add some file_t interfaces, and console write

This commit is contained in:
Chris PeBenito 2005-05-31 21:25:45 +00:00
parent b8fca44d3f
commit 3b857eae09
19 changed files with 227 additions and 115 deletions


@ -37,7 +37,7 @@ kernel_ignore_read_system_state(consoletype_t)
filesystem_get_all_filesystems_attributes(consoletype_t)
terminal_ignore_use_console(consoletype_t)
terminal_use_console(consoletype_t)
terminal_use_general_physical_terminal(consoletype_t)
init_use_file_descriptors(consoletype_t)
@ -69,7 +69,6 @@ allow consoletype_t sysadm_t:fd use;
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
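Review bot: Swapping `terminal_ignore_use_console(consoletype_t)` for `terminal_use_console(consoletype_t)` turns a silenced denial into a grant of `rw_file_perms` on console_device_t, while this same commit adds the narrower `terminal_write_console` interface. consoletype only inspects the terminal it is attached to, so if the observed denials were getattr/ioctl rather than read/write, a narrower interface would be the least-privilege choice; worth confirming against the audit log before granting full read/write. A one-line comment such as `# consoletype probes the console with ioctl; needs rw for ...` would record the reason either way. The second hunk sits in the middle of consoletype_t's local policy, which continues outside it.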


@ -33,6 +33,8 @@ terminal_ignore_use_console(dmesg_t)
domain_use_widely_inheritable_file_descriptors(dmesg_t)
files_read_general_system_config_directory(dmesg_t)
# for when /usr is not mounted:
files_ignore_search_isid_type_dir(dmesg_t)
init_use_file_descriptors(dmesg_t)
init_script_use_pseudoterminal(dmesg_t)
@ -73,7 +75,4 @@ allow dmesg_t rhgb_t:fifo_file { read write };
')
allow dmesg_t autofs_t:dir { search getattr };
# for when /usr is not mounted
dontaudit dmesg_t file_t:dir search;
') dnl endif TODO


@ -1,4 +1,8 @@
# Copyright (C) 2005 Tresys Technology, LLC
## <module name="devices" layer="kernel">
## <summary>
## Policy for all devices except mass storage and terminal devices.
## </summary>
########################################
#
@ -1015,3 +1019,5 @@ type device_t, power_device_t;
class dir r_dir_perms;
class chr_file { getattr read write ioctl };
')
## </module>


@ -14,7 +14,7 @@ dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
allow $1 kernel_t:fd use;
allow kernel_t $1:fd use;
allow kernel_t $1:fifo_file rw_file_perms;
allow kernel_t $1:process sigchld;
allow $1 kernel_t:process sigchld;
')
define(`kernel_make_userland_entrypoint_depend',`
@ -406,7 +406,7 @@ class system ipc_info;
define(`kernel_get_selinuxfs_mount_point',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
allow $1 proc_t:{ file lnk_file } read;
allow $1 self:dir search;
allow $1 self:file { getattr read };
')
@ -561,6 +561,20 @@ class dir { search getattr read };
class file { getattr read };
')
########################################
#
# kernel_ignore_search_sysctl_dir(domain)
#
define(`kernel_ignore_search_sysctl_dir',`
requires_block_template(`$0'_depend)
dontaudit $1 sysctl_t:dir search;
')
define(`kernel_ignore_search_sysctl_dir_depend',`
type sysctl_t;
class dir search;
')
########################################
#
# kernel_read_device_sysctl(domain)
@ -630,6 +644,20 @@ class dir { search getattr read };
class file { getattr read write };
')
########################################
#
# kernel_ignore_search_network_sysctl_dir(domain)
#
define(`kernel_ignore_search_network_sysctl_dir',`
requires_block_template(`$0'_depend)
dontaudit $1 sysctl_net_t:dir search;
')
define(`kernel_ignore_search_network_sysctl_dir_depend',`
type sysctl_net_t;
class dir search;
')
########################################
#
# kernel_read_network_sysctl(domain)
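Review bot: The two new interfaces `kernel_ignore_search_sysctl_dir` and `kernel_ignore_search_network_sysctl_dir` carry only a bare `# name(domain)` comment, whereas `terminal_write_console` in this same commit gets the `## <interface>`/`<description>`/`<parameter>` XML block. Give them the same block, e.g. `## Do not audit attempts to search the sysctl directory.` with a `domain` parameter, so the generated interface documentation stays complete. In the same file, `kernel_get_selinuxfs_mount_point` now grants `proc_t:{ file lnk_file } read`; a short comment naming which proc file is read (presumably /proc/mounts or similar, to be confirmed) would record why the widening from lnk_file is needed. The direction fix to `allow $1 kernel_t:process sigchld;` in the first hunk looks right, since the child signals the parent.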


@ -97,15 +97,38 @@ class chr_file { getattr read write };
define(`terminal_use_all_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 devpts_t:dir { getattr search read };
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
allow $1 devpts_t:dir r_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
define(`terminal_use_all_terminals_depend',`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
class dir { getattr search read };
class chr_file { getattr read write };
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="terminal_write_console">
## <description>
## Write to the console.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`terminal_write_console',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 console_device_t:chr_file write;
')
define(`terminal_use_console_depend',`
type console_device_t;
class chr_file write;
')
########################################
@ -122,12 +145,12 @@ class chr_file { getattr read write };
define(`terminal_use_console',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 console_device_t:chr_file { getattr read write ioctl };
allow $1 console_device_t:chr_file rw_file_perms;
')
define(`terminal_use_console_depend',`
type console_device_t;
class chr_file { read write };
class chr_file rw_file_perms;
')
########################################


@ -234,3 +234,17 @@ kernel_compute_selinux_create_context($1_crontab_t)
kernel_compute_selinux_relabel_context($1_crontab_t)
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
')
########################################
#
# cron_modify_log(domain)
#
define(`cron_modify_log',`
requires_block_template(`$0'_depend)
allow $1 crond_log_t:file { getattr read write ioctl lock append };
')
define(`cron_modify_log_depend',`
type crond_log_t;
class file rw_file_perms;
')
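Review bot: `cron_modify_log` spells out `{ getattr read write ioctl lock append }` in the allow rule but declares `class file rw_file_perms;` in its depend block; the two should use the same form so they cannot drift, e.g. `allow $1 crond_log_t:file rw_file_perms;`. The interface also has only the bare `# cron_modify_log(domain)` comment while `terminal_write_console` in this commit has the full `## <interface>` XML block; add the same block with a description such as `## Read and write the cron log.`, since the interface grants read as well as write and the name "modify" undersells that. An `<infoflow type="both" .../>` tag would match the one given to `terminal_write_console`.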


@ -1,6 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
policy_module(consoletype, 1.0)
policy_module(cron, 1.0)
########################################
#
@ -67,7 +67,7 @@ allow crond_t self:msg { send receive };
allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow crond_t crond_var_run_t:file { getattr create read write append setattr unlink };
allow crond_t crond_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(crond_t,crond_var_run_t)
allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
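Review bot: Replacing the explicit `{ getattr create read write append setattr unlink }` on crond_var_run_t with `create_file_perms` grants more than the original (judging by the crond_log_t rule two lines above, which spells out `{ create ioctl read getattr lock write setattr append link unlink rename }`), so this is a widening rather than a pure tidy-up; if crond only needs to create and rewrite its pid file, keep the narrower set or note why link and rename are wanted. The added `files_create_daemon_runtime_data(crond_t,crond_var_run_t)` is called with two arguments, while the logging.te changes in this commit call it with a third object-class argument (`...,syslogd_var_run_t,file)`); confirm the two-argument form is valid for this interface or pass `file` explicitly. The `policy_module(consoletype, 1.0)` to `policy_module(cron, 1.0)` correction is right. The second hunk is a fragment of crond_t's local policy, which continues beyond it.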


@ -48,6 +48,8 @@ init_script_use_pseudoterminal(hwclock_t)
domain_use_widely_inheritable_file_descriptors(hwclock_t)
files_read_general_system_config_directory(hwclock_t)
# for when /usr is not mounted:
files_ignore_search_isid_type_dir(hwclock_t)
libraries_use_dynamic_loader(hwclock_t)
libraries_use_shared_libraries(hwclock_t)
@ -93,7 +95,4 @@ optional_policy(`apmd.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
')
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
') dnl end TODO


@ -621,6 +621,34 @@ type etc_t;
class dir { getattr search read write add_name remove_name };
')
########################################
#
# files_ignore_get_isid_type_dir_attrib(domain)
#
define(`files_ignore_get_isid_type_dir_attrib',`
requires_block_template(`$0'_depend)
dontaudit $1 file_t:dir search;
')
define(`files_ignore_get_isid_type_dir_attrib_depend',`
type file_t;
class dir search;
')
########################################
#
# files_ignore_search_isid_type_dir(domain)
#
define(`files_ignore_search_isid_type_dir',`
requires_block_template(`$0'_depend)
dontaudit $1 file_t:dir search;
')
define(`files_ignore_search_isid_type_dir_depend',`
type file_t;
class dir search;
')
########################################
## <interface name="files_list_home_directories">
## <description>


@ -43,6 +43,9 @@ init_script_use_pseudoterminal(hostname_t)
domain_use_widely_inheritable_file_descriptors(hostname_t)
# for when /usr is not mounted:
files_ignore_search_isid_type_dir(hostname_t)
libraries_use_dynamic_loader(hostname_t)
libraries_use_shared_libraries(hostname_t)
@ -100,8 +103,4 @@ allow hostname_t rhgb_t:fifo_file { read write };
allow hostname_t autofs_t:dir { search getattr };
##end daemon_base_domain
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
') dnl end TODO


@ -78,6 +78,8 @@ domain_use_widely_inheritable_file_descriptors(hotplug_t)
files_read_general_system_config(hotplug_t)
files_manage_runtime_system_config(hotplug_t)
files_execute_system_config_script(hotplug_t)
# for when filesystems are not mounted early in the boot:
files_ignore_search_isid_type_dir(hotplug_t)
init_use_file_descriptors(hotplug_t)
init_script_use_pseudoterminal(hotplug_t)
@ -173,8 +175,6 @@ dbusd_client(system, hotplug)
allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# for ps
dontaudit hotplug_t domain:dir { getattr search };
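Review bot: The replaced rule `dontaudit hotplug_t file_t:dir { search getattr };` silenced both search and getattr, but the new `files_ignore_search_isid_type_dir(hotplug_t)` only covers search (its body in files.te is `dontaudit $1 file_t:dir search;`), so getattr denials on file_t directories during early boot will reappear in the audit log. Either add `files_ignore_get_isid_type_dir_attrib(hotplug_t)` next to it (once that interface actually dontaudits getattr, which in this commit it does not) or keep a local `dontaudit hotplug_t file_t:dir getattr;`. Both hunks are fragments of hotplug_t's local policy, which extends beyond them.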


@ -6,17 +6,28 @@
#
define(`init_make_init_domain',`
requires_block_template(`$0'_depend)
domain_make_domain($1)
domain_make_entrypoint_file($1,$2)
role system_r types $1;
allow init_t $1:process transition;
allow init_t $2:file { getattr read execute };
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
type_transition init_t $2:process $1;
allow $1 init_t:fd use;
allow init_t $1:fd use;
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors($1)
files_ignore_read_rootfs_file($1)
')
')
define(`init_make_init_domain_depend',`
@ -34,17 +45,28 @@ role system_r;
#
define(`init_make_daemon_domain',`
requires_block_template(`$0'_depend)
domain_make_domain($1)
domain_make_entrypoint_file($1,$2)
role system_r types $1;
allow initrc_t $1:process transition;
allow initrc_t $2:file { getattr read execute };
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors($1)
files_ignore_read_rootfs_file($1)
')
')
define(`init_make_daemon_domain_depend',`
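Review bot: Both `init_make_init_domain` and `init_make_daemon_domain` wrap the Red Hat dontaudits in `optional_policy(`distro_redhat',...)`, but elsewhere in this commit `optional_policy` takes a module file (`optional_policy(`authlogin.te',...)`) and build-time selections use `ifdef`/`tunable_policy`; if `distro_redhat` is a build define rather than a module, this block should be `ifdef(`distro_redhat',`` or the dontaudits will never be emitted. The hand-written transition sequence (process transition, file execute, noatsecure/siginh/rlimitinh dontaudit, type_transition, fd use both ways, fifo rw, sigchld) is now duplicated in both interfaces and again in sysnetwork.te for dhcpc_t to ifconfig_t; a shared domain-transition interface would keep the three copies in step. The `_depend` blocks that must declare the newly referenced types and classes start after the hunk and are not visible here.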


@ -61,6 +61,15 @@ files_make_temporary_file(initrc_tmp_t)
# Init local policy
#
# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
allow init_t self:fifo_file { read write ioctl };
# Re-exec itself
@ -74,6 +83,9 @@ allow init_t initctl_t:fifo_file { create getattr read append write setattr unli
filesystem_tmpfs_associate(initctl_t)
devices_create_dev_entry(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { getattr read write setattr lock };
# Run init scripts. this is ok since initrc
# is also in this module
allow init_t initrc_t:process transition;
@ -109,6 +121,8 @@ domain_sigchld_all_domains(init_t)
files_read_general_system_config(init_t)
files_modify_system_runtime_data(init_t)
files_ignore_search_isid_type_dir(init_t)
files_manage_runtime_system_config(init_t)
# Run /etc/X11/prefdm:
files_execute_system_config_script(init_t)
# file descriptors inherited from the rootfs:
@ -117,8 +131,10 @@ files_ignore_modify_rootfs_device(init_t)
libraries_use_dynamic_loader(init_t)
libraries_use_shared_libraries(init_t)
libraries_modify_dynamic_loader_cache(init_t)
logging_send_system_log_message(init_t)
logging_modify_system_logs(init_t)
selinux_read_config(init_t)
@ -129,39 +145,15 @@ filesystem_use_tmpfs_character_devices(init_t)
filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
')
optional_policy(`authlogin.te',`
authlogin_modify_login_records(init_t)
')
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
userdomain_sysadm_shell_transition(init_t)
')
########################################
#
# the following seem questionable
#
libraries_modify_dynamic_loader_cache(init_t)
files_manage_runtime_system_config(init_t)
authlogin_modify_login_records(init_t)
logging_modify_system_logs(init_t)
# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
# Modify utmp.
allow init_t initrc_var_run_t:file { getattr read write setattr lock };
ifdef(`TODO',`
# for mount points
allow init_t file_t:dir search;
') dnl end TODO
########################################
#
# Init script local policy
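Review bot: `allow init_t self:capability ~sys_module;` is moved out of the "the following seem questionable" section into the main init_t policy together with a comment that lists only sys_boot, sys_tty_config and setuid as actually observed, so the relocation drops the one marker that this near-total capability set is unreviewed. If the observed list is complete, narrow it to `allow init_t self:capability { sys_boot sys_tty_config setuid };`; otherwise keep a `# TODO: narrow from ~sys_module once the needed capabilities are confirmed` comment next to it. Likewise `libraries_modify_dynamic_loader_cache`, `files_manage_runtime_system_config`, `authlogin_modify_login_records` and `logging_modify_system_logs` move up without comment; a note on why init itself needs write access to the loader cache and system logs would preserve the earlier reviewer's doubt. The replacement of the TODO `allow init_t file_t:dir search;` ("for mount points") with a dontaudit is a deliberate narrowing and worth a line saying the access was confirmed unnecessary.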


@ -207,6 +207,8 @@ kernel_read_system_state(sulogin_t)
init_script_get_process_group(sulogin_t)
files_read_general_system_config(sulogin_t)
# because file systems are not mounted:
files_ignore_search_isid_type_dir(sulogin_t)
libraries_use_dynamic_loader(sulogin_t)
libraries_use_shared_libraries(sulogin_t)
@ -250,7 +252,4 @@ allow sulogin_t autofs_t:dir { search getattr };
')
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
# because file systems are not mounted
dontaudit sulogin_t file_t:dir search;
') dnl endif TODO


@ -35,10 +35,10 @@ files_make_file(var_log_t)
# klogd local policy
#
allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
allow klogd_t klogd_tmp_t:file create_file_perms;
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
allow klogd_t klogd_var_run_t:file create_file_perms;
allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability sys_resource;
@ -60,6 +60,8 @@ files_read_runtime_system_config(klogd_t)
# read /etc/nsswitch.conf
files_read_general_system_config(klogd_t)
init_use_file_descriptors(klogd_t)
libraries_use_dynamic_loader(klogd_t)
libraries_use_shared_libraries(klogd_t)
@ -77,12 +79,15 @@ allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys
dontaudit syslogd_t self:capability sys_tty_config;
# create/append log files.
allow syslogd_t var_log_t:dir { read getattr search add_name write };
allow syslogd_t var_log_t:file { create ioctl getattr setattr append link };
allow syslogd_t var_log_t:dir rw_dir_perms;
allow syslogd_t var_log_t:file create_file_perms;
# manage temporary files
allow syslogd_t syslogd_tmp_t:file { getattr create read write append setattr unlink };
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
allow syslogd_t syslogd_tmp_t:file create_file_perms;
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
# receive messages to be logged
allow syslogd_t devlog_t:unix_stream_socket name_bind;
@ -94,6 +99,7 @@ allow syslogd_t self:fifo_file { getattr read write ioctl lock };
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
# manage pid file
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
@ -129,9 +135,6 @@ init_script_use_pseudoterminal(syslogd_t)
domain_use_widely_inheritable_file_descriptors(syslogd_t)
files_read_general_system_config(syslogd_t)
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
libraries_use_dynamic_loader(syslogd_t)
libraries_use_shared_libraries(syslogd_t)
@ -145,7 +148,7 @@ userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
#
# /initrd is not umounted before minilog starts
#
#dontaudit syslogd_t file_t:dir search;
files_ignore_search_isid_type_dir(syslogd_t)
#allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
@ -159,6 +162,12 @@ kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
')
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t)
files_ignore_read_rootfs_file(syslogd_t)
')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(syslogd_t)
')
@ -167,10 +176,8 @@ optional_policy(`udev.te', `
udev_read_database(syslogd_t)
')
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t)
files_ignore_read_rootfs_file(syslogd_t)
optional_policy(`cron.te',`
cron_modify_log(syslogd_t)
')
ifdef(`TODO',`
@ -198,8 +205,6 @@ can_ypbind(syslogd_t)
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
ifdef(`crond.te', `
# Write to the cron log.
allow syslogd_t crond_log_t:file rw_file_perms;
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
')
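Review bot: `allow syslogd_t var_log_t:file create_file_perms;` replaces `{ create ioctl getattr setattr append link }`, which deliberately let syslogd create and append to log files without read, write, unlink or rename; the new macro (spelled out in the crond_log_t rule in cron.te as `{ create ioctl read getattr lock write setattr append link unlink rename }`) lets a compromised syslogd truncate, rewrite or delete existing logs, and the accompanying `var_log_t:dir rw_dir_perms` adds remove_name on the directory, undoing the append-only property that is the main reason for confining a log daemon. Keep the original explicit sets (or an append-only macro) unless a specific denial requires more, and name that denial in a comment. The same hunk leaves the older `allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };` under "# manage pid file" as a now-redundant subset of the new `create_file_perms` rule a few lines above it.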


@ -117,6 +117,8 @@ domain_use_widely_inheritable_file_descriptors(lvm_t)
files_search_system_state_data_directory(lvm_t)
files_read_general_system_config(lvm_t)
files_read_runtime_system_config(lvm_t)
# for when /usr is not mounted:
files_ignore_search_isid_type_dir(lvm_t)
init_use_file_descriptors(lvm_t)
init_ignore_get_control_channel_attributes(lvm_t)
@ -159,9 +161,6 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
dontaudit lvm_t var_run_t:dir getattr;
# for when /usr is not mounted
dontaudit lvm_t file_t:dir search;
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;
')


@ -80,8 +80,10 @@ files_read_runtime_system_config(insmod_t)
files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t)
files_execute_system_config_script(insmod_t)
# for nscd
# for nscd:
files_ignore_search_runtime_data_directory(insmod_t)
# for when /var is not mounted early in the boot:
files_ignore_search_isid_type_dir(insmod_t)
init_use_control_channel(insmod_t)
init_use_file_descriptors(insmod_t)
@ -113,10 +115,6 @@ allow insmod_t xserver_log_t:file getattr;
# why is this needed? insmod cannot mounton any dir
# and it also transitions to mount
allow insmod_t usbfs_t:filesystem mount;
# for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search;
') dnl if TODO
########################################


@ -45,7 +45,12 @@ files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
# transition to ifconfig
allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
allow dhcpc_t ifconfig_t:process transition;
type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
allow dhcpc_t ifconfig_t:fd use;
allow ifconfig_t dhcpc_t:fd use;
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
allow ifconfig_t dhcpc_t:process sigchld;
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@ -253,6 +258,8 @@ files_read_general_system_config(ifconfig_t);
kernel_use_file_descriptors(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_ignore_search_sysctl_dir(ifconfig_t)
kernel_ignore_search_network_sysctl_dir(ifconfig_t)
filesystem_get_persistent_filesystem_attributes(ifconfig_t)
@ -290,11 +297,6 @@ ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
# see the denials.
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
optional_policy(`rhgb.te', `
allow ifconfig_t rhgb_t:process sigchld;
allow ifconfig_t rhgb_t:fd use;
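Review bot: The dhcpc_t to ifconfig_t transition is now written out by hand as seven rules (transition, execute, noatsecure/siginh/rlimitinh dontaudit, type_transition, fd use both ways, fifo rw, sigchld), the same sequence this commit also adds inside `init_make_init_domain` and `init_make_daemon_domain`, whereas hwclock.te in the same commit still relies on `domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)`. Factoring the sequence into one domain-transition interface and calling it here would keep the three copies consistent and let later additions land everywhere at once. The hunk is a fragment of dhcpc_t's local policy, which continues outside it.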


@ -92,6 +92,7 @@ domain_ignore_read_all_domains_process_dirs(udev_t)
files_read_runtime_system_config(udev_t)
files_read_general_system_config(udev_t)
files_execute_system_config_script(udev_t)
files_ignore_search_isid_type_dir(udev_t)
init_use_file_descriptors(udev_t)
init_script_read_runtime_data(udev_t)
@ -150,7 +151,6 @@ allow udev_t sysadm_tty_device_t:chr_file { read write };
# Dontaudits
dontaudit udev_t staff_home_dir_t:dir search;
dontaudit udev_t file_t:dir search;
dontaudit udev_t ttyfile:chr_file unlink;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };