnk_file { getattr read };
+allow ptal_t ptal_etc_t:dir list_dir_perms;
+read_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
+read_lnk_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
 files_search_etc(ptal_t)
-allow ptal_t ptal_var_run_t:dir create_dir_perms;
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+manage_dirs_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_lnk_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_fifo_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_sock_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
 files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t,file)
-
 kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index 380a139..5d2de39 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -36,4 +36,3 @@ interface(`cvs_exec',`
 can_exec($1,cvs_exec_t)
 ')
-
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index a0ff5be..c45ec7f 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -26,22 +26,21 @@ files_pid_file(cvs_var_run_t)
 #
 allow cvs_t self:process signal_perms;
-allow cvs_t self:fifo_file rw_file_perms;
+allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cvs_t self:capability { setuid setgid };
-allow cvs_t cvs_data_t:dir create_dir_perms;
-allow cvs_t cvs_data_t:file create_file_perms;
-allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
+manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
+manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
-allow cvs_t cvs_tmp_t:dir create_dir_perms;
-allow cvs_t cvs_tmp_t:file create_file_perms;
+manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
+manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
 files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
-allow cvs_t cvs_var_run_t:file create_file_perms;
-allow cvs_t cvs_var_run_t:dir rw_dir_perms;
+manage_files_pattern(cvs_t,cvs_var_run_t,cvs_var_run_t)
 files_pid_filetrans(cvs_t,cvs_var_run_t,file)
 kernel_read_kernel_sysctls(cvs_t)
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
index 30d552e..c7e26a8 100644
--- a/policy/modules/services/cyrus.if
+++ b/policy/modules/services/cyrus.if
@@ -17,8 +17,7 @@ interface(`cyrus_manage_data',`
 ')
 files_search_var_lib($1)
- allow $1 cyrus_var_lib_t:dir rw_dir_perms;
- allow $1 cyrus_var_lib_t:file manage_file_perms;
+ manage_files_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t)
 ')
@@ -38,7 +37,5 @@ interface(`cyrus_stream_connect',`
 ')
 files_search_var_lib($1)
- allow $1 cyrus_var_lib_t:dir search;
- allow $1 cyrus_var_lib_t:sock_file write;
- allow $1 cyrus_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t,cyrus_t)
 ')
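Review bot: `manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)` passes four arguments, while the sibling `manage_dirs_pattern`/`manage_files_pattern` calls in the same block and every other `manage_lnk_files_pattern` call in this commit pass three. If these patterns are m4 macros, the surplus argument is silently discarded, so the policy still builds and the typo stays invisible to the compiler; it should read `manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)`. Worth a quick grep across the rest of the commit for the same copy-paste slip.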
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 48e2c41..3acb626 100644
--- a/policy/modules/services/cyr
us.te
+++ b/policy/modules/services/cyrus.te
@@ -29,8 +29,8 @@ dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
 allow cyrus_t self:fd use;
-allow cyrus_t self:fifo_file rw_file_perms;
-allow cyrus_t self:sock_file r_file_perms;
+allow cyrus_t self:fifo_file rw_fifo_file_perms;
+allow cyrus_t self:sock_file read_sock_file_perms;
 allow cyrus_t self:shm create_shm_perms;
 allow cyrus_t self:sem create_sem_perms;
 allow cyrus_t self:msgq create_msgq_perms;
@@ -43,17 +43,18 @@ allow cyrus_t self:tcp_socket create_stream_socket_perms;
 allow cyrus_t self:udp_socket create_socket_perms;
 allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
-allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
-allow cyrus_t cyrus_tmp_t:file create_file_perms;
+manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
 files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+manage_dirs_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_lnk_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_sock_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
 files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
-allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
-allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
-allow cyrus_t cyrus_var_run_t:file create_file_perms;
+manage_files_pattern(cyrus_t,cyrus_var_run_t,cyrus_var_run_t)
+manage_sock_files_pattern(cyrus_t,cyrus_var_run_t,cyrus_var_run_t)
 files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(cyrus_t)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index 7a15ea2..2eb457d 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
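Review bot: The context line `files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)` that now sits directly under the new cyrus_var_lib_t pattern calls is fully subsumed by `files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })` a few lines below, and its position in the var_lib block suggests a /var/lib transition was intended rather than a second /var/run one. The commit rewrites the lines on both sides of it, so this is the moment to either delete the duplicate or, if a transition into cyrus_var_lib_t is actually wanted, replace it with the corresponding `files_var_lib_filetrans(cyrus_t,cyrus_var_lib_t,...)` call used elsewhere in this commit (ddclient.te at L250); which of the two is right cannot be decided from this diff alone.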
@@ -28,11 +28,10 @@ allow dante_t self:fifo_file { read write };
 allow dante_t self:tcp_socket create_stream_socket_perms;
 allow dante_t self:udp_socket create_socket_perms;
-allow dante_t dante_conf_t:dir r_dir_perms;
-allow dante_t dante_conf_t:file r_file_perms;
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
-allow dante_t dante_var_run_t:file create_file_perms;
-allow dante_t dante_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dante_t,dante_var_run_t,dante_var_run_t)
 files_pid_filetrans(dante_t,dante_var_run_t,file)
 kernel_read_kernel_sysctls(dante_t)
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
index c0b2560..27b5d93 100644
--- a/policy/modules/services/dbskk.te
+++ b/policy/modules/services/dbskk.te
@@ -23,7 +23,7 @@ files_pid_file(dbskkd_var_run_t)
 #
 allow dbskkd_t self:process signal_perms;
-allow dbskkd_t self:fifo_file rw_file_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
 allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
 allow dbskkd_t self:udp_socket create_socket_perms;
@@ -37,12 +37,11 @@ optional_policy(`
 ')
 #end for identd
-allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
-allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dbskkd_t,dbskkd_tmp_t,dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t,dbskkd_tmp_t,dbskkd_tmp_t)
 files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
-allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
-allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dbskkd_t,dbskkd_var_run_t,dbskkd_var_run_t)
 files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
 kernel_read_kernel_sysctls(dbskkd_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index f971482..4dca3f6 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -69,16 +69,16 @@ template(`dbus_per_role_template',`
 # Local policy
 #
- allow $1_dbusd_t self:capability audit_write;
 allow $1_dbusd_t self:process { getattr sigkill signal };
 allow $1_dbusd_t self:file { getattr read write };
 allow $1_dbusd_t self:dbus { send_msg acquire_svc };
 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
 allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
- allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+ send_audit_msgs_pattern($1_dbusd_t)
+
 # For connecting to the bus
 allow $2 $1_dbusd_t:unix_stream_socket connectto;
 type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -88,20 +88,15 @@ template(`dbus_per_role_template',`
 allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
 allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
- allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
- allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
- allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
- allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_dbusd_t,$1_dbusd_tmp_t,$1_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t,$1_dbusd_tmp_t,$1_dbusd_tmp_t)
 files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
- domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
- allow $2 $1_dbusd_t:fd use;
- allow $1_dbusd_t $2:fd use;
- allow $1_dbusd_t $2:fifo_file rw_file_perms;
- allow $1_dbusd_t $2:process sigchld;
-
+ domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
 allow $2 $1_dbusd_t:process { sigkill signal };
 kernel_read_system_state($1_dbusd_t)
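Review bot: `domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)` replaces five rules, one of which, `allow $2 $1_dbusd_t:fd use;`, runs in the caller-to-child direction rather than the child-to-caller direction of the other four. The interfaces converted in dcc.if (L243) only ever had the child-to-caller rules, so they say nothing about whether the pattern covers this case, and its definition is not part of this diff; the surviving line `allow $2 $1_dbusd_t:process { sigkill signal };` shows the caller keeps interacting with the daemon, so a silent loss of descriptor sharing would show up as hard-to-diagnose denials. Please confirm the pattern grants both directions, and if it does not, keep `allow $2 $1_dbusd_t:fd use;` beside the pattern call; ddclient.if at L248 drops the same rule (`allow $1 ddclient_t:fd use;`) and needs the same check.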
@@ -207,9 +202,7 @@ template(`dbus_system_bus_client_template',`
 # For connecting to the bus
 files_search_pids($2)
- allow $2 system_dbusd_var_run_t:dir search;
- allow $2 system_dbusd_var_run_t:sock_file write;
- allow $2 system_dbusd_t:unix_stream_socket connectto;
+ stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
 ')
 #######################################
@@ -292,7 +285,7 @@ interface(`dbus_read_config',`
 type dbusd_etc_t;
 ')
- allow $1 dbusd_etc_t:file r_file_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c81ed90..4d71284 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -30,28 +30,28 @@ files_pid_file(system_dbusd_var_run_t)
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid audit_write };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
-allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
-allow system_dbusd_t dbusd_etc_t:file r_file_perms;
-allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+send_audit_msgs_pattern(system_dbusd_t)
-allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
-allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
 files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
-allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
 kernel_read_system_state(system_dbusd_t)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 0f3a273..867ee4c 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -16,10 +16,7 @@ interface(`dcc_domtrans_cdcc',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,cdcc_exec_t,cdcc_t)
- allow cdcc_t $1:fd use;
- allow cdcc_t $1:fifo_file rw_file_perms;
- allow cdcc_t $1:process sigchld;
+ domtrans_pattern($1,cdcc_exec_t,cdcc_t)
 ')
 ########################################
@@ -70,10 +67,7 @@ interface(`dcc_domtrans_client',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
- allow dcc_client_t $1:fd use;
- allow dcc_client_t $1:fifo_file rw_file_perms;
- allow dcc_client_t $1:process sigchld;
+ domtrans_pattern($1,dcc_client_exec_t,dcc_client_t)
 ')
 ########################################
@@ -124,10 +118,7 @@ interface(`dcc_domtrans_dbclean',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
- allow dcc_dbclean_t $1:fd use;
- allow dcc_dbclean_t $1:fifo_file rw_file_perms;
- allow dcc_dbclean_t $1:process sigchld;
+ domtrans_pattern($1,dcc_dbclean_exec_t,dcc_dbclean_t)
 ')
 ########################################
@@ -178,7 +169,5 @@ interface(`dcc_stream_connect_dccifd',`
 ')
 files_search_var($1)
- allow $1 dcc_var_t:dir search;
- allow $1 dccifd_var_run_t:sock_file { getattr write };
- allow $1 dccifd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,dcc_var_t,dccifd_var_run_t,dccifd_t)
 ')
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index edafebc..52723ce 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
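Review bot: In dcc_stream_connect_dccifd, `stream_connect_pattern($1,dcc_var_t,dccifd_var_run_t,dccifd_t)` replaces `allow $1 dccifd_var_run_t:sock_file { getattr write };`, whereas every other stream_connect conversion in this commit (cyrus.if, dbus.if, cups.te) started from plain `write` on the socket file. Whether `getattr` survives depends on the pattern's definition, which is not in this diff; if it grants only write, a client that stats the socket before connecting will now be denied. Either keep `allow $1 dccifd_var_run_t:sock_file getattr;` after the pattern call, or add a comment recording that getattr was dropped on purpose.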
@@ -88,16 +88,16 @@ allow cdcc_t self:capability setuid;
 allow cdcc_t self:unix_dgram_socket create_socket_perms;
 allow cdcc_t self:udp_socket create_socket_perms;
-allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
-allow cdcc_t cdcc_tmp_t:file create_file_perms;
+manage_dirs_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
+manage_files_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
 files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
 allow cdcc_t dcc_client_map_t:file rw_file_perms;
 # Access files in /var/dcc. The map file can be updated
-allow cdcc_t dcc_var_t:dir r_dir_perms;
-allow cdcc_t dcc_var_t:file r_file_perms;
-allow cdcc_t dcc_var_t:lnk_file { getattr read };
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 corenet_non_ipsec_sendrecv(cdcc_t)
 corenet_udp_sendrecv_generic_if(cdcc_t)
@@ -132,14 +132,14 @@ allow dcc_client_t self:udp_socket create_socket_perms;
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
-allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
-allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
+manage_dirs_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
 # Access files in /var/dcc. The map file can be updated
-allow dcc_client_t dcc_var_t:dir r_dir_perms;
-allow dcc_client_t dcc_var_t:file r_file_perms;
-allow dcc_client_t dcc_var_t:lnk_file { getattr read };
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 corenet_non_ipsec_sendrecv(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
@@ -173,13 +173,13 @@ allow dcc_dbclean_t self:udp_socket create_socket_perms;
 allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
-allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
+manage_dirs_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
 files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
-allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
-allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
 kernel_read_system_state(dcc_dbclean_t)
@@ -220,28 +220,24 @@ allow dccd_t self:udp_socket create_socket_perms;
 allow dccd_t dcc_client_map_t:file rw_file_perms;
 # Access files in /var/dcc. The map file can be updated
-allow dccd_t dcc_var_t:dir r_dir_perms;
-allow dccd_t dcc_var_t:file r_file_perms;
-allow dccd_t dcc_var_t:lnk_file { getattr read };
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
 # Runs the dbclean program
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
 corecmd_search_bin(dccd_t)
-allow dcc_dbclean_t dccd_t:fd use;
-allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
-allow dcc_dbclean_t dccd_t:process sigchld;
 # Updating dcc_db, flod, ...
-allow dccd_t dcc_var_t:dir manage_dir_perms;
-allow dccd_t dcc_var_t:file manage_file_perms;
-allow dccd_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dccd_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
-allow dccd_t dccd_tmp_t:dir manage_dir_perms;
-allow dccd_t dccd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
+manage_files_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
 files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-allow dccd_t dccd_var_run_t:file create_file_perms;
-allow dccd_t dccd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccd_t,dccd_var_run_t,dccd_var_run_t)
 files_pid_filetrans(dccd_t,dccd_var_run_t,file)
 kernel_read_system_state(dccd_t)
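Review bot: The new side grants dccd_t both `read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)`/`read_lnk_files_pattern(...)` under "# Access files in /var/dcc" and `manage_files_pattern(dccd_t,dcc_var_t,dcc_var_t)`/`manage_lnk_files_pattern(...)` under "# Updating dcc_db, flod, ..." for the same subject and object type; presuming the manage patterns are a superset of the read patterns, the first pair is dead weight. The old rules had the same overlap, but since this hunk rewrites both blocks anyway, folding them into the single manage block (keeping `allow dccd_t dcc_var_t:dir list_dir_perms;`) would let a reader see dccd_t's effective access to dcc_var_t in one place instead of reconstructing it from two comment-separated blocks.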
@@ -315,21 +311,19 @@ allow dccifd_t self:udp_socket create_socket_perms;
 allow dccifd_t dcc_client_map_t:file rw_file_perms;
 # Updating dcc_db, flod, ...
-allow dccifd_t dcc_var_t:dir manage_dir_perms;
-allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
-allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
-
-allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
-allow dccifd_t dccifd_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_fifo_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_sock_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+
+manage_dirs_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
+manage_files_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
 files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
-allow dccifd_t dcc_var_t:dir rw_dir_perms;
-type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;
-
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
+filetrans_pattern(dccifd_t,dcc_var_t,dccifd_var_run_t,{ file sock_file })
 files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
 kernel_read_system_state(dccifd_t)
@@ -399,21 +393,19 @@ allow dccm_t self:udp_socket create_socket_perms;
 allow dccm_t dcc_client_map_t:file rw_file_perms;
-allow dccm_t dcc_var_t:dir manage_dir_perms;
-allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
-allow dccm_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_fifo_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_sock_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
-allow dccm_t dccm_tmp_t:dir manage_dir_perms;
-allow dccm_t dccm_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
+manage_files_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
 files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
-allow dccm_t dcc_var_run_t:dir rw_dir_perms;
-type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
-
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
+manage_sock_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
+filetrans_pattern(dccm_t,dcc_var_run_t,dccm_var_run_t,{ file sock_file })
 files_pid_filetrans(dccm_t,dccm_var_run_t,file)
 kernel_read_system_state(dccm_t)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index c1ddf99..1afdd21 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -16,10 +16,5 @@ interface(`ddclient_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, ddclient_exec_t, ddclient_t)
-
- allow $1 ddclient_t:fd use;
- allow ddclient_t $1:fd use;
- allow ddclient_t $1:fifo_file rw_file_perms;
- allow ddclient_t $1:process sigchld;
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
 ')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 3ce1b4f..c79776d 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -32,28 +32,26 @@ files_pid_file(ddclient_var_run_t)
 dontaudit ddclient_t self:capability sys_tty_config;
 allow ddclient_t self:process signal_perms;
-allow ddclient_t self:fifo_file rw_file_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
 allow ddclient_t self:tcp_socket create_socket_perms;
 allow ddclient_t self:udp_socket create_socket_perms;
-allow ddclient_t ddclient_etc_t:file r_file_perms;
+allow ddclient_t ddclient_etc_t:file read_file_perms;
 allow ddclient_t ddclient_log_t:file manage_file_perms;
 logging_log_filetrans(ddclient_t,ddclient_log_t,file)
-allow ddclient_t ddclient_var_t:dir manage_dir_perms;
-allow ddclient_t ddclient_var_t:file manage_file_perms;
-allow ddclient_t ddclient_var_t:lnk_file create_lnk_perms;
-allow ddclient_t ddclient_var_t:sock_file manage_file_perms;
-allow ddclient_t ddclient_var_t:fifo_file manage_file_perms;
+manage_dirs_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_sock_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
 files_var_filetrans(ddclient_t,ddclient_var_t,{ file lnk_file sock_file fifo_file })
-allow ddclient_t ddclient_var_lib_t:file manage_file_perms;
-allow ddclient_t ddclient_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(ddclient_t,ddclient_var_lib_t,ddclient_var_lib_t)
 files_var_lib_filetrans(ddclient_t,ddclient_var_lib_t,file)
-allow ddclient_t ddclient_var_run_t:file manage_file_perms;
-allow ddclient_t ddclient_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ddclient_t,ddclient_var_run_t,ddclient_var_run_t)
 files_pid_filetrans(ddclient_t,ddclient_var_run_t,file)
 kernel_read_system_state(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index e0e972f..2e011e0 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -39,16 +39,14 @@ allow dhcpd_t self:rawip_socket create_socket_perms;
 can_exec(dhcpd_t,dhcpd_exec_t)
-allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
-allow dhcpd_t dhcpd_state_t:file create_file_perms;
+manage_files_pattern(dhcpd_t,dhcpd_state_t,dhcpd_state_t)
 sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
-allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
-allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dhcpd_t,dhcpd_tmp_t,dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t,dhcpd_tmp_t,dhcpd_tmp_t)
 files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
-allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
-allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dhcpd_t,dhcpd_var_run_t,dhcpd_var_run_t)
 files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
 kernel_read_system_state(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index fdf932d..df5ab1a 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -28,11 +28,11 @@ allow dictd_t self:unix_stream_socket create_stream_socket_perms;
 allow dictd_t self:tcp_socket create_stream_socket_perms;
 allow dictd_t self:udp_socket create_socket_perms;
-allow dictd_t dictd_etc_t:file r_file_perms;
+allow dictd_t dictd_etc_t:file read_file_perms;
 files_search_etc(dictd_t)
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index cee6b5a..d884230 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -31,15 +31,14 @@ allow distccd_t self:fifo_file { read write getattr }; allow distccd_t self:tcp_socket create_stream_socket_perms; allow distccd_t self:udp_socket create_socket_perms; -allow distccd_t distccd_log_t:file create_file_perms; +allow distccd_t distccd_log_t:file manage_file_perms; logging_log_filetrans(distccd_t,distccd_log_t,file) -allow distccd_t distccd_tmp_t:dir create_dir_perms; -allow distccd_t distccd_tmp_t:file create_file_perms; +manage_dirs_pattern(distccd_t,distccd_tmp_t,distccd_tmp_t) +manage_files_pattern(distccd_t,distccd_tmp_t,distccd_tmp_t) files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) -allow distccd_t distccd_var_run_t:file create_file_perms; -allow distccd_t distccd_var_run_t:dir rw_dir_perms; +manage_files_pattern(distccd_t,distccd_var_run_t,distccd_var_run_t) files_pid_filetrans(distccd_t,distccd_var_run_t,file) kernel_read_system_state(distccd_t) diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if index e8baf77..ff1d505 100644 --- a/policy/modules/services/djbdns.if +++ b/policy/modules/services/djbdns.if @@ -29,8 +29,8 @@ template(`djbdns_daemontools_domain_template',` allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; allow djbdns_$1_t self:udp_socket create_socket_perms; - allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms; + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; corenet_non_ipsec_sendrecv(djbdns_$1_t) corenet_tcp_sendrecv_all_if(djbdns_$1_t) diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te index a91f82d..c58a3a4 100644 --- a/policy/modules/services/djbdns.te +++ b/policy/modules/services/djbdns.te 
@@ -30,14 +30,14 @@ daemontools_read_svc(djbdns_axfrdns_t) allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms; -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms; +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms; -allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms; +allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms; -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms; +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; files_search_var(djbdns_axfrdns_t) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 0575a51..6ae7ab1 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -35,8 +35,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms; allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms; files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) -allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms; -allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms; +manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file) kernel_read_kernel_sysctls(dnsmasq_t) diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if index ba714cc..57d55ad 100644 --- a/policy/modules/services/dovecot.if +++ b/policy/modules/services/dovecot.if 
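Review bot: The rewritten pair `allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;` / `allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;` targets djbdns_tinydns_t, which the djbdns.if hunk above treats as a process domain (it receives self:tcp_socket and self:udp_socket rules), not a file type; unless something really labels files with that domain type these two rules are dead and should be dropped or retargeted at djbdns_tinydns_conf_t, which the following pair already covers. The commit only renames the permission sets here, so this is pre-existing, but it is worth settling while the lines are being touched. If a tinydns data directory genuinely carries that label, a comment such as `# tinydns root/data directory is labeled with the tinydns domain type` above the pair would stop the next reader from asking the same question.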
@@ -15,7 +15,6 @@ interface(`dovecot_manage_spool',` type dovecot_spool_t; ') - allow $1 dovecot_spool_t:dir rw_dir_perms; - allow $1 dovecot_spool_t:file create_file_perms; - allow $1 dovecot_spool_t:lnk_file create_lnk_perms; + manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t) + manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t) ') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index e546326..620b278 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te 
@@ -42,33 +42,28 @@ files_pid_file(dovecot_var_run_t) allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:process { setrlimit signal_perms }; -allow dovecot_t self:fifo_file rw_file_perms; +allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; -domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -allow dovecot_t dovecot_auth_t:fd use; -allow dovecot_auth_t dovecot_t:process sigchld; -allow dovecot_auth_t dovecot_t:fd use; -allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append }; +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -allow dovecot_t dovecot_cert_t:dir r_dir_perms; -allow dovecot_t dovecot_cert_t:file r_file_perms; -allow dovecot_t dovecot_cert_t:lnk_file { getattr read }; +allow dovecot_t dovecot_cert_t:dir list_dir_perms; +read_files_pattern(dovecot_t,dovecot_cert_t,dovecot_cert_t) +read_lnk_files_pattern(dovecot_t,dovecot_cert_t,dovecot_cert_t) -allow dovecot_t dovecot_etc_t:file r_file_perms; +allow dovecot_t dovecot_etc_t:file read_file_perms; files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -allow dovecot_t dovecot_spool_t:dir create_dir_perms; -allow dovecot_t dovecot_spool_t:file create_file_perms; -allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms; +manage_dirs_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) +manage_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) +manage_lnk_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) -allow dovecot_t dovecot_var_run_t:file create_file_perms; -allow dovecot_t dovecot_var_run_t:sock_file create_file_perms; -allow dovecot_t dovecot_var_run_t:dir rw_dir_perms; 
+manage_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) +manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) kernel_read_kernel_sysctls(dovecot_t) @@ -156,7 +151,7 @@ optional_policy(` allow dovecot_auth_t self:capability { setgid setuid }; allow dovecot_auth_t self:process signal_perms; -allow dovecot_auth_t self:fifo_file rw_file_perms; +allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -165,8 +160,7 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; # Allow dovecot to create and read SSL parameters file -allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms; -allow dovecot_t dovecot_var_lib_t:file manage_file_perms; +manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t) files_search_var_lib(dovecot_t) allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te index c6ebf59..169dfc8 100644 --- a/policy/modules/services/fetchmail.te +++ b/policy/modules/services/fetchmail.te 
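Review bot: The context line `allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;` directly below the rewritten var_lib rule keeps the r_dir_perms set that this commit replaces with list_dir_perms everywhere else in dovecot.te (dovecot_cert_t in the first hunk, for instance); `allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;` keeps the file uniform. The comment above the new `manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)` still says "create and read SSL parameters file" while the pattern grants the full manage set (as I recall it also covers unlink, rename and setattr), so either narrow the grant to what dovecot needs or reword the comment to `# Allow dovecot to manage its SSL parameters file`.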
@@ -32,13 +32,12 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; allow fetchmail_t self:tcp_socket create_socket_perms; allow fetchmail_t self:udp_socket create_socket_perms; -allow fetchmail_t fetchmail_etc_t:file r_file_perms; +allow fetchmail_t fetchmail_etc_t:file read_file_perms; -allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms; +allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file) -allow fetchmail_t fetchmail_var_run_t:file create_file_perms; -allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms; +manage_files_pattern(fetchmail_t,fetchmail_var_run_t,fetchmail_var_run_t) files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file) kernel_read_kernel_sysctls(fetchmail_t) diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if index f7b5910..7bdd5cc 100644 --- a/policy/modules/services/finger.if +++ b/policy/modules/services/finger.if @@ -15,12 +15,7 @@ interface(`finger_domtrans',` type fingerd_t, fingerd_exec_t; ') - domain_auto_trans($1,fingerd_exec_t,fingerd_t) - - allow $1 fingerd_t:fd use; - allow fingerd_t $1:fd use; - allow fingerd_t $1:fifo_file rw_file_perms; - allow fingerd_t $1:process sigchld; + domtrans_pattern($1,fingerd_exec_t,fingerd_t) ') ######################################## diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 92a26be..708cfaf 100644 --- a/policy/modules/services/finger.te +++ b/policy/modules/services/finger.te 
@@ -34,15 +34,14 @@ allow fingerd_t self:udp_socket create_socket_perms; allow fingerd_t self:unix_dgram_socket create_socket_perms; allow fingerd_t self:unix_stream_socket create_socket_perms; -allow fingerd_t fingerd_var_run_t:file create_file_perms; -allow fingerd_t fingerd_var_run_t:dir rw_dir_perms; +manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t) files_pid_filetrans(fingerd_t,fingerd_var_run_t,file) -allow fingerd_t fingerd_etc_t:file r_file_perms; allow fingerd_t fingerd_etc_t:dir r_dir_perms; -allow fingerd_t fingerd_etc_t:lnk_file { getattr read }; +read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t) +read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t) -allow fingerd_t fingerd_log_t:file create_file_perms; +allow fingerd_t fingerd_log_t:file manage_file_perms; logging_log_filetrans(fingerd_t,fingerd_log_t,file) kernel_read_kernel_sysctls(fingerd_t) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 266d62c..86c18ec 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -101,7 +101,7 @@ interface(`ftp_read_log',` ') logging_search_logs($1) - allow $1 xferlog_t:file r_file_perms; + allow $1 xferlog_t:file read_file_perms; ') ######################################## @@ -120,9 +120,5 @@ interface(`ftp_domtrans_ftpdctl',` ') corecmd_search_bin($1) - domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t) - - allow ftpdctl_t $1:fd use; - allow ftpdctl_t $1:fifo_file rw_file_perms; - allow ftpdctl_t $1:process sigchld; + domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) ') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 33599f2..32d3791 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te 
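Review bot: `allow fingerd_t fingerd_etc_t:dir r_dir_perms;` survives as a context line between the two rewritten config rules while the rest of this commit replaces r_dir_perms with list_dir_perms next to the same read_files_pattern/read_lnk_files_pattern pair (the gpm_conf_t and dovecot_cert_t hunks do exactly that). Changing it to `allow fingerd_t fingerd_etc_t:dir list_dir_perms;` keeps finger.te consistent with the new naming and avoids a second pass over this file later.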
@@ -45,28 +45,27 @@ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_ dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process signal_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; -allow ftpd_t self:fifo_file rw_file_perms; +allow ftpd_t self:fifo_file rw_fifo_file_perms; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; -allow ftpd_t ftpd_etc_t:file r_file_perms; +allow ftpd_t ftpd_etc_t:file read_file_perms; -allow ftpd_t ftpd_tmp_t:dir create_dir_perms; -allow ftpd_t ftpd_tmp_t:file create_file_perms; +manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) +manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) -allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms; -allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms; -allow ftpd_t ftpd_tmpfs_t:file create_file_perms; -allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms; -allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms; +manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) +manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) +manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) +manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) +manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow ftpd_t ftpd_var_run_t:file manage_file_perms; -allow ftpd_t ftpd_var_run_t:dir rw_dir_perms; -allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms; +manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) +manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) # proftpd requires the client side to bind a socket so that 
@@ -77,7 +76,7 @@ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; # Create and modify /var/log/xferlog. allow ftpd_t xferlog_t:dir search_dir_perms; -allow ftpd_t xferlog_t:file create_file_perms; +allow ftpd_t xferlog_t:file manage_file_perms; logging_log_filetrans(ftpd_t,xferlog_t,file) kernel_read_kernel_sysctls(ftpd_t) @@ -200,7 +199,7 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',` ') tunable_policy(`ftpd_is_daemon',` - allow ftpd_t ftpd_lock_t:file create_file_perms; + allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t,ftpd_lock_t,file) corenet_tcp_bind_ftp_port(ftpd_t) @@ -257,9 +256,7 @@ optional_policy(` # # Allow ftpdctl to talk to ftpd over a socket connection -allow ftpdctl_t ftpd_t:unix_stream_socket connectto; -allow ftpdctl_t ftpd_var_run_t:dir search; -allow ftpdctl_t ftpd_var_run_t:sock_file write; +stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t) # ftpdctl creates a socket so that the daemon can perform # access control decisions (see comments in ftpd_t rules above) diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te index d08f4f9..8c7e609 100644 --- a/policy/modules/services/gatekeeper.te +++ b/policy/modules/services/gatekeeper.te @@ -30,7 +30,7 @@ files_pid_file(gatekeeper_var_run_t) dontaudit gatekeeper_t self:capability sys_tty_config; allow gatekeeper_t self:process { setsched signal_perms }; -allow gatekeeper_t self:fifo_file rw_file_perms; +allow gatekeeper_t self:fifo_file rw_fifo_file_perms; allow gatekeeper_t self:tcp_socket create_stream_socket_perms; allow gatekeeper_t self:udp_socket create_socket_perms; 
@@ -38,16 +38,14 @@ allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; allow gatekeeper_t gatekeeper_etc_t:file { getattr read }; files_search_etc(gatekeeper_t) -allow gatekeeper_t gatekeeper_log_t:file create_file_perms; -allow gatekeeper_t gatekeeper_log_t:dir rw_dir_perms; +manage_files_pattern(gatekeeper_t,gatekeeper_log_t,gatekeeper_log_t) logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir }) -allow gatekeeper_t gatekeeper_tmp_t:dir create_dir_perms; -allow gatekeeper_t gatekeeper_tmp_t:file create_file_perms; +manage_dirs_pattern(gatekeeper_t,gatekeeper_tmp_t,gatekeeper_tmp_t) +manage_files_pattern(gatekeeper_t,gatekeeper_tmp_t,gatekeeper_tmp_t) files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) -allow gatekeeper_t gatekeeper_var_run_t:file create_file_perms; -allow gatekeeper_t gatekeeper_var_run_t:dir rw_dir_perms; +manage_files_pattern(gatekeeper_t,gatekeeper_var_run_t,gatekeeper_var_run_t) files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file) kernel_read_system_state(gatekeeper_t) diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te index c8f5af8..23ee78c 100644 --- a/policy/modules/services/gpm.te +++ b/policy/modules/services/gpm.te 
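Review bot: `manage_files_pattern(gatekeeper_t,gatekeeper_log_t,gatekeeper_log_t)` grants only rw_dir_perms on gatekeeper_log_t directories, yet the next line `logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir })` still declares a directory transition; creating a directory with that label also needs `gatekeeper_log_t:dir create`, which rw_dir_perms does not include as far as I recall, so the dir half of that transition cannot succeed. The replaced rw_dir_perms line had the same gap, so this is not a regression, but since the pair is being rewritten either add `manage_dirs_pattern(gatekeeper_t,gatekeeper_log_t,gatekeeper_log_t)` or drop `dir` from the filetrans so the policy states only what it actually permits.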
@@ -30,24 +30,21 @@ files_type(gpmctl_t) allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config }; allow gpm_t self:unix_stream_socket create_stream_socket_perms; -allow gpm_t gpm_conf_t:dir r_dir_perms; -allow gpm_t gpm_conf_t:file r_file_perms; -allow gpm_t gpm_conf_t:lnk_file { getattr read }; +allow gpm_t gpm_conf_t:dir list_dir_perms; +read_files_pattern(gpm_t,gpm_conf_t,gpm_conf_t) +read_lnk_files_pattern(gpm_t,gpm_conf_t,gpm_conf_t) -allow gpm_t gpm_tmp_t:dir create_dir_perms; -allow gpm_t gpm_tmp_t:file create_file_perms; +manage_dirs_pattern(gpm_t,gpm_tmp_t,gpm_tmp_t) +manage_files_pattern(gpm_t,gpm_tmp_t,gpm_tmp_t) files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) -allow gpm_t gpm_var_run_t:file create_file_perms; +allow gpm_t gpm_var_run_t:file manage_file_perms; files_pid_filetrans(gpm_t,gpm_var_run_t,file) -allow gpm_t gpmctl_t:sock_file create_file_perms; -allow gpm_t gpmctl_t:fifo_file create_file_perms; +allow gpm_t gpmctl_t:sock_file manage_file_perms; +allow gpm_t gpmctl_t:fifo_file manage_file_perms; dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file }) -# cjp: this has no effect -allow gpm_t gpmctl_t:unix_stream_socket name_bind; - kernel_read_kernel_sysctls(gpm_t) kernel_list_proc(gpm_t) kernel_read_proc_symlinks(gpm_t) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index abe9a82..6a37e69 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -15,12 +15,7 @@ interface(`hal_domtrans',` type hald_t, hald_exec_t; ') - domain_auto_trans($1,hald_exec_t,hald_t) - - allow $1 hald_t:fd use; - allow hald_t $1:fd use; - allow hald_t $1:fifo_file rw_file_perms; - allow hald_t $1:process sigchld; + domtrans_pattern($1,hald_exec_t,hald_t) ') ######################################## 
@@ -116,7 +111,7 @@ interface(`hal_read_tmp_files',` type hald_tmp_t; ') - allow $1 hald_tmp_t:file r_file_perms; + allow $1 hald_tmp_t:file read_file_perms; ') ######################################## @@ -135,7 +130,7 @@ interface(`hal_dontaudit_append_lib_files',` type hald_var_lib_t; ') - dontaudit $1 hald_var_lib_t:file ra_file_perms; + dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; ') ######################################## @@ -154,7 +149,7 @@ interface(`hal_read_pid_files',` ') files_search_pids($1) - allow $1 hald_var_run_t:file r_file_perms; + allow $1 hald_var_run_t:file read_file_perms; ') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index e84d7e1..ab6b2d7 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te 
@@ -25,30 +25,30 @@ files_type(hald_var_lib_t) # # execute openvt which needs setuid -allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; dontaudit hald_t self:capability sys_tty_config; allow hald_t self:process signal_perms; -allow hald_t self:fifo_file rw_file_perms; +allow hald_t self:fifo_file rw_fifo_file_perms; allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow hald_t self:unix_dgram_socket create_socket_perms; -allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; allow hald_t self:tcp_socket create_stream_socket_perms; allow hald_t self:udp_socket create_socket_perms; # For backwards compatibility with older kernels allow hald_t self:netlink_socket create_socket_perms; -allow hald_t hald_tmp_t:dir create_dir_perms; -allow hald_t hald_tmp_t:file create_file_perms; +send_audit_msgs_pattern(hald_t) + +manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t) +manage_files_pattern(hald_t,hald_tmp_t,hald_tmp_t) files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) # var/lib files for hald -allow hald_t hald_var_lib_t:file manage_file_perms; -allow hald_t hald_var_lib_t:sock_file manage_file_perms; -allow hald_t hald_var_lib_t:dir manage_dir_perms; +manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) +manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) +manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) -allow hald_t hald_var_run_t:file create_file_perms; -allow hald_t hald_var_run_t:dir rw_dir_perms; +manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t) files_pid_filetrans(hald_t,hald_var_run_t,file) kernel_read_system_state(hald_t) 
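Review bot: The rewritten capability line still grants `sys_tty_config` while the very next context line `dontaudit hald_t self:capability sys_tty_config;` only makes sense when the capability is not allowed; every other daemon in this commit (ddclient, dovecot, gatekeeper, inetd) merely dontaudits it, so one of the two hald rules is stale, and the allow is the one to question since hald has no visible need to reconfigure terminals. Separately, `send_audit_msgs_pattern(hald_t)` is presumably meant to replace the removed `audit_write` capability and `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rules; a comment such as `# audit_write capability + netlink_audit_socket for hald's audit messages` above it would make that equivalence visible without opening the macro definition.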
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te index 83d0fa2..3aa19f1 100644 --- a/policy/modules/services/howl.te +++ b/policy/modules/services/howl.te @@ -21,12 +21,11 @@ files_pid_file(howl_var_run_t) allow howl_t self:capability { kill net_admin }; dontaudit howl_t self:capability sys_tty_config; allow howl_t self:process signal_perms; -allow howl_t self:fifo_file rw_file_perms; +allow howl_t self:fifo_file rw_fifo_file_perms; allow howl_t self:tcp_socket create_stream_socket_perms; allow howl_t self:udp_socket create_socket_perms; -allow howl_t howl_var_run_t:file create_file_perms; -allow howl_t howl_var_run_t:dir rw_dir_perms; +manage_files_pattern(howl_t,howl_var_run_t,howl_var_run_t) files_pid_filetrans(howl_t,howl_var_run_t,file) kernel_read_network_state(howl_t) diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te index 30e5c66..7a7e7e0 100644 --- a/policy/modules/services/i18n_input.te +++ b/policy/modules/services/i18n_input.te 
@@ -21,15 +21,15 @@ files_pid_file(i18n_input_var_run_t) allow i18n_input_t self:capability { kill setgid setuid }; dontaudit i18n_input_t self:capability sys_tty_config; allow i18n_input_t self:process { signal_perms setsched setpgid }; -allow i18n_input_t self:fifo_file rw_file_perms; +allow i18n_input_t self:fifo_file rw_fifo_file_perms; allow i18n_input_t self:unix_dgram_socket create_socket_perms; allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; allow i18n_input_t self:tcp_socket create_stream_socket_perms; allow i18n_input_t self:udp_socket create_socket_perms; -allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms; -allow i18n_input_t i18n_input_var_run_t:file create_file_perms; -allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms; +manage_dirs_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t) +manage_files_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t) +manage_sock_files_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t) files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file) can_exec(i18n_input_t, i18n_input_exec_t) diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te index c16259f..3a618d4 100644 --- a/policy/modules/services/imaze.te +++ b/policy/modules/services/imaze.te @@ -30,7 +30,7 @@ files_pid_file(imazesrv_var_run_t) dontaudit imazesrv_t self:capability sys_tty_config; allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow imazesrv_t self:fd use; -allow imazesrv_t self:fifo_file rw_file_perms; +allow imazesrv_t self:fifo_file rw_fifo_file_perms; allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto }; allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow imazesrv_t self:shm create_shm_perms; 
@@ -41,15 +41,14 @@ allow imazesrv_t self:tcp_socket create_stream_socket_perms; allow imazesrv_t self:udp_socket create_socket_perms; allow imazesrv_t imazesrv_data_t:dir list_dir_perms; -allow imazesrv_t imazesrv_data_t:file read_file_perms; -allow imazesrv_t imazesrv_data_t:lnk_file { getattr read }; +read_files_pattern(imazesrv_t,imazesrv_data_t,imazesrv_data_t) +read_lnk_files_pattern(imazesrv_t,imazesrv_data_t,imazesrv_data_t) allow imazesrv_t imazesrv_log_t:file manage_file_perms; -allow imazesrv_t imazesrv_log_t:dir ra_dir_perms; +allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms; logging_log_filetrans(imazesrv_t,imazesrv_log_t,file) -allow imazesrv_t imazesrv_var_run_t:file manage_file_perms; -allow imazesrv_t imazesrv_var_run_t:dir rw_dir_perms; +manage_files_pattern(imazesrv_t,imazesrv_var_run_t,imazesrv_var_run_t) files_pid_filetrans(imazesrv_t,imazesrv_var_run_t,file) kernel_read_kernel_sysctls(imazesrv_t) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if index 2edfec6..fe24a58 100644 --- a/policy/modules/services/inetd.if +++ b/policy/modules/services/inetd.if @@ -51,21 +51,12 @@ interface(`inetd_core_service_domain',` ') can_exec({ unconfined_t initrc_t },$2) } else { - domain_auto_trans(inetd_t,$2,$1) - allow inetd_t $1:fd use; - allow $1 inetd_t:fd use; - allow $1 inetd_t:fifo_file rw_file_perms; - allow $1 inetd_t:process sigchld; + domtrans_pattern(inetd_t,$2,$1) dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; - allow inetd_t $1:process sigkill; } ',` - domain_auto_trans(inetd_t,$2,$1) - allow inetd_t $1:fd use; - allow $1 inetd_t:fd use; - allow $1 inetd_t:fifo_file rw_file_perms; - allow $1 inetd_t:process sigchld; + domtrans_pattern(inetd_t,$2,$1) dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; allow inetd_t $1:process sigkill; 
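Review bot: `allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms;` narrows what ra_dir_perms used to give: the old set carried `read` on the log directory and the new one (getattr, search, lock, ioctl, write, add_name, as I recall its definition) does not. That is fine if imazesrv only opens its log by name through the filetrans on the following line, but if it ever lists the directory (rotation, glob) the listing is now denied; a short comment on the line, e.g. `# add_entry only: imazesrv creates its log by name, never lists the dir`, or a changelog entry noting the intentional narrowing would save the next person an audit2allow session.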
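Review bot: In the targeted_policy `else` branch the line `allow inetd_t $1:process sigkill;` is removed along with the old domain_auto_trans block, while the non-targeted branch below keeps it; domtrans_pattern grants sigchld in the other direction but not sigkill, so under targeted policy inetd_t can no longer kill the services it spawns, and neither the changelog nor the commit message mentions that. Unless the drop is deliberate, restore `allow inetd_t $1:process sigkill;` after the dontaudit line in that branch so both branches grant the same process permissions. The interface's closing lines lie outside this hunk.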
@@ -197,12 +188,7 @@ interface(`inetd_domtrans_child',` ') corecmd_search_sbin($1) - domain_auto_trans($1,inetd_child_exec_t,inetd_child_t) - - allow $1 inetd_child_t:fd use; - allow inetd_child_t $1:fd use; - allow inetd_child_t $1:fifo_file rw_file_perms; - allow inetd_child_t $1:process sigchld; + domtrans_pattern($1,inetd_child_exec_t,inetd_child_t) ') ######################################## diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index 703ec74..f1431a2 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -38,18 +38,18 @@ files_pid_file(inetd_child_var_run_t) allow inetd_t self:capability { setuid setgid }; dontaudit inetd_t self:capability sys_tty_config; allow inetd_t self:process setsched; -allow inetd_t self:fifo_file rw_file_perms; +allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket create_stream_socket_perms; allow inetd_t self:udp_socket create_socket_perms; -allow inetd_t inetd_log_t:file create_file_perms; +allow inetd_t inetd_log_t:file manage_file_perms; logging_log_filetrans(inetd_t,inetd_log_t,file) -allow inetd_t inetd_tmp_t:dir create_dir_perms; -allow inetd_t inetd_tmp_t:file create_file_perms; +manage_dirs_pattern(inetd_t,inetd_tmp_t,inetd_tmp_t) +manage_files_pattern(inetd_t,inetd_tmp_t,inetd_tmp_t) files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) -allow inetd_t inetd_var_run_t:file create_file_perms; +allow inetd_t inetd_var_run_t:file manage_file_perms; files_pid_filetrans(inetd_t,inetd_var_run_t,file) kernel_read_kernel_sysctls(inetd_t) 
@@ -166,23 +166,20 @@ ifdef(`targeted_policy',` # allow inetd_child_t self:process signal_perms; -allow inetd_child_t self:fifo_file rw_file_perms; +allow inetd_child_t self:fifo_file rw_fifo_file_perms; allow inetd_child_t self:tcp_socket connected_stream_socket_perms; allow inetd_child_t self:udp_socket create_socket_perms; # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; -allow inetd_child_t self:dir search; -allow inetd_child_t self:{ lnk_file file } { getattr read }; files_search_home(inetd_child_t) -allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms; -allow inetd_child_t inetd_child_tmp_t:file create_file_perms; +manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) +manage_files_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) -allow inetd_child_t inetd_child_var_run_t:file create_file_perms; -allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms; +manage_files_pattern(inetd_child_t,inetd_child_var_run_t,inetd_child_var_run_t) files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file) kernel_read_kernel_sysctls(inetd_child_t) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index 8fe6b8d..a2c89d6 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -55,7 +55,7 @@ interface(`inn_manage_log',` logging_rw_generic_log_dirs($1) allow $1 innd_log_t:dir search; - allow $1 innd_log_t:file create_file_perms; + allow $1 innd_log_t:file manage_file_perms; ') ######################################## 
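Review bot: The two removed lines `allow inetd_child_t self:dir search;` and `allow inetd_child_t self:{ lnk_file file } { getattr read };` get no replacement in this hunk, and the changelog only speaks of the new pattern macros. Rules of that shape usually cover /proc/self access, which the base domain rules normally grant to every domain, in which case the deletion is just deduplication; if inetd_child_t does not receive those generic rules, or they are narrower, the child services lose that access. A sentence in the commit message saying which case applies would settle it.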
@@ -74,9 +74,8 @@ interface(`inn_manage_pid',` ') files_search_pids($1) - allow $1 innd_var_run_t:dir rw_dir_perms; - allow $1 innd_var_run_t:file create_file_perms; - allow $1 innd_var_run_t:lnk_file create_lnk_perms; + manage_files_pattern($1,innd_var_run_t,innd_var_run_t) + manage_lnk_files_pattern($1,innd_var_run_t,innd_var_run_t) ') ######################################## @@ -175,10 +174,5 @@ interface(`inn_domtrans',` ') corecmd_search_bin($1) - domain_auto_trans($1,innd_exec_t,innd_t) - - allow innd_t $1:fd use; - allow innd_t $1:fifo_file rw_file_perms; - allow innd_t $1:process sigchld; + domtrans_pattern($1,innd_exec_t,innd_t) ') - diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index ded58fe..d547c01 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te 
@@ -31,35 +31,34 @@ files_type(news_spool_t) allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; -allow innd_t self:fifo_file rw_file_perms; +allow innd_t self:fifo_file rw_fifo_file_perms; allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow innd_t self:tcp_socket create_stream_socket_perms; allow innd_t self:udp_socket create_socket_perms; allow innd_t self:netlink_route_socket r_netlink_socket_perms; -allow innd_t innd_etc_t:file r_file_perms; -allow innd_t innd_etc_t:dir r_dir_perms; -allow innd_t innd_etc_t:lnk_file { getattr read }; +read_files_pattern(innd_t,innd_etc_t,innd_etc_t) +read_lnk_files_pattern(innd_t,innd_etc_t,innd_etc_t) can_exec(innd_t, innd_exec_t) -allow innd_t innd_log_t:file manage_file_perms; -allow innd_t innd_log_t:dir { setattr rw_dir_perms }; +manage_files_pattern(innd_t,innd_log_t,innd_log_t) +allow innd_t innd_log_t:dir setattr; logging_log_filetrans(innd_t,innd_log_t,file) -allow innd_t innd_var_lib_t:dir create_dir_perms; -allow innd_t innd_var_lib_t:file create_file_perms; +manage_dirs_pattern(innd_t,innd_var_lib_t,innd_var_lib_t) +manage_files_pattern(innd_t,innd_var_lib_t,innd_var_lib_t) files_var_lib_filetrans(innd_t,innd_var_lib_t,file) -allow innd_t innd_var_run_t:dir create_dir_perms; -allow innd_t innd_var_run_t:file create_file_perms; -allow innd_t innd_var_run_t:sock_file create_file_perms; +manage_dirs_pattern(innd_t,innd_var_run_t,innd_var_run_t) +manage_files_pattern(innd_t,innd_var_run_t,innd_var_run_t) +manage_sock_files_pattern(innd_t,innd_var_run_t,innd_var_run_t) files_pid_filetrans(innd_t,innd_var_run_t,file) -allow innd_t news_spool_t:dir create_dir_perms; -allow innd_t news_spool_t:file create_file_perms; -allow innd_t news_spool_t:lnk_file create_lnk_perms; 
+manage_dirs_pattern(innd_t,news_spool_t,news_spool_t) +manage_files_pattern(innd_t,news_spool_t,news_spool_t) +manage_lnk_files_pattern(innd_t,news_spool_t,news_spool_t) kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te index ed9546e..4bdfc79 100644 --- a/policy/modules/services/ircd.te +++ b/policy/modules/services/ircd.te @@ -32,21 +32,17 @@ allow ircd_t self:process signal_perms; allow ircd_t self:tcp_socket create_stream_socket_perms; allow ircd_t self:udp_socket create_socket_perms; -allow ircd_t ircd_etc_t:file r_file_perms; -allow ircd_t ircd_etc_t:dir r_dir_perms; -allow ircd_t ircd_etc_t:lnk_file { getattr read }; +read_files_pattern(ircd_t,ircd_etc_t,ircd_etc_t) +read_lnk_files_pattern(ircd_t,ircd_etc_t,ircd_etc_t) files_search_etc(ircd_t) -allow ircd_t ircd_log_t:file create_file_perms; -allow ircd_t ircd_log_t:dir rw_dir_perms; +manage_files_pattern(ircd_t,ircd_log_t,ircd_log_t) logging_log_filetrans(ircd_t,ircd_log_t,{ file dir }) -allow ircd_t ircd_var_lib_t:file create_file_perms; -allow ircd_t ircd_var_lib_t:dir rw_dir_perms; +manage_files_pattern(ircd_t,ircd_var_lib_t,ircd_var_lib_t) files_var_lib_filetrans(ircd_t,ircd_var_lib_t,file) -allow ircd_t ircd_var_run_t:file create_file_perms; -allow ircd_t ircd_var_run_t:dir rw_dir_perms; +manage_files_pattern(ircd_t,ircd_var_run_t,ircd_var_run_t) files_pid_filetrans(ircd_t,ircd_var_run_t,file) kernel_read_system_state(ircd_t) diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te index 25368c0..5c73ace 100644 --- a/policy/modules/services/irqbalance.te +++ b/policy/modules/services/irqbalance.te 
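Review bot: `read_files_pattern(innd_t,innd_etc_t,innd_etc_t)` replaces `allow innd_t innd_etc_t:dir r_dir_perms;`, but the pattern only grants search_dir_perms on the directory, so innd loses `read` (listing) on its configuration directory; the alsa, gpm and dovecot_cert hunks in this same commit keep that listing with an explicit `allow … :dir list_dir_perms;` next to the same pattern pair. Unless innd is known never to enumerate its config directory, add `allow innd_t innd_etc_t:dir list_dir_perms;` for parity. This hunk begins on the previous line.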
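Review bot: `read_files_pattern(ircd_t,ircd_etc_t,ircd_etc_t)` drops the directory `read` that the removed `allow ircd_t ircd_etc_t:dir r_dir_perms;` gave ircd on its config directory, whereas other hunks in this commit preserve it with an explicit `allow … :dir list_dir_perms;` beside the pattern; add `allow ircd_t ircd_etc_t:dir list_dir_perms;` unless ircd is known not to list that directory. In the same hunk `manage_files_pattern(ircd_t,ircd_log_t,ircd_log_t)` grants no `dir create` on ircd_log_t while `logging_log_filetrans(ircd_t,ircd_log_t,{ file dir })` still declares a directory transition, so that half of the transition cannot be exercised (rw_dir_perms has no create as far as I recall). That gap is pre-existing, but with the pair being rewritten either add `manage_dirs_pattern(ircd_t,ircd_log_t,ircd_log_t)` or drop `dir` from the filetrans.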
@@ -21,8 +21,7 @@ files_pid_file(irqbalance_var_run_t)
 dontaudit irqbalance_t self:capability sys_tty_config;
 allow irqbalance_t self:process signal_perms;
-allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
-allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
+manage_files_pattern(irqbalance_t,irqbalance_var_run_t,irqbalance_var_run_t)
 files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
 kernel_read_system_state(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 56a9eda..960808b 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -31,16 +31,13 @@ allow jabberd_t self:fifo_file { read write getattr };
 allow jabberd_t self:tcp_socket create_stream_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
-allow jabberd_t jabberd_var_lib_t:file create_file_perms;
-allow jabberd_t jabberd_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_var_lib_t,jabberd_var_lib_t)
 files_var_lib_filetrans(jabberd_t,jabberd_var_lib_t,file)
-allow jabberd_t jabberd_log_t:file create_file_perms;
-allow jabberd_t jabberd_log_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_log_t,jabberd_log_t)
 logging_log_filetrans(jabberd_t,jabberd_log_t,{ file dir })
-allow jabberd_t jabberd_var_run_t:file create_file_perms;
-allow jabberd_t jabberd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_var_run_t,jabberd_var_run_t)
 files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
 kernel_read_kernel_sysctls(jabberd_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 7d917aa..99a57b8 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -82,7 +82,7 @@ interface(`kerberos_read_config',`
 ')
 files_search_etc($1)
- allow $1 krb5_conf_t:file r_file_perms;
+ allow $1 krb5_conf_t:file read_file_perms;
 ')
 ########################################
@@ -141,5 +141,5 @@ interface(`kerberos_read_keytab',`
 ')
 files_search_etc($1)
- allow $1 krb5_keytab_t:file r_file_perms;
+ allow $1 krb5_keytab_t:file read_file_perms;
 ')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 1bf464d..8640e1b 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -61,26 +61,24 @@ allow kadmind_t self:unix_dgram_socket { connect create write };
 allow kadmind_t self:tcp_socket connected_stream_socket_perms;
 allow kadmind_t self:udp_socket create_socket_perms;
-allow kadmind_t kadmind_log_t:file create_file_perms;
+allow kadmind_t kadmind_log_t:file manage_file_perms;
 logging_log_filetrans(kadmind_t,kadmind_log_t,file)
-allow kadmind_t krb5_conf_t:file r_file_perms;
+allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
 dontaudit kadmind_t krb5kdc_conf_t:file write;
 allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
 can_exec(kadmind_t, kadmind_exec_t)
-allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
-allow kadmind_t kadmind_tmp_t:file create_file_perms;
+manage_dirs_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
+manage_files_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
 files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-allow kadmind_t kadmind_var_run_t:file create_file_perms;
-allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(kadmind_t,kadmind_var_run_t,kadmind_var_run_t)
 files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
 kernel_read_kernel_sysctls(kadmind_t)
@@ -161,27 +159,25 @@ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
-allow krb5kdc_t krb5_conf_t:file r_file_perms;
+allow krb5kdc_t krb5_conf_t:file read_file_perms;
 dontaudit krb5kdc_t krb5_conf_t:file write;
 can_exec(krb5kdc_t, krb5kdc_exec_t)
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+read_files_pattern(krb5kdc_t,krb5kdc_conf_t,krb5kdc_conf_t)
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
 dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
-allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
+manage_dirs_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
+manage_files_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
 files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
-allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
-allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
+manage_files_pattern(krb5kdc_t,krb5kdc_var_run_t,krb5kdc_var_run_t)
 files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
 kernel_read_system_state(krb5kdc_t)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 99da49f..bef8d80 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -26,15 +26,13 @@ files_pid_file(ktalkd_var_run_t)
 #
 allow ktalkd_t self:process signal_perms;
-allow ktalkd_t self:fifo_file rw_file_perms;
+allow ktalkd_t self:fifo_file rw_fifo_file_perms;
 allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
 allow ktalkd_t self:udp_socket create_socket_perms;
 # for identd
 # cjp: this should probably only be inetd_child rules?
 allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow ktalkd_t self:capability { setuid setgid };
-allow ktalkd_t self:dir search;
-allow ktalkd_t self:{ lnk_file file } { getattr read };
 files_search_home(ktalkd_t)
 optional_policy(`
 kerberos_use(ktalkd_t)
@@ -44,12 +42,11 @@ optional_policy(`
 allow ktalkd_t ktalkd_log_t:file manage_file_perms;
 logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
-allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
-allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
+manage_dirs_pattern(ktalkd_t,ktalkd_tmp_t,ktalkd_tmp_t)
+manage_files_pattern(ktalkd_t,ktalkd_tmp_t,ktalkd_tmp_t)
 files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
-allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t)
 files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
 kernel_read_kernel_sysctls(ktalkd_t)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index c954c2b..8d5edff 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -16,7 +16,7 @@ interface(`ldap_list_db',`
 type slapd_db_t;
 ')
- allow $1 slapd_db_t:dir r_dir_perms;
+ allow $1 slapd_db_t:dir list_dir_perms;
 ')
 ########################################
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index c043c0c..e72bc6f 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -47,32 +47,31 @@ allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
-allow slapd_t slapd_cert_t:dir r_dir_perms;
-allow slapd_t slapd_cert_t:file r_file_perms;
-allow slapd_t slapd_cert_t:lnk_file { getattr read };
+allow slapd_t slapd_cert_t:dir list_dir_perms;
+read_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
+read_lnk_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
 # Allow access to the slapd databases
-allow slapd_t slapd_db_t:dir create_dir_perms;
-allow slapd_t slapd_db_t:file create_file_perms;
-allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(slapd_t,slapd_db_t,slapd_db_t)
+manage_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
+manage_lnk_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
 allow slapd_t slapd_etc_t:file { getattr read };
-allow slapd_t slapd_lock_t:file create_file_perms;
+allow slapd_t slapd_lock_t:file manage_file_perms;
 files_lock_filetrans(slapd_t,slapd_lock_t,file)
 # Allow access to write the replication log (should tighten this)
-allow slapd_t slapd_replog_t:dir create_dir_perms;
-allow slapd_t slapd_replog_t:file create_file_perms;
-allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
+manage_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
+manage_lnk_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
-allow slapd_t slapd_tmp_t:dir create_dir_perms;
-allow slapd_t slapd_tmp_t:file create_file_perms;
+manage_dirs_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
+manage_files_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
 files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-allow slapd_t slapd_var_run_t:file manage_file_perms;
-allow slapd_t slapd_var_run_t:sock_file manage_file_perms;
-allow slapd_t slapd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
+manage_sock_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
 files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
 kernel_read_system_state(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index b59cd71..84ec5d2 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -77,34 +77,28 @@ template(`lpd_per_role_template',`
 can_exec($1_lpr_t,lpr_exec_t)
- allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
- allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
+ manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
 files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
- allow $1_lpr_t $1_print_spool_t:file create_file_perms;
- allow $1_lpr_t print_spool_t:dir rw_dir_perms;
- type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+ manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
+ filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
- allow $1_lpr_t printconf_t:dir r_dir_perms;
- allow $1_lpr_t printconf_t:file r_file_perms;
- allow $1_lpr_t printconf_t:lnk_file { getattr read };
+ allow $1_lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern($1_lpr_t,printconf_t,printconf_t)
+ read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
 dontaudit $1_lpr_t $2:unix_stream_socket { read write };
 # Transition from the user domain to the derived domain.
- allow $2 $1_lpr_t:fd use;
- allow $1_lpr_t $2:fd use;
- allow $1_lpr_t $2:fifo_file rw_file_perms;
- allow $1_lpr_t $2:process sigchld;
- domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
+ domtrans_pattern($2,lpr_exec_t,$1_lpr_t)
 allow $2 $1_lpr_t:process signull;
 # Allow lpd to read, rename, and unlink spool files.
- allow lpd_t $1_print_spool_t:file r_file_perms;
- allow lpd_t $1_print_spool_t:file link_file_perms;
+ allow lpd_t $1_print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
 kernel_read_kernel_sysctls($1_lpr_t)
@@ -247,12 +241,7 @@ interface(`lpd_domtrans_checkpc',`
 type checkpc_t, checkpc_exec_t;
 ')
- domain_auto_trans($1,checkpc_exec_t,checkpc_t)
-
- allow $1 checkpc_t:fd use;
- allow checkpc_t $1:fd use;
- allow checkpc_t $1:fifo_file rw_file_perms;
- allow checkpc_t $1:process sigchld;
+ domtrans_pattern($1,checkpc_exec_t,checkpc_t)
 ')
 ########################################
@@ -322,10 +311,10 @@ interface(`lpd_manage_spool',`
 ')
 files_search_spool($1)
+ manage_files_pattern($1,print_spool_t,print_spool_t)
 # cjp: cups wants setattr
- allow $1 print_spool_t:dir { rw_dir_perms setattr };
- allow $1 print_spool_t:file manage_file_perms;
+ allow $1 print_spool_t:dir setattr;
 ')
 ########################################
@@ -364,7 +353,7 @@ interface(`lpd_read_config',`
 ')
 allow $1 printconf_t:dir list_dir_perms;
- allow $1 printconf_t:file r_file_perms;
+ read_files_pattern($1,printconf_t,printconf_t)
 ')
 ########################################
@@ -397,10 +386,5 @@ template(`lpd_domtrans_user_lpr',`
 type $1_lpr_t, lpr_exec_t;
 ')
- domain_auto_trans($2, lpr_exec_t, $1_lpr_t)
- allow $2 $1_lpr_t:fd use;
- allow $1_lpr_t $2:fd use;
- allow $1_lpr_t $2:fifo_file rw_file_perms;
- allow $1_lpr_t $2:process sigchld;
+ domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
 ')
-
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 4d098e2..ade931e 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -50,14 +50,14 @@ allow checkpc_t self:unix_stream_socket create_socket_perms;
 allow checkpc_t self:tcp_socket create_socket_perms;
 allow checkpc_t self:udp_socket create_socket_perms;
-allow checkpc_t checkpc_log_t:file create_file_perms;
+allow checkpc_t checkpc_log_t:file manage_file_perms;
 logging_log_filetrans(checkpc_t,checkpc_log_t,file)
-allow checkpc_t lpd_var_run_t:dir { search getattr };
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
 files_search_pids(checkpc_t)
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
+rw_files_pattern(checkpc_t,print_spool_t,print_spool_t)
+delete_files_pattern(checkpc_t,print_spool_t,print_spool_t)
 files_search_spool(checkpc_t)
 allow checkpc_t printconf_t:file getattr;
@@ -121,25 +121,22 @@ optional_policy(`
 allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
 dontaudit lpd_t self:capability sys_tty_config;
 allow lpd_t self:process signal_perms;
-allow lpd_t self:fifo_file rw_file_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
 allow lpd_t self:unix_stream_socket create_stream_socket_perms;
 allow lpd_t self:unix_dgram_socket create_socket_perms;
 allow lpd_t self:tcp_socket create_stream_socket_perms;
 allow lpd_t self:udp_socket create_stream_socket_perms;
-allow lpd_t lpd_tmp_t:dir create_dir_perms;
-allow lpd_t lpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
+manage_files_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
 files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-allow lpd_t lpd_var_run_t:dir rw_dir_perms;
-allow lpd_t lpd_var_run_t:file create_file_perms;
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+manage_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
+manage_sock_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
 files_pid_filetrans(lpd_t,lpd_var_run_t,file)
 # Write to /var/spool/lpd.
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
+manage_files_pattern(lpd_t,print_spool_t,print_spool_t)
 files_search_spool(lpd_t)
 # lpd must be able to execute the filter utilities in /usr/share/printconf.
@@ -147,11 +144,8 @@ allow lpd_t printconf_t:dir { getattr search read };
 can_exec(lpd_t, printconf_t)
 # Create and bind to /dev/printer.
-allow lpd_t printer_t:lnk_file create_lnk_perms;
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
 dev_filetrans(lpd_t,printer_t,lnk_file)
-# cjp: I believe these have no effect:
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
 kernel_read_kernel_sysctls(lpd_t)
 # bash wants access to /proc/meminfo
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index 68a2588..e7344da 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -31,20 +31,18 @@ template(`mailman_domain_template', `
 allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
 allow mailman_$1_t self:udp_socket create_socket_perms;
- allow mailman_$1_t mailman_data_t:dir create_dir_perms;
- allow mailman_$1_t mailman_data_t:file create_file_perms;
- allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
+ manage_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
+ manage_lnk_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
- allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
- allow mailman_$1_t mailman_lock_t:file create_file_perms;
+ manage_files_pattern(mailman_$1_t,mailman_lock_t,mailman_lock_t)
 files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
- allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
- allow mailman_$1_t mailman_log_t:file create_file_perms;
+ manage_files_pattern(mailman_$1_t,mailman_log_t,mailman_log_t)
 logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
- allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
- allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+ manage_dirs_pattern(mailman_$1_t,mailman_$1_tmp_t,mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t,mailman_$1_tmp_t,mailman_$1_tmp_t)
 files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
 kernel_read_kernel_sysctls(mailman_$1_t)
@@ -106,12 +104,7 @@ interface(`mailman_domtrans',`
 type mailman_mail_exec_t, mailman_mail_t;
 ')
- domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
-
- allow $1 mailman_mail_t:fd use;
- allow mailman_mail_t $1:fd use;
- allow mailman_mail_t $1:fifo_file rw_file_perms;
- allow mailman_mail_t $1:process sigchld;
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
 ')
 #######################################
@@ -130,12 +123,7 @@ interface(`mailman_domtrans_cgi',`
 type mailman_cgi_exec_t, mailman_cgi_t;
 ')
- domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
-
- allow $1 mailman_cgi_t:fd use;
- allow mailman_cgi_t $1:fd use;
- allow mailman_cgi_t $1:fifo_file rw_file_perms;
- allow mailman_cgi_t $1:process sigchld;
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
 ')
 #######################################
@@ -207,8 +195,7 @@ interface(`mailman_read_data_files',`
 type mailman_data_t;
 ')
- allow $1 mailman_data_t:dir search_dir_perms;
- allow $1 mailman_data_t:file read_file_perms;
+ read_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
 #######################################
@@ -227,8 +214,7 @@ interface(`mailman_manage_data_files',`
 type mailman_data_t;
 ')
- allow $1 mailman_data_t:dir rw_dir_perms;
- allow $1 mailman_data_t:file manage_file_perms;
+ manage_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
 #######################################
@@ -246,7 +232,7 @@ interface(`mailman_list_data',`
 type mailman_data_t;
 ')
- allow $1 mailman_data_t:dir r_dir_perms;
+ allow $1 mailman_data_t:dir list_dir_perms;
 ')
 #######################################
@@ -264,8 +250,7 @@ interface(`mailman_read_data_symlinks',`
 type mailman_data_t;
 ')
- allow $1 mailman_data_t:dir search;
- allow $1 mailman_data_t:lnk_file read;
+ read_lnk_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
 #######################################
@@ -284,9 +269,8 @@ interface(`mailman_manage_log',`
 type mailman_log_t;
 ')
- allow $1 mailman_log_t:dir rw_dir_perms;
- allow $1 mailman_log_t:file create_file_perms;
- allow $1 mailman_log_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,mailman_log_t,mailman_log_t)
+ manage_lnk_files_pattern($1,mailman_log_t,mailman_log_t)
 ')
 #######################################
@@ -305,11 +289,10 @@ interface(`mailman_read_archive',`
 ')
 allow $1 mailman_archive_t:dir list_dir_perms;
- allow $1 mailman_archive_t:file r_file_perms;
- allow $1 mailman_archive_t:lnk_file { getattr read };
+ read_files_pattern($1,mailman_archive_t,mailman_archive_t)
+ read_lnk_files_pattern($1,mailman_archive_t,mailman_archive_t)
 ')
-
 #######################################
 ##
 ## Execute mailman_queue in the mailman_queue domain.
@@ -325,11 +308,5 @@ interface(`mailman_domtrans_queue',`
 type mailman_queue_exec_t, mailman_queue_t;
 ')
- domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
-
- allow $1 mailman_queue_t:fd use;
- allow mailman_queue_t $1:fd use;
- allow mailman_queue_t $1:fifo_file rw_file_perms;
- allow mailman_queue_t $1:process sigchld;
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
 ')
-
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index cd1469c..a523541 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -40,9 +40,9 @@ optional_policy(`
 dev_read_urand(mailman_cgi_t)
- allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
- allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
- allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+ manage_dirs_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
+ manage_files_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
+ manage_lnk_files_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
 files_search_spool(mailman_cgi_t)
@@ -85,13 +85,13 @@ optional_policy(`
 allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:process signal;
-allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
 allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
-allow mailman_queue_t mailman_archive_t:file create_file_perms;
-allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
+manage_files_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
+manage_lnk_files_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
 kernel_read_proc_symlinks(mailman_queue_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index c069460..3404d4f 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -32,12 +32,11 @@ allow monopd_t self:udp_socket create_socket_perms;
 allow monopd_t monopd_etc_t:file { getattr read };
 files_search_etc(monopd_t)
-allow monopd_t monopd_share_t:dir r_dir_perms;
-allow monopd_t monopd_share_t:file r_file_perms;
-allow monopd_t monopd_share_t:lnk_file { getattr read };
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t,monopd_share_t,monopd_share_t)
+read_lnk_files_pattern(monopd_t,monopd_share_t,monopd_share_t)
-allow monopd_t monopd_var_run_t:file create_file_perms;
-allow monopd_t monopd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(monopd_t,monopd_var_run_t,monopd_var_run_t)
 files_pid_filetrans(monopd_t,monopd_var_run_t,file)
 kernel_read_kernel_sysctls(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index e388b87..1a03d84 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -63,7 +63,7 @@ template(`mta_base_mail_template',`
 # re-exec itself
 can_exec($1_mail_t, sendmail_exec_t)
- allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
 kernel_read_kernel_sysctls($1_mail_t)
@@ -118,17 +118,15 @@ template(`mta_base_mail_template',`
 type etc_mail_t, mail_spool_t, mqueue_spool_t;
 ')
- allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
- allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
+ manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
 files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
 allow $1_mail_t etc_mail_t:dir { getattr search };
 # Write to /var/spool/mail and /var/spool/mqueue.
- allow $1_mail_t mail_spool_t:dir rw_dir_perms;
- allow $1_mail_t mail_spool_t:file create_file_perms;
- allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
- allow $1_mail_t mqueue_spool_t:file create_file_perms;
+ manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
+ manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
 # Check available space.
 fs_getattr_xattr_fs($1_mail_t)
@@ -191,14 +189,9 @@ template(`mta_per_role_template',`
 #
 # Transition from the user domain to the derived domain.
- domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+ domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
 allow $2 sendmail_exec_t:lnk_file { getattr read };
- allow $2 $1_mail_t:fd use;
- allow $1_mail_t $2:fd use;
- allow $1_mail_t $2:fifo_file rw_file_perms;
- allow $1_mail_t $2:process sigchld;
-
 domain_use_interactive_fds($1_mail_t)
 userdom_use_user_terminals($1,$1_mail_t)
@@ -275,11 +268,11 @@ template(`mta_admin_template',`
 allow mta_user_agent $2:fifo_file { read write };
- allow $1_mail_t etc_aliases_t:dir create_dir_perms;
- allow $1_mail_t etc_aliases_t:file create_file_perms;
- allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
- allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
- allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
 files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
 # postfix needs this for newaliases
@@ -390,9 +383,11 @@ interface(`mta_mailserver_delivery',`
 typeattribute $1 mailserver_delivery;
- allow $1 mail_spool_t:dir ra_dir_perms;
- allow $1 mail_spool_t:file { create ioctl read getattr lock append };
- allow $1 mail_spool_t:lnk_file { create read getattr };
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_files_pattern($1,mail_spool_t,mail_spool_t)
+ create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 optional_policy(`
 dovecot_manage_spool($1)
@@ -449,7 +444,7 @@ interface(`mta_send_mail',`
 type system_mail_t, sendmail_exec_t;
 ')
- allow $1 sendmail_exec_t:lnk_file r_file_perms;
+ allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
 domain_auto_trans($1, sendmail_exec_t, system_mail_t)
 allow $1 system_mail_t:fd use;
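Review bot: In mta_mailserver_delivery the removed rule granted `append` on mail_spool_t files (`{ create ioctl read getattr lock append }`), but the new side only has `create_files_pattern` and `read_files_pattern`. Unless the new create_file_perms set still carries append — and the Changelog says its meaning changed in this commit — a delivery agent that appends to an mbox loses that permission here; adding `allow $1 mail_spool_t:file append;` next to the patterns would preserve the old behaviour. It is worth checking in the same place that `lock` is still granted by read_file_perms.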
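Review bot: mta_send_mail keeps `domain_auto_trans($1, sendmail_exec_t, system_mail_t)` followed by `allow $1 system_mail_t:fd use;` while the other transition interfaces touched by this commit (mailman_domtrans, lpd_domtrans_checkpc, mta_per_role_template) collapse the same set of rules into `domtrans_pattern`. If nothing in the remainder of the interface, which continues outside the hunk, depends on the individual rules, `domtrans_pattern($1, sendmail_exec_t, system_mail_t)` would keep mta.if consistent with itself.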
@@ -533,8 +528,8 @@ interface(`mta_read_config',`
 files_search_etc($1)
 allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file r_file_perms;
- allow $1 etc_mail_t:lnk_file { getattr read };
+ read_files_pattern($1,etc_mail_t,etc_mail_t)
+ read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
 ')
 ########################################
@@ -553,7 +548,7 @@ interface(`mta_read_aliases',`
 ')
 files_search_etc($1)
- allow $1 etc_aliases_t:file r_file_perms;
+ allow $1 etc_aliases_t:file read_file_perms;
 ')
 ########################################
@@ -663,7 +658,7 @@ interface(`mta_getattr_spool',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir r_dir_perms;
+ allow $1 mail_spool_t:dir list_dir_perms;
 allow $1 mail_spool_t:lnk_file read;
 allow $1 mail_spool_t:file getattr;
 ')
@@ -717,8 +712,7 @@ interface(`mta_spool_filetrans',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir rw_dir_perms;
- type_transition $1 mail_spool_t:$3 $2;
+ filetrans_pattern($1,mail_spool_t,$2,$3)
 ')
 ########################################
@@ -737,9 +731,10 @@ interface(`mta_rw_spool',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir r_dir_perms;
- allow $1 mail_spool_t:lnk_file { getattr read };
- allow $1 mail_spool_t:file { rw_file_perms setattr };
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file setattr;
+ rw_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 #######################################
@@ -758,9 +753,10 @@ interface(`mta_append_spool',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir ra_dir_perms;
- allow $1 mail_spool_t:lnk_file { getattr read };
- allow $1 mail_spool_t:file create_file_perms;
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1,mail_spool_t,mail_spool_t)
+ write_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 #######################################
@@ -779,8 +775,7 @@ interface(`mta_delete_spool',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
- allow $1 mail_spool_t:file unlink;
+ delete_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 ########################################
@@ -799,9 +794,9 @@ interface(`mta_manage_spool',`
 ')
 files_search_spool($1)
- allow $1 mail_spool_t:dir manage_dir_perms;
- allow $1 mail_spool_t:lnk_file create_lnk_perms;
- allow $1 mail_spool_t:file manage_file_perms;
+ manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
+ manage_files_pattern($1,mail_spool_t,mail_spool_t)
+ manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 ')
 #######################################
@@ -841,8 +836,7 @@ interface(`mta_manage_queue',`
 ')
 files_search_spool($1)
- allow $1 mqueue_spool_t:dir rw_dir_perms;
- allow $1 mqueue_spool_t:file create_file_perms;
+ manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
 ')
 #######################################
@@ -861,7 +855,7 @@ interface(`mta_read_sendmail_bin',`
 type sendmail_exec_t;
 ')
- allow $1 sendmail_exec_t:file r_file_perms;
+ allow $1 sendmail_exec_t:file read_file_perms;
 ')
 #######################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 4754967..e6fdef4 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -47,8 +47,7 @@ role system_r types system_mail_t;
 # newalias required this, not sure if it is needed in 'if' file
 allow system_mail_t self:capability { dac_override };
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_mail_t:file r_file_perms;
+read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
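Review bot: mta_delete_spool previously granted `{ list_dir_perms write remove_name }` on the spool directory; `delete_files_pattern($1,mail_spool_t,mail_spool_t)` presumably covers only the entry-removal side (search plus write/remove_name), so a caller that lists the spool to find the files it unlinks would now be denied `read` on the directory. If that narrowing is intended it is fine, otherwise keep `allow $1 mail_spool_t:dir list_dir_perms;` next to the pattern, as mta_rw_spool and mta_append_spool do.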
@@ -63,14 +62,10 @@ userdom_use_sysadm_terms(system_mail_t)
 ifdef(`targeted_policy',`
 typealias system_mail_t alias sysadm_mail_t;
- allow system_mail_t mail_spool_t:dir create_dir_perms;
- allow system_mail_t mail_spool_t:file create_file_perms;
- allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
- allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-
- allow system_mail_t mqueue_spool_t:dir create_dir_perms;
- allow system_mail_t mqueue_spool_t:file create_file_perms;
- allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
 # for reading .forward - maybe we need a new type for it?
 # also for delivering mail to maildir
@@ -133,11 +128,11 @@ optional_policy(`
 ')
 optional_policy(`
- allow system_mail_t etc_aliases_t:dir create_dir_perms;
- allow system_mail_t etc_aliases_t:file create_file_perms;
- allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
- allow system_mail_t etc_aliases_t:sock_file create_file_perms;
- allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
+ manage_dirs_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
 files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
 domain_use_interactive_fds(system_mail_t)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index e59c782..9b3bd9a 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
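Review bot: In the `targeted_policy` block the three `system_mail_t mqueue_spool_t` rules (dir create_dir_perms, file create_file_perms, lnk_file create_lnk_perms) are removed with no replacement, while the neighbouring mail_spool_t rules are converted to patterns. If the reasoning is that mta_base_mail_template already grants `manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)`, that still leaves directory creation and symlink management on mqueue_spool_t unprovided for system_mail_t. Either add `manage_dirs_pattern(system_mail_t,mqueue_spool_t,mqueue_spool_t)` and `manage_lnk_files_pattern(system_mail_t,mqueue_spool_t,mqueue_spool_t)` here, or say in the commit message that the drop is deliberate.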
@@ -38,27 +38,26 @@ allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
-allow munin_t munin_etc_t:file r_file_perms;
-allow munin_t munin_etc_t:dir r_dir_perms;
-allow munin_t munin_etc_t:lnk_file { getattr read };
+allow munin_t munin_etc_t:dir list_dir_perms;
+read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
+read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 files_search_etc(munin_t)
-allow munin_t munin_log_t:file create_file_perms;
+allow munin_t munin_log_t:file manage_file_perms;
 logging_log_filetrans(munin_t,munin_log_t,file)
-allow munin_t munin_tmp_t:dir create_dir_perms;
-allow munin_t munin_tmp_t:file create_file_perms;
+manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
+manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
 files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
 # Allow access to the munin databases
-allow munin_t munin_var_lib_t:dir create_dir_perms;
-allow munin_t munin_var_lib_t:file create_file_perms;
-allow munin_t munin_var_lib_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
+manage_files_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
+manage_lnk_files_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
 files_search_var_lib(munin_t)
-allow munin_t munin_var_run_t:sock_file manage_file_perms;
-allow munin_t munin_var_run_t:file manage_file_perms;
-allow munin_t munin_var_run_t:dir rw_dir_perms;
+manage_files_pattern(munin_t,munin_var_run_t,munin_var_run_t)
+manage_sock_files_pattern(munin_t,munin_var_run_t,munin_var_run_t)
 files_pid_filetrans(munin_t,munin_var_run_t,file)
 kernel_read_system_state(munin_t)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index b75e9d0..2f14308 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -34,9 +34,7 @@ interface(`mysql_stream_connect',`
 type mysqld_t, mysqld_var_run_t;
 ')
- allow $1 mysqld_var_run_t:dir search;
- allow $1 mysqld_var_run_t:sock_file write;
- allow $1 mysqld_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t)
 ')
 ########################################
@@ -117,7 +115,7 @@ interface(`mysql_manage_db_dirs',`
 ')
 files_search_var_lib($1)
- allow $1 mysqld_db_t:dir create_dir_perms;
+ allow $1 mysqld_db_t:dir manage_dir_perms;
 ')
 ########################################
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index e7c23ab..a75f518 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -38,25 +38,24 @@ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
-allow mysqld_t mysqld_db_t:dir create_dir_perms;
-allow mysqld_t mysqld_db_t:file create_file_perms;
-allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
+manage_files_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
 files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
 allow mysqld_t mysqld_etc_t:file { getattr read };
 allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t mysqld_log_t:file create_file_perms;
+allow mysqld_t mysqld_log_t:file manage_file_perms;
 logging_log_filetrans(mysqld_t,mysqld_log_t,file)
-allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
-allow mysqld_t mysqld_tmp_t:file create_file_perms;
+manage_dirs_pattern(mysqld_t,mysqld_tmp_t,mysqld_tmp_t)
+manage_files_pattern(mysqld_t,mysqld_tmp_t,mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-allow mysqld_t mysqld_var_run_t:file create_file_perms;
+manage_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t)
 files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
 kernel_read_system_state(mysqld_t)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 6aa14d2..d34c035 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -18,7 +18,7 @@ interface(`nagios_read_config',`
 ')
 allow $1 nagios_etc_t:dir list_dir_perms;
- allow $1 nagios_etc_t:file r_file_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
 files_search_etc($1)
 ')
@@ -38,7 +38,7 @@ interface(`nagios_read_tmp_files',`
 type nagios_tmp_t;
 ')
- allow $1 nagios_tmp_t:file r_file_perms;
+ allow $1 nagios_tmp_t:file read_file_perms;
 files_search_tmp($1)
 ')
@@ -58,10 +58,7 @@ interface(`nagios_domtrans_cgi',`
 type nagios_cgi_t, nagios_cgi_exec_t;
 ')
- domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
- allow nagios_cgi_t $1:fd use;
- allow nagios_cgi_t $1:fifo_file rw_file_perms;
- allow nagios_cgi_t $1:process sigchld;
+ domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
 ')
 ########################################
@@ -80,8 +77,5 @@ interface(`nagios_domtrans_nrpe',`
 type nrpe_t, nrpe_exec_t;
 ')
- domain_auto_trans($1,nrpe_exec_t,nrpe_t)
- allow nrpe_t $1:fd use;
- allow nrpe_t $1:fifo_file rw_file_perms;
- allow nrpe_t $1:process sigchld;
+ domtrans_pattern($1,nrpe_exec_t,nrpe_t)
 ')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 90c47fe..8572d5a 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -45,21 +45,19 @@ allow nagios_t self:fifo_file rw_file_perms;
 allow nagios_t self:tcp_socket create_stream_socket_perms;
 allow nagios_t self:udp_socket create_socket_perms;
-allow nagios_t nagios_etc_t:file r_file_perms;
-allow nagios_t nagios_etc_t:dir r_dir_perms;
-allow nagios_t nagios_etc_t:lnk_file { getattr read };
+read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+allow nagios_t nagios_etc_t:dir list_dir_perms;
-allow nagios_t nagios_log_t:file manage_file_perms;
-allow nagios_t nagios_log_t:fifo_file manage_file_perms;
-allow nagios_t nagios_log_t:dir rw_dir_perms;
+manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
+manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
 logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
-allow nagios_t nagios_tmp_t:dir create_dir_perms;
-allow nagios_t nagios_tmp_t:file create_file_perms;
+manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
 files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
-allow nagios_t nagios_var_run_t:file create_file_perms;
-allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
 files_pid_filetrans(nagios_t,nagios_var_run_t,file)
 kernel_read_system_state(nagios_t)
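Review bot: `logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })` still names `dir`, but as far as I can see from this hunk nothing grants `create` on nagios_log_t:dir after the conversion: manage_files_pattern and manage_fifo_files_pattern only give rw_dir_perms on the directory side, just as the removed `dir rw_dir_perms` did. The directory half of that transition is therefore unreachable, before and after the patch. Either add `manage_dirs_pattern(nagios_t,nagios_log_t,nagios_log_t)` if nagios creates log subdirectories, or drop `dir` from the filetrans so the rule states what is actually allowed. The nessusd_log_t filetrans in nessus.te has the same shape.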
@@ -148,20 +146,19 @@ optional_policy(`
 # Nagios CGI local policy
 #
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
+allow nagios_cgi_t self:process signal_perms;
+allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-allow nagios_cgi_t nagios_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_t:file r_file_perms;
-allow nagios_cgi_t nagios_t:lnk_file { getattr read };
+read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_etc_t:file r_file_perms;
-allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
+allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_log_t:file r_file_perms;
-allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
+allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
 kernel_read_system_state(nagios_cgi_t)
@@ -192,7 +189,7 @@ optional_policy(`
 dontaudit nrpe_t self:capability sys_tty_config;
 allow nrpe_t self:process { setpgid signal_perms };
-allow nrpe_t self:fifo_file rw_file_perms;
+allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t nrpe_etc_t:file { getattr read };
 files_search_etc(nrpe_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 24657c6..0c76b00 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
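Review bot: `read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)` and the read_lnk_files_pattern line below it pass nagios_etc_t as the directory type and nagios_log_t as the file type, whereas the rules they replace were all on nagios_log_t; this looks like a copy-paste from the nagios_etc_t block just above. It compiles, and the separate `dir list_dir_perms` line keeps log directories searchable, so the slip is masked rather than showing up as a denial, but the policy as written says the CGI reads log-typed files under config-typed directories. Change both to `read_files_pattern(nagios_cgi_t,nagios_log_t,nagios_log_t)` and `read_lnk_files_pattern(nagios_cgi_t,nagios_log_t,nagios_log_t)`.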
@@ -37,20 +37,18 @@ allow nessusd_t self:rawip_socket create_socket_perms;
 allow nessusd_t self:packet_socket create_socket_perms;
 # Allow access to the nessusd authentication database
-allow nessusd_t nessusd_db_t:dir create_dir_perms;
-allow nessusd_t nessusd_db_t:file create_file_perms;
-allow nessusd_t nessusd_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
+manage_files_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
 files_list_var_lib(nessusd_t)
 allow nessusd_t nessusd_etc_t:file { getattr read };
 files_search_etc(nessusd_t)
-allow nessusd_t nessusd_log_t:file create_file_perms;
-allow nessusd_t nessusd_log_t:dir rw_dir_perms;
+manage_files_pattern(nessusd_t,nessusd_log_t,nessusd_log_t)
 logging_log_filetrans(nessusd_t,nessusd_log_t,{ file dir })
-allow nessusd_t nessusd_var_run_t:file create_file_perms;
-allow nessusd_t nessusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nessusd_t,nessusd_var_run_t,nessusd_var_run_t)
 files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
 kernel_read_system_state(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index be2f7a1..01b7dc9 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -20,10 +20,10 @@ files_pid_file(NetworkManager_var_run_t)
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
-allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
@@ -31,9 +31,9 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
-allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
-allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 kernel_read_system_state(NetworkManager_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 1a83ef4..df40154 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -33,9 +33,9 @@ interface(`nis_use_ypbind_uncond',`
 allow $1 self:tcp_socket create_stream_socket_perms;
 allow $1 self:udp_socket create_socket_perms;
- allow $1 var_yp_t:dir r_dir_perms;
+ allow $1 var_yp_t:dir list_dir_perms;
 allow $1 var_yp_t:lnk_file { getattr read };
- allow $1 var_yp_t:file r_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
 corenet_non_ipsec_sendrecv($1)
 corenet_tcp_sendrecv_all_if($1)
@@ -102,12 +102,7 @@ interface(`nis_domtrans_ypbind',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1,ypbind_exec_t,ypbind_t)
-
- allow $1 ypbind_t:fd use;
- allow ypbind_t $1:fd use;
- allow ypbind_t $1:fifo_file rw_file_perms;
- allow ypbind_t $1:process sigchld;
+ domtrans_pattern($1,ypbind_exec_t,ypbind_t)
 ')
 ########################################
@@ -144,7 +139,7 @@ interface(`nis_list_var_yp',`
 ')
 files_search_var($1)
- allow $1 var_yp_t:dir r_dir_perms;
+ allow $1 var_yp_t:dir list_dir_perms;
 ')
 ########################################
@@ -191,7 +186,7 @@ interface(`nis_read_ypbind_pid',`
 ')
 files_search_pids($1)
- allow $1 ypbind_var_run_t:file r_file_perms;
+ allow $1 ypbind_var_run_t:file read_file_perms;
 ')
 ########################################
@@ -249,9 +244,5 @@ interface(`nis_domtrans_ypxfr',`
 corecmd_search_bin($1)
 corecmd_search_sbin($1)
- domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
-
- allow ypxfr_t $1:fd use;
- allow ypxfr_t $1:fifo_file rw_file_perms;
- allow ypxfr_t $1:process sigchld;
+ domtrans_pattern($1,ypxfr_exec_t,ypxfr_t)
 ')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index ac504f9..30b1523 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
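Review bot: nis_domtrans_ypbind loses the reverse rule `allow $1 ypbind_t:fd use;` in the switch to domtrans_pattern; as I know the pattern it grants only the child domain `fd use` on the caller, not the caller on the child. The same rule disappears from nscd_domtrans, ntp_domtrans, ntp_domtrans_ntpdate and oav_domtrans_update later in this diff. It is most likely a harmless tightening, since the parent rarely needs the child's descriptors, but it is the one non-mechanical part of these conversions and the Changelog line about policy patterns does not mention it; a sentence there, or a re-added rule in any interface where a caller is known to need it, would make the change reviewable later. The interface(`nis_domtrans_ypbind') line and its gen_require are outside the hunk.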
@@ -49,23 +49,21 @@ init_daemon_domain(ypxfr_t,ypxfr_exec_t)
 # ypbind local policy
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_file_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
 allow ypbind_t self:udp_socket create_socket_perms;
-allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
-allow ypbind_t ypbind_tmp_t:file create_file_perms;
+manage_dirs_pattern(ypbind_t,ypbind_tmp_t,ypbind_tmp_t)
+manage_files_pattern(ypbind_t,ypbind_tmp_t,ypbind_tmp_t)
 files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
-allow ypbind_t ypbind_var_run_t:file manage_file_perms;
-allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ypbind_t,ypbind_var_run_t,ypbind_var_run_t)
 files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
+manage_files_pattern(ypbind_t,var_yp_t,var_yp_t)
 kernel_read_kernel_sysctls(ypbind_t)
 kernel_list_proc(ypbind_t)
@@ -140,7 +138,7 @@ optional_policy(`
 #
 dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_file_perms;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { setfscreate signal_perms };
 allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
 allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
@@ -148,13 +146,11 @@ allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
 allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
 allow yppasswdd_t self:udp_socket create_socket_perms;
-allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
-allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(yppasswdd_t,yppasswdd_var_run_t,yppasswdd_var_run_t)
 files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
-allow yppasswdd_t var_yp_t:dir rw_dir_perms;
-allow yppasswdd_t var_yp_t:file create_file_perms;
-allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
+manage_files_pattern(yppasswdd_t,var_yp_t,var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t,var_yp_t,var_yp_t)
 kernel_list_proc(yppasswdd_t)
 kernel_read_proc_symlinks(yppasswdd_t)
@@ -239,7 +235,7 @@ optional_policy(`
 #
 dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_file_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
@@ -247,17 +243,15 @@ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypserv_t self:tcp_socket connected_stream_socket_perms;
 allow ypserv_t self:udp_socket create_socket_perms;
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
+manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
 allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
-allow ypserv_t ypserv_tmp_t:file create_file_perms;
+manage_dirs_pattern(ypserv_t,ypserv_tmp_t,ypserv_tmp_t)
+manage_files_pattern(ypserv_t,ypserv_tmp_t,ypserv_tmp_t)
 files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
-allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
-allow ypserv_t ypserv_var_run_t:file manage_file_perms;
+manage_files_pattern(ypserv_t,ypserv_var_run_t,ypserv_var_run_t)
 files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
 kernel_read_kernel_sysctls(ypserv_t)
@@ -331,12 +325,11 @@ optional_policy(`
 allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
-allow ypxfr_t var_yp_t:dir search_dir_perms;
-allow ypxfr_t var_yp_t:file read_file_perms;
-
 allow ypxfr_t ypserv_t:tcp_socket { read write };
 allow ypxfr_t ypserv_t:udp_socket { read write };
+read_files_pattern(ypxfr_t,var_yp_t,var_yp_t)
+
 corenet_non_ipsec_sendrecv(ypxfr_t)
 corenet_tcp_sendrecv_all_if(ypxfr_t)
 corenet_udp_sendrecv_all_if(ypxfr_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index f72739d..edeb217 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -34,12 +34,7 @@ interface(`nscd_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,nscd_exec_t,nscd_t)
-
- allow $1 nscd_t:fd use;
- allow nscd_t $1:fd use;
- allow nscd_t $1:fifo_file rw_file_perms;
- allow nscd_t $1:process sigchld;
+ domtrans_pattern($1,nscd_exec_t,nscd_t)
 ')
 ########################################
@@ -80,14 +75,12 @@ interface(`nscd_socket_use',`
 allow $1 self:unix_stream_socket create_socket_perms;
- allow $1 nscd_t:unix_stream_socket connectto;
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
 dontaudit $1 nscd_t:fd use;
 dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
 files_search_pids($1)
- allow $1 nscd_var_run_t:dir r_dir_perms;
- allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
 dontaudit $1 nscd_var_run_t:file { getattr read };
 ')
@@ -108,7 +101,7 @@ interface(`nscd_shm_use',`
 class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 ')
- allow $1 nscd_var_run_t:dir r_dir_perms;
+ allow $1 nscd_var_run_t:dir list_dir_perms;
 allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
 # Receive fd from nscd and map the backing file with read access.
@@ -159,8 +152,7 @@ interface(`nscd_read_pid',`
 ')
 files_search_pids($1)
- allow $1 nscd_var_run_t:dir search;
- allow $1 nscd_var_run_t:file { getattr read };
+ read_files_pattern($1,nscd_var_run_t,nscd_var_run_t)
 ')
 ########################################
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 3ec3240..3a4925b 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -44,12 +44,11 @@ allow nscd_t self:udp_socket create_socket_perms;
 # Transition occurs to nscd_t due to direct_sysadm_daemon.
 allow nscd_t self:nscd { admin getstat };
-allow nscd_t nscd_log_t:file create_file_perms;
+allow nscd_t nscd_log_t:file manage_file_perms;
 logging_log_filetrans(nscd_t,nscd_log_t,file)
-allow nscd_t nscd_var_run_t:file create_file_perms;
-allow nscd_t nscd_var_run_t:sock_file create_file_perms;
-allow nscd_t nscd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
+manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
 files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(nscd_t)
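Review bot: In nscd_socket_use, replacing `nscd_var_run_t:dir r_dir_perms` and `sock_file rw_file_perms` with `stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)` is a tightening rather than a one-for-one conversion: as I recall the pattern grants only search on the directory and write on the socket file, so clients lose `read` on the directory and `read`/`getattr` on the socket. That is the right direction for a connect-only interface, but it is the path every nscd client takes, so a denial here would surface as name-resolution failures in unrelated domains; a Changelog mention would make the change traceable if that happens. The interface(`nscd_socket_use') line and its gen_require are outside the hunk.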
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index c4dd8cd..03af5e4 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -41,21 +41,19 @@ allow nsd_t self:process signal_perms;
 allow nsd_t self:tcp_socket create_stream_socket_perms;
 allow nsd_t self:udp_socket create_socket_perms;
-allow nsd_t nsd_conf_t:dir r_dir_perms;
-allow nsd_t nsd_conf_t:file r_file_perms;
-allow nsd_t nsd_conf_t:lnk_file { getattr read };
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+read_files_pattern(nsd_t,nsd_conf_t,nsd_conf_t)
+read_lnk_files_pattern(nsd_t,nsd_conf_t,nsd_conf_t)
 allow nsd_t nsd_db_t:file manage_file_perms;
-type_transition nsd_t nsd_zone_t:file nsd_db_t;
-allow nsd_t nsd_zone_t:dir rw_dir_perms;
+filetrans_pattern(nsd_t,nsd_zone_t,nsd_db_t,file)
-allow nsd_t nsd_var_run_t:file create_file_perms;
-allow nsd_t nsd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nsd_t,nsd_var_run_t,nsd_var_run_t)
 files_pid_filetrans(nsd_t,nsd_var_run_t,file)
-allow nsd_t nsd_zone_t:dir r_dir_perms;
-allow nsd_t nsd_zone_t:file r_file_perms;
-allow nsd_t nsd_zone_t:lnk_file { getattr read };
+allow nsd_t nsd_zone_t:dir list_dir_perms;
+read_files_pattern(nsd_t,nsd_zone_t,nsd_zone_t)
+read_lnk_files_pattern(nsd_t,nsd_zone_t,nsd_zone_t)
 can_exec(nsd_t,nsd_exec_t)
@@ -131,26 +129,22 @@ optional_policy(`
 allow nsd_crond_t self:capability { dac_override kill };
 dontaudit nsd_crond_t self:capability sys_nice;
 allow nsd_crond_t self:process { setsched signal_perms };
-allow nsd_crond_t self:fifo_file rw_file_perms;
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
 allow nsd_crond_t self:tcp_socket create_socket_perms;
 allow nsd_crond_t self:udp_socket create_socket_perms;
 allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
 allow nsd_crond_t nsd_db_t:file manage_file_perms;
-type_transition nsd_crond_t nsd_zone_t:file nsd_db_t;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+filetrans_pattern(nsd_crond_t,nsd_zone_t,nsd_db_t,file)
 files_search_var_lib(nsd_crond_t)
 allow nsd_crond_t nsd_t:process signal;
-allow nsd_crond_t nsd_t:dir { search getattr read };
-allow nsd_crond_t nsd_t:{ file lnk_file } { read getattr };
-allow nsd_crond_t nsd_t:process getattr;
-
-allow nsd_crond_t nsd_zone_t:file manage_file_perms;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-type_transition nsd_crond_t nsd_conf_t:file nsd_zone_t;
-allow nsd_crond_t nsd_conf_t:dir rw_dir_perms;
+
+ps_process_pattern(nsd_crond_t,nsd_t)
+
+manage_files_pattern(nsd_crond_t,nsd_zone_t,nsd_zone_t)
+filetrans_pattern(nsd_crond_t,nsd_conf_t,nsd_zone_t,file)
 can_exec(nsd_crond_t,nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 7a2b124..4c45ebe 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -38,23 +38,22 @@ allow ntop_t self:tcp_socket create_stream_socket_perms;
 allow ntop_t self:udp_socket create_socket_perms;
 allow ntop_t self:packet_socket create_socket_perms;
-allow ntop_t ntop_etc_t:file r_file_perms;
-allow ntop_t ntop_etc_t:dir r_dir_perms;
-allow ntop_t ntop_etc_t:lnk_file { getattr read };
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+read_files_pattern(ntop_t,ntop_etc_t,ntop_etc_t)
+read_lnk_files_pattern(ntop_t,ntop_etc_t,ntop_etc_t)
-allow ntop_t ntop_http_content_t:file r_file_perms;
-allow ntop_t ntop_http_content_t:dir r_dir_perms;
+allow ntop_t ntop_http_content_t:dir list_dir_perms;
+read_files_pattern(ntop_t,ntop_http_content_t,ntop_http_content_t)
-allow ntop_t ntop_tmp_t:dir create_dir_perms;
-allow ntop_t ntop_tmp_t:file create_file_perms;
+manage_dirs_pattern(ntop_t,ntop_tmp_t,ntop_tmp_t)
+manage_files_pattern(ntop_t,ntop_tmp_t,ntop_tmp_t)
 files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
-allow ntop_t ntop_var_lib_t:file create_file_perms;
-allow ntop_t ntop_var_lib_t:dir { create rw_dir_perms };
+create_dirs_pattern(ntop_t,ntop_var_lib_t,ntop_var_lib_t)
+manage_files_pattern(ntop_t,ntop_var_lib_t,ntop_var_lib_t)
 files_var_lib_filetrans(ntop_t,ntop_var_lib_t,file)
-allow ntop_t ntop_var_run_t:file manage_file_perms;
-allow ntop_t ntop_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ntop_t,ntop_var_run_t,ntop_var_run_t)
 files_pid_filetrans(ntop_t,ntop_var_run_t,file)
 kernel_read_network_state(ntop_t)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index bbae8f8..8752184 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -32,12 +32,7 @@ interface(`ntp_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,ntpd_exec_t,ntpd_t)
-
- allow $1 ntpd_t:fd use;
- allow ntpd_t $1:fd use;
- allow ntpd_t $1:fifo_file rw_file_perms;
- allow ntpd_t $1:process sigchld;
+ domtrans_pattern($1,ntpd_exec_t,ntpd_t)
 ')
 ########################################
@@ -56,10 +51,5 @@ interface(`ntp_domtrans_ntpdate',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,ntpdate_exec_t,ntpd_t)
-
- allow $1 ntpd_t:fd use;
- allow ntpd_t $1:fd use;
- allow ntpd_t $1:fifo_file rw_file_perms;
- allow ntpd_t $1:process sigchld;
+ domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
 ')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 5c2ded0..251fe71 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -41,22 +41,20 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
 allow ntpd_t self:udp_socket create_socket_perms;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
+manage_files_pattern(ntpd_t,ntp_drift_t,ntp_drift_t)
 can_exec(ntpd_t,ntpd_exec_t)
-allow ntpd_t ntpd_log_t:file create_file_perms;
-allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
+allow ntpd_t ntpd_log_t:dir setattr;
+manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
 logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
 # for some reason it creates a file in /tmp
-allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
-allow ntpd_t ntpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
-allow ntpd_t ntpd_var_run_t:file create_file_perms;
-allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ntpd_t,ntpd_var_run_t,ntpd_var_run_t)
 files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
 kernel_read_kernel_sysctls(ntpd_t)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
index 2287f85..0e345be 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
@@ -15,8 +15,5 @@ interface(`nx_spec_domtrans_server',`
 type nx_server_t, nx_server_exec_t;
 ')
- domain_trans($1,nx_server_exec_t,nx_server_t)
- allow nx_server_t $1:fd use;
- allow nx_server_t $1:fifo_file rw_file_perms;
- allow nx_server_t $1:process sigchld;
+ spec_domtrans_pattern($1,nx_server_exec_t,nx_server_t)
 ')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index 0a0d592..ff9b491 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -34,15 +34,14 @@ allow nx_server_t self:fifo_file { getattr ioctl read write };
 allow nx_server_t self:tcp_socket create_socket_perms;
 allow nx_server_t self:udp_socket create_socket_perms;
-allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(nx_server_t,nx_server_devpts_t)
-allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
-allow nx_server_t nx_server_tmp_t:file manage_file_perms;
+manage_dirs_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
+manage_files_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
 files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
-allow nx_server_t nx_server_var_run_t:file manage_file_perms;
-allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nx_server_t,nx_server_var_run_t,nx_server_var_run_t)
 files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
 kernel_read_system_state(nx_server_t)
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 8f28e33..5e08305 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -16,12 +16,7 @@ interface(`oav_domtrans_update',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,oav_update_exec_t,oav_update_t)
-
- allow $1 oav_update_t:fd use;
- allow oav_update_t $1:fd use;
- allow oav_update_t $1:fifo_file rw_file_perms;
- allow oav_update_t $1:process sigchld;
+ domtrans_pattern($1,oav_update_exec_t,oav_update_t)
 ')
 ########################################
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index b16233b..02e9968 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -40,13 +40,13 @@ allow oav_update_t self:tcp_socket create_stream_socket_perms;
 allow oav_update_t self:udp_socket create_socket_perms;
 # Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
+allow oav_update_t oav_update_etc_t:dir list_dir_perms;
+allow oav_update_t oav_update_etc_t:file read_file_perms;
 # Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir manage_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file manage_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
+manage_dirs_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
+manage_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
+read_lnk_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
 corecmd_exec_all_executables(oav_update_t)
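Review bot: In the oav.te hunk the context comment `# Can read /var/lib/oav-update/current` now sits directly above manage_dirs_pattern and manage_files_pattern, which grant create, write, rename and unlink on oav_update_var_lib_t, not just read. The comment was already out of date with the manage_dir_perms/manage_file_perms rules it replaces, but a conversion that touches every line under it is the natural moment to correct it, e.g. `# Manage /var/lib/oav-update (the updater rewrites current)`. If the updater only reads that tree, the read_files_pattern/read_lnk_files_pattern form is the least-privilege choice and matches how oav_update_etc_t is handled two lines up.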
@@ -86,17 +86,16 @@ allow scannerdaemon_t self:fifo_file { read write };
 allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
 allow scannerdaemon_t self:udp_socket create_socket_perms;
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
 files_search_var_lib(scannerdaemon_t)
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
+allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
-allow scannerdaemon_t scannerdaemon_log_t:file create_file_perms;
+allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
 logging_log_filetrans(scannerdaemon_t,scannerdaemon_log_t,file)
-allow scannerdaemon_t scannerdaemon_var_run_t:file create_file_perms;
-allow scannerdaemon_t scannerdaemon_var_run_t:dir rw_dir_perms;
+manage_files_pattern(scannerdaemon_t,scannerdaemon_var_run_t,scannerdaemon_var_run_t)
 files_pid_filetrans(scannerdaemon_t,scannerdaemon_var_run_t,file)
 kernel_read_system_state(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index 7696c78..3338e8f 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -19,10 +19,7 @@ interface(`oddjob_domtrans',`
 type oddjob_t, oddjob_exec_t;
 ')
- domain_auto_trans($1,oddjob_exec_t,oddjob_t)
- allow oddjob_t $1:fd use;
- allow oddjob_t $1:fifo_file rw_file_perms;
- allow oddjob_t $1:process sigchld;
+ domtrans_pattern($1,oddjob_exec_t,oddjob_t)
 ')
 ########################################
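Review bot: The read rules for scannerdaemon_t on oav_update_var_lib_t are converted by hand to `dir list_dir_perms` plus `file read_file_perms`, while every comparable read-only block elsewhere in this commit (ntop_etc_t, nsd_conf_t, nagios_etc_t, munin_etc_t) keeps the `dir list_dir_perms` line and uses read_files_pattern for the file side. Writing it the same way here, `read_files_pattern(scannerdaemon_t,oav_update_var_lib_t,oav_update_var_lib_t)`, makes the module read like its neighbours and makes the directory/file pairing explicit; as far as I can see there is no functional difference between the two forms.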
@@ -46,13 +43,9 @@ interface(`oddjob_system_entry',`
 type oddjob_t;
 ')
- domain_auto_trans(oddjob_t, $2, $1)
- allow $1 oddjob_t:fd use;
- allow $1 oddjob_t:fifo_file rw_file_perms;
- allow $1 oddjob_t:process sigchld;
+ domtrans_pattern(oddjob_t, $2, $1)
 ')
-
 ########################################
 ##
 ## Send and receive messages from
@@ -89,8 +82,5 @@ interface(`oddjob_domtrans_mkhomedir',`
 type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
 ')
- domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
- allow oddjob_mkhomedir_t $1:fd use;
- allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
- allow oddjob_mkhomedir_t $1:process sigchld;
+ domtrans_pattern($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
 ')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 4b08b3f..23d6794 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -32,9 +32,8 @@ allow oddjob_t self:process { setexec signal };
 allow oddjob_t self:fifo_file { read write };
 allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
-allow oddjob_t oddjob_var_run_t:file manage_file_perms;
-allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
-allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+manage_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
+manage_sock_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
 files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
 kernel_read_system_state(oddjob_t)
@@ -96,4 +95,3 @@ userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
 userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
 userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
-
diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if
index d84d2ed..0d5402c 100644
--- a/policy/modules/services/openca.if
+++ b/policy/modules/services/openca.if
@@ -16,13 +16,9 @@ interface(`openca_domtrans',`
 type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
 ')
- domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+ domtrans_pattern($1,openca_ca_exec_t,openca_ca_t)
 allow httpd_t openca_usr_share_t:dir search_dir_perms;
 files_search_usr(httpd_t)
-
- allow openca_ca_t $1:fd use;
- allow openca_ca_t $1:fifo_file rw_file_perms;
- allow openca_ca_t $1:process sigchld;
 ')
 ########################################
diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te
index 04fc293..c776b2c 100644
--- a/policy/modules/services/openca.te
+++ b/policy/modules/services/openca.te
@@ -46,25 +46,25 @@ files_type(openca_var_lib_keys_t)
 #
 # Allow access to other files under /etc/openca
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
 # Allow access to writeable files under /etc/openca
-allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t)
+manage_files_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t)
 # Allow access to other /var/lib/openca files
-allow openca_ca_t openca_var_lib_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t)
+manage_files_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t)
 # Allow access to private CA key
-allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t)
+manage_files_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t)
 # Allow access to other /usr/share/openca files
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+read_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t)
+read_lnk_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t)
+allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
 # the perl executable will be able to run a perl script
 corecmd_exec_bin(openca_ca_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 3e55f55..b379ed1 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -21,8 +21,7 @@ files_pid_file(openct_var_run_t)
 dontaudit openct_t self:capability sys_tty_config;
 allow openct_t self:process signal_perms;
-allow openct_t openct_var_run_t:file create_file_perms;
-allow openct_t openct_var_run_t:dir rw_dir_perms;
+manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
 files_pid_filetrans(openct_t,openct_var_run_t,file)
 kernel_read_kernel_sysctls(openct_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index b21e1ce..ea6ec75 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -18,7 +18,7 @@ interface(`openvpn_read_config',`
 ')
 files_search_etc($1)
- allow $1 openvpn_etc_t:dir r_dir_perms;
- allow $1 openvpn_etc_t:file r_file_perms;
- allow $1 openvpn_etc_t:lnk_file { getattr read };
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
+ read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
 ')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 9a499a5..5f0e997 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -35,14 +35,14 @@ allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket create_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-allow openvpn_t openvpn_etc_t:dir r_dir_perms;
-allow openvpn_t openvpn_etc_t:file r_file_perms;
-allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
+allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
-allow openvpn_t openvpn_var_log_t:file create_file_perms;
+allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-allow openvpn_t openvpn_var_run_t:file create_file_perms;
+allow openvpn_t openvpn_var_run_t:file manage_file_perms;
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
 kernel_read_kernel_sysctls(openvpn_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index d338947..d849ae6 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -30,37 +30,36 @@ files_pid_file(pegasus_var_run_t)
 # Local policy
 #
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write };
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
 allow pegasus_t self:process signal;
-allow pegasus_t self:fifo_file rw_file_perms;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
 allow pegasus_t self:unix_dgram_socket create_socket_perms;
 allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
+send_audit_msgs_pattern(pegasus_t)
+
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
-allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-allow pegasus_t pegasus_data_t:dir rw_dir_perms;
-allow pegasus_t pegasus_data_t:file create_file_perms;
-allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
-type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
+manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
 can_exec(pegasus_t,pegasus_exec_t)
-allow pegasus_t pegasus_mof_t:dir r_dir_perms;
-allow pegasus_t pegasus_mof_t:file r_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+read_files_pattern(pegasus_t,pegasus_mof_t,pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t,pegasus_mof_t,pegasus_mof_t)
-allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
-allow pegasus_t pegasus_tmp_t:file create_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_tmp_t,pegasus_tmp_t)
+manage_files_pattern(pegasus_t,pegasus_tmp_t,pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-allow pegasus_t pegasus_var_run_t:file create_file_perms;
 allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
-allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
+manage_files_pattern(pegasus_t,pegasus_var_run_t,pegasus_var_run_t)
 files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
 kernel_read_kernel_sysctls(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 876bbfd..f02f658 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -30,8 +30,7 @@ allow perdition_t self:udp_socket create_socket_perms;
 allow perdition_t perdition_etc_t:file { getattr read };
 files_search_etc(perdition_t)
-allow perdition_t perdition_var_run_t:file create_file_perms;
-allow perdition_t perdition_var_run_t:dir rw_dir_perms;
+manage_files_pattern(perdition_t,perdition_var_run_t,perdition_var_run_t)
 files_pid_filetrans(perdition_t,perdition_var_run_t,file)
 kernel_read_kernel_sysctls(perdition_t)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 5cc32e7..bcc66e9 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -16,12 +16,7 @@ interface(`portmap_domtrans_helper',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
-
- allow $1 portmap_helper_t:fd use;
- allow portmap_helper_t $1:fd use;
- allow portmap_helper_t $1:fifo_file rw_file_perms;
- allow portmap_helper_t $1:process sigchld;
+ domtrans_pattern($1,portmap_helper_exec_t,portmap_helper_t)
 ')
 ########################################
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 376c90a..eb80fe1 100644
--- a/policy/modules/services/portmap.te
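Review bot: The pegasus hunk is the only one in this diff that changes a capability set: `audit_write` is dropped from `pegasus_t self:capability` and the `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule is removed, with `send_audit_msgs_pattern(pegasus_t)` standing in for both. If that pattern expands to exactly the removed capability and netlink permissions this is a pure conversion, but nothing on the page shows its definition and the Changelog entry only mentions the create_dir_perms/create_file_perms change. Please either name the audit rewrite in the Changelog or add a one-line comment above the pattern call, e.g. `# replaces audit_write capability and netlink_audit_socket rules`, so an auditor comparing the two revisions does not have to resolve the macro by hand. The raw `allow pegasus_t pegasus_conf_t:dir rw_dir_perms;` left between pattern calls is fine functionally but is now the odd one out in the block.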
+++ b/policy/modules/services/portmap.te
@@ -34,12 +34,11 @@ allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 allow portmap_t self:tcp_socket create_stream_socket_perms;
 allow portmap_t self:udp_socket create_socket_perms;
-allow portmap_t portmap_tmp_t:dir create_dir_perms;
-allow portmap_t portmap_tmp_t:file create_file_perms;
+manage_dirs_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
+manage_files_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
 files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
-allow portmap_t portmap_var_run_t:file create_file_perms;
-allow portmap_t portmap_var_run_t:dir rw_dir_perms;
+manage_files_pattern(portmap_t,portmap_var_run_t,portmap_var_run_t)
 files_pid_filetrans(portmap_t,portmap_var_run_t,file)
 kernel_read_kernel_sysctls(portmap_t)
@@ -126,7 +125,7 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
 allow portmap_helper_t self:udp_socket create_socket_perms;
-allow portmap_helper_t portmap_var_run_t:file create_file_perms;
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
 files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
 corenet_tcp_sendrecv_all_if(portmap_helper_t)
diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if
index 410cdb1..a55ca53 100644
--- a/policy/modules/services/portslave.if
+++ b/policy/modules/services/portslave.if
@@ -15,10 +15,5 @@ interface(`portslave_domtrans',`
 type portslave_t, portslave_exec_t;
 ')
- domain_auto_trans($1,portslave_exec_t,portslave_t)
-
- allow $1 portslave_t:fd use;
- allow portslave_t $1:fd use;
- allow portslave_t $1:fifo_file rw_file_perms;
- allow portslave_t $1:process sigchld;
+ domtrans_pattern($1,portslave_exec_t,portslave_t)
 ')
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 6dcab88..73118a6 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -30,7 +30,7 @@ dontaudit portslave_t self:capability sys_admin;
 allow portslave_t self:process signal_perms;
 allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow portslave_t self:fd use;
-allow portslave_t self:fifo_file rw_file_perms;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
 allow portslave_t self:unix_dgram_socket create_socket_perms;
 allow portslave_t self:unix_stream_socket create_stream_socket_perms;
 allow portslave_t self:unix_dgram_socket sendto;
@@ -42,11 +42,11 @@ allow portslave_t self:msg { send receive };
 allow portslave_t self:tcp_socket create_stream_socket_perms;
 allow portslave_t self:udp_socket create_socket_perms;
-allow portslave_t portslave_etc_t:dir r_dir_perms;
-allow portslave_t portslave_etc_t:file r_file_perms;
-allow portslave_t portslave_etc_t:lnk_file { getattr read };
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+read_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
+read_lnk_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
-allow portslave_t portslave_lock_t:file create_file_perms;
+allow portslave_t portslave_lock_t:file manage_file_perms;
 files_lock_filetrans(portslave_t,portslave_lock_t,file)
 kernel_read_system_state(portslave_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index ab9632b..6e9dbbc 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -42,18 +42,16 @@ template(`postfix_domain_template',`
 allow postfix_master_t postfix_$1_t:process signal;
- allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
- allow postfix_$1_t postfix_etc_t:file r_file_perms;
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
 can_exec(postfix_$1_t, postfix_$1_exec_t)
 allow postfix_$1_t postfix_exec_t:file rx_file_perms;
- # cjp: ???
- allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
 allow postfix_$1_t postfix_master_t:process sigchld;
- allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
+ allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
 allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
 files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
@@ -129,11 +127,7 @@ template(`postfix_server_domain_template',`
 allow postfix_$1_t self:tcp_socket create_socket_perms;
 allow postfix_$1_t self:udp_socket create_socket_perms;
- domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
- allow postfix_master_t postfix_$1_t:fd use;
- allow postfix_$1_t postfix_master_t:fd use;
- allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
- allow postfix_$1_t postfix_master_t:process sigchld;
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 corenet_non_ipsec_sendrecv(postfix_$1_t)
 corenet_tcp_sendrecv_all_if(postfix_$1_t)
@@ -176,11 +170,7 @@ template(`postfix_user_domain_template',`
 allow postfix_$1_t self:capability dac_override;
- domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
- allow postfix_user_domtrans postfix_$1_t:fd use;
- allow postfix_$1_t postfix_user_domtrans:fd use;
- allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
- allow postfix_$1_t postfix_user_domtrans:process sigchld;
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
 domain_use_interactive_fds(postfix_$1_t)
 ')
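Review bot: Dropping `allow postfix_$1_t postfix_exec_t:dir r_dir_perms;` together with the `# cjp: ???` comment in postfix_domain_template is a permission removal rather than a pattern conversion, and it applies to every domain instantiated from the template. That is fine if nothing is labelled postfix_exec_t as a directory, but the template still grants `postfix_exec_t:file rx_file_perms` on the line above, so any domain that had to traverse such a directory would now be denied where it previously succeeded. A comment explaining why the directory access is not needed, e.g. `# postfix_exec_t is applied to files only; no dir access required`, or a Changelog mention would keep the removal from looking accidental. The template body starts and continues outside this hunk.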
@@ -263,8 +253,7 @@ interface(`postfix_config_filetrans',`
 ')
 files_search_etc($1)
- allow $1 postfix_etc_t:dir rw_dir_perms;
- type_transition $1 postfix_etc_t:$3 $2;
+ filetrans_pattern($1,postfix_etc_t,$2,$3)
 ')
 ########################################
@@ -322,12 +311,7 @@ interface(`postfix_domtrans_map',`
 type postfix_map_t, postfix_map_exec_t;
 ')
- domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
-
- allow $1 postfix_map_t:fd use;
- allow postfix_map_t $1:fd use;
- allow postfix_map_t $1:fifo_file rw_file_perms;
- allow postfix_map_t $1:process sigchld;
+ domtrans_pattern($1,postfix_map_exec_t,postfix_map_t)
 ')
 ########################################
@@ -378,12 +362,7 @@ interface(`postfix_domtrans_master',`
 type postfix_master_t, postfix_master_exec_t;
 ')
- domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
-
- allow $1 postfix_master_t:fd use;
- allow postfix_master_t $1:fd use;
- allow postfix_master_t $1:fifo_file rw_file_perms;
- allow postfix_master_t $1:process sigchld;
+ domtrans_pattern($1,postfix_master_exec_t,postfix_master_t)
 ')
 ########################################
@@ -421,11 +400,7 @@ interface(`postfix_domtrans_smtp',`
 type postfix_smtp_t, postfix_smtp_exec_t;
 ')
- domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
-
- allow postfix_smtp_t $1:fd use;
- allow postfix_smtp_t $1:fifo_file rw_file_perms;
- allow postfix_smtp_t $1:process sigchld;
+ domtrans_pattern($1,postfix_smtp_exec_t,postfix_smtp_t)
 ')
 ########################################
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index eb3344a..d26924e 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -91,7 +91,7 @@ files_pid_file(postfix_var_run_t)
 # chown is to set the correct ownership of queue dirs
 allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t self:fifo_file rw_file_perms;
+allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
@@ -105,29 +105,31 @@ allow postfix_master_t postfix_postdrop_exec_t:file getattr;
 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
+manage_fifo_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
+manage_sock_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 allow postfix_master_t postfix_prng_t:file rw_file_perms;
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
+manage_fifo_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
+manage_sock_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
 # allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
+manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
 allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
-allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
 kernel_read_all_sysctls(postfix_master_t)
@@ -196,21 +198,11 @@ optional_policy(`
 ifdef(`distro_redhat',`
 # for newer main.cf that uses /etc/aliases
- allow postfix_master_t etc_t:dir rw_dir_perms;
- allow postfix_master_t etc_aliases_t:dir create_dir_perms;
- allow postfix_master_t etc_aliases_t:file create_file_perms;
- allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
- allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
- allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
- type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
-
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t etc_aliases_t:dir create_dir_perms;
- allow postfix_master_t etc_aliases_t:file create_file_perms;
- allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
- allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
- allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
- type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
+ allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
+ allow postfix_master_t etc_aliases_t:file manage_file_perms;
+ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
+ mta_etc_filetrans_aliases(postfix_master_t)
+ filetrans_pattern(postfix_master_t,postfix_etc_t,etc_aliases_t,{ dir file lnk_file })
 ')
 # end partially converted rules
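Review bot: The two `domtrans_pattern(postfix_master_t, ...)` calls for postqueue and showq, moved here from the postqueue and showq sections later in the file, are inserted between the postfix_private_t and postfix_public_t socket rules, so on a first read they look like they belong to those file types. Placing both transitions together, for instance directly after the `postfix_*_exec_t:file getattr` rules at the top of the hunk, would keep the file-access rules for each type contiguous. The showq transition was previously annotated `# the following auto_trans is usually in postfix server domain`; carrying a one-line comment over, e.g. `# postqueue and showq are spawned by master but not via the server template`, would preserve that context for whoever next asks why these two are special-cased.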
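Review bot: The rewritten distro_redhat block drops `sock_file` and `fifo_file` from both the etc_aliases_t permissions and the postfix_etc_t type transition, and replaces the `etc_t:dir rw_dir_perms` rule plus the etc_t type transition with `mta_etc_filetrans_aliases(postfix_master_t)`. Those read as deliberate least-privilege reductions (alias databases are regular files), but they are permission removals inside a commit described as a macro conversion, so a comment such as `# aliases are plain files; no sock_file/fifo_file access needed` or a Changelog line would make the intent explicit. Whether mta_etc_filetrans_aliases also supplies the search and write on etc_t that the removed rw_dir_perms rule provided cannot be verified from this diff; please confirm, since a newaliases run in the redhat layout would otherwise be the first thing to break.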
@@ -226,13 +218,13 @@ allow postfix_bounce_t self:tcp_socket create_socket_perms;
 allow postfix_bounce_t postfix_public_t:sock_file write;
 allow postfix_bounce_t postfix_public_t:dir search;
-allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
-allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
 ########################################
 #
@@ -242,19 +234,16 @@ allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
 allow postfix_cleanup_t self:process setrlimit;
 # connect to master process
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
+stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
-allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
-allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
-allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
 corecmd_exec_bin(postfix_cleanup_t)
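Review bot: `stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)` replaces a `sock_file rw_file_perms` rule; assuming the pattern grants only `write` on the socket file (which is all the `connect to master process` comment requires), read access to postfix_private_t sockets is silently dropped here. The same rw_file_perms-to-pattern reduction happens in the qmgr hunk (private_t), the postqueue hunk (public_t) and the smtpd hunk (both types) further down. Connecting to a unix stream socket needs only write, so the tightening is very likely correct, but it should be stated in the Changelog alongside the create_*_perms note rather than left implicit in a conversion, and any AVC denials on these socket files after the upgrade will be the first place to look if a postfix component does read from them.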
@@ -263,21 +252,18 @@ corecmd_exec_bin(postfix_cleanup_t)
 # Postfix local local policy
 #
-allow postfix_local_t self:fifo_file rw_file_perms;
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
-allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
+manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
+manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
 files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
 # connect to master process
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
+stream_connect_pattern(postfix_local_t,postfix_public_t,postfix_public_t,postfix_master_t)
 # for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
+rw_sock_files_pattern(postfix_local_t,postfix_private_t,postfix_private_t)
 allow postfix_local_t postfix_spool_t:file rw_file_perms;
@@ -315,12 +301,12 @@ allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
 allow postfix_map_t self:udp_socket create_socket_perms;
-allow postfix_map_t postfix_etc_t:dir create_dir_perms;
-allow postfix_map_t postfix_etc_t:file create_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
+manage_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
-allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
-allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
+manage_dirs_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 kernel_read_kernel_sysctls(postfix_map_t)
@@ -393,19 +379,15 @@ optional_policy(`
 allow postfix_pickup_t self:tcp_socket create_socket_perms;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
 postfix_list_spool(postfix_pickup_t)
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+
+read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
 ########################################
 #
@@ -414,14 +396,11 @@ allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
 allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
+write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
-allow postfix_pipe_t postfix_public_t:dir search;
+write_fifo_files_pattern(postfix_pipe_t,postfix_public_t,postfix_public_t)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 optional_policy(`
 procmail_domtrans(postfix_pipe_t)
@@ -445,12 +424,10 @@ allow postfix_postdrop_t self:capability sys_resource;
 allow postfix_postdrop_t self:tcp_socket create;
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+rw_fifo_files_pattern(postfix_postdrop_t,postfix_public_t,postfix_public_t)
 postfix_list_spool(postfix_postdrop_t)
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+manage_files_pattern(postfix_postdrop_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
 corenet_udp_sendrecv_all_if(postfix_postdrop_t)
 corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
@@ -485,24 +462,12 @@ allow postfix_postqueue_t self:tcp_socket create;
 allow postfix_postqueue_t self:udp_socket { create ioctl };
 # wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+stream_connect_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t,postfix_master_t)
-allow postfix_postqueue_t postfix_public_t:dir search;
 # write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
+write_fifo_files_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t)
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_master_t postfix_postqueue_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:process sigchld;
-
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_postqueue_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_postqueue_t:process sigchld;
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
 # to write the mailq output, it really should not need read access!
 term_use_all_user_ptys(postfix_postqueue_t)
@@ -518,19 +483,14 @@ sysnet_dontaudit_read_config(postfix_postqueue_t)
 # Postfix qmgr local policy
 #
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
+stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)
 # for /var/spool/postfix/active
-allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
-allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
-allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
 allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
 allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
@@ -546,16 +506,9 @@ corecmd_exec_bin(postfix_qmgr_t)
 allow postfix_showq_t self:capability { setuid setgid };
 allow postfix_showq_t self:tcp_socket create_socket_perms;
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_master_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_master_t:fd use;
-allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_master_t:process sigchld;
-
 allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
 postfix_list_spool(postfix_showq_t)
@@ -577,9 +530,9 @@ sysnet_dns_name_resolve(postfix_showq_t)
 allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
 # connect to master process
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -594,13 +547,11 @@ optional_policy(`
 allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
 # connect to master process
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
 corecmd_exec_bin(postfix_smtpd_t)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 2025d03..da913c4 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -52,12 +52,7 @@ interface(`postgresql_domtrans',`
 type postgresql_t, postgresql_exec_t;
 ')
- domain_auto_trans($1,postgresql_exec_t,postgresql_t)
-
- allow $1 postgresql_t:fd use;
- allow postgresql_t $1:fd use;
- allow postgresql_t $1:fifo_file rw_file_perms;
- allow postgresql_t $1:process sigchld;
+ domtrans_pattern($1,postgresql_exec_t,postgresql_t)
 ')
 ########################################
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d0452c6..4188081 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -44,38 +44,36 @@ allow postgresql_t self:unix_dgram_socket create_socket_perms;
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
-allow postgresql_t postgresql_db_t:dir create_dir_perms;
-allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_db_t:file create_file_perms;
-allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
 files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
-allow postgresql_t postgresql_etc_t:dir r_dir_perms;
-allow postgresql_t postgresql_etc_t:file r_file_perms;
-allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
+read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
 allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 can_exec(postgresql_t, postgresql_exec_t )
-allow postgresql_t postgresql_lock_t:file create_file_perms;
+allow postgresql_t postgresql_lock_t:file manage_file_perms;
 files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
-allow postgresql_t postgresql_log_t:dir rw_dir_perms;
-allow postgresql_t postgresql_log_t:file create_file_perms;
+manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
 logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
-allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
-allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_tmp_t:file create_file_perms;
-allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
-allow postgresql_t postgresql_var_run_t:file create_file_perms;
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
+manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
 files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
 kernel_read_kernel_sysctls(postgresql_t)
@@ -187,7 +185,6 @@ bool allow_user_postgresql_connect false;
 if (allow_user_postgresql_connect) {
 # allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
 allow userdomain postgresql_t:unix_stream_socket connectto;
 allow userdomain postgresql_var_run_t:sock_file write;
 allow userdomain postgresql_tmp_t:sock_file write;
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 90bccd5..308652d 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
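Review bot: Dropping `can_tcp_connect(userdomain, postgresql_t)` from the `allow_user_postgresql_connect` block is a functional change rather than a pattern-macro conversion, and neither the Changelog entry nor a comment in the hunk records it. If that macro still granted anything in this tree, enabling the boolean now permits only the unix-socket path (the `connectto` and `sock_file write` rules kept as context) and user-domain TCP access to the server would have to come from elsewhere. A one-line comment above the remaining `allow userdomain postgresql_t:unix_stream_socket connectto;` saying where TCP access is granted now, or a Changelog line, would make the narrowing traceable for whoever debugs the resulting denials.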
@@ -29,17 +29,15 @@ dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
-allow postgrey_t postgrey_etc_t:file r_file_perms;
-allow postgrey_t postgrey_etc_t:dir r_dir_perms;
-allow postgrey_t postgrey_etc_t:lnk_file { getattr read };
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
-allow postgrey_t postgrey_var_lib_t:file create_file_perms;
-allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
-allow postgrey_t postgrey_var_run_t:file create_file_perms;
-allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
-allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
+manage_files_pattern(postgrey_t,postgrey_var_run_t,postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t,postgrey_var_run_t,postgrey_var_run_t)
 files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
 kernel_read_system_state(postgrey_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 4617701..036f91e 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -90,12 +90,7 @@ interface(`ppp_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, pppd_exec_t, pppd_t)
-
- allow $1 pppd_t:fd use;
- allow pppd_t $1:fd use;
- allow pppd_t $1:fifo_file rw_file_perms;
- allow pppd_t $1:process sigchld;
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
 ')
 ########################################
@@ -217,7 +212,7 @@ interface(`ppp_read_pid_files',`
 type pppd_var_run_t;
 ')
- allow $1 pppd_var_run_t:file r_file_perms;
+ allow $1 pppd_var_run_t:file read_file_perms;
 ')
 ########################################
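Review bot: `allow $1 pppd_var_run_t:file read_file_perms;` in ppp_read_pid_files grants only the file-class permissions, while the read interfaces converted elsewhere in this commit use `read_files_pattern(...)`, which also gives the caller search on the directory type. If pppd_var_run_t is applied to a directory as well as to the pid file, a caller that does not already have search on it cannot reach the file, and the interface silently depends on some other rule supplying that; `read_files_pattern($1,pppd_var_run_t,pppd_var_run_t)` would make the interface self-contained and match the rest of the conversion. The interface body is fully inside the hunk; whether any caller relies on the missing search cannot be seen here.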
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 70ff15f..16c9270 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -60,7 +60,7 @@ files_pid_file(pptp_var_run_t)
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process signal;
-allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t self:fifo_file rw_fifo_file_perms;
 allow pppd_t self:socket create_socket_perms;
 allow pppd_t self:unix_dgram_socket create_socket_perms;
 allow pppd_t self:unix_stream_socket create_socket_perms;
@@ -69,42 +69,36 @@ allow pppd_t self:tcp_socket create_stream_socket_perms;
 allow pppd_t self:udp_socket { connect connected_socket_perms };
 allow pppd_t self:packet_socket create_socket_perms;
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pptp_t:fd use;
-allow pptp_t pppd_t:fd use;
-allow pptp_t pppd_t:fifo_file rw_file_perms;
-allow pptp_t pppd_t:process sigchld;
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_t:file r_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
 allow pppd_t pppd_etc_t:lnk_file { getattr read };
-allow pppd_t pppd_etc_rw_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_rw_t:file create_file_perms;
+manage_files_pattern(pppd_t,pppd_etc_rw_t,pppd_etc_rw_t)
 # Automatically label newly created files under /etc/ppp with this type
-type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+filetrans_pattern(pppd_t,pppd_etc_t,pppd_etc_rw_t,file)
-allow pppd_t pppd_lock_t:file create_file_perms;
+allow pppd_t pppd_lock_t:file manage_file_perms;
 files_lock_filetrans(pppd_t,pppd_lock_t,file)
-allow pppd_t pppd_log_t:file create_file_perms;
+allow pppd_t pppd_log_t:file manage_file_perms;
 logging_log_filetrans(pppd_t,pppd_log_t,file)
-allow pppd_t pppd_tmp_t:dir create_dir_perms;
-allow pppd_t pppd_tmp_t:file create_file_perms;
+manage_dirs_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
+manage_files_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
 files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
-allow pppd_t pppd_var_run_t:dir rw_dir_perms;
-allow pppd_t pppd_var_run_t:file create_file_perms;
+manage_files_pattern(pppd_t,pppd_var_run_t,pppd_var_run_t)
 files_pid_filetrans(pppd_t,pppd_var_run_t,file)
 allow pppd_t pptp_t:process signal; # for SSP
 # Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
+allow pppd_t pppd_secret_t:file read_file_perms;
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
@@ -253,12 +247,11 @@ can_exec(pptp_t, pppd_etc_rw_t)
 # Allow pptp to append to pppd log files
 allow pptp_t pppd_log_t:file append;
-allow pptp_t pptp_log_t:file create_file_perms;
+allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t,pptp_log_t,file)
-allow pptp_t pptp_var_run_t:file create_file_perms;
-allow pptp_t pptp_var_run_t:dir rw_dir_perms;
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+manage_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
+manage_sock_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
 files_pid_filetrans(pptp_t,pptp_var_run_t,file)
 kernel_list_proc(pptp_t)
@@ -334,8 +327,4 @@ optional_policy(`
 ')
 # FIXME:
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:fd use;
-allow initrc_t pppd_t:fd use;
-allow initrc_t pppd_t:fifo_file rw_file_perms;
-allow initrc_t pppd_t:process sigchld;
+domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 56dd679..3cf9156 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -30,12 +30,10 @@ allow privoxy_t self:tcp_socket create_stream_socket_perms;
 allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
-allow privoxy_t privoxy_log_t:file create_file_perms;
-allow privoxy_t privoxy_log_t:dir rw_dir_perms;
+manage_files_pattern(privoxy_t,privoxy_log_t,privoxy_log_t)
 logging_log_filetrans(privoxy_t,privoxy_log_t,file)
-allow privoxy_t privoxy_var_run_t:file create_file_perms;
-allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
+manage_files_pattern(privoxy_t,privoxy_var_run_t,privoxy_var_run_t)
 files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
 kernel_read_kernel_sysctls(privoxy_t)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index 078fca3..440565a 100644
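Review bot: The bare `# FIXME:` above `domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)` survives the conversion still saying nothing about what is wrong, so the next reader cannot tell whether the target domain or the transition itself is the problem. Sending pppd's helper scripts into initrc_t presumably hands them the init-script domain's privileges instead of a confined one, which looks like the concern the marker was meant to record; a comment such as `# FIXME: ppp scripts run in initrc_t for lack of a dedicated script domain` would keep that intent next to the rule. The `optional_policy` block named in the hunk header is already closed by the first context line, so this rule sits at file scope.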
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -17,12 +17,7 @@ interface(`procmail_domtrans',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,procmail_exec_t,procmail_t)
-
- allow $1 procmail_t:fd use;
- allow procmail_t $1:fd use;
- allow procmail_t $1:fifo_file rw_file_perms;
- allow procmail_t $1:process sigchld;
+ domtrans_pattern($1,procmail_exec_t,procmail_t)
 ')
 ########################################
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index a841b19..03fc8c3 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -19,7 +19,7 @@ role system_r types procmail_t;
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
 allow procmail_t self:process { setsched signal };
-allow procmail_t self:fifo_file rw_file_perms;
+allow procmail_t self:fifo_file rw_fifo_file_perms;
 allow procmail_t self:unix_stream_socket create_socket_perms;
 allow procmail_t self:unix_dgram_socket create_socket_perms;
 allow procmail_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te
index 7b91ac9..42a09bc 100644
--- a/policy/modules/services/publicfile.te
+++ b/policy/modules/services/publicfile.te
@@ -20,8 +20,8 @@ files_type(publicfile_content_t)
 #
 allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-allow publicfile_t publicfile_content_t:dir r_dir_perms;
-allow publicfile_t publicfile_content_t:file r_file_perms;
+allow publicfile_t publicfile_content_t:dir list_dir_perms;
+allow publicfile_t publicfile_content_t:file read_file_perms;
 files_search_var(publicfile_t)
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index d992e7d..4903e40 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -27,11 +27,10 @@ allow pxe_t self:capability { chown setgid setuid };
 dontaudit pxe_t self:capability sys_tty_config;
 allow pxe_t self:process signal_perms;
-allow pxe_t pxe_log_t:file create_file_perms;
+allow pxe_t pxe_log_t:file manage_file_perms;
 logging_log_filetrans(pxe_t,pxe_log_t,file)
-allow pxe_t pxe_var_run_t:file create_file_perms;
-allow pxe_t pxe_var_run_t:dir rw_dir_perms;
+manage_files_pattern(pxe_t,pxe_var_run_t,pxe_var_run_t)
 files_pid_filetrans(pxe_t,pxe_var_run_t,file)
 kernel_read_kernel_sysctls(pxe_t)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index c611aa5..0b98efe 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -17,12 +17,7 @@ interface(`pyzor_domtrans',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,pyzor_exec_t,pyzor_t)
-
- allow $1 pyzor_t:fd use;
- allow pyzor_t $1:fd use;
- allow pyzor_t $1:fifo_file rw_file_perms;
- allow pyzor_t $1:process sigchld;
+ domtrans_pattern($1,pyzor_exec_t,pyzor_t)
 ')
 ########################################
@@ -72,9 +67,9 @@ template(`pyzor_per_role_template',`
 type $1_pyzor_home_t;
 userdom_user_home_content($1,$1_pyzor_home_t)
- allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
- allow pyzord_t $1_pyzor_home_t:file create_file_perms;
- allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
+ manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
+ manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
 userdom_search_user_home_dirs($1,pyzord_t)
 userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
 ')
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 8ba67e5..f430d8f 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -33,8 +33,8 @@ files_type(pyzor_var_lib_t)
 allow pyzor_t self:udp_socket create_socket_perms;
-allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
-allow pyzor_t pyzor_var_lib_t:file r_file_perms;
+allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
 files_search_var_lib(pyzor_t)
 kernel_read_kernel_sysctls(pyzor_t)
@@ -76,17 +76,17 @@ optional_policy(`
 allow pyzord_t self:udp_socket create_socket_perms;
-allow pyzord_t pyzor_var_lib_t:file create_file_perms;
-allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
+manage_files_pattern(pyzord_t,pyzor_var_lib_t,pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
 files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
-allow pyzord_t pyzor_etc_t:file create_file_perms;
-allow pyzord_t pyzor_etc_t:dir r_dir_perms;
+read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)
+allow pyzord_t pyzor_etc_t:dir list_dir_perms;
 can_exec(pyzord_t,pyzor_exec_t)
-allow pyzord_t pyzord_log_t:file create_file_perms;
-allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
+manage_files_pattern(pyzord_t,pyzord_log_t,pyzord_log_t)
+allow pyzord_t pyzord_log_t:dir setattr;
 logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
 kernel_read_kernel_sysctls(pyzord_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index 09a3863..6cb2442 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -109,10 +109,7 @@ interface(`qmail_domtrans_inject',`
 type qmail_inject_exec_t;
 ')
- domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
- allow qmail_inject_t $1:fd use;
- allow qmail_inject_t $1:fifo_file { read write };
- allow qmail_inject_t $1:process sigchld;
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
 ifdef(`distro_debian',`
 files_search_usr($1)
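Review bot: `read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)` replaces a rule that granted `create_file_perms` on pyzor_etc_t files, so pyzord drops from creating and writing its configuration to read-only access. Tightening a daemon's access to its own /etc data is the right direction, but it is a behavioural change hidden inside an otherwise mechanical conversion and the Changelog entry does not mention it; if pyzord does write under pyzor_etc_t at runtime this will show up as denials with nothing in the history explaining them. A short comment on the new line, e.g. `# read only: pyzord does not need to write its config`, or a Changelog line, would record the intent.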
@@ -139,11 +136,7 @@ interface(`qmail_domtrans_queue',`
 type qmail_queue_exec_t;
 ')
- domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
-
- allow qmail_queue_t $1:fd use;
- allow qmail_queue_t $1:fifo_file { read write };
- allow qmail_queue_t $1:process sigchld;
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
 ifdef(`distro_debian',`
 files_search_usr($1)
@@ -202,9 +195,5 @@ interface(`qmail_smtpd_service_domain',`
 type qmail_smtpd_t;
 ')
- domain_auto_trans(qmail_smtpd_t, $2, $1)
-
- allow $1 qmail_smtpd_t:fd use;
- allow $1 qmail_smtpd_t:fifo_file { read write };
- allow $1 qmail_smtpd_t:process sigchld;
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
 ')
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 5c02d30..96ee18a 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -65,8 +65,8 @@ domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
 # this component cleans up the queue directory
 #
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+read_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
+delete_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
 ########################################
 #
@@ -99,12 +99,12 @@ allow qmail_local_t self:fifo_file write;
 allow qmail_local_t self:process signal_perms;
 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
-allow qmail_local_t qmail_alias_home_t:file create_file_perms;
+manage_dirs_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
+manage_files_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
 allow qmail_local_t qmail_queue_exec_t:file read;
-allow qmail_local_t qmail_spool_t:file r_file_perms;
+allow qmail_local_t qmail_spool_t:file read_file_perms;
 kernel_read_system_state(qmail_local_t)
@@ -133,8 +133,7 @@ can_exec(qmail_lspawn_t, qmail_exec_t)
 allow qmail_lspawn_t qmail_local_exec_t:file read;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
 corecmd_search_sbin(qmail_lspawn_t)
@@ -155,9 +154,9 @@ allow qmail_queue_t qmail_smtpd_t:fd use;
 allow qmail_queue_t qmail_smtpd_t:fifo_file read;
 allow qmail_queue_t qmail_smtpd_t:process sigchld;
-allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t qmail_spool_t:file create_file_perms;
+manage_dirs_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
 optional_policy(`
 daemontools_ipc_domain(qmail_queue_t)
@@ -172,8 +171,7 @@ optional_policy(`
 allow qmail_remote_t self:tcp_socket create_socket_perms;
 allow qmail_remote_t self:udp_socket create_socket_perms;
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
 corenet_non_ipsec_sendrecv(qmail_remote_t)
 corenet_tcp_sendrecv_generic_if(qmail_remote_t)
@@ -201,8 +199,7 @@ allow qmail_rspawn_t self:fifo_file read;
 allow qmail_rspawn_t qmail_remote_exec_t:file read;
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
 corecmd_search_bin(qmail_rspawn_t)
 corecmd_search_sbin(qmail_rspawn_t)
@@ -216,9 +213,9 @@ corecmd_search_sbin(qmail_rspawn_t)
 allow qmail_send_t self:process signal_perms;
 allow qmail_send_t self:fifo_file write;
-allow qmail_send_t qmail_spool_t:dir create_dir_perms;
-allow qmail_send_t qmail_spool_t:file create_file_perms;
-allow qmail_send_t qmail_spool_t:fifo_file read;
+manage_dirs_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
+manage_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
 qmail_domtrans_queue(qmail_send_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index a99fd39..5123bc9 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,27 +32,26 @@ files_pid_file(radiusd_var_run_t)
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
 allow radiusd_t self:process { setsched signal };
-allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
 allow radiusd_t self:tcp_socket create_stream_socket_perms;
 allow radiusd_t self:udp_socket create_socket_perms;
-allow radiusd_t radiusd_etc_t:file r_file_perms;
 allow radiusd_t radiusd_etc_t:dir r_dir_perms;
-allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+read_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t)
+read_lnk_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t)
 files_search_etc(radiusd_t)
-allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
-allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
-allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
-type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
+manage_dirs_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_rw_t,{ dir file lnk_file })
-allow radiusd_t radiusd_log_t:file create_file_perms;
-allow radiusd_t radiusd_log_t:dir create_dir_perms;
+manage_dirs_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
+manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
-allow radiusd_t radiusd_var_run_t:file create_file_perms;
-allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
 files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 kernel_read_kernel_sysctls(radiusd_t)
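Review bot: `allow radiusd_t radiusd_etc_t:dir r_dir_perms;` is left untouched while the file and lnk_file rules around it become `read_files_pattern`/`read_lnk_files_pattern`; the same conversion in postgrey.te, pyzor.te and publicfile.te in this commit moved the directory rule to `list_dir_perms`, so this hunk is the odd one out and `allow radiusd_t radiusd_etc_t:dir list_dir_perms;` would keep it consistent. Separately, `filetrans_pattern(radiusd_t,radiusd_etc_rw_t,...)` on radiusd_etc_t replaces a bare `type_transition`; if that macro also grants write access on the parent directory type, as the other `*_pattern` macros do for their directory argument, radiusd gains the ability to create entries in its read-only config directory that the old rules never granted. A type_transition without that access was inert, so the widening may well be intended, but it deserves a line in the commit message rather than passing as a mechanical rewrite.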
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 6fb98a9..970a713 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -30,8 +30,7 @@ allow radvd_t self:udp_socket create_socket_perms;
 allow radvd_t radvd_etc_t:file { getattr read };
-allow radvd_t radvd_var_run_t:file create_file_perms;
-allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(radvd_t,radvd_var_run_t,radvd_var_run_t)
 files_pid_filetrans(radvd_t,radvd_var_run_t,file)
 kernel_read_kernel_sysctls(radvd_t)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 9a1bff6..c58bfdf 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,7 +26,7 @@ template(`razor_common_domain_template',`
 allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_t self:unix_dgram_socket sendto;
@@ -42,14 +42,14 @@ template(`razor_common_domain_template',`
 allow $1_t razor_etc_t:file read_file_perms;
 allow $1_t razor_etc_t:lnk_file { getattr read };
- allow $1_t razor_log_t:dir manage_dir_perms;
- allow $1_t razor_log_t:file manage_file_perms;
- allow $1_t razor_log_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_t,razor_log_t,razor_log_t)
+ manage_files_pattern($1_t,razor_log_t,razor_log_t)
+ manage_lnk_files_pattern($1_t,razor_log_t,razor_log_t)
 logging_log_filetrans($1_t,razor_log_t,file)
- allow $1_t razor_var_lib_t:dir manage_dir_perms;
- allow $1_t razor_var_lib_t:file manage_file_perms;
- allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
+ manage_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
+ manage_lnk_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
 files_search_var_lib($1_t)
 # Razor is one executable and several symlinks
@@ -152,24 +152,23 @@ template(`razor_per_role_template',`
 allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
- allow $1_razor_t $1_razor_home_t:file manage_file_perms;
- allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
+ manage_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
+ manage_lnk_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
 userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
- allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
- allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
+ manage_files_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
 files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
- domain_auto_trans($2, razor_exec_t, $1_razor_t)
- allow $1_razor_t $2:fd use;
- allow $1_razor_t $2:fifo_file rw_file_perms;
- allow $1_razor_t $2:process sigchld;
+ domtrans_pattern($2, razor_exec_t, $1_razor_t)
- allow $2 $1_razor_home_t:dir manage_dir_perms;
- allow $2 $1_razor_home_t:file manage_file_perms;
- allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
- allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ manage_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
 logging_send_syslog_msg($1_razor_t)
@@ -210,8 +209,5 @@ interface(`razor_domtrans',`
 type razor_t, razor_exec_t;
 ')
- domain_auto_trans($1, razor_exec_t, razor_t)
- allow razor_t $1:fd use;
- allow razor_t $1:fifo_file rw_file_perms;
- allow razor_t $1:process sigchld;
+ domtrans_pattern($1, razor_exec_t, razor_t)
 ')
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index f1d7164..29916f8 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -29,16 +29,15 @@ files_type(razor_var_lib_t)
 allow razor_t self:tcp_socket create_socket_perms;
-allow razor_t razor_etc_t:dir create_dir_perms;
-allow razor_t razor_etc_t:file create_file_perms;
-allow razor_t razor_etc_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(razor_t,razor_etc_t,razor_etc_t)
+manage_files_pattern(razor_t,razor_etc_t,razor_etc_t)
+manage_lnk_files_pattern(razor_t,razor_etc_t,razor_etc_t)
 files_search_etc(razor_t)
-allow razor_t razor_log_t:file create_file_perms;
+allow razor_t razor_log_t:file manage_file_perms;
 logging_log_filetrans(razor_t,razor_log_t,file)
-allow razor_t razor_var_lib_t:file create_file_perms;
-allow razor_t razor_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
 files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
 corenet_non_ipsec_sendrecv(razor_t)
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index ea2114e..b5c10ba 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -23,8 +23,8 @@ allow remote_login_t self:capability { dac_override chown fowner fsetid kill set allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; -allow remote_login_t self:fifo_file rw_file_perms; -allow remote_login_t self:sock_file r_file_perms; +allow remote_login_t self:fifo_file rw_fifo_file_perms; +allow remote_login_t self:sock_file read_sock_file_perms; allow remote_login_t self:unix_dgram_socket create_socket_perms; allow remote_login_t self:unix_stream_socket create_stream_socket_perms; allow remote_login_t self:unix_dgram_socket sendto; @@ -35,8 +35,8 @@ allow remote_login_t self:msgq create_msgq_perms; allow remote_login_t self:msg { send receive }; allow remote_login_t self:key write; -allow remote_login_t remote_login_tmp_t:dir create_dir_perms; -allow remote_login_t remote_login_tmp_t:file create_file_perms; +manage_dirs_pattern(remote_login_t,remote_login_tmp_t,remote_login_tmp_t) +manage_files_pattern(remote_login_t,remote_login_tmp_t,remote_login_tmp_t) files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) kernel_read_system_state(remote_login_t) diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te index 695d7c6..890c1dd 100644 --- a/policy/modules/services/resmgr.te +++ b/policy/modules/services/resmgr.te @@ -29,7 +29,7 @@ allow resmgrd_t resmgrd_etc_t:file { getattr read }; files_search_etc(resmgrd_t) allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; -allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms; +allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file }) kernel_list_proc(resmgrd_t) diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index bd8681d..3a5a375 100644 --- a/policy/modules/services/rhgb.te 
+++ b/policy/modules/services/rhgb.te @@ -26,16 +26,16 @@ dontaudit rhgb_t self:capability sys_tty_config; allow rhgb_t self:process { setpgid signal_perms }; allow rhgb_t self:shm create_shm_perms; allow rhgb_t self:unix_stream_socket create_stream_socket_perms; -allow rhgb_t self:fifo_file rw_file_perms; +allow rhgb_t self:fifo_file rw_fifo_file_perms; allow rhgb_t self:tcp_socket create_socket_perms; allow rhgb_t self:udp_socket create_socket_perms; allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; -allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms; -allow rhgb_t rhgb_tmpfs_t:file manage_file_perms; -allow rhgb_t rhgb_tmpfs_t:lnk_file create_lnk_perms; -allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms; -allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms; +manage_dirs_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) +manage_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) +manage_lnk_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) +manage_fifo_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) +manage_sock_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls(rhgb_t) @@ -116,7 +116,7 @@ xserver_kill_xdm_xserver(rhgb_t) xserver_read_xkb_libs(rhgb_t) ifdef(`strict_policy',` - allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr }; + allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rhgb_t,rhgb_devpts_t) ', ` files_dontaudit_read_root_files(rhgb_t) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index 6355d50..be4d466 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if 
@@ -15,10 +15,7 @@ interface(`ricci_domtrans',` type ricci_t, ricci_exec_t; ') - domain_auto_trans($1,ricci_exec_t,ricci_t) - allow ricci_t $1:fd use; - allow ricci_t $1:fifo_file rw_file_perms; - allow ricci_t $1:process sigchld; + domtrans_pattern($1,ricci_exec_t,ricci_t) ') ######################################## @@ -36,10 +33,7 @@ interface(`ricci_domtrans_modcluster',` type ricci_modcluster_t, ricci_modcluster_exec_t; ') - domain_auto_trans($1,ricci_modcluster_exec_t,ricci_modcluster_t) - allow ricci_modcluster_t $1:fd use; - allow ricci_modcluster_t $1:fifo_file rw_file_perms; - allow ricci_modcluster_t $1:process sigchld; + domtrans_pattern($1,ricci_modcluster_exec_t,ricci_modcluster_t) ') ######################################## @@ -115,10 +109,7 @@ interface(`ricci_domtrans_modlog',` type ricci_modlog_t, ricci_modlog_exec_t; ') - domain_auto_trans($1,ricci_modlog_exec_t,ricci_modlog_t) - allow ricci_modlog_t $1:fd use; - allow ricci_modlog_t $1:fifo_file rw_file_perms; - allow ricci_modlog_t $1:process sigchld; + domtrans_pattern($1,ricci_modlog_exec_t,ricci_modlog_t) ') ######################################## @@ -136,10 +127,7 @@ interface(`ricci_domtrans_modrpm',` type ricci_modrpm_t, ricci_modrpm_exec_t; ') - domain_auto_trans($1,ricci_modrpm_exec_t,ricci_modrpm_t) - allow ricci_modrpm_t $1:fd use; - allow ricci_modrpm_t $1:fifo_file rw_file_perms; - allow ricci_modrpm_t $1:process sigchld; + domtrans_pattern($1,ricci_modrpm_exec_t,ricci_modrpm_t) ') ######################################## @@ -157,10 +145,7 @@ interface(`ricci_domtrans_modservice',` type ricci_modservice_t, ricci_modservice_exec_t; ') - domain_auto_trans($1,ricci_modservice_exec_t,ricci_modservice_t) - allow ricci_modservice_t $1:fd use; - allow ricci_modservice_t $1:fifo_file rw_file_perms; - allow ricci_modservice_t $1:process sigchld; + domtrans_pattern($1,ricci_modservice_exec_t,ricci_modservice_t) ') ######################################## 
@@ -178,8 +163,5 @@ interface(`ricci_domtrans_modstorage',` type ricci_modstorage_t, ricci_modstorage_exec_t; ') - domain_auto_trans($1,ricci_modstorage_exec_t,ricci_modstorage_t) - allow ricci_modstorage_t $1:fd use; - allow ricci_modstorage_t $1:fifo_file rw_file_perms; - allow ricci_modstorage_t $1:process sigchld; + domtrans_pattern($1,ricci_modstorage_exec_t,ricci_modstorage_t) ') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index be60d82..a72c725 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te 
@@ -92,26 +92,25 @@ domain_auto_trans(ricci_t,ricci_modservice_exec_t,ricci_modservice_t) domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t) # tmp file -allow ricci_t ricci_tmp_t:dir create_dir_perms; -allow ricci_t ricci_tmp_t:file create_file_perms; +manage_dirs_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t) +manage_files_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t) files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) # var/lib files for ricci -allow ricci_t ricci_var_lib_t:file create_file_perms; -allow ricci_t ricci_var_lib_t:sock_file create_file_perms; -allow ricci_t ricci_var_lib_t:dir create_dir_perms; +manage_dirs_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t) +manage_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t) +manage_sock_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t) files_var_lib_filetrans(ricci_t,ricci_var_lib_t, { file dir sock_file }) # log files -allow ricci_t ricci_var_log_t:file create_file_perms; -allow ricci_t ricci_var_log_t:sock_file create_file_perms; -allow ricci_t ricci_var_log_t:dir { rw_dir_perms setattr }; +allow ricci_t ricci_var_log_t:dir setattr; +manage_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t) +manage_sock_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t) logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir }) # pid file -allow ricci_t ricci_var_run_t:file manage_file_perms; -allow ricci_t ricci_var_run_t:sock_file manage_file_perms; -allow ricci_t ricci_var_run_t:dir rw_dir_perms; +manage_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t) +manage_sock_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t) files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_t) 
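Review bot: `logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir })` still names `dir`, yet the only directory rules left for ricci_var_log_t are `allow ricci_t ricci_var_log_t:dir setattr;` and whatever manage_files_pattern grants on the parent directory, which presumably does not include create, so the dir transition has no create permission to pair with. Either add `manage_dirs_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t)` if ricci creates log subdirectories, or drop `dir` from the class list so the rule matches what is actually permitted. The ricci_modclusterd_t log block in the @@ -276 hunk has the same shape.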
@@ -202,7 +201,7 @@ optional_policy(` allow ricci_modcluster_t self:capability sys_nice; allow ricci_modcluster_t self:process setsched; -allow ricci_modcluster_t self:fifo_file rw_file_perms; +allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; kernel_read_kernel_sysctls(ricci_modcluster_t) kernel_read_system_state(ricci_modcluster_t) @@ -266,7 +265,7 @@ unconfined_domain(ricci_modcluster_t) allow ricci_modclusterd_t self:capability sys_nice; allow ricci_modclusterd_t self:process { signal sigkill setsched }; -allow ricci_modclusterd_t self:fifo_file rw_file_perms; +allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -276,15 +275,14 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; # log files -allow ricci_modclusterd_t ricci_modcluster_var_log_t:file create_file_perms; -allow ricci_modclusterd_t ricci_modcluster_var_log_t:sock_file create_file_perms; -allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir { rw_dir_perms setattr }; +allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; +manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t) +manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t) logging_log_filetrans(ricci_modclusterd_t,ricci_modcluster_var_log_t,{ sock_file file dir }) # pid file -allow ricci_modclusterd_t ricci_modcluster_var_run_t:file manage_file_perms; -allow ricci_modclusterd_t ricci_modcluster_var_run_t:sock_file manage_file_perms; -allow ricci_modclusterd_t ricci_modcluster_var_run_t:dir rw_dir_perms; +manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t) +manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t) files_pid_filetrans(ricci_modclusterd_t,ricci_modcluster_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_modclusterd_t) @@ -445,7 +443,7 @@ optional_policy(` allow ricci_modstorage_t self:process { setsched signal }; allow ricci_modstorage_t self:capability { mknod sys_nice }; -allow ricci_modstorage_t self:fifo_file rw_file_perms; +allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; kernel_read_kernel_sysctls(ricci_modstorage_t) diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if index 9326e5a..27bb997 100644 --- a/policy/modules/services/rlogin.if +++ b/policy/modules/services/rlogin.if 
@@ -16,10 +16,5 @@ interface(`rlogin_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1,rlogind_exec_t,rlogind_t) - - allow $1 rlogind_t:fd use; - allow rlogind_t $1:fd use; - allow rlogind_t $1:fifo_file rw_file_perms; - allow rlogind_t $1:process sigchld; + domtrans_pattern($1,rlogind_exec_t,rlogind_t) ') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index b7bbcd7..9fa8c6f 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,24 +27,23 @@ files_pid_file(rlogind_var_run_t) allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; -allow rlogind_t self:fifo_file rw_file_perms; +allow rlogind_t self:fifo_file rw_fifo_file_perms; allow rlogind_t self:tcp_socket connected_stream_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow rlogind_t self:capability { setuid setgid }; -allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr }; +allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) # for /usr/lib/telnetlogin can_exec(rlogind_t, rlogind_exec_t) -allow rlogind_t rlogind_tmp_t:dir create_dir_perms; -allow rlogind_t rlogind_tmp_t:file create_file_perms; +manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t) +manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t) files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) -allow rlogind_t rlogind_var_run_t:file create_file_perms; -allow rlogind_t rlogind_var_run_t:dir rw_dir_perms; +manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t) files_pid_filetrans(rlogind_t,rlogind_var_run_t,file) kernel_read_kernel_sysctls(rlogind_t) diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te index e9c66e4..5992ac8 100644 
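Review bot: The removed rule set granted both directions of descriptor use (`allow $1 rlogind_t:fd use;` and `allow rlogind_t $1:fd use;`), and whether `domtrans_pattern($1,rlogind_exec_t,rlogind_t)` reproduces the caller-side `allow $1 rlogind_t:fd use;` is not visible in this diff. If the macro only grants the child-to-parent direction, callers of rlogin_domtrans lose a permission they had, which would surface as denials when the parent uses descriptors the child opened. Please confirm against the macro definition; rpc_domtrans_nfsd, rshd_domtrans, samba_domtrans_net, samba_domtrans_smbmount and samba_domtrans_winbind_helper in the later hunks drop the same caller-side rule. A one-line comment on domtrans_pattern's definition stating which directions it covers would settle this for future conversions.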
--- a/policy/modules/services/roundup.te +++ b/policy/modules/services/roundup.te @@ -28,14 +28,12 @@ allow roundup_t self:unix_stream_socket create_stream_socket_perms; allow roundup_t self:tcp_socket create_stream_socket_perms; allow roundup_t self:udp_socket create_socket_perms; -allow roundup_t roundup_var_run_t:file create_file_perms; -allow roundup_t roundup_var_run_t:dir rw_dir_perms; -files_pid_filetrans(roundup_t,roundup_var_run_t,file) - -allow roundup_t roundup_var_lib_t:file create_file_perms; -allow roundup_t roundup_var_lib_t:dir rw_dir_perms; +manage_files_pattern(roundup_t,roundup_var_lib_t,roundup_var_lib_t) files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file) +manage_files_pattern(roundup_t,roundup_var_run_t,roundup_var_run_t) +files_pid_filetrans(roundup_t,roundup_var_run_t,file) + kernel_read_kernel_sysctls(roundup_t) kernel_list_proc(roundup_t) kernel_read_proc_symlinks(roundup_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 30c3244..1444083 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -57,8 +57,8 @@ template(`rpc_domain_template', ` allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; - allow $1_t var_lib_nfs_t:dir create_dir_perms; - allow $1_t var_lib_nfs_t:file create_file_perms; + manage_dirs_pattern($1_t,var_lib_nfs_t,var_lib_nfs_t) + manage_files_pattern($1_t,var_lib_nfs_t,var_lib_nfs_t) kernel_list_proc($1_t) kernel_read_proc_symlinks($1_t) @@ -184,7 +184,7 @@ interface(`rpc_read_exports',` type exports_t; ') - allow $1 exports_t:file r_file_perms; + allow $1 exports_t:file read_file_perms; ') ######################################## 
@@ -220,12 +220,7 @@ interface(`rpc_domtrans_nfsd',` type nfsd_t, nfsd_exec_t; ') - domain_auto_trans($1,nfsd_exec_t,nfsd_t) - - allow $1 nfsd_t:fd use; - allow nfsd_t $1:fd use; - allow nfsd_t $1:fifo_file rw_file_perms; - allow nfsd_t $1:process sigchld; + domtrans_pattern($1,nfsd_exec_t,nfsd_t) ') ######################################## @@ -265,9 +260,9 @@ interface(`rpc_manage_nfs_rw_content',` type nfsd_rw_t; ') - allow $1 nfsd_rw_t:dir manage_dir_perms; - allow $1 nfsd_rw_t:file manage_file_perms; - allow $1 nfsd_rw_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1,nfsd_rw_t,nfsd_rw_t) + manage_files_pattern($1,nfsd_rw_t,nfsd_rw_t) + manage_lnk_files_pattern($1,nfsd_rw_t,nfsd_rw_t) ') ######################################## @@ -286,9 +281,9 @@ interface(`rpc_manage_nfs_ro_content',` type nfsd_ro_t; ') - allow $1 nfsd_ro_t:dir manage_dir_perms; - allow $1 nfsd_ro_t:file manage_file_perms; - allow $1 nfsd_ro_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1,nfsd_ro_t,nfsd_ro_t) + manage_files_pattern($1,nfsd_ro_t,nfsd_ro_t) + manage_lnk_files_pattern($1,nfsd_ro_t,nfsd_ro_t) ') ######################################## @@ -358,6 +353,5 @@ interface(`rpc_read_nfs_state_data',` ') files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search_dir_perms; - allow $1 var_lib_nfs_t:file read_file_perms; + read_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 3e246fe..57d2ac5 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te 
@@ -38,10 +38,10 @@ files_mountpoint(var_lib_nfs_t) # allow rpcd_t self:capability { chown dac_override setgid setuid }; -allow rpcd_t self:fifo_file rw_file_perms; +allow rpcd_t self:fifo_file rw_fifo_file_perms; -allow rpcd_t rpcd_var_run_t:file manage_file_perms; -allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr }; +allow rpcd_t rpcd_var_run_t:dir setattr; +manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) kernel_read_system_state(rpcd_t) @@ -74,7 +74,7 @@ optional_policy(` allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; allow nfsd_t exports_t:file { getattr read }; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) @@ -124,8 +124,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid }; allow gssd_t self:process getsched; allow gssd_t self:fifo_file { read write }; -allow gssd_t gssd_tmp_t:dir create_dir_perms; -allow gssd_t gssd_tmp_t:file create_file_perms; +manage_dirs_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) +manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) kernel_read_network_state(gssd_t) diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if index eefcd30..2e7daee 100644 --- a/policy/modules/services/rshd.if +++ b/policy/modules/services/rshd.if @@ -17,10 +17,5 @@ interface(`rshd_domtrans',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,rshd_exec_t,rshd_t) - - allow $1 rshd_t:fd use; - allow rshd_t $1:fd use; - allow rshd_t $1:fifo_file rw_file_perms; - allow rshd_t $1:process sigchld; + domtrans_pattern($1,rshd_exec_t,rshd_t) ') diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te index 839bf92..e814bd3 100644 --- a/policy/modules/services/rshd.te 
+++ b/policy/modules/services/rshd.te @@ -18,7 +18,7 @@ role system_r types rshd_t; # allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; -allow rshd_t self:fifo_file rw_file_perms; +allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; kernel_read_kernel_sysctls(rshd_t) diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index 9064c2d..51c1211 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -27,7 +27,7 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability sys_chroot; allow rsync_t self:process signal_perms; -allow rsync_t self:fifo_file rw_file_perms; +allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; allow rsync_t self:udp_socket connected_socket_perms; @@ -38,16 +38,15 @@ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow rsync_t self:capability { setuid setgid }; #end for identd -allow rsync_t rsync_data_t:dir r_dir_perms; -allow rsync_t rsync_data_t:file r_file_perms; -allow rsync_t rsync_data_t:lnk_file r_file_perms; +allow rsync_t rsync_data_t:dir list_dir_perms; +read_files_pattern(rsync_t,rsync_data_t,rsync_data_t) +read_lnk_files_pattern(rsync_t,rsync_data_t,rsync_data_t) -allow rsync_t rsync_tmp_t:dir create_dir_perms; -allow rsync_t rsync_tmp_t:file create_file_perms; +manage_dirs_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t) +manage_files_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t) files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) -allow rsync_t rsync_var_run_t:file create_file_perms; -allow rsync_t rsync_var_run_t:dir rw_dir_perms; +manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) files_pid_filetrans(rsync_t,rsync_var_run_t,file) kernel_read_kernel_sysctls(rsync_t) 
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index c2e220e..3ecc275 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -58,12 +58,7 @@ interface(`samba_domtrans_net',` ') corecmd_search_bin($1) - domain_auto_trans($1,samba_net_exec_t,samba_net_t) - - allow $1 samba_net_t:fd use; - allow samba_net_t $1:fd use; - allow samba_net_t $1:fifo_file rw_file_perms; - allow samba_net_t $1:process sigchld; + domtrans_pattern($1,samba_net_exec_t,samba_net_t) ') ######################################## @@ -114,12 +109,7 @@ interface(`samba_domtrans_smbmount',` ') corecmd_search_bin($1) - domain_auto_trans($1,smbmount_exec_t,smbmount_t) - - allow $1 smbmount_t:fd use; - allow smbmount_t $1:fd use; - allow smbmount_t $1:fifo_file rw_file_perms; - allow smbmount_t $1:process sigchld; + domtrans_pattern($1,smbmount_exec_t,smbmount_t) ') ######################################## @@ -140,8 +130,7 @@ interface(`samba_read_config',` ') files_search_etc($1) - allow $1 samba_etc_t:dir search_dir_perms; - allow $1 samba_etc_t:file { read getattr lock }; + read_files_pattern($1,samba_etc_t,samba_etc_t) ') ######################################## @@ -162,8 +151,7 @@ interface(`samba_rw_config',` ') files_search_etc($1) - allow $1 samba_etc_t:dir search_dir_perms; - allow $1 samba_etc_t:file rw_file_perms; + rw_files_pattern($1,samba_etc_t,samba_etc_t) ') ######################################## @@ -183,8 +171,8 @@ interface(`samba_read_log',` ') logging_search_logs($1) - allow $1 samba_log_t:dir r_dir_perms; - allow $1 samba_log_t:file { read getattr lock }; + allow $1 samba_log_t:dir list_dir_perms; + read_files_pattern($1,samba_log_t,samba_log_t) ') ######################################## 
@@ -262,8 +250,7 @@ interface(`samba_rw_var_files',` ') files_search_var($1) - allow $1 samba_var_t:dir search_dir_perms; - allow $1 samba_var_t:file rw_file_perms; + rw_files_pattern($1,samba_var_t,samba_var_t) ') ######################################## @@ -317,12 +304,7 @@ interface(`samba_domtrans_winbind_helper',` type winbind_helper_t, winbind_helper_exec_t; ') - domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t) - - allow $1 winbind_helper_t:fd use; - allow winbind_helper_t $1:fd use; - allow winbind_helper_t $1:fifo_file rw_file_perms; - allow winbind_helper_t $1:process sigchld; + domtrans_pattern($1,winbind_helper_exec_t,winbind_helper_t) ') ######################################## @@ -373,7 +355,7 @@ interface(`samba_read_winbind_pid',` ') files_search_pids($1) - allow $1 winbind_var_run_t:file r_file_perms; + allow $1 winbind_var_run_t:file read_file_perms; ') ######################################## @@ -393,7 +375,5 @@ interface(`samba_stream_connect_winbind',` files_search_pids($1) allow $1 samba_var_t:dir search_dir_perms; - allow $1 winbind_var_run_t:dir search_dir_perms; - allow $1 winbind_var_run_t:sock_file { getattr read write }; - allow $1 winbind_t:unix_stream_socket connectto; + stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 7759850..67490b9 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te 
@@ -96,19 +96,18 @@ allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; allow samba_net_t self:tcp_socket create_socket_perms; -allow samba_net_t samba_etc_t:file r_file_perms; +allow samba_net_t samba_etc_t:file read_file_perms; -allow samba_net_t samba_secrets_t:file create_file_perms; -allow samba_net_t samba_etc_t:dir rw_dir_perms; -type_transition samba_net_t samba_etc_t:file samba_secrets_t; +manage_files_pattern(samba_net_t,samba_etc_t,samba_secrets_t) +filetrans_pattern(samba_net_t,samba_etc_t,samba_secrets_t,file) -allow samba_net_t samba_net_tmp_t:dir create_dir_perms; -allow samba_net_t samba_net_tmp_t:file create_file_perms; +manage_dirs_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t) +manage_files_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t) files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) allow samba_net_t samba_var_t:dir rw_dir_perms; -allow samba_net_t samba_var_t:lnk_file create_lnk_perms; -allow samba_net_t samba_var_t:file create_file_perms; +manage_files_pattern(samba_net_t,samba_var_t,samba_var_t) +manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t) kernel_read_proc_symlinks(samba_net_t) 
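Review bot: `allow samba_net_t samba_var_t:dir rw_dir_perms;` is kept as context directly above `manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)`, which presumably grants the same directory permissions; the other converted blocks in this commit drop the explicit dir rule, so dropping it here keeps the file uniform. The smbmount_t block in the @@ -435 hunk keeps the same redundant line.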
@@ -165,49 +164,49 @@ dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; allow smbd_t self:fd use; -allow smbd_t self:fifo_file rw_file_perms; +allow smbd_t self:fifo_file rw_fifo_file_perms; allow smbd_t self:msg { send receive }; allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file r_file_perms; +allow smbd_t self:sock_file read_file_perms; allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t self:netlink_route_socket r_netlink_socket_perms; -allow smbd_t samba_etc_t:dir rw_dir_perms; allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -allow smbd_t samba_log_t:dir { create ra_dir_perms setattr }; +create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) +create_files_pattern(smbd_t,samba_log_t,samba_log_t) +append_files_pattern(smbd_t,samba_log_t,samba_log_t) +allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name; -allow smbd_t samba_log_t:file { create ra_file_perms }; allow smbd_t samba_net_tmp_t:file getattr; -allow smbd_t samba_secrets_t:dir rw_dir_perms; -allow smbd_t samba_secrets_t:file create_file_perms; -type_transition smbd_t samba_etc_t:file samba_secrets_t; +manage_files_pattern(smbd_t,samba_secrets_t,samba_secrets_t) +filetrans_pattern(smbd_t,samba_etc_t,samba_secrets_t,file) -allow smbd_t samba_share_t:dir create_dir_perms; -allow smbd_t samba_share_t:file create_file_perms; -allow smbd_t samba_share_t:lnk_file create_lnk_perms; +manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) +manage_files_pattern(smbd_t,samba_share_t,samba_share_t) 
+manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) -allow smbd_t samba_var_t:dir create_dir_perms; -allow smbd_t samba_var_t:file create_file_perms; -allow smbd_t samba_var_t:lnk_file create_lnk_perms; -allow smbd_t samba_var_t:sock_file create_file_perms; +manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) +manage_files_pattern(smbd_t,samba_var_t,samba_var_t) +manage_lnk_files_pattern(smbd_t,samba_var_t,samba_var_t) +manage_sock_files_pattern(smbd_t,samba_var_t,samba_var_t) -allow smbd_t smbd_tmp_t:dir create_dir_perms; -allow smbd_t smbd_tmp_t:file create_file_perms; +manage_dirs_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t) +manage_files_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) allow smbd_t nmbd_var_run_t:file rw_file_perms; -allow smbd_t smbd_var_run_t:dir create_dir_perms; -allow smbd_t smbd_var_run_t:file create_file_perms; -allow smbd_t smbd_var_run_t:sock_file create_file_perms; +manage_dirs_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) +manage_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) +manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) allow smbd_t winbind_var_run_t:sock_file { read write getattr }; 
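Review bot: smbd_t loses read on samba_log_t files in this conversion: the removed `allow smbd_t samba_log_t:file { create ra_file_perms };` included read, but the replacement is only `create_files_pattern` and `append_files_pattern`, whereas the nmbd_t block in the @@ -330 hunk adds `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` alongside them. Unless smbd never reads its own log, add `read_files_pattern(smbd_t,samba_log_t,samba_log_t)` so the two daemons stay consistent. Separately, `manage_files_pattern(smbd_t,samba_secrets_t,samba_secrets_t)` passes samba_secrets_t as the directory type, while the samba_net_t and winbind_t conversions use `manage_files_pattern(X,samba_etc_t,samba_secrets_t)`; since `allow smbd_t samba_etc_t:dir rw_dir_perms;` is removed in this hunk, the directory write needed to create secrets files under samba_etc_t now depends on whether filetrans_pattern grants it, which is not visible here. Aligning it to `manage_files_pattern(smbd_t,samba_etc_t,samba_secrets_t)` removes the doubt.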
@@ -330,29 +329,29 @@ optional_policy(` dontaudit nmbd_t self:capability sys_tty_config; allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow nmbd_t self:fd use; -allow nmbd_t self:fifo_file rw_file_perms; +allow nmbd_t self:fifo_file rw_fifo_file_perms; allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file r_file_perms; +allow nmbd_t self:sock_file read_file_perms; allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow nmbd_t nmbd_var_run_t:file create_file_perms; -allow nmbd_t nmbd_var_run_t:dir rw_dir_perms; +manage_files_pattern(nmbd_t,nmbd_var_run_t,nmbd_var_run_t) files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) -allow nmbd_t samba_etc_t:dir { search getattr }; -allow nmbd_t samba_etc_t:file { getattr read }; +read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) -allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr }; -allow nmbd_t samba_log_t:file { create ra_file_perms }; +create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) +append_files_pattern(nmbd_t,samba_log_t,samba_log_t) +read_files_pattern(nmbd_t,samba_log_t,samba_log_t) +create_files_pattern(nmbd_t,samba_log_t,samba_log_t) +allow nmbd_t samba_log_t:dir setattr; -allow nmbd_t samba_var_t:dir rw_dir_perms; -allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename }; +manage_files_pattern(nmbd_t,samba_var_t,samba_var_t) allow nmbd_t smbd_var_run_t:dir rw_dir_perms; 
@@ -435,19 +434,19 @@ allow smbmount_t self:udp_socket connect; allow smbmount_t self:unix_dgram_socket create_socket_perms; allow smbmount_t self:unix_stream_socket create_socket_perms; -allow smbmount_t samba_etc_t:dir r_dir_perms; -allow smbmount_t samba_etc_t:file r_file_perms; +allow smbmount_t samba_etc_t:dir list_dir_perms; +allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) -allow smbmount_t samba_log_t:dir r_dir_perms; -allow smbmount_t samba_log_t:file create_file_perms; +allow smbmount_t samba_log_t:dir list_dir_perms; +allow smbmount_t samba_log_t:file manage_file_perms; -allow smbmount_t samba_secrets_t:file create_file_perms; +allow smbmount_t samba_secrets_t:file manage_file_perms; allow smbmount_t samba_var_t:dir rw_dir_perms; -allow smbmount_t samba_var_t:file create_file_perms; -allow smbmount_t samba_var_t:lnk_file create_lnk_perms; +manage_files_pattern(smbmount_t,samba_var_t,samba_var_t) +manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) kernel_read_system_state(smbmount_t) @@ -529,11 +528,9 @@ allow swat_t self:netlink_route_socket r_netlink_socket_perms; allow swat_t nmbd_exec_t:file { execute read }; -allow swat_t samba_etc_t:dir search; -allow swat_t samba_etc_t:file { getattr write read }; +rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) -allow swat_t samba_log_t:dir search; -allow swat_t samba_log_t:file append; +append_files_pattern(swat_t,samba_log_t,samba_log_t) allow swat_t smbd_exec_t:file execute ; 
@@ -541,12 +538,11 @@ allow swat_t smbd_t:process signull; allow swat_t smbd_var_run_t:file read; -allow swat_t swat_tmp_t:dir create_dir_perms; -allow swat_t swat_tmp_t:file create_file_perms; +manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) +manage_files_pattern(swat_t,swat_tmp_t,swat_tmp_t) files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) -allow swat_t swat_var_run_t:file create_file_perms; -allow swat_t swat_var_run_t:dir rw_dir_perms; +manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) allow swat_t winbind_exec_t:file execute; 
@@ -625,32 +621,29 @@ allow winbind_t self:netlink_route_socket r_netlink_socket_perms; allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -allow winbind_t samba_etc_t:dir r_dir_perms; -allow winbind_t samba_etc_t:lnk_file { getattr read }; -allow winbind_t samba_etc_t:file r_file_perms; +allow winbind_t samba_etc_t:dir list_dir_perms; +read_files_pattern(winbind_t,samba_etc_t,samba_etc_t) +read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t) -allow winbind_t samba_secrets_t:file create_file_perms; -allow winbind_t samba_etc_t:dir rw_dir_perms; -type_transition winbind_t samba_etc_t:file samba_secrets_t; +manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t) +filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file) -allow winbind_t samba_log_t:dir manage_dir_perms; -allow winbind_t samba_log_t:file manage_file_perms; -allow winbind_t samba_log_t:lnk_file create_lnk_perms; +manage_dirs_pattern(winbind_t,samba_log_t,samba_log_t) +manage_files_pattern(winbind_t,samba_log_t,samba_log_t) +manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t) -allow winbind_t samba_var_t:dir rw_dir_perms; -allow winbind_t samba_var_t:file create_file_perms; -allow winbind_t samba_var_t:lnk_file create_lnk_perms; +manage_files_pattern(winbind_t,samba_var_t,samba_var_t) +manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t) -allow winbind_t winbind_log_t:file create_file_perms; +allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t,winbind_log_t,file) -allow winbind_t winbind_tmp_t:dir create_dir_perms; -allow winbind_t winbind_tmp_t:file create_file_perms; +manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) +manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) -allow winbind_t winbind_var_run_t:file create_file_perms; -allow winbind_t winbind_var_run_t:sock_file create_file_perms; -allow 
winbind_t winbind_var_run_t:dir rw_dir_perms; +manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) +manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) kernel_read_kernel_sysctls(winbind_t) @@ -731,15 +724,13 @@ optional_policy(` allow winbind_helper_t self:unix_dgram_socket create_socket_perms; allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_helper_t samba_etc_t:dir r_dir_perms; -allow winbind_helper_t samba_etc_t:lnk_file { getattr read }; -allow winbind_helper_t samba_etc_t:file r_file_perms; +allow winbind_helper_t samba_etc_t:dir list_dir_perms; +read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) +read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) allow winbind_helper_t samba_var_t:dir search; -allow winbind_helper_t winbind_var_run_t:dir r_dir_perms; -allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write }; -allow winbind_helper_t winbind_t:unix_stream_socket connectto; +stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) term_list_ptys(winbind_helper_t) diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if index 60a8cfe..756f40a 100644 --- a/policy/modules/services/sasl.if +++ b/policy/modules/services/sasl.if @@ -16,7 +16,5 @@ interface(`sasl_connect',` ') files_search_pids($1) - allow $1 saslauthd_var_run_t:dir search; - allow $1 saslauthd_var_run_t:sock_file { read write }; - allow $1 saslauthd_t:unix_stream_socket connectto; + stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 77544c3..7835fb3 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te 
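Review bot: `stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)` drops permissions the removed rules granted: `r_dir_perms` on the run directory presumably becomes search only, and `{ getattr read }` on the sock_file is gone, leaving just write. The sasl.if hunk on the same line makes the same trade, losing `read` on saslauthd_var_run_t:sock_file for callers of sasl_connect. If the clients only connect() this is a welcome tightening, but it is a behaviour change rather than a macro substitution; either confirm there are no getattr/read denials on these sock_files or keep an explicit `allow winbind_helper_t winbind_var_run_t:sock_file { getattr read };` beside the pattern.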
@@ -26,9 +26,8 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; -allow saslauthd_t saslauthd_var_run_t:file create_file_perms; -allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; -allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms; +manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t) +manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t) files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file) kernel_read_kernel_sysctls(saslauthd_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index afbebee..e0d10d5 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te 
@@ -27,19 +27,19 @@ mta_mailserver_sender(sendmail_t) allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; allow sendmail_t self:process signal; -allow sendmail_t self:fifo_file rw_file_perms; +allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t self:udp_socket create_socket_perms; allow sendmail_t self:netlink_route_socket r_netlink_socket_perms; -allow sendmail_t sendmail_log_t:file create_file_perms; -allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; +allow sendmail_t sendmail_log_t:dir setattr; +manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t) logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir }) -allow sendmail_t sendmail_tmp_t:dir manage_dir_perms; -allow sendmail_t sendmail_tmp_t:file manage_file_perms; +manage_dirs_pattern(sendmail_t,sendmail_tmp_t,sendmail_tmp_t) +manage_files_pattern(sendmail_t,sendmail_tmp_t,sendmail_tmp_t) files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) allow sendmail_t sendmail_var_run_t:file manage_file_perms; @@ -142,10 +142,10 @@ optional_policy(` ifdef(`TODO',` allow sendmail_t etc_mail_t:dir rw_dir_perms; -allow sendmail_t etc_mail_t:file create_file_perms; +allow sendmail_t etc_mail_t:file manage_file_perms; # for the start script to run make -C /etc/mail allow initrc_t etc_mail_t:dir rw_dir_perms; -allow initrc_t etc_mail_t:file create_file_perms; +allow initrc_t etc_mail_t:file manage_file_perms; allow system_mail_t initrc_t:fd use; allow system_mail_t initrc_t:fifo_file write; diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index a67b52c..d49664b 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te 
@@ -29,27 +29,26 @@ files_pid_file(setroubleshoot_var_run_t) allow setroubleshootd_t self:capability { dac_override sys_tty_config }; allow setroubleshootd_t self:process { signal getattr getsched }; -allow setroubleshootd_t self:fifo_file rw_file_perms; +allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms; # database files -allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms; -allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr }; +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; +manage_files_pattern(setroubleshootd_t,setroubleshoot_var_lib_t,setroubleshoot_var_lib_t) files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir }) # log files -allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms; -allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms; -allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr }; +allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; +manage_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t) +manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t) logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir }) # pid file -allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms; -allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms; -allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms; +manage_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t) 
+manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t) files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(setroubleshootd_t) diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if index bfac15a..8ff82b3 100644 --- a/policy/modules/services/slrnpull.if +++ b/policy/modules/services/slrnpull.if @@ -36,7 +36,7 @@ interface(`slrnpull_manage_spool',` ') files_search_spool($1) - allow $1 slrnpull_spool_t:dir create_dir_perms; - allow $1 slrnpull_spool_t:file create_file_perms; - allow $1 slrnpull_spool_t:lnk_file create_lnk_perms; + manage_dirs_pattern($1,slrnpull_spool_t,slrnpull_spool_t) + manage_files_pattern($1,slrnpull_spool_t,slrnpull_spool_t) + manage_lnk_files_pattern($1,slrnpull_spool_t,slrnpull_spool_t) ') diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te index c7de93a..ff0951c 100644 --- a/policy/modules/services/slrnpull.te +++ b/policy/modules/services/slrnpull.te 
@@ -27,17 +27,15 @@ logging_log_file(slrnpull_log_t) dontaudit slrnpull_t self:capability sys_tty_config; allow slrnpull_t self:process signal_perms; -allow slrnpull_t slrnpull_log_t:file create_file_perms; +allow slrnpull_t slrnpull_log_t:file manage_file_perms; logging_log_filetrans(slrnpull_t,slrnpull_log_t,file) -allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms; -allow slrnpull_t slrnpull_spool_t:dir create_dir_perms; -allow slrnpull_t slrnpull_spool_t:file create_file_perms; -allow slrnpull_t slrnpull_spool_t:lnk_file create_lnk_perms; +manage_dirs_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t) +manage_files_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t) +manage_lnk_files_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t) files_search_spool(slrnpull_t) -allow slrnpull_t slrnpull_var_run_t:file create_file_perms; -allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms; +manage_files_pattern(slrnpull_t,slrnpull_var_run_t,slrnpull_var_run_t) files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file) kernel_list_proc(slrnpull_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 3ebbdcb..91094fd 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te 
@@ -24,17 +24,16 @@ files_tmp_file(fsdaemon_tmp_t) allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process signal_perms; -allow fsdaemon_t self:fifo_file rw_file_perms; +allow fsdaemon_t self:fifo_file rw_fifo_file_perms; allow fsdaemon_t self:unix_dgram_socket create_socket_perms; allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; allow fsdaemon_t self:udp_socket create_socket_perms; -allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms; -allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms; +manage_dirs_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t) +manage_files_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t) files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) -allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms; -allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms; +manage_files_pattern(fsdaemon_t,fsdaemon_var_run_t,fsdaemon_var_run_t) files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file) kernel_read_kernel_sysctls(fsdaemon_t) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index cbe73e4..a21eb21 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -42,9 +42,10 @@ interface(`snmp_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') - allow $1 snmpd_var_lib_t:dir r_dir_perms; - allow $1 snmpd_var_lib_t:file r_file_perms; - allow $1 snmpd_var_lib_t:lnk_file { getattr read }; + + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1,snmpd_var_lib_t,snmpd_var_lib_t) + read_lnk_files_pattern($1,snmpd_var_lib_t,snmpd_var_lib_t) ') ######################################## 
@@ -61,7 +62,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') - dontaudit $1 snmpd_var_lib_t:dir r_dir_perms; - dontaudit $1 snmpd_var_lib_t:file r_file_perms; + dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; + dontaudit $1 snmpd_var_lib_t:file read_file_perms; dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; ') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 2879796..a4da0e3 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -27,7 +27,7 @@ files_type(snmpd_var_lib_t) # allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability sys_tty_config; -allow snmpd_t self:fifo_file rw_file_perms; +allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; allow snmpd_t self:tcp_socket create_stream_socket_perms; 
@@ -35,18 +35,17 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms; allow snmpd_t snmpd_etc_t:file { getattr read }; -allow snmpd_t snmpd_log_t:file create_file_perms; +allow snmpd_t snmpd_log_t:file manage_file_perms; logging_log_filetrans(snmpd_t,snmpd_log_t,file) -allow snmpd_t snmpd_var_lib_t:file create_file_perms; -allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms; -allow snmpd_t snmpd_var_lib_t:dir create_dir_perms; +manage_dirs_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t) +manage_files_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t) +manage_sock_files_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t) files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file) files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file }) files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file) -allow snmpd_t snmpd_var_run_t:file create_file_perms; -allow snmpd_t snmpd_var_run_t:dir rw_dir_perms; +manage_files_pattern(snmpd_t,snmpd_var_run_t,snmpd_var_run_t) files_pid_filetrans(snmpd_t,snmpd_var_run_t,file) kernel_read_device_sysctls(snmpd_t) diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index 66ba191..4acfecc 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te 
@@ -35,20 +35,19 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; -allow snort_t snort_etc_t:dir r_dir_perms; -allow snort_t snort_etc_t:file r_file_perms; +allow snort_t snort_etc_t:dir list_dir_perms; +allow snort_t snort_etc_t:file read_file_perms; allow snort_t snort_etc_t:lnk_file { getattr read }; -allow snort_t snort_log_t:file create_file_perms; -allow snort_t snort_log_t:dir { create rw_dir_perms }; +manage_files_pattern(snort_t,snort_log_t,snort_log_t) +create_dirs_pattern(snort_t,snort_log_t,snort_log_t) logging_log_filetrans(snort_t,snort_log_t,{ file dir }) -allow snort_t snort_tmp_t:dir create_dir_perms; -allow snort_t snort_tmp_t:file create_file_perms; +manage_dirs_pattern(snort_t,snort_tmp_t,snort_tmp_t) +manage_files_pattern(snort_t,snort_tmp_t,snort_tmp_t) files_tmp_filetrans(snort_t, snort_tmp_t, { file dir }) -allow snort_t snort_var_run_t:file create_file_perms; -allow snort_t snort_var_run_t:dir rw_dir_perms; +manage_files_pattern(snort_t,snort_var_run_t,snort_var_run_t) files_pid_filetrans(snort_t,snort_var_run_t,file) kernel_read_kernel_sysctls(snort_t) diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te index 83eef5e..d43168c 100644 --- a/policy/modules/services/soundserver.te +++ b/policy/modules/services/soundserver.te 
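Review bot: `allow snort_t snort_etc_t:lnk_file { getattr read };` is left hand-written while the dir and file rules right above it are converted, whereas the same dir/file/lnk_file triple in the winbind and squid hunks of this diff becomes `read_files_pattern`/`read_lnk_files_pattern`. For consistency with the rest of the commit, replace the three lines with `allow snort_t snort_etc_t:dir list_dir_perms;`, `read_files_pattern(snort_t,snort_etc_t,snort_etc_t)` and `read_lnk_files_pattern(snort_t,snort_etc_t,snort_etc_t)`. The soundserver hunk that follows leaves the equivalent lnk_file rule on soundd_etc_t untouched as context.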
@@ -42,23 +42,20 @@ allow soundd_t soundd_etc_t:dir list_dir_perms; allow soundd_t soundd_etc_t:file read_file_perms; allow soundd_t soundd_etc_t:lnk_file { getattr read }; -allow soundd_t soundd_state_t:dir rw_dir_perms; -allow soundd_t soundd_state_t:file manage_file_perms; -allow soundd_t soundd_state_t:lnk_file create_lnk_perms; +manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t) +manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t) -allow soundd_t soundd_tmp_t:dir manage_dir_perms; -allow soundd_t soundd_tmp_t:file manage_file_perms; +manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) +manage_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir }) -allow soundd_t soundd_tmpfs_t:dir rw_dir_perms; -allow soundd_t soundd_tmpfs_t:file manage_file_perms; -allow soundd_t soundd_tmpfs_t:lnk_file create_lnk_perms; -allow soundd_t soundd_tmpfs_t:sock_file manage_file_perms; -allow soundd_t soundd_tmpfs_t:fifo_file manage_file_perms; +manage_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) +manage_lnk_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) +manage_fifo_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) +manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -allow soundd_t soundd_var_run_t:file manage_file_perms; -allow soundd_t soundd_var_run_t:dir rw_dir_perms; +manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) files_pid_filetrans(soundd_t,soundd_var_run_t,file) kernel_read_kernel_sysctls(soundd_t) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 3ffdc69..46273d2 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if 
@@ -67,8 +67,8 @@ template(`spamassassin_per_role_template',` allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_spamc_t self:fd use; - allow $1_spamc_t self:fifo_file rw_file_perms; - allow $1_spamc_t self:sock_file r_file_perms; + allow $1_spamc_t self:fifo_file rw_fifo_file_perms; + allow $1_spamc_t self:sock_file read_sock_file_perms; allow $1_spamc_t self:shm create_shm_perms; allow $1_spamc_t self:sem create_sem_perms; allow $1_spamc_t self:msgq create_msgq_perms; @@ -80,19 +80,15 @@ template(`spamassassin_per_role_template',` allow $1_spamc_t self:tcp_socket create_stream_socket_perms; allow $1_spamc_t self:udp_socket create_socket_perms; - allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms; - allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms; + manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) + manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) # Allow connecting to a local spamd allow $1_spamc_t spamd_t:unix_stream_socket connectto; allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; - domain_auto_trans($2, spamc_exec_t, $1_spamc_t) - allow $2 $1_spamc_t:fd use; - allow $1_spamc_t $2:fd use; - allow $1_spamc_t $2:fifo_file rw_file_perms; - allow $1_spamc_t $2:process sigchld; + domtrans_pattern($2, spamc_exec_t, $1_spamc_t) kernel_read_kernel_sysctls($1_spamc_t) 
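Review bot: `allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;` survives the second hunk as context even though the commit's own convention, applied a few lines earlier on self:sock_file, is to stop using file permission sets on sock_file objects. Together with the adjacent `allow $1_spamc_t spamd_t:unix_stream_socket connectto;` this is the shape the commit elsewhere collapses into a single call, `stream_connect_pattern($1_spamc_t,spamd_tmp_t,spamd_tmp_t,spamd_t)` (compare the sasl.if and winbind_helper hunks), which would also shed the read/append/ioctl grant the client does not need to connect. If the wider set is kept on purpose, `rw_sock_file_perms` is the matching sock_file set. The spamassassin_per_role_template body continues beyond this hunk.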
@@ -180,8 +176,8 @@ template(`spamassassin_per_role_template',` allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_spamassassin_t self:fd use; - allow $1_spamassassin_t self:fifo_file rw_file_perms; - allow $1_spamassassin_t self:sock_file r_file_perms; + allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms; + allow $1_spamassassin_t self:sock_file read_sock_file_perms; allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; allow $1_spamassassin_t self:unix_dgram_socket sendto; 
@@ -191,32 +187,31 @@ template(`spamassassin_per_role_template',` allow $1_spamassassin_t self:msgq create_msgq_perms; allow $1_spamassassin_t self:msg { send receive }; - allow $1_spamassassin_t $1_spamassassin_home_t:dir create_dir_perms; - allow $1_spamassassin_t $1_spamassassin_home_t:file create_file_perms; - allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms; - allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms; - allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms; + manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) - allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms; - allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms; + manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) + manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) - allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto }; - allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto }; - allow $2 $1_spamassassin_home_t:lnk_file { create_lnk_perms relabelfrom relabelto }; - - domain_auto_trans($2, spamassassin_exec_t, $1_spamassassin_t) - allow $2 $1_spamassassin_t:fd use; - allow $1_spamassassin_t $2:fd use; - allow $1_spamassassin_t $2:fifo_file rw_file_perms; - allow $1_spamassassin_t $2:process 
sigchld; - - allow spamd_t $1_spamassassin_home_t:dir create_dir_perms; - allow spamd_t $1_spamassassin_home_t:file create_file_perms; - allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms; - allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms; - allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms; + manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) + + domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) + + manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) + manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls($1_spamassassin_t) @@ -409,12 +404,7 @@ template(`spamassassin_domtrans_user_client',` type $1_spamc_t, spamc_exec_t; ') - domain_auto_trans($2,spamc_exec_t,$1_spamc_t) - - allow $2 $1_spamc_t:fd use; - allow $1_spamc_t $2:fd use; - allow $1_spamc_t $2:fifo_file rw_file_perms; - allow $1_spamc_t $2:process sigchld; + domtrans_pattern($2,spamc_exec_t,$1_spamc_t) ') ######################################## 
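Review bot: The new pattern calls in the home-directory hunk mix argument spacing — `manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)` has a space after the first comma but none after the second — while every other conversion in this commit writes the arguments with no spaces, e.g. `manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)`. m4 accepts both, but the mixed form defeats simple grep-based audits of which domains can manage `$1_spamassassin_home_t`; normalise the eleven calls to one style. The substance of the rewrite (manage_* plus relabel_* for `$2`, the five manage_* calls for spamd_t) maps onto the removed rules one-for-one.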
@@ -462,12 +452,7 @@ template(`spamassassin_domtrans_user_local_client',` type $1_spamassassin_t, spamassassin_exec_t; ') - domain_auto_trans($2,spamassassin_exec_t,$1_spamassassin_t) - - allow $2 $1_spamassassin_t:fd use; - allow $1_spamassassin_t $2:fd use; - allow $1_spamassassin_t $2:fifo_file rw_file_perms; - allow $1_spamassassin_t $2:process sigchld; + domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) ') ######################################## @@ -485,7 +470,7 @@ interface(`spamassassin_read_spamd_tmp_files',` type spamd_tmp_t; ') - allow $1 spamd_tmp_t:file r_file_perms; + allow $1 spamd_tmp_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 6b064b8..d27e461 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -39,8 +39,8 @@ allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -allow spamd_t self:fifo_file rw_file_perms; -allow spamd_t self:sock_file r_file_perms; +allow spamd_t self:fifo_file rw_fifo_file_perms; +allow spamd_t self:sock_file read_sock_file_perms; allow spamd_t self:shm create_shm_perms; allow spamd_t self:sem create_sem_perms; allow spamd_t self:msgq create_msgq_perms; 
@@ -53,16 +53,15 @@ allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; allow spamd_t self:netlink_route_socket r_netlink_socket_perms; -allow spamd_t spamd_spool_t:file create_file_perms; -allow spamd_t spamd_spool_t:dir create_dir_perms; +manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) +manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) -allow spamd_t spamd_tmp_t:dir create_dir_perms; -allow spamd_t spamd_tmp_t:file create_file_perms; +manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t) +manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) -allow spamd_t spamd_var_run_t:file create_file_perms; -allow spamd_t spamd_var_run_t:dir rw_dir_perms; +manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t) files_pid_filetrans(spamd_t,spamd_var_run_t,file) kernel_read_all_sysctls(spamd_t) diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te index edf09ce..025d4a4 100644 --- a/policy/modules/services/speedtouch.te +++ b/policy/modules/services/speedtouch.te @@ -24,12 +24,11 @@ files_pid_file(speedmgmt_var_run_t) dontaudit speedmgmt_t self:capability sys_tty_config; allow speedmgmt_t self:process signal_perms; -allow speedmgmt_t speedmgmt_tmp_t:dir create_dir_perms; -allow speedmgmt_t speedmgmt_tmp_t:file create_file_perms; +manage_dirs_pattern(speedmgmt_t,speedmgmt_tmp_t,speedmgmt_tmp_t) +manage_files_pattern(speedmgmt_t,speedmgmt_tmp_t,speedmgmt_tmp_t) files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir }) -allow speedmgmt_t speedmgmt_var_run_t:file create_file_perms; -allow speedmgmt_t speedmgmt_var_run_t:dir rw_dir_perms; +manage_files_pattern(speedmgmt_t,speedmgmt_var_run_t,speedmgmt_var_run_t) files_pid_filetrans(speedmgmt_t,speedmgmt_var_run_t,file) kernel_read_kernel_sysctls(speedmgmt_t) 
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index a819bfc..465bb04 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -16,12 +16,7 @@ interface(`squid_domtrans',` ') corecmd_search_sbin($1) - domain_auto_trans($1,squid_exec_t,squid_t) - - allow $1 squid_t:fd use; - allow squid_t $1:fd use; - allow squid_t $1:fifo_file rw_file_perms; - allow squid_t $1:process sigchld; + domtrans_pattern($1,squid_exec_t,squid_t) ') ######################################## @@ -41,7 +36,7 @@ interface(`squid_read_config',` ') files_search_etc($1) - allow $1 squid_conf_t:file r_file_perms; + allow $1 squid_conf_t:file read_file_perms; ') ######################################## @@ -61,8 +56,7 @@ interface(`squid_read_log',` ') logging_search_logs($1) - allow $1 squid_log_t:dir search_dir_perms; - allow $1 squid_log_t:file r_file_perms; + read_files_pattern($1,squid_log_t,squid_log_t) ') ######################################## @@ -81,8 +75,7 @@ interface(`squid_append_log',` ') logging_search_logs($1) - allow $1 squid_log_t:dir search_dir_perms; - allow $1 squid_log_t:file { getattr append }; + append_files_pattern($1,squid_log_t,squid_log_t) ') ######################################## @@ -103,8 +96,7 @@ interface(`squid_manage_logs',` ') logging_search_logs($1) - allow $1 squid_log_t:dir rw_dir_perms; - allow $1 squid_log_t:file create_file_perms; + manage_files_pattern($1,squid_log_t,squid_log_t) ') ######################################## diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 989c83d..33ff7f4 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te 
@@ -31,8 +31,8 @@ files_pid_file(squid_var_run_t) allow squid_t self:capability { setgid setuid dac_override sys_resource }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow squid_t self:fifo_file rw_file_perms; -allow squid_t self:sock_file r_file_perms; +allow squid_t self:fifo_file rw_fifo_file_perms; +allow squid_t self:sock_file read_sock_file_perms; allow squid_t self:fd use; allow squid_t self:shm create_shm_perms; allow squid_t self:sem create_sem_perms; @@ -46,22 +46,20 @@ allow squid_t self:tcp_socket create_stream_socket_perms; allow squid_t self:udp_socket create_socket_perms; # Grant permissions to create, access, and delete cache files. -allow squid_t squid_cache_t:dir create_dir_perms; -allow squid_t squid_cache_t:file create_file_perms; -allow squid_t squid_cache_t:lnk_file create_lnk_perms; +manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t) +manage_files_pattern(squid_t,squid_cache_t,squid_cache_t) +manage_lnk_files_pattern(squid_t,squid_cache_t,squid_cache_t) -allow squid_t squid_conf_t:file r_file_perms; -allow squid_t squid_conf_t:dir r_dir_perms; -allow squid_t squid_conf_t:lnk_file read; +allow squid_t squid_conf_t:dir list_dir_perms; +read_files_pattern(squid_t,squid_conf_t,squid_conf_t) +read_lnk_files_pattern(squid_t,squid_conf_t,squid_conf_t) can_exec(squid_t,squid_exec_t) -allow squid_t squid_log_t:file create_file_perms; -allow squid_t squid_log_t:dir rw_dir_perms; +manage_files_pattern(squid_t,squid_log_t,squid_log_t) logging_log_filetrans(squid_t,squid_log_t,{ file dir }) -allow squid_t squid_var_run_t:file create_file_perms; -allow squid_t squid_var_run_t:dir rw_dir_perms; +manage_files_pattern(squid_t,squid_var_run_t,squid_var_run_t) files_pid_filetrans(squid_t,squid_var_run_t,file) kernel_read_kernel_sysctls(squid_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index d9e71ca..ffc7eb8 100644 
--- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -63,7 +63,7 @@ template(`ssh_basic_client_template',` allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_ssh_t self:fd use; - allow $1_ssh_t self:fifo_file rw_file_perms; + allow $1_ssh_t self:fifo_file rw_fifo_file_perms; allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow $1_ssh_t self:shm create_shm_perms; @@ -78,14 +78,10 @@ template(`ssh_basic_client_template',` allow $1_ssh_t $2:unix_stream_socket connectto; # Read the ssh key file. - allow $1_ssh_t sshd_key_t:file r_file_perms; + allow $1_ssh_t sshd_key_t:file read_file_perms; # Transition from the domain to the derived domain. - domain_auto_trans($2, ssh_exec_t, $1_ssh_t) - allow $2 $1_ssh_t:fd use; - allow $1_ssh_t $2:fd use; - allow $1_ssh_t $2:fifo_file rw_file_perms; - allow $1_ssh_t $2:process sigchld; + domtrans_pattern($2, ssh_exec_t, $1_ssh_t) # inheriting stream sockets is needed for "ssh host command" as no pty # is allocated 
@@ -94,25 +90,21 @@ template(`ssh_basic_client_template',`
 allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
 # allow ps to show ssh
- allow $2 $1_ssh_t:dir { search getattr read };
- allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
- allow $2 $1_ssh_t:process getattr;
+ ps_process_pattern($2,$1_ssh_t)
 # user can manage the keys and config
- allow $2 $1_home_ssh_t:dir rw_dir_perms;
- allow $2 $1_home_ssh_t:file create_file_perms;
- allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
- allow $2 $1_home_ssh_t:sock_file create_file_perms;
+ manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
+ manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
+ manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
 # ssh client can manage the keys and config
- allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
- allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
- allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
+ manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
+ read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
 # ssh servers can read the user keys and config
- allow ssh_server $1_home_ssh_t:dir r_dir_perms;
- allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
- allow ssh_server $1_home_ssh_t:file r_file_perms;
+ allow ssh_server $1_home_ssh_t:dir list_dir_perms;
+ read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
+ read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
 kernel_read_kernel_sysctls($1_ssh_t)
@@ -157,8 +149,8 @@ template(`ssh_basic_client_template',`
 ifdef(`strict_policy',`
 # Access the ssh temporary files.
- allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
- allow $1_ssh_t sshd_tmp_t:file create_file_perms;
+ allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
+ allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
 files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
 ')
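Review bot: `manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)` widens the client's access to the user's ssh home type: the line it replaces gave `$1_ssh_t` only `dir r_dir_perms`, while the pattern, judging by the `dir rw_dir_perms` lines it replaces elsewhere in this commit, also grants write/add_name/remove_name on the directory. That is consistent with the `create_file_perms` the client already held on files, which could not have been exercised without write on the directory, so it reads as an intended fix rather than an accident; the comment above should record that, e.g. `# ssh client can manage the keys and config (write on the dir is needed to create files)`. ssh_basic_client_template continues outside the hunk.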
@@ -251,21 +243,18 @@ template(`ssh_per_role_template',`
 # Client local policy
 #
- allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_lnk_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_fifo_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
 fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
- allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
+ manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
 userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
 # Allow the ssh program to communicate with ssh-agent.
- allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
- allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
- allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
+ stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
 allow $1_ssh_t sshd_t:unix_stream_socket connectto;
@@ -327,27 +316,20 @@ template(`ssh_per_role_template',`
 allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
- allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
+ manage_sock_files_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
 files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
 # for ssh-add
- allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
- allow $2 $1_ssh_agent_tmp_t:sock_file write;
+ stream_connect_pattern($2,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
 # Allow the user shell to signal the ssh program.
 allow $2 $1_ssh_agent_t:process signal;
 # allow ps to show ssh
- allow $2 $1_ssh_agent_t:dir { search getattr read };
- allow $2 $1_ssh_agent_t:{ file lnk_file } { read getattr };
- allow $2 $1_ssh_agent_t:process getattr;
+ ps_process_pattern($2,$1_ssh_agent_t)
- domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
- allow $2 $1_ssh_agent_t:fd use;
- allow $1_ssh_agent_t $2:fd use;
- allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
- allow $1_ssh_agent_t $2:process sigchld;
+ domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t)
 kernel_read_kernel_sysctls($1_ssh_agent_t)
@@ -468,17 +450,17 @@ template(`ssh_server_template', `
 files_pid_file($1_var_run_t)
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
- allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:process { signal setsched setrlimit setexec };
 allow $1_t self:tcp_socket create_stream_socket_perms;
 allow $1_t self:udp_socket create_socket_perms;
 # ssh agent connections:
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 term_create_pty($1_t,$1_devpts_t)
- allow $1_t $1_var_run_t:file create_file_perms;
+ allow $1_t $1_var_run_t:file manage_file_perms;
 files_pid_filetrans($1_t,$1_var_run_t,file)
 can_exec($1_t, sshd_exec_t)
@@ -711,10 +693,7 @@ interface(`ssh_domtrans_keygen',`
 type ssh_keygen_t, ssh_keygen_exec_t;
 ')
- domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
- allow ssh_keygen_t $1:fd use;
- allow ssh_keygen_t $1:fifo_file rw_file_perms;
- allow ssh_keygen_t $1:process sigchld;
+ domtrans_pattern($1,ssh_keygen_exec_t,ssh_keygen_t)
 ')
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 31ac75f..1d1ee44 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
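Review bot: `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };` still lists `getattr` on its own even though the point of the rewrite is to lean on the named set; if rw_chr_file_perms carries getattr as the rw_file_perms it replaces did, the line can be `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr relabelfrom };`. Cosmetic, but a stray getattr beside a named set invites the next reader to wonder whether the set lacks it. ssh_server_template continues outside the hunk.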
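Review bot: `domtrans_pattern($1,ssh_keygen_exec_t,ssh_keygen_t)` replaces a rule set that did not include `allow $1 ssh_keygen_t:fd use;`, whereas the other domtrans conversions in this commit (tcpd, tor, uwimap, the ssh and xserver templates) replaced both directions of fd use. If the pattern grants both directions, callers of ssh_domtrans_keygen now gain fd use on the keygen domain; a small widening, but one nothing in the change calls out. uucp_domtrans_uux in uucp.if has the same shape. Either confirm the pattern matches the narrower rule set or mention the widening in the commit message.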
@@ -77,9 +77,9 @@ ifdef(`strict_policy',`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
- allow sshd_t sshd_tmp_t:dir create_dir_perms;
- allow sshd_t sshd_tmp_t:file create_file_perms;
- allow sshd_t sshd_tmp_t:sock_file create_file_perms;
+ manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+ manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+ manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 kernel_link_key(sshd_t)
@@ -206,7 +206,7 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sshd_key_t:file create_file_perms;
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
 kernel_read_kernel_sysctls(ssh_keygen_t)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index eb1d2bb..c6d0070 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -35,7 +35,7 @@ files_pid_file(stunnel_var_run_t)
 allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:process signal_perms;
-allow stunnel_t self:fifo_file rw_file_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
 allow stunnel_t self:udp_socket create_socket_perms;
 allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
@@ -44,12 +44,11 @@ allow stunnel_t stunnel_etc_t:dir { getattr read search };
 allow stunnel_t stunnel_etc_t:file { read getattr };
 allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
-allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
-allow stunnel_t stunnel_tmp_t:file create_file_perms;
+manage_dirs_pattern(stunnel_t,stunnel_tmp_t,stunnel_tmp_t)
+manage_files_pattern(stunnel_t,stunnel_tmp_t,stunnel_tmp_t)
 files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
-allow stunnel_t stunnel_var_run_t:file create_file_perms;
-allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
+manage_files_pattern(stunnel_t,stunnel_var_run_t,stunnel_var_run_t)
 files_pid_filetrans(stunnel_t,stunnel_var_run_t,file)
 kernel_read_kernel_sysctls(stunnel_t)
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
index a3beead..cc47dcd 100644
--- a/policy/modules/services/sysstat.if
+++ b/policy/modules/services/sysstat.if
@@ -17,6 +17,5 @@ interface(`sysstat_manage_log',`
 ')
 logging_search_logs($1)
- allow $1 sysstat_log_t:dir rw_dir_perms;
- allow $1 sysstat_log_t:file manage_file_perms;
+ manage_files_pattern($1,sysstat_log_t,sysstat_log_t)
 ')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 9d59df1..cffc4ef 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -21,12 +21,11 @@ logging_log_file(sysstat_log_t)
 allow sysstat_t self:capability sys_resource;
 dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:fifo_file rw_file_perms;
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
 can_exec(sysstat_t, sysstat_exec_t)
-allow sysstat_t sysstat_log_t:file create_file_perms;
-allow sysstat_t sysstat_log_t:dir rw_dir_perms;
+manage_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })
 # get info from /proc
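Review bot: The three stunnel_etc_t rules at the top of this hunk (`dir { getattr read search }`, `file { read getattr }`, `lnk_file { getattr read }`) keep the hand-written form while tor.te in the same commit converts exactly this shape to `allow tor_t tor_etc_t:dir list_dir_perms;` plus `read_files_pattern`/`read_lnk_files_pattern`. Converting them here keeps stunnel.te on the same permission-set vocabulary as the rest of the change; tftp.te has the same leftover on tftpdir_t. Note that the named sets may carry a few permissions the raw sets do not (lock, ioctl), so it would be a small widening rather than a pure rename and should be labelled as such.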
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
index 16e8fb1..82958cf 100644
--- a/policy/modules/services/tcpd.if
+++ b/policy/modules/services/tcpd.if
@@ -15,10 +15,5 @@ interface(`tcpd_domtrans',`
 type tcpd_t, tcpd_exec_t;
 ')
- domain_auto_trans($1,tcpd_exec_t,tcpd_t)
- allow $1 tcpd_t:fd use;
- allow tcpd_t $1:fd use;
- allow tcpd_t $1:fifo_file rw_file_perms;
- allow tcpd_t $1:process sigchld;
+ domtrans_pattern($1,tcpd_exec_t,tcpd_t)
 ')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 75803f8..ce7592d 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
 #
 allow tcpd_t self:tcp_socket create_stream_socket_perms;
-allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
-allow tcpd_t tcpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 corenet_non_ipsec_sendrecv(tcpd_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 7f45edb..d731e6b 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t)
 allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
 allow telnetd_t self:process signal_perms;
-allow telnetd_t self:fifo_file rw_file_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
 allow telnetd_t self:tcp_socket connected_stream_socket_perms;
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
@@ -35,15 +35,14 @@ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
 allow telnetd_t self:capability { setuid setgid };
-allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(telnetd_t,telnetd_devpts_t)
-allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
-allow telnetd_t telnetd_tmp_t:file create_file_perms;
+manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
+manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
 files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
-allow telnetd_t telnetd_var_run_t:file create_file_perms;
-allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(telnetd_t,telnetd_var_run_t,telnetd_var_run_t)
 files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
 kernel_read_kernel_sysctls(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index e3013b9..5ed3318 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -32,8 +32,7 @@ allow tftpd_t tftpdir_t:dir { getattr read search };
 allow tftpd_t tftpdir_t:file { read getattr };
 allow tftpd_t tftpdir_t:lnk_file { getattr read };
-allow tftpd_t tftpd_var_run_t:file create_file_perms;
-allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
 files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
 kernel_read_kernel_sysctls(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 4b90878..01b20a5 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -28,11 +28,11 @@ allow timidity_t self:unix_stream_socket create_stream_socket_perms;
 allow timidity_t self:tcp_socket create_stream_socket_perms;
 allow timidity_t self:udp_socket create_socket_perms;
-allow timidity_t timidity_tmpfs_t:dir create_dir_perms;
-allow timidity_t timidity_tmpfs_t:file create_file_perms;
-allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
-allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
-allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_lnk_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_fifo_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_sock_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
 fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_kernel_sysctls(timidity_t)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 7427b97..5c9fd02 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -15,10 +15,5 @@ interface(`tor_domtrans',`
 type tor_t, tor_exec_t;
 ')
- domain_auto_trans($1,tor_exec_t,tor_t)
- allow $1 tor_t:fd use;
- allow tor_t $1:fd use;
- allow tor_t $1:fifo_file rw_file_perms;
- allow tor_t $1:process sigchld;
+ domtrans_pattern($1,tor_exec_t,tor_t)
 ')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 4688c1b..09bd8a5 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -37,28 +37,27 @@ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
 allow tor_t self:tcp_socket create_stream_socket_perms;
 # configuration files
-allow tor_t tor_etc_t:dir r_dir_perms;
-allow tor_t tor_etc_t:file r_file_perms;
-allow tor_t tor_etc_t:lnk_file { getattr read };
+allow tor_t tor_etc_t:dir list_dir_perms;
+read_files_pattern(tor_t,tor_etc_t,tor_etc_t)
+read_lnk_files_pattern(tor_t,tor_etc_t,tor_etc_t)
 # var/lib/tor files
-allow tor_t tor_var_lib_t:file create_file_perms;
-allow tor_t tor_var_lib_t:sock_file create_file_perms;
-allow tor_t tor_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
+manage_files_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
+manage_sock_files_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
 files_usr_filetrans(tor_t,tor_var_lib_t,file)
 files_var_filetrans(tor_t,tor_var_lib_t,{ file dir sock_file })
 files_var_lib_filetrans(tor_t,tor_var_lib_t,file)
 # log files
-allow tor_t tor_var_log_t:file create_file_perms;
-allow tor_t tor_var_log_t:sock_file create_file_perms;
-allow tor_t tor_var_log_t:dir { rw_dir_perms setattr };
+allow tor_t tor_var_log_t:dir setattr;
+manage_files_pattern(tor_t,tor_var_log_t,tor_var_log_t)
+manage_sock_files_pattern(tor_t,tor_var_log_t,tor_var_log_t)
 logging_log_filetrans(tor_t,tor_var_log_t,{ sock_file file dir })
 # pid file
-allow tor_t tor_var_run_t:file manage_file_perms;
-allow tor_t tor_var_run_t:sock_file manage_file_perms;
-allow tor_t tor_var_run_t:dir rw_dir_perms;
+manage_files_pattern(tor_t,tor_var_run_t,tor_var_run_t)
+manage_sock_files_pattern(tor_t,tor_var_run_t,tor_var_run_t)
 files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
 kernel_read_system_state(tor_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index cf35e98..ba4c2b2 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -23,8 +23,7 @@ dontaudit transproxy_t self:capability sys_tty_config;
 allow transproxy_t self:process signal_perms;
 allow transproxy_t self:tcp_socket create_stream_socket_perms;
-allow transproxy_t transproxy_var_run_t:file create_file_perms;
-allow transproxy_t transproxy_var_run_t:dir rw_dir_perms;
+manage_files_pattern(transproxy_t,transproxy_var_run_t,transproxy_var_run_t)
 files_pid_filetrans(transproxy_t,transproxy_var_run_t,file)
 kernel_read_kernel_sysctls(transproxy_t)
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
index 03f11c5..259c13e 100644
--- a/policy/modules/services/ucspitcp.if
+++ b/policy/modules/services/ucspitcp.if
@@ -32,9 +32,7 @@ interface(`ucspitcp_service_domain', `
 role system_r types $1;
 domain_auto_trans(ucspitcp_t, $2, $1)
- allow $1 ucspitcp_t:fd use;
 allow $1 ucspitcp_t:process sigchld;
 allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
 ')
-
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index e514e5d..04650f7 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -23,8 +23,6 @@ role system_r types ucspitcp_t;
 ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
-allow rblsmtpd_t self:process { fork sigchld };
-
 corecmd_search_bin(rblsmtpd_t)
 corenet_tcp_sendrecv_all_if(rblsmtpd_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 0e02460..433c59d 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
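Review bot: `ucspitcp_service_domain` drops `allow $1 ucspitcp_t:fd use;` but keeps `domain_auto_trans(ucspitcp_t, $2, $1)` rather than moving to `domtrans_pattern(ucspitcp_t, $2, $1)` like every other transition in this commit. The removal is only safe if domain_auto_trans itself grants the service domain fd use on its parent; the retained `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` shows the service is expected to work on sockets inherited from ucspitcp_t, and an inherited descriptor the new domain is not allowed to use is not available to it after the transition. Converting to domtrans_pattern would make the fd use grant explicit and bring this interface in line with the rest of the change; the same question applies to the `self:process { fork sigchld }` removal in ucspitcp.te, which relies on those permissions coming from a base domain rule not visible here.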
@@ -33,12 +33,11 @@ files_search_etc(uptimed_t)
 allow uptimed_t uptimed_spool_t:file manage_file_perms;
-allow uptimed_t uptimed_var_run_t:file manage_file_perms;
-allow uptimed_t uptimed_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uptimed_t,uptimed_var_run_t,uptimed_var_run_t)
 files_pid_filetrans(uptimed_t,uptimed_var_run_t,file)
-allow uptimed_t uptimed_spool_t:dir manage_dir_perms;
-allow uptimed_t uptimed_spool_t:file manage_file_perms;
+manage_dirs_pattern(uptimed_t,uptimed_spool_t,uptimed_spool_t)
+manage_files_pattern(uptimed_t,uptimed_spool_t,uptimed_spool_t)
 files_spool_filetrans(uptimed_t,uptimed_spool_t,{ dir file })
 kernel_read_system_state(uptimed_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 7b7dbfa..57d483d 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -17,8 +17,8 @@ interface(`uucp_append_log',`
 ')
 logging_search_logs($1)
- allow $1 uucpd_log_t:dir r_dir_perms;
- allow $1 uucpd_log_t:file { append getattr };
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1,uucpd_log_t,uucpd_log_t)
 ')
 ########################################
@@ -37,9 +37,9 @@ interface(`uucp_manage_spool',`
 ')
 files_search_spool($1)
- allow $1 uucpd_spool_t:dir manage_dir_perms;
- allow $1 uucpd_spool_t:lnk_file create_lnk_perms;
- allow $1 uucpd_spool_t:file manage_file_perms;
+ manage_dirs_pattern($1,uucpd_spool_t,uucpd_spool_t)
+ manage_files_pattern($1,uucpd_spool_t,uucpd_spool_t)
+ manage_lnk_files_pattern($1,uucpd_spool_t,uucpd_spool_t)
 ')
 ########################################
@@ -58,9 +58,5 @@ interface(`uucp_domtrans_uux',`
 type uux_t, uux_exec_t;
 ')
- domain_auto_trans($1,uux_exec_t,uux_t)
- allow uux_t $1:fd use;
- allow uux_t $1:fifo_file rw_file_perms;
- allow uux_t $1:process sigchld;
+ domtrans_pattern($1,uux_exec_t,uux_t)
 ')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 40dc8ec..271d1d7 100644
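Review bot: The context line `allow uptimed_t uptimed_spool_t:file manage_file_perms;` at the top of the uptime.te hunk is now fully covered by the added `manage_files_pattern(uptimed_t,uptimed_spool_t,uptimed_spool_t)` a few lines below, so the same grant is stated twice; drop the standalone line. The duplication predates the commit, but the conversion is the natural place to clean it up so a reader does not look for a difference between the two that is not there.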
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -40,31 +40,30 @@ role system_r types uux_t;
 #
 allow uucpd_t self:capability { setuid setgid };
 allow uucpd_t self:process signal_perms;
-allow uucpd_t self:fifo_file rw_file_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
 allow uucpd_t self:tcp_socket connected_stream_socket_perms;
 allow uucpd_t self:udp_socket create_socket_perms;
 allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow uucpd_t uucpd_log_t:file create_file_perms;
-allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
+allow uucpd_t uucpd_log_t:dir setattr;
+manage_files_pattern(uucpd_t,uucpd_log_t,uucpd_log_t)
 logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })
-allow uucpd_t uucpd_ro_t:dir r_dir_perms;
-allow uucpd_t uucpd_ro_t:file r_file_perms;
-allow uucpd_t uucpd_ro_t:lnk_file { getattr read };
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+read_files_pattern(uucpd_t,uucpd_ro_t,uucpd_ro_t)
+read_lnk_files_pattern(uucpd_t,uucpd_ro_t,uucpd_ro_t)
-allow uucpd_t uucpd_rw_t:dir create_dir_perms;
-allow uucpd_t uucpd_rw_t:file create_file_perms;
-allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
+manage_files_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
 uucp_manage_spool(uucpd_t)
-allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
-allow uucpd_t uucpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(uucpd_t,uucpd_tmp_t,uucpd_tmp_t)
+manage_files_pattern(uucpd_t,uucpd_tmp_t,uucpd_tmp_t)
 files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
-allow uucpd_t uucpd_var_run_t:file create_file_perms;
-allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uucpd_t,uucpd_var_run_t,uucpd_var_run_t)
 files_pid_filetrans(uucpd_t,uucpd_var_run_t,file)
 kernel_read_kernel_sysctls(uucpd_t)
diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if
index f228be9..276996c 100644
--- a/policy/modules/services/uwimap.if
+++ b/policy/modules/services/uwimap.if
@@ -16,10 +16,5 @@ interface(`uwimap_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,imapd_exec_t,imapd_t)
- allow $1 imapd_t:fd use;
- allow imapd_t $1:fd use;
- allow imapd_t $1:fifo_file rw_file_perms;
- allow imapd_t $1:process sigchld;
+ domtrans_pattern($1,imapd_exec_t,imapd_t)
 ')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 408c09d..08cb8fa 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -25,15 +25,14 @@ files_pid_file(imapd_var_run_t)
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
 dontaudit imapd_t self:capability sys_tty_config;
 allow imapd_t self:process signal_perms;
-allow imapd_t self:fifo_file rw_file_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
 allow imapd_t self:tcp_socket create_stream_socket_perms;
-allow imapd_t imapd_tmp_t:dir create_dir_perms;
-allow imapd_t imapd_tmp_t:file create_file_perms;
+manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
 files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-allow imapd_t imapd_var_run_t:file create_file_perms;
-allow imapd_t imapd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
 files_pid_filetrans(imapd_t,imapd_var_run_t,file)
 kernel_read_kernel_sysctls(imapd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 9865075..3c277f0 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -24,16 +24,15 @@ files_pid_file(watchdog_var_run_t)
 allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
 dontaudit watchdog_t self:capability sys_tty_config;
 allow watchdog_t self:process { setsched signal_perms };
-allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
 allow watchdog_t self:unix_stream_socket create_socket_perms;
 allow watchdog_t self:tcp_socket create_stream_socket_perms;
 allow watchdog_t self:udp_socket create_socket_perms;
-allow watchdog_t watchdog_log_t:file create_file_perms;
+allow watchdog_t watchdog_log_t:file manage_file_perms;
 logging_log_filetrans(watchdog_t,watchdog_log_t,file)
-allow watchdog_t watchdog_var_run_t:file create_file_perms;
-allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
+manage_files_pattern(watchdog_t,watchdog_var_run_t,watchdog_var_run_t)
 files_pid_filetrans(watchdog_t,wat��dog_var_run_t,file)
 kernel_read_system_state(watchdog_t)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index d8bf4d1..9513df3 100644
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@@ -16,8 +16,7 @@ interface(`xfs_read_sockets',`
 ')
 files_search_tmp($1)
- allow $1 xfs_tmp_t:dir search;
- allow $1 xfs_tmp_t:sock_file { getattr read };
+ read_sock_files_pattern($1,xfs_tmp_t,xfs_tmp_t)
 ')
 ########################################
@@ -37,12 +36,9 @@ interface(`xfs_stream_connect',`
 ')
 files_search_tmp($1)
- allow $1 xfs_tmp_t:dir search;
- allow $1 xfs_tmp_t:sock_file write;
- allow $1 xfs_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xfs_tmp_t,xfs_tmp_t,xfs_t)
 ')
-
 ########################################
 ##
 ## Allow the specified domain to execute xfs
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index d32efaf..f169179 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -27,18 +27,13 @@ allow xfs_t self:process { signal_perms setpgid };
 allow xfs_t self:unix_stream_socket create_stream_socket_perms;
 allow xfs_t self:unix_dgram_socket create_socket_perms;
-allow xfs_t xfs_tmp_t:dir create_dir_perms;
-allow xfs_t xfs_tmp_t:sock_file create_file_perms;
+manage_dirs_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+manage_sock_files_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
 files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
-allow xfs_t xfs_var_run_t:file create_file_perms;
-allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xfs_t,xfs_var_run_t,xfs_var_run_t)
 files_pid_filetrans(xfs_t,xfs_var_run_t,file)
-# Bind to /tmp/.font-unix/fs-1.
-# cjp: I do not believe this has an effect.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index b9f7ba2..0912878 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -24,8 +24,7 @@ allow xprint_t self:fifo_file rw_file_perms;
 allow xprint_t self:tcp_socket create_stream_socket_perms;
 allow xprint_t self:udp_socket create_socket_perms;
-allow xprint_t xprint_var_run_t:file create_file_perms;
-allow xprint_t xprint_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xprint_t,xprint_var_run_t,xprint_var_run_t)
 files_pid_filetrans(xprint_t,xprint_var_run_t,file)
 kernel_read_system_state(xprint_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 52b8ee4..46bbc13 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
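Review bot: The xprint.te hunk header context `allow xprint_t self:fifo_file rw_file_perms;` shows xprint_t was left on rw_file_perms for its fifo_file while every other module touched by this commit (squid, stunnel, sysstat, telnet, uucp, uwimap, watchdog, and the ssh and xserver templates) moved to the fifo-specific set; change it to `allow xprint_t self:fifo_file rw_fifo_file_perms;` so the permission-set vocabulary is uniform across the change. It is one line away from the lines the hunk already rewrites, so it is cheap to include here rather than in a follow-up.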
@@ -49,8 +49,8 @@ template(`xserver_common_domain_template',`
 dontaudit $1_xserver_t self:capability chown;
 allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow $1_xserver_t self:fd use;
- allow $1_xserver_t self:fifo_file rw_file_perms;
- allow $1_xserver_t self:sock_file r_file_perms;
+ allow $1_xserver_t self:fifo_file rw_fifo_file_perms;
+ allow $1_xserver_t self:sock_file read_sock_file_perms;
 allow $1_xserver_t self:shm create_shm_perms;
 allow $1_xserver_t self:sem create_sem_perms;
 allow $1_xserver_t self:msgq create_msgq_perms;
@@ -61,29 +61,26 @@ template(`xserver_common_domain_template',`
 allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
 allow $1_xserver_t self:udp_socket create_socket_perms;
- allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
- allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
+ manage_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
+ manage_sock_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
 files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
- allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
- type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
+ filetrans_pattern($1_xserver_t,xdm_xserver_tmp_t,$1_xserver_tmp_t,sock_file)
- allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
+ manage_dirs_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_lnk_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_fifo_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_sock_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
 fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
- allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
- allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
+ manage_lnk_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
 files_search_var_lib($1_xserver_t)
 # Create files in /var/log with the xserver_log_t type.
- allow $1_xserver_t xserver_log_t:file manage_file_perms;
- allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
 logging_log_filetrans($1_xserver_t,xserver_log_t,file)
 kernel_read_system_state($1_xserver_t)
@@ -273,36 +270,28 @@ template(`xserver_per_role_template',`
 # $1_xserver_t Local policy
 #
- domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
- allow $1_xserver_t $1_xauth_t:fd use;
- allow $1_xauth_t $1_xserver_t:fd use;
- allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
- allow $1_xauth_t $1_xserver_t:process sigchld;
+ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
 allow $1_xserver_t $1_xauth_home_t:file { getattr read };
- domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
- allow $2 $1_xserver_t:fd use;
- allow $1_xserver_t $2:fd use;
- allow $1_xserver_t $2:fifo_file rw_file_perms;
- allow $1_xserver_t $2:process { signal sigchld };
+ domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
+ allow $1_xserver_t $2:process signal;
 allow $1_xserver_t $2:shm rw_shm_perms;
- allow $2 $1_fonts_t:dir manage_dir_perms;
- allow $2 $1_fonts_t:file manage_file_perms;
- allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+ manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+ relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
- allow $2 $1_fonts_config_t:dir manage_dir_perms;
- allow $2 $1_fonts_config_t:file manage_file_perms;
- allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+ manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+ manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+ relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
 # For startup relabel
 allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
- allow $2 $1_xserver_tmp_t:dir r_dir_perms;
- allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
- allow $2 $1_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
 allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
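Review bot: `stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)` narrows what the user domain may do with the X server's tmp type: the removed lines gave `$2` `dir r_dir_perms` and `sock_file rw_file_perms`, while the pattern, judging by the `dir search` / `sock_file write` rules it replaces in xfs.if and elsewhere in this commit, grants only search on the directory and write on the socket. Losing read/getattr on the directory and socket is probably harmless for connecting, but this is the one conversion in the commit that tightens rather than renames, so it deserves a line in the commit message or a check that nothing in the user session lists that directory. `allow $1_xserver_t $2:process signal;` correctly keeps the signal permission from the old `{ signal sigchld }` rule, and `# For startup relabel` still uses the raw `{ relabelto relabelfrom }` form directly beneath the new relabel_*_pattern calls. xserver_per_role_template continues outside the hunk.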
@@ -343,22 +332,16 @@ template(`xserver_per_role_template',`
 allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
- allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
- allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
+ manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
- domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
- allow $2 $1_xauth_t:fd use;
- allow $1_xauth_t $2:fd use;
- allow $1_xauth_t $2:fifo_file rw_file_perms;
- allow $1_xauth_t $2:process sigchld;
+ domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 allow $2 $1_xauth_t:process signal;
 # allow ps to show xauth
- allow $2 $1_xauth_t:dir { search getattr read };
- allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
- allow $2 $1_xauth_t:process getattr;
+ ps_process_pattern($2,$1_xauth_t)
 allow $2 $1_xauth_home_t:file manage_file_perms;
 allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@@ -408,19 +391,13 @@ template(`xserver_per_role_template',`
 # $1_iceauth_t Local policy
 #
- domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
- allow $2 $1_iceauth_t:fd use;
- allow $1_iceauth_t $2:fd use;
- allow $1_iceauth_t $2:fifo_file rw_file_perms;
- allow $1_iceauth_t $2:process sigchld;
+ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
 allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
 # allow ps to show iceauth
- allow $2 $1_iceauth_t:dir { search getattr read };
- allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
- allow $2 $1_iceauth_t:process getattr;
+ ps_process_pattern($2,$1_iceauth_t)
 allow $2 $1_iceauth_home_t:file manage_file_perms;
 allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
@@ -485,7 +462,7 @@ template(`xserver_ro_session_template',`
 # Client read xserver shm
 allow $2 $1_xserver_t:fd use;
 allow $2 $1_xserver_t:shm r_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+ allow $2 $1_xserver_tmpfs_t:file read_file_perms;
 ')
 #######################################
@@ -622,8 +599,8 @@ template(`xserver_use_user_fonts',`
 allow $2 $1_fonts_t:file read_file_perms;
 # Manipulate the global font cache
- allow $2 $1_fonts_cache_t:dir manage_dir_perms;
- allow $2 $1_fonts_cache_t:file manage_file_perms;
+ manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
+ manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
 # Read per user font config
 allow $2 $1_fonts_config_t:dir list_dir_perms;
@@ -662,11 +639,7 @@ template(`xserver_domtrans_user_xauth',`
 type $1_xauth_t, xauth_exec_t;
 ')
- domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
- allow $2 $1_xauth_t:fd use;
- allow $1_xauth_t $2:fd use;
- allow $1_xauth_t $2:fifo_file rw_file_perms;
- allow $1_xauth_t $2:process sigchld;
+ domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 ')
 ########################################
@@ -690,8 +663,8 @@ interface(`xserver_use_all_users_fonts',`
 allow $1 fonts_type:file read_file_perms;
 # Manipulate the global font cache
- allow $1 fonts_cache_type:dir manage_dir_perms;
- allow $1 fonts_cache_type:file manage_file_perms;
+ manage_dirs_pattern($1,fonts_cache_type,fonts_cache_type)
+ manage_files_pattern($1,fonts_cache_type,fonts_cache_type)
 # Read per user font config
 allow $1 fonts_config_type:dir list_dir_perms;
@@ -828,9 +801,7 @@ interface(`xserver_stream_connect_xdm',`
 ')
 files_search_tmp($1)
- allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:sock_file write;
- allow $1 xdm_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xdm_tmp_t,xdm_tmp_t,xdm_t)
 ')
 ########################################
@@ -849,7 +820,7 @@ interface(`xserver_read_xdm_rw_config',`
 ')
 files_search_etc($1)
- allow $1 xdm_rw_etc_t:dir { getattr read };
+ allow $1 xdm_rw_etc_t:file { getattr read };
 ')
 ########################################
@@ -887,8 +858,8 @@ interface(`xserver_create_xdm_tmp_sockets',`
 ')
 files_search_tmp($1)
- allow $1 xdm_tmp_t:dir ra_dir_perms;
- allow $1 xdm_tmp_t:sock_file create;
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
 ')
 ########################################
@@ -907,7 +878,7 @@ interface(`xserver_read_xdm_pid',`
 ')
 files_search_pids($1)
- allow $1 xdm_var_run_t:file r_file_perms;
+ allow $1 xdm_var_run_t:file read_file_perms;
 ')
 ########################################
@@ -943,12 +914,7 @@ interface(`xserver_domtrans_xdm_xserver',`
 type xdm_xserver_t, xserver_exec_t;
 ')
- domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
- allow $1 xdm_xserver_t:fd use;
- allow xdm_xserver_t $1:fd use;
- allow xdm_xserver_t $1:fifo_file rw_file_perms;
- allow xdm_xserver_t $1:process sigchld;
+ domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
 ')
 ########################################
@@ -1061,8 +1027,8 @@ interface(`xserver_delete_log',`
 ')
 logging_search_logs($1)
- allow $1 xserver_log_t:dir rw_dir_perms;
- allow $1 xserver_log_t:file unlink;
+ allow $1 xserver_log_t:dir list_dir_perms;
+ delete_files_pattern($1,xserver_log_t,xserver_log_t)
 ')
 ########################################
@@ -1082,8 +1048,8 @@ interface(`xserver_read_xkb_libs',`
 files_search_var_lib($1)
 allow $1 xkb_var_lib_t:dir list_dir_perms;
- allow $1 xkb_var_lib_t:file r_file_perms;
- allow $1 xkb_var_lib_t:lnk_file { getattr read };
+ read_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
+ read_lnk_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
 ')
 ########################################
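Review bot: In `xserver_read_xdm_rw_config` the replacement rule `allow $1 xdm_rw_etc_t:file { getattr read };` changes the object class from `dir` to `file` and drops every directory permission, so a caller that only has `files_search_etc($1)` cannot traverse an `xdm_rw_etc_t` directory (the xserver.te hunk describes it as wdm's own config dir under /etc/X11) to reach the files inside. This is a semantic fix rather than the mechanical pattern conversion the Changelog entry describes, and it should use the form the rest of the commit uses, `read_files_pattern($1,xdm_rw_etc_t,xdm_rw_etc_t)`, which grants directory search together with file read. The interface's summary block is outside the hunk.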
@@ -1119,8 +1085,7 @@ interface(`xserver_read_xdm_tmp_files',`
 type xdm_tmp_t;
 ')
- allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:file { getattr read };
+ read_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
 ')
 ########################################
@@ -1195,7 +1160,5 @@ interface(`xserver_stream_connect_xdm_xserver',`
 ')
 files_search_tmp($1)
- allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
- allow $1 xdm_xserver_tmp_t:sock_file write;
- allow $1 xdm_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fd266ef..f9a44da 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -83,7 +83,7 @@ optional_policy(`
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -100,9 +100,9 @@ dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-allow xdm_t xdm_tmp_t:file manage_file_perms;
-allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
 # Allow gdm to run gdm-binary
@@ -110,8 +110,7 @@ can_exec(xdm_t, xdm_exec_t)
 # wdm has its own config dir /etc/X11/wdm
 # this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
+manage_files_pattern(xdm_t,xdm_rw_etc_t,xdm_rw_etc_t)
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
@@ -221,23 +220,23 @@ userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 ifdef(`strict_policy',`
- allow xdm_t xdm_lock_t:file create_file_perms;
+ allow xdm_t xdm_lock_t:file manage_file_perms;
 files_lock_filetrans(xdm_t,xdm_lock_t,file)
- allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
- allow xdm_t xdm_tmpfs_t:file manage_file_perms;
- allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
- allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
- allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow xdm_t xdm_var_lib_t:file create_file_perms;
- allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+ manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
+ manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
 files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
- allow xdm_t xdm_var_run_t:dir manage_dir_perms;
- allow xdm_t xdm_var_run_t:file manage_file_perms;
- allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+ manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+ manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
 allow xdm_t xdm_xserver_t:process signal;
@@ -247,28 +246,22 @@ ifdef(`strict_policy',`
 allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
 # transition to the xdm xserver
- domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
- allow xdm_t xdm_xserver_t:fd use;
- allow xdm_xserver_t xdm_t:fd use;
- allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
- allow xdm_xserver_t xdm_t:process { signal sigchld };
+ domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
+ allow xdm_xserver_t xdm_t:process signal;
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
 # connect to xdm xserver over stream socket
- allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
- allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
- allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 # Remove /tmp/.X11-unix/X0.
- allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
- allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
- allow xdm_t xdm_xserver_tmp_t:file unlink;
+ delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
- allow xdm_t xserver_log_t:dir manage_dir_perms;
- allow xdm_t xserver_log_t:file manage_file_perms;
- allow xdm_t xserver_log_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
+ manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
+ manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
 logging_log_filetrans(xdm_t,xserver_log_t,file)
 auth_domtrans_pam_console(xdm_t)
@@ -387,10 +380,9 @@ dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 allow xdm_xserver_t xdm_var_run_t:file { getattr read };
 # Label pid and temporary files with derived types.
-allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
-allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
-allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
-allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
+manage_lnk_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
 # Run xkbcomp.
 allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
@@ -459,7 +451,7 @@ dontaudit xdm_t usr_t:file write;
 ifdef(`rhgb.te', `
 allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow xdm_xserver_t ramfs_t:file manage_file_perms;
 allow rhgb_t xdm_xserver_t:process signal;
 ')
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 8f23864..398ad93 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -17,7 +17,7 @@ interface(`zebra_read_config',`
 ')
 files_search_etc($1)
- allow $1 zebra_conf_t:file r_file_perms;
- allow $1 zebra_conf_t:dir r_dir_perms;
- allow $1 zebra_conf_t:lnk_file r_file_perms;
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ read_files_pattern($1,zebra_conf_t,zebra_conf_t)
+ read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t)
 ')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index e835d70..0c7f518 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -38,22 +38,21 @@ allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t zebra_conf_t:dir r_dir_perms;
-allow zebra_t zebra_conf_t:file r_file_perms;
-allow zebra_t zebra_conf_t:lnk_file { getattr read };
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
+read_lnk_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
-allow zebra_t zebra_log_t:file create_file_perms;
-allow zebra_t zebra_log_t:sock_file create_file_perms;
-allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
+manage_sock_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
 logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
 # /tmp/.bgpd is such a bad idea!
-allow zebra_t zebra_tmp_t:sock_file create_file_perms;
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
-allow zebra_t zebra_var_run_t:file manage_file_perms;
-allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
-allow zebra_t zebra_var_run_t:dir rw_dir_perms;
+manage_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
+manage_sock_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
 files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
 kernel_read_system_state(zebra_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c8e06f8..d39159e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -27,9 +27,10 @@ template(`authlogin_common_auth_domain_template',`
 domain_type($1_chkpwd_t)
 domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
+ allow $1_chkpwd_t self:capability { audit_control setuid };
 allow $1_chkpwd_t self:process getattr;
- allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ send_audit_msgs_pattern($1_chkpwd_t)
 files_list_etc($1_chkpwd_t)
 allow $1_chkpwd_t shadow_t:file { getattr read };
@@ -113,10 +114,7 @@ template(`authlogin_per_role_template',`
 dontaudit $2 shadow_t:file { getattr read };
 # Transition from the user domain to this domain.
- domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
- allow $1_chkpwd_t $2:fd use;
- allow $1_chkpwd_t $2:fifo_file rw_file_perms;
- allow $1_chkpwd_t $2:process sigchld;
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
 domain_use_interactive_fds($1_chkpwd_t)
@@ -159,23 +157,15 @@ template(`auth_domtrans_user_chk_passwd',`
 type system_chkpwd_t, chkpwd_exec_t;
 ')
- domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
- allow $2 system_chkpwd_t:fd use;
- allow system_chkpwd_t $2:fd use;
- allow system_chkpwd_t $2:fifo_file rw_file_perms;
- allow system_chkpwd_t $2:process sigchld;
+ corecmd_search_bin($2)
+ domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t)
 ',`
 gen_require(`
 type $1_chkpwd_t, chkpwd_exec_t;
 ')
 corecmd_search_bin($2)
- domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
- allow $2 $1_chkpwd_t:fd use;
- allow $1_chkpwd_t $2:fd use;
- allow $1_chkpwd_t $2:fifo_file rw_file_perms;
- allow $1_chkpwd_t $2:process sigchld;
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
 ')
 ')
@@ -274,10 +264,7 @@ interface(`auth_domtrans_login_program',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1,login_exec_t,$2)
- allow $2 $1:fd use;
- allow $2 $1:fifo_file rw_file_perms;
- allow $2 $1:process sigchld;
+ domtrans_pattern($1,login_exec_t,$2)
 ')
 ########################################
@@ -332,15 +319,12 @@ interface(`auth_domtrans_chk_passwd',`
 type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 ')
-
- allow $1 self:capability { audit_write audit_control };
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ # cjp: is this really needed?
+ allow $1 self:capability audit_control;
+ send_audit_msgs_pattern($1)
 corecmd_search_sbin($1)
- domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
- allow system_chkpwd_t $1:fd use;
- allow system_chkpwd_t $1:fifo_file rw_file_perms;
- allow system_chkpwd_t $1:process sigchld;
+ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 dontaudit $1 shadow_t:file { getattr read };
@@ -473,7 +457,7 @@ interface(`auth_tunable_read_shadow',`
 ')
 files_list_etc($1)
- allow $1 shadow_t:file r_file_perms;
+ allow $1 shadow_t:file read_file_perms;
 ')
 ########################################
@@ -615,7 +599,7 @@ interface(`auth_append_faillog',`
 ')
 logging_search_logs($1)
- allow $1 faillog_t:file { getattr append };
+ allow $1 faillog_t:file append_file_perms;
 ')
 ########################################
@@ -654,7 +638,7 @@ interface(`auth_read_lastlog',`
 ')
 logging_search_logs($1)
- allow $1 lastlog_t:file { getattr read };
+ allow $1 lastlog_t:file read_file_perms;
 ')
 #######################################
@@ -673,7 +657,7 @@ interface(`auth_append_lastlog',`
 ')
 logging_search_logs($1)
- allow $1 lastlog_t:file { getattr lock append };
+ allow $1 lastlog_t:file { append_file_perms lock };
 ')
 #######################################
@@ -692,7 +676,7 @@ interface(`auth_rw_lastlog',`
 ')
 logging_search_logs($1)
- allow $1 lastlog_t:file { getattr read write lock setattr };
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
 ')
 ########################################
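Review bot: `allow $1 self:capability audit_control;` is kept for every caller of `auth_domtrans_chk_passwd` with only `# cjp: is this really needed?` as justification, and audit_control is the capability that permits changing audit rules and enabling or disabling auditing, not merely emitting records — emitting is what `send_audit_msgs_pattern($1)` now covers in place of the removed `audit_write` capability and `netlink_audit_socket` rule. Shipping an open question as an allow rule widens every domain that authenticates through this interface; either drop the line, or if a denial is actually observed (a libaudit probe is a plausible but unverified cause), silence it without granting it: `dontaudit $1 self:capability audit_control;`. The `authlogin_common_auth_domain_template` hunk earlier in this file keeps the same `audit_control` for `$1_chkpwd_t` and deserves the same question.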
@@ -710,10 +694,7 @@ interface(`auth_domtrans_pam',`
 type pam_t, pam_exec_t;
 ')
- domain_auto_trans($1,pam_exec_t,pam_t)
- allow pam_t $1:fd use;
- allow pam_t $1:fifo_file rw_file_perms;
- allow pam_t $1:process sigchld;
+ domtrans_pattern($1,pam_exec_t,pam_t)
 ')
 ########################################
@@ -803,7 +784,7 @@ interface(`auth_read_pam_pid',`
 files_search_pids($1)
 allow $1 pam_var_run_t:dir list_dir_perms;
- allow $1 pam_var_run_t:file r_file_perms;
+ allow $1 pam_var_run_t:file read_file_perms;
 ')
 #######################################
@@ -840,8 +821,8 @@ interface(`auth_delete_pam_pid',`
 ')
 files_search_pids($1)
- allow $1 pam_var_run_t:dir { getattr search read write remove_name };
- allow $1 pam_var_run_t:file { getattr unlink };
+ allow $1 pam_var_run_t:dir del_entry_dir_perms;
+ allow $1 pam_var_run_t:file delete_file_perms;
 ')
 ########################################
@@ -879,10 +860,7 @@ interface(`auth_domtrans_pam_console',`
 type pam_console_t, pam_console_exec_t;
 ')
- domain_auto_trans($1,pam_console_exec_t,pam_console_t)
- allow pam_console_t $1:fd use;
- allow pam_console_t $1:fifo_file rw_file_perms;
- allow pam_console_t $1:process sigchld;
+ domtrans_pattern($1,pam_console_exec_t,pam_console_t)
 ')
 ########################################
@@ -942,7 +920,7 @@ interface(`auth_read_pam_console_data',`
 files_search_pids($1)
 allow $1 pam_var_console_t:dir list_dir_perms;
- allow $1 pam_var_console_t:file r_file_perms;
+ allow $1 pam_var_console_t:file read_file_perms;
 ')
 ########################################
@@ -962,9 +940,8 @@ interface(`auth_manage_pam_console_data',`
 ')
 files_search_pids($1)
- allow $1 pam_var_console_t:dir rw_dir_perms;
- allow $1 pam_var_console_t:file manage_file_perms;
- allow $1 pam_var_console_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,pam_var_console_t,pam_var_console_t)
+ manage_lnk_files_pattern($1,pam_var_console_t,pam_var_console_t)
 ')
 #######################################
@@ -984,8 +961,7 @@ interface(`auth_delete_pam_console_data',`
 files_search_var($1)
 files_search_pids($1)
- allow $1 pam_var_console_t:dir rw_dir_perms;
- allow $1 pam_var_console_t:file unlink;
+ delete_files_pattern($1,pam_var_console_t,pam_var_console_t)
 ')
 ########################################
@@ -1131,10 +1107,7 @@ interface(`auth_domtrans_utempter',`
 type utempter_t, utempter_exec_t;
 ')
- domain_auto_trans($1,utempter_exec_t,utempter_t)
- allow utempter_t $1:fd use;
- allow utempter_t $1:fifo_file rw_file_perms;
- allow utempter_t $1:process sigchld;
+ domtrans_pattern($1,utempter_exec_t,utempter_t)
 ')
 ########################################
@@ -1221,7 +1194,7 @@ interface(`auth_read_login_records',`
 ')
 logging_search_logs($1)
- allow $1 wtmp_t:file r_file_perms;
+ allow $1 wtmp_t:file read_file_perms;
 ')
 ########################################
@@ -1258,7 +1231,8 @@ interface(`auth_append_login_records',`
 type wtmp_t;
 ')
- allow $1 wtmp_t:file { getattr append lock };
+ allow $1 wtmp_t:file append_file_perms;
+ logging_search_logs($1)
 ')
 #######################################
@@ -1276,7 +1250,7 @@ interface(`auth_write_login_records',`
 type wtmp_t;
 ')
- allow $1 wtmp_t:file { write lock };
+ allow $1 wtmp_t:file { write_file_perms lock };
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e8436f4..05d3e3c 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -88,8 +88,8 @@ allow pam_t self:sem create_sem_perms;
 allow pam_t self:msgq create_msgq_perms;
 allow pam_t self:msg { send receive };
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
+delete_files_pattern(pam_t,pam_var_run_t,pam_var_run_t)
+read_files_pattern(pam_t,pam_var_run_t,pam_var_run_t)
 files_list_pids(pam_t)
 allow pam_t pam_tmp_t:dir manage_dir_perms;
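Review bot: In `auth_append_login_records` the new rule `allow $1 wtmp_t:file append_file_perms;` drops the `lock` permission that the removed `{ getattr append lock }` granted, while the sibling `auth_append_lastlog` hunk in this same file writes `{ append_file_perms lock }` explicitly — which indicates `append_file_perms` does not include `lock`, so a domain that locks wtmp before appending will start hitting denials. Make it `allow $1 wtmp_t:file { append_file_perms lock };`. The added `logging_search_logs($1)` is a real improvement, but the other interfaces in this file place the search call before the allow rule rather than after it.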
@@ -137,9 +137,8 @@ dontaudit pam_console_t self:capability sys_tty_config;
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
 # for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir list_dir_perms;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };
-allow pam_console_t pam_var_console_t:file r_file_perms;
+read_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t)
+read_lnk_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t)
 dontaudit pam_console_t pam_var_console_t:file write;
 kernel_read_kernel_sysctls(pam_console_t)
@@ -252,8 +251,6 @@ optional_policy(`
 # System check password local policy
 #
-allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
 allow system_chkpwd_t shadow_t:file { getattr read };
 corecmd_search_sbin(system_chkpwd_t)
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 1a2437d..2665fac 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -15,12 +15,7 @@ interface(`clock_domtrans',`
 type hwclock_t, hwclock_exec_t;
 ')
- domain_auto_trans($1,hwclock_exec_t,hwclock_t)
-
- allow $1 hwclock_t:fd use;
- allow hwclock_t $1:fd use;
- allow hwclock_t $1:fifo_file rw_file_perms;
- allow hwclock_t $1:process sigchld;
+ domtrans_pattern($1,hwclock_exec_t,hwclock_t)
 ')
 ########################################
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 84c947c..5a69e98 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
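Review bot: Directory listing of /var/run/console is lost in the pam_console_t hunk: `read_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t)` replaces `allow pam_console_t pam_var_console_t:dir list_dir_perms;`, and elsewhere in this commit that pattern stands in for `dir search_dir_perms` plus file read (`xserver_read_xdm_tmp_files`), not for listing. The other read conversions in this commit (zebra_conf_t, hotplug_etc_t, xkb_var_lib_t) keep an explicit `list_dir_perms` line beside the pattern, and this one should too: `allow pam_console_t pam_var_console_t:dir list_dir_perms;`. Whether pam_console actually enumerates the directory rather than stat'ing `console.lock` is not visible here, so if the drop is deliberate the `# for /var/run/console.lock checking` comment should say so. In the system_chkpwd_t hunk the removed `netlink_audit_socket` rule is presumably now supplied by the template's `send_audit_msgs_pattern`, but that dependency is not visible from this file and merits a one-line comment.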
@@ -21,12 +21,13 @@ role system_r types hwclock_t;
 # Give hwclock the capabilities it requires. dac_override is a surprise,
 # but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config audit_write };
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
 dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow hwclock_t self:fifo_file { getattr read write };
+send_audit_msgs_pattern(hwclock_t)
+
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index d3227c2..17b5f8f 100644
--- a/policy/modules/system/daemontools.if
+++ b/policy/modules/system/daemontools.if
@@ -68,12 +68,7 @@ interface(`daemontools_domtrans_start',`
 type svc_start_t, svc_start_exec_t;
 ')
- domain_auto_trans($1, svc_start_exec_t, svc_start_t)
-
- allow $1 svc_start_t:fd use;
- allow svc_start_t $1:fd use;
- allow svc_start_t $1:fifo_file rw_file_perms;
- allow svc_start_t $1:process sigchld;
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
 ')
 ########################################
@@ -91,12 +86,7 @@ interface(`daemontools_domtrans_run',`
 type svc_run_t, svc_run_exec_t;
 ')
- domain_auto_trans($1, svc_run_exec_t, svc_run_t)
-
- allow $1 svc_run_t:fd use;
- allow svc_run_t $1:fd use;
- allow svc_run_t $1:fifo_file rw_file_perms;
- allow svc_run_t $1:process sigchld;
+ domtrans_pattern($1, svc_run_exec_t, svc_run_t)
 ')
 ########################################
@@ -114,12 +104,7 @@ interface(`daemontools_domtrans_multilog',`
 type svc_multilog_t, svc_multilog_exec_t;
 ')
- domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
-
- allow $1 svc_multilog_t:fd use;
- allow svc_multilog_t $1:fd use;
- allow svc_multilog_t $1:fifo_file rw_file_perms;
- allow svc_multilog_t $1:process sigchld;
+ domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
 ')
 ########################################
@@ -138,8 +123,8 @@ interface(`daemontools_read_svc',`
 type svc_svc_t;
 ')
- allow $1 svc_svc_t:dir r_dir_perms;
- allow $1 svc_svc_t:file r_file_perms;
+ allow $1 svc_svc_t:dir list_dir_perms;
+ allow $1 svc_svc_t:file read_file_perms;
 ')
 ########################################
@@ -158,8 +143,8 @@ interface(`daemontools_manage_svc',`
 type svc_svc_t;
 ')
- allow $1 svc_svc_t:dir create_dir_perms;
- allow $1 svc_svc_t:fifo_file create_file_perms;
- allow $1 svc_svc_t:file create_file_perms;
+ allow $1 svc_svc_t:dir manage_dir_perms;
+ allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
+ allow $1 svc_svc_t:file manage_file_perms;
 allow $1 svc_svc_t:lnk_file { read create };
 ')
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
index 271bb12..5c41123 100644
--- a/policy/modules/system/daemontools.te
+++ b/policy/modules/system/daemontools.te
@@ -39,8 +39,7 @@ files_type(svc_svc_t)
 #
 # multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
-allow svc_multilog_t svc_svc_t:file create_file_perms;
+manage_files_pattern(svc_multilog_t,svc_svc_t,svc_svc_t)
 init_use_fds(svc_multilog_t)
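Review bot: `allow $1 svc_svc_t:lnk_file { read create };` is left untouched in `daemontools_manage_svc` while the dir, fifo_file and file rules directly above it move to `manage_*_perms`, so an interface named manage lets callers create symlinks under svc_svc_t but never unlink, rename or relabel them. If that asymmetry is intentional a comment on that line should say why; otherwise `allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;` matches the three converted lines above it and the `manage_lnk_files_pattern` calls used elsewhere in this commit.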
@@ -61,11 +60,11 @@ daemontools_ipc_domain(svc_multilog_t)
 allow svc_run_t self:capability { setgid setuid chown fsetid };
 allow svc_run_t self:process setrlimit;
-allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:fifo_file rw_fifo_file_perms;
 allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-allow svc_run_t svc_conf_t:dir r_dir_perms;
-allow svc_run_t svc_conf_t:file r_file_perms;
+allow svc_run_t svc_conf_t:dir list_dir_perms;
+allow svc_run_t svc_conf_t:file read_file_perms;
 can_exec(svc_run_t svc_run_exec_t)
@@ -102,7 +101,7 @@ optional_policy(`
 allow svc_start_t svc_run_t:process signal;
-allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:fifo_file rw_fifo_file_perms;
 allow svc_start_t self:capability kill;
 allow svc_start_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 781d949..01a5a77 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -16,12 +16,7 @@ interface(`fstools_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,fsadm_exec_t,fsadm_t)
-
- allow $1 fsadm_t:fd use;
- allow fsadm_t $1:fd use;
- allow fsadm_t $1:fifo_file rw_file_perms;
- allow fsadm_t $1:process sigchld;
+ domtrans_pattern($1,fsadm_exec_t,fsadm_t)
 ')
 ########################################
@@ -109,7 +104,7 @@ interface(`fstools_manage_entry_files',`
 type fsadm_exec_t;
 ')
- allow $1 fsadm_exec_t:file create_file_perms;
+ allow $1 fsadm_exec_t:file manage_file_perms;
 ')
 ########################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b637c6a..e3ed20b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
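Review bot: `allow $1 fsadm_exec_t:file manage_file_perms;` in `fstools_manage_entry_files` hands the caller write, unlink and rename over the binaries that are the entrypoints into fsadm_t, which in practice lets that caller decide what code runs as fsadm_t; whether the old `create_file_perms` already implied write is not visible here, and the Changelog says this commit changes that set's meaning, so the widening should be stated rather than incidental. Add a comment above the rule naming the intended callers and the consequence, e.g. `# Full control of fsadm_t entrypoints: callers can replace what runs as fsadm_t; grant only to package installers.`. The interface's summary block is outside the hunk.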
@@ -43,13 +43,13 @@ allow fsadm_t self:msg { send receive };
 can_exec(fsadm_t, fsadm_exec_t)
-allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
-allow fsadm_t fsadm_tmp_t:file create_file_perms;
+allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+allow fsadm_t fsadm_tmp_t:file manage_file_perms;
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 # log files
-allow fsadm_t fsadm_log_t:file manage_file_perms;
-allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
+allow fsadm_t fsadm_log_t:dir setattr;
+manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t)
 logging_log_filetrans(fsadm_t,fsadm_log_t,file)
 # Enable swapping to files
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index f60389d..a49363d 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -16,12 +16,7 @@ interface(`getty_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,getty_exec_t,getty_t)
-
- allow $1 getty_t:fd use;
- allow getty_t $1:fd use;
- allow getty_t $1:fifo_file rw_file_perms;
- allow getty_t $1:process sigchld;
+ domtrans_pattern($1,getty_exec_t,getty_t)
 ')
 ########################################
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 9d92dba..96f011a 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -37,23 +37,21 @@ allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_c
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid getsession signal_perms };
-allow getty_t getty_etc_t:dir r_dir_perms;
-allow getty_t getty_etc_t:file r_file_perms;
-allow getty_t getty_etc_t:lnk_file { getattr read };
+read_files_pattern(getty_t,getty_etc_t,getty_etc_t)
+read_lnk_files_pattern(getty_t,getty_etc_t,getty_etc_t)
 files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
-allow getty_t getty_lock_t:file create_file_perms;
+allow getty_t getty_lock_t:file manage_file_perms;
 files_lock_filetrans(getty_t,getty_lock_t,file)
-allow getty_t getty_log_t:file create_file_perms;
+allow getty_t getty_log_t:file manage_file_perms;
 logging_log_filetrans(getty_t,getty_log_t,file)
-allow getty_t getty_tmp_t:file create_file_perms;
-allow getty_t getty_tmp_t:dir create_dir_perms;
+allow getty_t getty_tmp_t:file manage_file_perms;
+allow getty_t getty_tmp_t:dir manage_dir_perms;
 files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
-allow getty_t getty_var_run_t:file create_file_perms;
-allow getty_t getty_var_run_t:dir rw_dir_perms;
+manage_files_pattern(getty_t,getty_var_run_t,getty_var_run_t)
 files_pid_filetrans(getty_t,getty_var_run_t,file)
 kernel_list_proc(getty_t)
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index 707499c..f325978 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -16,12 +16,7 @@ interface(`hostname_domtrans',`
 ')
 corecmd_search_bin($1)
- domain_auto_trans($1,hostname_exec_t,hostname_t)
-
- allow $1 hostname_t:fd use;
- allow hostname_t $1:fd use;
- allow hostname_t $1:fifo_file rw_file_perms;
- allow hostname_t $1:process sigchld;
+ domtrans_pattern($1,hostname_exec_t,hostname_t)
 ')
 ########################################
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 9c8ea78..9d1b4a0 100644
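Review bot: In the getty.te hunk the removed `allow getty_t getty_etc_t:dir r_dir_perms;` has no directory rule beside its replacement, while the parallel conversions in this commit (hotplug.te, ipsec.te, logging.if on this page) put `allow X X_etc_t:dir list_dir_perms;` next to `read_files_pattern`. Unless read_files_pattern itself grants listing on the directory — nothing on this page shows its expansion — getty_t keeps only search on getty_etc_t directories and can no longer enumerate them. Suggested: `allow getty_t getty_etc_t:dir list_dir_perms;` alongside the two pattern calls. The lock/log/tmp lines in the same hunk widen create_file_perms to manage_file_perms, which the Changelog entry at the top of the commit announces.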
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -19,12 +19,7 @@ interface(`hotplug_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,hotplug_exec_t,hotplug_t)
-
- allow $1 hotplug_t:fd use;
- allow hotplug_t $1:fd use;
- allow hotplug_t $1:fifo_file rw_file_perms;
- allow hotplug_t $1:process sigchld;
+ domtrans_pattern($1,hotplug_exec_t,hotplug_t)
 ')
 ########################################
@@ -135,7 +130,7 @@ interface(`hotplug_search_config',`
 type hotplug_etc_t;
 ')
- allow $1 hotplug_etc_t:dir { getattr search };
+ allow $1 hotplug_etc_t:dir search_dir_perms;
 ')
 ########################################
@@ -155,9 +150,9 @@ interface(`hotplug_read_config',`
 ')
 files_search_etc($1)
- allow $1 hotplug_etc_t:file r_file_perms;
- allow $1 hotplug_etc_t:dir r_dir_perms;
- allow $1 hotplug_etc_t:lnk_file r_file_perms;
+ allow $1 hotplug_etc_t:dir list_dir_perms;
+ read_files_pattern($1,hotplug_etc_t,hotplug_etc_t)
+ read_lnk_files_pattern($1,hotplug_etc_t,hotplug_etc_t)
 ')
 ########################################
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 8207e2f..4c258f6 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -33,15 +33,14 @@ allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 allow hotplug_t self:tcp_socket connected_stream_socket_perms;
-allow hotplug_t hotplug_etc_t:file r_file_perms;
-allow hotplug_t hotplug_etc_t:dir r_dir_perms;
-allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
+read_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
+read_lnk_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
 can_exec(hotplug_t,hotplug_etc_t)
+allow hotplug_t hotplug_etc_t:dir list_dir_perms;
 can_exec(hotplug_t,hotplug_exec_t)
-allow hotplug_t hotplug_var_run_t:file manage_file_perms;
-allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
+manage_files_pattern(hotplug_t,hotplug_var_run_t,hotplug_var_run_t)
 files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
 kernel_sigchld(hotplug_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index c6d853f..e6daaf3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -26,12 +26,7 @@ interface(`init_domain',`
 role system_r types $1;
- domain_auto_trans(init_t,$2,$1)
-
- allow $1 init_t:fd use;
- allow init_t $1:fd use;
- allow $1 init_t:fifo_file rw_file_perms;
- allow $1 init_t:process sigchld;
+ domtrans_pattern(init_t,$2,$1)
 ifdef(`hide_broken_symptoms',`
 # RHEL4 systems seem to have a stray
@@ -111,13 +106,8 @@ interface(`init_daemon_domain',`
 role system_r types $1;
 ifdef(`direct_sysadm_daemon',`
- domain_auto_trans(direct_run_init,$2,$1)
-
- allow direct_run_init $1:fd use;
+ domtrans_pattern(direct_run_init,$2,$1)
 allow direct_run_init $1:process { noatsecure siginh rlimitinh };
- allow $1 direct_run_init:fd use;
- allow $1 direct_run_init:fifo_file rw_file_perms;
- allow $1 direct_run_init:process sigchld;
 typeattribute $1 direct_init;
 typeattribute $2 direct_init_entry;
@@ -143,20 +133,11 @@ interface(`init_daemon_domain',`
 can_exec(initrc_t,$2)
 can_exec(direct_run_init,$2)
 } else {
- domain_auto_trans(initrc_t,$2,$1)
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
+ domtrans_pattern(initrc_t,$2,$1)
 allow initrc_t $1:process { noatsecure siginh rlimitinh };
 }
 ',`
- domain_auto_trans(initrc_t,$2,$1)
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
- dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+ domtrans_pattern(initrc_t,$2,$1)
 ')
 optional_policy(`
@@ -228,12 +209,7 @@ interface(`init_system_domain',`
 role system_r types $1;
- domain_auto_trans(initrc_t,$2,$1)
-
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
+ domtrans_pattern(initrc_t,$2,$1)
 ifdef(`hide_broken_symptoms',`
 # RHEL4 systems seem to have a stray
@@ -296,12 +272,7 @@ interface(`init_domtrans',`
 type init_t, init_exec_t;
 ')
- domain_auto_trans($1,init_exec_t,init_t)
-
- allow $1 init_t:fd use;
- allow init_t $1:fd use;
- allow init_t $1:fifo_file rw_file_perms;
- allow init_t $1:process sigchld;
+ domtrans_pattern($1,init_exec_t,init_t)
 ')
 ########################################
@@ -517,7 +488,7 @@ interface(`init_telinit',`
 ')
 dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_file_perms;
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
@@ -536,7 +507,7 @@ interface(`init_rw_initctl',`
 ')
 dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_file_perms;
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
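Review bot: In the `init_daemon_domain` hunk, the branch taken when `direct_sysadm_daemon` is not defined drops `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };` with nothing in its place, while the two other branches keep an `allow` of the same three permissions. Unless domtrans_pattern carries that dontaudit itself (its expansion is not on this page), every daemon started from initrc_t under that configuration will now produce an AVC denial for noatsecure/siginh/rlimitinh on each exec — exactly the noise the removed line existed to suppress, and a source of false positives for anyone monitoring the audit log. Either keep `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };` after `domtrans_pattern(initrc_t,$2,$1)` or note in the policy that the pattern covers it. The interface begins before this hunk.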
@@ -593,11 +564,7 @@ interface(`init_spec_domtrans_script',`
 ')
 files_list_etc($1)
- domain_trans($1,initrc_exec_t,initrc_t)
- allow $1 self:process setexec;
- allow initrc_t $1:fd use;
- allow initrc_t $1:fifo_file rw_file_perms;
- allow initrc_t $1:process sigchld;
+ spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
 ifdef(`enable_mcs',`
 range_transition $1 initrc_exec_t:process s0;
@@ -624,10 +591,7 @@ interface(`init_domtrans_script',`
 ')
 files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,initrc_t)
- allow initrc_t $1:fd use;
- allow initrc_t $1:fifo_file rw_file_perms;
- allow initrc_t $1:process sigchld;
+ domtrans_pattern($1,initrc_exec_t,initrc_t)
 ifdef(`enable_mcs',`
 range_transition $1 initrc_exec_t:process s0;
@@ -781,9 +745,12 @@ interface(`init_read_script_state',`
 type initrc_t;
 ')
- #FIXME: search proc dir
- allow $1 initrc_t:dir r_dir_perms;
- allow $1 initrc_t:{ file lnk_file } r_file_perms;
+ kernel_search_proc($1)
+ read_files_pattern($1,initrc_t,initrc_t)
+ read_lnk_files_pattern($1,initrc_t,initrc_t)
+ list_dirs_pattern($1,initrc_t,initrc_t)
+
+ # should move this to separate interface
 allow $1 initrc_t:process getattr;
 ')
@@ -1069,7 +1036,7 @@ interface(`init_read_script_files',`
 ')
 files_search_etc($1)
- allow $1 initrc_exec_t:file r_file_perms;
+ allow $1 initrc_exec_t:file read_file_perms;
 ')
 ########################################
@@ -1088,8 +1055,7 @@ interface(`init_getattr_script_status_files',`
 type initrc_state_t;
 ')
- allow $1 initrc_state_t:dir search_dir_perms;
- allow $1 initrc_state_t:file getattr;
+ getattr_files_pattern($1,initrc_state_t,initrc_state_t)
 ')
 ########################################
@@ -1158,9 +1124,7 @@ interface(`init_script_tmp_filetrans',`
 ')
 files_search_tmp($1)
-
- allow $1 initrc_tmp_t:dir rw_dir_perms;
- type_transition $1 initrc_tmp_t:$3 $2;
+ filetrans_pattern($1,initrc_tmp_t,$2,$3)
 ')
 ########################################
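Review bot: In the `init_spec_domtrans_script` hunk, `spec_domtrans_pattern($1,initrc_exec_t,initrc_t)` replaces not only the transition rules but also `allow $1 self:process setexec;`, which is a permission on the caller rather than on the initrc side of the transition. If spec_domtrans_pattern does not grant setexec — its expansion is not on this page — every caller that sets an exec context before running a script will be denied, so the pattern's definition should be checked before this hunk lands, or the setexec line kept next to it. The enclosing interface starts and ends outside the hunk. In the `init_read_script_state` hunk, `# should move this to separate interface` would be more useful if it said what and why, e.g. `# process getattr on initrc_t is not script state; belongs in its own interface`.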
@@ -1197,7 +1161,7 @@ interface(`init_read_utmp',`
 ')
 files_list_pids($1)
- allow $1 initrc_var_run_t:file r_file_perms;
+ allow $1 initrc_var_run_t:file read_file_perms;
 ')
 ########################################
@@ -1309,5 +1273,5 @@ interface(`init_manage_utmp',`
 ')
 files_search_pids($1)
- allow $1 initrc_var_run_t:file create_file_perms;
+ allow $1 initrc_var_run_t:file manage_file_perms;
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 27ca078..d342a54 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -81,20 +81,20 @@ allow init_t self:capability ~sys_module;
 # setuid (from /sbin/shutdown)
 # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
-allow init_t self:fifo_file rw_file_perms;
+allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
-allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
+can_exec(init_t,init_exec_t)
 allow init_t initrc_t:unix_stream_socket connectto;
 # For /var/run/shutdown.pid.
-allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
+allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t,init_var_run_t,file)
-allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
-fs_associate_tmpfs(initctl_t)
+allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t,initctl_t,fifo_file)
+fs_associate_tmpfs(initctl_t)
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -210,17 +210,17 @@ init_exec(initrc_t)
 can_exec(initrc_t,initrc_exec_t)
-allow initrc_t initrc_state_t:dir manage_dir_perms;
-allow initrc_t initrc_state_t:file manage_file_perms;
-allow initrc_t initrc_state_t:fifo_file manage_file_perms;
-allow initrc_t initrc_state_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-allow initrc_t initrc_var_run_t:file create_file_perms;
+allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t,initrc_var_run_t,file)
 can_exec(initrc_t,initrc_tmp_t)
-allow initrc_t initrc_tmp_t:file create_file_perms;
-allow initrc_t initrc_tmp_t:dir create_dir_perms;
+allow initrc_t initrc_tmp_t:file manage_file_perms;
+allow initrc_t initrc_tmp_t:dir manage_dir_perms;
 files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
 init_write_initctl(initrc_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index b4a643f..5a7d7bc 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -15,12 +15,7 @@ interface(`ipsec_domtrans',`
 type ipsec_t, ipsec_exec_t;
 ')
- domain_auto_trans($1,ipsec_exec_t,ipsec_t)
-
- allow $1 ipsec_t:fd use;
- allow ipsec_t $1:fd use;
- allow ipsec_t $1:fifo_file rw_file_perms;
- allow ipsec_t $1:process sigchld;
+ domtrans_pattern($1,ipsec_exec_t,ipsec_t)
 ')
 ########################################
@@ -39,9 +34,7 @@ interface(`ipsec_stream_connect',`
 ')
 files_search_pids($1)
- allow $1 ipsec_var_run_t:dir search;
- allow $1 ipsec_var_run_t:sock_file write;
- allow $1 ipsec_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
 ')
 ########################################
@@ -97,7 +90,7 @@ interface(`ipsec_read_config',`
 ')
 files_search_etc($1)
- allow $1 ipsec_conf_file_t:file r_file_perms;
+ allow $1 ipsec_conf_file_t:file read_file_perms;
 ')
 ########################################
@@ -116,6 +109,5 @@ interface(`ipsec_manage_pid',`
 ')
 files_search_pids($1)
- allow $1 ipsec_var_run_t:dir rw_dir_perms;
- allow $1 ipsec_var_run_t:file create_file_perms;
+ manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 37b0764..eef0989 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,16 +48,16 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:key_socket { create write read setopt };
 allow ipsec_t self:fifo_file { read getattr };
-allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_conf_file_t:file r_file_perms;
-allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
-allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_key_file_t:file r_file_perms;
-allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -67,7 +67,6 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 # letting all sorts of stuff possibly be run...
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
-allow ipsec_t ipsec_mgmt_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
@@ -158,22 +157,22 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket { create setopt };
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
-allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+read_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
 # logger, running in ipsec_mgmt_t needs to use sockets
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
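Review bot: In the first ipsec.te hunk, `allow ipsec_t ipsec_mgmt_t:fd use;` is removed while the three hand-written rules that complete `corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)` stay, so the shell transition now relies on the fd-use rule presumably produced by `domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)` in a later hunk — a rule written for the reverse transition. If that is the intent it deserves a comment so nobody "cleans up" the pattern call later, e.g. `# ipsec_t fd use on ipsec_mgmt_t comes from the domtrans_pattern(ipsec_mgmt_t,...) below`. The surviving `allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;` here, and `allow ipsec_mgmt_t self:fifo_file rw_file_perms;` in the second hunk, also keep the file permission set that this commit replaces with `rw_fifo_file_perms` in daemontools and init.te.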
@@ -181,24 +180,18 @@ allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
 files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
 # whack needs to connect to pluto
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+stream_connect_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
 can_exec(ipsec_mgmt_t, ipsec_exec_t)
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
-allow ipsec_t ipsec_mgmt_t:process sigchld;
+domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index d81ec11..85f258d 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -16,12 +16,7 @@ interface(`iptables_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,iptables_exec_t,iptables_t)
-
- allow $1 iptables_t:fd use;
- allow iptables_t $1:fd use;
- allow iptables_t $1:fifo_file rw_file_perms;
- allow iptables_t $1:process sigchld;
+ domtrans_pattern($1,iptables_exec_t,iptables_t)
 ')
 ########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 611e2ae..911061f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -25,18 +25,17 @@ files_pid_file(iptables_var_run_t)
 allow iptables_t self:capability { net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+allow iptables_t self:rawip_socket create_socket_perms;
 allow iptables_t iptables_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(iptables_t,iptables_var_run_t,file)
 can_exec(iptables_t,iptables_exec_t)
-allow iptables_t iptables_tmp_t:dir create_dir_perms;
-allow iptables_t iptables_tmp_t:file create_file_perms;
+allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-allow iptables_t self:rawip_socket create_socket_perms;
-
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
index 12e8cfb..b8e8f4a 100644
--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@@ -15,8 +15,5 @@ interface(`iscsid_domtrans',`
 type iscsid_t, iscsid_exec_t;
 ')
- domain_auto_trans($1,iscsid_exec_t,iscsid_t)
- allow iscsid_t $1:fd use;
- allow iscsid_t $1:fifo_file rw_file_perms;
- allow iscsid_t $1:process sigchld;
+ domtrans_pattern($1,iscsid_exec_t,iscsid_t)
 ')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index a18cbab..bd231f6 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -42,17 +42,16 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms;
 allow iscsid_t iscsi_lock_t:file manage_file_perms;
 files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
-allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
-allow iscsid_t iscsi_tmp_t:file create_file_perms;
+allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
+allow iscsid_t iscsi_tmp_t:file manage_file_perms;
 fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
 allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-allow iscsid_t iscsi_var_lib_t:file read_file_perms;
-allow iscsid_t iscsi_var_lib_t:lnk_file { getattr read };
+read_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
+read_lnk_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
 files_search_var_lib(iscsid_t)
-allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
-allow iscsid_t iscsi_var_run_t:file manage_file_perms;
+manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
 files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
 corenet_non_ipsec_sendrecv(iscsid_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 1be3f4e..ad0bea8 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -16,12 +16,7 @@ interface(`libs_domtrans_ldconfig',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
-
- allow $1 ldconfig_t:fd use;
- allow ldconfig_t $1:fd use;
- allow ldconfig_t $1:fifo_file rw_file_perms;
- allow ldconfig_t $1:process sigchld;
+ domtrans_pattern($1,ldconfig_exec_t,ldconfig_t)
 ')
 ########################################
@@ -72,11 +67,12 @@ interface(`libs_use_ld_so',`
 ')
 files_list_etc($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 ld_so_t:lnk_file r_file_perms;
- allow $1 ld_so_t:file rx_file_perms;
- allow $1 ld_so_cache_t:file r_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
+ mmap_files_pattern($1,lib_t,ld_so_t)
+
+ allow $1 ld_so_cache_t:file read_file_perms;
 ')
 ########################################
@@ -115,10 +111,9 @@ interface(`libs_exec_ld_so',`
 type lib_t, ld_so_t;
 ')
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 ld_so_t:lnk_file r_file_perms;
- can_exec($1,ld_so_t)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
+ exec_files_pattern($1,lib_t,ld_so_t)
 ')
 ########################################
@@ -138,8 +133,7 @@ interface(`libs_manage_ld_so',`
 type lib_t, ld_so_t;
 ')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 ld_so_t:file manage_file_perms;
+ manage_files_pattern($1,lib_t,ld_so_t)
 ')
 ########################################
@@ -159,8 +153,7 @@ interface(`libs_relabel_ld_so',`
 type lib_t, ld_so_t;
 ')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 ld_so_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,ld_so_t)
 ')
 ########################################
@@ -198,7 +191,7 @@ interface(`libs_search_lib',`
 type lib_t;
 ')
- allow $1 lib_t:dir search;
+ allow $1 lib_t:dir search_dir_perms;
 ')
 ########################################
@@ -261,8 +254,9 @@ interface(`libs_read_lib_files',`
 ')
 files_search_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:{ file lnk_file } r_file_perms;
+ list_dirs_pattern($1,lib_t,lib_t)
+ read_files_pattern($1,lib_t,lib_t)
+ read_lnk_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -281,9 +275,9 @@ interface(`libs_exec_lib_files',`
 ')
 files_search_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- can_exec($1,lib_t)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,lib_t)
+ exec_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -303,9 +297,9 @@ interface(`libs_use_lib_files',`
 ')
 files_list_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 lib_t:file rx_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,lib_t)
+ mmap_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -325,8 +319,7 @@ interface(`libs_manage_lib_files',`
 type lib_t;
 ')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 lib_t:file manage_file_perms;
+ manage_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -344,8 +337,7 @@ interface(`libs_relabelto_lib_files',`
 type lib_t;
 ')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 lib_t:file relabelto;
+ relabelto_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -365,8 +357,7 @@ interface(`libs_relabel_lib_files',`
 type lib_t;
 ')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 lib_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -385,8 +376,7 @@ interface(`libs_delete_lib_symlinks',`
 type lib_t;
 ')
- allow $1 lib_t:dir { getattr search read write remove_name };
- allow $1 lib_t:lnk_file unlink;
+ delete_lnk_files_pattern($1,lib_t,lib_t)
 ')
 ########################################
@@ -405,8 +395,7 @@ interface(`libs_manage_shared_libs',`
 type lib_t, shlib_t, textrel_shlib_t;
 ')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
+ manage_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
 ')
 ########################################
@@ -425,10 +414,9 @@ interface(`libs_use_shared_libs',`
 ')
 files_list_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
- allow $1 { shlib_t textrel_shlib_t }:file rx_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,{ lib_t shlib_t textrel_shlib_t })
+ mmap_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
 allow $1 textrel_shlib_t:file execmod;
 ')
@@ -469,8 +457,7 @@ interface(`libs_relabel_shared_libs',`
 type lib_t, shlib_t, textrel_shlib_t;
 ')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
 ')
 ########################################
@@ -491,9 +478,8 @@ interface(`libs_relabel_shared_libs',`
 #
 interface(`files_lib_filetrans_shared_lib',`
 gen_require(`
- type root_t;
+ type lib_t, shlib_t;
 ')
- allow $1 root_t:dir rw_dir_perms;
- type_transition $1 root_t:$2 shlib_t;
+ filetrans_pattern($1,lib_t,shlib_t,$2)
 ')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 8b7ed0c..6f49c4b 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
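Review bot: In the last libraries.if hunk, `files_lib_filetrans_shared_lib` now keys its type_transition on lib_t instead of root_t, so a caller creating a `$2` object directly in a root_t directory no longer gets shlib_t; that is a behaviour change for existing callers and the Changelog entry at the top of the commit does not mention it. The interface's description block (just above the hunk) should state that the parent directory is now lib_t, and the description line "Create an object in a lib_t directory with the shared library type" would do. Requiring `shlib_t` in gen_require also fixes the previous use of a type the interface never required, which is worth a line in the commit message. The `files_` prefix on an interface that lives in libraries.if is out of step with the `libs_` interfaces around it.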
@@ -51,16 +51,10 @@ type ldconfig_exec_t;
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
-allow ldconfig_t ld_so_cache_t:file create_file_perms;
+allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
-allow ldconfig_t ld_so_t:lnk_file r_file_perms;
-allow ldconfig_t ld_so_t:file rx_file_perms;
-allow ldconfig_t ld_so_cache_t:file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;
+manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
 kernel_read_system_state(ldconfig_t)
@@ -77,6 +71,9 @@ files_delete_etc_files(ldconfig_t)
 init_use_script_ptys(ldconfig_t)
+libs_use_ld_so(ldconfig_t)
+libs_use_shared_libs(ldconfig_t)
+
 logging_send_syslog_msg(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
@@ -88,7 +85,7 @@ ifdef(`hide_broken_symptoms',`
 ')
 ifdef(`targeted_policy',`
- allow ldconfig_t lib_t:file r_file_perms;
+ allow ldconfig_t lib_t:file read_file_perms;
 unconfined_domain(ldconfig_t)
 ')
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 8f5a1cd..db32b2e 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -94,7 +94,6 @@ interface(`locallogin_search_keys',`
 allow $1 local_login_t:key search;
 ')
-
 ########################################
 ##
 ## Allow link to the local_login key ring.
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8f8faa9..37c70a6 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
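Review bot: In the two libraries.te hunks, ldconfig_t's library access now comes from `libs_use_shared_libs(ldconfig_t)`, and the context line in that interface's hunk on this page shows it also grants `allow $1 textrel_shlib_t:file execmod;` — a permission the removed `allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;` did not give. ldconfig should only need to read and map libraries to rebuild the cache, so this is a widening that the Changelog note about create_file_perms does not cover; either accept it with a comment such as `# libs_use_shared_libs also grants execmod on textrel_shlib_t` or grant the narrower read/mmap rules directly. Likewise `manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)` replaces `{ getattr create read unlink }` on lib_t symlinks with the full manage set. The first hunk also drops `allow ldconfig_t lib_t:dir rw_dir_perms;`, which is presumably supplied by the pattern, but its expansion is not visible here.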
@@ -49,11 +49,11 @@ allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
 allow local_login_t self:key { search write link };
-allow local_login_t local_login_lock_t:file create_file_perms;
+allow local_login_t local_login_lock_t:file manage_file_perms;
 files_lock_filetrans(local_login_t,local_login_lock_t,file)
-allow local_login_t local_login_tmp_t:dir create_dir_perms;
-allow local_login_t local_login_tmp_t:file create_file_perms;
+allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+allow local_login_t local_login_tmp_t:file manage_file_perms;
 files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index bdcf860..44f6b5a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -39,8 +39,8 @@ interface(`logging_read_audit_log',`
 ')
 files_search_var($1)
- allow $1 auditd_log_t:dir r_dir_perms;
- allow $1 auditd_log_t:file r_file_perms;
+ read_files_pattern($1,auditd_log_t,auditd_log_t)
+ allow $1 auditd_log_t:dir list_dir_perms;
 ')
 ########################################
@@ -58,12 +58,7 @@ interface(`logging_domtrans_auditctl',`
 type auditctl_t, auditctl_exec_t;
 ')
- domain_auto_trans($1,auditctl_exec_t,auditctl_t)
-
- allow $1 auditctl_t:fd use;
- allow auditctl_t $1:fd use;
- allow auditctl_t $1:fifo_file rw_file_perms;
- allow auditctl_t $1:process sigchld;
+ domtrans_pattern($1,auditctl_exec_t,auditctl_t)
 ')
 ########################################
@@ -113,11 +108,7 @@ interface(`logging_domtrans_auditd',`
 type auditd_t, auditd_exec_t;
 ')
- domain_auto_trans($1,auditd_exec_t,auditd_t)
-
- allow auditd_t $1:fd use;
- allow auditd_t $1:fifo_file rw_file_perms;
- allow auditd_t $1:process sigchld;
+ domtrans_pattern($1,auditd_exec_t,auditd_t)
 ')
 ########################################
@@ -167,9 +158,7 @@ interface(`logging_stream_connect_auditd',`
 ')
 files_search_pids($1)
- allow $1 auditd_var_run_t:dir search_dir_perms;
- allow $1 auditd_var_run_t:sock_file rw_file_perms;
- allow $1 auditd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
 ')
 ########################################
@@ -189,8 +178,7 @@ interface(`logging_manage_audit_config',`
 ')
 files_search_etc($1)
- allow $1 auditd_etc_t:dir rw_dir_perms;
- allow $1 auditd_etc_t:file manage_file_perms;
+ manage_files_pattern($1,auditd_etc_t,auditd_etc_t)
 ')
 ########################################
@@ -210,8 +198,8 @@ interface(`logging_manage_audit_log',`
 ')
 files_search_var($1)
- allow $1 auditd_log_t:dir create_dir_perms;
- allow $1 auditd_log_t:file create_file_perms;
+ manage_dirs_pattern($1,auditd_log_t,auditd_log_t)
+ manage_files_pattern($1,auditd_log_t,auditd_log_t)
 ')
 ########################################
@@ -230,12 +218,7 @@ interface(`logging_domtrans_syslog',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,syslogd_exec_t,syslogd_t)
-
- allow $1 syslogd_t:fd use;
- allow syslogd_t $1:fd use;
- allow syslogd_t $1:fifo_file rw_file_perms;
- allow syslogd_t $1:process sigchld;
+ domtrans_pattern($1,syslogd_exec_t,syslogd_t)
 ')
 ########################################
@@ -265,8 +248,7 @@ interface(`logging_log_filetrans',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
- type_transition $1 var_log_t:$3 $2;
+ filetrans_pattern($1,var_log_t,$2,$3)
 ')
 ########################################
@@ -314,8 +296,8 @@ interface(`logging_read_audit_config',`
 ')
 files_search_etc($1)
- allow $1 auditd_etc_t:dir r_dir_perms;
- allow $1 auditd_etc_t:file r_file_perms;
+ read_files_pattern($1,auditd_etc_t,auditd_etc_t)
+ allow $1 auditd_etc_t:dir list_dir_perms;
 ')
 ########################################
@@ -373,7 +355,7 @@ interface(`logging_list_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:dir list_dir_perms;
 ')
 #######################################
@@ -431,7 +413,7 @@ interface(`logging_append_all_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:dir list_dir_perms;
 allow $1 logfile:file { getattr append };
 ')
@@ -453,8 +435,8 @@ interface(`logging_read_all_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 logfile:file r_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1,var_log_t,logfile)
 ')
 ########################################
@@ -475,7 +457,7 @@ interface(`logging_exec_all_logs',`
 ')
 files_search_var($1)
- allow $1 logfile:dir r_dir_perms;
+ allow $1 logfile:dir list_dir_perms;
 can_exec($1,logfile)
 ')
@@ -496,9 +478,8 @@ interface(`logging_manage_all_logs',`
 ')
 files_search_var($1)
- allow $1 logfile:dir rw_dir_perms;
- allow $1 logfile:lnk_file read;
- allow $1 logfile:file create_file_perms;
+ manage_files_pattern($1,logfile,logfile)
+ read_lnk_files_pattern($1,logfile,logfile)
 ')
 ########################################
@@ -518,8 +499,8 @@ interface(`logging_read_generic_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file r_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1,var_log_t,var_log_t)
 ')
 ########################################
@@ -538,8 +519,8 @@ interface(`logging_write_generic_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file { getattr write };
+ allow $1 var_log_t:dir list_dir_perms;
+ write_files_pattern($1,var_log_t,var_log_t)
 ')
 ########################################
@@ -558,8 +539,8 @@ interface(`logging_rw_generic_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file rw_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ rw_files_pattern($1,var_log_t,var_log_t)
 ')
 ########################################
@@ -580,6 +561,5 @@ interface(`logging_manage_generic_logs',`
 ')
 files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
- allow $1 var_log_t:file create_file_perms;
+ manage_files_pattern($1,var_log_t,var_log_t)
 ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b7bf0ad..b185f84 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,13 +67,8 @@ ifdef(`enable_mls',`
 allow auditctl_t self:capability { audit_write audit_control };
 allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-libs_use_ld_so(auditctl_t)
-libs_use_shared_libs(auditctl_t)
-
-allow auditctl_t etc_t:file { getattr read };
-
-allow auditctl_t auditd_etc_t:dir r_dir_perms;
-allow auditctl_t auditd_etc_t:file r_file_perms;
+read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
+allow auditctl_t auditd_etc_t:dir list_dir_perms;
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
@@ -92,6 +87,9 @@ term_use_all_terms(auditctl_t)
 init_use_script_ptys(auditctl_t)
 init_dontaudit_use_fds(auditctl_t)
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
 locallogin_dontaudit_use_fds(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
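Review bot: The first logging.te hunk (`@@ -67,13 +67,8 @@`) drops `allow auditctl_t etc_t:file { getattr read };` and neither of the two auditctl_t hunks adds a replacement such as `files_read_etc_files(auditctl_t)`. Unless that rule was already redundant with an interface call outside this diff, auditctl loses read access to generic /etc files and the regression will only surface as an AVC denial at runtime. If it was removed on purpose because a files_ interface elsewhere covers it, a one-line note in the commit message would save the next reader the search; otherwise add the interface call next to the relocated libs_use_ld_so/libs_use_shared_libs lines in the second hunk.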
@@ -114,17 +112,15 @@ allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:fifo_file rw_file_perms;
-allow auditd_t auditd_etc_t:dir r_dir_perms;
+allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file r_file_perms;
-allow auditd_t auditd_log_t:dir rw_dir_perms;
-allow auditd_t auditd_log_t:file create_file_perms;
-allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
-allow auditd_t var_log_t:dir search;
+manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
+manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
+allow auditd_t var_log_t:dir search_dir_perms;
-allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
-allow auditd_t auditd_var_run_t:file manage_file_perms;
-allow auditd_t auditd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
+manage_sock_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
 files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(auditd_t)
@@ -199,12 +195,11 @@ allow klogd_t self:capability sys_admin;
 dontaudit klogd_t self:capability { sys_resource sys_tty_config };
 allow klogd_t self:process signal_perms;
-allow klogd_t klogd_tmp_t:file create_file_perms;
-allow klogd_t klogd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
+manage_files_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
 files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
-allow klogd_t klogd_var_run_t:file create_file_perms;
-allow klogd_t klogd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(klogd_t,klogd_var_run_t,klogd_var_run_t)
 files_pid_filetrans(klogd_t,klogd_var_run_t,file)
 kernel_read_system_state(klogd_t)
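Review bot: In the auditd_t hunk the directory rule is rewritten to `list_dir_perms` but the neighbouring `allow auditd_t auditd_etc_t:file r_file_perms;` stays a raw context line, while the identical auditctl_t pair a few hunks earlier and logging_read_audit_config in logging.if were converted to `read_files_pattern`. For consistency replace the two auditd_etc_t lines with `read_files_pattern(auditd_t,auditd_etc_t,auditd_etc_t)` and `allow auditd_t auditd_etc_t:dir list_dir_perms;`, matching the auditctl_t block. That also moves this rule from r_file_perms to the read_file_perms set every other read rule in this commit now uses.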
@@ -278,26 +273,24 @@ allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 # Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file create_file_perms;
+allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 # create/append log files.
-allow syslogd_t var_log_t:dir rw_dir_perms;
-allow syslogd_t var_log_t:file create_file_perms;
+manage_files_pattern(syslogd_t,var_log_t,var_log_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 # manage temporary files
-allow syslogd_t syslogd_tmp_t:file create_file_perms;
-allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
+manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
+allow syslogd_t syslogd_var_run_t:file manage_file_perms;
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 # manage pid file
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
-allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 kernel_read_kernel_sysctls(syslogd_t)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 94e3014..a4bd4f3 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -16,12 +16,7 @@ interface(`lvm_domtrans',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, lvm_exec_t, lvm_t)
-
- allow $1 lvm_t:fd use;
- allow lvm_t $1:fd use;
- allow lvm_t $1:fifo_file rw_file_perms;
- allow lvm_t $1:process sigchld;
+ domtrans_pattern($1, lvm_exec_t, lvm_t)
 ')
 ########################################
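Review bot: On the new side of the syslogd_t hunk the syslogd_var_run_t rules are declared twice: `allow syslogd_t syslogd_var_run_t:file manage_file_perms;` plus `files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)` right after the tmp block, and then `manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)` plus the same files_pid_filetrans under `# manage pid file`. The old code carried the same duplication, but since this hunk already rewrites both pairs it is the natural place to delete the first one; the manage_files_pattern call is a superset of it. Leaving both makes a later reader wonder whether the two pid-file blocks are meant for different objects.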
@@ -72,7 +67,6 @@ interface(`lvm_read_config',`
 ')
 files_search_etc($1)
- allow $1 lvm_etc_t:dir r_dir_perms;
- allow $1 lvm_etc_t:file r_file_perms;
+ allow $1 lvm_etc_t:dir list_dir_perms;
+ read_files_pattern($1,lvm_etc_t,lvm_etc_t)
 ')
-
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f787968..4f67940 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -47,17 +47,15 @@ files_tmp_file(lvm_tmp_t)
 dontaudit clvmd_t self:capability sys_tty_config;
 allow clvmd_t self:process signal_perms;
 allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file rw_file_perms;
+allow clvmd_t self:fifo_file rw_fifo_file_perms;
 allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
-allow clvmd_t clvmd_var_run_t:file create_file_perms;
-allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
 files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
-allow clvmd_t lvm_metadata_t:dir search_dir_perms;
-allow clvmd_t lvm_metadata_t:file { getattr read };
+read_files_pattern(clvmd_t,lvm_metadata_t,lvm_metadata_t)
 kernel_read_kernel_sysctls(clvmd_t)
 kernel_read_system_state(clvmd_t)
@@ -159,38 +157,35 @@ allow lvm_t self:fifo_file rw_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow lvm_t lvm_tmp_t:dir create_dir_perms;
-allow lvm_t lvm_tmp_t:file create_file_perms;
+manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
+manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
 # /lib/lvm- holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
+read_files_pattern(lvm_t,lvm_exec_t,lvm_exec_t)
+read_lnk_files_pattern(lvm_t,lvm_exec_t,lvm_exec_t)
 # LVM is split into many individual binaries
 can_exec(lvm_t, lvm_exec_t)
 # Creating lock files
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-allow lvm_t lvm_lock_t:file create_file_perms;
+manage_files_pattern(lvm_t,lvm_lock_t,lvm_lock_t)
 files_lock_filetrans(lvm_t,lvm_lock_t,file)
-allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
-allow lvm_t lvm_var_lib_t:file manage_file_perms;
+manage_dirs_pattern(lvm_t,lvm_var_lib_t,lvm_var_lib_t)
+manage_files_pattern(lvm_t,lvm_var_lib_t,lvm_var_lib_t)
 files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
-allow lvm_t lvm_var_run_t:file manage_file_perms;
-allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
-allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+manage_dirs_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
+manage_files_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
+manage_sock_files_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
 files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
-allow lvm_t lvm_etc_t:file r_file_perms;
-allow lvm_t lvm_etc_t:lnk_file r_file_perms;
+read_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
+read_lnk_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-allow lvm_t lvm_etc_t:dir rw_dir_perms;
-allow lvm_t lvm_metadata_t:file create_file_perms;
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
+manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
+filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
 files_etc_filetrans(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index bcaddcd..276ad3c 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -16,9 +16,9 @@ interface(`miscfiles_read_certs',`
 type cert_t;
 ')
- allow $1 cert_t:dir r_dir_perms;
- allow $1 cert_t:file r_file_perms;
- allow $1 cert_t:lnk_file { getattr read };
+ allow $1 cert_t:dir list_dir_perms;
+ read_files_pattern($1,cert_t,cert_t)
+ read_lnk_files_pattern($1,cert_t,cert_t)
 ')
 ########################################
@@ -41,9 +41,9 @@ interface(`miscfiles_read_fonts',`
 files_search_usr($1)
 libs_search_lib($1)
- allow $1 fonts_t:dir r_dir_perms;
- allow $1 fonts_t:file r_file_perms;
- allow $1 fonts_t:lnk_file { getattr read };
+ allow $1 fonts_t:dir list_dir_perms;
+ read_files_pattern($1,fonts_t,fonts_t)
+ read_lnk_files_pattern($1,fonts_t,fonts_t)
 ')
 ########################################
@@ -66,9 +66,9 @@ interface(`miscfiles_manage_fonts',`
 files_search_usr($1)
 libs_search_lib($1)
- allow $1 fonts_t:dir create_dir_perms;
- allow $1 fonts_t:file create_file_perms;
- allow $1 fonts_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,fonts_t,fonts_t)
+ manage_files_pattern($1,fonts_t,fonts_t)
+ manage_lnk_files_pattern($1,fonts_t,fonts_t)
 ')
 ########################################
@@ -86,9 +86,9 @@ interface(`miscfiles_read_hwdata',`
 type hwdata_t;
 ')
- allow $1 hwdata_t:dir r_dir_perms;
- allow $1 hwdata_t:file r_file_perms;
- allow $1 hwdata_t:lnk_file { getattr read };
+ allow $1 hwdata_t:dir list_dir_perms;
+ read_files_pattern($1,hwdata_t,hwdata_t)
+ read_lnk_files_pattern($1,hwdata_t,hwdata_t)
 ')
 ########################################
@@ -108,9 +108,9 @@ interface(`miscfiles_read_localization',`
 files_read_etc_symlinks($1)
 files_search_usr($1)
- allow $1 locale_t:dir r_dir_perms;
- allow $1 locale_t:lnk_file r_file_perms;
- allow $1 locale_t:file r_file_perms;
+ allow $1 locale_t:dir list_dir_perms;
+ read_files_pattern($1,locale_t,locale_t)
+ read_lnk_files_pattern($1,locale_t,locale_t)
 # why?
 libs_read_lib_files($1)
@@ -133,7 +133,7 @@ interface(`miscfiles_rw_localization',`
 files_search_usr($1)
 allow $1 locale_t:dir list_dir_perms;
- allow $1 locale_t:file rw_file_perms;
+ rw_files_pattern($1,locale_t,locale_t)
 ')
 ########################################
@@ -190,9 +190,9 @@ interface(`miscfiles_read_man_pages',`
 ')
 files_search_usr($1)
- allow $1 man_t:dir r_dir_perms;
- allow $1 man_t:file r_file_perms;
- allow $1 man_t:lnk_file r_file_perms;
+ allow $1 man_t:dir list_dir_perms;
+ read_files_pattern($1,man_t,man_t)
+ read_lnk_files_pattern($1,man_t,man_t)
 ')
 ########################################
@@ -212,9 +212,11 @@ interface(`miscfiles_delete_man_pages',`
 ')
 files_search_usr($1)
- allow $1 man_t:dir { setattr rw_dir_perms rmdir };
- allow $1 man_t:file { getattr unlink };
- allow $1 man_t:lnk_file { getattr unlink };
+
+ allow $1 man_t:dir setattr;
+ delete_dirs_pattern($1,man_t,man_t)
+ delete_files_pattern($1,man_t,man_t)
+ delete_lnk_files_pattern($1,man_t,man_t)
 ')
 ########################################
@@ -233,9 +235,9 @@ interface(`miscfiles_manage_man_pages',`
 ')
 files_search_usr($1)
- allow $1 man_t:dir create_dir_perms;
- allow $1 man_t:file create_file_perms;
- allow $1 man_t:lnk_file r_file_perms;
+ manage_dirs_pattern($1,man_t,man_t)
+ manage_files_pattern($1,man_t,man_t)
+ read_lnk_files_pattern($1,man_t,man_t)
 ')
 ########################################
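Review bot: In the miscfiles_delete_man_pages hunk the old rule granted `rw_dir_perms` on man_t directories, while the new `delete_dirs_pattern($1,man_t,man_t)` grants, as far as I recall the pattern definitions, only the del_entry_dir_perms subset on the parent directory, which lacks `read`. A caller removing a man-page tree has to list the directory to find its entries, so this may show up as a denial on `man_t:dir read`; please confirm against the pattern definitions and, if so, add `allow $1 man_t:dir list_dir_perms;` next to the existing `setattr` line. The hunk also inserts an empty added line before `allow $1 man_t:dir setattr;` that none of the sibling interfaces in this file have.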
@@ -255,9 +257,9 @@ interface(`miscfiles_read_public_files',`
 type public_content_t, public_content_rw_t;
 ')
- allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
- allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
- allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
+ allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
+ read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
+ read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
 ')
 ########################################
@@ -277,9 +279,9 @@ interface(`miscfiles_manage_public_files',`
 type public_content_rw_t;
 ')
- allow $1 public_content_rw_t:dir create_dir_perms;
- allow $1 public_content_rw_t:file create_file_perms;
- allow $1 public_content_rw_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,public_content_rw_t,public_content_rw_t)
+ manage_files_pattern($1,public_content_rw_t,public_content_rw_t)
+ manage_lnk_files_pattern($1,public_content_rw_t,public_content_rw_t)
 ')
 ########################################
@@ -301,9 +303,9 @@ interface(`miscfiles_read_tetex_data',`
 files_search_var_lib($1)
 # cjp: TeX data can be in either of the above dirs
- allow $1 tetex_data_t:dir r_dir_perms;
- allow $1 tetex_data_t:file r_file_perms;
- allow $1 tetex_data_t:lnk_file r_file_perms;
+ allow $1 tetex_data_t:dir list_dir_perms;
+ read_files_pattern($1,tetex_data_t,tetex_data_t)
+ read_lnk_files_pattern($1,tetex_data_t,tetex_data_t)
 ')
 ########################################
@@ -325,8 +327,8 @@ interface(`miscfiles_exec_tetex_data',`
 files_search_var_lib($1)
 # cjp: TeX data can be in either of the above dirs
- allow $1 tetex_data_t:dir r_dir_perms;
- can_exec($1,tetex_data_t)
+ allow $1 tetex_data_t:dir list_dir_perms;
+ exec_files_pattern($1,tetex_data_t,tetex_data_t)
 ')
 ########################################
@@ -363,9 +365,8 @@ interface(`miscfiles_read_test_files',`
 type test_file_t;
 ')
- allow $1 test_file_t:dir r_dir_perms;
- allow $1 test_file_t:file r_file_perms;
- allow $1 test_file_t:lnk_file r_file_perms;
+ read_files_pattern($1,test_file_t,test_file_t)
+ read_lnk_files_pattern($1,test_file_t,test_file_t)
 ')
 ########################################
@@ -383,7 +384,6 @@ interface(`miscfiles_exec_test_files',`
 type test_file_t;
 ')
- allow $1 test_file_t:dir r_dir_perms;
- allow $1 test_file_t:lnk_file r_file_perms;
- can_exec($1, test_file_t)
+ exec_files_pattern($1,test_file_t,test_file_t)
+ read_lnk_files_pattern($1,test_file_t,test_file_t)
 ')
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 415ce86..3dea9a1 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -16,7 +16,7 @@ interface(`modutils_read_module_deps',`
 ')
 files_list_kernel_modules($1)
- allow $1 modules_dep_t:file r_file_perms;
+ allow $1 modules_dep_t:file read_file_perms;
 ')
 ########################################
@@ -41,7 +41,8 @@ interface(`modutils_read_module_config',`
 files_search_etc($1)
 files_search_boot($1)
- allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
+ allow $1 modules_conf_t:file read_file_perms;
+ allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -60,7 +61,7 @@ interface(`modutils_rename_module_config',`
 type modules_conf_t;
 ')
- allow $1 modules_conf_t:file rename;
+ allow $1 modules_conf_t:file rename_file_perms;
 ')
 ########################################
@@ -81,12 +82,7 @@ interface(`modutils_domtrans_insmod_uncond',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, insmod_exec_t, insmod_t)
-
- allow $1 insmod_t:fd use;
- allow insmod_t $1:fd use;
- allow insmod_t $1:fifo_file rw_file_perms;
- allow insmod_t $1:process sigchld;
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
 ')
 ########################################
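Review bot: miscfiles_read_test_files and miscfiles_exec_test_files (the first two hunks here) drop `r_dir_perms` on test_file_t directories without the `allow $1 test_file_t:dir list_dir_perms;` line that every other converted read interface in miscfiles.if keeps (read_certs, read_fonts, read_hwdata, read_man_pages in the preceding hunks); those explicit lines suggest read_files_pattern and exec_files_pattern grant only search on the directory argument. A caller that enumerates the test directory will then be denied `read` on `test_file_t:dir`. Add `allow $1 test_file_t:dir list_dir_perms;` to both interfaces, or state in their doc blocks (outside the hunks) that listing is intentionally no longer part of them.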
@@ -178,12 +174,7 @@ interface(`modutils_domtrans_depmod',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, depmod_exec_t, depmod_t)
-
- allow $1 depmod_t:fd use;
- allow depmod_t $1:fd use;
- allow depmod_t $1:fifo_file rw_file_perms;
- allow depmod_t $1:process sigchld;
+ domtrans_pattern($1, depmod_exec_t, depmod_t)
 ')
 ########################################
@@ -252,12 +243,7 @@ interface(`modutils_domtrans_update_mods',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1, update_modules_exec_t, update_modules_t)
-
- allow $1 update_modules_t:fd use;
- allow update_modules_t $1:fd use;
- allow update_modules_t $1:fifo_file rw_file_perms;
- allow update_modules_t $1:process sigchld;
+ domtrans_pattern($1, update_modules_exec_t, update_modules_t)
 ')
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 5c7b59e..81e2f20 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -170,9 +170,9 @@ optional_policy(`
 can_exec(depmod_t, depmod_exec_t)
 # Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
+allow depmod_t modules_conf_t:file read_file_perms;
-allow depmod_t modules_dep_t:file create_file_perms;
+allow depmod_t modules_dep_t:file manage_file_perms;
 files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
 kernel_read_system_state(depmod_t)
@@ -220,7 +220,7 @@ optional_policy(`
 # update-modules local policy
 #
-allow update_modules_t self:fifo_file rw_file_perms;
+allow update_modules_t self:fifo_file rw_fifo_file_perms;
 allow update_modules_t modules_dep_t:file rw_file_perms;
@@ -228,7 +228,7 @@ can_exec(update_modules_t, insmod_exec_t)
 can_exec(update_modules_t, update_modules_exec_t)
 # manage module loading configuration
-allow update_modules_t modules_conf_t:file create_file_perms;
+allow update_modules_t modules_conf_t:file manage_file_perms;
 files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file)
 files_etc_filetrans(update_modules_t,modules_conf_t,file)
@@ -239,8 +239,8 @@ allow depmod_t update_modules_t:fd use;
 allow depmod_t update_modules_t:fifo_file rw_file_perms;
 allow depmod_t update_modules_t:process sigchld;
-allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
-allow update_modules_t update_modules_tmp_t:file create_file_perms;
+manage_dirs_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t)
+manage_files_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t)
 files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
 kernel_read_kernel_sysctls(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 19f3dff..e39a5e9 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -15,12 +15,7 @@ interface(`mount_domtrans',`
 type mount_t, mount_exec_t;
 ')
- domain_auto_trans($1,mount_exec_t,mount_t)
-
- allow $1 mount_t:fd use;
- allow mount_t $1:fd use;
- allow mount_t $1:fifo_file rw_file_perms;
- allow mount_t $1:process sigchld;
+ domtrans_pattern($1,mount_exec_t,mount_t)
 ')
 ########################################
@@ -71,10 +66,11 @@ interface(`mount_exec',`
 type mount_exec_t;
 ')
- allow $1 mount_exec_t:dir r_dir_perms;
- allow $1 mount_exec_t:lnk_file r_file_perms;
- can_exec($1,mount_exec_t)
+ # cjp: this should be removed:
+ allow $1 mount_exec_t:dir list_dir_perms;
+ allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
+ can_exec($1,mount_exec_t)
 ')
 ########################################
@@ -137,13 +133,13 @@ interface(`mount_domtrans_unconfined',`
 type unconfined_mount_t, mount_exec_t;
 ')
- domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+ domtrans_pattern($1,mount_exec_t,unconfined_mount_t)
 allow $1 unconfined_mount_t:fd use;
 allow unconfined_mount_t $1:fd use;
 allow unconfined_mount_t $1:fifo_file rw_file_perms;
 allow unconfined_mount_t $1:process sigchld;
 ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ mount_domtrans($1)
 ')
 ')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7c0a391..7d4b8a8 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -31,13 +31,14 @@ ifdef(`targeted_policy',`
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-allow mount_t mount_loopback_t:file r_file_perms;
+allow mount_t mount_loopback_t:file read_file_perms;
 allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+allow mount_t mount_tmp_t:file manage_file_perms;
+allow mount_t mount_tmp_t:dir manage_dir_perms;
+
 can_exec(mount_t, mount_exec_t)
-allow mount_t mount_tmp_t:file create_file_perms;
-allow mount_t mount_tmp_t:dir create_dir_perms;
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 kernel_read_system_state(mount_t)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
index 2cb4b55..93f472d 100644
--- a/policy/modules/system/netlabel.if
+++ b/policy/modules/system/netlabel.if
@@ -16,10 +16,7 @@ interface(`netlabel_domtrans_mgmt',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
- allow netlabel_mgmt_t $1:fd use;
- allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
- allow netlabel_mgmt_t $1:process sigchld;
+ domtrans_pattern($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
 ')
 ########################################
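Review bot: In the mount_domtrans_unconfined hunk the four context rules after `domtrans_pattern($1,mount_exec_t,unconfined_mount_t)` (`allow $1 unconfined_mount_t:fd use;` through `allow unconfined_mount_t $1:process sigchld;`) are now redundant; every other domtrans conversion in this commit deletes exactly those lines because the pattern supplies them, so they should go here as well. The else branch is a behaviour change rather than a cleanup: in strict policy the interface used to be a no-op with a refpolicywarn and now transitions the caller into the confined mount_t via `mount_domtrans($1)`. That deserves a line in the interface's doc block (outside this hunk), e.g. `## In strict policy this falls back to mount_domtrans(), transitioning to the confined mount_t domain.`, and arguably a Changelog entry, since callers that relied on the no-op now get a transition. The mount.te hunk below has a related consistency nit: the relocated mount_tmp_t rules stay raw `allow mount_t mount_tmp_t:file manage_file_perms;` / `allow mount_t mount_tmp_t:dir manage_dir_perms;` while every other tmp-type block in this commit (klogd_tmp_t, syslogd_tmp_t, lvm_tmp_t, update_modules_tmp_t) became a manage_dirs_pattern/manage_files_pattern pair.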
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 1a01059..4932c0b 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -31,12 +31,7 @@ interface(`pcmcia_domtrans_cardmgr',`
 type cardmgr_t, cardmgr_exec_t;
 ')
- domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
-
- allow $1 cardmgr_t:fd use;
- allow cardmgr_t $1:fd use;
- allow cardmgr_t $1:fifo_file rw_file_perms;
- allow cardmgr_t $1:process sigchld;
+ domtrans_pattern($1,cardmgr_exec_t,cardmgr_t)
 ')
 ########################################
@@ -72,12 +67,7 @@ interface(`pcmcia_domtrans_cardctl',`
 type cardmgr_t, cardctl_exec_t;
 ')
- domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
-
- allow $1 cardmgr_t:fd use;
- allow cardmgr_t $1:fd use;
- allow cardmgr_t $1:fifo_file rw_file_perms;
- allow cardmgr_t $1:process sigchld;
+ domtrans_pattern($1,cardctl_exec_t,cardmgr_t)
 ')
 ########################################
@@ -128,9 +118,7 @@ interface(`pcmcia_read_pid',`
 ')
 files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir r_dir_perms;
- allow $1 cardmgr_var_run_t:file r_file_perms;
- allow $1 cardmgr_var_run_t:lnk_file { getattr read };
+ read_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
 ')
 ########################################
@@ -150,8 +138,7 @@ interface(`pcmcia_manage_pid',`
 ')
 files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir rw_dir_perms;
- allow $1 cardmgr_var_run_t:file create_file_perms;
+ manage_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
 ')
 ########################################
@@ -171,6 +158,5 @@ interface(`pcmcia_manage_pid_chr_files',`
 ')
 files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir rw_dir_perms;
- allow $1 cardmgr_var_run_t:chr_file create_file_perms;
+ manage_chr_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
 ')
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 7e6f19c..01aa654 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
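Review bot: The pcmcia_read_pid hunk drops `allow $1 cardmgr_var_run_t:lnk_file { getattr read };` and the replacement `read_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)` covers only the directory and file classes, so symlink reads under the cardmgr pid directory are no longer granted; the other read conversions in this commit pair read_files_pattern with `read_lnk_files_pattern` whenever the old rules had lnk_file access (miscfiles_read_certs, lvm_t's lvm_etc_t rules). Add `read_lnk_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)`, or if lnk_file access was never needed here, say so in the commit message. The old `dir r_dir_perms` is also narrowed to what the pattern grants on the directory; confirm that no caller lists that directory.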
@@ -33,19 +33,18 @@ domain_entry_file(cardmgr_t,cardctl_exec_t)
 allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
 dontaudit cardmgr_t self:capability sys_tty_config;
 allow cardmgr_t self:process signal_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
+allow cardmgr_t self:fifo_file rw_fifo_file_perms;
 allow cardmgr_t self:unix_dgram_socket create_socket_perms;
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms;
 dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
 # Create stab file
-allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
-allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(cardmgr_t,cardmgr_var_lib_t,cardmgr_var_lib_t)
 files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file)
-allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
+allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
 files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file)
 kernel_read_system_state(cardmgr_t)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index 04673a8..cfe72e8 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -16,12 +16,7 @@ interface(`raid_domtrans_mdadm',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,mdadm_exec_t,mdadm_t)
-
- allow $1 mdadm_t:fd use;
- allow mdadm_t $1:fd use;
- allow mdadm_t $1:fifo_file rw_file_perms;
- allow mdadm_t $1:process sigchld;
+ domtrans_pattern($1,mdadm_exec_t,mdadm_t)
 ')
 ########################################
@@ -50,5 +45,5 @@ interface(`raid_manage_mdadm_pid',`
 # FIXME: maybe should have a type_transition. not
 # clear what this is doing, from the original
 # mdadm policy
- allow $1 mdadm_var_run_t:file create_file_perms;
+ allow $1 mdadm_var_run_t:file manage_file_perms;
 ')
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 1ba3328..2df5d53 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -22,10 +22,9 @@ files_pid_file(mdadm_var_run_t)
 allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
 dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
-allow mdadm_t self:fifo_file rw_file_perms;
+allow mdadm_t self:fifo_file rw_fifo_file_perms;
-allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;
-allow mdadm_t mdadm_var_run_t:file create_file_perms;
+manage_files_pattern(mdadm_t,mdadm_var_run_t,mdadm_var_run_t)
 files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
 kernel_read_system_state(mdadm_t)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index b0b5b81..72725a1 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -17,12 +17,7 @@ interface(`seutil_domtrans_checkpolicy',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
-
- allow $1 checkpolicy_t:fd use;
- allow checkpolicy_t $1:fd use;
- allow checkpolicy_t $1:fifo_file rw_file_perms;
- allow checkpolicy_t $1:process sigchld;
+ domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
 ')
 ########################################
@@ -95,12 +90,7 @@ interface(`seutil_domtrans_loadpolicy',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,load_policy_exec_t,load_policy_t)
-
- allow $1 load_policy_t:fd use;
- allow load_policy_t $1:fd use;
- allow load_policy_t $1:fifo_file rw_file_perms;
- allow load_policy_t $1:process sigchld;
+ domtrans_pattern($1,load_policy_exec_t,load_policy_t)
 ')
 ########################################
@@ -171,7 +161,7 @@ interface(`seutil_read_loadpolicy',`
 ')
 corecmd_search_sbin($1)
- allow $1 load_policy_exec_t:file r_file_perms;
+ allow $1 load_policy_exec_t:file read_file_perms;
 ')
 #######################################
@@ -191,12 +181,7 @@ interface(`seutil_domtrans_newrole',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,newrole_exec_t,newrole_t)
-
- allow $1 newrole_t:fd use;
- allow newrole_t $1:fd use;
- allow newrole_t $1:fifo_file rw_file_perms;
- allow newrole_t $1:process sigchld;
+ domtrans_pattern($1,newrole_exec_t,newrole_t)
 ')
 ########################################
@@ -323,12 +308,7 @@ interface(`seutil_domtrans_restorecon',`
 ')
 corecmd_search_sbin($1)
- domain_auto_trans($1,restorecon_exec_t,restorecon_t)
-
- allow $1 restorecon_t:fd use;
- allow restorecon_t $1:fd use;
- allow restorecon_t $1:fifo_file rw_file_perms;
- allow restorecon_t $1:process sigchld;
+ domtrans_pattern($1,restorecon_exec_t,restorecon_t)
 ')
 ########################################
@@ -401,12 +381,7 @@ interface(`seutil_domtrans_runinit',`
 files_search_usr($1)
 corecmd_search_sbin($1)
- domain_auto_trans($1,run_init_exec_t,run_init_t)
-
- allow $1 run_init_t:fd use;
- allow run_init_t $1:fd use;
- allow run_init_t $1:fifo_file rw_file_perms;
- allow run_init_t $1:process sigchld;
+ domtrans_pattern($1,run_init_exec_t,run_init_t)
 ')
 ########################################
@@ -432,7 +407,6 @@ interface(`seutil_init_script_domtrans_runinit',`
 init_script_file_domtrans($1,run_init_t)
- allow $1 run_init_t:fd use;
 allow run_init_t $1:fd use;
 allow run_init_t $1:fifo_file rw_file_perms;
 allow run_init_t $1:process sigchld;
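Review bot: The last hunk removes only `allow $1 run_init_t:fd use;` from seutil_init_script_domtrans_runinit and keeps the other three hand-written rules, which leaves this interface granting a different set from what seutil_domtrans_runinit directly above now gets from domtrans_pattern (both fd directions). If the caller-side fd use was dropped on purpose, a short comment such as `# caller-side fd use is intentionally not granted here` next to the remaining three rules would make the asymmetry visibly deliberate; otherwise restore the line. The enclosing interface continues past the end of the hunk.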
@@ -552,12 +526,7 @@ interface(`seutil_domtrans_setfiles',`
 files_search_usr($1)
 corecmd_search_sbin($1)
- domain_auto_trans($1,setfiles_exec_t,setfiles_t)
-
- allow $1 setfiles_t:fd use;
- allow setfiles_t $1:fd use;
- allow setfiles_t $1:fifo_file rw_file_perms;
- allow setfiles_t $1:process sigchld;
+ domtrans_pattern($1,setfiles_exec_t,setfiles_t)
 ')
 ########################################
@@ -669,9 +638,9 @@ interface(`seutil_read_config',`
 ')
 files_search_etc($1)
- allow $1 selinux_config_t:dir r_dir_perms;
- allow $1 selinux_config_t:file r_file_perms;
- allow $1 selinux_config_t:lnk_file { getattr read };
+ allow $1 selinux_config_t:dir list_dir_perms;
+ read_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
 ')
 ########################################
@@ -692,7 +661,7 @@ interface(`seutil_rw_config',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir list_dir_perms;
- allow $1 selinux_config_t:file rw_file_perms;
+ rw_files_pattern($1,selinux_config_t,selinux_config_t)
 ')
 #######################################
@@ -713,9 +682,8 @@ interface(`seutil_manage_selinux_config',`
 ')
 files_search_etc($1)
- allow $1 selinux_config_t:dir rw_dir_perms;
- allow $1 selinux_config_t:file manage_file_perms;
- allow $1 selinux_config_t:lnk_file { getattr read };
+ manage_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
 ')
 #######################################
@@ -755,7 +723,7 @@ interface(`seutil_search_default_contexts',`
 ')
 files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search;
+ search_dirs_pattern($1,selinux_config_t,default_context_t)
 ')
 ########################################
@@ -777,7 +745,7 @@ interface(`seutil_read_default_contexts',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
 allow $1 default_context_t:dir list_dir_perms;
- allow $1 default_context_t:file r_file_perms;
+ read_files_pattern($1,default_context_t,default_context_t)
 ')
 ########################################
@@ -797,8 +765,7 @@ interface(`seutil_manage_default_contexts',`
 files_search_etc($1)
 allow $1 selinux_config_t:dir search_dir_perms;
- allow $1 default_context_t:dir rw_dir_perms;
- allow $1 default_context_t:file manage_file_perms;
+ manage_files_pattern($1,default_context_t,default_context_t)
 ')
 ########################################
@@ -814,14 +781,12 @@ interface(`seutil_manage_default_contexts',`
 #
 interface(`seutil_read_file_contexts',`
 gen_require(`
- type selinux_config_t, file_context_t;
+ type selinux_config_t, default_context_t, file_context_t;
 ')
 files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file r_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ read_files_pattern($1,file_context_t,file_context_t)
 ')
 ########################################
@@ -840,10 +805,8 @@ interface(`seutil_rw_file_contexts',`
 ')
 files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file rw_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ rw_files_pattern($1,file_context_t,file_context_t)
 ')
 ########################################
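Review bot: seutil_read_file_contexts and seutil_rw_file_contexts (the `@@ -814` and `@@ -840` hunks) both drop `allow $1 file_context_t:lnk_file { getattr read };` and `allow $1 file_context_t:dir r_dir_perms;` with nothing taking over the symlink or directory-listing access, whereas seutil_read_config earlier in this file keeps a `read_lnk_files_pattern` call and an explicit `list_dir_perms` line for the same kind of conversion. A caller that reaches file_contexts through a symlink, or enumerates the file_context_t directory, will now be denied. Add `read_lnk_files_pattern($1,file_context_t,file_context_t)` and `allow $1 file_context_t:dir list_dir_perms;` to both interfaces, or record the narrowing in their doc blocks (outside the hunks).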
@@ -864,8 +827,7 @@ interface(`seutil_manage_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - allow $1 file_context_t:dir rw_dir_perms; - allow $1 file_context_t:file manage_file_perms; + manage_files_pattern($1,file_context_t,file_context_t) ') ######################################## @@ -884,9 +846,8 @@ interface(`seutil_read_bin_policy',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 policy_config_t:dir r_dir_perms; - allow $1 policy_config_t:file r_file_perms; + allow $1 selinux_config_t:dir search_dir_perms; + read_files_pattern($1,policy_config_t,policy_config_t) ') ######################################## @@ -906,9 +867,9 @@ interface(`seutil_create_bin_policy',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 policy_config_t:dir ra_dir_perms; - allow $1 policy_config_t:file { getattr create write }; + allow $1 selinux_config_t:dir search_dir_perms; + create_files_pattern($1,policy_config_t,policy_config_t) + write_files_pattern($1,policy_config_t,policy_config_t) # typeattribute $1 can_write_binary_policy; ') @@ -950,9 +911,8 @@ interface(`seutil_manage_bin_policy',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 policy_config_t:dir rw_dir_perms; - allow $1 policy_config_t:file create_file_perms; + allow $1 selinux_config_t:dir search_dir_perms; + manage_files_pattern($1,policy_config_t,policy_config_t) typeattribute $1 can_write_binary_policy; ') @@ -972,9 +932,8 @@ interface(`seutil_read_src_policy',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 policy_src_t:dir r_dir_perms; - allow $1 policy_src_t:file r_file_perms; + list_dirs_pattern($1,selinux_config_t,policy_src_t) + read_files_pattern($1,policy_src_t,policy_src_t) ') ######################################## 
@@ -995,9 +954,9 @@ interface(`seutil_manage_src_policy',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search; - allow $1 policy_src_t:dir create_dir_perms; - allow $1 policy_src_t:file create_file_perms; + allow $1 selinux_config_t:dir search_dir_perms; + manage_dirs_pattern($1,policy_src_t,policy_src_t) + manage_files_pattern($1,policy_src_t,policy_src_t) ') ######################################## @@ -1017,12 +976,7 @@ interface(`seutil_domtrans_semanage',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,semanage_exec_t,semanage_t) - - allow $1 semanage_t:fd use; - allow semanage_t $1:fd use; - allow semanage_t $1:fifo_file rw_file_perms; - allow semanage_t $1:process sigchld; + domtrans_pattern($1,semanage_exec_t,semanage_t) ') ######################################## @@ -1075,11 +1029,9 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) - allow $1 selinux_config_t:dir rw_dir_perms; - type_transition $1 selinux_config_t:dir semanage_store_t; - - allow $1 semanage_store_t:dir create_dir_perms; - allow $1 semanage_store_t:file create_file_perms; + manage_dirs_pattern($1,selinux_config_t,semanage_store_t) + manage_files_pattern($1,semanage_store_t,semanage_store_t) + filetrans_pattern($1,selinux_config_t,semanage_store_t,dir) ') ####################################### @@ -1098,8 +1050,7 @@ interface(`seutil_get_semanage_read_lock',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - allow $1 semanage_read_lock_t:file rw_file_perms; + rw_files_pattern($1,selinux_config_t,semanage_read_lock_t) ') ####################################### @@ -1118,6 +1069,5 @@ interface(`seutil_get_semanage_trans_lock',` ') files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - allow $1 semanage_trans_lock_t:file rw_file_perms; + rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) ') 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 9e946e4..274e02b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -140,18 +140,15 @@ ifdef(`distro_redhat',` allow checkpolicy_t self:capability dac_override; # able to create and modify binary policy files -allow checkpolicy_t policy_config_t:dir rw_dir_perms; -allow checkpolicy_t policy_config_t:file create_file_perms; +manage_files_pattern(checkpolicy_t,policy_config_t,policy_config_t) # allow test policies to be created in src directories -allow checkpolicy_t policy_src_t:dir rw_dir_perms; -type_transition checkpolicy_t policy_src_t:file policy_config_t; +filetrans_add_pattern(checkpolicy_t,policy_src_t,policy_config_t,file) # only allow read of policy source files -allow checkpolicy_t policy_src_t:dir r_dir_perms; -allow checkpolicy_t policy_src_t:file r_file_perms; -allow checkpolicy_t policy_src_t:lnk_file r_file_perms; -allow checkpolicy_t selinux_config_t:dir search; +read_files_pattern(checkpolicy_t,policy_src_t,policy_src_t) +read_lnk_files_pattern(checkpolicy_t,policy_src_t,policy_src_t) +allow checkpolicy_t selinux_config_t:dir search_dir_perms; fs_getattr_xattr_fs(checkpolicy_t) 
@@ -184,14 +181,10 @@ ifdef(`targeted_policy',` allow load_policy_t self:capability dac_override; # only allow read of policy config files -allow load_policy_t policy_src_t:dir search; -allow load_policy_t policy_config_t:dir r_dir_perms; -allow load_policy_t policy_config_t:file r_file_perms; -allow load_policy_t policy_config_t:lnk_file r_file_perms; +read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t) -allow load_policy_t selinux_config_t:dir r_dir_perms; -allow load_policy_t selinux_config_t:file r_file_perms; -allow load_policy_t selinux_config_t:lnk_file r_file_perms; +read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t) +read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t) domain_use_interactive_fds(load_policy_t) @@ -242,8 +235,8 @@ allow newrole_t self:capability { fowner setuid setgid dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -allow newrole_t self:fifo_file rw_file_perms; -allow newrole_t self:sock_file r_file_perms; +allow newrole_t self:fifo_file rw_fifo_file_perms; +allow newrole_t self:sock_file read_sock_file_perms; allow newrole_t self:shm create_shm_perms; allow newrole_t self:sem create_sem_perms; allow newrole_t self:msgq create_msgq_perms; 
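Review bot: `allow load_policy_t policy_config_t:lnk_file r_file_perms;` is removed and the new read_files_pattern call does not cover lnk_file, while the selinux_config_t rules right below keep their symlink read through read_lnk_files_pattern. If the binary policy path is ever a symlink, load_policy_t is now denied; `read_lnk_files_pattern(load_policy_t,policy_config_t,policy_config_t)` restores it. The same call also narrows policy_config_t:dir from r_dir_perms to search, which looks intentional given the comment above the block but deserves a line in the changelog.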
@@ -252,10 +245,11 @@ allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +read_files_pattern(newrole_t,selinux_config_t,selinux_config_t) +read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t) -allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; -allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; -allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; +read_files_pattern(newrole_t,default_context_t,default_context_t) +read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) kernel_read_system_state(newrole_t) kernel_read_kernel_sysctls(newrole_t) @@ -339,7 +333,7 @@ optional_policy(` allow restorecon_t self:capability { dac_override dac_read_search fowner }; dontaudit restorecon_t self:capability sys_tty_config; -allow restorecon_t self:fifo_file rw_file_perms; +allow restorecon_t self:fifo_file rw_fifo_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; @@ -427,10 +421,10 @@ optional_policy(` # allow restorecond_t self:capability { dac_override dac_read_search fowner }; -allow restorecond_t self:fifo_file rw_file_perms; +allow restorecond_t self:fifo_file rw_fifo_file_perms; allow restorecond_t self:netlink_route_socket r_netlink_socket_perms; -allow restorecond_t restorecond_var_run_t:file create_file_perms; +allow restorecond_t restorecond_var_run_t:file manage_file_perms; files_pid_filetrans(restorecond_t,restorecond_var_run_t, file) kernel_use_fds(restorecond_t) 
@@ -562,8 +556,8 @@ allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_r allow semanage_t policy_config_t:file { read write }; -allow semanage_t semanage_tmp_t:dir create_dir_perms; -allow semanage_t semanage_tmp_t:file create_file_perms; +allow semanage_t semanage_tmp_t:dir manage_dir_perms; +allow semanage_t semanage_tmp_t:file manage_file_perms; files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) kernel_read_system_state(semanage_t) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if index 8c1c7ce..67b99fa 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -16,11 +16,7 @@ interface(`setrans_translate_context',` ') allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 setrans_t:context translate; - allow $1 setrans_t:unix_stream_socket connectto; - allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms; - allow $1 setrans_var_run_t:sock_file rw_file_perms; - allow $1 setrans_var_run_t:dir search_dir_perms; + stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 71c1a90..0d6e890 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -37,9 +37,8 @@ can_exec(setrans_t, setrans_exec_t) corecmd_search_sbin(setrans_t) # create unix domain socket in /var -allow setrans_t setrans_var_run_t:sock_file manage_file_perms; -allow setrans_t setrans_var_run_t:file manage_file_perms; -allow setrans_t setrans_var_run_t:dir rw_dir_perms; +manage_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t) +manage_sock_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t) files_pid_filetrans(setrans_t,setrans_var_run_t,file) kernel_read_kernel_sysctls(setrans_t) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index c8813eb..3a0ba46 100644 
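Review bot: stream_connect_pattern in setrans_translate_context does not carry `allow $1 setrans_t:context translate;`, which this hunk removes; the pattern covers the dir search, the sock_file write and the unix_stream_socket connectto, but the context class permission is separate from all three. Callers using this interface will get past the socket connect and then fail the translate check. Keep the line next to the pattern: `allow $1 setrans_t:context translate;`. Dropping `setrans_var_run_t:unix_stream_socket rw_socket_perms` is presumably fine since a client only needs write on the sock_file to connect, but that part is inferred.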
--- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -16,12 +16,7 @@ interface(`sysnet_domtrans_dhcpc',` ') corecmd_search_sbin($1) - domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) - - allow $1 dhcpc_t:fd use; - allow dhcpc_t $1:fd use; - allow dhcpc_t $1:fifo_file rw_file_perms; - allow dhcpc_t $1:process sigchld; + domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) ') ######################################## @@ -222,7 +217,7 @@ interface(`sysnet_read_config',` ') files_search_etc($1) - allow $1 net_conf_t:file r_file_perms; + allow $1 net_conf_t:file read_file_perms; ') ####################################### @@ -240,7 +235,7 @@ interface(`sysnet_dontaudit_read_config',` type net_conf_t; ') - dontaudit $1 net_conf_t:file r_file_perms; + dontaudit $1 net_conf_t:file read_file_perms; ') ####################################### @@ -277,7 +272,7 @@ interface(`sysnet_manage_config',` type net_conf_t; ') - allow $1 net_conf_t:file create_file_perms; + allow $1 net_conf_t:file manage_file_perms; ') ####################################### @@ -333,12 +328,7 @@ interface(`sysnet_domtrans_ifconfig',` ') corecmd_search_sbin($1) - domain_auto_trans($1, ifconfig_exec_t, ifconfig_t) - - allow $1 ifconfig_t:fd use; - allow ifconfig_t $1:fd use; - allow ifconfig_t $1:fifo_file rw_file_perms; - allow ifconfig_t $1:process sigchld; + domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) ') ######################################## @@ -410,8 +400,7 @@ interface(`sysnet_read_dhcp_config',` ') files_search_etc($1) - allow $1 dhcp_etc_t:dir search; - allow $1 dhcp_etc_t:file { getattr read }; + read_files_pattern($1,dhcp_etc_t,dhcp_etc_t) ') ######################################## @@ -430,7 +419,7 @@ interface(`sysnet_search_dhcp_state',` ') files_search_var_lib($1) - allow $1 dhcp_state_t:dir search; + allow $1 dhcp_state_t:dir search_dir_perms; ') ######################################## 
@@ -469,8 +458,7 @@ interface(`sysnet_dhcp_state_filetrans',` ') files_search_var_lib($1) - allow $1 dhcp_state_t:dir rw_dir_perms; - type_transition $1 dhcp_state_t:$3 $2; + filetrans_pattern($1,dhcp_state_t,$2,$3) ') ######################################## @@ -503,7 +491,7 @@ interface(`sysnet_dns_name_resolve',` corenet_sendrecv_dns_client_packets($1) files_search_etc($1) - allow $1 net_conf_t:file r_file_perms; + allow $1 net_conf_t:file read_file_perms; ') ######################################## @@ -531,7 +519,7 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) files_search_etc($1) - allow $1 net_conf_t:file r_file_perms; + allow $1 net_conf_t:file read_file_perms; ') ######################################## @@ -563,5 +551,5 @@ interface(`sysnet_use_portmap',` corenet_sendrecv_portmap_client_packets($1) files_search_etc($1) - allow $1 net_conf_t:file r_file_perms; + allow $1 net_conf_t:file read_file_perms; ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 5d18e40..8161430 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -52,39 +52,32 @@ allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; -allow dhcpc_t dhcp_etc_t:dir r_dir_perms; -allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms; -allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans }; +allow dhcpc_t dhcp_etc_t:dir list_dir_perms; +read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) +exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) -allow dhcpc_t dhcp_state_t:dir rw_dir_perms; allow dhcpc_t dhcp_state_t:file { getattr read }; -allow dhcpc_t dhcpc_state_t:dir rw_dir_perms; -allow dhcpc_t dhcpc_state_t:file create_file_perms; -type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t; +manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) +filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) # create pid file -allow dhcpc_t dhcpc_var_run_t:file create_file_perms; -allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms; +manage_files_pattern(dhcpc_t,dhcpc_var_run_t,dhcpc_var_run_t) files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. 
-allow dhcpc_t net_conf_t:file create_file_perms; +allow dhcpc_t net_conf_t:file manage_file_perms; files_etc_filetrans(dhcpc_t,net_conf_t,file) # create temp files -allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms; -allow dhcpc_t dhcpc_tmp_t:file create_file_perms; +manage_dirs_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t) +manage_files_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t) files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir }) can_exec(dhcpc_t, dhcpc_exec_t) # transition to ifconfig -domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t) -allow dhcpc_t ifconfig_t:fd use; -allow ifconfig_t dhcpc_t:fd use; -allow ifconfig_t dhcpc_t:fifo_file rw_file_perms; -allow ifconfig_t dhcpc_t:process sigchld; +domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t) kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) @@ -259,8 +252,8 @@ allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:fd use; -allow ifconfig_t self:fifo_file rw_file_perms; -allow ifconfig_t self:sock_file r_file_perms; +allow ifconfig_t self:fifo_file rw_fifo_file_perms; +allow ifconfig_t self:sock_file read_sock_file_perms; allow ifconfig_t self:socket create_socket_perms; allow ifconfig_t self:unix_dgram_socket create_socket_perms; allow ifconfig_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 6aa57ce..573a890 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -15,12 +15,7 @@ interface(`udev_domtrans',` type udev_t, udev_exec_t; ') - domain_auto_trans($1, udev_exec_t, udev_t) - - allow $1 udev_t:fd use; - allow udev_t $1:fd use; - allow udev_t $1:fifo_file rw_file_perms; - allow udev_t $1:process sigchld; + domtrans_pattern($1, udev_exec_t, udev_t) ') ######################################## 
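Review bot: `allow dhcpc_t dhcp_state_t:file { getattr read };` is left as a raw rule in the middle of a block that was otherwise converted to pattern macros, so the dhcp_state_t access is now split between this line and the filetrans_pattern call that follows it. For consistency with the surrounding rewrite it could become `read_files_pattern(dhcpc_t,dhcp_state_t,dhcp_state_t)`, which is slightly broader (read_file_perms instead of `{ getattr read }`) but matches how the sysnet_read_dhcp_config hunk earlier in this commit treated dhcp_etc_t. This hunk begins on the previous line.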
@@ -38,12 +33,7 @@ interface(`udev_helper_domtrans',` type udev_t, udev_helper_exec_t; ') - domain_auto_trans($1, udev_helper_exec_t, udev_t) - - allow $1 udev_t:fd use; - allow udev_t $1:fd use; - allow udev_t $1:fifo_file rw_file_perms; - allow udev_t $1:process sigchld; + domtrans_pattern($1, udev_helper_exec_t, udev_t) ') ######################################## @@ -62,8 +52,8 @@ interface(`udev_read_state',` ') kernel_search_proc($1) - allow $1 udev_t:file r_file_perms; - allow $1 udev_t:lnk_file r_file_perms; + allow $1 udev_t:file read_file_perms; + allow $1 udev_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -120,7 +110,7 @@ interface(`udev_read_db',` ') dev_list_all_dev_nodes($1) - allow $1 udev_tdb_t:file r_file_perms; + allow $1 udev_tdb_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 87555e6..79f454e 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -44,8 +44,8 @@ dontaudit udev_t self:capability sys_tty_config; allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; -allow udev_t self:fifo_file rw_file_perms; -allow udev_t self:sock_file r_file_perms; +allow udev_t self:fifo_file rw_fifo_file_perms; +allow udev_t self:sock_file read_file_perms; allow udev_t self:shm create_shm_perms; allow udev_t self:sem create_sem_perms; allow udev_t self:msgq create_msgq_perms; 
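Review bot: `allow udev_t self:sock_file read_file_perms;` in the udev.te hunk applies the file permission set to a sock_file, while the identical rewrite for newrole_t and ifconfig_t elsewhere in this commit uses `read_sock_file_perms`. The two sets are presumably equivalent today, but mixing them undercuts the per-class sets this commit is introducing. Suggest `allow udev_t self:sock_file read_sock_file_perms;`.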
@@ -59,17 +59,16 @@ allow udev_t self:rawip_socket create_socket_perms; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -allow udev_t udev_helper_exec_t:dir r_dir_perms; +allow udev_t udev_helper_exec_t:dir list_dir_perms; # read udev config -allow udev_t udev_etc_t:file r_file_perms; +allow udev_t udev_etc_t:file read_file_perms; # create udev database in /dev/.udevdb -allow udev_t udev_tbl_t:file create_file_perms; +allow udev_t udev_tbl_t:file manage_file_perms; dev_filetrans(udev_t,udev_tbl_t,file) -allow udev_t udev_var_run_t:file create_file_perms; -allow udev_t udev_var_run_t:dir rw_dir_perms; +manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t) files_pid_filetrans(udev_t,udev_var_run_t,file) kernel_read_system_state(udev_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 9f4f7ec..2c7c721 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -19,7 +19,7 @@ interface(`unconfined_domain_noaudit',` # Use any Linux capability. allow $1 self:capability *; - allow $1 self:fifo_file create_file_perms; + allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; @@ -130,12 +130,7 @@ interface(`unconfined_domtrans',` type unconfined_t, unconfined_exec_t; ') - domain_auto_trans($1,unconfined_exec_t,unconfined_t) - - allow $1 unconfined_t:fd use; - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; + domtrans_pattern($1,unconfined_exec_t,unconfined_t) ') ######################################## @@ -184,6 +179,9 @@ interface(`unconfined_shell_domtrans',` ') corecmd_shell_domtrans($1,unconfined_t) + allow unconfined_t $1:fd use; + allow unconfined_t $1:fifo_file rw_file_perms; + allow unconfined_t $1:process sigchld; ') ######################################## 
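Review bot: The three rules added to unconfined_shell_domtrans after corecmd_shell_domtrans carry no comment explaining why they are spelled out here when every other domtrans interface in this commit gets them from domtrans_pattern. Presumably corecmd_shell_domtrans does not grant the caller-side fd, fifo and sigchld access; if so, a one-line comment above them such as `# corecmd_shell_domtrans does not grant the caller-side fd/fifo/sigchld rules that domtrans_pattern does` saves the next reader from re-deriving it. These give unconfined_t access to the caller's descriptors and pipes, which is consistent with the rest of the domtrans rewrite.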
@@ -218,10 +216,7 @@ interface(`unconfined_domtrans_to',` type unconfined_t; ') - domain_auto_trans(unconfined_t,$2,$1) - allow $1 unconfined_t:fd use; - allow $1 unconfined_t:fifo_file rw_file_perms; - allow $1 unconfined_t:process sigchld; + domtrans_pattern(unconfined_t,$2,$1) ') ######################################## @@ -311,7 +306,7 @@ interface(`unconfined_read_pipes',` type unconfined_t; ') - allow $1 unconfined_t:fifo_file r_file_perms; + allow $1 unconfined_t:fifo_file read_fifo_file_perms; ') ######################################## @@ -347,7 +342,7 @@ interface(`unconfined_rw_pipes',` type unconfined_t; ') - allow $1 unconfined_t:fifo_file rw_file_perms; + allow $1 unconfined_t:fifo_file rw_fifo_file_perms; ') ######################################## diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 240ff34..0f1edf6 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -48,7 +48,7 @@ template(`userdom_base_user_template',` allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession }; allow $1_t self:fd use; - allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow $1_t self:shm create_shm_perms; @@ -61,7 +61,7 @@ template(`userdom_base_user_template',` allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; term_create_pty($1_t,$1_devpts_t) - allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; + allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; kernel_read_kernel_sysctls($1_t) kernel_dontaudit_list_unlabeled($1_t) 
@@ -171,12 +171,13 @@ template(`userdom_ro_home_template',` # # read-only home directory - allow $1_t $1_home_t:file { read_file_perms entrypoint }; - allow $1_t $1_home_t:lnk_file read_file_perms; - allow $1_t $1_home_t:dir list_dir_perms; - allow $1_t $1_home_t:sock_file read_file_perms; - allow $1_t $1_home_t:fifo_file read_file_perms; allow $1_t $1_home_dir_t:dir list_dir_perms; + allow $1_t $1_home_t:dir list_dir_perms; + allow $1_t $1_home_t:file entrypoint; + read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) + read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) + read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) + read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` 
@@ -257,15 +258,23 @@ template(`userdom_manage_home_template',` # # full control of the home directory - allow $1_t $1_home_t:file { manage_file_perms relabelfrom relabelto entrypoint }; - allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto }; - allow $1_t $1_home_t:dir { manage_dir_perms relabelfrom relabelto }; - allow $1_t $1_home_t:sock_file { manage_file_perms relabelfrom relabelto }; - allow $1_t $1_home_t:fifo_file { manage_file_perms relabelfrom relabelto }; - allow $1_t $1_home_dir_t:dir { manage_dir_perms relabelfrom relabelto }; - type_transition $1_t $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t; + allow $1_t $1_home_t:file entrypoint; + manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) + filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) files_list_home($1_t) + # cjp: this should probably be removed: + allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_t) fs_manage_nfs_files($1_t) 
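Review bot: The `# cjp: this should probably be removed:` comment does not record what the rule beneath it uniquely grants, which is exactly what the removal decision needs. With $1_home_dir_t used only as the container argument, manage_dirs_pattern gives it just rw_dir_perms and relabel_dirs_pattern grants relabel only on $1_home_t, so this line is the sole source of create, rmdir, rename and relabel on the home directory itself. Suggest replacing the comment with `# cjp: only source of manage_dir_perms/relabel_dir_perms on the $1_home_dir_t directory itself; remove once no user domain needs to create, rename or relabel its own home dir`.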
@@ -363,11 +372,11 @@ template(`userdom_manage_tmp_template',` type $1_tmp_t, $1_file_type; files_tmp_file($1_tmp_t) - allow $1_t $1_tmp_t:dir manage_dir_perms; - allow $1_t $1_tmp_t:file manage_file_perms; - allow $1_t $1_tmp_t:lnk_file create_lnk_perms; - allow $1_t $1_tmp_t:sock_file manage_file_perms; - allow $1_t $1_tmp_t:fifo_file manage_file_perms; + manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) ') @@ -384,7 +393,7 @@ template(`userdom_manage_tmp_template',` ## # template(`userdom_exec_tmp_template',` - can_exec($1_t,$1_tmp_t) + exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) ') ####################################### @@ -435,11 +444,11 @@ template(`userdom_manage_tmpfs_template',` type $1_tmpfs_t, $1_file_type; files_tmpfs_file($1_tmpfs_t) - allow $1_t $1_tmpfs_t:dir rw_dir_perms; - allow $1_t $1_tmpfs_t:file manage_file_perms; - allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms; - allow $1_t $1_tmpfs_t:sock_file manage_file_perms; - allow $1_t $1_tmpfs_t:fifo_file manage_file_perms; + manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) + manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) + manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) + manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) + manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ') 
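Review bot: In userdom_manage_tmpfs_template the dir rule moves from `rw_dir_perms` to manage_dirs_pattern, which grants manage_dir_perms on $1_tmpfs_t, so user domains gain create, rmdir and rename on their tmpfs directories where they previously had only read/write. That aligns it with userdom_manage_tmp_template in the hunk above, which already had manage_dir_perms, and with the template's name, but it is a widening rather than a pure macro conversion and should be called out in the changelog. If the old scope was deliberate, keep `allow $1_t $1_tmpfs_t:dir rw_dir_perms;` and drop the manage_dirs_pattern line.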
@@ -472,13 +481,13 @@ template(`userdom_untrusted_content_template',` files_tmp_file($1_untrusted_content_tmp_t) # Allow user to relabel untrusted content - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabelto relabelfrom }; - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename }; + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabel_file_perms rename }; tunable_policy(`read_untrusted_content',` allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms; - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms; - allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read }; + read_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t }) + read_lnk_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t }) ',` dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms; dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms; 
@@ -952,12 +961,12 @@ template(`userdom_unpriv_user_template', ` # # privileged home directory writers - allow privhome $1_home_t:file manage_file_perms; - allow privhome $1_home_t:lnk_file create_lnk_perms; - allow privhome $1_home_t:dir manage_dir_perms; - allow privhome $1_home_t:sock_file manage_file_perms; - allow privhome $1_home_t:fifo_file manage_file_perms; - type_transition privhome $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t; + manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) corecmd_exec_all_executables($1_t) @@ -1656,7 +1665,7 @@ template(`userdom_search_user_home_dirs',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir { getattr search }; + allow $2 $1_home_dir_t:dir search_dir_perms; ') ######################################## @@ -1690,7 +1699,7 @@ template(`userdom_list_user_home_dirs',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir r_dir_perms; + allow $2 $1_home_dir_t:dir list_dir_perms; ') ######################################## @@ -1772,7 +1781,7 @@ template(`userdom_dontaudit_list_user_home_dirs',` type $1_home_dir_t; ') - dontaudit $2 $1_home_dir_t:dir r_dir_perms; + dontaudit $2 $1_home_dir_t:dir list_dir_perms; ') ######################################## @@ -1808,8 +1817,7 @@ template(`userdom_manage_user_home_content_dirs',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir rw_dir_perms; - allow $2 $1_home_t:dir manage_dir_perms; + manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') ######################################## 
@@ -1878,9 +1886,7 @@ template(`userdom_read_user_home_content_files',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir search_dir_perms; - allow $2 $1_home_t:file r_file_perms; + read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') ######################################## @@ -1913,8 +1919,8 @@ template(`userdom_dontaudit_read_user_home_content_files',` type $1_home_t; ') - dontaudit $2 $1_home_t:dir r_dir_perms; - dontaudit $2 $1_home_t:file r_file_perms; + dontaudit $2 $1_home_t:dir list_dir_perms; + dontaudit $2 $1_home_t:file read_file_perms; ') ######################################## @@ -1981,9 +1987,7 @@ template(`userdom_read_user_home_content_symlinks',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir search_dir_perms; - allow $2 $1_home_t:lnk_file r_file_perms; + read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') ######################################## @@ -2017,9 +2021,7 @@ template(`userdom_exec_user_home_content_files',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir search_dir_perms; - can_exec($2,$1_home_t) + exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') ######################################## @@ -2089,8 +2091,7 @@ template(`userdom_manage_user_home_content_files',` files_search_home($2) allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir rw_dir_perms; - allow $2 $1_home_t:file create_file_perms; + manage_files_pattern($2,$1_home_t,$1_home_t) ') ######################################## @@ -2162,8 +2163,7 @@ template(`userdom_manage_user_home_content_symlinks',` files_search_home($2) allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir rw_dir_perms; - allow $2 $1_home_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($2,$1_home_t,$1_home_t) ') ######################################## 
@@ -2200,8 +2200,7 @@ template(`userdom_manage_user_home_content_pipes',` files_search_home($2) allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir rw_dir_perms; - allow $2 $1_home_t:fifo_file create_file_perms; + manage_fifo_files_pattern($2,$1_home_t,$1_home_t) ') ######################################## @@ -2238,8 +2237,7 @@ template(`userdom_manage_user_home_content_sockets',` files_search_home($2) allow $2 $1_home_dir_t:dir search_dir_perms; - allow $2 $1_home_t:dir rw_dir_perms; - allow $2 $1_home_t:sock_file create_file_perms; + manage_sock_files_pattern($2,$1_home_t,$1_home_t) ') ######################################## @@ -2288,8 +2286,7 @@ template(`userdom_user_home_dir_filetrans',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir rw_dir_perms; - type_transition $2 $1_home_dir_t:$4 $3; + filetrans_pattern($2,$1_home_dir_t,$3,$4) ') ######################################## @@ -2333,8 +2330,7 @@ template(`userdom_user_home_dir_filetrans_user_home_content',` ') files_search_home($2) - allow $2 $1_home_dir_t:dir rw_dir_perms; - type_transition $2 $1_home_dir_t:$3 $1_home_t; + filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) ') ######################################## @@ -2402,7 +2398,7 @@ template(`userdom_list_user_tmp',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir r_dir_perms; + allow $2 $1_tmp_t:dir list_dir_perms; ') ######################################## @@ -2437,7 +2433,7 @@ template(`userdom_dontaudit_list_user_tmp',` type $1_tmp_t; ') - dontaudit $2 $1_tmp_t:dir r_dir_perms; + dontaudit $2 $1_tmp_t:dir list_dir_perms; ') ######################################## @@ -2506,8 +2502,8 @@ template(`userdom_read_user_tmp_files',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir r_dir_perms; - allow $2 $1_tmp_t:file r_file_perms; + allow $2 $1_tmp_t:dir list_dir_perms; + read_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## 
@@ -2611,8 +2607,8 @@ template(`userdom_rw_user_tmp_files',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir r_dir_perms; - allow $2 $1_tmp_t:file rw_file_perms; + allow $2 $1_tmp_t:dir list_dir_perms; + rw_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2683,8 +2679,8 @@ template(`userdom_read_user_tmp_symlinks',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir r_dir_perms; - allow $2 $1_tmp_t:lnk_file r_file_perms; + allow $2 $1_tmp_t:dir list_dir_perms; + read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2720,7 +2716,7 @@ template(`userdom_manage_user_tmp_dirs',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir manage_dir_perms; + manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2756,8 +2752,7 @@ template(`userdom_manage_user_tmp_files',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir rw_dir_perms; - allow $2 $1_tmp_t:file create_file_perms; + manage_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2793,8 +2788,7 @@ template(`userdom_manage_user_tmp_symlinks',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir rw_dir_perms; - allow $2 $1_tmp_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2830,8 +2824,7 @@ template(`userdom_manage_user_tmp_pipes',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir rw_dir_perms; - allow $2 $1_tmp_t:fifo_file create_file_perms; + manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## @@ -2867,8 +2860,7 @@ template(`userdom_manage_user_tmp_sockets',` ') files_search_tmp($2) - allow $2 $1_tmp_t:dir rw_dir_perms; - allow $2 $1_tmp_t:sock_file create_file_perms; + manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t) ') ######################################## 
@@ -2916,8 +2908,7 @@ template(`userdom_user_tmp_filetrans',` type $1_tmp_t; ') - allow $2 $1_tmp_t:dir rw_dir_perms; - type_transition $2 $1_tmp_t:$4 $3; + filetrans_pattern($2,$1_tmp_t,$3,$4) files_search_tmp($2) ') @@ -2996,8 +2987,8 @@ template(`userdom_rw_user_tmpfs_files',` fs_search_tmpfs($2) allow $2 $1_tmpfs_t:dir list_dir_perms; - allow $2 $1_tmpfs_t:file rw_file_perms; - allow $2 $1_tmpfs_t:lnk_file { getattr read }; + rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) + read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ') ######################################## @@ -3030,7 +3021,7 @@ template(`userdom_list_user_untrusted_content',` type $1_untrusted_content_t; ') - allow $2 $1_untrusted_content_t:dir r_dir_perms; + allow $2 $1_untrusted_content_t:dir list_dir_perms; ') ######################################## @@ -3065,7 +3056,7 @@ template(`userdom_dontaudit_list_user_untrusted_content',` type $1_untrusted_content_t; ') - dontaudit $2 $1_untrusted_content_t:dir r_dir_perms; + dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; ') ######################################## @@ -3098,8 +3089,8 @@ template(`userdom_read_user_untrusted_content_files',` type $1_untrusted_content_t; ') - allow $2 $1_untrusted_content_t:dir r_dir_perms; - allow $2 $1_untrusted_content_t:file r_file_perms; + allow $2 $1_untrusted_content_t:dir list_dir_perms; + read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) ') ######################################## @@ -3132,8 +3123,7 @@ template(`userdom_manage_user_untrusted_content_files',` type $1_untrusted_content_t; ') - allow $2 $1_tmp_t:dir rw_dir_perms; - allow $2 $1_untrusted_content_tmp_t:file manage_file_perms; + manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) ') ######################################## 
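Review bot: The last hunk, `userdom_manage_user_untrusted_content_files`, is not a mechanical conversion like the others: the removed rules granted `$1_tmp_t:dir rw_dir_perms` and `$1_untrusted_content_tmp_t:file manage_file_perms`, whereas the new `manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)` grants rw on `$1_untrusted_content_t:dir` plus manage on its files and drops the tmp access entirely. The old rules look like a bug (the only type visible in the gen_require context is `$1_untrusted_content_t`), so the new form is probably what was intended, but any caller that only worked because of the stray `$1_tmp_t` access will now see denials. I would call this out in the Changelog entry or split it into its own commit so the behaviour change is not hidden inside the pattern-macro sweep.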
@@ -3168,7 +3158,7 @@ template(`userdom_dontaudit_read_user_untrusted_content_files',` type $1_untrusted_content_t; ') - dontaudit $2 $1_untrusted_content_t:file r_file_perms; + dontaudit $2 $1_untrusted_content_t:file read_file_perms; ') ######################################## @@ -3201,8 +3191,8 @@ template(`userdom_read_user_untrusted_content_symlinks',` type $1_untrusted_content_t; ') - allow $2 $1_untrusted_content_t:dir r_dir_perms; - allow $2 $1_untrusted_content_t:lnk_file r_file_perms; + allow $2 $1_untrusted_content_t:dir list_dir_perms; + read_lnk_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t) ') ######################################## @@ -3235,7 +3225,7 @@ template(`userdom_list_user_tmp_untrusted_content',` type $1_untrusted_content_tmp_t; ') - allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms; + allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; ') ######################################## @@ -3270,7 +3260,7 @@ template(`userdom_dontaudit_list_user_tmp_untrusted_content',` type $1_untrusted_content_tmp_t; ') - dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms; + dontaudit $2 $1_untrusted_content_tmp_t:dir list_dir_perms; ') ######################################## @@ -3303,8 +3293,8 @@ template(`userdom_read_user_tmp_untrusted_content_files',` type $1_untrusted_content_tmp_t; ') - allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms; - allow $2 $1_untrusted_content_tmp_t:file r_file_perms; + allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; + read_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) ') ######################################## 
@@ -3372,8 +3362,8 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',` type $1_untrusted_content_tmp_t; ') - allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms; - allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms; + allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms; + read_lnk_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) ') ######################################## @@ -3391,8 +3381,9 @@ interface(`userdom_read_all_untrusted_content',` attribute untrusted_content_type; ') - allow $1 untrusted_content_type:dir r_dir_perms; - allow $1 untrusted_content_type:{ file lnk_file } r_file_perms; + allow $1 untrusted_content_type:dir list_dir_perms; + read_files_pattern($1,untrusted_content_type,untrusted_content_type) + read_lnk_files_pattern($1,untrusted_content_type,untrusted_content_type) ') ######################################## @@ -3410,8 +3401,9 @@ interface(`userdom_read_all_tmp_untrusted_content',` attribute untrusted_content_tmp_type; ') - allow $1 untrusted_content_tmp_type:dir r_dir_perms; - allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms; + allow $1 untrusted_content_tmp_type:dir list_dir_perms; + read_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type) + read_lnk_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type) ') ######################################## @@ -3582,7 +3574,6 @@ interface(`userdom_spec_domtrans_all_users',` ') corecmd_shell_spec_domtrans($1,userdomain) - allow $1 userdomain:fd use; allow userdomain $1:fd use; allow userdomain $1:fifo_file rw_file_perms; allow userdomain $1:process sigchld; @@ -3606,7 +3597,6 @@ interface(`userdom_xsession_spec_domtrans_all_users',` ') xserver_xsession_spec_domtrans($1,userdomain) - allow $1 userdomain:fd use; allow userdomain $1:fd use; allow userdomain $1:fifo_file rw_file_perms; allow userdomain $1:process sigchld; 
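Review bot: In the `userdom_spec_domtrans_all_users` and `userdom_xsession_spec_domtrans_all_users` hunks the surviving hand-written rule `allow userdomain $1:fifo_file rw_file_perms;` still applies the regular-file permission set to the fifo_file class, while elsewhere this commit moves fifo_file rules to the fifo-specific set (`rw_fifo_file_perms` in `userdom_rw_sysadm_pipes` and on `xend_t self:fifo_file`). Change it to `allow userdomain $1:fifo_file rw_fifo_file_perms;` in both interfaces. The same fd/fifo_file/sigchld triple is repeated by hand in every `*_spec_domtrans_*` interface this diff touches; a small spec-domtrans pattern next to `domtrans_pattern` would stop them drifting apart again, though that presumably belongs in a follow-up.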
@@ -3630,7 +3620,6 @@ interface(`userdom_spec_domtrans_unpriv_users',` ') corecmd_shell_spec_domtrans($1,unpriv_userdomain) - allow $1 unpriv_userdomain:fd use; allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; @@ -3654,7 +3643,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` ') xserver_xsession_spec_domtrans($1,unpriv_userdomain) - allow $1 unpriv_userdomain:fd use; allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; @@ -3715,8 +3703,6 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',` ') corecmd_bin_spec_domtrans($1,unpriv_userdomain) - - allow $1 unpriv_userdomain:fd use; allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; @@ -3740,8 +3726,6 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',` ') corecmd_sbin_spec_domtrans($1,unpriv_userdomain) - - allow $1 unpriv_userdomain:fd use; allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; @@ -3765,8 +3749,6 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` ') domain_entry_file_spec_domtrans($1,unpriv_userdomain) - - allow $1 unpriv_userdomain:fd use; allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; @@ -3792,8 +3774,6 @@ interface(`userdom_shell_domtrans_sysadm',` ') corecmd_shell_domtrans($1,sysadm_t) - - allow $1 sysadm_t:fd use; allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; @@ -3816,8 +3796,6 @@ interface(`userdom_bin_spec_domtrans_sysadm',` ') corecmd_bin_spec_domtrans($1,sysadm_t) - - allow $1 sysadm_t:fd use; allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; 
@@ -3839,8 +3817,6 @@ interface(`userdom_sbin_spec_domtrans_sysadm',` ') corecmd_sbin_spec_domtrans($1,sysadm_t) - - allow $1 sysadm_t:fd use; allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; @@ -3864,8 +3840,6 @@ interface(`userdom_entry_spec_domtrans_sysadm',` ') domain_entry_file_spec_domtrans($1,sysadm_t) - - allow $1 sysadm_t:fd use; allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; @@ -3900,8 +3874,6 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',` ') corecmd_bin_spec_domtrans(sysadm_t,$1) - - allow sysadm_t $1:fd use; allow $1 sysadm_t:fd use; allow $1 sysadm_t:fifo_file rw_file_perms; allow $1 sysadm_t:process sigchld; @@ -3936,8 +3908,6 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',` ') corecmd_sbin_spec_domtrans(sysadm_t, $1) - - allow sysadm_t $1:fd use; allow $1 sysadm_t:fd use; allow $1 sysadm_t:fifo_file rw_file_perms; allow $1 sysadm_t:process sigchld; @@ -3973,8 +3943,6 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` ') domain_entry_file_spec_domtrans(sysadm_t, $1) - - allow sysadm_t $1:fd use; allow $1 sysadm_t:fd use; allow $1 sysadm_t:fifo_file rw_file_perms; allow $1 sysadm_t:process sigchld; @@ -4100,8 +4068,9 @@ interface(`userdom_read_staff_home_content_files',` ') files_search_home($1) - allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms; - allow $1 staff_home_t:{ file lnk_file } r_file_perms; + allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; + read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) + read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) ') ######################################## @@ -4319,7 +4288,7 @@ interface(`userdom_rw_sysadm_pipes',` type sysadm_t; ') - allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:fifo_file rw_fifo_file_perms; ') ') 
@@ -4510,8 +4479,7 @@ interface(`userdom_sysadm_home_dir_filetrans',` type sysadm_home_dir_t; ') - allow $1 sysadm_home_dir_t:dir rw_dir_perms; - type_transition $1 sysadm_home_dir_t:$3 $2; + filetrans_pattern($1,sysadm_home_dir_t,$2,$3) ') ######################################## @@ -4549,8 +4517,9 @@ interface(`userdom_read_sysadm_home_content_files',` ') files_search_home($1) - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms; - allow $1 sysadm_home_t:{ file lnk_file } r_file_perms; + allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; + read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) + read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) ',` userdom_read_generic_user_home_content_files($1) ') @@ -4574,7 +4543,8 @@ interface(`userdom_read_sysadm_tmp_files',` files_search_tmp($1) allow $1 sysadm_tmp_t:dir list_dir_perms; - allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms; + read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) + read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) ',` files_read_generic_tmp_files($1) ') @@ -4671,8 +4641,8 @@ interface(`userdom_read_all_users_home_content_files',` ') files_list_home($1) - allow $1 home_type:dir r_dir_perms; - allow $1 home_type:file r_file_perms; + allow $1 home_type:dir list_dir_perms; + read_files_pattern($1,home_type,home_type) ') ######################################## @@ -4692,7 +4662,7 @@ interface(`userdom_manage_all_users_home_content_dirs',` ') files_list_home($1) - allow $1 home_type:dir create_dir_perms; + allow $1 home_type:dir manage_dir_perms; ') ######################################## @@ -4712,8 +4682,7 @@ interface(`userdom_manage_all_users_home_content_files',` ') files_list_home($1) - allow $1 home_type:dir rw_dir_perms; - allow $1 home_type:file create_file_perms; + manage_files_pattern($1,home_type,home_type) ') ######################################## 
@@ -4733,8 +4702,7 @@ interface(`userdom_manage_all_users_home_content_symlinks',` ') files_list_home($1) - allow $1 home_type:dir rw_dir_perms; - allow $1 home_type:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,home_type,home_type) ') ######################################## @@ -4881,8 +4849,7 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',` ') files_search_home($1) - allow $1 user_home_dir_t:dir rw_dir_perms; - type_transition $1 user_home_dir_t:$2 user_home_t; + filetrans_pattern($1,user_home_dir_t,user_home_t,$2) ') ######################################## @@ -4941,8 +4908,7 @@ interface(`userdom_manage_generic_user_home_content_dirs',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir create_dir_perms; + manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -4980,9 +4946,8 @@ interface(`userdom_read_generic_user_home_content_files',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir r_dir_perms; - allow $1 user_home_t:file r_file_perms; + allow $1 user_home_t:dir list_dir_perms; + read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -5022,9 +4987,7 @@ interface(`userdom_manage_generic_user_home_content_files',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir rw_dir_perms; - allow $1 user_home_t:file manage_file_perms; + manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## 
@@ -5063,9 +5026,7 @@ interface(`userdom_manage_generic_user_home_content_symlinks',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir rw_dir_perms; - allow $1 user_home_t:lnk_file create_lnk_perms; + manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -5085,9 +5046,7 @@ interface(`userdom_manage_generic_user_home_content_pipes',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir rw_dir_perms; - allow $1 user_home_t:fifo_file create_file_perms; + manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -5107,9 +5066,7 @@ interface(`userdom_manage_generic_user_home_content_sockets',` ') files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - allow $1 user_home_t:dir rw_dir_perms; - allow $1 user_home_t:sock_file create_file_perms; + manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -5148,10 +5105,9 @@ interface(`userdom_read_unpriv_users_home_content_files',` ') files_search_home($1) - allow $1 user_home_dir_type:dir search_dir_perms; - allow $1 user_home_type:dir r_dir_perms; - allow $1 user_home_type:lnk_file { getattr read }; - allow $1 user_home_type:file r_file_perms; + allow $1 user_home_type:dir list_dir_perms; + read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') ######################################## @@ -5171,8 +5127,7 @@ interface(`userdom_manage_unpriv_users_home_content_dirs',` ') files_search_home($1) - allow $1 user_home_dir_type:dir search_dir_perms; - allow $1 user_home_type:dir manage_dir_perms; + manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') ######################################## 
@@ -5192,9 +5147,7 @@ interface(`userdom_manage_unpriv_users_home_content_files',` ') files_search_home($1) - allow $1 user_home_dir_type:dir search_dir_perms; - allow $1 user_home_type:dir rw_dir_perms; - allow $1 user_home_type:file manage_file_perms; + manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') ######################################## @@ -5400,7 +5353,7 @@ interface(`userdom_use_unpriv_users_ttys',` attribute user_ttynode; ') - allow $1 user_ttynode:chr_file rw_file_perms; + allow $1 user_ttynode:chr_file rw_term_perms; ') ') @@ -5442,8 +5395,7 @@ interface(`userdom_read_all_users_state',` attribute userdomain; ') - allow $1 userdomain:dir search_dir_perms; - allow $1 userdomain:file r_file_perms; + read_files_pattern($1,userdomain,userdomain) kernel_search_proc($1) ') @@ -5594,6 +5546,6 @@ interface(`userdom_unconfined',` type user_home_dir_t; ') - allow $1 user_home_dir_t:dir create_dir_perms; + allow $1 user_home_dir_t:dir manage_dir_perms; files_home_filetrans($1,user_home_dir_t,dir) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 0b6b653..4f77a77 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -102,7 +102,7 @@ ifdef(`strict_policy',` allow sysadm_t userdomain:fd use; # Add/remove user home directories - allow sysadm_t user_home_dir_t:dir create_dir_perms; + allow sysadm_t user_home_dir_t:dir manage_dir_perms; files_home_filetrans(sysadm_t,user_home_dir_t,dir) corecmd_exec_shell(sysadm_t) 
@@ -485,13 +485,12 @@ ifdef(`targeted_policy',` allow system_r sysadm_r; allow system_r sysadm_r; - allow privhome user_home_t:dir manage_dir_perms; - allow privhome user_home_t:file create_file_perms; - allow privhome user_home_t:lnk_file create_lnk_perms; - allow privhome user_home_t:fifo_file create_file_perms; - allow privhome user_home_t:sock_file create_file_perms; - allow privhome user_home_dir_t:dir rw_dir_perms; - type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t; + manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) files_search_home(privhome) ifdef(`enable_mls',` diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index fbc62fa..7ef96e5 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -15,12 +15,7 @@ interface(`xen_domtrans',` type xend_t, xend_exec_t; ') - domain_auto_trans($1,xend_exec_t,xend_t) - - allow $1 xend_t:fd use; - allow xend_t $1:fd use; - allow xend_t $1:fifo_file rw_file_perms; - allow xend_t $1:process sigchld; + domtrans_pattern($1,xend_exec_t,xend_t) ') ######################################## @@ -117,9 +112,7 @@ interface(`xen_stream_connect_xenstore',` ') files_search_pids($1) - allow $1 xenstored_var_run_t:dir search; - allow $1 xenstored_var_run_t:sock_file { getattr write }; - allow $1 xenstored_t:unix_stream_socket connectto; + stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t) ') ######################################## 
@@ -138,9 +131,7 @@ interface(`xen_stream_connect',` ') files_search_pids($1) - allow $1 xend_var_run_t:dir search; - allow $1 xend_var_run_t:sock_file { getattr write }; - allow $1 xend_t:unix_stream_socket connectto; + stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) ') ######################################## @@ -158,8 +149,5 @@ interface(`xen_domtrans_xm',` type xm_t, xm_exec_t; ') - domain_auto_trans($1,xm_exec_t,xm_t) - allow xm_t $1:fd use; - allow xm_t $1:fifo_file rw_file_perms; - allow xm_t $1:process sigchld; + domtrans_pattern($1,xm_exec_t,xm_t) ') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 7d7f4bf..9294640 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -20,7 +20,6 @@ dev_node(xen_image_t) type xenctl_t; files_type(xenctl_t) - type xend_t; type xend_exec_t; domain_type(xend_t) 
@@ -79,37 +78,38 @@ dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { signal sigkill }; dontaudit xend_t self:process ptrace; # internal communication is often done using fifo and unix sockets. -allow xend_t self:fifo_file rw_file_perms; +allow xend_t self:fifo_file rw_fifo_file_perms; allow xend_t self:unix_stream_socket create_stream_socket_perms; allow xend_t self:unix_dgram_socket create_socket_perms; allow xend_t self:netlink_route_socket r_netlink_socket_perms; allow xend_t self:tcp_socket create_stream_socket_perms; allow xend_t self:packet_socket create_socket_perms; -allow xend_t xen_image_t:dir manage_dir_perms; -allow xend_t xen_image_t:file manage_file_perms; -allow xend_t xen_image_t:blk_file rw_file_perms; +allow xend_t xen_image_t:dir list_dir_perms; +manage_dirs_pattern(xend_t,xen_image_t,xen_image_t) +manage_files_pattern(xend_t,xen_image_t,xen_image_t) +rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) -allow xend_t xenctl_t:fifo_file create_file_perms; +allow xend_t xenctl_t:fifo_file manage_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) # pid file -allow xend_t xend_var_run_t:file manage_file_perms; -allow xend_t xend_var_run_t:sock_file manage_file_perms; -allow xend_t xend_var_run_t:dir { setattr rw_dir_perms }; +allow xend_t xend_var_run_t:dir setattr; +manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) +manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file }) # log files -allow xend_t xend_var_log_t:file create_file_perms; -allow xend_t xend_var_log_t:sock_file create_file_perms; -allow xend_t xend_var_log_t:dir { rw_dir_perms setattr }; +allow xend_t xend_var_log_t:dir setattr; +manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) +manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) # var/lib files for xend -allow xend_t xend_var_lib_t:file 
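Review bot: `allow xend_t xenctl_t:fifo_file manage_file_perms;` applies the regular-file set to a fifo_file, while the same hunk converts `xend_t self:fifo_file` to `rw_fifo_file_perms` and the var_lib block uses `manage_fifo_files_pattern`; it should read `allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;`. The added `allow xend_t xen_image_t:dir list_dir_perms;` is redundant, since `manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)` on the next line already grants `manage_dir_perms` on the same type. `rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)` keeps the daemon's read/write access to block devices labelled xen_image_t that the removed rule granted; a one-line comment such as `# guest images may be block devices, not just files` would make clear the grant is intentional and not a leftover.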
create_file_perms; -allow xend_t xend_var_lib_t:sock_file create_file_perms; -allow xend_t xend_var_lib_t:fifo_file create_file_perms; -allow xend_t xend_var_lib_t:dir create_dir_perms; +manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) +manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) +manage_sock_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) +manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) # transition to store @@ -226,9 +226,8 @@ allow xenconsoled_t self:fifo_file { read write }; allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; # pid file -allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms; -allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms; -allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms; +manage_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t) +manage_sock_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t) files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(xenconsoled_t) 
@@ -268,15 +267,14 @@ allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; # pid file -allow xenstored_t xenstored_var_run_t:file manage_file_perms; -allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms; -allow xenstored_t xenstored_var_run_t:dir rw_dir_perms; +manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) +manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file }) # var/lib files for xenstored -allow xenstored_t xenstored_var_lib_t:file create_file_perms; -allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms; -allow xenstored_t xenstored_var_lib_t:dir create_dir_perms; +manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) +manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) +manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file }) kernel_write_xen_state(xenstored_t) @@ -317,13 +315,12 @@ allow xm_t self:fifo_file { read write }; allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xm_t self:tcp_socket create_stream_socket_perms; -allow xm_t xend_var_lib_t:dir rw_dir_perms; -allow xm_t xend_var_lib_t:fifo_file create_file_perms; -allow xm_t xend_var_lib_t:file create_file_perms; +manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) +manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; -allow xm_t xen_image_t:file r_file_perms; +allow xm_t xen_image_t:file read_file_perms; kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt new file mode 100644 index 0000000..77eefa8 --- /dev/null 
+++ b/policy/support/file_patterns.spt 
@@ -0,0 +1,534 @@
+#
+# Directory patterns (dir)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. directory type
+#
+define(`getattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir getattr_dir_perms;
+')
+
+define(`setattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir setattr_dir_perms;
+')
+
+define(`search_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir search_dir_perms;
+')
+
+define(`list_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir list_dir_perms;
+')
+
+define(`add_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir add_entry_dir_perms;
+')
+
+define(`del_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir del_entry_dir_perms;
+')
+
+define(`create_dirs_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:dir create_dir_perms;
+')
+
+define(`delete_dirs_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:dir delete_dir_perms;
+')
+
+define(`rename_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir rename_dir_perms;
+')
+
+define(`manage_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir manage_dir_perms;
+')
+
+define(`relabelfrom_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelfrom_dir_perms;
+')
+
+define(`relabelto_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelto_dir_perms;
+')
+
+define(`relabel_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabel_dir_perms;
+')
+
+#
+# Regular file patterns (file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3.
file type
+#
+define(`getattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file getattr_file_perms;
+')
+
+define(`setattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file setattr_file_perms;
+')
+
+define(`read_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file read_file_perms;
+')
+
+define(`mmap_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_file_perms;
+')
+
+define(`exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file exec_file_perms;
+')
+
+define(`append_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file append_file_perms;
+')
+
+define(`write_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file write_file_perms;
+')
+
+define(`rw_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file rw_file_perms;
+')
+
+define(`create_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:file create_file_perms;
+')
+
+define(`delete_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:file delete_file_perms;
+')
+
+define(`rename_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file rename_file_perms;
+')
+
+define(`manage_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file manage_file_perms;
+')
+
+define(`relabelfrom_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelfrom_file_perms;
+')
+
+define(`relabelto_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelto_file_perms;
+')
+
+define(`relabel_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabel_file_perms;
+')
+
+#
+# Symbolic link patterns (lnk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3.
file type
+#
+define(`getattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file getattr_lnk_file_perms;
+')
+
+define(`setattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file setattr_lnk_file_perms;
+')
+
+define(`read_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file read_lnk_file_perms;
+')
+
+define(`append_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file append_lnk_file_perms;
+')
+
+define(`write_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file write_lnk_file_perms;
+')
+
+define(`rw_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file rw_lnk_file_perms;
+')
+
+define(`create_lnk_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:lnk_file create_lnk_file_perms;
+')
+
+define(`delete_lnk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:lnk_file delete_lnk_file_perms;
+')
+
+define(`rename_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file rename_lnk_file_perms;
+')
+
+define(`manage_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file manage_lnk_file_perms;
+')
+
+define(`relabelfrom_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelfrom_lnk_file_perms;
+')
+
+define(`relabelto_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelto_lnk_file_perms;
+')
+
+define(`relabel_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabel_lnk_file_perms;
+')
+
+#
+# (Un)named Pipes/FIFO patterns (fifo_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3.
file type
+#
+define(`getattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file getattr_fifo_file_perms;
+')
+
+define(`setattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file setattr_fifo_file_perms;
+')
+
+define(`read_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file read_fifo_file_perms;
+')
+
+define(`append_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file append_fifo_file_perms;
+')
+
+define(`write_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file write_fifo_file_perms;
+')
+
+define(`rw_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file rw_fifo_file_perms;
+')
+
+define(`create_fifo_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:fifo_file create_fifo_file_perms;
+')
+
+define(`delete_fifo_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:fifo_file delete_fifo_file_perms;
+')
+
+define(`rename_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file rename_fifo_file_perms;
+')
+
+define(`manage_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelfrom_fifo_file_perms;
+')
+
+define(`relabelto_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelto_fifo_file_perms;
+')
+
+define(`relabel_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabel_fifo_file_perms;
+')
+
+#
+# (Un)named sockets patterns (sock_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3.
file type
+#
+define(`getattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file getattr_fifo_file_perms;
+')
+
+define(`setattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file setattr_fifo_file_perms;
+')
+
+define(`read_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file read_fifo_file_perms;
+')
+
+define(`write_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_fifo_file_perms;
+')
+
+define(`rw_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file rw_fifo_file_perms;
+')
+
+define(`create_sock_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:sock_file create_fifo_file_perms;
+')
+
+define(`delete_sock_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:sock_file delete_fifo_file_perms;
+')
+
+define(`rename_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file rename_fifo_file_perms;
+')
+
+define(`manage_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelfrom_sock_file_perms;
+')
+
+define(`relabelto_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelto_sock_file_perms;
+')
+
+define(`relabel_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabel_sock_file_perms;
+')
+
+#
+# Block device node patterns (blk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. 
file type
+#
+define(`getattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file getattr_blk_file_perms;
+')
+
+define(`setattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file setattr_blk_file_perms;
+')
+
+define(`read_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file read_blk_file_perms;
+')
+
+define(`append_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file append_blk_file_perms;
+')
+
+define(`write_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file write_blk_file_perms;
+')
+
+define(`rw_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file rw_blk_file_perms;
+')
+
+define(`create_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:blk_file create_blk_file_perms;
+')
+
+define(`delete_blk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:blk_file delete_blk_file_perms;
+')
+
+define(`rename_blk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file rename_blk_file_perms;
+')
+
+define(`manage_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file manage_blk_file_perms;
+')
+
+define(`relabelfrom_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelfrom_blk_file_perms;
+')
+
+define(`relabelto_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelto_blk_file_perms;
+')
+
+define(`relabel_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabel_blk_file_perms;
+')
+
+#
+# Character device node patterns (chr_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. 
file type
+#
+define(`getattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file getattr_chr_file_perms;
+')
+
+define(`setattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file setattr_chr_file_perms;
+')
+
+define(`read_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file read_chr_file_perms;
+')
+
+define(`append_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file append_chr_file_perms;
+')
+
+define(`write_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file write_chr_file_perms;
+')
+
+define(`rw_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file rw_chr_file_perms;
+')
+
+define(`create_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:chr_file create_chr_file_perms;
+')
+
+define(`delete_chr_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:chr_file delete_chr_file_perms;
+')
+
+define(`rename_chr_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file rename_chr_file_perms;
+')
+
+define(`manage_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file manage_chr_file_perms;
+')
+
+define(`relabelfrom_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelfrom_chr_file_perms;
+')
+
+define(`relabelto_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelto_chr_file_perms;
+')
+
+define(`relabel_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabel_chr_file_perms;
+')
+
+#
+# File type_transition patterns
+#
+# pattern(domain,dirtype,newtype,class(es))
+#
+define(`filetrans_add_pattern',`
+ allow $1 $2:dir ra_dir_perms;
+ type_transition $1 $2:$4 $3;
+')
+
+define(`filetrans_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ type_transition $1 $2:$4 $3;
+')
diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
new file mode 100644
index 0000000..641f6e2
--- /dev/null
+++ b/policy/support/ipc_patterns.spt
@@ -0,0 +1,14 @@
+#
+# unix domain socket patterns
+#
+define(`stream_connect_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file { getattr write };
+ allow $1 $4:unix_stream_socket connectto;
+')
+
+define(`dgram_send_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file { getattr write };
+ allow $1 $4:unix_dgram_socket sendto;
+')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
new file mode 100644
index 0000000..7efe286
--- /dev/null
+++ b/policy/support/misc_patterns.spt
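Review bot: Both new patterns take four positional arguments but, unlike the file patterns earlier in this series, carry no parameter description, so a reader has to work out from `$4:unix_stream_socket connectto` that the fourth argument is the peer domain and not another file type. Following the `# pattern(domain,dirtype,newtype,class(es))` convention used for the filetrans patterns, I would put `# pattern(client domain, socket directory type, sock_file type, server domain)` above `stream_connect_pattern` and the equivalent above `dgram_send_pattern`. The sock_file access is also spelled out literally as `{ getattr write }` while this same series defines `write_sock_file_perms` as `{ getattr write append }`; if leaving out `append` is deliberate (it has no meaning for connect/sendto), a one-line comment saying so will stop a later cleanup from "fixing" it to the broader named set.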
@@ -0,0 +1,53 @@
+#
+# Specified domain transition patterns
+#
+define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr read execute };
+ allow $1 $3:process transition;
+ dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+# compatibility:
+define(`domain_trans',`domain_transition_pattern($*)')
+
+define(`spec_domtrans_pattern',`
+ allow $1 self:process setexec;
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Automatic domain transition patterns
+#
+define(`domain_auto_transition_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
+
+# compatibility:
+define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+
+define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Other process permissions
+#
+define(`send_audit_msgs_pattern',`
+ allow $1 self:capability audit_write;
+ allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+')
+
+define(`ps_process_pattern',`
+ allow $1 $2:dir { search getattr read };
+ allow $1 $2:{ file lnk_file } { read getattr };
+ allow $1 $2:process getattr;
+')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index eea1598..734c63d 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -88,8 +88,9 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
 
 #
 # Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+#
+# deprecated by new perm set below
+#define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
 
 #
 # Permissions for reading directories and their attributes.
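Review bot: `domain_transition_pattern` grants the source domain execute on $2 and transition to $3, but nothing here gives $3 `entrypoint` on $2, so a transition built only from this macro is still denied by the kernel; presumably the entrypoint rule comes from a separate entry-file interface, and that precondition plus the argument order deserve a header comment such as `# pattern(source domain, entrypoint file type, target domain); caller must also grant $3 $2:file entrypoint`. The literal `{ getattr read execute }` on the file is exactly `mmap_file_perms` as defined later in this series, and using the named set would keep the two from drifting apart. The three-line `fd use` / `fifo_file rw_file_perms` / `sigchld` tail is duplicated verbatim in `spec_domtrans_pattern` and `domtrans_pattern` and could be a small shared macro. Note also that the pattern grants fd use only from the new domain back to the caller, never the reverse; if any converted interface relied on the caller using the child's fds, that is a silent tightening worth calling out in the commit message.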
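Review bot: The comment `# deprecated by new perm set below` understates what happens to `create_file_perms` here: the name is not retired, it is redefined later in this file as `{ getattr create }`, so every existing `allow ... :file create_file_perms` rule silently loses read/write/setattr/link/unlink/rename instead of failing to build. That fails closed, which is the right direction, but the affected rules only surface at runtime as AVC denials. I would drop the commented-out define rather than leave dead code and make the comment explicit, e.g. `# NOTE: create_file_perms is redefined below as { getattr create }; rules that relied on the old read/write/unlink set should use manage_file_perms.`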
@@ -109,8 +110,9 @@ define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
 
 #
 # Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+#
+# deprecated by new perm set below
+#define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
 
 #
 # Permissions to mount and unmount file systems.
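Review bot: `create_dir_perms` is likewise redefined further down this file to `{ getattr create }`, which drops search/add_name/remove_name/write/rmdir from a macro name that stays live, so "deprecated" is the wrong word and the commented-out definition is dead code that will mislead anyone grepping for the old semantics. The old set is identical to the new `manage_dir_perms`, so the comment can point there directly: `# create_dir_perms is redefined below as { getattr create }; use manage_dir_perms for the previous meaning.` Delete the `#define(...)` line rather than keep it commented out.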
@@ -192,27 +194,125 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
 
 #
 #
-# Directory
+# Directory (dir)
 #
-define(`search_dir_perms',`{ getattr search }')
 define(`getattr_dir_perms',`{ getattr }')
 define(`setattr_dir_perms',`{ setattr }')
+define(`search_dir_perms',`{ getattr search }')
 define(`list_dir_perms',`{ getattr search read lock ioctl }')
 define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
 define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
+define(`create_dir_perms',`{ getattr create }')
+define(`delete_dir_perms',`{ getattr rmdir }')
 define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+define(`relabelto_dir_perms',`{ getattr relabelto }')
+define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 
 #
-# File
+# Regular file (file)
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
+define(`mmap_file_perms',`{ getattr read execute }')
+define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')
 define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_file_perms',`{ getattr create }')
+define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
 define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_file_perms',`{ getattr relabelto }')
+define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Symbolic link (lnk_file)
+#
+define(`getattr_lnk_file_perms',`{ getattr }')
+define(`setattr_lnk_file_perms',`{ setattr }')
+define(`read_lnk_file_perms',`{ getattr read }')
+define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`create_lnk_file_perms',`{ create getattr }')
+define(`rename_lnk_file_perms',`{ getattr rename }')
+define(`delete_lnk_file_perms',`{ getattr unlink }')
+define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }')
+define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Pipes/FIFOs (fifo_file)
+#
+define(`getattr_fifo_file_perms',`{ getattr }')
+define(`setattr_fifo_file_perms',`{ setattr }')
+define(`read_fifo_file_perms',`{ getattr read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_fifo_file_perms',`{ getattr create }')
+define(`delete_fifo_file_perms',`{ getattr unlink }')
+define(`manage_fifo_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Sockets (sock_file)
+#
+define(`getattr_sock_file_perms',`{ getattr }')
+define(`setattr_sock_file_perms',`{ setattr }')
+define(`read_sock_file_perms',`{ getattr read }')
+define(`write_sock_file_perms',`{ getattr write append }')
+define(`rw_sock_file_perms',`{ getattr read write append }')
+define(`create_sock_file_perms',`{ getattr create }')
+define(`delete_sock_file_perms',`{ getattr unlink }')
+define(`manage_sock_file_perms',`{ create getattr setattr read write rename link 
unlink ioctl lock }')
+define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_sock_file_perms',`{ getattr relabelto }')
+define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Block device nodes (blk_file)
+#
+define(`getattr_blk_file_perms',`{ getattr }')
+define(`setattr_blk_file_perms',`{ setattr }')
+define(`read_blk_file_perms',`{ getattr read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_blk_file_perms',`{ getattr create }')
+define(`rename_blk_file_perms',`{ getattr rename }')
+define(`delete_blk_file_perms',`{ getattr unlink }')
+define(`manage_blk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Character device nodes (chr_file)
+#
+define(`getattr_chr_file_perms',`{ getattr }')
+define(`setattr_chr_file_perms',`{ setattr }')
+define(`read_chr_file_perms',`{ getattr read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_chr_file_perms',`{ getattr create }')
+define(`rename_chr_file_perms',`{ getattr rename }')
+define(`delete_chr_file_perms',`{ getattr unlink }')
+define(`manage_chr_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+
+########################################
+#
+# Special permission sets
+#
 
 #
 # Use (read and write) terminals
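Review bot: Two permission sets that the new pattern macros expand to are never defined in this hunk: `append_lnk_files_pattern` (visible earlier in this diff) uses `append_lnk_file_perms`, and `rename_fifo_files_pattern` / `rename_sock_files_pattern` use `rename_fifo_file_perms`, yet the lnk_file section has no append set and the fifo_file section has no rename set. m4 passes an undefined name through untouched, so the first module to use one of those patterns should fail in checkpolicy with an unknown permission rather than at expansion time. Adding `define(`rename_fifo_file_perms',`{ getattr rename }')` next to the other fifo sets covers the rename case; for symlinks I would drop the append pattern instead of defining a set for an operation that cannot apply to a lnk_file. Separately, the `*_sock_file_perms` sets defined here are only referenced by the relabel patterns, because the other sock_file patterns earlier in the diff reuse the fifo sets; as a result `rw_sock_files_pattern` hands out the `ioctl lock` that `rw_sock_file_perms` deliberately omits, and pointing the sock patterns at these sets would make the narrower definitions actually take effect.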
-## Create a aliased type to etc runtime files.
-##
-## This is added to remove types that should have been etc_runtime_t
-##