* break up files_getattr_all_files into correct interfaces

* move stuff out of pcmcia into the appropriate modules
This commit is contained in:
Chris PeBenito 2005-07-15 15:17:57 +00:00
parent f136a944c5
commit 50f6503452
8 changed files with 244 additions and 18 deletions

View File

@ -812,6 +812,24 @@ interface(`dev_rw_apm_bios',`
allow $1 apm_bios_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and
## write the PCMCIA card manager device.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
class chr_file { read write };
')
dontaudit $1 cardmgr_dev_t:chr_file { read write };
')
########################################
## <summary>
## Read the CPU identity.

View File

@ -259,7 +259,11 @@ files_exec_etc_files(system_crond_t)
files_read_etc_files(system_crond_t)
files_read_etc_runtime_files(system_crond_t)
files_list_all_dirs(system_crond_t)
files_getattr_all_dirs(system_crond_t)
files_getattr_all_files(system_crond_t)
files_getattr_all_symlinks(system_crond_t)
files_getattr_all_pipes(system_crond_t)
files_getattr_all_sockets(system_crond_t)
files_read_usr_files(system_crond_t)
files_read_var_files(system_crond_t)
# for nscd:

View File

@ -104,27 +104,185 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
')
########################################
## <summary>
## Get the attributes of all directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_getattr_all_dirs',`
gen_require(`
attribute file_type;
class dir { getattr search };
')
allow $1 file_type:dir { getattr search };
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_all_dirs',`
gen_require(`
attribute file_type;
class dir getattr;
')
dontaudit $1 file_type:dir getattr;
')
########################################
#
# files_getattr_all_files(domain)
#
interface(`files_getattr_all_files',`
gen_require(`
attribute file_type;
class dir { search getattr };
class dir search;
class file getattr;
')
allow $1 file_type:dir search;
allow $1 file_type:file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all files.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_all_files',`
gen_require(`
attribute file_type;
class file getattr;
')
dontaudit $1 file_type:file getattr;
')
########################################
## <summary>
## Get the attributes of all symbolic links.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_getattr_all_symlinks',`
gen_require(`
attribute file_type;
class dir search;
class lnk_file getattr;
')
allow $1 file_type:dir search;
allow $1 file_type:lnk_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all symbolic links.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_all_symlinks',`
gen_require(`
attribute file_type;
class lnk_file getattr;
')
dontaudit $1 file_type:lnk_file getattr;
')
########################################
## <summary>
## Get the attributes of all named pipes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_getattr_all_pipes',`
gen_require(`
attribute file_type;
class dir search;
class fifo_file getattr;
')
allow $1 file_type:dir search;
allow $1 file_type:fifo_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all named pipes.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_all_pipes',`
gen_require(`
attribute file_type;
class fifo_file getattr;
')
dontaudit $1 file_type:fifo_file getattr;
')
########################################
## <summary>
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_getattr_all_sockets',`
gen_require(`
attribute file_type;
class dir search;
class sock_file getattr;
')
allow $1 file_type:dir { search getattr };
allow $1 file_type:file getattr;
allow $1 file_type:lnk_file getattr;
allow $1 file_type:fifo_file getattr;
allow $1 file_type:dir search;
allow $1 file_type:sock_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all named sockets.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_all_sockets',`
gen_require(`
attribute file_type;
class sock_file getattr;
')
dontaudit $1 file_type:sock_file getattr;
')
########################################
## <summary>
## Relabel all files on the filesystem, except

View File

@ -264,7 +264,11 @@ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_delete_all_tmp_files(initrc_t)
files_delete_all_locks(initrc_t)
files_read_all_pids(initrc_t)

View File

@ -103,6 +103,10 @@ logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t)
ifdef(`hide_broken_symptoms',`
dev_dontaudit_rw_cardmgr(insmod_t)
')
optional_policy(`mount.te',`
mount_domtrans(insmod_t)
')

View File

@ -1,5 +1,29 @@
## <summary>PCMCIA card management services</summary>
########################################
## <summary>
## Execute cardmgr in the cardmgr domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`pcmcia_domtrans_cardmgr',`
gen_require(`
type cardmgr_t, cardmgr_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
allow $1 cardmgr_t:fd use;
allow cardmgr_t $1:fd use;
allow cardmgr_t $1:fifo_file rw_file_perms;
allow cardmgr_t $1:process sigchld;
')
########################################
## <summary>
## Execute cardctl in the cardmgr domain.

View File

@ -43,8 +43,11 @@ kernel_read_system_state(cardmgr_t)
kernel_read_kernel_sysctl(cardmgr_t)
kernel_list_proc(cardmgr_t)
kernel_read_proc_symlinks(cardmgr_t)
kernel_dontaudit_getattr_message_if(cardmgr_t)
dev_read_sysfs(cardmgr_t)
dev_getattr_all_chr_files(cardmgr_t)
dev_getattr_all_blk_files(cardmgr_t)
# for SSP
dev_read_urand(cardmgr_t)
@ -52,6 +55,7 @@ fs_getattr_all_fs(cardmgr_t)
fs_search_auto_mountpoints(cardmgr_t)
term_use_unallocated_tty(cardmgr_t)
term_getattr_all_user_ttys(cardmgr_t)
term_dontaudit_use_console(cardmgr_t)
corecmd_exec_bin(cardmgr_t)
@ -59,10 +63,18 @@ corecmd_exec_sbin(cardmgr_t)
domain_use_wide_inherit_fd(cardmgr_t)
domain_exec_all_entry_files(cardmgr_t)
# cjp: these look excessive:
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
files_search_home(cardmgr_t)
files_read_etc_runtime_files(cardmgr_t)
files_exec_etc_files(cardmgr_t)
# cjp: these look excessive:
files_dontaudit_getattr_all_dirs(cardmgr_t)
files_dontaudit_getattr_all_files(cardmgr_t)
files_dontaudit_getattr_all_symlinks(cardmgr_t)
files_dontaudit_getattr_all_pipes(cardmgr_t)
files_dontaudit_getattr_all_sockets(cardmgr_t)
init_use_fd(cardmgr_t)
init_use_script_pty(cardmgr_t)
@ -116,21 +128,17 @@ file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t },
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain)
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;
# cjp: these look excessive:
dontaudit cardmgr_t domain:socket_class_set getattr;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
# this goes to apm
optional_policy(`pcmcia.te',`
pcmcia_domtrans_cardmgr(apmd_t)
pcmcia_domtrans_cardctl(apmd_t)
')
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;

View File

@ -285,7 +285,13 @@ seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t)
ifdef(`hide_broken_symptoms',`
optional_policy(`pcmcia.te',`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
optional_policy(`udev.te',`
udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
')
')
optional_policy(`nis.te',`