add rolemap/per-userdomain infrastructure
parent
5e4cbc7557
commit
4ace0fa5d6
@ -1,3 +1,7 @@
|
||||
- Separate per-userdomain template expansion from the userdomain
|
||||
module and add infrastructure to expand templates in the modules
|
||||
that own the template.
|
||||
- Enable secadm only for MLS policies.
|
||||
- Remove role change rules in su and sudo since this functionality has been
|
||||
removed from these programs.
|
||||
- Add ctags Make target from Thomas Bleher.
|
||||
|
@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
|
||||
MOD_CONF := $(POLDIR)/modules.conf
|
||||
TUNABLES := $(POLDIR)/tunables.conf
|
||||
BOOLEANS := $(POLDIR)/booleans.conf
|
||||
ROLEMAP := $(POLDIR)/rolemap
|
||||
|
||||
# install paths
|
||||
TOPDIR = $(DESTDIR)/etc/selinux
|
||||
@ -181,6 +182,24 @@ BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
|
||||
MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
||||
OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
|
||||
|
||||
########################################
|
||||
#
|
||||
# Functions
|
||||
#
|
||||
|
||||
# parse-rolemap modulename,outputfile
|
||||
define parse-rolemap
|
||||
$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
|
||||
awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# peruser-expansion modulename,outputfile
|
||||
define peruser-expansion
|
||||
$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
|
||||
$(call parse-rolemap,$1,$2)
|
||||
$(QUIET) echo "')" >> $2
|
||||
endef
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load appropriate rules
|
||||
|
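Review bot: `parse-rolemap` pipes `m4 $(M4PARAM) $(ROLEMAP)` into awk, so the recipe only sees awk's exit status, and a missing or broken rolemap leaves an output file with no role expansions and no error. The awk program also prints `$$1`, `$$2` and `$$3` without checking the field count, so a short rolemap line produces a malformed `gen_require(type ; role ...;)` that fails later, far from its cause, and extra fields are silently ignored. I would reject bad lines in awk, e.g. `NF != 3 { print "rolemap: bad line " NR > "/dev/stderr"; exit 1 }`, and run m4 into a temporary file first so its status is checked. A header comment on both defines saying that `$2` is appended to (`>>`) in `parse-rolemap` but truncated (`>`) in `peruser-expansion` would also help callers.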
@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
|
||||
#
|
||||
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
|
||||
@echo "Compliling $(NAME) $(@F) module"
|
||||
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
||||
$(call peruser-expansion,$(basename $(@F)),$@.role)
|
||||
$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||
|
||||
tmp/%.mod.fc: $(M4SUPPORT) %.fc
|
||||
@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
|
||||
# define all available object classes
|
||||
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
|
||||
# per-userdomain templates
|
||||
$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
|
||||
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
|
||||
$(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
|
||||
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
|
||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
||||
>> $@ ;\
|
||||
done
|
||||
@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
|
||||
endif
|
||||
@test -d tmp || mkdir -p tmp
|
||||
$(QUIET) cat $^ > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
|
||||
@test -d tmp || mkdir -p tmp
|
||||
|
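Review bot: The `tmp/%.mod` recipe now reads `$(ROLEMAP)` through `peruser-expansion`, but the rule's prerequisite list is unchanged, so editing the rolemap does not rebuild any module and the built policy can keep a stale role-to-domain mapping (for example a role that was removed from the file). Making the `.role` file its own target that depends on `$(ROLEMAP)` fixes this and lets `$^` carry it into the m4 call. The `$(call parse-rolemap,base,$@)` lines added in the later hunk here and in the monolithic rules appear to have the same gap, but their rule lines are outside the hunks.

```make
tmp/%.mod.role: $(ROLEMAP)
	@test -d tmp || mkdir -p tmp
	$(call peruser-expansion,$(basename $(basename $(@F))),$@)

tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te tmp/%.mod.role
# … unchanged: echo of the module name …
	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
# … unchanged: checkmodule call …
```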
@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
|
||||
tmp/generated_definitions.conf: $(ALL_TE_FILES)
|
||||
# per-userdomain templates:
|
||||
@test -d tmp || mkdir -p tmp
|
||||
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
|
||||
$(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
|
||||
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
|
||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
||||
>> $@ ;\
|
||||
@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
|
||||
endif
|
||||
@test -d tmp || mkdir -p tmp
|
||||
$(QUIET) cat $^ > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
tmp/post_te_files.conf: $(POST_TE_FILES)
|
||||
@test -d tmp || mkdir -p tmp
|
||||
|
@ -48,6 +48,9 @@ template(`irc_per_userdomain_template',`
|
||||
type $1_irc_home_t;
|
||||
userdom_home_file($1,$1_irc_home_t)
|
||||
|
||||
type $1_irc_tmp_t;
|
||||
userdom_home_file($1,$1_irc_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
|
||||
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
|
||||
|
||||
# access files under /tmp
|
||||
allow $1_irc_t $1_tmp_t:dir create_dir_perms;
|
||||
allow $1_irc_t $1_tmp_t:file create_file_perms;
|
||||
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
|
||||
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
||||
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($2,irc_exec_t,$1_irc_t)
|
||||
|
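Review bot: The new `$1_irc_tmp_t` is declared with `userdom_home_file($1,$1_irc_tmp_t)`, which looks copied from the `$1_irc_home_t` line just above it. The next hunk uses this type only for `/tmp` content via `files_filetrans_tmp`, so it should not pick up whatever home-file attributes that interface assigns; rules written against user home files would otherwise also cover IRC temp files. The declaration presumably wants `files_tmp_file($1_irc_tmp_t)` instead. The template body starts and ends outside both hunks, so confirm nothing later relies on the home-file attribute.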
@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
|
||||
#
|
||||
interface(`dev_getattr_agp_dev',`
|
||||
gen_require(`
|
||||
type device_t, dri_device_t;
|
||||
type device_t, agp_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
|
@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
|
||||
template(`cron_admin_template',`
|
||||
gen_require(`
|
||||
attribute cron_spool_type;
|
||||
type $1_crontab_t, $1_crond_t;
|
||||
')
|
||||
|
||||
# Allow our crontab domain to unlink a user cron spool file.
|
||||
|
@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`mta_admin_template',`
|
||||
gen_require(`
|
||||
type $1_mail_t;
|
||||
')
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
userdom_read_unpriv_user_home_files($1_mail_t)
|
||||
|
@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
|
||||
allow system_chkpwd_t $2:process sigchld;
|
||||
',`
|
||||
gen_require(`
|
||||
type chkpwd_exec_t;
|
||||
type $1_chkpwd_t, chkpwd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($2)
|
||||
|
@ -142,13 +142,6 @@ template(`base_user_template',`
|
||||
|
||||
allow $1_t unpriv_userdomain:fd use;
|
||||
|
||||
# Instantiate derived domains for a number of programs.
|
||||
# These derived domains encode both information about the calling
|
||||
# user domain and the program, and allow us to maintain separation
|
||||
# between different instances of the program being run by different
|
||||
# user domains.
|
||||
per_userdomain_templates($1,$1_t,$1_r)
|
||||
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
kernel_dontaudit_list_unlabeled($1_t)
|
||||
kernel_dontaudit_getattr_unlabeled_file($1_t)
|
||||
@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
|
||||
#
|
||||
template(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
type $1_tmp_t;
|
||||
type $1_tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($2)
|
||||
|
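Review bot: Nothing in `base_user_template` now tells a reader that derived per-program domains are no longer created here. With `per_userdomain_templates($1,$1_t,$1_r)` gone, a user domain built from this template gets them only if its role, prefix and type are also listed in the rolemap file; otherwise they are silently missing. I would leave a comment where the call used to be, e.g. `# Derived per-program domains are instantiated from policy/rolemap; a new user domain must be added there as well.` The removed explanation of why derived domains exist (separation between instances run by different user domains) is worth keeping next to the rolemap expansion rather than dropping.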
@ -1,8 +1,12 @@
|
||||
|
||||
policy_module(userdomain,1.2.3)
|
||||
policy_module(userdomain,1.2.4)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r, secadm_r;
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
role secadm_r;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
',`
|
||||
admin_user_template(sysadm)
|
||||
admin_user_template(secadm)
|
||||
unpriv_user_template(staff)
|
||||
unpriv_user_template(user)
|
||||
|
||||
@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
|
||||
|
||||
# only staff_r can change to sysadm_r
|
||||
role_change(staff, sysadm)
|
||||
role_change(staff, secadm)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
admin_user_template(secadm)
|
||||
role_change(staff, secadm)
|
||||
')
|
||||
|
||||
# this should be tunable_policy, but
|
||||
# currently type_change and RBAC allow
|
||||
|
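--- a/refpolicy/policy/rolemap
+++ b/refpolicy/policy/rolemap
@@ -0,0 +1,17 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure
+#
+# Each line has: role prefix user_domain
+#
+
+ifdef(`strict_policy',`
+user_r user user_t
+staff_r staff staff_t
+sysadm_r sysadm sysadm_t
+
+ifdef(`enable_mls',`
+secadm_r secadm secadm_t
+')
+')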