From 4bf4ed9e68e09dcb3418f703a7c82e0a0db8c7dd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 31 May 2005 19:52:57 +0000 Subject: [PATCH] permission set macro changes, plus more cab related work --- refpolicy/policy/modules/admin/consoletype.if | 8 +- refpolicy/policy/modules/admin/dmesg.if | 8 +- refpolicy/policy/modules/admin/netutils.if | 8 +- refpolicy/policy/modules/admin/rpm.if | 8 +- refpolicy/policy/modules/apps/gpg.if | 9 + refpolicy/policy/modules/kernel/bootloader.if | 8 +- refpolicy/policy/modules/kernel/devices.if | 163 +++++++++--------- refpolicy/policy/modules/kernel/kernel.if | 17 +- refpolicy/policy/modules/kernel/terminal.if | 62 ++++++- refpolicy/policy/modules/services/mta.if | 34 +++- refpolicy/policy/modules/system/authlogin.if | 63 ++++++- refpolicy/policy/modules/system/clock.if | 8 +- .../policy/modules/system/corecommands.if | 77 ++++++--- refpolicy/policy/modules/system/domain.if | 14 +- refpolicy/policy/modules/system/files.if | 30 +--- refpolicy/policy/modules/system/getty.if | 8 +- refpolicy/policy/modules/system/getty.te | 10 +- refpolicy/policy/modules/system/hostname.if | 10 +- refpolicy/policy/modules/system/hotplug.if | 15 +- refpolicy/policy/modules/system/init.if | 57 +++--- refpolicy/policy/modules/system/iptables.if | 8 +- refpolicy/policy/modules/system/libraries.if | 52 +++--- refpolicy/policy/modules/system/locallogin.te | 49 ++---- refpolicy/policy/modules/system/lvm.if | 11 +- refpolicy/policy/modules/system/modutils.if | 22 ++- refpolicy/policy/modules/system/mount.if | 8 +- refpolicy/policy/modules/system/selinux.if | 50 +++++- .../policy/modules/system/selinuxutil.if | 50 +++++- refpolicy/policy/modules/system/sysnetwork.if | 16 +- refpolicy/policy/modules/system/udev.if | 5 +- refpolicy/policy/modules/system/userdomain.if | 74 +++++++- 31 files changed, 683 insertions(+), 279 deletions(-) 
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if index 6faf8e19..8070200b 100644 --- a/refpolicy/policy/modules/admin/consoletype.if +++ b/refpolicy/policy/modules/admin/consoletype.if @@ -10,12 +10,18 @@ allow $1 consoletype_exec_t:file { getattr read execute }; allow $1 consoletype_t:process transition; type_transition $1 consoletype_exec_t:process consoletype_t; dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh }; +allow $1 consoletype_t:fd use; +allow consoletype_t $1:fd use; +allow consoletype_t $1:fifo_file rw_file_perms; +allow consoletype_t $1:process sigchld; ') define(`consoletype_transition_depend',` type consoletype_t, consoletype_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if index dc01a1c2..bc718b23 100644 --- a/refpolicy/policy/modules/admin/dmesg.if +++ b/refpolicy/policy/modules/admin/dmesg.if @@ -20,12 +20,18 @@ allow $1 dmesg_exec_t:file { getattr read execute }; allow $1 dmesg_t:process transition; type_transition $1 dmesg_exec_t:process dmesg_t; dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh }; +allow $1 dmesg_t:fd use; +allow dmesg_t $1:fd use; +allow dmesg_t $1:fifo_file rw_file_perms; +allow dmesg_t $1:process sigchld; ') define(`dmesg_transition_depend',` type dmesg_t, dmesg_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## 
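Review bot: The four added `fd use` / `fifo_file rw_file_perms` / `process sigchld` rules and the matching `class fd use;` and `class fifo_file rw_file_perms;` depend lines are pasted verbatim into consoletype and dmesg here and again into the netutils, rpm, bootloader, mta and kernel hunks, and the kernel copy already diverges in direction. A single shared macro taking the parent and child domains (something like a transition template expanding to those four rules plus their depend lines) would keep the seven copies from drifting as permission sets change. Until such a helper exists, the seven blocks should at least be diffed against each other before merge, because a copy that swaps `$1` and the child type is a silent policy error rather than a build failure.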
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if index e063dd5c..c1150feb 100644 --- a/refpolicy/policy/modules/admin/netutils.if +++ b/refpolicy/policy/modules/admin/netutils.if @@ -10,12 +10,18 @@ allow $1 netutils_exec_t:file { getattr read execute }; allow $1 netutils_t:process transition; type_transition $1 netutils_exec_t:process netutils_t; dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh }; +allow $1 netutils_t:fd use; +allow netutils_t $1:fd use; +allow netutils_t $1:fifo_file rw_file_perms; +allow netutils_t $1:process sigchld; ') define(`netutils_transition_depend',` type netutils_t, netutils_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 1e77b405..cabe283b 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -19,12 +19,18 @@ allow $1 rpm_exec_t:file { getattr read execute }; allow $1 rpm_t:process transition; type_transition $1 rpm_exec_t:process rpm_t; dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh }; +allow $1 rpm_t:fd use; +allow rpm_t $1:fd use; +allow rpm_t $1:fifo_file rw_file_perms; +allow rpm_t $1:process sigchld; ') define(`rpm_transition_depend',` type rpm_t, rpm_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 7e0737c5..d635dcc9 100644 --- a/refpolicy/policy/modules/apps/gpg.if 
+++ b/refpolicy/policy/modules/apps/gpg.if @@ -47,6 +47,9 @@ role $1_r types $1_gpg_pinentry_t; allow $1_t $1_gpg_t:process transition; allow $1_t gpg_exec_t:file { getattr read execute }; type_transition $1_t gpg_exec_t:process $1_gpg_t; +allow $1_t $1_gpg_t:fd use; +allow $1_gpg_t $1_t:fd use; +allow $1_gpg_t $1_t:fifo_file rw_file_perms; allow $1_gpg_t self:capability { ipc_lock setuid }; allow { $1_t $1_gpg_t } $1_gpg_t:process signal; @@ -156,6 +159,9 @@ dontaudit $1_gpg_t var_t:dir search; allow $1_gpg_t $1_gpg_helper_t:process transition; allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute }; type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t; +allow $1_gpg_t $1_gpg_helper_t:fd use; +allow $1_gpg_helper_t $1_t:fd use; +allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms; allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; @@ -273,6 +279,9 @@ can_unix_connect($1_gpg_t, $1_gpg_agent_t) allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition; allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute }; type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t; +allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; +allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; +allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 8681739b..5e312b29 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if 
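Review bot: In the second hunk the helper transition is from `$1_gpg_t`, yet the new rules give `$1_gpg_helper_t` use of `$1_t`'s descriptors and fifos (`allow $1_gpg_helper_t $1_t:fd use;`, `allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;`), and in the third hunk the fifo rule runs agent→pinentry while the other hunks run child→parent. If the intent mirrors the first hunk (child uses the parent's fds and fifos), these should read `allow $1_gpg_helper_t $1_gpg_t:fd use;`, `allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;` and `allow $1_gpg_pinentry_t $1_gpg_agent_t:fifo_file rw_file_perms;`. As written, the helper gets direct access to the user domain's open descriptors rather than only to what `$1_gpg_t` hands it, which is broader than the helper needs. The enclosing templates start and end outside these hunks.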
@@ -19,12 +19,18 @@ allow $1 bootloader_exec_t:file { getattr read execute }; allow $1 bootloader_t:process transition; type_transition $1 bootloader_exec_t:process bootloader_t; dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh }; +allow $1 bootloader_t:fd use; +allow bootloader_t $1:fd use; +allow bootloader_t $1:fifo_file rw_file_perms; +allow bootloader_t $1:process sigchld; ') define(`bootloader_transition_depend',` type bootloader_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 92a52f65..227e8b29 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -50,13 +50,13 @@ class chr_file { getattr relabelfrom relabelto }; # define(`devices_list_device_nodes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 device_t:lnk_file { getattr read }; ') define(`devices_list_device_nodes_depend',` type device_t; -class dir { getattr read search }; +class dir r_dir_perms; class lnk_file { getattr read }; ') @@ -66,12 +66,12 @@ class lnk_file { getattr read }; # define(`devices_ignore_list_device_nodes',` requires_block_template(`$0'_depend) -dontaudit $1 device_t:dir { getattr read search }; +dontaudit $1 device_t:dir r_dir_perms; ') define(`devices_ignore_list_device_nodes_depend',` type device_t; -class dir { getattr read search }; +class dir r_dir_perms; ') ######################################## 
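Review bot: `bootloader_transition_depend` still declares only `type bootloader_t;` while the interface body (see the hunk header context `allow $1 bootloader_exec_t:file { getattr read execute }`) also references `bootloader_exec_t`; the sibling depends in consoletype, dmesg, netutils and rpm list both types. The line should read `type bootloader_t, bootloader_exec_t;` so the requires block matches what the interface actually uses. The interface body begins above this hunk.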
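Review bot: Replacing `{ getattr read search }` with `r_dir_perms` in `devices_list_device_nodes` and throughout the remaining devices.if hunks is not a pure rename if `r_dir_perms` expands to more than those three permissions — the refpolicy set conventionally also carries `lock` and `ioctl` — so every caller of these interfaces gains extra permissions on `device_t:dir`. That is probably acceptable for a listing interface, but the commit describes this as a "permission set macro change" without saying the granted sets widen. A sentence in the description, or a comment near the top of devices.if such as `# device_t:dir listing uses r_dir_perms, a superset of { getattr read search }`, would make the audit trail clear for anyone later diffing policy behaviour.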
@@ -94,13 +94,13 @@ class fifo_file getattr; # define(`devices_get_generic_block_device_attributes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read }; +allow $1 device_t:dir r_dir_perms; allow $1 device_t:blk_file getattr; ') define(`devices_get_generic_block_device_attributes_depend',` type device_t; -class dir { getattr search read }; +class dir r_dir_perms; class blk_file getattr; ') @@ -142,13 +142,13 @@ class capability mknod; # define(`devices_get_generic_character_device_attributes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read }; +allow $1 device_t:dir r_dir_perms; allow $1 device_t:chr_file getattr; ') define(`devices_get_generic_character_device_attributes_depend',` type device_t; -class dir { getattr search read }; +class dir r_dir_perms; class chr_file getattr; ') @@ -264,7 +264,7 @@ allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append define(`devices_manage_generic_block_devices_depend',` type device_t; -class dir { getattr search read }; +class dir r_dir_perms; class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; ') @@ -280,7 +280,7 @@ allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append define(`devices_manage_generic_character_devices_depend',` type device_t; -class dir { getattr search read }; +class dir r_dir_perms; class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; ') 
@@ -308,14 +308,14 @@ class dir { getattr search read write add_name remove_name }; # define(`devices_get_all_block_device_attributes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 device_node:blk_file getattr; ') define(`devices_get_all_block_device_attributes_depend',` attribute device_node; class blk_file getattr; -class dir { getattr read search }; +class dir r_dir_perms; ') ######################################## @@ -338,14 +338,14 @@ class blk_file getattr; # define(`devices_get_all_character_device_attributes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 device_node:chr_file getattr; ') define(`devices_get_all_character_device_attributes_depend',` attribute device_node; class chr_file getattr; -class dir { getattr read search }; +class dir r_dir_perms; ') ######################################## @@ -407,7 +407,7 @@ storage_write_scsi_generic($1) define(`devices_manage_generic_block_devices_depend',` attribute device_node; -class dir { getattr search read }; +class dir r_dir_perms; class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; ') @@ -424,7 +424,7 @@ typeattribute $1 memory_raw_read, memory_raw_write; define(`devices_manage_all_character_devices_depend',` attribute device_node, memory_raw_read, memory_raw_write; -class dir { getattr search read }; +class dir r_dir_perms; class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; ') @@ -435,7 +435,7 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink define(`devices_raw_read_memory',` requires_block_template(`$0'_depend) typeattribute $1 memory_raw_read; -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 memory_device_t:chr_file { getattr read ioctl }; allow $1 self:capability sys_rawio; ') 
@@ -443,7 +443,7 @@ allow $1 self:capability sys_rawio; define(`devices_raw_read_memory_depend',` type device_t, memory_device_t; attribute memory_raw_read; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; class capability sys_rawio; ') @@ -455,7 +455,7 @@ class capability sys_rawio; define(`devices_raw_write_memory',` requires_block_template(`$0'_depend) typeattribute $1 memory_raw_write; -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 memory_device_t:chr_file write; allow $1 self:capability sys_rawio; ') @@ -463,7 +463,7 @@ allow $1 self:capability sys_rawio; define(`devices_raw_write_memory_depend',` type device_t, memory_device_t; attribute memory_raw_write; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file write; class capability sys_rawio; ') @@ -504,13 +504,13 @@ class chr_file execute; # define(`devices_get_random_data',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 random_device_t:chr_file { getattr read ioctl }; ') define(`devices_get_random_data_depend',` type device_t, random_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -520,13 +520,13 @@ class chr_file { getattr read ioctl }; # define(`devices_get_pseudorandom_data',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 urandom_device_t:chr_file { getattr read ioctl }; ') define(`devices_get_pseudorandom_data_depend',` type device_t, urandom_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') 
@@ -536,13 +536,13 @@ class chr_file { getattr read ioctl }; # define(`devices_add_entropy',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 random_device_t:chr_file { getattr write ioctl }; ') define(`devices_add_entropy_depend',` type device_t, random_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -552,13 +552,13 @@ class chr_file { getattr write ioctl }; # define(`devices_set_pseudorandom_seed',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 urandom_device_t:chr_file { getattr write ioctl }; ') define(`devices_set_pseudorandom_seed_depend',` type device_t, urandom_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -568,14 +568,14 @@ class chr_file { getattr write ioctl }; # define(`devices_use_dev_null',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; -allow $1 null_device_t:chr_file { getattr read write append ioctl }; +allow $1 device_t:dir r_dir_perms; +allow $1 null_device_t:chr_file rw_file_perms; ') define(`devices_use_dev_null_depend',` type device_t, null_device_t; -class device_t:dir { getattr read search }; -class chr_file { getattr read write append ioctl }; +class device_t:dir r_dir_perms; +class chr_file rw_file_perms; ') ######################################## 
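Review bot: `devices_use_dev_null_depend` keeps the malformed `class device_t:dir r_dir_perms;` — every other depend block in this file uses `class dir r_dir_perms;`, and a `class` statement does not take a `type:class` pair — and the same line appears in `devices_use_dev_zero_depend` in the next hunk. Both should become `class dir r_dir_perms;`. Since the removed line had the same shape, these two requires blocks have presumably never been exercised; worth confirming how the build treats them.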
@@ -584,14 +584,14 @@ class chr_file { getattr read write append ioctl }; # define(`devices_use_dev_zero',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; -allow $1 zero_device_t:chr_file { getattr read write append ioctl }; +allow $1 device_t:dir r_dir_perms; +allow $1 zero_device_t:chr_file rw_file_perms; ') define(`devices_use_dev_zero_depend',` type device_t, zero_device_t; -class device_t:dir { getattr read search }; -class chr_file { getattr read write append ioctl }; +class device_t:dir r_dir_perms; +class chr_file r_file_perms; ') ######################################## @@ -615,13 +615,13 @@ class chr_file execute; # define(`devices_read_realtime_clock',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 clock_device_t:chr_file { getattr read ioctl }; ') define(`devices_read_realtime_clock_depend',` type device_t, clock_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -631,13 +631,13 @@ class chr_file { getattr read ioctl }; # define(`devices_write_realtime_clock',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 clock_device_t:chr_file { setattr lock write append ioctl }; ') define(`devices_write_realtime_clock_depend',` type device_t, clock_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { setattr lock write append ioctl }; ') 
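Review bot: `devices_use_dev_zero_depend` now declares `class chr_file r_file_perms;` while the interface body grants `allow $1 zero_device_t:chr_file rw_file_perms;`, so the requires block understates what the interface uses; the dev_null pair in the previous hunk uses `rw_file_perms` in both places. Change the depend line to `class chr_file rw_file_perms;` so the declared and granted sets agree.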
@@ -656,13 +656,13 @@ devices_write_realtime_clock($1) # define(`devices_record_sound_input',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 sound_device_t:chr_file { getattr read ioctl }; ') define(`devices_record_sound_input_depend',` type device_t, sound_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -672,13 +672,13 @@ class chr_file { getattr read ioctl }; # define(`devices_play_sound',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 sound_device_t:chr_file { getattr write ioctl }; ') define(`devices_play_sound_depend',` type device_t, sound_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -688,13 +688,13 @@ class chr_file { getattr write ioctl }; # define(`devices_read_sound_mixer_levels',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 sound_device_t:chr_file { getattr read ioctl }; ') define(`devices_read_sound_mixer_levels_depend',` type device_t, sound_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -704,13 +704,13 @@ class chr_file { getattr read ioctl }; # define(`devices_write_sound_mixer_levels',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 sound_device_t:chr_file { getattr write ioctl }; ') define(`devices_write_sound_mixer_levels_depend',` type device_t, sound_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') 
@@ -720,13 +720,13 @@ class chr_file { getattr write ioctl }; # define(`devices_direct_agp_access',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 agp_device_t:chr_file { getattr read write ioctl }; ') define(`devices_direct_agp_access_depend',` type device_t, agp_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read write ioctl }; ') @@ -736,13 +736,13 @@ class chr_file { getattr read write ioctl }; # define(`devices_get_direct_rendering_interface_attributes',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 dri_device_t:chr_file getattr; ') define(`devices_get_direct_rendering_interface_attributes_depend',` type device_t, dri_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file getattr; ') @@ -752,13 +752,13 @@ class chr_file getattr; # define(`devices_use_direct_rendering_interface',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 dri_device_t:chr_file { getattr read write ioctl }; ') define(`devices_use_direct_rendering_interface_depend',` type device_t, dri_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read write ioctl }; ') @@ -782,13 +782,13 @@ class chr_file { getattr read write ioctl }; # define(`devices_read_mtrr',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 mtrr_device_t:chr_file { getattr read ioctl }; ') define(`devices_read_mtrr_depend',` type device_t, mtrr_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') 
@@ -798,12 +798,13 @@ class chr_file { getattr read ioctl }; # define(`devices_write_mtrr',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 mtrr_device_t:chr_file { getattr write ioctl }; ') define(`devices_write_mtrr_depend',` type device_t, mtrr_device_t; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -813,13 +814,13 @@ class chr_file { getattr write ioctl }; # define(`devices_read_framebuffer',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 framebuf_device_t:chr_file { getattr read ioctl }; ') define(`devices_read_framebuffer_depend',` type framebuf_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -829,13 +830,13 @@ class chr_file { getattr read ioctl }; # define(`devices_write_framebuffer',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 framebuf_device_t:chr_file { getattr write ioctl }; ') define(`devices_write_framebuffer_depend',` type device_t, framebuf_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -845,13 +846,13 @@ class chr_file { getattr write ioctl }; # define(`devices_read_lvm_control_channel',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 lvm_control_t:chr_file { getattr read }; ') define(`devices_read_lvm_control_channel_depend',` type lvm_control_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { ioctl read getattr lock write append }; ') 
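Review bot: `devices_read_lvm_control_channel_depend` declares `class chr_file { ioctl read getattr lock write append }` while its interface only grants `{ getattr read }` on `lvm_control_t`, and neither it nor `devices_read_framebuffer_depend` declares `type device_t` although both bodies now contain `allow $1 device_t:dir r_dir_perms;`. Suggested lines: `type device_t, lvm_control_t;` with `class chr_file { getattr read };` for the lvm depend, and `type device_t, framebuf_device_t;` for the framebuffer one. Over-declaring write permissions in a requires block does not grant anything by itself, but it misleads anyone reading the depend block as the interface's contract.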
@@ -861,13 +862,13 @@ class chr_file { ioctl read getattr lock write append }; # define(`devices_use_lvm_control_channel',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read }; +allow $1 device_t:dir r_dir_perms; allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append }; ') define(`devices_use_lvm_control_channel_depend',` type lvm_control_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { ioctl read getattr lock write append }; ') @@ -893,13 +894,13 @@ class chr_file unlink; # define(`devices_read_misc',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 misc_device_t:chr_file { getattr read ioctl }; ') define(`devices_read_misc_depend',` type device_t, misc_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -909,13 +910,13 @@ class chr_file { getattr read ioctl }; # define(`devices_write_misc',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 misc_device_t:chr_file { getattr write ioctl }; ') define(`devices_write_misc_depend',` type device_t, misc_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr write ioctl }; ') @@ -925,13 +926,13 @@ class chr_file { getattr write ioctl }; # define(`devices_get_mouse_input',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 mouse_device_t:chr_file { getattr read ioctl }; ') define(`devices_get_mouse_input_depend',` type device_t, mouse_device_t; -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; class chr_file { getattr read ioctl }; ') 
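Review bot: `devices_get_mouse_input_depend` carries an `allow $1 device_t:dir r_dir_perms;` rule where every other depend block has `class dir r_dir_perms;`; an allow inside a depend block either breaks the build or grants access wherever the depend is expanded, neither of which is intended. Replace it with `class dir r_dir_perms;`. `devices_use_lvm_control_channel_depend` in the first hunk also lacks `type device_t;` for the `device_t:dir` rule its body now contains, so its line should become `type device_t, lvm_control_t;`.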
@@ -941,13 +942,13 @@ class chr_file { getattr read ioctl }; # define(`devices_get_input_event',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 event_device_t:chr_file { getattr read ioctl }; ') define(`devices_get_input_event_depend',` type device_t, event_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -957,13 +958,13 @@ class chr_file { getattr read ioctl }; # define(`devices_get_cpuid',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 cpu_device_t:chr_file { getattr read ioctl }; ') define(`devices_get_cpuid_depend',` type device_t, cpu_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read ioctl }; ') @@ -973,13 +974,13 @@ class chr_file { getattr read ioctl }; # define(`devices_load_cpu_microcode',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 cpu_device_t:chr_file { getattr read write ioctl }; ') define(`devices_load_cpu_microcode_depend',` type device_t, cpu_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read write ioctl }; ') @@ -989,13 +990,13 @@ class chr_file { getattr read write ioctl }; # define(`devices_use_scanner',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 scanner_device_t:chr_file { getattr read write ioctl }; ') define(`devices_use_scanner_depend',` type device_t, scanner_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read write ioctl }; ') 
@@ -1005,12 +1006,12 @@ class chr_file { getattr read write ioctl }; # define(`devices_control_system_powermanagement',` requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; +allow $1 device_t:dir r_dir_perms; allow $1 power_device_t:chr_file { getattr read write ioctl }; ') define(`devices_control_system_powermanagement_depend',` type device_t, power_device_t; -class dir { getattr read search }; +class dir r_dir_perms; class chr_file { getattr read write ioctl }; ') diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 55d391c5..4cbb3092 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -11,12 +11,18 @@ allow kernel_t $1:process transition; allow $1 kernel_t:fd use; type_transition kernel_t $2:process $1; dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; +allow $1 kernel_t:fd use; +allow kernel_t $1:fd use; +allow kernel_t $1:fifo_file rw_file_perms; +allow kernel_t $1:process sigchld; ') define(`kernel_make_userland_entrypoint_depend',` type kernel_t; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; class file { getattr read execute }; +class fifo_file rw_file_perms; +class fd use; ') ######################################## @@ -418,15 +424,16 @@ class file { getattr read }; # define(`kernel_read_system_state',` requires_block_template(`$0'_depend) -allow $1 proc_t:dir { getattr search read }; -allow $1 proc_t:{ lnk_file file } { getattr read ioctl }; +allow $1 proc_t:dir r_dir_perms; +allow $1 proc_t:lnk_file { getattr read }; +allow $1 proc_t:file r_file_perms; ') define(`kernel_read_system_state_depend',` type proc_t; -class dir { search getattr read }; +class dir r_dir_perms; class lnk_file { getattr read }; -class file { getattr read ioctl }; +class file r_file_perms; ') ######################################## 
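Review bot: In `kernel_make_userland_entrypoint` the transition runs from `kernel_t` to `$1` (`allow kernel_t $1:process transition;`), yet the added `allow kernel_t $1:process sigchld;` and `allow kernel_t $1:fifo_file rw_file_perms;` point parent→child, the opposite of the admin interfaces where the child signals and uses the parent's fifos. If the block was copied from those, the lines should be `allow $1 kernel_t:process sigchld;` and `allow $1 kernel_t:fifo_file rw_file_perms;`. The added `allow $1 kernel_t:fd use;` also duplicates the identical context line immediately above it and can be dropped.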
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 96c0d89a..c5cc8e24 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -1,4 +1,6 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Policy for terminals. ######################################## # @@ -278,13 +280,13 @@ define(`terminal_use_all_private_pseudoterminals',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 devpts_t:dir { getattr read search }; -allow $1 ptynode:chr_file { read write }; +allow $1 ptynode:chr_file { getattr read write ioctl }; ') define(`terminal_use_all_private_pseudoterminals_depend',` attribute ptynode; class dir { getattr search read }; -class chr_file { read write }; +class chr_file { getattr read write ioctl }; ') ######################################## @@ -331,6 +333,21 @@ type tty_device_t; class chr_file setattr; ') +######################################## +# +# terminal_relabel_general_physical_terminal(domain) +# +define(`terminal_relabel_general_physical_terminal',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +allow $1 tty_device_t:chr_file { relabelfrom relabelto }; +') + +define(`terminal_relabel_general_physical_terminal_depend',` +type tty_device_t; +class chr_file { relabelfrom relabelto }; +') + ######################################## # # terminal_reset_physical_terminal_labels(domain) @@ -346,7 +363,6 @@ define(`terminal_reset_physical_terminal_labels_depend',` attribute ttynode; type tty_device_t; class chr_file { relabelfrom relabelto }; -devices_list_device_nodes_depend ') ######################################## 
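Review bot: The widening of `terminal_use_all_private_pseudoterminals` from `{ read write }` to `{ getattr read write ioctl }` is repeated for `terminal_use_general_physical_terminal` and `terminal_use_all_private_physical_terminals` in the later hunks, but `terminal_ignore_use_all_private_physical_terminals_depend` (last terminal.if hunk) still declares `{ read write }`, so the dontaudit counterpart presumably no longer covers the same set as the allow. Either widen that depend and its interface the same way, or add a comment there explaining why the ignore variant stays narrower. Separately, dropping `devices_list_device_nodes_depend` from `terminal_reset_physical_terminal_labels_depend` is unexplained; if that interface's body still calls `devices_list_device_nodes($1)`, the nested depend was what pulled `device_t` into its requires block.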
@@ -379,12 +395,12 @@ class chr_file { read write }; define(`terminal_use_general_physical_terminal',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file { read write }; +allow $1 tty_device_t:chr_file { getattr read write ioctl }; ') define(`terminal_use_general_physical_terminal_depend',` type tty_device_t; -class chr_file { read write }; +class chr_file { getattr read write ioctl }; ') ######################################## @@ -416,6 +432,21 @@ attribute ttynode; class chr_file getattr; ') +######################################## +# +# terminal_set_all_private_physical_terminal_attributes(domain) +# +define(`terminal_set_all_private_physical_terminal_attributes',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +allow $1 ttynode:chr_file setattr; +') + +define(`terminal_set_all_private_physical_terminal_attributes_depend',` +attribute ttynode; +class chr_file setattr; +') + ######################################## # # terminal_ignore_get_all_private_physical_terminal_attributes(domain) @@ -430,6 +461,21 @@ attribute ttynode; class chr_file getattr; ') +######################################## +# +# terminal_relabel_all_private_physical_terminals(domain) +# +define(`terminal_relabel_all_private_physical_terminals',` +requires_block_template(`$0'_depend) +devices_list_device_nodes($1) +allow $1 ttynode:chr_file { relabelfrom relabelto }; +') + +define(`terminal_relabel_all_private_physical_terminals_depend',` +attribute ttynode; +class chr_file { relabelfrom relabelto }; +') + ######################################## ## ## 
@@ -460,12 +506,12 @@ class chr_file { getattr write }; define(`terminal_use_all_private_physical_terminals',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) -allow $1 ttynode:chr_file { read write }; +allow $1 ttynode:chr_file { getattr read write ioctl }; ') define(`terminal_use_all_private_physical_terminals_depend',` attribute ttynode; -class chr_file { read write }; +class chr_file { getattr read write ioctl }; ') ######################################## @@ -481,3 +527,5 @@ define(`terminal_ignore_use_all_private_physical_terminals_depend',` attribute ttynode; class chr_file { read write }; ') + +## diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 3ee99d9e..973bbf4b 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -1,4 +1,6 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Policy common to all email tranfer agents. ####################################### # @@ -36,6 +38,10 @@ allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans }; allow $1_t sendmail_exec_t:lnk_file { getattr read }; allow $1_t $1_mail_t:process transition; type_transition $1_t sendmail_exec_t:process $1_mail_t; +allow $1_t $1_mail_t:fd use; +allow $1_mail_t $1_t:fd use; +allow $1_mail_t $1_t:fifo_file rw_file_perms; +allow $1_mail_t $1_t:process sigchld; kernel_read_kernel_sysctl($1_mail_t) @@ -174,11 +180,10 @@ allow $1 sendmail_exec_t:file { getattr read execute }; allow $1 system_mail_t:process transition; type_transition $1 sendmail_exec_t:process system_mail_t; dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh }; - allow $1 system_mail_t:fd use; -allow system_mail_t $1:process sigchld; allow system_mail_t $1:fd use; -allow system_mail_t $1:fifo_file { ioctl read getattr lock write append }; +allow system_mail_t $1:fifo_file rw_file_perms; +allow system_mail_t $1:process sigchld; ') define(`mta_send_mail_depend',` 
@@ -239,12 +244,32 @@ type etc_aliases_t; class file { getattr read write append setattr }; ') +####################################### +# +# mta_get_mail_spool_attributes(domain) +# +define(`mta_get_mail_spool_attributes',` +requires_block_template(`$0'_depend) +files_search_system_spool_directory($1) +allow $1 mail_spool_t:dir r_dir_perms; +allow $1 mail_spool_t:lnk_file read; +allow $1 mail_spool_t:file getattr; +') + +define(`mta_get_mail_spool_attributes_depend',` +type mail_spool_t; +class dir r_dir_perms; +class file getattr; +class lnk_file read; +') + ####################################### # # mta_modify_mail_spool(domain) # define(`mta_modify_mail_spool',` requires_block_template(`$0'_depend) +files_search_system_spool_directory($1) allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1 mail_spool_t:file { getattr read write append setattr }; ') @@ -261,6 +286,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # define(`mta_manage_mail_spool',` requires_block_template(`$0'_depend) +files_search_system_spool_directory($1) allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; ') @@ -286,3 +312,5 @@ type mqueue_spool_t; class dir { read getattr lock search ioctl add_name remove_name write }; class file { create ioctl read getattr lock write setattr append link unlink rename } ') + +## diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index b1ca8740..cf846574 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if 
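Review bot: mta_get_mail_spool_attributes grants `allow $1 mail_spool_t:dir r_dir_perms;`, which includes read (listing the spool directory) although the interface name and the only caller comment in this commit ("Search for mail spool file." in locallogin.te) describe a stat of a single mailbox. If listing is not needed, `allow $1 mail_spool_t:dir { getattr search };` is the minimal set and keeps a login helper from enumerating the mailbox names of every user; if listing is intended, the name and a `##` summary should say so. The interface is also added without the `##` description block this commit gives corecommands_shell_explicit_transition, so a summary such as `## Get the attributes of mail spool files, searching the spool directory.` would help.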
@@ -51,6 +51,10 @@ selinux_read_config($1_chkpwd_t) allow $1_t chkpwd_exec_t:file { getattr read execute }; allow $1_t $1_chkpwd_t:process transition; type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t; +allow $1_chkpwd_t $1_t:fd use; +allow $1_t $1_chkpwd_t:fd use; +allow $1_chkpwd_t $1_t:fifo_file rw_file_perms; +allow $1_chkpwd_t $1_t:process sigchld; # Write to the user domain tty. #userdomain_use_$1_terminal($1_chkpwd_t) @@ -80,10 +84,12 @@ define(`authlogin_per_userdomain_template_depend',` attribute can_read_shadow_passwords; type chkpwd_exec_t, system_chkpwd_t, shadow_t; class file { getattr read execute }; -class process { getattr transition }; +class process { getattr transition sigchld }; class capability setuid; class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### @@ -121,12 +127,18 @@ allow $1 login_exec_t:file { getattr read execute }; allow $1 $2:process transition; type_transition $1 login_exec_t:process $2; dontaudit $1 $2:process { noatsecure siginh rlimitinh }; +allow $1 $2:fd use; +allow $2 $1:fd use; +allow $2 $1:fifo_file rw_file_perms; +allow $2 $1:process sigchld; ') define(`authlogin_login_program_transition_depend',` type login_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### 
@@ -138,6 +150,10 @@ requires_block_template(`$0'_depend) allow $1 chkpwd_exec_t:file { getattr read execute }; allow $1 system_chkpwd_t:process transition; type_transition $1 chkpwd_exec_t:process system_chkpwd_t; +allow $1 system_chkpwd_t:fd use; +allow system_chkpwd_t $1:fd use; +allow system_chkpwd_t $1:fifo_file rw_file_perms; +allow system_chkpwd_t $1:process sigchld; dontaudit $1 shadow_t:file { getattr read }; #allow $1_t sbin_t:dir search; @@ -161,8 +177,10 @@ sysnetwork_read_network_config($1) define(`authlogin_check_password_transition_depend',` type system_chkpwd_t, chkpwd_exec_t, shadow_t; class file { getattr read execute }; -class process transition; +class process { transition sigchld }; class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### @@ -265,6 +283,21 @@ type shadow_t; class file relabelto; ') +####################################### +# +# authlogin_modify_login_failure_records(domain) +# +define(`authlogin_modify_login_failure_records',` +requires_block_template(`$0'_depend) +logging_search_system_log_directory($1) +allow $1 faillog_t:file { read write append }; +') + +define(`authlogin_modify_login_failure_records_depend',` +type faillog_t; +class file { read write append }; +') + ####################################### # # authlogin_modify_last_login_log(domain) 
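Review bot: authlogin_modify_login_failure_records is added without the `##` description block that this commit gives corecommands_shell_explicit_transition; a summary such as `## Read and write the login failure log (faillog_t).` and the usual domain parameter line would match the rest of the file. The explicit `{ read write append }` set also differs from the rw_file_perms macro used for the other new rules in this commit; if the narrower set (no getattr, lock or ioctl) is intentional, a short comment saying so would keep a later cleanup from widening it.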
@@ -297,12 +330,18 @@ allow $1 pam_exec_t:file { getattr read execute }; allow $1 pam_t:process transition; type_transition $1 pam_exec_t:process pam_t; dontaudit $1 pam_t:process { noatsecure siginh rlimitinh }; +allow $1 pam_t:fd use; +allow pam_t $1:fd use; +allow pam_t $1:fifo_file rw_file_perms; +allow pam_t $1:process sigchld; ') define(`authlogin_pam_transition_depend',` type pam_t, pam_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd +class fifo_file rw_file_perms; ') ######################################## @@ -394,12 +433,18 @@ allow $1 pam_console_exec_t:file { getattr read execute }; allow $1 pam_console_t:process transition; type_transition $1 pam_console_exec_t:process pam_console_t; dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh }; +allow $1 pam_console_t:fd use; +allow pam_console_t $1:fd use; +allow pam_console_t $1:fifo_file rw_file_perms; +allow pam_console_t $1:process sigchld; ') define(`authlogin_pam_console_transition_depend',` type pam_console_t, pam_console_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### 
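Review bot: In authlogin_pam_transition_depend the added line `+class fd` carries no permission and no terminating semicolon, so after m4 expansion the requirement reads `class fd class fifo_file rw_file_perms;`, which is not valid policy and will stop the module from building. Every other depend block in this commit writes it as `class fd use;`, matching the `allow $1 pam_t:fd use;` rule added in the interface body. Change the line to `class fd use;`.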
@@ -525,12 +570,18 @@ allow $1 utempter_exec_t:file { getattr read execute }; allow $1 utempter_t:process transition; type_transition $1 utempter_exec_t:process utempter_t; dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh }; +allow $1 utempter_t:fd use; +allow utempter_t $1:fd use; +allow utempter_t $1:fifo_file rw_file_perms; +allow utempter_t $1:process sigchld; ') define(`authlogin_utempter_transition_depend',` type utempter_t, utempter_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 0ba002ef..73e32dd5 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if @@ -17,12 +17,18 @@ allow $1 hwclock_exec_t:file { getattr read execute }; allow $1 hwclock_t:process transition; type_transition $1 hwclock_exec_t:process hwclock_t; dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh }; +allow $1 hwclock_t:fd use; +allow hwclock_t $1:fd use; +allow hwclock_t $1:fifo_file rw_file_perms; +allow hwclock_t $1:process sigchld; ') define(`clock_transition_depend',` type hwclock_t, hwclock_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 82065f40..2fc23a0f 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if 
@@ -54,14 +54,14 @@ define(`corecommands_execute_general_programs',` requires_block_template(`$0'_depend) allow $1 bin_t:dir { getattr search read }; allow $1 bin_t:lnk_file { getattr read }; -allow $1 bin_t:file { getattr read ioctl execute execute_no_trans }; +allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans }; ') define(`corecommands_execute_general_programs_depend',` type bin_t; class dir { getattr search read }; class lnk_file { getattr read }; -class file { getattr read ioctl execute execute_no_trans }; +class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## @@ -84,12 +84,12 @@ class dir search; # define(`corecommands_read_system_programs_directory',` requires_block_template(`$0'_depend) -allow $1 sbin_t:dir { getattr search read }; +allow $1 sbin_t:dir r_dir_perms; ') define(`corecommands_read_system_programs_directory_depend',` type sbin_t; -class dir { getattr search read }; +class dir r_dir_perms; ') ######################################## @@ -114,14 +114,14 @@ define(`corecommands_execute_system_programs',` requires_block_template(`$0'_depend) allow $1 sbin_t:dir { getattr search read }; allow $1 sbin_t:lnk_file { getattr read }; -allow $1 sbin_t:file { getattr read ioctl execute execute_no_trans }; +allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans }; ') define(`corecommands_execute_system_programs_depend',` type sbin_t; class dir { getattr search read }; class lnk_file { getattr read }; -class file { getattr read ioctl execute execute_no_trans }; +class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## 
@@ -130,16 +130,16 @@ class file { getattr read ioctl execute execute_no_trans }; # define(`corecommands_execute_shell',` requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; +allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file { getattr read }; -allow $1 shell_exec_t:file { getattr read execute execute_no_trans }; +allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans }; ') define(`corecommands_execute_shell_depend',` type bin_t, shell_exec_t; -class dir { getattr search read }; +class dir r_dir_perms; class lnk_file { getattr read }; -class file { getattr read execute execute_no_trans }; +class file { getattr read lock ioctl execute execute_no_trans }; ') ######################################## 
@@ -148,16 +148,55 @@ class file { getattr read execute execute_no_trans }; # define(`corecommands_execute_ls',` requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; +allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file { getattr read }; -allow $1 ls_exec_t:file { getattr read execute execute_no_trans }; +allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans }; ') define(`corecommands_execute_shell_depend',` type bin_t, ls_exec_t; +class dir r_dir_perms; +class lnk_file { getattr read }; +class file { getattr read lock ioctl execute execute_no_trans }; +') + +######################################## +## +## +## Execute a shell in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## +## +## The type of the process performing this action. +## +## +## The type of the shell process. +## +## +## +# +define(`corecommands_shell_explicit_transition',` +requires_block_template(`$0'_depend) +allow $1 bin_t:dir { getattr search read }; +allow $1 bin_t:lnk_file { getattr read }; +allow $1 shell_exec_t:file { getattr read execute }; +allow $1 $2:process transition; +dontaudit $1 $2:process { noatsecure siginh rlimitinh }; +allow $1 $2:fd use; +allow $2 $1:fd use; +allow $2 $1:fifo_file rw_file_perms; +allow $2 $1:process sigchld; +') + +define(`corecommands_shell_explicit_transition_depend',` +type bin_t, shell_exec_t; class dir { getattr search read }; class lnk_file { getattr read }; -class file { getattr read execute execute_no_trans }; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## 
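Review bot: The depend block that the corecommands_execute_ls hunk rewrites is still named `corecommands_execute_shell_depend` (context line), so corecommands_execute_ls's `requires_block_template(`$0'_depend)` refers to a corecommands_execute_ls_depend that is never defined, and the genuine corecommands_execute_shell_depend from the previous hunk is presumably overridden by this later definition declaring `type bin_t, ls_exec_t` instead of shell_exec_t. The commit changes three lines inside this block but leaves the name. Rename the definition to `define(`corecommands_execute_ls_depend',`` so each interface carries its own requirements.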
@@ -176,20 +215,12 @@ class file { getattr read execute execute_no_trans }; # define(`corecommands_shell_transition',` requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; -allow $1 bin_t:lnk_file { getattr read }; -allow $1 shell_exec_t:file { getattr read execute }; -allow $1 $2:process transition; +corecommands_shell_explicit_transition($1,$2) type_transition $1 shell_exec_t:process $2; -dontaudit $1 $2:process { noatsecure siginh rlimitinh }; ') define(`corecommands_shell_transition_depend',` -type bin_t, shell_exec_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +type shell_exec_t; ') ######################################## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 4ff71acf..234207d1 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -278,12 +278,12 @@ class process { getattr ptrace }; # define(`domain_ignore_read_all_domains_process_dirs',` requires_block_template(`$0'_depend) -dontaudit $1 domain:dir { getattr search read }; +dontaudit $1 domain:dir r_dir_perms; ') define(`domain_ignore_read_all_domains_process_dirs_depend',` attribute domain; -class dir { getattr search read }; +class dir r_dir_perms; ') @@ -402,12 +402,12 @@ class fifo_file getattr; # define(`domain_execute_all_entrypoint_programs',` requires_block_template(`$0'_depend) -allow $1 entry_type:file { getattr read ioctl execute execute_no_trans }; +allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans }; ') define(`domain_execute_all_entrypoint_programs_depend',` attribute entry_type; -class file { getattr read ioctl execute execute_no_trans }; +class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## 
@@ -416,12 +416,14 @@ class file { getattr read ioctl execute execute_no_trans }; # define(`domain_read_all_entrypoint_programs',` requires_block_template(`$0'_depend) -allow $1 entry_type:{ file lnk_file } { getattr read }; +allow $1 entry_type:lnk_file { getattr read }; +allow $1 entry_type:file r_file_perms; ') define(`domain_read_all_entrypoint_programs_depend',` attribute entry_type; -class file { getattr read }; +class file r_file_perms; +class lnk_file { getattr read }; ') ## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 6d7c4a57..bdebc307 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -136,7 +136,7 @@ class sock_file getattr; # define(`files_relabel_all_files',` requires_block_template(`$0'_depend) -allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto }; +allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; @@ -149,7 +149,7 @@ selinux_relabelto_binary_policy($1) define(`files_relabel_all_files_depend',` attribute file_type; -class dir { getattr search read relabelfrom relabelto }; +class dir { r_dir_perms relabelfrom relabelto }; class file { relabelfrom relabelto }; class lnk_file { relabelfrom relabelto }; class fifo_file { relabelfrom relabelto }; @@ -215,12 +215,12 @@ class dir search; # define(`files_read_all_directories',` requires_block_template(`$0'_depend) -allow $1 file_type:dir { getattr search read }; +allow $1 file_type:dir r_dir_perms; ') define(`files_read_all_directories_depend',` attribute file_type; -class dir { getattr search read }; +class dir r_dir_perms; ') ######################################## 
@@ -237,20 +237,6 @@ attribute file_type; class dir search; ') -######################################## -# -# files_read_all_directories(domain) -# -define(`files_read_all_directories',` -requires_block_template(`$0'_depend) -allow $1 file_type:dir { getattr search read }; -') - -define(`files_read_all_directories_depend',` -attribute file_type; -class dir { getattr search read }; -') - ####################################### # # files_relabelto_all_file_type_filesystems(domain) @@ -313,13 +299,13 @@ class dir { getattr search mounton }; # define(`files_read_root_dir',` requires_block_template(`$0'_depend) -allow $1 root_t:dir { getattr search read }; +allow $1 root_t:dir r_dir_perms; allow $1 root_t:lnk_file { getattr read }; ') define(`files_read_root_dir_depend',` type root_t; -class dir { getattr search read }; +class dir r_dir_perms; class lnk_file { getattr read }; ') @@ -329,12 +315,12 @@ class lnk_file { getattr read }; # define(`files_create_root_dir_entry',` requires_block_template(`$0'_depend) -allow $1 root_t:dir { getattr search read write add_name }; +allow $1 root_t:dir ra_dir_perms; ') define(`files_create_root_dir_entry_depend',` type root_t; -class dir { getattr search read write add_name }; +class dir ra_dir_perms; ') ######################################## diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index 41a67b2e..4c55da37 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if 
@@ -10,12 +10,18 @@ allow $1 getty_exec_t:file { getattr read execute }; allow $1 getty_t:process transition; type_transition $1 getty_exec_t:process getty_t; dontaudit $1 getty_t:process { noatsecure siginh rlimitinh }; +allow $1 getty_t:fd use; +allow getty_t $1:fd use; +allow getty_t $1:fifo_file rw_file_perms; +allow getty_t $1:process sigchld; ') define(`getty_transition_depend',` type getty_t, getty_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 9536e3ed..ce2f2a6d 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -2,6 +2,11 @@ policy_module(getty,1.0) +######################################## +# +# Declarations +# + type getty_t; type getty_exec_t; init_make_init_domain(getty_t,getty_exec_t) @@ -30,9 +35,12 @@ allow getty_t self:process { getpgid getsession }; allow getty_t getty_etc_t:dir { getattr search read }; allow getty_t getty_etc_t:file { getattr read }; +files_create_private_config(getty_t,getty_etc_t,{ file dir }) allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink }; allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir }; +files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir }) + allow getty_t getty_log_t:file { getattr append setattr }; kernel_read_hardware_state(getty_t) 
@@ -48,8 +56,6 @@ init_script_modify_runtime_data(getty_t) init_script_use_pseudoterminal(getty_t) files_modify_system_runtime_data(getty_t) -files_create_private_config(getty_t,getty_etc_t,{ file dir }) -files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir }) files_manage_system_lock_files(getty_t) files_read_runtime_system_config(getty_t) files_read_general_system_config(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index e7ec93dc..5a47de80 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -9,6 +9,7 @@ ## ## ## The type of the process performing this action. +## Has a sigchld signal backchannel. ## ## ## @@ -19,12 +20,18 @@ allow $1 hostname_exec_t:file { getattr read execute }; allow $1 hostname_t:process transition; type_transition $1 hostname_exec_t:process hostname_t; dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh }; +allow $1 hostname_t:fd use; +allow hostname_t $1:fd use; +allow hostname_t $1:fifo_file rw_file_perms; +allow hostname_t $1:process sigchld; ') define(`hostname_transition_depend',` type hostname_t, hostname_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## @@ -32,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh }; ## ## Execute hostname in the hostname domain, and ## allow the specified role the hostname domain. +## Has a sigchld signal backchannel. ## ## ## The type of the process performing this action. diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index e4002c98..e9a49c68 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if 
@@ -1,4 +1,9 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## +## Policy for hotplug system, for supporting the +## connection and disconnection of devices at runtime. +## ####################################### # @@ -10,12 +15,18 @@ allow $1 hotplug_exec_t:file { getattr read execute }; allow $1 hotplug_t:process transition; type_transition $1 hotplug_exec_t:process hotplug_t; dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh }; +allow $1 hotplug_t:fd use; +allow hotplug_t $1:fd use; +allow hotplug_t $1:fifo_file rw_file_perms; +allow hotplug_t $1:process sigchld; ') define(`hotplug_transition_depend',` type hotplug_t, hotplug_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ####################################### @@ -99,3 +110,5 @@ class file { read getattr lock ioctl }; class dir { read getattr lock search ioctl }; class lnk_file { getattr read }; ') + +## diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 1d1f5e96..db255bbc 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -13,13 +13,18 @@ allow init_t $1:process transition; allow init_t $2:file { getattr read execute }; dontaudit init_t $1:process { noatsecure siginh rlimitinh }; type_transition init_t $2:process $1; +allow $1 init_t:fd use; +allow init_t $1:fd use; +allow $1 init_t:fifo_file rw_file_perms; +allow $1 init_t:process sigchld; ') define(`init_make_init_domain_depend',` type init_t; class file { getattr read execute }; class fd use; -class process { transition noatsecure siginh rlimitinh }; +class fifo_file rw_file_perms; +class process { transition noatsecure siginh rlimitinh sigchld }; role system_r; ') 
@@ -36,17 +41,16 @@ allow initrc_t $1:process transition; allow initrc_t $2:file { getattr read execute }; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; type_transition initrc_t $2:process $1; +allow initrc_t $1:fd use; allow $1 initrc_t:fd use; -# backchannels: +allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; -# cjp: probably for logging -allow $1 initrc_t:fifo_file { getattr write }; ') define(`init_make_daemon_domain_depend',` type initrc_t; class file { getattr read execute }; -class fifo_file { getattr write }; +class fifo_file rw_file_perms; class fd use; class process { transition noatsecure siginh rlimitinh sigchld }; role system_r; @@ -65,18 +69,17 @@ allow initrc_t $1:process transition; allow initrc_t $2:file { getattr read execute }; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; type_transition initrc_t $2:process $1; +allow initrc_t $1:fd use; allow $1 initrc_t:fd use; -# backchannels: +allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; -# cjp: probably for logging -allow $1 initrc_t:fifo_file { getattr write }; ') define(`init_make_system_domain_depend',` type initrc_t; class file { getattr read execute }; class fd use; -class fifo_file { getattr write }; +class fifo_file rw_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; role system_r; ') 
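Review bot: In init_make_daemon_domain the fifo rule on initrc_t goes from `{ getattr write }` to `rw_file_perms`, and the removed comment ("cjp: probably for logging") was the only record of why the daemon needed the pipe at all; the same widening is made in init_make_system_domain in the next hunk. If the purpose is still for a daemon to write its startup output to the init script's pipe, write access is sufficient and `allow $1 initrc_t:fifo_file { getattr write };` keeps every daemon domain from reading back through init script pipes. If read is genuinely required, a one-line comment stating the case (for example `# daemons read and write initrc_t pipes: <reason>`) would preserve the intent the old comment carried.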
@@ -91,12 +94,18 @@ allow $1 init_exec_t:file { getattr read execute }; allow $1 init_t:process transition; type_transition $1 init_exec_t:process init_t; dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; +allow $1 init_t:fd use; +allow init_t $1:fd use; +allow init_t $1:fifo_file rw_file_perms; +allow init_t $1:process sigchld; ') define(`init_transition_depend',` type init_t, init_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## @@ -222,12 +231,18 @@ allow $1 initrc_exec_t:file { getattr read execute }; allow $1 initrc_t:process transition; type_transition $1 initrc_exec_t:process init_t; dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; +allow $1 initrc_t:fd use; +allow initrc_t $1:fd use; +allow initrc_t $1:fifo_file rw_file_perms; +allow initrc_t $1:process sigchld; ') define(`init_script_transition_depend',` type initrc_t, initrc_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## 
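Review bot: init_script_transition still pairs `allow $1 initrc_t:process transition;` with `type_transition $1 initrc_exec_t:process init_t;` and `dontaudit $1 init_t:process { noatsecure siginh rlimitinh };` (context lines), while the four backchannel rules added here all name initrc_t, so the default transition points at a domain the allow rule does not cover and the dontaudit covers the wrong one. Unless targeting init_t is deliberate, both lines should read `type_transition $1 initrc_exec_t:process initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`. The depend block declares only `type initrc_t, initrc_exec_t;`, which is consistent with that fix but not with the current init_t references. This predates the commit, but the hunk rewrites the surrounding rules and leaves it in place.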
@@ -275,26 +290,6 @@ class lnk_file { read getattr }; class process { getattr ptrace }; ') -######################################## -# -# init_script_direct_admin_transition(role,domain) -# -define(`init_script_direct_admin_transition',` -requires_block_template(`$0'_depend) -allow $2 initrc_exec_t:file { getattr read execute }; -allow $2 initrc_t:process transition; -type_transition $2 initrc_exec_t:file init_t; -role_transition $1 initrc_exec_t system_r; -dontaudit $2 init_t:process { noatsecure siginh rlimitinh }; -') - -define(`init_script_direct_admin_transition_depend',` -type initrc_t, initrc_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; -kernel_system_role_transition_depend -') - ######################################## # # init_script_use_file_descriptors(domain) diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index b8e9aa0f..c0d6335e 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -17,12 +17,18 @@ allow $1 iptables_exec_t:file { getattr read execute }; allow $1 iptables_t:process transition; type_transition $1 iptables_exec_t:process iptables_t; dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh }; +allow $1 iptables_t:fd use; +allow iptables_t $1:fd use; +allow iptables_t $1:fifo_file rw_file_perms; +allow iptables_t $1:process sigchld; ') define(`iptables_transition_depend',` type iptables_t, iptables_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 9600fa0e..12379bc9 100644 --- a/refpolicy/policy/modules/system/libraries.if 
+++ b/refpolicy/policy/modules/system/libraries.if @@ -19,12 +19,18 @@ allow $1 ldconfig_exec_t:file { getattr read execute }; allow $1 ldconfig_t:process transition; type_transition $1 ldconfig_exec_t:process ldconfig_t; dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh }; +allow $1 ldconfig_t:fd use; +allow ldconfig_t $1:fd use; +allow ldconfig_t $1:fifo_file rw_file_perms; +allow ldconfig_t $1:process sigchld; ') define(`libraries_ldconfig_transition_depend',` type ldconfig_t, ldconfig_exec_t; class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh }; +class process { transition noatsecure siginh rlimitinh sigchld }; +class fd use; +class fifo_file rw_file_perms; ') ######################################## @@ -71,18 +77,18 @@ class chr_file { getattr read write ioctl }; define(`libraries_use_dynamic_loader',` requires_block_template(`$0'_depend) files_read_general_system_config_directory($1) -allow $1 lib_t:dir { getattr search read }; -allow $1 lib_t:lnk_file { getattr read }; -allow $1 ld_so_t:lnk_file { getattr read }; -allow $1 ld_so_t:file { getattr read execute }; -allow $1 ld_so_cache_t:file { getattr read }; +allow $1 lib_t:dir r_dir_perms; +allow $1 lib_t:lnk_file r_file_perms; +allow $1 ld_so_t:lnk_file r_file_perms; +allow $1 ld_so_t:file rx_file_perms; +allow $1 ld_so_cache_t:file r_file_perms; ') define(`libraries_use_dynamic_loader_depend',` type lib_t, ld_so_t, ld_so_cache_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read execute }; +class dir r_dir_perms; +class lnk_file r_file_perms; +class file rx_file_perms; ') ######################################## 
@@ -127,17 +133,17 @@ class file { execute execmod };
 #
 define(`libraries_execute_dynamic_loader',`
 requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr search read };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 ld_so_t:lnk_file { getattr read };
-allow $1 ld_so_t:file { getattr read execute execute_no_trans };
+allow $1 lib_t:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 ld_so_t:lnk_file r_file_perms;
+allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
 ')
 define(`libraries_execute_dynamic_loader_depend',`
 type lib_t, ld_so_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class dir r_dir_perms;
+class lnk_file r_file_perms;
+class file { r_file_perms execute execute_no_trans };
 ')
 ########################################
@@ -227,17 +233,17 @@ class file { getattr read execute execute_no_trans };
 define(`libraries_use_shared_libraries',`
 requires_block_template(`$0'_depend)
 files_search_general_application_resources_dir($1)
-allow $1 lib_t:dir { getattr search read };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
-allow $1 { shlib_t texrel_shlib_t }:file { getattr read execute };
+allow $1 lib_t:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
+allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 ')
 define(`libraries_use_shared_libraries_depend',`
 type lib_t, shlib_t, texrel_shlib_t;
-class dir { getattr searc read };
-class lnk_file { getattr read };
-class file { getattr read execute };
+class dir r_dir_perms;
+class lnk_file r_file_perms;
+class file rx_dir_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 9a611c69..2426a07d 100644
--- a/refpolicy/policy/modules/system/locallogin.te
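Review bot: `libraries_use_shared_libraries_depend` declares `class file rx_dir_perms;` while the macro body it backs grants `allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;`; a dir permission set on the file class does not match what the body uses, so the depend line should read `class file rx_file_perms;`, as the libraries_use_dynamic_loader hunk already does. The old `searc` typo on the removed line is fixed incidentally by the rewrite, which is fine, but the new mismatch replaces one declaration error with another.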
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -66,11 +66,16 @@ devices_get_pseudorandom_data(local_login_t)
 terminal_use_all_private_physical_terminals(local_login_t)
 terminal_use_general_physical_terminal(local_login_t)
+terminal_relabel_general_physical_terminal(local_login_t)
+terminal_relabel_all_private_physical_terminals(local_login_t)
+terminal_set_all_private_physical_terminal_attributes(local_login_t)
+terminal_set_general_physical_terminal_attributes(local_login_t)
 authlogin_check_password_transition(local_login_t)
 authlogin_ignore_read_shadow_passwords(local_login_t)
 authlogin_modify_login_records(local_login_t)
 authlogin_modify_last_login_log(local_login_t)
+authlogin_modify_login_failure_records(local_login_t)
 authlogin_pam_execute(local_login_t)
 authlogin_pam_console_manage_runtime_data(local_login_t)
@@ -78,8 +83,8 @@ domain_read_all_entrypoint_programs(local_login_t)
 files_read_general_system_config(local_login_t)
 files_read_runtime_system_config(local_login_t)
-files_list_home_directories(local_login_t)
 files_read_general_application_resources(local_login_t)
+files_manage_system_lock_files(var_lock_t)
 init_script_modify_runtime_data(local_login_t)
 init_ignore_use_file_descriptors(local_login_t)
@@ -94,8 +99,14 @@ miscfiles_read_localization(local_login_t)
 selinux_read_config(local_login_t)
 selinux_read_default_contexts(local_login_t)
+userdomain_all_users_explicit_transition(local_login_t)
+userdomain_signal_all_userdomains(local_login_t)
+userdomain_search_all_users_home_dirs(local_login_t)
 userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
+# Search for mail spool file.
+mta_get_mail_spool_attributes(local_login_t)
+
 ifdef(`TODO',`
 can_ypbind(local_login_t)
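Review bot: `files_manage_system_lock_files(var_lock_t)` passes the lock-file type where the interface expects the calling domain; the rules this replaces (removed in a later hunk of this file: `allow local_login_t var_lock_t:dir rw_dir_perms;` and `allow local_login_t var_lock_t:file create_file_perms;`) were for `local_login_t`. As written local_login_t loses its lock-file access entirely and `var_lock_t`, a file type, is granted rules that can never apply, so the call should be `files_manage_system_lock_files(local_login_t)`. Every other call added in this hunk correctly names local_login_t.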
@@ -117,15 +128,9 @@ allow local_login_t default_t:notdevfile_class_set r_file_perms;
 allow local_login_t readable_t:dir r_dir_perms;
 allow local_login_t readable_t:notdevfile_class_set r_file_perms;
-# Read /var, /var/spool
-allow local_login_t { var_t var_spool_t }:dir search;
-
 # for when /var/mail is a sym-link
 allow local_login_t var_t:lnk_file read;
-# Read /dev directories and any symbolic links.
-allow local_login_t device_t:lnk_file r_file_perms;
-
 dontaudit local_login_t sysfs_t:dir search;
 allow local_login_t autofs_t:dir { search read getattr };
@@ -140,18 +145,6 @@ ifdef(`crack.te', `
 allow local_login_t crack_db_t:file r_file_perms;
 ')
-# Permit login to search the user home directories.
-allow local_login_t home_root_t:dir search;
-allow local_login_t home_dir_type:dir search;
-
-# Write to /var/log/btmp
-allow local_login_t faillog_t:file { append read write };
-
-# Search for mail spool file.
-allow local_login_t mail_spool_t:dir r_dir_perms;
-allow local_login_t mail_spool_t:file getattr;
-allow local_login_t mail_spool_t:lnk_file read;
-
 allow local_login_t mouse_device_t:chr_file { getattr setattr };
 tunable_policy(`targeted_policy',`
@@ -159,10 +152,6 @@ unconfined_domain(local_login_t)
 domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
-# But also permit other user domains to be entered by login.
-domain_trans(local_login_t, shell_exec_t, userdomain)
-allow local_login_t userdomain:process signal;
-
 # Do not audit denied attempts to access devices.
 dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
 dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
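Review bot: The first hunk removes `allow local_login_t { var_t var_spool_t }:dir search;` and `allow local_login_t device_t:lnk_file r_file_perms;` without any replacement visible in this file, whereas the other removals in locallogin.te are each paired with a new interface call. The kept rule `allow local_login_t var_t:lnk_file read;` still needs search on the `var_t` directory to be reachable, and none of the calls added earlier in the file obviously covers symlinks under /dev. If these are now supplied by `mta_get_mail_spool_attributes` or by an interface outside this diff, a comment naming it next to the kept var_t rule would make that traceable; otherwise console login may start failing on /var or /dev link traversal, which only shows up as an AVC denial at runtime.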
@@ -177,18 +166,6 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 # Do not audit denied attempts to access /mnt.
 dontaudit local_login_t mnt_t:dir r_dir_perms;
-# Create lock file.
-allow local_login_t var_lock_t:dir rw_dir_perms;
-allow local_login_t var_lock_t:file create_file_perms;
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file setattr;
-allow local_login_t ttyfile:chr_file setattr;
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { relabelfrom relabelto };
-
 optional_policy(`gpm.te',`
 allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')
@@ -241,6 +218,7 @@ selinux_read_default_contexts(sulogin_t)
 authlogin_read_shadow_passwords(sulogin_t)
+userdomain_sysadm_shell_transition(sulogin_t)
 userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
 # suse and debian do not use pam with sulogin...
@@ -264,7 +242,6 @@ kernel_compute_selinux_reachable_user_contexts(sulogin_t)
 ifdef(`TODO',`
-domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
 allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 can_ypbind(sulogin_t)
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index d84f8d2d..4c9437c5 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -1,4 +1,6 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+##
+## Policy for logical volume management programs.
 ########################################
 ##
@@ -17,12 +19,18 @@ allow $1 lvm_exec_t:file { getattr read execute };
 allow $1 lvm_t:process transition;
 type_transition $1 lvm_exec_t:process lvm_t;
 dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
+allow $1 lvm_t:fd use;
+allow lvm_t $1:fd use;
+allow lvm_t $1:fifo_file rw_file_perms;
+allow lvm_t $1:process sigchld;
 ')
 define(`lvm_transition_depend',`
 type lvm_t, lvm_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -76,3 +84,4 @@ type lvm_t, lvm_exec_t;
 class file { getattr read };
 ')
+##
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index b124ce3e..5066301f 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -65,7 +65,9 @@ allow $1 insmod_exec_t:file { getattr read execute };
 allow $1 insmod_t:process transition;
 type_transition $1 insmod_exec_t:process insmod_t;
 dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
-# backchannel:
+allow $1 insmod_t:fd use;
+allow insmod_t $1:fd use;
+allow insmod_t $1:fifo_file rw_file_perms;
 allow insmod_t $1:process sigchld;
 ')
@@ -73,6 +75,8 @@ define(`modutils_insmod_transition_depend',`
 type insmod_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -138,12 +142,18 @@ allow $1 depmod_exec_t:file { getattr read execute };
 allow $1 depmod_t:process transition;
 type_transition $1 depmod_exec_t:process depmod_t;
 dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+allow $1 depmod_t:fd use;
+allow depmod_t $1:fd use;
+allow depmod_t $1:fifo_file rw_file_perms;
+allow depmod_t $1:process sigchld;
 ')
 define(`modutils_depmod_transition_depend',`
 type depmod_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -206,12 +216,18 @@ allow $1 update_modules_exec_t:file { getattr read execute };
 allow $1 update_modules_t:process transition;
 type_transition $1 update_modules_exec_t:process update_modules_t;
 dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+allow $1 update_modules_t:fd use;
+allow update_modules_t $1:fd use;
+allow update_modules_t $1:fifo_file rw_file_perms;
+allow update_modules_t $1:process sigchld;
 ')
 define(`modutils_update_modules_transition_depend',`
 type update_modules_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh signal };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 51bfc3b2..574bf39d 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
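Review bot: `modutils_update_modules_transition_depend` now declares `class process { transition noatsecure siginh rlimitinh signal };`, but the body it backs grants `allow update_modules_t $1:process sigchld;`; `signal` is a different permission and the one the body needs is not declared. The line should be `class process { transition noatsecure siginh rlimitinh sigchld };`, exactly as the depmod hunk above has it.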
@@ -17,12 +17,18 @@ allow $1 mount_exec_t:file { getattr read execute };
 allow $1 mount_t:process transition;
 type_transition $1 mount_exec_t:process mount_t;
 dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
+allow $1 mount_t:fd use;
+allow mount_t $1:fd use;
+allow mount_t $1:fifo_file rw_file_perms;
+allow mount_t $1:process sigchld;
 ')
 define(`mount_transition_depend',`
 type mount_t, mount_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index fd97ed4a..8700646a 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
 allow $1 checkpolicy_t:process transition;
 type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+allow $1 checkpolicy_t:fd use;
+allow checkpolicy_t $1:fd use;
+allow checkpolicy_t $1:fifo_file rw_file_perms;
+allow checkpolicy_t $1:process sigchld;
 ')
 define(`selinux_checkpolicy_transition_depend',`
 type checkpolicy_t, checkpolicy_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
 ## Execute checkpolicy in the checkpolicy domain, and
 ## allow the specified role the checkpolicy domain,
 ## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
 ##
 ##
 ## The type of the process performing this action.
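Review bot: `selinux_checkpolicy_transition_depend` lists the same permission twice: `class process { transition noatsecure siginh rlimitinh sigchld sigchld };`; one `sigchld` should be dropped so the line matches the other depend blocks in this file. Separately, the selinuxutil.if section later in this diff carries the same blob hashes (`fd97ed4a..8700646a`) and byte-identical hunks as selinux.if, including this duplicate, so every fix to one file now has to be repeated in the other; if selinuxutil.if is meant to replace selinux.if, a rename in the same commit would avoid the two copies drifting apart.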
@@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
 allow $1 load_policy_t:process transition;
 type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+allow $1 load_policy_t:fd use;
+allow load_policy_t $1:fd use;
+allow load_policy_t $1:fifo_file rw_file_perms;
+allow load_policy_t $1:process sigchld;
 ')
 define(`selinux_load_policy_transition_depend',`
 type load_policy_t, load_policy_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
 ## Execute load_policy in the load_policy domain, and
 ## allow the specified role the load_policy domain,
 ## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
 ##
 ##
 ## The type of the process performing this action.
@@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
 allow $1 newrole_t:process transition;
 type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+allow $1 newrole_t:fd use;
+allow newrole_t $1:fd use;
+allow newrole_t $1:fifo_file rw_file_perms;
+allow newrole_t $1:process sigchld;
 ')
 define(`selinux_newrole_transition_depend',`
 type newrole_t, newrole_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
 allow $1 restorecon_t:process transition;
 type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+allow $1 restorecon_t:fd use;
+allow restorecon_t $1:fd use;
+allow restorecon_t $1:fifo_file rw_file_perms;
+allow restorecon_t $1:process sigchld;
 ')
 define(`selinux_restorecon_transition_depend',`
 type restorecon_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
 allow $1 run_init_t:process transition;
 type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+allow $1 run_init_t:fd use;
+allow run_init_t $1:fd use;
+allow run_init_t $1:fifo_file rw_file_perms;
+allow run_init_t $1:process sigchld;
 ')
 define(`selinux_run_init_transition_depend',`
 type run_init_t, run_init_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
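Review bot: `selinux_restorecon_transition_depend` declares only `type restorecon_exec_t;`, yet the macro body it backs, including the four lines added here (`allow $1 restorecon_t:fd use;`, `allow restorecon_t $1:fd use;` and the two that follow), references `restorecon_t` throughout. The omission predates this commit, but the commit extends the block that depends on it, so the declaration should become `type restorecon_t, restorecon_exec_t;`, matching every other *_transition_depend block in this file. The selinuxutil.if copy of this hunk has the same gap.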
@@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
 allow $1 setfiles_t:process transition;
 type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+allow $1 setfiles_t:fd use;
+allow setfiles_t $1:fd use;
+allow setfiles_t $1:fifo_file rw_file_perms;
+allow setfiles_t $1:process sigchld;
 ')
 define(`selinux_setfiles_transition_depend',`
 type setfiles_t, setfiles_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index fd97ed4a..8700646a 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
 allow $1 checkpolicy_t:process transition;
 type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
+allow $1 checkpolicy_t:fd use;
+allow checkpolicy_t $1:fd use;
+allow checkpolicy_t $1:fifo_file rw_file_perms;
+allow checkpolicy_t $1:process sigchld;
 ')
 define(`selinux_checkpolicy_transition_depend',`
 type checkpolicy_t, checkpolicy_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
 ## Execute checkpolicy in the checkpolicy domain, and
 ## allow the specified role the checkpolicy domain,
 ## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
 ##
 ##
 ## The type of the process performing this action.
@@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
 allow $1 load_policy_t:process transition;
 type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
+allow $1 load_policy_t:fd use;
+allow load_policy_t $1:fd use;
+allow load_policy_t $1:fifo_file rw_file_perms;
+allow load_policy_t $1:process sigchld;
 ')
 define(`selinux_load_policy_transition_depend',`
 type load_policy_t, load_policy_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
 ## Execute load_policy in the load_policy domain, and
 ## allow the specified role the load_policy domain,
 ## and use the caller's terminal.
+## Has a SIGCHLD signal backchannel.
 ##
 ##
 ## The type of the process performing this action.
@@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
 allow $1 newrole_t:process transition;
 type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
+allow $1 newrole_t:fd use;
+allow newrole_t $1:fd use;
+allow newrole_t $1:fifo_file rw_file_perms;
+allow newrole_t $1:process sigchld;
 ')
 define(`selinux_newrole_transition_depend',`
 type newrole_t, newrole_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
 allow $1 restorecon_t:process transition;
 type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
+allow $1 restorecon_t:fd use;
+allow restorecon_t $1:fd use;
+allow restorecon_t $1:fifo_file rw_file_perms;
+allow restorecon_t $1:process sigchld;
 ')
 define(`selinux_restorecon_transition_depend',`
 type restorecon_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
 allow $1 run_init_t:process transition;
 type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+allow $1 run_init_t:fd use;
+allow run_init_t $1:fd use;
+allow run_init_t $1:fifo_file rw_file_perms;
+allow run_init_t $1:process sigchld;
 ')
 define(`selinux_run_init_transition_depend',`
 type run_init_t, run_init_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
@@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
 allow $1 setfiles_t:process transition;
 type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
+allow $1 setfiles_t:fd use;
+allow setfiles_t $1:fd use;
+allow setfiles_t $1:fifo_file rw_file_perms;
+allow setfiles_t $1:process sigchld;
 ')
 define(`selinux_setfiles_transition_depend',`
 type setfiles_t, setfiles_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 9a889457..0de49c3f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -10,12 +10,18 @@ allow $1 dhcpc_exec_t:file { getattr read execute };
 allow $1 dhcpc_t:process transition;
 type_transition $1 dhcpc_exec_t:process dhcpc_t;
 dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+allow $1 dhcpc_t:fd use;
+allow dhcpc_t $1:fd use;
+allow dhcpc_t $1:fifo_file rw_file_perms;
+allow dhcpc_t $1:process sigchld;
 ')
 define(`sysnetwork_dhcpc_transition_depend',`
 type dhcpc_t, dhcpc_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 #######################################
@@ -35,12 +41,18 @@ allow $1 ifconfig_exec_t:file { getattr read execute };
 allow $1 ifconfig_t:process transition;
 type_transition $1 ifconfig_exec_t:process ifconfig_t;
 dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+allow $1 ifconfig_t:fd use;
+allow ifconfig_t $1:fd use;
+allow ifconfig_t $1:fifo_file rw_file_perms;
+allow ifconfig_t $1:process sigchld;
 ')
 define(`sysnetwork_ifconfig_transition_depend',`
 type ifconfig_t, ifconfig_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index cab73b67..bcf83b85 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -10,8 +10,9 @@ allow $1 udev_exec_t:file { getattr read execute };
 allow $1 udev_t:process transition;
 type_transition $1 udev_exec_t:process udev_t;
 dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
-# backchannels:
+allow $1 udev_t:fd use;
 allow udev_t $1:fd use;
+allow udev_t $1:fifo_file rw_file_perms;
 allow udev_t $1:process sigchld;
 ')
@@ -19,6 +20,8 @@ define(`udev_transition_depend',`
 type udev_t, udev_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh sigchld };
+class fd use;
+class fifo_file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 882fa9f2..0971b72f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -150,6 +150,7 @@ authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t
 corecommands_execute_general_programs($1_t)
 corecommands_execute_system_programs($1_t)
+corecommands_execute_ls($1_t)
 domain_execute_all_entrypoint_programs($1_t)
 domain_use_widely_inheritable_file_descriptors($1_t)
@@ -808,6 +809,28 @@ allow $1_t eventpollfs_t:file getattr;
 ') dnl endif TODO
 ')
+########################################
+##
+##
+## Execute a shell in all user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_all_users_explicit_transition',`
+requires_block_template(`$0'_depend)
+corecommands_shell_explicit_transition($1,userdomain)
+')
+
+define(`userdomain_all_users_explicit_transition_depend',`
+type sysadm_t;
+')
+
 ########################################
 ##
 ##
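Review bot: `userdomain_all_users_explicit_transition_depend` declares `type sysadm_t;`, which the macro body never references, while the body's `corecommands_shell_explicit_transition($1,userdomain)` relies on the `userdomain` attribute that the depend block does not declare. Following the convention used elsewhere on this page (the sibling `userdomain_signal_all_userdomains_depend` declares `attribute userdomain;`, and the removed init.if block nested `kernel_system_role_transition_depend` to pull in a called interface's requirements), the block should read `attribute userdomain;` plus the corecommands interface's own depend macro, if the project defines one, in place of `type sysadm_t;`. Since this interface lets the caller pick any user domain via setexeccon(), the depend block is the only place that records that dependency for policy linking, so getting it right matters more than for a narrower interface.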
@@ -853,14 +876,36 @@ class chr_file { getattr read write ioctl };
 ')
 ########################################
-##
+##
 ##
-## Inherit the file descriptors from all user domains
+## Search all users home directories.
 ##
 ##
 ## The type of the process performing this action.
 ##
-##
+##
+##
+#
+define(`userdomain_search_all_users_home_dirs',`
+requires_block_template(`$0'_depend)
+files_list_home_directories($1)
+allow $1 { home_dir_type home_type }:dir search;
+')
+
+define(`userdomain_search_all_users_home_dirs_depend',`
+attribute home_dir_type, home_type;
+class dir search;
+')
+
+########################################
+##
+##
+## Read all files in all users home directories.
+##
+##
+## The type of the process performing this action.
+##
+##
 ##
 #
 define(`userdomain_read_all_users_data',`
@@ -897,6 +942,27 @@ attribute userdomain;
 class fd use;
 ')
+########################################
+##
+##
+## Send general signals to all user domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_signal_all_userdomains',`
+requires_block_template(`$0'_depend)
+allow $1 userdomain:process signal;
+')
+
+define(`userdomain_signal_all_userdomains_depend',`
+attribute userdomain;
+class process signal;
+')
+
 ########################################
 ##
 ##
@@ -927,7 +993,7 @@ class fd use;
 ##
 ## The type of the process performing this action.
 ##
-##
+##
 ##
 #
 define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
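Review bot: `userdomain_search_all_users_home_dirs` grants `allow $1 { home_dir_type home_type }:dir search;`, so callers get search on every directory labelled with `home_type` inside user homes, not only on the home directories themselves; the locallogin.te rules this interface replaces granted search only on `home_root_t` and `home_dir_type`. If the wider grant is intended (for dot-directories under a home, say), the summary `Search all users home directories.` should state that subdirectories are included; otherwise `home_type` should be dropped from both the allow rule and the `attribute home_dir_type, home_type;` depend line. The interface is used by login, so the difference decides how much of a user's tree the login domain may traverse.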