add rolemap/per-userdomain infrastructure

Chris PeBenito 2006-01-26 18:04:57 +00:00
parent 5e4cbc7557
commit 4ace0fa5d6
12 changed files with 75 additions and 24 deletions


@ -1,3 +1,7 @@
- Separate per-userdomain template expansion from the userdomain
module and add infrastructure to expand templates in the modules
that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been - Remove role change rules in su and sudo since this functionality has been
removed from these programs. removed from these programs.
- Add ctags Make target from Thomas Bleher. - Add ctags Make target from Thomas Bleher.


@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf MOD_CONF := $(POLDIR)/modules.conf
TUNABLES := $(POLDIR)/tunables.conf TUNABLES := $(POLDIR)/tunables.conf
BOOLEANS := $(POLDIR)/booleans.conf BOOLEANS := $(POLDIR)/booleans.conf
ROLEMAP := $(POLDIR)/rolemap
# install paths # install paths
TOPDIR = $(DESTDIR)/etc/selinux TOPDIR = $(DESTDIR)/etc/selinux
@ -181,6 +182,24 @@ BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null)) MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null)) OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
########################################
#
# Functions
#
# parse-rolemap modulename,outputfile
define parse-rolemap
$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
define peruser-expansion
$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(QUIET) echo "')" >> $2
endef
######################################## ########################################
# #
# Load appropriate rules # Load appropriate rules
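Review bot: In parse-rolemap an m4 failure is masked: the recipe line `m4 $(M4PARAM) $(ROLEMAP) | awk ... >> $2` exits with awk's status (nothing here sets pipefail), so a missing or unparsable rolemap quietly yields an empty role file and the per-userdomain derived domains silently drop out of the policy instead of failing the build. A rolemap line with a field count other than three is likewise accepted by the `/^[[:blank:]]*[A-Za-z]/` match and turned into a broken gen_require rather than an error. I would run m4 into an intermediate file and have awk reject malformed entries loudly:
```make
# parse-rolemap modulename,outputfile
define parse-rolemap
	$(QUIET) m4 $(M4PARAM) $(ROLEMAP) > $2.m4
	$(QUIET) awk '/^[[:blank:]]*[A-Za-z]/ { \
		if (NF != 3) { print "rolemap: malformed line " NR ": " $$0 | "cat 1>&2"; exit 1 } \
		print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' $2.m4 >> $2
endef
# … unchanged: peruser-expansion …
```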


@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
# #
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module" @echo "Compliling $(NAME) $(@F) module"
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(call peruser-expansion,$(basename $(@F)),$@.role)
$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc tmp/%.mod.fc: $(M4SUPPORT) %.fc
@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
# define all available object classes # define all available object classes
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@ $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates # per-userdomain templates
$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@ $(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \ $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\ >> $@ ;\
done done
@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(QUIET) cat $^ > $@
$(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(BASE_POST_TE_FILES) tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
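Review bot: The new `tmp/%.mod` recipe regenerates `$@.role` from `$(ROLEMAP)`, but the rule does not list the rolemap as a prerequisite, so editing policy/rolemap (adding a role, changing a prefix or domain) does not rebuild already-built modules and the installed .pp keeps the old role mappings — a stale policy that still loads cleanly. The recipe also writes a second file, `$@.role`, that is the target of no rule and presumably is not removed by clean. Making the role file its own target fixes both, and `$^` then carries it into the m4 call in the same last position the recipe uses today. The `tmp/all_te_files.conf` rule at the end of the section has the same gap (its rule header is outside the hunk).
```make
tmp/%.mod.role: $(ROLEMAP)
	$(call peruser-expansion,$*,$@)

tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te tmp/%.mod.role
	@echo "Compliling $(NAME) $(@F) module"
	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
```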


@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
tmp/generated_definitions.conf: $(ALL_TE_FILES) tmp/generated_definitions.conf: $(ALL_TE_FILES)
# per-userdomain templates: # per-userdomain templates:
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ $(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\ >> $@ ;\
@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(QUIET) cat $^ > $@
$(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(POST_TE_FILES) tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
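Review bot: `tmp/all_te_files.conf` now gets the rolemap expansion appended to it, but `$(ROLEMAP)` is not among its prerequisites (the rule header is above the hunk; from the `ifeq ($(ALL_TE_FILES),)` context it is presumably `$(ALL_TE_FILES)` alone), so a later edit to policy/rolemap rebuilds nothing and the monolithic policy silently keeps the old role-to-domain mappings. Adding the rolemap as a prerequisite while keeping it out of the concatenation would be `tmp/all_te_files.conf: $(ALL_TE_FILES) $(ROLEMAP)` with `$(QUIET) cat $(filter-out $(ROLEMAP),$^) > $@` before the `$(call parse-rolemap,base,$@)` line.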


@ -48,6 +48,9 @@ template(`irc_per_userdomain_template',`
type $1_irc_home_t; type $1_irc_home_t;
userdom_home_file($1,$1_irc_home_t) userdom_home_file($1,$1_irc_home_t)
type $1_irc_tmp_t;
userdom_home_file($1,$1_irc_tmp_t)
######################################## ########################################
# #
# Local policy # Local policy
@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t) userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
# access files under /tmp # access files under /tmp
allow $1_irc_t $1_tmp_t:dir create_dir_perms; allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_tmp_t:file create_file_perms; allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms; allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_tmp_t:sock_file create_file_perms; allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms; allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file }) files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain. # Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t) domain_auto_trans($2,irc_exec_t,$1_irc_t)
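Review bot: `$1_irc_tmp_t` is declared with `userdom_home_file($1,$1_irc_tmp_t)` although every use in the hunk treats it as a /tmp type — the five allow rules and `files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,...)` below. That gives the new type the user-home attributes instead of the tmp-file ones, so any interface that grants access to $1's home content silently reaches the irc scratch files in /tmp, while cleanup domains that operate on tmp types cannot touch them. The line looks copied from the `$1_irc_home_t` declaration just above it; the tmp equivalent would be `files_tmp_file($1_irc_tmp_t)` (or this tree's per-user tmp interface in userdomain.if, if one exists — the interface list is not visible here).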


@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
# #
interface(`dev_getattr_agp_dev',` interface(`dev_getattr_agp_dev',`
gen_require(` gen_require(`
type device_t, dri_device_t; type device_t, agp_device_t;
') ')
allow $1 device_t:dir r_dir_perms; allow $1 device_t:dir r_dir_perms;


@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
template(`cron_admin_template',` template(`cron_admin_template',`
gen_require(` gen_require(`
attribute cron_spool_type; attribute cron_spool_type;
type $1_crontab_t, $1_crond_t;
') ')
# Allow our crontab domain to unlink a user cron spool file. # Allow our crontab domain to unlink a user cron spool file.


@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
## </param> ## </param>
# #
template(`mta_admin_template',` template(`mta_admin_template',`
gen_require(`
type $1_mail_t;
')
ifdef(`strict_policy',` ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever" # allow the sysadmin to do "mail someone < /home/user/whatever"
userdom_read_unpriv_user_home_files($1_mail_t) userdom_read_unpriv_user_home_files($1_mail_t)
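Review bot: The new `gen_require(` type $1_mail_t; ')` in mta_admin_template is unconditional, while the only visible use of `$1_mail_t` sits inside `ifdef(\`strict_policy',`; if the template is ever instantiated under targeted_policy, where the derived mail domain may not be declared, the require now fails the build where the old text simply expanded to nothing. If `$1_mail_t` is not used further down (the rest of the template is outside the hunk), move the require inside the ifdef block; otherwise a one-line comment saying the admin template assumes mta_per_userdomain_template was expanded for `$1` would make the dependency explicit.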


@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
allow system_chkpwd_t $2:process sigchld; allow system_chkpwd_t $2:process sigchld;
',` ',`
gen_require(` gen_require(`
type chkpwd_exec_t; type $1_chkpwd_t, chkpwd_exec_t;
') ')
corecmd_search_bin($2) corecmd_search_bin($2)


@ -142,13 +142,6 @@ template(`base_user_template',`
allow $1_t unpriv_userdomain:fd use; allow $1_t unpriv_userdomain:fd use;
# Instantiate derived domains for a number of programs.
# These derived domains encode both information about the calling
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
per_userdomain_templates($1,$1_t,$1_r)
kernel_read_kernel_sysctl($1_t) kernel_read_kernel_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_file($1_t) kernel_dontaudit_getattr_unlabeled_file($1_t)
@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
# #
template(`userdom_rw_user_tmpfs_files',` template(`userdom_rw_user_tmpfs_files',`
gen_require(` gen_require(`
type $1_tmp_t; type $1_tmpfs_t;
') ')
fs_search_tmpfs($2) fs_search_tmpfs($2)
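Review bot: Removing `per_userdomain_templates($1,$1_t,$1_r)` from base_user_template also drops the comment that explained where the derived domains come from, and nothing in the template now says that they are instantiated by the build from policy/rolemap. That is worth a note in its place because the failure mode is silent: a domain created with base_user_template whose role and prefix are not listed in rolemap simply gets no $1_irc_t, $1_mail_t and so on, and those programs run unseparated in $1_t — and the rolemap added in this commit has entries only under strict_policy. Suggested comment where the call used to be: `# Derived per-program domains ($1_irc_t, ...) are no longer instantiated here; the build generates them from policy/rolemap (see parse-rolemap in the Makefile), so a new user domain also needs a rolemap entry.`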


@ -1,8 +1,12 @@
policy_module(userdomain,1.2.3) policy_module(userdomain,1.2.4)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r, secadm_r; role sysadm_r, staff_r, user_r;
ifdef(`enable_mls',`
role secadm_r;
')
') ')
######################################## ########################################
@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
') ')
',` ',`
admin_user_template(sysadm) admin_user_template(sysadm)
admin_user_template(secadm)
unpriv_user_template(staff) unpriv_user_template(staff)
unpriv_user_template(user) unpriv_user_template(user)
@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
# only staff_r can change to sysadm_r # only staff_r can change to sysadm_r
role_change(staff, sysadm) role_change(staff, sysadm)
ifdef(`enable_mls',`
admin_user_template(secadm)
role_change(staff, secadm) role_change(staff, secadm)
')
# this should be tunable_policy, but # this should be tunable_policy, but
# currently type_change and RBAC allow # currently type_change and RBAC allow

refpolicy/policy/rolemap Normal file

@ -0,0 +1,17 @@
#
# This file contains the mappings
# used for per-userdomain template
# infrastructure
#
# Each line has: role prefix user_domain
#
ifdef(`strict_policy',`
user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t
ifdef(`enable_mls',`
secadm_r secadm secadm_t
')
')
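Review bot: The header documents the field order but not how the file is consumed: per parse-rolemap in the Makefile it is first run through m4 with the policy's own parameters (which is why the `ifdef` blocks work), then every line beginning with a letter is split on whitespace into three fields, and each entry generates a `gen_require` for the domain and the role, so both must already be declared in the base policy. Since an omitted entry silently leaves that user's programs running unseparated in the user domain, a few more header lines would help: `# This file is preprocessed with m4 before parsing, so ifdef() blocks may be used.`, `# Lines not beginning with a letter are ignored; each entry has exactly three fields.` and `# Both the role and the user domain must already be declared in the base policy.`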