rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

move flask dir to top level, and update them from nsa cvs. move files in

Browse Source 
misc to top level.  make mls support work.
This commit is contained in:
Chris PeBenito 2005-06-01 15:40:37 +00:00
parent 7555aab027
commit 134191be67
10 changed files with 1940 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
refpolicy/Makefile
View File

@ -21,7 +21,10 @@
#
# Build compatibility policies
POLICYCOMPAT = -c 18
POLICYCOMPAT = 18
# Build MLS policies
MLS=n
# set distribution
override M4PARAM += -D distro_redhat
@ -42,8 +45,18 @@ CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles
# enable MLS if requested.
ifeq ($(MLS),y)
override M4PARAM += -D enable_mls
CHECKPOLICY += -M
endif
ifneq ($(POLICYCOMPAT),)
CHECKPOLICY += -c $(POLICYCOMPAT)
endif
# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)
# dont print version warnings if we are unable to determine
@ -68,21 +81,20 @@ FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/
FLASKDIR = flask
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
USER_FILES := $(MISCDIR)/users
USER_FILES := users
DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS))
ALL_MODULES := $(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS))
PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use)
POST_TE_FILES := users constraints initial_sid_contexts fs_use
ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
@ -111,7 +123,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
@echo
endif
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
$(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#
@ -125,7 +137,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
@echo
endif
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
$(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#

80
refpolicy/policy/constraints Normal file
View File

@ -0,0 +1,80 @@
# Copyright (C) 2005 Tresys Technology, LLC
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# SELinux process identity change constraint:
#
constrain process transition
( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`TODO',`
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
') dnl end TODO
);
#
# SELinux process role change constraint:
#
constrain process transition
( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`TODO',`
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
') dnl end TODO
);
#
# SELinux dynamic transition constraint:
#
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# SElinux object identity change constraint:
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );

41
refpolicy/policy/flask/Makefile Normal file
View File

@ -0,0 +1,41 @@
# flask needs to know where to export the libselinux headers.
LIBSEL ?= ../../libselinux
# flask needs to know where to export the kernel headers.
LINUXDIR ?= ../../../linux-2.6
AWK = awk
CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
else if [ -x /bin/bash ]; then echo /bin/bash; \
else echo sh; fi ; fi)
FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
all: $(ALL_H_FILES)
$(FLASK_H_FILES): $(FLASK_H_DEPEND)
$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
$(AV_H_FILES): $(AV_H_DEPEND)
$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
tolib: all
install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
tokern: all
install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
install: all
relabel:
clean:
rm -f $(FLASK_H_FILES)
rm -f $(AV_H_FILES)

608
refpolicy/policy/flask/access_vectors Normal file
View File

@ -0,0 +1,608 @@
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
}
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
class drawable
{
create
destroy
draw
copy
getattr
}
class gc
{
create
free
getattr
setattr
}
class window
{
addchild
create
destroy
map
unmap
chstack
chproplist
chprop
listprop
getattr
setattr
setfocus
move
chselection
chparent
ctrllife
enumerate
transparent
mousemotion
clientcomevent
inputevent
drawevent
windowchangeevent
windowchangerequest
serverchangeevent
extensionevent
}
class font
{
load
free
getattr
use
}
class colormap
{
create
free
install
uninstall
list
read
store
getattr
setattr
}
class property
{
create
free
read
write
}
class cursor
{
create
createglyph
free
assign
setattr
}
class xclient
{
kill
}
class xinput
{
lookup
getattr
setattr
setfocus
warppointer
activegrab
passivegrab
ungrab
bell
mousemotion
relabelinput
}
class xserver
{
screensaver
gethostlist
sethostlist
getfontpath
setfontpath
getattr
grab
ungrab
}
class xextension
{
query
use
}
#
# Define the access vector interpretation for controlling
# PaX flags
#
class pax
{
pageexec # Paging based non-executable pages
emutramp # Emulate trampolines
mprotect # Restrict mprotect()
randmmap # Randomize mmap() base
randexec # Randomize ET_EXEC base
segmexec # Segmentation based non-executable pages
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
}
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

35
refpolicy/policy/flask/initial_sids Normal file
View File

@ -0,0 +1,35 @@
# FLASK
#
# Define initial security identifiers
#
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK

227
refpolicy/policy/flask/mkaccess_vector.sh Executable file
View File

@ -0,0 +1,227 @@
#!/bin/sh -
#
# FLASK
set -e
awk=$1
shift
# output files
av_permissions="av_permissions.h"
av_inherit="av_inherit.h"
common_perm_to_string="common_perm_to_string.h"
av_perm_to_string="av_perm_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$av_permissions\"
inheritfile = \"$av_inherit\"
cpermfile = \"$common_perm_to_string\"
avpermfile = \"$av_perm_to_string\"
"'
nextstate = "COMMON_OR_AV";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
;
}
/^[ \t]*#/ {
next;
}
$1 == "common" {
if (nextstate != "COMMON_OR_AV")
{
printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
next;
}
if ($2 in common_defined)
{
printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
next;
}
common_defined[$2] = 1;
tclass = $2;
common_name = $2;
permission = 1;
printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
nextstate = "COMMON-OPENBRACKET";
next;
}
$1 == "class" {
if (nextstate != "COMMON_OR_AV" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET")
{
printf("Parse error: Unexpected class definition on line %d\n", NR);
next;
}
tclass = $2;
if (tclass in av_defined)
{
printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
next;
}
av_defined[tclass] = 1;
inherits = "";
permission = 1;
nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
next;
}
$1 == "inherits" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
{
printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
next;
}
if (!($2 in common_defined))
{
printf("COMMON %s is not defined (line %d).\n", $2, NR);
next;
}
inherits = $2;
permission = common_base[$2];
for (combined in common_perms)
{
split(combined,separate, SUBSEP);
if (separate[1] == inherits)
{
inherited_perms[common_perms[combined]] = separate[2];
}
}
j = 1;
for (i in inherited_perms) {
ind[j] = i + 0;
j++;
}
n = asort(ind);
for (i = 1; i <= n; i++) {
perm = inherited_perms[ind[i]];
printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
spaces = 40 - (length(perm) + length(tclass));
if (spaces < 1)
spaces = 1;
for (j = 0; j < spaces; j++)
printf(" ") > outfile;
printf("0x%08xUL\n", ind[i]) > outfile;
}
printf("\n") > outfile;
for (i in ind) delete ind[i];
for (i in inherited_perms) delete inherited_perms[i];
printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
nextstate = "CLASS_OR_CLASS-OPENBRACKET";
next;
}
$1 == "{" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
nextstate != "COMMON-OPENBRACKET")
{
printf("Parse error: Unexpected { on line %d\n", NR);
next;
}
if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
nextstate = "CLASS-CLOSEBRACKET";
if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
nextstate = "CLASS-CLOSEBRACKET";
if (nextstate == "COMMON-OPENBRACKET")
nextstate = "COMMON-CLOSEBRACKET";
}
/[a-z][a-z_]*/ {
if (nextstate != "COMMON-CLOSEBRACKET" &&
nextstate != "CLASS-CLOSEBRACKET")
{
printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
next;
}
if (nextstate == "COMMON-CLOSEBRACKET")
{
if ((common_name,$1) in common_perms)
{
printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
next;
}
common_perms[common_name,$1] = permission;
printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
printf(" S_(\"%s\")\n", $1) > cpermfile;
}
else
{
if ((tclass,$1) in av_perms)
{
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
next;
}
av_perms[tclass,$1] = permission;
if (inherits != "")
{
if ((inherits,$1) in common_perms)
{
printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
next;
}
}
printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
}
spaces = 40 - (length($1) + length(tclass));
if (spaces < 1)
spaces = 1;
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
printf("0x%08xUL\n", permission) > outfile;
permission = permission * 2;
}
$1 == "}" {
if (nextstate != "CLASS-CLOSEBRACKET" &&
nextstate != "COMMON-CLOSEBRACKET")
{
printf("Parse error: Unexpected } on line %d\n", NR);
next;
}
if (nextstate == "COMMON-CLOSEBRACKET")
{
common_base[common_name] = permission;
printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
}
printf("\n") > outfile;
nextstate = "COMMON_OR_AV";
}
END {
if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
printf("Parse error: Unexpected end of file\n");
}'
# FLASK

95
refpolicy/policy/flask/mkflask.sh Executable file
View File

@ -0,0 +1,95 @@
#!/bin/sh -
#
# FLASK
set -e
awk=$1
shift 1
# output file
output_file="flask.h"
debug_file="class_to_string.h"
debug_file2="initial_sid_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$output_file\"
debugfile = \"$debug_file\"
debugfile2 = \"$debug_file2\"
"'
nextstate = "CLASS";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
printf("#define _SELINUX_FLASK_H_\n") > outfile;
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
printf(" S_(\"null\")\n") > debugfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
printf(" \"null\",\n") > debugfile2;
}
/^[ \t]*#/ {
next;
}
$1 == "class" {
if (nextstate != "CLASS")
{
printf("Parse error: Unexpected class definition on line %d\n", NR);
next;
}
if ($2 in class_found)
{
printf("Duplicate class definition for %s on line %d.\n", $2, NR);
next;
}
class_found[$2] = 1;
class_value++;
printf("#define SECCLASS_%s", toupper($2)) > outfile;
for (i = 0; i < 40 - length($2); i++)
printf(" ") > outfile;
printf("%d\n", class_value) > outfile;
printf(" S_(\"%s\")\n", $2) > debugfile;
}
$1 == "sid" {
if (nextstate == "CLASS")
{
nextstate = "SID";
printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
}
if ($2 in sid_found)
{
printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
next;
}
sid_found[$2] = 1;
sid_value++;
printf("#define SECINITSID_%s", toupper($2)) > outfile;
for (i = 0; i < 37 - length($2); i++)
printf(" ") > outfile;
printf("%d\n", sid_value) > outfile;
printf(" \"%s\",\n", $2) > debugfile2;
}
END {
if (nextstate != "SID")
printf("Parse error: Unexpected end of file\n");
printf("\n#define SECINITSID_NUM") > outfile;
for (i = 0; i < 34; i++)
printf(" ") > outfile;
printf("%d\n", sid_value) > outfile;
printf("\n#endif\n") > outfile;
printf("};\n\n") > debugfile2;
}'
# FLASK

86
refpolicy/policy/flask/security_classes Normal file
View File

@ -0,0 +1,86 @@
# FLASK
#
# Define the security object classes
#
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd
# SE-X Windows stuff
class drawable
class window
class gc
class font
class colormap
class property
class cursor
class xclient
class xinput
class xserver
class xextension
# pax flags
class pax
# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class dbus
class nscd
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
# FLASK

731
refpolicy/policy/mls Normal file
View File

@ -0,0 +1,731 @@
# Copyright (C) 2005 Tresys Technology, LLC
ifdef(`enable_mls',`
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0;
category c1;
category c2;
category c3;
category c4;
category c5;
category c6;
category c7;
category c8;
category c9;
category c10;
category c11;
category c12;
category c13;
category c14;
category c15;
category c16;
category c17;
category c18;
category c19;
category c20;
category c21;
category c22;
category c23;
category c24;
category c25;
category c26;
category c27;
category c28;
category c29;
category c30;
category c31;
category c32;
category c33;
category c34;
category c35;
category c36;
category c37;
category c38;
category c39;
category c40;
category c41;
category c42;
category c43;
category c44;
category c45;
category c46;
category c47;
category c48;
category c49;
category c50;
category c51;
category c52;
category c53;
category c54;
category c55;
category c56;
category c57;
category c58;
category c59;
category c60;
category c61;
category c62;
category c63;
category c64;
category c65;
category c66;
category c67;
category c68;
category c69;
category c70;
category c71;
category c72;
category c73;
category c74;
category c75;
category c76;
category c77;
category c78;
category c79;
category c80;
category c81;
category c82;
category c83;
category c84;
category c85;
category c86;
category c87;
category c88;
category c89;
category c90;
category c91;
category c92;
category c93;
category c94;
category c95;
category c96;
category c97;
category c98;
category c99;
category c100;
category c101;
category c102;
category c103;
category c104;
category c105;
category c106;
category c107;
category c108;
category c109;
category c110;
category c111;
category c112;
category c113;
category c114;
category c115;
category c116;
category c117;
category c118;
category c119;
category c120;
category c121;
category c122;
category c123;
category c124;
category c125;
category c126;
category c127;
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c127;
level s1:c0.c127;
level s2:c0.c127;
level s3:c0.c127;
level s4:c0.c127;
level s5:c0.c127;
level s6:c0.c127;
level s7:c0.c127;
level s8:c0.c127;
level s9:c0.c127;
#
# Define the MLS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# MLS policy for the file classes
#
# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
# new file labels must be dominated by the relabling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
mlsconstrain dir search
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# the "ranged" file "write" ops
mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
mlsconstrain dir { add_name remove_name reparent rmdir }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
# file { execute_no_trans entrypoint }
# the file upgrade/downgrade rule
mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( h1 eq h2 ) or
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
#
# MLS policy for the filesystem class
#
# new filesystem labels must be dominated by the relabling subject clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
# the filesystem "read" ops (implicit single level)
mlsconstrain filesystem { getattr quotaget }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ));
# all the filesystem "write" ops (implicit single level)
mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ));
# these access vectors have no MLS restrictions
# filesystem { transition associate }
#
# MLS policy for the socket classes
#
# new socket labels must be dominated by the relabling subject clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
# the socket "read" ops (note that the we check dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
#
# MLS policy for the ipc classes
#
# the ipc "read" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
mlsconstrain msg receive
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msgq enqueue
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain shm lock
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msg send
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
# these access vectors have no MLS restrictions
# { ipc sem msgq shm } associate
#
# MLS policy for the fd class
#
# these access vectors have no MLS restrictions
# fd use
#
# MLS policy for the node class
#
# these access vectors have no MLS restrictions
# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
#
# MLS policy for the netif class
#
# these access vectors have no MLS restrictions
# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
#
# MLS policy for the process class
#
# new process labels must be dominated by the relabling subject clearance and
# sensitivity level changes require privilege
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
# all the process "read" ops
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(( l1 dom l2 ) or
(( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
#
# MLS policy for the security class
#
# these access vectors have no MLS restrictions
# security *
#
# MLS policy for the system class
#
# these access vectors have no MLS restrictions
# system *
#
# MLS policy for the capability class
#
# these access vectors have no MLS restrictions
# capability *
#
# MLS policy for the passwd class
#
# these access vectors have no MLS restrictions
# passwd *
#
# MLS policy for the drawable class
#
# the drawable "read" ops (implicit single level)
mlsconstrain drawable { getattr copy }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the drawable "write" ops (implicit single level)
mlsconstrain drawable { create destroy draw copy }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the gc class
#
# the gc "read" ops (implicit single level)
mlsconstrain gc getattr
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the gc "write" ops (implicit single level)
mlsconstrain gc { create free setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the window class
#
# the window "read" ops (implicit single level)
mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the window "write" ops (implicit single level)
mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# window { map unmap }
#
# MLS policy for the font class
#
# the font "read" ops (implicit single level)
mlsconstrain font { load getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the font "write" ops (implicit single level)
mlsconstrain font free
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# font use
#
# MLS policy for the colormap class
#
# the colormap "read" ops (implicit single level)
mlsconstrain colormap { list read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the colormap "write" ops (implicit single level)
mlsconstrain colormap { create free install uninstall store setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the property class
#
# the property "read" ops (implicit single level)
mlsconstrain property { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the property "write" ops (implicit single level)
mlsconstrain property { create free write }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the cursor class
#
# the cursor "write" ops (implicit single level)
mlsconstrain cursor { create createglyph free assign setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xclient class
#
# the xclient "write" ops (implicit single level)
mlsconstrain xclient kill
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xinput class
#
# the xinput "read" ops (implicit single level)
mlsconstrain xinput { lookup getattr mousemotion }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xinput "write" ops (implicit single level)
mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xserver class
#
# the xserver "read" ops (implicit single level)
mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xserver "write" ops (implicit single level)
mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xextension class
#
# the xextension "read" ops (implicit single level)
mlsconstrain xextension query
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the xextension "write" ops (implicit single level)
mlsconstrain xextension use
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the pax class
#
# these access vectors have no MLS restrictions
# pax { pageexec emutramp mprotect randmmap randexec segmexec }
#
# MLS policy for the dbus class
#
# these access vectors have no MLS restrictions
# dbus { acquire_svc send_msg }
#
# MLS policy for the nscd class
#
# these access vectors have no MLS restrictions
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
#
# MLS policy for the association class
#
# these access vectors have no MLS restrictions
# association { sendto recvfrom }
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetbindall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;
attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
') dnl end enable_mls

14
refpolicy/policy/users Normal file
View File

@ -0,0 +1,14 @@
# Copyright (C) 2005 Tresys Technology, LLC
##################################
#
# Core User configuration.
#
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);