diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 38e603c..631a2e3 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -102,7 +102,7 @@ ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS)) PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if)) ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) -POST_TE_FILES := users constraints initial_sid_contexts fs_use +POST_TE_FILES := users constraints ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc)) @@ -213,8 +213,12 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf + $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf + $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ + -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ + < tmp/all_te_files.conf > tmp/only_te_rules.conf ######################################## # diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te index c53416e..57e90d9 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te +++ b/refpolicy/policy/modules/kernel/corenetwork.te 
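Review bot: Dropping `initial_sid_contexts` and `fs_use` from POST_TE_FILES means that if those two files are still present in the tree they are now silently ignored instead of failing the build, and any local sid or fs_use override kept in them quietly disappears from the compiled policy; the diff as shown does not delete them, and I can't tell whether another part of the commit does. Either remove the files in the same commit or leave a pointer on the variable, e.g. `# sid and fs_use_* statements now live beside their types in the .te modules and are hoisted into tmp/all_post.conf`. Without one of those, a stale copy of either file is a trap for anyone who edits it expecting the change to take effect.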
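Review bot: The `|| true` on the new grep and egrep lines swallows every non-zero exit, including status 2 for a missing or unreadable tmp/all_te_files.conf, so a broken earlier step would let the build continue and emit a tmp/all_post.conf with no sid or fs_use statements at all; `|| [ $$? -eq 1 ]` keeps the intended "no matches is fine" behaviour while still failing on real errors (the pre-existing genfscon line has the same weakness). The extraction patterns on the grep/egrep lines and the deletion patterns in the sed command must stay identical, otherwise a statement is either duplicated into both outputs or silently lost from the policy, so a comment such as `# keep these patterns in sync with the sed expression below` would help the next editor. `sed -r` is a GNU spelling; `-E` is the POSIX form and GNU sed accepts it too. The rule header for this recipe sits above the hunk.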
@@ -24,6 +24,7 @@ devices_make_device_node(tun_tap_device_t) # port_t is the default type of INET port numbers. # type port_t, port_type; +sid port context_template(system_u:object_r:port_t,s0) # # reserved_port_t is the type of INET port numbers below 1024. @@ -94,6 +95,7 @@ portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0) # nodes in net_contexts or net_contexts.mls. # type node_t, node_type; +sid node context_template(system_u:object_r:node_t,s0) network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) @@ -105,7 +107,6 @@ network_node(multicast, s0, ff00::, ff00::) network_node(site_local, s0, fec0::, ffc0::) network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) - ######################################## # # Network Interfaces: @@ -115,6 +116,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) # netif_t is the default type of network interfaces. # type netif_t, netif_type; +sid netif context_template(system_u:object_r:netif_t,s0) network_interface(lo, s0) network_interface(eth0, s0) diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index b1d442e..aece234 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -112,6 +112,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0) type null_device_t, device_node; filesystem_associate(null_device_t) filesystem_tmpfs_associate(null_device_t) +sid devnull context_template(system_u:object_r:null_device_t,s0) # # Type for /dev/pmu diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index f690ede..49a1893 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te 
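Review bot: The new `sid port` line (and likewise `sid node` and `sid netif` in the following hunks) carries no explanation, while every type declaration in this file has a header comment; since an initial SID is, as far as I understand the kernel's use of it, the context that applies when no portcon/nodecon/netifcon entry matches, that consequence deserves stating where a reader meets it. Something like `# initial SID: the context given to ports that no portcon statement covers` above the port line, with node/netif equivalents, would do. It may also be worth noting that placement next to the type is cosmetic, because the build hoists sid statements into the post-TE section regardless of where they appear.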
@@ -9,6 +9,22 @@ attribute fs_type; # filesystems with extended attributes # type fs_t, fs_type; +sid fs context_template(system_u:object_r:fs_t,s0) + +# Use xattrs for the following filesystem types. +# Requires that a security xattr handler exist for the filesystem. +fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0); +fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0); +fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0); +fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0); + +# Use the allocating task SID to label inodes in the following filesystem +# types, and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems that represent objects +# like pipes and sockets, so that these objects are labeled with the same +# type as the creating task. +fs_use_task pipefs context_template(system_u:object_r:fs_t,s0); +fs_use_task sockfs context_template(system_u:object_r:fs_t,s0); ######################################## # @@ -47,6 +63,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0) type tmpfs_t, fs_type; files_make_file(tmpfs_t) +# Use a transition SID based on the allocating task SID and the +# filesystem SID to label inodes in the following filesystem types, +# and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems like devpts and tmpfs +# where we want to label objects with a derived type. +fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0); +fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0); + allow tmpfs_t self:filesystem associate; allow tmpfs_t autofs_t:filesystem associate; allow tmpfs_t cifs_t:filesystem associate; diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 5d9cca6..915a4d9 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te 
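Review bot: The fs_use_xattr list names only ext2, ext3, jfs and xfs, and because the old `fs_use` file that previously held these statements is removed from the build rather than shown here, I can't confirm that every filesystem it covered was carried over; if I recall the kernel's fallback correctly, a filesystem absent from both this list and the genfscon statements gets no labeling behaviour at all, so its files come up unlabeled rather than as fs_t. Please compare this list against the removed file before merging. A short comment such as `# an xattr-capable filesystem missing from this list falls back to genfscon or to unlabeled handling` would record the consequence for future additions.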
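Review bot: The comment above the fs_use_trans lines cites devpts as an example, but the devpts statement lives in terminal.te, so a reader looking here for it will not find it; either reword to `# This is appropriate for pseudo filesystems like tmpfs (and devpts, see terminal.te)` or drop devpts from the example. The tmpfs and shm entries themselves are consistent with the tmpfs_t declaration just above them.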
@@ -20,6 +20,7 @@ attribute can_change_object_identity; type kernel_t, can_load_kernmodule, can_load_policy; role system_r types kernel_t; domain_make_domain(kernel_t) +sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) # # unlabeled_t is the type of unlabeled objects. @@ -27,6 +28,26 @@ domain_make_domain(kernel_t) # have labels that are no longer valid are treated as having this type. # type unlabeled_t; +sid unlabeled context_template(system_u:object_r:unlabeled_t,s0) + +# These initial sids are no longer used, and can be removed: +sid any_socket context_template(system_u:object_r:unlabeled_t,s0) +sid file_labels context_template(system_u:object_r:unlabeled_t,s0) +sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0) +sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0) +sid init context_template(system_u:object_r:unlabeled_t,s0) +sid kmod context_template(system_u:object_r:unlabeled_t,s0) +sid netmsg context_template(system_u:object_r:unlabeled_t,s0) +sid policy context_template(system_u:object_r:unlabeled_t,s0) +sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0) +sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0) +sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0) # # security_t is the target type when checking @@ -35,6 +56,7 @@ type unlabeled_t; # type security_t; filesystem_make_filesystem(security_t) +sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) # 
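Review bot: `s0 - s9:c0.c127` hard-codes the MLS system-high range for the kernel initial SID while every other new sid statement in this diff uses a bare `s0`; if the sensitivity or category count in the `mls` file (listed in PRE_TE_FILES) ever changes, this literal silently diverges and either fails to compile or leaves the kernel, and therefore everything it spawns, with a narrower range than intended. If the policy already has a macro for the system-high range, use it here; if not, at minimum a comment like `# kernel runs at system high; keep this range in step with policy/mls` ties the two together. I can't tell from the diff whether such a macro exists.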
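Review bot: The comment `# These initial sids are no longer used, and can be removed:` is misleading as written, because these statements cannot be removed on their own: as long as the SIDs remain declared in flask/initial_sids, which PRE_TE_FILES still assembles, checkpolicy will, as far as I remember, refuse a policy that leaves a declared initial SID without a context. Suggest `# These initial SIDs are obsolete but must keep a context until they are also dropped from flask/initial_sids; unlabeled_t is the safe choice, since any kernel that still consults one of them then gets the same treatment as any other unlabeled object.` That also records why unlabeled_t rather than kernel_t was chosen, which the hunk does not say.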
@@ -95,6 +117,7 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys directory, base directory of sysctls type sysctl_t; files_make_mountpoint(sysctl_t) +sid sysctl context_template(system_u:object_r:sysctl_t,s0) genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0) # /proc/sys/fs directory and files diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 34d8433..7f6654b 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -23,6 +23,7 @@ devices_make_device_node(console_device_t) type devpts_t; files_make_mountpoint(devpts_t) filesystem_make_filesystem(devpts_t) +fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0); # # devtty_t is the type of /dev/tty. diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index 9bd3e6f..b22386d 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -40,6 +40,7 @@ type file_t, file_type, mountpoint; filesystem_associate(file_t) filesystem_noxattr_associate(file_t) kernel_make_root_filesystem_mountpoint(file_t) +sid file context_template(system_u:object_r:file_t,s0) # # home_root_t is the type for the directory where user home directories