diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 1773fa8..219bcab 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -147,16 +147,39 @@ interface(`mta_mailserver',` typeattribute $1 mailserver_domain; ') -####################################### -# -# mta_sendmail_mailserver(domain,entrypointtype) -# +######################################## +## +## Modified mailserver interface for +## sendmail daemon use. +## +## +##

+## A modified MTA mail server interface for +## the sendmail program. It's design does +## not fit well with policy, and using the +## regular interface causes a type_transition +## conflict if direct running of init scripts +## is enabled. +##

+##

+## This interface should most likely only be used +## by the sendmail policy. +##

+##
+## +## The type to be used for the mail server. +## +## +## The type to be used for the domain entry point program. +## interface(`mta_sendmail_mailserver',` gen_require(` + attribute mailserver_domain; type sendmail_exec_t; ') - mta_mailserver($1,sendmail_exec_t) + init_system_domain($1,sendmail_exec_t) + typeattribute $1 mailserver_domain; ') ####################################### diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 8ecd0a7..661622a 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -18,7 +18,7 @@ files_type(ssh_exec_t) type ssh_keygen_t; type ssh_keygen_exec_t; -init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t) +init_system_domain(ssh_keygen_t,ssh_keygen_exec_t) role system_r types ssh_keygen_t; ssh_server_template(sshd) @@ -207,6 +207,8 @@ allow ssh_keygen_t proc_t:lnk_file read; userdom_use_sysadm_tty(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t) +# cjp: with the old daemon_(base_)domain being broken up into +# a daemon and system interface, this probably is not needed: ifdef(`direct_sysadm_daemon',` userdom_dontaudit_use_sysadm_terms(ssh_keygen_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index f775741..bc9eae6 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -190,6 +190,8 @@ seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fd(pam_console_t) +# cjp: with the old daemon_(base_)domain being broken up into +# a daemon and system interface, this probably is not needed: ifdef(`direct_sysadm_daemon', ` userdom_dontaudit_use_sysadm_terms(pam_console_t) ') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 966f21b..4383272 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -1,8 +1,15 @@ ## System initialization programs (init and init scripts). ######################################## -# -# init_domain(domain,entrypointfile) +## +## Create a domain which can be started by init. +## +## +## Type to be used as a domain. +## +## +## Type of the program to be used as an entry point to this domain. +## # interface(`init_domain',` gen_require(` @@ -34,16 +41,25 @@ interface(`init_domain',` ') ######################################## -# -# init_daemon_domain(domain,entrypointfile) +## +## Create a domain for long running processes +## (daemons) which can be started by init scripts. +## +## +## Type to be used as a domain. +## +## +## Type of the program to be used as an entry point to this domain. +## # interface(`init_daemon_domain',` gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; role system_r; class fifo_file rw_file_perms; class fd use; - class process sigchld; + class process { noatsecure siginh rlimitinh sigchld }; ') domain_type($1) @@ -54,10 +70,24 @@ interface(`init_daemon_domain',` domain_auto_trans(initrc_t,$2,$1) allow initrc_t $1:fd use; + allow initrc_t $1:process { noatsecure siginh rlimitinh }; allow $1 initrc_t:fd use; allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; + ifdef(`direct_sysadm_daemon',` + domain_auto_trans(direct_run_init,$2,$1) + + allow direct_run_init $1:fd use; + allow direct_run_init $1:process { noatsecure siginh rlimitinh }; + allow $1 direct_run_init:fd use; + allow $1 direct_run_init:fifo_file rw_file_perms; + allow $1 direct_run_init:process sigchld; + + typeattribute $1 direct_init; + typeattribute $2 direct_init_entry; + ') + # Red Hat systems seem to have a stray # fd open from the initrd optional_policy(`distro_redhat',` @@ -67,8 +97,16 @@ interface(`init_daemon_domain',` ') ######################################## -# -# init_system_domain(domain,entrypointfile) +## +## Create a domain for short running processes +## which can be started by init scripts. +## +## +## Type to be used as a domain. +## +## +## Type of the program to be used as an entry point to this domain. +## # interface(`init_system_domain',` gen_require(` @@ -260,6 +298,32 @@ interface(`init_domtrans_script',` ') ######################################## +## +## Start and stop daemon programs directly. +## +## +## The type of the process performing this action. +## +## +## The role to be performing this action. +## +## +## The type of the terminal of the user. +## +# +interface(`init_run_daemon',` + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; + role system_r; + class chr_file rw_file_perms; + ') + + typeattribute $1 direct_run_init; + role_transition $2 direct_init_entry system_r; + dontaudit direct_init $3:chr_file rw_file_perms; +') + +######################################## # # init_exec_script(domain) # diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 70f88b3..f11db47 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -6,6 +6,12 @@ policy_module(init,1.0) # Declarations # +# used for direct running of init scripts +# by admin domains +attribute direct_run_init; +attribute direct_init; +attribute direct_init_entry; + # # init_t is the domain of the init process. # diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 14eac6d..8c6312e 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -82,9 +82,7 @@ libs_use_shared_libs(auditd_t) miscfiles_read_localization(auditd_t) userdom_dontaudit_use_unpriv_user_fd(auditd_t) -# cjp: this is questionable. it should probably -# be a userdom_dontaudit_use_sysadm_terms(auditd_t) -# in a direct_sysadm_daemon tunable +# cjp: this is questionable userdom_use_sysadm_tty(auditd_t) ifdef(`targeted_policy', ` @@ -248,10 +246,6 @@ ifdef(`klogd.te', `', ` kernel_change_ring_buffer_level(syslogd_t) ') -ifdef(`direct_sysadm_daemon',` - userdom_dontaudit_use_sysadm_terms(syslogd_t) -') - ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(syslogd_t) term_dontaudit_use_generic_pty(syslogd_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index a3174c5..d754509 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -100,6 +100,12 @@ ifdef(`targeted_policy',` allow sysadm_t user_home_dir_t:dir create_dir_perms; files_create_home_dirs(sysadm_t,user_home_dir_t) + ifdef(`direct_sysadm_daemon',` + optional_policy(`init.te',` + init_run_daemon(sysadm_t,sysadm_r,admin_terminal) + ') + ') + optional_policy(`bootloader.te',` bootloader_run(sysadm_t,sysadm_r,admin_terminal) ') diff --git a/refpolicy/policy/users b/refpolicy/policy/users index 76f8f53..2341ebf 100644 --- a/refpolicy/policy/users +++ b/refpolicy/policy/users @@ -38,7 +38,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127) # not in the sysadm_r. # ifdef(`targeted_policy',` -gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127) + gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127) ',` -gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127) + ifdef(`direct_sysadm_daemon',` + gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127) +',` + gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127) + ') ')