diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 992493c4..3cdd2d3a 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -20,6 +20,12 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`su_per_userdomain_template',` @@ -30,9 +36,9 @@ template(`su_per_userdomain_template',` domain_subj_id_change_exempt($1_su_t) domain_obj_id_change_exempt($1_su_t) domain_wide_inherit_fd($1_su_t) - role $1_r types $1_su_t; + role $3 types $1_su_t; - allow $1_t $1_su_t:process signal; + allow $2 $1_su_t:process signal; allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; @@ -40,18 +46,18 @@ template(`su_per_userdomain_template',` allow $1_su_t self:fifo_file rw_file_perms; # Transition from the user domain to this domain. - domain_auto_trans($1_t, su_exec_t, $1_su_t) - allow $1_t $1_su_t:fd use; - allow $1_su_t $1_t:fd use; - allow $1_su_t $1_t:fifo_file rw_file_perms; - allow $1_su_t $1_t:process sigchld; + domain_auto_trans($2, su_exec_t, $1_su_t) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t,$1_t) - allow $1_t $1_su_t:fd use; - allow $1_su_t $1_t:fd use; - allow $1_su_t $1_t:fifo_file rw_file_perms; - allow $1_su_t $1_t:process sigchld; + corecmd_shell_domtrans($1_su_t,$2) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctl($1_su_t) @@ -97,7 +103,7 @@ template(`su_per_userdomain_template',` seutil_read_config($1_su_t) seutil_read_default_contexts($1_su_t) - userdom_use_user_terminals($1_su_t,$1) + userdom_use_user_terminals($1,$1_su_t) if(secure_mode) { diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index 4ff3ed5d..17fd5f24 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if @@ -20,6 +20,12 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`sudo_per_userdomain_template',` @@ -36,7 +42,7 @@ template(`sudo_per_userdomain_template',` domain_role_change_exempt($1_sudo_t) domain_obj_id_change_exempt($1_sudo_t) - role $1_r types $1_sudo_t; + role $3 types $1_sudo_t; ############################## # @@ -59,18 +65,18 @@ template(`sudo_per_userdomain_template',` allow $1_sudo_t self:msg { send receive }; # Enter this derived domain from the user domain - domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t) - allow $1_sudo_t $1_t:fd use; - allow $1_t $1_sudo_t:fd use; - allow $1_t $1_sudo_t:fifo_file rw_file_perms; - allow $1_t $1_sudo_t:process sigchld; + domain_auto_trans($2, sudo_exec_t, $1_sudo_t) + allow $1_sudo_t $2:fd use; + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t,$1_t) - allow $1_t $1_sudo_t:fd use; - allow $1_sudo_t $1_t:fd use; - allow $1_sudo_t $1_t:fifo_file rw_file_perms; - allow $1_sudo_t $1_t:process sigchld; + corecmd_shell_domtrans($1_sudo_t,$2) + allow $2 $1_sudo_t:fd use; + allow $1_sudo_t $2:fd use; + allow $1_sudo_t $2:fifo_file rw_file_perms; + allow $1_sudo_t $2:process sigchld; kernel_read_kernel_sysctl($1_sudo_t) kernel_read_system_state($1_sudo_t) @@ -121,10 +127,10 @@ template(`sudo_per_userdomain_template',` seutil_read_config($1_sudo_t) seutil_read_default_contexts($1_sudo_t) - userdom_manage_user_home_subdir_files($1_sudo_t,$1) - userdom_manage_user_home_subdir_symlinks($1_sudo_t,$1) - userdom_manage_user_tmp_files($1_sudo_t,$1) - userdom_manage_user_tmp_symlinks($1_sudo_t,$1) + userdom_manage_user_home_subdir_files($1,$1_sudo_t) + userdom_manage_user_home_subdir_symlinks($1,$1_sudo_t) + userdom_manage_user_tmp_files($1,$1_sudo_t) + userdom_manage_user_tmp_symlinks($1,$1_sudo_t) userdom_use_unpriv_users_fd($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home($1_sudo_t) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index b560223b..f27154ef 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -21,10 +21,15 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## # template(`gpg_per_userdomain_template',` - gen_require(`$0'_depend) - ######################################## # # Declarations @@ -33,12 +38,12 @@ template(`gpg_per_userdomain_template',` type $1_gpg_t; domain_type($1_gpg_t) domain_entry_file($1_gpg_t,gpg_exec_t) - role $1_r types $1_gpg_t; + role $3 types $1_gpg_t; type $1_gpg_agent_t; domain_type($1_gpg_agent_t) domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t) - role $1_r types $1_gpg_agent_t; + role $3 types $1_gpg_agent_t; type $1_gpg_agent_tmp_t; files_tmp_file($1_gpg_agent_tmp_t) @@ -48,11 +53,11 @@ template(`gpg_per_userdomain_template',` type $1_gpg_helper_t; domain_type($1_gpg_helper_t) - role $1_r types $1_gpg_helper_t; + role $3 types $1_gpg_helper_t; type $1_gpg_pinentry_t; domain_type($1_gpg_pinentry_t) - role $1_r types $1_gpg_pinentry_t; + role $3 types $1_gpg_pinentry_t; ######################################## # @@ -60,15 +65,15 @@ template(`gpg_per_userdomain_template',` # # transition from the userdomain to the derived domain - domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t) + domain_auto_trans($2,gpg_exec_t,$1_gpg_t) - allow $1_t $1_gpg_t:fd use; - allow $1_gpg_t $1_t:fd use; - allow $1_gpg_t $1_t:fifo_file rw_file_perms; - allow $1_gpg_t $1_t:process sigchld; + allow $2 $1_gpg_t:fd use; + allow $1_gpg_t $2:fd use; + allow $1_gpg_t $2:fifo_file rw_file_perms; + allow $1_gpg_t $2:process sigchld; allow $1_gpg_t self:capability { ipc_lock setuid }; - allow { $1_t $1_gpg_t } $1_gpg_t:process signal; + allow { $2 $1_gpg_t } $1_gpg_t:process signal; # setrlimit is for ulimit -c 0 allow $1_gpg_t self:process { setrlimit setcap }; @@ -79,8 +84,8 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms; - allow $1_t $1_gpg_secret_t:file getattr; - allow $1_t $1_gpg_secret_t:dir rw_dir_perms; + allow $2 $1_gpg_secret_t:file getattr; + allow $2 $1_gpg_secret_t:dir rw_dir_perms; corenet_tcp_sendrecv_all_if($1_gpg_t) corenet_raw_sendrecv_all_if($1_gpg_t) @@ -115,6 +120,8 @@ template(`gpg_per_userdomain_template',` sysnet_read_config($1_gpg_t) + userdom_use_user_terminals($1,$1_gpg_t) + # Legacy tunable_policy(`allow_gpg_execstack',` allow $1_gpg_t self:process execmem; @@ -143,7 +150,6 @@ template(`gpg_per_userdomain_template',` ifdef(`TODO',` - access_terminal($1_gpg_t, $1) ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') # allow ps to show gpg @@ -176,8 +182,8 @@ template(`gpg_per_userdomain_template',` # mail interface you will likely need additional permissions. # communicate with the user - allow $1_gpg_helper_t $1_t:fd use; - allow $1_gpg_helper_t $1_t:fifo_file write; + allow $1_gpg_helper_t $2:fd use; + allow $1_gpg_helper_t $2:fifo_file write; # transition from the gpg domain to the helper domain domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) @@ -254,17 +260,17 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto; # Allow the user shell to signal the gpg-agent program. - allow $1_t $1_gpg_agent_t:process { signal sigkill }; + allow $2 $1_gpg_agent_t:process { signal sigkill }; - allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms; - allow $1_t $1_gpg_agent_tmp_t:file create_file_perms; - allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms; + allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms; + allow $2 $1_gpg_agent_tmp_t:file create_file_perms; + allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms; files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) corecmd_search_bin($1_gpg_agent_t) # Transition from the user domain to the derived domain. - domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t) domain_use_wide_inherit_fd($1_gpg_agent_t) @@ -273,6 +279,9 @@ template(`gpg_per_userdomain_template',` miscfiles_read_localization($1_gpg_agent_t) + # Write to the user domain tty. + userdom_use_user_terminals($1,$1_gpg_agent_t) + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_gpg_agent_t) fs_manage_nfs_files($1_gpg_agent_t) @@ -289,9 +298,6 @@ template(`gpg_per_userdomain_template',` allow $1_gpg_agent_t xdm_t:fd use; - # Write to the user domain tty. - access_terminal($1_gpg_agent_t, $1) - # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index ac380e13..cde33f0b 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -20,6 +20,12 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`cron_per_userdomain_template',` @@ -30,12 +36,12 @@ template(`cron_per_userdomain_template',` type $1_crond_t; # user_crond_domain; domain_type($1_crond_t); corecmd_shell_entry_type($1_crond_t) - role $1_r types $1_crond_t; + role $3 types $1_crond_t; type $1_crontab_t; domain_type($1_crontab_t) domain_entry_file($1_crontab_t,crontab_exec_t) - role $1_r types $1_crontab_t; + role $3 types $1_crontab_t; ############################## # @@ -112,12 +118,12 @@ template(`cron_per_userdomain_template',` miscfiles_read_localization($1_crond_t) - userdom_manage_user_tmp_files($1_crond_t,$1) - userdom_manage_user_tmp_symlinks($1_crond_t,$1) - userdom_manage_user_tmp_pipes($1_crond_t,$1) - userdom_manage_user_tmp_sockets($1_crond_t,$1) + userdom_manage_user_tmp_files($1,$1_crond_t) + userdom_manage_user_tmp_symlinks($1,$1_crond_t) + userdom_manage_user_tmp_pipes($1,$1_crond_t) + userdom_manage_user_tmp_sockets($1,$1_crond_t) # Run scripts in user home directory and access shared libs. - userdom_exec_user_home_files($1_crond_t,$1) + userdom_exec_user_home_files($1,$1_crond_t) tunable_policy(`fcron_crond', ` allow crond_t $1_cron_spool_t:file create_file_perms; @@ -157,14 +163,14 @@ template(`cron_per_userdomain_template',` # # Transition from the user domain to the derived domain. - domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t) - allow $1_t $1_crontab_t:fd use; - allow $1_crontab_t $1_t:fd use; - allow $1_crontab_t $1_t:fifo_file rw_file_perms; - allow $1_crontab_t $1_t:process sigchld; + domain_auto_trans($2, crontab_exec_t, $1_crontab_t) + allow $2 $1_crontab_t:fd use; + allow $1_crontab_t $2:fd use; + allow $1_crontab_t $2:fifo_file rw_file_perms; + allow $1_crontab_t $2:process sigchld; # for ^Z - allow $1_t $1_crontab_t:process signal; + allow $2 $1_crontab_t:process signal; # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file r_file_perms; @@ -188,6 +194,11 @@ template(`cron_per_userdomain_template',` fs_getattr_xattr_fs($1_crontab_t) + # Run helper programs as the user domain + corecmd_bin_domtrans($1_crontab_t,$2) + corecmd_sbin_domtrans($1_crontab_t,$2) + corecmd_shell_domtrans($1_crontab_t,$2) + domain_use_wide_inherit_fd($1_crontab_t) files_read_etc_files($1_crontab_t) @@ -202,8 +213,12 @@ template(`cron_per_userdomain_template',` seutil_dontaudit_search_config($1_crontab_t) - userdom_manage_user_tmp_dirs($1_crontab_t,$1) - userdom_manage_user_tmp_files($1_crontab_t,$1) + userdom_manage_user_tmp_dirs($1,$1_crontab_t) + userdom_manage_user_tmp_files($1,$1_crontab_t) + # Access terminals. + userdom_use_user_terminals($1,$1_crontab_t) + # Read user crontabs + userdom_read_user_home_files($1,$1_crontab_t) tunable_policy(`fcron_crond', ` # fcron wants an instant update of a crontab change for the administrator @@ -212,7 +227,6 @@ template(`cron_per_userdomain_template',` ') ifdef(`TODO',` - can_ps($1_t, $1_crontab_t) dontaudit $1_crontab_t proc_t:dir search; @@ -220,19 +234,10 @@ template(`cron_per_userdomain_template',` allow $1_crond_t tmp_t:dir rw_dir_perms; type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t; - # Run helper programs as $1_t - domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) - - # Read user crontabs + # Read user crontabs allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; - allow $1_crontab_t $1_home_t:file r_file_perms; dontaudit $1_crontab_t $1_home_dir_t:dir write; - # Access terminals. - allow $1_crontab_t devpts_t:dir r_dir_perms; - allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms; - allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms; - # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') ') dnl endif TODO diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 87f132ce..6409e530 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -1,15 +1,36 @@ ## Policy common to all email tranfer agents. ####################################### -# -# Per user domain template for this module -# -# mta_per_userdomain_template(userdomain_prefix) +## +## The per user domain template for the mta module. +## +## +##

+## This template creates a derived domain which is +## a email transfer agent, which sends mail on +## behalf of the user. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`mta_per_userdomain_template',` type $1_mail_t; # , user_mail_domain domain_type($1_mail_t) - role $1_r types $1_mail_t; + role $3 types $1_mail_t; type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) @@ -30,13 +51,13 @@ template(`mta_per_userdomain_template',` allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms; # Transition from the user domain to the derived domain. - domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t) - allow $1_t sendmail_exec_t:lnk_file { getattr read }; + domain_auto_trans($2, sendmail_exec_t, $1_mail_t) + allow $2 sendmail_exec_t:lnk_file { getattr read }; - allow $1_t $1_mail_t:fd use; - allow $1_mail_t $1_t:fd use; - allow $1_mail_t $1_t:fifo_file rw_file_perms; - allow $1_mail_t $1_t:process sigchld; + allow $2 $1_mail_t:fd use; + allow $1_mail_t $2:fd use; + allow $1_mail_t $2:fifo_file rw_file_perms; + allow $1_mail_t $2:process sigchld; kernel_read_kernel_sysctl($1_mail_t) @@ -64,6 +85,8 @@ template(`mta_per_userdomain_template',` sysnet_read_config($1_mail_t) + userdom_use_user_terminals($1,$1_mail_t) + tunable_policy(`use_dns',` allow $1_mail_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if($1_mail_t) @@ -113,10 +136,6 @@ template(`mta_per_userdomain_template',` allow mta_user_agent devpts_t:dir r_dir_perms; allow mta_user_agent $1_devpts_t:chr_file rw_file_perms; - allow $1_mail_t $1_tty_device_t:chr_file rw_file_perms; - allow $1_mail_t devpts_t:dir r_dir_perms; - allow $1_mail_t $1_devpts_t:chr_file rw_file_perms; - # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index c70680d6..9b7ada4d 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -20,6 +20,12 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`ssh_per_userdomain_template',` ############################## @@ -29,14 +35,14 @@ template(`ssh_per_userdomain_template',` type $1_home_ssh_t; #, $1_file_type; files_type($1_home_ssh_t) - role $1_r types $1_ssh_t; + role $3 types $1_ssh_t; type $1_ssh_t; domain_type($1_ssh_t) type $1_ssh_agent_t; domain_type($1_ssh_agent_t) - role $1_r types $1_ssh_agent_t; + role $3 types $1_ssh_agent_t; ############################## # @@ -57,7 +63,11 @@ template(`ssh_per_userdomain_template',` allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; # Transition from the user domain to the derived domain. - domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t) + domain_auto_trans($2, ssh_exec_t, $1_ssh_t) + allow $2 $1_ssh_t:fd use; + allow $1_ssh_t $2:fd use; + allow $1_ssh_t $2:fifo_file rw_file_perms; + allow $1_ssh_t $2:process sigchld; # Read the ssh key file. allow $1_ssh_t sshd_key_t:file r_file_perms; @@ -68,20 +78,20 @@ template(`ssh_per_userdomain_template',` files_create_tmp_files($1_ssh_t, sshd_tmp_t, { file dir }) # for rsync - allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms; - allow $1_ssh_t $1_t:unix_stream_socket connectto; + allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; + allow $1_ssh_t $2:unix_stream_socket connectto; # user can manage the keys and config - allow $1_t $1_home_ssh_t:dir rw_dir_perms; - allow $1_t $1_home_ssh_t:file create_file_perms; - allow $1_t $1_home_ssh_t:lnk_file create_lnk_perms; - allow $1_t $1_home_ssh_t:sock_file create_file_perms; + allow $2 $1_home_ssh_t:dir rw_dir_perms; + allow $2 $1_home_ssh_t:file create_file_perms; + allow $2 $1_home_ssh_t:lnk_file create_lnk_perms; + allow $2 $1_home_ssh_t:sock_file create_file_perms; # inheriting stream sockets is needed for "ssh host command" as no pty # is allocated # cjp: should probably fix target to be an attribute for ssh servers # or "regular" (not special like sshd_extern_t) servers - allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms; + allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms; # ssh client can manage the keys and config allow $1_ssh_t $1_home_ssh_t:file create_file_perms; @@ -248,20 +258,30 @@ template(`ssh_per_userdomain_template',` allow $1_ssh_agent_t self:process setrlimit; allow $1_ssh_agent_t self:capability setgid; - allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; + allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull; allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; + # for ssh-add + allow $2 $1_ssh_agent_t:unix_stream_socket connectto; + + # Allow the user shell to signal the ssh program. + allow $2 $1_ssh_agent_t:process signal; + # for the transition back to normal privs upon exec - allow $1_ssh_agent_t $1_t:fd use; - allow $1_t $1_ssh_agent_t:fd use; - allow $1_t $1_ssh_agent_t:fifo_file rw_file_perms; - allow $1_t $1_ssh_agent_t:process sigchld; + allow $1_ssh_agent_t $2:fd use; + allow $2 $1_ssh_agent_t:fd use; + allow $2 $1_ssh_agent_t:fifo_file rw_file_perms; + allow $2 $1_ssh_agent_t:process sigchld; # Allow the ssh program to communicate with ssh-agent. allow $1_ssh_t sshd_t:unix_stream_socket connectto; - domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) + domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t) + allow $2 $1_ssh_agent_t:fd use; + allow $1_ssh_agent_t $2:fd use; + allow $1_ssh_agent_t $2:fifo_file rw_file_perms; + allow $1_ssh_agent_t $2:process sigchld; kernel_read_kernel_sysctl($1_ssh_agent_t) @@ -290,6 +310,9 @@ template(`ssh_per_userdomain_template',` seutil_dontaudit_search_config($1_ssh_agent_t) + # Write to the user domain tty. + userdom_use_user_terminals($1,$1_ssh_agent_t) + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) @@ -318,11 +341,6 @@ template(`ssh_per_userdomain_template',` ifdef(`TODO',` - # Write to the user domain tty. - access_terminal($1_ssh_agent_t, $1) - - # Allow the user shell to signal the ssh program. - allow $1_t $1_ssh_agent_t:process signal; # allow ps to show ssh can_ps($1_t, $1_ssh_agent_t) @@ -333,12 +351,8 @@ template(`ssh_per_userdomain_template',` allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) - # for ssh-add - can_unix_connect($1_t, $1_ssh_agent_t) - # transition back to normal privs upon exec domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t) - allow $1_ssh_agent_t $1_home_dir_t:dir search; allow $1_ssh_t $1_tmp_t:sock_file write; @@ -351,7 +365,7 @@ template(`ssh_per_userdomain_template',` # Allow the ssh program to communicate with ssh-agent. allow $1_ssh_t $1_tmp_t:sock_file write; - allow $1_ssh_t $1_t:unix_stream_socket connectto; + allow $1_ssh_t $2:unix_stream_socket connectto; ') dnl endif TODO ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index c4ada700..7635bb18 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -21,6 +21,12 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## # template(`authlogin_per_userdomain_template',` gen_require(` @@ -38,8 +44,8 @@ template(`authlogin_per_userdomain_template',` type $1_chkpwd_t, can_read_shadow_passwords; domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) - role $1_r types $1_chkpwd_t; - role $1_r types system_chkpwd_t; + role $3 types $1_chkpwd_t; + role $3 types system_chkpwd_t; allow $1_chkpwd_t self:capability setuid; allow $1_chkpwd_t self:process getattr; @@ -70,16 +76,15 @@ template(`authlogin_per_userdomain_template',` #can_ldap($1_chkpwd_t) # Transition from the user domain to this domain. - domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t) + domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) - allow $1_chkpwd_t $1_t:fd use; - allow $1_t $1_chkpwd_t:fd use; - allow $1_chkpwd_t $1_t:fifo_file rw_file_perms; - allow $1_chkpwd_t $1_t:process sigchld; + allow $1_chkpwd_t $2:fd use; + allow $2 $1_chkpwd_t:fd use; + allow $1_chkpwd_t $2:fifo_file rw_file_perms; + allow $1_chkpwd_t $2:process sigchld; # Write to the user domain tty. - #userdomain_use_$1_terminal($1_chkpwd_t) - #userdomain_use_$1_pty($1_chkpwd_t) + userdom_use_user_terminals($1,$1_chkpwd_t) # Inherit and use descriptors from gnome-pty-helper. #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') @@ -110,7 +115,6 @@ template(`authlogin_per_userdomain_template',` optional_policy(`selinuxutil.te',` seutil_use_newrole_fd($1_chkpwd_t) ') - ') ######################################## diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index d49f4b26..821170fd 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -347,6 +347,49 @@ interface(`corecmd_exec_sbin',` ') +######################################## +## +## Execute a file in a sbin directory +## in the specified domain. +## +## +##

+## Execute a file in a sbin directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##

+## This interface was added to handle +## the ssh-agent policy. +##

+##
+## +## The type of the process performing this action. +## +## +## The type of the new process. +## +# +interface(`corecmd_sbin_domtrans',` + gen_require(` + type sbin_t; + class dir search; + class lnk_file { getattr read }; + ') + + allow $1 sbin_t:dir search; + allow $1 sbin_t:lnk_file { getattr read }; + + domain_auto_trans($1,sbin_t,$2) +') + ######################################## # # corecmd_exec_shell(domain) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 7668c033..04a37dad 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -114,7 +114,7 @@ template(`base_user_template',` # user domain and the program, and allow us to maintain separation # between different instances of the program being run by different # user domains. - per_userdomain_templates($1,$1_t) + per_userdomain_templates($1,$1_t,$1_r) kernel_read_kernel_sysctl($1_t) selinux_get_fs_mount($1_t) @@ -865,6 +865,39 @@ template(`admin_user_template',` ') dnl endif TODO ') +######################################## +## +## Read user home files. +## +## +##

+## Read user home files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## +# +template(`userdom_read_user_home_files',` + gen_require(` + class dir search; + class file r_file_perms; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir search; + allow $2 $1_home_t:file r_file_perms; +') + ######################################## ## ## Execute user home files. @@ -878,23 +911,23 @@ template(`admin_user_template',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_exec_user_home_files',` gen_require(` class dir search; ') - files_search_home($1) - allow $1 $2_home_dir_t:dir search; - allow $1 $2_home_t:dir search; - can_exec($1,$2_home_t) + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir search; + can_exec($2,$1_home_t) ') ######################################## @@ -912,13 +945,13 @@ template(`userdom_exec_user_home_files',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_home_subdir_files',` gen_require(` @@ -926,10 +959,10 @@ template(`userdom_manage_user_home_subdir_files',` class file create_file_perms; ') - files_search_home($1) - allow $1 $2_home_dir_t:dir search; - allow $1 $2_home_t:dir rw_dir_perms; - allow $1 $2_home_t:file create_file_perms; + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir rw_dir_perms; + allow $2 $1_home_t:file create_file_perms; ') ######################################## @@ -947,13 +980,13 @@ template(`userdom_manage_user_home_subdir_files',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_home_subdir_symlinks',` gen_require(` @@ -961,10 +994,10 @@ template(`userdom_manage_user_home_subdir_symlinks',` class lnk_file create_lnk_perms; ') - files_search_home($1) - allow $1 $2_home_dir_t:dir search; - allow $1 $2_home_t:dir rw_dir_perms; - allow $1 $2_home_t:lnk_file create_lnk_perms; + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir rw_dir_perms; + allow $2 $1_home_t:lnk_file create_lnk_perms; ') ######################################## @@ -982,21 +1015,21 @@ template(`userdom_manage_user_home_subdir_symlinks',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_tmp_dirs',` gen_require(` class dir create_dir_perms; ') - files_search_tmp($1) - allow $1 $2_tmp_t:dir create_dir_perms; + files_search_tmp($2) + allow $2 $1_tmp_t:dir create_dir_perms; ') ######################################## @@ -1014,13 +1047,13 @@ template(`userdom_manage_user_tmp_dirs',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -1028,9 +1061,9 @@ template(`userdom_manage_user_tmp_files',` class file create_file_perms; ') - files_search_tmp($1) - allow $1 $2_tmp_t:dir rw_dir_perms; - allow $1 $2_tmp_t:file create_file_perms; + files_search_tmp($2) + allow $2 $1_tmp_t:dir rw_dir_perms; + allow $2 $1_tmp_t:file create_file_perms; ') ######################################## @@ -1048,13 +1081,13 @@ template(`userdom_manage_user_tmp_files',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -1062,9 +1095,9 @@ template(`userdom_manage_user_tmp_symlinks',` class lnk_file create_lnk_perms; ') - files_search_tmp($1) - allow $1 $2_tmp_t:dir rw_dir_perms; - allow $1 $2_tmp_t:lnk_file create_lnk_perms; + files_search_tmp($2) + allow $2 $1_tmp_t:dir rw_dir_perms; + allow $2 $1_tmp_t:lnk_file create_lnk_perms; ') ######################################## @@ -1082,13 +1115,13 @@ template(`userdom_manage_user_tmp_symlinks',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -1096,9 +1129,9 @@ template(`userdom_manage_user_tmp_pipes',` class fifo_file create_file_perms; ') - files_search_tmp($1) - allow $1 $2_tmp_t:dir rw_dir_perms; - allow $1 $2_tmp_t:fifo_file create_file_perms; + files_search_tmp($2) + allow $2 $1_tmp_t:dir rw_dir_perms; + allow $2 $1_tmp_t:fifo_file create_file_perms; ') ######################################## @@ -1116,13 +1149,13 @@ template(`userdom_manage_user_tmp_pipes',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -1130,9 +1163,9 @@ template(`userdom_manage_user_tmp_sockets',` class sock_file create_file_perms; ') - files_search_tmp($1) - allow $1 $2_tmp_t:dir rw_dir_perms; - allow $1 $2_tmp_t:sock_file create_file_perms; + files_search_tmp($2) + allow $2 $1_tmp_t:dir rw_dir_perms; + allow $2 $1_tmp_t:sock_file create_file_perms; ') ######################################## @@ -1148,22 +1181,22 @@ template(`userdom_manage_user_tmp_sockets',` ## be called from a per-userdomain template. ##

## -## -## The type of the process performing this action. -## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## +## +## The type of the process performing this action. +## # template(`userdom_use_user_terminals',` gen_require(` class chr_file rw_term_perms; ') - allow $1 $2_tty_device_t:chr_file rw_term_perms; - allow $1 $2_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) + allow $2 $1_tty_device_t:chr_file rw_term_perms; + allow $2 $1_devpts_t:chr_file rw_term_perms; + term_list_ptys($2) ') ########################################