convert relevant conditionals into tunable_policy

This commit is contained in:
Chris PeBenito 2005-06-14 14:43:04 +00:00
parent 65a27ee05d
commit 3eed10909e
9 changed files with 76 additions and 83 deletions

View File

@ -30,6 +30,11 @@ gen_tunable(cron_can_relabel,false)
## </tunable> ## </tunable>
gen_tunable(fcron_crond,false) gen_tunable(fcron_crond,false)
## <tunable name="allow_gpg_execstack" dftval="false">
## Allow gpg executable stack
## </tunable>
gen_tunable(allow_gpg_execstack,false)
## <tunable name="read_default_t" dftval="false"> ## <tunable name="read_default_t" dftval="false">
## Allow reading of default_t files. ## Allow reading of default_t files.
## </tunable> ## </tunable>
@ -72,6 +77,11 @@ gen_tunable(user_dmesg,false)
## </tunable> ## </tunable>
gen_tunable(user_net_control,false) gen_tunable(user_net_control,false)
## <tunable name="user_ping" dftval="false">
## Control users use of ping and traceroute
## </tunable>
gen_tunable(user_ping,false)
## <tunable name="user_rw_noexattrfile" dftval="false"> ## <tunable name="user_rw_noexattrfile" dftval="false">
## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) ## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
## </tunable> ## </tunable>

View File

@ -73,21 +73,7 @@ allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file r_file_perms; allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use; allow consoletype_t system_crond_t:fd use;
optional_policy(`ypbind.te', ` can_ypbind(consoletype_t)
if (allow_ypbind) {
can_network(consoletype_t)
r_dir_file(consoletype_t,var_yp_t)
corenet_tcp_bind_generic_port(consoletype_t)
corenet_udp_bind_generic_port(consoletype_t)
corenet_tcp_bind_reserved_port(consoletype_t)
corenet_udp_bind_reserved_port(consoletype_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t)
corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t)
dontaudit consoletype_t self:capability net_bind_service;
} else {
dontaudit consoletype_t var_yp_t:dir search;
}
') dnl end ypbind optional_policy
optional_policy(`automount.te', ` optional_policy(`automount.te', `
allow consoletype_t autofs_t:dir { search getattr }; allow consoletype_t autofs_t:dir { search getattr };

View File

@ -24,11 +24,6 @@ type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t) init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t; role system_r types traceroute_t;
#
# Control users use of ping and traceroute
#
bool user_ping false;
######################################## ########################################
# #
# Netutils local policy # Netutils local policy
@ -129,10 +124,10 @@ sysnet_read_config(ping_t)
logging_send_syslog_msg(ping_t) logging_send_syslog_msg(ping_t)
if (user_ping) { tunable_policy(`user_ping',`
term_use_all_user_ttys(ping_t) term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t) term_use_all_user_ptys(ping_t)
} ')
ifdef(`TODO',` ifdef(`TODO',`
can_ypbind(ping_t) can_ypbind(ping_t)
@ -143,10 +138,11 @@ allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
in_user_role(ping_t) in_user_role(ping_t)
if (user_ping) { tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
} ')
') dnl end TODO ') dnl end TODO
######################################## ########################################
@ -192,10 +188,10 @@ dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t) dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t) files_read_usr_files(traceroute_t)
if (user_ping) { tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t) term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t) term_use_all_user_ptys(traceroute_t)
} ')
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types traceroute_t; role sysadm_r types traceroute_t;
@ -210,9 +206,9 @@ allow traceroute_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
in_user_role(traceroute_t) in_user_role(traceroute_t)
if (user_ping) { tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
} ')
#rules needed for nmap #rules needed for nmap
dontaudit traceroute_t userdomain:dir search; dontaudit traceroute_t userdomain:dir search;

View File

@ -94,14 +94,14 @@ define(`gpg_per_userdomain_template',`
sysnet_read_config($1_gpg_t) sysnet_read_config($1_gpg_t)
# Legacy # Legacy
if (allow_gpg_execstack) { tunable_policy(`allow_gpg_execstack',`
allow $1_gpg_t self:process execmem; allow $1_gpg_t self:process execmem;
libs_legacy_use_shared_libs($1_gpg_t) libs_legacy_use_shared_libs($1_gpg_t)
libs_legacy_use_ld_so($1_gpg_t) libs_legacy_use_ld_so($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t) miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed... # Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod; allow $1_gpg_t gpg_exec_t:file execmod;
} ')
ifdef(`TODO',` ifdef(`TODO',`
@ -134,12 +134,12 @@ define(`gpg_per_userdomain_template',`
# allow the usual access to /tmp # allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_t, nfs_t) create_dir_file($1_gpg_t, nfs_t)
} ')
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_t, cifs_t) create_dir_file($1_gpg_t, cifs_t)
} ')
rw_dir_create_file($1_gpg_t, $1_file_type) rw_dir_create_file($1_gpg_t, $1_file_type)
@ -199,12 +199,12 @@ define(`gpg_per_userdomain_template',`
ifdef(`TODO',` ifdef(`TODO',`
if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
dontaudit $1_gpg_helper_t nfs_t:file { read write }; dontaudit $1_gpg_helper_t nfs_t:file { read write };
} ')
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
dontaudit $1_gpg_helper_t cifs_t:file { read write }; dontaudit $1_gpg_helper_t cifs_t:file { read write };
} ')
# communicate with the user # communicate with the user
allow $1_gpg_helper_t $1_t:fd use; allow $1_gpg_helper_t $1_t:fd use;
@ -261,12 +261,12 @@ define(`gpg_per_userdomain_template',`
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_agent_t, nfs_t) create_dir_file($1_gpg_agent_t, nfs_t)
} ')
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_agent_t, cifs_t) create_dir_file($1_gpg_agent_t, cifs_t)
} ')
# gpg connect # gpg connect
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
@ -327,19 +327,19 @@ define(`gpg_per_userdomain_template',`
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write; dontaudit $1_gpg_pinentry_t $1_home_t:file write;
if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
allow $1_gpg_pinentry_t nfs_t:file r_file_perms; allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write; dontaudit $1_gpg_pinentry_t nfs_t:file write;
} ')
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
allow $1_gpg_pinentry_t cifs_t:file r_file_perms; allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:file write; dontaudit $1_gpg_pinentry_t cifs_t:file write;
} ')
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
') dnl end TODO ') dnl end TODO

View File

@ -6,9 +6,6 @@ policy_module(gpg, 1.0)
# Declarations # Declarations
# #
# Allow gpg exec stack
bool allow_gpg_execstack false;
# Type for gpg or pgp executables. # Type for gpg or pgp executables.
type gpg_exec_t; type gpg_exec_t;
type gpg_helper_exec_t; type gpg_helper_exec_t;

View File

@ -116,9 +116,9 @@ define(`mta_per_userdomain_template',`
# Create dead.letter in user home directories. # Create dead.letter in user home directories.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
rw_dir_create_file($1_mail_t, cifs_t) rw_dir_create_file($1_mail_t, cifs_t)
} ')
# if you do not want to allow dead.letter then use the following instead # if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;

View File

@ -92,10 +92,10 @@ allow remote_login_t bin_t:dir r_dir_perms;
allow remote_login_t bin_t:notdevfile_class_set r_file_perms; allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
allow remote_login_t sbin_t:dir r_dir_perms; allow remote_login_t sbin_t:dir r_dir_perms;
allow remote_login_t sbin_t:notdevfile_class_set r_file_perms; allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) { tunable_policy(`read_default_t',`
allow remote_login_t default_t:dir r_dir_perms; allow remote_login_t default_t:dir r_dir_perms;
allow remote_login_t default_t:notdevfile_class_set r_file_perms; allow remote_login_t default_t:notdevfile_class_set r_file_perms;
} ')
# Read directories and files with the readable_t type. # Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files. # This type is a general type for "world"-readable files.
@ -116,13 +116,13 @@ dontaudit remote_login_t sysfs_t:dir search;
allow remote_login_t autofs_t:dir r_dir_perms; allow remote_login_t autofs_t:dir r_dir_perms;
allow remote_login_t mnt_t:dir r_dir_perms; allow remote_login_t mnt_t:dir r_dir_perms;
if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
r_dir_file(remote_login_t, nfs_t) r_dir_file(remote_login_t, nfs_t)
} ')
if (use_samba_home_dirs) { tunable_policy(`use_samba_home_dirs',`
r_dir_file(remote_login_t, cifs_t) r_dir_file(remote_login_t, cifs_t)
} ')
# FIXME: what is this for? # FIXME: what is this for?
ifdef(`xdm.te', ` ifdef(`xdm.te', `

View File

@ -124,10 +124,11 @@ allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms; allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms; allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms; allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) {
tunable_policy(`read_default_t',`
allow local_login_t default_t:dir r_dir_perms; allow local_login_t default_t:dir r_dir_perms;
allow local_login_t default_t:notdevfile_class_set r_file_perms; allow local_login_t default_t:notdevfile_class_set r_file_perms;
} ')
# Read directories and files with the readable_t type. # Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files. # This type is a general type for "world"-readable files.
@ -182,13 +183,14 @@ allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices. # Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr }; allow local_login_t power_device_t:chr_file { getattr setattr };
#if (use_nfs_home_dirs) { tunable_policy(`use_nfs_home_dirs',`
#r_dir_file(local_login_t, nfs_t) r_dir_file(local_login_t, nfs_t)
#} ')
tunable_policy(`use_samba_home_dirs',`
r_dir_file(local_login_t, cifs_t)
')
#if (use_samba_home_dirs) {
#r_dir_file(local_login_t, cifs_t)
#}
') dnl endif TODO ') dnl endif TODO
################################# #################################

View File

@ -238,10 +238,10 @@ define(`base_user_domain',`
# /initrd is left mounted, various programs try to look at it # /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr; dontaudit $1_t ramfs_t:dir getattr;
if (read_default_t) { tunable_policy(`read_default_t',`
allow $1_t default_t:dir r_dir_perms; allow $1_t default_t:dir r_dir_perms;
allow $1_t default_t:notdevfile_class_set r_file_perms; allow $1_t default_t:notdevfile_class_set r_file_perms;
} ')
# #
# Running ifconfig as a user generates the following # Running ifconfig as a user generates the following
@ -254,10 +254,10 @@ define(`base_user_domain',`
can_ypbind($1_t) can_ypbind($1_t)
if (allow_execmod) { tunable_policy(`allow_execmod',`
# Allow text relocations on system shared libraries, e.g. libGL. # Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod; allow $1_t texrel_shlib_t:file execmod;
} ')
allow $1_t fs_type:dir getattr; allow $1_t fs_type:dir getattr;
@ -275,17 +275,19 @@ define(`base_user_domain',`
allow $1_t autofs_t:dir { getattr search }; allow $1_t autofs_t:dir { getattr search };
can_exec($1_t, { removable_t noexattrfile } ) can_exec($1_t, { removable_t noexattrfile } )
if (user_rw_noexattrfile) {
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile) create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t) create_dir_file($1_t, removable_t)
# Write floppies # Write floppies
allow $1_t removable_device_t:blk_file rw_file_perms; allow $1_t removable_device_t:blk_file rw_file_perms;
allow $1_t usbtty_device_t:chr_file write; allow $1_t usbtty_device_t:chr_file write;
} else { ',`
r_dir_file($1_t, noexattrfile) r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t) r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms; allow $1_t removable_device_t:blk_file r_file_perms;
} ')
allow $1_t usbtty_device_t:chr_file read; allow $1_t usbtty_device_t:chr_file read;
can_exec($1_t, noexattrfile) can_exec($1_t, noexattrfile)
@ -526,15 +528,15 @@ define(`user_domain_template', `
') ')
ifdef(`ftpd.te', ` ifdef(`ftpd.te', `
if (ftp_home_dir) { tunable_policy(`ftp_home_dir',`
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
} ')
') ')
if (read_default_t) { tunable_policy(`read_default_t',`
allow $1 default_t:dir r_dir_perms; allow $1 default_t:dir r_dir_perms;
allow $1 default_t:notdevfile_class_set r_file_perms; allow $1 default_t:notdevfile_class_set r_file_perms;
} ')
can_exec($1_t, usr_t) can_exec($1_t, usr_t)
@ -557,11 +559,11 @@ define(`user_domain_template', `
allow $1_t var_lib_t:file { getattr read }; allow $1_t var_lib_t:file { getattr read };
# Allow users to rw usb devices # Allow users to rw usb devices
if (user_rw_usb) { tunable_policy(`user_rw_usb',`
rw_dir_create_file($1_t,usbdevfs_t) rw_dir_create_file($1_t,usbdevfs_t)
} else { ',`
r_dir_file($1_t,usbdevfs_t) r_dir_file($1_t,usbdevfs_t)
} ')
# Do not audit write denials to /etc/ld.so.cache. # Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write; dontaudit $1_t ld_so_cache_t:file write;
@ -765,10 +767,10 @@ define(`admin_domain_template',`
ifdef(`xdm.te', ` ifdef(`xdm.te', `
ifdef(`xauth.te', ` ifdef(`xauth.te', `
if (xdm_sysadm_login) { tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search; allow xdm_t $1_home_t:dir search;
} ')
allow $1_t xdm_t:fifo_file rw_file_perms; allow $1_t xdm_t:fifo_file rw_file_perms;
') ')
') ')