initial commit

Chris PeBenito 2005-04-29 17:45:15 +00:00
parent 86f02eb523
commit 0fbfa546bd
527 changed files with 29445 additions and 0 deletions

strict/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

strict/ChangeLog Normal file

@ -0,0 +1,165 @@
1.23.2 2005-03-14
* Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
gift policy.
* Made sysadm_r the first role for root, so root's home will be labled
as sysadm_home_dir_t instead of staff_home_dir_t.
* Modified fs_use and Makefile to reflect jfs now supporting security
xattrs.
1.23.1 2005-03-10
* Merged diffs from Dan Walsh. Dan's patch includes Ivan
Gyurdiev's cleanup of homedir macros and more extensive use of
read_sysctl()
1.22 2005-03-09
* Updated version for release.
1.21 2005-02-24
* Added secure_file_type attribute from Dan Walsh
* Added access_terminal() macro from Ivan Gyurdiev
* Updated capability access vector for audit capabilities.
* Added mlsconvert Makefile target to help generate MLS policies
(see selinux-doc/README.MLS for instructions).
* Changed policy Makefile to still generate policy.18 as well,
and use it for make load if the kernel doesn't support 19.
* Merged enhanced MLS support from Darrel Goeddel (TCS).
* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
* Merged man pages from Dan Walsh.
1.20 2005-01-04
* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
Petre Rodan.
* Merged can_create() macro used for file_type_{,auto_}trans()
from Thomas Bleher.
* Merged dante and stunnel policy by Petre Rodan.
* Merged $1_file_type attribute from Thomas Bleher.
* Merged network_macros from Dan Walsh.
1.18 2004-10-25
* Merged diffs from Russell Coker and Dan Walsh.
* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
* Added reserved_port_t type and portcon entries to map all other
reserved ports to this type.
* Added distro_ prefix to distro tunables to avoid conflicts.
* Merged diffs from Russell Coker.
1.16 2004-08-16
* Added nscd definitions.
* Converted many tunables to policy booleans.
* Added crontab permission.
* Merged diffs from Dan Walsh.
This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
* Merged diffs from Russell Coker.
* Adjusted constraints for crond restart.
* Merged dbus/userspace object manager policy from Colin Walters.
* Merged dbus definitions from Matthew Rickard.
* Merged dnsmasq policy from Greg Norris.
* Merged gpg-agent policy from Thomas Bleher.
1.14 2004-06-28
* Removed vmware-config.pl from vmware.fc.
* Added crond entry to root_default_contexts.
* Merged patch from Dan Walsh.
* Merged mdadm and postfix changes from Colin Walters.
* Merged reiserfs and rpm changes from Russell Coker.
* Merged runaway .* glob fix from Valdis Kletnieks.
* Merged diff from Dan Walsh.
* Merged fine-grained netlink classes and permissions.
* Merged changes for new /etc/selinux layout.
* Changed mkaccess_vector.sh to provide stable order.
* Merged diff from Dan Walsh.
* Fix restorecon path in restorecon.fc.
* Merged pax class and access vector definition from Joshua Brindle.
1.12 2004-05-12
* Added targeted policy.
* Merged atd/at into crond/crontab domains.
* Exclude bind mounts from relabeling to avoid aliasing.
* Removed some obsolete types and remapped their initial SIDs to unlabeled.
* Added SE-X related security classes and policy framework.
* Added devnull initial SID and context.
* Merged diffs from Fedora policy.
1.10 2004-04-07
* Merged ipv6 support from James Morris of RedHat.
* Merged policy diffs from Dan Walsh.
* Updated call to genhomedircon to reflect new usage.
* Merged policy diffs from Dan Walsh and Russell Coker.
* Removed config-users and config-services per Dan's request.
1.8 2004-03-09
* Merged genhomedircon patch from Karl MacMillan of Tresys.
* Added restorecon domain.
* Added unconfined_domain macro.
* Added default_t for /.* file_contexts entry and replaced some
uses of file_t with default_t in the policy.
* Added su_restricted_domain() macro and use it for initrc_t.
* Merged policy diffs from Dan Walsh and Russell Coker.
These included a merge of an earlier patch by Chris PeBenito
to rename the etc types to be consistent with other types.
1.6 2004-02-18
* Merged xfs support from Chris PeBenito.
* Merged conditional rules for ping.te.
* Defined setbool permission, added can_setbool macro.
* Partial network policy cleanup.
* Merged with Russell Coker's policy.
* Renamed netscape macro and domain to mozilla and renamed
ipchains domain to iptables for consistency with Russell.
* Merged rhgb macro and domain from Russell Coker.
* Merged tunable.te from Russell Coker.
Only define direct_sysadm_daemon by default in our copy.
* Added rootok permission to passwd class.
* Merged Makefile change from Dan Walsh to generate /home
file_contexts entries for staff users.
* Added automatic role and domain transitions for init scripts and
daemons. Added an optional third argument (nosysadm) to
daemon_domain to omit the direct transition from sysadm_r when
the same executable is also used as an application, in which
case the daemon must be restarted via the init script to obtain
the proper security context. Added system_r to the authorized roles
for admin users at least until support for automatic user identity
transitions exist so that a transition to system_u can be provided
transparently.
* Added support to su domain for using pam_selinux.
Added entries to default_contexts for the su domains to
provide reasonable defaults. Removed user_su_t.
* Tighten restriction on user identity and role transitions in constraints.
* Merged macro for newrole-like domains from Russell Coker.
* Merged stub dbusd domain from Russell Coker.
* Merged stub prelink domain from Dan Walsh.
* Merged updated userhelper and config tool domains from Dan Walsh.
* Added send_msg/recv_msg permissions to can_network macro.
* Merged patch by Chris PeBenito for sshd subsystems.
* Merged patch by Chris PeBenito for passing class to var_run_domain.
* Merged patch by Yuichi Nakamura for append_log_domain macros.
* Merged patch by Chris PeBenito for rpc_pipefs labeling.
* Merged patch by Colin Walters to apply m4 once so that
source file info is preserved for checkpolicy.
1.4 2003-12-01
* Merged patches from Russell Coker.
* Revised networking permissions.
* Added new node_bind permission.
* Added new siginh, rlimitinh, and setrlimit permissions.
* Added proc_t:file read permission for new is_selinux_enabled logic.
* Added failsafe_context configuration file to appconfig.
* Moved newrules.pl to policycoreutils, renamed to audit2allow.
* Merged newrules.pl patch from Yuichi Nakamura.
1.2 2003-09-30
* More policy merging with Russell Coker.
* Transferred newrules.pl script from the old SELinux.
* Merged MLS configuration patch from Karl MacMillan of Tresys.
* Limit staff_t to reading /proc entries for unpriv_userdomain.
* Updated Makefile and spec file to allow non-root builds,
based on patch by Paul Nasrat.
1.1 2003-08-13
* Merged Makefile check-all and te-includes patches from Colin Walters.
* Merged x-debian-packages.patch from Colin Walters.
* Folded read permission into domain_trans.
1.0 2003-07-11
* Initial public release.
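Review bot: typo in the 1.23.2 entry, "so root's home will be labled as sysadm_home_dir_t": "labled" should be "labeled".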

strict/Makefile Normal file

@ -0,0 +1,331 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#
# Set to y if MLS is enabled in the policy.
MLS=n
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KERNVERS := $(shell cat /selinux/policyvers)
POLICYVER := policy.$(VERS)
TOPDIR = $(DESTDIR)/etc/selinux
ifeq ($(MLS),y)
TYPE=mls
else
TYPE=strict
endif
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
USER_FILES := users
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
CONTEXTFILES = $(DEFCONTEXTFILES)
POLICY_DIRS = domains/program domains/misc
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
HOMEDIR_TEMPLATE = file_contexts/homedir_template
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
all: policy
tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
@touch tmp/valid_fc
install: tmp/valid_fc $(USERPATH)/local.users
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@echo "# " > tmp/system.users
@echo "# Do not edit this file. " >> tmp/system.users
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@
$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
install -C -b -m 644 $< $@
$(CONTEXTPATH)/files/media: appconfig/media
mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
$(APPDIR)/default_contexts: appconfig/default_contexts
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/removable_context: appconfig/removable_context
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@
$(APPDIR)/default_type: appconfig/default_type
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/userhelper_context: appconfig/userhelper_context
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/failsafe_context: appconfig/failsafe_context
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/users/root: appconfig/root_default_contexts
mkdir -p $(APPDIR)/users
install -m 644 $< $@
$(LOADPATH): policy.conf $(CHECKPOLICY)
mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(MLS),y)
ifneq ($(VERS),18)
$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
endif
endif
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
policy: $(POLICYVER)
$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(MLS),y)
ifneq ($(VERS),18)
$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
endif
endif
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
reload tmp/load: $(FCPATH) $(LOADPATH)
ifeq ($(VERS), $(KERNVERS))
$(LOADPOLICY) $(LOADPATH)
else
$(LOADPOLICY) $(POLICYPATH)/policy.18
endif
touch tmp/load
load: tmp/load
enableaudit: policy.conf
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
mv $@.tmp $@
install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
restorelabels: $(SETFILES)
$(SETFILES) -v $(FC) $(FILESYSTEMS)
relabel: $(FC) $(SETFILES)
$(SETFILES) $(FC) $(FILESYSTEMS)
file_contexts/misc:
mkdir -p file_contexts/misc
$(FCPATH): $(FC) $(USERPATH)/system.users
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(FC) $(FCPATH)
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file_contexts ..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE $@.tmp > $@
@grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE)
@-rm $@.tmp
# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
ifeq ($(strip $(CTAGS)),)
CTAGS := $(call pathsearch,ctags) # suse naming scheme
endif
tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
--regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
clean:
rm -f policy.conf $(POLICYVER) policy.18
rm -f tags
rm -f tmp/*
rm -f $(FC)
rm -f flask/*.h
# for the policy regression tester
find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
cur_te = $(filter-out %/,$(subst /,/ ,$@))
TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
define compute_depends
export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef
ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
else
# Handle the case where checkunused/blah.te is run directly.
ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
endif
endif
endif
# Test for a new enough version of GNU Make.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
endif
endif
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
PHONIES :=
define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
@if ! test -L domains/program/$(1); then \
cd domains/program && ln -s unused/$(1) .; \
fi
endef
# Compute dependencies.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
@$(MAKE) -s clean
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
fi
@echo "Testing $(cur_te)...";
@if ! make -s policy 1>/dev/null; then \
echo "Testing $(cur_te)...FAILED"; \
exit 1; \
fi;
@echo "Testing $(cur_te)...success."; \
check-all:
@for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
$(MAKE) --no-print-directory $$goal; \
done
.PHONY: clean $(PHONIES)
mlsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \
mv $$file.new $$file; \
done
@sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
@echo "Done"

strict/README Normal file

@ -0,0 +1,125 @@
The Makefile targets are:
policy - compile the policy configuration.
install - compile and install the policy configuration.
load - compile, install, and load the policy configuration.
relabel - relabel the filesystem.
check-all - check individual additional policy files in domains/program/unused.
checkunused/FILE.te - check individual file FILE from domains/program/unused.
If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy. Of course, you must have also
built checkpolicy with MLS enabled.
Three of the configuration files are independent of the particular
security policy:
1) flask/security_classes -
This file has a simple declaration for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
2) flask/initial_sids -
This file has a simple declaration for each initial SID.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
3) access_vectors -
This file defines the access vectors. Common prefixes for
access vectors may be defined at the beginning of the file.
After the common prefixes are defined, an access vector
may be defined for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/av_permissions.h>.
In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions. Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.
The policy-dependent configuration files are:
1) tmp/all.te -
This file defines the Type Enforcement (TE) configuration.
This file is automatically generated from a collection of files.
The macros subdirectory contains a collection of m4 macro definitions
used by the TE configuration. The global_macros.te file contains global
macros used throughout the configuration for common groupings of classes
and permissions and for common sets of rules. The user_macros.te file
contains macros used in defining user domains. The admin_macros.te file
contains macros used in defining admin domains. The macros/program
subdirectory contains macros that are used to instantiate derived domains
for certain programs that encode information about both the calling user
domain and the program, permitting the policy to maintain separation
between different instances of the program.
The types subdirectory contains several files with declarations for
general types (types not associated with a particular domain) and
some rules defining relationships among those types. Related types
are grouped together into each file in this directory, e.g. all
device type declarations are in the device.te file.
The domains subdirectory contains several files and directories
with declarations and rules for each domain. User domains are defined in
user.te. Administrator domains are defined in admin.te. Domains for
specific programs, including both system daemons and other programs, are
in the .te files within the domains/program subdirectory. The domains/misc
subdirectory is for miscellaneous domains such as the kernel domain and
the kernel module loader domain.
The assert.te file contains assertions that are checked after evaluating
the entire TE configuration.
2) rbac -
This file defines the Role-Based Access Control (RBAC) configuration.
3) mls -
This file defines the Multi-Level Security (MLS) configuration.
4) users -
This file defines the users recognized by the security policy.
5) constraints -
This file defines additional constraints on permissions
in the form of boolean expressions that must be satisfied in order
for specified permissions to be granted. These constraints
are used to further refine the type enforcement tables and
the role allow rules. Typically, these constraints are used
to restrict changes in user identity or role to certain domains.
6) initial_sid_contexts -
This file defines the security context for each initial SID.
A security context consists of a user identity, a role, a type and
optionally a MLS range if the MLS policy is enabled. If left unspecified,
the high MLS level defaults to the low MLS level. The syntax of a valid
security context is:
user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
7) fs_use -
This file defines the labeling behavior for inodes in particular
filesystem types.
8) genfs_contexts -
This file defines security contexts for files in filesystems that
cannot support persistent label mappings or use one of the fixed
labeling schemes specified in fs_use.
8) net_contexts -
This file defines the security contexts of network objects
such as ports, interfaces, and nodes.
9) file_contexts/{types.fc,program/*.fc}
These files define the security contexts for persistent files.
It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration. A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.
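Review bot: the numbered list of policy-dependent files uses `8)` for both `genfs_contexts` and `net_contexts`, so `net_contexts` should be `9)` and `file_contexts/{types.fc,program/*.fc}` `10)`. The target list at the top also omits several targets the Makefile in this commit defines (`install-src`, `enableaudit`, `checklabels`, `restorelabels`, `tags`, `mlsconvert`); `checklabels` in particular is the non-destructive way to preview what `relabel` would change, so it belongs next to `relabel` in the README.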

strict/VERSION Normal file

@ -0,0 +1 @@
1.23.2-1


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>
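Review bot: the `<selinux>` element is empty, so this busconfig fragment declares no `<associate own="..." context="..."/>` mappings; a comment saying it is an intentional placeholder (or one commented-out example entry) would make the intent clear to whoever later enables D-Bus SELinux support.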


@ -0,0 +1,12 @@
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
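Review bot: entry order on each line is significant, since libselinux returns the contexts in file order and callers take the first one reachable by the user, so listing `staff_r:staff_t` before `user_r:user_t` for `local_login_t` and `xdm_t` while `remote_login_t` and `sshd_t` list `user_r:user_t` first should be deliberate and deserves a comment. The `mailman_r:user_crond_t` entry on the `crond_t` line pairs a non-user role with a user crond type, which also merits a comment explaining why.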


@ -0,0 +1,3 @@
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t


@ -0,0 +1 @@
sysadm_r:sysadm_t


@ -0,0 +1 @@
system_u:system_r:initrc_t

strict/appconfig/media Normal file

@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t


@ -0,0 +1 @@
system_u:object_r:removable_t


@ -0,0 +1,9 @@
system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t


@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t

strict/assert.te Normal file

@ -0,0 +1,162 @@
##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition };
#
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
#
# Verify that other system software can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
#
# Verify that only the X server and klogd have access to memory devices.
#
neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
#
# Verify that only domains with the privlog attribute can actually syslog
#
neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
#
# Verify that /proc/kmsg is only accessible to klogd.
#
ifdef(`klogd.te', `
neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
', `
ifdef(`syslogd.te', `
neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
')dnl end if syslogd
')dnl end if klogd
#
# Verify that /proc/kcore is inaccessible.
#
neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
#
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#
define(`assert_execute', `
ifelse($#, 0, ,
$#, 1,
``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
`assert_execute($1) assert_execute(shift($@))')')
ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')
#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')
#
# Verify that only the admin domains and initrc_t have setenforce.
#
neverallow { domain -admin -initrc_t } security_t:security setenforce;
#
# Verify that only the kernel and load_policy_t have load_policy.
#
neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
#
# for gross mistakes in policy
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;
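Review bot: several assertion comments no longer describe the rule under them, which matters because these comments are what reviewers use to audit exemptions. The `sys_module` comment says only `insmod_t` and `kernel_t`, but the rule also exempts `unrestricted` and, with `howl.te`, `howl_t`; the memory-device comment names the X server and klogd, but the rule exempts everything carrying `privmem`; and the sysctl comment says initrc and administrators, while the rules also exempt `kernel_t`, `insmod_t`, `sysctl_kernel_writer` and `sysctl_net_writer`. Update each comment to name the attribute or list actually exempted.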

strict/attrib.te Normal file

@ -0,0 +1,426 @@
#
# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Except for the MLS attributes, attributes have no implicit
# meaning to SELinux. The meaning of all other attributes are completely
# defined through their usage within the configuration, but should be
# documented here as comments preceding the attribute declaration.
#####################
# Attributes for MLS:
#
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetbindall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;
attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
#########################
# Attributes for domains:
#
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;
# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;
# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;
# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;
# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that's not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;
# The privmodule attribute identifies every domain that can run
# modprobe, there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;
# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;
# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;
# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t, in addition the admin attribute is permitted write access
attribute sysctl_kernel_writer;
# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;
# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;
# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;
# for a small domain that can only be used for newrole
attribute user_mini_domain;
# pty for the mini domain
attribute mini_pty_type;
# pty created by a server such as sshd
attribute server_pty;
# attribute for all non-administrative devpts types
attribute userpty_type;
# The user_tty_type identifies every type for a tty or pty owned by an
# unpriviledged user
attribute user_tty_type;
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;
# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;
# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;
# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;
# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;
# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;
############################
# Attributes for file types:
#
# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;
# The secure_file_type attribute identifies files
# which will be treated with a higer level of security.
# Most domains will be prevented from manipulating files in this domain
attribute secure_file_type;
# The device_type attribute identifies all types assigned to device nodes
attribute device_type;
# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;
# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;
# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;
# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;
# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;
# for the user_xserver_tmp_t etc
attribute xserver_tmpfile;
# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;
# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;
# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs. Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;
# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;
# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;
# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;
############################
# Attributes for network types:
#
# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;
# Identifies all types assigned to port numbers to control binding.
attribute port_type;
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;
# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;
# Identifier for log files or directories that only exist for log files.
attribute logfile;
# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;
##############################
# Attributes for security policy types:
#
# The login_contexts attribute idenitifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;
# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;
# Identifies domains that can transition to system_mail_t
attribute privmail;
# Type for non-sysadm home directory
attribute user_home_type;
# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;
# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;
# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
# For web clients such as netscape and squid
attribute web_client_domain;
# For X Window System server domains
attribute xserver;
# For X Window System client domains
attribute xclient;
# For X Window System protocol extensions
attribute xextension;
# For X Window System property types
attribute xproperty;
#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;
#
# For filetypes that the usercan read
#
attribute usercanread;
#
# For serial devices
#
attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
# For clients of nscd.
attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd
attribute httpdcontent;
# For labeling of domains whos transition can be disabled
attribute transitionbool;
# For labeling of file_context domains which users can change files to rather
# then the default file context. These file_context can survive a relabeling
# of the file system.
attribute customizable;
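Review bot: typos in the comments: `unpriviledged` (user_tty_type), `higer` (secure_file_type), `idenitifies` (login_contexts), `usercan` (usercanread), `whos` (transitionbool) and `rather then` (customizable). The `socket_type` comment still carries `XXX This attribute is unused. Remove?` and `netif_type` is marked `XXX obsolete, not supported via LSM`; either resolve these before the initial commit or track them so they are not lost. The `userdomain` comment says the attribute is presently `user_t` and `sysadm_t`, but the default_contexts files in this commit also reference `staff_t`, so check that the list is complete.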

strict/constraints Normal file

@ -0,0 +1,79 @@
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# validatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for validatetrans)
# | r3 op names (NOTE: this is only available for validatetrans)
# | t3 op names (NOTE: this is only available for validatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
( u1 == u2 or ( t1 == privuser and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
);
constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and r2 == system_r )
);
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
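Review bot: in the first `constrain process transition` expression, the userhelper.te clause `or (t1 == userhelperdomain)` permits a user identity change to any u2 with any t2, while every neighbouring clause pins the target (`t2 == userdomain`, `t2 == user_crond_domain`, or `u2 == system_u`); if userhelperdomain genuinely needs to switch to arbitrary users a comment should say so, otherwise the clause should be narrowed like the others. The same open-ended form is repeated in the role constraint. Minor: the grammar comment `# name_list : name | name_list name#` has a stray trailing `#`.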

35
strict/domains/admin.te Normal file

@ -0,0 +1,35 @@
#DESC Admin - Domains for administrators.
#
#################################
# sysadm_t is the system administrator domain.
type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
ifdef(`direct_sysadm_daemon', `, priv_system_role')
; dnl end of sysadm_t type declaration
allow privhome home_root_t:dir { getattr search };
# system_r is authorized for sysadm_t for single-user mode.
role system_r types sysadm_t;
general_proc_read_access(sysadm_t)
# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)
# Allow administrator domains to set the enforcing flag.
can_setenforce(sysadm_t)
# Allow administrator domains to set policy booleans.
can_setbool(sysadm_t)
# Allow administrator domains to set security parameters
can_setsecparam(sysadm_t)
# for su
allow sysadm_t userdomain:fd use;
define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
# Add/remove user home directories
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
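Review bot: `allow privhome home_root_t:dir { getattr search };` grants to the whole privhome attribute rather than to sysadm_t, yet it sits between the sysadm_t type declaration and its role statement with no comment; either move it beside the other privhome rules or add a comment explaining why it lives in admin.te. The `define(`admin_tty_type', ...)` placed among the allow rules is a global m4 definition that other files in this commit depend on (apache.te and apmd.te both use admin_tty_type), so a comment saying so would help readers who are not expecting a definition there.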


@ -0,0 +1,3 @@
#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
can_network(auth)
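Review bot: `can_network(auth)` gives every domain carrying the auth attribute full network access, server side included, although the stated purpose (querying PAM-LDAP style authentication servers) is purely client side; if this macro set has a client-only counterpart to the can_network_server used in amanda.te, that would be the tighter choice here. A comment listing which domains carry auth would also let reviewers judge how far this grant reaches.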


@ -0,0 +1,30 @@
#DESC fcron - additions to cron policy for a more powerful cron program
#
# Domain for fcron, a more powerful cron program.
#
# Needs cron.te installed.
#
# Author: Russell Coker <russell@coker.com.au>
# Use capabilities.
allow crond_t self:capability { dac_override dac_read_search };
# differences between r_dir_perms and rw_dir_perms
allow crond_t cron_spool_t:dir { add_name remove_name write };
ifdef(`mta.te', `
# not sure why we need write access, but Postfix does not work without it
# I will have to change fcron to avoid the need for this
allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
')
ifdef(`distro_debian', `
can_exec(dpkg_t, crontab_exec_t)
file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
')
rw_dir_create_file(crond_t, cron_spool_t)
can_setfscreate(crond_t)
# for /var/run/fcron.fifo
file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
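Review bot: the mta.te block grants `allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };` with a comment admitting the write access is unexplained and meant to go away; since this lets the mail agent modify cron spool files, it should either be tracked as an explicit TODO or replaced with a dontaudit once fcron is fixed, rather than left as an open-ended write grant. `allow crond_t self:capability { dac_override dac_read_search };` also deserves a one-line comment stating which operation needs DAC bypass.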


@ -0,0 +1,66 @@
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#################################
#
# Rules for the kernel_t domain.
#
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
allow kernel_t sysfs_t:dir search;
allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
# Share state with the init process.
allow kernel_t init_t:process share;
# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;
# Send signal to any process.
allow kernel_t domain:process signal;
# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;
# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;
# Load the policy configuration.
can_loadpol(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
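Review bot: `allow kernel_t sysfs_t:dir search;` is immediately subsumed by the next line, `allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;`, and `allow kernel_t self:capability sys_chroot;` is already covered by the earlier `allow kernel_t self:capability *;`; both redundant lines can be dropped. The type declaration with the inline `ifdef(`nfs_export_all_rw',`,etc_writer')` before the terminating `;` is hard to read; the admin.te hunk's layout, with the ifdef on its own line and the `;` on a commented line after it, would be clearer.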


@ -0,0 +1,18 @@
#
# Alias file to stop blow up during policy upgrade, since
# screensaver policy is being removed.
#
typealias bin_t alias screensaver_exec_t;
typealias sysadm_home_t alias sysadm_screensaver_t;
typealias sysadm_home_t alias sysadm_screensaver_rw_t;
typealias sysadm_home_t alias sysadm_screensaver_ro_t;
typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
typealias user_home_t alias user_screensaver_t;
typealias user_home_t alias user_screensaver_rw_t;
typealias user_home_t alias user_screensaver_ro_t;
typealias user_home_t alias user_screensaver_tmpfs_t;
typealias staff_home_t alias staff_screensaver_t;
typealias staff_home_t alias staff_screensaver_rw_t;
typealias staff_home_t alias staff_screensaver_ro_t;
typealias staff_home_t alias staff_screensaver_tmpfs_t;


@ -0,0 +1,7 @@
#DESC startx - policy for running an X server from a user domain
#
# Author: Russell Coker <russell@coker.com.au>
#
# Everything is in the macro files


@ -0,0 +1,13 @@
#DESC Userspace Object Managers
#
#################################
# Get our own security context.
can_getcon(userspace_objmgr)
# Get security decisions via selinuxfs.
can_getsecurity(userspace_objmgr)
# Read /etc/selinux
r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
# Receive notifications of policy reloads and enforcing status changes.
allow userspace_objmgr self:netlink_selinux_socket { create bind read };


@ -0,0 +1,14 @@
#
# Authors: Eamon Walsh <ewalsh@epoch.ncsc.mil>
#
#######################################
#
# Domains for the SELinux-enabled X Window System
#
#
# Domain for all non-local X clients
#
type remote_xclient_t, domain;
in_user_role(remote_xclient_t)
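Review bot: `type remote_xclient_t, domain;` does not carry the xclient attribute that the attributes hunk declares "For X Window System client domains", so any rule written against xclient will not apply to remote clients; if that is intentional a comment should say so, otherwise the attribute should be added to the declaration.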


@ -0,0 +1,68 @@
#DESC Acct - BSD process accounting
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: acct
#
#################################
#
# Rules for the acct_t domain.
#
# acct_exec_t is the type of the acct executable.
#
daemon_base_domain(acct)
ifdef(`crond.te', `
system_crond_entry(acct_exec_t, acct_t)
# for monthly cron job
file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
')
# for SSP
allow acct_t urandom_device_t:chr_file read;
type acct_data_t, file_type, sysadmfile;
allow acct_t self:capability sys_pacct;
# gzip needs chown capability for some reason
allow acct_t self:capability chown;
allow acct_t var_t:dir { getattr search };
rw_dir_create_file(acct_t, acct_data_t)
can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
allow acct_t { bin_t sbin_t }:dir search;
allow acct_t bin_t:lnk_file read;
read_locale(acct_t)
allow acct_t self:capability fsetid;
allow acct_t fs_t:filesystem getattr;
allow acct_t self:unix_stream_socket create_socket_perms;
allow acct_t self:fifo_file { read write getattr };
allow acct_t proc_t:file { read getattr };
read_sysctl(acct_t)
dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
# for nscd
dontaudit acct_t var_run_t:dir search;
# not sure why we need this, the command "last" is reported as using it
dontaudit acct_t self:capability kill;
allow acct_t devtty_t:chr_file { read write };
allow acct_t { etc_t etc_runtime_t }:file { read getattr };
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
rw_dir_create_file(logrotate_t, acct_data_t)
can_exec(logrotate_t, acct_data_t)
')


@ -0,0 +1,307 @@
#DESC Amanda - Automated backup program
#
# This policy file sets the rigths for amanda client started by inetd_t
# and amrecover
#
# X-Debian-Packages: amanda-common amanda-server
# Depends: inetd.te
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
#
# License : GPL
#
# last change: 27. August 2002
#
# state : complete and tested
#
# Hints :
# - amanda.fc is the appendant file context file
# - If you use amrecover please extract the files and directories to the
# directory speficified in amanda.fc as type amanda_recover_dir_t.
# - The type amanda_user_exec_t is defined to label the files but not used.
# This configuration works only as an client and a amanda client does not need
# this programs.
#
# Enhancements/Corrections:
# - set tighter permissions to /bin/tar instead bin_t
##############################################################################
# AMANDA CLIENT DECLARATIONS
##############################################################################
# General declarations
######################
type amanda_t, domain, privlog, auth, nscd_client_domain ;
role system_r types amanda_t;
# type for the amanda executables
type amanda_exec_t, file_type, sysadmfile, exec_type;
# type for the amanda executables started by inetd
type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
# type for amanda configurations files
type amanda_config_t, file_type, sysadmfile;
# type for files in /usr/lib/amanda
type amanda_usr_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda
type amanda_var_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t, file_type, sysadmfile;
# type for user startable files
type amanda_user_exec_t, file_type, sysadmfile, exec_type;
# type for same awk and other scripts
type amanda_script_exec_t, file_type, sysadmfile, exec_type;
# type for the shell configuration files
type amanda_shellconfig_t, file_type, sysadmfile;
tmp_domain(amanda)
# type for /etc/amandates
type amanda_amandates_t, file_type, sysadmfile;
# type for /etc/dumpdates
type amanda_dumpdates_t, file_type, sysadmfile;
# type for amanda data
type amanda_data_t, file_type, sysadmfile;
# Domain transitions
####################
domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
##################
# File permissions
##################
# configuration files -> read only
allow amanda_t amanda_config_t:file { getattr read };
allow amanda_t amanda_config_t:dir search;
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
allow amanda_t amanda_data_t:file { read write };
# access to proc_t
allow amanda_t proc_t:dir { getattr search };
allow amanda_t proc_t:file { getattr read };
# access to etc_t and similar
allow amanda_t etc_t:dir { getattr search };
allow amanda_t etc_t:file { getattr read };
allow amanda_t etc_runtime_t:file { getattr read };
# access to var_t and similar
allow amanda_t var_t:dir search;
allow amanda_t var_lib_t:dir search;
allow amanda_t amanda_var_lib_t:dir search;
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
# access to var_run_t
allow amanda_t var_run_t:dir search;
# access to var_log_t
allow amanda_t var_log_t:dir getattr;
# access to var_spool_t
allow amanda_t var_spool_t:dir getattr;
# access to amanda_usr_lib_t
allow amanda_t amanda_usr_lib_t:dir search;
# access to device_t and similar
allow amanda_t device_t:dir search;
allow amanda_t null_device_t:chr_file { getattr read write };
allow amanda_t devpts_t:dir getattr;
allow amanda_t fixed_disk_device_t:blk_file getattr;
allow amanda_t removable_device_t:blk_file getattr;
allow amanda_t devtty_t:chr_file { read write };
# access to boot_t
allow amanda_t boot_t:dir getattr;
# access to fs_t
allow amanda_t fs_t:filesystem getattr;
# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl(amanda_t)
#####################
# process permissions
#####################
# Allow to use shared libs
uses_shlib(amanda_t)
# Allow to execute a amanda executable file
allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };
# Allow to run a shell
allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
# access to bin_t (tar)
allow amanda_t bin_t:file { execute execute_no_trans };
allow amanda_t self:capability { chown dac_override setuid };
allow amanda_t self:process { fork sigchld };
allow amanda_t self:unix_dgram_socket create;
###################################
# Network and process communication
###################################
can_network_server(amanda_t);
can_ypbind(amanda_t);
allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket { connect create read write };
##########################
# Communication with inetd
##########################
allow amanda_t inetd_t:udp_socket { read write };
###################
# inetd permissions
###################
allow inetd_t amanda_usr_lib_t:dir search;
########################
# Access to to save data
########################
# access to user_home_t
allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
allow amanda_t user_home_type:file { getattr read };
# access to file_t ( /floppy, /cdrom )
allow amanda_t mnt_t:dir getattr;
###########
# Dontaudit
###########
dontaudit amanda_t lost_found_t:dir { getattr read };
##############################################################################
# AMANDA RECOVER DECLARATIONS
##############################################################################
# General declarations
######################
# type for amrecover
type amanda_recover_t, domain;
role sysadm_r types { amanda_recover_t amanda_recover_dir_t };
# exec types for amrecover
type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
# type for recover files ( restored data )
type amanda_recover_dir_t, file_type, sysadmfile;
file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
# domain transsition
domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
# file type auto trans to write debug messages
file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
# amanda recover process permissions
####################################
uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
allow amanda_recover_t privfd:fd use;
# amrecover network and process communication
#############################################
can_network_server(amanda_recover_t);
can_ypbind(amanda_recover_t);
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
# amrecover file permissions
############################
# access to etc_t and similar
allow amanda_recover_t etc_t:dir search;
allow amanda_recover_t etc_t:file { getattr read };
allow amanda_recover_t etc_runtime_t:file { getattr read };
# access to amanda_recover_dir_t
allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
# access to var_t and var_run_t
allow amanda_recover_t var_t:dir search;
allow amanda_recover_t var_run_t:dir search;
# access to proc_t
allow amanda_recover_t proc_t:dir search;
allow amanda_recover_t proc_t:file { getattr read };
# access to sysctl_kernel_t
read_sysctl(amanda_recover_t)
# access to dev_t and similar
allow amanda_recover_t device_t:dir search;
allow amanda_recover_t devtty_t:chr_file { read write };
allow amanda_recover_t null_device_t:chr_file { getattr write };
# access to bin_t
allow amanda_recover_t bin_t:file { execute execute_no_trans };
# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
# in the sysadm home directory
allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
# access to use sysadm_tty_device_t (/dev/tty?)
allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
# access to amanda_tmp_t and tmp_t
allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
allow amanda_recover_t tmp_t:dir search;
#
# Rules to allow amanda to be run as a service in xinetd
#
type amanda_port_t, port_type;
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
allow amanda_t file_type:dir {getattr read search };
allow amanda_t file_type:file {getattr read };
logdir_domain(amanda)
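Review bot: `role sysadm_r types { amanda_recover_t amanda_recover_dir_t };` lists amanda_recover_dir_t, which is declared a few lines later as a file type (file_type, sysadmfile) rather than a domain; it should be removed from the role statement. Near the end, `allow amanda_t file_type:dir {getattr read search };` and `allow amanda_t file_type:file {getattr read };` grant read on every labelled file to the client, which makes the carefully scoped per-type read rules above redundant and sits under a comment about xinetd that does not describe them; if the backup client truly must read everything, say so in a comment and consider dropping the now-unneeded narrower rules. Minor: "rigths" and "speficified" in the header comments.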


@ -0,0 +1,47 @@
#DESC Anaconda - Red Hat Installation program
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the anaconda_t domain.
#
# anaconda_t is the domain of the installation program
#
type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
role system_r types anaconda_t;
unconfined_domain(anaconda_t)
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
role system_r types sysadm_su_t;
domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
ifdef(`distro_redhat', `
file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
')
ifdef(`rpm.te', `
# Access /var/lib/rpm.
domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
')
file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
ifdef(`udev.te', `
domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
')
ifdef(`ssh-agent.te', `
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
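Review bot: `domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)` has a stray space before the first comma; align it with the other calls. Since `unconfined_domain(anaconda_t)` is applied, a comment explaining which of the attributes on the type line (admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer) are still required on top of it would help a future reader decide whether any can be trimmed.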


@ -0,0 +1,354 @@
#DESC Apache - Web server
#
# X-Debian-Packages: apache2-common apache
#
###############################################################################
#
# Policy file for running the Apache web server
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# of the creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then relabel rule for user_r should be removed.
#
###############################################################################
define(`httpd_home_dirs', `
r_dir_file(httpd_t, $1)
r_dir_file(httpd_suexec_t, $1)
can_exec(httpd_suexec_t, $1)
')
type http_port_t, port_type, reserved_port_type;
bool httpd_unified false;
# Allow httpd cgi support
bool httpd_enable_cgi false;
# Allow httpd to read home directories
bool httpd_enable_homedirs false;
# Run SSI execs in system CGI script domain.
bool httpd_ssi_exec false;
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
#########################################################
# Apache types
#########################################################
# httpd_config_t is the type given to the configuration
# files for apache /etc/httpd/conf
#
type httpd_config_t, file_type, sysadmfile;
append_logdir_domain(httpd)
#can read /etc/httpd/logs
allow httpd_t httpd_log_t:lnk_file read;
# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)
can_tcp_connect(web_client_domain, httpd_t)
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
#
type httpd_modules_t, file_type, sysadmfile;
# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
#
type httpd_cache_t, file_type, sysadmfile;
# httpd_exec_t is the type give to the httpd executable.
#
daemon_domain(httpd, `, privmail')
can_exec(httpd_t, httpd_exec_t)
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
general_domain_access(httpd_t)
allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
read_sysctl(httpd_t)
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
# setup the system domain for system CGI scripts
apache_domain(sys)
# The following are types for SUEXEC,which runs user scripts as their
# own user ID
#
daemon_sub_domain(httpd_t, httpd_suexec)
allow httpd_t httpd_suexec_exec_t:file read;
#########################################################
# Permissions for running child processes and scripts
##########################################################
allow httpd_suexec_t self:capability { setuid setgid };
dontaudit httpd_suexec_t var_run_t:dir search;
allow httpd_suexec_t { var_t var_log_t }:dir search;
allow httpd_suexec_t home_root_t:dir search;
allow httpd_suexec_t httpd_log_t:dir search;
allow httpd_suexec_t httpd_log_t:file { append getattr };
allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t etc_t:file { getattr read };
read_locale(httpd_suexec_t)
read_sysctl(httpd_suexec_t)
allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
# for shell scripts
allow httpd_suexec_t bin_t:dir search;
allow httpd_suexec_t bin_t:lnk_file read;
can_exec(httpd_suexec_t, { bin_t shell_exec_t })
can_network(httpd_suexec_t)
can_ypbind(httpd_suexec_t)
allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
ifdef(`mta.te', `
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
')
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
# for apache2 memory mapped files
var_lib_domain(httpd)
# for tomcat
r_dir_file(httpd_t, var_lib_t)
# execute perl
allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
can_network(httpd_t)
can_ypbind(httpd_t)
###################
# Allow httpd to search users diretories
######################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
dontaudit httpd_t self:capability net_admin;
#################################################
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
dontaudit httpd_sys_script_t httpd_config_t:dir search;
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
allow logrotate_t httpd_t:process signull;
')
r_dir_file(initrc_t, httpd_config_t)
##################################################
########################################
# Allow httpd_t to bind to the HTTP port
########################################
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
create_dir_file(httpd_t, httpd_cache_t)
###############################
# Allow httpd_t to access the tmpfs file system
##############################
tmpfs_domain(httpd)
#####################
# Allow httpd_t to access
# libraries for its modules
###############################
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
allow httpd_t httpd_modules_t:lnk_file r_file_perms;
######################################################################
# Allow initrc_t to access the Apache modules directory.
######################################################################
allow initrc_t httpd_modules_t:dir r_dir_perms;
##############################################
# Allow httpd_t to have access to files
# such as nisswitch.conf
# need ioctl for php
###############################################
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
r_dir_file(httpd_t, httpd_sys_script_ro_t)
create_dir_file(httpd_t, httpd_sys_script_rw_t)
ra_dir_file(httpd_t, httpd_sys_script_ra_t)
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
#
# PHP Directives
##################################################
type httpd_php_exec_t, file_type, sysadmfile, exec_type;
type httpd_php_t, domain;
# Transition from the user domain to this domain.
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
# The system role is authorized for this domain.
role system_r types httpd_php_t;
general_domain_access(httpd_php_t)
uses_shlib(httpd_php_t)
can_exec(httpd_php_t, lib_t)
# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file ra_file_perms;
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
tmp_domain(httpd_suexec)
# Creation of lock files for apache2
lock_domain(httpd)
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
can_unix_connect(httpd_t, mysqld_t)
can_unix_connect(httpd_sys_script_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
allow httpd_suexec_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
}
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
r_dir_file(httpd_t, fonts_t)
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
########################################
# When the admin starts the server, the server wants to acess
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
##################################################
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
can_kerberos(httpd_t)
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
allow httpd_t user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
#
typealias httpd_log_t alias httpd_runtime_t;
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
dontaudit httpd_t httpd_runtime_t:file ioctl;
') dnl distro_redhat
#
# Customer reported the following
#
ifdef(`snmpd.te', `
dontaudit httpd_t snmpd_var_lib_t:dir search;
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
', `
dontaudit httpd_t usr_t:dir write;
')
type httpd_squirrelmail_t, file_type, sysadmfile;
create_dir_file(httpd_t, httpd_squirrelmail_t)
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
# File Type of squirrelmail attachments
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
create_dir_file(httpd_t, squirrelmail_spool_t)
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
dontaudit system_mail_t httpd_log_t:file { append getattr };
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir { search };
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
}
read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
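Review bot: `can_exec(httpd_t, { bin_t sbin_t })` under the comment "# execute perl" lets the web server execute any system binary in its own domain, far more than perl; either narrow the type or reword the comment so the grant is not understated. `bool httpd_unified false;` is the only boolean declared without a comment; document what it toggles as the others do. The header comment has a duplicated phrase ("the domain of the / of the creating user").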


@ -0,0 +1,134 @@
#DESC Apmd - Automatic Power Management daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#
#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, nscd_client_domain')
# for SSP
allow apmd_t urandom_device_t:chr_file read;
type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability sys_admin;
allow apm_t proc_t:dir search;
allow apm_t proc_t:file { read getattr };
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read };
read_sysctl(apmd_t)
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;
# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
# acpid also has a logfile
log_domain(apmd)
ifdef(`distro_suse', `
var_lib_domain(apmd)
')
allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;
# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time };
# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;
# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;
# Run helper programs.
can_exec_any(apmd_t)
# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
allow apmd_t adjtime_t:file rw_file_perms;
')
# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;
ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
rw_dir_create_file(apmd_t, var_lock_t)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')
ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };
#
# Allow it to run killof5 and pidof
#
r_dir_file(apmd_t, domain)
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
ifdef(`mta.te', `
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
')
# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
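Review bot: `can_exec(apmd_t, apmd_var_run_t)` in the `distro_redhat` block lets the daemon execute files carrying the same type this file already uses for the daemon's own /var/run socket (`file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)`), so anything able to write into that directory gets code execution as `apmd_t` together with its `sys_admin`, `sys_time` and `mknod` capabilities; please document which file under /var/run actually has to be executed, or give it a separate non-writable type. Two other grants need a real reason in their comment: `allow apmd_t self:capability mknod;` is explained only with "for some reason", and `allow apmd_t user_tty_type:chr_file rw_file_perms;` near the end (write access to every user's terminal) has no comment at all.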

@ -0,0 +1,42 @@
#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
daemon_domain(arpwatch, `, privmail')
# for files created by arpwatch
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)
tmp_domain(arpwatch)
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
can_network_server(arpwatch_t)
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)
ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')
ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo
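Review bot: the capability line `allow arpwatch_t self:capability { net_admin net_raw setgid setuid };` and the `packet_socket` rule are uncommented; a note that net_raw/packet_socket serve the capture and setuid/setgid the privilege drop would make the grant reviewable. `r_dir_file(arpwatch_t, usr_t)` gives read access to the whole /usr tree; if only a few data files are needed, a narrower type (as done for `arpwatch_data_t` above) would fit the rest of the file better.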

@ -0,0 +1,12 @@
#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
daemon_domain(auditd)
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t self:capability { audit_write audit_control };
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t etc_t:file { getattr read };
log_domain(auditd)
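Review bot: `allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;` is the only rule in this file that reaches outside the daemon's own resources and it carries no comment; if it exists only for start-up messages on the admin console, `{ read write }` (the form used for the same purpose in cardmgr.te in this commit) is narrower than the full `rw_file_perms` set.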

@ -0,0 +1,69 @@
#DESC Automount - Automount daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: amd am-utils autofs
#
#################################
#
# Rules for the automount_t domain.
#
daemon_domain(automount)
etc_domain(automount)
# for SSP
allow automount_t urandom_device_t:chr_file read;
# for if the mount point is not labelled
allow automount_t file_t:dir getattr;
allow automount_t default_t:dir getattr;
allow automount_t autofs_t:dir { create_dir_perms ioctl };
allow automount_t fs_type:dir getattr;
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
allow automount_t self:process { setpgid setsched };
allow automount_t self:capability sys_nice;
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
# because config files can be shell scripts
can_exec(automount_t, { etc_t automount_etc_t })
can_network_server(automount_t)
can_ypbind(automount_t)
ifdef(`fsadm.te', `
domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
')
lock_domain(automount)
tmp_domain(automount)
allow automount_t self:fifo_file rw_file_perms;
# Run mount in the mount_t domain.
domain_auto_trans(automount_t, mount_exec_t, mount_t)
allow mount_t autofs_t:dir { search mounton read };
allow mount_t automount_tmp_t:dir mounton;
ifdef(`apmd.te',
`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
can_exec(automount_t, bin_t)')
allow automount_t { bin_t sbin_t }:dir search;
can_exec(automount_t, mount_exec_t)
allow mount_t autofs_t:dir getattr;
dontaudit automount_t var_t:dir write;
allow userdomain autofs_t:dir r_dir_perms;
allow kernel_t autofs_t:dir { getattr ioctl read search };
allow automount_t home_root_t:dir getattr;
allow automount_t mnt_t:dir { getattr search };
allow initrc_t automount_etc_t:file { getattr read };
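Review bot: `can_exec(automount_t, bin_t)` sits inside the `ifdef(`apmd.te', ...)` block near the end, so automount can only run /bin programs when apmd.te happens to be built; unless that coupling is intended, move the line out of the ifdef. Also `can_exec(automount_t, mount_exec_t)` grants execute_no_trans on the very type that `domain_auto_trans(automount_t, mount_exec_t, mount_t)` above transitions on, which allows mount to run inside `automount_t` and bypass the `mount_t` domain; one of the two should go. The later `allow mount_t autofs_t:dir getattr;` could be folded into the earlier `allow mount_t autofs_t:dir { search mounton read };`.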

@ -0,0 +1,42 @@
#DESC Bluetooth
#
# Authors: Dan Walsh
# RH-Packages: Bluetooth
#
#################################
#
# Rules for the bluetooth_t domain.
#
daemon_domain(bluetooth)
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
tmp_domain(bluetooth)
# Use capabilities.
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
rw_dir_create_file(bluetooth_t, var_lock_t)
# Use the network.
can_network_server(bluetooth_t)
can_ypbind(bluetooth_t)
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')
allow bluetooth_t self:socket { create setopt ioctl bind listen };
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
#/usr/sbin/hid2hci causes the following
allow initrc_t usbfs_t:file { read };
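Review bot: `rw_dir_create_file(bluetooth_t, var_lock_t)` creates lock files directly with the shared `var_lock_t` type instead of a private one; other daemons in this commit (automount, system_crond) use `lock_domain()` for that. The generic `allow bluetooth_t self:socket { create setopt ioctl bind listen };` also deserves a comment, since from the class name alone it is not obvious that this covers the Bluetooth socket family, and "Use capabilities." says nothing about why `net_admin net_raw sys_tty_config` are needed. The header uses `RH-Packages:` where every other file uses `X-Debian-Packages:`.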

@ -0,0 +1,166 @@
#DESC Bootloader - Lilo boot loader/manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lilo
#
#################################
#
# Rules for the bootloader_t domain.
#
# bootloader_exec_t is the type of the bootloader executable.
#
type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
type bootloader_exec_t, file_type, sysadmfile, exec_type;
etc_domain(bootloader)
typealias bootloader_etc_t alias etc_bootloader_t;
role sysadm_r types bootloader_t;
role system_r types bootloader_t;
allow bootloader_t var_t:dir search;
create_append_log_file(bootloader_t, var_log_t)
allow bootloader_t var_log_t:file write;
# for nscd
dontaudit bootloader_t var_run_t:dir search;
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
allow bootloader_t { initrc_t privfd }:fd use;
tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
read_locale(bootloader_t)
# for tune2fs
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
# for /vmlinuz sym link
allow bootloader_t root_t:lnk_file read;
# lilo would need read access to get BIOS data
allow bootloader_t proc_kcore_t:file getattr;
allow bootloader_t { etc_t device_t }:dir r_dir_perms;
allow bootloader_t etc_t:file r_file_perms;
allow bootloader_t etc_t:lnk_file read;
allow bootloader_t initctl_t:fifo_file getattr;
uses_shlib(bootloader_t)
ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
allow bootloader_t usr_t:lnk_file read;
allow bootloader_t tmpfs_t:dir r_dir_perms;
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
allow bootloader_t var_lib_t:dir search;
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
# for /usr/share/initrd-tools/scripts
can_exec(bootloader_t, usr_t)
')
allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
allow bootloader_t device_t:lnk_file { getattr read };
# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
allow lvm_t bootloader_tmp_t:file rw_file_perms;
r_dir_file(bootloader_t, lvm_etc_t)
')
# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
can_exec_any(bootloader_t)
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;
allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
allow bootloader_t modules_object_t:dir r_dir_perms;
ifdef(`distro_redhat', `
allow bootloader_t modules_object_t:lnk_file { getattr read };
')
# for ldd
ifdef(`fsadm.te', `
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
')
ifdef(`modutil.te', `
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
')
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:file create_file_perms;
allow bootloader_t boot_t:lnk_file create_lnk_perms;
allow bootloader_t load_policy_exec_t:file { getattr read };
allow bootloader_t random_device_t:chr_file { getattr read };
ifdef(`distro_redhat', `
# for mke2fs
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
allow mount_t bootloader_tmp_t:dir mounton;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
allow bootloader_t file_t:lnk_file create_lnk_perms;
allow bootloader_t self:unix_stream_socket create_socket_perms;
allow bootloader_t boot_runtime_t:file { read getattr unlink };
# for memlock
allow bootloader_t zero_device_t:chr_file { getattr read };
allow bootloader_t self:capability ipc_lock;
')
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
# allow bootloader to get attributes of any device node
allow bootloader_t { device_type ttyfile }:chr_file getattr;
allow bootloader_t device_type:blk_file getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
allow bootloader_t self:process { fork signal_perms };
allow bootloader_t self:lnk_file read;
allow bootloader_t self:dir search;
allow bootloader_t self:file { getattr read };
allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t fs_t:filesystem getattr;
allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file { getattr read };
allow bootloader_t proc_mdstat_t:file r_file_perms;
allow bootloader_t self:dir { getattr search read };
read_sysctl(bootloader_t)
allow bootloader_t etc_runtime_t:file r_file_perms;
allow bootloader_t devtty_t:chr_file rw_file_perms;
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };
# for reading BIOS data
allow bootloader_t memory_device_t:chr_file r_file_perms;
allow bootloader_t policy_config_t:dir { search read };
allow bootloader_t policy_config_t:file { getattr read };
allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t urandom_device_t:chr_file read;
allow bootloader_t { usr_t var_t }:file { getattr read };
r_dir_file(bootloader_t, src_t)
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t sysctl_t:dir search;
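Review bot: the `distro_debian` block lets `bootloader_t` create, write and relabel files as `usr_t`, `lib_t` and `fsadm_exec_t` (and relabel/unlink `modules_object_t`), i.e. replace system libraries and filesystem tools rather than work inside the `bootloader_tmp_t` staging type this file defines; presumably this is for building the initrd, but only the final `can_exec(bootloader_t, usr_t)` line carries a comment, so please state the purpose and consider restricting the writable targets to the staging type. Style: `domain_auto_trans(bootloader_t, mount_exec_t, mount_t);` in the `distro_redhat` block ends in a semicolon, unlike every other macro call in the file, and the commented-out `#file_type_auto_trans(... , file);` has the same stray semicolon.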

@ -0,0 +1,43 @@
#DESC canna - A Japanese character set input system.
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the canna_t domain.
#
daemon_domain(canna)
file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
logdir_domain(canna)
var_lib_domain(canna)
allow canna_t self:capability { setgid setuid net_bind_service };
allow canna_t tmp_t:dir { search };
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t etc_t:file { getattr read };
allow canna_t usr_t:file { getattr read };
allow canna_t proc_t:file r_file_perms;
allow canna_t etc_runtime_t:file r_file_perms;
allow canna_t canna_var_lib_t:dir create;
rw_dir_create_file(canna_t, canna_var_lib_t)
can_network_tcp(canna_t)
can_ypbind(canna_t)
allow userdomain canna_var_run_t:dir search;
allow userdomain canna_var_run_t:sock_file write;
can_unix_connect(userdomain, canna_t)
ifdef(`i18n_input.te', `
allow i18n_input_t canna_var_run_t:dir search;
allow i18n_input_t canna_var_run_t:sock_file write;
can_unix_connect(i18n_input_t, canna_t)
')
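Review bot: `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream permission set (listen/accept) to a datagram socket; `create_socket_perms`, which every other daemon in this commit uses for `unix_dgram_socket`, is the correct set. Formatting: `{ connectto create_stream_socket_perms}` is missing the space before the closing brace, and `tmp_t:dir { search }` does not need braces for a single permission.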

@ -0,0 +1,85 @@
#DESC Cardmgr - PCMCIA control programs
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#
#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')
# for SSP
allow cardmgr_t urandom_device_t:chr_file read;
type cardctl_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };
allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;
# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
allow cardmgr_t etc_runtime_t:file { getattr read };
allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;
# Create stab file
var_lib_domain(cardmgr)
# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
# Run a shell, normal commands, /etc/pcmcia scripts.
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;
# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;
allow cardmgr_t proc_t:file { getattr read ioctl };
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain)
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
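Review bot: `domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)` and `allow ifconfig_t cardmgr_t:fd use;` reference ifconfig types without an `ifdef(`ifconfig.te', ...)` guard, unlike apmd.te in this same commit, and the `hide_broken_symptoms` block references `insmod_t` without a `modutil.te` guard; a build without those files will fail on these lines. The `hald.te` block lets `hald_t` create `chr_file` nodes labelled `cardmgr_var_run_t`, whereas cardmgr's own device nodes in that directory are transitioned to `cardmgr_dev_t` by the `file_type_auto_trans` above, so nodes from the two sources end up with different types; and the capability line grants `dac_read_search dac_override sys_admin sys_tty_config mknod` while its comment only explains net_admin and setuid.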

@ -0,0 +1,10 @@
# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
# Type for the cdrecord excutable.
type cdrecord_exec_t, file_type, sysadmfile, exec_type;
# everything else is in the cdrecord_domain macros in
# macros/program/cdrecord_macros.te.
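Review bot: the header reads `# DESC cdrecord` with a space while every other file in this commit uses `#DESC`, which matters for anything that scans for the tag; also "excutable" in the type comment.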

@ -0,0 +1,65 @@
#DESC Checkpolicy - SELinux policy compliler
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: checkpolicy
#
###########################
#
# checkpolicy_t is the domain type for checkpolicy
# checkpolicy_exec_t if file type for the executable
type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
role system_r types checkpolicy_t;
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
###########################
# constrain what checkpolicy can use as source files
#
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
# allow test policies to be created in src directories
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory.
allow checkpolicy_t devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Other access
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
allow checkpolicy_t { userdomain privfd }:fd use;
allow checkpolicy_t fs_t:filesystem getattr;
allow checkpolicy_t console_device_t:chr_file { read write };
allow checkpolicy_t init_t:fd use;
allow checkpolicy_t selinux_config_t:dir search;
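Review bot: `allow checkpolicy_t self:capability dac_override;` has no comment, and a policy compiler that can bypass DAC on any file it is otherwise allowed to touch deserves one. The "constrain what checkpolicy can use as source files" section then lets test policies created under `policy_src_t` take the `policy_config_t` type, the same type as the live binary policy, so the separation the comment describes holds only for input, not output; a distinct type for test output would keep them apart. `allow checkpolicy_t { userdomain privfd }:fd use;` is wider than the single `domain_auto_trans(sysadm_t, ...)` entry point (unprivileged users run the binary without a transition per the `can_exec` line), so `sysadm_t` alone may suffice. Typos in the comments: "compliler", "checkpolicy_exec_t if file type".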

@ -0,0 +1,18 @@
#DESC Chkpwd - PAM password checking programs
# X-Debian-Packages: libpam-modules
#
# Domains for the /sbin/.*_chkpwd utilities.
#
#
# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
#
type chkpwd_exec_t, file_type, sysadmfile, exec_type;
chkpwd_domain(system)
dontaudit system_chkpwd_t privfd:fd use;
role sysadm_r types system_chkpwd_t;
in_user_role(system_chkpwd_t)
# Everything else is in the chkpwd_domain macro in
# macros/program/chkpwd_macros.te.

@ -0,0 +1,21 @@
#DESC Chroot - Establish chroot environments
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
type chroot_exec_t, file_type, sysadmfile, exec_type;
# For a chroot environment named potato that can be entered from user_t (so
# the user can run an old version of Debian in a chroot), with the possibility
# of user_devpts_t or user_tty_device_t being the controlling tty type for
# administration. This also defines a mount_domain for the user (so they can
# mount file systems).
#chroot(user, potato)
# For a chroot environment named apache that can be entered from initrc_t for
# running a different version of apache.
# initrc is a special case, uses the system_r role (usually appends "_r" to
# the base name of the parent domain), and has sysadm_devpts_t and
# sysadm_tty_device_t for the controlling terminal
#chroot(initrc, apache)
# the main code is in macros/program/chroot_macros.te

@ -0,0 +1,20 @@
#DESC comsat - biff server
#
# Author: Dan Walsh <dwalsh@redhat.com>
# Depends: inetd.te
#
#################################
#
# Rules for the comsat_t domain.
#
# comsat_exec_t is the type of the comsat executable.
#
inetd_child_domain(comsat, udp)
allow comsat_t initrc_var_run_t:file r_file_perms;
dontaudit comsat_t initrc_var_run_t:file write;
allow comsat_t mail_spool_t:dir r_dir_perms;
allow comsat_t mail_spool_t:lnk_file read;
allow comsat_t var_spool_t:dir search;
dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;

@ -0,0 +1,64 @@
#DESC consoletype - determine the type of a console device
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
#################################
#
# Rules for the consoletype_t domain.
#
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
type consoletype_t, domain;
type consoletype_exec_t, file_type, sysadmfile, exec_type;
role system_r types consoletype_t;
uses_shlib(consoletype_t)
general_domain_access(consoletype_t)
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')
allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
allow consoletype_t admin_tty_type:chr_file rw_file_perms;
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
# Use capabilities.
allow consoletype_t self:capability sys_admin;
allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t tty_device_t:chr_file read;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
ifdef(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')
ifdef(`pam.te', `
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;
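Review bot: `allow consoletype_t nfs_t:file write;` and `allow consoletype_t sysadm_t:fifo_file rw_file_perms;` give a program that only reports the console type write access to NFS files and to the administrator's pipes with no comment; if these are for redirected stdout, say so, and `{ write }` on the fifo would be narrower. The `# Use capabilities.` comment above `self:capability sys_admin` likewise does not say which operation of consoletype needs sys_admin.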

@ -0,0 +1,17 @@
#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
#
# Author: Russell Coker <russell@coker.com.au>
#
type cpucontrol_conf_t, file_type, sysadmfile;
daemon_base_domain(cpucontrol)
# Access cpu devices.
allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
allow cpucontrol_t device_t:lnk_file { getattr read };
allow initrc_t cpu_device_t:chr_file getattr;
allow cpucontrol_t self:capability sys_rawio;
r_dir_file(cpucontrol_t, cpucontrol_conf_t)

@ -0,0 +1,17 @@
#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
#
# Authors: Russell Coker <russell@coker.com.au>
# Thomas Bleher <ThomasBleher@gmx.de>
#
daemon_base_domain(cpuspeed)
read_locale(cpuspeed_t)
allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;
allow cpuspeed_t proc_t:dir r_dir_perms;
allow cpuspeed_t proc_t:file { getattr read };
allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
allow cpuspeed_t self:process setsched;
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
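Review bot: `allow cpuspeed_t sysfs_t:file rw_file_perms;` covers every file under /sys, not just the cpufreq nodes, so this domain can write any kernel tunable exposed there; if a narrower type is not available, a comment should record that the grant is known to be broad. The `#DESC` line ("domain for microcode_ctl, powernowd, etc") repeats the description of cpucontrol.te in this commit; microcode_ctl is already handled there.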

@ -0,0 +1,48 @@
#DESC Crack - Password cracking application
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: crack
#
#################################
#
# Rules for the crack_t domain.
#
# crack_exec_t is the type of the crack executable.
#
system_domain(crack)
ifdef(`crond.te', `
system_crond_entry(crack_exec_t, crack_t)
')
# for SSP
allow crack_t urandom_device_t:chr_file read;
type crack_db_t, file_type, sysadmfile, usercanread;
allow crack_t var_t:dir search;
rw_dir_create_file(crack_t, crack_db_t)
allow crack_t device_t:dir search;
allow crack_t devtty_t:chr_file rw_file_perms;
allow crack_t self:fifo_file { read write getattr };
tmp_domain(crack)
# for dictionaries
allow crack_t usr_t:file { getattr read };
can_exec(crack_t, bin_t)
allow crack_t { bin_t sbin_t }:dir search;
allow crack_t self:process { fork signal_perms };
allow crack_t proc_t:dir { read search };
allow crack_t proc_t:file { read getattr };
# read config files
allow crack_t { etc_t etc_runtime_t }:file { getattr read };
allow crack_t etc_t:dir r_dir_perms;
allow crack_t fs_t:filesystem getattr;
dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
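Review bot: `type crack_db_t, file_type, sysadmfile, usercanread;` puts the `usercanread` attribute on the crack database, so whatever the cracker writes there (the `rw_dir_create_file(crack_t, crack_db_t)` rule covers its output) is readable by ordinary user domains; if that is intended it needs a comment, otherwise drop the attribute and keep the results restricted to `sysadmfile`.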

@ -0,0 +1,215 @@
#DESC Crond - Crond daemon
#
# Domains for the top-level crond daemon process and
# for system cron jobs. The domains for user cron jobs
# are in macros/program/crond_macros.te.
#
# X-Debian-Packages: cron
# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
# Domain for crond. It needs auth_chkpwd to check for locked accounts.
daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
# This domain is granted permissions common to most domains (including can_net)
general_domain_access(crond_t)
# Type for the anacron executable.
type anacron_exec_t, file_type, sysadmfile, exec_type;
# Type for temporary files.
tmp_domain(crond)
crond_domain(system)
allow system_crond_t proc_mdstat_t:file { getattr read };
allow system_crond_t proc_t:lnk_file read;
allow system_crond_t proc_t:filesystem getattr;
allow system_crond_t usbdevfs_t:filesystem getattr;
ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
')
# read files in /etc
allow system_crond_t etc_t:file r_file_perms;
allow system_crond_t etc_runtime_t:file read;
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
read_locale(crond_t)
log_domain(crond)
# Use capabilities.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
can_getsecurity(crond_t)
# for finding binaries and /bin/sh
allow crond_t { bin_t sbin_t }:dir search;
allow crond_t { bin_t sbin_t }:lnk_file read;
# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
# Read /etc/security/default_contexts.
r_dir_file(crond_t, default_context_t)
allow crond_t etc_t:file { getattr read };
allow crond_t etc_t:lnk_file read;
allow crond_t default_t:dir search;
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
# to search /home
allow crond_t home_root_t:dir { getattr search };
allow crond_t user_home_dir_type:dir r_dir_perms;
# Run a shell.
can_exec(crond_t, shell_exec_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
ifdef(`rpm.te', `
allow crond_t rpm_log_t: file create_file_perms;
system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
')
')
allow system_crond_t var_log_t:file r_file_perms;
# Set exec context.
can_setexec(crond_t)
# Transition to this domain for anacron as well.
# Still need to study anacron.
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
# Access log files
file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
# Inherit and use descriptors from init for anacron.
allow system_crond_t init_t:fd use;
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
allow system_crond_t initrc_devpts_t:chr_file { read write };
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow crond_t urandom_device_t:chr_file { getattr read };
# Read the system crontabs.
allow system_crond_t system_cron_spool_t:file r_file_perms;
allow crond_t system_cron_spool_t:dir r_dir_perms;
allow crond_t system_cron_spool_t:file r_file_perms;
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir r_dir_perms;
allow system_crond_t cron_spool_t:file r_file_perms;
# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;
# Update whatis files.
allow system_crond_t catman_t:dir create_dir_perms;
allow system_crond_t catman_t:file create_file_perms;
allow system_crond_t man_t:file r_file_perms;
allow system_crond_t man_t:lnk_file read;
# Write /var/lock/makewhatis.lock.
lock_domain(system_crond)
# for if /var/mail is a symlink
allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
allow crond_t mail_spool_t:dir search;
ifdef(`mta.te', `
r_dir_file(system_mail_t, crond_tmp_t)
')
# Stat any file and search any directory for find.
allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
allow system_crond_t device_type:{ chr_file blk_file } getattr;
allow system_crond_t file_type:dir { read search getattr };
# Create temporary files.
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
# /sbin/runlevel ask for w access to utmp, but will operate
# correctly without it. Do not audit write denials to utmp.
# /sbin/runlevel needs lock access however
dontaudit system_crond_t initrc_var_run_t:file write;
allow system_crond_t initrc_var_run_t:file { getattr read lock };
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
allow system_crond_t var_spool_t:file create_file_perms;
allow system_crond_t var_spool_t:dir rw_dir_perms;
# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;
#
# reading /var/spool/cron/mailman
#
allow crond_t var_spool_t:file { getattr read };
allow system_crond_t devpts_t:filesystem getattr;
allow system_crond_t sysfs_t:filesystem getattr;
allow system_crond_t tmpfs_t:filesystem getattr;
allow system_crond_t rpc_pipefs_t:filesystem getattr;
#
# These rules are here to allow system cron jobs to su
#
ifdef(`su.te', `
su_restricted_domain(system_crond,system)
role system_r types system_crond_su_t;
allow system_crond_su_t crond_t:fifo_file ioctl;
')
allow system_crond_t self:passwd rootok;
#
# prelink tells init to restart it self, we either need to allow or dontaudit
#
allow system_crond_t initctl_t:fifo_file write;
dontaudit userdomain system_crond_t:fd use;
r_dir_file(crond_t, selinux_config_t)
# Allow system cron jobs to relabel filesystem for restoring file contexts.
bool cron_can_relabel false;
if (cron_can_relabel) {
domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
} else {
r_dir_file(system_crond_t, file_context_t)
can_getsecurity(system_crond_t)
}
allow system_crond_t removable_t:filesystem { getattr };
#
# Required for webalizer
#
ifdef(`apache.te', `
allow system_crond_t httpd_log_t:file { getattr read };
')
dontaudit crond_t self:capability { sys_tty_config };
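Review bot: the comment `prelink tells init to restart it self, we either need to allow or dontaudit` leaves the decision open, yet the rule under it is `allow system_crond_t initctl_t:fifo_file write;`, which lets every system cron job, not only prelink, write to init's control fifo; record why allow was chosen over dontaudit, or scope it. `allow system_crond_t self:passwd rootok;` a few lines up has no comment at all and needs one for the same reason. For the `cron_can_relabel` tunable, the else branch still grants `r_dir_file(system_crond_t, file_context_t)` and `can_getsecurity(system_crond_t)`; say in the comment what that fallback is for, since a reader would expect the false branch to grant nothing.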


@ -0,0 +1,12 @@
#DESC Crontab - Crontab manipulation programs
#
# Domains for the crontab program.
#
# X-Debian-Packages: cron
#
# Type for the crontab executable.
type crontab_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the crontab_domain macro in
# macros/program/crontab_macros.te.


@ -0,0 +1,257 @@
#DESC Cups - Common Unix Printing System
#
# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
# Depends: lpd.te lpr.te
#################################
#
# Rules for the cupsd_t domain.
#
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
type ipp_port_t, port_type, reserved_port_type;
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
typealias cupsd_etc_t alias etc_cupsd_t;
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
can_network(cupsd_t)
logdir_domain(cupsd)
tmp_domain(cupsd)
allow cupsd_t devpts_t:dir search;
allow cupsd_t device_t:lnk_file read;
allow cupsd_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t urandom_device_t:chr_file { getattr read };
dontaudit cupsd_t random_device_t:chr_file ioctl;
# temporary solution, we need something better
allow cupsd_t serial_device:chr_file rw_file_perms;
r_dir_file(cupsd_t, usbdevfs_t)
r_dir_file(cupsd_t, usbfs_t)
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
')
ifdef(`inetd.te', `
allow inetd_t printer_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
')
# write to spool
allow cupsd_t var_spool_t:dir search;
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
allow cupsd_t cupsd_etc_t:file setattr;
allow cupsd_t cupsd_etc_t:dir setattr;
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
can_exec(cupsd_t, initrc_exec_t)
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t self:file { getattr read };
read_sysctl(cupsd_t)
allow cupsd_t sysctl_dev_t:dir search;
allow cupsd_t sysctl_dev_t:file { getattr read };
# for /etc/printcap
dontaudit cupsd_t etc_t:file write;
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:fifo_file rw_file_perms;
# Use capabilities.
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
dontaudit cupsd_t self:capability net_admin;
allow cupsd_t self:process setsched;
# for /var/lib/defoma
allow cupsd_t var_lib_t:dir search;
r_dir_file(cupsd_t, readable_t)
# Bind to the cups/ipp port (631).
allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
can_tcp_connect(web_client_domain, cupsd_t)
can_tcp_connect(cupsd_t, cupsd_t)
# Send to portmap.
ifdef(`portmap.te', `
can_udp_send(cupsd_t, portmap_t)
can_udp_send(portmap_t, cupsd_t)
')
# Write to /var/spool/cups.
allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
allow cupsd_t print_spool_t:file create_file_perms;
allow cupsd_t print_spool_t:file rw_file_perms;
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow cupsd_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_t bin_t:lnk_file read;
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
r_dir_file(cupsd_t, fonts_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
# read python modules
allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
#
# lots of errors generated requiring the following
#
allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
#
# Satisfy readahead
#
allow initrc_t cupsd_log_t:file { getattr read };
r_dir_file(cupsd_t, var_t)
r_dir_file(cupsd_t, usercanread)
ifdef(`samba.te', `
rw_dir_file(cupsd_t, samba_var_t)
allow smbd_t cupsd_etc_t:dir search;
')
ifdef(`pam.te', `
dontaudit cupsd_t pam_var_run_t:file { getattr read };
')
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
allow ptal_t ptal_var_run_t:sock_file create_file_perms;
allow ptal_t self:capability chown;
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file { ioctl read write };
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
r_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
allow cupsd_t ptal_var_run_t:dir search;
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink;
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
allow cupsd_t printconf_t:file { getattr read };
dbusd_client(system, cupsd)
ifdef(`hald.te', `
# CUPS configuration daemon
daemon_domain(cupsd_config)
allow cupsd_config_t devpts_t:dir search;
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat
allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
allow cupsd_config_t self:file { getattr read };
allow cupsd_config_t proc_t:file { getattr read };
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
can_ps(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:capability chown;
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
can_network_tcp(cupsd_config_t)
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
allow cupsd_t system_dbusd_t:dbus send_msg;
allow userdomain cupsd_config_t:dbus send_msg;
allow cupsd_config_t hald_t:dbus send_msg;
allow hald_t cupsd_config_t:dbus send_msg;
allow cupsd_t userdomain:dbus send_msg;
allow cupsd_t hald_t:dbus send_msg;
allow hald_t cupsd_t:dbus send_msg;
')dnl end if dbusd.te
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
can_exec(cupsd_config_t, hostname_exec_t)
')
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
# killall causes the following
dontaudit cupsd_config_t domain:dir { getattr search };
dontaudit cupsd_config_t selinux_config_t:dir search;
can_exec(cupsd_config_t, cupsd_config_exec_t)
allow cupsd_config_t usr_t:file { getattr read };
allow cupsd_config_t var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
allow cupsd_config_t crond_t:fifo_file read;
allow cupsd_t crond_t:fifo_file read;
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
') dnl end if hald.te
ifdef(`targeted_policy', `
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
')
ifdef(`targeted_policy', `
allow cupsd_t unconfined_t:dbus send_msg;
')
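Review bot: `dbusd_client(system, cupsd)` just before `ifdef(`hald.te'` and `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the cupsd_config block are unguarded, while the same types are wrapped in `ifdef(`dbusd.te'` and `ifdef(`rpm.te'` (the latter nested under distro_redhat) elsewhere in this file; a build without dbusd.te or rpm.te will trip over the undeclared types, and the rpm line is an exact duplicate of the guarded one. Move both inside their ifdefs or drop the guards consistently. Separately, the entire cupsd_config domain, from `daemon_domain(cupsd_config)` through `allow cupsd_config_t initrc_exec_t:file getattr;`, sits inside `ifdef(`hald.te'` although only `domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)` and the dbus rules need hald_t, so a system without hald gets no domain for the config daemon at all. The `temporary solution` comment on `allow cupsd_t serial_device:chr_file rw_file_perms;` and the `not ideal` comment on the cupsd_etc_t setattr rules should say what the intended fix is, and the two back-to-back `ifdef(`targeted_policy'` blocks at the end can be merged.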


@ -0,0 +1,47 @@
#DESC cyrus-imapd
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# cyrusd_exec_t is the type of the cyrusd executable.
# cyrusd_key_t is the type of the cyrus private key files
daemon_domain(cyrus)
general_domain_access(cyrus_t)
file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
type cyrus_var_lib_t, file_type, sysadmfile;
allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow cyrus_t self:process setrlimit;
allow initrc_su_t cyrus_var_lib_t:dir search;
can_network(cyrus_t)
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
allow cyrus_t etc_t:file { getattr read };
allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
read_locale(cyrus_t)
read_sysctl(cyrus_t)
tmp_domain(cyrus)
ifdef(`use_pop', `
allow cyrus_t pop_port_t:tcp_socket name_bind;
')
allow cyrus_t proc_t:dir search;
allow cyrus_t proc_t:file { getattr read };
allow cyrus_t sysadm_devpts_t:chr_file { read write };
allow cyrus_t staff_t:fd use;
allow cyrus_t var_lib_t:dir search;
allow cyrus_t etc_runtime_t:file { read getattr };
ifdef(`crond.te', `
system_crond_entry(cyrus_exec_t, cyrus_t)
allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
allow system_crond_su_t cyrus_var_lib_t:dir search;
')
allow cyrus_t mail_port_t:tcp_socket name_bind;
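Review bot: the header comment names `cyrusd_exec_t` and `cyrusd_key_t`, but `daemon_domain(cyrus)` creates cyrus_exec_t, and no key type is declared anywhere in the file; fix the names and either add the key type or drop that line. `allow cyrus_t sysadm_devpts_t:chr_file { read write };` and `allow cyrus_t staff_t:fd use;` hand a network-facing daemon the administrator's terminal and staff-domain descriptors; if these only arise when it is started by hand from a shell, a dontaudit is the usual choice so the daemon does not keep a handle on a user's tty.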


@ -0,0 +1,14 @@
#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the dbskkd_t domain.
#
# dbskkd_exec_t is the type of the dbskkd executable.
#
# Depends: inetd.te
inetd_child_domain(dbskkd)


@ -0,0 +1,20 @@
#DESC dbus-daemon-1 server for dbus desktop bus protocol
#
# Author: Russell Coker <russell@coker.com.au>
dbusd_domain(system)
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
ifdef(`pamconsole.te', `
r_dir_file(system_dbusd_t, pam_var_console_t)
')
# dac_override: /var/run/dbus is owned by messagebus on Debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
can_ypbind(system_dbusd_t)
# I expect we need more than this
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };


@ -0,0 +1,146 @@
#DESC DHCPC - DHCP client
#
# Authors: Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pump dhcp-client udhcpc
#
#################################
#
# Rules for the dhcpc_t domain.
#
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
# network configurator daemon started by /etc/sysconfig/network-scripts
# rc scripts, runs in this domain.
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
type dhcpc_port_t, port_type, reserved_port_type;
daemon_domain(dhcpc)
# for SSP
allow dhcpc_t urandom_device_t:chr_file read;
can_network(dhcpc_t)
can_ypbind(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t devpts_t:dir search;
# for localization
allow dhcpc_t lib_t:file { getattr read };
ifdef(`consoletype.te', `
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
')
ifdef(`nscd.te', `
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
')
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
')
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
ifdef(`hotplug.te', `
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
') dnl end if ping
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
')
type dhcpc_state_t, file_type, sysadmfile;
allow dhcpc_t etc_t:lnk_file read;
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
allow dhcpc_t proc_net_t:dir search;
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
allow dhcpc_t self:file { getattr read };
read_sysctl(dhcpc_t)
allow dhcpc_t userdomain:fd use;
ifdef(`run_init.te', `
allow dhcpc_t run_init_t:fd use;
')
# Use capabilities
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
# for udp port 68
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
# Allow access to the dhcpc file types
r_dir_file(dhcpc_t, dhcp_etc_t)
allow dhcpc_t sbin_t:dir search;
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
ifdef(`distro_redhat', `
can_exec(dhcpc_t, etc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
ifdef(`ifconfig.te', `
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
tmp_domain(dhcpc)
# Allow dhcpc_t to use packet sockets
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
allow dhcpc_t bin_t:dir search;
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })
ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
allow dhcpc_t { userdomain kernel_t }:fd use;
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
#
# dhclient sometimes starts ypbind and ntdp
#
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')
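Review bot: `can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })` turns dhcp_etc_t, declared above as a `usercanread` configuration type, into executable code for a domain holding net_admin and net_raw, while `allow hotplug_t dhcp_etc_t:file rw_file_perms;` and (under distro_redhat) `allow initrc_t dhcp_etc_t:file rw_file_perms;` give other domains write access to it. If the client hook scripts labelled dhcp_etc_t must be executable, give them a distinct exec type so the set of domains that can write dhcpc's code is not the set that can write its configuration. Minor: `allow dhcpc_t { userdomain kernel_t }:fd use;` repeats the earlier `allow dhcpc_t userdomain:fd use;`, and `can_exec(dhcpc_t, etc_t)` under distro_redhat allows executing any etc_t file rather than a named script type.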


@ -0,0 +1,82 @@
#DESC DHCPD - DHCP server
#
# Author: Russell Coker <russell@coker.com.au>
# based on the dhcpc_t policy from:
# Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# X-Debian-Packages: dhcp dhcp3-server
#
#################################
#
# Rules for the dhcpd_t domain.
#
# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
# server daemon rc scripts, runs in this domain.
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpd)
allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
# for UDP port 4011
ifdef(`pxe.te', `', `
type pxe_port_t, port_type;
')
allow dhcpd_t pxe_port_t:udp_socket name_bind;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
# Use the network.
can_network(dhcpd_t)
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t var_lib_t:dir search;
allow dhcpd_t devtty_t:chr_file { read write };
# Use capabilities
allow dhcpd_t self:capability { net_raw net_bind_service };
dontaudit dhcpd_t self:capability net_admin;
# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
type dhcpd_state_t, file_type, sysadmfile;
allow dhcpd_t dhcp_etc_t:file { read getattr };
allow dhcpd_t dhcp_etc_t:dir search;
file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
allow dhcpd_t etc_t:lnk_file read;
allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;
# allow to run utilities and scripts
allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
allow dhcpd_t self:fifo_file { read write getattr };
# allow reading /proc
allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
tmp_domain(dhcpd)
ifdef(`distro_gentoo', `
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
allow initrc_t dhcpd_state_t:file setattr;
')
r_dir_file(dhcpd_t, usr_t)
allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
ifdef(`named.te', `
allow dhcpd_t { named_conf_t named_zone_t }:dir search;
allow dhcpd_t dnssec_t:file { getattr read };
')
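Review bot: the header comment was carried over from dhcpc.te and is wrong for this file: `dhcpd, the DHCP server daemon rc scripts, runs in this domain` is garbled, `dhcpdd executable` should be dhcpd, and `other DHCPC related files` should read DHCPD. Also, `allow dhcpd_t dhcpd_port_t:udp_socket name_bind;` uses dhcpd_port_t with no declaration in this file, whereas pxe_port_t immediately below gets a conditional `type pxe_port_t, port_type;`; confirm dhcpd_port_t is declared in a file that is always built, or declare it here the same way.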


@ -0,0 +1,49 @@
#DESC Dictd - Dictionary daemon
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dictd
#
#################################
#
# Rules for the dictd_t domain.
#
# dictd_exec_t is the type of the dictd executable.
#
type dict_port_t, port_type;
daemon_base_domain(dictd)
type var_lib_dictd_t, file_type, sysadmfile;
etc_domain(dictd)
typealias dictd_etc_t alias etc_dictd_t;
# for checking for nscd
dontaudit dictd_t var_run_t:dir search;
# read config files
allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
read_locale(dictd_t)
allow dictd_t { var_t var_lib_t }:dir search;
allow dictd_t var_lib_dictd_t:dir r_dir_perms;
allow dictd_t var_lib_dictd_t:file r_file_perms;
allow dictd_t self:capability { setuid setgid };
allow dictd_t usr_t:file r_file_perms;
allow dictd_t self:process { setpgid fork sigchld };
allow dictd_t proc_t:file r_file_perms;
allow dictd_t dict_port_t:tcp_socket name_bind;
allow dictd_t devtty_t:chr_file rw_file_perms;
allow dictd_t self:unix_stream_socket create_stream_socket_perms;
can_network_server(dictd_t)
can_ypbind(dictd_t)
can_tcp_connect(userdomain, dictd_t)
allow dictd_t fs_t:filesystem getattr;


@ -0,0 +1,29 @@
#DESC dmesg - control kernel ring buffer
#
# Author: Dan Walsh dwalsh@redhat.com
#
# X-Debian-Packages: util-linux
#################################
#
# Rules for the dmesg_t domain.
#
# dmesg_exec_t is the type of the dmesg executable.
#
# while sysadm_t has the sys_admin capability there is no point in using
# dmesg_t when run from sysadm_t, so we use nosysadm.
#
daemon_base_domain(dmesg, , `nosysadm')
#
# Rules used for dmesg
#
allow dmesg_t self:capability sys_admin;
allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
allow dmesg_t admin_tty_type:chr_file { getattr read write };
allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
allow dmesg_t var_log_t:file { getattr write };
read_locale(dmesg_t)
# for when /usr is not mounted
dontaudit dmesg_t file_t:dir search;


@ -0,0 +1,55 @@
#DESC Dovecot POP and IMAP servers
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
daemon_domain(dovecot, `, privhome')
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
can_exec(dovecot_t, dovecot_exec_t)
type dovecot_cert_t, file_type, sysadmfile;
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
can_network_tcp(dovecot_t)
can_ypbind(dovecot_t)
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(dovecot_t, self)
allow dovecot_t etc_t:file { getattr read };
allow dovecot_t initrc_var_run_t:file getattr;
allow dovecot_t bin_t:dir { getattr search };
can_exec(dovecot_t, bin_t)
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file read;
allow dovecot_t cert_t:dir search;
allow dovecot_t dovecot_cert_t:file { getattr read };
allow dovecot_t { self proc_t }:file { getattr read };
allow dovecot_t self:fifo_file rw_file_perms;
can_kerberos(dovecot_t)
allow dovecot_t tmp_t:dir search;
rw_dir_file(dovecot_t, mail_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
allow dovecot_t var_spool_t:dir { search };
daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
allow dovecot_auth_t self:process { fork signal_perms };
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t self:fifo_file rw_file_perms;
allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
allow dovecot_auth_t etc_t:file { getattr read };
allow dovecot_auth_t { self proc_t }:file { getattr read };
read_locale(dovecot_auth_t)
read_sysctl(dovecot_auth_t)
allow dovecot_auth_t sysctl_t:dir search;
dontaudit dovecot_auth_t selinux_config_t:dir search;
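Review bot: only the password check is split out: `daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')` gives the authenticator its own domain, but the dovecot_t domain that binds pop_port_t and accepts connections is the same one that carries privhome, `dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot` and `rw_dir_file(dovecot_t, mail_spool_t)`, so the pre-authentication listener already holds all of the mailbox access. A comment on whether the login processes were considered for a further sub-domain, or why that is not feasible here, would help the next reviewer.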


@ -0,0 +1,28 @@
#DESC fetchmail - remote-mail retrieval utility
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: fetchmail
#
# Note: This policy is only required when running fetchmail in daemon mode.
#################################
#
# Rules for the fetchmail_t domain.
#
daemon_domain(fetchmail);
type fetchmail_etc_t, file_type, sysadmfile;
type fetchmail_uidl_cache_t, file_type, sysadmfile;
# misc. requirements
allow fetchmail_t self:process setrlimit;
# network-related goodies
can_network(fetchmail_t)
allow fetchmail_t self:unix_dgram_socket create_socket_perms;
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
# file access
allow fetchmail_t etc_t:file r_file_perms;
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
allow fetchmail_t mail_spool_t:dir search;
file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
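Review bot: `daemon_domain(fetchmail);` ends with a semicolon, unlike every other macro invocation in this commit; the macro expands to complete statements, so the stray `;` is at best an inconsistency and should be dropped. The DESC says the policy is only needed in daemon mode, but nothing in the file says where the transition into fetchmail_t comes from for that mode or that interactive runs stay in the caller's domain; a one-line comment would settle that for whoever reads this next.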


@ -0,0 +1,82 @@
#DESC Fingerd - Finger daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#
#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)
type fingerd_port_t, port_type, reserved_port_type;
etcdir_domain(fingerd)
typealias fingerd_etc_t alias etc_fingerd_t;
allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
log_domain(fingerd)
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')
allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;
# cfingerd runs shell scripts
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };
allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)
allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };
# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)
# for .finger, .plan. etc
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;
# for mail
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;
# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
allow fingerd_t ptyfile:chr_file getattr;
allow fingerd_t proc_t:file { read getattr };
# for date command
read_sysctl(fingerd_t)
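Review bot: `allow fingerd_t user_home_type:file { getattr read };` lets a daemon reachable from every user domain via `can_tcp_connect(userdomain, fingerd_t)` read any file of any home-directory type, and the comment `should really have a different type for .plan etc` already concedes the point; that dedicated type is worth doing before this lands, or the rule should at least be flagged as a known exposure rather than left as an aside. Also, `system_crond_entry(fingerd_exec_t, fingerd_t)` is unguarded here while cyrus.te in this same commit wraps its system_crond_entry in `ifdef(`crond.te'`; pick one convention.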


@ -0,0 +1,131 @@
#DESC firstboot
#
# Author: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#
#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')
etc_domain(firstboot)
allow firstboot_t proc_t:file r_file_perms;
allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };
domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
can_exec_any(firstboot_t)
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
allow firstboot_t etc_runtime_t:file { getattr read };
r_dir_file(firstboot_t, etc_t)
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)
allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;
allow firstboot_t etc_t:file write;
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
allow firstboot_t krb5_conf_t:file { getattr read };
allow firstboot_t net_conf_t:file { getattr read };
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
dontaudit firstboot_t shadow_t:file getattr;
role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
allow firstboot_t self:passwd rootok;
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')
allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;
allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t net_conf_t:file rw_file_perms;
allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
allow firstboot_t node_t:node { tcp_recv tcp_send };
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
can_getsecurity(firstboot_t)
dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)
allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
#
# The big hammer
#
unconfined_domain(firstboot_t)
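Review bot: `unconfined_domain(firstboot_t)` at the end makes everything above it redundant, including `dontaudit firstboot_t shadow_t:file getattr;` and the carefully scoped transitions to useradd_t, groupadd_t and sysadm_userhelper_t. Either drop the big hammer and keep the enumerated rules (fixing what then breaks), or keep it and delete the rest so nobody reading the file believes firstboot is confined; the comment should state which was chosen. Also `allow hostname_t devtty_t:chr_file { read write };` and `allow hostname_t firstboot_t:fd use;` reference hostname_t without the `ifdef(`hostname.te'` guard that dhcpc.te and cups.te use.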


@ -0,0 +1,26 @@
#DESC file system daemons
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: smartmontools
daemon_domain(fsdaemon, `, fs_domain, privmail')
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
# for config
allow fsdaemon_t etc_t:file { getattr read };
allow fsdaemon_t device_t:dir read;
allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
allow fsdaemon_t etc_runtime_t:file { getattr read };
can_exec_any(fsdaemon_t)
allow fsdaemon_t self:fifo_file rw_file_perms;
can_network_udp(fsdaemon_t)
tmp_domain(fsdaemon)
allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
dontaudit fsdaemon_t devpts_t:dir search;
allow fsdaemon_t proc_t:file { getattr read };
dontaudit system_mail_t fixed_disk_device_t:blk_file read;
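Review bot: `allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;` together with `sys_rawio sys_admin` gives a domain that also has `can_exec_any(fsdaemon_t)` and privmail write access to the raw disks. SMART queries are issued through ioctl, so check whether write is actually required and, if not, grant `{ getattr read ioctl }` instead of rw_file_perms so a misbehaving script run via can_exec_any cannot also write to the disks. `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` suggests the mail helper inherits the open disk descriptor; if so, the daemon closing it before exec would remove the need for that dontaudit.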


@ -0,0 +1,117 @@
#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#
#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
type fsadm_t, domain, privlog, fs_domain;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
allow fsadm_t sysfs_t:dir { search getattr };
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
# Read system variables in /proc/sys
read_sysctl(fsadm_t)
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
base_file_read_access(fsadm_t)
# Read /etc.
allow fsadm_t etc_t:dir r_dir_perms;
allow fsadm_t etc_t:notdevfile_class_set r_file_perms;
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;
uses_shlib(fsadm_t)
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
allow fsadm_t fs_t:filesystem getattr;
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;
# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)
# Access disk devices.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };
# Recreate /dev/cdrom.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };
# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
allow fsadm_t devpts_t:dir { getattr search };
read_locale(fsadm_t)
# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
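Review bot: the "/initrd devices" rules allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms; and allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms; grant read/write on every unlabeled object, not just device nodes under /initrd, which is far broader than the fixed_disk_device_t and removable_device_t rules above them. Please add a comment on why unlabeled_t must be included and whether write is needed, or restrict the pair to file_t.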

View File

@ -0,0 +1,116 @@
#DESC Ftpd - Ftp daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
#
#################################
#
# Rules for the ftpd_t domain
#
type ftp_port_t, port_type, reserved_port_type;
type ftp_data_port_t, port_type, reserved_port_type;
daemon_domain(ftpd, `, auth_chkpwd')
etc_domain(ftpd)
typealias ftpd_etc_t alias etc_ftpd_t;
can_network(ftpd_t)
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;
allow ftpd_t bin_t:dir search;
can_exec(ftpd_t, bin_t)
allow ftpd_t bin_t:lnk_file read;
read_sysctl(ftpd_t)
allow ftpd_t urandom_device_t:chr_file { getattr read };
ifdef(`crond.te', `
system_crond_entry(ftpd_exec_t, ftpd_t)
allow system_crond_t xferlog_t:file r_file_perms;
can_exec(ftpd_t, { sbin_t shell_exec_t })
allow ftpd_t usr_t:file { getattr read };
ifdef(`logrotate.te', `
can_exec(ftpd_t, logrotate_exec_t)
')dnl end if logrotate.te
')dnl end if crond.te
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;
# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
if (ftpd_is_daemon) {
rw_dir_create_file(ftpd_t, var_lock_t)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
# Allows it to check exec privs on daemon
allow inetd_t ftpd_exec_t:file x_file_perms;
}
ifdef(`inetd.te', `
if (!ftpd_is_daemon) {
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
# Use sockets inherited from inetd.
allow ftpd_t inetd_t:fd use;
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Send SIGCHLD to inetd on death.
allow ftpd_t inetd_t:process sigchld;
}
') dnl end inetd.te
# Access shared memory tmpfs instance.
tmpfs_domain(ftpd)
# Use capabilities.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
# Append to /var/log/wtmp.
allow ftpd_t wtmp_t:file { getattr append };
#kerberized ftp requires the following
allow ftpd_t wtmp_t:file { write lock };
# Create and modify /var/log/xferlog.
type xferlog_t, file_type, sysadmfile, logfile;
file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
can_exec(ftpd_t, ls_exec_t)
allow initrc_t ftpd_etc_t:file { getattr read };
allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
allow ftpd_t proc_t:file { getattr read };
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
dontaudit ftpd_t selinux_config_t:dir search;
allow ftpd_t autofs_t:dir search;
allow ftpd_t self:file { getattr read };
tmp_domain(ftpd)
# Allow ftp to read/write files in the user home directories.
bool ftp_home_dir false;
if (ftp_home_dir) {
# allow access to /home
allow ftpd_t home_root_t:dir { getattr search };
}
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
}
if (use_samba_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, cifs_t)
}
dontaudit ftpd_t selinux_config_t:dir search;
#
# Type for access to anon ftp
#
type ftpd_anon_t, file_type, sysadmfile, customizable;
r_dir_file(ftpd_t,ftpd_anon_t)
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
create_dir_file(ftpd_t,ftpd_anon_rw_t)
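Review bot: dontaudit ftpd_t selinux_config_t:dir search; appears twice (once after the proc_t file rule, again just before the anon ftp types); drop one. Also allow ftpd_t port_t:tcp_socket name_bind; is unconditional and uncommented, while the ftp_port_t bind is gated on ftpd_is_daemon; say what the generic port bind is for (if it is for data connections, name that) and consider whether it should sit under the same boolean.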

View File

@ -0,0 +1,17 @@
#DESC Games - Miscellaneous games
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: bsdgames
#
# type for shared data from games
type games_data_t, file_type, sysadmfile;
# domain games_t is for system operation of games, generic games daemons and
# games recovery scripts, also defines games_exec_t
daemon_domain(games,,nosysadm)
rw_dir_create_file(games_t, games_data_t)
r_dir_file(initrc_t, games_data_t)
# Everything else is in the x_client_domain macro in
# macros/program/x_client_macros.te.

View File

@ -0,0 +1,60 @@
#DESC Getty - Manage ttys
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
#
#################################
#
# Rules for the getty_t domain.
#
init_service_domain(getty, `, privfd')
etcdir_domain(getty)
typealias getty_etc_t alias etc_getty_t;
allow getty_t console_device_t:chr_file setattr;
tmp_domain(getty)
log_domain(getty)
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
allow getty_t etc_t:lnk_file read;
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
# to allow w to display everyone...
bool user_ttyfile_stat false;
if (user_ttyfile_stat) {
allow userdomain ttyfile:chr_file getattr;
}
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
# fbgetty needs fsetid for some reason
#allow getty_t self:capability fsetid;
read_locale(getty_t)
# Run login in local_login_t domain.
allow getty_t bin_t:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
allow getty_t { var_t var_run_t }:dir search;
allow getty_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow getty_t wtmp_t:file rw_file_perms;
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
# for error condition handling
allow getty_t fs_t:filesystem getattr;
rw_dir_create_file(getty_t, var_lock_t)
r_dir_file(getty_t, sysfs_t)
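Review bot: the user_ttyfile_stat boolean and its rule allow userdomain ttyfile:chr_file getattr; govern userdomain, not getty_t, so they do not belong in getty.te; move them (with the "to allow w to display everyone" comment) next to the user domain definitions or the tty macros, where someone auditing what userdomain can do on ttys will look for them.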

View File

@ -0,0 +1,11 @@
#DESC Gnome Terminal - Helper program for GNOME x-terms
#
# Domains for the gnome-pty-helper program.
# X-Debian-Packages: gnome-terminal
#
# Type for the gnome-pty-helper executable.
type gph_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the gph_domain macro in
# macros/program/gph_macros.te.

View File

@ -0,0 +1,13 @@
#DESC gpg-agent - agent to securely store gpg-keys
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Type for the gpg-agent executable.
type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
# type for the pinentry executable
type pinentry_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in the gpg_agent_domain macro in
# macros/program/gpg_agent_macros.te.

View File

@ -0,0 +1,18 @@
#DESC GPG - Gnu Privacy Guard (PGP replacement)
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: gnupg
#
# Type for gpg or pgp executables.
type gpg_exec_t, file_type, sysadmfile, exec_type;
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
# Allow gpg exec stack
bool allow_gpg_execstack false;
# Everything else is in the gpg_domain macro in
# macros/program/gpg_macros.te.
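Review bot: allow_gpg_execstack is declared here but no if block in this file uses it, and the two allow sysadm_gpg_t rules refer to a domain this file does not define; extend the closing comment to say that both the boolean and sysadm_gpg_t are consumed by gpg_domain in macros/program/gpg_macros.te, otherwise the boolean reads as dead.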

View File

@ -0,0 +1,45 @@
#DESC Gpm - General Purpose Mouse driver
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: gpm
#
#################################
#
# Rules for the gpm_t domain.
#
# gpm_t is the domain of the console mouse server.
# gpm_exec_t is the type of the console mouse server program.
# gpmctl_t is the type of the Unix domain socket or pipe created
# by the console mouse server.
#
daemon_domain(gpm)
type gpmctl_t, file_type, sysadmfile, dev_fs;
tmp_domain(gpm)
# Allow to read the /etc/gpm/ conf files
type gpm_conf_t, file_type, sysadmfile;
r_dir_file(gpm_t, gpm_conf_t)
# Use capabilities.
allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
# Create and bind to /dev/gpmctl.
file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
allow gpm_t self:unix_dgram_socket create_socket_perms;
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
# Read and write ttys.
allow gpm_t tty_device_t:chr_file rw_file_perms;
# Access the mouse.
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
allow gpm_t device_t:lnk_file { getattr read };
read_locale(gpm_t)
allow initrc_t gpmctl_t:sock_file setattr;
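Review bot: allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config }; carries only the generic "Use capabilities." comment; dac_override and sys_admin are the ones that matter for a console mouse daemon and each should have a reason (compare hwclock.te, which notes that dac_override is a surprise but required). If setuid is only there so gpm can drop privileges after opening the device, say so.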

View File

@ -0,0 +1,74 @@
#DESC hald - server for device info
#
# Author: Russell Coker <rcoker@redhat.com>
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
daemon_domain(hald, `, fs_domain, nscd_client_domain')
can_exec_any(hald_t)
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket create_stream_socket_perms;
allow hald_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')
allow hald_t { self proc_t }:file { getattr read };
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
can_network_server(hald_t)
can_ypbind(hald_t)
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t udev_tbl_t:file { getattr read };
')
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
allow hald_t usbfs_t:dir search;
allow hald_t usbfs_t:file { getattr read };
allow hald_t bin_t:lnk_file read;
r_dir_file(hald_t, { selinux_config_t default_context_t } )
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
allow hald_t etc_runtime_t:file rw_file_perms;
allow hald_t var_lib_t:dir search;
allow hald_t device_t:dir create_dir_perms;
allow hald_t device_t:chr_file create_file_perms;
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
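Review bot: allow hald_t device_t:dir create_dir_perms; and allow hald_t device_t:chr_file create_file_perms; (together with mknod in the capability set) let hald create device nodes, but there is no file_type_auto_trans for them, so any node it creates stays device_t rather than the specific types the rest of the policy keys on (fixed_disk_device_t, removable_device_t, event_device_t, printer_device_t). Either add the transition or note where the relabeling happens. can_exec_any(hald_t) near the top also deserves a comment, and the X-Debian-Packages: field is empty.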

View File

@ -0,0 +1,28 @@
#DESC hostname - show or set the system host name
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hostname
# for setting the hostname
daemon_base_domain(hostname, , nosysadm)
role sysadm_r types hostname_t;
allow hostname_t self:capability sys_admin;
allow hostname_t etc_t:file { getattr read };
allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write };
read_locale(hostname_t)
can_resolve(hostname_t)
allow hostname_t userdomain:fd use;
dontaudit hostname_t kernel_t:fd use;
allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
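Review bot: the comment "# for setting the hostname" sits above daemon_base_domain(hostname, , nosysadm) but describes the allow hostname_t self:capability sys_admin; rule two lines later; move it there. The dontaudit hostname_t kernel_t:fd use; and allow hostname_t userdomain:fd use; rules would also benefit from a note on which callers pass descriptors into this domain.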

View File

@ -0,0 +1,163 @@
#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
', `
daemon_domain(hotplug, `, privmodule')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process sigchld;
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod };
allow hotplug_t sysfs_t:dir { getattr read search };
allow hotplug_t sysfs_t:file { getattr read };
allow hotplug_t sysfs_t:lnk_file { getattr read };
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
ifdef(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
allow restorecon_t hotplug_t:fd use;
ifdef(`unlimitedUtils', `
unconfined_domain(hotplug_t)
')
allow kernel_t hotplug_etc_t:dir search;
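Review bot: allow hotplug_t udev_runtime_t:file rw_file_perms; references a udev type outside the ifdef(`udev.te', ...) guard that protects the other udev rules (the domain_auto_trans to udev_t and the udev_tbl_t read), so the build breaks when udev.te is not selected; wrap it in the same guard. The same check applies to allow restorecon_t hotplug_t:fd use; near the end. Separately, under unlimitedUtils the file both stacks admin, etc_writer, fs_domain, privmem, auth_write and friends onto daemon_domain and then calls unconfined_domain(hotplug_t), which makes the attribute list redundant.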

View File

@ -0,0 +1,22 @@
#DESC howl - port of Apple Rendezvous multicast DNS
#
# Author: Russell Coker <rcoker@redhat.com>
#
daemon_domain(howl)
r_dir_file(howl_t, proc_net_t)
can_network_server(howl_t)
can_ypbind(howl_t)
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t self:capability { kill net_admin sys_module };
allow howl_t self:fifo_file rw_file_perms;
type howl_port_t, port_type;
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t etc_t:file { getattr read };
allow howl_t initrc_var_run_t:file rw_file_perms;
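Review bot: allow howl_t self:unix_dgram_socket create_socket_perms; is listed twice (right after can_ypbind and again after the port name_bind rule); drop one. The capability set { kill net_admin sys_module } grants sys_module to a multicast DNS responder with no comment; if the daemon merely probes for modules, a dontaudit in the form of hotplug.te's "for lsmod" rule is the safer choice.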

View File

@ -0,0 +1,49 @@
#DESC Hwclock - Hardware clock manager
#
# Author: David A. Wheeler <dwheeler@ida.org>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: util-linux
#
#################################
#
# Rules for the hwclock_t domain.
# This domain moves time information between the "hardware clock"
# (which runs when the system is off) and the "system clock",
# and it stores adjustment values in /etc/adjtime so that errors in the
# hardware clock are corrected.
# Note that any errors from this domain are NOT recorded by the system logger,
# because the system logger isnt running when this domain is active.
#
daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
type adjtime_t, file_type, sysadmfile;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
')
allow hwclock_t fs_t:filesystem getattr;
read_locale(hwclock_t)
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
# Allow hwclock to set the hardware clock.
allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { setattr rw_file_perms };
# Read and write console and ttys.
allow hwclock_t tty_device_t:chr_file rw_file_perms;
allow hwclock_t ttyfile:chr_file rw_file_perms;
allow hwclock_t ptyfile:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
read_locale(hwclock_t)
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
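Review bot: read_locale(hwclock_t) is invoked twice (once after the fs_t getattr rule, again after the gnome-pty-helper line); drop one. Otherwise the per-capability comments in this file are the model the other domains in this commit should follow.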

View File

@ -0,0 +1,29 @@
# i18n_input.te
# Security Policy for IIIMF htt server
# Date: 2004, 12th April (Monday)
# Types for server port
type i18n_input_port_t, port_type;
# Establish i18n_input as a daemon
daemon_domain(i18n_input)
can_exec(i18n_input_t, i18n_input_exec_t)
can_network(i18n_input_t)
can_ypbind(i18n_input_t)
can_tcp_connect(userdomain, i18n_input_t)
allow i18n_input_t self:fifo_file rw_file_perms;
allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
allow i18n_input_t self:capability { kill setgid setuid };
allow i18n_input_t self:process { setsched setpgid };
allow i18n_input_t { bin_t sbin_t }:dir search;
allow i18n_input_t etc_t:file r_file_perms;
allow i18n_input_t self:unix_dgram_socket create_socket_perms;
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
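Review bot: the header does not follow the convention used by every other file in this commit: there is no "#DESC" line, no "Author:" line and no "X-Debian-Packages:" line, only "# i18n_input.te" and a date. Bring it in line with, for example, hostname.te. Also allow i18n_input_t self:capability { kill setgid setuid }; has no comment on why kill is needed.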

View File

@ -0,0 +1,68 @@
#DESC Ifconfig - Configure network interfaces
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: net-tools
#
#################################
#
# Rules for the ifconfig_t domain.
#
# ifconfig_t is the domain for the ifconfig program.
# ifconfig_exec_t is the type of the corresponding program.
#
type ifconfig_t, domain, privlog, privmodule;
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
role system_r types ifconfig_t;
role sysadm_r types ifconfig_t;
uses_shlib(ifconfig_t)
general_domain_access(ifconfig_t)
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
allow ifconfig_t etc_t:file { getattr read };
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
allow ifconfig_t self:capability net_admin;
dontaudit ifconfig_t self:capability sys_module;
# Inherit and use descriptors from init.
allow ifconfig_t { kernel_t init_t }:fd use;
# Access /proc
r_dir_file(ifconfig_t, proc_t)
r_dir_file(ifconfig_t, proc_net_t)
allow ifconfig_t privfd:fd use;
allow ifconfig_t run_init_t:fd use;
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
# see the denials.
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
allow ifconfig_t fs_t:filesystem getattr;
read_locale(ifconfig_t)
allow ifconfig_t lib_t:file { getattr read };
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
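Review bot: rhgb_domain(ifconfig_t) is called unconditionally, whereas init.te wraps its rhgb rules in ifdef(`rhgb.te', ...); confirm the macro is defined when rhgb.te is not part of the build, or guard it the same way. allow ifconfig_t self:socket create_socket_perms; on the generic socket class and allow ifconfig_t tun_tap_device_t:chr_file { read write }; also lack a comment saying which tool needs them.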

View File

@ -0,0 +1,68 @@
#DESC Inetd - Internet services daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
#
#################################
#
# Rules for the inetd_t domain and
# the inetd_child_t domain.
#
type biff_port_t, port_type, reserved_port_type;
#################################
#
# Rules for the inetd_t domain.
#
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
can_network(inetd_t)
allow inetd_t self:unix_dgram_socket create_socket_perms;
allow inetd_t self:unix_stream_socket create_socket_perms;
allow inetd_t self:fifo_file rw_file_perms;
allow inetd_t etc_t:file { getattr read ioctl };
allow inetd_t self:process setsched;
log_domain(inetd)
tmp_domain(inetd)
# Use capabilities.
allow inetd_t self:capability { setuid setgid net_bind_service };
# allow any domain to connect to inetd
can_tcp_connect(userdomain, inetd_t)
# Run each daemon with a defined domain in its own domain.
# These rules have been moved to the individual target domain .te files.
# Run other daemons in the inetd_child_t domain.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;
# Bind to the telnet, ftp, rlogin and rsh ports.
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
')
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
inetd_child_domain(inetd_child)
allow inetd_child_t proc_net_t:dir search;
allow inetd_child_t proc_net_t:file { getattr read };
ifdef(`unconfined.te', `
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
')
ifdef(`unlimitedInetd', `
unconfined_domain(inetd_t)
')
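Review bot: the comment "# Bind to the telnet, ftp, rlogin and rsh ports." no longer matches the rules under it, which only cover ftp_port_t, rsh_port_t and the talk ports; update it, or say the rest moved to the per-service .te files as the earlier comment about target domains does. Under unlimitedInetd the daemon_domain call adds admin, etc_writer, fs_domain, auth_write and privmem and the file then also calls unconfined_domain(inetd_t), so one of the two is redundant.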

View File

@ -0,0 +1,147 @@
#DESC Init - Process initialization
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit
#
#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };
# for mount points
allow init_t file_t:dir search;
# Use capabilities.
allow init_t self:capability ~sys_module;
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
# Run init.
can_exec(init_t, init_exec_t)
# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')
# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')
# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
# For /var/run/shutdown.pid.
var_run_domain(init)
# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
# Kill all processes.
allow init_t domain:process signal_perms;
# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;
# for loading policy
allow init_t policy_config_t:file r_file_perms;
# Set booleans.
can_setbool(init_t)
# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;
# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')
# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
ifdef(`rhgb.te', `
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
')
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
typeattribute init_t unrestricted;
')
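Review bot: uses_shlib(init_t); carries a trailing semicolon while the other macro invocations in this commit are written without one (uses_shlib(fsadm_t), uses_shlib(ifconfig_t)); drop it for consistency. allow init_t self:capability ~sys_module; grants every capability, including any added in future policy versions; a comment explaining why an explicit list is not used would help the next reader.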

View File

@ -0,0 +1,311 @@
#DESC Initrc - System initialization scripts
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit policycoreutils
#
#################################
#
# Rules for the initrc_t domain.
#
# initrc_t is the domain of the init rc scripts.
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
role system_r types initrc_t;
uses_shlib(initrc_t);
can_network(initrc_t)
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;
# for halt to down interfaces
allow initrc_t self:udp_socket create_socket_perms;
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
read_locale(initrc_t)
r_dir_file(initrc_t, usr_t)
# Read system information files in /proc.
r_dir_file(initrc_t, { proc_t proc_net_t })
allow initrc_t proc_mdstat_t:file { getattr read };
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;
# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files. Permit stating of the
# device nodes, but nothing else.
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
allow initrc_t usbfs_t:dir r_dir_perms;
allow initrc_t usbfs_t:file getattr;
# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
# Can create ptys for open_init_pty
can_create_pty(initrc)
tmp_domain(initrc)
var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
allow initrc_t var_run_t:dir { create rmdir };
ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')
allow initrc_t framebuf_device_t:chr_file r_file_perms;
# Use capabilities.
allow initrc_t self:capability ~{ sys_admin sys_module };
# Use system operations.
allow initrc_t kernel_t:system *;
# Set values in /proc/sys.
can_sysctl(initrc_t)
# Run helper programs in the initrc_t domain.
allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
allow initrc_t {bin_t sbin_t }:lnk_file read;
can_exec(initrc_t, etc_t)
can_exec(initrc_t, lib_t)
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
#
# These rules are here to allow init scripts to su
#
ifdef(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
allow initrc_t self:passwd rootok;
# read /lib/modules
allow initrc_t modules_object_t:dir { search read };
# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;
# Run other rc scripts in the initrc_t domain.
can_exec(initrc_t, initrc_exec_t)
# Run init (telinit) in the initrc_t domain.
can_exec(initrc_t, init_exec_t)
# Communicate with the init process.
allow initrc_t initctl_t:fifo_file rw_file_perms;
# Read /proc/PID directories for all domains.
r_dir_file(initrc_t, domain)
allow initrc_t domain:process { getattr getsession };
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
allow initrc_t var_log_t:file { setattr rw_file_perms };
allow initrc_t lastlog_t:file { setattr rw_file_perms };
allow initrc_t logfile:file { read append };
# remove old locks
allow initrc_t lockfile:dir rw_dir_perms;
allow initrc_t lockfile:file { getattr unlink };
# Access /var/lib/random-seed.
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;
# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;
# Set the clock.
allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
# Kill all processes.
allow initrc_t domain:process signal_perms;
# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };
# Write to /dev/urandom.
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
# for cryptsetup
allow initrc_t fixed_disk_device_t:blk_file getattr;
# Set device ownerships/modes.
allow initrc_t framebuf_device_t:chr_file setattr;
allow initrc_t misc_device_t:devfile_class_set setattr;
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
allow initrc_t device_t:lnk_file read;
allow initrc_t xconsole_device_t:fifo_file setattr;
# Stat any file.
allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };
# Read and write console and ttys.
allow initrc_t devtty_t:chr_file rw_file_perms;
allow initrc_t console_device_t:chr_file rw_file_perms;
allow initrc_t tty_device_t:chr_file rw_file_perms;
allow initrc_t ttyfile:chr_file rw_file_perms;
allow initrc_t ptyfile:chr_file rw_file_perms;
# Reset tty labels.
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;
ifdef(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;
ifdef(`distro_redhat', `
# Allow initrc domain to set the enforcing flag.
can_setenforce(initrc_t)
')
#
# readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };
# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
allow initrc_t var_spool_t:file rw_file_perms;
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;
# Access sound device and files.
allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;
# for system start scripts
allow initrc_t pidfile:dir rw_dir_perms;
allow initrc_t pidfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)
# allow start scripts to clean /tmp
allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
dontaudit initrc_t proc_kmsg_t:file getattr;
#################################
#
# Rules for the run_init_t domain.
#
ifdef(`targeted_policy', `
type run_init_exec_t, file_type, sysadmfile, exec_type;
type run_init_t, domain;
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
allow initrc_t privfd:fd use;
# Transition to system_r:initrc_t upon executing init scripts.
ifdef(`direct_sysadm_daemon', `
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
')
#
# Shutting down xinet causes these
#
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
allow initrc_t sysfs_t:dir { getattr read search };
allow initrc_t sysfs_t:file { getattr read write };
allow initrc_t sysfs_t:lnk_file { getattr read };
allow initrc_t udev_runtime_t:file rw_file_perms;
allow initrc_t device_type:chr_file setattr;
allow initrc_t binfmt_misc_fs_t:dir { getattr search };
allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
# for lsof in shutdown scripts
can_kerberos(initrc_t)
#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;
r_dir_file(initrc_t,selinux_config_t)
ifdef(`distro_redhat', `
#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
')
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
#
# initrc script does a cat /selinux/enforce
#
allow initrc_t security_t:dir { getattr search };
allow initrc_t security_t:file { getattr read };
# init script state
type initrc_state_t, file_type, sysadmfile;
create_dir_file(initrc_t,initrc_state_t)
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
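Review bot: the inner ifdef(`distro_redhat' guarding `can_setenforce(initrc_t)` is nested inside the outer ifdef(`distro_redhat' that begins at `# Create and read /boot/kernel.h and /boot/System.map.`, so the inner test is always true there; drop it and leave can_setenforce in the outer block. The header comment `# initrc_exec_t is the type of the init program.` is also wrong: init_exec_t is the init binary (see `can_exec(initrc_t, init_exec_t)`), while initrc_exec_t labels the rc scripts, so reword it. Worth a comment as well is `can_exec(initrc_t, exec_type)`, which lets initrc_t run every entrypoint type in the policy without a transition: any daemon that lacks a domain_auto_trans from initrc_t then keeps the `~{ sys_admin sys_module }` capability set and `kernel_t:system *` granted above, which is exactly the hazard the comment above `allow initrc_t admin_tty_type:chr_file rw_file_perms;` warns about.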

@ -0,0 +1,81 @@
#DESC INN - InterNetNews server
#
# Author: Faye Coker <faye@lurking-grue.org>
# X-Debian-Packages: inn
#
################################
# Types for the server port and news spool.
#
type innd_port_t, port_type, reserved_port_type;
type news_spool_t, file_type, sysadmfile;
# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')
# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)
# allow user domains to read files and directories these types
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
can_exec(initrc_t, innd_etc_t)
can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')
allow innd_t var_spool_t:dir { getattr search };
can_network(innd_t)
can_ypbind(innd_t)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)
allow innd_t self:fifo_file rw_file_perms;
allow innd_t innd_port_t:tcp_socket name_bind;
allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;
allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;
allow innd_t innd_var_run_t:sock_file create_file_perms;
# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
etcdir_domain(innd)
# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)
# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)
ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
allow system_crond_t innd_etc_t:file { getattr read };
rw_dir_create_file(system_crond_t, innd_log_t)
rw_dir_create_file(system_crond_t, innd_var_run_t)
')
ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file create_file_perms;
')
allow innd_t self:file { getattr read };
dontaudit innd_t selinux_config_t:dir { search };
allow system_crond_t innd_etc_t:file { getattr read };
allow innd_t bin_t:lnk_file { read };
allow innd_t sbin_t:lnk_file { read };
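Review bot: `allow system_crond_t innd_etc_t:file { getattr read };` near the end duplicates the identical rule inside the ifdef(`crond.te' block and, sitting outside that guard, references system_crond_t even when crond.te is not part of the build, which fails at compile time in that configuration; delete the unguarded copy. Also `can_exec(initrc_t, innd_etc_t)` makes the whole tree described by `# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)?` executable by initrc_t; if only one init-time script there needs it, give that script its own exec type.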

@ -0,0 +1,229 @@
#DESC ipsec - TCP/IP encryption
#
# Authors: Mark Westerman mark.westerman@westcam.com
# massively butchered by paul krumviede <pwk@acm.org>
# further massaged by Chris Vance <cvance@tislabs.com>
# X-Debian-Packages: freeswan
#
########################################
#
# Rules for the ipsec_t domain.
#
# a domain for things that need access to the PF_KEY socket
daemon_base_domain(ipsec, `, privlog')
# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t, file_type, sysadmfile;
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t, file_type, sysadmfile;
# type for runtime files, including pluto.ctl
# lots of strange stuff for the ipsec_var_run_t - need to check it
var_run_domain(ipsec)
type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
allow ipsec_mgmt_t modules_object_t:dir search;
allow ipsec_mgmt_t modules_object_t:file getattr;
allow ipsec_t self:capability { net_admin net_bind_service };
allow ipsec_t self:process signal;
allow ipsec_t etc_t:lnk_file read;
domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
# Inherit and use descriptors from init.
# allow access (for, e.g., klipsdebug) to console
allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
# I do not know where this pesky pipe is...
allow ipsec_t initrc_t:fifo_file write;
r_dir_file(ipsec_t, ipsec_conf_file_t)
r_dir_file(ipsec_t, ipsec_key_file_t)
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
allow ipsec_t self:key_socket { create write read setopt };
# for lsof
allow sysadm_t ipsec_t:key_socket getattr;
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
can_exec(ipsec_mgmt_t, bin_t)
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
# also need to run things like whack and shell scripts
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
can_exec(ipsec_mgmt_t, shell_exec_t)
can_exec(ipsec_t, shell_exec_t)
can_exec(ipsec_t, bin_t)
can_exec(ipsec_t, ipsec_mgmt_exec_t)
# now for a icky part...
# pluto runs an updown script (by calling popen()!); as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
# the default updown script wants to run route
can_exec(ipsec_mgmt_t, sbin_t)
allow ipsec_mgmt_t sbin_t:lnk_file read;
allow ipsec_mgmt_t self:capability { net_admin dac_override };
# need access to /proc/sys/net/ipsec/icmp
allow ipsec_mgmt_t sysctl_t:file write;
allow ipsec_mgmt_t sysctl_net_t:dir search;
allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
# whack needs to be able to read/write pluto.ctl
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
# and it wants to connect to a socket...
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
can_exec(sysadm_t, ipsec_mgmt_exec_t)
allow sysadm_t ipsec_t:unix_stream_socket connectto;
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
allow ipsec_mgmt_t boot_t:dir search;
allow ipsec_mgmt_t system_map_t:file { read getattr };
# denials when ps tries to search /proc. Do not audit these denials.
dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
# suppress audit messages about unnecessary socket access
dontaudit ipsec_mgmt_t domain:key_socket { read write };
dontaudit ipsec_mgmt_t domain:udp_socket { read write };
# from rbac
role system_r types { ipsec_t ipsec_mgmt_t };
# from initrc.te
domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
########## The following rules were added by cvance@tislabs.com ##########
# allow pluto and startup scripts to access /dev/urandom
allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
# allow pluto to access /proc/net/ipsec_eroute;
general_proc_read_access(ipsec_t)
general_proc_read_access(ipsec_mgmt_t)
# allow pluto to search the root directory (not sure why, but mostly harmless)
# Are these all really necessary?
allow ipsec_t var_t:dir search;
allow ipsec_t bin_t:dir search;
allow ipsec_t device_t:dir { getattr search };
allow ipsec_mgmt_t device_t:dir { getattr search read };
dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
dontaudit ipsec_mgmt_t devpts_t:dir getattr;
allow ipsec_mgmt_t etc_t:lnk_file read;
allow ipsec_mgmt_t var_t:dir search;
allow ipsec_mgmt_t sbin_t:dir search;
allow ipsec_mgmt_t bin_t:dir search;
allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
# Startup scripts
# use libraries
uses_shlib({ ipsec_t ipsec_mgmt_t })
# Read and write /dev/tty
allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
# fork
allow ipsec_mgmt_t self:process fork;
# startup script runs /bin/gawk with a pipe
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
# read /etc/mtab Why?
allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
# read link for /bin/sh
allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
#
allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
# Allow read/write access to /var/run/pluto.ctl
allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
# Pluto needs network access
can_network_server(ipsec_t)
can_ypbind(ipsec_t)
allow ipsec_t self:unix_dgram_socket { create connect write };
# for sleep
allow ipsec_mgmt_t fs_t:filesystem getattr;
# for the start script
can_exec(ipsec_mgmt_t, etc_t)
# allow access to /etc/localtime
allow ipsec_mgmt_t etc_t:file { read getattr };
allow ipsec_t etc_t:file { read getattr };
# allow access to /dev/null
allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
allow ipsec_t null_device_t:chr_file rw_file_perms;
# Allow scripts to use /var/locl/subsys/ipsec
allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
allow ipsec_mgmt_t var_lock_t:file create_file_perms;
# allow tncfg to create sockets
allow ipsec_mgmt_t self:udp_socket { create ioctl };
#When running ipsec auto --up <conname>
allow ipsec_t self:process { fork sigchld };
allow ipsec_t self:fifo_file { read getattr };
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
allow ipsec_mgmt_t self:lnk_file read;
allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
read_locale(ipsec_mgmt_t)
var_run_domain(ipsec_mgmt)
dontaudit ipsec_mgmt_t default_t:dir getattr;
dontaudit ipsec_mgmt_t default_t:file getattr;
allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t self:key_socket { create setopt };
can_exec(ipsec_mgmt_t, initrc_exec_t)
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
read_locale(ipsec_t)
ifdef(`consoletype.te', `
can_exec(ipsec_mgmt_t, consoletype_exec_t )
')
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
allow ipsec_t self:capability { dac_override dac_read_search };
allow ipsec_t reserved_port_t:udp_socket name_bind;
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
dontaudit ipsec_mgmt_t device_t:lnk_file read;
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
rw_dir_create_file(initrc_t, ipsec_var_run_t)
allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
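Review bot: `allow ipsec_mgmt_t sysctl_t:file write;` grants write to every /proc/sys entry that carries the generic sysctl_t label, whereas the comment `# need access to /proc/sys/net/ipsec/icmp` names a net sysctl that is already covered by `allow ipsec_mgmt_t sysctl_net_t:file { write setattr };` two lines below; drop the sysctl_t rule. `can_exec(ipsec_t, shell_exec_t)` also undercuts the stated intent of `domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)` in the `# now for a icky part...` block: it lets pluto run the shell without the transition, so either remove it or note why execute_no_trans is needed. Typo in the comment `# Allow scripts to use /var/locl/subsys/ipsec` (should be /var/lock, matching the var_lock_t rules that follow).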

@ -0,0 +1,63 @@
#DESC Ipchains - IP packet filter administration
#
# Authors: Justin Smith <jsmith@mcs.drexel.edu>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ipchains iptables
#
#
# Rules for the iptables_t domain.
#
daemon_base_domain(iptables, `, privmodule')
role sysadm_r types iptables_t;
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
ifdef(`modutil.te', `
# for modprobe
allow iptables_t sbin_t:dir search;
allow iptables_t sbin_t:lnk_file read;
')
read_locale(iptables_t)
# to allow rules to be saved on reboot
allow iptables_t initrc_tmp_t:file rw_file_perms;
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
allow iptables_t var_t:dir search;
var_run_domain(iptables)
allow iptables_t self:process { fork signal_perms };
allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
allow iptables_t sysctl_modprobe_t:file { getattr read };
tmp_domain(iptables)
# for iptables -L
allow iptables_t self:unix_stream_socket create_socket_perms;
can_resolve(iptables_t)
can_ypbind(iptables_t)
allow iptables_t iptables_exec_t:file execute_no_trans;
allow iptables_t self:capability { net_admin net_raw };
allow iptables_t self:rawip_socket create_socket_perms;
allow iptables_t etc_t:file { getattr read };
allow iptables_t fs_t:filesystem getattr;
allow iptables_t { userdomain kernel_t }:fd use;
# Access terminals.
allow iptables_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
allow iptables_t proc_t:file { getattr read };
allow iptables_t proc_net_t:dir search;
allow iptables_t proc_net_t:file { read getattr };
# system-config-network appends to /var/log
allow iptables_t var_log_t:file append;
ifdef(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write;
')
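Review bot: the header `#DESC Ipchains - IP packet filter administration` names ipchains, but every rule below declares and uses iptables_t/iptables_exec_t and `# Rules for the iptables_t domain.` says so too; rename the DESC line to iptables (the X-Debian-Packages line can keep both packages). The `# for modprobe` block under ifdef(`modutil.te' only grants search/read on sbin_t, which finds modprobe but does not by itself let iptables_t run it or load modules; if that is meant to come from the privmodule attribute on the daemon_base_domain line, the comment should say so.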

@ -0,0 +1,12 @@
#DESC Irc - IRC client
#
# Domains for the irc program.
# X-Debian-Packages: tinyirc ircii
#
# irc_exec_t is the type of the irc executable.
#
type irc_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the irc_domain macro in
# macros/program/irc_macros.te.

@ -0,0 +1,15 @@
#DESC IRQBALANCE - IRQ balance daemon
#
# Author: Ulrich Drepper <drepper@redhat.com>
#
#################################
#
# Rules for the irqbalance_t domain.
#
daemon_domain(irqbalance)
# irqbalance needs access to /proc.
allow irqbalance_t proc_t:file { read getattr };
allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
allow irqbalance_t sysctl_irq_t:file rw_file_perms;

@ -0,0 +1,14 @@
#DESC Java VM
#
# Authors: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: java
#
# Type for the netscape, java or other browser executables.
type java_exec_t, file_type, sysadmfile, exec_type;
# Allow java executable stack
bool allow_java_execstack false;
# Everything else is in the java_domain macro in
# macros/program/java_macros.te.
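Review bot: the comment `# Type for the netscape, java or other browser executables.` does not match `#DESC Java VM` or the type name java_exec_t; say what java_exec_t actually labels (the JVM binaries) so the type is not applied to browsers by mistake.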

@ -0,0 +1,91 @@
#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author: Kerry Thompson <kerry@crypt.gen.nz>
# Modified by Colin Walters <walters@redhat.com>
#
#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
daemon_domain(krb5kdc)
daemon_domain(kadmind)
can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)
# types for general configuration files in /etc
type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
# types for KDC configs and principal file(s)
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
# krb5kdc and kadmind can use network
can_network_server( { krb5kdc_t kadmind_t } )
can_ypbind( { krb5kdc_t kadmind_t } )
# allow UDP transfer to/from any program
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
# Bind to the kerberos, kerberos-adm ports.
allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t reserved_port_t:tcp_socket name_bind;
dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
allow krb5kdc_t self:unix_stream_socket create_socket_perms;
allow kadmind_t self:unix_stream_socket create_socket_perms;
allow krb5kdc_t krb5kdc_conf_t:dir search;
allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t locale_t:file { getattr read };
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
tmp_domain(krb5kdc)
log_domain(krb5kdc)
allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
allow kadmind_t random_device_t:chr_file { getattr read };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t proc_t:dir r_dir_perms;
allow krb5kdc_t proc_t:file { getattr read };
#
# Rules for Kerberos5 Kadmin daemon
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t krb5kdc_conf_t:dir search;
allow kadmind_t krb5kdc_conf_t:file r_file_perms;
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
read_locale(kadmind_t)
dontaudit kadmind_t krb5kdc_conf_t:file write;
tmp_domain(kadmind)
log_domain(kadmind)
#
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
allow initrc_t krb5_conf_t:file ioctl;
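Review bot: `allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };` hands the KDC net_admin, chown, fowner and dac_override, and the comment above concedes `# Use capabilities. Surplus capabilities may be allowed.`; for the process holding the realm database each of those should be justified or removed, net_admin in particular having no obvious use for a daemon that only binds kerberos_port_t. `dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;` silences bind denials on every reserved port type, which hides a misconfigured kadmind port; since reserved_port_t is already allowed on the previous line, narrow or drop the dontaudit. The header promises `# includes rules for OpenSSH daemon compiled with both kerberos5 and SELinux support`, yet no sshd rules appear in this file and krb5_keytab_t is declared without any domain being granted access to it here; either add them or fix the header.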

@ -0,0 +1,45 @@
#DESC Klogd - Kernel log daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: klogd
#
#################################
#
# Rules for the klogd_t domain.
#
daemon_domain(klogd, `, privmem')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
allow klogd_t proc_t:lnk_file r_file_perms;
allow klogd_t proc_t:file { getattr read };
allow klogd_t self:dir r_dir_perms;
allow klogd_t self:lnk_file r_file_perms;
# read /etc/nsswitch.conf
allow klogd_t etc_t:lnk_file read;
allow klogd_t etc_t:file r_file_perms;
read_locale(klogd_t)
allow klogd_t etc_runtime_t:file { getattr read };
# Create unix sockets
allow klogd_t self:unix_dgram_socket create_socket_perms;
# Use the sys_admin and sys_rawio capabilities.
allow klogd_t self:capability { sys_admin sys_rawio };
dontaudit klogd_t self:capability sys_resource;
# Read /proc/kmsg and /dev/mem.
allow klogd_t proc_kmsg_t:file r_file_perms;
allow klogd_t memory_device_t:chr_file r_file_perms;
# Control syslog and console logging
allow klogd_t kernel_t:system { syslog_mod syslog_console };
# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
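Review bot: `allow klogd_t memory_device_t:chr_file r_file_perms;` (backed by the privmem attribute on the daemon_domain line and sys_rawio on the capability line) lets klogd read all of physical memory through /dev/mem, exposing every other process's secrets to a daemon whose job is reading /proc/kmsg; since symbol lookup is already covered by `# Read /boot/System.map*` below, the /dev/mem access should be justified in the comment or made conditional. `tmp_domain(klogd)` likewise has no comment saying what klogd writes under /tmp.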

@ -0,0 +1,14 @@
#DESC ktalkd - KDE version of the talk server
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the ktalkd_t domain.
#
# ktalkd_exec_t is the type of the ktalkd executable.
#
inetd_child_domain(ktalkd, udp)

@ -0,0 +1,102 @@
#DESC kudzu - Red Hat utility to recognise new hardware
#
# Author: Russell Coker <russell@coker.com.au>
#
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
read_locale(kudzu_t)
# for /etc/sysconfig/hwconf - probably need a new type
allow kudzu_t etc_runtime_t:file rw_file_perms;
# for kmodule
if (allow_execmem) {
allow kudzu_t self:process execmem;
}
allow kudzu_t zero_device_t:chr_file rx_file_perms;
allow kudzu_t memory_device_t:chr_file { read write execute };
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
allow kudzu_t modules_conf_t:file { getattr read };
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
allow kudzu_t { bin_t sbin_t }:lnk_file read;
read_sysctl(kudzu_t)
allow kudzu_t sysctl_dev_t:dir { getattr search read };
allow kudzu_t sysctl_dev_t:file { getattr read };
allow kudzu_t sysctl_kernel_t:file write;
allow kudzu_t usbdevfs_t:dir search;
allow kudzu_t usbdevfs_t:file { getattr read };
allow kudzu_t usbfs_t:dir search;
allow kudzu_t usbfs_t:file { getattr read };
allow kudzu_t var_t:dir search;
allow kudzu_t kernel_t:system syslog_console;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t var_lock_t:dir search;
allow kudzu_t devpts_t:dir search;
# so it can write messages to the console
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
role sysadm_r types kudzu_t;
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
ifdef(`anaconda.te', `
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
')
allow kudzu_t sysadm_home_dir_t:dir search;
rw_dir_create_file(kudzu_t, etc_t)
rw_dir_create_file(kudzu_t, mnt_t)
can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
# Read /usr/lib/gconv/gconv-modules.*
allow kudzu_t lib_t:file { read getattr };
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
allow kudzu_t usr_t:file { read getattr };
# Communicate with rhgb-client.
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
ifdef(`rhgb.te', `
allow kudzu_t rhgb_t:unix_stream_socket connectto;
')
allow kudzu_t self:file { getattr read };
allow kudzu_t self:fifo_file rw_file_perms;
ifdef(`gpm.te', `
allow kudzu_t gpmctl_t:sock_file getattr;
')
can_exec(kudzu_t, shell_exec_t)
# Write to /proc/sys/kernel/hotplug. Why?
allow kudzu_t sysctl_hotplug_t:file { read write };
allow kudzu_t sysfs_t:dir { getattr read search };
allow kudzu_t sysfs_t:file { getattr read };
allow kudzu_t sysfs_t:lnk_file read;
file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
allow kudzu_t tape_device_t:chr_file r_file_perms;
tmp_domain(kudzu, `', `{ file dir chr_file }')
# for file systems that are not yet mounted
dontaudit kudzu_t file_t:dir search;
ifdef(`lpd.te', `
allow kudzu_t printconf_t:file { getattr read };
')
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
dontaudit kudzu_t src_t:dir search;
ifdef(`xserver.te', `
allow kudzu_t xserver_exec_t:file getattr;
')
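Review bot: `allow kudzu_t memory_device_t:chr_file { read write execute };` is unconditional, while the execmem grant just above it sits behind `if (allow_execmem) {`; write on /dev/mem lets the domain alter kernel memory and execute lets it map it executable, so either place that rule behind the same boolean or extend the `# for kmodule` comment to say why hardware probing needs more than read. `rw_dir_create_file(kudzu_t, etc_t)` together with the etc_writer attribute on the daemon_base_domain line also lets kudzu create and rewrite arbitrary etc_t files, well beyond the `# for /etc/sysconfig/hwconf - probably need a new type` case the comment already flags; introducing that type would bound both rules.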

@ -0,0 +1,51 @@
#DESC Ldconfig - Configure dynamic linker bindings
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: libc6
#
#################################
#
# Rules for the ldconfig_t domain.
#
type ldconfig_t, domain, privlog, etc_writer;
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types ldconfig_t;
role system_r types ldconfig_t;
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
allow ldconfig_t userdomain:fd use;
# unlink for when /etc/ld.so.cache is mislabeled
allow ldconfig_t etc_t:file { getattr read unlink };
allow ldconfig_t etc_t:lnk_file read;
allow ldconfig_t fs_t:filesystem getattr;
allow ldconfig_t tmp_t:dir search;
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
allow ldconfig_t { var_t var_lib_t }:dir search;
allow ldconfig_t proc_t:file read;
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
');
')dnl end hide_broken_symptoms
ifdef(`targeted_policy', `
allow ldconfig_t lib_t:file r_file_perms;
unconfined_domain(ldconfig_t)
')
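Review bot: `allow ldconfig_t etc_t:file { getattr read unlink };` grants unlink on every etc_t file to handle the case named in the comment (`# unlink for when /etc/ld.so.cache is mislabeled`), which is far broader than the one mislabelled file it is meant for. The cleaner fix is to get the label right (the auto-transition to ld_so_cache_t is already declared a few rules above) and drop `unlink` here, or at least keep the workaround behind a build-time option. Two smaller points: the `');` closing the `unconfined.te` block leaves a bare `;` outside the m4 quotes that is emitted into the policy whenever hide_broken_symptoms is defined (every other ifdef block in this file closes with `')`), and `allow ldconfig_t lib_t:dir rw_dir_perms;` together with `create_lnk_perms` on lib_t symlinks deserves a comment stating that it is for the .so symlinks ldconfig rewrites.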

View File

@ -0,0 +1,61 @@
#DESC LoadPolicy - SELinux policy loading utilities
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: policycoreutils
#
###########################
# load_policy_t is the domain type for load_policy
# load_policy_exec_t is the file type for the executable
type load_policy_t, domain;
role sysadm_r types load_policy_t;
role system_r types load_policy_t;
type load_policy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
allow load_policy_t console_device_t:chr_file { read write };
# Reload the policy configuration (sysadm_t no longer has this ability)
can_loadpol(load_policy_t)
# Reset policy boolean values.
can_setbool(load_policy_t)
###########################
# constrain from where load_policy can load a policy, specifically
# policy_config_t files
#
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
# Read the devpts root directory (needed?)
allow load_policy_t devpts_t:dir r_dir_perms;
# Other access
allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
allow load_policy_t { userdomain privfd initrc_t }:fd use;
allow load_policy_t fs_t:filesystem getattr;
allow load_policy_t sysadm_tmp_t:file { getattr write } ;
read_locale(load_policy_t)
r_dir_file(load_policy_t, selinux_config_t)
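Review bot: three grants in this hunk are either undocumented or still carry an open question: `allow load_policy_t self:capability dac_override;` (why does the policy loader need to bypass DAC on files it only reads?), `allow load_policy_t sysadm_tmp_t:file { getattr write } ;` (which temp file is written, and should that be a dedicated type rather than write access to the administrator's temp files?), and `# Read the devpts root directory (needed?)` above `allow load_policy_t devpts_t:dir r_dir_perms;`. Each should be resolved with a comment or removed, since this domain holds `can_loadpol` and `can_setbool` and its footprint should be no larger than the tool needs. Cosmetic: the `;` in `{ getattr write } ;` is separated from the closing brace by a space, unlike every other rule in the file.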

View File

@ -0,0 +1,45 @@
#DESC loadkeys - for changing to unicode at login time
#
# Author: Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: console-tools
#
# loadkeys_exec_t is the type of the wrapper
#
type loadkeys_exec_t, file_type, sysadmfile, exec_type;
can_exec(initrc_t, loadkeys_exec_t)
# Derived domain based on the calling user domain and the program.
type loadkeys_t, domain;
# Transition from the user domain to this domain.
domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
uses_shlib(loadkeys_t)
dontaudit loadkeys_t proc_t:dir search;
allow loadkeys_t proc_t:file { getattr read };
allow loadkeys_t self:process { fork sigchld };
allow loadkeys_t self:fifo_file rw_file_perms;
allow loadkeys_t bin_t:dir search;
allow loadkeys_t bin_t:lnk_file read;
can_exec(loadkeys_t, { shell_exec_t bin_t })
read_locale(loadkeys_t)
dontaudit loadkeys_t etc_runtime_t:file { getattr read };
# Use capabilities.
allow loadkeys_t self:capability { setuid sys_tty_config };
allow loadkeys_t local_login_t:fd use;
allow loadkeys_t devtty_t:chr_file rw_file_perms;
# The user role is authorized for this domain.
in_user_role(loadkeys_t)
# Write to the user domain tty.
allow loadkeys_t ttyfile:chr_file rw_file_perms;
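Review bot: `domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)` lets every unprivileged user domain enter loadkeys_t, and that domain then holds `setuid` and `sys_tty_config` while `can_exec(loadkeys_t, { shell_exec_t bin_t })` runs any shell or bin_t program inside the same domain. Since the header says loadkeys_exec_t labels a wrapper, the shell access is expected, but the bin_t exec should be narrowed to the helper the wrapper actually calls, or at least documented, so the set of code that can run with those capabilities on behalf of an unprivileged user stays small. The `# Use capabilities.` comment should also say what each of the two capabilities is needed for.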

View File

@ -0,0 +1,11 @@
#DESC Lockdev - libblockdev helper application
#
# Authors: Daniel Walsh <dwalsh@redhat.com>
#
# Type for the lockdev
type lockdev_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the lockdev_domain macro in
# macros/program/lockdev_macros.te.
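Review bot: the description line `#DESC Lockdev - libblockdev helper application` does not match the type and macro names in the file (lockdev_exec_t, lockdev_domain, lockdev_macros.te); if this is the helper shipped with liblockdev the DESC should say so, otherwise the mismatch will mislead anyone searching by package name. An `# X-Debian-Packages:` line, present in the neighbouring files, is also missing here.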

View File

@ -0,0 +1,227 @@
#DESC Login - Local/remote login utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Macroised by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: login
#
#################################
#
# Rules for the local_login_t domain
# and the remote_login_t domain.
#
# $1 is the name of the domain (local or remote)
define(`login_domain', `
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
general_domain_access($1_login_t);
# Read system information files in /proc.
r_dir_file($1_login_t, proc_t)
base_file_read_access($1_login_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1_login_t readable_t:dir r_dir_perms;
allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
# Read /var, /var/spool
allow $1_login_t { var_t var_spool_t }:dir search;
# for when /var/mail is a sym-link
allow $1_login_t var_t:lnk_file read;
# Read /etc.
allow $1_login_t etc_t:dir r_dir_perms;
allow $1_login_t etc_t:notdevfile_class_set r_file_perms;
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
read_locale($1_login_t)
# for SSP/ProPolice
allow $1_login_t urandom_device_t:chr_file { getattr read };
# Read executable types.
allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow $1_login_t device_t:dir r_dir_perms;
allow $1_login_t device_t:lnk_file r_file_perms;
uses_shlib($1_login_t);
tmp_domain($1_login)
ifdef(`pam.te', `
can_exec($1_login_t, pam_exec_t)
')
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
')
# Use capabilities
allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow $1_login_t self:process setrlimit;
dontaudit $1_login_t sysfs_t:dir search;
# Set exec context.
can_setexec($1_login_t)
allow $1_login_t autofs_t:dir { search read getattr };
allow $1_login_t mnt_t:dir r_dir_perms;
if (use_nfs_home_dirs) {
r_dir_file($1_login_t, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1_login_t, cifs_t)
}
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process signull;
')
ifdef(`crack.te', `
allow $1_login_t crack_db_t:file r_file_perms;
')
# Permit login to search the user home directories.
allow $1_login_t home_root_t:dir search;
allow $1_login_t home_dir_type:dir search;
# Write to /var/run/utmp.
allow $1_login_t var_run_t:dir search;
allow $1_login_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow $1_login_t var_log_t:dir search;
allow $1_login_t wtmp_t:file rw_file_perms;
# Write to /var/log/lastlog.
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
allow $1_login_t faillog_t:file { append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
allow $1_login_t mail_spool_t:file getattr;
allow $1_login_t mail_spool_t:lnk_file read;
# Get security policy decisions.
can_getsecurity($1_login_t)
# allow read access to default_contexts in /etc/security
allow $1_login_t default_context_t:file r_file_perms;
allow $1_login_t default_context_t:dir search;
r_dir_file($1_login_t, selinux_config_t)
allow $1_login_t mouse_device_t:chr_file { getattr setattr };
ifdef(`targeted_policy',`
unconfined_domain($1_login_t)
domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
')
')dnl end login_domain macro
#################################
#
# Rules for the local_login_t domain.
#
# local_login_t is the domain of a login process
# spawned by getty.
#
# remote_login_t is the domain of a login process
# spawned by rlogind.
#
# login_exec_t is the type of the login program
#
type login_exec_t, file_type, sysadmfile, exec_type;
login_domain(local)
# But also permit other user domains to be entered by login.
login_spawn_domain(local_login, userdomain)
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
# Create lock file.
allow local_login_t var_lock_t:dir rw_dir_perms;
allow local_login_t var_lock_t:file create_file_perms;
# Read and write ttys.
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
# Relabel ttys.
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
ifdef(`gpm.te',
`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };
dontaudit local_login_t init_t:fd use;
#################################
#
# Rules for the remote_login_t domain.
#
login_domain(remote)
# Only permit unprivileged user domains to be entered via rlogin,
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
allow remote_login_t devpts_t:dir search;
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
# Relabel ptys created by rlogind.
allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
# Relabel ptys created by telnetd.
allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
')
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
allow remote_login_t fs_t:filesystem { getattr };
# Allow remote login to resolve host names (passed in via the -h switch)
can_resolve(remote_login_t)
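Review bot: the comment `# Write to /var/log/btmp` sits above `allow $1_login_t faillog_t:file { append read write };`, so either the comment names the wrong file or the rule targets the wrong type; whichever is right, the two should agree, and if the record is only ever appended to, `write` can likely be dropped in favour of `append`. Still open in the same macro: `# FIXME: what is this for?` above `allow xdm_t $1_login_t:process signull;` in the xdm.te block, which should be answered or removed before this ships as the base policy. Two style points: `general_domain_access($1_login_t);` and `uses_shlib($1_login_t);` carry trailing semicolons that end up in the expanded policy while every other macro call in the file has none, and the second `# Rules for the local_login_t domain.` header goes on to describe both local_login_t and remote_login_t, so it should say so or the remote_login_t paragraph should move down to the remote section.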

View File

@ -0,0 +1,145 @@
#DESC Logrotate - Rotate log files
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> Timothy Fraser
# Russell Coker <rcoker@redhat.com>
# X-Debian-Packages: logrotate
# Depends: crond.te
#
#################################
#
# Rules for the logrotate_t domain.
#
# logrotate_t is the domain for the logrotate program.
# logrotate_exec_t is the type of the corresponding program.
#
type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
role system_r types logrotate_t;
role sysadm_r types logrotate_t;
uses_shlib(logrotate_t)
general_domain_access(logrotate_t)
type logrotate_exec_t, file_type, sysadmfile, exec_type;
system_crond_entry(logrotate_exec_t, logrotate_t)
allow logrotate_t cron_spool_t:dir search;
allow crond_t logrotate_var_lib_t:dir search;
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
allow logrotate_t self:unix_stream_socket create_socket_perms;
allow logrotate_t devtty_t:chr_file rw_file_perms;
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
')
# for perl
allow logrotate_t usr_t:file { getattr read ioctl };
allow logrotate_t usr_t:lnk_file read;
# access files in /etc
allow logrotate_t etc_t:file { getattr read ioctl };
allow logrotate_t etc_t:lnk_file { getattr read };
allow logrotate_t etc_runtime_t:file r_file_perms;
# it should not require this
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
# create lock files
rw_dir_create_file(logrotate_t, var_lock_t)
# Create temporary files.
tmp_domain(logrotate)
can_exec(logrotate_t, logrotate_tmp_t)
# Run helper programs.
allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
allow logrotate_t { bin_t sbin_t }:lnk_file read;
can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
# Read PID files.
allow logrotate_t pidfile:file r_file_perms;
# Read /proc/PID directories for all domains.
read_sysctl(logrotate_t)
allow logrotate_t proc_t:dir r_dir_perms;
allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;
# Read /dev directories and any symbolic links.
allow logrotate_t device_t:dir r_dir_perms;
allow logrotate_t device_t:lnk_file r_file_perms;
# Signal processes.
allow logrotate_t domain:process signal;
# Modify /var/log and other log dirs.
allow logrotate_t var_t:dir r_dir_perms;
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:lnk_file read;
# Create, rename, and truncate log files.
allow logrotate_t logfile:file create_file_perms;
allow logrotate_t wtmp_t:file create_file_perms;
ifdef(`squid.te', `
allow squid_t { system_crond_t crond_t }:fd use;
allow squid_t crond_t:fifo_file { read write };
allow squid_t system_crond_t:fifo_file write;
allow squid_t self:capability kill;
')
# Set a context other than the default one for newly created files.
can_setfscreate(logrotate_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
dontaudit logrotate_t self:capability { setuid setgid };
ifdef(`mta.te', `
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
')
# Access /var/run
allow logrotate_t var_run_t:dir r_dir_perms;
# for /var/lib/logrotate.status and /var/lib/logcheck
var_lib_domain(logrotate)
allow logrotate_t logrotate_var_lib_t:dir create;
# Write to /var/spool/slrnpull - should be moved into its own type.
create_dir_file(logrotate_t, var_spool_t)
allow logrotate_t urandom_device_t:chr_file { getattr read };
# Access terminals.
allow logrotate_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
allow logrotate_t privfd:fd use;
# for /var/backups on Debian
ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t)
')
read_locale(logrotate_t)
allow logrotate_t fs_t:filesystem getattr;
can_exec(logrotate_t, shell_exec_t)
can_exec(logrotate_t, hostname_exec_t)
can_exec(logrotate_t,logfile)
allow logrotate_t net_conf_t:file { getattr read };
ifdef(`consoletype.te', `
can_exec(logrotate_t, consoletype_exec_t)
dontaudit consoletype_t logrotate_t:fd use;
')
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
dontaudit logrotate_t selinux_config_t:dir search;
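Review bot: `can_exec(logrotate_t,logfile)` lets logrotate execute any file carrying the logfile attribute, the same files the rules above let it create and write (`allow logrotate_t logfile:file create_file_perms;`) and that the logging daemons write; that turns write access to a log into a path to code running in logrotate_t, which also holds `{ chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }` and `allow logrotate_t domain:process signal;`. The rule has no comment explaining which executable under a log directory needs it; it should be removed, or that helper given a dedicated exec type. Separately, the squid.te block (`allow squid_t { system_crond_t crond_t }:fd use;` and the three rules after it) grants access to squid_t, not logrotate_t, so it belongs in squid.te or needs a comment tying it to log rotation, and the missing space in `can_exec(logrotate_t,logfile)` breaks the formatting used everywhere else in the file.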

View File

@ -0,0 +1,161 @@
#DESC Lpd - Print server
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lpr
#
#################################
#
# Rules for the lpd_t domain.
#
# lpd_t is the domain of lpd.
# lpd_exec_t is the type of the lpd executable.
# printer_t is the type of the Unix domain socket created
# by lpd.
#
type printer_port_t, port_type, reserved_port_type;
daemon_domain(lpd)
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
r_dir_file(lpd_t, fonts_t)
type printer_t, file_type, sysadmfile, dev_fs;
type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf.
tmp_domain(lpd);
# for postscript include files
allow lpd_t usr_t:{ file lnk_file } { getattr read };
# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.
type checkpc_t, domain, privlog;
role system_r types checkpc_t;
uses_shlib(checkpc_t)
can_network_client(checkpc_t)
can_ypbind(checkpc_t)
log_domain(checkpc)
type checkpc_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
role sysadm_r types checkpc_t;
allow checkpc_t admin_tty_type:chr_file { read write };
allow checkpc_t privfd:fd use;
ifdef(`crond.te', `
system_crond_entry(checkpc_exec_t, checkpc_t)
')
allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process { fork signal_perms };
allow checkpc_t proc_t:dir search;
allow checkpc_t proc_t:lnk_file read;
allow checkpc_t proc_t:file { getattr read };
r_dir_file(checkpc_t, self)
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
allow checkpc_t etc_t:lnk_file read;
allow checkpc_t { var_t var_spool_t }:dir { getattr search };
allow checkpc_t print_spool_t:file { rw_file_perms unlink };
allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
allow checkpc_t device_t:dir search;
allow checkpc_t printer_device_t:chr_file { getattr append };
allow checkpc_t devtty_t:chr_file rw_file_perms;
allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
# Allow access to /dev/console through the fd:
allow checkpc_t init_t:fd use;
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
allow checkpc_t { bin_t sbin_t }:dir search;
allow checkpc_t bin_t:lnk_file read;
can_exec(checkpc_t, shell_exec_t)
can_exec(checkpc_t, bin_t)
# bash wants access to /proc/meminfo
allow lpd_t proc_t:file { getattr read };
# gs-gnu wants to read some sysctl entries, it seems to work without though
dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
# for defoma
r_dir_file(lpd_t, var_lib_t)
allow checkpc_t var_run_t:dir search;
allow checkpc_t lpd_var_run_t:dir { search getattr };
# This is needed to permit chown to read /var/spool/lpd/lp.
# This is opens up security more than necessary; this means that ANYTHING
# running in the initrc_t domain can read the printer spool directory.
# Perhaps executing /etc/rc.d/init.d/lpd should transition
# to domain lpd_t, instead of waiting for executing lpd.
allow initrc_t print_spool_t:dir read;
# for defoma
r_dir_file(lpd_t, readable_t)
# Use capabilities.
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
# Use the network.
can_network_server(lpd_t)
can_ypbind(lpd_t)
allow lpd_t self:fifo_file rw_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t self:file { getattr read };
allow lpd_t etc_runtime_t:file { getattr read };
# Bind to the printer port.
allow lpd_t printer_port_t:tcp_socket name_bind;
# Send to portmap.
ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
ifdef(`ypbind.te',
`# Connect to ypbind.
can_tcp_connect(lpd_t, ypbind_t)')
# Create and bind to /dev/printer.
file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
allow lpd_t printer_device_t:chr_file rw_file_perms;
# Write to /var/spool/lpd.
allow lpd_t var_spool_t:dir search;
allow lpd_t print_spool_t:dir rw_dir_perms;
allow lpd_t print_spool_t:file create_file_perms;
allow lpd_t print_spool_t:file rw_file_perms;
# Execute filter scripts.
# can_exec(lpd_t, print_spool_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow lpd_t bin_t:dir search;
allow lpd_t bin_t:lnk_file read;
can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
# lpd must be able to execute the filter utilities in /usr/share/printconf.
can_exec(lpd_t, printconf_t)
allow lpd_t printconf_t:file rx_file_perms;
allow lpd_t printconf_t:dir { getattr search read };
# config files for lpd are of type etc_t, probably should change this
allow lpd_t etc_t:file { getattr read };
allow lpd_t etc_t:lnk_file read;
# checkpc needs similar permissions.
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };
# Read printconf files.
allow initrc_t printconf_t:dir r_dir_perms;
allow initrc_t printconf_t:file r_file_perms;
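Review bot: `allow initrc_t print_spool_t:dir read;` is the rule the comment above it flags as opening security more than necessary (anything in initrc_t can read the print spool, which holds users' print jobs), and the comment already proposes the remedy: transition the lpd init script, or the chown it performs, into a domain of its own instead of widening initrc_t. That should either be done here or recorded as a TODO next to the rule rather than left as prose. Also in this hunk, the lpd_t rules `allow lpd_t proc_t:file { getattr read };`, the sysctl dontaudit and `r_dir_file(lpd_t, var_lib_t)` are interleaved with the checkpc_t block between `can_exec(checkpc_t, bin_t)` and `allow checkpc_t var_run_t:dir search;`, which makes the checkpc rule set hard to audit as a unit; and `tmp_domain(lpd);` has a trailing semicolon the other macro calls lack.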

View File

@ -0,0 +1,12 @@
#DESC Lpr - Print client
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: lpr lprng
#
# Type for the lpr, lpq, and lprm executables.
type lpr_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the lpr_domain macro in
# macros/program/lpr_macros.te.

View File

@ -0,0 +1,124 @@
#DESC LVM - Linux Volume Manager
#
# Author: Michael Kaufman <walker@screwage.com>
# X-Debian-Packages: lvm10 lvm2 lvm-common
#
#################################
#
# Rules for the lvm_t domain.
#
# lvm_t is the domain for LVM administration.
# lvm_exec_t is the type of the corresponding programs.
# lvm_etc_t is for read-only LVM configuration files.
# lvm_metadata_t is the type of LVM metadata files in /etc that are
# modified at runtime.
#
type lvm_vg_t, file_type, sysadmfile;
type lvm_metadata_t, file_type, sysadmfile;
type lvm_control_t, device_type, dev_fs;
etcdir_domain(lvm)
allow lvm_t var_t:dir search;
lock_domain(lvm)
allow lvm_t lvm_lock_t:dir rw_dir_perms;
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
daemon_base_domain(lvm, `, fs_domain, privowner')
role sysadm_r types lvm_t;
domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
r_dir_file(lvm_t, proc_t)
allow lvm_t self:file r_file_perms;
# Read system variables in /proc/sys
read_sysctl(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
r_dir_file(lvm_t, sysfs_t)
allow lvm_t fs_t:filesystem getattr;
# Read configuration files in /etc.
allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
allow lvm_t device_t:dir create_dir_perms;
allow lvm_t device_t:lnk_file create_lnk_perms;
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search;
allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
tmp_domain(lvm)
allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
# Inherit and use descriptors from init.
allow lvm_t init_t:fd use;
# LVM is split into many individual binaries
can_exec(lvm_t, lvm_exec_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
# relabel devices
allow lvm_t { default_context_t file_context_t }:dir search;
allow lvm_t file_context_t:file { getattr read };
can_getsecurity(lvm_t)
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow lvm_t device_t:lnk_file { relabelfrom relabelto };
# Access terminals.
allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow lvm_t devtty_t:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
allow lvm_t privfd:fd use;
allow lvm_t devpts_t:dir { search getattr read };
read_locale(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
dontaudit lvm_t ttyfile:chr_file getattr;
dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
dontaudit lvm_t devpts_t:dir { getattr read };
ifdef(`gpm.te', `
dontaudit lvm_t gpmctl_t:sock_file getattr;
')
dontaudit lvm_t initctl_t:fifo_file getattr;
allow lvm_t sbin_t:dir search;
dontaudit lvm_t sbin_t:file getattr;
allow lvm_t lvm_control_t:chr_file rw_file_perms;
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
allow initrc_t device_t:chr_file create;
dontaudit lvm_t var_run_t:dir getattr;
# for when /usr is not mounted
dontaudit lvm_t file_t:dir search;
allow lvm_t tmpfs_t:dir r_dir_perms;
r_dir_file(lvm_t, selinux_config_t)
# it has no reason to need this
dontaudit lvm_t proc_kcore_t:file getattr;
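Review bot: `allow lvm_t fixed_disk_device_t:chr_file create_file_perms;` is justified only by `# Access raw devices and old /dev/lvm (c 109,0). Is this needed?`; creating character device nodes of the disk type is too strong a permission to leave behind an open question, so either confirm that the legacy /dev/lvm node still needs it or drop it. Related points: the header lists lvm_etc_t and lvm_metadata_t but neither `type lvm_vg_t` nor `type lvm_control_t`, both declared in this hunk, and lvm_vg_t is not referenced by any rule here; and `allow initrc_t device_t:chr_file create;` lets every init script create device nodes under /dev, which is broader than the lvm_control_t handling in the rule just before it and should be scoped to that node or explained.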

View File

@ -0,0 +1,110 @@
#DESC Mailman - GNU Mailman mailing list manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mailman
type mailman_data_t, file_type, sysadmfile;
type mailman_archive_t, file_type, sysadmfile;
type mailman_log_t, file_type, sysadmfile, logfile;
type mailman_lock_t, file_type, sysadmfile, lockfile;
define(`mailman_domain', `
type mailman_$1_t, domain, privlog $2;
type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
role system_r types mailman_$1_t;
file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
create_dir_file(mailman_$1_t, mailman_data_t)
uses_shlib(mailman_$1_t)
can_exec_any(mailman_$1_t)
read_sysctl(mailman_$1_t)
allow mailman_$1_t proc_t:dir search;
allow mailman_$1_t proc_t:file { read getattr };
allow mailman_$1_t var_lib_t:dir r_dir_perms;
allow mailman_$1_t var_lib_t:lnk_file read;
allow mailman_$1_t device_t:dir search;
allow mailman_$1_t etc_runtime_t:file { read getattr };
read_locale(mailman_$1_t)
file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
can_network(mailman_$1_t)
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
tmp_domain(mailman_$1)
')
mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
can_tcp_connect(mailman_queue_t, mail_server_domain)
can_exec(mailman_queue_t, su_exec_t)
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:fifo_file rw_file_perms;
dontaudit mailman_queue_t var_run_t:dir search;
allow mailman_queue_t proc_t:lnk_file { getattr read };
# for su
dontaudit mailman_queue_t selinux_config_t:dir search;
allow mailman_queue_t self:dir search;
allow mailman_queue_t self:file { getattr read };
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
allow mailman_queue_t self:lnk_file { getattr read };
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
mailman_domain(mail)
dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
allow mailman_mail_t mta_delivery_agent:fd use;
ifdef(`qmail.te', `
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
')
create_dir_file(mailman_queue_t, mailman_archive_t)
ifdef(`apache.te', `
mailman_domain(cgi)
can_tcp_connect(mailman_cgi_t, mail_server_domain)
domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
# should have separate types for public and private archives
r_dir_file(httpd_t, mailman_archive_t)
create_dir_file(mailman_cgi_t, mailman_archive_t)
allow httpd_t mailman_data_t:dir { getattr search };
dontaudit mailman_cgi_t httpd_log_t:file append;
allow httpd_t mailman_cgi_t:process signal;
allow mailman_cgi_t httpd_t:process sigchld;
allow mailman_cgi_t httpd_t:fd use;
allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
allow mailman_cgi_t httpd_sys_script_t:dir search;
allow mailman_cgi_t devtty_t:chr_file { read write };
allow mailman_cgi_t self:process { fork sigchld };
allow mailman_cgi_t var_spool_t:dir search;
')
allow mta_delivery_agent mailman_data_t:dir search;
allow mta_delivery_agent mailman_data_t:lnk_file read;
domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
ifdef(`direct_sysadm_daemon', `
domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
')
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
allow mailman_queue_t devtty_t:chr_file { read write };
allow mailman_queue_t self:process { fork signal sigchld };
allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
# so MTA can access /var/lib/mailman/mail/wrapper
allow mta_delivery_agent var_lib_t:dir search;
# Handle mailman log files
rw_dir_create_file(logrotate_t, mailman_log_t)
allow logrotate_t mailman_data_t:dir search;
can_exec(logrotate_t, mailman_mail_exec_t)
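Review bot: `can_exec_any(mailman_$1_t)` inside the mailman_domain macro gives every instantiated domain the right to execute any executable type, including mailman_cgi_t, which httpd_t and httpd_suexec_t enter automatically through `domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)`, and the macro also hands all of them `can_network(mailman_$1_t)`. For a web-facing CGI domain both should be narrowed to the interpreters and network peers mailman actually uses; at minimum the cgi instantiation should document why it needs full network access. Two more undocumented grants: `can_exec(mailman_queue_t, su_exec_t)` runs su inside a domain that holds `{ setgid setuid }`, and `can_exec(logrotate_t, mailman_mail_exec_t)` at the end of the file lets logrotate run the mail wrapper with no comment saying which rotation step needs it.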

View File

@ -0,0 +1,43 @@
#DESC mdadm - Linux RAID tool
#
# Author: Colin Walters <walters@redhat.com>
#
daemon_base_domain(mdadm, `, fs_domain')
role sysadm_r types mdadm_t;
allow initrc_t mdadm_var_run_t:file create_file_perms;
# Kernel filesystem permissions
r_dir_file(mdadm_t, proc_t)
allow mdadm_t proc_mdstat_t:file rw_file_perms;
read_sysctl(mdadm_t)
r_dir_file(mdadm_t, sysfs_t)
# Configuration
allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
read_locale(mdadm_t)
# Linux capabilities
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
# Helper program access
can_exec(mdadm_t, { bin_t sbin_t })
# RAID block device access
allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
allow mdadm_t device_t:lnk_file { getattr read };
# Ignore attempts to read every device file
dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
dontaudit mdadm_t devpts_t:dir r_dir_perms;
# Ignore attempts to read/write sysadmin tty
dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
# Other random ignores
dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
dontaudit mdadm_t initctl_t:fifo_file getattr;
var_run_domain(mdadm)
allow mdadm_t var_t:dir { getattr search };
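Review bot: `role sysadm_r types mdadm_t;` admits the domain into the administrator's role, but nothing in this hunk transitions sysadm_t into it, and the only rule touching the administrator's terminal is `dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;`, so an interactive run would have its output dropped silently rather than denied visibly. Either add the sysadm transition together with an allow on admin_tty_type (the pattern lvm.te just above uses), or drop the role line and the dontaudit. Also, `allow initrc_t mdadm_var_run_t:file create_file_perms;` appears before `var_run_domain(mdadm)` declares the type; the forward reference compiles, but moving the macro call up next to `daemon_base_domain(mdadm, `, fs_domain')` reads better, and `can_exec(mdadm_t, { bin_t sbin_t })` should name the helper programs it is there for.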

Some files were not shown because too many files have changed in this diff.