add prelink.

2006-01-11 23:20:28 +00:00 · 2006-01-11 23:20:28 +00:00 · 2c243586e5
parent 3c4d75944a
commit 2c243586e5
15 changed files with 474 additions and 12 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -3,7 +3,7 @@
 - Add apache relay and db connect tunables.
 - Rename texrel_shlib_t to textrel_shlib_t.
 - Add swat to samba module.
- Miscellaneous fixes from Dan Walsh.
+- Numerous miscellaneous fixes from Dan Walsh.
 - Added modules:
 	automount
 	ddcprobe
@ -12,6 +12,7 @@
 	lockdev
 	logwatch (Dan Walsh)
 	openct
+	prelink (Dan Walsh)
 	readahead
 	roundup
 	screen
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@ -1,5 +1,5 @@

-policy_module(amanda,1.1.0)
+policy_module(amanda,1.1.1)

 #######################################
 #
@ -77,6 +77,10 @@ role system_r types amanda_recover_t;
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)

+optional_policy(`prelink',`
+	prelink_object_file(amanda_usr_lib_t)
+')
+
 ########################################
 #
 # Amanda local policy
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@ -0,0 +1,6 @@
+
+/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
--- a/refpolicy/policy/modules/admin/prelink.if
+++ b/refpolicy/policy/modules/admin/prelink.if
@ -0,0 +1,92 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_domtrans',`
+	gen_require(`
+		type prelink_t, prelink_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, prelink_exec_t, prelink_t)
+
+	allow $1 prelink_t:fd use;
+	allow prelink_t $1:fd use;
+	allow prelink_t $1:fifo_file rw_file_perms;
+	allow prelink_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+##	File type to be prelinked.
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+	gen_require(`
+		attribute prelink_object;
+	')
+
+	typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+##	Read the prelink cache.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_read_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	files_search_etc($1)
+	allow $1 prelink_cache_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_delete_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	allow $1 prelink_cache_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	prelink log files.
+## </summary>
+## <param name="file_type">
+##	Domain allowed access.
+## </param>
+#
+interface(`prelink_manage_log',`
+	gen_require(`
+		type prelink_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 prelink_log_t:dir rw_dir_perms;
+	allow $1 prelink_log_t:file create_file_perms;
+')
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@ -0,0 +1,79 @@
+
+policy_module(prelink,1.0.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t,prelink_exec_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t self:fifo_file rw_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_create_etc_config(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:file { create ra_file_perms };
+allow prelink_t prelink_log_t:lnk_file read;
+logging_create_log(prelink_t, prelink_log_t)
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_dontaudit_search_kernel_sysctl(prelink_t)
+kernel_dontaudit_search_sysctl(prelink_t)
+
+corecmd_manage_bin_files(prelink_t)
+corecmd_relabel_bin_files(prelink_t)
+corecmd_mmap_bin_files(prelink_t)
+corecmd_manage_sbin_files(prelink_t)
+corecmd_relabel_sbin_files(prelink_t)
+corecmd_mmap_sbin_files(prelink_t)
+
+dev_read_urand(prelink_t)
+
+domain_manage_all_entry_files(prelink_t)
+domain_relabel_all_entry_files(prelink_t)
+domain_mmap_all_entry_files(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dir(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+libs_use_ld_so(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_use_shared_libs(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_use_lib(prelink_t)
+libs_manage_lib_files(prelink_t)
+libs_relabel_lib_files(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+optional_policy(`cron',`
+	cron_system_entry(prelink_t, prelink_exec_t)
+')
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@ -188,6 +188,57 @@ interface(`corecmd_exec_bin',`

 ')

+########################################
+## <summary>
+##	Create, read, write, and delete bin files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_manage_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir rw_dir_perms;
+	allow $1 bin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_relabel_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a bin file as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_mmap_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { getattr read execute };
+')
+
 ########################################
 ## <summary>
 ##	Execute a file in a bin directory
@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',`
 	allow $1 sbin_t:dir r_dir_perms;
 	allow $1 sbin_t:lnk_file r_file_perms;
 	can_exec($1,sbin_t)
+')

+########################################
+## <summary>
+##	Create, read, write, and delete sbin files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_manage_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir rw_dir_perms;
+	allow $1 sbin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the sbin type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_relabel_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a sbin file as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_mmap_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { getattr read execute };
 ')

 ########################################
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@ -1,5 +1,5 @@

-policy_module(corecommands,1.1.0)
+policy_module(corecommands,1.1.1)

 ########################################
 #
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@ -1019,6 +1019,59 @@ interface(`domain_exec_all_entry_files',`
 	can_exec($1,entry_type)
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete all
+##	entrypoint files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_manage_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from all entry point
+##	file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_relabel_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap all entry point files as executable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_mmap_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { getattr read execute };
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to domains.
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@

-policy_module(domain,1.0.0)
+policy_module(domain,1.0.1)

 ########################################
 #
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.1.1)
+policy_module(apache,1.1.2)

 #
 # NOTES: 
@ -122,6 +122,10 @@ ifdef(`targeted_policy',`
 	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
 ')

+optional_policy(`prelink',`
+	prelink_object_file(httpd_modules_t)
+')
+
 ########################################
 #
 # Apache server local policy
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -1,5 +1,5 @@

-policy_module(cron,1.1.3)
+policy_module(cron,1.1.4)

 gen_require(`
 	class passwd rootok;
@ -397,6 +397,12 @@ ifdef(`targeted_policy',`
 		nscd_use_socket(system_crond_t)
 	')

+	optional_policy(`prelink',`
+		prelink_read_cache(system_crond_t)
+		prelink_manage_log(system_crond_t)
+		prelink_delete_cache(system_crond_t)
+	')
+
 	optional_policy(`samba',`
 		samba_read_config(system_crond_t)
 		samba_read_log(system_crond_t)
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search;
 allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xdm_xserver_t, xkb_var_lib_t)

+optional_policy(`prelink',`
+	prelink_object_file(xkb_var_lib_t)
+')
+
 # Insert video drivers.  
 allow xdm_xserver_t self:capability mknod;
 allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -113,6 +113,44 @@ interface(`libs_exec_ld_so',`
 	can_exec($1,ld_so_t)
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete the
+##	dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 ld_so_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	the dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 ld_so_t:file { relabelfrom relabelto };
+')
+
 ########################################
 ## <summary>
 ##	Modify the dynamic link/loader's cached listing
@ -212,6 +250,25 @@ interface(`libs_use_lib',`
 	allow $1 lib_t:file rx_file_perms;
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	files in library directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel files to the type used in library directories.
@ -226,9 +283,47 @@ interface(`libs_relabelto_lib_files',`
 		class file relabelto;
 	')

+	allow $1 lib_t:dir search_dir_perms;
 	allow $1 lib_t:file relabelto;
 ')

+########################################
+## <summary>
+##	Relabel to and from the type used
+##	for generic lib files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete shared libraries.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Load and execute functions from shared libraries.
@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',`
 	allow $1 { shlib_t textrel_shlib_t }:file execmod;
 ')

+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	shared libraries.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
+')
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -1,5 +1,5 @@

-policy_module(libraries,1.1.3)
+policy_module(libraries,1.1.4)

 ########################################
 #
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@

-policy_module(unconfined,1.1.4)
+policy_module(unconfined,1.1.5)

 ########################################
 #
@ -129,10 +129,6 @@ ifdef(`targeted_policy',`
 		sendmail_domtrans(unconfined_t)
 	')

-	optional_policy(`su',`
-		su_per_userdomain_template(sysadm,unconfined_t,system_r)
-	')
-
 	optional_policy(`sysnetwork',`
 		sysnet_domtrans_dhcpc(unconfined_t)
 	')