diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 025f600..60c7c64 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -18,8 +18,8 @@ kernel_read_directory_from(sbin_t) # # ls_exec_t is the type of the ls program. # -#type ls_exec_t; -typealias bin_t alias ls_exec_t; +type ls_exec_t; +files_make_file(ls_exec_t) # # shell_exec_t is the type of user shells such as /bin/bash. diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index d3eec09..ce4c059 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -30,18 +30,9 @@ class lnk_file { getattr read }; # domain_make_domain(domain) # define(`domain_make_domain',` -requires_block_template(`$0'_depend) - -domain_make_base_domain($1,optional) - -files_read_root_dir($1,optional) -init_sigchld($1,optional) -') - -define(`domain_make_domain_depend',` -domain_make_base_domain_depend -files_read_root_dir_depend -init_send_sigchld_depend +domain_make_base_domain($1) +files_read_root_dir($1) +init_sigchld($1) ') ######################################## @@ -51,7 +42,7 @@ init_send_sigchld_depend define(`domain_make_entrypoint_file',` requires_block_template(`$0'_depend) allow $1 $2:file entrypoint; -files_make_file($2,$3) +files_make_file($2) typeattribute $1 entry_type; ') @@ -239,3 +230,17 @@ define(`domain_execute_all_entrypoint_programs_depend',` attribute entry_type; class file { getattr read execute execute_no_trans }; ') + +######################################## +# +# domain_read_all_entrypoint_programs(domain) +# +define(`domain_read_all_entrypoint_programs',` +requires_block_template(`$0'_depend) +allow $1 entry_type:{ file lnk_file } { getattr read }; +') + +define(`domain_read_all_entrypoint_programs_depend',` +attribute entry_type; +class file { getattr read }; +') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index d2fbd0c..d8c50e6 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -7,14 +7,12 @@ define(`files_make_file',` requires_block_template(`$0'_depend) typeattribute $1 file_type; -filesystem_associate($1,optional) -filesystem_noxattr_associate($1,optional) +filesystem_associate($1) +filesystem_noxattr_associate($1) ') define(`files_make_file_depend',` attribute file_type; -filesystem_associate_depend -filesystem_noxattr_associate_depend ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 372b087..aa302e2 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -395,11 +395,19 @@ kernel_ignore_get_message_interface_attributes(initrc_t) # Run_init local policy # +kernel_get_selinuxfs_mount_point(run_init_t) +kernel_validate_selinux_context(run_init_t) +kernel_compute_selinux_av(run_init_t) +kernel_compute_create(run_init_t) +kernel_compute_relabel(run_init_t) +kernel_compute_reachable_user_contexts(run_init_t) + tunable_policy(`targeted_policy',` # targeted/unconfined stuff ',` allow run_init_t initrc_t:process transition; allow run_init_t initrc_exec_t:file { getattr read execute }; +dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh }; # for utmp allow run_init_t initrc_var_run_t:file { getattr read write }; diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index fb587e1..aea9ca7 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -16,7 +16,7 @@ type iptables_tmp_t; files_make_file(iptables_tmp_t) type iptables_var_run_t; #, pidfile; -files_make_file(iptables_t) +files_make_file(iptables_var_run_t) ######################################## # diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 68899ef..00068fd 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -18,13 +18,25 @@ files_make_file(local_login_tmp_t) # allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:fd use; +allow local_login_t self:fifo_file { read getattr lock ioctl write append }; +allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow local_login_t self:unix_dgram_socket sendto; +allow local_login_t self:unix_stream_socket connectto; +allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; +allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; +allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow local_login_t self:msg { send receive }; allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) +kernel_read_kernel_sysctl(local_login_t) kernel_get_selinuxfs_mount_point(local_login_t) kernel_validate_selinux_context(local_login_t) kernel_compute_selinux_av(local_login_t) @@ -41,8 +53,12 @@ terminal_use_general_physical_terminal(local_login_t) init_script_modify_runtime_data(local_login_t) init_ignore_use_file_descriptors(local_login_t) +domain_read_all_entrypoint_programs(local_login_t) + files_read_general_system_config(local_login_t) files_read_runtime_system_config(local_login_t) +files_list_home_directories(local_login_t) +files_read_general_application_resources(local_login_t) libraries_use_dynamic_loader(local_login_t) libraries_read_shared_libraries(local_login_t) @@ -61,9 +77,20 @@ authlogin_pam_console_manage_runtime_data(local_login_t) miscfiles_read_localization(local_login_t) ifdef(`TODO',` -general_domain_access(local_login_t) +allow local_login_t unpriv_userdomain:fd use; +can_ypbind(local_login_t) +ifdef(`automount.te', ` +allow local_login_t autofs_t:dir { search getattr }; +') -base_file_read_access(local_login_t) +allow local_login_t bin_t:dir r_dir_perms; +allow local_login_t bin_t:notdevfile_class_set r_file_perms; +allow local_login_t sbin_t:dir r_dir_perms; +allow local_login_t sbin_t:notdevfile_class_set r_file_perms; +if (read_default_t) { +allow local_login_t default_t:dir r_dir_perms; +allow local_login_t default_t:notdevfile_class_set r_file_perms; +} # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. @@ -76,9 +103,6 @@ allow local_login_t { var_t var_spool_t }:dir search; # for when /var/mail is a sym-link allow local_login_t var_t:lnk_file read; -# Read executable types. -allow local_login_t exec_type:{ file lnk_file } r_file_perms; - # Read /dev directories and any symbolic links. allow local_login_t device_t:lnk_file r_file_perms; diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 6717f9f..9b20f73 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -27,6 +27,8 @@ allow $1 syslogd_t:unix_dgram_socket sendto; allow $1 syslogd_t:unix_stream_socket connectto; allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; +# cjp: this should most likely be removed: +terminal_use_console($1) ') define(`logging_send_system_log_message_depend',` diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 2855917..8a315b2 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -195,7 +195,9 @@ files_create_private_config(update_modules_t,modules_conf_t) # transition to depmod allow update_modules_t depmod_exec_t:file { getattr read execute }; +allow update_modules_t depmod_t:process transition; type_transition update_modules_t depmod_exec_t:process depmod_t; +dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh }; allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index a611d9a..a234d81 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -77,6 +77,8 @@ kernel_transition_from(udev_t,udev_exec_t) devices_manage_device_nodes(udev_t) +filesystem_get_all_filesystems_attributes(udev_t) + init_script_read_runtime_data(udev_t) files_read_runtime_system_config(udev_t)