move flask dir to top level, and update them from nsa cvs. move files in

misc to top level.  make mls support work.
This commit is contained in:
Chris PeBenito 2005-06-01 15:40:37 +00:00
parent 7555aab027
commit 134191be67
10 changed files with 1940 additions and 11 deletions

View File

@ -21,7 +21,10 @@
#
# Build compatibility policies
POLICYCOMPAT = -c 18
POLICYCOMPAT = 18
# Build MLS policies
MLS=n
# set distribution
override M4PARAM += -D distro_redhat
@ -42,14 +45,24 @@ CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles
# enable MLS if requested.
ifeq ($(MLS),y)
override M4PARAM += -D enable_mls
CHECKPOLICY += -M
endif
ifneq ($(POLICYCOMPAT),)
CHECKPOLICY += -c $(POLICYCOMPAT)
endif
# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)
# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
KV := $(PV)
KV := $(PV)
endif
FC := file_contexts
@ -68,21 +81,20 @@ FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/
FLASKDIR = flask
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
USER_FILES := $(MISCDIR)/users
USER_FILES := users
DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS))
ALL_MODULES := $(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS))
PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use)
POST_TE_FILES := users constraints initial_sid_contexts fs_use
ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
@ -111,7 +123,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
@echo
endif
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
$(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#
@ -125,7 +137,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
@echo
endif
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
$(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#

View File

@ -0,0 +1,80 @@
# Copyright (C) 2005 Tresys Technology, LLC
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# SELinux process identity change constraint:
#
constrain process transition
( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`TODO',`
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
') dnl end TODO
);
#
# SELinux process role change constraint:
#
constrain process transition
( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`TODO',`
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
') dnl end TODO
);
#
# SELinux dynamic transition constraint:
#
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# SElinux object identity change constraint:
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );

View File

@ -0,0 +1,41 @@
# flask needs to know where to export the libselinux headers.
LIBSEL ?= ../../libselinux
# flask needs to know where to export the kernel headers.
LINUXDIR ?= ../../../linux-2.6
AWK = awk
CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
else if [ -x /bin/bash ]; then echo /bin/bash; \
else echo sh; fi ; fi)
FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
all: $(ALL_H_FILES)
$(FLASK_H_FILES): $(FLASK_H_DEPEND)
$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
$(AV_H_FILES): $(AV_H_DEPEND)
$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
tolib: all
install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
tokern: all
install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
install: all
relabel:
clean:
rm -f $(FLASK_H_FILES)
rm -f $(AV_H_FILES)

View File

@ -0,0 +1,608 @@
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
}
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
class drawable
{
create
destroy
draw
copy
getattr
}
class gc
{
create
free
getattr
setattr
}
class window
{
addchild
create
destroy
map
unmap
chstack
chproplist
chprop
listprop
getattr
setattr
setfocus
move
chselection
chparent
ctrllife
enumerate
transparent
mousemotion
clientcomevent
inputevent
drawevent
windowchangeevent
windowchangerequest
serverchangeevent
extensionevent
}
class font
{
load
free
getattr
use
}
class colormap
{
create
free
install
uninstall
list
read
store
getattr
setattr
}
class property
{
create
free
read
write
}
class cursor
{
create
createglyph
free
assign
setattr
}
class xclient
{
kill
}
class xinput
{
lookup
getattr
setattr
setfocus
warppointer
activegrab
passivegrab
ungrab
bell
mousemotion
relabelinput
}
class xserver
{
screensaver
gethostlist
sethostlist
getfontpath
setfontpath
getattr
grab
ungrab
}
class xextension
{
query
use
}
#
# Define the access vector interpretation for controlling
# PaX flags
#
class pax
{
pageexec # Paging based non-executable pages
emutramp # Emulate trampolines
mprotect # Restrict mprotect()
randmmap # Randomize mmap() base
randexec # Randomize ET_EXEC base
segmexec # Segmentation based non-executable pages
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
}
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

View File

@ -0,0 +1,35 @@
# FLASK
#
# Define initial security identifiers
#
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK

View File

@ -0,0 +1,227 @@
#!/bin/sh -
#
# FLASK
set -e
awk=$1
shift
# output files
av_permissions="av_permissions.h"
av_inherit="av_inherit.h"
common_perm_to_string="common_perm_to_string.h"
av_perm_to_string="av_perm_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$av_permissions\"
inheritfile = \"$av_inherit\"
cpermfile = \"$common_perm_to_string\"
avpermfile = \"$av_perm_to_string\"
"'
nextstate = "COMMON_OR_AV";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
;
}
/^[ \t]*#/ {
next;
}
$1 == "common" {
if (nextstate != "COMMON_OR_AV")
{
printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
next;
}
if ($2 in common_defined)
{
printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
next;
}
common_defined[$2] = 1;
tclass = $2;
common_name = $2;
permission = 1;
printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
nextstate = "COMMON-OPENBRACKET";
next;
}
$1 == "class" {
if (nextstate != "COMMON_OR_AV" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET")
{
printf("Parse error: Unexpected class definition on line %d\n", NR);
next;
}
tclass = $2;
if (tclass in av_defined)
{
printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
next;
}
av_defined[tclass] = 1;
inherits = "";
permission = 1;
nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
next;
}
$1 == "inherits" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
{
printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
next;
}
if (!($2 in common_defined))
{
printf("COMMON %s is not defined (line %d).\n", $2, NR);
next;
}
inherits = $2;
permission = common_base[$2];
for (combined in common_perms)
{
split(combined,separate, SUBSEP);
if (separate[1] == inherits)
{
inherited_perms[common_perms[combined]] = separate[2];
}
}
j = 1;
for (i in inherited_perms) {
ind[j] = i + 0;
j++;
}
n = asort(ind);
for (i = 1; i <= n; i++) {
perm = inherited_perms[ind[i]];
printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
spaces = 40 - (length(perm) + length(tclass));
if (spaces < 1)
spaces = 1;
for (j = 0; j < spaces; j++)
printf(" ") > outfile;
printf("0x%08xUL\n", ind[i]) > outfile;
}
printf("\n") > outfile;
for (i in ind) delete ind[i];
for (i in inherited_perms) delete inherited_perms[i];
printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
nextstate = "CLASS_OR_CLASS-OPENBRACKET";
next;
}
$1 == "{" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
nextstate != "COMMON-OPENBRACKET")
{
printf("Parse error: Unexpected { on line %d\n", NR);
next;
}
if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
nextstate = "CLASS-CLOSEBRACKET";
if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
nextstate = "CLASS-CLOSEBRACKET";
if (nextstate == "COMMON-OPENBRACKET")
nextstate = "COMMON-CLOSEBRACKET";
}
/[a-z][a-z_]*/ {
if (nextstate != "COMMON-CLOSEBRACKET" &&
nextstate != "CLASS-CLOSEBRACKET")
{
printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
next;
}
if (nextstate == "COMMON-CLOSEBRACKET")
{
if ((common_name,$1) in common_perms)
{
printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
next;
}
common_perms[common_name,$1] = permission;
printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
printf(" S_(\"%s\")\n", $1) > cpermfile;
}
else
{
if ((tclass,$1) in av_perms)
{
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
next;
}
av_perms[tclass,$1] = permission;
if (inherits != "")
{
if ((inherits,$1) in common_perms)
{
printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
next;
}
}
printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
}
spaces = 40 - (length($1) + length(tclass));
if (spaces < 1)
spaces = 1;
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
printf("0x%08xUL\n", permission) > outfile;
permission = permission * 2;
}
$1 == "}" {
if (nextstate != "CLASS-CLOSEBRACKET" &&
nextstate != "COMMON-CLOSEBRACKET")
{
printf("Parse error: Unexpected } on line %d\n", NR);
next;
}
if (nextstate == "COMMON-CLOSEBRACKET")
{
common_base[common_name] = permission;
printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
}
printf("\n") > outfile;
nextstate = "COMMON_OR_AV";
}
END {
if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
printf("Parse error: Unexpected end of file\n");
}'
# FLASK

View File

@ -0,0 +1,95 @@
#!/bin/sh -
#
# FLASK
set -e
awk=$1
shift 1
# output file
output_file="flask.h"
debug_file="class_to_string.h"
debug_file2="initial_sid_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$output_file\"
debugfile = \"$debug_file\"
debugfile2 = \"$debug_file2\"
"'
nextstate = "CLASS";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
printf("#define _SELINUX_FLASK_H_\n") > outfile;
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
printf(" S_(\"null\")\n") > debugfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
printf(" \"null\",\n") > debugfile2;
}
/^[ \t]*#/ {
next;
}
$1 == "class" {
if (nextstate != "CLASS")
{
printf("Parse error: Unexpected class definition on line %d\n", NR);
next;
}
if ($2 in class_found)
{
printf("Duplicate class definition for %s on line %d.\n", $2, NR);
next;
}
class_found[$2] = 1;
class_value++;
printf("#define SECCLASS_%s", toupper($2)) > outfile;
for (i = 0; i < 40 - length($2); i++)
printf(" ") > outfile;
printf("%d\n", class_value) > outfile;
printf(" S_(\"%s\")\n", $2) > debugfile;
}
$1 == "sid" {
if (nextstate == "CLASS")
{
nextstate = "SID";
printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
}
if ($2 in sid_found)
{
printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
next;
}
sid_found[$2] = 1;
sid_value++;
printf("#define SECINITSID_%s", toupper($2)) > outfile;
for (i = 0; i < 37 - length($2); i++)
printf(" ") > outfile;
printf("%d\n", sid_value) > outfile;
printf(" \"%s\",\n", $2) > debugfile2;
}
END {
if (nextstate != "SID")
printf("Parse error: Unexpected end of file\n");
printf("\n#define SECINITSID_NUM") > outfile;
for (i = 0; i < 34; i++)
printf(" ") > outfile;
printf("%d\n", sid_value) > outfile;
printf("\n#endif\n") > outfile;
printf("};\n\n") > debugfile2;
}'
# FLASK

View File

@ -0,0 +1,86 @@
# FLASK
#
# Define the security object classes
#
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd
# SE-X Windows stuff
class drawable
class window
class gc
class font
class colormap
class property
class cursor
class xclient
class xinput
class xserver
class xextension
# pax flags
class pax
# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class dbus
class nscd
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
# FLASK

731
refpolicy/policy/mls Normal file
View File

@ -0,0 +1,731 @@
# Copyright (C) 2005 Tresys Technology, LLC
ifdef(`enable_mls',`
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0;
category c1;
category c2;
category c3;
category c4;
category c5;
category c6;
category c7;
category c8;
category c9;
category c10;
category c11;
category c12;
category c13;
category c14;
category c15;
category c16;
category c17;
category c18;
category c19;
category c20;
category c21;
category c22;
category c23;
category c24;
category c25;
category c26;
category c27;
category c28;
category c29;
category c30;
category c31;
category c32;
category c33;
category c34;
category c35;
category c36;
category c37;
category c38;
category c39;
category c40;
category c41;
category c42;
category c43;
category c44;
category c45;
category c46;
category c47;
category c48;
category c49;
category c50;
category c51;
category c52;
category c53;
category c54;
category c55;
category c56;
category c57;
category c58;
category c59;
category c60;
category c61;
category c62;
category c63;
category c64;
category c65;
category c66;
category c67;
category c68;
category c69;
category c70;
category c71;
category c72;
category c73;
category c74;
category c75;
category c76;
category c77;
category c78;
category c79;
category c80;
category c81;
category c82;
category c83;
category c84;
category c85;
category c86;
category c87;
category c88;
category c89;
category c90;
category c91;
category c92;
category c93;
category c94;
category c95;
category c96;
category c97;
category c98;
category c99;
category c100;
category c101;
category c102;
category c103;
category c104;
category c105;
category c106;
category c107;
category c108;
category c109;
category c110;
category c111;
category c112;
category c113;
category c114;
category c115;
category c116;
category c117;
category c118;
category c119;
category c120;
category c121;
category c122;
category c123;
category c124;
category c125;
category c126;
category c127;
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c127;
level s1:c0.c127;
level s2:c0.c127;
level s3:c0.c127;
level s4:c0.c127;
level s5:c0.c127;
level s6:c0.c127;
level s7:c0.c127;
level s8:c0.c127;
level s9:c0.c127;
#
# Define the MLS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# MLS policy for the file classes
#
# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
# new file labels must be dominated by the relabling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
mlsconstrain dir search
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# the "ranged" file "write" ops
mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
mlsconstrain dir { add_name remove_name reparent rmdir }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
# file { execute_no_trans entrypoint }
# the file upgrade/downgrade rule
mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( h1 eq h2 ) or
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
#
# MLS policy for the filesystem class
#
# new filesystem labels must be dominated by the relabling subject clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
# the filesystem "read" ops (implicit single level)
mlsconstrain filesystem { getattr quotaget }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ));
# all the filesystem "write" ops (implicit single level)
mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ));
# these access vectors have no MLS restrictions
# filesystem { transition associate }
#
# MLS policy for the socket classes
#
# new socket labels must be dominated by the relabling subject clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
# the socket "read" ops (note that the we check dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
#
# MLS policy for the ipc classes
#
# the ipc "read" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
mlsconstrain msg receive
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msgq enqueue
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain shm lock
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msg send
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
# these access vectors have no MLS restrictions
# { ipc sem msgq shm } associate
#
# MLS policy for the fd class
#
# these access vectors have no MLS restrictions
# fd use
#
# MLS policy for the node class
#
# these access vectors have no MLS restrictions
# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
#
# MLS policy for the netif class
#
# these access vectors have no MLS restrictions
# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
#
# MLS policy for the process class
#
# new process labels must be dominated by the relabling subject clearance and
# sensitivity level changes require privilege
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
# all the process "read" ops
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(( l1 dom l2 ) or
(( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
#
# MLS policy for the security class
#
# these access vectors have no MLS restrictions
# security *
#
# MLS policy for the system class
#
# these access vectors have no MLS restrictions
# system *
#
# MLS policy for the capability class
#
# these access vectors have no MLS restrictions
# capability *
#
# MLS policy for the passwd class
#
# these access vectors have no MLS restrictions
# passwd *
#
# MLS policy for the drawable class
#
# the drawable "read" ops (implicit single level)
mlsconstrain drawable { getattr copy }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the drawable "write" ops (implicit single level)
mlsconstrain drawable { create destroy draw copy }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the gc class
#
# the gc "read" ops (implicit single level)
mlsconstrain gc getattr
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the gc "write" ops (implicit single level)
mlsconstrain gc { create free setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the window class
#
# the window "read" ops (implicit single level)
mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the window "write" ops (implicit single level)
mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# window { map unmap }
#
# MLS policy for the font class
#
# the font "read" ops (implicit single level)
mlsconstrain font { load getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the font "write" ops (implicit single level)
mlsconstrain font free
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# font use
#
# MLS policy for the colormap class
#
# the colormap "read" ops (implicit single level)
mlsconstrain colormap { list read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the colormap "write" ops (implicit single level)
mlsconstrain colormap { create free install uninstall store setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the property class
#
# the property "read" ops (implicit single level)
mlsconstrain property { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the property "write" ops (implicit single level)
mlsconstrain property { create free write }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the cursor class
#
# the cursor "write" ops (implicit single level)
mlsconstrain cursor { create createglyph free assign setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xclient class
#
# the xclient "write" ops (implicit single level)
mlsconstrain xclient kill
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xinput class
#
# the xinput "read" ops (implicit single level)
mlsconstrain xinput { lookup getattr mousemotion }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xinput "write" ops (implicit single level)
mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xserver class
#
# the xserver "read" ops (implicit single level)
mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xserver "write" ops (implicit single level)
mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xextension class
#
# the xextension "read" ops (implicit single level)
mlsconstrain xextension query
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xextension "write" ops (implicit single level)
mlsconstrain xextension use
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the pax class
#
# these access vectors have no MLS restrictions
# pax { pageexec emutramp mprotect randmmap randexec segmexec }
#
# MLS policy for the dbus class
#
# these access vectors have no MLS restrictions
# dbus { acquire_svc send_msg }
#
# MLS policy for the nscd class
#
# these access vectors have no MLS restrictions
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
#
# MLS policy for the association class
#
# these access vectors have no MLS restrictions
# association { sendto recvfrom }
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetbindall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;
attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
') dnl end enable_mls

14
refpolicy/policy/users Normal file
View File

@ -0,0 +1,14 @@
# Copyright (C) 2005 Tresys Technology, LLC
##################################
#
# Core User configuration.
#
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);