diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 98beae7..8443652 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -89,6 +89,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 BASE_MODULE = kernel
 FLASKDIR = flask
 APPCONF = appconfig
+M4SUPPORT = support_macros
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
@@ -98,7 +99,7 @@ USER_FILES := users
 DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
 ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
-PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
+PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
 ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
 ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
 POST_TE_FILES := users constraints initial_sid_contexts fs_use
@@ -185,7 +186,7 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
 	echo "define(\`$$i')" >> $@ ;\
 	done
 	$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
-	| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
+	| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
 	| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 # this is so the xml works:
 	$(QUIET) echo "## " >> $@
@@ -226,7 +227,7 @@ enableaudit: policy.conf
 #
 # Construct file_contexts
 #
-$(FC): kernel/global.if $(ALL_FC_FILES)
+$(FC): $(M4SUPPORT) $(ALL_FC_FILES)
 	@test -d tmp || mkdir -p tmp
 	$(QUIET) m4 $(M4PARAM) $^ > $@
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
new file mode 100644
index 0000000..c02e0a1
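Review bot: `M4SUPPORT = support_macros` is a bare filename resolved against the Makefile's own directory, while the file this commit adds lives at `policy/support/support_macros`; the neighbouring inputs (`$(BASE_MODULE)/corenetwork.te`, `$(FLASKDIR)/...`) are all resolved the same way, so unless make is run from inside `policy/`, neither the new `$(FC)` prerequisite nor the m4 input in the generated_definitions rule will be found. Give it the same base the other paths use, e.g. `M4SUPPORT = support/support_macros`, and say what it is: `# m4 macro library (policy_module, optional_policy, class/perm sets); must be the first m4 input wherever it is used`. I cannot see from this diff which directory the build runs in, so confirm that before changing the path.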
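Review bot: If `support/` sits beside the layer directories, `DETECTED_DIRS` (every directory matched by `find $(wildcard *) -maxdepth 0 -type d`) will include it, and `ALL_LAYERS` will treat it as a policy layer because only `tmp CVS $(APPCONF) $(FLASKDIR)` are filtered out. It contains no `.te`/`.if` files so nothing is mis-built, but the directory becomes a prerequisite of `tmp/generated_definitions.conf` and its mtime will force regeneration whenever a file inside it changes. Add it to the exclusion list, `ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR) support,$(DETECTED_DIRS))`, with a comment that `support/` holds m4 helpers rather than a layer. This assumes the directory layout I infer from the new file's path; if `support/` lives under a different parent the point does not apply.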
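Review bot: The `m4` invocation now reads `$(M4SUPPORT)`, but the rule's prerequisite list (`$(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor…`, truncated in the hunk header) does not visibly include it, so editing `support_macros` — changing a permission set, say — would not regenerate `tmp/generated_definitions.conf`; add `$(M4SUPPORT)` to that rule's prerequisites as the `$(FC)` rule does. The m4 call also sits in the middle of an `egrep | m4 | sed >> $@` pipeline, so a missing or broken `$(M4SUPPORT)` makes m4 exit non-zero while the rule still succeeds on sed's status and appends a truncated definitions file; with `SHELL` set to bash, `.SHELLFLAGS := -eo pipefail -c` would surface the failure. The rule header starts above this hunk, so part of its prerequisite list may be out of my view.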
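Review bot: The order of `$^` is load-bearing for the recipe under the new header: m4 only applies the `define()`s in `support_macros` to the inputs that follow it, so `$(M4SUPPORT)` must remain the first prerequisite, and nothing in the rule says so. A one-line comment above the header — `# $(M4SUPPORT) must stay first: m4 expands $^ in order and the fc files use its macros` — would keep a later reordering from silently leaving macro names unexpanded in file_contexts. Separately, `m4 … > $@` writes the target directly, so a failed m4 leaves a partial `$(FC)` that looks up to date; `.DELETE_ON_ERROR:` or `> $@.tmp && mv -f $@.tmp $@` avoids that (pre-existing, not introduced by this change).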
--- /dev/null
+++ b/refpolicy/policy/support/support_macros
@@ -0,0 +1,283 @@
+
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ifdef(`monolithic_policy',`',`
+module $1 $2;
+')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a requires block
+#
+define(`requires_block_template',`
+ifdef(`monolithic_policy',`',`
+require {
+$1
+}
+') dnl end ifdef monolithic_policy
+') dnl end requires_block_template
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end optional_policy
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+require { $1 }
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end tunable_policy
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# context_template(context,sensitivity)
+#
+# Optionally put the sensitivity for the file
+#
+define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
+
+########################################
+#
+# user_mls(level,range)
+#
+define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
+
+########################################
+#
+# Macros for sets of classes and permissions.
+#
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
+
+
+#
+# Datagram socket classes.
+#
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+
+#
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+#
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+#
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+#
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+#
+# Permissions for reading and writing files and their attributes.
+#
+define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+
+#
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+#
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+#
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+#
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+#
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+#
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+#
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+#
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+#
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+#
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+#
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+#
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+#
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+
+
+
+
+
+
+
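Review bot: `rw_netlink_socket_perms` and `create_netlink_socket_perms` expand to the identical set `{ create_socket_perms nlmsg_read nlmsg_write }`, and `r_netlink_socket_perms` is documented as "operations that observe state" although it still carries `create_socket_perms` — and with it the generic `write`, `bind` and `connect` from `rw_socket_perms` — so only the netlink-specific `nlmsg_write` is actually withheld. Drop one of the two duplicates (or define `rw_netlink_socket_perms` as `create_netlink_socket_perms`) and make the comments state what the sets gate, e.g. `# Netlink sockets, nlmsg_read only: socket-layer create/write/bind are still granted; the read/write split is enforced on nlmsg_*`. The comments on `connected_socket_perms` and `connected_stream_socket_perms` are copied from the `create_*` sets ("Permissions for creating and using sockets") and hide the one difference that matters, the omission of `connect`; say so: `# Like create_socket_perms but without connect`. That `connect` is omitted is what the set shows; whether it is meant for sockets a domain receives already connected is my reading, so confirm against the callers before writing that into the comment.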