cleanup inspired by sediff

This commit is contained in:
Chris PeBenito 2005-05-27 21:56:01 +00:00
parent 16e9b0cb6b
commit 32e53ac1b8
6 changed files with 167 additions and 27 deletions

View File

@ -254,6 +254,12 @@ kernel_compute_selinux_relabel_context(rpm_script_t)
kernel_compute_selinux_reachable_user_contexts(rpm_script_t) kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t) kernel_read_system_state(rpm_script_t)
# ideally we would not need this
devices_manage_generic_block_devices(rpm_script_t)
devices_manage_generic_character_devices(rpm_script_t)
devices_manage_all_block_devices(rpm_script_t)
devices_manage_all_character_devices(rpm_script_t)
filesystem_manage_nfs_files(rpm_script_t) filesystem_manage_nfs_files(rpm_script_t)
filesystem_get_nfs_filesystem_attributes(rpm_script_t) filesystem_get_nfs_filesystem_attributes(rpm_script_t)
# why is this not using mount? # why is this not using mount?
@ -274,6 +280,7 @@ authlogin_manage_all_files_except_shadow(rpm_script_t)
corecommands_execute_general_programs(rpm_script_t) corecommands_execute_general_programs(rpm_script_t)
corecommands_execute_system_programs(rpm_script_t) corecommands_execute_system_programs(rpm_script_t)
domain_read_all_domains_process_state(rpm_script_t)
domain_use_widely_inheritable_file_descriptors(rpm_script_t) domain_use_widely_inheritable_file_descriptors(rpm_script_t)
domain_execute_all_entrypoint_programs(rpm_script_t) domain_execute_all_entrypoint_programs(rpm_script_t)
domain_signal_all_domains(rpm_script_t) domain_signal_all_domains(rpm_script_t)
@ -310,24 +317,12 @@ ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms; allow rpm_script_t sysfs_t:dir r_dir_perms;
# ideally we would not need this
allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans }; allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
allow rpm_script_t autofs_t:dir { search getattr }; allow rpm_script_t autofs_t:dir { search getattr };
can_ypbind(rpm_script_t) can_ypbind(rpm_script_t)
allow rpm_script_t domain:dir { search getattr read };
allow rpm_script_t domain:{ file lnk_file } { read getattr };
allow rpm_script_t domain:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit rpm_script_t domain:process ptrace;
optional_policy(`automount.te', ` optional_policy(`automount.te', `
allow rpm_script_t autofs_t:dir { search getattr }; allow rpm_script_t autofs_t:dir { search getattr };
') ')

View File

@ -298,9 +298,6 @@ devices_get_pseudorandom_data(passwd_t)
filesystem_get_persistent_filesystem_attributes(passwd_t) filesystem_get_persistent_filesystem_attributes(passwd_t)
terminal_use_all_private_physical_terminals(passwd_t)
terminal_use_all_private_pseudoterminals(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_script_ignore_modify_runtime_data(passwd_t) init_script_ignore_modify_runtime_data(passwd_t)
@ -320,7 +317,10 @@ miscfiles_read_localization(passwd_t)
authlogin_manage_shadow_passwords(passwd_t) authlogin_manage_shadow_passwords(passwd_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types passwd_t;
ifdef(`firstboot.te',`
domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
')
# Update /etc/shadow and /etc/passwd # Update /etc/shadow and /etc/passwd
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@ -340,7 +340,7 @@ allow passwd_t shell_exec_t:file execute;
# user generally runs this from their home directory, so do not audit a search # user generally runs this from their home directory, so do not audit a search
# on user home dir # on user home dir
dontaudit passwd_t { user_home_dir_type user_home_type }:dir search; dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
in_user_role(passwd_t)
# make sure that getcon succeeds # make sure that getcon succeeds
allow passwd_t userdomain:dir search; allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file read; allow passwd_t userdomain:file read;
@ -356,7 +356,6 @@ allow passwd_t crack_db_t:file r_file_perms;
', ` ', `
dontaudit passwd_t var_t:dir search; dontaudit passwd_t var_t:dir search;
') ')
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
') dnl endif TODO ') dnl endif TODO
######################################## ########################################

View File

@ -218,6 +218,38 @@ class chr_file { getattr read write ioctl };
class blk_file { getattr read write ioctl }; class blk_file { getattr read write ioctl };
') ')
########################################
#
# devices_manage_generic_block_devices(domain)
#
define(`devices_manage_generic_block_devices',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name remove_name };
allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
')
define(`devices_manage_generic_block_devices_depend',`
type device_t;
class dir { getattr search read };
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
')
########################################
#
# devices_manage_generic_character_devices(domain)
#
define(`devices_manage_generic_character_devices',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name remove_name };
allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
')
define(`devices_manage_generic_character_devices_depend',`
type device_t;
class dir { getattr search read };
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
')
######################################## ########################################
# #
# devices_create_dev_entry(domain,file,objectclass(es)) # devices_create_dev_entry(domain,file,objectclass(es))
@ -324,6 +356,44 @@ attribute device_node;
class chr_file setattr; class chr_file setattr;
') ')
########################################
#
# devices_manage_all_block_devices(domain)
#
define(`devices_manage_all_block_devices',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name remove_name };
allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
')
define(`devices_manage_generic_block_devices_depend',`
attribute device_node;
class dir { getattr search read };
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
')
########################################
#
# devices_manage_all_character_devices(domain)
#
define(`devices_manage_all_character_devices',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name remove_name };
allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
typeattribute $1 memory_raw_read, memory_raw_write;
')
define(`devices_manage_all_character_devices_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
class dir { getattr search read };
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
')
######################################## ########################################
# #
# devices_raw_read_memory(domain) # devices_raw_read_memory(domain)

View File

@ -1,8 +1,17 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
## <module name="hostname" layer="keyservices">
## <summary>Policy for changing the system host name.</summary>
####################################### ########################################
# ## <interface name="hostname_transition">
# hostname_transition(domain) ## <description>
## Execute hostname in the hostname domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`hostname_transition',` define(`hostname_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,6 +27,36 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="hostname_transition_add_role_use_terminal">
## <description>
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the hostname domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the hostname domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`hostname_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
hostname_transition($1)
role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl };
')
define(`hostname_transition_add_role_use_terminal_depend',`
type hostname_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# hostname_execute(domain) # hostname_execute(domain)
@ -31,3 +70,5 @@ define(`hostname_execute_depend',`
type hostname_exec_t; type hostname_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
## </module>

View File

@ -205,6 +205,11 @@ if (user_ttyfile_stat) {
terminal_get_all_private_physical_terminal_attributes($1_t) terminal_get_all_private_physical_terminal_attributes($1_t)
} }
optional_policy(`usermanage.te',`
usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
ifdef(`TODO',` ifdef(`TODO',`
# When the user domain runs ps, there will be a number of access # When the user domain runs ps, there will be a number of access

View File

@ -75,6 +75,7 @@ bool user_tcp_server false;
# Allow w to display everyone # Allow w to display everyone
bool user_ttyfile_stat false; bool user_ttyfile_stat false;
admin_domain_template(sysadm)
user_domain_template(staff) user_domain_template(staff)
user_domain_template(user) user_domain_template(user)
@ -83,18 +84,38 @@ user_domain_template(user)
# Local policy # Local policy
# #
#allow privhome home_root_t:dir { getattr search }; # user role change rules:
define(`role_change',`
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
# sysadm_r can change to user roles
role_change(sysadm, user)
role_change(sysadm, staff)
# only staff_r can change to sysadm_r
role_change(staff, sysadm)
tunable_policy(`user_canbe_sysadm',`
role_change(user,sysadm)
')
ifdef(`TODO',`
allow privhome home_root_t:dir { getattr search };
# Add/remove user home directories # Add/remove user home directories
#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
')
######################################## ########################################
# #
# Sysadm local policy # Sysadm local policy
# #
admin_domain_template(sysadm)
# for su # for su
allow sysadm_t userdomain:fd use; allow sysadm_t userdomain:fd use;
@ -102,6 +123,14 @@ optional_policy(`bootloader.te',`
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`clock.te',`
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`hostname.te',`
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`iptables.te',` optional_policy(`iptables.te',`
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
') ')
@ -142,6 +171,7 @@ optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`clock.te',` optional_policy(`usermanage.te',`
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
') ')