add fc mls policy

Chris PeBenito 2005-11-22 19:28:03 +00:00
parent 9cc2ccc4ed
commit 31b7c0551d
617 changed files with 35197 additions and 0 deletions

mls/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
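Review bot: the commit message "add fc mls policy" does not describe what this hunk is part of; the header shows 617 new files with 35197 additions, including this COPYING file and a ChangeLog, so the change is an import of a whole mls/ policy tree rather than a single policy file. Suggest a message that states the tree being imported and its upstream version, e.g. "import mls policy tree (1.27.3)" using the version the accompanying ChangeLog lists as current, so the origin of the license and history files is recorded in the commit itself.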

mls/ChangeLog Normal file

@ -0,0 +1,434 @@
1.27.3 2005-11-17
* Removed the seuser policy as suggested by Kevin Carr.
* Removed unnecessary allow rule concerning tmpfs_t in the squid
policy as suggested by Russell Coker.
* Merged a patch from Jonathan Kim which modified the restorecon policy
to use the secadmin attribute.
* Merged a patch from Dan Walsh. Added avahi, exim, and yppasswdd
policies. Added the unconfinedtrans attribute for domains that
can transistion to unconfined_t. Added httpd_enable_ftp_server,
allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp
booleans. Created a $1_disable_trans boolean used in the
init_service_domain macro to specify whether init should
transition to a new domain when executing. Included Chad Hanson's
patch which adds the mls* attributes to more domains and makes
other changes to support MLS. Included Russell Coker's patch
which makes many changes to the sendmail policy. Added rules to
allow initscripts to execute scripts that they generate. Added
dbus support to the named policy. Made other fixes and cleanups
to various policies including amanda, apache, bluetooth, pegasus,
postfix, pppd, and slapd. Removed sendmail policy from targeted.
1.27.2 2005-10-20
* Merged patch from Chad Hanson. Modified MLS constraints.
Provided comments for the MLS attributes.
* Merged two patches from Thomas Bleher which made some minor
fixes and cleanups.
* Merged patches from Russell Coker. Added comments to some of the
MLS attributes. Added the secure_mode_insmod boolean to determine
whether the system permits loading policy, setting enforcing mode,
and changing boolean values. Made minor fixes for the cdrecord_domain
macro, application_domain, newrole_domain, and daemon_base_domain
macros. Added rules to allow the mail server to access the user
home directories in the targeted policy and allows the postfix
showq program to do DNS lookups. Minor fixes for the MCS
policy. Made other minor fixes and cleanups.
* Merged patch from Dan Walsh. Added opencd, pegasus, readahead,
and roundup policies. Created can_access_pty macro to handle pty
output. Created nsswithch_domain macro for domains using
nsswitch. Added mcs transition rules. Removed mqueue and added
capifs genfscon entries. Added dhcpd and pegasus ports. Added
domain transitions from login domains to pam_console and alsa
domains. Added rules to allow the httpd and squid domains to
relay more protocols. For the targeted policy, removed sysadm_r
role from unconfined_t. Made other fixes and cleanups.
1.27.1 2005-09-15
* Merged small patches from Russell Coker for the apostrophe,
dhcpc, fsadm, and setfiles policy.
* Merged a patch from Russell Coker with some minor fixes to a
multitude of policy files.
* Merged patch from Dan Walsh from August 15th. Adds certwatch
policy. Adds mcs support to Makefile. Adds mcs file which
defines sensitivities and categories for the MSC policy. Creates
an authentication_domain macro in global_macros.te for domains
that use pam_authentication. Creates the anonymous_domain macro
so that the ftpd, rsync, httpd, and smbd domains can share the
ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to
start isolating individual ethernet devices. Changes vpnc from a
daemon to an application_domain. Adds audit_control capability to
crond_t. Adds dac_override and dac_read_search capabilities to
fsadm_t to allow the manipulation of removable media. Adds
read_sysctl macro to the base_passwd_domain macro. Adds rules to
allow alsa_t to communicate with userspace. Allows networkmanager
to communicate with isakmp_port and to use vpnc. For targeted
policy, removes transitions of sysadm_t to apm_t, backup_t,
bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
Makes other minor cleanups and fixes.
1.26 2005-09-06
* Updated version for release.
1.25.4 2005-08-10
* Merged small patches from Russell Coker for the restorecon,
kudzu, lvm, radvd, and spamassasin policies.
* Added fs_use_trans rule for mqueue from Mark Gebhart to support
the work he has done on providing SELinux support for mqueue.
* Merged a patch from Dan Walsh. Removes the user_can_mount
tunable. Adds disable_evolution_trans and disable_thunderbird_trans
booleans. Adds the nscd_client_domain attribute to insmod_t.
Removes the user_ping boolean from targeted policy. Adds
hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
Adds the isakmp_port for vpnc. Creates the pptp daemon domain.
Allows getty to run sbin_t for pppd. Allows initrc to write to
default_t for booting. Allows Hotplug_t sys_rawio for prism54
card at boot. Other minor fixes.
1.25.3 2005-07-18
* Merged patch from Dan Walsh. Adds auth_bool attribute to allow
domains to have read access to shadow_t. Creates pppd_can_insmod
boolean to control the loading of modem kernel modules. Allows
nfs to export noexattrfile types. Allows unix_chpwd to access
cert files and random devices for encryption purposes. Other
minor cleanups and fixes.
1.25.2 2005-07-11
* Merged patch from Dan Walsh. Added allow_ptrace boolean to
allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the
audit_control and audit_write capabilities. Stops targeted policy
from transitioning from unconfined_t to netutils. Allows cupsd to
audit messages. Gives prelink the execheap, execmem, and execstack
permissions by default. Adds can_winbind boolean and functions to
better handle samba and winbind communications. Eliminates
allow_execmod checks around texrel_shlib_t libraries. Other minor
cleanups and fixes.
1.25.1 2005-07-05
* Moved role_tty_type_change, reach_sysadm, and priv_user macros
from user.te to user_macros.te as suggested by Steve.
* Modified admin_domain macro so autrace would work and removed
privuser attribute for dhcpc as suggested by Russell Coker.
* Merged rather large patch from Dan Walsh. Moves
targeted/strict/mls policies closer together. Adds local.te for
users to customize. Includes minor fixes to auditd, cups,
cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch
that defines all ports in network.te. Ports are always defined
now, no ifdefs are used in network.te. Also includes Ivan
Gyurdiev's user home directory policy patches. These patches add
alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
iceauth, orbit, and thunderbird policy. They create read_content,
write_trusted, and write_untrusted macros in content.te. They
create network_home, write_network_home, read_network_home,
base_domain_ro_access, home_domain_access, home_domain, and
home_domain_ro macros in home_macros.te. They also create
$3_read_content, $3_write_content, and write_untrusted booleans.
1.24 2005-06-20
* Updated version for release.
1.23.18 2005-05-31
* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
* Removed devfsd policy as suggested by Russell Coker.
* Merged patch from Dan Walsh. Includes beginnings of Ivan
Gyurdiev's Font Config policy. Don't transition to fsadm_t from
unconfined_t (sysadm_t) in targeted policy. Add support for
debugfs in modutil. Allow automount to create and delete
directories in /root and /home dirs. Move can_ypbind to
chkpwd_macro.te. Allow useradd to create additional files and
types via the skell mechanism. Other minor cleanups and fixes.
1.23.17 2005-05-23
* Merged minor fixes by Petre Rodan to the daemontools, dante,
gpg, kerberos, and ucspi-tcp policies.
* Merged minor fixes by Russell Coker to the bluetooth, crond,
initrc, postfix, and udev policies. Modifies constraints so that
newaliases can be run. Modifies types.fc so that objects in
lost+found directories will not be relabled.
* Modified fc rules for nvidia.
* Added Chad Sellers policy for polyinstantiation support, which
creates the polydir, polyparent, and polymember attributes. Also
added the support_polyinstantiation tunable.
* Merged patch from Dan Walsh. Includes mount_point attribute,
read_font macros and some other policy fixes from Ivan Gyurdiev.
Adds privkmsg and secadmfile attributes and ddcprobe policy.
Removes the use_syslogng boolean. Many other minor fixes.
1.23.16 2005-05-13
* Added rdisc policy from Russell Coker.
* Merged minor fix to named policy by Petre Rodan.
* Merged minor fixes to policy from Russell Coker for kudzu,
named, screen, setfiles, telnet, and xdm.
* Merged minor fix to Makefile from Russell Coker.
1.23.15 2005-05-06
* Added tripwire and yam policy from David Hampton.
* Merged minor fixes to amavid and a clarification to the
httpdcontent attribute comments from David Hampton.
* Merged patch from Dan Walsh. Includes fixes for restorecon,
games, and postfix from Russell Coker. Adds support for debugfs.
Restores support for reiserfs. Allows udev to work with tmpfs_t
before /dev is labled. Removes transition from sysadm_t
(unconfined_t) to ifconfig_t for the targeted policy. Other minor
cleanups and fixes.
1.23.14 2005-04-29
* Added afs policy from Andrew Reisse.
* Merged patch from Lorenzo Hernández García-Hierro which defines
execstack and execheap permissions. The patch excludes these
permissions from general_domain_access and updates the macros for
X, legacy binaries, users, and unconfined domains.
* Added nlmsg_relay permisison where netlink_audit_socket class is
used. Added nlmsg_readpriv permission to auditd_t and auditctl_t.
* Merged some minor cleanups from Russell Coker and David Hampton.
* Merged patch from Dan Walsh. Many changes made to allow
targeted policy to run closer to strict and now almost all of
non-userspace is protected via SELinux. Kernel is now in
unconfined_domain for targeted and runs as root:system_r:kernel_t.
Added transitionbool to daemon_sub_domain, mainly to turn off
httpd_suexec transitioning. Implemented web_client_domain
name_connect rules. Added yp support for cups. Now the real
hotplug, udev, initial_sid_contexts are used for the targeted
policy. Other minor cleanups and fixes. Auditd fixes by Paul
Moore.
1.23.13 2005-04-22
* Merged more changes from Dan Walsh to initrc_t for removal of
unconfined_domain.
* Merged Dan Walsh's split of auditd policy into auditd_t for the
audit daemon and auditctl_t for the autoctl program.
* Added use of name_connect to uncond_can_ypbind macro by Dan
Walsh.
* Merged other cleanup and fixes by Dan Walsh.
1.23.12 2005-04-20
* Merged Dan Walsh's Netlink changes to handle new auditing pam
modules.
* Merged Dan Walsh's patch removing the sysadmfile attribute from
policy files to separate sysadm_t from secadm_t.
* Added CVS and uucpd policy from Dan Walsh.
* Cleanup by Dan Walsh to handle turning off unlimitedRC.
* Merged Russell Coker's fixes to ntpd, postgrey, and named
policy.
* Cleanup of chkpwd_domain and added permissions to su_domain
macro due to pam changes to support audit.
* Added nlmsg_relay and nlmsg_readpriv permissions to the
netlink_audit_socket class.
1.23.11 2005-04-14
* Merged Dan Walsh's separation of the security manager and system
administrator.
* Removed screensaver.te as suggested by Thomas Bleher
* Cleanup of typealiases that are no longer used by Thomas Bleher.
* Cleanup of fc files and additional rules for SuSE by Thomas
Bleher.
* Merged changes to auditd and named policy by Russell Coker.
* Merged MLS change from Darrel Goeddel to support the policy
hierarchy patch.
1.23.10 2005-04-08
* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
1.23.9 2005-04-07
* Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
of x_client apps.
* Added dmidecode policy from Ivan Gyurdiev.
1.23.8 2005-04-05
* Added netlink_kobject_uevent_socket class.
* Removed empty files pump.te and pump.fc.
* Added NetworkManager policy from Dan Walsh.
* Merged Dan Walsh's major restructuring of Apache's policy.
1.23.7 2005-04-04
* Merged David Hampton's amavis and clamav cleanups.
* Added David Hampton's dcc, pyzor, and razor policy.
1.23.6 2005-04-01
* Merged cleanup of the Makefile and other stuff from Dan Walsh.
Dan's patch includes some desktop changes from Ivan Gyurdiev.
* Merged Thomas Bleher's patches which increase the usage of
lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
possible.
* Merged Greg Norris's cleanup of fetchmail.
1.23.5 2005-03-23
* Added name_connect support from Dan Walsh.
* Added httpd_unconfined_t from Dan Walsh.
* Merged cleanup of assert.te to allow unresticted full access
from Dan Walsh.
1.23.4 2005-03-21
* Merged diffs from Dan Walsh:
* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
Gyurdiev.
* Added syslogng support to syslog.te.
1.23.3 2005-03-15
* Added policy for nx_server from Thomas Bleher.
* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
publicfile from Petre Rodan.
1.23.2 2005-03-14
* Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
gift policy.
* Made sysadm_r the first role for root, so root's home will be labled
as sysadm_home_dir_t instead of staff_home_dir_t.
* Modified fs_use and Makefile to reflect jfs now supporting security
xattrs.
1.23.1 2005-03-10
* Merged diffs from Dan Walsh. Dan's patch includes Ivan
Gyurdiev's cleanup of homedir macros and more extensive use of
read_sysctl()
1.22 2005-03-09
* Updated version for release.
1.21 2005-02-24
* Added secure_file_type attribute from Dan Walsh
* Added access_terminal() macro from Ivan Gyurdiev
* Updated capability access vector for audit capabilities.
* Added mlsconvert Makefile target to help generate MLS policies
(see selinux-doc/README.MLS for instructions).
* Changed policy Makefile to still generate policy.18 as well,
and use it for make load if the kernel doesn't support 19.
* Merged enhanced MLS support from Darrel Goeddel (TCS).
* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
* Merged man pages from Dan Walsh.
1.20 2005-01-04
* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
Petre Rodan.
* Merged can_create() macro used for file_type_{,auto_}trans()
from Thomas Bleher.
* Merged dante and stunnel policy by Petre Rodan.
* Merged $1_file_type attribute from Thomas Bleher.
* Merged network_macros from Dan Walsh.
1.18 2004-10-25
* Merged diffs from Russell Coker and Dan Walsh.
* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
* Added reserved_port_t type and portcon entries to map all other
reserved ports to this type.
* Added distro_ prefix to distro tunables to avoid conflicts.
* Merged diffs from Russell Coker.
1.16 2004-08-16
* Added nscd definitions.
* Converted many tunables to policy booleans.
* Added crontab permission.
* Merged diffs from Dan Walsh.
This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
* Merged diffs from Russell Coker.
* Adjusted constraints for crond restart.
* Merged dbus/userspace object manager policy from Colin Walters.
* Merged dbus definitions from Matthew Rickard.
* Merged dnsmasq policy from Greg Norris.
* Merged gpg-agent policy from Thomas Bleher.
1.14 2004-06-28
* Removed vmware-config.pl from vmware.fc.
* Added crond entry to root_default_contexts.
* Merged patch from Dan Walsh.
* Merged mdadm and postfix changes from Colin Walters.
* Merged reiserfs and rpm changes from Russell Coker.
* Merged runaway .* glob fix from Valdis Kletnieks.
* Merged diff from Dan Walsh.
* Merged fine-grained netlink classes and permissions.
* Merged changes for new /etc/selinux layout.
* Changed mkaccess_vector.sh to provide stable order.
* Merged diff from Dan Walsh.
* Fix restorecon path in restorecon.fc.
* Merged pax class and access vector definition from Joshua Brindle.
1.12 2004-05-12
* Added targeted policy.
* Merged atd/at into crond/crontab domains.
* Exclude bind mounts from relabeling to avoid aliasing.
* Removed some obsolete types and remapped their initial SIDs to unlabeled.
* Added SE-X related security classes and policy framework.
* Added devnull initial SID and context.
* Merged diffs from Fedora policy.
1.10 2004-04-07
* Merged ipv6 support from James Morris of RedHat.
* Merged policy diffs from Dan Walsh.
* Updated call to genhomedircon to reflect new usage.
* Merged policy diffs from Dan Walsh and Russell Coker.
* Removed config-users and config-services per Dan's request.
1.8 2004-03-09
* Merged genhomedircon patch from Karl MacMillan of Tresys.
* Added restorecon domain.
* Added unconfined_domain macro.
* Added default_t for /.* file_contexts entry and replaced some
uses of file_t with default_t in the policy.
* Added su_restricted_domain() macro and use it for initrc_t.
* Merged policy diffs from Dan Walsh and Russell Coker.
These included a merge of an earlier patch by Chris PeBenito
to rename the etc types to be consistent with other types.
1.6 2004-02-18
* Merged xfs support from Chris PeBenito.
* Merged conditional rules for ping.te.
* Defined setbool permission, added can_setbool macro.
* Partial network policy cleanup.
* Merged with Russell Coker's policy.
* Renamed netscape macro and domain to mozilla and renamed
ipchains domain to iptables for consistency with Russell.
* Merged rhgb macro and domain from Russell Coker.
* Merged tunable.te from Russell Coker.
Only define direct_sysadm_daemon by default in our copy.
* Added rootok permission to passwd class.
* Merged Makefile change from Dan Walsh to generate /home
file_contexts entries for staff users.
* Added automatic role and domain transitions for init scripts and
daemons. Added an optional third argument (nosysadm) to
daemon_domain to omit the direct transition from sysadm_r when
the same executable is also used as an application, in which
case the daemon must be restarted via the init script to obtain
the proper security context. Added system_r to the authorized roles
for admin users at least until support for automatic user identity
transitions exist so that a transition to system_u can be provided
transparently.
* Added support to su domain for using pam_selinux.
Added entries to default_contexts for the su domains to
provide reasonable defaults. Removed user_su_t.
* Tighten restriction on user identity and role transitions in constraints.
* Merged macro for newrole-like domains from Russell Coker.
* Merged stub dbusd domain from Russell Coker.
* Merged stub prelink domain from Dan Walsh.
* Merged updated userhelper and config tool domains from Dan Walsh.
* Added send_msg/recv_msg permissions to can_network macro.
* Merged patch by Chris PeBenito for sshd subsystems.
* Merged patch by Chris PeBenito for passing class to var_run_domain.
* Merged patch by Yuichi Nakamura for append_log_domain macros.
* Merged patch by Chris PeBenito for rpc_pipefs labeling.
* Merged patch by Colin Walters to apply m4 once so that
source file info is preserved for checkpolicy.
1.4 2003-12-01
* Merged patches from Russell Coker.
* Revised networking permissions.
* Added new node_bind permission.
* Added new siginh, rlimitinh, and setrlimit permissions.
* Added proc_t:file read permission for new is_selinux_enabled logic.
* Added failsafe_context configuration file to appconfig.
* Moved newrules.pl to policycoreutils, renamed to audit2allow.
* Merged newrules.pl patch from Yuichi Nakamura.
1.2 2003-09-30
* More policy merging with Russell Coker.
* Transferred newrules.pl script from the old SELinux.
* Merged MLS configuration patch from Karl MacMillan of Tresys.
* Limit staff_t to reading /proc entries for unpriv_userdomain.
* Updated Makefile and spec file to allow non-root builds,
based on patch by Paul Nasrat.
1.1 2003-08-13
* Merged Makefile check-all and te-includes patches from Colin Walters.
* Merged x-debian-packages.patch from Colin Walters.
* Folded read permission into domain_trans.
1.0 2003-07-11
* Initial public release.
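Review bot: typo in the 1.23.2 entry, "labled" should read "labeled". The 1.16 entry's "This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well." line also runs well past the width the rest of the file wraps at and could be folded like the other continuation lines.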

356
mls/Makefile Normal file

@ -0,0 +1,356 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#
# Set to y if MLS is enabled in the policy.
MLS=y
# Set to y if MCS is enabled in the policy
MCS=n
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
PREVERS := 20
KERNVERS := $(shell cat /selinux/policyvers)
MLSENABLED := $(shell cat /selinux/mls)
POLICYVER := policy.$(VERS)
TOPDIR = $(DESTDIR)/etc/selinux
TYPE=mls
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
USER_FILES := users
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
ifeq ($(MCS), y)
POLICYFILES += mcs
CHECKPOLMLS += -M
endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
CONTEXTFILES = $(DEFCONTEXTFILES)
POLICY_DIRS = domains domains/program domains/misc macros macros/program
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
HOMEDIR_TEMPLATE = file_contexts/homedir_template
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
all: policy
tmp/valid_fc: $(LOADPATH) $(FC)
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(LOADPATH) $(FC)
@touch tmp/valid_fc
install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@echo "# " > tmp/system.users
@echo "# Do not edit this file. " >> tmp/system.users
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@
$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
install -b -m 644 $< $@
$(CONTEXTPATH)/files/media: appconfig/media
@mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
$(APPDIR)/default_contexts: appconfig/default_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/removable_context: appconfig/removable_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@
$(APPDIR)/port_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
install -m 644 tmp/port_types $@
$(APPDIR)/default_type: appconfig/default_type
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/userhelper_context: appconfig/userhelper_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/failsafe_context: appconfig/failsafe_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/users/root: appconfig/root_default_contexts
@mkdir -p $(APPDIR)/users
install -m 644 $< $@
$(LOADPATH): policy.conf $(CHECKPOLICY)
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(VERS),$(PREVERS))
$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
endif
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
policy: $(POLICYVER)
$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
$(LOADPOLICY)
touch tmp/load
load: tmp/load $(FCPATH)
enableaudit: policy.conf
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
@echo "Building policy.conf ..."
@mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
@mv $@.tmp $@
install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
@mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
@mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
restorelabels: $(SETFILES)
$(SETFILES) -v $(FC) $(FILESYSTEMS)
relabel: $(FC) $(SETFILES)
$(SETFILES) $(FC) $(FILESYSTEMS)
file_contexts/misc:
@mkdir -p file_contexts/misc
$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types
@echo "Installing file contexts files..."
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
install -m 644 $(FC) $(FCPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file contexts files..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
@grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE)
@-rm $@.tmp
# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
ifeq ($(strip $(CTAGS)),)
CTAGS := $(call pathsearch,ctags) # suse naming scheme
endif
tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
--regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
clean:
rm -f policy.conf $(POLICYVER)
rm -f tags
rm -f tmp/*
rm -f $(FC)
rm -f flask/*.h
# for the policy regression tester
find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
cur_te = $(filter-out %/,$(subst /,/ ,$@))
TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
define compute_depends
export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef
ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
else
# Handle the case where checkunused/blah.te is run directly.
ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
endif
endif
endif
# Test for a new enough version of GNU Make.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
endif
endif
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
PHONIES :=
define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
@if ! test -L domains/program/$(1); then \
cd domains/program && ln -s unused/$(1) .; \
fi
endef
# Compute dependencies.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
@$(MAKE) -s clean
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
fi
@echo "Testing $(cur_te)...";
@if ! make -s policy 1>/dev/null; then \
echo "Testing $(cur_te)...FAILED"; \
exit 1; \
fi;
@echo "Testing $(cur_te)...success."; \
check-all:
@for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
$(MAKE) --no-print-directory $$goal; \
done
.PHONY: clean $(PHONIES)
mlsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
mv $$file.new $$file; \
done
@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
@echo "Enabling MLS in the Makefile"
@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
mcsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -r -e 's/\;/ level s0 range s0;/' $$file | \
sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
mv $$file.new $$file; \
done
@echo "Enabling MCS in the Makefile"
@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
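Review bot: the mlsconvert and mcsconvert targets are not safe to run on this tree, which is already converted: the `sed -e 's/_t\b/_t:s0/g'` pass would turn every existing `_t:s0` into `_t:s0:s0`, and the "Enabling MLS in the Makefile" step is a no-op (`sed "s/MLS=y/MLS=y/"`) because this Makefile already sets MLS=y; either drop both targets from the MLS tree or make them refuse to run when MLS=y. Two further points: the users conversion in mlsconvert appends `level s0 range s0 - s15:c0.c255` to every user, unprivileged ones included, so no clearance is differentiated per user (compare mcsconvert, which extends the range only for user_u, root and system_u); and the `enableaudit` target deletes every line containing the string `dontaudit`, comments included, then overwrites policy.conf in place with no way back short of `make clean`. Minor: `$(POLICYCOMPAT)` on the VERS line is never defined, `MLSENABLED` is read from /selinux/mls but never used, and the trailing `; \` on the `find` line in `clean` continues that recipe into the comment that follows it and should be dropped.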

125
mls/README Normal file

@ -0,0 +1,125 @@
The Makefile targets are:
policy - compile the policy configuration.
install - compile and install the policy configuration.
load - compile, install, and load the policy configuration.
relabel - relabel the filesystem.
check-all - check individual additional policy files in domains/program/unused.
checkunused/FILE.te - check individual file FILE from domains/program/unused.
If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy. Of course, you must have also
built checkpolicy with MLS enabled.
Three of the configuration files are independent of the particular
security policy:
1) flask/security_classes -
This file has a simple declaration for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
2) flask/initial_sids -
This file has a simple declaration for each initial SID.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
3) access_vectors -
This file defines the access vectors. Common prefixes for
access vectors may be defined at the beginning of the file.
After the common prefixes are defined, an access vector
may be defined for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/av_permissions.h>.
In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions. Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.
The policy-dependent configuration files are:
1) tmp/all.te -
This file defines the Type Enforcement (TE) configuration.
This file is automatically generated from a collection of files.
The macros subdirectory contains a collection of m4 macro definitions
used by the TE configuration. The global_macros.te file contains global
macros used throughout the configuration for common groupings of classes
and permissions and for common sets of rules. The user_macros.te file
contains macros used in defining user domains. The admin_macros.te file
contains macros used in defining admin domains. The macros/program
subdirectory contains macros that are used to instantiate derived domains
for certain programs that encode information about both the calling user
domain and the program, permitting the policy to maintain separation
between different instances of the program.
The types subdirectory contains several files with declarations for
general types (types not associated with a particular domain) and
some rules defining relationships among those types. Related types
are grouped together into each file in this directory, e.g. all
device type declarations are in the device.te file.
The domains subdirectory contains several files and directories
with declarations and rules for each domain. User domains are defined in
user.te. Administrator domains are defined in admin.te. Domains for
specific programs, including both system daemons and other programs, are
in the .te files within the domains/program subdirectory. The domains/misc
subdirectory is for miscellaneous domains such as the kernel domain and
the kernel module loader domain.
The assert.te file contains assertions that are checked after evaluating
the entire TE configuration.
2) rbac -
This file defines the Role-Based Access Control (RBAC) configuration.
3) mls -
This file defines the Multi-Level Security (MLS) configuration.
4) users -
This file defines the users recognized by the security policy.
5) constraints -
This file defines additional constraints on permissions
in the form of boolean expressions that must be satisfied in order
for specified permissions to be granted. These constraints
are used to further refine the type enforcement tables and
the role allow rules. Typically, these constraints are used
to restrict changes in user identity or role to certain domains.
6) initial_sid_contexts -
This file defines the security context for each initial SID.
A security context consists of a user identity, a role, a type and
optionally a MLS range if the MLS policy is enabled. If left unspecified,
the high MLS level defaults to the low MLS level. The syntax of a valid
security context is:
user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
7) fs_use -
This file defines the labeling behavior for inodes in particular
filesystem types.
8) genfs_contexts -
This file defines security contexts for files in filesystems that
cannot support persistent label mappings or use one of the fixed
labeling schemes specified in fs_use.
8) net_contexts -
This file defines the security contexts of network objects
such as ports, interfaces, and nodes.
9) file_contexts/{types.fc,program/*.fc}
These files define the security contexts for persistent files.
It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration. A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.
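Review bot: the list of policy-dependent files numbers two entries 8) (genfs_contexts and net_contexts), so net_contexts and file_contexts should become 9) and 10). The first entry names tmp/all.te as the generated TE configuration, but the Makefile in this commit generates policy.conf (plus tmp/program_used_flags.te), not tmp/all.te, so the file name needs updating. The target list at the top also omits the Makefile's checklabels, restorelabels, tags, mlsconvert and mcsconvert targets; the last two deserve a sentence here, since the appconfig files in this commit already carry `:s0` suffixes and re-running the conversion would double them.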

1
mls/VERSION Normal file

@ -0,0 +1 @@
1.27.3


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>


@ -0,0 +1,12 @@
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
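Review bot: the `user_r:user_su_t:s0` line conflicts with the 1.6 ChangeLog entry in this same commit, which records user_su_t as removed; if the type no longer exists the entry is dead and should go. None of the login entries (sulogin_t, local_login_t, remote_login_t, sshd_t, xdm_t) offers secadm_r:secadm_t even though default_type lists secadm_r first; if the security administrator role is meant to be reachable only through newrole, a comment saying so would help. The `mailman_r:user_crond_t:s0` entry on the crond line pairs mailman_r with the generic user cron type rather than a mailman-specific one; worth confirming that rbac authorizes that role for that type, or the entry can never be selected.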


@ -0,0 +1,4 @@
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t


@ -0,0 +1 @@
sysadm_r:sysadm_t:s0


@ -0,0 +1 @@
system_u:system_r:initrc_t:s0

3
mls/appconfig/media Normal file

@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0


@ -0,0 +1 @@
system_u:object_r:removable_t:s0


@ -0,0 +1,9 @@
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
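Review bot: `user_r:user_su_t:s0` appears here as well, although the ChangeLog in this commit records user_su_t as removed. The comment above the sshd line should spell out the consequence of uncommenting it: sysadm_r:sysadm_t would become the default context for root logging in over ssh, so root's remote sessions would start fully privileged instead of in staff_r; leaving the line commented is the safer default and the comment should say so.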


@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t:s0

156
mls/assert.te Normal file

@ -0,0 +1,156 @@
##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition };
#
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
#
# Verify that other system software can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
#
# Verify that only the X server and klogd have access to memory devices.
#
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
#
# Verify that only domains with the privlog attribute can actually syslog
#
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
#
# Verify that /proc/kmsg is only accessible to klogd.
#
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
#
# Verify that /proc/kcore is inaccessible.
#
neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
#
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#
define(`assert_execute', `
ifelse($#, 0, ,
$#, 1,
``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
`assert_execute($1) assert_execute(shift($@))')')
ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')
#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')
#
# Verify that only the admin domains and initrc_t have setenforce.
#
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
#
# Verify that only the kernel and load_policy_t have load_policy.
#
neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
#
# for gross mistakes in policy
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;
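Review bot: several comments no longer match the rule beneath them: "only the insmod_t and kernel_t domains have the sys_module capability" (the rule exempts privsysmod), "only the X server and klogd have access to memory devices" (privmem), "/proc/kmsg is only accessible to klogd" (privkmsg) and "only the admin domains and initrc_t have setenforce" (the rule exempts secadmin, not admin). Since the attribute names are what the assertions actually check, the comments should name them. Also worth a comment at the top of the file: every assertion carves out `-unrestricted`, so any domain given that attribute is exempt from all of these checks, which makes the set of types carrying `unrestricted` in attrib.te the thing to audit most carefully.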

562
mls/attrib.te Normal file

@ -0,0 +1,562 @@
#
# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Attributes have no implicit meaning to SELinux. The
# meaning of all attributes are completely defined through their
# usage within the configuration, but should be documented here as
# comments preceding the attribute declaration.
#####################
# Attributes for MLS:
#
# Common Terminology
# MLS Range: low-high
# low referred to as "Effective Sensitivity Label (SL)"
# high referred to as "Clearance SL"
#
# File System MLS attributes/privileges
#
# Grant MLS read access to files not dominated by the process Effective SL
attribute mlsfileread;
# Grant MLS read access to files dominated by the process Clearance SL
attribute mlsfilereadtoclr;
# Grant MLS write access to files not equal to the Effective SL
attribute mlsfilewrite;
# Grant MLS write access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilewritetoclr;
# Grant MLS ability to change file label to a new label which dominates
# the old label
attribute mlsfileupgrade;
# Grant MLS ability to change file label to a new label which is
# dominated by or incomparable to the old label
attribute mlsfiledowngrade;
#
# Network MLS attributes/privileges
#
# Grant MLS read access to packets not dominated by the process Effective SL
attribute mlsnetread;
# Grant MLS read access to packets dominated by the process Clearance SL
attribute mlsnetreadtoclr;
# Grant MLS write access to packets not equal to the Effective SL
attribute mlsnetwrite;
# Grant MLS write access to packets which dominate the Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetwritetoclr;
# Grant MLS read access to packets from hosts or interfaces which dominate
# or incomparable to the process Effective SL
attribute mlsnetrecvall;
# Grant MLS ability to change socket label to a new label which dominates
# the old label
attribute mlsnetupgrade;
# Grant MLS ability to change socket label to a new label which is
# dominated by or incomparable to the old label
attribute mlsnetdowngrade;
#
# IPC MLS attributes/privileges
#
# Grant MLS read access to IPC objects not dominated by the process Effective SL
attribute mlsipcread;
# Grant MLS read access to IPC objects dominated by the process Clearance SL
attribute mlsipcreadtoclr;
# Grant MLS write access to IPC objects not equal to the process Effective SL
attribute mlsipcwrite;
# Grant MLS write access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcwritetoclr;
#
# Process MLS attributes/privileges
#
# Grant MLS read access to processes not dominated by the process Effective SL
attribute mlsprocread;
# Grant MLS read access to processes dominated by the process Clearance SL
attribute mlsprocreadtoclr;
# Grant MLS write access to processes not equal to the Effective SL
attribute mlsprocwrite;
# Grant MLS write access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocwritetoclr;
# Grant MLS ability to change Effective SL or Clearance SL of process to a
# label dominated by the Clearance SL
attribute mlsprocsetsl;
#
# X Window MLS attributes/privileges
#
# Grant MLS read access to X objects not dominated by the process Effective SL
attribute mlsxwinread;
# Grant MLS read access to X objects dominated by the process Clearance SL
attribute mlsxwinreadtoclr;
# Grant MLS write access to X objects not equal to the process Effective SL
attribute mlsxwinwrite;
# Grant MLS write access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinwritetoclr;
# Grant MLS read access to X properties not dominated by
# the process Effective SL
attribute mlsxwinreadproperty;
# Grant MLS write access to X properties not equal to the process Effective SL
attribute mlsxwinwriteproperty;
# Grant MLS read access to X colormaps not dominated by
# the process Effective SL
attribute mlsxwinreadcolormap;
# Grant MLS write access to X colormaps not equal to the process Effective SL
attribute mlsxwinwritecolormap;
# Grant MLS write access to X xinputs not equal to the process Effective SL
attribute mlsxwinwritexinput;
# Grant MLS read/write access to objects which internally arbitrate MLS
attribute mlstrustedobject;
#
# Both of the following attributes are needed for a range transition to succeed
#
# Grant ability for the current domain to change SL upon process transition
attribute privrangetrans;
# Grant ability for the new process domain to change SL upon process transition
attribute mlsrangetrans;
#########################
# Attributes for domains:
#
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;
# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;
# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;
# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;
# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;
# The privmodule attribute identifies every domain that can run
# modprobe, there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;
# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;
# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set;
attribute auth_bool;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;
# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;
# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;
# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t, in addition the admin attribute is permitted write access
attribute sysctl_kernel_writer;
# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;
# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;
# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;
# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;
# for a small domain that can only be used for newrole
attribute user_mini_domain;
# pty for the mini domain
attribute mini_pty_type;
# pty created by a server such as sshd
attribute server_pty;
# attribute for all non-administrative devpts types
attribute userpty_type;
# The user_tty_type identifies every type for a tty or pty owned by an
# unpriviledged user
attribute user_tty_type;
# The admin_tty_type identifies every type for a tty or pty owned by a
# priviledged user
attribute admin_tty_type;
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;
# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;
# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;
# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;
# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;
# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;
############################
# Attributes for file types:
#
# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;
# The secure_file_type attribute identifies files
# which will be treated with a higer level of security.
# Most domains will be prevented from manipulating files in this domain
attribute secure_file_type;
# The device_type attribute identifies all types assigned to device nodes
attribute device_type;
# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;
# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;
# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators. It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;
# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;
# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;
# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;
# for the user_xserver_tmp_t etc
attribute xserver_tmpfile;
# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;
# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;
# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs. Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;
# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;
# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;
# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;
############################
# Attributes for network types:
#
# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;
# Identifies all types assigned to port numbers to control binding.
attribute port_type;
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;
# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;
# Identifier for log files or directories that only exist for log files.
attribute logfile;
# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;
##############################
# Attributes for security policy types:
#
# The login_contexts attribute idenitifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;
# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;
# Identifies domains that can transition to system_mail_t
attribute privmail;
# Type for non-sysadm home directory
attribute user_home_type;
# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;
# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;
# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
# For web clients such as netscape and squid
attribute web_client_domain;
# For X Window System server domains
attribute xserver;
# For X Window System client domains
attribute xclient;
# For X Window System protocol extensions
attribute xextension;
# For X Window System property types
attribute xproperty;
#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;
#
# For filetypes that the usercan read
#
attribute usercanread;
#
# For serial devices
#
attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
# Attribute to designate can transition to unconfined_t
attribute unconfinedtrans;
# For clients of nscd.
attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;
# For labeling of domains whos transition can be disabled
attribute transitionbool;
# For labelling daemons that should not have a range transition to "s0"
# included in the daemon_base_domain macro
attribute no_daemon_range_trans;
# For labeling of file_context domains which users can change files to rather
# then the default file context. These file_context can survive a relabeling
# of the file system.
attribute customizable;
##############################
# Attributes for polyinstatiation support:
#
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
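Review bot: the secadmin attribute comment is a copy of the admin one and still says "only administrator domains have certain permissions" and "presently associated with sysadm_t and secadm_t"; it should say security administrator domains, and since admin.te only calls security_manager_domain(sysadm_t) when separate_secadm is not defined, state under which build sysadm_t is meant to carry it. The socket_type comment also still carries "XXX This attribute is unused. Remove?", which should be resolved rather than copied into a new policy tree. Spelling in comments: "idenitifies", "unpriviledged", "priviledged", "higer", "usercan", "whos", "polyinstatiation".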

83
mls/constraints Normal file
@ -0,0 +1,83 @@
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# validatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for validatetrans)
# | r3 op names (NOTE: this is only available for validatetrans)
# | t3 op names (NOTE: this is only available for validatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
( u1 == u2 or ( t1 == privuser and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
);
constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
);
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
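Review bot: the userhelper clause in both process transition constraints, `or (t1 == userhelperdomain)`, lets any userhelper domain change to any user identity and any role with no condition on t2, u2 or r2, unlike the crond and priv_system_role clauses, which name the permitted target type, user or role; if userhelper only needs to reach user domains, add `and t2 == userdomain` as the privuser/privrole clauses do. The header says "Define m4 macros for the constraints" but no macro definitions follow; drop the comment or move the definitions here. The grammar comment `name_list : name | name_list name#` has a stray '#'.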

43
mls/domains/admin.te Normal file
@ -0,0 +1,43 @@
#DESC Admin - Domains for administrators.
#
#################################
# sysadm_t is the system administrator domain.
type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
; dnl end of sysadm_t type declaration
allow privhome home_root_t:dir { getattr search };
# system_r is authorized for sysadm_t for single-user mode.
role system_r types sysadm_t;
general_proc_read_access(sysadm_t)
# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)
# for su
allow sysadm_t userdomain:fd use;
ifdef(`separate_secadm', `', `
security_manager_domain(sysadm_t)
')
# Add/remove user home directories
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
limited_user_role(secadm)
typeattribute secadm_t admin;
role secadm_r types secadm_t;
security_manager_domain(secadm_t)
r_dir_file(secadm_t, { var_t var_log_t })
typeattribute secadm_tty_device_t admin_tty_type;
typeattribute secadm_devpts_t admin_tty_type;
bool allow_ptrace false;
if (allow_ptrace) {
can_ptrace(sysadm_t, domain)
}
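Review bot: `allow privhome home_root_t:dir { getattr search };` is a rule for every privhome domain, not for sysadm_t, yet it sits inside the sysadm_t declaration block between the type statement and its role line; move it beside the privhome attribute declaration or into the macro that grants privhome so it is not lost when this file is edited. The `allow_ptrace` bool has no comment saying what it enables (ptrace of every domain by sysadm_t when set to true); add one so the tunable is documented the way the attributes are.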

@ -0,0 +1,3 @@
#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
can_network(auth)
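Review bot: `can_network(auth)` gives every domain carrying the auth attribute (per attrib.te, every domain that reads /etc/shadow) full network access unconditionally; the #DESC line says this exists for network authentication such as PAM-LDAP, so gate it on a boolean or an ifdef for that configuration rather than widening every shadow reader by default.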

30
mls/domains/misc/fcron.te Normal file
@ -0,0 +1,30 @@
#DESC fcron - additions to cron policy for a more powerful cron program
#
# Domain for fcron, a more powerful cron program.
#
# Needs cron.te installed.
#
# Author: Russell Coker <russell@coker.com.au>
# Use capabilities.
allow crond_t self:capability { dac_override dac_read_search };
# differences between r_dir_perms and rw_dir_perms
allow crond_t cron_spool_t:dir { add_name remove_name write };
ifdef(`mta.te', `
# not sure why we need write access, but Postfix does not work without it
# I will have to change fcron to avoid the need for this
allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
')
ifdef(`distro_debian', `
can_exec(dpkg_t, crontab_exec_t)
file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
')
rw_dir_create_file(crond_t, cron_spool_t)
can_setfscreate(crond_t)
# for /var/run/fcron.fifo
file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
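Review bot: `allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };` grants mail domains write access to cron spool files on the strength of "not sure why we need write access"; write into the cron spool by the mail system deserves an explanation before it ships, so either narrow it (drop write, or dontaudit it and record what breaks) or document the reason. The header says "Needs cron.te installed", yet none of these rules are wrapped in ifdef(`crond.te') the way the mta and distro_debian sections are, so crond_t and cron_spool_t are undefined when cron.te is absent.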

@ -0,0 +1,75 @@
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#################################
#
# Rules for the kernel_t domain.
#
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
')
# Share state with the init process.
allow kernel_t init_t:process share;
# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;
# Send signal to any process.
allow kernel_t domain:process signal;
allow kernel_t domain:dir search;
# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;
# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;
# Load the policy configuration.
can_loadpol(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')
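Review bot: the range_transition hard-codes the system high label `s0 - s15:c0.c255`; define the high range once in m4 next to the sensitivity and category declarations (a name such as mls_systemhigh is a suggestion, not something this tree provides) and use it here, otherwise changing the number of levels or categories silently leaves init with the wrong clearance. The `ifdef(`targeted_policy', unconfined_domain(kernel_t))` block looks inherited from the strict tree; decide whether a targeted build of the mls policy is intended and remove it if not.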

@ -0,0 +1,5 @@
# Local customization of existing policy should be done in this file.
# If you are creating brand new policy for a new "target" domain, you
# need to create a type enforcement (.te) file in domains/program
# and a file context (.fc) file in file_context/program.

@ -0,0 +1,7 @@
#DESC startx - policy for running an X server from a user domain
#
# Author: Russell Coker <russell@coker.com.au>
#
# Everything is in the macro files

@ -0,0 +1,13 @@
#DESC Userspace Object Managers
#
#################################
# Get our own security context.
can_getcon(userspace_objmgr)
# Get security decisions via selinuxfs.
can_getsecurity(userspace_objmgr)
# Read /etc/selinux
r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
# Receive notifications of policy reloads and enforcing status changes.
allow userspace_objmgr self:netlink_selinux_socket { create bind read };

@ -0,0 +1,14 @@
#
# Authors: Eamon Walsh <ewalsh@epoch.ncsc.mil>
#
#######################################
#
# Domains for the SELinux-enabled X Window System
#
#
# Domain for all non-local X clients
#
type remote_xclient_t, domain;
in_user_role(remote_xclient_t)

@ -0,0 +1,122 @@
#DESC NetworkManager -
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the NetworkManager_t domain.
#
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
#
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
can_network(NetworkManager_t)
allow NetworkManager_t port_type:tcp_socket name_connect;
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
allow NetworkManager_t dhcpc_t:process signal;
can_ypbind(NetworkManager_t)
uses_shlib(NetworkManager_t)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
allow NetworkManager_t self:process { setcap getsched };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:file { getattr read };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
#
# Communicate with Caching Name Server
#
ifdef(`named.te', `
allow NetworkManager_t named_zone_t:dir search;
rw_dir_create_file(NetworkManager_t, named_cache_t)
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
allow named_t NetworkManager_t:udp_socket { read write };
allow named_t NetworkManager_t:netlink_route_socket { read write };
allow NetworkManager_t named_t:process signal;
allow named_t NetworkManager_t:packet_socket { read write };
')
allow NetworkManager_t selinux_config_t:dir search;
allow NetworkManager_t selinux_config_t:file { getattr read };
ifdef(`dbusd.te', `
dbusd_client(system, NetworkManager)
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t self:dbus send_msg;
ifdef(`hald.te', `
allow NetworkManager_t hald_t:dbus send_msg;
allow hald_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t initrc_t:dbus send_msg;
allow initrc_t NetworkManager_t:dbus send_msg;
ifdef(`targeted_policy', `
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t userdomain:dbus send_msg;
allow userdomain NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t usr_t:file { getattr read };
ifdef(`ifconfig.te', `
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
allow NetworkManager_t { sbin_t bin_t }:dir search;
allow NetworkManager_t bin_t:lnk_file read;
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
# in /etc created by NetworkManager will be labelled net_conf_t.
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
allow NetworkManager_t proc_t:file { getattr read };
r_dir_file(NetworkManager_t, proc_net_t)
allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
dontaudit NetworkManager_t unrestricted:dir search;
dontaudit NetworkManager_t unrestricted:file { getattr read };
allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };
ifdef(`modutil.te', `
if (!secure_mode_insmod) {
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
}
')
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
# allow vpnc connections
allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
ifdef(`vpnc.te', `
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')
ifdef(`dhcpc.te', `
allow NetworkManager_t dhcp_state_t:dir search;
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
')
allow NetworkManager_t var_lib_t:dir search;
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
dontaudit NetworkManager_t security_t:dir search;
ifdef(`consoletype.te', `
can_exec(NetworkManager_t, consoletype_exec_t)
')
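Review bot: `allow NetworkManager_t port_type:tcp_socket name_connect;` permits connecting to every labelled port; the ports this daemon binds are already named (isakmp_port_t, dhcpc_port_t), so name_connect should be narrowed likewise if the required set is known. `can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })` similarly lets it run anything under bin_t and sbin_t without a domain transition, while the named helpers (ifconfig, dhcpc, vpnc, insmod) already get their own transitions. The #DESC line is empty after the dash; fill it in.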

@ -0,0 +1,66 @@
#DESC Acct - BSD process accounting
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: acct
#
#################################
#
# Rules for the acct_t domain.
#
# acct_exec_t is the type of the acct executable.
#
daemon_base_domain(acct)
ifdef(`crond.te', `
system_crond_entry(acct_exec_t, acct_t)
# for monthly cron job
file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
')
# for SSP
allow acct_t urandom_device_t:chr_file read;
type acct_data_t, file_type, logfile, sysadmfile;
# not sure why we need this, the command "last" is reported as using it
dontaudit acct_t self:capability kill;
# gzip needs chown capability for some reason
allow acct_t self:capability { chown fsetid sys_pacct };
allow acct_t var_t:dir { getattr search };
rw_dir_create_file(acct_t, acct_data_t)
can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
allow acct_t { bin_t sbin_t }:dir search;
allow acct_t bin_t:lnk_file read;
read_locale(acct_t)
allow acct_t fs_t:filesystem getattr;
allow acct_t self:unix_stream_socket create_socket_perms;
allow acct_t self:fifo_file { read write getattr };
allow acct_t { self proc_t }:file { read getattr };
read_sysctl(acct_t)
dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
# for nscd
dontaudit acct_t var_run_t:dir search;
allow acct_t devtty_t:chr_file { read write };
allow acct_t { etc_t etc_runtime_t }:file { read getattr };
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
rw_dir_create_file(logrotate_t, acct_data_t)
can_exec(logrotate_t, acct_data_t)
')
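Review bot: `can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })` lets acct_t run init scripts inside its own domain instead of transitioning to initrc_t, and the two capability rules above it are justified only by "not sure why we need this" and "gzip needs chown capability for some reason"; each should carry a concrete reason (which command in the monthly cron job needs it) or be dropped, since an unexplained `chown` allow on a daemon that writes into var_log_t is exactly the kind of grant a later maintainer cannot safely re-evaluate from these comments.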


@ -0,0 +1,24 @@
#DESC ainit - configuration tool for ALSA
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#
type alsa_t, domain, privlog, daemon;
type alsa_exec_t, file_type, sysadmfile, exec_type;
uses_shlib(alsa_t)
allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
rw_dir_create_file(alsa_t,alsa_etc_rw_t)
allow alsa_t self:capability { setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t devpts_t:chr_file { read write };
allow alsa_t etc_t:file { getattr read };
domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
role system_r types alsa_t;
read_locale(alsa_t)
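Review bot: `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` gives every unprivileged user domain the full `create_shm_perms` set on alsa_t's shared memory, while the matching sem rule on the line above is limited to `{ unix_read unix_write associate read write }`; unless users really need to create and destroy alsa_t segments, narrow the shm rule to the same read/write/associate set. Also the `#DESC ainit` header does not match the `alsa_t` domain name used throughout the file; align it with the `#DESC <Name> - ...` convention of the other .te files.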


@ -0,0 +1,284 @@
#DESC Amanda - Automated backup program
#
# This policy file sets the rigths for amanda client started by inetd_t
# and amrecover
#
# X-Debian-Packages: amanda-common amanda-server
# Depends: inetd.te
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
#
# License : GPL
#
# last change: 27. August 2002
#
# state : complete and tested
#
# Hints :
# - amanda.fc is the appendant file context file
# - If you use amrecover please extract the files and directories to the
# directory speficified in amanda.fc as type amanda_recover_dir_t.
# - The type amanda_user_exec_t is defined to label the files but not used.
# This configuration works only as an client and a amanda client does not need
# this programs.
#
# Enhancements/Corrections:
# - set tighter permissions to /bin/tar instead bin_t
##############################################################################
# AMANDA CLIENT DECLARATIONS
##############################################################################
# General declarations
######################
type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
role system_r types amanda_t;
# type for the amanda executables
type amanda_exec_t, file_type, sysadmfile, exec_type;
# type for the amanda executables started by inetd
type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
# type for amanda configurations files
type amanda_config_t, file_type, sysadmfile;
# type for files in /usr/lib/amanda
type amanda_usr_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda
type amanda_var_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t, file_type, sysadmfile;
# type for user startable files
type amanda_user_exec_t, file_type, sysadmfile, exec_type;
# type for same awk and other scripts
type amanda_script_exec_t, file_type, sysadmfile, exec_type;
# type for the shell configuration files
type amanda_shellconfig_t, file_type, sysadmfile;
tmp_domain(amanda)
# type for /etc/amandates
type amanda_amandates_t, file_type, sysadmfile;
# type for /etc/dumpdates
type amanda_dumpdates_t, file_type, sysadmfile;
# type for amanda data
type amanda_data_t, file_type, sysadmfile;
# Domain transitions
####################
domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
##################
# File permissions
##################
# configuration files -> read only
allow amanda_t amanda_config_t:file { getattr read };
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
allow amanda_t amanda_data_t:file { read write };
# access to proc_t
allow amanda_t proc_t:file { getattr read };
# access to etc_t and similar
allow amanda_t etc_t:file { getattr read };
allow amanda_t etc_runtime_t:file { getattr read };
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
# access to device_t and similar
allow amanda_t devtty_t:chr_file { read write };
# access to fs_t
allow amanda_t fs_t:filesystem getattr;
# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl(amanda_t)
#####################
# process permissions
#####################
# Allow to use shared libs
uses_shlib(amanda_t)
# Allow to execute a amanda executable file
allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };
# Allow to run a shell
allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
# access to bin_t (tar)
allow amanda_t bin_t:file { execute execute_no_trans };
allow amanda_t self:capability { chown dac_override setuid };
allow amanda_t self:process { fork sigchld setpgid signal };
allow amanda_t self:dir search;
allow amanda_t self:file { getattr read };
###################################
# Network and process communication
###################################
can_network_server(amanda_t);
can_ypbind(amanda_t);
can_exec(amanda_t, sbin_t);
allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
##########################
# Communication with inetd
##########################
allow amanda_t inetd_t:udp_socket { read write };
###################
# inetd permissions
###################
allow inetd_t amanda_usr_lib_t:dir search;
########################
# Access to to save data
########################
# access to user_home_t
allow amanda_t user_home_type:file { getattr read };
##############################################################################
# AMANDA RECOVER DECLARATIONS
##############################################################################
# General declarations
######################
# type for amrecover
type amanda_recover_t, domain;
role sysadm_r types amanda_recover_t;
role system_r types amanda_recover_t;
# exec types for amrecover
type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
# type for recover files ( restored data )
type amanda_recover_dir_t, file_type, sysadmfile;
file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
# domain transsition
domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
# file type auto trans to write debug messages
file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
# amanda recover process permissions
####################################
uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
can_exec(amanda_recover_t, shell_exec_t)
allow amanda_recover_t privfd:fd use;
# amrecover network and process communication
#############################################
can_network(amanda_recover_t);
allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
can_ypbind(amanda_recover_t);
read_locale(amanda_recover_t);
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t var_log_t:dir search;
rw_dir_create_file(amanda_recover_t, amanda_log_t)
# amrecover file permissions
############################
# access to etc_t and similar
allow amanda_recover_t etc_t:dir search;
allow amanda_recover_t etc_t:file { getattr read };
allow amanda_recover_t etc_runtime_t:file { getattr read };
# access to amanda_recover_dir_t
allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
# access to var_t and var_run_t
allow amanda_recover_t var_t:dir search;
allow amanda_recover_t var_run_t:dir search;
# access to proc_t
allow amanda_recover_t proc_t:dir search;
allow amanda_recover_t proc_t:file { getattr read };
# access to sysctl_kernel_t
read_sysctl(amanda_recover_t)
# access to dev_t and similar
allow amanda_recover_t device_t:dir search;
allow amanda_recover_t devtty_t:chr_file { read write };
allow amanda_recover_t null_device_t:chr_file { getattr write };
# access to bin_t
allow amanda_recover_t bin_t:file { execute execute_no_trans };
# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
# in the sysadm home directory
allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
# access to use sysadm_tty_device_t (/dev/tty?)
allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
# access to amanda_tmp_t and tmp_t
allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
allow amanda_recover_t tmp_t:dir search;
#
# Rules to allow amanda to be run as a service in xinetd
#
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
#amanda needs to look at fs_type directories to decide whether it should backup
allow amanda_t { fs_type file_type }:dir {getattr read search };
allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
allow amanda_t device_type:{ blk_file chr_file } getattr;
allow amanda_t fixed_disk_device_t:blk_file read;
domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
allow amanda_t file_type:sock_file getattr;
logdir_domain(amanda)
dontaudit amanda_t proc_t:lnk_file read;
dontaudit amanda_t unlabeled_t:file getattr;
#amanda wants to check attributes on fifo_files
allow amanda_t file_type:fifo_file getattr;
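Review bot: the rules appended after the "Rules to allow amanda to be run as a service in xinetd" comment (`allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };`, `allow amanda_t fixed_disk_device_t:blk_file read;`, `domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)`) give the inetd-spawned client read access to every labelled file and to the raw disk, far wider than the per-type grants in the "File permissions" section above and at odds with the header's still-open item "set tighter permissions to /bin/tar instead bin_t"; either document that this breadth is intended for a backup client (and refresh the stale "last change: 27. August 2002" and "state : complete and tested" lines) or restrict the block to the types amanda actually backs up. Minor: the macro calls written with a trailing semicolon (`can_network_server(amanda_t);`, `can_ypbind(amanda_t);`, `read_locale(amanda_recover_t);`) are inconsistent with the rest of the file.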


@ -0,0 +1,48 @@
#DESC Anaconda - Red Hat Installation program
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the anaconda_t domain.
#
# anaconda_t is the domain of the installation program
#
type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
role system_r types anaconda_t;
unconfined_domain(anaconda_t)
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
ifdef(`dmesg.te', `
domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
')
ifdef(`distro_redhat', `
file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
')
ifdef(`rpm.te', `
# Access /var/lib/rpm.
domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
')
file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
ifdef(`udev.te', `
domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
')
ifdef(`ssh-agent.te', `
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
ifdef(`passwd.te', `
domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
')
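Review bot: `unconfined_domain(anaconda_t)` already grants everything, so the long attribute list on the `type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, ...` line and most of the `domain_auto_trans` rules below it are redundant unless the transitions are wanted for their labelling side effects (as `file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)` clearly is); a comment stating that intent would help. `role system_r types ldconfig_t;` and `role system_r types sysadm_ssh_agent_t;` are role authorizations for domains owned by other files and belong in ldconfig.te and ssh-agent.te. Style: stray space in `domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)`.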


@ -0,0 +1,415 @@
#DESC Apache - Web server
#
# X-Debian-Packages: apache2-common apache
#
###############################################################################
#
# Policy file for running the Apache web server
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# of the creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then relabel rule for user_r should be removed.
#
###############################################################################
define(`httpd_home_dirs', `
r_dir_file(httpd_t, $1)
r_dir_file(httpd_suexec_t, $1)
can_exec(httpd_suexec_t, $1)
')
bool httpd_unified false;
# Allow httpd to use built in scripting (usually php)
bool httpd_builtin_scripting false;
# Allow httpd cgi support
bool httpd_enable_cgi false;
# Allow httpd to read home directories
bool httpd_enable_homedirs false;
# Run SSI execs in system CGI script domain.
bool httpd_ssi_exec false;
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
# Allow http daemon to tcp connect
bool httpd_can_network_connect false;
#########################################################
# Apache types
#########################################################
# httpd_config_t is the type given to the configuration
# files for apache /etc/httpd/conf
#
type httpd_config_t, file_type, sysadmfile;
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
#
type httpd_modules_t, file_type, sysadmfile;
# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
#
type httpd_cache_t, file_type, sysadmfile;
# httpd_exec_t is the type give to the httpd executable.
#
daemon_domain(httpd, `, privmail, nscd_client_domain')
append_logdir_domain(httpd)
#can read /etc/httpd/logs
allow httpd_t httpd_log_t:lnk_file read;
# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)
can_tcp_connect(web_client_domain, httpd_t)
can_exec(httpd_t, httpd_exec_t)
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
general_domain_access(httpd_t)
allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
read_sysctl(httpd_t)
allow httpd_t crypt_device_t:chr_file rw_file_perms;
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
# for apache2 memory mapped files
var_lib_domain(httpd)
# for tomcat
r_dir_file(httpd_t, var_lib_t)
# execute perl
allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
########################################
# Set up networking
########################################
can_network_server(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
nsswitch_domain(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
# allow httpd to connect to mysql/posgresql
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
# allow httpd to work as a relay
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
if (httpd_can_network_connect) {
can_network_client(httpd_t)
allow httpd_t port_type:tcp_socket name_connect;
}
##########################################
# Legacy: remove when it's fixed #
# Allow libphp5.so with text relocations #
##########################################
allow httpd_t texrel_shlib_t:file execmod;
#########################################
# Allow httpd to search users directories
#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
dontaudit httpd_t self:capability net_admin;
#################################################
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
allow logrotate_t httpd_t:process signull;
')
r_dir_file(initrc_t, httpd_config_t)
##################################################
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
create_dir_file(httpd_t, httpd_cache_t)
###############################
# Allow httpd_t to access the tmpfs file system
##############################
tmpfs_domain(httpd)
#####################
# Allow httpd_t to access
# libraries for its modules
###############################
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
allow httpd_t httpd_modules_t:lnk_file r_file_perms;
######################################################################
# Allow initrc_t to access the Apache modules directory.
######################################################################
allow initrc_t httpd_modules_t:dir r_dir_perms;
##############################################
# Allow httpd_t to have access to files
# such as nisswitch.conf
# need ioctl for php
###############################################
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
# setup the system domain for system CGI scripts
apache_domain(sys)
dontaudit httpd_sys_script_t httpd_config_t:dir search;
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
#
# PHP Directives
##################################################
type httpd_php_exec_t, file_type, sysadmfile, exec_type;
type httpd_php_t, domain;
# Transition from the user domain to this domain.
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
# The system role is authorized for this domain.
role system_r types httpd_php_t;
general_domain_access(httpd_php_t)
uses_shlib(httpd_php_t)
can_exec(httpd_php_t, lib_t)
# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file ra_file_perms;
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
# Creation of lock files for apache2
lock_domain(httpd)
# Allow apache to used public_content_t
anonymous_domain(httpd)
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
can_unix_connect(httpd_t, mysqld_t)
can_unix_connect(httpd_sys_script_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
read_fonts(httpd_t)
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
}
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
#
typealias httpd_log_t alias httpd_runtime_t;
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
dontaudit httpd_t httpd_runtime_t:file ioctl;
') dnl distro_redhat
#
# Customer reported the following
#
ifdef(`snmpd.te', `
dontaudit httpd_t snmpd_var_lib_t:dir search;
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
', `
dontaudit httpd_t usr_t:dir write;
')
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
########################################
# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
##################################################
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
} else {
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
#
# unconfined domain for apache scripts. Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
unconfined_domain(httpd_unconfined_script_t)
# The following are types for SUEXEC,which runs user scripts as their
# own user ID
#
daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
allow httpd_t httpd_suexec_exec_t:file { getattr read };
#########################################################
# Permissions for running child processes and scripts
##########################################################
allow httpd_suexec_t self:capability { setuid setgid };
dontaudit httpd_suexec_t var_run_t:dir search;
allow httpd_suexec_t { var_t var_log_t }:dir search;
allow httpd_suexec_t home_root_t:dir search;
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t etc_t:file { getattr read };
read_locale(httpd_suexec_t)
read_sysctl(httpd_suexec_t)
allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
# for shell scripts
allow httpd_suexec_t bin_t:dir search;
allow httpd_suexec_t bin_t:lnk_file read;
can_exec(httpd_suexec_t, { bin_t shell_exec_t })
if (httpd_can_network_connect) {
can_network(httpd_suexec_t)
allow httpd_suexec_t port_type:tcp_socket name_connect;
}
can_ypbind(httpd_suexec_t)
allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)
if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
')
}
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
}
#
# Types for squirrelmail
#
type httpd_squirrelmail_t, file_type, sysadmfile;
create_dir_file(httpd_t, httpd_squirrelmail_t)
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
# File Type of squirrelmail attachments
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
create_dir_file(httpd_t, squirrelmail_spool_t)
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
dontaudit system_mail_t httpd_log_t:file { append getattr };
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
bool httpd_enable_ftp_server false;
if (httpd_enable_ftp_server) {
allow httpd_t ftp_port_t:tcp_socket name_bind;
}
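Review bot: `allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;` (the "work as a relay" rule) and the `postgresql_port_t mysqld_port_t` name_connect above it are unconditional, whereas general outbound access is gated behind `httpd_can_network_connect`; since these let httpd_t reach any host on those ports, they should sit behind a boolean as well and the comment should say so. Two smaller points: `bool httpd_unified false;` is the only boolean declared without an explanatory comment, and `bool httpd_enable_ftp_server false;` is declared at the very end of the file rather than with the other booleans near the top. `allow httpd_helper_t httpd_log_t:file { append };` does not need the braces.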

157
mls/domains/program/apmd.te Normal file

@ -0,0 +1,157 @@
#DESC Apmd - Automatic Power Management daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#
#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')
# for SSP
allow apmd_t urandom_device_t:chr_file read;
type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read write };
can_sysctl(apmd_t)
allow apmd_t sysfs_t:file write;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;
# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
# acpid also has a logfile
log_domain(apmd)
tmp_domain(apmd)
ifdef(`distro_suse', `
var_lib_domain(apmd)
')
allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;
# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;
# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;
# Run helper programs.
can_exec_any(apmd_t)
# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
allow hwclock_t apmd_log_t:file append;
allow hwclock_t apmd_t:unix_stream_socket { read write };
')
# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;
ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
lock_domain(apmd)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')
ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };
#
# Allow it to run killof5 and pidof
#
typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
ifdef(`logrotate.te', `
allow apmd_t logrotate_t:fd use;
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
allow apmd_t security_t:dir search;
allow apmd_t usr_t:dir search;
r_dir_file(apmd_t, hwdata_t)
ifdef(`targeted_policy', `
unconfined_domain(apmd_t)
')
ifdef(`NetworkManager.te', `
ifdef(`dbusd.te', `
allow apmd_t NetworkManager_t:dbus send_msg;
allow NetworkManager_t apmd_t:dbus send_msg;
')
')
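Review bot: `typeattribute apmd_t unrestricted;` together with `r_dir_file(apmd_t, domain)` and `can_exec_any(apmd_t)` brings apmd_t close to unconfined even in the strict build, and the only justification is the comment "Allow it to run killof5 and pidof" (typo for killall5); if the need is only to read every domain's /proc entries for pidof, `r_dir_file(apmd_t, domain)` alone should cover it and the `unrestricted` attribute should be dropped or explained. Also `allow apmd_t proc_t:file { getattr read write };` grants write on all of proc_t and `allow apmd_t user_tty_type:chr_file rw_file_perms;` is unconditional; both deserve a comment naming the operation that needs them.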


@ -0,0 +1,48 @@
#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
daemon_domain(arpwatch, `, privmail')
# for files created by arpwatch
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)
tmp_domain(arpwatch)
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
can_network_server(arpwatch_t)
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)
ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')
ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo
# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
')
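Review bot: the `ifdef(`hide_broken_symptoms', ...)` dontaudit of `arpwatch_t:packet_socket { read write }` for `system_mail_t` and `mta_user_agent` indicates arpwatch leaks its packet socket descriptor into the mail agent it spawns; the dontaudit only silences that, so the comment should say what is being hidden (ideally with a pointer to closing the descriptor on exec in arpwatch). The open question "why is mail delivered to a directory of type arpwatch_data_t?" together with `allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;` should be resolved before merge: read/write on arpwatch's tmp files is more than a notification mail needs.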


@ -0,0 +1,76 @@
#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
# Some fixes by Paul Moore <paul.moore@hp.com>
#
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
')
daemon_domain(auditd)
ifdef(`mls_policy', `
# run at the highest MLS level
typeattribute auditd_t mlsrangetrans;
range_transition initrc_t auditd_exec_t s15:c0.c255;
')
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
allow auditd_t self:process setsched;
allow auditd_t self:file { getattr read write };
allow auditd_t etc_t:file { getattr read };
# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
allow auditd_t var_log_t:dir search;
rw_dir_create_file(auditd_t, auditd_log_t)
can_exec(auditd_t, init_exec_t)
allow auditd_t initctl_t:fifo_file write;
ifdef(`targeted_policy', `
dontaudit auditd_t unconfined_t:fifo_file read;
')
type auditctl_t, domain, privlog;
type auditctl_exec_t, file_type, exec_type, sysadmfile;
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t etc_t:file { getattr read };
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
allow initrc_t auditd_etc_t:file r_file_perms;
role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)
ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
')
')
role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
dontaudit auditctl_t init_t:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;
allow auditd_t sbin_t:dir search;
can_exec(auditd_t, sbin_t)
allow auditd_t self:fifo_file rw_file_perms;
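Review bot: `can_exec(auditd_t, sbin_t)` together with `allow auditd_t sbin_t:dir search;` at the end of the hunk lets the audit daemon run any binary labelled sbin_t inside auditd_t, carrying audit_write, audit_control and (under mls_policy) the s15:c0.c255 range it was started at. If this exists for one specific helper, give that helper its own exec type and a domain transition, the way auditctl already has auditctl_exec_t and auditctl_t earlier in this file. Separately, `range_transition initrc_t auditd_exec_t s15:c0.c255;` hard-codes the system-high level; if the MLS configuration ever changes the number of sensitivities or categories this line stops compiling, so define system high once and reference it here instead of spelling out the range.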

@ -0,0 +1,79 @@
#DESC Automount - Automount daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: amd am-utils autofs
#
#################################
#
# Rules for the automount_t domain.
#
daemon_domain(automount)
etc_domain(automount)
# for SSP
allow automount_t urandom_device_t:chr_file read;
# for if the mount point is not labelled
allow automount_t file_t:dir getattr;
allow automount_t default_t:dir getattr;
allow automount_t autofs_t:dir { create_dir_perms ioctl };
allow automount_t fs_type:dir getattr;
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
allow automount_t self:process { getpgid setpgid setsched };
allow automount_t self:capability { sys_nice dac_override };
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
# because config files can be shell scripts
can_exec(automount_t, { etc_t automount_etc_t })
can_network_server(automount_t)
can_resolve(automount_t)
can_ypbind(automount_t)
can_ldap(automount_t)
ifdef(`fsadm.te', `
domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
')
lock_domain(automount)
tmp_domain(automount)
allow automount_t self:fifo_file rw_file_perms;
# Run mount in the mount_t domain.
domain_auto_trans(automount_t, mount_exec_t, mount_t)
allow mount_t autofs_t:dir { search mounton read };
allow mount_t automount_tmp_t:dir mounton;
ifdef(`apmd.te',
`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
can_exec(automount_t, bin_t)')
allow automount_t { bin_t sbin_t }:dir search;
can_exec(automount_t, mount_exec_t)
can_exec(automount_t, shell_exec_t)
allow mount_t autofs_t:dir getattr;
dontaudit automount_t var_t:dir write;
allow userdomain autofs_t:dir r_dir_perms;
allow kernel_t autofs_t:dir { getattr ioctl read search };
allow automount_t { boot_t home_root_t }:dir getattr;
allow automount_t mnt_t:dir { getattr search };
can_exec(initrc_t, automount_etc_t)
# Allow automount to create and delete directories in / and /home
file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
allow automount_t var_lib_t:dir search;
allow automount_t var_lib_nfs_t:dir search;
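Review bot: `can_exec(automount_t, { etc_t automount_etc_t })`, commented as "because config files can be shell scripts", grants execute on every file of type etc_t, not only the automount maps. Since maps that are scripts already get automount_etc_t through `etc_domain(automount)`, consider dropping etc_t from this rule, or document which generic /etc file automount must execute. Minor: `allow mount_t autofs_t:dir getattr;` later in the hunk can be folded into the earlier `allow mount_t autofs_t:dir { search mounton read };`.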

@ -0,0 +1,31 @@
#DESC avahi - mDNS/DNS-SD daemon implementing Apples ZeroConf architecture
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
daemon_domain(avahi, `, privsysmod')
r_dir_file(avahi_t, proc_net_t)
can_network_server(avahi_t)
can_ypbind(avahi_t)
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow avahi_t self:unix_dgram_socket create_socket_perms;
allow avahi_t self:capability { dac_override setgid chown kill setuid };
allow avahi_t urandom_device_t:chr_file r_file_perms;
allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
allow avahi_t self:fifo_file { read write };
allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
allow avahi_t self:process setrlimit;
allow avahi_t etc_t:file { getattr read };
allow avahi_t initrc_t:process { signal signull };
allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
allow avahi_t avahi_var_run_t:dir setattr;
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
ifdef(`dbusd.te', `
dbusd_client(system, avahi)
ifdef(`targeted_policy', `
allow avahi_t unconfined_t:dbus send_msg;
allow unconfined_t avahi_t:dbus send_msg;
')
')
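Review bot: the capability set `{ dac_override setgid chown kill setuid }` is broad for an mDNS responder. setuid, setgid and chown are consistent with dropping to an unprivileged user and fixing up its run directory (the `avahi_var_run_t:dir setattr` and sock_file rules below support that), but dac_override bypasses file permission checks wherever the type rules allow and usually points at a mislabelled or wrongly owned file. Check whether avahi still needs it once avahi_var_run_t is owned by the avahi user, and if it does, add a comment saying what it is for.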

@ -0,0 +1,116 @@
#DESC Bluetooth
#
# Authors: Dan Walsh
# RH-Packages: Bluetooth
#
#################################
#
# Rules for the bluetooth_t domain.
#
daemon_domain(bluetooth)
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
tmp_domain(bluetooth)
var_lib_domain(bluetooth)
# Use capabilities.
allow bluetooth_t self:file read;
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
allow bluetooth_t self:process getsched;
allow bluetooth_t proc_t:file { getattr read };
allow bluetooth_t self:shm create_shm_perms;
lock_domain(bluetooth)
# Use the network.
can_network(bluetooth_t)
can_ypbind(bluetooth_t)
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
type bluetooth_conf_rw_t, file_type, sysadmfile;
# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
#/usr/sbin/hid2hci causes the following
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
allow bluetooth_t bin_t:dir search;
can_exec(bluetooth_t, { bin_t shell_exec_t })
allow bluetooth_t bin_t:lnk_file read;
#Handle bluetooth serial devices
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_t, fonts_t)
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
allow bluetooth_t usr_t:file { getattr read };
application_domain(bluetooth_helper, `, nscd_client_domain')
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
role system_r types bluetooth_helper_t;
read_locale(bluetooth_helper_t)
typeattribute bluetooth_helper_t unrestricted;
r_dir_file(bluetooth_helper_t, domain)
allow bluetooth_helper_t bin_t:dir { getattr search };
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
allow bluetooth_helper_t bin_t:lnk_file read;
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:process { fork getsched sigchld };
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_helper_t, fonts_t)
r_dir_file(bluetooth_helper_t, proc_t)
read_sysctl(bluetooth_helper_t)
allow bluetooth_helper_t tmp_t:dir search;
allow bluetooth_helper_t usr_t:file { getattr read };
allow bluetooth_helper_t home_dir_type:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`targeted_policy', `
allow bluetooth_helper_t tmp_t:sock_file { read write };
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
allow bluetooth_t unpriv_userdomain:dbus send_msg;
allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_helper_t self:unix_stream_socket connectto;
tmp_domain(bluetooth_helper)
allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
dontaudit bluetooth_helper_t default_t:dir { read search };
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
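Review bot: `typeattribute bluetooth_helper_t unrestricted;` makes the helper effectively unconfined, and on top of that it receives `r_dir_file(bluetooth_helper_t, domain)` (read access to every domain's /proc entries) and search on home_dir_type. For a helper spawned by a daemon that holds net_admin and net_raw, explain in a comment why confinement is not feasible, or replace `unrestricted` with the specific rules the helper actually triggers. Style: the `ifdef(`xserver.te', ...)` block granting xserver_log_t search and read appears twice in this file (once before the targeted_policy block and again at the end); keep one copy.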

@ -0,0 +1,9 @@
# DESC - Bonobo Activation Server
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# Type for executable
type bonobo_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in macros/bonobo_macros.te

@ -0,0 +1,167 @@
#DESC Bootloader - Lilo boot loader/manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lilo
#
#################################
#
# Rules for the bootloader_t domain.
#
# bootloader_exec_t is the type of the bootloader executable.
#
type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
type bootloader_exec_t, file_type, sysadmfile, exec_type;
etc_domain(bootloader)
role sysadm_r types bootloader_t;
role system_r types bootloader_t;
allow bootloader_t var_t:dir search;
create_append_log_file(bootloader_t, var_log_t)
allow bootloader_t var_log_t:file write;
# for nscd
dontaudit bootloader_t var_run_t:dir search;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
')
allow bootloader_t { initrc_t privfd }:fd use;
tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
read_locale(bootloader_t)
# for tune2fs
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
# for /vmlinuz sym link
allow bootloader_t root_t:lnk_file read;
# lilo would need read access to get BIOS data
allow bootloader_t proc_kcore_t:file getattr;
allow bootloader_t { etc_t device_t }:dir r_dir_perms;
allow bootloader_t etc_t:file r_file_perms;
allow bootloader_t etc_t:lnk_file read;
allow bootloader_t initctl_t:fifo_file getattr;
uses_shlib(bootloader_t)
ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
allow bootloader_t usr_t:lnk_file read;
allow bootloader_t tmpfs_t:dir r_dir_perms;
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
allow bootloader_t var_lib_t:dir search;
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
# for /usr/share/initrd-tools/scripts
can_exec(bootloader_t, usr_t)
')
allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
allow bootloader_t device_t:lnk_file { getattr read };
# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
allow lvm_t bootloader_tmp_t:file rw_file_perms;
r_dir_file(bootloader_t, lvm_etc_t)
')
# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
can_exec_any(bootloader_t)
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;
allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
allow bootloader_t modules_object_t:dir r_dir_perms;
ifdef(`distro_redhat', `
allow bootloader_t modules_object_t:lnk_file { getattr read };
')
# for ldd
ifdef(`fsadm.te', `
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
')
ifdef(`modutil.te', `
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
')
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:file create_file_perms;
allow bootloader_t boot_t:lnk_file create_lnk_perms;
allow bootloader_t load_policy_exec_t:file { getattr read };
allow bootloader_t random_device_t:chr_file { getattr read };
ifdef(`distro_redhat', `
# for mke2fs
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
allow mount_t bootloader_tmp_t:dir mounton;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
allow bootloader_t file_t:lnk_file create_lnk_perms;
allow bootloader_t self:unix_stream_socket create_socket_perms;
allow bootloader_t boot_runtime_t:file { read getattr unlink };
# for memlock
allow bootloader_t zero_device_t:chr_file { getattr read };
allow bootloader_t self:capability ipc_lock;
')
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
# allow bootloader to get attributes of any device node
allow bootloader_t { device_type ttyfile }:chr_file getattr;
allow bootloader_t device_type:blk_file getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
allow bootloader_t self:process { fork signal_perms };
allow bootloader_t self:lnk_file read;
allow bootloader_t self:dir search;
allow bootloader_t self:file { getattr read };
allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t fs_t:filesystem getattr;
allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file { getattr read };
allow bootloader_t proc_mdstat_t:file r_file_perms;
allow bootloader_t self:dir { getattr search read };
read_sysctl(bootloader_t)
allow bootloader_t etc_runtime_t:file r_file_perms;
allow bootloader_t devtty_t:chr_file rw_file_perms;
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };
# for reading BIOS data
allow bootloader_t memory_device_t:chr_file r_file_perms;
allow bootloader_t policy_config_t:dir { search read };
allow bootloader_t policy_config_t:file { getattr read };
allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t urandom_device_t:chr_file read;
allow bootloader_t { usr_t var_t }:file { getattr read };
r_dir_file(bootloader_t, src_t)
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t sysctl_t:dir search;
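Review bot: inside the distro_debian block, `allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;` (plus relabelto on the same types) lets the bootloader create and modify real shared libraries and filesystem-admin executables anywhere on the system, not only the copies assembled for an initrd. Combined with `can_exec_any(bootloader_t)` and the `privowner, admin` attributes added on the type line, a compromise of bootloader_t becomes a direct path into every domain that loads lib_t or transitions through fsadm_exec_t. If the initrd tree is built under bootloader_tmp_t (the `bootloader_tmp_t:{ dir file } { relabelfrom relabelto }` rule at the top of the block suggests it is), restrict the create rule to that type. Minor: `domain_auto_trans(bootloader_t, mount_exec_t, mount_t);` carries a stray semicolon after the macro call.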

@ -0,0 +1,46 @@
#DESC canna - A Japanese character set input system.
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the canna_t domain.
#
daemon_domain(canna)
file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
logdir_domain(canna)
var_lib_domain(canna)
allow canna_t self:capability { setgid setuid net_bind_service };
allow canna_t tmp_t:dir { search };
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t etc_t:file { getattr read };
allow canna_t usr_t:file { getattr read };
allow canna_t proc_t:file r_file_perms;
allow canna_t etc_runtime_t:file r_file_perms;
allow canna_t canna_var_lib_t:dir create;
rw_dir_create_file(canna_t, canna_var_lib_t)
can_network_tcp(canna_t)
allow canna_t port_type:tcp_socket name_connect;
can_ypbind(canna_t)
allow userdomain canna_var_run_t:dir search;
allow userdomain canna_var_run_t:sock_file write;
can_unix_connect(userdomain, canna_t)
ifdef(`i18n_input.te', `
allow i18n_input_t canna_var_run_t:dir search;
allow i18n_input_t canna_var_run_t:sock_file write;
can_unix_connect(i18n_input_t, canna_t)
')
dontaudit canna_t kernel_t:fd use;
dontaudit canna_t root_t:file read;
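Review bot: `allow canna_t port_type:tcp_socket name_connect;` lets the input server connect to any TCP port on the system rather than the one it actually needs; narrow this to the specific port type. Also `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream permission set (listen, accept) to a datagram socket; `create_socket_perms` is the matching set and is what the other unix_dgram_socket rules in this commit use. Style: `tmp_t:dir { search }` does not need braces around a single permission.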

@ -0,0 +1,90 @@
#DESC Cardmgr - PCMCIA control programs
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#
#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')
# for SSP
allow cardmgr_t urandom_device_t:chr_file read;
type cardctl_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
')
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };
allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;
# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
allow cardmgr_t etc_runtime_t:file { getattr read };
allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;
# Create stab file
var_lib_domain(cardmgr)
# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
# Run a shell, normal commands, /etc/pcmcia scripts.
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;
# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;
allow cardmgr_t proc_t:file { getattr read ioctl };
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
allow cardmgr_t device_t:lnk_file { getattr read };
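Review bot: `dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;` (with the neighbouring dontaudits on domain and proc_kmsg_t) hides getattr denials on every file and directory type on the system, which will also mask mislabelling that the fuser run behind `can_ps(cardmgr_t, domain -unrestricted)` would otherwise surface. If these denials only come from fuser, scope the dontaudit to the types it walks. The comment `# would be better to have it in a different type if I knew how it was created..` above `allow cardmgr_t var_lib_t:file { getattr read };` is an open TODO; `var_lib_domain(cardmgr)` already defines cardmgr_var_lib_t, so /var/lib/misc/pcmcia-scheme should get that label through a file context entry rather than being read as generic var_lib_t.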

@ -0,0 +1,10 @@
# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
# Type for the cdrecord excutable.
type cdrecord_exec_t, file_type, sysadmfile, exec_type;
# everything else is in the cdrecord_domain macros in
# macros/program/cdrecord_macros.te.

@ -0,0 +1,11 @@
#DESC certwatch - generate SSL certificate expiry warnings
#
# Domains for the certwatch process
# Authors: Dan Walsh <dwalsh@redhat.com>,
#
application_domain(certwatch)
role system_r types certwatch_t;
r_dir_file(certwatch_t, cert_t)
can_exec(certwatch_t, httpd_modules_t)
system_crond_entry(certwatch_exec_t, certwatch_t)
read_locale(certwatch_t)

@ -0,0 +1,64 @@
#DESC Checkpolicy - SELinux policy compliler
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: checkpolicy
#
###########################
#
# checkpolicy_t is the domain type for checkpolicy
# checkpolicy_exec_t if file type for the executable
type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
role system_r types checkpolicy_t;
role secadm_r types checkpolicy_t;
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
###########################
# constrain what checkpolicy can use as source files
#
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
# allow test policies to be created in src directories
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory.
allow checkpolicy_t devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Other access
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
allow checkpolicy_t { userdomain privfd }:fd use;
allow checkpolicy_t fs_t:filesystem getattr;
allow checkpolicy_t console_device_t:chr_file { read write };
allow checkpolicy_t init_t:fd use;
allow checkpolicy_t selinux_config_t:dir search;
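Review bot: `file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)` labels compiled test policies in the source tree with the same type as the installed binary policy, so every rule granted on policy_config_t elsewhere (for example bootloader_t's read access to policy_config_t files earlier in this commit) applies to scratch builds as well. Use a distinct type for build output, or add a comment documenting that sharing the type is intended. The hunk is otherwise consistent: `can_exec(unpriv_userdomain, checkpolicy_exec_t)` without a transition matches the comment that unprivileged users must not be able to write the real binary policy.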

@ -0,0 +1,18 @@
#DESC Chkpwd - PAM password checking programs
# X-Debian-Packages: libpam-modules
#
# Domains for the /sbin/.*_chkpwd utilities.
#
#
# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
#
type chkpwd_exec_t, file_type, sysadmfile, exec_type;
chkpwd_domain(system)
dontaudit system_chkpwd_t privfd:fd use;
role sysadm_r types system_chkpwd_t;
in_user_role(system_chkpwd_t)
# Everything else is in the chkpwd_domain macro in
# macros/program/chkpwd_macros.te.

@ -0,0 +1,21 @@
#DESC Chroot - Establish chroot environments
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
type chroot_exec_t, file_type, sysadmfile, exec_type;
# For a chroot environment named potato that can be entered from user_t (so
# the user can run an old version of Debian in a chroot), with the possibility
# of user_devpts_t or user_tty_device_t being the controlling tty type for
# administration. This also defines a mount_domain for the user (so they can
# mount file systems).
#chroot(user, potato)
# For a chroot environment named apache that can be entered from initrc_t for
# running a different version of apache.
# initrc is a special case, uses the system_r role (usually appends "_r" to
# the base name of the parent domain), and has sysadm_devpts_t and
# sysadm_tty_device_t for the controlling terminal
#chroot(initrc, apache)
# the main code is in macros/program/chroot_macros.te

@ -0,0 +1,20 @@
#DESC comsat - biff server
#
# Author: Dan Walsh <dwalsh@redhat.com>
# Depends: inetd.te
#
#################################
#
# Rules for the comsat_t domain.
#
# comsat_exec_t is the type of the comsat executable.
#
inetd_child_domain(comsat, udp)
allow comsat_t initrc_var_run_t:file r_file_perms;
dontaudit comsat_t initrc_var_run_t:file write;
allow comsat_t mail_spool_t:dir r_dir_perms;
allow comsat_t mail_spool_t:lnk_file read;
allow comsat_t var_spool_t:dir search;
dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;

@ -0,0 +1,65 @@
#DESC consoletype - determine the type of a console device
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
#################################
#
# Rules for the consoletype_t domain.
#
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
type consoletype_t, domain, mlsfileread, mlsfilewrite;
type consoletype_exec_t, file_type, sysadmfile, exec_type;
role system_r types consoletype_t;
uses_shlib(consoletype_t)
general_domain_access(consoletype_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
')
allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
# Use capabilities.
allow consoletype_t self:capability sys_admin;
allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
ifdef(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')
ifdef(`pam.te', `
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;
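Review bot: `type consoletype_t, domain, mlsfileread, mlsfilewrite;` gives a small console-type probe a blanket exemption from the MLS file read and write constraints, and the hunk also grants `allow consoletype_t nfs_t:file write;` and rw_file_perms on sysadm_t:fifo_file, so the exemption reaches beyond terminals. If the attributes are there because initrc runs consoletype against ttys at other levels, say so in a comment and consider limiting the override to the chr_file accesses; the nfs_t write in particular looks unrelated to determining a console type and needs a justification or removal. Style: `{admin_tty_type tty_device_t ...}` is missing the space after the opening brace used everywhere else in these files.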

@ -0,0 +1,17 @@
#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
#
# Author: Russell Coker <russell@coker.com.au>
#
type cpucontrol_conf_t, file_type, sysadmfile;
daemon_base_domain(cpucontrol)
# Access cpu devices.
allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
allow cpucontrol_t device_t:lnk_file { getattr read };
allow initrc_t cpu_device_t:chr_file getattr;
allow cpucontrol_t self:capability sys_rawio;
r_dir_file(cpucontrol_t, cpucontrol_conf_t)

@ -0,0 +1,17 @@
#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
#
# Authors: Russell Coker <russell@coker.com.au>
# Thomas Bleher <ThomasBleher@gmx.de>
#
daemon_base_domain(cpuspeed)
read_locale(cpuspeed_t)
allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;
allow cpuspeed_t proc_t:dir r_dir_perms;
allow cpuspeed_t proc_t:file { getattr read };
allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
allow cpuspeed_t self:process setsched;
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
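Review bot: `allow cpuspeed_t sysfs_t:file rw_file_perms;` grants write to every file under sysfs rather than the cpufreq attributes a frequency-scaling daemon adjusts; a dedicated type for those nodes would keep this daemon from being able to change unrelated kernel settings. Also the #DESC line ("domain for microcode_ctl, powernowd, etc") repeats cpucontrol.te's description: microcode_ctl is handled by cpucontrol_t in the previous file, so this description should name only the CPU frequency daemons.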

@ -0,0 +1,48 @@
#DESC Crack - Password cracking application
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: crack
#
#################################
#
# Rules for the crack_t domain.
#
# crack_exec_t is the type of the crack executable.
#
system_domain(crack)
ifdef(`crond.te', `
system_crond_entry(crack_exec_t, crack_t)
')
# for SSP
allow crack_t urandom_device_t:chr_file read;
type crack_db_t, file_type, sysadmfile, usercanread;
allow crack_t var_t:dir search;
rw_dir_create_file(crack_t, crack_db_t)
allow crack_t device_t:dir search;
allow crack_t devtty_t:chr_file rw_file_perms;
allow crack_t self:fifo_file { read write getattr };
tmp_domain(crack)
# for dictionaries
allow crack_t usr_t:file { getattr read };
can_exec(crack_t, bin_t)
allow crack_t { bin_t sbin_t }:dir search;
allow crack_t self:process { fork signal_perms };
allow crack_t proc_t:dir { read search };
allow crack_t proc_t:file { read getattr };
# read config files
allow crack_t { etc_t etc_runtime_t }:file { getattr read };
allow crack_t etc_t:dir r_dir_perms;
allow crack_t fs_t:filesystem getattr;
dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
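Review bot: `type crack_db_t, file_type, sysadmfile, usercanread;` marks the directory crack writes under /var (via `rw_dir_create_file(crack_t, crack_db_t)`) as readable by user domains. That is where a password cracker keeps its results, so exposing it to unprivileged users defeats the point of running it as a system cron job; drop usercanread unless there is a documented need. If dictionaries were the reason, note that they are read from usr_t per the `# for dictionaries` comment, not from crack_db_t.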

@ -0,0 +1,214 @@
#DESC Crond - Crond daemon
#
# Domains for the top-level crond daemon process and
# for system cron jobs. The domains for user cron jobs
# are in macros/program/crond_macros.te.
#
# X-Debian-Packages: cron
# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
# Domain for crond. It needs auth_chkpwd to check for locked accounts.
daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
# This domain is granted permissions common to most domains (including can_net)
general_domain_access(crond_t)
# Type for the anacron executable.
type anacron_exec_t, file_type, sysadmfile, exec_type;
# Type for temporary files.
tmp_domain(crond)
crond_domain(system)
allow system_crond_t proc_mdstat_t:file { getattr read };
allow system_crond_t proc_t:lnk_file read;
allow system_crond_t proc_t:filesystem getattr;
allow system_crond_t usbdevfs_t:filesystem getattr;
ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
')
# read files in /etc
allow system_crond_t etc_t:file r_file_perms;
allow system_crond_t etc_runtime_t:file { getattr read };
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
read_locale(crond_t)
# Use capabilities.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
can_getsecurity(crond_t)
# for finding binaries and /bin/sh
allow crond_t { bin_t sbin_t }:dir search;
allow crond_t { bin_t sbin_t }:lnk_file read;
# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
# Read /etc/security/default_contexts.
r_dir_file(crond_t, default_context_t)
allow crond_t etc_t:file { getattr read };
allow crond_t etc_t:lnk_file read;
allow crond_t default_t:dir search;
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
# to search /home
allow crond_t home_root_t:dir { getattr search };
allow crond_t user_home_dir_type:dir r_dir_perms;
# Run a shell.
can_exec(crond_t, shell_exec_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
ifdef(`rpm.te', `
allow crond_t rpm_log_t: file create_file_perms;
system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
#read ahead wants to read this
allow initrc_t system_cron_spool_t:file { getattr read };
')
')
allow system_crond_t var_log_t:file r_file_perms;
# Set exec context.
can_setexec(crond_t)
# Transition to this domain for anacron as well.
# Still need to study anacron.
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
# Inherit and use descriptors from init for anacron.
allow system_crond_t init_t:fd use;
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
can_access_pty(system_crond_t, initrc)
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow crond_t urandom_device_t:chr_file { getattr read };
# Read the system crontabs.
allow system_crond_t system_cron_spool_t:file r_file_perms;
allow crond_t system_cron_spool_t:dir r_dir_perms;
allow crond_t system_cron_spool_t:file r_file_perms;
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir r_dir_perms;
allow system_crond_t cron_spool_t:file r_file_perms;
# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;
# Update whatis files.
allow system_crond_t man_t:dir create_dir_perms;
allow system_crond_t man_t:file create_file_perms;
allow system_crond_t man_t:lnk_file read;
# Write /var/lock/makewhatis.lock.
lock_domain(system_crond)
# for if /var/mail is a symlink
allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
allow crond_t mail_spool_t:dir search;
ifdef(`mta.te', `
r_dir_file(system_mail_t, crond_tmp_t)
')
# Stat any file and search any directory for find.
allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
allow system_crond_t device_type:{ chr_file blk_file } getattr;
allow system_crond_t file_type:dir { read search getattr };
# Create temporary files.
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
# /sbin/runlevel ask for w access to utmp, but will operate
# correctly without it. Do not audit write denials to utmp.
# /sbin/runlevel needs lock access however
dontaudit system_crond_t initrc_var_run_t:file write;
allow system_crond_t initrc_var_run_t:file { getattr read lock };
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
allow system_crond_t var_spool_t:file create_file_perms;
allow system_crond_t var_spool_t:dir rw_dir_perms;
# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;
#
# reading /var/spool/cron/mailman
#
allow crond_t var_spool_t:file { getattr read };
allow system_crond_t devpts_t:filesystem getattr;
allow system_crond_t sysfs_t:filesystem getattr;
allow system_crond_t tmpfs_t:filesystem getattr;
allow system_crond_t rpc_pipefs_t:filesystem getattr;
#
# These rules are here to allow system cron jobs to su
#
ifdef(`su.te', `
su_restricted_domain(system_crond,system)
role system_r types system_crond_su_t;
allow system_crond_su_t crond_t:fifo_file ioctl;
')
allow system_crond_t self:passwd rootok;
#
# prelink tells init to restart it self, we either need to allow or dontaudit
#
allow system_crond_t initctl_t:fifo_file write;
dontaudit userdomain system_crond_t:fd use;
r_dir_file(crond_t, selinux_config_t)
# Allow system cron jobs to relabel filesystem for restoring file contexts.
bool cron_can_relabel false;
if (cron_can_relabel) {
domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
} else {
r_dir_file(system_crond_t, file_context_t)
can_getsecurity(system_crond_t)
}
dontaudit system_crond_t removable_t:filesystem getattr;
#
# Required for webalizer
#
dontaudit crond_t self:capability sys_tty_config;
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
allow system_crond_t httpd_modules_t:lnk_file read;
# Needed for certwatch
can_exec(system_crond_t, httpd_modules_t)
')
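Review bot: the readahead rule `allow initrc_t system_cron_spool_t:file { getattr read };` (under `#read ahead wants to read this`) is nested inside the `ifdef(`rpm.te'` block, so on a Red Hat build without rpm.te readahead silently loses access to the system cron spool even though it has nothing to do with rpm; move it out to the enclosing `ifdef(`distro_redhat'` level. Separately, the prelink comment says "we either need to allow or dontaudit" and then commits `allow system_crond_t initctl_t:fifo_file write;`, which lets every system cron job, not only prelink, write to the init control fifo; unless a job demonstrably breaks without it, a dontaudit is the safer choice, or the prelink job should get its own domain. Minor: `allow crond_t rpm_log_t: file create_file_perms;` has a stray space after the colon, unlike every other rule in the file.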


@ -0,0 +1,12 @@
#DESC Crontab - Crontab manipulation programs
#
# Domains for the crontab program.
#
# X-Debian-Packages: cron
#
# Type for the crontab executable.
type crontab_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the crontab_domain macro in
# macros/program/crontab_macros.te.

mls/domains/program/cups.te Normal file

@ -0,0 +1,321 @@
#DESC Cups - Common Unix Printing System
#
# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
# Depends: lpd.te lpr.te
#################################
#
# Rules for the cupsd_t domain.
#
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
can_network(cupsd_t)
allow cupsd_t port_type:tcp_socket name_connect;
logdir_domain(cupsd)
tmp_domain(cupsd, `', { file dir fifo_file })
allow cupsd_t devpts_t:dir search;
allow cupsd_t device_t:lnk_file read;
allow cupsd_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t urandom_device_t:chr_file { getattr read };
dontaudit cupsd_t random_device_t:chr_file ioctl;
# temporary solution, we need something better
allow cupsd_t serial_device:chr_file rw_file_perms;
r_dir_file(cupsd_t, usbdevfs_t)
r_dir_file(cupsd_t, usbfs_t)
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
')
ifdef(`inetd.te', `
allow inetd_t printer_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
')
# write to spool
allow cupsd_t var_spool_t:dir search;
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
allow cupsd_t cupsd_etc_t:file setattr;
allow cupsd_t cupsd_etc_t:dir setattr;
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
can_exec(cupsd_t, initrc_exec_t)
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t self:file { getattr read };
read_sysctl(cupsd_t)
allow cupsd_t sysctl_dev_t:dir search;
allow cupsd_t sysctl_dev_t:file { getattr read };
# for /etc/printcap
dontaudit cupsd_t etc_t:file write;
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t reserved_port_t:tcp_socket name_bind;
dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:fifo_file rw_file_perms;
# Use capabilities.
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
dontaudit cupsd_t self:capability net_admin;
#
# /usr/lib/cups/backend/serial needs sys_admin
# Need new context to run under???
allow cupsd_t self:capability sys_admin;
allow cupsd_t self:process setsched;
# for /var/lib/defoma
allow cupsd_t var_lib_t:dir search;
r_dir_file(cupsd_t, readable_t)
# Bind to the cups/ipp port (631).
allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
can_tcp_connect(web_client_domain, cupsd_t)
can_tcp_connect(cupsd_t, cupsd_t)
# Send to portmap.
ifdef(`portmap.te', `
can_udp_send(cupsd_t, portmap_t)
can_udp_send(portmap_t, cupsd_t)
')
# Write to /var/spool/cups.
allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
allow cupsd_t print_spool_t:file create_file_perms;
allow cupsd_t print_spool_t:file rw_file_perms;
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow cupsd_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_t bin_t:lnk_file read;
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
read_fonts(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
# read python modules
allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
#
# lots of errors generated requiring the following
#
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
#
# Satisfy readahead
#
allow initrc_t cupsd_log_t:file { getattr read };
r_dir_file(cupsd_t, var_t)
r_dir_file(cupsd_t, usercanread)
ifdef(`samba.te', `
rw_dir_file(cupsd_t, samba_var_t)
allow smbd_t cupsd_etc_t:dir search;
')
ifdef(`pam.te', `
dontaudit cupsd_t pam_var_run_t:file { getattr read };
')
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
can_network_server_tcp(ptal_t)
allow ptal_t ptal_port_t:tcp_socket name_bind;
allow userdomain ptal_t:unix_stream_socket connectto;
allow userdomain ptal_var_run_t:sock_file write;
allow userdomain ptal_var_run_t:dir search;
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file rw_file_perms;
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
rw_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
allow cupsd_t ptal_var_run_t:dir search;
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink;
# HPLIP
daemon_domain(hplip)
etcdir_domain(hplip)
allow hplip_t etc_t:file r_file_perms;
allow hplip_t etc_runtime_t:file { read getattr };
allow hplip_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t hplip_var_run_t:file { read getattr };
allow hplip_t cupsd_etc_t:dir search;
can_network(hplip_t)
allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
allow hplip_t hplip_port_t:tcp_socket name_bind;
# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
# for python
can_exec(hplip_t, bin_t)
allow hplip_t { sbin_t bin_t }:dir search;
allow hplip_t self:file { getattr read };
allow hplip_t proc_t:file r_file_perms;
allow hplip_t urandom_device_t:chr_file { getattr read };
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
allow hplip_t devpts_t:dir search;
allow hplip_t devpts_t:chr_file { getattr ioctl };
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
allow cupsd_t printconf_t:file { getattr read };
ifdef(`dbusd.te', `
dbusd_client(system, cupsd)
allow cupsd_t system_dbusd_t:dbus send_msg;
allow cupsd_t userdomain:dbus send_msg;
')
# CUPS configuration daemon
daemon_domain(cupsd_config, `, nscd_client_domain')
allow cupsd_config_t devpts_t:dir search;
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat
allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
allow cupsd_config_t self:file { getattr read };
allow cupsd_config_t proc_t:file { getattr read };
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
can_ps(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:capability { chown sys_tty_config };
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
allow cupsd_config_t var_t:lnk_file read;
can_network_tcp(cupsd_config_t)
can_ypbind(cupsd_config_t)
allow cupsd_config_t port_type:tcp_socket name_connect;
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
allow userdomain cupsd_config_t:dbus send_msg;
')dnl end if dbusd.te
ifdef(`hald.te', `
ifdef(`dbusd.te', `
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
')dnl end if dbusd.te
allow hald_t cupsd_config_t:process signal;
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
') dnl end if hald.te
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
can_exec(cupsd_config_t, hostname_exec_t)
')
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
# killall causes the following
dontaudit cupsd_config_t domain:dir { getattr search };
dontaudit cupsd_config_t selinux_config_t:dir search;
can_exec(cupsd_config_t, cupsd_config_exec_t)
allow cupsd_config_t usr_t:file { getattr read };
allow cupsd_config_t var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
allow cupsd_config_t crond_t:fifo_file r_file_perms;
allow cupsd_t crond_t:fifo_file read;
allow cupsd_t crond_t:fd use;
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
ifdef(`targeted_policy', `
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
allow unconfined_t cupsd_config_t:dbus send_msg;
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
')
typealias printer_port_t alias cupsd_lpd_port_t;
inetd_child_domain(cupsd_lpd)
allow inetd_t printer_port_t:tcp_socket name_bind;
r_dir_file(cupsd_lpd_t, cupsd_etc_t)
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
ifdef(`use_mcs', `
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
')
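Review bot: `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the cupsd_config_t section references rpm_var_lib_t outside any `ifdef(`rpm.te'` guard, while the same access is already granted earlier inside `ifdef(`distro_redhat', ifdef(`rpm.te', ...`; the unguarded copy is redundant on Red Hat and an undeclared-type build failure wherever rpm.te is not part of the policy, so drop it. Two privilege grants deserve a second look: `allow cupsd_t self:capability sys_admin;` is committed under a comment asking `Need new context to run under???`, and the answer should be a separate sub-domain for /usr/lib/cups/backend/serial rather than sys_admin for the whole daemon; and `allow cupsd_t reserved_port_t:tcp_socket name_bind;` lets cupsd bind every generic reserved port although the ipp port is already covered by `allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;`. The comment `allowing setattr access to cupsd_etc_t is wrong`, followed by the very setattr rules it condemns, should at least become a TODO stating why the access is still needed.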


@ -0,0 +1,30 @@
#DESC cvs - Concurrent Versions System
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the cvs_t domain.
#
# cvs_exec_t is the type of the cvs executable.
#
inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
type cvs_data_t, file_type, sysadmfile, customizable;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
allow cvs_t bin_t:dir search;
allow cvs_t { bin_t sbin_t }:lnk_file read;
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
ifdef(`kerberos.te', `
# Allow kerberos to work
allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
dontaudit cvs_t krb5_conf_t:file write;
')
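Review bot: `allow system_mail_t cvs_data_t:file { getattr read };` uses system_mail_t without an `ifdef(`mta.te'` guard, unlike the mta references elsewhere in this commit (crond.te wraps its mta_user_agent and system_mail_t rules in `ifdef(`mta.te'`), so the file will not build when the mail policy is absent. Also, `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` gives an inetd-exposed network service that also carries privmail and auth_chkpwd the ability to run any shell or bin_t/sbin_t program, with no comment saying what needs it (presumably CVSROOT commitinfo/loginfo hook scripts); add that comment, and consider putting hook execution behind a bool so sites that do not use hooks can leave it off.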


@ -0,0 +1,60 @@
#DESC cyrus-imapd
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# cyrusd_exec_t is the type of the cyrusd executable.
# cyrusd_key_t is the type of the cyrus private key files
daemon_domain(cyrus)
general_domain_access(cyrus_t)
file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
type cyrus_var_lib_t, file_type, sysadmfile;
allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow cyrus_t self:process setrlimit;
can_network(cyrus_t)
allow cyrus_t port_type:tcp_socket name_connect;
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
allow cyrus_t etc_t:file { getattr read };
allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
read_locale(cyrus_t)
read_sysctl(cyrus_t)
tmp_domain(cyrus)
allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
allow cyrus_t proc_t:dir search;
allow cyrus_t proc_t:file { getattr read };
allow cyrus_t sysadm_devpts_t:chr_file { read write };
allow cyrus_t var_lib_t:dir search;
allow cyrus_t etc_runtime_t:file { read getattr };
ifdef(`crond.te', `
system_crond_entry(cyrus_exec_t, cyrus_t)
allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
')
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
ifdef(`saslauthd.te', `
allow cyrus_t saslauthd_var_run_t:dir search;
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
')
r_dir_file(cyrus_t, cert_t)
allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
ifdef(`postfix.te', `
allow postfix_master_t cyrus_t:unix_stream_socket connectto;
allow postfix_master_t var_lib_t:dir search;
allow postfix_master_t cyrus_var_lib_t:dir search;
allow postfix_master_t cyrus_var_lib_t:sock_file write;
')
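Review bot: the header comments name `cyrusd_exec_t` and `cyrusd_key_t`, but `daemon_domain(cyrus)` declares cyrus_exec_t, and no key type is declared anywhere in the file; the only private key access present is `r_dir_file(cyrus_t, cert_t)`, so either fix the comment or add the dedicated key type it promises (a dedicated type is preferable to reading everything labelled cert_t). Also, `allow cyrus_t sysadm_devpts_t:chr_file { read write };` is a daemon reading and writing the administrator's pty, which is only needed when it is started by hand from a terminal; a dontaudit or a terminal-access macro would be cleaner than a permanent allow.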


@ -0,0 +1,14 @@
#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the dbskkd_t domain.
#
# dbskkd_exec_t is the type of the dbskkd executable.
#
# Depends: inetd.te
inetd_child_domain(dbskkd)


@ -0,0 +1,27 @@
#DESC dbus-daemon-1 server for dbus desktop bus protocol
#
# Author: Russell Coker <russell@coker.com.au>
dbusd_domain(system)
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
ifdef(`pamconsole.te', `
r_dir_file(system_dbusd_t, pam_var_console_t)
')
# dac_override: /var/run/dbus is owned by messagebus on Debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
nsswitch_domain(system_dbusd_t)
# I expect we need more than this
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_t system_dbusd_var_run_t:sock_file write;
can_exec(system_dbusd_t, sbin_t)
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:unix_stream_socket connectto;
allow system_dbusd_t self:unix_stream_socket connectto;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
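Review bot: `allow system_dbusd_t self:unix_stream_socket connectto;` appears twice in a row; drop the duplicate. `can_exec(system_dbusd_t, sbin_t)` lets the system bus run anything labelled sbin_t in its own domain with no comment naming the helper that needs it; if this is a service activation helper it should be a domain_auto_trans into its own domain rather than an execute without transition. The `# I expect we need more than this` comment above the initrc_t rules is a placeholder and should be replaced by what was actually observed to be needed.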


@ -0,0 +1,42 @@
#DESC ddcprobe - output ddcprobe results from kudzu
#
# Author: dan walsh <dwalsh@redhat.com>
#
type ddcprobe_t, domain, privmem;
type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
# Allow execution by the sysadm
role sysadm_r types ddcprobe_t;
role system_r types ddcprobe_t;
domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
uses_shlib(ddcprobe_t)
# Allow terminal access
access_terminal(ddcprobe_t, sysadm)
# Allow ddcprobe to read /dev/mem
allow ddcprobe_t memory_device_t:chr_file read;
allow ddcprobe_t memory_device_t:chr_file { execute write };
allow ddcprobe_t self:process execmem;
allow ddcprobe_t zero_device_t:chr_file { execute read };
allow ddcprobe_t proc_t:dir search;
allow ddcprobe_t proc_t:file { getattr read };
can_exec(ddcprobe_t, sbin_t)
allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
allow ddcprobe_t userdomain:fd use;
read_sysctl(ddcprobe_t)
allow ddcprobe_t urandom_device_t:chr_file { getattr read };
allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
allow ddcprobe_t self:capability { sys_rawio sys_admin };
allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
allow ddcprobe_t kudzu_exec_t:file getattr;
allow ddcprobe_t lib_t:file { getattr read };
read_locale(ddcprobe_t)
allow ddcprobe_t modules_object_t:dir search;
allow ddcprobe_t modules_dep_t:file { getattr read };
allow ddcprobe_t usr_t:file { getattr read };
allow ddcprobe_t kernel_t:system syslog_console;
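Review bot: the comment `# Allow ddcprobe to read /dev/mem` is contradicted on the next line by `allow ddcprobe_t memory_device_t:chr_file { execute write };`, which together with `allow ddcprobe_t self:process execmem;`, `allow ddcprobe_t zero_device_t:chr_file { execute read };` and the `sys_rawio sys_admin` capabilities amounts to full physical memory access for a probe utility; if this is for running video BIOS code through real-mode emulation, state that in the comment, otherwise a later cleanup will reasonably cut the grant back to read. Both `role sysadm_r types ddcprobe_t;` and `role system_r types ddcprobe_t;` are declared but only the sysadm_t transition is given here; note how system_r reaches the domain (presumably kudzu, given `allow ddcprobe_t kudzu_exec_t:file getattr;`) or drop the role.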


@ -0,0 +1,169 @@
#DESC DHCPC - DHCP client
#
# Authors: Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pump dhcp-client udhcpc
#
#################################
#
# Rules for the dhcpc_t domain.
#
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
# network configurator daemon started by /etc/sysconfig/network-scripts
# rc scripts, runs in this domain.
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpc)
# for SSP
allow dhcpc_t urandom_device_t:chr_file read;
can_network(dhcpc_t)
allow dhcpc_t port_type:tcp_socket name_connect;
can_ypbind(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t devpts_t:dir search;
# for localization
allow dhcpc_t lib_t:file { getattr read };
ifdef(`consoletype.te', `
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
')
ifdef(`nscd.te', `
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
allow dhcpc_t nscd_var_run_t:file { getattr read };
')
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
allow cardmgr_t dhcpc_var_run_t:file unlink;
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
')
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
ifdef(`hotplug.te', `
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
', `
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
') dnl end if ping
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
')
type dhcpc_state_t, file_type, sysadmfile;
allow dhcpc_t etc_t:lnk_file read;
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
allow dhcpc_t proc_net_t:dir search;
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
allow dhcpc_t self:file { getattr read };
read_sysctl(dhcpc_t)
allow dhcpc_t userdomain:fd use;
ifdef(`run_init.te', `
allow dhcpc_t run_init_t:fd use;
')
# Use capabilities
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
# for udp port 68
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
# Allow access to the dhcpc file types
r_dir_file(dhcpc_t, dhcp_etc_t)
allow dhcpc_t sbin_t:dir search;
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
ifdef(`distro_redhat', `
can_exec(dhcpc_t, etc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
ifdef(`ifconfig.te', `
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
tmp_domain(dhcpc)
# Allow dhcpc_t to use packet sockets
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
rw_dir_create_file(dhcpc_t, dhcpc_state_t)
allow dhcpc_t dhcp_state_t:file { getattr read };
allow dhcpc_t bin_t:dir { getattr search };
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })
ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
allow dhcpc_t { userdomain kernel_t }:fd use;
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
#
# dhclient sometimes starts ypbind and ntdp
#
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
allow dhcpc_t ypbind_t:process signal;
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')
role sysadm_r types dhcpc_t;
domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
ifdef(`dbusd.te', `
dbusd_client(system, dhcpc)
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')dnl end ifdef unconfined.te
')
ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
allow dhcpc_t locale_t:file write;
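Review bot: inside the `ifdef(`dbusd.te'` block, `allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;` and its mirror rule use NetworkManager_t with no `ifdef(`NetworkManager.te'` guard, while the unconfined_t rules directly below are guarded by `ifdef(`unconfined.te'`; on a build without the NetworkManager policy this is an undeclared type. The final line, `allow dhcpc_t locale_t:file write;`, grants a DHCP client write access to locale data with no comment; it reads like a denial copied straight from the audit log and should be a dontaudit, or investigated, rather than an allow. Minor duplication: `allow dhcpc_t { userdomain kernel_t }:fd use;` repeats the earlier `allow dhcpc_t userdomain:fd use;`.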


@ -0,0 +1,79 @@
#DESC DHCPD - DHCP server
#
# Author: Russell Coker <russell@coker.com.au>
# based on the dhcpc_t policy from:
# Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# X-Debian-Packages: dhcp dhcp3-server
#
#################################
#
# Rules for the dhcpd_t domain.
#
# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
# server daemon rc scripts, runs in this domain.
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpd, `, nscd_client_domain')
# for UDP port 4011
allow dhcpd_t pxe_port_t:udp_socket name_bind;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
# Use the network.
can_network(dhcpd_t)
allow dhcpd_t port_type:tcp_socket name_connect;
allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t var_lib_t:dir search;
allow dhcpd_t devtty_t:chr_file { read write };
# Use capabilities
allow dhcpd_t self:capability { net_raw net_bind_service };
dontaudit dhcpd_t self:capability net_admin;
# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
type dhcpd_state_t, file_type, sysadmfile;
allow dhcpd_t dhcp_etc_t:file { read getattr };
allow dhcpd_t dhcp_etc_t:dir search;
file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
rw_dir_create_file(dhcpd_t, dhcpd_state_t)
allow dhcpd_t etc_t:lnk_file read;
allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;
# allow to run utilities and scripts
allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
allow dhcpd_t self:fifo_file { read write getattr };
# allow reading /proc
allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
tmp_domain(dhcpd)
ifdef(`distro_gentoo', `
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
allow initrc_t dhcpd_state_t:file setattr;
')
r_dir_file(dhcpd_t, usr_t)
allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
ifdef(`named.te', `
allow dhcpd_t { named_conf_t named_zone_t }:dir search;
allow dhcpd_t dnssec_t:file { getattr read };
')
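Review bot: `allow dhcpd_t port_type:tcp_socket name_connect;` lets the server open TCP connections to every labelled port, although the only outbound peer the file anticipates is named (see the `ifdef(`named.te'` block); narrow it to the DNS port type used for dynamic updates. The header comments were copied from dhcpc.te without being adjusted: `dhcpd, the DHCP server daemon rc scripts, runs in this domain` is garbled, `the dhcpdd executable` has an extra d, and `other DHCPC related files` should read DHCPD.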


@ -0,0 +1,48 @@
#DESC Dictd - Dictionary daemon
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dictd
#
#################################
#
# Rules for the dictd_t domain.
#
# dictd_exec_t is the type of the dictd executable.
#
daemon_base_domain(dictd)
type dictd_var_lib_t, file_type, sysadmfile;
typealias dictd_var_lib_t alias var_lib_dictd_t;
etc_domain(dictd)
# for checking for nscd
dontaudit dictd_t var_run_t:dir search;
# read config files
allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
read_locale(dictd_t)
allow dictd_t { var_t var_lib_t }:dir search;
allow dictd_t dictd_var_lib_t:dir r_dir_perms;
allow dictd_t dictd_var_lib_t:file r_file_perms;
allow dictd_t self:capability { setuid setgid };
allow dictd_t usr_t:file r_file_perms;
allow dictd_t self:process { setpgid fork sigchld };
allow dictd_t proc_t:file r_file_perms;
allow dictd_t dict_port_t:tcp_socket name_bind;
allow dictd_t devtty_t:chr_file rw_file_perms;
allow dictd_t self:unix_stream_socket create_stream_socket_perms;
can_network_server(dictd_t)
can_ypbind(dictd_t)
can_tcp_connect(userdomain, dictd_t)
allow dictd_t fs_t:filesystem getattr;


@ -0,0 +1,29 @@
#DESC dmesg - control kernel ring buffer
#
# Author: Dan Walsh dwalsh@redhat.com
#
# X-Debian-Packages: util-linux
#################################
#
# Rules for the dmesg_t domain.
#
# dmesg_exec_t is the type of the dmesg executable.
#
# while sysadm_t has the sys_admin capability there is no point in using
# dmesg_t when run from sysadm_t, so we use nosysadm.
#
daemon_base_domain(dmesg, , `nosysadm')
#
# Rules used for dmesg
#
allow dmesg_t self:capability sys_admin;
allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
allow dmesg_t admin_tty_type:chr_file { getattr read write };
allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
allow dmesg_t var_log_t:file { getattr write };
read_locale(dmesg_t)
# for when /usr is not mounted
dontaudit dmesg_t file_t:dir search;
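Review bot: `allow dmesg_t var_log_t:file { getattr write };` is the only uncommented rule in the file and it covers every generic log file, not just /var/log/dmesg; if it exists so the rc script can redirect dmesg output into /var/log/dmesg, say so in a comment, and consider a dedicated file type for that one file so dmesg_t cannot write to other logs.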


@ -0,0 +1,22 @@
#DESC dmidecode - decodes DMI data for x86/ia64 bioses
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
type dmidecode_t, domain, privmem;
type dmidecode_exec_t, file_type, exec_type, sysadmfile;
# Allow execution by the sysadm
role sysadm_r types dmidecode_t;
role system_r types dmidecode_t;
domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
uses_shlib(dmidecode_t)
# Allow terminal access
access_terminal(dmidecode_t, sysadm)
# Allow dmidecode to read /dev/mem
allow dmidecode_t memory_device_t:chr_file read;
allow dmidecode_t self:capability sys_rawio;


@ -0,0 +1,75 @@
#DESC Dovecot POP and IMAP servers
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
#
# Main dovecot daemon
#
daemon_domain(dovecot, `, privhome')
etc_domain(dovecot);
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
can_exec(dovecot_t, dovecot_exec_t)
type dovecot_cert_t, file_type, sysadmfile;
type dovecot_passwd_t, file_type, sysadmfile;
type dovecot_spool_t, file_type, sysadmfile;
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
can_network_tcp(dovecot_t)
allow dovecot_t port_type:tcp_socket name_connect;
can_ypbind(dovecot_t)
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(dovecot_t, self)
allow dovecot_t etc_t:file { getattr read };
allow dovecot_t initrc_var_run_t:file getattr;
allow dovecot_t bin_t:dir { getattr search };
can_exec(dovecot_t, bin_t)
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file { getattr read };
allow dovecot_t cert_t:dir search;
r_dir_file(dovecot_t, dovecot_cert_t)
r_dir_file(dovecot_t, cert_t)
allow dovecot_t { self proc_t }:file { getattr read };
allow dovecot_t self:fifo_file rw_file_perms;
can_kerberos(dovecot_t)
allow dovecot_t tmp_t:dir search;
rw_dir_create_file(dovecot_t, mail_spool_t)
create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
allow dovecot_t var_spool_t:dir { search };
#
# Dovecot auth daemon
#
daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
can_ldap(dovecot_auth_t)
can_ypbind(dovecot_auth_t)
can_kerberos(dovecot_auth_t)
can_resolve(dovecot_auth_t)
allow dovecot_auth_t self:process { fork signal_perms };
allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t self:fifo_file rw_file_perms;
allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
allow dovecot_auth_t etc_t:file { getattr read };
allow dovecot_auth_t { self proc_t }:file { getattr read };
read_locale(dovecot_auth_t)
read_sysctl(dovecot_auth_t)
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
dontaudit dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t etc_runtime_t:file { getattr read };
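Review bot: `allow dovecot_t port_type:tcp_socket name_connect;` lets the IMAP/POP server open outbound connections to every labelled port, which removes the value of the name_connect check; narrow it to the port types dovecot actually connects to. Two smaller points in the same hunk: `etc_domain(dovecot);` carries a trailing semicolon that no other macro call in this file has, and `create_dir_file(mta_delivery_agent, dovecot_spool_t)` grants every MTA delivery agent create and write access to the dovecot spool, which deserves a comment naming the delivery path that needs it.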


@ -0,0 +1,32 @@
#DESC fetchmail - remote-mail retrieval utility
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: fetchmail
# Depends: mta.te
#
# Note: This policy is only required when running fetchmail in daemon mode.
#################################
#
# Rules for the fetchmail_t domain.
#
daemon_domain(fetchmail);
type fetchmail_etc_t, file_type, sysadmfile;
type fetchmail_uidl_cache_t, file_type, sysadmfile;
# misc. requirements
allow fetchmail_t self:process setrlimit;
# network-related goodies
can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
can_network_udp(fetchmail_t, dns_port_t)
allow fetchmail_t port_type:tcp_socket name_connect;
allow fetchmail_t self:unix_dgram_socket create_socket_perms;
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
# file access
allow fetchmail_t etc_t:file r_file_perms;
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
allow fetchmail_t mail_spool_t:dir search;
file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
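Review bot: `allow fetchmail_t port_type:tcp_socket name_connect;` contradicts the deliberately narrow `can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })` two lines above it: with name_connect on the whole `port_type` attribute, fetchmail can connect to any labelled port. Replace it with `allow fetchmail_t { pop_port_t smtp_port_t }:tcp_socket name_connect;` (adding any further port type a site configures fetchmail to poll). Also, `daemon_domain(fetchmail);` has a trailing semicolon, unlike the other macro calls in this commit.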


@ -0,0 +1,80 @@
#DESC Fingerd - Finger daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#
#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)
etcdir_domain(fingerd)
allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
log_domain(fingerd)
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')
allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;
# cfingerd runs shell scripts
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };
allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)
allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };
# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)
# for .finger, .plan. etc
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;
# for mail
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;
# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
allow fingerd_t ptyfile:chr_file getattr;
allow fingerd_t proc_t:file { read getattr };
# for date command
read_sysctl(fingerd_t)
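Review bot: `allow fingerd_t user_home_type:file { getattr read };` gives an unauthenticated network service (`can_network_server(fingerd_t)`, `can_tcp_connect(userdomain, fingerd_t)`) read access to every file in every user's home directory, and the comment `# should really have a different type for .plan etc` acknowledges it. Until a dedicated type exists, gate this rule, and the `can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })` line that only cfingerd needs, behind a boolean the way ftpd.te in this commit uses `ftp_home_dir`, so sites that do not run cfingerd or do not want home-directory exposure can switch both off.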


@ -0,0 +1,131 @@
#DESC firstboot
#
# Author: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#
#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')
etc_domain(firstboot)
allow firstboot_t proc_t:file r_file_perms;
allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };
domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
can_exec_any(firstboot_t)
ifdef(`useradd.te',`
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
')
allow firstboot_t etc_runtime_t:file { getattr read };
r_dir_file(firstboot_t, etc_t)
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)
allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;
allow firstboot_t etc_t:file write;
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
dontaudit firstboot_t shadow_t:file getattr;
role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
allow firstboot_t self:passwd rootok;
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')
allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;
allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
can_getsecurity(firstboot_t)
dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)
allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
ifdef(`hostname.te', `
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
')
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
#
# The big hammer
#
unconfined_domain(firstboot_t)
ifdef(`targeted_policy', `
allow firstboot_t unconfined_t:process transition;
')
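Review bot: `unconfined_domain(firstboot_t)` at the end of the hunk makes the roughly eighty allow and dontaudit rules above it dead weight: once the domain is unconfined none of them restricts anything, and lines such as `dontaudit firstboot_t shadow_t:file getattr;` no longer suppress anything because nothing is denied. Either drop the big hammer and keep the explicit rules, or keep it and delete the rules so the file does not misrepresent what firstboot_t can do. In either case there are plain duplicates to remove: `proc_t:file` is granted twice (`r_file_perms` and `{ getattr read write }`), `allow firstboot_t etc_t:file write;` is subsumed by the later `etc_t:{ file lnk_file } create_file_perms`, and `role system_r types initrc_t;` is an initrc_t declaration that belongs in initrc.te.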


@ -0,0 +1,28 @@
#DESC file system daemons
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: smartmontools
daemon_domain(fsdaemon, `, fs_domain, privmail')
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
# for config
allow fsdaemon_t etc_t:file { getattr read };
allow fsdaemon_t device_t:dir read;
allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
allow fsdaemon_t etc_runtime_t:file { getattr read };
allow fsdaemon_t proc_mdstat_t:file { getattr read };
can_exec_any(fsdaemon_t)
allow fsdaemon_t self:fifo_file rw_file_perms;
can_network_udp(fsdaemon_t)
tmp_domain(fsdaemon)
allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
dontaudit fsdaemon_t devpts_t:dir search;
allow fsdaemon_t proc_t:file { getattr read };
dontaudit system_mail_t fixed_disk_device_t:blk_file read;
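Review bot: `can_exec_any(fsdaemon_t)` is broader than smartd needs; the executables it runs are the notification scripts configured for `-M exec`, so a `can_exec` limited to `shell_exec_t` and `bin_t` (as hotplug.te and dovecot.te in this commit do) keeps a daemon holding `sys_rawio` and `sys_admin` from running arbitrary executables. The `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` line also wants a comment, presumably that the mail helper inherits an open disk descriptor from fsdaemon_t, since on its own it looks like a mailer misbehaviour being silenced.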


@ -0,0 +1,123 @@
#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#
#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
# Read system variables in /proc/sys
read_sysctl(fsadm_t)
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };
base_file_read_access(fsadm_t)
# Read /etc.
r_dir_file(fsadm_t, etc_t)
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;
uses_shlib(fsadm_t)
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
allow fsadm_t fs_t:filesystem getattr;
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;
# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)
# Access disk devices.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };
# Recreate /dev/cdrom.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };
# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
read_locale(fsadm_t)
# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
allow fsadm_t device_type:chr_file getattr;
# for tune2fs
allow fsadm_t file_type:dir { getattr search };
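Review bot: `type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;` exempts this domain from the MLS read and write constraints on files, and the header comment does not say so. Combined with `rw_file_perms` on fixed_disk_device_t, removable_device_t and `{ file_t unlabeled_t }`, anything that reaches fsadm_t can read and write data at every sensitivity level, so the entry points are the whole boundary: initrc_t, sysadm_t outside targeted_policy, and `system_crond_entry(fsadm_exec_t, fsadm_t)`, which lets any system cron job obtain these privileges by executing an fsadm_exec_t program. Please document the MLS override in the comment block at the top and justify the cron entry point beyond `# for smartctl cron jobs`.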

mls/domains/program/ftpd.te Normal file

@ -0,0 +1,116 @@
#DESC Ftpd - Ftp daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
#
#################################
#
# Rules for the ftpd_t domain
#
daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
etc_domain(ftpd)
can_network(ftpd_t)
allow ftpd_t port_type:tcp_socket name_connect;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;
allow ftpd_t bin_t:dir search;
can_exec(ftpd_t, bin_t)
allow ftpd_t bin_t:lnk_file read;
read_sysctl(ftpd_t)
allow ftpd_t urandom_device_t:chr_file { getattr read };
ifdef(`crond.te', `
system_crond_entry(ftpd_exec_t, ftpd_t)
allow system_crond_t xferlog_t:file r_file_perms;
can_exec(ftpd_t, { sbin_t shell_exec_t })
allow ftpd_t usr_t:file { getattr read };
ifdef(`logrotate.te', `
can_exec(ftpd_t, logrotate_exec_t)
')dnl end if logrotate.te
')dnl end if crond.te
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t, file_type, sysadmfile, lockfile;
# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
if (ftpd_is_daemon) {
file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
# Allows it to check exec privs on daemon
allow inetd_t ftpd_exec_t:file x_file_perms;
}
ifdef(`inetd.te', `
if (!ftpd_is_daemon) {
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
# Use sockets inherited from inetd.
allow ftpd_t inetd_t:fd use;
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Send SIGCHLD to inetd on death.
allow ftpd_t inetd_t:process sigchld;
}
') dnl end inetd.te
# Access shared memory tmpfs instance.
tmpfs_domain(ftpd)
# Use capabilities.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
# Append to /var/log/wtmp.
allow ftpd_t wtmp_t:file { getattr append };
#kerberized ftp requires the following
allow ftpd_t wtmp_t:file { write lock };
# Create and modify /var/log/xferlog.
type xferlog_t, file_type, sysadmfile, logfile;
file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
can_exec(ftpd_t, ls_exec_t)
allow initrc_t ftpd_etc_t:file { getattr read };
allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
allow ftpd_t proc_t:file { getattr read };
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
dontaudit ftpd_t selinux_config_t:dir search;
allow ftpd_t autofs_t:dir search;
allow ftpd_t self:file { getattr read };
tmp_domain(ftpd)
# Allow ftp to read/write files in the user home directories.
bool ftp_home_dir false;
if (ftp_home_dir) {
# allow access to /home
allow ftpd_t home_root_t:dir r_dir_perms;
create_dir_file(ftpd_t, home_type)
ifdef(`targeted_policy', `
file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
')
}
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
}
if (use_samba_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, cifs_t)
}
dontaudit ftpd_t selinux_config_t:dir search;
anonymous_domain(ftpd)
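Review bot: inside the `if (ftpd_is_daemon) { ... }` block, `allow inetd_t ftpd_exec_t:file x_file_perms;` names inetd_t without an `ifdef(`inetd.te', ...)` guard, while the `!ftpd_is_daemon` block a few lines later is guarded; on a build without inetd.te the type is undeclared and checkpolicy rejects the rule. Move that line inside the ifdef, and revisit its comment `# Allows it to check exec privs on daemon`, which does not explain why inetd needs exec rights on ftpd precisely when ftpd is not started from inetd. Also, `dontaudit ftpd_t selinux_config_t:dir search;` appears twice (before `allow ftpd_t autofs_t:dir search;` and again just before `anonymous_domain(ftpd)`); drop one.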


@ -0,0 +1,61 @@
#DESC Getty - Manage ttys
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
#
#################################
#
# Rules for the getty_t domain.
#
init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')
etcdir_domain(getty)
allow getty_t console_device_t:chr_file setattr;
tmp_domain(getty)
log_domain(getty)
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
allow getty_t etc_t:lnk_file read;
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
read_locale(getty_t)
# Run login in local_login_t domain.
allow getty_t { sbin_t bin_t }:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
allow getty_t { var_t var_run_t }:dir search;
allow getty_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow getty_t wtmp_t:file rw_file_perms;
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
# for error condition handling
allow getty_t fs_t:filesystem getattr;
lock_domain(getty)
r_dir_file(getty_t, sysfs_t)
# for mgetty
var_run_domain(getty)
allow getty_t self:capability { fowner fsetid };
#
# getty needs to be able to run pppd
#
ifdef(`pppd.te', `
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
')
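Review bot: `init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')` gives getty_t the MLS file read and write overrides with no comment on which accesses need them (presumably the utmp and wtmp writes via initrc_var_run_t and wtmp_t); state that in the comment block, since an MLS override is the most consequential thing in this file. `privmail` likewise goes uncommented: the `# for mgetty` comment lower down covers `var_run_domain(getty)` and the `fowner fsetid` capabilities but not the mail privilege. Separately, if tty_device_t carries the ttyfile attribute then `allow getty_t ttyfile:chr_file { setattr rw_file_perms };` already covers the preceding tty_device_t line.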


@ -0,0 +1,13 @@
#DESC gpg-agent - agent to securely store gpg-keys
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Type for the gpg-agent executable.
type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
# type for the pinentry executable
type pinentry_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in the gpg_agent_domain macro in
# macros/program/gpg_agent_macros.te.


@ -0,0 +1,15 @@
#DESC GPG - Gnu Privacy Guard (PGP replacement)
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: gnupg
#
# Type for gpg or pgp executables.
type gpg_exec_t, file_type, sysadmfile, exec_type;
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
# Everything else is in the gpg_domain macro in
# macros/program/gpg_macros.te.


@ -0,0 +1,45 @@
#DESC Gpm - General Purpose Mouse driver
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: gpm
#
#################################
#
# Rules for the gpm_t domain.
#
# gpm_t is the domain of the console mouse server.
# gpm_exec_t is the type of the console mouse server program.
# gpmctl_t is the type of the Unix domain socket or pipe created
# by the console mouse server.
#
daemon_domain(gpm)
type gpmctl_t, file_type, sysadmfile, dev_fs;
tmp_domain(gpm)
# Allow to read the /etc/gpm/ conf files
type gpm_conf_t, file_type, sysadmfile;
r_dir_file(gpm_t, gpm_conf_t)
# Use capabilities.
allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
# Create and bind to /dev/gpmctl.
file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
allow gpm_t self:unix_dgram_socket create_socket_perms;
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
# Read and write ttys.
allow gpm_t tty_device_t:chr_file rw_file_perms;
# Access the mouse.
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
allow gpm_t device_t:lnk_file { getattr read };
read_locale(gpm_t)
allow initrc_t gpmctl_t:sock_file setattr;

mls/domains/program/hald.te Normal file

@ -0,0 +1,104 @@
#DESC hald - server for device info
#
# Author: Russell Coker <rcoker@redhat.com>
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
daemon_domain(hald, `, fs_domain, nscd_client_domain')
can_exec_any(hald_t)
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')
allow hald_t self:file { getattr read };
allow hald_t proc_t:file rw_file_perms;
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
can_network_server(hald_t)
can_ypbind(hald_t)
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
allow hald_t mouse_device_t:chr_file r_file_perms;
allow hald_t device_type:chr_file getattr;
can_getsecurity(hald_t)
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t udev_tbl_t:file { getattr read };
')
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
allow hald_t fs_type:dir { search getattr };
allow hald_t usbfs_t:dir r_dir_perms;
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
allow hald_t bin_t:lnk_file read;
r_dir_file(hald_t, { selinux_config_t default_context_t } )
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
allow hald_t etc_runtime_t:file rw_file_perms;
allow hald_t var_lib_t:dir search;
allow hald_t device_t:dir create_dir_perms;
allow hald_t device_t:chr_file create_file_perms;
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')
# For /usr/libexec/hald-probe-smbios
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
# ??
ifdef(`lvm.te', `
allow hald_t lvm_control_t:chr_file r_file_perms;
')
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
ifdef(`mount.te', `
domain_auto_trans(hald_t, mount_exec_t, mount_t)
')
r_dir_file(hald_t, hwdata_t)
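Review bot: the `# ??` comment above the `ifdef(`lvm.te', ...)` block marks `allow hald_t lvm_control_t:chr_file r_file_perms;` as a rule the author could not justify; either explain what hald reads from the LVM control device or drop it rather than ship it with a question mark. The broader concern in this hunk is `can_exec_any(hald_t)` in a domain that also holds `mknod`, `sys_rawio`, `dac_override`, `device_t:chr_file create_file_perms` and `proc_t:file rw_file_perms`: the comments name the helpers hald runs (hald-addon-acpi, hald-probe-smbios under /usr/libexec), so a `can_exec` limited to those helper locations would keep an unexplained exec path out of a domain that can create device nodes. `X-Debian-Packages:` is also left empty.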


@ -0,0 +1,28 @@
#DESC hostname - show or set the system host name
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hostname
# for setting the hostname
daemon_core_rules(hostname, , nosysadm)
allow hostname_t self:capability sys_admin;
allow hostname_t etc_t:file { getattr read };
allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
read_locale(hostname_t)
can_resolve(hostname_t)
allow hostname_t userdomain:fd use;
dontaudit hostname_t kernel_t:fd use;
allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
can_access_pty(hostname_t, initrc)
allow hostname_t initrc_t:fd use;
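Review bot: `daemon_core_rules(hostname, , nosysadm)` passes the third argument unquoted, whereas dmesg.te in this commit writes `daemon_base_domain(dmesg, , `nosysadm')`; pick one form so m4 handles the word identically in both files. The comment `# for setting the hostname` sits above the macro call but describes `allow hostname_t self:capability sys_admin;` on the following line; move it down so the capability grant is the documented one.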


@ -0,0 +1,160 @@
#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
', `
daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read ioctl };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process { sigchld setpgid };
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
r_dir_file(hotplug_t, hwdata_t)
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit hotplug_t selinux_config_t:dir search;
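Review bot: `can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })` includes plain `etc_t`, which makes every generic file under /etc executable by the hotplug domain; the scripts hotplug runs already have their own hotplug_etc_t type (see `domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)`), so `etc_t` should come out of that list. In the `unlimitedUtils` branch the attribute list repeats `domain`, which the daemon_domain macro should already give the type, and hands out `privmem`, `auth_write`, `privowner` and `admin` with no comment on which helper needs each. Finally, the `allow initrc_t usbdevfs_t:file ...` and `allow initrc_t modules_dep_t:file ...` rules are initrc_t rules placed in hotplug.te; they belong in initrc.te, or need an ifdef and a comment here explaining the hotplug connection.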


@ -0,0 +1,21 @@
#DESC howl - port of Apple Rendezvous multicast DNS
#
# Author: Russell Coker <rcoker@redhat.com>
#
daemon_domain(howl, `, privsysmod')
r_dir_file(howl_t, proc_net_t)
can_network_server(howl_t)
can_ypbind(howl_t)
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t self:capability { kill net_admin sys_module };
allow howl_t self:fifo_file rw_file_perms;
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t etc_t:file { getattr read };
allow howl_t initrc_var_run_t:file rw_file_perms;
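Review bot: `allow howl_t self:unix_dgram_socket create_socket_perms;` appears twice in this hunk (after `can_ypbind(howl_t)` and again after the `name_bind` line); drop one. The capability set `{ kill net_admin sys_module }` together with the `privsysmod` attribute deserves a comment: a multicast DNS responder that can load kernel modules and signal other processes is unusual enough that the next reader will want to know which howl behaviour requires it.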


@ -0,0 +1,50 @@
#DESC Hwclock - Hardware clock manager
#
# Author: David A. Wheeler <dwheeler@ida.org>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: util-linux
#
#################################
#
# Rules for the hwclock_t domain.
# This domain moves time information between the "hardware clock"
# (which runs when the system is off) and the "system clock",
# and it stores adjustment values in /etc/adjtime so that errors in the
# hardware clock are corrected.
# Note that any errors from this domain are NOT recorded by the system logger,
# because the system logger isnt running when this domain is active.
#
daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
')
type adjtime_t, file_type, sysadmfile;
allow hwclock_t fs_t:filesystem getattr;
read_locale(hwclock_t)
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
# Allow hwclock to set the hardware clock.
allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { setattr rw_file_perms };
# Read and write console and ttys.
allow hwclock_t tty_device_t:chr_file rw_file_perms;
allow hwclock_t ttyfile:chr_file rw_file_perms;
allow hwclock_t ptyfile:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
read_locale(hwclock_t)
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
r_dir_file(hwclock_t, etc_t)
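Review bot: `read_locale(hwclock_t)` is invoked twice (after `allow hwclock_t fs_t:filesystem getattr;` and again after the gnome-pty-helper ifdef); remove one. Minor: the comment reads "logger isnt running" (missing apostrophe), and `adjtime_t` is declared with no file transition, so /etc/adjtime relies entirely on file_contexts labeling; a comment noting that would save the next reader a search.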


@ -0,0 +1,33 @@
# i18n_input.te
# Security Policy for IIIMF htt server
# Date: 2004, 12th April (Monday)
# Establish i18n_input as a daemon
daemon_domain(i18n_input)
can_exec(i18n_input_t, i18n_input_exec_t)
can_network(i18n_input_t)
allow i18n_input_t port_type:tcp_socket name_connect;
can_ypbind(i18n_input_t)
can_tcp_connect(userdomain, i18n_input_t)
can_unix_connect(i18n_input_t, initrc_t)
allow i18n_input_t self:fifo_file rw_file_perms;
allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
allow i18n_input_t self:capability { kill setgid setuid };
allow i18n_input_t self:process { setsched setpgid };
allow i18n_input_t { bin_t sbin_t }:dir search;
can_exec(i18n_input_t, bin_t)
allow i18n_input_t etc_t:file r_file_perms;
allow i18n_input_t self:unix_dgram_socket create_socket_perms;
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
allow i18n_input_t usr_t:file { getattr read };
allow i18n_input_t home_root_t:dir search;
allow i18n_input_t etc_runtime_t:file { getattr read };
allow i18n_input_t proc_t:file { getattr read };
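Review bot: `allow i18n_input_t port_type:tcp_socket name_connect;` permits outbound connections to every labelled port, which is far broader than an input-method server needs; limit it to the port types it actually uses, or comment why any port is required. The header also departs from the convention used by the other files in this commit (no `#DESC` line, no author), and `can_exec(i18n_input_t, bin_t)` plus `allow i18n_input_t { bin_t sbin_t }:dir search;` has no comment saying which helper programs htt runs.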


@ -0,0 +1,74 @@
#DESC Ifconfig - Configure network interfaces
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: net-tools
#
#################################
#
# Rules for the ifconfig_t domain.
#
# ifconfig_t is the domain for the ifconfig program.
# ifconfig_exec_t is the type of the corresponding program.
#
type ifconfig_t, domain, privlog, privmodule;
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
role system_r types ifconfig_t;
role sysadm_r types ifconfig_t;
uses_shlib(ifconfig_t)
general_domain_access(ifconfig_t)
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
')
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
allow ifconfig_t etc_t:file { getattr read };
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
# Inherit and use descriptors from init.
allow ifconfig_t { kernel_t init_t }:fd use;
# Access /proc
r_dir_file(ifconfig_t, proc_t)
r_dir_file(ifconfig_t, proc_net_t)
allow ifconfig_t privfd:fd use;
allow ifconfig_t run_init_t:fd use;
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
can_access_pty(ifconfig_t, initrc)
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
# see the denials.
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
allow ifconfig_t fs_t:filesystem getattr;
read_locale(ifconfig_t)
allow ifconfig_t lib_t:file { getattr read };
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
r_dir_file(ifconfig_t, sysfs_t)
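Review bot: the comment "Do not audit those attempts; comment out these rules if it is desired to see the denials" does not match the rule under it, which is `allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;` rather than a `dontaudit`; either make the rule a `dontaudit` as the comment says or reword the comment. `dontaudit ifconfig_t self:capability sys_module;` alongside the `privmodule` attribute on ifconfig_t also deserves a comment on whether the domain is meant to load modules or only to have the attempt silenced.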


@ -0,0 +1,64 @@
#DESC Inetd - Internet services daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
#
#################################
#
# Rules for the inetd_t domain and
# the inetd_child_t domain.
#
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
can_network(inetd_t)
allow inetd_t port_type:tcp_socket name_connect;
allow inetd_t self:unix_dgram_socket create_socket_perms;
allow inetd_t self:unix_stream_socket create_socket_perms;
allow inetd_t self:fifo_file rw_file_perms;
allow inetd_t etc_t:file { getattr read ioctl };
allow inetd_t self:process setsched;
log_domain(inetd)
tmp_domain(inetd)
# Use capabilities.
allow inetd_t self:capability { setuid setgid net_bind_service };
# allow any domain to connect to inetd
can_tcp_connect(userdomain, inetd_t)
# Run each daemon with a defined domain in its own domain.
# These rules have been moved to the individual target domain .te files.
# Run other daemons in the inetd_child_t domain.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;
# Bind to the telnet, ftp, rlogin and rsh ports.
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
')
allow inetd_t auth_port_t:tcp_socket name_bind;
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
inetd_child_domain(inetd_child)
allow inetd_child_t proc_net_t:dir search;
allow inetd_child_t proc_net_t:file { getattr read };
ifdef(`unconfined.te', `
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
')
ifdef(`unlimitedInetd', `
unconfined_domain(inetd_t)
')
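Review bot: the comment "Bind to the telnet, ftp, rlogin and rsh ports." is out of date: the rules that follow bind the ftp, rsh, talk, ntalk and auth ports, and nothing for telnet or rlogin; update the comment. Likewise "allow any domain to connect to inetd" sits above `can_tcp_connect(userdomain, inetd_t)`, which only covers userdomain. `allow inetd_t port_type:tcp_socket name_connect;` is broad for a super-server that mostly listens; if it exists for ident or tcp_wrappers lookups, say so in a comment.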

147
mls/domains/program/init.te Normal file

@ -0,0 +1,147 @@
#DESC Init - Process initialization
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit
#
#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };
# for mount points
allow init_t file_t:dir search;
# Use capabilities.
allow init_t self:capability ~sys_module;
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
# Run init.
can_exec(init_t, init_exec_t)
# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')
# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')
# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
can_unix_connect(init_t, initrc_t)
# For /var/run/shutdown.pid.
var_run_domain(init)
# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
# Kill all processes.
allow init_t domain:process signal_perms;
# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;
# for loading policy
allow init_t policy_config_t:file r_file_perms;
# Set booleans.
can_setbool(init_t)
# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;
# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')
# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
unconfined_domain(init_t)
')
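Review bot: the type declaration gives init_t `mlsfileread, mlsfilewrite, mlsprocwrite` and marks initctl_t `mlstrustedobject`, i.e. init bypasses the MLS read/write constraints and any level may write the control FIFO, but neither override is commented; since this is the mls policy, one line stating why each is required would help review. Style: `can_exec(init_t,bin_t)` and `can_exec(init_t,etc_t)` omit the space after the comma used everywhere else in the file.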


@ -0,0 +1,346 @@
#DESC Initrc - System initialization scripts
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit policycoreutils
#
#################################
#
# Rules for the initrc_t domain.
#
# initrc_t is the domain of the init rc scripts.
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
role system_r types initrc_t;
uses_shlib(initrc_t);
can_network(initrc_t)
allow initrc_t port_type:tcp_socket name_connect;
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;
# for halt to down interfaces
allow initrc_t self:udp_socket create_socket_perms;
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
read_locale(initrc_t)
r_dir_file(initrc_t, usr_t)
# Read system information files in /proc.
r_dir_file(initrc_t, { proc_t proc_net_t })
allow initrc_t proc_mdstat_t:file { getattr read };
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;
# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files. Permit stating of the
# device nodes, but nothing else.
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
allow initrc_t usbfs_t:dir r_dir_perms;
allow initrc_t usbfs_t:file getattr;
# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
# Can create ptys for open_init_pty
can_create_pty(initrc)
tmp_domain(initrc)
#
# Some initscripts generate scripts that they need to execute (ldap)
#
can_exec(initrc_t, initrc_tmp_t)
var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
allow initrc_t var_run_t:dir { create rmdir };
ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')
allow initrc_t framebuf_device_t:chr_file r_file_perms;
# Use capabilities.
allow initrc_t self:capability ~{ sys_admin sys_module };
# Use system operations.
allow initrc_t kernel_t:system *;
# Set values in /proc/sys.
can_sysctl(initrc_t)
# Run helper programs in the initrc_t domain.
allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
allow initrc_t {bin_t sbin_t }:lnk_file read;
can_exec(initrc_t, etc_t)
can_exec(initrc_t, lib_t)
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
#
# These rules are here to allow init scripts to su
#
ifdef(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
allow initrc_t self:passwd rootok;
# read /lib/modules
allow initrc_t modules_object_t:dir { search read };
# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;
# Run other rc scripts in the initrc_t domain.
can_exec(initrc_t, initrc_exec_t)
# Run init (telinit) in the initrc_t domain.
can_exec(initrc_t, init_exec_t)
# Communicate with the init process.
allow initrc_t initctl_t:fifo_file rw_file_perms;
# Read /proc/PID directories for all domains.
r_dir_file(initrc_t, domain)
allow initrc_t domain:process { getattr getsession };
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t file_t:dir { read search getattr mounton };
# during boot up initrc needs to do the following
allow initrc_t default_t:dir { write read search getattr mounton };
# rhgb-console writes to ramfs
allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
allow initrc_t var_log_t:file create_file_perms;
allow initrc_t lastlog_t:file { setattr rw_file_perms };
allow initrc_t logfile:file { read append };
# remove old locks
allow initrc_t lockfile:dir rw_dir_perms;
allow initrc_t lockfile:file { getattr unlink };
# Access /var/lib/random-seed.
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;
# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;
# Set the clock.
allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
# Kill all processes.
allow initrc_t domain:process signal_perms;
# Write to /dev/urandom.
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
# for cryptsetup
allow initrc_t fixed_disk_device_t:blk_file getattr;
# Set device ownerships/modes.
allow initrc_t framebuf_device_t:chr_file setattr;
allow initrc_t misc_device_t:devfile_class_set setattr;
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
allow initrc_t device_t:lnk_file read;
allow initrc_t xconsole_device_t:fifo_file setattr;
# Stat any file.
allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };
# Read and write console and ttys.
allow initrc_t devtty_t:chr_file rw_file_perms;
allow initrc_t console_device_t:chr_file rw_file_perms;
allow initrc_t tty_device_t:chr_file rw_file_perms;
allow initrc_t ttyfile:chr_file rw_file_perms;
allow initrc_t ptyfile:chr_file rw_file_perms;
# Reset tty labels.
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;
ifdef(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;
# Allow initrc domain to set the enforcing flag.
can_setenforce(initrc_t)
#
# readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };
# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
# wants to delete /poweroff and other files
allow initrc_t root_t:file unlink;
# wants to read /.fonts directory
allow initrc_t default_t:file { getattr read };
ifdef(`xserver.te', `
# wants to cleanup xserver log dir
allow initrc_t xserver_log_t:dir rw_dir_perms;
allow initrc_t xserver_log_t:file unlink;
')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
allow initrc_t var_spool_t:file rw_file_perms;
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;
# Access sound device and files.
allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;
# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };
# for system start scripts
allow initrc_t pidfile:dir { rmdir rw_dir_perms };
allow initrc_t pidfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)
# allow start scripts to clean /tmp
allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
dontaudit initrc_t proc_kmsg_t:file getattr;
#################################
#
# Rules for the run_init_t domain.
#
ifdef(`targeted_policy', `
type run_init_exec_t, file_type, sysadmfile, exec_type;
type run_init_t, domain;
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
typeattribute initrc_t privuser;
domain_trans(initrc_t, shell_exec_t, unconfined_t)
allow initrc_t unconfined_t:system syslog_mod;
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
allow initrc_t privfd:fd use;
# Transition to system_r:initrc_t upon executing init scripts.
ifdef(`direct_sysadm_daemon', `
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
ifdef(`mls_policy', `
typeattribute initrc_t mlsrangetrans;
range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
')
')
#
# Shutting down xinet causes these
#
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
allow initrc_t sysfs_t:dir { getattr read search };
allow initrc_t sysfs_t:file { getattr read write };
allow initrc_t sysfs_t:lnk_file { getattr read };
allow initrc_t udev_runtime_t:file rw_file_perms;
allow initrc_t device_type:chr_file setattr;
allow initrc_t binfmt_misc_fs_t:dir { getattr search };
allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
# for lsof in shutdown scripts
can_kerberos(initrc_t)
#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;
r_dir_file(initrc_t,selinux_config_t)
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
#
# initrc script does a cat /selinux/enforce
#
allow initrc_t security_t:dir { getattr search };
allow initrc_t security_t:file { getattr read };
# init script state
type initrc_state_t, file_type, sysadmfile;
create_dir_file(initrc_t,initrc_state_t)
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')
# Slapd needs to read cert files from its initscript
r_dir_file(initrc_t, cert_t)
ifdef(`use_mcs', `
range_transition sysadm_t initrc_exec_t s0;
')
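Review bot: two `range_transition sysadm_t initrc_exec_t` statements are emitted from different guards, `s0 - s15:c0.c255` under `mls_policy` inside `direct_sysadm_daemon`, and `s0` under `use_mcs`; nothing makes the guards mutually exclusive, and defining both would yield two transitions for the same source and target, so tie the second to `ifdef(`mls_policy', `', ...)` or merge them. The Red Hat block also grants `allow initrc_t self:capability sys_admin;` after the general `allow initrc_t self:capability ~{ sys_admin sys_module };`, so on that distro initrc_t keeps every capability except sys_module; the comment on the general rule should note the exception. Minor: "Shutting down xinet" should read xinetd, and `r_dir_file(initrc_t,selinux_config_t)` and `create_dir_file(initrc_t,initrc_state_t)` lack the space after the comma.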


@ -0,0 +1,81 @@
#DESC INN - InterNetNews server
#
# Author: Faye Coker <faye@lurking-grue.org>
# X-Debian-Packages: inn
#
################################
# Types for the server port and news spool.
#
type news_spool_t, file_type, sysadmfile;
# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')
# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)
# allow user domains to read files and directories these types
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
can_exec(initrc_t, innd_etc_t)
can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')
allow innd_t var_spool_t:dir { getattr search };
can_network(innd_t)
allow innd_t port_type:tcp_socket name_connect;
can_ypbind(innd_t)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)
allow innd_t self:fifo_file rw_file_perms;
allow innd_t innd_port_t:tcp_socket name_bind;
allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;
allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;
allow innd_t innd_var_run_t:sock_file create_file_perms;
# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
etcdir_domain(innd)
# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)
# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)
ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
allow system_crond_t innd_etc_t:file { getattr read };
rw_dir_create_file(system_crond_t, innd_log_t)
rw_dir_create_file(system_crond_t, innd_var_run_t)
')
ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file create_file_perms;
')
allow innd_t self:file { getattr read };
dontaudit innd_t selinux_config_t:dir { search };
allow system_crond_t innd_etc_t:file { getattr read };
allow innd_t bin_t:lnk_file { read };
allow innd_t sbin_t:lnk_file { read };
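Review bot: `allow system_crond_t innd_etc_t:file { getattr read };` near the end of the file is unconditional and duplicates the identical rule inside the `ifdef(`crond.te', ...)` block; the unconditional copy references `system_crond_t`, which is undefined when crond.te is not in the build, so the policy will not compile without crond. Drop the second copy. Also, the comment "allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type" has an unbalanced parenthesis, and `{ search }` / `{ read }` around single permissions is inconsistent with the rest of the file.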


@ -0,0 +1,229 @@
#DESC ipsec - TCP/IP encryption
#
# Authors: Mark Westerman mark.westerman@westcam.com
# massively butchered by paul krumviede <pwk@acm.org>
# further massaged by Chris Vance <cvance@tislabs.com>
# X-Debian-Packages: freeswan
#
########################################
#
# Rules for the ipsec_t domain.
#
# a domain for things that need access to the PF_KEY socket
daemon_base_domain(ipsec, `, privlog')
# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t, file_type, sysadmfile;
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t, file_type, sysadmfile;
# type for runtime files, including pluto.ctl
# lots of strange stuff for the ipsec_var_run_t - need to check it
var_run_domain(ipsec)
type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
allow ipsec_mgmt_t modules_object_t:dir search;
allow ipsec_mgmt_t modules_object_t:file getattr;
allow ipsec_t self:capability { net_admin net_bind_service };
allow ipsec_t self:process signal;
allow ipsec_t etc_t:lnk_file read;
domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
# Inherit and use descriptors from init.
# allow access (for, e.g., klipsdebug) to console
allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
# I do not know where this pesky pipe is...
allow ipsec_t initrc_t:fifo_file write;
r_dir_file(ipsec_t, ipsec_conf_file_t)
r_dir_file(ipsec_t, ipsec_key_file_t)
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
allow ipsec_t self:key_socket { create write read setopt };
# for lsof
allow sysadm_t ipsec_t:key_socket getattr;
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
can_exec(ipsec_mgmt_t, bin_t)
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
# also need to run things like whack and shell scripts
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
can_exec(ipsec_mgmt_t, shell_exec_t)
can_exec(ipsec_t, shell_exec_t)
can_exec(ipsec_t, bin_t)
can_exec(ipsec_t, ipsec_mgmt_exec_t)
# now for a icky part...
# pluto runs an updown script (by calling popen()!); as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
# the default updown script wants to run route
can_exec(ipsec_mgmt_t, sbin_t)
allow ipsec_mgmt_t sbin_t:lnk_file read;
allow ipsec_mgmt_t self:capability { net_admin dac_override };
# need access to /proc/sys/net/ipsec/icmp
allow ipsec_mgmt_t sysctl_t:file write;
allow ipsec_mgmt_t sysctl_net_t:dir search;
allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
# whack needs to be able to read/write pluto.ctl
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
# and it wants to connect to a socket...
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
can_exec(sysadm_t, ipsec_mgmt_exec_t)
allow sysadm_t ipsec_t:unix_stream_socket connectto;
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
allow ipsec_mgmt_t boot_t:dir search;
allow ipsec_mgmt_t system_map_t:file { read getattr };
# denials when ps tries to search /proc. Do not audit these denials.
dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
# suppress audit messages about unnecessary socket access
dontaudit ipsec_mgmt_t domain:key_socket { read write };
dontaudit ipsec_mgmt_t domain:udp_socket { read write };
# from rbac
role system_r types { ipsec_t ipsec_mgmt_t };
# from initrc.te
domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
########## The following rules were added by cvance@tislabs.com ##########
# allow pluto and startup scripts to access /dev/urandom
allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
# allow pluto to access /proc/net/ipsec_eroute;
general_proc_read_access(ipsec_t)
general_proc_read_access(ipsec_mgmt_t)
# allow pluto to search the root directory (not sure why, but mostly harmless)
# Are these all really necessary?
allow ipsec_t var_t:dir search;
allow ipsec_t bin_t:dir search;
allow ipsec_t device_t:dir { getattr search };
allow ipsec_mgmt_t device_t:dir { getattr search read };
dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
dontaudit ipsec_mgmt_t devpts_t:dir getattr;
allow ipsec_mgmt_t etc_t:lnk_file read;
allow ipsec_mgmt_t var_t:dir search;
allow ipsec_mgmt_t sbin_t:dir search;
allow ipsec_mgmt_t bin_t:dir search;
allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
# Startup scripts
# use libraries
uses_shlib({ ipsec_t ipsec_mgmt_t })
# Read and write /dev/tty
allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
# fork
allow ipsec_mgmt_t self:process fork;
# startup script runs /bin/gawk with a pipe
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
# read /etc/mtab Why?
allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
# read link for /bin/sh
allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
#
allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
# Allow read/write access to /var/run/pluto.ctl
allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
# Pluto needs network access
can_network_server(ipsec_t)
can_ypbind(ipsec_t)
allow ipsec_t self:unix_dgram_socket create_socket_perms;
# for sleep
allow ipsec_mgmt_t fs_t:filesystem getattr;
# for the start script
can_exec(ipsec_mgmt_t, etc_t)
# allow access to /etc/localtime
allow ipsec_mgmt_t etc_t:file { read getattr };
allow ipsec_t etc_t:file { read getattr };
# allow access to /dev/null
allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
allow ipsec_t null_device_t:chr_file rw_file_perms;
# Allow scripts to use /var/lock/subsys/ipsec
lock_domain(ipsec_mgmt)
# allow tncfg to create sockets
allow ipsec_mgmt_t self:udp_socket { create ioctl };
#When running ipsec auto --up <conname>
allow ipsec_t self:process { fork sigchld };
allow ipsec_t self:fifo_file { read getattr };
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
allow ipsec_mgmt_t self:lnk_file read;
allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
read_locale(ipsec_mgmt_t)
var_run_domain(ipsec_mgmt)
dontaudit ipsec_mgmt_t default_t:dir getattr;
dontaudit ipsec_mgmt_t default_t:file getattr;
allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t self:key_socket { create setopt };
can_exec(ipsec_mgmt_t, initrc_exec_t)
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
read_locale(ipsec_t)
ifdef(`consoletype.te', `
can_exec(ipsec_mgmt_t, consoletype_exec_t )
')
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
allow ipsec_t self:capability { dac_override dac_read_search };
allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
dontaudit ipsec_mgmt_t device_t:lnk_file read;
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
rw_dir_create_file(initrc_t, ipsec_var_run_t)
allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
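Review bot: the `file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)` under `# ideally it would not need this. It wants to write to /root/.rnd` gives the IPsec management scripts create and write access into the administrator's home directory, labelled as ordinary sysadm_home_t, to satisfy a single nuisance write; a dedicated type for that file, or a dontaudit on sysadm_home_dir_t if the write is not needed for correct operation, keeps the home directory out of the daemon's reach. Two smaller points: the comment `# Allow read/write access to /var/run/pluto.ctl` sits above `allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };`, which is a socket rule rather than access to the control file, so the comment should describe the socket (and the spacing inside the braces should match the rest of the file); and `allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;` lets pluto bind any reserved port, not only isakmp_port_t, so reserved_port_t should be justified or dropped. The open question in `# read /etc/mtab Why?` should be answered in the comment before the rule ships.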

@ -0,0 +1,63 @@
#DESC Ipchains - IP packet filter administration
#
# Authors: Justin Smith <jsmith@mcs.drexel.edu>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ipchains iptables
#
#
# Rules for the iptables_t domain.
#
daemon_base_domain(iptables, `, privmodule')
role sysadm_r types iptables_t;
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
ifdef(`modutil.te', `
# for modprobe
allow iptables_t sbin_t:dir search;
allow iptables_t sbin_t:lnk_file read;
')
read_locale(iptables_t)
# to allow rules to be saved on reboot
allow iptables_t initrc_tmp_t:file rw_file_perms;
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
allow iptables_t var_t:dir search;
var_run_domain(iptables)
allow iptables_t self:process { fork signal_perms };
allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
allow iptables_t sysctl_modprobe_t:file { getattr read };
tmp_domain(iptables)
# for iptables -L
allow iptables_t self:unix_stream_socket create_socket_perms;
can_resolve(iptables_t)
can_ypbind(iptables_t)
allow iptables_t iptables_exec_t:file execute_no_trans;
allow iptables_t self:capability { net_admin net_raw };
allow iptables_t self:rawip_socket create_socket_perms;
allow iptables_t etc_t:file { getattr read };
allow iptables_t fs_t:filesystem getattr;
allow iptables_t { userdomain kernel_t }:fd use;
# Access terminals.
allow iptables_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
allow iptables_t proc_t:file { getattr read };
allow iptables_t proc_net_t:dir search;
allow iptables_t proc_net_t:file { read getattr };
# system-config-network appends to /var/log
allow iptables_t var_log_t:file append;
ifdef(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write;
')
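Review bot: `allow iptables_t { userdomain kernel_t }:fd use;` lets iptables_t inherit descriptors from every user domain, while the only transition into the domain is `domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)`; narrowing the fd rule to sysadm_t (or privfd) matches the actual entry point. The header `#DESC Ipchains - IP packet filter administration` and `X-Debian-Packages: ipchains iptables` describe ipchains, but the file defines only iptables_t; update the description to match the domain. `allow iptables_t initrc_tmp_t:file rw_file_perms;` under `# to allow rules to be saved on reboot` gives iptables read/write on all of initrc's temporary files rather than on a dedicated type; the comment should at least name the file this is for.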

@ -0,0 +1,12 @@
#DESC Irc - IRC client
#
# Domains for the irc program.
# X-Debian-Packages: tinyirc ircii
#
# irc_exec_t is the type of the irc executable.
#
type irc_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the irc_domain macro in
# macros/program/irc_macros.te.

@ -0,0 +1,15 @@
#DESC IRQBALANCE - IRQ balance daemon
#
# Author: Ulrich Drepper <drepper@redhat.com>
#
#################################
#
# Rules for the irqbalance_t domain.
#
daemon_domain(irqbalance)
# irqbalance needs access to /proc.
allow irqbalance_t proc_t:file { read getattr };
allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
allow irqbalance_t sysctl_irq_t:file rw_file_perms;

@ -0,0 +1,14 @@
#DESC Java VM
#
# Authors: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: java
#
# Type for the netscape, java or other browser executables.
type java_exec_t, file_type, sysadmfile, exec_type;
# Allow java executable stack
bool allow_java_execstack false;
# Everything else is in the java_domain macro in
# macros/program/java_macros.te.
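Review bot: the comment `# Type for the netscape, java or other browser executables.` above `type java_exec_t` reads as copied from a browser policy; this file only declares the java executable type, so reword it, and since `bool allow_java_execstack false;` is declared here but nothing in this file references it, the comment should say that the boolean is consumed in macros/program/java_macros.te alongside the domain macro.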

@ -0,0 +1,91 @@
#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author: Kerry Thompson <kerry@crypt.gen.nz>
# Modified by Colin Walters <walters@redhat.com>
#
#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
daemon_domain(krb5kdc)
daemon_domain(kadmind)
can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)
# types for general configuration files in /etc
type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
# types for KDC configs and principal file(s)
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
# krb5kdc and kadmind can use network
can_network_server( { krb5kdc_t kadmind_t } )
can_ypbind( { krb5kdc_t kadmind_t } )
# allow UDP transfer to/from any program
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
# Bind to the kerberos, kerberos-adm ports.
allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t reserved_port_t:tcp_socket name_bind;
dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
allow krb5kdc_t self:unix_stream_socket create_socket_perms;
allow kadmind_t self:unix_stream_socket create_socket_perms;
allow krb5kdc_t krb5kdc_conf_t:dir search;
allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t locale_t:file { getattr read };
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
tmp_domain(krb5kdc)
log_domain(krb5kdc)
allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
allow kadmind_t random_device_t:chr_file { getattr read };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t proc_t:dir r_dir_perms;
allow krb5kdc_t proc_t:file { getattr read };
#
# Rules for Kerberos5 Kadmin daemon
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t krb5kdc_conf_t:dir search;
allow kadmind_t krb5kdc_conf_t:file r_file_perms;
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
read_locale(kadmind_t)
dontaudit kadmind_t krb5kdc_conf_t:file write;
tmp_domain(kadmind)
log_domain(kadmind)
#
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
allow initrc_t krb5_conf_t:file ioctl;
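Review bot: `# Use capabilities. Surplus capabilities may be allowed.` followed by `allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };` ships an admitted over-grant; net_admin in particular is not needed to bind the Kerberos ports (net_bind_service already covers that), so each capability on both the krb5kdc_t and kadmind_t lines should be justified or removed before the domains are merged. The comment `# types for general configuration files in /etc` sits above `type krb5_keytab_t, file_type, sysadmfile, secure_file_type;`, which is the keytab type, not a general config type, while krb5_conf_t is used in the `krb5_conf_t:file r_file_perms` rules without being declared in this file; confirm it is declared elsewhere or declare it here. The header also says the file `includes rules for OpenSSH daemon compiled with both kerberos5 and SELinux support`, but no sshd rules appear in this hunk; move or drop that claim.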

@ -0,0 +1,48 @@
#DESC Klogd - Kernel log daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: klogd
#
#################################
#
# Rules for the klogd_t domain.
#
daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
allow klogd_t proc_t:lnk_file r_file_perms;
allow klogd_t proc_t:file { getattr read };
allow klogd_t self:dir r_dir_perms;
allow klogd_t self:lnk_file r_file_perms;
# read /etc/nsswitch.conf
allow klogd_t etc_t:lnk_file read;
allow klogd_t etc_t:file r_file_perms;
read_locale(klogd_t)
allow klogd_t etc_runtime_t:file { getattr read };
# Create unix sockets
allow klogd_t self:unix_dgram_socket create_socket_perms;
# Use the sys_admin and sys_rawio capabilities.
allow klogd_t self:capability { sys_admin sys_rawio };
dontaudit klogd_t self:capability sys_resource;
# Read /proc/kmsg and /dev/mem.
allow klogd_t proc_kmsg_t:file r_file_perms;
allow klogd_t memory_device_t:chr_file r_file_perms;
# Control syslog and console logging
allow klogd_t kernel_t:system { syslog_mod syslog_console };
# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
ifdef(`targeted_policy', `
allow klogd_t unconfined_t:system syslog_mod;
')
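Review bot: `daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')` grants klogd_t the mlsfileread override of the MLS file read constraints, yet every read in this file is of proc_kmsg_t, memory_device_t, system_map_t, boot_t, etc_t, etc_runtime_t or proc_t; add a comment naming the object whose level requires the override, or drop the attribute if all of those are at the system low level. `dontaudit klogd_t self:capability sys_resource;` is fine as a silence rule but deserves a one-line comment on what triggers the denial.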

@ -0,0 +1,14 @@
#DESC ktalkd - KDE version of the talk server
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the ktalkd_t domain.
#
# ktalkd_exec_t is the type of the ktalkd executable.
#
inetd_child_domain(ktalkd, udp)

@ -0,0 +1,117 @@
#DESC kudzu - Red Hat utility to recognise new hardware
#
# Author: Russell Coker <russell@coker.com.au>
#
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
read_locale(kudzu_t)
# for /etc/sysconfig/hwconf - probably need a new type
allow kudzu_t etc_runtime_t:file rw_file_perms;
# for kmodule
if (allow_execmem) {
allow kudzu_t self:process execmem;
}
allow kudzu_t zero_device_t:chr_file rx_file_perms;
allow kudzu_t memory_device_t:chr_file { read write execute };
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
allow kudzu_t modules_conf_t:file { getattr read unlink rename };
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
allow kudzu_t { bin_t sbin_t }:lnk_file read;
read_sysctl(kudzu_t)
allow kudzu_t sysctl_dev_t:dir { getattr search read };
allow kudzu_t sysctl_dev_t:file { getattr read };
allow kudzu_t sysctl_kernel_t:file write;
allow kudzu_t usbdevfs_t:dir search;
allow kudzu_t usbdevfs_t:file { getattr read };
allow kudzu_t usbfs_t:dir search;
allow kudzu_t usbfs_t:file { getattr read };
var_run_domain(kudzu)
allow kudzu_t kernel_t:system syslog_console;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t var_lock_t:dir search;
allow kudzu_t devpts_t:dir search;
# so it can write messages to the console
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
role sysadm_r types kudzu_t;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
')
ifdef(`anaconda.te', `
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
')
allow kudzu_t sysadm_home_dir_t:dir search;
rw_dir_create_file(kudzu_t, etc_t)
rw_dir_create_file(kudzu_t, mnt_t)
can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
# Read /usr/lib/gconv/gconv-modules.*
allow kudzu_t lib_t:file { read getattr };
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
allow kudzu_t usr_t:file { read getattr };
r_dir_file(kudzu_t, hwdata_t)
# Communicate with rhgb-client.
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
ifdef(`rhgb.te', `
allow kudzu_t rhgb_t:unix_stream_socket connectto;
')
allow kudzu_t self:file { getattr read };
allow kudzu_t self:fifo_file rw_file_perms;
ifdef(`gpm.te', `
allow kudzu_t gpmctl_t:sock_file getattr;
')
can_exec(kudzu_t, shell_exec_t)
# Write to /proc/sys/kernel/hotplug. Why?
allow kudzu_t sysctl_hotplug_t:file { read write };
allow kudzu_t sysfs_t:dir { getattr read search };
allow kudzu_t sysfs_t:file { getattr read };
allow kudzu_t sysfs_t:lnk_file read;
file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
allow kudzu_t tape_device_t:chr_file r_file_perms;
tmp_domain(kudzu, `', `{ file dir chr_file }')
# for file systems that are not yet mounted
dontaudit kudzu_t file_t:dir search;
ifdef(`lpd.te', `
allow kudzu_t printconf_t:file { getattr read };
')
ifdef(`cups.te', `
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
')
dontaudit kudzu_t src_t:dir search;
ifdef(`xserver.te', `
allow kudzu_t xserver_exec_t:file getattr;
')
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
', `
unconfined_domain(kudzu_t)
')
allow kudzu_t initrc_t:unix_stream_socket connectto;
allow kudzu_t net_conf_t:file { getattr read };
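Review bot: the `ifdef(`userhelper.te', ... ', ` unconfined_domain(kudzu_t) ')` block makes kudzu_t unconfined whenever the userhelper module is not built, so a policy built without userhelper.te silently loses all confinement of kudzu; if kudzu only needs the userhelper transition, the fallback should be to omit that transition, not to unconfine the domain. The comment `# Write to /proc/sys/kernel/hotplug. Why?` above `allow kudzu_t sysctl_hotplug_t:file { read write };` grants write to the sysctl that holds the path of the kernel's userspace hotplug helper with an unresolved question attached; a hardware probe should not need to change that path, so either document the need or reduce the rule to read (with dontaudit on write). `allow kudzu_t memory_device_t:chr_file { read write execute };` adds write and execute on /dev/mem on top of the privmem attribute; execute on a character device is rarely required and should be explained in a comment.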

@ -0,0 +1,52 @@
#DESC Ldconfig - Configure dynamic linker bindings
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: libc6
#
#################################
#
# Rules for the ldconfig_t domain.
#
type ldconfig_t, domain, privlog, etc_writer;
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types ldconfig_t;
role system_r types ldconfig_t;
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
can_access_pty(ldconfig_t, initrc)
allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
allow ldconfig_t userdomain:fd use;
# unlink for when /etc/ld.so.cache is mislabeled
allow ldconfig_t etc_t:file { getattr read unlink };
allow ldconfig_t etc_t:lnk_file read;
allow ldconfig_t fs_t:filesystem getattr;
allow ldconfig_t tmp_t:dir search;
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
allow ldconfig_t { var_t var_lib_t }:dir search;
allow ldconfig_t proc_t:file { getattr read };
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
');
')dnl end hide_broken_symptoms
ifdef(`targeted_policy', `
allow ldconfig_t lib_t:file r_file_perms;
unconfined_domain(ldconfig_t)
')
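Review bot: `allow ldconfig_t etc_t:file { getattr read unlink };` under `# unlink for when /etc/ld.so.cache is mislabeled` lets ldconfig_t delete any file labelled etc_t, which covers most of /etc, to work around a labelling bug in one file; the narrower fix is to relabel ld.so.cache (restorecon) rather than grant unlink across the type, and the comment should say why a dontaudit is not sufficient. In the `hide_broken_symptoms` block, the `');` that closes the inner `ifdef(`unconfined.te', ...)` leaves a `;` outside the quotes, so m4 copies a bare semicolon into the generated policy whenever hide_broken_symptoms is defined; drop the semicolon.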

@ -0,0 +1,65 @@
#DESC LoadPolicy - SELinux policy loading utilities
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: policycoreutils
#
###########################
# load_policy_t is the domain type for load_policy
# load_policy_exec_t is the file type for the executable
# boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values. Set this to true and you
# have to reboot to set it back
bool secure_mode_policyload false;
type load_policy_t, domain;
role sysadm_r types load_policy_t;
role secadm_r types load_policy_t;
role system_r types load_policy_t;
type load_policy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
allow load_policy_t console_device_t:chr_file { read write };
# Reload the policy configuration (sysadm_t no longer has this ability)
can_loadpol(load_policy_t)
# Reset policy boolean values.
can_setbool(load_policy_t)
###########################
# constrain from where load_policy can load a policy, specifically
# policy_config_t files
#
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
r_dir_file(load_policy_t, policy_config_t)
r_dir_file(load_policy_t, selinux_config_t)
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
# for mcs.conf
allow load_policy_t etc_t:file { getattr read };
# Other access
can_access_pty(load_policy_t, initrc)
allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
allow load_policy_t { userdomain privfd initrc_t }:fd use;
allow load_policy_t fs_t:filesystem getattr;
read_locale(load_policy_t)
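Review bot: `role sysadm_r types load_policy_t;` next to `role secadm_r types load_policy_t;` and the comment `# Reload the policy configuration (sysadm_t no longer has this ability)` pull in different directions: if policy loading is meant to move to the security administrator role in the MLS policy, authorizing sysadm_r for load_policy_t keeps that path open, and `domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)` decides who actually enters the domain, so state what `secadmin` expands to in a comment. `bool secure_mode_policyload false;` is declared here with the note that setting it true requires a reboot to unset, but nothing else in this file references it; a comment that can_loadpol and can_setbool consult it would make the coupling visible to the next reader.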

@ -0,0 +1,45 @@
#DESC loadkeys - for changing to unicode at login time
#
# Author: Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: console-tools
#
# loadkeys_exec_t is the type of the wrapper
#
type loadkeys_exec_t, file_type, sysadmfile, exec_type;
can_exec(initrc_t, loadkeys_exec_t)
# Derived domain based on the calling user domain and the program.
type loadkeys_t, domain;
# Transition from the user domain to this domain.
domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
uses_shlib(loadkeys_t)
dontaudit loadkeys_t proc_t:dir search;
allow loadkeys_t proc_t:file { getattr read };
allow loadkeys_t self:process { fork sigchld };
allow loadkeys_t self:fifo_file rw_file_perms;
allow loadkeys_t bin_t:dir search;
allow loadkeys_t bin_t:lnk_file read;
can_exec(loadkeys_t, { shell_exec_t bin_t })
read_locale(loadkeys_t)
dontaudit loadkeys_t etc_runtime_t:file { getattr read };
# Use capabilities.
allow loadkeys_t self:capability { setuid sys_tty_config };
allow loadkeys_t local_login_t:fd use;
allow loadkeys_t devtty_t:chr_file rw_file_perms;
# The user role is authorized for this domain.
in_user_role(loadkeys_t)
# Write to the user domain tty.
allow loadkeys_t ttyfile:chr_file rw_file_perms;
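Review bot: loadkeys_t is entered from `unpriv_userdomain` via `domain_auto_trans`, carries `self:capability { setuid sys_tty_config }`, and `can_exec(loadkeys_t, { shell_exec_t bin_t })` lets it run any shell or bin_t program; for a wrapper that exists to run loadkeys, restricting can_exec to the executables the wrapper actually calls keeps the setuid capability from being paired with arbitrary binaries. `allow loadkeys_t ttyfile:chr_file rw_file_perms;` under `# Write to the user domain tty.` also covers every tty type rather than the caller's, so a comment on why the user-specific tty types do not suffice would help.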

@ -0,0 +1,11 @@
#DESC Lockdev - libblockdev helper application
#
# Authors: Daniel Walsh <dwalsh@redhat.com>
#
# Type for the lockdev
type lockdev_exec_t, file_type, sysadmfile, exec_type;
# Everything else is in the lockdev_domain macro in
# macros/program/lockdev_macros.te.
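Review bot: `#DESC Lockdev - libblockdev helper application` looks like a typo for liblockdev, the device-locking library that the lockdev package provides and that this helper serves; correct the description.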

@ -0,0 +1,234 @@
#DESC Login - Local/remote login utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Macroised by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: login
#
#################################
#
# Rules for the local_login_t domain
# and the remote_login_t domain.
#
# $1 is the name of the domain (local or remote)
define(`login_domain', `
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
general_domain_access($1_login_t);
# Read system information files in /proc.
r_dir_file($1_login_t, proc_t)
base_file_read_access($1_login_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1_login_t readable_t:dir r_dir_perms;
allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
# Read /var, /var/spool
allow $1_login_t { var_t var_spool_t }:dir search;
# for when /var/mail is a sym-link
allow $1_login_t var_t:lnk_file read;
# Read /etc.
r_dir_file($1_login_t, etc_t)
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
read_locale($1_login_t)
# for SSP/ProPolice
allow $1_login_t urandom_device_t:chr_file { getattr read };
# Read executable types.
allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow $1_login_t device_t:dir r_dir_perms;
allow $1_login_t device_t:lnk_file r_file_perms;
uses_shlib($1_login_t);
tmp_domain($1_login)
ifdef(`pam.te', `
can_exec($1_login_t, pam_exec_t)
')
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
')
ifdef(`alsa.te', `
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
# Use capabilities
allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow $1_login_t self:process setrlimit;
dontaudit $1_login_t sysfs_t:dir search;
# Set exec context.
can_setexec($1_login_t)
allow $1_login_t autofs_t:dir { search read getattr };
allow $1_login_t mnt_t:dir r_dir_perms;
if (use_nfs_home_dirs) {
r_dir_file($1_login_t, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1_login_t, cifs_t)
}
# Login can polyinstantiate
polyinstantiater($1_login_t)
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process signull;
')
ifdef(`crack.te', `
allow $1_login_t crack_db_t:file r_file_perms;
')
# Permit login to search the user home directories.
allow $1_login_t home_root_t:dir search;
allow $1_login_t home_dir_type:dir search;
# Write to /var/run/utmp.
allow $1_login_t var_run_t:dir search;
allow $1_login_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow $1_login_t var_log_t:dir search;
allow $1_login_t wtmp_t:file rw_file_perms;
# Write to /var/log/lastlog.
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
allow $1_login_t faillog_t:file { lock append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
allow $1_login_t mail_spool_t:file getattr;
allow $1_login_t mail_spool_t:lnk_file read;
# Get security policy decisions.
can_getsecurity($1_login_t)
# allow read access to default_contexts in /etc/security
allow $1_login_t default_context_t:file r_file_perms;
allow $1_login_t default_context_t:dir search;
r_dir_file($1_login_t, selinux_config_t)
allow $1_login_t mouse_device_t:chr_file { getattr setattr };
ifdef(`targeted_policy',`
unconfined_domain($1_login_t)
domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
')
')dnl end login_domain macro
#################################
#
# Rules for the local_login_t domain.
#
# local_login_t is the domain of a login process
# spawned by getty.
#
# remote_login_t is the domain of a login process
# spawned by rlogind.
#
# login_exec_t is the type of the login program
#
type login_exec_t, file_type, sysadmfile, exec_type;
login_domain(local)
# But also permit other user domains to be entered by login.
login_spawn_domain(local_login, userdomain)
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
# Create lock file.
lock_domain(local_login)
# Read and write ttys.
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
# Relabel ttys.
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
ifdef(`gpm.te',
`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };
dontaudit local_login_t init_t:fd use;
#################################
#
# Rules for the remote_login_t domain.
#
login_domain(remote)
# Only permit unprivileged user domains to be entered via rlogin,
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
can_access_pty(remote_login_t, rlogind)
# Relabel ptys created by rlogind.
allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
can_access_pty(remote_login_t, telnetd)
# Relabel ptys created by telnetd.
allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
')
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
allow remote_login_t fs_t:filesystem { getattr };
# Allow remote login to resolve host names (passed in via the -h switch)
can_resolve(remote_login_t)
ifdef(`use_mcs', `
ifdef(`getty.te', `
range_transition getty_t login_exec_t s0 - s0:c0.c127;
')
')
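Review bot: `login_domain` gives every instance `mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade`, and it is then instantiated as `login_domain(remote)` for a domain the file itself says uses `very weak authentication`, so the rlogin path receives the full set of MLS file overrides, including upgrade and downgrade. Either pass the MLS attributes as a macro argument so remote_login_t gets only what it needs (mlsprocsetsl for setting the session level is the obvious one), or document why each override is required for the remote case. Also, the `# FIXME: what is this for?` above `allow xdm_t $1_login_t:process signull;` should be resolved or the rule removed, and `range_transition getty_t login_exec_t s0 - s0:c0.c127;` is wrapped in `ifdef(`use_mcs', ...)`, so under the MLS build nothing in this file sets the range of the login process spawned by getty; confirm that is intended.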
