diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 8a85ac7..496eb1c 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1,7 +1,7 @@
 ##
 ##
-## Policy for kernel threads, security interface (selinuxfs),
-## proc filesystem, sysfs filesystem, and usb device filesystem.
+## Policy for kernel threads, proc filesystem,
+## and unlabeled processes and objects.
 ##
 ########################################
@@ -153,290 +153,6 @@ define(`kernel_load_module_depend',`
 ')
 ########################################
-##
-##
-## Allows the caller to get the mode of policy enforcement
-## (enforcing or permissive mode).
-##
-##
-## The process type to allow to get the enforcing mode.
-##
-##
-#
-define(`kernel_get_selinux_enforcement_mode',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read };
-')
-
-define(`kernel_get_selinux_enforcement_mode_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read };
-')
-
-########################################
-##
-##
-## Allow caller to set the mode of policy enforcement
-## (enforcing or permissive mode).
-##
-##
-## The process type to allow to set the enforcement mode.
-##
-##
-#
-define(`kernel_set_enforcement_mode',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security setenforce;
- auditallow $1 security_t:security setenforce;
- typeattribute $1 can_setenforce;
-')
-
-define(`kernel_set_enforcement_mode_depend',`
- type security_t;
-
- attribute can_setenforce;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setenforce;
-')
-
-########################################
-##
-##
-## Allow caller to load the policy into the kernel.
-##
-##
-## The process type that will load the policy.
-##
-##
-#
-define(`kernel_load_policy',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security load_policy;
- auditallow $1 security_t:security load_policy;
- typeattribute $1 can_load_policy;
-')
-
-define(`kernel_load_policy_depend',`
- type security_t;
-
- attribute can_load_policy;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security load_policy;
-')
-
-########################################
-##
-##
-## Allow caller to set the state of Booleans to
-## enable or disable conditional portions of the policy.
-##
-##
-## The process type allowed to set the Boolean.
-##
-##
-## The type of Booleans the caller is allowed to set.
-##
-##
-#
-define(`kernel_set_boolean',`
- gen_require(`$0'_depend)
-
- ifelse(`$2',`',`
- allow $1 security_t:dir { getattr search read };
- allow $1 security_t:file { getattr read write };
- ',`
- allow $1 $2:dir { getattr search read };
- allow $1 $2:file { getattr read write };
- ')
-
- allow $1 security_t:dir search;
- allow $1 security_t:security setbool;
- auditallow $1 security_t:security setbool;
-')
-
-define(`kernel_set_boolean_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setbool;
-')
-
-########################################
-##
-##
-## Allow caller to set selinux security parameters.
-##
-##
-## The process type to allow to set security parameters.
-##
-##
-#
-define(`kernel_set_security_parameters',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security setsecparam;
- auditallow $1 security_t:security setsecparam;
- typeattribute $1 can_setsecparam;
-')
-
-define(`kernel_set_security_parameters_depend',`
- type security_t;
-
- attribute can_setsecparam;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security setsecparam;
-')
-
-########################################
-##
-##
-## Allows caller to validate security contexts.
-##
-##
-## The process type permitted to validate contexts.
-##
-##
-#
-define(`kernel_validate_context',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security check_context;
-')
-
-define(`kernel_validate_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security check_context;
-')
-
-########################################
-##
-##
-## Allows caller to compute an access vector.
-##
-##
-## The process type allowed to compute an access vector.
-##
-##
-#
-define(`kernel_compute_access_vector',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security compute_av;
-')
-
-define(`kernel_compute_access_vector_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_av;
-')
-
-########################################
-##
-##
-##
-##
-##
-##
-##
-##
-#
-define(`kernel_compute_create_context',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security compute_create;
-')
-
-define(`kernel_compute_create_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_create;
-')
-
-########################################
-##
-##
-##
-##
-##
-## The process type to
-##
-##
-#
-define(`kernel_compute_relabel_context',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security compute_relabel;
-')
-
-define(`kernel_compute_relabel_context_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_relabel;
-')
-
-########################################
-##
-##
-## Allows caller to compute possible contexts for a user.
-##
-##
-## The process type allowed to compute user contexts.
-##
-##
-#
-define(`kernel_compute_reachable_user_contexts',`
- gen_require(`$0'_depend)
-
- allow $1 security_t:dir { read search getattr };
- allow $1 security_t:file { getattr read write };
- allow $1 security_t:security compute_user;
-')
-
-define(`kernel_compute_reachable_user_contexts_depend',`
- type security_t;
-
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_user;
-')
-
-########################################
 ##
 ##
 ## Allows caller to read the ring buffer.
@@ -547,33 +263,6 @@ define(`kernel_get_sysvipc_info_depend',`
 ')
 ########################################
-##
-##
-## Gets the caller the mountpoint of the selinuxfs filesystem.
-##
-##
-## The process type requesting the selinuxfs mountpoint.
-##
-##
-#
-define(`kernel_get_selinuxfs_mount_point',`
- gen_require(`$0'_depend)
-
- allow $1 proc_t:dir search;
- allow $1 proc_t:{ file lnk_file } read;
- allow $1 self:dir search;
- allow $1 self:file { getattr read };
-')
-
-define(`kernel_get_selinuxfs_mount_point_depend',`
- type proc_t;
-
- class dir search;
- class lnk_file read;
- class file { getattr read };
-')
-
-########################################
 ##
 ##
 ## Allows caller to read system state information.
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 0a582a3..bc938cf 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,6 +1,11 @@
 policy_module(kernel,1.0)
+########################################
+#
+# Declarations
+#
+
 # assertion related attributes
 attribute can_load_policy;
 attribute can_setenforce;
@@ -44,16 +49,6 @@ sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0)
 sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0)
 sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0)
-#
-# security_t is the target type when checking
-# the permissions in the security class. It is also
-# applied to selinuxfs inodes.
-#
-type security_t;
-fs_make_fs(security_t)
-sid security context_template(system_u:object_r:security_t,s0)
-genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
-
 #
 # Procfs types
 #
@@ -202,8 +197,8 @@ libs_use_shared_libs(kernel_t)
 logging_send_syslog_msg(kernel_t)
-selinux_read_config(kernel_t)
-selinux_read_binary_pol(kernel_t)
+seutil_read_config(kernel_t)
+seutil_read_binary_pol(kernel_t)
 neverallow ~can_load_policy security_t:security load_policy;
 neverallow ~can_setenforce security_t:security setenforce;
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
new file mode 100644
index 0000000..4f36172
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/selinux.if
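Review bot: The two neverallow assertions left as context at the end of the @@ -202,8 hunk still name `security_t`, which this commit removes from kernel.te (the @@ -44,16 hunk) and declares in the new selinux.te instead, and the `can_load_policy`/`can_setenforce` attributes those assertions test likewise stay in kernel.te (the @@ -1,6 hunk) while every interface that adds a domain to them now lives in selinux.if. Whether the build resolves a type declared in another module from kernel.te is not visible in the diff, but either way the assertions guard the security class on `security_t` and belong next to that declaration. I would move `attribute can_load_policy;`, `attribute can_setenforce;` (and `can_setsecparam`, which `selinux_set_parameters_depend` requires and which presumably sits in the same kernel.te block) together with the two neverallow lines into selinux.te, so the module that defines the type also carries its assertions.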
@@ -0,0 +1,306 @@
+##
+##
+## Policy for kernel security interface, in particular, selinuxfs.
+##
+
+########################################
+##
+##
+## Gets the caller the mountpoint of the selinuxfs filesystem.
+##
+##
+## The process type requesting the selinuxfs mountpoint.
+##
+##
+#
+define(`selinux_get_fs_mount',`
+ # read /proc/filesystems to see if selinuxfs is supported
+ # then read /proc/self/mount to see where selinuxfs is mounted
+ kernel_read_system_state($1)
+')
+
+########################################
+##
+##
+## Allows the caller to get the mode of policy enforcement
+## (enforcing or permissive mode).
+##
+##
+## The process type to allow to get the enforcing mode.
+##
+##
+#
+define(`selinux_get_enforce_mode',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read };
+')
+
+define(`selinux_get_enforce_mode_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read };
+')
+
+########################################
+##
+##
+## Allow caller to set the mode of policy enforcement
+## (enforcing or permissive mode).
+##
+##
+## The process type to allow to set the enforcement mode.
+##
+##
+#
+define(`selinux_set_enforce_mode',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security setenforce;
+ auditallow $1 security_t:security setenforce;
+ typeattribute $1 can_setenforce;
+')
+
+define(`selinux_set_enforce_mode_depend',`
+ type security_t;
+
+ attribute can_setenforce;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setenforce;
+')
+
+########################################
+##
+##
+## Allow caller to load the policy into the kernel.
+##
+##
+## The process type that will load the policy.
+##
+##
+#
+define(`selinux_load_policy',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security load_policy;
+ auditallow $1 security_t:security load_policy;
+ typeattribute $1 can_load_policy;
+')
+
+define(`selinux_load_policy_depend',`
+ type security_t;
+
+ attribute can_load_policy;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security load_policy;
+')
+
+########################################
+##
+##
+## Allow caller to set the state of Booleans to
+## enable or disable conditional portions of the policy.
+##
+##
+## The process type allowed to set the Boolean.
+##
+##
+## The type of Booleans the caller is allowed to set.
+##
+##
+#
+define(`selinux_set_boolean',`
+ gen_require(`$0'_depend)
+
+ ifelse(`$2',`',`
+ allow $1 security_t:dir { getattr search read };
+ allow $1 security_t:file { getattr read write };
+ ',`
+ allow $1 $2:dir { getattr search read };
+ allow $1 $2:file { getattr read write };
+ ')
+
+ allow $1 security_t:dir search;
+ allow $1 security_t:security setbool;
+ auditallow $1 security_t:security setbool;
+')
+
+define(`selinux_set_boolean_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setbool;
+')
+
+########################################
+##
+##
+## Allow caller to set selinux security parameters.
+##
+##
+## The process type to allow to set security parameters.
+##
+##
+#
+define(`selinux_set_parameters',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security setsecparam;
+ auditallow $1 security_t:security setsecparam;
+ typeattribute $1 can_setsecparam;
+')
+
+define(`selinux_set_parameters_depend',`
+ type security_t;
+
+ attribute can_setsecparam;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security setsecparam;
+')
+
+########################################
+##
+##
+## Allows caller to validate security contexts.
+##
+##
+## The process type permitted to validate contexts.
+##
+##
+#
+define(`selinux_validate_context',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security check_context;
+')
+
+define(`selinux_validate_context_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security check_context;
+')
+
+########################################
+##
+##
+## Allows caller to compute an access vector.
+##
+##
+## The process type allowed to compute an access vector.
+##
+##
+#
+define(`selinux_compute_access_vector',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security compute_av;
+')
+
+define(`selinux_compute_access_vector_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_av;
+')
+
+########################################
+##
+##
+##
+##
+##
+##
+##
+##
+#
+define(`selinux_compute_create_context',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security compute_create;
+')
+
+define(`selinux_compute_create_context_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_create;
+')
+
+########################################
+##
+##
+##
+##
+##
+## The process type to
+##
+##
+#
+define(`selinux_compute_relabel_context',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security compute_relabel;
+')
+
+define(`selinux_compute_relabel_context_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_relabel;
+')
+
+########################################
+##
+##
+## Allows caller to compute possible contexts for a user.
+##
+##
+## The process type allowed to compute user contexts.
+##
+##
+#
+define(`selinux_compute_user_contexts',`
+ gen_require(`$0'_depend)
+
+ allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:file { getattr read write };
+ allow $1 security_t:security compute_user;
+')
+
+define(`selinux_compute_user_contexts_depend',`
+ type security_t;
+
+ class dir { read search getattr };
+ class file { getattr read write };
+ class security compute_user;
+')
+
+##
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
new file mode 100644
index 0000000..69f6e10
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -0,0 +1,17 @@
+
+policy_module(selinux,1.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# security_t is the target type when checking
+# the permissions in the security class. It is also
+# applied to selinuxfs inodes.
+#
+type security_t;
+fs_make_fs(security_t)
+sid security context_template(system_u:object_r:security_t,s0)
+genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
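Review bot: `selinux_compute_create_context` and `selinux_compute_relabel_context` are added with empty documentation blocks — the summary and parameter lines are blank, and the relabel one breaks off at `## The process type to` — while every other interface in selinux.if states what it grants; I would complete them with `## Allows caller to compute a context for a new object.` / `## The process type allowed to compute create contexts.` and `## Allows caller to compute the context of a relabeled object.` / `## The process type allowed to compute relabel contexts.`. The comment inside `selinux_get_fs_mount` refers to `/proc/self/mount`; the file the kernel exposes is `/proc/self/mounts` (or `/proc/mounts`), so the comment should name that. That interface also departs from the rest of the file by delegating to `kernel_read_system_state($1)` instead of carrying a `_depend` block with explicit proc_t rules as the removed `kernel_get_selinuxfs_mount_point` did; what that call grants beyond the previous dir search and file/lnk_file read on proc_t is not visible in the diff, so it is worth confirming the allow set stays the minimum a caller that only needs the mountpoint requires.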
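Review bot: selinux.te begins with an empty line ahead of `policy_module(selinux,1.0)`, whereas kernel.te (context of its @@ -1,6 hunk) has `policy_module(kernel,1.0)` as line 1; dropping the leading blank keeps the module header first, as kernel.te does. The remainder of the file reproduces the `security_t` block removed from kernel.te unchanged, so nothing else in this hunk needs adjusting.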