diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 9fa9840..dc0f332 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -19,6 +19,33 @@ filesystem_tmpfs_associate_depend ######################################## # +# devices_manage_all_devices_labels(type,[`optional']) +# +define(`devices_manage_all_devices_labels',` +requires_block_template(devices_manage_all_devices_labels_depend,$2) +allow $1 device_node:dir { getattr relabelfrom }; +allow $1 device_node:file { getattr relabelfrom }; +allow $1 device_node:lnk_file { getattr relabelfrom }; +allow $1 device_node:fifo_file { getattr relabelfrom }; +allow $1 device_node:sock_file { getattr relabelfrom }; +allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto }; +allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto }; +') + +define(`devices_manage_all_devices_labels_depend',` +attribute device_node; +type device_t; +class dir { getattr relabelfrom }; +class file { getattr relabelfrom }; +class lnk_file { getattr relabelfrom }; +class fifo_file { getattr relabelfrom }; +class sock_file { getattr relabelfrom }; +class blk_file { getattr relabelfrom relabelto }; +class chr_file { getattr relabelfrom relabelto }; +') + +######################################## +# # devices_list_device_nodes(type,[`optional']) # define(`devices_list_device_nodes',` diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 3fc8adf..e4482d1 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -11,10 +11,9 @@ attribute device_node; # # device_t is the type of /dev. # -type device_t, device_node; -filesystem_associate(device_t) +type device_t; +files_make_file(device_t) filesystem_tmpfs_associate(device_t) -filesystem_noxattr_associate(device_t) # Only directories and symlinks should be labeled device_t. # If there are other files with this type, it is wrong. diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 77f4037..224daf6 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -43,14 +43,14 @@ class process share; ######################################## # -# kernel_use_kernel_fd(domain,[`optional']) +# kernel_use_file_descriptors(domain,[`optional']) # -define(`kernel_use_kernel_fd',` -requires_block_template(kernel_use_kernel_fd_depend,$2) +define(`kernel_use_file_descriptors',` +requires_block_template(kernel_use_file_descriptors_depend,$2) allow $1 kernel_t:fd use; ') -define(`kernel_use_kernel_fd_depend',` +define(`kernel_use_file_descriptors_depend',` type kernel_t; class fd use; ') @@ -104,20 +104,18 @@ class process sigkill; # define(`kernel_relabel_unlabeled_object',` requires_block_template(kernel_relabel_unlabeled_object_depend,$2) -allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } relabelfrom; -typeattribute $1 can_relabel; +allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom }; ') define(`kernel_relabel_unlabeled_object_depend',` -attribute can_relabel; type unlabeled_t; -class dir relabelfrom; -class file relabelfrom; -class lnk_file relabelfrom; -class fifo_file relabelfrom; -class sock_file relabelfrom; -class chr_file relabelfrom; -class blk_file relabelfrom; +class dir { getattr relabelfrom }; +class file { getattr relabelfrom }; +class lnk_file { getattr relabelfrom }; +class fifo_file { getattr relabelfrom }; +class sock_file { getattr relabelfrom }; +class chr_file { getattr relabelfrom }; +class blk_file { getattr relabelfrom }; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 6c741e1..64da779 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -126,6 +126,22 @@ kernel_relabeling_privilege_depend ######################################## # +# terminal_list_pseudoterminals(domain,[`optional']) +# +define(`terminal_list_pseudoterminals',` +requires_block_template(terminal_list_pseudoterminals_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 devpts_t:dir { getattr search read }; +') + +define(`terminal_list_pseudoterminals_depend',` +type devpts_t; +class dir { getattr search read }; +devices_list_device_nodes_depend +') + +######################################## +# # terminal_ignore_list_pseudoterminals(domain,[`optional']) # define(`terminal_ignore_list_pseudoterminals',` diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 66ebcc5..53b3ac0 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -41,20 +41,60 @@ class sock_file getattr; ######################################## # +# files_manage_all_files_labels(type,[`optional']) +# +define(`files_manage_all_files_labels',` +requires_block_template(files_manage_all_files_labels_depend,$2) +allow $1 file_type:dir { getattr relabelfrom relabelto }; +allow $1 file_type:file { getattr relabelfrom relabelto }; +allow $1 file_type:lnk_file { getattr relabelfrom relabelto }; +allow $1 file_type:fifo_file { getattr relabelfrom relabelto }; +allow $1 file_type:sock_file { getattr relabelfrom relabelto }; +allow $1 file_type:blk_file { getattr relabelfrom }; +allow $1 file_type:chr_file { getattr relabelfrom }; +') + +define(`files_manage_all_files_labels_depend',` +attribute file_type; +class dir { relabelfrom relabelto }; +class file { relabelfrom relabelto }; +class lnk_file { relabelfrom relabelto }; +class fifo_file { relabelfrom relabelto }; +class sock_file { relabelfrom relabelto }; +class blk_file relabelfrom; +class chr_file relabelfrom; +') + +######################################## +# # files_search_all_directories(type,[`optional']) # define(`files_search_all_directories',` -requires_block_template(files_get_all_file_attributes_depend,$2) +requires_block_template(files_search_all_directories_depend,$2) allow $1 file_type:dir search; ') -define(`files_get_all_file_attributes_depend',` +define(`files_search_all_directories_depend',` attribute file_type; class dir search; ') ######################################## # +# files_read_all_directories(type,[`optional']) +# +define(`files_read_all_directories',` +requires_block_template(files_read_all_directories_depend,$2) +allow $1 file_type:dir { getattr search read }; +') + +define(`files_read_all_directories_depend',` +attribute file_type; +class dir { getattr search read }; +') + +######################################## +# # files_read_root_dir(domain,[`optional']) # define(`files_read_root_dir',` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index b277170..2917688 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -66,6 +66,20 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # +# init_script_use_file_descriptors(domain,[`optional']) +# +define(`init_script_use_file_descriptors',` +requires_block_template(init_script_use_file_descriptors_depend,$2) +allow $1 initrc_t:fd use; +') + +define(`init_script_use_file_descriptors_depend',` +type initrc_t; +class fd use; +') + +######################################## +# # init_script_use_pseudoterminal(domain,[`optional']) # define(`init_script_use_pseudoterminal',` diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 10b4112..87e5ac6 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if @@ -35,6 +35,23 @@ class file { getattr read }; ######################################## # +# selinux_read_file_contexts(domain,[`optional']) +# +define(`selinux_read_file_contexts',` +requires_block_template(selinux_read_file_contexts_depend,$2) +allow $1 selinux_config_t:dir search; +allow $1 file_context_t:dir { getattr search read }; +allow $1 file_context_t:file { getattr read }; +') + +define(`selinux_read_file_contexts_depend',` +type selinux_config_t, file_context_t; +class dir { getattr search read }; +class file { getattr read }; +') + +######################################## +# # selinux_read_binary_policy(domain,[`optional']) # define(`selinux_read_binary_policy',` diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 7a2fece..635d80b 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -2,12 +2,47 @@ policy_module(selinux,1.0) +######################################## # -# selinux_config_t is the type applied to -# /etc/selinux/config +# Declarations # -type selinux_config_t; -files_make_file(selinux_config_t) + +attribute can_write_binary_policy; +attribute can_relabelto_binary_policy; + +type checkpolicy_t, can_write_binary_policy; +domain_make_domain(checkpolicy_t) +role system_r types checkpolicy_t; + +type checkpolicy_exec_t; +domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) + +# +# default_context_t is the type applied to +# /etc/selinux/*/contexts/* +# +type default_context_t; +files_make_file(default_context_t) + +# +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files +# +type file_context_t; +files_make_file(file_context_t) + +type load_policy_t; +domain_make_domain(load_policy_t) +role system_r types load_policy_t; + +type load_policy_exec_t; +domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) + +type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2; +domain_make_domain(newrole_t) + +type newrole_exec_t; +domain_make_entrypoint_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* @@ -16,8 +51,6 @@ files_make_file(selinux_config_t) type policy_config_t; files_make_file(policy_config_t) -attribute can_write_binary_policy; -attribute can_relabelto_binary_policy; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -28,24 +61,354 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append }; type policy_src_t; files_make_file(policy_src_t) +type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context; +domain_make_domain(restorecon_t) +role system_r types restorecon_t; + +type restorecon_exec_t; +domain_make_entrypoint_file(restorecon_t,restorecon_exec_t) + # -# default_context_t is the type applied to -# /etc/selinux/*/contexts/* +# selinux_config_t is the type applied to +# /etc/selinux/config # -type default_context_t; -files_make_file(default_context_t) +type selinux_config_t; +files_make_file(selinux_config_t) +type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context; +domain_make_domain(setfiles_t) +role system_r types setfiles_t; + +type setfiles_exec_t; +domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) + +######################################## # -# file_context_t is the type applied to -# /etc/selinux/*/contexts/files +# Checkpolicy local policy # -type file_context_t; -files_make_file(file_context_t) -type load_policy_t; -domain_make_domain(load_policy_t) +allow checkpolicy_t self:capability dac_override; -type load_policy_exec_t; -domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) +# able to create and modify binary policy files +allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + +# only allow read of policy source files +allow checkpolicy_t policy_src_t:dir { getattr search read }; +allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read }; +allow checkpolicy_t selinux_config_t:dir search; + +filesystem_get_persistent_filesystem_attributes(checkpolicy_t) + +terminal_use_console(checkpolicy_t) +terminal_use_controlling_terminal(checkpolicy_t) + +init_use_file_descriptors(checkpolicy_t) +init_script_use_pseudoterminal(checkpolicy_t) + +libraries_use_dynamic_loader(checkpolicy_t) +libraries_read_shared_libraries(checkpolicy_t) + +ifdef(`TODO',` +role sysadm_r types checkpolicy_t; +domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) + +# allow test policies to be created in src directories +file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) + +# directory search permissions for path to source and binary policy files +allow checkpolicy_t root_t:dir search; +allow checkpolicy_t etc_t:dir search; + +# Read the devpts root directory. +allow checkpolicy_t devpts_t:dir r_dir_perms; +ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') + +# Other access +allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; + +allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; + +# Allow users to execute checkpolicy without a domain transition +# so it can be used without privilege to write real binary policy file +can_exec(unpriv_userdomain, checkpolicy_exec_t) + +allow checkpolicy_t { userdomain privfd }:fd use; +') dnl endif TODO + +######################################## +# +# Load_policy local policy +# + +allow load_policy_t self:capability dac_override; + +# only allow read of policy config files +allow load_policy_t policy_src_t:dir search; +allow load_policy_t policy_config_t:dir { getattr search read }; +allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; + +allow newrole_t selinux_config_t:dir { getattr read search }; +allow newrole_t selinux_config_t:file { read getattr }; +allow newrole_t selinux_config_t:lnk_file { getattr read }; + +kernel_get_selinuxfs_mount_point(load_policy_t) +kernel_load_selinux_policy(load_policy_t) +kernel_set_selinux_boolean(load_policy_t) + +filesystem_get_persistent_filesystem_attributes(load_policy_t) + +terminal_use_console(load_policy_t) +terminal_use_controlling_terminal(load_policy_t) +terminal_list_pseudoterminals(load_policy_t) + +init_script_use_file_descriptors(load_policy_t) +init_script_use_pseudoterminal(load_policy_t) + +libraries_use_dynamic_loader(load_policy_t) +libraries_read_shared_libraries(load_policy_t) + +miscfiles_read_localization(load_policy_t) + +ifdef(`TODO',` +role sysadm_r types load_policy_t; +domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) + +# directory search permissions for path to binary policy files +allow load_policy_t etc_t:dir search; + +# Other access +allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr }; + +allow load_policy_t { userdomain privfd }:fd use; + +allow load_policy_t sysadm_tmp_t:file { getattr write } ; +') dnl endif TODO + +######################################## +# +# Newrole local policy +# + +allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; + +allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow newrole_t self:process setexec; +allow newrole_t self:fd use; +allow newrole_t self:fifo_file { read getattr lock ioctl write append }; +allow newrole_t self:unix_dgram_socket sendto; +allow newrole_t self:unix_stream_socket connectto; +allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; +allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; +allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow newrole_t self:msg { send receive }; + +allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search }; +allow newrole_t { selinux_config_t default_context_t }:file { read getattr }; +allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_read_system_state(newrole_t) +kernel_read_kernel_sysctl(newrole_t) +kernel_get_selinuxfs_mount_point(newrole_t) +kernel_validate_selinux_context(newrole_t) +kernel_compute_selinux_av(newrole_t) +kernel_compute_create(newrole_t) +kernel_compute_relabel(newrole_t) +kernel_compute_reachable_user_contexts(newrole_t) + +devices_get_pseudorandom_data(newrole_t) + +filesystem_get_persistent_filesystem_attributes(newrole_t) + +terminal_list_pseudoterminals(newrole_t) +terminal_use_controlling_terminal(newrole_t) + +files_read_general_system_config(newrole_t) + +libraries_use_dynamic_loader(newrole_t) +libraries_read_shared_libraries(newrole_t) + +miscfiles_read_localization(newrole_t) + +ifdef(`TODO',` +in_user_role(newrole_t) +role sysadm_r types newrole_t; + +allow newrole_t unpriv_userdomain:fd use; +can_ypbind(newrole) +ifdef(`automount.te', ` +allow newrole_t autofs_t:dir { search getattr }; +') + +# for when the user types "exec newrole" at the command line +allow newrole_t privfd:process sigchld; + +# Inherit descriptors from the current session. +allow newrole_t privfd:fd use; + +# Execute /sbin/pwdb_chkpwd to check the password. +allow newrole_t sbin_t:dir r_dir_perms; + +# Execute shells +allow newrole_t bin_t:dir r_dir_perms; +allow newrole_t bin_t:lnk_file read; +allow newrole_t shell_exec_t:file r_file_perms; + +# Allow newrole_t to transition to user domains. +bool secure_mode false; +domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans(newrole_t, shell_exec_t, sysadm_t) +} + +# Read /var. +allow newrole_t var_t:dir r_dir_perms; +allow newrole_t var_t:notdevfile_class_set r_file_perms; + +# Read /dev directories and any symbolic links. +allow newrole_t device_t:dir r_dir_perms; + +# Relabel terminals. +allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. +allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') + +# for some PAM modules and for cwd +dontaudit newrole_t { home_root_t home_type }:dir search; + +# for when the network connection is killed +dontaudit unpriv_userdomain newrole_t:process signal; + +# Write to utmp. +allow newrole_t var_run_t:dir r_dir_perms; +allow newrole_t initrc_var_run_t:file rw_file_perms; +') dnl ifdef TODO + +######################################## +# +# Restorecon local policy +# + +allow restorecon_t self:capability { dac_override dac_read_search fowner }; + +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_use_file_descriptors(restorecon_t) +kernel_read_system_state(restorecon_t) +kernel_get_selinuxfs_mount_point(restorecon_t) +kernel_validate_selinux_context(restorecon_t) +kernel_compute_selinux_av(restorecon_t) +kernel_compute_create(restorecon_t) +kernel_compute_relabel(restorecon_t) +kernel_compute_reachable_user_contexts(restorecon_t) + +filesystem_get_persistent_filesystem_attributes(restorecon_t) + +init_use_file_descriptors(restorecon_t) +init_script_use_pseudoterminal(restorecon_t) + +files_read_runtime_system_config(restorecon_t) +files_read_general_system_config(restorecon_t) + +libraries_use_dynamic_loader(restorecon_t) +libraries_read_shared_libraries(restorecon_t) + +logging_send_system_log_message(restorecon_t) + +# relabeling rules +files_read_all_directories(restorecon_t) +kernel_relabel_unlabeled_object(restorecon_t) +devices_manage_all_devices_labels(restorecon_t) +files_manage_all_files_labels(restorecon_t) + +ifdef(`TODO',` +allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; + +domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) +domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) +role sysadm_r types restorecon_t; +allow restorecon_t { userdomain privfd }:fd use; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that restorecon can not be run! +allow restorecon_t lib_t:file { read execute }; + +ifdef(`distro_redhat', ` +allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +') + +allow restorecon_t fs_type:dir r_dir_perms; + +allow restorecon_t device_t:file { read write }; +allow restorecon_t kernel_t:fifo_file { read write }; +') dnl endif TODO + +######################################## +# +# Setfiles local policy +# + +allow setfiles_t self:capability { dac_override dac_read_search fowner }; + +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_read_system_state(setfiles_t) +kernel_get_selinuxfs_mount_point(setfiles_t) +kernel_validate_selinux_context(setfiles_t) +kernel_compute_selinux_av(setfiles_t) +kernel_compute_create(setfiles_t) +kernel_compute_relabel(setfiles_t) +kernel_compute_reachable_user_contexts(setfiles_t) + +filesystem_get_persistent_filesystem_attributes(setfiles_t) + +terminal_use_controlling_terminal(setfiles_t) + +init_use_file_descriptors(setfiles_t) +init_script_use_file_descriptors(setfiles_t) +init_script_use_pseudoterminal(setfiles_t) + +libraries_use_dynamic_loader(setfiles_t) +libraries_read_shared_libraries(setfiles_t) + +files_read_runtime_system_config(setfiles_t) +files_read_general_system_config(setfiles_t) + +logging_send_system_log_message(setfiles_t) + +miscfiles_read_localization(setfiles_t) + +# relabeling rules +files_read_all_directories(setfiles_t) +kernel_relabel_unlabeled_object(setfiles_t) +devices_manage_all_devices_labels(setfiles_t) +files_manage_all_files_labels(setfiles_t) + +ifdef(`TODO',` + +allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl }; + +domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) +role sysadm_r types setfiles_t; + +allow setfiles_t { userdomain privfd }:fd use; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that setfiles can not be run! +allow setfiles_t lib_t:file { read execute }; + +allow setfiles_t unlabeled_t:dir read; + +allow setfiles_t fs_type:dir r_dir_perms; -selinux_read_binary_policy(load_policy_t) +# for config files in a home directory +allow setfiles_t home_type:file r_file_perms; +') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 10b4112..87e5ac6 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -35,6 +35,23 @@ class file { getattr read }; ######################################## # +# selinux_read_file_contexts(domain,[`optional']) +# +define(`selinux_read_file_contexts',` +requires_block_template(selinux_read_file_contexts_depend,$2) +allow $1 selinux_config_t:dir search; +allow $1 file_context_t:dir { getattr search read }; +allow $1 file_context_t:file { getattr read }; +') + +define(`selinux_read_file_contexts_depend',` +type selinux_config_t, file_context_t; +class dir { getattr search read }; +class file { getattr read }; +') + +######################################## +# # selinux_read_binary_policy(domain,[`optional']) # define(`selinux_read_binary_policy',` diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 7a2fece..635d80b 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -2,12 +2,47 @@ policy_module(selinux,1.0) +######################################## # -# selinux_config_t is the type applied to -# /etc/selinux/config +# Declarations # -type selinux_config_t; -files_make_file(selinux_config_t) + +attribute can_write_binary_policy; +attribute can_relabelto_binary_policy; + +type checkpolicy_t, can_write_binary_policy; +domain_make_domain(checkpolicy_t) +role system_r types checkpolicy_t; + +type checkpolicy_exec_t; +domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) + +# +# default_context_t is the type applied to +# /etc/selinux/*/contexts/* +# +type default_context_t; +files_make_file(default_context_t) + +# +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files +# +type file_context_t; +files_make_file(file_context_t) + +type load_policy_t; +domain_make_domain(load_policy_t) +role system_r types load_policy_t; + +type load_policy_exec_t; +domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) + +type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2; +domain_make_domain(newrole_t) + +type newrole_exec_t; +domain_make_entrypoint_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* @@ -16,8 +51,6 @@ files_make_file(selinux_config_t) type policy_config_t; files_make_file(policy_config_t) -attribute can_write_binary_policy; -attribute can_relabelto_binary_policy; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -28,24 +61,354 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append }; type policy_src_t; files_make_file(policy_src_t) +type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context; +domain_make_domain(restorecon_t) +role system_r types restorecon_t; + +type restorecon_exec_t; +domain_make_entrypoint_file(restorecon_t,restorecon_exec_t) + # -# default_context_t is the type applied to -# /etc/selinux/*/contexts/* +# selinux_config_t is the type applied to +# /etc/selinux/config # -type default_context_t; -files_make_file(default_context_t) +type selinux_config_t; +files_make_file(selinux_config_t) +type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context; +domain_make_domain(setfiles_t) +role system_r types setfiles_t; + +type setfiles_exec_t; +domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) + +######################################## # -# file_context_t is the type applied to -# /etc/selinux/*/contexts/files +# Checkpolicy local policy # -type file_context_t; -files_make_file(file_context_t) -type load_policy_t; -domain_make_domain(load_policy_t) +allow checkpolicy_t self:capability dac_override; -type load_policy_exec_t; -domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) +# able to create and modify binary policy files +allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + +# only allow read of policy source files +allow checkpolicy_t policy_src_t:dir { getattr search read }; +allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read }; +allow checkpolicy_t selinux_config_t:dir search; + +filesystem_get_persistent_filesystem_attributes(checkpolicy_t) + +terminal_use_console(checkpolicy_t) +terminal_use_controlling_terminal(checkpolicy_t) + +init_use_file_descriptors(checkpolicy_t) +init_script_use_pseudoterminal(checkpolicy_t) + +libraries_use_dynamic_loader(checkpolicy_t) +libraries_read_shared_libraries(checkpolicy_t) + +ifdef(`TODO',` +role sysadm_r types checkpolicy_t; +domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) + +# allow test policies to be created in src directories +file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) + +# directory search permissions for path to source and binary policy files +allow checkpolicy_t root_t:dir search; +allow checkpolicy_t etc_t:dir search; + +# Read the devpts root directory. +allow checkpolicy_t devpts_t:dir r_dir_perms; +ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') + +# Other access +allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; + +allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; + +# Allow users to execute checkpolicy without a domain transition +# so it can be used without privilege to write real binary policy file +can_exec(unpriv_userdomain, checkpolicy_exec_t) + +allow checkpolicy_t { userdomain privfd }:fd use; +') dnl endif TODO + +######################################## +# +# Load_policy local policy +# + +allow load_policy_t self:capability dac_override; + +# only allow read of policy config files +allow load_policy_t policy_src_t:dir search; +allow load_policy_t policy_config_t:dir { getattr search read }; +allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; + +allow newrole_t selinux_config_t:dir { getattr read search }; +allow newrole_t selinux_config_t:file { read getattr }; +allow newrole_t selinux_config_t:lnk_file { getattr read }; + +kernel_get_selinuxfs_mount_point(load_policy_t) +kernel_load_selinux_policy(load_policy_t) +kernel_set_selinux_boolean(load_policy_t) + +filesystem_get_persistent_filesystem_attributes(load_policy_t) + +terminal_use_console(load_policy_t) +terminal_use_controlling_terminal(load_policy_t) +terminal_list_pseudoterminals(load_policy_t) + +init_script_use_file_descriptors(load_policy_t) +init_script_use_pseudoterminal(load_policy_t) + +libraries_use_dynamic_loader(load_policy_t) +libraries_read_shared_libraries(load_policy_t) + +miscfiles_read_localization(load_policy_t) + +ifdef(`TODO',` +role sysadm_r types load_policy_t; +domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) + +# directory search permissions for path to binary policy files +allow load_policy_t etc_t:dir search; + +# Other access +allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr }; + +allow load_policy_t { userdomain privfd }:fd use; + +allow load_policy_t sysadm_tmp_t:file { getattr write } ; +') dnl endif TODO + +######################################## +# +# Newrole local policy +# + +allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; + +allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; +allow newrole_t self:process setexec; +allow newrole_t self:fd use; +allow newrole_t self:fifo_file { read getattr lock ioctl write append }; +allow newrole_t self:unix_dgram_socket sendto; +allow newrole_t self:unix_stream_socket connectto; +allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; +allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; +allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow newrole_t self:msg { send receive }; + +allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search }; +allow newrole_t { selinux_config_t default_context_t }:file { read getattr }; +allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_read_system_state(newrole_t) +kernel_read_kernel_sysctl(newrole_t) +kernel_get_selinuxfs_mount_point(newrole_t) +kernel_validate_selinux_context(newrole_t) +kernel_compute_selinux_av(newrole_t) +kernel_compute_create(newrole_t) +kernel_compute_relabel(newrole_t) +kernel_compute_reachable_user_contexts(newrole_t) + +devices_get_pseudorandom_data(newrole_t) + +filesystem_get_persistent_filesystem_attributes(newrole_t) + +terminal_list_pseudoterminals(newrole_t) +terminal_use_controlling_terminal(newrole_t) + +files_read_general_system_config(newrole_t) + +libraries_use_dynamic_loader(newrole_t) +libraries_read_shared_libraries(newrole_t) + +miscfiles_read_localization(newrole_t) + +ifdef(`TODO',` +in_user_role(newrole_t) +role sysadm_r types newrole_t; + +allow newrole_t unpriv_userdomain:fd use; +can_ypbind(newrole) +ifdef(`automount.te', ` +allow newrole_t autofs_t:dir { search getattr }; +') + +# for when the user types "exec newrole" at the command line +allow newrole_t privfd:process sigchld; + +# Inherit descriptors from the current session. +allow newrole_t privfd:fd use; + +# Execute /sbin/pwdb_chkpwd to check the password. +allow newrole_t sbin_t:dir r_dir_perms; + +# Execute shells +allow newrole_t bin_t:dir r_dir_perms; +allow newrole_t bin_t:lnk_file read; +allow newrole_t shell_exec_t:file r_file_perms; + +# Allow newrole_t to transition to user domains. +bool secure_mode false; +domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) +if(!secure_mode) +{ + # if we are not in secure mode then we can transition to sysadm_t + domain_trans(newrole_t, shell_exec_t, sysadm_t) +} + +# Read /var. +allow newrole_t var_t:dir r_dir_perms; +allow newrole_t var_t:notdevfile_class_set r_file_perms; + +# Read /dev directories and any symbolic links. +allow newrole_t device_t:dir r_dir_perms; + +# Relabel terminals. +allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; + +# Access terminals. +allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms; +ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') + +# for some PAM modules and for cwd +dontaudit newrole_t { home_root_t home_type }:dir search; + +# for when the network connection is killed +dontaudit unpriv_userdomain newrole_t:process signal; + +# Write to utmp. +allow newrole_t var_run_t:dir r_dir_perms; +allow newrole_t initrc_var_run_t:file rw_file_perms; +') dnl ifdef TODO + +######################################## +# +# Restorecon local policy +# + +allow restorecon_t self:capability { dac_override dac_read_search fowner }; + +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; +allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_use_file_descriptors(restorecon_t) +kernel_read_system_state(restorecon_t) +kernel_get_selinuxfs_mount_point(restorecon_t) +kernel_validate_selinux_context(restorecon_t) +kernel_compute_selinux_av(restorecon_t) +kernel_compute_create(restorecon_t) +kernel_compute_relabel(restorecon_t) +kernel_compute_reachable_user_contexts(restorecon_t) + +filesystem_get_persistent_filesystem_attributes(restorecon_t) + +init_use_file_descriptors(restorecon_t) +init_script_use_pseudoterminal(restorecon_t) + +files_read_runtime_system_config(restorecon_t) +files_read_general_system_config(restorecon_t) + +libraries_use_dynamic_loader(restorecon_t) +libraries_read_shared_libraries(restorecon_t) + +logging_send_system_log_message(restorecon_t) + +# relabeling rules +files_read_all_directories(restorecon_t) +kernel_relabel_unlabeled_object(restorecon_t) +devices_manage_all_devices_labels(restorecon_t) +files_manage_all_files_labels(restorecon_t) + +ifdef(`TODO',` +allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; + +domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) +domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) +role sysadm_r types restorecon_t; +allow restorecon_t { userdomain privfd }:fd use; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that restorecon can not be run! +allow restorecon_t lib_t:file { read execute }; + +ifdef(`distro_redhat', ` +allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; +') + +allow restorecon_t fs_type:dir r_dir_perms; + +allow restorecon_t device_t:file { read write }; +allow restorecon_t kernel_t:fifo_file { read write }; +') dnl endif TODO + +######################################## +# +# Setfiles local policy +# + +allow setfiles_t self:capability { dac_override dac_read_search fowner }; + +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; + +kernel_read_system_state(setfiles_t) +kernel_get_selinuxfs_mount_point(setfiles_t) +kernel_validate_selinux_context(setfiles_t) +kernel_compute_selinux_av(setfiles_t) +kernel_compute_create(setfiles_t) +kernel_compute_relabel(setfiles_t) +kernel_compute_reachable_user_contexts(setfiles_t) + +filesystem_get_persistent_filesystem_attributes(setfiles_t) + +terminal_use_controlling_terminal(setfiles_t) + +init_use_file_descriptors(setfiles_t) +init_script_use_file_descriptors(setfiles_t) +init_script_use_pseudoterminal(setfiles_t) + +libraries_use_dynamic_loader(setfiles_t) +libraries_read_shared_libraries(setfiles_t) + +files_read_runtime_system_config(setfiles_t) +files_read_general_system_config(setfiles_t) + +logging_send_system_log_message(setfiles_t) + +miscfiles_read_localization(setfiles_t) + +# relabeling rules +files_read_all_directories(setfiles_t) +kernel_relabel_unlabeled_object(setfiles_t) +devices_manage_all_devices_labels(setfiles_t) +files_manage_all_files_labels(setfiles_t) + +ifdef(`TODO',` + +allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl }; + +domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) +role sysadm_r types setfiles_t; + +allow setfiles_t { userdomain privfd }:fd use; + +# for upgrading glibc and other shared objects - without this the upgrade +# scripts will put things in a state such that setfiles can not be run! +allow setfiles_t lib_t:file { read execute }; + +allow setfiles_t unlabeled_t:dir read; + +allow setfiles_t fs_type:dir r_dir_perms; -selinux_read_binary_policy(load_policy_t) +# for config files in a home directory +allow setfiles_t home_type:file r_file_perms; +') dnl endif TODO