rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

add first part of changes to make base module compilable

Browse Source
This commit is contained in:
Chris PeBenito 2005-09-09 20:51:54 +00:00
parent 0fdf3ef75e
commit 2e863f8ad0
7 changed files with 201 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
refpolicy/policy/constraints
View File

@ -1,8 +1,4 @@
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
@ -33,29 +29,20 @@
# SELinux process identity change constraint:
#
constrain process transition
( u1 == u2 or
( u1 == u2
ifdef(`targeted_policy',`
t1 == can_change_process_identity
or t1 == can_change_process_identity
',`
( t1 == can_change_process_identity and t2 == userdomain )
ifdef(`crond.te',`
or (
t1 == crond_t
and (
t2 == user_crond_domain
or u2 == system_u
)
)
')
or ( t1 == can_change_process_identity and t2 == process_user_target )
ifdef(`userhelper.te',`
or (t1 == userhelperdomain)
')
or ( t1 == cron_source_domain
and ( t2 == cron_job_domain or u2 == system_u )
)
ifdef(`TODO',`
or (t1 == priv_system_role and u2 == system_u )
') dnl end TODO
or (t1 == process_uncond_exempt)
or (t1 == can_system_change and u2 == system_u )
')
);
@ -63,19 +50,16 @@ ifdef(`targeted_policy',`
# SELinux process role change constraint:
#
constrain process transition
( r1 == r2 or
( r1 == r2
ifdef(`targeted_policy',`
t1 == can_change_process_role
or t1 == can_change_process_role
',`
( t1 == can_change_process_role and t2 == userdomain )
or ( t1 == can_change_process_role and t2 == process_user_target )
ifdef(`crond.te',`
or (t1 == crond_t and t2 == user_crond_domain)
')
or ( t1 == cron_source_domain and t2 == cron_job_domain )
ifdef(`userhelper.te',`
or (t1 == userhelperdomain)
')
or ( t1 == process_uncond_exempt )
ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',`
@ -87,9 +71,7 @@ ifdef(`targeted_policy',`
')
')
ifdef(`TODO',`
or (t1 == priv_system_role and r2 == system_r )
') dnl end TODO
or (t1 == can_system_change and r2 == system_r )
')
);
@ -97,7 +79,7 @@ ifdef(`targeted_policy',`
# SELinux dynamic transition constraint:
#
constrain process dyntransition
( u1 == u2 and r1 == r2);
( u1 == u2 and r1 == r2 );
#
# SElinux object identity change constraint:

5
refpolicy/policy/modules/services/cron.if
View File

@ -33,8 +33,9 @@ template(`cron_per_userdomain_template',`
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain;
domain_type($1_crond_t);
type $1_crond_t;
domain_type($1_crond_t)
domain_cron_exemption_target($1_crond_t)
corecmd_shell_entry_type($1_crond_t)
role $3 types $1_crond_t;

1
refpolicy/policy/modules/services/cron.te
View File

@ -17,6 +17,7 @@ type crond_t; #, privmail
type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t)
domain_cron_exemption_source(crond_t)
type crond_log_t;
logging_log_file(crond_log_t)

1
refpolicy/policy/modules/services/ssh.if
View File

@ -389,6 +389,7 @@ template(`ssh_per_userdomain_template',`
#
template(`ssh_server_template', `
type $1_t, ssh_server;
domain_type($1_t)
role system_r types $1_t;
type $1_devpts_t;

149
refpolicy/policy/modules/system/domain.if
View File

@ -4,8 +4,22 @@
## </required>
########################################
#
# domain_base_domain_type(domain)
## <summary>
## Make the specified type usable as a basic domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a basic domain.
## </p>
## <p>
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
## </p>
## </desc>
## <param name="type">
## Type to be used as a basic domain type.
## </param>
#
interface(`domain_base_type',`
gen_require(`
@ -26,19 +40,15 @@ interface(`domain_base_type',`
# allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld };
# Files with domain types are currently only proc files
# self is excepted since domains and files can have
# the same type in SEFramework
# cjp: perhaps this should be a conditional exception,
# so it is excepted only on SEFramework policies
neverallow $1 { domain -$1 }:dir ~r_dir_perms;
neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
')
########################################
#
# domain_type(domain)
## <summary>
## Make the specified type usable as a domain.
## </summary>
## <param name="type">
## Type to be used as a domain type.
## </param>
#
interface(`domain_type',`
# start with basic domain
@ -69,8 +79,17 @@ interface(`domain_type',`
')
########################################
#
# domain_entry_file(domain,entrypointfile)
## <summary>
## Make the specified type usable as
## an entry point for the domain.
## </summary>
## <param name="domain">
## Domain to be entered.
## </param>
## <param name="type">
## Type of program used for entering
## the domain.
## </param>
#
interface(`domain_entry_file',`
gen_require(`
@ -79,7 +98,10 @@ interface(`domain_entry_file',`
')
files_type($2)
allow $1 $2:file entrypoint;
allow $1 $2:file rx_file_perms;
typeattribute $2 entry_type;
')
@ -158,6 +180,105 @@ interface(`domain_obj_id_change_exempt',`
typeattribute $1 can_change_object_identity;
')
########################################
## <summary>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_user_exemption_target',`
gen_require(`
attribute process_user_target;
')
typeattribute $1 process_user_target;
')
########################################
## <summary>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_source',`
gen_require(`
attribute cron_source_domain;
')
typeattribute $1 cron_source_domain;
')
########################################
## <summary>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
## </p>
## </desc>
## <param name="domain">
## Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_target',`
gen_require(`
attribute cron_job_domain;
')
typeattribute $1 cron_job_domain;
')
########################################
#
# domain_use_wide_inherit_fd(domain)

58
refpolicy/policy/modules/system/domain.te
View File

@ -9,30 +9,58 @@ policy_module(domain,1.0)
# Mark process types as domains
attribute domain;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# constraint related attributes
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
# TODO:
# cjp: also need to except correctly for SEFramework
#neverallow { domain unlabeled_t } file_type:process *;
#neverallow ~{ domain unlabeled_t } *:process *;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;

1
refpolicy/policy/modules/system/userdomain.if
View File

@ -29,6 +29,7 @@ template(`base_user_template',`
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;