try to knock out more of the distro_debian bootloader stuff

2005-08-15 19:31:37 +00:00 · 2005-08-15 19:31:37 +00:00 · 5f38a65aab
commit 5f38a65aab
parent 21468a6076
6 changed files with 124 additions and 9 deletions
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)

 term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dir(bootloader_t)

 corecmd_exec_bin(bootloader_t)
 corecmd_exec_sbin(bootloader_t)
@ -149,8 +150,18 @@ ifdef(`distro_debian',`
 	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 	allow bootloader_t boot_t:file relabelfrom;

+	fs_list_tmpfs(bootloader_t)
+
+	files_relabelto_usr_files(bootloader_t)
+	files_search_var_lib(bootloader_t)
+	files_list_script_pids(bootloader_t)
 	# for /usr/share/initrd-tools/scripts
 	files_exec_usr_files(bootloader_t)
+
+	fstools_manage_entry_files(bootloader_t)
+	fstools_relabelto_entry_files(bootloader_t)
+
+	libs_relabelto_lib_files(bootloader_t)
 ')

 ifdef(`distro_redhat',`
@ -204,16 +215,15 @@ optional_policy(`userdomain.te',`
 ')

 ifdef(`TODO',`
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
 ifdef(`distro_debian', `
-	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-	allow bootloader_t tmpfs_t:dir r_dir_perms;
-	allow bootloader_t initrc_var_run_t:dir r_dir_perms;
-	allow bootloader_t var_lib_t:dir search;
+	# cjp: there is no setfscreate or type_transition, and
+	# bootloader_t cannot rw a usr_t or lib_t directory, so
+	# how can this work?  This is probably rw_file_perms,
+	# possibly with unlink.  Files are probably "created"
+	# by the above relabeling permissions.
+	allow bootloader_t { usr_t lib_t }:file create_file_perms;
+
 	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
 	allow bootloader_t dpkg_var_lib_t:file { getattr read };
-
 ')
-
 ') dnl end TODO
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -233,7 +233,7 @@ interface(`term_list_ptys',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read the
-##	/dev/pts directory to.
+##	/dev/pts directory.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process to not audit.
@ -248,6 +248,24 @@ interface(`term_dontaudit_list_ptys',`
 	dontaudit $1 devpts_t:dir { getattr search read };
 ')

+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, or delete the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`term_dontaudit_manage_pty_dir',`
+	gen_require(`
+		type devpts_t;
+		class dir create_dir_perms;
+	')
+
+	dontaudit $1 devpts_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the generic pty
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1591,6 +1591,23 @@ interface(`files_read_usr_files',`
 	allow $1 usr_t:{ file lnk_file } r_file_perms;
 ')

+########################################
+## <summary>
+##	Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+	gen_require(`
+		type usr_t;
+		class file relabelto;
+	')
+
+	allow $1 usr_t:file relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in /usr.
--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
@ -65,3 +65,38 @@ interface(`fstools_exec',`

 	can_exec($1,fsadm_exec_t)
 ')
+
+########################################
+## <summary>
+##	Relabel a file to the type used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_relabelto_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	allow $1 fsadm_exec_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete a file used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_manage_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+		class file create_file_perms;
+	')
+
+	allow $1 fsadm_exec_t:file create_file_perms;
+')
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -484,6 +484,24 @@ interface(`init_rw_script_tmp_files',`
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')

+########################################
+## <summary>
+##	List the contents of an init script
+##	process id directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## 
+interface(`init_list_script_pids',`
+	gen_require(`
+		type initrc_var_run_t;
+		class dir r_dir_perms;
+	')
+
+	files_search_pids($1)
+	allow $1 initrc_var_run_t:dir r_dir_perms;
+')
+
 ########################################
 #
 # init_read_script_pid(domain)
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -195,6 +195,23 @@ interface(`libs_exec_lib_files',`
 	can_exec($1,lib_t)
 ')

+########################################
+## <summary>
+##	Relabel files to the type used in library directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`libs_relabelto_lib_files',`
+	gen_require(`
+		type lib_t;
+		class file relabelto;
+	')
+
+	allow $1 lib_t:file relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Load and execute functions from shared libraries.