move modules_object_t back to bootloader

This commit is contained in:
Chris PeBenito 2005-04-25 21:32:09 +00:00
parent 91a7ab6cb3
commit 5f75f56066
4 changed files with 103 additions and 67 deletions


@ -144,3 +144,69 @@ type boot_t, boot_runtime_t;
class dir { getattr search read write add_name remove_name }; class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink }; class file { getattr create read write append unlink };
') ')
########################################
#
# bootloader_list_kernel_modules(domain,[`optional'])
#
define(`bootloader_list_kernel_modules',`
requires_block_template(bootloader_list_kernel_modules_depend,$2)
allow $1 modules_object_t:dir { getattr search read };
')
define(`bootloader_list_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
')
########################################
#
# bootloader_read_kernel_modules(domain,[`optional'])
#
define(`bootloader_read_kernel_modules',`
requires_block_template(bootloader_read_kernel_modules_depend,$2)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:{ lnk_file file } { getattr read };
')
define(`bootloader_read_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read };
')
########################################
#
# bootloader_modify_kernel_modules(domain,[`optional'])
#
define(`bootloader_modify_kernel_modules',`
requires_block_template(bootloader_modify_kernel_modules_depend,$2)
allow $1 modules_object_t:file { getattr create read write setattr unlink };
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
')
define(`bootloader_modify_kernel_modules_depend',`
type modules_object_t;
class file { getattr create read write setattr unlink };
class dir { getattr search read write add_name remove_name };
')
########################################
#
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional'])
#
define(`bootloader_create_private_module_dir_entry',`
requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
ifelse(`$3',`',`
type_transition $1 modules_object_t:file $2;
',`
type_transition $1 modules_object_t:$3 $2;
') dnl end ifelse
')
define(`bootloader_create_private_module_dir_entry_depend',`
type modules_object_t;
class dir { getattr search read write add_name remove_name };
')
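Review bot: `bootloader_create_private_module_dir_entry` documents its optional flag as the fourth argument (`domain,privatetype,[class(es)],[`optional']`), yet the body passes `$2` — the caller's private type — to `requires_block_template`, whereas in the three two-argument interfaces above it `$2` really is the flag. The call sites in modutils.te (`bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)` and the update_modules_t one) therefore hand a type name to the wrapper where it expects the optional marker. The fix is `requires_block_template(bootloader_create_private_module_dir_entry_depend,$4)`. Separately, `bootloader_modify_kernel_modules` grants `create write` on `modules_object_t:file`, which the `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };` rule moved into bootloader.te rejects for any domain outside that attribute, and the interface neither adds `typeattribute $1 can_modify_kernel_modules;` (with `attribute can_modify_kernel_modules;` in its depend block) nor states in its header that callers must carry the attribute; one of the two is needed or callers fail the neverallow at policy build.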


@ -1,10 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
type bootloader_t; attribute can_modify_kernel_modules;
domain_make_domain(bootloader_t)
type bootloader_exec_t;
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
# #
# boot_t is the type for files in /boot # boot_t is the type for files in /boot
@ -12,9 +8,20 @@ domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
type boot_t; type boot_t;
files_make_file(boot_t) files_make_file(boot_t)
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t; type boot_runtime_t;
files_make_file(boot_runtime_t) files_make_file(boot_runtime_t)
type bootloader_t;
domain_make_domain(bootloader_t)
type bootloader_exec_t;
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
# #
# bootloader_etc_t is the configuration file, # bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc. # grub.conf, lilo.conf, etc.
@ -22,12 +29,6 @@ files_make_file(boot_runtime_t)
type bootloader_etc_t alias etc_bootloader_t; type bootloader_etc_t alias etc_bootloader_t;
files_make_file(bootloader_etc_t) files_make_file(bootloader_etc_t)
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_make_file(system_map_t)
# #
# The temp file is used for initrd creation; # The temp file is used for initrd creation;
# it consists of files and device nodes # it consists of files and device nodes
@ -36,6 +37,19 @@ type bootloader_tmp_t;
files_make_file(bootloader_tmp_t) files_make_file(bootloader_tmp_t)
devices_make_device_node(bootloader_tmp_t) devices_make_device_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
files_make_file(modules_object_t)
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_make_file(system_map_t)
######################################## ########################################
# #
# bootloader local policy # bootloader local policy
@ -92,6 +106,9 @@ devices_ignore_modify_generic_devices(bootloader_t)
# mkinitrd policy # mkinitrd policy
# #
allow bootloader_t modules_object_t:dir { getattr search read };
allow bootloader_t modules_object_t:file { getattr read };
files_read_general_system_resources(bootloader_t) files_read_general_system_resources(bootloader_t)
bootloader_install_initrd(bootloader_t) bootloader_install_initrd(bootloader_t)
@ -104,7 +121,6 @@ corecommands_execute_shell(bootloader_t)
selinux_read_binary_policy(bootloader_t) selinux_read_binary_policy(bootloader_t)
selinux_read_load_policy_binary(bootloader_t) selinux_read_load_policy_binary(bootloader_t)
modutils_read_kernel_modules(bootloader_t)
modutils_read_kernel_module_dependencies(bootloader_t) modutils_read_kernel_module_dependencies(bootloader_t)
modutils_read_kernel_module_loading_config(bootloader_t) modutils_read_kernel_module_loading_config(bootloader_t)
modutils_insmod_execute(bootloader_t) modutils_insmod_execute(bootloader_t)
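Review bot: The raw rules added in the mkinitrd hunk (`allow bootloader_t modules_object_t:dir { getattr search read };` / `allow bootloader_t modules_object_t:file { getattr read };`) stand in for the removed `modutils_read_kernel_modules(bootloader_t)` call, but that interface's definition (deleted from modutils.if in this commit) also granted `lnk_file { getattr read }`, so symlinks under the modules tree stop being readable by bootloader_t — this looks like an accidental narrowing rather than a deliberate one. The new `bootloader_read_kernel_modules` interface in bootloader.if keeps lnk_file, so the .te can match it with `allow bootloader_t modules_object_t:{ lnk_file file } { getattr read };`. On the moved `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };`, note that it constrains only the `file` class: creating `lnk_file` entries in a modules_object_t directory, or relabeling foreign files into the type, is not covered by it, so the attribute does not gate every way content can appear under that type; if that is the intended scope a short comment above the rule saying so would save the next reader the same analysis. Also, `attribute can_modify_kernel_modules;` is declared here but no hunk on this page assigns it to any domain, so it is presumably populated elsewhere — worth confirming.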


@ -1,36 +1,20 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
########################################
#
# modutils_read_kernel_modules(domain,[`optional'])
#
define(`modutils_read_kernel_modules',`
requires_block_template(modutils_read_kernel_modules_depend,$2)
allow $1 modules_object_t:dir { getattr search read };
allow $1 modules_object_t:{ lnk_file file } { getattr read };
')
define(`modutils_read_kernel_modules_depend',`
type modules_object_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read };
')
######################################## ########################################
# #
# modutils_read_kernel_module_dependencies(domain,[`optional']) # modutils_read_kernel_module_dependencies(domain,[`optional'])
# #
define(`modutils_read_kernel_module_dependencies',` define(`modutils_read_kernel_module_dependencies',`
requires_block_template(modutils_read_kernel_module_dependencies_depend,$2) requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
bootloader_list_kernel_modules($1,optional)
allow $1 modules_dep_t:file { getattr read }; allow $1 modules_dep_t:file { getattr read };
allow $1 modules_object_t:dir { getattr search read };
') ')
define(`modutils_read_kernel_module_dependencies_depend',` define(`modutils_read_kernel_module_dependencies_depend',`
type modules_object_t, modules_dep_t; type modules_dep_t;
class file { getattr create read write setattr unlink }; class file { getattr create read write setattr unlink };
class dir { search read write add_name remove_name }; class dir { search read write add_name remove_name };
bootloader_list_kernel_modules_depend
') ')
######################################## ########################################
@ -47,22 +31,6 @@ type modules_conf_t;
class file { getattr create read write setattr unlink }; class file { getattr create read write setattr unlink };
') ')
########################################
#
# modutils_modify_kernel_modules(domain,[`optional'])
#
define(`modutils_modify_kernel_modules',`
requires_block_template(modutils_modify_kernel_modules_depend,$2)
allow $1 modules_object_t:file { getattr create read write setattr unlink };
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
')
define(`modutils_modify_kernel_modules_depend',`
type modules_object_t;
class file { getattr create read write setattr unlink };
class dir { getattr search read write add_name remove_name };
')
######################################## ########################################
# #
# modutils_insmod_transition(domain,[`optional']) # modutils_insmod_transition(domain,[`optional'])
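Review bot: The depend block of `modutils_read_kernel_module_dependencies` still declares `class file { getattr create read write setattr unlink };` and `class dir { search read write add_name remove_name };`, but after this change the interface body only grants `modules_dep_t:file { getattr read }` and the directory access now arrives via `bootloader_list_kernel_modules_depend`, so the file declaration overstates what the interface needs and the dir line is dead. Trim it to `class file { getattr read };` and drop the `class dir` line. The nested `bootloader_list_kernel_modules($1,optional)` also passes a literal `optional` instead of the interface's own `$2`, so a caller that did not ask for optional still gets the bootloader dependency wrapped as optional; if that nesting is deliberate, a one-line comment saying why would help, otherwise pass `$2` through.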


@ -1,12 +1,5 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
attribute can_modify_kernel_modules;
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
# kernel modules
type modules_object_t;
files_make_file(modules_object_t)
# module loading config # module loading config
type modules_conf_t; type modules_conf_t;
files_make_file(modules_conf_t) files_make_file(modules_conf_t)
@ -49,10 +42,6 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
# Read module config and dependency information # Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
# read modules
allow insmod_t modules_object_t:dir { getattr search read };
allow insmod_t modules_object_t:file { getattr read };
allow insmod_t self:capability { dac_override net_raw sys_tty_config }; allow insmod_t self:capability { dac_override net_raw sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
@ -68,6 +57,8 @@ kernel_read_kernel_sysctl(insmod_t)
kernel_modify_kernel_sysctl(insmod_t) kernel_modify_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctl(insmod_t) kernel_read_hotplug_sysctl(insmod_t)
bootloader_read_kernel_modules(insmod_t)
terminal_use_controlling_terminal(insmod_t) terminal_use_controlling_terminal(insmod_t)
devices_write_mtrr(insmod_t) devices_write_mtrr(insmod_t)
@ -160,22 +151,18 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
# Read conf.modules. # Read conf.modules.
allow depmod_t modules_conf_t:file { getattr read }; allow depmod_t modules_conf_t:file { getattr read };
# Read module objects.
allow depmod_t modules_object_t:dir { getattr search read };
allow depmod_t modules_object_t:{ file lnk_file } { getattr read };
# Create modules.dep.
allow depmod_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
type_transition depmod_t modules_object_t:file modules_dep_t;
kernel_read_system_state(depmod_t) kernel_read_system_state(depmod_t)
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
filesystem_get_persistent_filesystem_attributes(depmod_t) filesystem_get_persistent_filesystem_attributes(depmod_t)
terminal_use_console(depmod_t) terminal_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t) bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
files_read_runtime_system_config(depmod_t) files_read_runtime_system_config(depmod_t)
files_read_general_system_config(depmod_t) files_read_general_system_config(depmod_t)
@ -218,9 +205,8 @@ allow update_modules_t modules_dep_t:file { getattr read write };
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans }; allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans }; allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
allow update_modules_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write }; bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
type_transition update_modules_t modules_object_t:file modules_conf_t;
allow update_modules_t depmod_exec_t:file { getattr read execute }; allow update_modules_t depmod_exec_t:file { getattr read execute };
type_transition update_modules_t depmod_exec_t:process depmod_t; type_transition update_modules_t depmod_exec_t:process depmod_t;
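Review bot: Replacing `allow depmod_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };` with `bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)` drops `lock` and `ioctl` on the modules directory, because the interface as added in bootloader.if grants only `{ getattr search read write add_name remove_name }`; the update_modules_t line in the last hunk loses the same two permissions. If depmod or update-modules actually lock or ioctl that directory this is a functional regression; if the permissions were never exercised the tightening is welcome, but the narrowing should be stated in the commit message so it reads as intentional. The replaced `type_transition` lines are carried by the interface's default `file` class branch, so that part is equivalent for both callers.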