157 lines
6.1 KiB
Plaintext
157 lines
6.1 KiB
Plaintext
|
##############################
|
||
|
#
|
||
|
# Assertions for the type enforcement (TE) configuration.
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||
|
#
|
||
|
|
||
|
##################################
|
||
|
#
|
||
|
# Access vector assertions.
|
||
|
#
|
||
|
# An access vector assertion specifies permissions that should not be in
|
||
|
# an access vector based on a source type, a target type, and a class.
|
||
|
# If any of the specified permissions are in the corresponding access
|
||
|
# vector, then the policy compiler will reject the policy configuration.
|
||
|
# Currently, there is only one kind of access vector assertion, neverallow,
|
||
|
# but support for the other kinds of vectors could be easily added. Access
|
||
|
# vector assertions use the same syntax as access vector rules.
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# Verify that every type that can be entered by
|
||
|
# a domain is also tagged as a domain.
|
||
|
#
|
||
|
neverallow domain ~domain:process { transition dyntransition };
|
||
|
|
||
|
#
|
||
|
# Verify that only the insmod_t and kernel_t domains
|
||
|
# have the sys_module capability.
|
||
|
#
|
||
|
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
|
||
|
|
||
|
#
|
||
|
# Verify that executable types, the system dynamic loaders, and the
|
||
|
# system shared libraries can only be modified by administrators.
|
||
|
#
|
||
|
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
|
||
|
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
|
||
|
|
||
|
#
|
||
|
# Verify that only appropriate domains can access /etc/shadow
|
||
|
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
|
||
|
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
|
||
|
|
||
|
#
|
||
|
# Verify that only appropriate domains can write to /etc (IE mess with
|
||
|
# /etc/passwd)
|
||
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
|
||
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
|
||
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
|
||
|
|
||
|
#
|
||
|
# Verify that other system software can only be modified by administrators.
|
||
|
#
|
||
|
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
|
||
|
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
|
||
|
|
||
|
#
|
||
|
# Verify that only certain domains have access to the raw disk devices.
|
||
|
#
|
||
|
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
|
||
|
|
||
|
#
|
||
|
# Verify that only the X server and klogd have access to memory devices.
|
||
|
#
|
||
|
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
|
||
|
|
||
|
#
|
||
|
# Verify that only domains with the privlog attribute can actually syslog
|
||
|
#
|
||
|
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
|
||
|
|
||
|
#
|
||
|
# Verify that /proc/kmsg is only accessible to klogd.
|
||
|
#
|
||
|
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
|
||
|
|
||
|
#
|
||
|
# Verify that /proc/kcore is inaccessible.
|
||
|
#
|
||
|
|
||
|
neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
|
||
|
|
||
|
#
|
||
|
# Verify that sysctl variables are only changeable
|
||
|
# by initrc and administrators.
|
||
|
#
|
||
|
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
|
||
|
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
|
||
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
|
||
|
|
||
|
#
|
||
|
# Verify that certain domains are limited to only being
|
||
|
# entered by their entrypoint types and to only executing
|
||
|
# the dynamic loader without a transition to another domain.
|
||
|
#
|
||
|
|
||
|
define(`assert_execute', `
|
||
|
ifelse($#, 0, ,
|
||
|
$#, 1,
|
||
|
``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
|
||
|
`assert_execute($1) assert_execute(shift($@))')')
|
||
|
|
||
|
ifdef(`getty.te', `assert_execute(getty)')
|
||
|
ifdef(`klogd.te', `assert_execute(klogd)')
|
||
|
ifdef(`tcpd.te', `assert_execute(tcpd)')
|
||
|
ifdef(`portmap.te', `assert_execute(portmap)')
|
||
|
ifdef(`syslogd.te', `assert_execute(syslogd)')
|
||
|
ifdef(`rpcd.te', `assert_execute(rpcd)')
|
||
|
ifdef(`rlogind.te', `assert_execute(rlogind)')
|
||
|
ifdef(`ypbind.te', `assert_execute(ypbind)')
|
||
|
ifdef(`xfs.te', `assert_execute(xfs)')
|
||
|
ifdef(`gpm.te', `assert_execute(gpm)')
|
||
|
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
|
||
|
ifdef(`iptables.te', `assert_execute(iptables)')
|
||
|
|
||
|
ifdef(`login.te', `
|
||
|
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
|
||
|
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
|
||
|
')
|
||
|
|
||
|
#
|
||
|
# Verify that the passwd domain can only be entered by its
|
||
|
# entrypoint type and can only execute the dynamic loader
|
||
|
# and the ordinary passwd program without a transition to another domain.
|
||
|
#
|
||
|
ifdef(`passwd.te', `
|
||
|
neverallow passwd_t ~passwd_exec_t:file entrypoint;
|
||
|
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
|
||
|
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
|
||
|
')
|
||
|
|
||
|
#
|
||
|
# Verify that only the admin domains and initrc_t have setenforce.
|
||
|
#
|
||
|
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
|
||
|
|
||
|
#
|
||
|
# Verify that only the kernel and load_policy_t have load_policy.
|
||
|
#
|
||
|
|
||
|
neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
|
||
|
|
||
|
#
|
||
|
# for gross mistakes in policy
|
||
|
neverallow * domain:dir ~r_dir_perms;
|
||
|
neverallow * domain:file_class_set ~rw_file_perms;
|
||
|
neverallow { domain unlabeled_t } file_type:process *;
|
||
|
neverallow ~{ domain unlabeled_t } *:process *;
|