add firstboot

This commit is contained in:
Chris PeBenito 2005-08-17 14:14:07 +00:00
parent 2d803edc73
commit 57a96cbd0b
13 changed files with 614 additions and 70 deletions

View File

@ -67,6 +67,12 @@ optional_policy(`cron.te',`
cron_read_pipe(consoletype_t) cron_read_pipe(consoletype_t)
') ')
optional_policy(`firstboot.te',`
files_read_etc_files(consoletype_t)
firstboot_use_fd(consoletype_t)
firstboot_write_pipe(consoletype_t)
')
optional_policy(`logrotate.te',` optional_policy(`logrotate.te',`
logrotate_dontaudit_use_fd(consoletype_t) logrotate_dontaudit_use_fd(consoletype_t)
') ')
@ -102,8 +108,4 @@ optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file r_file_perms; allow consoletype_t printconf_t:file r_file_perms;
') ')
optional_policy(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
') dnl end TODO ') dnl end TODO

View File

@ -0,0 +1,5 @@
# firstboot
/usr/sbin/firstboot -- context_template(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot context_template(system_u:object_r:firstboot_rw_t,s0)
/usr/share/firstboot/firstboot\.py -- context_template(system_u:object_r:firstboot_exec_t,s0)

View File

@ -0,0 +1,88 @@
## <summary>
## Final system configuration run during the first boot
## after installation of Red Hat/Fedora systems.
## </summary>
########################################
## <summary>
## Execute firstboot in the firstboot domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`firstboot_domtrans',`
gen_require(`
type firstboot_t, firstboot_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,firstboot_exec_t,firstboot_t)
allow $1 firstboot_t:fd use;
allow firstboot_t $1:fd use;
allow firstboot_t $1:fifo_file rw_file_perms;
allow firstboot_t $1:process sigchld;
')
########################################
## <summary>
## Execute firstboot in the firstboot domain, and
## allow the specified role the firstboot domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the firstboot domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the firstboot domain to use.
## </param>
#
interface(`firstboot_run',`
gen_require(`
type firstboot_t;
class chr_file rw_term_perms;
')
firstboot_domtrans($1)
role $2 types firstboot_t;
allow firstboot_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Inherit and use a file descriptor from firstboot.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`firstboot_use_fd',`
gen_require(`
type firstboot_t;
class fd use;
')
allow $1 firstboot_t:fd use;
')
########################################
## <summary>
## Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`firstboot_write_pipe',`
gen_require(`
type firstboot_t;
class fifo_file write;
')
allow $1 firstboot_t:fifo_file write;
')

View File

@ -0,0 +1,136 @@
policy_module(firstboot,1.0)
########################################
#
# Declarations
#
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t,firstboot_exec_t)
domain_obj_id_change_exempt(firstboot_t)
role system_r types firstboot_t;
type firstboot_etc_t; #, usercanread;
files_type(firstboot_etc_t)
type firstboot_rw_t;
files_type(firstboot_rw_t)
########################################
#
# Local policy
#
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:file { read write };
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:tcp_socket create_stream_socket_perms;
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file { getattr read };
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
files_create_etc_config(firstboot_t,firstboot_rw_t,file)
# The big hammer
unconfined_domain_template(firstboot_t)
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctl(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_raw_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_raw_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
corenet_tcp_bind_all_nodes(firstboot_t)
dev_read_urand(firstboot_t)
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
selinux_compute_create_context(firstboot_t)
selinux_compute_relabel_context(firstboot_t)
selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
corecmd_exec_bin(firstboot_t)
corecmd_exec_sbin(firstboot_t)
domain_exec_all_entry_files(firstboot_t)
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
files_read_etc_runtime_files(firstboot_t)
files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
init_read_script(firstboot_t)
init_rw_script_pid(firstboot_t)
libs_use_ld_so(firstboot_t)
libs_use_shared_libs(firstboot_t)
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)
locallogin_use_fd(firstboot_t)
logging_send_syslog_msg(firstboot_t)
miscfiles_read_localization(firstboot_t)
modutils_domtrans_insmod(firstboot_t)
modutils_read_module_conf(firstboot_t)
modutils_read_mods_deps(firstboot_t)
sysnet_manage_config(firstboot_t)
# Add/remove user home directories
userdom_create_user_home_dir(firstboot_t)
userdom_manage_user_home_dir(firstboot_t)
userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
userdom_manage_user_home_dirs(firstboot_t)
userdom_manage_user_home_files(firstboot_t)
userdom_manage_user_home_symlinks(firstboot_t)
userdom_manage_user_home_pipes(firstboot_t)
userdom_manage_user_home_sockets(firstboot_t)
usermanage_domtrans_useradd(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
optional_policy(`kerberos.te',`
kerberos_rw_config(firstboot_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(firstboot_t)
')
ifdef(`TODO',`
allow firstboot_t proc_t:file write;
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')
') dnl end TODO

View File

@ -68,7 +68,7 @@ interface(`kerberos_use',`
## Domain allowed access. ## Domain allowed access.
## </param> ## </param>
# #
interface(`kerberos_read_conf',` interface(`kerberos_read_config',`
gen_require(` gen_require(`
type krb5_conf_t; type krb5_conf_t;
class files r_file_perms; class files r_file_perms;
@ -77,3 +77,21 @@ interface(`kerberos_read_conf',`
files_search_etc($1) files_search_etc($1)
allow $1 krb5_conf_t:file r_file_perms; allow $1 krb5_conf_t:file r_file_perms;
') ')
########################################
## <summary>
## Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kerberos_rw_config',`
gen_require(`
type krb5_conf_t;
class files rw_file_perms;
')
files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms;
')

View File

@ -546,12 +546,6 @@ interface(`files_create_root',`
gen_require(` gen_require(`
type root_t; type root_t;
class dir create_dir_perms; class dir create_dir_perms;
class file create_file_perms;
class lnk_file create_lnk_perms;
class fifo_file create_file_perms;
class sock_file create_file_perms;
class blk_file create_file_perms;
class chr_file create_file_perms;
') ')
allow $1 root_t:dir rw_dir_perms; allow $1 root_t:dir rw_dir_perms;
@ -1692,6 +1686,24 @@ interface(`files_dontaudit_search_var',`
dontaudit $1 var_t:dir search; dontaudit $1 var_t:dir search;
') ')
########################################
## <summary>
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_manage_var_dirs',`
gen_require(`
type var_t;
class dir create_dir_perms;
')
allow $1 var_t:dir create_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the /var directory. ## Read files in the /var directory.
@ -1711,6 +1723,25 @@ interface(`files_read_var_files',`
allow $1 var_t:file r_file_perms; allow $1 var_t:file r_file_perms;
') ')
########################################
## <summary>
## Create, read, write, and delete files in the /var directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_manage_var_files',`
gen_require(`
type var_t;
class dir rw_dir_perms;
class file create_file_perms;
')
allow $1 var_t:dir rw_dir_perms;
allow $1 var_t:file create_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read symbolic links in the /var directory. ## Read symbolic links in the /var directory.
@ -1730,6 +1761,26 @@ interface(`files_read_var_symlink',`
allow $1 var_t:lnk_file { getattr read }; allow $1 var_t:lnk_file { getattr read };
') ')
########################################
## <summary>
## Create, read, write, and delete symbolic
## links in the /var directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_manage_var_symlinks',`
gen_require(`
type var_t;
class dir rw_dir_perms;
class lnk_file create_lnk_perms;
')
allow $1 var_t:dir rw_dir_perms;
allow $1 var_t:lnk_file create_lnk_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the /var/lib directory. ## Get the attributes of the /var/lib directory.

View File

@ -78,6 +78,10 @@ tunable_policy(`use_dns',`
sysnet_read_config(hostname_t) sysnet_read_config(hostname_t)
') ')
optional_policy(`firstboot.te',`
firstboot_use_fd(hostname_t)
')
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_dontaudit_use_fd(hostname_t) hotplug_dontaudit_use_fd(hostname_t)
') ')

View File

@ -301,6 +301,13 @@ interface(`init_domtrans_script',`
## <summary> ## <summary>
## Start and stop daemon programs directly. ## Start and stop daemon programs directly.
## </summary> ## </summary>
## <desc>
## <p>
## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -323,6 +330,24 @@ interface(`init_run_daemon',`
dontaudit direct_init $3:chr_file rw_file_perms; dontaudit direct_init $3:chr_file rw_file_perms;
') ')
########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`init_read_script',`
gen_require(`
type initrc_exec_t;
class file { getattr read };
')
files_list_etc($1)
allow $1 initrc_exec_t:file { getattr read };
')
######################################## ########################################
# #
# init_exec_script(domain) # init_exec_script(domain)
@ -440,8 +465,21 @@ interface(`init_udp_sendto_script',`
') ')
######################################## ########################################
# ## <summary>
# init_use_script_pty(domain) ## Read and write the init script pty.
## </summary>
## <desc>
## <p>
## Read and write the init script pty. This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
## </p>
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
# #
interface(`init_use_script_pty',` interface(`init_use_script_pty',`
gen_require(` gen_require(`
@ -453,6 +491,24 @@ interface(`init_use_script_pty',`
allow $1 initrc_devpts_t:chr_file rw_term_perms; allow $1 initrc_devpts_t:chr_file rw_term_perms;
') ')
########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`init_read_script_file',`
gen_require(`
type initrc_exec_t;
class file r_file_perms;
')
files_search_etc($1)
allow $1 initrc_exec_t:file r_file_perms;
')
######################################## ########################################
# #
# init_dontaudit_use_script_pty(domain) # init_dontaudit_use_script_pty(domain)

View File

@ -92,6 +92,11 @@ tunable_policy(`use_dns',`
sysnet_read_config(iptables_t) sysnet_read_config(iptables_t)
') ')
optional_policy(`firstboot.te',`
firstboot_use_fd(iptables_t)
firstboot_write_pipe(iptables_t)
')
optional_policy(`modutils.te', ` optional_policy(`modutils.te', `
corecmd_search_sbin(iptables_t) corecmd_search_sbin(iptables_t)
modutils_domtrans_insmod(iptables_t) modutils_domtrans_insmod(iptables_t)
@ -118,8 +123,4 @@ rhgb_domain(iptables_t)
optional_policy(`gnome-pty-helper.te',` optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use; allow iptables_t sysadm_gph_t:fd use;
') ')
optional_policy(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write;
')
') dnl ifdef TODO ') dnl ifdef TODO

View File

@ -104,6 +104,7 @@ miscfiles_read_localization(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t) sysnet_domtrans_ifconfig(cardmgr_t)
# for /etc/resolv.conf # for /etc/resolv.conf
sysnet_create_config(cardmgr_t)
sysnet_manage_config(cardmgr_t) sysnet_manage_config(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fd(cardmgr_t) userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)

View File

@ -163,6 +163,24 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:file r_file_perms; allow $1 net_conf_t:file r_file_perms;
') ')
#######################################
## <summary>
## Create files in /etc with the type used for
## the network config files.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sysnet_create_config',`
gen_require(`
type net_conf_t;
class file create_file_perms;
')
files_create_etc_config($1,net_conf_t,file)
')
####################################### #######################################
## <summary> ## <summary>
## Create, read, write, and delete network config files. ## Create, read, write, and delete network config files.
@ -177,8 +195,7 @@ interface(`sysnet_manage_config',`
class file create_file_perms; class file create_file_perms;
') ')
allow $1 net_conf_t:file r_file_perms; allow $1 net_conf_t:file create_file_perms;
files_create_etc_config($1,net_conf_t,file)
') ')
####################################### #######################################

View File

@ -1248,57 +1248,6 @@ interface(`userdom_read_all_user_files',`
allow $1 home_type:file r_file_perms; allow $1 home_type:file r_file_perms;
') ')
########################################
## <summary>
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
gen_require(`
attribute user_tmpfile;
class file { getattr write append };
')
allow $1 user_tmpfile:file { getattr write append };
')
########################################
## <summary>
## Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
gen_require(`
attribute userdomain;
class fd use;
')
allow $1 userdomain:fd use;
')
########################################
## <summary>
## Send general signals to all user domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
gen_require(`
attribute userdomain;
class process signal;
')
allow $1 userdomain:process signal;
')
######################################## ########################################
## <summary> ## <summary>
## Send general signals to unprivileged user domains. ## Send general signals to unprivileged user domains.
@ -1351,6 +1300,184 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
dontaudit $1 unpriv_userdomain:fd use; dontaudit $1 unpriv_userdomain:fd use;
') ')
########################################
## <summary>
## Create generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_create_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
files_create_home_dirs($1,user_home_dir_t)
')
########################################
## <summary>
## Create, read, write, and delete
## generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_dir',`
gen_require(`
type user_home_dir_t;
class dir create_dir_perms;
')
allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
## <summary>
## Create objects in generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="object_class" optional="true">
## The class of the object to be created.
## If not specified, file is used.
## </param>
#
interface(`userdom_create_user_home',`
gen_require(`
type user_home_dir_t, user_home_t;
class dir rw_dir_perms;
')
allow $1 etc_t:dir rw_dir_perms;
ifelse(`$2',`',`
type_transition $1 user_home_dir_t:file user_home_t;
',`
type_transition $1 user_home_dir_t:$2 user_home_t;
')
')
########################################
## <summary>
## Create, read, write, and delete
## subdirectories of generic user
## home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_dirs',`
gen_require(`
type user_home_t;
class dir create_dir_perms;
')
allow $1 user_home_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
## in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_files',`
gen_require(`
type user_home_t;
class dir rw_dir_perms;
class file create_file_perms;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete symbolic
## links in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_symlinks',`
gen_require(`
type user_home_t;
class dir rw_dir_perms;
class lnk_file create_lnk_perms;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Create, read, write, and delete named
## pipes in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_pipes',`
gen_require(`
type user_home_t;
class dir rw_dir_perms;
class fifo_file create_file_perms;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:fifo_file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete named
## sockets in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_user_home_sockets',`
gen_require(`
type user_home_t;
class dir rw_dir_perms;
class sock_file create_file_perms;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:sock_file create_file_perms;
')
########################################
## <summary>
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
gen_require(`
attribute user_tmpfile;
class file { getattr write append };
')
allow $1 user_tmpfile:file { getattr write append };
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to use unprivileged ## Do not audit attempts to use unprivileged
@ -1369,6 +1496,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
dontaudit $1 user_ttynode:chr_file rw_file_perms; dontaudit $1 user_ttynode:chr_file rw_file_perms;
') ')
########################################
## <summary>
## Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
gen_require(`
attribute userdomain;
class fd use;
')
allow $1 userdomain:fd use;
')
########################################
## <summary>
## Send general signals to all user domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
gen_require(`
attribute userdomain;
class process signal;
')
allow $1 userdomain:process signal;
')
######################################## ########################################
## <summary> ## <summary>
## Unconfined access to user domains. ## Unconfined access to user domains.

View File

@ -117,6 +117,10 @@ ifdef(`targeted_policy',`
clock_run(sysadm_t,sysadm_r,admin_terminal) clock_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`firstboot.te',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')
optional_policy(`fstools.te',` optional_policy(`fstools.te',`
fstools_run(sysadm_t,sysadm_r,admin_terminal) fstools_run(sysadm_t,sysadm_r,admin_terminal)
') ')