switch over to tunable_policy and optional_policy

Chris PeBenito 2005-05-02 19:22:58 +00:00
parent f360f82f54
commit 25baab18d1
10 changed files with 56 additions and 62 deletions


@ -157,13 +157,13 @@ optional_policy(`fsadm.te', `
filesystemtools_execute(bootloader_t) filesystemtools_execute(bootloader_t)
') ')
ifdef(`distro_debian', ` tunable_policy(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom; allow bootloader_t boot_t:file relabelfrom;
') ')
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
files_make_mountpoint(bootloader_tmp_t) files_make_mountpoint(bootloader_tmp_t)
# for mke2fs # for mke2fs
@ -204,7 +204,7 @@ allow lvm_t bootloader_tmp_t:file rw_file_perms;
r_dir_file(bootloader_t, lvm_etc_t) r_dir_file(bootloader_t, lvm_etc_t)
') ')
ifdef(`distro_debian', ` tunable_policy(`distro_debian', `
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
allow bootloader_t tmpfs_t:dir r_dir_perms; allow bootloader_t tmpfs_t:dir r_dir_perms;
@ -216,7 +216,7 @@ allow bootloader_t dpkg_var_lib_t:file { getattr read };
can_exec(bootloader_t, usr_t) can_exec(bootloader_t, usr_t)
') ')
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
# new file system defaults to file_t, granting file_t access is still bad. # new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms; allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
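Review bot: distro_debian and distro_redhat on L14, L19, L25 and L32 appear to be build-time distribution selectors (the old side gates them with m4 ifdef), and wrapping them in tunable_policy instead makes the relabel grants on L15-L17 and the file_t create grants on L34-L35 depend on a runtime boolean rather than being compiled out on other distributions. Unless a matching boolean is declared somewhere I cannot see, the policy will presumably not build; if one is declared, these rules ship in every build and can be switched on by toggling the boolean, which widens what a non-Debian or non-Red Hat system can be made to allow. The same conversion appears at L42, L60, L68, L75, L81, L87, L124, L147, L160, L213, L225, L242, L251, L260 and L267 (targeted_policy, distro_gentoo, distro_suse and hide_broken_symptoms included). I would keep the ifdef form for these build selectors and reserve tunable_policy for declared tunables such as direct_sysadm_daemon on L179, or else add a comment next to each declaring where the boolean is defined and its default.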


@ -277,7 +277,7 @@ optional_policy(`consoletype.te',`
consoletype_transition(initrc_t) consoletype_transition(initrc_t)
') ')
ifdef(`distro_redhat',` tunable_policy(`distro_redhat',`
kernel_set_selinux_enforcement_mode(initrc_t) kernel_set_selinux_enforcement_mode(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
@ -308,7 +308,7 @@ allow initrc_t home_type:file r_file_perms;
allow initrc_t udev_runtime_t:file rw_file_perms; allow initrc_t udev_runtime_t:file rw_file_perms;
# for lsof in shutdown scripts # for lsof in shutdown scripts
ifdef(`kerberos.te',` optional_policy(`kerberos.te',`
if (allow_kerberos) { if (allow_kerberos) {
can_network_client(initrc_t, `kerberos_port_t') can_network_client(initrc_t, `kerberos_port_t')
can_resolve(initrc_t) can_resolve(initrc_t)
@ -326,12 +326,12 @@ allow initrc_t device_t:lnk_file unlink;
# #
# These rules are here to allow init scripts to su # These rules are here to allow init scripts to su
# #
ifdef(`su.te', ` optional_policy(`su.te', `
su_restricted_domain(initrc,system) su_restricted_domain(initrc,system)
role system_r types initrc_su_t; role system_r types initrc_su_t;
') ')
ifdef(`distro_debian', ` tunable_policy(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr; allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm # for storing state under /dev/shm
@ -339,9 +339,9 @@ allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
') ')dnl end distro_debian
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map. # Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time. # Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms; allow initrc_t boot_t:lnk_file rw_file_perms;
@ -375,7 +375,7 @@ dontaudit initrc_t proc_kmsg_t:file getattr;
# Run_init local policy # Run_init local policy
# #
ifdef(`targeted_policy',` tunable_policy(`targeted_policy',`
# targeted/unconfined stuff # targeted/unconfined stuff
',` ',`
corecommands_execute_general_programs(run_init_t) corecommands_execute_general_programs(run_init_t)
@ -426,7 +426,7 @@ files_ignore_search_all_directories(run_init_t)
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`targeted_policy', ` tunable_policy(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
@ -445,7 +445,7 @@ allow run_init_t lib_t:file { getattr read };
') dnl endif targeted policy ') dnl endif targeted policy
ifdef(`distro_gentoo', ` tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript: # Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
') ')


@ -76,9 +76,11 @@ allow iptables_t userdomain:fd use;
# Access terminals. # Access terminals.
allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')
ifdef(`firstboot.te', ` optional_policy(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write; allow iptables_t firstboot_t:fifo_file write;
') ')
') dnl ifdef TODO ') dnl ifdef TODO


@ -75,11 +75,8 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links. # Read /dev directories and any symbolic links.
allow local_login_t device_t:lnk_file r_file_perms; allow local_login_t device_t:lnk_file r_file_perms;
ifdef(`pam.te', ` optional_policy(`authlogin.te',`
can_exec(local_login_t, pam_exec_t) can_exec(local_login_t, pam_exec_t)
')
ifdef(`pamconsole.te', `
rw_dir_create_file(local_login_t, pam_var_console_t) rw_dir_create_file(local_login_t, pam_var_console_t)
') ')
@ -89,7 +86,7 @@ allow local_login_t autofs_t:dir { search read getattr };
allow local_login_t mnt_t:dir r_dir_perms; allow local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for? # FIXME: what is this for?
ifdef(`xdm.te', ` optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull; allow xdm_t local_login_t:process signull;
') ')
@ -118,7 +115,7 @@ allow local_login_t mail_spool_t:lnk_file read;
allow local_login_t mouse_device_t:chr_file { getattr setattr }; allow local_login_t mouse_device_t:chr_file { getattr setattr };
ifdef(`targeted_policy',` tunable_policy(`targeted_policy',`
unconfined_domain(local_login_t) unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
') ')
@ -153,8 +150,9 @@ allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
ifdef(`gpm.te', optional_policy(`gpm.te',`
`allow local_login_t gpmctl_t:sock_file { getattr setattr };') allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
# Allow setting of attributes on sound devices. # Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr }; allow local_login_t sound_device_t:chr_file { getattr setattr };
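Review bot: The merged authlogin.te optional_policy block on L110-L115 still names `pam_exec_t` and `pam_var_console_t` directly, types that presumably belong to the authlogin module, whereas the same commit replaces a direct pam_console transition with `authlogin_pam_console_transition(udev_t)` on L280. If authlogin.te exposes interfaces for executing its programs and for reading or writing its console state, calling them here would keep type ownership inside authlogin and avoid a silent break when those types are renamed; otherwise a one-line comment such as `# direct pam_exec_t/pam_var_console_t use: no authlogin interface yet` would record why the raw types remain. The hunk ends at the closing quote on L115, so I cannot see whether anything else was folded into this block.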


@ -120,11 +120,13 @@ filesystem_get_all_filesystems_attributes(syslogd_t)
init_use_file_descriptors(syslogd_t) init_use_file_descriptors(syslogd_t)
init_script_use_pseudoterminal(syslogd_t) init_script_use_pseudoterminal(syslogd_t)
domain_use_widely_inheritable_file_descriptors(syslogd_t)
files_read_general_system_config(syslogd_t) files_read_general_system_config(syslogd_t)
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file) files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file) files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t) files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
ifdef(`distro_suse', ` tunable_policy(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
') ')
@ -153,9 +155,19 @@ kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t) kernel_change_ring_buffer_level(syslogd_t)
') ')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(syslogd_t)
')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(syslogd_t) udev_read_database(syslogd_t)
')dnl end if udev.te ')
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t)
files_ignore_read_rootfs_file(syslogd_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow syslogd_t proc_t:dir r_dir_perms; allow syslogd_t proc_t:dir r_dir_perms;
@ -163,19 +175,13 @@ allow syslogd_t proc_t:lnk_file read;
allow syslogd_t null_device_t:chr_file r_file_perms; allow syslogd_t null_device_t:chr_file r_file_perms;
dontaudit syslogd_t unpriv_userdomain:fd use; dontaudit syslogd_t unpriv_userdomain:fd use;
allow syslogd_t autofs_t:dir { search getattr }; allow syslogd_t autofs_t:dir { search getattr };
allow syslogd_t privfd:fd use;
dontaudit syslogd_t sysadm_home_dir_t:dir search; dontaudit syslogd_t sysadm_home_dir_t:dir search;
ifdef(`newrole.te', `allow syslogd_t newrole_t:process sigchld;') optional_policy(`rhgb.te', `
ifdef(`rhgb.te', `
allow syslogd_t rhgb_t:process sigchld; allow syslogd_t rhgb_t:process sigchld;
allow syslogd_t rhgb_t:fd use; allow syslogd_t rhgb_t:fd use;
allow syslogd_t rhgb_t:fifo_file { read write }; allow syslogd_t rhgb_t:fifo_file { read write };
') ')
ifdef(`targeted_policy', ` tunable_policy(`direct_sysadm_daemon',`
dontaudit syslogd_t { tty_device_t devpts_t }:chr_file { read write };
dontaudit syslogd_t root_t:file { getattr read };
')dnl end if targeted_policy
ifdef(`direct_sysadm_daemon', `
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
') ')
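Review bot: L142 adds `domain_use_widely_inheritable_file_descriptors(syslogd_t)` and L154-L156 add `selinux_newrole_sigchld(syslogd_t)` to the live policy, while the rules they replace (`allow syslogd_t privfd:fd use;` on L171 and the newrole sigchld ifdef on L173) sat below the TODO ifdef opened on L165 and so appear to have been compiled out until now; that is a new grant rather than a mechanical ifdef-to-optional_policy rewrite and deserves a sentence in the commit description. The targeted_policy block on L160-L164 likewise replaces the dontaudit rules on L180-L181 with `terminal_ignore_use_general_physical_terminal`, `terminal_ignore_use_general_pseudoterminal` and `files_ignore_read_rootfs_file`, whose permission sets are not visible here; a comment like `# replaces dontaudit of tty/devpts read write and root_t getattr read` above L161 would let a reader confirm the mapping. The TODO block is not closed within this section, so its extent is inferred.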


@ -88,22 +88,10 @@ miscfiles_read_localization(insmod_t)
logging_send_system_log_message(insmod_t) logging_send_system_log_message(insmod_t)
define(`insmod_mount_optional_policy',` optional_policy(`mount.te',`
mount_transition(insmod_t) mount_transition(insmod_t)
') ')
########################################
#
# Conditional policy logic
#
ifdef(`monolithic_policy',`
ifdef(`mount.te',`insmod_mount_optional_policy')
',`
optional mount { mount_transition_depend }
ifopt (consoletype) { insmod_mount_optional_policy }
') dnl end monolithic_policy
# #
# #
# TODO rules: # TODO rules:


@ -100,30 +100,30 @@ ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use; allow mount_t sysadm_gph_t:fd use;
') ')
ifdef(`distro_redhat',` tunable_policy(`distro_redhat',`
ifdef(`pamconsole.te',` optional_policy(`authlogin.te',`
r_dir_file($2_t,pam_var_console_t) r_dir_file($2_t,pam_var_console_t)
# mount config by default sets fscontext=removable_t # mount config by default sets fscontext=removable_t
allow $2_t dosfs_t:filesystem relabelfrom; allow $2_t dosfs_t:filesystem relabelfrom;
') dnl end pamconsole.te ') dnl end authlogin
') dnl end distro_redhat ') dnl end distro_redhat
ifdef(`rhgb.te', ` optional_policy(`rhgb.te', `
allow mount_t rhgb_t:process sigchld; allow mount_t rhgb_t:process sigchld;
allow mount_t rhgb_t:fd use; allow mount_t rhgb_t:fd use;
allow mount_t rhgb_t:fifo_file { read write }; allow mount_t rhgb_t:fifo_file { read write };
') ')
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow mount_t tmpfs_t:chr_file { read write }; allow mount_t tmpfs_t:chr_file { read write };
allow mount_t tmpfs_t:dir mounton; allow mount_t tmpfs_t:dir mounton;
') ')
ifdef(`automount.te', ` optional_policy(`automount.te', `
allow mount_t autofs_t:dir read; allow mount_t autofs_t:dir read;
') ')
ifdef(`portmap.te', ` optional_policy(`portmap.te', `
# for nfs # for nfs
can_network(mount_t) can_network(mount_t)
can_ypbind(mount_t) can_ypbind(mount_t)
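Review bot: L213-L219 nests an authlogin.te optional_policy block inside a distro_redhat tunable_policy block; if tunable_policy expands to a conditional boolean block (as the `if (allow_kerberos) {` form on L49 suggests for booleans), an optional block inside it may not be accepted by the policy compiler, whereas the reverse nesting (optional outside, tunable inside) generally is. I would invert the two so that the authlogin.te optional_policy is the outer block and the distro_redhat tunable_policy the inner one, keeping L215-L217 unchanged. L215 and L217 also reference `$2_t` rather than `mount_t` while the surrounding rules on L211 and L221 use `mount_t`; if this region is inside a template where `$2` is the domain prefix that is fine, but it cannot be confirmed from this hunk and a comment naming the template parameter would help. The same direct use of `pam_var_console_t` that L280 avoids elsewhere in this commit appears on L215.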


@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use;
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute }; allow restorecon_t lib_t:file { read execute };
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
') ')


@ -343,7 +343,7 @@ allow restorecon_t { userdomain privfd }:fd use;
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute }; allow restorecon_t lib_t:file { read execute };
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
') ')


@ -108,7 +108,7 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
dbusd_client(system, udev) dbusd_client(system, udev)
# Ifdefs # Ifdefs
ifdef(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow udev_t tmpfs_t:dir rw_dir_perms; allow udev_t tmpfs_t:dir rw_dir_perms;
allow udev_t tmpfs_t:sock_file create_file_perms; allow udev_t tmpfs_t:sock_file create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms; allow udev_t tmpfs_t:lnk_file create_lnk_perms;
@ -119,26 +119,26 @@ allow udev_t tmpfs_t:dir search;
domain_auto_trans(udev_t, netutils_exec_t, netutils_t) domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
') dnl end ifdef distro_redhat ') dnl end ifdef distro_redhat
ifdef(`hide_broken_symptoms', ` tunable_policy(`hide_broken_symptoms', `
dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
') ')
ifdef(`xdm.te', ` optional_policy(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read }; allow udev_t xdm_var_run_t:file { getattr read };
') ')
ifdef(`hotplug.te', ` optional_policy(`hotplug.te', `
r_dir_file(udev_t, hotplug_etc_t) r_dir_file(udev_t, hotplug_etc_t)
') ')
ifdef(`pamconsole.te', ` optional_policy(`authlogin.te', `
allow udev_t pam_var_console_t:dir search; allow udev_t pam_var_console_t:dir search;
allow udev_t pam_var_console_t:file { getattr read }; allow udev_t pam_var_console_t:file { getattr read };
domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) authlogin_pam_console_transition(udev_t)
') ')
ifdef(`dhcpc.te', ` optional_policy(`sysnetwork.te', `
domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
') ')
') dnl endif TODO ') dnl endif TODO
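Review bot: L277-L281 mixes the new `authlogin_pam_console_transition(udev_t)` interface on L280 with direct references to `pam_var_console_t` on L278-L279 inside the same authlogin.te optional_policy block, and L283 keeps `domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)` under the new sysnetwork.te optional_policy; consistent use of the owning module's interfaces would be preferable so that the module boundary introduced by this commit actually holds. Since L285 (`') dnl endif TODO`) shows this whole region is still under the TODO ifdef, these calls are presumably compiled out for now, so a comment `# TODO: replace direct pam_var_console_t and dhcpc_t rules with authlogin/sysnetwork interfaces` next to L278 would record what remains. The opening of the TODO block is outside this section.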