add prelink.

This commit is contained in:
Chris PeBenito 2006-01-11 23:20:28 +00:00
parent 3c4d75944a
commit 2c243586e5
15 changed files with 474 additions and 12 deletions

View File

@ -3,7 +3,7 @@
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Miscellaneous fixes from Dan Walsh.
- Numerous miscellaneous fixes from Dan Walsh.
- Added modules:
automount
ddcprobe
@ -12,6 +12,7 @@
lockdev
logwatch (Dan Walsh)
openct
prelink (Dan Walsh)
readahead
roundup
screen

View File

@ -1,5 +1,5 @@
policy_module(amanda,1.1.0)
policy_module(amanda,1.1.1)
#######################################
#
@ -77,6 +77,10 @@ role system_r types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
optional_policy(`prelink',`
prelink_object_file(amanda_usr_lib_t)
')
########################################
#
# Amanda local policy

View File

@ -0,0 +1,6 @@
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)

View File

@ -0,0 +1,92 @@
## <summary>Prelink ELF shared library mappings.</summary>
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`prelink_domtrans',`
gen_require(`
type prelink_t, prelink_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, prelink_exec_t, prelink_t)
allow $1 prelink_t:fd use;
allow prelink_t $1:fd use;
allow prelink_t $1:fifo_file rw_file_perms;
allow prelink_t $1:process sigchld;
')
########################################
## <summary>
## Make the specified file type prelinkable.
## </summary>
## <param name="file_type">
## File type to be prelinked.
## </param>
#
# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
')
typeattribute $1 prelink_object;
')
########################################
## <summary>
## Read the prelink cache.
## </summary>
## <param name="file_type">
## Domain allowed access.
## </param>
#
interface(`prelink_read_cache',`
gen_require(`
type prelink_cache_t;
')
files_search_etc($1)
allow $1 prelink_cache_t:file { getattr read };
')
########################################
## <summary>
## Delete the prelink cache.
## </summary>
## <param name="file_type">
## Domain allowed access.
## </param>
#
interface(`prelink_delete_cache',`
gen_require(`
type prelink_cache_t;
')
allow $1 prelink_cache_t:file unlink;
')
########################################
## <summary>
## Create, read, write, and delete
## prelink log files.
## </summary>
## <param name="file_type">
## Domain allowed access.
## </param>
#
interface(`prelink_manage_log',`
gen_require(`
type prelink_log_t;
')
logging_search_logs($1)
allow $1 prelink_log_t:dir rw_dir_perms;
allow $1 prelink_log_t:file create_file_perms;
')

View File

@ -0,0 +1,79 @@
policy_module(prelink,1.0.0)
########################################
#
# Declarations
attribute prelink_object;
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t,prelink_exec_t)
type prelink_cache_t;
files_type(prelink_cache_t)
type prelink_log_t;
logging_log_file(prelink_log_t)
########################################
#
# Local policy
#
allow prelink_t self:capability { chown dac_override fowner fsetid };
allow prelink_t self:process { execheap execmem execstack };
allow prelink_t self:fifo_file rw_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_create_etc_config(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
logging_create_log(prelink_t, prelink_log_t)
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
kernel_dontaudit_search_kernel_sysctl(prelink_t)
kernel_dontaudit_search_sysctl(prelink_t)
corecmd_manage_bin_files(prelink_t)
corecmd_relabel_bin_files(prelink_t)
corecmd_mmap_bin_files(prelink_t)
corecmd_manage_sbin_files(prelink_t)
corecmd_relabel_sbin_files(prelink_t)
corecmd_mmap_sbin_files(prelink_t)
dev_read_urand(prelink_t)
domain_manage_all_entry_files(prelink_t)
domain_relabel_all_entry_files(prelink_t)
domain_mmap_all_entry_files(prelink_t)
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dir(prelink_t)
files_read_etc_runtime_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
libs_use_ld_so(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_use_lib(prelink_t)
libs_manage_lib_files(prelink_t)
libs_relabel_lib_files(prelink_t)
miscfiles_read_localization(prelink_t)
optional_policy(`cron',`
cron_system_entry(prelink_t, prelink_exec_t)
')

View File

@ -188,6 +188,57 @@ interface(`corecmd_exec_bin',`
')
########################################
## <summary>
## Create, read, write, and delete bin files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`corecmd_manage_bin_files',`
gen_require(`
type bin_t;
')
allow $1 bin_t:dir rw_dir_perms;
allow $1 bin_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from the bin type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`corecmd_relabel_bin_files',`
gen_require(`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Mmap a bin file as executable.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`corecmd_mmap_bin_files',`
gen_require(`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { getattr read execute };
')
########################################
## <summary>
## Execute a file in a bin directory
@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',`
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:lnk_file r_file_perms;
can_exec($1,sbin_t)
')
########################################
## <summary>
## Create, read, write, and delete sbin files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`corecmd_manage_sbin_files',`
gen_require(`
type sbin_t;
')
allow $1 sbin_t:dir rw_dir_perms;
allow $1 sbin_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from the sbin type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`corecmd_relabel_sbin_files',`
gen_require(`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Mmap a sbin file as executable.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`corecmd_mmap_sbin_files',`
gen_require(`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file { getattr read execute };
')
########################################

View File

@ -1,5 +1,5 @@
policy_module(corecommands,1.1.0)
policy_module(corecommands,1.1.1)
########################################
#

View File

@ -1019,6 +1019,59 @@ interface(`domain_exec_all_entry_files',`
can_exec($1,entry_type)
')
########################################
## <summary>
## Create, read, write, and delete all
## entrypoint files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`domain_manage_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from all entry point
## file types.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`domain_relabel_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file { relabelfrom relabelto };
')
########################################
## <summary>
## Mmap all entry point files as executable.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`domain_mmap_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file { getattr read execute };
')
########################################
## <summary>
## Unconfined access to domains.

View File

@ -1,5 +1,5 @@
policy_module(domain,1.0.0)
policy_module(domain,1.0.1)
########################################
#

View File

@ -1,5 +1,5 @@
policy_module(apache,1.1.1)
policy_module(apache,1.1.2)
#
# NOTES:
@ -122,6 +122,10 @@ ifdef(`targeted_policy',`
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
')
optional_policy(`prelink',`
prelink_object_file(httpd_modules_t)
')
########################################
#
# Apache server local policy

View File

@ -1,5 +1,5 @@
policy_module(cron,1.1.3)
policy_module(cron,1.1.4)
gen_require(`
class passwd rootok;
@ -397,6 +397,12 @@ ifdef(`targeted_policy',`
nscd_use_socket(system_crond_t)
')
optional_policy(`prelink',`
prelink_read_cache(system_crond_t)
prelink_manage_log(system_crond_t)
prelink_delete_cache(system_crond_t)
')
optional_policy(`samba',`
samba_read_config(system_crond_t)
samba_read_log(system_crond_t)

View File

@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search;
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xdm_xserver_t, xkb_var_lib_t)
optional_policy(`prelink',`
prelink_object_file(xkb_var_lib_t)
')
# Insert video drivers.
allow xdm_xserver_t self:capability mknod;
allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };

View File

@ -113,6 +113,44 @@ interface(`libs_exec_ld_so',`
can_exec($1,ld_so_t)
')
########################################
## <summary>
## Create, read, write, and delete the
## dynamic link/loader.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_manage_ld_so',`
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir rw_dir_perms;
allow $1 ld_so_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from the type used for
## the dynamic link/loader.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_ld_so',`
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 ld_so_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Modify the dynamic link/loader's cached listing
@ -212,6 +250,25 @@ interface(`libs_use_lib',`
allow $1 lib_t:file rx_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete generic
## files in library directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_manage_lib_files',`
gen_require(`
type lib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel files to the type used in library directories.
@ -226,9 +283,47 @@ interface(`libs_relabelto_lib_files',`
class file relabelto;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file relabelto;
')
########################################
## <summary>
## Relabel to and from the type used
## for generic lib files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_lib_files',`
gen_require(`
type lib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Create, read, write, and delete shared libraries.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_manage_shared_libs',`
gen_require(`
type lib_t, shlib_t, textrel_shlib_t;
')
allow $1 lib_t:dir rw_dir_perms;
allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
')
########################################
## <summary>
## Load and execute functions from shared libraries.
@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',`
allow $1 { shlib_t textrel_shlib_t }:file execmod;
')
########################################
## <summary>
## Relabel to and from the type used for
## shared libraries.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for prelink
interface(`libs_relabel_shared_libs',`
gen_require(`
type lib_t, shlib_t, textrel_shlib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
')

View File

@ -1,5 +1,5 @@
policy_module(libraries,1.1.3)
policy_module(libraries,1.1.4)
########################################
#

View File

@ -1,5 +1,5 @@
policy_module(unconfined,1.1.4)
policy_module(unconfined,1.1.5)
########################################
#
@ -129,10 +129,6 @@ ifdef(`targeted_policy',`
sendmail_domtrans(unconfined_t)
')
optional_policy(`su',`
su_per_userdomain_template(sysadm,unconfined_t,system_r)
')
optional_policy(`sysnetwork',`
sysnet_domtrans_dhcpc(unconfined_t)
')