add rolemap/per-userdomain infrastructure
This commit is contained in:
parent
5e4cbc7557
commit
4ace0fa5d6
@ -1,3 +1,7 @@
|
|||||||
|
- Separate per-userdomain template expansion from the userdomain
|
||||||
|
module and add infrastructure to expand templates in the modules
|
||||||
|
that own the template.
|
||||||
|
- Enable secadm only for MLS policies.
|
||||||
- Remove role change rules in su and sudo since this functionality has been
|
- Remove role change rules in su and sudo since this functionality has been
|
||||||
removed from these programs.
|
removed from these programs.
|
||||||
- Add ctags Make target from Thomas Bleher.
|
- Add ctags Make target from Thomas Bleher.
|
||||||
|
@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
|
|||||||
MOD_CONF := $(POLDIR)/modules.conf
|
MOD_CONF := $(POLDIR)/modules.conf
|
||||||
TUNABLES := $(POLDIR)/tunables.conf
|
TUNABLES := $(POLDIR)/tunables.conf
|
||||||
BOOLEANS := $(POLDIR)/booleans.conf
|
BOOLEANS := $(POLDIR)/booleans.conf
|
||||||
|
ROLEMAP := $(POLDIR)/rolemap
|
||||||
|
|
||||||
# install paths
|
# install paths
|
||||||
TOPDIR = $(DESTDIR)/etc/selinux
|
TOPDIR = $(DESTDIR)/etc/selinux
|
||||||
@ -181,6 +182,24 @@ BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
|
|||||||
MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
||||||
OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Functions
|
||||||
|
#
|
||||||
|
|
||||||
|
# parse-rolemap modulename,outputfile
|
||||||
|
define parse-rolemap
|
||||||
|
$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
|
||||||
|
awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||||
|
endef
|
||||||
|
|
||||||
|
# peruser-expansion modulename,outputfile
|
||||||
|
define peruser-expansion
|
||||||
|
$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
|
||||||
|
$(call parse-rolemap,$1,$2)
|
||||||
|
$(QUIET) echo "')" >> $2
|
||||||
|
endef
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Load appropriate rules
|
# Load appropriate rules
|
||||||
|
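Review bot: In `parse-rolemap` the exit status of `m4 $(M4PARAM) $(ROLEMAP)` is lost in the pipe into awk, so a missing or unexpandable rolemap leaves the recipe exiting 0 and the module built with none of its per-userdomain domains instantiated — a policy that silently lacks its derived user domains instead of a failed build. Writing the m4 output to a scratch file and chaining the steps with `&&` makes the expansion fail closed; the rewrite below is otherwise the same awk program. The awk output also emits gen_require with unquoted arguments, unlike the quoted form used elsewhere in the tree; it appears to work because the arguments contain no commas, but a one-line comment saying so would stop the next reader from "fixing" it.

```make
# parse-rolemap modulename,outputfile
# Expands $(ROLEMAP) through m4 and appends one gen_require + template
# call per "role prefix domain" line to the output file.  The scratch
# file lets an m4 failure abort the recipe instead of being masked by awk.
define parse-rolemap
	$(QUIET) m4 $(M4PARAM) $(ROLEMAP) > $2.rolemap && \
	awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' $2.rolemap >> $2 && \
	$(RM) $2.rolemap
endef
```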
@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
|
|||||||
#
|
#
|
||||||
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
|
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
|
||||||
@echo "Compliling $(NAME) $(@F) module"
|
@echo "Compliling $(NAME) $(@F) module"
|
||||||
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
$(call peruser-expansion,$(basename $(@F)),$@.role)
|
||||||
|
$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||||
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||||
|
|
||||||
tmp/%.mod.fc: $(M4SUPPORT) %.fc
|
tmp/%.mod.fc: $(M4SUPPORT) %.fc
|
||||||
@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
|
|||||||
# define all available object classes
|
# define all available object classes
|
||||||
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
|
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
|
||||||
# per-userdomain templates
|
# per-userdomain templates
|
||||||
$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
|
$(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
|
||||||
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
|
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
|
||||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
||||||
>> $@ ;\
|
>> $@ ;\
|
||||||
done
|
done
|
||||||
@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
|
|||||||
endif
|
endif
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
$(QUIET) cat $^ > $@
|
$(QUIET) cat $^ > $@
|
||||||
|
$(call parse-rolemap,base,$@)
|
||||||
|
|
||||||
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
|
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
|
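Review bot: The `tmp/%.mod` recipe now reads `$(ROLEMAP)` through `peruser-expansion`, but the rolemap is not a prerequisite of the rule, so editing policy/rolemap does not rebuild any module, and `$@.role` is written as an undeclared side file rather than a target. The same gap applies to the later hunk that appends `$(call parse-rolemap,base,$@)` after `cat $^ > $@`, whose rule header is above the hunk. Adding `$(ROLEMAP)` directly to the `.mod` prerequisites would feed it into `$^` as policy text, so the cleaner shape is a separate `.role` target that depends on the rolemap and the module's `.te`, listed as a prerequisite of `.mod` so it lands in `$^` where the recipe appended it by hand.

```make
# Regenerated whenever the rolemap or the module changes; being a
# prerequisite of tmp/%.mod puts it in $^ after the .te file.
tmp/%.mod.role: $(ROLEMAP) %.te
	$(call peruser-expansion,$*,$@)

tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te tmp/%.mod.role
	@echo "Compliling $(NAME) $(@F) module"
	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
```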
@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
|
|||||||
tmp/generated_definitions.conf: $(ALL_TE_FILES)
|
tmp/generated_definitions.conf: $(ALL_TE_FILES)
|
||||||
# per-userdomain templates:
|
# per-userdomain templates:
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
|
$(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
|
||||||
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
|
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
|
||||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
||||||
>> $@ ;\
|
>> $@ ;\
|
||||||
@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
|
|||||||
endif
|
endif
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
$(QUIET) cat $^ > $@
|
$(QUIET) cat $^ > $@
|
||||||
|
$(call parse-rolemap,base,$@)
|
||||||
|
|
||||||
tmp/post_te_files.conf: $(POST_TE_FILES)
|
tmp/post_te_files.conf: $(POST_TE_FILES)
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
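Review bot: The `$(call parse-rolemap,base,$@)` appended after `cat $^ > $@` reads `$(ROLEMAP)`, yet the rolemap is not among the target's prerequisites (the rule header sits above the hunk), so a changed rolemap will not rebuild the concatenated policy and a stale set of per-user domains will be compiled. Because `$^` is what gets concatenated, the rolemap has to be added without being catted: `tmp/all_te_files.conf: ... $(ROLEMAP)` in the header and `$(QUIET) cat $(filter-out $(ROLEMAP),$^) > $@` in the recipe, if that is indeed the target name here. A short comment above the call, `# instantiate base-module per-userdomain templates once per rolemap entry`, would also explain why this target grows lines that are in no source file.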
|
@ -48,6 +48,9 @@ template(`irc_per_userdomain_template',`
|
|||||||
type $1_irc_home_t;
|
type $1_irc_home_t;
|
||||||
userdom_home_file($1,$1_irc_home_t)
|
userdom_home_file($1,$1_irc_home_t)
|
||||||
|
|
||||||
|
type $1_irc_tmp_t;
|
||||||
|
userdom_home_file($1,$1_irc_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
|
|||||||
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
|
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
|
||||||
|
|
||||||
# access files under /tmp
|
# access files under /tmp
|
||||||
allow $1_irc_t $1_tmp_t:dir create_dir_perms;
|
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
|
||||||
allow $1_irc_t $1_tmp_t:file create_file_perms;
|
allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
|
||||||
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
|
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
|
||||||
allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
|
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
|
||||||
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
|
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
|
||||||
files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
# Transition from the user domain to the derived domain.
|
# Transition from the user domain to the derived domain.
|
||||||
domain_auto_trans($2,irc_exec_t,$1_irc_t)
|
domain_auto_trans($2,irc_exec_t,$1_irc_t)
|
||||||
|
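Review bot: The new `$1_irc_tmp_t` is declared with `userdom_home_file($1,$1_irc_tmp_t)`, the same interface used for `$1_irc_home_t`, but the second hunk uses it as the target of `files_filetrans_tmp(...)` and for /tmp access, so a home-directory file type is being created under /tmp. That looks like a copy-paste of the home_t declaration; the tmp type should be registered as a tmp file type instead, e.g. `files_tmp_file($1_irc_tmp_t)` if this tree has it, or whichever interface the other per-user tmp types in the tree use. The template continues outside both hunks, so the full set of rules on the type is not visible here.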
@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
|
|||||||
#
|
#
|
||||||
interface(`dev_getattr_agp_dev',`
|
interface(`dev_getattr_agp_dev',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t, dri_device_t;
|
type device_t, agp_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 device_t:dir r_dir_perms;
|
allow $1 device_t:dir r_dir_perms;
|
||||||
|
@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
template(`cron_admin_template',`
|
template(`cron_admin_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute cron_spool_type;
|
attribute cron_spool_type;
|
||||||
|
type $1_crontab_t, $1_crond_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow our crontab domain to unlink a user cron spool file.
|
# Allow our crontab domain to unlink a user cron spool file.
|
||||||
|
@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`mta_admin_template',`
|
template(`mta_admin_template',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_mail_t;
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||||
userdom_read_unpriv_user_home_files($1_mail_t)
|
userdom_read_unpriv_user_home_files($1_mail_t)
|
||||||
|
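Review bot: The added `gen_require` for `$1_mail_t` in `mta_admin_template` is unconditional, while the only use visible in the hunk is inside the `ifdef(strict_policy)` branch; if `$1_mail_t` is only declared when the strict per-userdomain template runs, the require will fail to resolve in other configurations. Either the require belongs inside that `ifdef`, or a comment should state that `$1_mail_t` is declared for every caller — the rest of the template is outside the hunk, so which holds cannot be confirmed from here.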
@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
|
|||||||
allow system_chkpwd_t $2:process sigchld;
|
allow system_chkpwd_t $2:process sigchld;
|
||||||
',`
|
',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type chkpwd_exec_t;
|
type $1_chkpwd_t, chkpwd_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
corecmd_search_bin($2)
|
corecmd_search_bin($2)
|
||||||
|
@ -142,13 +142,6 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
allow $1_t unpriv_userdomain:fd use;
|
allow $1_t unpriv_userdomain:fd use;
|
||||||
|
|
||||||
# Instantiate derived domains for a number of programs.
|
|
||||||
# These derived domains encode both information about the calling
|
|
||||||
# user domain and the program, and allow us to maintain separation
|
|
||||||
# between different instances of the program being run by different
|
|
||||||
# user domains.
|
|
||||||
per_userdomain_templates($1,$1_t,$1_r)
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
kernel_dontaudit_list_unlabeled($1_t)
|
kernel_dontaudit_list_unlabeled($1_t)
|
||||||
kernel_dontaudit_getattr_unlabeled_file($1_t)
|
kernel_dontaudit_getattr_unlabeled_file($1_t)
|
||||||
@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
|
|||||||
#
|
#
|
||||||
template(`userdom_rw_user_tmpfs_files',`
|
template(`userdom_rw_user_tmpfs_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_tmp_t;
|
type $1_tmpfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
fs_search_tmpfs($2)
|
fs_search_tmpfs($2)
|
||||||
|
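Review bot: Removing `per_userdomain_templates($1,$1_t,$1_r)` from `base_user_template` leaves no trace of where derived domains are now instantiated, so a future caller of the template for a new user will not learn that the user also needs a rolemap entry. A comment at the removal site would close that gap: `# Per-userdomain templates are no longer instantiated here; they are expanded from policy/rolemap by the build (parse-rolemap), so a new user domain also needs a rolemap line.` The second hunk's `$1_tmp_t` to `$1_tmpfs_t` correction needs nothing further.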
@ -1,8 +1,12 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.2.3)
|
policy_module(userdomain,1.2.4)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r, secadm_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
role secadm_r;
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
|
|||||||
')
|
')
|
||||||
',`
|
',`
|
||||||
admin_user_template(sysadm)
|
admin_user_template(sysadm)
|
||||||
admin_user_template(secadm)
|
|
||||||
unpriv_user_template(staff)
|
unpriv_user_template(staff)
|
||||||
unpriv_user_template(user)
|
unpriv_user_template(user)
|
||||||
|
|
||||||
@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
|
|||||||
|
|
||||||
# only staff_r can change to sysadm_r
|
# only staff_r can change to sysadm_r
|
||||||
role_change(staff, sysadm)
|
role_change(staff, sysadm)
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
admin_user_template(secadm)
|
||||||
role_change(staff, secadm)
|
role_change(staff, secadm)
|
||||||
|
')
|
||||||
|
|
||||||
# this should be tunable_policy, but
|
# this should be tunable_policy, but
|
||||||
# currently type_change and RBAC allow
|
# currently type_change and RBAC allow
|
||||||
|
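Review bot: The `enable_mls` gating of `secadm_r` and `admin_user_template(secadm)` now has to agree with the matching `ifdef(enable_mls)` block in policy/rolemap; if one file is edited without the other, parse-rolemap emits a require for a role that does not exist, or secadm silently gets no derived domains. A comment at the new `ifdef` in the gen_require would record the coupling: `# secadm exists only in MLS builds; keep in sync with policy/rolemap.`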
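--- /dev/null
+++ b/refpolicy/policy/rolemap
@@ -0,0 +1,17 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure
+#
+# Each line has: role prefix user_domain
+#
+
+ifdef(\`strict_policy',\`
+user_r user user_t
+staff_r staff staff_t
+sysadm_r sysadm sysadm_t
+
+ifdef(\`enable_mls',\`
+secadm_r secadm secadm_t
+')
+')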
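Review bot: Every mapping in this file sits inside `ifdef(strict_policy)`, so a non-strict build yields an empty rolemap and no module's per_userdomain_template is instantiated at all — previously `base_user_template` did that for whichever user it was called with. If that is the intended behaviour for targeted policy it should be stated in the header, e.g. `# Only strict policy instantiates per-userdomain templates; other configurations get no mappings.`; if not, the targeted users need entries here. The header could also say that only `#` comments and `role prefix domain` triples are allowed, since parse-rolemap's awk treats any other line starting with a letter as a mapping.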