diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index f6ab7d2..1000a52 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -51,13 +51,20 @@ files_ignore_read_rootfs_file(consoletype_t) libraries_use_dynamic_loader(consoletype_t) libraries_use_shared_libraries(consoletype_t) +tunable_policy(`distro_redhat', ` +filesystem_use_tmpfs_character_devices(consoletype_t) +') + optional_policy(`authlogin.te', ` authlogin_pam_read_runtime_data(consoletype_t) ') +optional_policy(`userdomain.te',` +userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t) +') + ifdef(`TODO',` -allow consoletype_t unpriv_userdomain:fd use; allow consoletype_t sysadm_t:fd use; allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; allow consoletype_t sysadm_t:fifo_file rw_file_perms; @@ -97,10 +104,6 @@ optional_policy(`lpd.te', ` allow consoletype_t printconf_t:file { getattr read }; ') -tunable_policy(`distro_redhat', ` -allow consoletype_t tmpfs_t:chr_file rw_file_perms; -') - optional_policy(`firstboot.te', ` allow consoletype_t firstboot_t:fifo_file write; ') diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index d2dfb22..a202049 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -882,8 +882,15 @@ class filesystem getattr; ') ######################################## -# -# filesystem_tmpfs_associate(type) +## +## +## Allow the type to associate to tmpfs filesystems. +## +## +## The type of the object to be associated. +## +## +## # define(`filesystem_tmpfs_associate',` requires_block_template(`$0'_depend) @@ -915,6 +922,100 @@ class dir { getattr search read write add_name }; ') ######################################## +## +## +## Read and write character nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_use_tmpfs_character_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read }; +allow $1 tmpfs_t:chr_file { getattr read write ioctl }; +') + +define(`filesystem_use_tmpfs_character_devices_depend',` +type tmpfs_t; +class dir { getattr search read }; +class chr_file { getattr read write ioctl }; +') + +######################################## +## +## +## Read and write block nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_use_tmpfs_block_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read }; +allow $1 tmpfs_t:blk_file { getattr read write ioctl }; +') + +define(`filesystem_use_tmpfs_block_devices_depend',` +type tmpfs_t; +class dir { getattr search read }; +class blk_file { getattr read write ioctl }; +') + +######################################## +## +## +## Read and write, create and delete character +## nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_manage_tmpfs_character_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read write add_name remove_name }; +allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr }; +') + +define(`filesystem_mange_tmpfs_character_devices_depend',` +type tmpfs_t; +class dir { getattr search read write add_name remove_name }; +class chr_file { getattr read write ioctl create unlink setattr }; +') + +######################################## +## +## +## Read and write, create and delete block nodes +## on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_manage_tmpfs_block_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read write add_name remove_name }; +allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr }; +') + +define(`filesystem_manage_tmpfs_block_devices_depend',` +type tmpfs_t; +class dir { getattr search read write add_name remove_name }; +class blk_file { getattr read write ioctl create unlink setattr }; +') + +######################################## # # filesystem_mount_all_filesystems(type) # diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 2d799f1..cc23bf3 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1058,8 +1058,16 @@ class lnk_file { getattr read }; ') ######################################## -# -# kernel_read_usb_hardware_state(domain) +## +## +## Read USB hardware information using +## the usbfs filesystem interface. +## +## +## The type of the process performing this action. +## +## +## # define(`kernel_read_usb_hardware_state',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index c48f3bc..ea24f98 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -104,24 +104,37 @@ class chr_file { read write }; ') ######################################## -# -# terminal_use_console(domain) +## +## +## Read from and write to the console. +## +## +## The type of the process performing this action. +## +## +## # define(`terminal_use_console',` requires_block_template(`$0'_depend) -devices_list_device_nodes($1,optional) +devices_list_device_nodes($1) allow $1 console_device_t:chr_file { read write }; ') define(`terminal_use_console_depend',` type console_device_t; class chr_file { read write }; -devices_list_device_nodes_depend ') ######################################## -# -# terminal_ignore_use_console(domain) +## +## +## Do not audit read from or write to the console. +## +## +## The type of the process performing this action. +## +## +## # define(`terminal_ignore_use_console',` requires_block_template(`$0'_depend) @@ -155,7 +168,7 @@ devices_list_device_nodes_depend # define(`terminal_list_pseudoterminals',` requires_block_template(`$0'_depend) -devices_list_device_nodes($1,optional) +devices_list_device_nodes($1) allow $1 devpts_t:dir { getattr search read }; ') @@ -334,6 +347,29 @@ devices_list_device_nodes_depend ') ######################################## +## +## +## Write to general ttys. Has a backchannel of +## getting all tty attributes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`terminal_write_general_physical_terminal',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +allow $1 tty_device_t:chr_file { getattr write }; +') + +define(`terminal_write_general_physical_terminal_depend',` +type tty_device_t; +class chr_file { read write }; +') + +######################################## # # terminal_use_general_physical_terminal(domain) # @@ -392,6 +428,29 @@ class chr_file getattr; ') ######################################## +## +## +## Write to all private ttys. Has a backchannel of +## getting all private tty attributes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`terminal_write_all_private_physical_terminals',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +allow $1 ttynode:chr_file { getattr write }; +') + +define(`terminal_write_all_private_physical_terminals_depend',` +attribute ttynode; +class chr_file { getattr write }; +') + +######################################## # # terminal_use_all_private_physical_terminals(domain) # diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index dadf9ec..8cf7256 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -2,7 +2,7 @@ ######################################## # -# cron_per_userdomain_template(domain) +# cron_per_userdomain_template(domainprefix) # define(`cron_per_userdomain_template',` @@ -213,3 +213,24 @@ ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') dontaudit $1_crontab_t var_run_t:dir search; ') dnl endif TODO ') + +######################################## +# +# cron_admin_template(domainprefix) +# + +define(`cron_admin_template',` + +logging_read_system_logs($1_crond_t) + +# Allow our crontab domain to unlink a user cron spool file. +#allow $1_crontab_t user_cron_spool_t:file unlink; + +# Manipulate other users crontab. +kernel_get_selinuxfs_mount_point($1_crontab_t) +kernel_validate_selinux_context($1_crontab_t) +kernel_compute_selinux_access_vector($1_crontab_t) +kernel_compute_selinux_create_context($1_crontab_t) +kernel_compute_selinux_relabel_context($1_crontab_t) +kernel_compute_selinux_reachable_user_contexts($1_crontab_t) +') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index ff41a42..1286ce6 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -204,6 +204,27 @@ type sendmail_exec_t; class file { getattr read execute execute_no_trans }; ') +######################################## +## +## +## Read mail address aliases. +## +## +## The type of the process performing this action. +## +## +## +# +define(`mta_read_mail_aliases',` +requires_block_template(`$0'_depend) +allow $1 etc_aliases_t:file { getattr read }; +') + +define(`mta_read_mail_aliases_depend',` +type etc_aliases_t; +class file { getattr read }; +') + ####################################### # # mta_modify_mail_aliases(domain) diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 57eb823..1b3a20c 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC -####################################### -# -# clock_transition(domain) +######################################## +## +## +## Execute hwclock in the clock domain. +## +## +## The type of the process performing this action. +## +## +## # define(`clock_transition',` requires_block_template(`$0'_depend) @@ -18,6 +25,36 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute hwclock in the clock domain, and +## allow the specified role the hwclock domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the clock domain. +## +## +## The type of the terminal allow the clock domain to use. +## +## +## +# +define(`clock_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +clock_transition($1) +role $2 types hwclock_t; +allow hwclock_t $3:chr_file { getattr read write ioctl }; +') + +define(`clock_transition_add_role_use_terminal_depend',` +type hwclock_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # clock_execute(domain) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 041fcf1..dc47297 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -68,6 +68,10 @@ optional_policy(`udev.te', ` udev_read_database(hwclock_t) ') +optional_policy(`userdomain.te',` +userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t) +') + ifdef(`TODO',` allow hwclock_t proc_t:dir r_dir_perms; @@ -79,10 +83,8 @@ allow hwclock_t rhgb_t:fd use; allow hwclock_t rhgb_t:fifo_file { read write }; ') -dontaudit hwclock_t unpriv_userdomain:fd use; allow hwclock_t autofs_t:dir { search getattr }; -domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') optional_policy(`apmd.te', ` diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 082d8d4..f41a158 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -148,8 +148,15 @@ class capability kill; ') ######################################## -# -# domain_read_all_domains_process_state(domain) +## +## +## Read the process state (/proc/pid) of all domains. +## +## +## The type of the process performing this action. +## +## +## # define(`domain_read_all_domains_process_state',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 0bbddef..b1fcda2 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -263,7 +263,7 @@ type root_t; class chr_file { read write }; ') -# +######################################## ## ## ## Create an object in the root directory, with a private @@ -282,7 +282,6 @@ class chr_file { read write }; ## ## # - define(`files_create_private_root_dir_entry',` requires_block_template(`$0'_depend) allow $1 root_t:dir { getattr search read write add_name remove_name }; @@ -498,8 +497,15 @@ class dir { getattr search read write add_name remove_name }; ') ######################################## -# -# files_list_home_directories(type) +## +## +## Get listing home home directories. +## +## +## The type of the process performing this action. +## +## +## # define(`files_list_home_directories',` requires_block_template(`$0'_depend) @@ -570,6 +576,32 @@ class lnk_file { getattr read }; ') ######################################## +## +## +## Execute programs in /usr/src in the caller domain. +## +## +## The type of the process performing this action. +## +## +## +# +define(`files_execute_system_source_code_scripts',` +requires_block_template(`$0'_depend) +allow $1 usr_t:dir search; +allow $1 src_t:dir { getattr search read }; +allow $1 src_t:lnk_file { getattr read }; +allow $1 src_t:file { getattr read execute execute_no_trans }; +') + +define(`files_read_system_source_code_depend',` +type usr_t, src_t; +class dir { getattr search read }; +class file { getattr read execute execute_no_trans }; +class lnk_file { getattr read }; +') + +######################################## # # files_read_system_source_code(domain) # diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index bee806e..37dc3eb 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -75,8 +75,15 @@ class dir search; ') ######################################## -# -# hotplug_read_config(domain) +## +## +## Read the configuration files for hotplug. +## +## +## The type of the process performing this action. +## +## +## # define(`hotplug_read_config',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 57fb357..8adac10 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -60,13 +60,9 @@ storage_set_removable_device_attributes(hotplug_t) terminal_ignore_use_console(hotplug_t) -init_use_file_descriptors(hotplug_t) -init_script_use_pseudoterminal(hotplug_t) -# Allow hotplug (including /sbin/ifup-local) to start/stop services and -# run sendmail -q -init_script_transition(hotplug_t) -# kernel threads inherit from shared descriptor table used by init -init_ignore_use_control_channel(hotplug_t) +corecommands_execute_general_programs(hotplug_t) +corecommands_execute_shell(hotplug_t) +corecommands_execute_system_programs(hotplug_t) domain_use_widely_inheritable_file_descriptors(hotplug_t) @@ -74,11 +70,17 @@ files_read_general_system_config(hotplug_t) files_create_runtime_system_config(hotplug_t) files_execute_system_config_script(hotplug_t) -corecommands_execute_general_programs(hotplug_t) -corecommands_execute_shell(hotplug_t) -corecommands_execute_system_programs(hotplug_t) +init_use_file_descriptors(hotplug_t) +init_script_use_pseudoterminal(hotplug_t) +init_script_read_process_state(hotplug_t) +# Allow hotplug (including /sbin/ifup-local) to start/stop services and +# run sendmail -q +init_script_transition(hotplug_t) +# kernel threads inherit from shared descriptor table used by init +init_ignore_use_control_channel(hotplug_t) logging_send_system_log_message(hotplug_t) +logging_search_system_log_directory(hotplug_t) libraries_use_dynamic_loader(hotplug_t) libraries_use_shared_libraries(hotplug_t) @@ -92,6 +94,8 @@ miscfiles_read_localization(hotplug_t) mount_transition(hotplug_t) +userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t) + tunable_policy(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t) @@ -110,6 +114,10 @@ optional_policy(`iptables.te',` iptables_transition(hotplug_t) ') +optional_policy(`mta.te', ` +mta_send_mail(hotplug_t) +') + optional_policy(`selinux.te',` selinux_newrole_sigchld(hotplug_t) ') @@ -128,7 +136,6 @@ updfstab_transition(hotplug_t) ') ifdef(`TODO',` -dontaudit hotplug_t unpriv_userdomain:fd use; allow hotplug_t autofs_t:dir { search getattr }; dontaudit hotplug_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` @@ -147,11 +154,6 @@ can_network_server(hotplug_t) can_ypbind(hotplug_t) dbusd_client(system, hotplug) -allow initrc_t usbdevfs_t:file { getattr read ioctl }; -allow initrc_t modules_dep_t:file { getattr read ioctl }; -# init scripts run /etc/hotplug/usb.rc -allow initrc_t hotplug_etc_t:dir r_dir_perms; - allow hotplug_t kernel_t:process sigchld; # for when filesystems are not mounted early in the boot @@ -159,8 +161,6 @@ dontaudit hotplug_t file_t:dir { search getattr }; allow hotplug_t udev_runtime_t:file rw_file_perms; -allow hotplug_t var_log_t:dir search; - # for ps dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; @@ -178,6 +178,10 @@ allow hotplug_t var_lock_t:file getattr; optional_policy(`hald.te', ` allow hotplug_t hald_t:unix_dgram_socket sendto; +') + +# this goes to hald: +optional_policy(`hotplug.te',` allow hald_t hotplug_etc_t:dir search; allow hald_t hotplug_etc_t:file { getattr read }; ') @@ -186,15 +190,7 @@ optional_policy(`fsadm.te', ` domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) ') -optional_policy(`initrc.te', ` -can_ps(hotplug_t, initrc_t) -') - optional_policy(`lpd.te', ` allow hotplug_t printer_device_t:chr_file setattr; ') - -optional_policy(`mta.te', ` -domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) -') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 37d3fac..8d9d1d2 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -222,6 +222,37 @@ class file { getattr read execute execute_no_trans }; ') ######################################## +## +## +## Read the process state (/proc/pid) of the init scripts. +## +## +## The type of the process performing this action. +## +## +## +# +define(`init_script_read_process_state',` +requires_block_template(`$0'_depend) +allow $1 initrc_t:dir { search getattr read }; +allow $1 initrc_t:{ file lnk_file } { read getattr }; +allow $1 initrc_t:process getattr; +# We need to suppress this denial because procps tries to access +# /proc/pid/environ and this now triggers a ptrace check in recent kernels +# (2.4 and 2.6). Might want to change procps to not do this, or only if +# running in a privileged domain. +dontaudit $1 initrc_t:process ptrace; +') + +define(`init_script_read_process_state_depend',` +type initrc_t; +class dir { search getattr read }; +class file { read getattr }; +class lnk_file { read getattr }; +class process { getattr ptrace }; +') + +######################################## # # init_script_direct_admin_transition(role,domain) # @@ -257,6 +288,20 @@ class fd use; ######################################## # +# init_script_ignore_use_file_descriptors(domain) +# +define(`init_script_ignore_use_file_descriptors',` +requires_block_template(`$0'_depend) +dontaudit $1 initrc_t:fd use; +') + +define(`init_script_ignore_use_file_descriptors_depend',` +type initrc_t; +class fd use; +') + +######################################## +# # init_script_get_process_group(domain) # define(`init_script_get_process_group',` @@ -275,6 +320,7 @@ class process getpgid; # define(`init_script_use_pseudoterminal',` requires_block_template(`$0'_depend) +terminal_list_pseudoterminals($1) allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; ') @@ -298,6 +344,28 @@ class chr_file { read write ioctl }; ') ######################################## +## +## +## Read and write init script temporary data. +## +## +## The type of the process performing this action. +## +## +## +# +define(`init_script_modify_temporary_data',` +requires_block_template(`$0'_depend) +# FIXME: read tmp_t +allow $1 initrc_tmp_t:file { getattr read write }; +') + +define(`init_script_modify_temporary_data_depend',` +type initrc_var_run_t; +class file { getattr read write }; +') + +######################################## # # init_script_read_runtime_data(domain) # diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index eedd038..bfc3a60 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -187,12 +187,7 @@ kernel_list_usb_hardware(initrc_t) # for lsof which is used by alsa shutdown: kernel_ignore_get_message_interface_attributes(initrc_t) -filesystem_register_binary_executable_type(initrc_t) -# cjp: not sure why these are here; should use mount policy -filesystem_mount_all_filesystems(initrc_t) -filesystem_unmount_all_filesystems(initrc_t) -filesystem_remount_all_filesystems(initrc_t) -filesystem_get_all_filesystems_attributes(initrc_t) +bootloader_read_kernel_symbol_table(initrc_t) corenetwork_network_tcp_on_all_interfaces(initrc_t) corenetwork_network_raw_on_all_interfaces(initrc_t) @@ -215,6 +210,13 @@ devices_read_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t) devices_set_all_character_device_attributes(initrc_t) +filesystem_register_binary_executable_type(initrc_t) +# cjp: not sure why these are here; should use mount policy +filesystem_mount_all_filesystems(initrc_t) +filesystem_unmount_all_filesystems(initrc_t) +filesystem_remount_all_filesystems(initrc_t) +filesystem_get_all_filesystems_attributes(initrc_t) + storage_get_fixed_disk_attributes(initrc_t) storage_set_fixed_disk_attributes(initrc_t) storage_set_removable_device_attributes(initrc_t) @@ -222,17 +224,14 @@ storage_set_removable_device_attributes(initrc_t) terminal_use_all_terminals(initrc_t) terminal_reset_physical_terminal_labels(initrc_t) -bootloader_read_kernel_symbol_table(initrc_t) +corecommands_execute_general_programs(initrc_t) +corecommands_execute_system_programs(initrc_t) +corecommands_execute_shell(initrc_t) domain_kill_all_domains(initrc_t) domain_read_all_domains_process_state(initrc_t) domain_use_widely_inheritable_file_descriptors(initrc_t) -libraries_modify_dynamic_loader_cache(initrc_t) -libraries_use_dynamic_loader(initrc_t) -libraries_use_shared_libraries(initrc_t) -libraries_execute_library_scripts(initrc_t) - files_get_all_file_attributes(initrc_t) files_remove_all_tmp_data(initrc_t) files_remove_all_lock_files(initrc_t) @@ -244,9 +243,10 @@ files_execute_system_config_script(initrc_t) files_read_general_application_resources(initrc_t) files_manage_pseudorandom_saved_seed(initrc_t) -corecommands_execute_general_programs(initrc_t) -corecommands_execute_system_programs(initrc_t) -corecommands_execute_shell(initrc_t) +libraries_modify_dynamic_loader_cache(initrc_t) +libraries_use_dynamic_loader(initrc_t) +libraries_use_shared_libraries(initrc_t) +libraries_execute_library_scripts(initrc_t) logging_send_system_log_message(initrc_t) @@ -267,14 +267,29 @@ logging_append_all_logs(initrc_t) udev_modify_database(initrc_t) +userdomain_read_all_users_data(initrc_t) +# Allow access to the sysadm TTYs. Note that this will give access to the +# TTYs to any process in the initrc_t domain. Therefore, daemons and such +# started from init should be placed in their own domain. +userdomain_use_admin_terminals(initrc_t) + +tunable_policy(`distro_debian', ` +filesystem_tmpfs_associate(initrc_var_run_t) +') + tunable_policy(`distro_redhat',` kernel_set_selinux_enforcement_mode(initrc_t) -files_create_boot_flag(initrc_t) - # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. bootloader_create_runtime_data(initrc_t) + +filesystem_use_tmpfs_character_devices(initrc_t) + +files_create_boot_flag(initrc_t) + +# readahead asks for these +mta_read_mail_aliases(initrc_t) ') dnl end distro_redhat optional_policy(`authlogin.te',` @@ -282,7 +297,15 @@ authlogin_pam_read_runtime_data(initrc_t) authlogin_pam_remove_runtime_data(initrc_t) ') +optional_policy(`hotplug.te',` +kernel_read_usb_hardware_state(initrc_t) +# init scripts run /etc/hotplug/usb.rc +hotplug_read_config(initrc_t) +modutils_read_kernel_module_dependencies(initrc_t) +') + ifdef(`TODO',` + # Mount and unmount file systems. allow initrc_t { file_t default_t }:dir { read search getattr mounton }; @@ -291,15 +314,6 @@ allow initrc_t var_spool_t:file rw_file_perms; # Set device ownerships/modes. allow initrc_t xconsole_device_t:fifo_file setattr; -# Allow access to the sysadm TTYs. Note that this will give access to the -# TTYs to any process in the initrc_t domain. Therefore, daemons and such -# started from init should be placed in their own domain. -allow initrc_t admin_tty_type:chr_file rw_file_perms; - -# Read user home directories. -allow initrc_t { home_root_t home_type }:dir r_dir_perms; -allow initrc_t home_type:file r_file_perms; - # for lsof in shutdown scripts can_kerberos(initrc_t) dontaudit initrc_t krb5_conf_t:file write; @@ -326,7 +340,6 @@ allow initrc_t { etc_t device_t }:dir setattr; allow initrc_t tmpfs_t:dir setattr; file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) -allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; ')dnl end distro_debian tunable_policy(`distro_redhat', ` @@ -334,22 +347,13 @@ tunable_policy(`distro_redhat', ` # Redhat systems typically create this file at boot time. allow initrc_t boot_t:lnk_file rw_file_perms; -allow initrc_t tmpfs_t:chr_file rw_file_perms; -allow initrc_t tmpfs_t:dir r_dir_perms; - -# # readahead asks for these -# -allow initrc_t etc_aliases_t:file { getattr read }; allow initrc_t var_lib_nfs_t:file { getattr read }; - ')dnl end distro_redhat # # Shutting down xinet causes these # -# Fam -dontaudit initrc_t device_t:dir { read write }; # Rsync dontaudit initrc_t mail_spool_t:lnk_file read; diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index 5a3d6a8..6eb7669 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC -####################################### -# -# iptables_transition(domain) +######################################## +## +## +## Execute iptables in the iptables domain. +## +## +## The type of the process performing this action. +## +## +## # define(`iptables_transition',` requires_block_template(`$0'_depend) @@ -18,9 +25,46 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') -####################################### +######################################## +## +## +## Execute iptables in the iptables domain, and +## allow the specified role the iptables domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the iptables domain. +## +## +## The type of the terminal allow the iptables domain to use. +## +## +## # -# iptables_execute(domain) +define(`iptables_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +iptables_transition($1) +role $2 types iptables_t; +allow iptables_t $3:chr_file { getattr read write ioctl }; +') + +define(`iptables_transition_add_role_use_terminal_depend',` +type iptables_t; +class chr_file { getattr read write ioctl }; +') + +######################################## +## +## +## Execute iptables in the caller domain. +## +## +## The type of the process performing this action. +## +## +## # define(`iptables_execute',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index d48f9f3..883d7a6 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -49,13 +49,15 @@ filesystem_get_persistent_filesystem_attributes(iptables_t) terminal_ignore_use_console(iptables_t) -init_use_file_descriptors(iptables_t) -init_script_use_pseudoterminal(iptables_t) - domain_use_widely_inheritable_file_descriptors(iptables_t) files_read_general_system_config(iptables_t) +init_use_file_descriptors(iptables_t) +init_script_use_pseudoterminal(iptables_t) +# to allow rules to be saved on reboot: +init_script_modify_temporary_data(iptables_t) + libraries_use_dynamic_loader(iptables_t) libraries_use_shared_libraries(iptables_t) @@ -67,6 +69,19 @@ miscfiles_read_localization(iptables_t) sysnetwork_ifconfig_transition(iptables_t) +userdomain_use_all_users_file_descriptors(iptables_t) + +tunable_policy(`use_dns',` +allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; +corenetwork_network_udp_on_all_interfaces(iptables_t) +corenetwork_network_raw_on_all_interfaces(iptables_t) +corenetwork_network_udp_on_all_nodes(iptables_t) +corenetwork_network_raw_on_all_nodes(iptables_t) +corenetwork_bind_udp_on_all_nodes(iptables_t) +corenetwork_network_udp_on_dns_port(iptables_t) +sysnetwork_read_network_config(iptables_t) +') + optional_policy(`modutils.te', ` modutils_insmod_transition(iptables_t) ') @@ -92,26 +107,12 @@ allow iptables_t rhgb_t:process sigchld; allow iptables_t rhgb_t:fd use; allow iptables_t rhgb_t:fifo_file { read write }; ') -dontaudit iptables_t unpriv_userdomain:fd use; -allow iptables_t autofs_t:dir { search getattr }; -tunable_policy(`direct_sysadm_daemon', ` -dontaudit iptables_t admin_tty_type:chr_file rw_file_perms; -') -domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t) -role sysadm_r types iptables_t; - -# to allow rules to be saved on reboot -allow iptables_t initrc_tmp_t:file rw_file_perms; +allow iptables_t autofs_t:dir { search getattr }; # for iptables -L -can_resolve(iptables_t) can_ypbind(iptables_t) -allow iptables_t userdomain:fd use; - -# Access terminals. -allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; optional_policy(`gnome-pty-helper.te',` allow iptables_t sysadm_gph_t:fd use; ') diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 38d8207..fdaad08 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -11,9 +11,9 @@ type local_login_t; #, nscd_client_domain; kernel_make_object_identity_change_constraint_exception(local_login_t) kernel_make_process_identity_change_constraint_exception(local_login_t) kernel_make_role_change_constraint_exception(local_login_t) +authlogin_make_login_program_entrypoint(local_login_t) domain_make_domain(local_login_t) domain_make_file_descriptors_widely_inheritable(local_login_t) -authlogin_make_login_program_entrypoint(local_login_t) role system_r types local_login_t; type local_login_tmp_t; @@ -24,10 +24,9 @@ type sulogin_exec_t; kernel_make_object_identity_change_constraint_exception(sulogin_t) kernel_make_process_identity_change_constraint_exception(sulogin_t) kernel_make_role_change_constraint_exception(sulogin_t) +domain_make_file_descriptors_widely_inheritable(sulogin_t) init_make_init_domain(sulogin_t,sulogin_exec_t) init_make_system_domain(sulogin_t,sulogin_exec_t) -domain_make_file_descriptors_widely_inheritable(sulogin_t) - role system_r types sulogin_t; ######################################## @@ -68,8 +67,12 @@ devices_get_pseudorandom_data(local_login_t) terminal_use_all_private_physical_terminals(local_login_t) terminal_use_general_physical_terminal(local_login_t) -init_script_modify_runtime_data(local_login_t) -init_ignore_use_file_descriptors(local_login_t) +authlogin_check_password_transition(local_login_t) +authlogin_ignore_read_shadow_passwords(local_login_t) +authlogin_modify_login_records(local_login_t) +authlogin_modify_last_login_log(local_login_t) +authlogin_pam_execute(local_login_t) +authlogin_pam_console_manage_runtime_data(local_login_t) domain_read_all_entrypoint_programs(local_login_t) @@ -78,22 +81,19 @@ files_read_runtime_system_config(local_login_t) files_list_home_directories(local_login_t) files_read_general_application_resources(local_login_t) +init_script_modify_runtime_data(local_login_t) +init_ignore_use_file_descriptors(local_login_t) + libraries_use_dynamic_loader(local_login_t) libraries_use_shared_libraries(local_login_t) logging_send_system_log_message(local_login_t) +miscfiles_read_localization(local_login_t) + selinux_read_config(local_login_t) selinux_read_default_contexts(local_login_t) -authlogin_check_password_transition(local_login_t) -authlogin_ignore_read_shadow_passwords(local_login_t) -authlogin_modify_login_records(local_login_t) -authlogin_modify_last_login_log(local_login_t) -authlogin_pam_execute(local_login_t) -authlogin_pam_console_manage_runtime_data(local_login_t) - -miscfiles_read_localization(local_login_t) ifdef(`TODO',` allow local_login_t unpriv_userdomain:fd use; diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index ef0a698..80f0987 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -57,9 +57,18 @@ class unix_dgram_socket { create read getattr write setattr append bind connect class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto }; ') -####################################### -# -# logging_search_system_log_directory(domain) +######################################## +## +## +## Allows the domain to open a file in the +## log directory, but does not allow the listing +## of the contents of the log directory. +## +## +## The type of the process performing this action. +## +## +## # define(`logging_search_system_log_directory',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 28cc0e4..a8335de 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -36,6 +36,8 @@ files_make_file(var_log_t) # allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink }; +files_create_private_tmp_data(klogd_t,klogd_tmp_t) + allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink }; allow klogd_t self:capability sys_admin; @@ -46,26 +48,25 @@ kernel_read_messages(klogd_t) # Control syslog and console logging kernel_clear_ring_buffer(klogd_t) kernel_change_ring_buffer_level(klogd_t) -devices_raw_read_memory(klogd_t) - -filesystem_get_all_filesystems_attributes(klogd_t) bootloader_read_kernel_symbol_table(klogd_t) -libraries_use_dynamic_loader(klogd_t) -libraries_use_shared_libraries(klogd_t) +devices_raw_read_memory(klogd_t) -files_create_daemon_runtime_data(klogd_t,klogd_var_run_t) -files_create_private_tmp_data(klogd_t,klogd_tmp_t) +filesystem_get_all_filesystems_attributes(klogd_t) +files_create_daemon_runtime_data(klogd_t,klogd_var_run_t) +files_read_runtime_system_config(klogd_t) # read /etc/nsswitch.conf files_read_general_system_config(klogd_t) -files_read_runtime_system_config(klogd_t) -miscfiles_read_localization(klogd_t) +libraries_use_dynamic_loader(klogd_t) +libraries_use_shared_libraries(klogd_t) logging_send_system_log_message(klogd_t) +miscfiles_read_localization(klogd_t) + ######################################## # # syslogd local policy @@ -104,6 +105,13 @@ kernel_read_kernel_sysctl(syslogd_t) devices_create_dev_entry(syslogd_t,devlog_t,sock_file) terminal_ignore_use_console(syslogd_t) +# Allow syslog to a terminal +terminal_write_general_physical_terminal(syslogd_t) + +# for sending messages to logged in users +init_script_read_runtime_data(syslogd_t) +init_script_ignore_write_runtime_data(syslogd_t) +terminal_write_all_private_physical_terminals(syslogd_t) corenetwork_network_raw_on_all_interfaces(syslogd_t) corenetwork_network_udp_on_all_interfaces(syslogd_t) @@ -132,11 +140,13 @@ sysnetwork_read_network_config(syslogd_t) miscfiles_read_localization(syslogd_t) +userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t) + # # /initrd is not umounted before minilog starts # #dontaudit syslogd_t file_t:dir search; -#allow syslogd_t { tmpfs_t devpts_t }:dir search; +#allow syslogd_t tmpfs_t:dir search; #dontaudit syslogd_t unlabeled_t:file read; #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; allow syslogd_t self:capability net_admin; @@ -165,7 +175,6 @@ files_ignore_read_rootfs_file(syslogd_t) ifdef(`TODO',` allow syslogd_t proc_t:lnk_file read; -dontaudit syslogd_t unpriv_userdomain:fd use; allow syslogd_t autofs_t:dir { search getattr }; dontaudit syslogd_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` @@ -199,16 +208,8 @@ ifdef(`logrotate.te', ` allow logrotate_t syslogd_exec_t:file r_file_perms; ') -# for sending messages to logged in users -allow syslogd_t initrc_var_run_t:file { read lock }; -dontaudit syslogd_t initrc_var_run_t:file write; -allow syslogd_t ttyfile:chr_file { getattr write }; - # # Special case to handle crashes # allow syslogd_t { device_t file_t }:sock_file unlink; - -# Allow syslog to a terminal -allow syslogd_t tty_device_t:chr_file { getattr write ioctl append }; ') dnl end TODO diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index d52cabb..8ab67cc 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC -####################################### -# -# lvm_transition(domain) +######################################## +## +## +## Execute lvm programs in the lvm domain. +## +## +## The type of the process performing this action. +## +## +## # define(`lvm_transition',` requires_block_template(`$0'_depend) @@ -18,9 +25,45 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') -####################################### +######################################## +## +## +## Execute lvm programs in the lvm domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the LVM domain. +## +## +## The type of the terminal allow the LVM domain to use. +## +## +## # -# lvm_read_config(domain) +define(`lvm_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +lvm_transition($1) +role $2 types lvm_t; +allow lvm_t $3:chr_file { getattr read write ioctl }; +') + +define(`lvm_transition_add_role_use_terminal_depend',` +type lvm_t; +class chr_file { getattr read write ioctl }; +') + +######################################## +## +## +## Read LVM configuration files. +## +## +## The type of the process performing this action. +## +## +## # define(`lvm_read_config',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 9c8d0b4..af279df 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -15,18 +15,18 @@ init_make_system_domain(lvm_t,lvm_exec_t) kernel_make_object_identity_change_constraint_exception(lvm_t) role system_r types lvm_t; -type lvm_tmp_t; -files_make_temporary_file(lvm_tmp_t) - -type lvm_metadata_t; -files_make_file(lvm_metadata_t) - type lvm_etc_t; files_make_file(lvm_etc_t) type lvm_lock_t; files_make_lock_file(lvm_lock_t) +type lvm_metadata_t; +files_make_file(lvm_metadata_t) + +type lvm_tmp_t; +files_make_temporary_file(lvm_tmp_t) + ######################################## # # Local policy @@ -137,7 +137,6 @@ udev_read_database(lvm_t) ifdef(`TODO',` -role sysadm_r types lvm_t; allow lvm_t autofs_t:dir { search getattr }; # LVM creates block devices in /dev/mapper or /dev/ @@ -154,9 +153,6 @@ allow lvm_t default_context_t:dir search; allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; allow lvm_t device_t:lnk_file { relabelfrom relabelto }; -# Access terminals. -allow lvm_t admin_tty_type:chr_file { ioctl read getattr lock write append }; - # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... dontaudit lvm_t device_t:fifo_file getattr; diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index b4cc3ec..6a179ff 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC ######################################## -# -# modutils_read_kernel_module_dependencies(domain) +## +## +## Read the dependencies of kernel modules. +## +## +## The type of the process performing this action. +## +## +## # define(`modutils_read_kernel_module_dependencies',` requires_block_template(`$0'_depend) @@ -18,8 +25,16 @@ bootloader_list_kernel_modules_depend ') ######################################## -# -# modutils_read_kernel_module_loading_config(domain) +## +## +## Read the configuration options used when +## loading modules. +## +## +## The type of the process performing this action. +## +## +## # define(`modutils_read_kernel_module_loading_config',` requires_block_template(`$0'_depend) @@ -32,8 +47,15 @@ class file { getattr create read write setattr unlink }; ') ######################################## -# -# modutils_insmod_transition(domain) +## +## +## Execute insmod in the insmod domain. +## +## +## The type of the process performing this action. +## +## +## # define(`modutils_insmod_transition',` requires_block_template(`$0'_depend) @@ -50,6 +72,37 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute insmod in the insmod domain, and +## allow the specified role the insmod domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the insmod domain. +## +## +## The type of the terminal allow the insmod domain to use. +## +## +## +# +define(`modutils_insmod_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +modutils_insmod_transition($1) +role $2 types insmod_t; +allow insmod_t $3:chr_file { getattr read write ioctl }; +') + +define(`modutils_insmod_transition_add_role_use_terminal_depend',` +type insmod_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # modutils_insmod_execute(domain) # @@ -64,8 +117,15 @@ class file { getattr read execute execute_no_trans }; ') ######################################## -# -# modutils_depmod_transition(domain) +## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## +## +## # define(`modutils_depmod_transition',` requires_block_template(`$0'_depend) @@ -82,6 +142,35 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the depmod domain. +## +## +## The type of the terminal allow the depmod domain to use. +## +## +## +# +define(`modutils_depmod_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +modutils_depmod_transition($1) +role $2 types insmod_t; +allow insmod_t $3:chr_file { getattr read write ioctl }; +') + +define(`modutils_depmod_transition_add_role_use_terminal_depend',` +type depmod_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # modutils_depmod_execute(domain) # @@ -96,8 +185,15 @@ class file { getattr read execute execute_no_trans }; ') ######################################## -# -# modutils_update_modules_transition(domain) +## +## +## Execute depmod in the depmod domain. +## +## +## The type of the process performing this action. +## +## +## # define(`modutils_update_modules_transition',` requires_block_template(`$0'_depend) @@ -114,6 +210,35 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute update_modules in the update_modules domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the update_modules domain. +## +## +## The type of the terminal allow the update_modules domain to use. +## +## +## +# +define(`modutils_update_modules_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +modutils_update_modules_transition($1) +role $2 types update_modules_t; +allow update_modules_t $3:chr_file { getattr read write ioctl }; +') + +define(`modutils_update_modules_transition_add_role_use_terminal_depend',` +type update_modules_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # modutils_update_modules_execute(domain) # diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index f87c5e4..97a80d3 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -110,8 +110,6 @@ allow insmod_t sysfs_t:dir search; allow insmod_t usbfs_t:dir search; allow insmod_t usbfs_t:filesystem mount; -allow insmod_t admin_tty_type:chr_file { getattr read write }; - # for when /var is not mounted early in the boot dontaudit insmod_t file_t:dir search; @@ -159,10 +157,6 @@ ifdef(`TODO',` allow depmod_t { bin_t sbin_t }:dir search; -domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) - -# Access terminals. -allow depmod_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') # Read System.map from home directories. @@ -228,8 +222,5 @@ logging_send_system_log_message(update_modules_t) miscfiles_read_localization(update_modules_t) ifdef(`TODO',` -role sysadm_r types update_modules_t; -domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t) -allow update_modules_t admin_tty_type:chr_file rw_file_perms; dontaudit update_modules_t sysadm_home_dir_t:dir search; ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 96606bd..86c21ab 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC -####################################### -# -# mount_transition(domain) +######################################## +## +## +## Execute mount in the mount domain. +## +## +## The type of the process performing this action. +## +## +## # define(`mount_transition',` requires_block_template(`$0'_depend) @@ -18,6 +25,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute mount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the mount domain. +## +## +## The type of the terminal allow the mount domain to use. +## +## +## +# +define(`mount_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +mount_transition($1) +role $2 types mount_t; +allow mount_t $3:chr_file { getattr read write ioctl }; +') + +define(`mount_transition_add_role_use_terminal_depend',` +type mount_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # mount_use_file_descriptors(domain) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 35d13d2..b2e18b0 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -21,6 +21,9 @@ allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr kernel_read_system_state(mount_t) kernel_ignore_use_file_descriptors(mount_t) +corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t) +corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t) + devices_get_all_block_device_attributes(mount_t) devices_list_device_nodes(mount_t) @@ -37,11 +40,9 @@ files_unmount_root_filesystem(mount_t) terminal_use_console(mount_t) -corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t) -corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t) - -init_use_file_descriptors(mount_t) -init_script_use_pseudoterminal(mount_t) +# required for mount.smbfs +corecommands_execute_system_programs(mount_t) +corecommands_execute_general_programs(mount_t) domain_use_widely_inheritable_file_descriptors(mount_t) @@ -51,21 +52,55 @@ files_read_general_system_config(mount_t) files_create_runtime_system_config(mount_t) files_mount_on_all_mountpoints(mount_t) +init_use_file_descriptors(mount_t) +init_script_use_pseudoterminal(mount_t) + libraries_use_dynamic_loader(mount_t) libraries_use_shared_libraries(mount_t) -# required for mount.smbfs -corecommands_execute_system_programs(mount_t) -corecommands_execute_general_programs(mount_t) - logging_send_system_log_message(mount_t) miscfiles_read_localization(mount_t) +userdomain_use_all_users_file_descriptors(mount_t) + +tunable_policy(`distro_redhat',` +filesystem_use_tmpfs_character_devices(mount_t) +allow mount_t tmpfs_t:dir mounton; + +optional_policy(`authlogin.te',` +authlogin_pam_console_read_runtime_data(mount_t) +# mount config by default sets fscontext=removable_t +allow mount_t dosfs_t:filesystem relabelfrom; +') dnl end authlogin + +') dnl end distro_redhat + +optional_policy(`portmap.te', ` +# for nfs +#can_ypbind(mount_t) +#allow portmap_t mount_t:udp_socket { sendto recvfrom }; +#allow mount_t portmap_t:udp_socket { sendto recvfrom }; +#allow mount_t rpc_pipefs_t:dir search; +corenetwork_network_tcp_on_all_interfaces(mount_t) +corenetwork_network_raw_on_all_interfaces(mount_t) +corenetwork_network_udp_on_all_interfaces(mount_t) +corenetwork_network_tcp_on_all_nodes(mount_t) +corenetwork_network_raw_on_all_nodes(mount_t) +corenetwork_network_udp_on_all_nodes(mount_t) +corenetwork_network_tcp_on_all_ports(mount_t) +corenetwork_network_udp_on_all_ports(mount_t) +corenetwork_bind_tcp_on_all_nodes(mount_t) +corenetwork_bind_udp_on_all_nodes(mount_t) +corenetwork_bind_tcp_on_general_port(mount_t) +corenetwork_bind_udp_on_general_port(mount_t) +corenetwork_bind_tcp_on_reserved_port(mount_t) +corenetwork_bind_udp_on_reserved_port(mount_t) +') + ifdef(`TODO',` -# Mount, remount and unmount file systems. -# nfsv4 has a filesystem to mount for its userspace daemons -allow mount_t var_lib_nfs_t:dir mounton; +# this goes to the nfs/rpc module +files_make_mountpoint(var_lib_nfs_t) # TODO: Need to examine this further. Not sure how to handle this #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type; @@ -83,59 +118,18 @@ allow mount_t fs_t:filesystem relabelfrom; # This rule needs to be generalized. Only admin, initrc should have it. allow mount_t file_type:filesystem { unmount mount relabelto }; -allow mount_t userdomain:fd use; - -domain_auto_trans(sysadm_t, mount_exec_t, mount_t) -role sysadm_r types mount_t; -allow mount_t sysadm_tty_device_t:chr_file { getattr read write ioctl }; -allow mount_t sysadm_devpts_t:chr_file { getattr read write }; ifdef(`gnome-pty-helper.te', ` allow mount_t sysadm_gph_t:fd use; ') -tunable_policy(`distro_redhat',` -optional_policy(`authlogin.te',` -r_dir_file($2_t,pam_var_console_t) -# mount config by default sets fscontext=removable_t -allow $2_t dosfs_t:filesystem relabelfrom; -') dnl end authlogin -') dnl end distro_redhat - optional_policy(`rhgb.te', ` allow mount_t rhgb_t:process sigchld; allow mount_t rhgb_t:fd use; allow mount_t rhgb_t:fifo_file { read write }; ') -tunable_policy(`distro_redhat', ` -allow mount_t tmpfs_t:chr_file { read write }; -allow mount_t tmpfs_t:dir mounton; -') - optional_policy(`automount.te', ` allow mount_t autofs_t:dir read; ') -optional_policy(`portmap.te', ` -# for nfs -can_ypbind(mount_t) -can_udp_send(mount_t, portmap_t) -can_udp_send(portmap_t, mount_t) -allow mount_t rpc_pipefs_t:dir search; -corenetwork_network_tcp_on_all_interfaces(mount_t) -corenetwork_network_raw_on_all_interfaces(mount_t) -corenetwork_network_udp_on_all_interfaces(mount_t) -corenetwork_network_tcp_on_all_nodes(mount_t) -corenetwork_network_raw_on_all_nodes(mount_t) -corenetwork_network_udp_on_all_nodes(mount_t) -corenetwork_network_tcp_on_all_ports(mount_t) -corenetwork_network_udp_on_all_ports(mount_t) -corenetwork_bind_tcp_on_all_nodes(mount_t) -corenetwork_bind_udp_on_all_nodes(mount_t) -corenetwork_bind_tcp_on_general_port(mount_t) -corenetwork_bind_udp_on_general_port(mount_t) -corenetwork_bind_tcp_on_reserved_port(mount_t) -corenetwork_bind_udp_on_reserved_port(mount_t) -') - ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 1df3c3e..be9abdb 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC ####################################### -# -# selinux_checkpolicy_transition(domain) +## +## +## Execute checkpolicy in the checkpolicy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_checkpolicy_transition',` requires_block_template(`$0'_depend) @@ -18,6 +25,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute checkpolicy in the checkpolicy domain, and +## allow the specified role the checkpolicy domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the checkpolicy domain. +## +## +## The type of the terminal allow the checkpolicy domain to use. +## +## +## +# +define(`selinux_checkpolicy_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_checkpolicy_transition($1) +role $2 types checkpolicy_t; +allow checkpolicy_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` +type checkpolicy_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_checkpolicy_execute(domain) @@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans }; ') ####################################### -# -# selinux_load_policy_transition(domain) +## +## +## Execute load_policy in the load_policy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_load_policy_transition',` requires_block_template(`$0'_depend) @@ -50,6 +95,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute load_policy in the load_policy domain, and +## allow the specified role the load_policy domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the load_policy domain. +## +## +## The type of the terminal allow the load_policy domain to use. +## +## +## +# +define(`selinux_load_policy_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_load_policy_transition($1) +role $2 types load_policy_t; +allow load_policy_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_load_policy_transition_add_role_use_terminal_depend',` +type load_policy_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_load_policy_execute(domain) @@ -79,8 +155,15 @@ class file { getattr read }; ') ####################################### -# -# selinux_newrole_transition(domain) +## +## +## Execute newrole in the load_policy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_newrole_transition',` requires_block_template(`$0'_depend) @@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; ') define(`selinux_newrole_transition_depend',` -type newrole_exec_t; +type newrole_t, newrole_exec_t; class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute newrole in the newrole domain, and +## allow the specified role the newrole domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the newrole domain. +## +## +## The type of the terminal allow the newrole domain to use. +## +## +## +# +define(`selinux_newrole_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_newrole_transition($1) +role $2 types newrole_t; +allow newrole_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_newrole_transition_add_role_use_terminal_depend',` +type newrole_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_newrole_execute(domain) @@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t; class file { getattr read execute execute_no_trans }; ') +######################################## +## +## +## Do not audit the caller attempts to send +## a signal to newrole. +## +## +## The type of the process performing this action. +## +## +## +# +define(`selinux_newrole_ignore_signal',` +requires_block_template(`$0'_depend) +dontaudit $1 newrole_t:process signal; +') + +define(`selinux_newrole_ignore_signal_depend',` +type newrole_t; +class process signal; +') + ####################################### # # selinux_newrole_sigchld(domain) @@ -139,8 +275,15 @@ class fd use; ') ####################################### -# -# selinux_restorecon_transition(domain) +## +## +## Execute restorecon in the restorecon domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_restorecon_transition',` requires_block_template(`$0'_depend) @@ -156,6 +299,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute restorecon in the restorecon domain, and +## allow the specified role the restorecon domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the restorecon domain. +## +## +## The type of the terminal allow the restorecon domain to use. +## +## +## +# +define(`selinux_restorecon_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_restorecon_transition($1) +role $2 types restorecon_t; +allow restorecon_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_restorecon_transition_add_role_use_terminal_depend',` +type restorecon_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_restorecon_execute(domain) @@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans }; ') ######################################## -# -# selinux_run_init_transition(domain) +## +## +## Execute run_init in the run_init domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_run_init_transition',` requires_block_template(`$0'_depend) @@ -189,6 +370,37 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute run_init in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the run_init domain. +## +## +## The type of the terminal allow the run_init domain to use. +## +## +## +# +define(`selinux_run_init_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_run_init_transition($1) +role $2 types run_init_t; +allow run_init_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_run_init_transition_add_role_use_terminal_depend',` +type run_init_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # selinux_run_init_use_file_descriptors(domain) # @@ -202,9 +414,16 @@ type run_init_t; class fd use; ') -####################################### -# -# selinux_setfiles_transition(domain) +######################################## +## +## +## Execute setfiles in the setfiles domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_setfiles_transition',` requires_block_template(`$0'_depend) @@ -220,6 +439,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute setfiles in the setfiles domain, and +## allow the specified role the setfiles domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the setfiles domain. +## +## +## The type of the terminal allow the setfiles domain to use. +## +## +## +# +define(`selinux_setfiles_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_setfiles_transition($1) +role $2 types setfiles_t; +allow setfiles_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_setfiles_transition_add_role_use_terminal_depend',` +type setfiles_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_setfiles_execute(domain) diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 92739bf..7ecde92 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) +# directory search permissions for path to source and binary policy files +files_search_general_system_config_directory(checkpolicy_t) + init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) @@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t) userdomain_use_all_users_file_descriptors(checkpolicy_t) ifdef(`TODO',` -role sysadm_r types checkpolicy_t; -domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) -allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; -allow checkpolicy_t sysadm_tmp_t:file { getattr write }; - -# directory search permissions for path to source and binary policy files -allow checkpolicy_t etc_t:dir search; - # Read the devpts root directory. ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') - -# Allow users to execute checkpolicy without a domain transition -# so it can be used without privilege to write real binary policy file -can_exec(unpriv_userdomain, checkpolicy_exec_t) ') dnl endif TODO ######################################## @@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t) ifdef(`TODO',` -role sysadm_r types load_policy_t; -domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) -allow load_policy_t sysadm_tmp_t:file { getattr write }; -allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; # directory search permissions for path to binary policy files allow load_policy_t etc_t:dir search; @@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t) -# Write to utmp. -init_script_modify_runtime_data(newrole_t) +authlogin_check_password_transition(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t) +# Write to utmp. +init_script_modify_runtime_data(newrole_t) + files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) @@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t) miscfiles_read_localization(newrole_t) -authlogin_check_password_transition(newrole_t) +userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) ifdef(`TODO',` -in_user_role(newrole_t) -role sysadm_r types newrole_t; -allow newrole_t unpriv_userdomain:fd use; can_ypbind(newrole) ifdef(`automount.te', ` allow newrole_t autofs_t:dir { search getattr }; @@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd dontaudit newrole_t { home_root_t home_type }:dir search; - -# for when the network connection is killed -dontaudit unpriv_userdomain newrole_t:process signal; - ') dnl ifdef TODO ######################################## @@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) +tunable_policy(`distro_redhat', ` +filesystem_use_tmpfs_character_devices(restorecon_t) +filesystem_use_tmpfs_block_devices(restorecon_t) +') + ifdef(`TODO',` -allow restorecon_t admin_tty_type:chr_file { read write ioctl }; -domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) -role sysadm_r types restorecon_t; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; tunable_policy(`distro_redhat', ` -allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto }; +allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto }; ') allow restorecon_t fs_type:dir r_dir_perms; @@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t) +authlogin_check_password_transition(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) corecommands_execute_general_programs(run_init_t) @@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; domain_trans(initrc_t, shell_exec_t, unconfined_t) -', ` -domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t) -role sysadm_r types run_init_t; -domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t) -allow run_init_t admin_tty_type:chr_file rw_file_perms; ') dnl endif targeted policy tunable_policy(`distro_gentoo', ` @@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) userdomain_use_all_users_file_descriptors(setfiles_t) +# for config files in a home directory +userdomain_read_all_users_data(setfiles_t) # relabeling rules kernel_relabel_unlabeled_object(setfiles_t) @@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t) authlogin_relabel_to_shadow_passwords(setfiles_t) ifdef(`TODO',` - -domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) -role sysadm_r types setfiles_t; - # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; @@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read; allow setfiles_t fs_type:dir r_dir_perms; -# for config files in a home directory -allow setfiles_t home_type:file r_file_perms; ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 1df3c3e..be9abdb 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -1,8 +1,15 @@ # Copyright (C) 2005 Tresys Technology, LLC ####################################### -# -# selinux_checkpolicy_transition(domain) +## +## +## Execute checkpolicy in the checkpolicy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_checkpolicy_transition',` requires_block_template(`$0'_depend) @@ -18,6 +25,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute checkpolicy in the checkpolicy domain, and +## allow the specified role the checkpolicy domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the checkpolicy domain. +## +## +## The type of the terminal allow the checkpolicy domain to use. +## +## +## +# +define(`selinux_checkpolicy_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_checkpolicy_transition($1) +role $2 types checkpolicy_t; +allow checkpolicy_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` +type checkpolicy_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_checkpolicy_execute(domain) @@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans }; ') ####################################### -# -# selinux_load_policy_transition(domain) +## +## +## Execute load_policy in the load_policy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_load_policy_transition',` requires_block_template(`$0'_depend) @@ -50,6 +95,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute load_policy in the load_policy domain, and +## allow the specified role the load_policy domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the load_policy domain. +## +## +## The type of the terminal allow the load_policy domain to use. +## +## +## +# +define(`selinux_load_policy_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_load_policy_transition($1) +role $2 types load_policy_t; +allow load_policy_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_load_policy_transition_add_role_use_terminal_depend',` +type load_policy_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_load_policy_execute(domain) @@ -79,8 +155,15 @@ class file { getattr read }; ') ####################################### -# -# selinux_newrole_transition(domain) +## +## +## Execute newrole in the load_policy domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_newrole_transition',` requires_block_template(`$0'_depend) @@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; ') define(`selinux_newrole_transition_depend',` -type newrole_exec_t; +type newrole_t, newrole_exec_t; class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute newrole in the newrole domain, and +## allow the specified role the newrole domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the newrole domain. +## +## +## The type of the terminal allow the newrole domain to use. +## +## +## +# +define(`selinux_newrole_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_newrole_transition($1) +role $2 types newrole_t; +allow newrole_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_newrole_transition_add_role_use_terminal_depend',` +type newrole_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_newrole_execute(domain) @@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t; class file { getattr read execute execute_no_trans }; ') +######################################## +## +## +## Do not audit the caller attempts to send +## a signal to newrole. +## +## +## The type of the process performing this action. +## +## +## +# +define(`selinux_newrole_ignore_signal',` +requires_block_template(`$0'_depend) +dontaudit $1 newrole_t:process signal; +') + +define(`selinux_newrole_ignore_signal_depend',` +type newrole_t; +class process signal; +') + ####################################### # # selinux_newrole_sigchld(domain) @@ -139,8 +275,15 @@ class fd use; ') ####################################### -# -# selinux_restorecon_transition(domain) +## +## +## Execute restorecon in the restorecon domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_restorecon_transition',` requires_block_template(`$0'_depend) @@ -156,6 +299,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute restorecon in the restorecon domain, and +## allow the specified role the restorecon domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the restorecon domain. +## +## +## The type of the terminal allow the restorecon domain to use. +## +## +## +# +define(`selinux_restorecon_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_restorecon_transition($1) +role $2 types restorecon_t; +allow restorecon_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_restorecon_transition_add_role_use_terminal_depend',` +type restorecon_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_restorecon_execute(domain) @@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans }; ') ######################################## -# -# selinux_run_init_transition(domain) +## +## +## Execute run_init in the run_init domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_run_init_transition',` requires_block_template(`$0'_depend) @@ -189,6 +370,37 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute run_init in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the run_init domain. +## +## +## The type of the terminal allow the run_init domain to use. +## +## +## +# +define(`selinux_run_init_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_run_init_transition($1) +role $2 types run_init_t; +allow run_init_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_run_init_transition_add_role_use_terminal_depend',` +type run_init_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # selinux_run_init_use_file_descriptors(domain) # @@ -202,9 +414,16 @@ type run_init_t; class fd use; ') -####################################### -# -# selinux_setfiles_transition(domain) +######################################## +## +## +## Execute setfiles in the setfiles domain. +## +## +## The type of the process performing this action. +## +## +## # define(`selinux_setfiles_transition',` requires_block_template(`$0'_depend) @@ -220,6 +439,37 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute setfiles in the setfiles domain, and +## allow the specified role the setfiles domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the setfiles domain. +## +## +## The type of the terminal allow the setfiles domain to use. +## +## +## +# +define(`selinux_setfiles_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +selinux_setfiles_transition($1) +role $2 types setfiles_t; +allow setfiles_t $3:chr_file { getattr read write ioctl }; +') + +define(`selinux_setfiles_transition_add_role_use_terminal_depend',` +type setfiles_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # selinux_setfiles_execute(domain) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 92739bf..7ecde92 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) +# directory search permissions for path to source and binary policy files +files_search_general_system_config_directory(checkpolicy_t) + init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) @@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t) userdomain_use_all_users_file_descriptors(checkpolicy_t) ifdef(`TODO',` -role sysadm_r types checkpolicy_t; -domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) -allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; -allow checkpolicy_t sysadm_tmp_t:file { getattr write }; - -# directory search permissions for path to source and binary policy files -allow checkpolicy_t etc_t:dir search; - # Read the devpts root directory. ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') - -# Allow users to execute checkpolicy without a domain transition -# so it can be used without privilege to write real binary policy file -can_exec(unpriv_userdomain, checkpolicy_exec_t) ') dnl endif TODO ######################################## @@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t) ifdef(`TODO',` -role sysadm_r types load_policy_t; -domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) -allow load_policy_t sysadm_tmp_t:file { getattr write }; -allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; # directory search permissions for path to binary policy files allow load_policy_t etc_t:dir search; @@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t) -# Write to utmp. -init_script_modify_runtime_data(newrole_t) +authlogin_check_password_transition(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t) +# Write to utmp. +init_script_modify_runtime_data(newrole_t) + files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) @@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t) miscfiles_read_localization(newrole_t) -authlogin_check_password_transition(newrole_t) +userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) ifdef(`TODO',` -in_user_role(newrole_t) -role sysadm_r types newrole_t; -allow newrole_t unpriv_userdomain:fd use; can_ypbind(newrole) ifdef(`automount.te', ` allow newrole_t autofs_t:dir { search getattr }; @@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd dontaudit newrole_t { home_root_t home_type }:dir search; - -# for when the network connection is killed -dontaudit unpriv_userdomain newrole_t:process signal; - ') dnl ifdef TODO ######################################## @@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) +tunable_policy(`distro_redhat', ` +filesystem_use_tmpfs_character_devices(restorecon_t) +filesystem_use_tmpfs_block_devices(restorecon_t) +') + ifdef(`TODO',` -allow restorecon_t admin_tty_type:chr_file { read write ioctl }; -domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) -role sysadm_r types restorecon_t; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; tunable_policy(`distro_redhat', ` -allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto }; +allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto }; ') allow restorecon_t fs_type:dir r_dir_perms; @@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t) +authlogin_check_password_transition(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) corecommands_execute_general_programs(run_init_t) @@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; domain_trans(initrc_t, shell_exec_t, unconfined_t) -', ` -domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t) -role sysadm_r types run_init_t; -domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t) -allow run_init_t admin_tty_type:chr_file rw_file_perms; ') dnl endif targeted policy tunable_policy(`distro_gentoo', ` @@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) userdomain_use_all_users_file_descriptors(setfiles_t) +# for config files in a home directory +userdomain_read_all_users_data(setfiles_t) # relabeling rules kernel_relabel_unlabeled_object(setfiles_t) @@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t) authlogin_relabel_to_shadow_passwords(setfiles_t) ifdef(`TODO',` - -domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) -role sysadm_r types setfiles_t; - # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; @@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read; allow setfiles_t fs_type:dir r_dir_perms; -# for config files in a home directory -allow setfiles_t home_type:file r_file_perms; ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 9a93c8c..28ac0b8 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -18,9 +18,16 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') -######################################## -# -# sysnetwork_ifconfig_transition(domain) +####################################### +## +## +## Execute ifconfig in the ifconfig domain. +## +## +## The type of the process performing this action. +## +## +## # define(`sysnetwork_ifconfig_transition',` requires_block_template(`$0'_depend) @@ -37,6 +44,37 @@ class process { transition noatsecure siginh rlimitinh }; ') ######################################## +## +## +## Execute ifconfig in the ifconfig domain, and +## allow the specified role the ifconfig domain, +## and use the caller's terminal. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the ifconfig domain. +## +## +## The type of the terminal allow the ifconfig domain to use. +## +## +## +# +define(`sysnetwork_ifconfig_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +sysnetwork_ifconfig_transition($1) +role $2 types ifconfig_t; +allow ifconfig_t $3:chr_file { getattr read write ioctl }; +') + +define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` +type ifconfig_t; +class chr_file { getattr read write ioctl }; +') + +######################################## # # sysnetwork_read_network_config(domain) # diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 97fdab2..95753f8 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -94,28 +94,28 @@ terminal_ignore_use_all_private_physical_terminals(dhcpc_t) terminal_ignore_use_all_private_pseudoterminals(dhcpc_t) terminal_ignore_use_general_physical_terminal(dhcpc_t) -init_use_file_descriptors(dhcpc_t) -init_script_use_pseudoterminal(dhcpc_t) -init_script_modify_runtime_data(dhcpc_t) +corecommands_execute_general_programs(dhcpc_t) +corecommands_execute_system_programs(dhcpc_t) +corecommands_execute_shell(dhcpc_t) domain_use_widely_inheritable_file_descriptors(dhcpc_t) files_read_general_system_config(dhcpc_t) files_read_runtime_system_config(dhcpc_t) -corecommands_execute_general_programs(dhcpc_t) -corecommands_execute_system_programs(dhcpc_t) -corecommands_execute_shell(dhcpc_t) +init_use_file_descriptors(dhcpc_t) +init_script_use_pseudoterminal(dhcpc_t) +init_script_modify_runtime_data(dhcpc_t) logging_send_system_log_message(dhcpc_t) libraries_use_dynamic_loader(dhcpc_t) libraries_use_shared_libraries(dhcpc_t) -modutils_insmod_transition(dhcpc_t) - miscfiles_read_localization(dhcpc_t) +modutils_insmod_transition(dhcpc_t) + tunable_policy(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(dhcpc_t) terminal_ignore_use_general_pseudoterminal(dhcpc_t) @@ -142,6 +142,10 @@ optional_policy(`udev.te',` udev_read_database(dhcpc_t) ') +optional_policy(`userdomain.te',` +userdomain_use_all_users_file_descriptors(dhcpc_t) +') + # # dhclient sometimes starts ypbind and ntpd # @@ -203,8 +207,6 @@ allow dhcpc_t dhcp_etc_t:file { read getattr }; allow dhcpc_t dhcp_etc_t:lnk_file { getattr read }; allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans }; -allow dhcpc_t userdomain:fd use; - ifdef(`distro_redhat', ` files_execute_system_config_script(dhcpc_t) allow initrc_t dhcp_etc_t:file rw_file_perms; @@ -273,6 +275,8 @@ miscfiles_read_localization(ifconfig_t) selinux_run_init_use_file_descriptors(ifconfig_t) +userdomain_use_all_users_file_descriptors(ifconfig_t) + ifdef(`TODO',` can_ypbind(ifconfig_t) @@ -280,10 +284,6 @@ ifdef(`automount.te', ` allow ifconfig_t autofs_t:dir { search getattr }; ') -domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) -role sysadm_r types ifconfig_t; -allow ifconfig_t userdomain:fd use; - # Access terminals. ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 19e6574..59594ff 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -81,6 +81,7 @@ devices_manage_device_nodes(udev_t) filesystem_get_all_filesystems_attributes(udev_t) init_script_read_runtime_data(udev_t) +init_script_ignore_write_runtime_data(udev_t) files_read_runtime_system_config(udev_t) files_read_general_system_config(udev_t) @@ -102,6 +103,14 @@ logging_send_system_log_message(udev_t) sysnetwork_ifconfig_transition(udev_t) +tunable_policy(`distro_redhat',` +filesystem_manage_tmpfs_block_devices(udev_t) +filesystem_manage_tmpfs_character_devices(udev_t) + +# for arping used for static IP addresses on PCMCIA ethernet +netutils_transition(udev_t) +') dnl end ifdef distro_redhat + optional_policy(`authlogin.te',` authlogin_pam_console_read_runtime_data(udev_t) authlogin_pam_console_transition(udev_t) @@ -127,10 +136,10 @@ allow udev_t var_lock_t:file getattr; allow udev_t mnt_t:dir search; allow udev_t devpts_t:dir { getattr search }; + allow udev_t sysadm_tty_device_t:chr_file { read write }; # Dontaudits -dontaudit udev_t initrc_var_run_t:file write; dontaudit udev_t staff_home_dir_t:dir search; dontaudit udev_t file_t:dir search; dontaudit udev_t domain:dir r_dir_perms; @@ -142,14 +151,9 @@ dbusd_client(system, udev) # Ifdefs tunable_policy(`distro_redhat',` -allow udev_t tmpfs_t:dir rw_dir_perms; allow udev_t tmpfs_t:sock_file create_file_perms; allow udev_t tmpfs_t:lnk_file create_lnk_perms; -allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; -allow udev_t tmpfs_t:dir search; - -# for arping used for static IP addresses on PCMCIA ethernet -netutils_transition(udev_t) +allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto }; ') dnl end ifdef distro_redhat tunable_policy(`hide_broken_symptoms',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 88eabb2..d53d9fa 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -128,6 +128,8 @@ logging_ignore_get_all_logs_attributes($1_t) miscfiles_read_localization($1_t) miscfiles_manage_man_page_cache($1_t) +selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + mta_modify_mail_spool($1_t) if (allow_execmem) { @@ -376,11 +378,11 @@ type $1_devpts_t; # userpty_type, user_tty_type; terminal_make_user_pseudoterminal($1_t,$1_devpts_t) # Type for home directory. -type $1_home_dir_t; #, home_dir_type, home_type, user_home_dir_type; +type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type; files_make_file($1_home_dir_t) # Type for files and directories in the home directory -type $1_home_t, $1_file_type; #, home_type, user_home_type; +type $1_home_t, $1_file_type, home_type; #, user_home_type; files_make_file($1_home_t) type $1_tmp_t, $1_file_type; #, user_tmpfile @@ -438,8 +440,16 @@ init_script_read_runtime_data($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. init_script_ignore_write_runtime_data($1_t) +# Stop warnings about access to /dev/console +init_ignore_use_file_descriptors($1_t) +init_script_ignore_use_file_descriptors($1_t) + +miscfiles_read_man_pages($1_t) selinux_read_config($1_t) +# Allow users to execute checkpolicy without a domain transition +# so it can be used without privilege to write real binary policy file +selinux_checkpolicy_execute($1_t) if (user_dmesg) { kernel_read_ring_buffer($1_t) @@ -454,6 +464,16 @@ if (user_tcp_server) { corenetwork_bind_tcp_on_general_port($1_t) } +# for running depmod as part of the kernel packaging process +optional_policy(`modutils.te',` +modutils_read_kernel_module_loading_config($1_t) +') + +optional_policy(`selinux.te',` +# for when the network connection is killed +selinux_newrole_ignore_signal($1_t) +') + # Need the following rule to allow users to run vpnc optional_policy(`xserver.te', ` corenetwork_bind_tcp_on_xserver_port($1_t) @@ -509,13 +529,6 @@ allow $1_t var_run_t:{ file lnk_file } r_file_perms; allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:file { getattr read }; -# for running depmod as part of the kernel packaging process -allow $1_t modules_conf_t:file { getattr read }; - -# Read man directories and files. -allow $1_t man_t:dir r_dir_perms; -allow $1_t man_t:notdevfile_class_set r_file_perms; - # Allow users to rw usb devices if (user_rw_usb) { rw_dir_create_file($1_t,usbdevfs_t) @@ -523,10 +536,6 @@ rw_dir_create_file($1_t,usbdevfs_t) r_dir_file($1_t,usbdevfs_t) } -# Read /dev directories and any symbolic links. -allow $1_t device_t:dir r_dir_perms; -allow $1_t device_t:lnk_file r_file_perms; - # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; @@ -540,10 +549,8 @@ dontaudit $1_t devlog_t:sock_file { read write }; dontaudit $1_t syslogd_t:unix_dgram_socket sendto; ') -# Stop warnings about access to /dev/console -dontaudit $1_t init_t:fd use; -dontaudit $1_t initrc_t:fd use; allow $1_t initrc_t:fifo_file write; + ifdef(`user_can_mount', ` # # Allow users to mount file systems like floppies and cdrom @@ -586,7 +593,7 @@ role system_r types $1_t; #; dnl end of sysadm_t type declaration # Type and access for pty devices. -type $1_devpts_t; +type $1_devpts_t, admin_terminal; terminal_make_pseudoterminal($1_devpts_t) type $1_home_t, $1_file_type; #, home_type; @@ -598,7 +605,7 @@ files_make_file($1_home_t) type $1_tmp_t, $1_file_type; files_make_temporary_file($1_tmp_t) -type $1_tty_device_t; +type $1_tty_device_t, admin_terminal; terminal_make_physical_terminal($1_t,$1_tty_device_t) ############################## @@ -675,6 +682,8 @@ terminal_use_all_private_physical_terminals($1_t) domain_set_all_domains_priorities($1_t) +files_execute_system_source_code_scripts($1_t) + init_use_control_channel($1_t) logging_send_system_log_message($1_t) @@ -690,6 +699,10 @@ selinux_manage_source_policy($1_t) # But presently necessary for installing the file_contexts file. selinux_manage_binary_policy($1_t) +optional_policy(`cron.te',` +cron_admin_template($1) +') + ifdef(`TODO',` # Let admin stat the shadow file. @@ -727,9 +740,6 @@ allow $1_t ptyfile:chr_file getattr; # Not ideal, but typical if users want to login as both sysadm_t or staff_t. can_exec($1_t, staff_home_t) -# Run programs from /usr/src. -can_exec($1_t, src_t) - # Run admin programs that require different permissions in their own domain. # These rules were moved into the appropriate program domain file. @@ -764,16 +774,6 @@ allow $1_gph_t user_home_dir_type:dir rw_dir_perms; allow $1_gph_t user_home_type:file create_file_perms; ') -# Manipulate other users crontab. -can_getsecurity(sysadm_crontab_t) - -ifdef(`crond.te', ` -allow $1_crond_t var_log_t:file r_file_perms; -') - -# Allow our crontab domain to unlink a user cron spool file. -ifdef(`crontab.te',`allow $1_crontab_t user_cron_spool_t:file unlink;') - # for the administrator to run TCP servers directly allow $1_t kernel_t:tcp_socket recvfrom; @@ -794,7 +794,55 @@ allow $1_t eventpollfs_t:file getattr; ') dnl endif TODO ') +######################################## +## +## +## Read and write administrative users +## physical and pseudo terminals. +## +## +## The type of the process performing this action. +## +## +## # +define(`userdomain_use_admin_terminals',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +terminal_list_pseudoterminals($1) +allow $1 admin_terminal:chr_file { getattr read write ioctl }; +') + +define(`userdomain_use_admin_terminals_depend',` +attribute admin_terminal; +class chr_file { getattr read write ioctl }; +') + +######################################## +## +## +## Inherit the file descriptors from all user domains +## +## +## The type of the process performing this action. +## +## +## +# +define(`userdomain_read_all_users_data',` +requires_block_template(`$0'_depend) +files_list_home_directories($1) +allow $1 home_type:dir { getattr search read }; +allow $1 home_type:file { getattr read }; +') + +define(`userdomain_read_all_users_data_depend',` +attribute home_type; +class dir { getattr search read }; +class file { getattr read }; +') + +######################################## ## ## ## Inherit the file descriptors from all user domains @@ -815,4 +863,47 @@ attribute userdomain; class fd use; ') +######################################## +## +## +## Inherit the file descriptors from all user domains. +## +## +## The type of the process performing this action. +## +## +## +# +define(`userdomain_use_all_unprivileged_users_file_descriptors',` +requires_block_template(`$0'_depend) +allow $1 unpriv_userdomain:fd use; +') + +define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` +attribute unpriv_userdomain; +class fd use; +') + +######################################## +## +## +## Do not audit attempts to inherit the +## file descriptors from all user domains. +## +## +## The type of the process performing this action. +## +## +## +# +define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',` +requires_block_template(`$0'_depend) +dontaudit $1 unpriv_userdomain:fd use; +') + +define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',` +attribute unpriv_userdomain; +class fd use; +') + ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index e530c6c..9a64b81 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -7,6 +7,15 @@ policy_module(userdomain,1.0) # Declarations # +# admin users terminals (tty and pty) +attribute admin_terminal; + +# users home directory +attribute home_dir_type; + +# users home directory contents +attribute home_type; + # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) @@ -66,7 +75,6 @@ bool user_tcp_server false; # Allow w to display everyone bool user_ttyfile_stat false; -admin_domain_template(sysadm) user_domain_template(staff) user_domain_template(user) @@ -77,8 +85,51 @@ user_domain_template(user) #allow privhome home_root_t:dir { getattr search }; +# Add/remove user home directories +#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) + +######################################## +# +# Sysadm local policy +# + +admin_domain_template(sysadm) + # for su allow sysadm_t userdomain:fd use; -# Add/remove user home directories -#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) +optional_policy(`iptables.te',` +iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`lvm.te',` +lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`modutils.te',` +modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`mount.te',` +mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`selinux.te',` +selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +optional_policy(`targeted_policy',`',` +selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') +') + +optional_policy(`sysnetwork.te',` +sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + +optional_policy(`clock.te',` +clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +')