From 5493c2036b65967d23d9ef48f2a20ed9b4826ebf Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 15 Sep 2005 21:03:45 +0000 Subject: [PATCH] more updates --- docs/macro_conversion_guide | 53 +++-- strict/ChangeLog | 203 ++++++++++++++++++ strict/Makefile | 99 +++++---- strict/VERSION | 2 +- strict/attrib.te | 23 +- strict/constraints | 4 + strict/domains/program/crond.te | 2 + strict/domains/program/dhcpc.te | 5 +- strict/domains/program/hotplug.te | 17 +- strict/domains/program/ipsec.te | 5 +- strict/domains/program/klogd.te | 3 + strict/domains/program/load_policy.te | 3 +- strict/domains/program/login.te | 9 +- strict/domains/program/logrotate.te | 2 +- strict/domains/program/modutil.te | 2 +- strict/domains/program/mount.te | 18 +- strict/domains/program/mta.te | 14 +- strict/domains/program/mysqld.te | 7 +- strict/domains/program/named.te | 8 +- strict/domains/program/newrole.te | 1 + strict/domains/program/nscd.te | 3 + strict/domains/program/ntpd.te | 1 + strict/domains/program/pam.te | 7 +- strict/domains/program/ping.te | 3 + strict/domains/program/udev.te | 14 +- strict/domains/user.te | 18 +- strict/fs_use | 2 + strict/genfs_contexts | 6 +- strict/macros/base_user_macros.te | 42 ++-- strict/macros/core_macros.te | 4 +- strict/macros/global_macros.te | 238 ++++++++++----------- strict/macros/network_macros.te | 15 +- strict/macros/program/games_domain.te | 63 ++++-- strict/macros/program/gift_macros.te | 69 +++--- strict/macros/program/userhelper_macros.te | 8 +- strict/macros/program/ypbind_macros.te | 4 +- strict/tunables/distro.tun | 2 +- strict/tunables/tunable.tun | 19 +- strict/types/nfs.te | 2 +- strict/types/procfs.te | 4 +- 40 files changed, 658 insertions(+), 346 deletions(-) diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide index f01429c8..0d6aeb28 100644 --- a/docs/macro_conversion_guide +++ b/docs/macro_conversion_guide @@ -301,16 +301,7 @@ optional_policy(`kerberos.te',` # # can_ldap(): complete # -optional_policy(`ldap.te',` - allow $1 self:tcp_socket create_socket_perms; - corenet_tcp_sendrecv_all_if($1) - corenet_raw_sendrecv_all_if($1) - corenet_tcp_sendrecv_all_nodes($1) - corenet_raw_sendrecv_all_nodes($1) - corenet_tcp_sendrecv_ldap_port($1) - corenet_tcp_bind_all_nodes($1) - sysnet_read_config($1) -') +sysnet_use_ldap($1) # # can_loadpol(): complete @@ -420,19 +411,15 @@ dontaudit $1 $2:process ptrace; allow $1 $2:process ptrace; allow $2 $1:process sigchld; +# +# can_portmap(): +# +sysnet_use_portmap($1) + # # can_resolve(): complete # -tunable_policy(`use_dns',` - allow $1 self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if($1) - corenet_raw_sendrecv_all_if($1) - corenet_udp_sendrecv_all_nodes($1) - corenet_raw_sendrecv_all_nodes($1) - corenet_udp_sendrecv_dns_port($1) - corenet_udp_bind_all_nodes($1) - sysnet_read_config($1) -') +sysnet_dns_name_resolve($1) # # can_setbool(): complete @@ -790,7 +777,7 @@ optional_policy(`nscd.te',` # # legacy_domain(): complete # -allow $1_t self:process execmem; +allow $1_t self:process { execmem execstack }; libs_legacy_use_shared_libs($1_t) libs_legacy_use_ld_so($1_t) @@ -826,6 +813,30 @@ create_dir_file($1, $2) can_exec($1, $2) allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename }; +# +# polyinstantiater(): +# +ifdef(`support_polyinstantiation', ` +# Need to give access to /selinux/member +selinux_compute_member($1) +# Need sys_admin capability for mounting +allow $1 self:capability sys_admin; +# Need to give access to the directories to be polyinstantiated +allow $1 polydir:dir { getattr mounton add_name create setattr write search }; +# Need to give access to the polyinstantiated subdirectories +allow $1 polymember:dir {getattr search }; +# Need to give access to parent directories where original +# is remounted for polyinstantiation aware programs (like gdm) +allow $1 polyparent:dir { getattr mounton }; +# Need to give permission to create directories where applicable +allow $1 polymember: dir { create setattr }; +allow $1 polydir: dir { write add_name }; +allow $1 self:process setfscreate; +allow $1 polyparent:dir { write add_name }; +# Default type for mountpoints +allow $1 poly_t:dir { create mounton }; +') + # # pty_slave_label(): # diff --git a/strict/ChangeLog b/strict/ChangeLog index 0e38453c..20fcfc3e 100644 --- a/strict/ChangeLog +++ b/strict/ChangeLog @@ -1,3 +1,206 @@ +1.26 2005-09-06 + * Updated version for release. + +1.25.4 2005-08-10 + * Merged small patches from Russell Coker for the restorecon, + kudzu, lvm, radvd, and spamassasin policies. + * Added fs_use_trans rule for mqueue from Mark Gebhart to support + the work he has done on providing SELinux support for mqueue. + * Merged a patch from Dan Walsh. Removes the user_can_mount + tunable. Adds disable_evolution_trans and disable_thunderbird_trans + booleans. Adds the nscd_client_domain attribute to insmod_t. + Removes the user_ping boolean from targeted policy. Adds + hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts. + Adds the isakmp_port for vpnc. Creates the pptp daemon domain. + Allows getty to run sbin_t for pppd. Allows initrc to write to + default_t for booting. Allows Hotplug_t sys_rawio for prism54 + card at boot. Other minor fixes. + +1.25.3 2005-07-18 + * Merged patch from Dan Walsh. Adds auth_bool attribute to allow + domains to have read access to shadow_t. Creates pppd_can_insmod + boolean to control the loading of modem kernel modules. Allows + nfs to export noexattrfile types. Allows unix_chpwd to access + cert files and random devices for encryption purposes. Other + minor cleanups and fixes. + +1.25.2 2005-07-11 + * Merged patch from Dan Walsh. Added allow_ptrace boolean to + allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the + audit_control and audit_write capabilities. Stops targeted policy + from transitioning from unconfined_t to netutils. Allows cupsd to + audit messages. Gives prelink the execheap, execmem, and execstack + permissions by default. Adds can_winbind boolean and functions to + better handle samba and winbind communications. Eliminates + allow_execmod checks around texrel_shlib_t libraries. Other minor + cleanups and fixes. + +1.25.1 2005-07-05 + * Moved role_tty_type_change, reach_sysadm, and priv_user macros + from user.te to user_macros.te as suggested by Steve. + * Modified admin_domain macro so autrace would work and removed + privuser attribute for dhcpc as suggested by Russell Coker. + * Merged rather large patch from Dan Walsh. Moves + targeted/strict/mls policies closer together. Adds local.te for + users to customize. Includes minor fixes to auditd, cups, + cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch + that defines all ports in network.te. Ports are always defined + now, no ifdefs are used in network.te. Also includes Ivan + Gyurdiev's user home directory policy patches. These patches add + alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs, + iceauth, orbit, and thunderbird policy. They create read_content, + write_trusted, and write_untrusted macros in content.te. They + create network_home, write_network_home, read_network_home, + base_domain_ro_access, home_domain_access, home_domain, and + home_domain_ro macros in home_macros.te. They also create + $3_read_content, $3_write_content, and write_untrusted booleans. + +1.24 2005-06-20 + * Updated version for release. + +1.23.18 2005-05-31 + * Merged minor fixes to pppd.fc and courier.te by Russell Coker. + * Removed devfsd policy as suggested by Russell Coker. + * Merged patch from Dan Walsh. Includes beginnings of Ivan + Gyurdiev's Font Config policy. Don't transition to fsadm_t from + unconfined_t (sysadm_t) in targeted policy. Add support for + debugfs in modutil. Allow automount to create and delete + directories in /root and /home dirs. Move can_ypbind to + chkpwd_macro.te. Allow useradd to create additional files and + types via the skell mechanism. Other minor cleanups and fixes. + +1.23.17 2005-05-23 + * Merged minor fixes by Petre Rodan to the daemontools, dante, + gpg, kerberos, and ucspi-tcp policies. + * Merged minor fixes by Russell Coker to the bluetooth, crond, + initrc, postfix, and udev policies. Modifies constraints so that + newaliases can be run. Modifies types.fc so that objects in + lost+found directories will not be relabled. + * Modified fc rules for nvidia. + * Added Chad Sellers policy for polyinstantiation support, which + creates the polydir, polyparent, and polymember attributes. Also + added the support_polyinstantiation tunable. + * Merged patch from Dan Walsh. Includes mount_point attribute, + read_font macros and some other policy fixes from Ivan Gyurdiev. + Adds privkmsg and secadmfile attributes and ddcprobe policy. + Removes the use_syslogng boolean. Many other minor fixes. + +1.23.16 2005-05-13 + * Added rdisc policy from Russell Coker. + * Merged minor fix to named policy by Petre Rodan. + * Merged minor fixes to policy from Russell Coker for kudzu, + named, screen, setfiles, telnet, and xdm. + * Merged minor fix to Makefile from Russell Coker. + +1.23.15 2005-05-06 + * Added tripwire and yam policy from David Hampton. + * Merged minor fixes to amavid and a clarification to the + httpdcontent attribute comments from David Hampton. + * Merged patch from Dan Walsh. Includes fixes for restorecon, + games, and postfix from Russell Coker. Adds support for debugfs. + Restores support for reiserfs. Allows udev to work with tmpfs_t + before /dev is labled. Removes transition from sysadm_t + (unconfined_t) to ifconfig_t for the targeted policy. Other minor + cleanups and fixes. + +1.23.14 2005-04-29 + * Added afs policy from Andrew Reisse. + * Merged patch from Lorenzo Hernández García-Hierro which defines + execstack and execheap permissions. The patch excludes these + permissions from general_domain_access and updates the macros for + X, legacy binaries, users, and unconfined domains. + * Added nlmsg_relay permisison where netlink_audit_socket class is + used. Added nlmsg_readpriv permission to auditd_t and auditctl_t. + * Merged some minor cleanups from Russell Coker and David Hampton. + * Merged patch from Dan Walsh. Many changes made to allow + targeted policy to run closer to strict and now almost all of + non-userspace is protected via SELinux. Kernel is now in + unconfined_domain for targeted and runs as root:system_r:kernel_t. + Added transitionbool to daemon_sub_domain, mainly to turn off + httpd_suexec transitioning. Implemented web_client_domain + name_connect rules. Added yp support for cups. Now the real + hotplug, udev, initial_sid_contexts are used for the targeted + policy. Other minor cleanups and fixes. Auditd fixes by Paul + Moore. + +1.23.13 2005-04-22 + * Merged more changes from Dan Walsh to initrc_t for removal of + unconfined_domain. + * Merged Dan Walsh's split of auditd policy into auditd_t for the + audit daemon and auditctl_t for the autoctl program. + * Added use of name_connect to uncond_can_ypbind macro by Dan + Walsh. + * Merged other cleanup and fixes by Dan Walsh. + +1.23.12 2005-04-20 + * Merged Dan Walsh's Netlink changes to handle new auditing pam + modules. + * Merged Dan Walsh's patch removing the sysadmfile attribute from + policy files to separate sysadm_t from secadm_t. + * Added CVS and uucpd policy from Dan Walsh. + * Cleanup by Dan Walsh to handle turning off unlimitedRC. + * Merged Russell Coker's fixes to ntpd, postgrey, and named + policy. + * Cleanup of chkpwd_domain and added permissions to su_domain + macro due to pam changes to support audit. + * Added nlmsg_relay and nlmsg_readpriv permissions to the + netlink_audit_socket class. + +1.23.11 2005-04-14 + * Merged Dan Walsh's separation of the security manager and system + administrator. + * Removed screensaver.te as suggested by Thomas Bleher + * Cleanup of typealiases that are no longer used by Thomas Bleher. + * Cleanup of fc files and additional rules for SuSE by Thomas + Bleher. + * Merged changes to auditd and named policy by Russell Coker. + * Merged MLS change from Darrel Goeddel to support the policy + hierarchy patch. + +1.23.10 2005-04-08 + * Removed pump.te, pump.fc, and targeted/domains/program/modutil.te + +1.23.9 2005-04-07 + * Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup + of x_client apps. + * Added dmidecode policy from Ivan Gyurdiev. + +1.23.8 2005-04-05 + * Added netlink_kobject_uevent_socket class. + * Removed empty files pump.te and pump.fc. + * Added NetworkManager policy from Dan Walsh. + * Merged Dan Walsh's major restructuring of Apache's policy. + +1.23.7 2005-04-04 + * Merged David Hampton's amavis and clamav cleanups. + * Added David Hampton's dcc, pyzor, and razor policy. + +1.23.6 2005-04-01 + * Merged cleanup of the Makefile and other stuff from Dan Walsh. + Dan's patch includes some desktop changes from Ivan Gyurdiev. + * Merged Thomas Bleher's patches which increase the usage of + lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to + DOMAIN_var_lib_t, and removes use of notdevfile_class_set where + possible. + * Merged Greg Norris's cleanup of fetchmail. + +1.23.5 2005-03-23 + * Added name_connect support from Dan Walsh. + * Added httpd_unconfined_t from Dan Walsh. + * Merged cleanup of assert.te to allow unresticted full access + from Dan Walsh. + +1.23.4 2005-03-21 + * Merged diffs from Dan Walsh: + * Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan + Gyurdiev. + * Added syslogng support to syslog.te. + +1.23.3 2005-03-15 + * Added policy for nx_server from Thomas Bleher. + * Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and + publicfile from Petre Rodan. + 1.23.2 2005-03-14 * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's gift policy. diff --git a/strict/Makefile b/strict/Makefile index 5a70bc70..fec8c3e7 100644 --- a/strict/Makefile +++ b/strict/Makefile @@ -60,7 +60,7 @@ POLICYFILES += $(USER_FILES) POLICYFILES += constraints POLICYFILES += $(DEFCONTEXTFILES) CONTEXTFILES = $(DEFCONTEXTFILES) -POLICY_DIRS = domains/program domains/misc +POLICY_DIRS = domains domains/program domains/misc macros macros/program UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) @@ -70,19 +70,19 @@ FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/pro CONTEXTFILES += $(FCFILES) APPDIR=$(CONTEXTPATH) -APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media +APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media ROOTFILES = $(addprefix $(APPDIR)/users/,root) all: policy -tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) - @echo "Validating file_contexts ..." - $(SETFILES) -q -c $(LOADPATH) $(FCPATH) +tmp/valid_fc: $(LOADPATH) $(FC) + @echo "Validating file contexts files ..." + $(SETFILES) -q -c $(LOADPATH) $(FC) @touch tmp/valid_fc -install: tmp/valid_fc $(USERPATH)/local.users +install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf @mkdir -p $(USERPATH) @@ -91,61 +91,64 @@ $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users @echo "# Please edit local.users to make local changes." >> tmp/system.users @echo "#" >> tmp/system.users - m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users + @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users install -m 644 tmp/system.users $@ $(USERPATH)/local.users: local.users @mkdir -p $(USERPATH) - install -C -b -m 644 $< $@ + install -b -m 644 $< $@ $(CONTEXTPATH)/files/media: appconfig/media - mkdir -p $(CONTEXTPATH)/files/ + @mkdir -p $(CONTEXTPATH)/files/ install -m 644 $< $@ $(APPDIR)/default_contexts: appconfig/default_contexts - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/removable_context: appconfig/removable_context - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/customizable_types: policy.conf - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types install -m 644 tmp/customizable_types $@ +$(APPDIR)/port_types: policy.conf + @mkdir -p $(APPDIR) + @grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types + install -m 644 tmp/port_types $@ + $(APPDIR)/default_type: appconfig/default_type - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/userhelper_context: appconfig/userhelper_context - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/initrc_context: appconfig/initrc_context - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/failsafe_context: appconfig/failsafe_context - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/dbus_contexts: appconfig/dbus_contexts - mkdir -p $(APPDIR) + @mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/users/root: appconfig/root_default_contexts - mkdir -p $(APPDIR)/users + @mkdir -p $(APPDIR)/users install -m 644 $< $@ -$(LOADPATH): policy.conf $(CHECKPOLICY) - mkdir -p $(POLICYPATH) +$(LOADPATH): policy.conf $(CHECKPOLICY) + @echo "Compiling policy ..." + @mkdir -p $(POLICYPATH) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf ifneq ($(MLS),y) -ifneq ($(VERS),18) - $(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf -endif endif # Note: Can't use install, so not sure how to deal with mode, user, and group # other than by default. @@ -154,46 +157,39 @@ policy: $(POLICYVER) $(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf -ifneq ($(MLS),y) -ifneq ($(VERS),18) - $(CHECKPOLICY) -c 18 -o policy.18 policy.conf -endif -endif - @echo "Validating file_contexts ..." + @echo "Validating file contexts files ..." $(SETFILES) -q -c $(POLICYVER) $(FC) -reload tmp/load: $(FCPATH) $(LOADPATH) -ifeq ($(VERS), $(KERNVERS)) +reload tmp/load: $(LOADPATH) + @echo "Loading Policy ..." $(LOADPOLICY) $(LOADPATH) -else - $(LOADPOLICY) $(POLICYPATH)/policy.18 -endif touch tmp/load -load: tmp/load +load: tmp/load $(FCPATH) enableaudit: policy.conf grep -v dontaudit policy.conf > policy.audit mv policy.audit policy.conf policy.conf: $(POLICYFILES) $(POLICY_DIRS) - mkdir -p tmp + @echo "Building policy.conf ..." + @mkdir -p tmp m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp - mv $@.tmp $@ + @mv $@.tmp $@ install-src: rm -rf $(SRCPATH)/policy.old -mv $(SRCPATH)/policy $(SRCPATH)/policy.old - mkdir -p $(SRCPATH)/policy + @mkdir -p $(SRCPATH)/policy cp -R . $(SRCPATH)/policy tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program - mkdir -p tmp + @mkdir -p tmp ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp mv $@.tmp $@ -FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` +FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';` checklabels: $(SETFILES) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) @@ -205,20 +201,20 @@ relabel: $(FC) $(SETFILES) $(SETFILES) $(FC) $(FILESYSTEMS) file_contexts/misc: - mkdir -p file_contexts/misc + @mkdir -p file_contexts/misc - -$(FCPATH): $(FC) $(USERPATH)/system.users +$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types + @echo "Installing file contexts files..." @mkdir -p $(CONTEXTPATH)/files - install -m 644 $(FC) $(FCPATH) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) + install -m 644 $(FC) $(FCPATH) @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd - @echo "Building file_contexts ..." + @echo "Building file contexts files..." @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp - @grep -v -e HOME -e ROLE $@.tmp > $@ - @grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE) + @grep -v -e HOME -e ROLE -e USER $@.tmp > $@ + @grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE) @-rm $@.tmp # Create a tags-file for the policy: @@ -239,7 +235,7 @@ tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ clean: - rm -f policy.conf $(POLICYVER) policy.18 + rm -f policy.conf $(POLICYVER) rm -f tags rm -f tmp/* rm -f $(FC) @@ -324,8 +320,11 @@ mlsconvert: done @for file in $(USER_FILES); do \ echo "Converting $$file"; \ - sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \ + sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \ mv $$file.new $$file; \ done - @sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts + @sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts + @echo "Enabling MLS in the Makefile" + @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new + @mv Makefile.new Makefile @echo "Done" diff --git a/strict/VERSION b/strict/VERSION index aa3e5747..24cffb85 100644 --- a/strict/VERSION +++ b/strict/VERSION @@ -1 +1 @@ -1.23.2-1 +1.26 diff --git a/strict/attrib.te b/strict/attrib.te index cc792352..ca9d8e88 100644 --- a/strict/attrib.te +++ b/strict/attrib.te @@ -110,6 +110,10 @@ attribute privlog; # and an allow rule to permit it attribute privmodule; +# The privsysmod attribute identifies every domain that can have the +# sys_module capability +attribute privsysmod; + # The privmem attribute identifies every domain that can # access kernel memory devices. # This attribute is used in the TE assertions to verify @@ -117,6 +121,13 @@ attribute privmodule; # tagged with this attribute. attribute privmem; +# The privkmsg attribute identifies every domain that can +# read kernel messages (/proc/kmsg) +# This attribute is used in the TE assertions to verify +# that such access is limited to domains that are explicitly +# tagged with this attribute. +attribute privkmsg; + # The privfd attribute identifies every domain that should have # file handles inherited widely (IE sshd_t and getty_t). attribute privfd; @@ -251,6 +262,12 @@ attribute sysadmfile; # overall filesystem statistics. attribute fs_type; +# The mount_point attribute identifies all types that can serve +# as a mount point (for the mount binary). It is used in the mount +# policy to grant mounton permission, and in other domains to grant +# getattr permission over all the mount points. +attribute mount_point; + # The exec_type attribute identifies all types assigned # to entrypoint executables for domains. This attribute is # used in TE rules and assertions that should be applied to all @@ -413,7 +430,11 @@ attribute nscd_client_domain; # For clients of nscd that can use shmem interface. attribute nscd_shmem_domain; -# For labeling of content for httpd +# For labeling of content for httpd. This attribute is only used by +# the httpd_unified domain, which says treat all httpdcontent the +# same. If you want content to be served in a "non-unified" system +# you must specifically add "r_dir_file(httpd_t, your_content_t)" to +# your policy. attribute httpdcontent; # For labeling of domains whos transition can be disabled diff --git a/strict/constraints b/strict/constraints index 17fccc09..46a98757 100644 --- a/strict/constraints +++ b/strict/constraints @@ -61,6 +61,10 @@ ifdef(`crond.te', ` ') ifdef(`userhelper.te', `or (t1 == userhelperdomain)') +ifdef(`postfix.te', ` +ifdef(`direct_sysadm_daemon', + `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )') +') or (t1 == priv_system_role and r2 == system_r ) ); diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te index d92a4223..43d6bbe1 100644 --- a/strict/domains/program/crond.te +++ b/strict/domains/program/crond.te @@ -86,6 +86,8 @@ allow crond_t rpm_log_t: file create_file_perms; system_crond_entry(rpm_exec_t, rpm_t) allow system_crond_t rpm_log_t:file create_file_perms; +#read ahead wants to read this +allow initrc_t system_cron_spool_t:file { getattr read }; ') ') diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te index 3703ce49..442d46fd 100644 --- a/strict/domains/program/dhcpc.te +++ b/strict/domains/program/dhcpc.te @@ -64,6 +64,9 @@ allow ping_t hotplug_t:fd use; ifdef(`cardmgr.te', ` allow ping_t cardmgr_t:fd use; ') dnl end if cardmgr +', ` +allow dhcpc_t self:capability setuid; +allow dhcpc_t self:rawip_socket create_socket_perms; ') dnl end if ping ifdef(`dhcpd.te', `', ` @@ -116,7 +119,7 @@ allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t var_lib_t:dir search; file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) -allow dhcpc_t bin_t:dir search; +allow dhcpc_t bin_t:dir { getattr search }; allow dhcpc_t bin_t:lnk_file read; can_exec(dhcpc_t, { bin_t shell_exec_t }) diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te index 65f53963..38e1d521 100644 --- a/strict/domains/program/hotplug.te +++ b/strict/domains/program/hotplug.te @@ -65,7 +65,7 @@ allow hotplug_t usbfs_t:file { getattr read }; allow hotplug_t etc_t:dir r_dir_perms; allow hotplug_t etc_t:{ file lnk_file } r_file_perms; -allow hotplug_t kernel_t:process sigchld; +allow hotplug_t kernel_t:process { sigchld setpgid }; ifdef(`distro_redhat', ` allow hotplug_t var_lock_t:dir search; @@ -128,9 +128,9 @@ dontaudit hotplug_t initctl_t:fifo_file { read write }; # Read /usr/lib/gconv/.* allow hotplug_t lib_t:file { getattr read }; -allow hotplug_t self:capability { net_admin sys_tty_config mknod }; -allow hotplug_t sysfs_t:dir { getattr read search }; -allow hotplug_t sysfs_t:file { getattr read }; +allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +allow hotplug_t sysfs_t:dir { getattr read search write }; +allow hotplug_t sysfs_t:file rw_file_perms; allow hotplug_t sysfs_t:lnk_file { getattr read }; allow hotplug_t udev_runtime_t:file rw_file_perms; ifdef(`lpd.te', ` @@ -156,10 +156,7 @@ ifdef(`mta.te', ` domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) ') -allow restorecon_t hotplug_t:fd use; +allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr }; +allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; -ifdef(`unlimitedUtils', ` -unconfined_domain(hotplug_t) -') - -allow kernel_t hotplug_etc_t:dir search; +dontaudit hotplug_t selinux_config_t:dir search; diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te index dd32f695..3bb4badb 100644 --- a/strict/domains/program/ipsec.te +++ b/strict/domains/program/ipsec.te @@ -185,9 +185,8 @@ allow ipsec_t etc_t:file { read getattr }; allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms; allow ipsec_t null_device_t:chr_file rw_file_perms; -# Allow scripts to use /var/locl/subsys/ipsec -allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms; -allow ipsec_mgmt_t var_lock_t:file create_file_perms; +# Allow scripts to use /var/lock/subsys/ipsec +lock_domain(ipsec_mgmt) # allow tncfg to create sockets allow ipsec_mgmt_t self:udp_socket { create ioctl }; diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te index 42a136e5..dd0b79cc 100644 --- a/strict/domains/program/klogd.te +++ b/strict/domains/program/klogd.te @@ -43,3 +43,6 @@ allow klogd_t kernel_t:system { syslog_mod syslog_console }; # Read /boot/System.map* allow klogd_t system_map_t:file r_file_perms; allow klogd_t boot_t:dir r_dir_perms; +ifdef(`targeted_policy', ` +allow klogd_t unconfined_t:system syslog_mod; +') diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te index 8276f587..e10a6e2c 100644 --- a/strict/domains/program/load_policy.te +++ b/strict/domains/program/load_policy.te @@ -11,6 +11,7 @@ type load_policy_t, domain; role sysadm_r types load_policy_t; +role secadm_r types load_policy_t; role system_r types load_policy_t; type load_policy_exec_t, file_type, exec_type, sysadmfile; @@ -19,7 +20,7 @@ type load_policy_exec_t, file_type, exec_type, sysadmfile; # # Rules -domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) +domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t) allow load_policy_t console_device_t:chr_file { read write }; diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te index 540b68fd..887aa580 100644 --- a/strict/domains/program/login.te +++ b/strict/domains/program/login.te @@ -13,7 +13,7 @@ # $1 is the name of the domain (local or remote) define(`login_domain', ` -type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain; +type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; role system_r types $1_login_t; dontaudit $1_login_t shadow_t:file { getattr read }; @@ -83,6 +83,9 @@ if (use_samba_home_dirs) { r_dir_file($1_login_t, cifs_t) } +# Login can polyinstantiate +polyinstantiater($1_login_t) + # FIXME: what is this for? ifdef(`xdm.te', ` allow xdm_t $1_login_t:process signull; @@ -166,9 +169,7 @@ dontaudit local_login_t mnt_t:dir r_dir_perms; # Create lock file. -allow local_login_t var_lock_t:dir rw_dir_perms; -allow local_login_t var_lock_t:file create_file_perms; - +lock_domain(local_login) # Read and write ttys. allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te index 9cdcf6fc..33c1d51e 100644 --- a/strict/domains/program/logrotate.te +++ b/strict/domains/program/logrotate.te @@ -46,7 +46,7 @@ allow logrotate_t etc_runtime_t:file r_file_perms; allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; # create lock files -rw_dir_create_file(logrotate_t, var_lock_t) +lock_domain(logrotate) # Create temporary files. tmp_domain(logrotate) diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te index ca8d7c15..64028d66 100644 --- a/strict/domains/program/modutil.te +++ b/strict/domains/program/modutil.te @@ -71,7 +71,7 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) # Rules for the insmod_t domain. # -type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ) +type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain ; role system_r types insmod_t; role sysadm_r types insmod_t; diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te index 8f1b7c1e..9efd6a4d 100644 --- a/strict/domains/program/mount.te +++ b/strict/domains/program/mount.te @@ -11,7 +11,7 @@ type mount_exec_t, file_type, sysadmfile, exec_type; -mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain') +mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite') mount_loopback_privs(sysadm, mount) role sysadm_r types mount_t; role system_r types mount_t; @@ -39,20 +39,16 @@ allow mount_t file_t:file { getattr read unlink }; allow mount_t fs_type:filesystem mount_fs_perms; allow mount_t mount_point:dir mounton; allow mount_t nfs_t:dir search; -# nfsv4 has a filesystem to mount for its userspace daemons -allow mount_t var_lib_nfs_t:dir mounton; - -# On some RedHat systems, /boot is a mount point -allow mount_t boot_t:dir mounton; -allow mount_t device_t:dir mounton; -# mount binfmt_misc on /proc/sys/fs/binfmt_misc -allow mount_t sysctl_t:dir { mounton search }; +allow mount_t sysctl_t:dir search; allow mount_t root_t:filesystem unmount; +can_portmap(mount_t) + ifdef(`portmap.te', ` # for nfs can_network(mount_t) +allow mount_t port_type:tcp_socket name_connect; can_ypbind(mount_t) allow mount_t port_t:{ tcp_socket udp_socket } name_bind; allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; @@ -83,11 +79,7 @@ dontaudit mount_t kernel_t:fd use; allow mount_t userdomain:fd use; can_exec(mount_t, { sbin_t bin_t }) allow mount_t device_t:dir r_dir_perms; -ifdef(`distro_redhat', ` allow mount_t tmpfs_t:chr_file { read write }; -allow mount_t tmpfs_t:dir mounton; -') - # tries to read /init dontaudit mount_t root_t:file { getattr read }; diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te index 096c734d..6c141c4c 100644 --- a/strict/domains/program/mta.te +++ b/strict/domains/program/mta.te @@ -13,8 +13,6 @@ ifdef(`sendmail.te', `', ` type sendmail_exec_t, file_type, exec_type, sysadmfile; ') -type smtp_port_t, port_type, reserved_port_type; - # create a system_mail_t domain for daemons, init scripts, etc when they run # "mail user@domain" @@ -25,6 +23,7 @@ ifdef(`targeted_policy', ` # targeted policy. We could move these rules permanantly here. ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') allow system_mail_t self:dir { search }; +allow system_mail_t self:lnk_file read; r_dir_file(system_mail_t, { proc_t proc_net_t }) allow system_mail_t fs_t:filesystem getattr; allow system_mail_t { var_t var_spool_t }:dir getattr; @@ -59,15 +58,6 @@ allow { system_mail_t mta_user_agent } privmail:process sigchld; allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; -ifdef(`arpwatch.te', ` -# why is mail delivered to a directory of type arpwatch_data_t? -allow mta_delivery_agent arpwatch_data_t:dir search; -allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; -ifdef(`hide_broken_symptoms', ` -dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; -') -')dnl end if arpwatch.te - allow mta_delivery_agent home_root_t:dir { getattr search }; # for /var/spool/mail @@ -81,4 +71,4 @@ allow mta_delivery_agent devtty_t:chr_file rw_file_perms; allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read }; allow system_mail_t etc_runtime_t:file { getattr read }; -allow system_mail_t urandom_device_t:chr_file read; +allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read }; diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te index 84934de6..1bd90732 100644 --- a/strict/domains/program/mysqld.te +++ b/strict/domains/program/mysqld.te @@ -10,15 +10,13 @@ # # mysqld_exec_t is the type of the mysqld executable. # -daemon_domain(mysqld) +daemon_domain(mysqld, `, nscd_client_domain') -type mysqld_port_t, port_type; allow mysqld_t mysqld_port_t:tcp_socket name_bind; allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; etcdir_domain(mysqld) -typealias mysqld_etc_t alias etc_mysqld_t; type mysqld_db_t, file_type, sysadmfile; log_domain(mysqld) @@ -36,7 +34,7 @@ allow initrc_t mysqld_var_run_t:sock_file write; allow initrc_t mysqld_log_t:file { write append setattr ioctl }; allow mysqld_t self:capability { dac_override setgid setuid net_bind_service }; -allow mysqld_t self:process getsched; +allow mysqld_t self:process { setsched getsched }; allow mysqld_t proc_t:file { getattr read }; @@ -90,3 +88,4 @@ allow userdomain mysqld_var_run_t:sock_file write; } ') +allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te index 028667e5..39924d7e 100644 --- a/strict/domains/program/named.te +++ b/strict/domains/program/named.te @@ -10,11 +10,13 @@ # # Rules for the named_t domain. # -type rndc_port_t, port_type, reserved_port_type; daemon_domain(named, `, nscd_client_domain') tmp_domain(named) +type named_checkconf_exec_t, file_type, exec_type, sysadmfile; +domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t) + # For /var/run/ndc used in BIND 8 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) @@ -54,11 +56,13 @@ allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; #Named can use network can_network(named_t) +allow named_t port_type:tcp_socket name_connect; can_ypbind(named_t) # allow UDP transfer to/from any program can_udp_send(domain, named_t) can_udp_send(named_t, domain) can_tcp_connect(domain, named_t) +log_domain(named) # Bind to the named port. allow named_t dns_port_t:udp_socket name_bind; @@ -103,6 +107,7 @@ type ndc_exec_t, file_type,sysadmfile, exec_type; domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) uses_shlib(ndc_t) can_network_client_tcp(ndc_t) +allow ndc_t rndc_port_t:tcp_socket name_connect; can_ypbind(ndc_t) can_resolve(ndc_t) read_locale(ndc_t) @@ -113,6 +118,7 @@ ifdef(`distro_redhat', ` allow { ndc_t initrc_t } named_conf_t:dir search; # Allow init script to cp localtime to named_conf_t allow initrc_t named_conf_t:file { setattr write }; +allow initrc_t named_conf_t:dir create_dir_perms; ') allow { ndc_t initrc_t } named_conf_t:file { getattr read }; diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te index 6f6489e0..8d66e4ba 100644 --- a/strict/domains/program/newrole.te +++ b/strict/domains/program/newrole.te @@ -17,3 +17,4 @@ newrole_domain(newrole) allow newrole_t var_run_t:dir r_dir_perms; allow newrole_t initrc_var_run_t:file rw_file_perms; +role secadm_r types newrole_t; diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te index 40ffbbce..77e2eb77 100644 --- a/strict/domains/program/nscd.te +++ b/strict/domains/program/nscd.te @@ -73,3 +73,6 @@ allow nscd_t self:netlink_route_socket r_netlink_socket_perms; allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; +log_domain(nscd) +r_dir_file(nscd_t, cert_t) +allow nscd_t tun_tap_device_t:chr_file { read write }; diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te index 2b7480ce..80ea965b 100644 --- a/strict/domains/program/ntpd.te +++ b/strict/domains/program/ntpd.te @@ -43,6 +43,7 @@ can_network(ntpd_t) allow ntpd_t ntp_port_t:tcp_socket name_connect; can_ypbind(ntpd_t) allow ntpd_t ntp_port_t:udp_socket name_bind; +allow sysadm_t ntp_port_t:udp_socket name_bind; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te index 7c5710fd..2d712229 100644 --- a/strict/domains/program/pam.te +++ b/strict/domains/program/pam.te @@ -37,4 +37,9 @@ dontaudit pam_t self:capability sys_tty_config; allow initrc_t pam_var_run_t:dir rw_dir_perms; allow initrc_t pam_var_run_t:file { getattr read unlink }; -dontaudit pam_t initrc_var_run_t:file { read write }; +dontaudit pam_t initrc_var_run_t:file rw_file_perms; + +# Supress xdm denial +ifdef(`xdm.te', ` +dontaudit pam_t xdm_t:fd use; +') dnl ifdef diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te index c23d92b5..cc1407e8 100644 --- a/strict/domains/program/ping.te +++ b/strict/domains/program/ping.te @@ -17,6 +17,7 @@ role system_r types ping_t; in_user_role(ping_t) type ping_exec_t, file_type, sysadmfile, exec_type; +ifdef(`targeted_policy', `', ` bool user_ping false; if (user_ping) { @@ -25,6 +26,7 @@ if (user_ping) { allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') } +') # Transition into this domain when you run this program. domain_auto_trans(sysadm_t, ping_exec_t, ping_t) @@ -32,6 +34,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t) uses_shlib(ping_t) can_network_client(ping_t) +can_resolve(ping_t) can_ypbind(ping_t) allow ping_t etc_t:file { getattr read }; allow ping_t self:unix_stream_socket create_socket_perms; diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te index fb70a359..ae4760c3 100644 --- a/strict/domains/program/udev.te +++ b/strict/domains/program/udev.te @@ -28,18 +28,19 @@ can_exec_any(udev_t) type udev_tdb_t, file_type, sysadmfile, dev_fs; typealias udev_tdb_t alias udev_tbl_t; file_type_auto_trans(udev_t, device_t, udev_tdb_t, file) -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio }; allow udev_t self:file { getattr read }; allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; allow udev_t self:unix_dgram_socket create_socket_perms; allow udev_t self:fifo_file rw_file_perms; allow udev_t self:netlink_kobject_uevent_socket { create bind read }; +allow udev_t device_t:file { unlink rw_file_perms }; allow udev_t device_t:sock_file create_file_perms; allow udev_t device_t:lnk_file create_lnk_perms; allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; ifdef(`distro_redhat', ` -allow udev_t tmpfs_t:dir rw_dir_perms; -allow udev_t tmpfs_t:sock_file create_file_perms; +allow udev_t tmpfs_t:dir create_dir_perms; +allow udev_t tmpfs_t:{ sock_file file } create_file_perms; allow udev_t tmpfs_t:lnk_file create_lnk_perms; allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; allow udev_t tmpfs_t:dir search; @@ -53,7 +54,7 @@ allow udev_t { sbin_t bin_t }:lnk_file read; allow udev_t bin_t:lnk_file read; can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) can_exec(udev_t, udev_exec_t) -r_dir_file(udev_t, sysfs_t) +rw_dir_file(udev_t, sysfs_t) allow udev_t sysadm_tty_device_t:chr_file { read write }; # to read the file_contexts file @@ -138,3 +139,8 @@ file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file) ') r_dir_file(udev_t, domain) allow udev_t modules_dep_t:file r_file_perms; + +ifdef(`unlimitedUtils', ` +unconfined_domain(udev_t) +') +dontaudit hostname_t udev_t:fd use; diff --git a/strict/domains/user.te b/strict/domains/user.te index 02f6be93..39a76d6d 100644 --- a/strict/domains/user.te +++ b/strict/domains/user.te @@ -10,10 +10,15 @@ bool user_dmesg false; # Support NFS home directories bool use_nfs_home_dirs false; -# Allow execution of anonymous mappings, e.g. executable stack. +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. bool allow_execmem false; -# Support Share libraries with Text Relocation +# Allow making the stack executable via mprotect. +# Also requires allow_execmem. +bool allow_execstack false; + +# Allow making a modified private file mapping executable (text relocation). bool allow_execmod false; # Support SAMBA home directories @@ -126,7 +131,16 @@ dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr role_tty_type_change(sysadm, user) role_tty_type_change(staff, sysadm) role_tty_type_change(sysadm, staff) +role_tty_type_change(sysadm, secadm) +role_tty_type_change(staff, secadm) # "ps aux" and "ls -l /dev/pts" make too much noise without this dontaudit unpriv_userdomain ptyfile:chr_file getattr; +# to allow w to display everyone... +bool user_ttyfile_stat false; + +if (user_ttyfile_stat) { +allow userdomain ttyfile:chr_file getattr; +} + diff --git a/strict/fs_use b/strict/fs_use index 8f167a74..1dec5356 100644 --- a/strict/fs_use +++ b/strict/fs_use @@ -8,6 +8,7 @@ fs_use_xattr ext2 system_u:object_r:fs_t; fs_use_xattr ext3 system_u:object_r:fs_t; fs_use_xattr xfs system_u:object_r:fs_t; fs_use_xattr jfs system_u:object_r:fs_t; +fs_use_xattr reiserfs system_u:object_r:fs_t; # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. @@ -25,6 +26,7 @@ fs_use_task sockfs system_u:object_r:fs_t; fs_use_trans devpts system_u:object_r:devpts_t; fs_use_trans tmpfs system_u:object_r:tmpfs_t; fs_use_trans shm system_u:object_r:tmpfs_t; +fs_use_trans mqueue system_u:object_r:tmpfs_t; # The separate genfs_contexts configuration can be used for filesystem # types that cannot support persistent label mappings or use diff --git a/strict/genfs_contexts b/strict/genfs_contexts index 3c2438bc..6686d2ed 100644 --- a/strict/genfs_contexts +++ b/strict/genfs_contexts @@ -91,8 +91,10 @@ genfscon nfs / system_u:object_r:nfs_t genfscon nfs4 / system_u:object_r:nfs_t genfscon afs / system_u:object_r:nfs_t -# reiserfs - until xattr security support works properly -genfscon reiserfs / system_u:object_r:nfs_t +genfscon debugfs / system_u:object_r:debugfs_t +genfscon inotifyfs / system_u:object_r:inotifyfs_t +genfscon hugetlbfs / system_u:object_r:hugetlbfs_t +genfscon mqueue / system_u:object_r:mqueue_t # needs more work genfscon eventpollfs / system_u:object_r:eventpollfs_t diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te index 06bd8b36..6281fcaf 100644 --- a/strict/macros/base_user_macros.te +++ b/strict/macros/base_user_macros.te @@ -35,7 +35,8 @@ r_dir_file($1_t, usercanread) general_domain_access($1_t) if (allow_execmem) { -# Allow loading DSOs that require executable stack. +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. allow $1_t self:process execmem; } @@ -131,10 +132,6 @@ ifdef(`cardmgr.te', ` allow $1_t cardmgr_var_run_t:file { getattr read }; ') -# Read and write /var/catman. -allow $1_t catman_t:dir rw_dir_perms; -allow $1_t catman_t:file create_file_perms; - # Modify mail spool file. allow $1_t mail_spool_t:dir r_dir_perms; allow $1_t mail_spool_t:file rw_file_perms; @@ -176,19 +173,38 @@ ifdef(`crontab.te', `crontab_domain($1)') ifdef(`screen.te', `screen_domain($1)') ifdef(`tvtime.te', `tvtime_domain($1)') ifdef(`mozilla.te', `mozilla_domain($1)') +ifdef(`thunderbird.te', `thunderbird_domain($1)') ifdef(`samba.te', `samba_domain($1)') -ifdef(`games.te', `games_domain($1)') ifdef(`gpg.te', `gpg_domain($1)') ifdef(`xauth.te', `xauth_domain($1)') +ifdef(`iceauth.te', `iceauth_domain($1)') ifdef(`startx.te', `xserver_domain($1)') ifdef(`lpr.te', `lpr_domain($1)') ifdef(`ssh.te', `ssh_domain($1)') ifdef(`irc.te', `irc_domain($1)') ifdef(`using_spamassassin', `spamassassin_domain($1)') +ifdef(`pyzor.te', `pyzor_domain($1)') +ifdef(`razor.te', `razor_domain($1)') ifdef(`uml.te', `uml_domain($1)') ifdef(`cdrecord.te', `cdrecord_domain($1)') ifdef(`mplayer.te', `mplayer_domains($1)') + +fontconfig_domain($1) + +# GNOME +ifdef(`gnome.te', ` +gnome_domain($1) +ifdef(`games.te', `games_domain($1)') ifdef(`gift.te', `gift_domains($1)') +ifdef(`evolution.te', `evolution_domains($1)') +ifdef(`ethereal.te', `ethereal_domain($1)') +') + +# ICE communication channel +ice_domain($1, $1) + +# ORBit communication channel (independent of GNOME) +orbit_domain($1, $1) # Instantiate a derived domain for user cron jobs. ifdef(`crond.te', `crond_domain($1)') @@ -213,7 +229,9 @@ dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms; # Use the network. can_network($1_t) +allow $1_t port_type:tcp_socket name_connect; can_ypbind($1_t) +can_winbind($1_t) ifdef(`pamconsole.te', ` allow $1_t pam_var_console_t:dir search; @@ -321,13 +339,12 @@ allow $1_t mnt_t:dir { getattr search }; # Get attributes of file systems. allow $1_t fs_type:filesystem getattr; -allow $1_t removable_t:filesystem getattr; # Read and write /dev/tty and /dev/null. allow $1_t devtty_t:chr_file rw_file_perms; allow $1_t null_device_t:chr_file rw_file_perms; allow $1_t zero_device_t:chr_file { rw_file_perms execute }; -allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; +allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms; # # Added to allow reading of cdrom # @@ -347,8 +364,11 @@ dontaudit $1_t wtmp_t:file write; # Read the devpts root directory. allow $1_t devpts_t:dir r_dir_perms; -allow $1_t src_t:dir r_dir_perms; -allow $1_t src_t:notdevfile_class_set r_file_perms; +r_dir_file($1_t, src_t) + +# Allow user to read default_t files +# This is different from reading default_t content, +# because it also includes sockets, fifos, and links if (read_default_t) { allow $1_t default_t:dir r_dir_perms; @@ -368,8 +388,6 @@ dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write }; dontaudit $1_t self:socket create; dontaudit $1_t sysctl_net_t:dir search; -dontaudit $1_t default_context_t:dir search; - ifdef(`rpcd.te', ` create_dir_file($1_t, nfsd_rw_t) ') diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te index 37f2975d..b744fe5f 100644 --- a/strict/macros/core_macros.te +++ b/strict/macros/core_macros.te @@ -662,9 +662,9 @@ allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; # define(`general_domain_access',` # Access other processes in the same domain. -# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem. +# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap. # These must be granted separately if desired. -allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem}; +allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap}; # Access /proc/PID files for processes in the same domain. allow $1 self:dir r_dir_perms; diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te index cfb47cd8..b4cccc4e 100644 --- a/strict/macros/global_macros.te +++ b/strict/macros/global_macros.te @@ -60,7 +60,7 @@ allow $1 self:file { getattr read write }; # read_sysctl(domain) # # Permissions for reading sysctl variables. -# If the second parameter is 'full', allow +# If the second parameter is full, allow # reading of any sysctl variables, else only # sysctl_kernel_t. # @@ -106,6 +106,7 @@ allow $1 ld_so_t:file rx_file_perms; allow $1 ld_so_t:lnk_file r_file_perms; allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms; allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms; +allow $1 texrel_shlib_t:file execmod; allow $1 ld_so_cache_t:file r_file_perms; allow $1 device_t:dir search; allow $1 null_device_t:chr_file rw_file_perms; @@ -156,7 +157,6 @@ allow $1 lib_t:file r_file_perms; r_dir_file($1, locale_t) ') - ################################### # # access_terminal(domain, typeprefix) @@ -253,7 +253,7 @@ allow $1_t self:process { signal_perms fork }; uses_shlib($1_t) allow $1_t { self proc_t }:dir r_dir_perms; -allow $1_t { self proc_t }:lnk_file read; +allow $1_t { self proc_t }:lnk_file { getattr read }; allow $1_t device_t:dir r_dir_perms; ifdef(`udev.te', ` @@ -293,6 +293,8 @@ domain_auto_trans(init_t, $1_exec_t, $1_t) # Define a daemon domain with a base set of type declarations # and permissions that are common to most daemons. # attribs is the list of attributes which must start with "," if it is not empty +# nosysadm may be given as an optional third parameter, to specify that the +# sysadmin should not transition to the domain when directly calling the executable # # Author: Russell Coker # @@ -353,6 +355,14 @@ file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) allow $1_t var_t:dir search; allow $1_t $1_var_run_t:dir rw_dir_perms; ') + +####################### +# daemon_domain(domain_prefix, attribs) +# +# see daemon_base_domain for calling details +# daemon_domain defines some additional privileges needed by many domains, +# like pid files and locale support + define(`daemon_domain', ` ifdef(`targeted_policy', ` daemon_base_domain($1, `$2, transitionbool', $3) @@ -396,8 +406,19 @@ type $2_exec_t, file_type, sysadmfile, exec_type; role system_r types $2_t; +ifelse(index(`$3',`transitionbool'), -1, ` + domain_auto_trans($1, $2_exec_t, $2_t) +', ` + +bool $2_disable_trans false; + +if (! $2_disable_trans) { +domain_auto_trans($1, $2_exec_t, $2_t) +} + +'); # Inherit and use descriptors from parent. allow $2_t $1:fd use; allow $2_t $1:process sigchld; @@ -422,16 +443,23 @@ ifelse($3, `', `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')') ') +# grant access to /tmp. Do not perform an automatic transition. +define(`tmp_domain_notrans', ` +type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2; +') + define(`tmpfs_domain', ` +ifdef(`$1_tmpfs_t_defined',`', ` +define(`$1_tmpfs_t_defined') type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; # Use this type when creating tmpfs/shm objects. file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) allow $1_tmpfs_t tmpfs_t:filesystem associate; ') +') define(`var_lib_domain', ` type $1_var_lib_t, file_type, sysadmfile; -typealias $1_var_lib_t alias var_lib_$1_t; file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) allow $1_t $1_var_lib_t:dir rw_dir_perms; ') @@ -474,105 +502,6 @@ type $1_lock_t, file_type, sysadmfile, lockfile; file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file) ') -#################################################################### -# home_domain_ro_access(source, user, app) -# -# Gives source access to the read-only home -# domain of app for the given user type -# - -define(`home_domain_ro_access', ` - -allow $1 home_root_t:dir search; - -if (use_nfs_home_dirs) { -r_dir_file($1, nfs_t) -} -if (use_samba_home_dirs) { -r_dir_file($1, cifs_t) -} -allow $1 autofs_t:dir { search getattr }; - -r_dir_file($1, $2_$3_ro_home_t) - -') dnl home_domain_ro_access - -#################################################################### -# home_domain_access(source, user, app) -# -# Gives source full access to the home -# domain of app for the given user type -# - -define(`home_domain_access', ` - -allow $1 home_root_t:dir search; - -if (use_nfs_home_dirs) { -create_dir_file($1, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1, cifs_t) -} -allow $1 autofs_t:dir { search getattr }; - -file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t) - -') dnl home_domain_access - -#################################################################### -# home_domain (prefix, app) -# -# Creates a domain in the prefix home where an application can -# store its settings. It's accessible by the prefix domain. -# - -define(`home_domain', ` - -# Declare home domain -# FIXME: the second alias is problematic because -# home_domain and home_domain_ro cannot be used in parallel -# Remove the second alias when compatibility is no longer an issue - -type $1_$2_home_t, file_type, $1_file_type, sysadmfile; -typealias $1_$2_home_t alias $1_$2_rw_t; -typealias $1_$2_home_t alias $1_home_$2_t; - -# User side access -create_dir_file($1_t, $1_$2_home_t) -allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - -# App side access -home_domain_access($1_$2_t, $1, $2) -') - -#################################################################### -# home_domain_ro (user, app) -# -# Creates a read-only domain in the user home where an application can -# store its settings. It's fully accessible by the user, but -# it's read-only for the application. -# - -define(`home_domain_ro', ` - -# Declare home domain -# FIXME: the second alias is problematic because -# home_domain and home_domain_ro cannot be used in parallel -# Remove the second alias when compatibility is no longer an issue - -type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile; -typealias $1_$2_ro_home_t alias $1_$2_ro_t; -typealias $1_$2_ro_home_t alias $1_home_$2_t; - -# User side access -create_dir_file($1_t, $1_$2_ro_home_t) -allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - -# App side access -home_domain_ro_access($1_$2_t, $1, $2) -') - ####################### # application_domain(domain_prefix) # @@ -589,12 +518,6 @@ domain_auto_trans(sysadm_t, $1_exec_t, $1_t) uses_shlib($1_t) ') -define(`user_application_domain', ` -application_domain($1, `$2') -in_user_role($1_t) -domain_auto_trans(userdomain, $1_exec_t, $1_t) -') - define(`system_domain', ` type $1_t, domain, privlog $2; type $1_exec_t, file_type, sysadmfile, exec_type; @@ -603,23 +526,25 @@ uses_shlib($1_t) allow $1_t etc_t:dir r_dir_perms; ') -# Do not flood message log, if the user does a browse -define(`file_browse_domain', ` +# Dontaudit macros to prevent flooding the log -# Regular files/directories that are not security sensitive +define(`dontaudit_getattr', ` dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; -dontaudit $1 file_type - secure_file_type:dir { read search }; +dontaudit $1 unlabeled_t:dir_file_class_set getattr; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr; +')dnl end dontaudit_getattr -# /dev -dontaudit $1 dev_fs:dir_file_class_set getattr; -dontaudit $1 dev_fs:dir { read search }; - -# /proc -dontaudit $1 sysctl_t:dir_file_class_set getattr; -dontaudit $1 proc_fs:dir { read search }; - -')dnl end file_browse_domain +define(`dontaudit_search_dir', ` +dontaudit $1 file_type - secure_file_type:dir search; +dontaudit $1 unlabeled_t:dir search; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search; +')dnl end dontaudit_search_dir +define(`dontaudit_read_dir', ` +dontaudit $1 file_type - secure_file_type:dir read; +dontaudit $1 unlabeled_t:dir read; +dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read; +')dnl end dontaudit_read_dir # Define legacy_domain for legacy binaries (java) # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old @@ -629,12 +554,46 @@ dontaudit $1 proc_fs:dir { read search }; # shlib_t and ld_so_t unlike non-legacy binaries. define(`legacy_domain', ` -allow $1_t self:process { execmem }; +allow $1_t self:process { execmem execstack }; allow $1_t { texrel_shlib_t shlib_t }:file execmod; allow $1_t ld_so_t:file execmod; allow $1_t ld_so_cache_t:file execute; ') + +# Allow domain to perform polyinstantiation functions +# polyinstantiater(domain) + +define(`polyinstantiater', ` + +ifdef(`support_polyinstantiation', ` +# Need to give access to /selinux/member +allow $1 security_t:security compute_member; + +# Need to give access to the directories to be polyinstantiated +allow $1 polydir:dir { getattr mounton add_name create setattr write search }; + +# Need to give access to the polyinstantiated subdirectories +allow $1 polymember:dir {getattr search }; + +# Need to give access to parent directories where original +# is remounted for polyinstantiation aware programs (like gdm) +allow $1 polyparent:dir { getattr mounton }; + +# Need to give permission to create directories where applicable +allow $1 polymember: dir { create setattr }; +allow $1 polydir: dir { write add_name }; +allow $1 self:process setfscreate; +allow $1 polyparent:dir { write add_name }; +# Default type for mountpoints +allow $1 poly_t:dir { create mounton }; + +# Need sys_admin capability for mounting +allow $1 self:capability sys_admin; +')dnl end else support_polyinstantiation + +')dnl end polyinstantiater + # # Define a domain that can do anything, so that it is # effectively unconfined by the SELinux policy. This @@ -679,6 +638,7 @@ can_sysctl($1) allow $1 node_type:node *; allow $1 netif_type:netif *; allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; +allow $1 port_type:tcp_socket name_connect; # Bind to any network address. allow $1 port_type:{ tcp_socket udp_socket } name_bind; @@ -698,13 +658,24 @@ allow $1 domain:process ~{ transition dyntransition execmem }; allow $1 self:process transition; if (allow_execmem) { -# Allow loading DSOs that require executable stack. +# Allow making anonymous memory executable, e.g. +# for runtime-code generation or executable stack. allow $1 self:process execmem; } +if (allow_execmem && allow_execstack) { +# Allow making the stack executable via mprotect. +allow $1 self:process execstack; +} + if (allow_execmod) { # Allow text relocations on system shared libraries, e.g. libGL. +ifdef(`targeted_policy', ` +allow $1 file_type:file execmod; +', ` allow $1 texrel_shlib_t:file execmod; +allow $1 home_type:file execmod; +') } # Create/access any System V IPC objects. @@ -737,3 +708,22 @@ allow $1 nscd_t:nscd *; ') ')dnl end unconfined_domain + + +define(`access_removable_media', ` + +can_exec($1, { removable_t noexattrfile } ) +if (user_rw_noexattrfile) { +create_dir_file($1, noexattrfile) +create_dir_file($1, removable_t) +# Write floppies +allow $1 removable_device_t:blk_file rw_file_perms; +allow $1 usbtty_device_t:chr_file write; +} else { +r_dir_file($1, noexattrfile) +r_dir_file($1, removable_t) +allow $1 removable_device_t:blk_file r_file_perms; +} +allow $1 removable_t:filesystem getattr; + +') diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te index bf6761f5..d5eaca14 100644 --- a/strict/macros/network_macros.te +++ b/strict/macros/network_macros.te @@ -155,14 +155,23 @@ allow $1 mount_t:udp_socket rw_socket_perms; ')dnl end can_network definition define(`can_resolve',` -ifdef(`use_dns',` can_network_udp($1, `dns_port_t') ') + +define(`can_portmap',` +can_network_client($1, `portmap_port_t') +allow $1 portmap_port_t:tcp_socket name_connect; ') define(`can_ldap',` -ifdef(`slapd.te',` can_network_client_tcp($1, `ldap_port_t') -') +allow $1 ldap_port_t:tcp_socket name_connect; ') +define(`can_winbind',` +ifdef(`winbind.te', ` +allow $1 winbind_var_run_t:dir { getattr search }; +allow $1 winbind_t:unix_stream_socket connectto; +allow $1 winbind_var_run_t:sock_file { getattr read write }; +') +') diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te index 98168969..d4c1d053 100644 --- a/strict/macros/program/games_domain.te +++ b/strict/macros/program/games_domain.te @@ -10,49 +10,80 @@ # # define(`games_domain', ` -x_client_domain($1, `games', `, transitionbool') +type $1_games_t, domain, nscd_client_domain; + +# Type transition +if (! disable_games_trans) { +domain_auto_trans($1_t, games_exec_t, $1_games_t) +} +can_exec($1_games_t, games_exec_t) +role $1_r types $1_games_t; + +can_create_pty($1_games) + +# X access, GNOME, /tmp files +x_client_domain($1_games, $1) +tmp_domain($1_games, `', { dir notdevfile_class_set }) +gnome_application($1_games, $1) +gnome_file_dialog($1_games, $1) + +# Games seem to need this +if (allow_execmem) { +allow $1_games_t self:process execmem; +} + +allow $1_games_t texrel_shlib_t:file execmod; allow $1_games_t var_t:dir { search getattr }; rw_dir_create_file($1_games_t, games_data_t) allow $1_games_t sound_device_t:chr_file rw_file_perms; -r_dir_file($1_games_t, usr_t) can_udp_send($1_games_t, $1_games_t) can_tcp_connect($1_games_t, $1_games_t) # Access /home/user/.gnome2 -create_dir_file($1_games_t, $1_home_t) -allow $1_games_t $1_home_dir_t:dir search; -allow $1_games_t $1_home_t:dir { read getattr }; +# FIXME: Change to use per app types +create_dir_file($1_games_t, $1_gnome_settings_t) +# FIXME: why is this necessary - ORBit? +# ORBit works differently now create_dir_file($1_games_t, $1_tmp_t) allow $1_games_t $1_tmp_t:sock_file create_file_perms; +can_unix_connect($1_t, $1_games_t) +can_unix_connect($1_games_t, $1_t) -dontaudit $1_games_t sysctl_t:dir search; - -tmp_domain($1_games) -allow $1_games_t urandom_device_t:chr_file { getattr ioctl read }; ifdef(`xdm.te', ` allow $1_games_t xdm_tmp_t:dir rw_dir_perms; allow $1_games_t xdm_tmp_t:sock_file create_file_perms; allow $1_games_t xdm_var_lib_t:file { getattr read }; ')dnl end if xdm.te -can_unix_connect($1_t, $1_games_t) -can_unix_connect($1_games_t, $1_t) - allow $1_games_t var_lib_t:dir search; r_dir_file($1_games_t, man_t) -allow $1_games_t proc_t:file { read getattr }; +allow $1_games_t { proc_t self }:dir search; +allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr }; ifdef(`mozilla.te', ` dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; ') allow $1_games_t event_device_t:chr_file getattr; allow $1_games_t mouse_device_t:chr_file getattr; -allow $1_games_t self:file { getattr read }; -# kpat spews errors -dontaudit $1_games_t bin_t:dir getattr; +allow $1_games_t self:file { getattr read }; +allow $1_games_t self:sem create_sem_perms; + +allow $1_games_t { bin_t sbin_t }:dir { getattr search }; +can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t }) +allow $1_games_t bin_t:lnk_file read; + dontaudit $1_games_t var_run_t:dir search; +dontaudit $1_games_t initrc_var_run_t:file { read write }; +dontaudit $1_games_t var_log_t:dir search; + +can_network($1_games_t) +allow $1_games_t port_t:tcp_socket name_bind; +allow $1_games_t port_t:tcp_socket name_connect; + +# Suppress .icons denial until properly implemented +dontaudit $1_games_t $1_home_t:dir read; ')dnl end macro definition diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te index 3589c05f..c75a0617 100644 --- a/strict/macros/program/gift_macros.te +++ b/strict/macros/program/gift_macros.te @@ -12,49 +12,34 @@ define(`gift_domain', ` -# Connect to X -x_client_domain($1, gift, `') - -# Transition +# Type transition +type $1_gift_t, domain, nscd_client_domain; domain_auto_trans($1_t, gift_exec_t, $1_gift_t) -can_exec($1_gift_t, gift_exec_t) role $1_r types $1_gift_t; -# Self permissions -allow $1_gift_t self:process getsched; - -# Home files +# X access, Home files, GNOME, /tmp +x_client_domain($1_gift, $1) +gnome_application($1_gift, $1) home_domain($1, gift) +file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) -# Fonts, icons -r_dir_file($1_gift_t, usr_t) -r_dir_file($1_gift_t, fonts_t) +# Allow the user domain to signal/ps. +can_ps($1_t, $1_gift_t) +allow $1_t $1_gift_t:process signal_perms; # Launch gift daemon -allow $1_gift_t self:process fork; +allow $1_gift_t bin_t:dir search; domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t) # Connect to gift daemon -can_network($1_gift_t) +can_network_client_tcp($1_gift_t, giftd_port_t) +allow $1_gift_t giftd_port_t:tcp_socket name_connect; # Read /proc/meminfo allow $1_gift_t proc_t:dir search; allow $1_gift_t proc_t:file { getattr read }; -# Tmp/ORBit -tmp_domain($1_gift) -file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t) -can_unix_connect($1_t, $1_gift_t) -can_unix_connect($1_gift_t, $1_t) -allow $1_t $1_gift_tmp_t:sock_file write; -allow $1_gift_t $1_tmp_t:file { getattr read write lock }; -allow $1_gift_t $1_tmp_t:sock_file { read write }; -dontaudit $1_gift_t $1_tmp_t:dir setattr; - -# Access random device -allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl }; - -# giftui looks in .icons, .themes, .fonts-cache. +# giftui looks in .icons, .themes. dontaudit $1_gift_t $1_home_t:dir { getattr read search }; dontaudit $1_gift_t $1_home_t:file { getattr read }; @@ -79,26 +64,34 @@ allow $1_giftd_t self:unix_stream_socket create_socket_perms; read_sysctl($1_giftd_t) read_locale($1_giftd_t) uses_shlib($1_giftd_t) +access_terminal($1_giftd_t, $1) + +# Read /proc/meminfo +allow $1_giftd_t proc_t:dir search; +allow $1_giftd_t proc_t:file { getattr read }; + +# Read /etc/mtab +allow $1_giftd_t etc_runtime_t:file { getattr read }; # Access home domain home_domain_access($1_giftd_t, $1, gift) - -# Allow networking -allow $1_giftd_t port_t:tcp_socket name_bind; -allow $1_giftd_t port_t:udp_socket name_bind; -can_network_server($1_giftd_t) -can_network_client($1_giftd_t) +file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) -# FIXME: ??? -dontaudit $1_giftd_t self:udp_socket listen; +# Serve content on various p2p networks. Ports can be random. +can_network_server($1_giftd_t) +allow $1_giftd_t self:udp_socket listen; +allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind; + +# Connect to various p2p networks. Ports can be random. +can_network_client($1_giftd_t) +allow $1_giftd_t port_type:tcp_socket name_connect; # Plugins r_dir_file($1_giftd_t, usr_t) # Connect to xdm ifdef(`xdm.te', ` -allow $1_giftd_t xdm_t:fd use; -allow $1_giftd_t xdm_t:fifo_file write; +can_pipe_xdm($1_giftd_t) ') ') dnl giftd_domain diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te index 109b973a..2c715d37 100644 --- a/strict/macros/program/userhelper_macros.te +++ b/strict/macros/program/userhelper_macros.te @@ -76,8 +76,7 @@ allow $1_userhelper_t devpts_t:dir r_dir_perms; allow $1_userhelper_t etc_t:file r_file_perms; # Read /var. -allow $1_userhelper_t var_t:dir r_dir_perms; -allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms; +r_dir_file($1_userhelper_t, var_t) # Read /dev directories and any symbolic links. allow $1_userhelper_t device_t:dir r_dir_perms; @@ -97,7 +96,7 @@ can_getsecurity($1_userhelper_t) allow $1_userhelper_t fs_t:filesystem getattr; # for some PAM modules and for cwd -dontaudit $1_userhelper_t { home_root_t home_type }:dir search; +allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search; allow $1_userhelper_t proc_t:dir search; allow $1_userhelper_t proc_t:file { getattr read }; @@ -120,8 +119,7 @@ role system_r types $1_userhelper_t; r_dir_file($1_userhelper_t, nfs_t) ifdef(`xdm.te', ` -allow $1_userhelper_t xdm_t:fd use; -allow $1_userhelper_t xdm_t:fifo_file rw_file_perms; +can_pipe_xdm($1_userhelper_t) allow $1_userhelper_t xdm_var_run_t:dir search; ') diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te index 21579959..61db7cc0 100644 --- a/strict/macros/program/ypbind_macros.te +++ b/strict/macros/program/ypbind_macros.te @@ -1,10 +1,12 @@ define(`uncond_can_ypbind', ` -dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind; can_network($1) r_dir_file($1,var_yp_t) allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind; +allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect; dontaudit $1 self:capability net_bind_service; +dontaudit $1 reserved_port_type:tcp_socket name_connect; +dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind; ') define(`can_ypbind', ` diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun index 00b6eca5..2d491895 100644 --- a/strict/tunables/distro.tun +++ b/strict/tunables/distro.tun @@ -5,7 +5,7 @@ # appropriate ifdefs. -define(`distro_redhat') +dnl define(`distro_redhat') dnl define(`distro_suse') diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun index bd8b797b..a6cc2f44 100644 --- a/strict/tunables/tunable.tun +++ b/strict/tunables/tunable.tun @@ -1,27 +1,27 @@ -# Allow users to execute the mount command -define(`user_can_mount') - # Allow rpm to run unconfined. -#define(`unlimitedRPM') +dnl define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -#define(`unlimitedUtils') +dnl define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -#define(`unlimitedRC') +dnl define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon') +# Do not allow sysadm_t to be in the security manager domain +dnl define(`separate_secadm') + # Do not audit things that we know to be broken but which # are not security risks -define(`hide_broken_symptoms') +dnl define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -define(`user_canbe_sysadm') +dnl define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. @@ -29,3 +29,6 @@ dnl define(`unlimitedInetd') # for ndc_t to be used for restart shell scripts dnl define(`ndc_shell_script') + +# Enable Polyinstantiation support +dnl define(`support_polyinstatiation') diff --git a/strict/types/nfs.te b/strict/types/nfs.te index 154a65b1..9076bb81 100644 --- a/strict/types/nfs.te +++ b/strict/types/nfs.te @@ -13,7 +13,7 @@ # The nfs_*_t types are used for specific NFS # servers in net_contexts or net_contexts.mls. # -type nfs_t, fs_type; +type nfs_t, mount_point, fs_type; # # Allow NFS files to be associated with an NFS file system. diff --git a/strict/types/procfs.te b/strict/types/procfs.te index 0cab0fae..20703ac5 100644 --- a/strict/types/procfs.te +++ b/strict/types/procfs.te @@ -14,7 +14,7 @@ # proc_mdstat_t is the type of /proc/mdstat. # proc_net_t is the type of /proc/net. # -type proc_t, fs_type, proc_fs; +type proc_t, fs_type, mount_point, proc_fs; type proc_kmsg_t, proc_fs; type proc_kcore_t, proc_fs; type proc_mdstat_t, proc_fs; @@ -35,7 +35,7 @@ type proc_net_t, proc_fs; # These types are applied to both the entries in # /proc/sys and the corresponding sysctl parameters. # -type sysctl_t, sysctl_type; +type sysctl_t, mount_point, sysctl_type; type sysctl_fs_t, sysctl_type; type sysctl_kernel_t, sysctl_type; type sysctl_modprobe_t, sysctl_type;