diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 401465c..7a45f5a 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -6,10 +6,7 @@ define(`consoletype_transition',`
 requires_block_template(`$0'_depend)
- allow $1 consoletype_exec_t:file { getattr read execute };
- allow $1 consoletype_t:process transition;
- type_transition $1 consoletype_exec_t:process consoletype_t;
- dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1,consoletype_exec_t,consoletype_t)
 allow $1 consoletype_t:fd use;
 allow consoletype_t $1:fd use;
@@ -20,7 +17,7 @@ define(`consoletype_transition',`
 define(`consoletype_transition_depend',`
 type consoletype_t, consoletype_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -33,7 +30,8 @@ define(`consoletype_transition_depend',`
 define(`consoletype_execute',`
 requires_block_template(`$0'_depend)
- allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,consoletype_exec_t)
+
 ')
 define(`consoletype_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 2ed973f..9ade7b4 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
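Review bot: The consoletype_transition hunk collapses the exec/transition/type_transition/dontaudit rules into `domain_auto_trans($1,consoletype_exec_t,consoletype_t)`, while the sibling interfaces rewritten in this same commit (dmesg_transition, netutils_transition, rpm_transition and the usermanage chfn/passwd/useradd transitions) keep the four explicit rules and only switch the file set to rx_file_perms; one cleanup should not leave both shapes behind. If domain_auto_trans is the intended form, the consoletype_transition_depend block in the second hunk should be checked against what that macro actually expands to, since it still lists only `class file rx_file_perms;` plus the process permissions, and the macro body is not visible on this page. The define bodies start and end outside these hunks.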
@@ -21,14 +21,14 @@ allow consoletype_t self:capability sys_admin;
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file { read getattr lock ioctl write append };
-allow consoletype_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow consoletype_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:unix_dgram_socket create_socket_perms;
+allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
 allow consoletype_t self:unix_dgram_socket sendto;
 allow consoletype_t self:unix_stream_socket connectto;
-allow consoletype_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow consoletype_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow consoletype_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow consoletype_t self:shm rw_shm_perms;
+allow consoletype_t self:sem rw_sem_perms;
+allow consoletype_t self:msgq rw_msgq_perms;
 allow consoletype_t self:msg { send receive };
 kernel_use_file_descriptors(consoletype_t)
@@ -70,7 +70,7 @@ allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 allow consoletype_t nfs_t:file write;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t crond_t:fifo_file r_file_perms;
 allow consoletype_t system_crond_t:fd use;
 optional_policy(`ypbind.te', `
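Review bot: `allow consoletype_t self:shm rw_shm_perms;` and the sem/msgq lines under it replace sets that explicitly contained create, destroy and setattr, whereas the identical original sets in rpm.te and usermanage.te in this commit become `create_shm_perms`, `create_sem_perms` and `create_msgq_perms`. The macro definitions are not on this page, but if the rw_* forms do not include create/destroy, consoletype_t silently loses the ability to create its own IPC objects. Either use the create_* forms here for consistency with the rest of the commit, or add a comment explaining why consoletype_t needs the narrower set.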
@@ -95,11 +95,11 @@ allow consoletype_t autofs_t:dir { search getattr };
 optional_policy(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
+allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 optional_policy(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
+allow consoletype_t printconf_t:file r_file_perms;
 ')
 optional_policy(`firstboot.te', `
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 2b2b8c6..9c78dc9 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -15,7 +15,7 @@ define(`dmesg_transition',`
 requires_block_template(`$0'_depend)
- allow $1 dmesg_exec_t:file { getattr read execute };
+ allow $1 dmesg_exec_t:file rx_file_perms;
 allow $1 dmesg_t:process transition;
 type_transition $1 dmesg_exec_t:process dmesg_t;
 dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`dmesg_transition',`
 define(`dmesg_transition_depend',`
 type dmesg_t, dmesg_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -49,7 +49,8 @@ define(`dmesg_transition_depend',`
 define(`dmesg_execute',`
 requires_block_template(`$0'_depend)
- allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,dmesg_exec_t)
+
 ')
 define(`dmesg_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index eb8b780..e13fb5f 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -19,7 +19,7 @@ role system_r types dmesg_t;
 allow dmesg_t self:capability sys_admin;
 dontaudit dmesg_t self:capability sys_tty_config;
-allow dmesg_t self:process { sigchld sigkill sigstop signull signal };
+allow dmesg_t self:process signal_perms;
 kernel_read_kernel_sysctl(dmesg_t)
 kernel_read_hardware_state(dmesg_t)
@@ -70,7 +70,7 @@ allow dmesg_t proc_t:lnk_file read;
 optional_policy(`rhgb.te', `
 allow dmesg_t rhgb_t:process sigchld;
 allow dmesg_t rhgb_t:fd use;
-allow dmesg_t rhgb_t:fifo_file { read write };
+allow dmesg_t rhgb_t:fifo_file rw_file_perms;
 ')
 allow dmesg_t autofs_t:dir { search getattr };
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 79b2e61..72fc713 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -6,7 +6,7 @@ define(`netutils_transition',`
 requires_block_template(`$0'_depend)
- allow $1 netutils_exec_t:file { getattr read execute };
+ allow $1 netutils_exec_t:file rx_file_perms;
 allow $1 netutils_t:process transition;
 type_transition $1 netutils_exec_t:process netutils_t;
 dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
@@ -20,7 +20,7 @@ define(`netutils_transition',`
 define(`netutils_transition_depend',`
 type netutils_t, netutils_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -33,7 +33,8 @@ define(`netutils_transition_depend',`
 define(`netutils_execute',`
 requires_block_template(`$0'_depend)
- allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,netutils_exec_t)
+
 ')
 define(`netutils_execute_depend',`
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 9a35ab6..9af0617 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -38,12 +38,12 @@ bool user_ping false;
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
 allow netutils_t self:process { sigkill sigstop signull signal };
 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:udp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_socket_perms;
-allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow netutils_t netutils_tmp_t:dir create_dir_perms;
+allow netutils_t netutils_tmp_t:file create_file_perms;
 files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
 corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
@@ -100,8 +100,8 @@ allow netutils_t proc_t:dir search;
 allow ping_t self:capability setuid;
 dontaudit ping_t self:capability sys_tty_config;
-allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow ping_t self:tcp_socket create_socket_perms;
+allow ping_t self:udp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
@@ -155,8 +155,8 @@ if (user_ping) {
 #
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 kernel_read_system_state(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index ac47688..424600c 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -15,7 +15,7 @@ define(`rpm_transition',`
 requires_block_template(`$0'_depend)
- allow $1 rpm_exec_t:file { getattr read execute };
+ allow $1 rpm_exec_t:file rx_file_perms;
 allow $1 rpm_t:process transition;
 type_transition $1 rpm_exec_t:process rpm_t;
 dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`rpm_transition',`
 define(`rpm_transition_depend',`
 type rpm_t, rpm_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -104,13 +104,13 @@ define(`rpm_use_file_descriptors_depend',`
 define(`rpm_read_pipe',`
 requires_block_template(`$0'_depend)
- allow $1 rpm_t:fifo_file { getattr read };
+ allow $1 rpm_t:fifo_file r_file_perms;
 ')
 define(`rpm_read_pipe_depend',`
 type rpm_t;
- class fifo_file { getattr read };
+ class fifo_file r_file_perms;
 ')
 ########################################
@@ -127,17 +127,17 @@ define(`rpm_read_pipe_depend',`
 define(`rpm_read_package_database',`
 requires_block_template(`$0'_depend)
- allow $1 rpm_var_lib_t:dir { getattr read search };
- allow $1 rpm_var_lib_t:file { read getattr };
- allow $1 rpm_var_lib_t:lnk_file { getattr read };
+ allow $1 rpm_var_lib_t:dir r_dir_perms;
+ allow $1 rpm_var_lib_t:file r_file_perms;
+ allow $1 rpm_var_lib_t:lnk_file r_file_perms;
 ')
 define(`rpm_read_package_database_depend',`
 type rpm_var_lib_t_t;
- class dir { search getattr read };
- class lnk_file { getattr read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -147,7 +147,7 @@ define(`rpm_read_package_database_depend',`
 define(`rpm_manage_package_database',`
 requires_block_template(`$0'_depend)
- allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+ allow $1 rpm_var_lib_t:dir rw_dir_perms;
 allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
@@ -155,9 +155,9 @@ define(`rpm_manage_package_database',`
 define(`rpm_manage_package_database_depend',`
 type rpm_var_lib_t_t;
- class dir { search getattr read };
- class lnk_file { getattr read };
- class file { getattr read };
+ class dir rw_dir_perms;
+ class lnk_file { getattr read write unlink };
+ class file { getattr create read write append unlink };
 ')
 ##
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 40ab210..6838164 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
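Review bot: Both depend blocks rewritten here, rpm_read_package_database_depend and rpm_manage_package_database_depend, still declare `type rpm_var_lib_t_t;` while the interface bodies reference rpm_var_lib_t. That is an untouched context line, but since the commit rewrites every class line around it, correcting it to `type rpm_var_lib_t;` in the same pass would keep the requires block from naming a type that, as far as this page shows, is never declared. The manage depend block now matching the body's explicit file and lnk_file sets is the right direction.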
@@ -59,38 +59,38 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
-allow rpm_t self:fifo_file { read getattr lock ioctl write append };
-allow rpm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow rpm_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow rpm_t self:fifo_file rw_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_t self:unix_dgram_socket sendto;
 allow rpm_t self:unix_stream_socket connectto;
 allow rpm_t self:udp_socket { connect };
-allow rpm_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow rpm_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow rpm_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow rpm_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow rpm_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket rw_stream_socket_perms;
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
 allow rpm_t self:dir search;
-allow rpm_t self:file { getattr read write };
+allow rpm_t self:file rw_file_perms;;
-allow rpm_t rpm_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_log_t:file 
create_file_perms;
 logging_create_private_log(rpm_t,rpm_log_t)
-allow rpm_t rpm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_t rpm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_tmp_t:dir create_dir_perms;
+allow rpm_t rpm_tmp_t:file create_file_perms;
 files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
-allow rpm_t rpm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow rpm_t rpm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow rpm_t rpm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
+allow rpm_t rpm_tmpfs_t:file create_file_perms;
+allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
 fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Access /var/lib/rpm files
-allow rpm_t rpm_var_lib_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_t rpm_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow rpm_t rpm_var_lib_t:file create_file_perms;
+allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
 #files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
 kernel_read_system_state(rpm_t)
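Review bot: `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon, which checkpolicy will most likely reject as an empty statement; it should read `allow rpm_t self:file rw_file_perms;`. In the same hunk, `allow rpm_t self:unix_stream_socket rw_stream_socket_perms;` and `allow rpm_t self:tcp_socket rw_stream_socket_perms;` replace sets that contained create, while consoletype.te and usermanage.te in this commit map the identical original set to `create_stream_socket_perms`; if rw_stream_socket_perms lacks create (its definition is not on this page) rpm_t silently loses socket creation, and the same substitution is made for rpm_script_t in the hunk at -220. Also `allow rpm_t rpm_tmpfs_t:dir create_dir_perms;` widens the removed `{ read getattr lock search ioctl add_name remove_name write }` set, which had no create/rmdir/reparent, whereas the identical set for rpm_var_lib_t:dir here, for rpm_script_tmpfs_t:dir and for crack_db_t:dir becomes rw_dir_perms; rw_dir_perms looks like the faithful replacement for this line too.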
@@ -166,8 +166,8 @@ dontaudit rpm_t domain:process ptrace;
 # read/write/create any files in the system
 allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow rpm_t ttyfile:chr_file unlink;
@@ -176,10 +176,10 @@ allow rpm_t ttyfile:chr_file unlink;
 allow rpm_t fs_type:dir { setattr rw_dir_perms };
 allow rpm_t mount_t:tcp_socket write;
-allow rpm_t nfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow rpm_t nfs_t:lnk_file create_file_perms;
-allow rpm_t sysfs_t:dir { read getattr lock search ioctl };
-allow rpm_t usbdevfs_t:dir { read getattr lock search ioctl };
+allow rpm_t sysfs_t:dir r_dir_perms;
+allow rpm_t usbdevfs_t:dir r_dir_perms;
 allow rpm_t rpc_pipefs_t:dir search;
@@ -220,28 +220,28 @@ allow crond_t rpm_t:fifo_file r_file_perms;
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow rpm_script_t self:fd use;
-allow rpm_script_t self:fifo_file { read getattr lock ioctl write append };
-allow rpm_script_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow rpm_script_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow rpm_script_t self:fifo_file rw_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
 allow rpm_script_t self:unix_stream_socket connectto;
-allow rpm_script_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow rpm_script_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow rpm_script_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
+allow rpm_script_t rpm_tmp_t:file r_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
-allow rpm_script_t rpm_script_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t rpm_script_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
+allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
 files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
-allow rpm_script_t rpm_script_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow rpm_script_t rpm_script_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow rpm_script_t rpm_script_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
+allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
 fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_kernel_sysctl(rpm_script_t)
@@ -316,7 +316,8 @@ ifdef(`TODO',`
 allow rpm_script_t sysfs_t:dir r_dir_perms;
-allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
+can_exec(rpm_script_t,usr_t)
+
 allow rpm_script_t autofs_t:dir { search getattr };
@@ -327,7 +328,8 @@ allow rpm_script_t autofs_t:dir { search getattr };
 ')
 optional_policy(`lpd.te', `
-allow rpm_script_t printconf_t:file { getattr read execute execute_no_trans };
+can_exec(rpm_script_t,printconf_t)
+
 ')
 optional_policy(`ssh.te', `
@@ -358,13 +360,13 @@ ifdef(`TODO',`
 allow userdomain var_lib_t:dir { getattr search };
-allow { insmod_t depmod_t } rpm_t:fifo_file { getattr read write append ioctl lock };
+allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 optional_policy(`cups.te', `
-allow cupsd_t rpm_var_lib_t:dir { getattr read search };
-allow cupsd_t rpm_var_lib_t:file { read getattr };
-allow cupsd_t rpb_var_lib_t:lnk_file { getattr read };
-allow cupsd_t initrc_exec_t:file { getattr read };
+allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
+allow cupsd_t rpm_var_lib_t:file r_file_perms;
+allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
+allow cupsd_t initrc_exec_t:file r_file_perms;
 domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
 ')
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index aa03a72..dc3997f 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -15,7 +15,7 @@ define(`usermanage_chfn_transition',`
 requires_block_template(`$0'_depend)
- allow $1 chfn_exec_t:file { getattr read execute };
+ allow $1 chfn_exec_t:file rx_file_perms;
 allow $1 chfn_t:process transition;
 type_transition $1 chfn_exec_t:process chfn_t;
 dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
@@ -29,7 +29,7 @@ define(`usermanage_chfn_transition',`
 define(`usermanage_chfn_transition_depend',`
 type chfn_t, chfn_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
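Review bot: `allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;` keeps the `rpb_var_lib_t` misspelling from the removed line while the two lines above it use rpm_var_lib_t; since the line is being rewritten anyway it should read `allow cupsd_t rpm_var_lib_t:lnk_file r_file_perms;`. The block sits under the ifdef(`TODO') shown in the hunk header, so it is not compiled today, but the undeclared type will fail the build the moment that section is enabled.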
@@ -81,11 +81,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
 define(`usermanage_groupadd_transition',`
 requires_block_template(`$0'_depend)
- allow $1 groupadd_exec_t:file { getattr read execute };
- allow $1 groupadd_t:process transition;
- type_transition $1 groupadd_exec_t:process groupadd_t;
- dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
-
+ domain_auto_trans($1,groupadd_t,groupadd_t)
 allow $1 groupadd_t:fd use;
 allow groupadd_t $1:fd use;
 allow groupadd_t $1:fifo_file rw_file_perms;
@@ -95,7 +91,7 @@ define(`usermanage_groupadd_transition',`
 define(`usermanage_groupadd_transition_depend',`
 type groupadd_t, groupadd_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
@@ -147,7 +143,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
 define(`usermanage_passwd_transition',`
 requires_block_template(`$0'_depend)
- allow $1 passwd_exec_t:file { getattr read execute };
+ allow $1 passwd_exec_t:file rx_file_perms;
 allow $1 passwd_t:process transition;
 type_transition $1 passwd_exec_t:process passwd_t;
 dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
@@ -161,7 +157,7 @@ define(`usermanage_passwd_transition',`
 define(`usermanage_passwd_transition_depend',`
 type passwd_t, passwd_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
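Review bot: `domain_auto_trans($1,groupadd_t,groupadd_t)` passes the domain type as the entrypoint; the removed lines show the entrypoint is groupadd_exec_t (`type_transition $1 groupadd_exec_t:process groupadd_t;`), so this should be `domain_auto_trans($1,groupadd_exec_t,groupadd_t)`, matching the consoletype_transition form used in this same commit. As written the caller never receives execute on groupadd_exec_t and the type_transition keys on the wrong type, so the transition into groupadd_t would silently stop working. The rest of usermanage_groupadd_transition continues outside the hunk.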
@@ -213,7 +209,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
 define(`usermanage_useradd_transition',`
 requires_block_template(`$0'_depend)
- allow $1 useradd_exec_t:file { getattr read execute };
+ allow $1 useradd_exec_t:file rx_file_perms;
 allow $1 useradd_t:process transition;
 type_transition $1 useradd_exec_t:process useradd_t;
 dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
@@ -227,7 +223,7 @@ define(`usermanage_useradd_transition',`
 define(`usermanage_useradd_transition_depend',`
 type useradd_t, useradd_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
 class process { transition noatsecure siginh rlimitinh sigchld };
 class fd use;
 class fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 3698461..2cb945c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -66,14 +66,14 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
-allow chfn_t self:fifo_file { read getattr lock ioctl write append };
-allow chfn_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow chfn_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
+allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
 allow chfn_t self:unix_dgram_socket sendto;
 allow chfn_t self:unix_stream_socket connectto;
-allow chfn_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow chfn_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow chfn_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow chfn_t self:shm create_shm_perms;
+allow chfn_t self:sem create_sem_perms;
+allow chfn_t self:msgq create_msgq_perms;
 allow chfn_t self:msg { send receive };
 kernel_read_system_state(chfn_t)
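Review bot: `create_rw_socket_perms` and `rwcreate_stream_socket_perms` on the chfn_t unix_dgram_socket and unix_stream_socket lines do not match the names used for the identical sets everywhere else in this commit (`create_socket_perms`, `create_stream_socket_perms`) and look like typos. m4 leaves an unknown macro name untouched, so checkpolicy would then see a bare identifier where a permission set is expected and fail the build. Suggest `allow chfn_t self:unix_dgram_socket create_socket_perms;` and `allow chfn_t self:unix_stream_socket create_stream_socket_perms;`.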
@@ -147,15 +147,15 @@ dontaudit chfn_t selinux_config_t:dir search;
 #
 allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file { read write getattr };
+allow crack_t self:fifo_file rw_file_perms;
-allow crack_t crack_db_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow crack_t crack_db_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow crack_t crack_db_t:lnk_file { create read getattr setattr link unlink rename };
+allow crack_t crack_db_t:dir rw_dir_perms;
+allow crack_t crack_db_t:file create_file_perms;
+allow crack_t crack_db_t:lnk_file create_file_perms;
 files_search_system_state_data_directory(crack_t)
-allow crack_t crack_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow crack_t crack_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow crack_t crack_tmp_t:dir create_dir_perms;
+allow crack_t crack_tmp_t:file create_file_perms;
 files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
 kernel_read_system_state(crack_t)
@@ -180,7 +180,7 @@ logging_send_system_log_message(crack_t)
 ifdef(`TODO',`
 ifdef(`crond.te', `
 domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
-allow crack_t crond_t:fifo_file { getattr read write ioctl };
+allow crack_t crond_t:fifo_file rw_file_perms;
 # a rule for privfd may make this obsolete
 allow crack_t crond_t:fd use;
 allow crack_t crond_t:process sigchld;
@@ -199,14 +199,14 @@ dontaudit groupadd_t self:capability fsetid;
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file { read getattr lock ioctl write append };
-allow groupadd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow groupadd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 allow groupadd_t self:unix_dgram_socket sendto;
 allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow groupadd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow groupadd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow groupadd_t self:shm create_shm_perms;
+allow groupadd_t self:sem create_sem_perms;
+allow groupadd_t self:msgq create_msgq_perms;
 allow groupadd_t self:msg { send receive };
 # Allow access to context for shadow file
@@ -275,14 +275,14 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
-allow passwd_t self:fifo_file { read getattr lock ioctl write append };
-allow passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:unix_dgram_socket create_socket_perms;
+allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
 allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow passwd_t self:shm create_shm_perms;
+allow passwd_t self:sem create_sem_perms;
+allow passwd_t self:msgq create_msgq_perm;
 allow passwd_t self:msg { send receive };
 kernel_get_selinuxfs_mount_point(passwd_t)
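Review bot: `allow passwd_t self:msgq create_msgq_perm;` is missing the trailing s; every other domain in this commit uses `create_msgq_perms` for the same removed set. Because m4 passes an unknown name through unexpanded, this line would reach checkpolicy as an undefined permission and break the build, so it should read `allow passwd_t self:msgq create_msgq_perms;`.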
@@ -366,19 +366,19 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file { read getattr lock ioctl write append };
-allow sysadm_passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow sysadm_passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
+allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow sysadm_passwd_t self:unix_dgram_socket sendto;
 allow sysadm_passwd_t self:unix_stream_socket connectto;
-allow sysadm_passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow sysadm_passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow sysadm_passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow sysadm_passwd_t self:shm create_shm_perms;
+allow sysadm_passwd_t self:sem create_sem_perms;
+allow sysadm_passwd_t self:msgq create_msgq_perms;
 allow sysadm_passwd_t self:msg { send receive };
 # allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
+allow sysadm_passwd_t sysadm_passwd_tmp_t:file 
creat_file_perms;
 files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_system_state_data_directory(sysadm_passwd_t)
@@ -463,14 +463,14 @@ allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid s
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-allow useradd_t self:fifo_file { read getattr lock ioctl write append };
-allow useradd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow useradd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow useradd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow useradd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow useradd_t self:shm create_shm_perms;
+allow useradd_t self:sem create_sem_perms;
+allow useradd_t self:msgq create_msgq_perms;
 allow useradd_t self:msg { send receive };
 # Allow access to context for shadow file
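Review bot: `creat_file_perms;`, the continuation of `allow sysadm_passwd_t sysadm_passwd_tmp_t:file` from the preceding line, is misspelled; the macro used for this same removed set everywhere else in the commit is `create_file_perms`. As m4 would pass the unknown name through unexpanded, checkpolicy would reject it as an undefined permission, so the line should read `allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;`.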