add first part of changes to make base module compilable

Chris PeBenito 2005-09-09 20:51:54 +00:00
parent 0fdf3ef75e
commit 2e863f8ad0
7 changed files with 201 additions and 66 deletions


@ -1,8 +1,4 @@
#
# Define m4 macros for the constraints
#
# #
# Define the constraints # Define the constraints
# #
@ -33,29 +29,20 @@
# SELinux process identity change constraint: # SELinux process identity change constraint:
# #
constrain process transition constrain process transition
( u1 == u2 or ( u1 == u2
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
t1 == can_change_process_identity or t1 == can_change_process_identity
',` ',`
( t1 == can_change_process_identity and t2 == userdomain ) or ( t1 == can_change_process_identity and t2 == process_user_target )
ifdef(`crond.te',`
or (
t1 == crond_t
and (
t2 == user_crond_domain
or u2 == system_u
)
)
')
ifdef(`userhelper.te',` or ( t1 == cron_source_domain
or (t1 == userhelperdomain) and ( t2 == cron_job_domain or u2 == system_u )
') )
ifdef(`TODO',` or (t1 == process_uncond_exempt)
or (t1 == priv_system_role and u2 == system_u )
') dnl end TODO or (t1 == can_system_change and u2 == system_u )
') ')
); );
@ -63,19 +50,16 @@ ifdef(`targeted_policy',`
# SELinux process role change constraint: # SELinux process role change constraint:
# #
constrain process transition constrain process transition
( r1 == r2 or ( r1 == r2
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
t1 == can_change_process_role or t1 == can_change_process_role
',` ',`
( t1 == can_change_process_role and t2 == userdomain ) or ( t1 == can_change_process_role and t2 == process_user_target )
ifdef(`crond.te',` or ( t1 == cron_source_domain and t2 == cron_job_domain )
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',` or ( t1 == process_uncond_exempt )
or (t1 == userhelperdomain)
')
ifdef(`postfix.te',` ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
@ -87,9 +71,7 @@ ifdef(`targeted_policy',`
') ')
') ')
ifdef(`TODO',` or (t1 == can_system_change and r2 == system_r )
or (t1 == priv_system_role and r2 == system_r )
') dnl end TODO
') ')
); );
@ -97,7 +79,7 @@ ifdef(`targeted_policy',`
# SELinux dynamic transition constraint: # SELinux dynamic transition constraint:
# #
constrain process dyntransition constrain process dyntransition
( u1 == u2 and r1 == r2); ( u1 == u2 and r1 == r2 );
# #
# SElinux object identity change constraint: # SElinux object identity change constraint:
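Review bot: The clause `or (t1 == can_system_change and u2 == system_u )` in the identity constraint, and its `r2 == system_r` counterpart in the role constraint, sat inside the `ifdef(TODO)` block in the old text and are unconditional in the non-targeted branch of the new text. Any type that is given `can_system_change` may therefore transition into system_u / system_r, and `process_uncond_exempt` exempts its members from both constraints with no condition on the target at all. No interface that assigns either attribute is visible in this commit, so membership is presumably empty for now. A comment above each constraint, for example `# every attribute named below widens this constraint; grant membership only through the domain.if exemption interfaces`, would make that dependency explicit for whoever adds the first member.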


@ -33,8 +33,9 @@ template(`cron_per_userdomain_template',`
type $1_cron_spool_t, cron_spool_type; type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t) files_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain; type $1_crond_t;
domain_type($1_crond_t); domain_type($1_crond_t)
domain_cron_exemption_target($1_crond_t)
corecmd_shell_entry_type($1_crond_t) corecmd_shell_entry_type($1_crond_t)
role $3 types $1_crond_t; role $3 types $1_crond_t;


@ -17,6 +17,7 @@ type crond_t; #, privmail
type crond_exec_t; type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t) init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t) domain_wide_inherit_fd(crond_t)
domain_cron_exemption_source(crond_t)
type crond_log_t; type crond_log_t;
logging_log_file(crond_log_t) logging_log_file(crond_log_t)


@ -389,6 +389,7 @@ template(`ssh_per_userdomain_template',`
# #
template(`ssh_server_template', ` template(`ssh_server_template', `
type $1_t, ssh_server; type $1_t, ssh_server;
domain_type($1_t)
role system_r types $1_t; role system_r types $1_t;
type $1_devpts_t; type $1_devpts_t;


@ -4,8 +4,22 @@
## </required> ## </required>
######################################## ########################################
# ## <summary>
# domain_base_domain_type(domain) ## Make the specified type usable as a basic domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a basic domain.
## </p>
## <p>
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
## </p>
## </desc>
## <param name="type">
## Type to be used as a basic domain type.
## </param>
# #
interface(`domain_base_type',` interface(`domain_base_type',`
gen_require(` gen_require(`
@ -26,19 +40,15 @@ interface(`domain_base_type',`
# allow $1 to create child processes in this domain # allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld }; allow $1 self:process { fork sigchld };
# Files with domain types are currently only proc files
# self is excepted since domains and files can have
# the same type in SEFramework
# cjp: perhaps this should be a conditional exception,
# so it is excepted only on SEFramework policies
neverallow $1 { domain -$1 }:dir ~r_dir_perms;
neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
') ')
######################################## ########################################
# ## <summary>
# domain_type(domain) ## Make the specified type usable as a domain.
## </summary>
## <param name="type">
## Type to be used as a domain type.
## </param>
# #
interface(`domain_type',` interface(`domain_type',`
# start with basic domain # start with basic domain
@ -69,8 +79,17 @@ interface(`domain_type',`
') ')
######################################## ########################################
# ## <summary>
# domain_entry_file(domain,entrypointfile) ## Make the specified type usable as
## an entry point for the domain.
## </summary>
## <param name="domain">
## Domain to be entered.
## </param>
## <param name="type">
## Type of program used for entering
## the domain.
## </param>
# #
interface(`domain_entry_file',` interface(`domain_entry_file',`
gen_require(` gen_require(`
@ -79,7 +98,10 @@ interface(`domain_entry_file',`
') ')
files_type($2) files_type($2)
allow $1 $2:file entrypoint; allow $1 $2:file entrypoint;
allow $1 $2:file rx_file_perms;
typeattribute $2 entry_type; typeattribute $2 entry_type;
') ')
@ -158,6 +180,105 @@ interface(`domain_obj_id_change_exempt',`
typeattribute $1 can_change_object_identity; typeattribute $1 can_change_object_identity;
') ')
########################################
## <summary>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_user_exemption_target',`
gen_require(`
attribute process_user_target;
')
typeattribute $1 process_user_target;
')
########################################
## <summary>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_source',`
gen_require(`
attribute cron_source_domain;
')
typeattribute $1 cron_source_domain;
')
########################################
## <summary>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_target',`
gen_require(`
attribute cron_job_domain;
')
typeattribute $1 cron_job_domain;
')
######################################## ########################################
# #
# domain_use_wide_inherit_fd(domain) # domain_use_wide_inherit_fd(domain)
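Review bot: The three new interfaces `domain_user_exemption_target`, `domain_cron_exemption_source` and `domain_cron_exemption_target` add the caller's type to attributes that relax the identity and role change constraints, and the only restriction on their use is the prose "It should not be used other than on ...". Both cron interfaces also carry the parameter text "Domain target for user exemption." copied from the user interface; they should read `Domain that is the source of the cron exemption.` and `Domain that is the target of the cron exemption.` so a reviewer of a calling module can tell which side of the constraint is being granted. Separately, the `@ -26,19 +40,15 @` hunk drops the two `neverallow $1 { domain -$1 }:...` assertions from `domain_base_type`, and no replacement is visible on this page. If they were removed only so the base module compiles, a `# TODO: restore the neverallow on domain-typed dir/file access` at that spot would keep the lost check on record.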


@ -9,30 +9,58 @@ policy_module(domain,1.0)
# Mark process types as domains # Mark process types as domains
attribute domain; attribute domain;
# entrypoint executables # Transitions only allowed from domains to other domains
attribute entry_type; neverallow domain ~domain:process { transition dyntransition };
# widely-inheritable file descriptors
attribute privfd;
# Domains that can set their current context # Domains that can set their current context
# (perform dynamic transitions) # (perform dynamic transitions)
attribute set_curr_context; attribute set_curr_context;
# constraint related attributes
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not # enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a # know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!! # dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent; neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
# TODO: # TODO:
# cjp: also need to except correctly for SEFramework # cjp: also need to except correctly for SEFramework
#neverallow { domain unlabeled_t } file_type:process *; neverallow { domain unlabeled_t } file_type:process *;
#neverallow ~{ domain unlabeled_t } *:process *; neverallow ~{ domain unlabeled_t } *:process *;
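Review bot: As rendered here, the two `neverallow` rules on the last lines of the hunk lose their leading `#` and become active, while the `# TODO:` and `# cjp: also need to except correctly for SEFramework` comments stay directly above them. A reader cannot tell whether the SEFramework exception is still outstanding or the comment is stale; either reword it to something like `# TODO: these assertions do not yet except SEFramework types that are both domain and file_type`, or drop it. The attribute comments also tag both `can_change_object_identity` and `can_system_change` as `[3]`, so the numbering that the `[4]` text relies on ("attribute 1", "attribute 2") is no longer unique; renumber `can_system_change` and the tags after it. The trailing `# add userhelperdomain to this one` on `process_uncond_exempt` reads as an open task and would be clearer as an explicit `# TODO:`.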


@ -29,6 +29,7 @@ template(`base_user_template',`
type $1_t, userdomain; type $1_t, userdomain;
domain_type($1_t) domain_type($1_t)
corecmd_shell_entry_type($1_t) corecmd_shell_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t; role $1_r types $1_t;
allow system_r $1_r; allow system_r $1_r;