more cleanup

Chris PeBenito 2005-07-19 18:40:31 +00:00
parent 8b0bbdda34
commit 2ec4c9d38f
5 changed files with 273 additions and 132 deletions


@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',`
allow $1 noxattrfs:filesystem associate; allow $1 noxattrfs:filesystem associate;
') ')
########################################
## <summary>
## Execute files on a filesystem that does
## not support extended attributes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_exec_noxattr',`
gen_require(`
attribute noxattrfs;
')
can_exec($1,noxattrfs)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a persistent filesystem which ## Mount a persistent filesystem which
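Review bot: The new `fs_exec_noxattr` interface should state the security property it relies on: a filesystem without extended-attribute support is labelled as a whole (the `noxattrfs` attribute), so `can_exec($1,noxattrfs)` permits executing every file stored on such media, not a selected set of binaries. Suggest extending the summary to something like `## Execute files on a filesystem that does not support extended attributes. All files on such a filesystem share one label, so this permits executing any file stored there.` so callers weigh it like exec on an unlabeled tree. The hunk header shows the whole interface is inside this hunk; the neighbouring `fs_associate_noxattr` and mount interfaces extend outside it.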


@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Read the process state (/proc/pid) of all domains. ## Read the process state (/proc/pid) of all domains.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',`
dontaudit $1 domain:process ptrace; dontaudit $1 domain:process ptrace;
') ')
########################################
## <summary>
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
gen_require(`
attribute domain;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
class process { getattr ptrace };
')
dontaudit $1 domain:dir r_dir_perms;
dontaudit $1 domain:lnk_file r_file_perms;
dontaudit $1 domain:file r_file_perms;
dontaudit $1 domain:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 domain:process ptrace;
')
######################################## ########################################
## <desc> ## <desc>
## Do not audit attempts to read the process state ## Do not audit attempts to read the process state
@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Get the session ID of all domains. ## Get the session ID of all domains.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',`
allow $1 domain:process getsession; allow $1 domain:process getsession;
') ')
########################################
## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
gen_require(`
attribute domain;
class process getsession;
')
allow $1 domain:process getsession;
')
########################################
## <summary>
## Get the attributes of all domains
## sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## sockets, for all socket types.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`domain_getattr_all_sockets',`
gen_require(`
gen_require_set(getattr,socket_class_set)
')
allow $1 domain:socket_class_set getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
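Review bot: `domain_dontaudit_getsession_all_domains` grants the permission instead of suppressing the denial: its body is `allow $1 domain:process getsession;`, which makes it identical to `domain_getsession_all_domains` directly above it, while its name, its summary and its caller in userdomain.if all expect a dontaudit rule. The line should read `dontaudit $1 domain:process getsession;`, otherwise every domain that calls this interface silently gains getsession on all domains. In `domain_getattr_all_sockets` the require block is `gen_require_set(getattr,socket_class_set)` rather than the `class ... ;` form used by every other interface in this file; presumably intentional for the class set macro, but worth confirming it expands inside `gen_require`. The hunk ends mid-file in the next interface's header, which is outside the visible range.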


@ -1,10 +1,10 @@
## <summary>Miscelaneous files.</summary> ## <summary>Miscelaneous files.</summary>
######################################## ########################################
## <desc> ## <summary>
## Allow process to create files and dirs in /var/cache/man ## Allow process to create files and dirs in /var/cache/man
## and /var/catman/ ## and /var/catman/
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
@ -22,9 +22,9 @@ interface(`miscfiles_rw_man_cache',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to read fonts files ## Read fonts
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
@ -45,9 +45,9 @@ interface(`miscfiles_read_fonts',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to read localization info ## Allow process to read localization info
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
@ -72,9 +72,9 @@ interface(`miscfiles_read_localization',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to read legacy time localization info ## Allow process to read legacy time localization info
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
@ -90,9 +90,9 @@ interface(`miscfiles_legacy_read_localization',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to read man pages ## Allow process to read man pages
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
allow $1 man_t:lnk_file r_file_perms; allow $1 man_t:lnk_file r_file_perms;
') ')
########################################
## <summary>
## Read TeX data
## </summary>
## <param name="domain">
## Type type of the process performing this action.
## </param>
#
interface(`miscfiles_read_tetex_data',`
gen_require(`
type tetex_data_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir r_dir_perms;
allow $1 tetex_data_t:file r_file_perms;
allow $1 tetex_data_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
## Type type of the process performing this action.
## </param>
#
interface(`miscfiles_exec_tetex_data',`
gen_require(`
type fonts_t;
class dir r_dir_perms;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir r_dir_perms;
can_exec($1,tetex_data_t)
')
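Review bot: `miscfiles_exec_tetex_data` declares the wrong dependency: its `gen_require` lists `type fonts_t;` but the body uses `tetex_data_t` in both `allow $1 tetex_data_t:dir r_dir_perms;` and `can_exec($1,tetex_data_t)`, so the require block neither covers the type actually used nor matches the sibling `miscfiles_read_tetex_data`, which correctly requires `type tetex_data_t;`. Change the require to `type tetex_data_t;`. Both new interfaces also copy the `Type type of the process performing this action.` typo from the older interfaces in this file; `The type of the process performing this action.` is presumably intended.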


@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',`
allow cardmgr_t $3:chr_file rw_term_perms; allow cardmgr_t $3:chr_file rw_term_perms;
') ')
########################################
## <summary>
## Read cardmgr pid files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`pcmcia_read_pid',`
gen_require(`
type cardmgr_var_run_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_pids($1)
allow $1 cardmgr_var_run_t:dir r_dir_perms;
allow $1 cardmgr_var_run_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete ## Create, read, write, and delete


@ -156,6 +156,7 @@ template(`base_user_template',`
fs_get_all_fs_quotas($1_t) fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t) fs_getattr_all_fs($1_t)
fs_search_auto_mountpoints($1_t) fs_search_auto_mountpoints($1_t)
fs_exec_noxattr($1_t)
# for eject # for eject
storage_getattr_fixed_disk($1_t) storage_getattr_fixed_disk($1_t)
@ -171,6 +172,10 @@ template(`base_user_template',`
domain_exec_all_entry_files($1_t) domain_exec_all_entry_files($1_t)
domain_use_wide_inherit_fd($1_t) domain_use_wide_inherit_fd($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
domain_dontaudit_getsession_all_domains($1_t)
files_exec_etc_files($1_t) files_exec_etc_files($1_t)
files_read_usr_src_files($1_t) files_read_usr_src_files($1_t)
@ -188,6 +193,9 @@ template(`base_user_template',`
miscfiles_read_localization($1_t) miscfiles_read_localization($1_t)
miscfiles_rw_man_cache($1_t) miscfiles_rw_man_cache($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@ -198,6 +206,14 @@ template(`base_user_template',`
allow $1_t self:process execmem; allow $1_t self:process execmem;
') ')
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
')
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t) fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t) fs_manage_nfs_files($1_t)
@ -236,6 +252,11 @@ template(`base_user_template',`
nscd_use_socket($1_t) nscd_use_socket($1_t)
') ')
optional_policy(`pcmcia.te',`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
files_getattr_var_lib_dir($1_t) files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t) files_search_var_lib($1_t)
@ -248,11 +269,6 @@ template(`base_user_template',`
ifdef(`TODO',` ifdef(`TODO',`
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
dontaudit $1_t domain:dir r_dir_perms;
dontaudit $1_t domain:notdevfile_class_set r_file_perms;
dontaudit $1_t domain:process { getattr getsession };
# #
# Cups daemon running as user tries to write /etc/printcap # Cups daemon running as user tries to write /etc/printcap
# #
@ -271,11 +287,6 @@ template(`base_user_template',`
# /initrd is left mounted, various programs try to look at it # /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr; dontaudit $1_t ramfs_t:dir getattr;
tunable_policy(`read_default_t',`
allow $1_t default_t:dir r_dir_perms;
allow $1_t default_t:notdevfile_class_set r_file_perms;
')
# #
# Running ifconfig as a user generates the following # Running ifconfig as a user generates the following
# #
@ -303,11 +314,8 @@ template(`base_user_template',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr; dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search }; dontaudit $1_t proc_fs:dir { read search };
can_exec($1_t, { removable_t noexattrfile } )
tunable_policy(`user_rw_noexattrfile',` tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile) create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
# Write floppies # Write floppies
storage_raw_read_removable_device($1_t) storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t) storage_raw_write_removable_device($1_t)
@ -321,12 +329,6 @@ template(`base_user_template',`
allow $1_t usbtty_device_t:chr_file read; allow $1_t usbtty_device_t:chr_file read;
can_exec($1_t, noexattrfile)
# for running TeX programs
r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t)
can_resmgrd_connect($1_t) can_resmgrd_connect($1_t)
# Grant permissions to access the system DBus # Grant permissions to access the system DBus
@ -350,22 +352,19 @@ template(`base_user_template',`
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms; allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
') ')
# Connect to inetd.
ifdef(`inetd.te', ` ifdef(`inetd.te', `
# Connect to inetd.
can_tcp_connect($1_t, inetd_t) can_tcp_connect($1_t, inetd_t)
can_udp_send($1_t, inetd_t) can_udp_send($1_t, inetd_t)
can_udp_send(inetd_t, $1_t) can_udp_send(inetd_t, $1_t)
# Inherit and use sockets from inetd
allow $1_t inetd_t:fd use;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
') ')
# Connect to portmap. # Connect to portmap.
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
# Inherit and use sockets from inetd
ifdef(`inetd.te', `
allow $1_t inetd_t:fd use;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
ifdef(`xserver.te', ` ifdef(`xserver.te', `
# for /tmp/.ICE-unix # for /tmp/.ICE-unix
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@ -398,11 +397,6 @@ template(`base_user_template',`
create_dir_file($1_t, nfsd_rw_t) create_dir_file($1_t, nfsd_rw_t)
') ')
ifdef(`cardmgr.te', `
# to allow monitoring of pcmcia status
allow $1_t cardmgr_var_run_t:file r_file_perms;
')
# #
# Allow graphical boot to check battery lifespan # Allow graphical boot to check battery lifespan
# #
@ -417,7 +411,7 @@ template(`base_user_template',`
') dnl endif TODO ') dnl endif TODO
')dnl end base_user_domain macro ')
####################################### #######################################
## <summary> ## <summary>
@ -496,6 +490,14 @@ template(`unpriv_user_template', `
files_read_etc_files($1_t) files_read_etc_files($1_t)
files_list_home($1_t) files_list_home($1_t)
files_read_usr_files($1_t) files_read_usr_files($1_t)
files_exec_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
files_read_world_readable_files($1_t)
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
init_read_script_pid($1_t) init_read_script_pid($1_t)
# The library functions always try to open read-write first, # The library functions always try to open read-write first,
@ -567,18 +569,6 @@ template(`unpriv_user_template', `
') ')
') ')
tunable_policy(`read_default_t',`
allow $1 default_t:dir r_dir_perms;
allow $1 default_t:notdevfile_class_set r_file_perms;
')
can_exec($1_t, usr_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1_t readable_t:dir r_dir_perms;
allow $1_t readable_t:notdevfile_class_set r_file_perms;
# Stat lost+found. # Stat lost+found.
allow $1_t lost_found_t:dir getattr; allow $1_t lost_found_t:dir getattr;
@ -644,8 +634,7 @@ template(`unpriv_user_template', `
## rules for the user's tty, pty, home directories, ## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files. ## tmp, and tmpfs files.
## </p> ## </p>
## </desc> ## <p>
## <secdesc>
## The privileges given to administrative users are: ## The privileges given to administrative users are:
## <ul> ## <ul>
## <li>Raw disk access</li> ## <li>Raw disk access</li>
@ -658,7 +647,8 @@ template(`unpriv_user_template', `
## <li>Manage source and binary format SELinux policy</li> ## <li>Manage source and binary format SELinux policy</li>
## <li>Run insmod</li> ## <li>Run insmod</li>
## </ul> ## </ul>
## </secdesc> ## </p>
## </desc>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., sysadm ## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t). ## is the prefix for sysadm_t).
@ -724,13 +714,26 @@ template(`admin_user_template',`
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t) kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t) kernel_rw_all_sysctl($1_t)
# signal unlabeled processes: # signal unlabeled processes:
kernel_kill_unlabeled($1_t) kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t) kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t) kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t) kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t) kernel_sigchld_unlabeled($1_t)
# for the administrator to run TCP servers directly
kernel_tcp_recvfrom($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
corenet_use_tun_tap_device($1_t)
dev_getattr_generic_blk_file($1_t)
dev_getattr_generic_chr_file($1_t)
dev_getattr_all_blk_files($1_t)
dev_getattr_all_chr_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
selinux_set_enforce_mode($1_t) selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t) selinux_set_boolean($1_t)
@ -743,16 +746,6 @@ template(`admin_user_template',`
selinux_compute_relabel_context($1_t) selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t) selinux_compute_user_contexts($1_t)
corenet_tcp_bind_generic_port($1_t)
dev_getattr_generic_blk_file($1_t)
dev_getattr_generic_chr_file($1_t)
dev_getattr_all_blk_files($1_t)
dev_getattr_all_chr_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
storage_raw_read_removable_device($1_t) storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t) storage_raw_write_removable_device($1_t)
@ -761,6 +754,7 @@ template(`admin_user_template',`
term_use_all_user_ptys($1_t) term_use_all_user_ptys($1_t)
term_use_all_user_ttys($1_t) term_use_all_user_ttys($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files # Manage almost all files
auth_manage_all_files_except_shadow($1_t) auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files # Relabel almost all files
@ -775,6 +769,8 @@ template(`admin_user_template',`
domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t) domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
files_exec_usr_files($1_t) files_exec_usr_files($1_t)
@ -799,43 +795,44 @@ template(`admin_user_template',`
ifdef(`TODO',` ifdef(`TODO',`
# Let admin stat the shadow file.
allow $1_t shadow_t:file getattr;
# for lsof # for lsof
allow $1_t mtrr_device_t:file getattr; allow $1_t mtrr_device_t:file getattr;
# for lsof
allow $1_t eventpollfs_t:file getattr;
allow $1_t serial_device:chr_file setattr; allow $1_t serial_device:chr_file setattr;
# allow setting up tunnels
allow $1_t tun_tap_device_t:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file getattr; allow $1_t ptyfile:chr_file getattr;
# Run programs from staff home directories.
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)
# Run admin programs that require different permissions in their own domain. # Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file. # These rules were moved into the appropriate program domain file.
ifdef(`startx.te', `
ifdef(`xserver.te', ` ifdef(`xserver.te', `
# Create files in /tmp/.X11-unix with our X servers derived # Create files in /tmp/.X11-unix with our X servers derived
# tmp type rather than user_xserver_tmp_t. # tmp type rather than user_xserver_tmp_t.
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
') ')
')
ifdef(`xdm.te', ` ifdef(`xdm.te', `
ifdef(`xauth.te', `
tunable_policy(`xdm_sysadm_login',` tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search; allow xdm_t $1_home_t:dir search;
') ')
allow $1_t xdm_t:fifo_file rw_file_perms; allow $1_t xdm_t:fifo_file rw_file_perms;
') ')
')
# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };
# #
# A user who is authorized for sysadm_t may nonetheless have # A user who is authorized for sysadm_t may nonetheless have
@ -850,23 +847,9 @@ template(`admin_user_template',`
allow $1_gph_t user_home_type:file create_file_perms; allow $1_gph_t user_home_type:file create_file_perms;
') ')
# for the administrator to run TCP servers directly # Run programs from staff home directories.
allow $1_t kernel_t:tcp_socket recvfrom; # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)
# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };
# for lsof
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
') dnl endif TODO ') dnl endif TODO
') ')
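Review bot: `fs_exec_noxattr($1_t)` is added to base_user_template unconditionally, so every user domain derived from it, unprivileged ones included, may execute any file on a filesystem that cannot carry labels (typically removable media), whereas write access to the same filesystems remains gated a few hunks down by `tunable_policy(`user_rw_noexattrfile',` ... `)`. Consider gating exec behind a tunable in the same way rather than granting it to all users by default. The TODO line it replaces was `can_exec($1_t, { removable_t noexattrfile } )`; unless removable_t carries the noxattrfs attribute, exec on removable_t is dropped by this change, which is worth confirming. Separately, the comment `# denials when ps tries to search /proc. Do not audit these denials.` above `domain_dontaudit_getsession_all_domains($1_t)` only holds once that interface in domain.if uses dontaudit; as committed its body is an allow rule, so this call grants getsession on all domains to every user. base_user_template starts and ends outside the visible hunks.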