diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 6f93c8a..048d14c 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -44,7 +44,7 @@ define(`gpg_per_userdomain_template',`
 # transition from the userdomain to the derived domain
 allow $1_t $1_gpg_t:process transition;
- allow $1_t gpg_exec_t:file { getattr read execute };
+ allow $1_t gpg_exec_t:file rx_file_perms;
 type_transition $1_t gpg_exec_t:process $1_gpg_t;
 dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@@ -58,12 +58,12 @@ define(`gpg_per_userdomain_template',`
 # setrlimit is for ulimit -c 0
 allow $1_gpg_t self:process { setrlimit setcap };
- allow $1_gpg_t self:fifo_file { getattr read write };
- allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_t self:fifo_file rw_file_perms;
+ allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
- allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+ allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+ allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
 corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
 corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
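Review bot: The substitutions in the @@ -58 hunk widen what `$1_gpg_t` may do rather than merely respelling it: `self:fifo_file { getattr read write }` becomes `rw_file_perms`, and this same commit uses `rw_file_perms` as the replacement for `{ getattr read write ioctl lock }` (logging.te) and `{ getattr read write append }` (logging.if), so the gpg domain now also gets at least ioctl, lock and append on its pipes. The same widening recurs in the logging.te hunks, where `auditd_var_run_t:file` and `syslogd_var_run_t:file` go from a seven-permission list to `create_file_perms` — the macro this hunk uses for the eleven-permission list on `$1_gpg_secret_t:file`, i.e. adding ioctl, lock, link and rename — and in the mount.te hunk for `mount_tmp_t:file` and `mount_tmp_t:dir`. That is probably acceptable for a cleanup, but the commit should state that the new rules are supersets rather than equivalents, and each rule whose set actually grew deserves a line such as `# create_file_perms is wider than the old list (adds ioctl lock link rename)`. `gpg_per_userdomain_template` begins and ends outside these hunks.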
@@ -159,7 +159,7 @@ define(`gpg_per_userdomain_template',`
 # transition from the gpg domain to the helper domain
 allow $1_gpg_t $1_gpg_helper_t:process transition;
- allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+ allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
 type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
 dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@@ -168,10 +168,10 @@ define(`gpg_per_userdomain_template',`
 allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
 allow $1_gpg_helper_t $1_gpg_t:process sigchld;
- allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
- allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+ allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
 dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
@@ -224,12 +224,12 @@ define(`gpg_per_userdomain_template',`
 # rlimit: gpg-agent wants to prevent coredumps
 allow $1_gpg_agent_t self:process setrlimit;
- allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
- allow $1_gpg_agent_t self:fifo_file { getattr read write };
+ allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+ allow $1_gpg_agent_t self:fifo_file rw_file_perms;
- allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
+ allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
+ allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
 files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
@@ -256,7 +256,7 @@ define(`gpg_per_userdomain_template',`
 allow $1_gpg_agent_t proc_t:dir search;
 allow $1_gpg_agent_t proc_t:lnk_file read;
- allow $1_gpg_agent_t device_t:dir { getattr read };
+ allow $1_gpg_agent_t device_t:dir r_file_perms;
 # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
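Review bot: In the @@ -256 hunk, `allow $1_gpg_agent_t device_t:dir r_file_perms;` applies a file permission set to a directory object, while every other dir rule this commit touches is mapped onto the dir sets (`{ getattr search read }` → `r_dir_perms`, e.g. var_log_t:dir in logging.if). Either make it `allow $1_gpg_agent_t device_t:dir r_dir_perms;` for consistency (which presumably adds `search`, so confirm that is wanted), or keep the original explicit `{ getattr read }` with a comment saying the narrower set is deliberate. In the @@ -224 hunk, `create_stream_socket_perms ;` carries a stray space before the semicolon. Both rules sit inside `gpg_per_userdomain_template`, which starts and ends outside the hunk.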
@@ -282,7 +282,7 @@ define(`gpg_per_userdomain_template',`
 # we need to allow gpg-agent to call pinentry so it can get the passphrase
 # from the user.
 allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
- allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
+ allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
 type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
 dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
@@ -292,7 +292,7 @@ define(`gpg_per_userdomain_template',`
 allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
 allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+ allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
 # read /proc/meminfo
 kernel_read_system_state($1_gpg_pinentry_t)
@@ -322,21 +322,21 @@ define(`gpg_per_userdomain_template',`
 # for .Xauthority
 allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
- allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+ allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
 # wants to put some lock files into the user home dir, seems to work fine without
 dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 dontaudit $1_gpg_pinentry_t $1_home_t:file write;
 if (use_nfs_home_dirs) {
 allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
- allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+ allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
 }
 if (use_samba_home_dirs) {
 allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
- allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+ allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
 dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t cifs_t:file write;
 }
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 0eb0658..81a7410 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -10,9 +10,6 @@
 ## Gives kernel an entrypoint to the caller via
 ## the entrypoint type.
 ##
-##
-## ...
-##
 ##
 ## The process type entered by kernel.
 ##
@@ -47,10 +44,6 @@ define(`kernel_make_userland_entrypoint_depend',`
 ## Allows the kernel to share state information with
 ## the caller.
 ##
-##
-## Gives a type access to state information about
-## kernel processes
-##
 ##
 ## The type of the process with which to share state information.
 ##
@@ -73,9 +66,6 @@ define(`kernel_share_state_depend',`
 ##
 ## Permits caller to use kernel file descriptors.
 ##
-##
-## Permits use of kernel file descriptors.
-##
 ##
 ## The type of the process using the descriptors.
 ##
@@ -99,10 +89,6 @@ define(`kernel_use_file_descriptors_depend',`
 ## Do not audit attempts by the caller to use
 ## kernel file descriptors.
 ##
-##
-## Causes attempts to use kernel file descriptors
-## to not be audited for caller.
-##
 ##
 ## The type of process not to audit.
 ##
@@ -126,10 +112,6 @@ define(`kernel_ignore_use_file_descriptors_depend',`
 ## Allows the kernel to mount filesystems on
 ## the caller.
 ##
-##
-## Givers kernel permission to mount on directories
-## of the calling type.
-##
 ##
 ## The type of the directory to use as a mountpoint.
 ##
@@ -153,9 +135,6 @@ define(`kernel_make_root_fs_mountpoint_depend',`
 ## Makes caller an exception to the constraint preventing
 ## changing of user identity.
 ##
-##
-## Allows changing of user identity in context of the calling process.
-##
 ##
 ## The process type to make an exception to the constraint.
 ##
@@ -177,9 +156,6 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
 ## Makes caller an exception to the constraint preventing
 ## changing of role.
 ##
-##
-## Allows changing of role in the context of the calling process.
-##
 ##
 ## The process type to make an exception to the constraint.
 ##
@@ -201,9 +177,6 @@ define(`kernel_make_role_change_constraint_exception_depend',`
 ## Makes caller an exception to the constraint preventing
 ## changing the user identity in object contexts.
 ##
-##
-## Allows caller to change user identities on objects
-##
 ##
 ## The process type to make an exception to the constraint.
 ##
@@ -225,9 +198,6 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
 ##
 ## Allows caller to load kernel modules
 ##
-##
-## Allows loading of kernel modules.
-##
 ##
 ## The process type to allow to load kernel modules.
 ##
@@ -253,9 +223,6 @@ define(`kernel_load_module_depend',`
 ## Allows the caller to get the mode of policy enforcement
 ## (enforcing or permissive mode).
 ##
-##
-## Gives caller access to system state data.
-##
 ##
 ## The process type to allow to get the enforcing mode.
 ##
@@ -281,9 +248,6 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
 ## Allow caller to set the mode of policy enforcement
 ## (enforcing or permissive mode).
 ##
-##
-## Caller becomes able to disable enforcement of policy.
-##
 ##
 ## The process type to allow to set the enforcement mode.
 ##
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index cee79a6..a5ee897 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -46,13 +46,13 @@ define(`logging_send_system_log_message',`
 requires_block_template(`$0'_depend)
 allow $1 devlog_t:lnk_file read;
- allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+ allow $1 devlog_t:sock_file rw_file_perms;
 # the type of socket depends on the syslog daemon
 allow $1 syslogd_t:unix_dgram_socket sendto;
 allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_socket_perms;
 # cjp: this should most likely be removed:
 terminal_use_console($1)
@@ -61,9 +61,9 @@ define(`logging_send_system_log_message',`
 define(`logging_send_system_log_message_depend',`
 type syslogd_t, devlog_t;
- class sock_file { ioctl read getattr lock write append };
- class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
- class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+ class sock_file rw_file_perms;
+ class unix_dgram_socket { create_socket_perms sendto };
+ class unix_stream_socket { create_socket_perms connectto };
 ')
 ########################################
@@ -115,7 +115,7 @@ define(`logging_append_all_logs',`
 requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:dir r_dir_perms;
 allow $1 logfile:file { getattr append };
 ')
@@ -124,7 +124,7 @@ define(`logging_append_all_logs_depend',`
 type var_log_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
 class file { getattr append };
 ')
@@ -136,8 +136,8 @@ define(`logging_read_all_logs',`
 requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 logfile:file { getattr read };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 logfile:file r_file_perms;
 ')
 define(`logging_read_all_logs_depend',`
@@ -145,8 +145,8 @@ define(`logging_read_all_logs_depend',`
 type var_log_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 #######################################
@@ -157,15 +157,15 @@ define(`logging_read_system_logs',`
 requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 var_log_t:file { getattr read };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:file r_file_perms;
 ')
 define(`logging_read_system_logs_depend',`
 type var_log_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 #######################################
@@ -176,14 +176,14 @@ define(`logging_write_system_logs',`
 requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:dir r_dir_perms;
 allow $1 var_log_t:file { getattr write };
 ')
 define(`logging_write_system_logs_depend',`
 type var_log_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
 class file { getattr write };
 ')
@@ -195,15 +195,15 @@ define(`logging_modify_system_logs',`
 requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 var_log_t:file { getattr read write append };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:file rw_file_perms;
 ')
 define(`logging_modify_system_logs_depend',`
 type var_log_t;
- class dir { getattr search read };
- class file { getattr read write append };
+ class dir r_dir_perms;
+ class file rw_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 78160b1..a0a1d9a 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -53,9 +53,9 @@ allow auditd_t self:capability { audit_write audit_control };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow auditd_t auditd_log_t:file create_file_perms;
-allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
+allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
 kernel_read_kernel_sysctl(auditd_t)
@@ -158,11 +158,11 @@ dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
 # receive messages to be logged
-allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file { getattr read write ioctl lock };
-allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:udp_socket { connected_socket_perms connect };
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -176,14 +176,14 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 # Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow syslogd_t devlog_t:sock_file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
 # I belive these are not needed:
 allow syslogd_t devlog_t:unix_stream_socket name_bind;
 allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 # manage pid file
-allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
 kernel_read_hardware_state(syslogd_t)
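Review bot: In the @@ -176 hunk, the rewritten `# manage pid file` rule, `allow syslogd_t syslogd_var_run_t:file create_file_perms;`, is now byte-identical to the rule shown as the hunk's header context (`allow syslogd_t syslogd_var_run_t:file create_file_perms;`, the line immediately above the hunk), so syslogd_t carries the same rule twice. The compiler will tolerate it, but the duplicate hides that the pid-file rule was deliberately narrower (`{ getattr create read write append setattr unlink }`) and it invites a reader to assume the two lines differ. Drop the second rule and move its comment up to the first, or keep the second only with a note such as `# duplicate of the rule above; kept next to files_create_daemon_runtime_data for readability` if that placement is the intent.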
@@ -234,7 +234,7 @@ files_ignore_search_isid_type_dir(syslogd_t)
 #dontaudit syslogd_t unlabeled_t:file read;
 #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:capability net_admin;
-allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 ifdef(`klogd.te', `', `
 # Allow access to /proc/kmsg for syslog-ng
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index c39ddab..c9b9228 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -14,7 +14,7 @@ define(`mount_transition',`
 requires_block_template(`$0'_depend)
- allow $1 mount_exec_t:file { getattr read execute };
+ allow $1 mount_exec_t:file rx_file_perms;
 allow $1 mount_t:process transition;
 type_transition $1 mount_exec_t:process mount_t;
 dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`mount_transition',`
 define(`mount_transition_depend',`
 type mount_t, mount_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -57,13 +57,13 @@ define(`mount_transition_add_role_use_terminal',`
 mount_transition($1)
 role $2 types mount_t;
- allow mount_t $3:chr_file { getattr read write ioctl };
+ allow mount_t $3:chr_file rw_file_perms;
 ')
 define(`mount_transition_add_role_use_terminal_depend',`
 type mount_t;
- class chr_file { getattr read write ioctl };
+ class chr_file rw_file_perms;
 ')
 ########################################
@@ -102,13 +102,13 @@ define(`mount_use_file_descriptors_depend',`
 define(`mount_send_nfs_client_request',`
 requires_block_template(`$0'_depend)
- allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
+ allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 define(`mount_send_nfs_client_request_depend',`
 type mount_t;
- class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ class udp_socket rw_socket_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 8081366..e9d961a 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -14,8 +14,8 @@ files_make_temporary_file(mount_tmp_t)
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
-allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlink };
-allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+allow mount_t mount_tmp_t:file create_file_perms;
+allow mount_t mount_tmp_t:dir create_dir_perms;
 kernel_read_system_state(mount_t)
 kernel_ignore_use_file_descriptors(mount_t)
@@ -113,7 +113,7 @@ files_make_mountpoint(var_lib_nfs_t)
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
+allow mount_t file_t:file { r_file_perms unlink };
 ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index e88c067..f3defc7 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -14,7 +14,7 @@ define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute };
+ allow $1 checkpolicy_exec_t:file rx_file_perms;
 allow $1 checkpolicy_t:process transition;
 type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
 define(`selinux_checkpolicy_transition_depend',`
 type checkpolicy_t, checkpolicy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms
 class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 define(`selinux_checkpolicy_execute',`
 requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,checkpolicy_exec_t)
 ')
 define(`selinux_checkpolicy_execute_depend',`
 type checkpolicy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 #######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute };
+ allow $1 load_policy_exec_t:file rx_file_perms;
 allow $1 load_policy_t:process transition;
 type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
 define(`selinux_load_policy_transition_depend',`
 type load_policy_t, load_policy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
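Review bot: `class file rx_file_perms` in `selinux_checkpolicy_transition_depend` (@@ -28 hunk) has lost its terminating semicolon, so once the requires block is expanded the statement runs straight into `class process { ... };` and will not parse; it should be `class file rx_file_perms;`. The same omission appears in `selinux_read_load_policy_binary_depend` in the next chunk (`class file r_file_perms` immediately before `')`). Separately, the @@ -74 hunk replaces an explicit list containing `execute_no_trans` with `can_exec($1,checkpolicy_exec_t)` while its depend block keeps `{ rx_file_perms execute_no_trans }`; that pairing only holds if `can_exec` expands to exactly that set, so a one-line comment on the depend block such as `# must match what can_exec() grants` would keep the two from drifting apart.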
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 define(`selinux_load_policy_execute',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,load_policy_exec_t)
 ')
 define(`selinux_load_policy_execute_depend',`
 type load_policy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 #######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
 define(`selinux_read_load_policy_binary',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read };
+ allow $1 load_policy_exec_t:file r_file_perms;
 ')
 define(`selinux_read_load_policy_binary_depend',`
 type load_policy_exec_t;
- class file { getattr read };
+ class file r_file_perms
 ')
 #######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute };
+ allow $1 newrole_exec_t:file rx_file_perms;
 allow $1 newrole_t:process transition;
 type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
 define(`selinux_newrole_transition_depend',`
 type newrole_t, newrole_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 define(`selinux_newrole_execute',`
 requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,newrole_exec_t)
 ')
 define(`selinux_newrole_execute_depend',`
 type newrole_t, newrole_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
- allow $1 restorecon_exec_t:file { getattr read execute };
+ allow $1 restorecon_exec_t:file rx_file_perms;
 allow $1 restorecon_t:process transition;
 type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
 define(`selinux_restorecon_transition_depend',`
 type restorecon_t, restorecon_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 #
 define(`selinux_restorecon_execute',`
 requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,restorecon_exec_t)
 ')
 define(`selinux_restorecon_execute_depend',`
 type restorecon_t, restorecon_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
- allow $1 run_init_exec_t:file { getattr read execute };
+ allow $1 run_init_exec_t:file rx_file_perms;
 allow $1 run_init_t:process transition;
 type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
 define(`selinux_run_init_transition_depend',`
 type run_init_t, run_init_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute };
+ allow $1 setfiles_exec_t:file rx_file_perms;
 allow $1 setfiles_t:process transition;
 type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
 define(`selinux_setfiles_transition_depend',`
 type setfiles_t, setfiles_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 define(`selinux_setfiles_execute',`
 requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,setfiles_exec_t)
 ')
 define(`selinux_setfiles_execute_depend',`
 type setfiles_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
 define(`selinux_read_config',`
 requires_block_template(`$0'_depend)
- allow $1 selinux_config_t:dir { getattr search read };
- allow $1 selinux_config_t:file { getattr read };
+ allow $1 selinux_config_t:dir r_dir_perms;
+ allow $1 selinux_config_t:file r_file_perms;
 ')
 define(`selinux_read_config_depend',`
 type selinux_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
 requires_block_template(`$0'_depend)
 allow $1 selinux_config_t:dir search;
- allow $1 default_context_t:dir { getattr search read };
- allow $1 default_context_t:file { getattr read };
+ allow $1 default_context_t:dir r_dir_perms;
+ allow $1 default_context_t:file r_file_perms;
 ')
 define(`selinux_read_default_contexts_depend',`
 type selinux_config_t, default_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
 requires_block_template(`$0'_depend)
 allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir { getattr search read };
- allow $1 file_context_t:file { getattr read };
+ allow $1 file_context_t:dir r_dir_perms;
+ allow $1 file_context_t:file r_file_perms;
 ')
 define(`selinux_read_file_contexts_depend',`
 type selinux_config_t, file_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
 define(`selinux_read_binary_policy',`
 requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { getattr read };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file r_file_perms;
 ')
 define(`selinux_read_binary_policy_depend',`
 type policy_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
 define(`selinux_write_binary_policy',`
 requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+ allow $1 policy_config_t:dir rw_dir_perms;
 allow $1 policy_config_t:file { getattr create write unlink };
 typeattribute $1 can_write_binary_policy;
 ')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
 type policy_config_t;
- class dir { getattr search read write add_name remove_name };
+ class dir rw_dir_perms;
 class file { getattr create write unlink };
 ')
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file create_file_perms;
 typeattribute $1 can_write_binary_policy;
 ')
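Review bot: In the @@ -688 hunk `selinux_manage_binary_policy` grants `create_file_perms` on `policy_config_t:file` but only `r_dir_perms` on `policy_config_t:dir`, while its depend block (first hunk of the next chunk) declares `class dir create_dir_perms`, so the interface and its requires declaration disagree about the directory. Creating or unlinking a file also needs add_name/remove_name/write on the containing directory, and going by this commit's own mapping in `selinux_write_binary_policy` (`{ getattr search read write add_name remove_name }` → `rw_dir_perms`) `r_dir_perms` does not carry those, so the dir rule probably wants to be `allow $1 policy_config_t:dir rw_dir_perms;`. The narrow dir rule predates this commit, but rewriting both lines was the moment to reconcile them; `selinux_manage_binary_policy` begins before this hunk.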
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
 attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
 ')
 ########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { getattr search read };
- allow $1 policy_src_t:file { getattr read };
+ allow $1 policy_src_t:dir r_dir_perms;
+ allow $1 policy_src_t:file r_file_perms;
 ')
 define(`selinux_read_source_policy_depend',`
 type selinux_config_t, policy_src_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_src_t:dir create_dir_perms;
+ allow $1 policy_src_t:file create_file_perms;
 ')
 define(`selinux_manage_source_policy_depend',`
 type selinux_config_t, policy_src_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 20d4bd6..5dc7688 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
 allow checkpolicy_t self:capability dac_override;
 # able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
 # allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
 type_transition checkpolicy_t policy_src_t:file policy_config_t;
 # only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
 allow checkpolicy_t selinux_config_t:dir search;
 fs_get_persistent_fs_attributes(checkpolicy_t)
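Review bot: In the checkpolicy_t block the new rule `allow checkpolicy_t policy_src_t:dir r_dir_perms;` under the comment "only allow read of policy source files" is fully subsumed by `allow checkpolicy_t policy_src_t:dir rw_dir_perms;` three lines above, so the comment overstates the restriction for the dir class. Consider dropping the redundant r_dir_perms rule, or rewording the comment to `# only allow read of policy source files (dir write is granted above for test policies)` so a reader is not misled about what checkpolicy_t can do in policy_src_t directories. The same pair of rules appears in the selinuxutil.te copy of this hunk later in the diff.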
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file { getattr read write };
+ allow run_init_t self:fifo_file rw_file_perms;
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index e88c067..f3defc7 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -14,7 +14,7 @@ define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute };
+ allow $1 checkpolicy_exec_t:file rx_file_perms;
 allow $1 checkpolicy_t:process transition;
 type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
 define(`selinux_checkpolicy_transition_depend',`
 type checkpolicy_t, checkpolicy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms
 class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 class fd use;
 class fifo_file rw_file_perms;
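Review bot: `class file rx_file_perms` in selinux_checkpolicy_transition_depend is missing its terminating semicolon; every sibling require statement in the block ends with `;` and the removed line did too, so it should read `class file rx_file_perms;`. The same omission appears in selinux_read_load_policy_binary_depend in a later hunk, where `class file r_file_perms` likewise lacks the `;`. While this block is being touched, the context line `class process { transition noatsecure siginh rlimitinh sigchld sigchld };` lists sigchld twice and could be cleaned up in the same pass.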
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 define(`selinux_checkpolicy_execute',`
 requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,checkpolicy_exec_t)
 ')
 define(`selinux_checkpolicy_execute_depend',`
 type checkpolicy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 #######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute };
+ allow $1 load_policy_exec_t:file rx_file_perms;
 allow $1 load_policy_t:process transition;
 type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
 define(`selinux_load_policy_transition_depend',`
 type load_policy_t, load_policy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 define(`selinux_load_policy_execute',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,load_policy_exec_t)
 ')
 define(`selinux_load_policy_execute_depend',`
 type load_policy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 #######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
 define(`selinux_read_load_policy_binary',`
 requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read };
+ allow $1 load_policy_exec_t:file r_file_perms;
 ')
 define(`selinux_read_load_policy_binary_depend',`
 type load_policy_exec_t;
- class file { getattr read };
+ class file r_file_perms
 ')
 #######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute };
+ allow $1 newrole_exec_t:file rx_file_perms;
 allow $1 newrole_t:process transition;
 type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
 define(`selinux_newrole_transition_depend',`
 type newrole_t, newrole_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 define(`selinux_newrole_execute',`
 requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,newrole_exec_t)
 ')
 define(`selinux_newrole_execute_depend',`
 type newrole_t, newrole_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
- allow $1 restorecon_exec_t:file { getattr read execute };
+ allow $1 restorecon_exec_t:file rx_file_perms;
 allow $1 restorecon_t:process transition;
 type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
 define(`selinux_restorecon_transition_depend',`
 type restorecon_t, restorecon_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 #
 define(`selinux_restorecon_execute',`
 requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,restorecon_exec_t)
 ')
 define(`selinux_restorecon_execute_depend',`
 type restorecon_t, restorecon_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
- allow $1 run_init_exec_t:file { getattr read execute };
+ allow $1 run_init_exec_t:file rx_file_perms;
 allow $1 run_init_t:process transition;
 type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
 define(`selinux_run_init_transition_depend',`
 type run_init_t, run_init_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute };
+ allow $1 setfiles_exec_t:file rx_file_perms;
 allow $1 setfiles_t:process transition;
 type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
 define(`selinux_setfiles_transition_depend',`
 type setfiles_t, setfiles_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 define(`selinux_setfiles_execute',`
 requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,setfiles_exec_t)
 ')
 define(`selinux_setfiles_execute_depend',`
 type setfiles_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
 ')
 ########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
 define(`selinux_read_config',`
 requires_block_template(`$0'_depend)
- allow $1 selinux_config_t:dir { getattr search read };
- allow $1 selinux_config_t:file { getattr read };
+ allow $1 selinux_config_t:dir r_dir_perms;
+ allow $1 selinux_config_t:file r_file_perms;
 ')
 define(`selinux_read_config_depend',`
 type selinux_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
 requires_block_template(`$0'_depend)
 allow $1 selinux_config_t:dir search;
- allow $1 default_context_t:dir { getattr search read };
- allow $1 default_context_t:file { getattr read };
+ allow $1 default_context_t:dir r_dir_perms;
+ allow $1 default_context_t:file r_file_perms;
 ')
 define(`selinux_read_default_contexts_depend',`
 type selinux_config_t, default_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
 requires_block_template(`$0'_depend)
 allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir { getattr search read };
- allow $1 file_context_t:file { getattr read };
+ allow $1 file_context_t:dir r_dir_perms;
+ allow $1 file_context_t:file r_file_perms;
 ')
 define(`selinux_read_file_contexts_depend',`
 type selinux_config_t, file_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
 define(`selinux_read_binary_policy',`
 requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { getattr read };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file r_file_perms;
 ')
 define(`selinux_read_binary_policy_depend',`
 type policy_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
 define(`selinux_write_binary_policy',`
 requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+ allow $1 policy_config_t:dir rw_dir_perms;
 allow $1 policy_config_t:file { getattr create write unlink };
 typeattribute $1 can_write_binary_policy;
 ')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
 type policy_config_t;
- class dir { getattr search read write add_name remove_name };
+ class dir rw_dir_perms;
 class file { getattr create write unlink };
 ')
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file create_file_perms;
 typeattribute $1 can_write_binary_policy;
 ')
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
 attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
 ')
 ########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { getattr search read };
- allow $1 policy_src_t:file { getattr read };
+ allow $1 policy_src_t:dir r_dir_perms;
+ allow $1 policy_src_t:file r_file_perms;
 ')
 define(`selinux_read_source_policy_depend',`
 type selinux_config_t, policy_src_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
 # FIXME: search etc_t:dir
 allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_src_t:dir create_dir_perms;
+ allow $1 policy_src_t:file create_file_perms;
 ')
 define(`selinux_manage_source_policy_depend',`
 type selinux_config_t, policy_src_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 20d4bd6..5dc7688 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
 allow checkpolicy_t self:capability dac_override;
 # able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
 # allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
 type_transition checkpolicy_t policy_src_t:file policy_config_t;
 # only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
 allow checkpolicy_t selinux_config_t:dir search;
 fs_get_persistent_fs_attributes(checkpolicy_t)
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file { getattr read write };
+ allow run_init_t self:fifo_file rw_file_perms;
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9619912..c7e0fc1 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -48,14 +48,14 @@ define(`base_user_domain',`
 allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow $1_t self:process { ptrace setfscreate };
 allow $1_t self:fd use;
- allow $1_t self:fifo_file { read getattr lock ioctl write append };
- allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket rw_stream_socket_perms;
 allow $1_t self:unix_dgram_socket sendto;
 allow $1_t self:unix_stream_socket connectto;
- allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
- allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
- allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
 allow $1_t self:msg { send receive };
 dontaudit $1_t self:socket create;
 # Irrelevant until we have labeled networking.
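Review bot: `allow $1_t self:unix_stream_socket rw_stream_socket_perms;` drops the `create` permission that the removed explicit set granted: in refpolicy's permission-set macros rw_stream_socket_perms is the read/write/listen/accept set without create, and create_stream_socket_perms is the one that adds it (the unix_dgram_socket line directly above correctly uses create_socket_perms, and gpg.if in this same diff uses create_stream_socket_perms for the same class). As written, every user domain instantiated from base_user_domain loses the ability to create Unix stream sockets, which is a functional regression rather than a tightening. Use `allow $1_t self:unix_stream_socket create_stream_socket_perms;`. The enclosing base_user_domain define starts and ends outside this hunk.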
@@ -66,31 +66,31 @@ define(`base_user_domain',`
 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 # execute files in the home directory
- allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
+ allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };
 # full control of the home directory
- allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+ allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_dir_t:dir create_dir_perms;
+ type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
- allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
+ allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };
 # Bind to a Unix domain socket in /tmp.
 # cjp: this is combination is not checked and should be removed
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;
- allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+ allow $1_t $1_tmpfs_t:file create_file_perms;
+ allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmpfs_t:sock_file create_file_perms;
+ allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
+ fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
- allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
+ allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 allow $1_t unpriv_userdomain:fd use;
@@ -223,7 +223,7 @@ define(`base_user_domain',`
 dontaudit $1_t usr_t:file setattr;
 # Access the power device.
- allow $1_t power_device_t:chr_file { getattr read write ioctl };
+ allow $1_t power_device_t:chr_file rw_file_perms;
 # Check to see if cdrom is mounted
 allow $1_t mnt_t:dir { getattr search };
@@ -272,7 +272,7 @@ define(`base_user_domain',`
 dontaudit $1_t sysctl_t:dir_file_class_set getattr;
 dontaudit $1_t proc_fs:dir { read search };
- allow $1_t autofs_t:dir { search getattr };
+ allow $1_t autofs_t:dir { getattr search };
 can_exec($1_t, { removable_t noexattrfile } )
 if (user_rw_noexattrfile) {
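Review bot: The rewritten call `fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )` has inconsistent argument spacing (no space after the first comma, stray spaces before the closing parenthesis), unlike the analogous `files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })` later in this diff; suggest `fs_create_private_tmpfs_data($1_t, $1_tmpfs_t, { dir notdevfile_class_set })` so the two template calls read alike. This hunk begins on the previous line of the diff, and the enclosing base_user_domain define starts and ends outside it.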
@@ -320,7 +320,7 @@ define(`base_user_domain',`
 # Gnome pannel binds to the following
 ifdef(`cups.te', `
- allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+ allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
 ')
 # Connect to inetd.
@@ -350,13 +350,13 @@ define(`base_user_domain',`
 can_unix_connect($1_t, xdm_t)
 allow $1_t xdm_tmp_t:sock_file rw_file_perms;
 allow $1_t xdm_tmp_t:dir r_dir_perms;
- allow $1_t xdm_tmp_t:file { getattr read };
+ allow $1_t xdm_tmp_t:file r_file_perms;
 allow $1_t xdm_xserver_tmp_t:sock_file { read write };
 allow $1_t xdm_xserver_tmp_t:dir search;
 allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 # certain apps want to read xdm.pid file
 r_dir_file($1_t, xdm_var_run_t)
- allow $1_t xdm_var_lib_t:file { getattr read };
+ allow $1_t xdm_var_lib_t:file r_file_perms;
 allow xdm_t $1_home_dir_t:dir getattr;
 ifdef(`xauth.te', `
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
@@ -373,7 +373,7 @@ define(`base_user_domain',`
 ifdef(`cardmgr.te', `
 # to allow monitoring of pcmcia status
- allow $1_t cardmgr_var_run_t:file { getattr read };
+ allow $1_t cardmgr_var_run_t:file r_file_perms;
 ')
 #
@@ -385,7 +385,7 @@ define(`base_user_domain',`
 ')
 ifdef(`automount.te', `
- allow $1_t autofs_t:dir { search getattr };
+ allow $1_t autofs_t:dir { getattr search };
 ')
 ifdef(`pamconsole.te', `
@@ -434,20 +434,20 @@ define(`user_domain_template', `
 allow $1_file_type $1_home_t:filesystem associate;
 # user temporary files
- allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
+ allow $1_t $1_tmp_t:file create_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmp_t:dir create_dir_perms;
+ allow $1_t $1_tmp_t:sock_file create_file_perms;
+ allow $1_t $1_tmp_t:fifo_file create_file_perms;
+ files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
 # privileged home directory writers
- allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
- allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+ allow privhome $1_home_t:file create_file_perms;
+ allow privhome $1_home_t:lnk_file create_lnk_perms;
+ allow privhome $1_home_t:dir create_dir_perms;
+ allow privhome $1_home_t:sock_file create_file_perms;
+ allow 
privhome $1_home_t:fifo_file create_file_perms;
+ type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
 kernel_read_system_state($1_t)
 kernel_read_network_state($1_t)
@@ -645,12 +645,12 @@ define(`admin_domain_template',`
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
- allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+ allow $1_t $1_tmp_t:dir create_dir_perms;
+ allow $1_t $1_tmp_t:file create_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_file_perms;
+ allow $1_t $1_tmp_t:fifo_file create_file_perms;
+ allow $1_t $1_tmp_t:sock_file create_file_perms;
+ files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
 kernel_read_system_state($1_t)
 kernel_read_network_state($1_t)
@@ -931,15 +931,15 @@ define(`userdomain_read_all_users_data',`
 requires_block_template(`$0'_depend)
 files_list_home_directories($1)
- allow $1 home_type:dir { getattr search read };
- allow $1 home_type:file { getattr read };
+ allow $1 home_type:dir r_dir_perms;
+ allow $1 home_type:file r_file_perm;
 ')
 define(`userdomain_read_all_users_data_depend',`
 attribute home_type;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
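Review bot: `allow $1_t $1_tmp_t:lnk_file create_file_perms;` in admin_domain_template applies the regular-file set to a symlink, while the equivalent lnk_file rules rewritten in base_user_domain and user_domain_template use `create_lnk_perms`; the file set carries write, append, lock and ioctl, which are not meaningful for symlink objects, so the inconsistency is a least-privilege issue as well as a style one. The removed line already had that odd permission list, but the rewrite is the natural place to align it: `allow $1_t $1_tmp_t:lnk_file create_lnk_perms;`. The unchanged `$1_devpts_t:chr_file { setattr ioctl read getattr lock write append }` context line above could likewise be written `{ setattr rw_file_perms }` to match the tty rule in the first hunk. admin_domain_template continues outside the hunk.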
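Review bot: `allow $1 home_type:file r_file_perm;` in userdomain_read_all_users_data misspells the permission set; the `_depend` block below and the rest of this commit use `r_file_perms`. m4 leaves an undefined macro name untouched, so the literal token reaches checkpolicy as an unknown permission and any policy that instantiates this interface fails to build, while a policy that never calls it hides the error until someone does. Fix: `allow $1 home_type:file r_file_perms;`. Also note that `r_dir_perms` widens the old `{ getattr search read }` on home directories by lock and ioctl, which is presumably the intended standardisation.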