add fstools, and more cleanup

Chris PeBenito 2005-06-27 20:59:28 +00:00
parent 80436b9b8f
commit 58c3da55f3
12 changed files with 456 additions and 53 deletions


@ -126,6 +126,7 @@ files_read_generic_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_file(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
@ -145,6 +146,9 @@ ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)
')
ifdef(`distro_redhat',`
@ -157,6 +161,13 @@ ifdef(`distro_redhat', `
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dir(bootloader_t)
files_manage_isid_type_file(bootloader_t)
files_manage_isid_type_symlink(bootloader_t)
files_manage_isid_type_blk_node(bootloader_t)
files_manage_isid_type_chr_node(bootloader_t)
# for mke2fs
mount_domtrans(bootloader_t)
')
@ -165,8 +176,6 @@ optional_policy(`filesystemtools.te', `
filesystemtools_execute(bootloader_t)
')
# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
optional_policy(`lvm.te',`
dev_rw_lvm_control(bootloader_t)
@ -185,8 +194,9 @@ optional_policy(`modutils.te',`
ifdef(`TODO',`
allow bootloader_t var_t:dir search;
allow bootloader_t var_t:file { getattr read };
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
ifdef(`distro_debian', `
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
@ -197,18 +207,6 @@ ifdef(`distro_debian', `
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
# for /usr/share/initrd-tools/scripts
can_exec(bootloader_t, usr_t)
')
ifdef(`distro_redhat', `
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
allow bootloader_t file_t:lnk_file create_lnk_perms;
')
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
') dnl end TODO
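Review bot: The comment `# for mke2fs` on the added `mount_domtrans(bootloader_t)` does not match the rule it annotates: mke2fs is labeled `fsadm_exec_t` by the fstools.fc file added in this same commit, so the transition it needs is `fstools_domtrans(bootloader_t)` inside an optional_policy block for fstools.te, not a transition into the mount domain. If the mount transition is really for mkinitrd mounting the initrd, as the comment a few lines earlier suggests, the comment should say that instead. The added `files_manage_isid_type_*` calls in the distro_redhat block grant create and delete over every unlabeled directory, file, symlink and device node; the comment already calls this "still bad", so a note naming which mkinitrd step needs device-node creation would let a later reviewer narrow it.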


@ -172,11 +172,11 @@ interface(`kernel_dontaudit_read_ring_buffer',`
')
########################################
## <desc>
##
## </desc>
## <summary>
## Change the level of kernel messages logged to the console.
## </summary>
## <param name="domain">
##
## The type of the process performing this action.
## </param>
#
interface(`kernel_change_ring_buffer_level',`


@ -88,6 +88,10 @@ fs_search_auto_mountpoints(inetd_t)
term_dontaudit_use_console(inetd_t)
# Run other daemons in the inetd_child_t domain.
corecmd_search_bin(inetd_t)
corecmd_read_sbin_symlink(inetd_t)
domain_use_wide_inherit_fd(inetd_t)
files_read_generic_etc_files(inetd_t)
@ -112,8 +116,8 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(inetd_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(inetd_t)
optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t)
')
optional_policy(`selinux.te',`
@ -129,17 +133,13 @@ allow inetd_t proc_t:dir r_dir_perms;
allow inetd_t proc_t:lnk_file read;
dontaudit inetd_t sysadm_home_dir_t:dir search;
ifdef(`mount.te', `
allow inetd_t mount_t:udp_socket rw_socket_perms;
optional_policy(`rhgb.te',`
rhgb_domain(inetd_t)
')
# allow any domain to connect to inetd
can_tcp_connect(userdomain, inetd_t)
# Run other daemons in the inetd_child_t domain.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;
# Bind to the telnet, ftp, rlogin and rsh ports.
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;


@ -51,7 +51,7 @@ interface(`clock_run',`
########################################
## <desc>
## Execute hwclock
## Execute hwclock in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.


@ -43,6 +43,7 @@ interface(`corecmd_list_bin',`
allow $1 bin_t:dir r_dir_perms;
')
########################################
## <summary>
## Get the attributes of files in bin directories.
## </summary>
@ -58,6 +59,7 @@ interface(`corecmd_getattr_bin_file',`
allow $1 bin_t:file getattr;
')
########################################
## <summary>
## Read symbolic links in bin directories.
## </summary>
@ -144,6 +146,24 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
dontaudit $1 sbin_t:file getattr;
')
########################################
## <summary>
## Read symbolic links in sbin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
interface(`corecmd_read_sbin_symlink',`
gen_require(`
type sbin_t;
class dir search;
class lnk_file read;
')
allow $1 sbin_t:dir search;
allow $1 sbin_t:lnk_file read;
')
########################################
#
# corecmd_exec_sbin(domain)
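Review bot: The doc header of the new `corecmd_read_sbin_symlink` interface omits the closing `#` line before `interface(` that every other interface header in this commit carries (files_read_var_file, fstools_domtrans and the others); add a `#` line after `## </param>` so the block has the same shape for the doc tooling. The body also grants `sbin_t:dir search`, which the summary does not mention; `## Read symbolic links in sbin directories (includes searching them).` would cover what is actually allowed.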


@ -591,9 +591,33 @@ interface(`files_create_etc_config',`
')
')
########################################
## <summary>
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
# files_rw_isid_type_dir(domain)
interface(`files_dontaudit_search_isid_type_dir',`
gen_require(`
type file_t;
class dir search;
')
dontaudit $1 file_t:dir search;
')
########################################
## <summary>
## Read and write directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_rw_isid_type_dir',`
gen_require(`
@ -605,29 +629,121 @@ interface(`files_rw_isid_type_dir',`
')
########################################
## <summary>
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
# files_dontaudit_getattr_isid_type_dir(domain)
#
interface(`files_dontaudit_getattr_isid_type_dir',`
interface(`files_manage_isid_type_dir',`
gen_require(`
type file_t;
class dir search;
class dir create_dir_perms;
')
dontaudit $1 file_t:dir search;
allow $1 file_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
## on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
# files_dontaudit_search_isid_type_dir(domain)
interface(`files_manage_isid_type_file',`
gen_require(`
type file_t;
class dir rw_dir_perms;
class file create_file_perms;
')
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete symbolic links
## on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_dontaudit_search_isid_type_dir',`
interface(`files_manage_isid_type_symlink',`
gen_require(`
type file_t;
class dir rw_dir_perms;
class lnk_file create_lnk_perms;
')
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Read and write block device nodes on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_rw_isid_type_blk_node',`
gen_require(`
type file_t;
class dir search;
class blk_file rw_file_perms;
')
dontaudit $1 file_t:dir search;
allow $1 file_t:dir search;
allow $1 file_t:blk_file rw_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_manage_isid_type_blk_node',`
gen_require(`
type file_t;
class dir rw_dir_perms;
class blk_file create_file_perms;
')
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:blk_file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete character device nodes
## on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_manage_isid_type_chr_node',`
gen_require(`
type file_t;
class dir rw_dir_perms;
class chr_file create_file_perms;
')
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:chr_file create_file_perms;
')
########################################
@ -807,6 +923,25 @@ interface(`files_dontaudit_search_var',`
dontaudit $1 var_t:dir search;
')
########################################
## <summary>
## Read files in the /var directory.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_read_var_file',`
gen_require(`
type var_t;
class dir search;
class file r_file_perms;
')
allow $1 var_t:dir search;
allow $1 var_t:file r_file_perms;
')
########################################
## <desc>
## Search the /var/lib directory.
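Review bot: The new `files_manage_isid_type_*` interfaces hand out create and delete rights on `file_t`, the label of everything on a filesystem that has not been labeled yet, and the bootloader.te hunk in this commit itself calls granting that "still bad"; the interface summaries should carry that caveat so other callers do not treat them as routine. A line such as `## Callers gain full access to any unlabeled content; restrict to domains that must populate fresh filesystems.` after each summary would do. Separately, `files_read_var_file` is named in the singular where the neighbouring read interfaces use `_files` (files_read_usr_files, files_read_generic_etc_files); it is already called from bootloader.te in this commit, so renaming it to `files_read_var_files` means updating that caller as well.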


@ -0,0 +1,36 @@
/sbin/blockdev -- system_u:object_r:fsadm_exec_t
/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
/sbin/e2label -- system_u:object_r:fsadm_exec_t
/sbin/fdisk -- system_u:object_r:fsadm_exec_t
/sbin/findfs -- system_u:object_r:fsadm_exec_t
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
/sbin/lsraid -- system_u:object_r:fsadm_exec_t
/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
/sbin/mkraid -- system_u:object_r:fsadm_exec_t
/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
/sbin/mkswap -- system_u:object_r:fsadm_exec_t
/sbin/parted -- system_u:object_r:fsadm_exec_t
/sbin/partprobe -- system_u:object_r:fsadm_exec_t
/sbin/partx -- system_u:object_r:fsadm_exec_t
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
/usr/bin/raw -- system_u:object_r:fsadm_exec_t
/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
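Review bot: Several patterns use an unescaped `.` before `.*`, e.g. `/sbin/fsck.*`, `/sbin/mkfs.*`, `/sbin/swapon.*` and `/sbin/losetup.*`; as written each matches any name starting with that prefix, not only the dotted variants. Every match here is an entrypoint into fsadm_t, which fstools.te gives sys_rawio, sys_admin and raw disk write, so tighter forms such as `/sbin/fsck(\..*)?` and `/sbin/mkfs(\..*)?` keep the entrypoint set explicit. Patterns like `/sbin/resize.*fs` and `/sbin/jfs_.*` are presumably deliberate wildcards and can stay.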


@ -0,0 +1,66 @@
## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
########################################
## <desc>
## Execute fs tools in the fstools domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fstools_domtrans',`
gen_require(`
type fsadm_t, fsadm_exec_t;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,fsadm_exec_t,fsadm_t)
allow $1 fsadm_t:fd use;
allow fsadm_t $1:fd use;
allow fsadm_t $1:fifo_file rw_file_perms;
allow fsadm_t $1:process sigchld;
')
########################################
## <desc>
## Execute fs tools in the fstools domain, and
## allow the specified role the fs tools domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the fs tools domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the fs tools domain to use.
## </param>
#
interface(`fstools_run',`
gen_require(`
type fsadm_t;
class chr_file { getattr read write ioctl };
')
fstools_domtrans($1)
role $2 types fsadm_t;
allow fsadm_t $3:chr_file { getattr read write ioctl };
')
########################################
## <desc>
## Execute fsadm in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fstools_exec',`
gen_require(`
type fsadm_exec_t;
')
can_exec($1,fsadm_exec_t)
')
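Review bot: `fstools_domtrans` uses `allow fsadm_t $1:process sigchld;` but its gen_require only declares `class fd use;` and `class fifo_file rw_file_perms;`; the other interfaces in this commit declare every class they use, so add `class process sigchld;` to the require block. The header of `fstools_exec` says "Execute fsadm in the caller domain" while its siblings say "fs tools"; `## Execute fs tools in the caller domain.` keeps the wording uniform. These headers also use `<desc>` where the new files.if and corecmd.if interfaces use `<summary>`; if the documentation is moving to `<summary>`, as the kernel.if hunk appears to do, the new file should follow from the start.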


@ -0,0 +1,143 @@
policy_module(fstools,1.0)
########################################
#
# Declarations
#
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
role system_r types fsadm_t;
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
type swapfile_t;
files_file_type(swapfile_t)
########################################
# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };
can_exec(fsadm_t, fsadm_exec_t)
allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
allow fsadm_t fsadm_tmp_t:file create_file_perms;
files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
# Enable swapping to files
allow fsadm_t swapfile_t:file { getattr swapon };
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctl(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_generic_etc_files(fsadm_t)
files_list_mnt(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
# Access to /initrd devices
files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t)
init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t)
libs_use_ld_so(fsadm_t)
libs_use_shared_libs(fsadm_t)
logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
modutils_read_module_conf(fsadm_t)
seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
optional_policy(`nis.te',`
nis_use_ypbind(fsadm_t)
')
ifdef(`TODO',`
# for swapon
allow fsadm_t sysfs_t:dir { search getattr };
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t bin_t:dir r_dir_perms;
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
allow fsadm_t sbin_t:dir r_dir_perms;
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) {
allow fsadm_t default_t:dir r_dir_perms;
allow fsadm_t default_t:notdevfile_class_set r_file_perms;
}
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { rmdir create };
# Enable swapping to devices and files
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
allow fsadm_t unlabeled_t:dir rw_dir_perms;
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir getattr;
') dnl end TODO
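Review bot: The comment `# Access to /initrd devices` above `dev_search_usbfs(fsadm_t)` looks misplaced: the same comment reappears lower down over `files_rw_isid_type_dir`/`files_rw_isid_type_blk_node`, where it fits, and the TODO block shows the usbfs getattr rule was originally separate from the /initrd rules; replace the first occurrence with a comment naming the usbfs need, or drop it. The capability line only explains `ipc_lock`, while `sys_rawio` and `sys_admin` are the high-impact ones; a per-capability note (presumably sys_rawio for direct disk ioctls and sys_admin for swapon/losetup, to be confirmed) would help future audits. The `self:process ~{ ... }` rule grants every process permission except the listed ones, including any added to the class later; a positive list would be the least-privilege form.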


@ -131,6 +131,10 @@ optional_policy(`consoletype.te',`
consoletype_domtrans(hotplug_t)
')
optional_policy(`fstools.te',`
fstools_domtrans(hotplug_t)
')
optional_policy(`hostname.te',`
hostname_exec(hotplug_t)
')
@ -188,10 +192,6 @@ optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:file { getattr read };
')
optional_policy(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
optional_policy(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')


@ -138,12 +138,15 @@ fs_getattr_xattr_fs(depmod_t)
term_use_console(depmod_t)
corecmd_search_bin(depmod_t)
corecmd_search_sbin(depmod_t)
domain_use_wide_inherit_fd(depmod_t)
init_use_fd(depmod_t)
init_use_script_fd(depmod_t)
init_use_script_pty(depmod_t)
domain_use_wide_inherit_fd(depmod_t)
files_read_etc_runtime_files(depmod_t)
files_read_generic_etc_files(depmod_t)
files_read_usr_src(depmod_t)
@ -153,8 +156,6 @@ libs_use_shared_libs(depmod_t)
ifdef(`TODO',`
allow depmod_t { bin_t sbin_t }:dir search;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.


@ -84,6 +84,10 @@ optional_policy(`clock.te',`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`fstools.te',`
fstools_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`hostname.te',`
hostname_run(sysadm_t,sysadm_r,admin_terminal)
')