diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 1fb0855..0ae4071 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -28,151 +28,171 @@ ## # template(`su_per_userdomain_template',` - - gen_require(` - type su_exec_t; - ') - - type $1_su_t; - domain_entry_file($1_su_t,su_exec_t) - domain_type($1_su_t) - domain_role_change_exempt($1_su_t) - domain_subj_id_change_exempt($1_su_t) - domain_obj_id_change_exempt($1_su_t) - domain_wide_inherit_fd($1_su_t) - role $3 types $1_su_t; - - allow $2 $1_su_t:process signal; - - allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_file_perms; - - # Transition from the user domain to this domain. - domain_auto_trans($2, su_exec_t, $1_su_t) - allow $2 $1_su_t:fd use; - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t,$2) - allow $2 $1_su_t:fd use; - allow $1_su_t $2:fd use; - allow $1_su_t $2:fifo_file rw_file_perms; - allow $1_su_t $2:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctl($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - # Relabel ttys and ptys. - term_relabel_all_user_ttys($1_su_t) - term_relabel_all_user_ptys($1_su_t) - # Close and re-open ttys and ptys to get the fd into the correct domain. 
- term_use_all_user_ttys($1_su_t) - term_use_all_user_ptys($1_su_t) - - auth_domtrans_user_chk_passwd($1_su_t,$1) - auth_dontaudit_read_shadow($1_su_t) - - domain_wide_inherit_fd($1_su_t) - - files_read_etc_files($1_su_t) - files_search_var_lib($1_su_t) - - init_dontaudit_use_fd($1_su_t) - # Write to utmp. - init_rw_script_pid($1_su_t) - - libs_use_ld_so($1_su_t) - libs_use_shared_libs($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - userdom_use_user_terminals($1,$1_su_t) - - if(secure_mode) - { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } - - if (use_nfs_home_dirs) { - fs_search_nfs($1_su_t) - } - - if (use_samba_home_dirs) { - fs_search_cifs($1_su_t) - } - - optional_policy(`crond.te',` - cron_read_pipe($1_su_t) - ') - - optional_policy(`kerberos.te',` - kerberos_use($1_su_t) - ') - - optional_policy(`nis.te',` - nis_use_ypbind($1_su_t) - ') - - optional_policy(`nscd.te',` - nscd_use_socket($1_su_t) - ') - - ifdef(`TODO',` - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - - # Inherit and use descriptors from gnome-pty-helper. - ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') - - allow $1_su_t { home_root_t $1_home_dir_t }:dir search; - allow $1_su_t $1_home_t:file create_file_perms; - - ifdef(`user_canbe_sysadm', ` - allow $1_su_t home_dir_type:dir { search write }; - ', ` - dontaudit $1_su_t home_dir_type:dir { search write }; - ') - - # Modify .Xauthority file (via xauth program). 
- ifdef(`xauth.te', ` - file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) - file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) - file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) - domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) - ') - - ifdef(`cyrus.te', ` - allow $1_su_t cyrus_var_lib_t:dir search; - ') - ifdef(`ssh.te', ` - # Access sshd cookie files. - allow $1_su_t sshd_tmp_t:file rw_file_perms; - file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) + # in optional since loadable modules do not natively + # support per-userdomain templates yet. + optional_policy(`su.te',` + gen_require(` + type su_exec_t; + ') + + type $1_su_t; + domain_entry_file($1_su_t,su_exec_t) + domain_type($1_su_t) + domain_role_change_exempt($1_su_t) + domain_subj_id_change_exempt($1_su_t) + domain_obj_id_change_exempt($1_su_t) + domain_wide_inherit_fd($1_su_t) + role $3 types $1_su_t; + + allow $2 $1_su_t:process signal; + + allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + + # Transition from the user domain to this domain. + domain_auto_trans($2, su_exec_t, $1_su_t) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + # By default, revert to the calling domain when a shell is executed. 
+ corecmd_shell_domtrans($1_su_t,$2) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctl($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + fs_search_auto_mountpoints($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_access_vector($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + # Relabel ttys and ptys. + term_relabel_all_user_ttys($1_su_t) + term_relabel_all_user_ptys($1_su_t) + # Close and re-open ttys and ptys to get the fd into the correct domain. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) + + auth_domtrans_user_chk_passwd($1_su_t,$1) + auth_dontaudit_read_shadow($1_su_t) + + domain_wide_inherit_fd($1_su_t) + + files_read_etc_files($1_su_t) + files_search_var_lib($1_su_t) + + init_dontaudit_use_fd($1_su_t) + # Write to utmp. + init_rw_script_pid($1_su_t) + + libs_use_ld_so($1_su_t) + libs_use_shared_libs($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + userdom_use_user_terminals($1,$1_su_t) + + if(secure_mode) + { + # Only allow transitions to unprivileged user domains. 
+ userdom_spec_domtrans_unpriv_users($1_su_t) + } else { + # Allow transitions to all user domains + userdom_spec_domtrans_all_users($1_su_t) + } + + if (use_nfs_home_dirs) { + fs_search_nfs($1_su_t) + } + + if (use_samba_home_dirs) { + fs_search_cifs($1_su_t) + } + + optional_policy(`crond.te',` + cron_read_pipe($1_su_t) + ') + + optional_policy(`kerberos.te',` + kerberos_use($1_su_t) + ') + + optional_policy(`nis.te',` + nis_use_ypbind($1_su_t) + ') + + optional_policy(`nscd.te',` + nscd_use_socket($1_su_t) + ') + + ifdef(`TODO',` + + ifdef(`support_polyinstantiation', ` + typeattribute $1_su_t mlsfileread; + typeattribute $1_su_t mlsfilewrite; + typeattribute $1_su_t mlsfileupgrade; + typeattribute $1_su_t mlsfiledowngrade; + typeattribute $1_su_t mlsprocsetsl; + # Su can polyinstantiate + polyinstantiater($1_su_t) + # Su has to unmount polyinstantiated directories (like home) + # that should not be polyinstantiated under the new user + allow $1_su_t fs_t:filesystem unmount; + # Su needs additional permission to mount over a previous mount + allow $1_su_t polymember:dir mounton; + ') + + # Caused by su - init scripts + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + + # Inherit and use descriptors from gnome-pty-helper. + ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') + + allow $1_su_t { home_root_t $1_home_dir_t }:dir search; + allow $1_su_t $1_home_t:file create_file_perms; + + ifdef(`user_canbe_sysadm', ` + allow $1_su_t home_dir_type:dir { search write }; + ', ` + dontaudit $1_su_t home_dir_type:dir { search write }; + ') + + # Modify .Xauthority file (via xauth program). 
+ ifdef(`xauth.te', ` + file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) + file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) + file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) + domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) + ') + + ifdef(`cyrus.te', ` + allow $1_su_t cyrus_var_lib_t:dir search; + ') + ifdef(`ssh.te', ` + # Access sshd cookie files. + allow $1_su_t sshd_tmp_t:file rw_file_perms; + file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) + ') + ') dnl end TODO ') - ') dnl end TODO ') diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index e61e8d5..84e11c4 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if @@ -54,7 +54,7 @@ template(`sudo_per_userdomain_template',` # # Use capabilities. - allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource }; + allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index f27154e..8659a3d 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -75,7 +75,7 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_t self:capability { ipc_lock setuid }; allow { $2 $1_gpg_t } $1_gpg_t:process signal; # setrlimit is for ulimit -c 0 - allow $1_gpg_t self:process { setrlimit setcap }; + allow $1_gpg_t self:process { setrlimit setcap setpgid }; allow $1_gpg_t self:fifo_file rw_file_perms; allow $1_gpg_t self:tcp_socket create_stream_socket_perms; 
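Review bot: `audit_control` is added to $1_su_t without `audit_write`, yet the new `self:netlink_audit_socket nlmsg_relay` rule exists so su can send user-space audit records, and the kernel gates those on CAP_AUDIT_WRITE — as written they would still be rejected. The line should read `allow $1_su_t self:capability { audit_write audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };`, matching what this same commit gives $1_chkpwd_t in authlogin.if. CAP_AUDIT_CONTROL also permits re-filtering or disabling auditing, so if it is here only for pam_loginuid writing the login uid a comment should pin that, e.g. `# audit_control: pam_loginuid sets /proc/self/loginuid`. The rest of the hunk moves the template body verbatim inside optional_policy(`su.te'); the hunk covers the whole template.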
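Review bot: The new `fowner` capability on $1_sudo_t carries no note on which operation needed it, and the `# Use capabilities.` heading above gives a later reader nothing to decide whether it can be dropped. CAP_FOWNER bypasses owner checks on permission/attribute changes and on sticky directories, so it is worth pinning to its cause — presumably sudo's timestamp handling under /var/run/sudo, but that should be confirmed from the denial that prompted it — with something like `# fowner: <operation/AVC that required it>` on the line above.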
@@ -84,9 +84,6 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms; - allow $2 $1_gpg_secret_t:file getattr; - allow $2 $1_gpg_secret_t:dir rw_dir_perms; - corenet_tcp_sendrecv_all_if($1_gpg_t) corenet_raw_sendrecv_all_if($1_gpg_t) corenet_udp_sendrecv_all_if($1_gpg_t) @@ -97,6 +94,7 @@ template(`gpg_per_userdomain_template',` corenet_udp_sendrecv_all_ports($1_gpg_t) corenet_tcp_bind_all_nodes($1_gpg_t) corenet_udp_bind_all_nodes($1_gpg_t) + corenet_tcp_connect_all_ports($1_gpg_t) dev_read_rand($1_gpg_t) dev_read_urand($1_gpg_t) @@ -108,8 +106,6 @@ template(`gpg_per_userdomain_template',` files_read_etc_files($1_gpg_t) files_read_usr_files($1_gpg_t) files_dontaudit_search_var($1_gpg_t) - # should not need read access... - files_list_home($1_gpg_t) libs_use_shared_libs($1_gpg_t) libs_use_ld_so($1_gpg_t) 
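Review bot: Removing `allow $2 $1_gpg_secret_t:file getattr;` and `allow $2 $1_gpg_secret_t:dir rw_dir_perms;` means the user domain can no longer list, stat or manage its own ~/.gnupg contents, only the gpg domain can. That may be deliberate hardening of the secret keyring directory, but the hunk does not say so and users will see `ls -l ~/.gnupg` fail; a short comment at the removal site (`# user domain intentionally has no direct access to $1_gpg_secret_t`) or a tunable would make the intent explicit.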
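Review bot: `corenet_tcp_connect_all_ports($1_gpg_t)` lets the gpg domain initiate TCP connections to any port, while gpg only needs to reach keyservers (hkp, and http/ldap when configured). The domain already had `sendrecv_all_ports`, so reach is not new, but the ssh and kerberos hunks in this same commit use the narrow `corenet_tcp_connect_ssh_port` / `corenet_tcp_connect_kerberos_port` forms; a per-port connect for the keyserver ports, if corenetwork provides one, would be the consistent choice, otherwise a comment such as `# keyserver access; no narrower port interface available` should justify the blanket grant.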
@@ -122,54 +118,22 @@ template(`gpg_per_userdomain_template',` userdom_use_user_terminals($1,$1_gpg_t) - # Legacy - tunable_policy(`allow_gpg_execstack',` - allow $1_gpg_t self:process execmem; - libs_legacy_use_shared_libs($1_gpg_t) - libs_legacy_use_ld_so($1_gpg_t) - miscfiles_legacy_read_localization($1_gpg_t) - # Not quite sure why this is needed... - allow $1_gpg_t gpg_exec_t:file execmod; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_gpg_t) - fs_manage_nfs_files($1_gpg_t) - fs_manage_nfs_symlinks($1_gpg_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_gpg_t) - fs_manage_cifs_files($1_gpg_t) - fs_manage_cifs_symlinks($1_gpg_t) - ') - optional_policy(`nis.te',` nis_use_ypbind($1_gpg_t) ') ifdef(`TODO',` + # Read content to encrypt/decrypt/sign + read_content($1_gpg_t, $1) + + # Write content to encrypt/decrypt/sign + write_trusted($1_gpg_t, $1) ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') # allow ps to show gpg can_ps($1_t, $1_gpg_t) - # use $1_gpg_secret_t for files it creates - # NB we are doing the type transition for directory creation only! - # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as - # secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt - # a file and write output to your home directory it will use user_home_t. - file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir) - - file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file) - create_dir_file($1_gpg_t, $1_home_t) - - # allow the usual access to /tmp - file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) - - rw_dir_create_file($1_gpg_t, $1_file_type) - ') dnl end TODO ######################################## 
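Review bot: Dropping the `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks removes the only visible rules that let $1_gpg_t manage its keyring when the home directory lives on NFS or CIFS, and nothing in the hunk replaces them. If the userdomain template is now expected to grant this generically, a one-line comment at the removal site (`# NFS/CIFS home access now inherited via userdom_* interfaces`) would save the next reader a search; otherwise these blocks need to stay. The `read_content`/`write_trusted` lines are added inside `ifdef(`TODO'`, so they are inert and do not compensate.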
@@ -210,6 +174,7 @@ template(`gpg_per_userdomain_template',` corenet_udp_sendrecv_all_ports($1_gpg_helper_t) corenet_tcp_bind_all_nodes($1_gpg_helper_t) corenet_udp_bind_all_nodes($1_gpg_helper_t) + corenet_tcp_connect_all_ports($1_gpg_helper_t) dev_read_urand($1_gpg_helper_t) @@ -232,9 +197,8 @@ template(`gpg_per_userdomain_template',` ifdef(`TODO',` - ifdef(`xdm.te', ` - dontaudit $1_gpg_t xdm_t:fd use; - dontaudit $1_gpg_t xdm_t:fifo_file read; + ifdef(`xdm.te',` + can_pipe_xdm($1_gpg_t) ') ') dnl end TODO @@ -296,8 +260,6 @@ template(`gpg_per_userdomain_template',` ifdef(`TODO',` - allow $1_gpg_agent_t xdm_t:fd use; - # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) @@ -353,7 +315,6 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto; - allow $1_gpg_pinentry_t xdm_t:fd use; ') allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index e1771a6..e6e9584 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -62,10 +62,6 @@ type inotifyfs_t, filesystem_type; allow inotifyfs_t self:filesystem associate; genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0) -type mqueue_t, filesystem_type; -files_mountpoint(mqueue_t) -allow mqueue_t self:filesystem associate; - type nfsd_fs_t, filesystem_type; genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0) 
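Review bot: Deleting `type mqueue_t` will break any interface or rule elsewhere that still names it — a `gen_require` in filesystem.if or a domain that mounts /dev/mqueue — and this hunk does not show those references being removed. Before the relabel under tmpfs_t lands, the policy should be grepped for `mqueue_t` and those callers dropped or redirected to the tmpfs interfaces; a comment next to the removal, e.g. `# mqueue_t folded into tmpfs_t (see fs_use_trans mqueue below)`, would record where it went.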
@@ -86,12 +82,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0) # type tmpfs_t, filesystem_type; files_type(tmpfs_t) +files_mountpoint(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, # and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems like devpts and tmpfs # where we want to label objects with a derived type. +fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0); fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0); diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 282f5d0..d4d9bf7 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -28,7 +28,7 @@ attribute sysctl_type; type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans role system_r types kernel_t; domain_base_type(kernel_t) -sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) +sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127) # # Procfs types diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te index 6953df6..0c091b8 100644 --- a/refpolicy/policy/modules/kernel/selinux.te +++ b/refpolicy/policy/modules/kernel/selinux.te @@ -15,7 +15,7 @@ attribute can_setsecparam; # the permissions in the security class. It is also # applied to selinuxfs inodes. # -type security_t; +type security_t; #, mlstrustedobject; fs_type(security_t) sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index b01cbfd..e642b2a 100644 
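Review bot: The new `fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);` merges POSIX message queues into the same type as /dev/shm and tmpfs mounts, so every domain that holds tmpfs_t file or filesystem permissions — and every type allowed to `associate` with tmpfs_t through `files_tmp_file`, which this commit also widens in files.if — now reaches message queues too. That may be acceptable, but it is a silent widening introduced by removing mqueue_t and should be stated next to the line, e.g. `# mqueue shares tmpfs_t: anything with tmpfs_t access can reach message queues`. The `files_mountpoint(tmpfs_t)` addition is independent and looks fine.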
--- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -91,6 +91,7 @@ template(`cron_per_userdomain_template',` corenet_udp_sendrecv_all_ports($1_crond_t) corenet_tcp_bind_all_nodes($1_crond_t) corenet_udp_bind_all_nodes($1_crond_t) + corenet_tcp_connect_all_ports($1_crond_t) dev_read_urand($1_crond_t) @@ -188,6 +189,8 @@ template(`cron_per_userdomain_template',` # crontab signals crond by updating the mtime on the spooldir allow $1_crontab_t cron_spool_t:dir setattr; + kernel_read_system_state($1_crontab_t) + # for the checks used by crontab -u selinux_dontaudit_search_fs($1_crontab_t) @@ -210,7 +213,7 @@ template(`cron_per_userdomain_template',` miscfiles_read_localization($1_crontab_t) - seutil_dontaudit_search_config($1_crontab_t) + seutil_read_config($1_crontab_t) userdom_manage_user_tmp_dirs($1,$1_crontab_t) userdom_manage_user_tmp_files($1,$1_crontab_t) diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index c4f6c53..07b9a03 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -46,12 +46,13 @@ template(`dbus_per_userdomain_template',` # allow $1_dbusd_t self:process { getattr sigkill signal }; + allow $1_dbusd_t self:file { getattr read write }; allow $1_dbusd_t self:dbus { send_msg acquire_svc }; allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; # Receive notifications of policy reloads and enforcing status changes. - allow $1_dbusd_t self:netlink_selinux_socket { create bind read }; + allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; # For connecting to the bus allow $2 $1_dbusd_t:unix_stream_socket connectto; 
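Review bot: The new `allow $1_dbusd_t self:file { getattr read write };` grants write access to the process's own files (in practice the /proc/&lt;pid&gt; entries carrying the domain's type) without a comment on which file dbus-daemon writes, unlike the neighbouring rules which each state a reason. If only reading is needed, `write` can go; if a write really is required, record it, e.g. `# dbus-daemon writes /proc/self/<file>; cite the denial`. The widening of `netlink_selinux_socket` from `{ create bind read }` to `create_socket_perms` is consistent with other refpolicy users, but the surviving comment `# Receive notifications of policy reloads and enforcing status changes.` now understates what is allowed.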
@@ -141,6 +142,12 @@ template(`dbus_per_userdomain_template',` optional_policy(`nscd.te',` nscd_use_socket($1_dbusd_t) ') + + ifdef(`TODO',` + ifdef(`xdm.te', ` + can_pipe_xdm($1_dbusd_t) + ') + ') ') ####################################### diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc index fcbb737..bd07afa 100644 --- a/refpolicy/policy/modules/services/kerberos.fc +++ b/refpolicy/policy/modules/services/kerberos.fc @@ -1,6 +1,10 @@ /etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0) /etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0) +/etc/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0) +/etc/krb5kdc/kadm5.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0) +/etc/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0) + /usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0) /usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0) @@ -11,4 +15,4 @@ /var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0) /var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0) -/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0) +/var/log/kadmin(d)?\.log context_template(system_u:object_r:kadmind_log_t,s0) diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if index adfd14e..b777d46 100644 --- a/refpolicy/policy/modules/services/kerberos.if +++ b/refpolicy/policy/modules/services/kerberos.if @@ -54,6 +54,7 @@ interface(`kerberos_use',` corenet_udp_sendrecv_kerberos_port($1) corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) + corenet_tcp_connect_kerberos_port($1) sysnet_read_config($1) sysnet_dns_name_resolve($1) ') 
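Review bot: `/etc/krb5kdc/kadm5.keytab` leaves the dot unescaped, so the pattern also matches a file such as `kadm5Xkeytab`; it should be `/etc/krb5kdc/kadm5\.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)`, like `/etc/krb5\.keytab` two lines above. More importantly, the blanket `/etc/krb5kdc(/.*)?` entry types everything not listed as krb5kdc_conf_t, the type ordinary readers of KDC configuration get; a master-key stash kept in that directory (Debian-style layouts put one there, presumably `/etc/krb5kdc/stash`) would then be labeled as configuration rather than like the principal database. If such a file exists on the targeted distributions it needs its own entry with the same type the /var/kerberos/krb5kdc stash uses.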
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 06537b8..ccd249d 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -70,6 +70,7 @@ template(`mta_per_userdomain_template',` corenet_raw_sendrecv_all_nodes($1_mail_t) corenet_tcp_sendrecv_all_ports($1_mail_t) corenet_tcp_bind_all_nodes($1_mail_t) + corenet_tcp_connect_all_ports($1_mail_t) domain_use_wide_inherit_fd($1_mail_t) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index edb0e04..6fab73a 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -110,6 +110,7 @@ template(`ssh_per_userdomain_template',` corenet_raw_sendrecv_all_nodes($1_ssh_t) corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_bind_all_nodes($1_ssh_t) + corenet_tcp_connect_ssh_port($1_ssh_t) dev_read_urand($1_ssh_t) @@ -132,6 +133,7 @@ template(`ssh_per_userdomain_template',` files_read_usr_files($1_ssh_t) files_read_etc_runtime_files($1_ssh_t) files_read_etc_files($1_ssh_t) + files_read_var_files($1_ssh_t) libs_use_ld_so($1_ssh_t) libs_use_shared_libs($1_ssh_t) @@ -184,9 +186,6 @@ template(`ssh_per_userdomain_template',` ') ifdef(`TODO',` - # Read /var. - allow $1_ssh_t var_t:dir r_dir_perms; - allow $1_ssh_t var_t:notdevfile_class_set r_file_perms; # Read /var/run, /var/log. allow $1_ssh_t var_run_t:dir r_dir_perms; 
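Review bot: `corenet_tcp_connect_all_ports($1_mail_t)` lets the user mail-sending domain open TCP connections to any port, whereas a client MTA run from a user shell only needs to reach the SMTP (and possibly submission) port on a relay. The ssh and kerberos hunks in this same commit use the narrow `corenet_tcp_connect_ssh_port` / `corenet_tcp_connect_kerberos_port` forms, so `corenet_tcp_connect_smtp_port($1_mail_t)` would be the consistent choice if corenetwork provides it; if a local MTA genuinely needs more, a comment should say why.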
@@ -215,32 +214,33 @@ template(`ssh_per_userdomain_template',` # allow ps to show ssh can_ps($1_t, $1_ssh_t) - ifdef(`xserver.te', ` - # Communicate with the X server. - can_unix_connect($1_ssh_t, $1_xserver_t) - allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms; - allow $1_ssh_t $1_xserver_tmp_t:dir search; - ifdef(`xdm.te', ` - allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search; - allow $1_ssh_t { xdm_tmp_t }:sock_file write; - ') - ')dnl end if xserver + # Connect to X server + x_client_domain($1_ssh, $1) #allow ssh to access keys stored on removable media # Should we have a boolean around this? files_search_mnt($1_ssh_t) r_dir_file($1_ssh_t, removable_t) - ifdef(`xdm.te', ` - # should be able to remove these two later - allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write }; - allow $1_ssh_t xdm_xserver_tmp_t:dir search; - allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto; - allow $1_ssh_t xdm_xserver_t:shm r_shm_perms; - allow $1_ssh_t xdm_xserver_t:fd use; - allow $1_ssh_t xdm_xserver_tmpfs_t:file read; - allow $1_ssh_t xdm_t:fd use; - ')dnl end if xdm.te + type $1_ssh_keysign_t, domain, nscd_client_domain; + role $1_r types $1_ssh_keysign_t; + + if (allow_ssh_keysign) { + domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) + allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; + allow $1_ssh_keysign_t self:capability { setgid setuid }; + allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms; + uses_shlib($1_ssh_keysign_t) + dontaudit $1_ssh_keysign_t selinux_config_t:dir search; + dontaudit $1_ssh_keysign_t proc_t:dir search; + dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read }; + allow $1_ssh_keysign_t usr_t:dir search; + allow $1_ssh_keysign_t etc_t:file { getattr read }; + allow $1_ssh_keysign_t self:dir search; + allow $1_ssh_keysign_t self:file { getattr read }; + allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; + } + ') dnl endif TODO ############################## 
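Review bot: The new `$1_ssh_keysign_t` domain and its `allow_ssh_keysign` conditional sit inside `ifdef(`TODO'`, so none of it is compiled, and it is written against legacy macros and raw types (`uses_shlib`, `urandom_device_t`, `proc_t`, `selinux_config_t`, `usr_t`, `etc_t`) rather than the module interfaces used elsewhere in this template; lifting it out will need `dev_read_urand`, `libs_use_shared_libs`, `files_read_etc_files` and friends, and the boolean's declaration is not visible here. A note at the top of the block, e.g. `# TODO: convert to refpolicy interfaces and declare allow_ssh_keysign before enabling`, would make that clear. The `allow $1_ssh_keysign_t sshd_key_t:file { getattr read }` rule gives each user's keysign helper read access to the host private keys, which is the helper's purpose but is exactly why the transition must stay gated by the boolean.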
@@ -301,7 +301,7 @@ template(`ssh_per_userdomain_template',` miscfiles_read_localization($1_ssh_agent_t) - seutil_dontaudit_search_config($1_ssh_agent_t) + seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_ssh_agent_t) @@ -325,14 +325,14 @@ template(`ssh_per_userdomain_template',` ') optional_policy(`xdm.te', ` - xdm_use_fd($1_ssh_agent_t) - xdm_rw_pipe($1_ssh_agent_t) - # KDM: - xdm_sigchld($1_ssh_agent_t) + #xdm_sigchld($1_ssh_agent_t) ') ifdef(`TODO',` + ifdef(`xdm.te',` + can_pipe_xdm($1_ssh_agent_t) + ') # allow ps to show ssh can_ps($1_t, $1_ssh_agent_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 7a126cc..3bfa449 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -47,12 +47,14 @@ template(`authlogin_per_userdomain_template',` role $3 types $1_chkpwd_t; role $3 types system_chkpwd_t; - allow $1_chkpwd_t self:capability setuid; + allow $1_chkpwd_t self:capability { audit_write audit_control setuid }; allow $1_chkpwd_t self:process getattr; files_list_etc($1_chkpwd_t) allow $1_chkpwd_t shadow_t:file { getattr read }; + allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + # Transition from the user domain to this domain. domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) @@ -64,6 +66,9 @@ template(`authlogin_per_userdomain_template',` # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) + dev_read_rand($1_chkpwd_t) + dev_read_urand($1_chkpwd_t) + fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) domain_use_wide_inherit_fd($1_chkpwd_t) @@ -82,6 +87,7 @@ template(`authlogin_per_userdomain_template',` seutil_read_config($1_chkpwd_t) sysnet_dns_name_resolve($1_chkpwd_t) + sysnet_use_ldap($1_chkpwd_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_chkpwd_t) 
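Review bot: `audit_control` is granted to $1_chkpwd_t alongside `audit_write`, but a password-check helper only emits user-space audit records, which need CAP_AUDIT_WRITE; CAP_AUDIT_CONTROL additionally allows changing audit rules and switching auditing off, more than a setuid helper reachable from every user shell should hold, so unless a denial showed otherwise the line should be `allow $1_chkpwd_t self:capability { audit_write setuid };`. The new `allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` is placed on the user domain rather than the helper, and no matching `audit_write` capability for $2 appears in this template, so those messages would be rejected by the kernel as written; if the intent is that the caller, not chkpwd, sends the PAM audit events, the rule belongs where that capability is granted, with a comment saying which side talks to the audit socket.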
@@ -93,17 +99,6 @@ template(`authlogin_per_userdomain_template',` kerberos_use($1_chkpwd_t) ') - optional_policy(`ldap.te',` - allow $1_chkpwd_t self:tcp_socket create_socket_perms; - corenet_tcp_sendrecv_all_if($1_chkpwd_t) - corenet_raw_sendrecv_all_if($1_chkpwd_t) - corenet_tcp_sendrecv_all_nodes($1_chkpwd_t) - corenet_raw_sendrecv_all_nodes($1_chkpwd_t) - corenet_tcp_sendrecv_ldap_port($1_chkpwd_t) - corenet_tcp_bind_all_nodes($1_chkpwd_t) - sysnet_read_config($1_chkpwd_t) - ') - optional_policy(`nis.te',` nis_use_ypbind($1_chkpwd_t) ') @@ -115,6 +110,12 @@ template(`authlogin_per_userdomain_template',` optional_policy(`selinuxutil.te',` seutil_use_newrole_fd($1_chkpwd_t) ') + + ifdef(`TODO',` + can_winbind($1) + r_dir_file($1, cert_t) + dontaudit $1 shadow_t:file { getattr read }; + ') ') ######################################## @@ -221,6 +222,9 @@ interface(`auth_domtrans_chk_passwd',` corecmd_search_sbin($1) domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t) + allow $1 self:capability { audit_write audit_control }; + allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow $1 system_chkpwd_t:fd use; allow system_chkpwd_t $1:fd use; allow system_chkpwd_t $1:fifo_file rw_file_perms; 
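Review bot: `auth_domtrans_chk_passwd` now hands `audit_control` (with `audit_write`) to every domain that calls it — any daemon or program that authenticates a user — not just login-style programs that set the login uid through pam_loginuid. CAP_AUDIT_CONTROL is the capability that can disable or re-filter auditing, so granting it from a general-purpose authentication interface is a large widening; `audit_write` is what sending PAM audit records needs, and `audit_control` is better left to a dedicated interface that login/sshd/su opt into. Suggested form here: `allow $1 self:capability audit_write;` with the comment `# audit_write: PAM user messages; audit_control is deliberately not granted here`.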
@@ -228,26 +232,25 @@ interface(`auth_domtrans_chk_passwd',` dontaudit $1 shadow_t:file { getattr read }; + dev_read_rand($1) + dev_read_urand($1) + sysnet_dns_name_resolve($1) + sysnet_use_ldap($1) optional_policy(`kerberos.te',` kerberos_use($1) ') - optional_policy(`ldap.te',` - allow $1 self:tcp_socket create_socket_perms; - corenet_tcp_sendrecv_all_if($1) - corenet_raw_sendrecv_all_if($1) - corenet_tcp_sendrecv_all_nodes($1) - corenet_raw_sendrecv_all_nodes($1) - corenet_tcp_sendrecv_ldap_port($1) - corenet_tcp_bind_all_nodes($1) - sysnet_read_config($1) - ') - optional_policy(`nis.te',` nis_use_ypbind($1) ') + + ifdef(`TODO',` + can_winbind($1) + r_dir_file($1, cert_t) + dontaudit $1 shadow_t:file { getattr read }; + ') ') ######################################## diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 5df4a0f..850b48d 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -46,11 +46,11 @@ ifdef(`targeted_policy',` # # /opt # -/opt/.*/bin(/.*)? context_template(system_u:object_r:bin_t,s0) +/opt/(.*)?/bin(/.*)? context_template(system_u:object_r:bin_t,s0) -/opt/.*/libexec(/.*)? context_template(system_u:object_r:bin_t,s0) +/opt/(.*)?/libexec(/.*)? context_template(system_u:object_r:bin_t,s0) -/opt/.*/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0) +/opt/(.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0) # # /usr 
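Review bot: Changing `/opt/.*/bin(/.*)?` to `/opt/(.*)?/bin(/.*)?` does not change what matches: `.*` already matches the empty string, so both forms match `/opt/foo/bin` and `/opt//bin` and neither matches `/opt/bin`. If the purpose was to label a top-level `/opt/bin` (and `/opt/sbin`, `/opt/libexec`), the slash has to move inside the optional group — `/opt(/.*)?/bin(/.*)? context_template(system_u:object_r:bin_t,s0)` — and the same applies to the matching edits in files.fc and libraries.fc; if no change in coverage was intended, the original lines can stay.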
@@ -70,23 +70,20 @@ ifdef(`distro_suse', ` ') /usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0) - /usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0) - /usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0) - /usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0) - /usr/lib(64)?/news/bin(/.*)? context_template(system_u:object_r:bin_t,s0) ifdef(`distro_suse', ` /usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0) ') -/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0) -/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- context_template(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0) /usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0) @@ -97,8 +94,8 @@ ifdef(`distro_suse', ` /usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0) - /usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0) +/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0) # # /var diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc index 970538e..6d1fd77 100644 
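Review bot: `/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)` types every regular file under that tree as executable content, including any data or configuration shipped alongside the helpers, so every domain allowed to execute bin_t can run them. If only a few helper programs live there, listing them or restricting to the subdirectory that holds them keeps the executable label narrow; if the whole tree really is executables, a comment saying so (`# turboprint ships its filter binaries under lib/`) would stop it being tightened later. Note that `--` leaves the `lib` directory itself as usr_t, which is probably intended but differs from the `/opt/.../bin` entries above that label the directory too.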
--- a/refpolicy/policy/modules/system/files.fc +++ b/refpolicy/policy/modules/system/files.fc @@ -19,8 +19,8 @@ ifdef(`distro_redhat',` # /boot # /boot/\.journal <> - -/boot/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +/boot/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/boot/lost\+found/.* <> # # /etc @@ -66,7 +66,8 @@ ifdef(`distro_gentoo', ` # HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd HOME_ROOT -d context_template(system_u:object_r:home_root_t,s0) HOME_ROOT/\.journal <> -HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +HOME_ROOT/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +HOME_ROOT/lost\+found/.* <> # # /initrd @@ -77,7 +78,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) # # /lost+found # -/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/lost\+found/.* <> # # /media @@ -98,7 +100,7 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) # /opt(/.*)? context_template(system_u:object_r:usr_t,s0) -/opt/.*/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0) +/opt/(.*)?/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0) # # /proc @@ -111,6 +113,11 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /selinux(/.*)? <> # +# /srv +# +/srv(/.*)? context_template(system_u:object_r:var_t,s0) + +# # /sys # /sys(/.*)? <> @@ -122,7 +129,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /tmp/.* <> /tmp/\.journal <> -/tmp/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/tmp/lost\+found/.* <> # # /usr 
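Review bot: `/srv(/.*)? context_template(system_u:object_r:var_t,s0)` puts network-served site data under the generic var_t, so every domain granted var_t read access — for example `files_read_var_files`, which this same commit gives $1_ssh_t — can now read whatever is published from /srv, and anything that writes var_t can modify it. A dedicated type, or labeling /srv with the content types the web/ftp service modules already use, would keep that data out of generic var_t reach; if var_t is a deliberate placeholder, a comment such as `# /srv: placeholder label, should get its own type` should say so. The lost+found changes (`-d` on the directory, `<>` on its contents) look right.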
@@ -130,8 +138,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /usr(/.*)? context_template(system_u:object_r:usr_t,s0) /usr/\.journal <> -/usr/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) - /usr/etc(/.*)? context_template(system_u:object_r:etc_t,s0) /usr/inclu.e(/.*)? context_template(system_u:object_r:usr_t,s0) @@ -140,10 +146,14 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /usr/local/etc(/.*)? context_template(system_u:object_r:etc_t,s0) -/usr/local/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +/usr/local/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/usr/local/lost\+found/.* <> /usr/local/src(/.*)? context_template(system_u:object_r:src_t,s0) +/usr/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/usr/lost\+found/.* <> + /usr/share(/.*)?/lib(64)?(/.*)? context_template(system_u:object_r:usr_t,s0) /usr/src(/.*)? context_template(system_u:object_r:src_t,s0) @@ -167,7 +177,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /var/lock(/.*)? context_template(system_u:object_r:var_lock_t,s0) -/var/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) +/var/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/var/lost\+found/.* <> /var/run(/.*)? context_template(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -176,5 +187,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0) /var/tmp -d context_template(system_u:object_r:tmp_t,s0) /var/tmp/.* <> - +/var/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0) +/var/tmp/lost\+found/.* <> /var/tmp/vi\.recover -d context_template(system_u:object_r:tmp_t,s0) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index a31f3e8..df31a4e 100644 --- a/refpolicy/policy/modules/system/files.if 
+++ b/refpolicy/policy/modules/system/files.if @@ -73,15 +73,21 @@ interface(`files_pid_file',` ') ######################################## -# -# files_tmp_file(type) -# +## +## Make the specified type a file +## used for temporary files. +## +## +## Type of the file to be used as a +## temporary file. +## interface(`files_tmp_file',` gen_require(` attribute tmpfile; ') files_type($1) + fs_associate_tmpfs($1) typeattribute $1 tmpfile; ') diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index d4dc4d4..2730a5e 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -15,8 +15,8 @@ # # /opt # -/opt/.*/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0) -/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0) +/opt/(.*)?/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0) +/opt/(.*)?/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0) # # /sbin @@ -26,6 +26,10 @@ # # /usr # +/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) + +/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) + /usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) @@ -41,6 +45,10 @@ /usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0) +/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0) +/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) +/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0) + /usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) 
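Review bot: `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` has a `/` where `\.` is intended: as written it matches a file named `<any char>so…` inside a directory called libGL or libGLcore, so libGL.so* itself never receives texrel_shlib_t. It should read `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`. The identical typo is added to strict/file_contexts/types.fc in the nvidia hunk of this commit.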
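Review bot: In the hunk adding the wine and libfame entries, the generic `/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)` line is placed after `/usr/(local/)?lib/wine/.*\.so` and `/usr/(local/)?lib/libfame-.*\.so.*`; because a later file_contexts entry overrides an earlier match, libraries under /usr/local/lib/wine and libfame under /usr/local/lib would end up shlib_t rather than the texrel_shlib_t these lines intend. The strict/file_contexts/types.fc hunk of this commit lists the generic /usr/local entry first; moving it above the two texrel entries here gives the same ordering.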
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 5098be3..e642dba 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -1,8 +1,13 @@ ## Policy for the kernel message logger and system logging daemon. ####################################### -# -# logging_log_file(domain) +## +## Make the specified type a file +## used for logs. +## +## +## Type of the file to be used as a log. +## # interface(`logging_log_file',` gen_require(` @@ -10,6 +15,7 @@ interface(`logging_log_file',` ') files_type($1) + fs_associate_tmpfs($1) typeattribute $1 logfile; ') diff --git a/refpolicy/policy/modules/system/lvm.fc b/refpolicy/policy/modules/system/lvm.fc index f23a4f1..5b41740 100644 --- a/refpolicy/policy/modules/system/lvm.fc +++ b/refpolicy/policy/modules/system/lvm.fc @@ -8,23 +8,18 @@ # /etc/lvm(/.*)? context_template(system_u:object_r:lvm_etc_t,s0) /etc/lvm/\.cache -- context_template(system_u:object_r:lvm_metadata_t,s0) - /etc/lvm/archive(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0) - /etc/lvm/backup(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0) - /etc/lvm/lock(/.*)? context_template(system_u:object_r:lvm_lock_t,s0) /etc/lvmtab(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0) - /etc/lvmtab\.d(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0) # # /lib # -/lib/lvm-10(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0) - -/lib/lvm-200(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0) +/lib/lvm-10/.* -- context_template(system_u:object_r:lvm_exec_t,s0) +/lib/lvm-200/.* -- context_template(system_u:object_r:lvm_exec_t,s0) # # /sbin 
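Review bot: Dropping the `/etc/lvm/archive`, `/etc/lvm/backup` and `/etc/lvm/lock` entries from lvm.fc makes those paths fall back to `/etc/lvm(/.*)?` and so to lvm_etc_t, changing the first two from lvm_metadata_t and the lock directory from lvm_lock_t; unless these entries were moved elsewhere (not visible in this chunk), whatever rules lvm_t has on lvm_metadata_t and lvm_lock_t will no longer apply to them. If the relabel is intended, a comment next to `/etc/lvm(/.*)?` saying that archive, backup and lock are deliberately lvm_etc_t would stop the next reader re-adding them. The `/lib/lvm-10/.*` and `/lib/lvm-200/.*` rewrite is correct: the old `(/.*)` combined with `--` could never match the directory and was awkward for its contents.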
@@ -50,6 +45,7 @@ /sbin/lvresize -- context_template(system_u:object_r:lvm_exec_t,s0) /sbin/lvs -- context_template(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- context_template(system_u:object_r:lvm_exec_t,s0) +/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0) /sbin/pvchange -- context_template(system_u:object_r:lvm_exec_t,s0) /sbin/pvcreate -- context_template(system_u:object_r:lvm_exec_t,s0) /sbin/pvdata -- context_template(system_u:object_r:lvm_exec_t,s0) @@ -82,9 +78,12 @@ # # /usr # +/usr/sbin/clvmd -- context_template(system_u:object_r:clvmd_exec_t,s0) /usr/sbin/lvm -- context_template(system_u:object_r:lvm_exec_t,s0) # # /var # /var/lock/lvm(/.*)? context_template(system_u:object_r:lvm_lock_t,s0) + +/var/cache/multipathd(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index db203f9..f16a8bf 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -6,6 +6,13 @@ policy_module(lvm,1.0) # Declarations # +type clvmd_t; +type clvmd_exec_t; +init_daemon_domain(clvmd_t,clvmd_exec_t) + +type clvmd_var_run_t; +files_pid_file(clvmd_var_run_t) + type lvm_t; type lvm_exec_t; init_system_domain(lvm_t,lvm_exec_t) 
@@ -28,7 +35,91 @@ files_tmp_file(lvm_tmp_t) ######################################## # -# Local policy +# Cluster LVM daemon local policy +# + +dontaudit clvmd_t self:capability sys_tty_config; +allow clvmd_t self:socket create_socket_perms; +allow clvmd_t self:fifo_file { read write }; +allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow clvmd_t self:tcp_socket create_stream_socket_perms; +allow clvmd_t self:udp_socket create_socket_perms; + +allow clvmd_t clvmd_var_run_t:file create_file_perms; +allow clvmd_t clvmd_var_run_t:dir rw_dir_perms; +files_create_pid(clvmd_t,clvmd_var_run_t) + +kernel_read_kernel_sysctl(clvmd_t) +kernel_list_proc(clvmd_t) +kernel_read_proc_symlinks(clvmd_t) + +corenet_tcp_sendrecv_all_if(clvmd_t) +corenet_udp_sendrecv_all_if(clvmd_t) +corenet_raw_sendrecv_all_if(clvmd_t) +corenet_tcp_sendrecv_all_nodes(clvmd_t) +corenet_udp_sendrecv_all_nodes(clvmd_t) +corenet_raw_sendrecv_all_nodes(clvmd_t) +corenet_tcp_sendrecv_all_ports(clvmd_t) +corenet_udp_sendrecv_all_ports(clvmd_t) +corenet_tcp_bind_all_nodes(clvmd_t) +corenet_udp_bind_all_nodes(clvmd_t) +corenet_tcp_bind_reserved_port(clvmd_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) + +dev_read_sysfs(clvmd_t) + +fs_getattr_all_fs(clvmd_t) +fs_search_auto_mountpoints(clvmd_t) + +term_dontaudit_use_console(clvmd_t) + +domain_use_wide_inherit_fd(clvmd_t) + +init_use_fd(clvmd_t) +init_use_script_pty(clvmd_t) + +libs_use_ld_so(clvmd_t) +libs_use_shared_libs(clvmd_t) + +logging_send_syslog_msg(clvmd_t) + +miscfiles_read_localization(clvmd_t) + +seutil_dontaudit_search_config(clvmd_t) +seutil_sigchld_newrole(clvmd_t) + +sysnet_read_config(clvmd_t) + +userdom_dontaudit_use_unpriv_user_fd(clvmd_t) +userdom_dontaudit_search_sysadm_home_dir(clvmd_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(clvmd_t) + term_dontaudit_use_generic_pty(clvmd_t) + files_dontaudit_read_root_file(clvmd_t) +') + +optional_policy(`mount.te',` + 
mount_send_nfs_client_request(clvmd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(clvmd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(clvmd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(clvmd_t) +') +') dnl end TODO + +######################################## +# +# LVM Local policy # # DAC overrides and mknod for modifying /dev entries (vgmknodes) @@ -167,13 +258,10 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` - optional_policy(`gnome-pty-helper.te', ` allow lvm_t sysadm_gph_t:fd use; ') - optional_policy(`rhgb.te',` rhgb_domain(lvm_t) ') - ') dnl end TODO diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc index bcd4720..770a32d 100644 --- a/refpolicy/policy/modules/system/miscfiles.fc +++ b/refpolicy/policy/modules/system/miscfiles.fc @@ -1,13 +1,15 @@ - # # /etc # /etc/localtime -- context_template(system_u:object_r:locale_t,s0) +/etc/pki(/.*)? context_template(system_u:object_r:cert_t,s0) # # /opt # -/opt/.*/man(/.*)? context_template(system_u:object_r:man_t,s0) +/opt/(.*)?/man(/.*)? context_template(system_u:object_r:man_t,s0) + +/srv/([^/]*/)?rsync(/.*)? context_template(system_u:object_r:ftpd_anon_t,s0) # # /usr diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 9b9ab9a..535e1af 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -25,6 +25,9 @@ files_type(fonts_t) type ftpd_anon_t; #, customizable; files_type(ftpd_anon_t) +type ftpd_anon_rw_t; #, customizable; +files_type(ftpd_anon_rw_t) + # # type for /tmp/.ICE-unix # diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index f55425c..cc19cb5 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te 
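Review bot: `corenet_tcp_bind_reserved_port(clvmd_t)` is granted, but the only self:capability rule for clvmd_t in this hunk is the `dontaudit … sys_tty_config`; binding a port below 1024 also requires the net_bind_service capability, so the reserved-port bind will be denied on the capability check. The strict/ counterpart of this change in strict/domains/program/lvm.te does include `allow clvmd_t self:capability net_bind_service;`, and the same line belongs here next to the sys_tty_config dontaudit. The corenet_raw_sendrecv_all_* calls are likewise paired with no rawip_socket rule, so they are either unneeded or incomplete — worth confirming against the daemon's actual denials.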
@@ -181,8 +181,7 @@ userdom_use_all_user_fd(load_policy_t) # Newrole local policy # -allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; - +allow newrole_t self:capability { fowner setuid setgid dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 488bb20..85a7b4d 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -41,10 +41,12 @@ template(`base_user_template',` # type for contents of home directory type $1_home_t, $1_file_type, home_type; files_type($1_home_t) + fs_associate_tmpfs($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; files_type($1_home_dir_t) + fs_associate_tmpfs($1_home_dir_t) type $1_tmp_t, $1_file_type; files_tmp_file($1_tmp_t) diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt index 4dafb20..2c869d3 100644 --- a/refpolicy/policy/support/misc_macros.spt +++ b/refpolicy/policy/support/misc_macros.spt 
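Review bot: The newrole capability set is changed from net_bind_service to fowner without a comment saying which operation needs fowner; since fowner bypasses owner checks for every file newrole touches, not just the intended one, a why-comment such as `# fowner: needed for <operation> -- TODO confirm` on the line above the allow keeps the grant reviewable. If net_bind_service was removed because newrole no longer binds privileged ports, saying so in the same comment would also explain the removal.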
@@ -13,19 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') ######################################## # -# gen_user(username, role_set, mls_defaultlevel, mls_range) +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) # -define(`gen_user',` -user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); -') +define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');') ######################################## # # gen_con(context,mls_sensitivity,[mcs_categories]) # -# MLS: Optionally put the sensitivity for the file -# MCS: Optionally put the categories of the file -# define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl ######################################## diff --git a/refpolicy/policy/systemuser b/refpolicy/policy/systemuser index ff30b50..35499f8 100644 --- a/refpolicy/policy/systemuser +++ b/refpolicy/policy/systemuser @@ -4,11 +4,8 @@ # # -# gen_user(username, role_set, mls_defaultlevel, mls_range) +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) # -define(`gen_user',` -user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); -') # # system_u is the user identity for system processes and objects. @@ -16,7 +13,7 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); # and a user process should never be assigned the system user # identity. # -gen_user(system_u, system_r, s0, s0 - s9:c0.c127) +gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127) # Normal users should not be added to this file, # but instead added to the users file. diff --git a/refpolicy/policy/users b/refpolicy/policy/users index 517c9e3..88a516e 100644 --- a/refpolicy/policy/users +++ b/refpolicy/policy/users 
@@ -5,7 +5,7 @@ # # -# gen_user(username, role_set, mls_defaultlevel, mls_range) +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) # # @@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127) # not in the sysadm_r. # ifdef(`targeted_policy',` - gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127) + gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127) ',` ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127) + gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127) ',` - gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127) + gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127) ') ') diff --git a/strict/assert.te b/strict/assert.te index f8b76c8..02b2878 100644 --- a/strict/assert.te +++ b/strict/assert.te 
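Review bot: The updated signature comment in users has a typo, `[mcs_catetories]`; it should read `# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])` so that it matches the same comment as written in misc_macros.spt and systemuser in this commit.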
@@ -30,58 +30,52 @@ neverallow domain ~domain:process { transition dyntransition }; # Verify that only the insmod_t and kernel_t domains # have the sys_module capability. # -neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module; +neverallow {domain -privsysmod -unrestricted } self:capability sys_module; # # Verify that executable types, the system dynamic loaders, and the # system shared libraries can only be modified by administrators. # -neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename }; -neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto; +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename }; +neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto; # # Verify that only appropriate domains can access /etc/shadow -neverallow { domain -auth -auth_write } shadow_t:file ~getattr; -neverallow { domain -auth_write } shadow_t:file ~r_file_perms; +neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr; +neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms; # # Verify that only appropriate domains can write to /etc (IE mess with # /etc/passwd) -neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms; -neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms; -neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms }; +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms; +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms; +neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file 
~{ execute_no_trans rx_file_perms }; # # Verify that other system software can only be modified by administrators. # -neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename }; -neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename }; +neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename }; +neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename }; # # Verify that only certain domains have access to the raw disk devices. # -neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append }; +neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append }; # # Verify that only the X server and klogd have access to memory devices. # -neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append }; +neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append }; # # Verify that only domains with the privlog attribute can actually syslog # -neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append }; +neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append }; # # Verify that /proc/kmsg is only accessible to klogd. # -ifdef(`klogd.te', ` -neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms; -', ` -ifdef(`syslogd.te', ` -neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms; -')dnl end if syslogd -')dnl end if klogd +neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms; # # Verify that /proc/kcore is inaccessible. 
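Review bot: The comment above the sys_module assertion still says that only insmod_t and kernel_t may hold the capability, but the new rule exempts every domain carrying the privsysmod attribute; update it to `# Verify that only domains with the privsysmod attribute (insmod_t, kernel_t, ...) have the sys_module capability.` so the text and the rule agree (the removed howl_t carve-out presumably became a privsysmod grant elsewhere). The same staleness affects the setenforce comment in the later assert.te hunk, which says "the admin domains" while the rule now tests secadmin. Appending `-unrestricted` to every assertion here and in the sysctl and setenforce/load_policy hunks is consistent with the existing devlog_t and proc_kcore_t lines, but it silently removes unrestricted domains from checks that previously covered them (shadow_t, etc_t, exec_type), so one comment at the top of the file stating that unrestricted is exempt from all assertions would make that policy decision explicit.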
@@ -93,14 +87,14 @@ neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms; # Verify that sysctl variables are only changeable # by initrc and administrators. # -neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append }; -neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append }; -neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append }; -neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append }; -neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append }; -neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append }; -neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append }; -neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append }; +neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append }; +neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append }; +neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append }; +neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append }; # # Verify that certain domains are limited to only being 
@@ -146,13 +140,13 @@ neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:f # # Verify that only the admin domains and initrc_t have setenforce. # -neverallow { domain -admin -initrc_t } security_t:security setenforce; +neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce; # # Verify that only the kernel and load_policy_t have load_policy. # -neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy; +neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy; # # for gross mistakes in policy diff --git a/strict/attrib.te b/strict/attrib.te index 9648dcf..b5e4d8b 100644 --- a/strict/attrib.te +++ b/strict/attrib.te @@ -141,6 +141,10 @@ attribute privhome; # to read /etc/shadow, and grants the permission. attribute auth; +# The auth_bool attribute identifies every domain that can +# read /etc/shadow if its boolean is set; +attribute auth_bool; + # The auth_write attribute identifies every domain that can have write or # relabel access to /etc/shadow, but does not grant it. attribute auth_write; @@ -180,6 +184,12 @@ attribute sysctl_type; # XXX used in different assertions within assert.te. attribute admin; +# The secadmin attribute identifies every security administrator domain. +# It is used in TE assertions when verifying that only administrator +# domains have certain permissions. +# This attribute is presently associated with sysadm_t and secadm_t +attribute secadmin; + # The userdomain attribute identifies every user domain, presently # user_t and sysadm_t. It is used in TE rules that should be applied # to all user domains. 
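Review bot: The new auth_bool comment ends with a stray semicolon, `read /etc/shadow if its boolean is set;`; it should end with a period. Since a neverallow cannot see booleans, the shadow_t assertion in assert.te now exempts every auth_bool domain unconditionally, so it would help to add a second line to this comment: `# Domains with this attribute are exempt from the shadow_t assertions regardless of the boolean's value.`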
@@ -454,3 +464,18 @@ attribute transitionbool; # of the file system. attribute customizable; +############################## +# Attributes for polyinstatiation support: +# + +# For labeling types that are to be polyinstantiated +attribute polydir; + +# And for labeling the parent directories of those polyinstantiated directories +# This is necessary for remounting the original in the parent to give +# security aware apps access +attribute polyparent; + +# And labeling for the member directories +attribute polymember; + diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te index 7ed0722..b3df265 100644 --- a/strict/domains/program/lvm.te +++ b/strict/domains/program/lvm.te @@ -121,3 +121,16 @@ r_dir_file(lvm_t, selinux_config_t) # it has no reason to need this dontaudit lvm_t proc_kcore_t:file getattr; + +# cluster LVM daemon +daemon_domain(clvmd) +can_network(clvmd_t) +can_ypbind(clvmd_t) +allow clvmd_t self:capability net_bind_service; +allow clvmd_t self:socket create_socket_perms; +allow clvmd_t self:fifo_file { read write }; +allow clvmd_t self:file { getattr read }; +allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow clvmd_t reserved_port_t:tcp_socket name_bind; +dontaudit clvmd_t reserved_port_type:tcp_socket name_bind; +dontaudit clvmd_t selinux_config_t:dir search; diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te index 5b794ed..9e86c4b 100644 --- a/strict/domains/program/snmpd.te +++ b/strict/domains/program/snmpd.te @@ -8,7 +8,7 @@ # # Rules for the snmpd_t domain. # -daemon_domain(snmpd) +daemon_domain(snmpd, `, nscd_client_domain') #temp allow snmpd_t var_t:dir getattr; 
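Review bot: The new section header reads `# Attributes for polyinstatiation support:`, a misspelling of polyinstantiation; the trailing colon is also odd for a banner comment. `# Attributes for polyinstantiation support` matches the style of the other banners in attrib.te.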
@@ -16,17 +16,14 @@ allow snmpd_t var_t:dir getattr; can_network_server(snmpd_t) can_ypbind(snmpd_t) -type snmp_port_t, port_type, reserved_port_type; allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind; etc_domain(snmpd) -typealias snmpd_etc_t alias etc_snmpd_t; # for the .index file var_lib_domain(snmpd) file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir) file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file) -typealias snmpd_var_lib_t alias snmpd_var_rw_t; log_domain(snmpd) # for /usr/share/snmp/mibs @@ -39,13 +36,15 @@ allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_socket_perms; allow snmpd_t etc_t:lnk_file read; allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms; -allow snmpd_t urandom_device_t:chr_file read; +allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read }; allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config }; allow snmpd_t proc_t:dir search; allow snmpd_t proc_t:file r_file_perms; allow snmpd_t self:file { getattr read }; -allow snmpd_t self:fifo_file { read write }; +allow snmpd_t self:fifo_file rw_file_perms; +allow snmpd_t { bin_t sbin_t }:dir search; +can_exec(snmpd_t, { bin_t sbin_t shell_exec_t }) ifdef(`distro_redhat', ` ifdef(`rpm.te', ` @@ -61,6 +60,9 @@ dontaudit snmpd_t initrc_var_run_t:file write; dontaudit snmpd_t rpc_pipefs_t:dir getattr; allow snmpd_t rpc_pipefs_t:dir getattr; read_sysctl(snmpd_t) +allow snmpd_t sysctl_net_t:dir search; +allow snmpd_t sysctl_net_t:file { getattr read }; + dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read }; allow snmpd_t sysfs_t:dir { getattr read search }; ifdef(`amanda.te', ` 
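Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` lets the daemon run any binary or shell on the system with no comment saying which snmpd feature needs it; if this is for the exec/extend directives in snmpd.conf (an inference), a comment such as `# snmpd.conf exec/extend directives run external programs` above it would record that. Because there is no domain transition, everything it runs stays in snmpd_t with the net_admin and dac_override capabilities listed above, so a dedicated type for the helper scripts would bound that if the set of programs is known. Removing `type snmp_port_t, port_type, reserved_port_type;` while keeping the name_bind rule on snmp_port_t assumes the type is now declared elsewhere — not visible in this chunk.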
@@ -75,6 +77,7 @@ allow snmpd_t var_lib_nfs_t:dir search; allow snmpd_t proc_net_t:dir search; allow snmpd_t proc_net_t:file r_file_perms; -dontaudit snmpd_t domain:dir { getattr search }; +allow snmpd_t domain:dir { getattr search }; +allow snmpd_t domain:file { getattr read }; dontaudit snmpd_t selinux_config_t:dir search; diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc index 06adff4..050ecb3 100644 --- a/strict/file_contexts/program/kerberos.fc +++ b/strict/file_contexts/program/kerberos.fc @@ -9,3 +9,12 @@ /var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t /var/log/kadmind\.log system_u:object_r:kadmind_log_t /usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t + +# gentoo file locations +/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t +/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t +/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t +/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t +/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t +/var/log/kadmin.log -- system_u:object_r:kadmind_log_t + diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc index e74e2c5..648beb0 100644 --- a/strict/file_contexts/program/lvm.fc +++ b/strict/file_contexts/program/lvm.fc @@ -13,8 +13,8 @@ /var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t /dev/lvm -c system_u:object_r:fixed_disk_device_t /dev/mapper/control -c system_u:object_r:lvm_control_t -/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t -/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t +/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t +/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t /sbin/e2fsadm -- system_u:object_r:lvm_exec_t /sbin/lvchange -- system_u:object_r:lvm_exec_t /sbin/lvcreate -- system_u:object_r:lvm_exec_t 
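Review bot: Turning `dontaudit snmpd_t domain:dir` into `allow` and adding `allow snmpd_t domain:file { getattr read };` gives snmpd read access to the /proc entries of every domain on the system, including cmdline and environ where the kernel's own checks permit it. A comment naming the MIB this serves (presumably the host-resources process table) would justify the scope, and `{ getattr search }` on `domain:dir` plus read of only the files it needs may be enough; worth checking the audit log before granting `read` on all of `domain:file`.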
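Review bot: The new gentoo entries in kerberos.fc leave `.` unescaped in `kadm5.keytab` and `kadmin.log`, whereas the existing entries in the same file escape it (`krb5kdc\.log`, `kadmind\.log`); use `/etc/krb5kdc/kadm5\.keytab -- system_u:object_r:krb5_keytab_t` and `/var/log/kadmin\.log -- system_u:object_r:kadmind_log_t` so the patterns match only the literal names. `principal.*` is fine as written since it is meant as a prefix.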
@@ -64,3 +64,6 @@ /sbin/pvremove -- system_u:object_r:lvm_exec_t /sbin/pvs -- system_u:object_r:lvm_exec_t /sbin/vgs -- system_u:object_r:lvm_exec_t +/sbin/multipathd -- system_u:object_r:lvm_exec_t +/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t +/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc index f4539f1..a146940 100644 --- a/strict/file_contexts/program/rsync.fc +++ b/strict/file_contexts/program/rsync.fc @@ -1,2 +1,3 @@ # rsync program /usr/bin/rsync -- system_u:object_r:rsync_exec_t +/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc index 33816d9..b712037 100644 --- a/strict/file_contexts/types.fc +++ b/strict/file_contexts/types.fc @@ -261,13 +261,13 @@ ifdef(`distro_suse', ` # /opt # /opt(/.*)? system_u:object_r:usr_t -/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t -/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/opt/.*/libexec(/.*)? system_u:object_r:bin_t -/opt/.*/bin(/.*)? system_u:object_r:bin_t -/opt/.*/sbin(/.*)? system_u:object_r:sbin_t -/opt/.*/man(/.*)? system_u:object_r:man_t -/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t +/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t +/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t +/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t +/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t +/opt(/.*)?/man(/.*)? system_u:object_r:man_t +/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t # # /etc 
@@ -359,7 +359,9 @@ ifdef(`distro_gentoo', ` # nvidia share libraries /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t +/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t /usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t +/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t # libGL @@ -385,6 +387,10 @@ ifdef(`distro_gentoo', ` /usr/local/etc(/.*)? system_u:object_r:etc_t /usr/local/src(/.*)? system_u:object_r:src_t /usr/local/man(/.*)? system_u:object_r:man_t +/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t +/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t + # # /usr/X11R6/man @@ -442,13 +448,22 @@ HOME_ROOT/\.journal <> # # Lost and found directories. # -/lost\+found(/.*)? system_u:object_r:lost_found_t -/usr/lost\+found(/.*)? system_u:object_r:lost_found_t -/boot/lost\+found(/.*)? system_u:object_r:lost_found_t -HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t -/var/lost\+found(/.*)? system_u:object_r:lost_found_t -/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t -/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t +/lost\+found -d system_u:object_r:lost_found_t +/lost\+found/.* <> +/usr/lost\+found -d system_u:object_r:lost_found_t +/usr/lost\+found/.* <> +/boot/lost\+found -d system_u:object_r:lost_found_t +/boot/lost\+found/.* <> +HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t +HOME_ROOT/lost\+found/.* <> +/var/lost\+found -d system_u:object_r:lost_found_t +/var/lost\+found/.* <> +/tmp/lost\+found -d system_u:object_r:lost_found_t +/tmp/lost\+found/.* <> +/var/tmp/lost\+found -d system_u:object_r:lost_found_t +/var/tmp/lost\+found/.* <> +/usr/local/lost\+found -d system_u:object_r:lost_found_t +/usr/local/lost\+found/.* <> # # system localization 
@@ -458,6 +473,7 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t /usr/lib/locale(/.*)? system_u:object_r:locale_t /etc/localtime -- system_u:object_r:locale_t /etc/localtime -l system_u:object_r:etc_t +/etc/pki(/.*)? system_u:object_r:cert_t # # Gnu Cash @@ -466,6 +482,11 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t /usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t # +# Turboprint +# +/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t + +# # initrd mount point, only used during boot # /initrd -d system_u:object_r:root_t @@ -481,5 +502,12 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t # /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t -/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t -/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t +/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t + +# +# /srv +# +/srv(/.*)? system_u:object_r:var_t + diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te index 806a9cd..34f1948 100644 --- a/strict/macros/program/chkpwd_macros.te +++ b/strict/macros/program/chkpwd_macros.te 
@@ -17,30 +17,25 @@ define(`chkpwd_domain',` # Derived domain based on the calling user domain and the program. type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth; +role $1_r types $1_chkpwd_t; + # is_selinux_enabled allow $1_chkpwd_t proc_t:file read; + can_getcon($1_chkpwd_t) -can_ypbind($1_chkpwd_t) -can_kerberos($1_chkpwd_t) -can_ldap($1_chkpwd_t) -can_resolve($1_chkpwd_t) -# Transition from the user domain to this domain. +authentication_domain($1_chkpwd_t) + ifelse($1, system, ` domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) -role system_r types system_chkpwd_t; -dontaudit auth_chkpwd shadow_t:file { getattr read }; allow auth_chkpwd sbin_t:dir search; -dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; -can_ypbind(auth_chkpwd) -can_kerberos(auth_chkpwd) -can_ldap(auth_chkpwd) -can_resolve(auth_chkpwd) +allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; +authentication_domain(auth_chkpwd) ', ` domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) allow $1_t sbin_t:dir search; - -# The user role is authorized for this domain. -role $1_r types $1_chkpwd_t; +allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # Write to the user domain tty. access_terminal($1_chkpwd_t, $1) diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te index 8cd7deb..5e61d7d 100644 --- a/strict/macros/program/crond_macros.te +++ b/strict/macros/program/crond_macros.te @@ -67,6 +67,7 @@ role $1_r types $1_crond_t; # This domain is granted permissions common to most domains. can_network($1_crond_t) +allow $1_crond_t port_type:tcp_socket name_connect; can_ypbind($1_crond_t) r_dir_file($1_crond_t, self) allow $1_crond_t self:fifo_file rw_file_perms; 
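Review bot: The new audit rule in the per-user branch, `allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`, is granted to the calling user domain `$1_t` rather than to `$1_chkpwd_t`, and the system branch grants the same to every domain carrying the `auth_chkpwd` attribute; neither line says why the caller and not the password checker must relay audit messages. A comment such as `# the caller's PAM stack sends the authentication audit record; needs the audit_write capability as well` (if that is indeed the reason) would stop a later reader from "fixing" it. Note that nlmsg_relay alone does not let a domain emit user audit records, since the kernel also requires CAP_AUDIT_WRITE, so either the user domains hold that capability elsewhere or these rules are inert for them; a failed login from a user_t shell with auditing on is the quick way to confirm which. The macro body continues past the hunk.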
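Review bot: `allow $1_crond_t port_type:tcp_socket name_connect;` grants the user cron-job domain outbound TCP to every labelled port, which turns the name_connect check into a no-op for that domain; the same blanket rule is added for `$1_gpg_t` (gpg_macros.te, first hunk), `$1_gpg_helper_t` (gpg_macros.te, third hunk) and `$1_mail_t` (mta_macros.te). Where the peer is known the rule should name its port type, as the kerberos and ssh hunks in this commit do (`kerberos_port_t`, `ssh_port_t`): `$1_mail_t` only needs the SMTP port type and the gpg helper only its keyserver port type. For `$1_crond_t` the broad grant may be deliberate because cron jobs run arbitrary user commands; if so, say it on the line, e.g. `# cron jobs run arbitrary user commands; any destination port is allowed`.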
diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te index 352fbe9..50d5ee5 100644 --- a/strict/macros/program/crontab_macros.te +++ b/strict/macros/program/crontab_macros.te @@ -41,8 +41,6 @@ read_locale($1_crontab_t) # Use capabilities dac_override is to create the file in the directory # under /tmp allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override }; -dontaudit $1_crontab_t proc_t:dir search; -dontaudit $1_crontab_t selinux_config_t:dir search; # Type for temporary files. file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file }) @@ -65,6 +63,11 @@ dontaudit $1_crontab_t crond_t:process signal; # for the checks used by crontab -u dontaudit $1_crontab_t security_t:dir search; +allow $1_crontab_t proc_t:dir search; +allow $1_crontab_t proc_t:{ file lnk_file } { getattr read }; +allow $1_crontab_t selinux_config_t:dir search; +allow $1_crontab_t selinux_config_t:file { getattr read }; +dontaudit $1_crontab_t self:dir search; # crontab signals crond by updating the mtime on the spooldir allow $1_crontab_t cron_spool_t:dir setattr; diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te index c11784c..600ac41 100644 --- a/strict/macros/program/dbusd_macros.te +++ b/strict/macros/program/dbusd_macros.te 
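Review bot: The five new `allow` lines for `proc_t` and `selinux_config_t` turn what the previous hunk removed as `dontaudit` into real access (`allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };` reads all non-process files under /proc), but nothing records what crontab needs them for. Presumably this is libselinux consulting `/etc/selinux/config` and `/proc/filesystems` for the `crontab -u` context checks mentioned in the existing comment; if so, extend that comment, e.g. `# libselinux reads /etc/selinux/config and /proc/filesystems for the crontab -u checks`. If only those files are involved, a rule narrower than all of proc_t would be preferable, but that is conjecture from the hunk alone.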
@@ -30,17 +30,20 @@ r_dir_file($1_dbusd_t, etc_dbusd_t) tmp_domain($1_dbusd) allow $1_dbusd_t self:process fork; ifdef(`xdm.te', ` -allow $1_dbusd_t xdm_t:fd use; -allow $1_dbusd_t xdm_t:fifo_file write; +can_pipe_xdm($1_dbusd_t) ') allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; allow $1_dbusd_t urandom_device_t:chr_file { getattr read }; -allow $1_dbusd_t self:file { getattr read }; +allow $1_dbusd_t self:file { getattr read write }; allow $1_dbusd_t proc_t:file read; +can_getsecurity($1_dbusd_t) +r_dir_file($1_dbusd_t, default_context_t) +allow system_dbusd_t self:netlink_selinux_socket create_socket_perms; + ifdef(`pamconsole.te', ` r_dir_file($1_dbusd_t, pam_var_console_t) ') diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te index 21a8768..f7ad8b0 100644 --- a/strict/macros/program/gpg_agent_macros.te +++ b/strict/macros/program/gpg_agent_macros.te @@ -22,7 +22,6 @@ domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) role $1_r types $1_gpg_agent_t; allow $1_gpg_agent_t privfd:fd use; -allow $1_gpg_agent_t xdm_t:fd use; # Write to the user domain tty. access_terminal($1_gpg_agent_t, $1) @@ -86,10 +85,9 @@ ifdef(`xdm.te', ` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) -allow $1_gpg_pinentry_t xdm_t:fd use; ')dnl end ig xdm.te -r_dir_file($1_gpg_pinentry_t, fonts_t) +read_fonts($1_gpg_pinentry_t, $1) # read kde font cache allow $1_gpg_pinentry_t usr_t:file { getattr read }; diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te index 124d6e8..a836ed6 100644 --- a/strict/macros/program/gpg_macros.te +++ b/strict/macros/program/gpg_macros.te 
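Review bot: `allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;` hard-codes `system_dbusd_t` inside the `$1_dbusd` macro, so it is emitted identically on every instantiation and per-user dbusd domains never receive it; if only the system bus needs SELinux netlink notifications the rule belongs with the system_dbusd declaration outside the macro, otherwise it should read `allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;`. The widening `allow $1_dbusd_t self:file { getattr read write };` also deserves a why-comment: write on self:file covers the process's own /proc entries, and the neighbouring `can_getsecurity` and `default_context_t` lines suggest this serves the bus daemon's context handling, but that is inferred. The macro body continues outside the hunk.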
@@ -23,27 +23,15 @@ type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile; # Transition from the user domain to the derived domain. domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t) +role $1_r types $1_gpg_t; can_network($1_gpg_t) +allow $1_gpg_t port_type:tcp_socket name_connect; can_ypbind($1_gpg_t) # for a bug in kmail dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write }; -# The user role is authorized for this domain. -role $1_r types $1_gpg_t; - -# Legacy -if (allow_gpg_execstack) { -legacy_domain($1_gpg) -allow $1_gpg_t locale_t:file execute; - -# Not quite sure why this is needed... -allow $1_gpg_t gpg_exec_t:file execmod; -} - -allow $1_t $1_gpg_secret_t:file getattr; - allow $1_gpg_t device_t:dir r_dir_perms; allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms; 
@@ -60,45 +48,28 @@ allow $1_gpg_t { privfd $1_t }:fd use; allow { $1_t $1_gpg_t } $1_gpg_t:process signal; # setrlimit is for ulimit -c 0 -allow $1_gpg_t self:process { setrlimit setcap }; +allow $1_gpg_t self:process { setrlimit setcap setpgid }; # allow ps to show gpg can_ps($1_t, $1_gpg_t) uses_shlib($1_gpg_t) -# should not need read access... -allow $1_gpg_t home_root_t:dir { read search }; - -# use $1_gpg_secret_t for files it creates -# NB we are doing the type transition for directory creation only! -# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as -# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt -# a file and write output to your home directory it will use user_home_t. -file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir) +# Access .gnupg rw_dir_create_file($1_gpg_t, $1_gpg_secret_t) -file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file) -create_dir_file($1_gpg_t, $1_home_t) - -# allow the usual access to /tmp -file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) +# Read content to encrypt/decrypt/sign +read_content($1_gpg_t, $1) -if (use_nfs_home_dirs) { -create_dir_file($1_gpg_t, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1_gpg_t, cifs_t) -} +# Write content to encrypt/decrypt/sign +write_trusted($1_gpg_t, $1) allow $1_gpg_t self:capability { ipc_lock setuid }; -rw_dir_create_file($1_gpg_t, $1_file_type) allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms; allow $1_gpg_t fs_t:filesystem getattr; allow $1_gpg_t usr_t:file r_file_perms; read_locale($1_gpg_t) -allow $1_t $1_gpg_secret_t:dir rw_dir_perms; dontaudit $1_gpg_t var_t:dir search; 
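Review bot: The removed `file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)` was what labelled a freshly created ~/.gnupg as `$1_gpg_secret_t`; its replacement `rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)` only lets gpg use a directory that already carries that type. Unless `write_trusted($1_gpg_t, $1)` or something outside this hunk supplies the transition, a first run of gpg creates ~/.gnupg with the home directory's type and the secret-key confinement this type exists for never takes effect; the deleted comment block explaining the directory-only transition was worth keeping in any case. The `/tmp` auto-transition to `$1_tmp_t` is dropped as well with no replacement visible here. Checking `ls -Z ~/.gnupg` on a fresh account after the first gpg invocation settles whether the label still appears.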
@@ -130,6 +101,7 @@ allow $1_gpg_helper_t $1_t:fd use; allow $1_gpg_helper_t $1_t:fifo_file write; # get keys from the network can_network_client($1_gpg_helper_t) +allow $1_gpg_helper_t port_type:tcp_socket name_connect; allow $1_gpg_helper_t etc_t:file { getattr read }; allow $1_gpg_helper_t urandom_device_t:chr_file read; allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; @@ -137,8 +109,7 @@ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; dontaudit $1_gpg_helper_t var_t:dir search; ifdef(`xdm.te', ` -dontaudit $1_gpg_t xdm_t:fd use; -dontaudit $1_gpg_t xdm_t:fifo_file read; +can_pipe_xdm($1_gpg_t) ') ')dnl end gpg_domain definition diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te index 1cdaa39..e5c4eed 100644 --- a/strict/macros/program/inetd_macros.te +++ b/strict/macros/program/inetd_macros.te @@ -56,7 +56,6 @@ allow $1_t self:dir search; allow $1_t self:{ lnk_file file } { getattr read }; can_kerberos($1_t) allow $1_t urandom_device_t:chr_file r_file_perms; -type $1_port_t, port_type, reserved_port_type; # Use sockets inherited from inetd. ifelse($2, `', ` allow inetd_t $1_port_t:udp_socket name_bind; diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te index 0be8bee..91850d3 100644 --- a/strict/macros/program/kerberos_macros.te +++ b/strict/macros/program/kerberos_macros.te @@ -2,6 +2,7 @@ define(`can_kerberos',` ifdef(`kerberos.te',` if (allow_kerberos) { can_network_client($1, `kerberos_port_t') +allow $1 kerberos_port_t:tcp_socket name_connect; can_resolve($1) } ') dnl kerberos.te diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te index 6778d6e..cc73d63 100644 --- a/strict/macros/program/mta_macros.te +++ b/strict/macros/program/mta_macros.te 
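Review bot: Removing `type $1_port_t, port_type, reserved_port_type;` from inetd's macro leaves the following context lines (`allow inetd_t $1_port_t:udp_socket name_bind;`) referencing a type the macro no longer declares, so every service built on this macro must now declare its own `$1_port_t`; a comment at the removal site, e.g. `# $1_port_t must be declared by the service that uses this macro`, makes that contract visible. A caller that does not declare it fails in checkpolicy on the undefined type, so rebuilding each inetd-based service is the check. The macro body continues outside the hunk.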
@@ -34,6 +34,7 @@ role $1_r types $1_mail_t; uses_shlib($1_mail_t) can_network_client_tcp($1_mail_t) +allow $1_mail_t port_type:tcp_socket name_connect; can_resolve($1_mail_t) can_ypbind($1_mail_t) allow $1_mail_t self:unix_dgram_socket create_socket_perms; diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te index b19e2de..c7a143e 100644 --- a/strict/macros/program/newrole_macros.te +++ b/strict/macros/program/newrole_macros.te @@ -49,7 +49,7 @@ can_setexec($1_t) allow $1_t autofs_t:dir search; # Use capabilities. -allow $1_t self:capability { setuid setgid net_bind_service dac_override }; +allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override }; # Read the devpts root directory. allow $1_t devpts_t:dir r_dir_perms; @@ -60,8 +60,7 @@ r_dir_file($1_t, selinux_config_t) allow $1_t etc_t:file r_file_perms; # Read /var. -allow $1_t var_t:dir r_dir_perms; -allow $1_t var_t:notdevfile_class_set r_file_perms; +r_dir_file($1_t, var_t) # Read /dev directories and any symbolic links. allow $1_t device_t:dir r_dir_perms; diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te index 0accc1b..7215f5c 100644 --- a/strict/macros/program/ssh_agent_macros.te +++ b/strict/macros/program/ssh_agent_macros.te @@ -49,6 +49,7 @@ read_locale($1_ssh_agent_t) allow $1_ssh_agent_t proc_t:dir search; dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; dontaudit $1_ssh_agent_t selinux_config_t:dir search; +dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr }; read_sysctl($1_ssh_agent_t) # Access the ssh temporary files. Should we have an own type here 
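Review bot: `fowner` is added to newrole's capability set with no comment, and it is the one capability in that set that bypasses the owner check on file operations (mode, timestamp and similar changes on files the process does not own), so a reader should be told why newrole needs it. If it is for fixing up the terminal's mode after the relabel, which the hunk does not show, write `# fowner: <reason> -- TODO confirm` above the line. The `r_dir_file($1_t, var_t)` replacement is slightly narrower than the removed `notdevfile_class_set` rules (no fifo or socket files), which looks intended and is fine.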
@@ -62,7 +63,7 @@ allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; allow $1_ssh_agent_t self:capability setgid; # access the random devices -allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read; +allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read }; # for ssh-add can_unix_connect($1_t, $1_ssh_agent_t) @@ -89,8 +90,7 @@ allow $1_ssh_t $1_t:unix_stream_socket connectto; allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; ifdef(`xdm.te', ` -allow $1_ssh_agent_t xdm_t:fd use; -allow $1_ssh_agent_t xdm_t:fifo_file { read write }; +can_pipe_xdm($1_ssh_agent_t) # kdm: sigchld allow $1_ssh_agent_t xdm_t:process sigchld; diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te index 473b273..0f6549f 100644 --- a/strict/macros/program/ssh_macros.te +++ b/strict/macros/program/ssh_macros.te @@ -53,8 +53,7 @@ allow $1_ssh_t fs_type:filesystem getattr; base_file_read_access($1_ssh_t) # Read /var. -allow $1_ssh_t var_t:dir r_dir_perms; -allow $1_ssh_t var_t:notdevfile_class_set r_file_perms; +r_dir_file($1_ssh_t, var_t) # Read /var/run, /var/log. allow $1_ssh_t var_run_t:dir r_dir_perms; @@ -63,8 +62,7 @@ allow $1_ssh_t var_log_t:dir r_dir_perms; allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms; # Read /etc. -allow $1_ssh_t etc_t:dir r_dir_perms; -allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms; +r_dir_file($1_ssh_t, etc_t) allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms; # Read /dev directories and any symbolic links. @@ -80,6 +78,7 @@ allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms; # Grant permissions needed to create TCP and UDP sockets and # to access the network. can_network_client_tcp($1_ssh_t) +allow $1_ssh_t ssh_port_t:tcp_socket name_connect; can_resolve($1_ssh_t) can_ypbind($1_ssh_t) can_kerberos($1_ssh_t) 
@@ -130,18 +129,8 @@ allow $1_t $1_ssh_t:process signal; # allow ps to show ssh can_ps($1_t, $1_ssh_t) -ifdef(`xserver.te', ` -# Communicate with the X server. -ifdef(`startx.te', ` -can_unix_connect($1_ssh_t, $1_xserver_t) -allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms; -allow $1_ssh_t $1_xserver_tmp_t:dir search; -')dnl end if startx -ifdef(`xdm.te', ` -allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search; -allow $1_ssh_t { xdm_tmp_t }:sock_file write; -') -')dnl end if xserver +# Connect to X server +x_client_domain($1_ssh, $1) ifdef(`ssh-agent.te', ` ssh_agent_domain($1) 
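Review bot: `x_client_domain($1_ssh, $1)` replaces access scoped to the X server socket (`can_unix_connect`, `sock_file rw_file_perms`, tmp directory search) with the full X-client macro, and the former `ifdef(`xserver.te'`, `startx.te`, `xdm.te')` guards are gone; if `x_client_domain` is not guarded internally the ssh macro now fails to build on a policy without the X modules, and if it grants more than the removed lines the ssh client gains whatever else an X client receives. The new comment should say what the client actually needs, e.g. `# X11 forwarding: ssh is an X client towards the local server (x_client_domain carries the xdm/startx ifdefs)`. Confirming that `x_client_domain` contains its own ifdefs is the thing to check before merging.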
@@ -152,18 +141,26 @@ ssh_agent_domain($1) allow $1_ssh_t mnt_t:dir search; r_dir_file($1_ssh_t, removable_t) -ifdef(`xdm.te', ` -# should be able to remove these two later -allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write }; -allow $1_ssh_t xdm_xserver_tmp_t:dir search; -allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto; -allow $1_ssh_t xdm_xserver_t:shm r_shm_perms; -allow $1_ssh_t xdm_xserver_t:fd use; -allow $1_ssh_t xdm_xserver_tmpfs_t:file read; -allow $1_ssh_t xdm_t:fd use; -')dnl end if xdm.te -')dnl end macro definition +type $1_ssh_keysign_t, domain, nscd_client_domain; +role $1_r types $1_ssh_keysign_t; + +if (allow_ssh_keysign) { +domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) +allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; +allow $1_ssh_keysign_t self:capability { setgid setuid }; +allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms; +uses_shlib($1_ssh_keysign_t) +dontaudit $1_ssh_keysign_t selinux_config_t:dir search; +dontaudit $1_ssh_keysign_t proc_t:dir search; +dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read }; +allow $1_ssh_keysign_t usr_t:dir search; +allow $1_ssh_keysign_t etc_t:file { getattr read }; +allow $1_ssh_keysign_t self:dir search; +allow $1_ssh_keysign_t self:file { getattr read }; +allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; +} +')dnl end macro definition ', ` define(`ssh_domain',`') diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te index 7426b4e..055e08a 100644 --- a/strict/macros/program/su_macros.te +++ b/strict/macros/program/su_macros.te 
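Review bot: The new `$1_ssh_keysign_t` domain reads the host's private keys (`allow $1_ssh_keysign_t sshd_key_t:file { getattr read };`) from a per-user role, and nothing in the block records what the helper is or why that access is acceptable; a header such as `# ssh-keysign: setuid helper for host-based authentication; it signs the challenge with the host key so sshd_key_t never has to be readable by $1_ssh_t` would carry the security argument. The `type` and `role` lines sit outside `if (allow_ssh_keysign)`, which is fine, but the boolean's declaration and default are not in this diff; it should default to off, since host-based authentication is rarely wanted and this is the only path by which a user domain reaches the host keys. The keysign domain has no network rules, which is correct for a signing helper and worth stating in the same comment.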
@@ -24,6 +24,13 @@ ifdef(`su.te', ` define(`su_restricted_domain', ` # Derived domain based on the calling user domain and the program. type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; +ifdef(`support_polyinstantiation', ` +typeattribute $1_su_t mlsfileread; +typeattribute $1_su_t mlsfilewrite; +typeattribute $1_su_t mlsfileupgrade; +typeattribute $1_su_t mlsfiledowngrade; +typeattribute $1_su_t mlsprocsetsl; +') # for SSP allow $1_su_t urandom_device_t:chr_file { getattr read }; @@ -32,7 +39,6 @@ allow $1_su_t urandom_device_t:chr_file { getattr read }; domain_auto_trans($1_t, su_exec_t, $1_su_t) allow $1_su_t sbin_t:dir search; -domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) uses_shlib($1_su_t) allow $1_su_t etc_t:file { getattr read }; @@ -62,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read; ') # Use capabilities. -allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control }; dontaudit $1_su_t self:capability sys_tty_config; # # Caused by su - init scripts @@ -88,6 +94,13 @@ allow $1_su_t privfd:fd use; allow $1_su_t { var_t var_run_t }:dir search; allow $1_su_t initrc_var_run_t:file rw_file_perms; can_kerberos($1_su_t) + +ifdef(`chkpwd.te', ` +domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) +') + +allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + ') dnl end su_restricted_domain define(`su_mini_domain', ` @@ -109,10 +122,6 @@ allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; define(`su_domain', ` su_mini_domain($1) -ifdef(`chkpwd.te', ` -# Run chkpwd. -can_exec($1_su_t, chkpwd_exec_t) -') # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') 
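Review bot: Under `support_polyinstantiation` the su domain receives all five MLS override attributes (`mlsfileread`, `mlsfilewrite`, `mlsfileupgrade`, `mlsfiledowngrade`, `mlsprocsetsl`), which exempts it from the file constraints in every direction rather than only for establishing the new user's level, and the block has no comment saying which of them polyinstantiation actually exercises. If only `mlsprocsetsl` plus the read/write overrides are needed to set up the instance directories, drop the upgrade/downgrade attributes or justify them on the spot, e.g. `# su relabels polyinstantiated dirs across levels -- needs upgrade/downgrade`. The polyinstantiater block later in this file is where the same question recurs.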
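Review bot: `audit_control` joins `$1_su_t`'s capability set without a comment, and it is considerably stronger than writing audit records: it permits changing the audit configuration and rules and enabling or disabling auditing, for every user's su domain. If the need is pam_loginuid writing /proc/self/loginuid (older kernels gate that on CAP_AUDIT_CONTROL), say so on the line, e.g. `# audit_control: pam_loginuid sets /proc/self/loginuid`, and mention that the `netlink_audit_socket { nlmsg_relay ... }` rule added two hunks below is the part that actually sends the record. If the target kernel accepts the loginuid write with a lesser capability, the weaker one is the right choice.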
@@ -139,6 +148,16 @@ if (use_samba_home_dirs) { allow $1_su_t cifs_t:dir search; } +ifdef(`support_polyinstantiation', ` +# Su can polyinstantiate +polyinstantiater($1_su_t) +# Su has to unmount polyinstantiated directories (like home) +# that should not be polyinstantiated under the new user +allow $1_su_t fs_t:filesystem unmount; +# Su needs additional permission to mount over a previous mount +allow $1_su_t polymember:dir mounton; +') + # Modify .Xauthority file (via xauth program). ifdef(`xauth.te', ` file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) diff --git a/strict/mcs b/strict/mcs new file mode 100644 index 0000000..20ec239 --- /dev/null +++ b/strict/mcs 
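Review bot: `allow $1_su_t fs_t:filesystem unmount;` lets every user's su domain unmount any filesystem labelled fs_t, which is the generic type of ordinary disk filesystems, not only the polyinstantiated directories the comment describes; the comment is good but the rule is wider than it states. If the instances are bind mounts of an fs_t filesystem there may be no narrower label available, in which case the comment should own up to it (`# the bind-mounted instance dirs carry fs_t; unmount is broader than needed`), otherwise use the filesystem type the instance directories actually carry. The `polymember:dir mounton` rule is appropriately scoped.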
@@ -0,0 +1,212 @@
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
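Review bot: The "dummy" `mlsconstrain xextension query ( t1 == mlsfileread );` is not a no-op: an mlsconstrain adds a condition to the permission, so with this policy loaded every domain lacking the `mlsfileread` attribute is denied `xextension query` as soon as an X server enforces that class. If the line exists only to satisfy the build, make the dummy tautological, e.g. `mlsconstrain xextension query ( t1 == mlsfileread or t1 != mlsfileread );`, and replace the `XXX` comment with the actual error text so the workaround can be retired once the toolchain is fixed. The file constraint covers only the `file` class, which the comment acknowledges, but `dir`, `lnk_file`, `fifo_file` and `sock_file` remain unconstrained, so categories do not yet protect directory listings or named pipes; a TODO naming those classes would make the gap explicit for anyone relying on MCS here.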
diff --git a/strict/types/file.te b/strict/types/file.te index d6bc8a9..5b319e5 100644 --- a/strict/types/file.te +++ b/strict/types/file.te @@ -276,7 +276,8 @@ allow { file_type device_type ttyfile } fs_t:filesystem associate; # Allow the pty to be associated with the file system. allow devpts_t self:filesystem associate; -type tmpfs_t, file_type, sysadmfile, fs_type; +type tmpfs_t, file_type, mount_point, sysadmfile, fs_type; +allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate; allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; ifdef(`distro_redhat', ` allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate; @@ -332,6 +333,7 @@ allow file_type noexattrfile:filesystem associate; # Type for anonymous FTP data, used by ftp and rsync type ftpd_anon_t, file_type, sysadmfile, customizable; +type ftpd_anon_rw_t, file_type, sysadmfile, customizable; allow customizable self:filesystem associate; diff --git a/strict/types/security.te b/strict/types/security.te index 7bfd0bc..76d97dd 100644 --- a/strict/types/security.te +++ b/strict/types/security.te 
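Review bot: The new `allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;` lets home-directory and log types live on tmpfs, presumably for the polyinstantiated instances elsewhere in this commit, but it carries no comment, and the next context line `allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;` now overlaps it on `tmpfs_t`. Folding `tmp_t` into the new rule and writing `# polyinstantiated home and tmp instances (and logs) may be backed by tmpfs` above it would make the change self-explaining. The `mount_point` attribute added to `tmpfs_t` is likewise unexplained; one line on what is expected to mount over it is enough.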
@@ -12,32 +12,32 @@ # the permissions in the security class. It is also # applied to selinuxfs inodes. # -type security_t, fs_type; +type security_t, mount_point, fs_type, mlstrustedobject; # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # -type policy_config_t, file_type; +type policy_config_t, file_type, secadmfile; # # policy_src_t is the type of the policy source # files. # -type policy_src_t, file_type, sysadmfile; +type policy_src_t, file_type, secadmfile; # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # -type default_context_t, file_type, sysadmfile, login_contexts; +type default_context_t, file_type, login_contexts, secadmfile; # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # -type file_context_t, file_type, sysadmfile; +type file_context_t, file_type, secadmfile; # # no_access_t is the type for objects that should @@ -49,6 +49,6 @@ type no_access_t, file_type, sysadmfile; # selinux_config_t is the type applied to # /etc/selinux/config # -type selinux_config_t, file_type, sysadmfile; +type selinux_config_t, file_type, secadmfile; diff --git a/strict/users b/strict/users index 19e6842..c0269c4 100644 --- a/strict/users +++ b/strict/users @@ -41,10 +41,17 @@ user user_u roles { user_r }; # The sysadm_r user also needs to be permitted system_r if we are to allow # direct execution of daemons -user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') }; +user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') }; # sample for administrative user #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; # sample for regular user #user jdoe roles { user_r }; + +# +# The following users correspond to special Unix identities +# +ifdef(`nx_server.te', ` +user nx roles nx_server_r; +') diff --git a/tools/regression.sh b/tools/regression.sh index 85864f8..0979a05 100755 
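Review bot: Moving `policy_config_t`, `policy_src_t`, `default_context_t`, `file_context_t` and `selinux_config_t` from `sysadmfile` to `secadmfile` is the substantive role split of this commit, yet the file gets no header comment describing it, and `security_t` gains `mlstrustedobject` without a word on why selinuxfs must be reachable from every MLS level. A short block above the first type, e.g. `# Policy and context files belong to the security administrator (secadmfile), not sysadm; selinuxfs is mlstrustedobject because processes at every level consult it`, would make both decisions reviewable. Note that `no_access_t` in the context lines keeps `sysadmfile`, which may be intended but stands out once everything around it changes.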
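Review bot: Granting `secadm_r` to the same SELinux user as `sysadm_r` (`user root roles { sysadm_r staff_r secadm_r ... }`) leaves the security-administrator separation introduced in security.te only a role change away for anyone who already reaches sysadm_r; the two-person control that secadm_r is meant to provide requires a distinct SELinux user mapped to a distinct Unix account. If the intent is merely to keep existing root workflows working during the transition, record that, e.g. `# root keeps secadm_r for now; move it to a dedicated security admin user once secadmfile access settles`, and add a commented sample user holding `secadm_r` alone next to the jadmin example. The `nx` block should also note that `nx_server_r` must be declared by nx_server.te, since the ifdef only guards the user line.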
--- a/tools/regression.sh +++ b/tools/regression.sh @@ -1,8 +1,8 @@ #!/bin/bash DISTROS="redhat gentoo debian suse" -STRICT_TYPES="strict strict-mls" -TARG_TYPES="targeted targeted-mls" +STRICT_TYPES="strict strict-mls strict-mcs" +TARG_TYPES="targeted targeted-mls targeted-mcs" POLVER="`checkpolicy -V |cut -f 1 -d ' '`" SETFILES="/usr/sbin/setfiles"