add automount

2005-12-09 20:08:10 +00:00 · 2005-12-09 20:08:10 +00:00 · 7576fad511
parent 5ea24be958
commit 7576fad511
10 changed files with 341 additions and 2 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,5 +1,6 @@
 - Miscellaneous fixes from Dan Walsh.
 - Added modules:
+	automount
 	fetchmail
 	sysstat

--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -47,6 +47,22 @@ interface(`bootloader_run',`
 	allow bootloader_t $3:chr_file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Get attributes of the /boot directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`bootloader_getattr_boot_dir',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get attributes
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@ -1021,6 +1021,22 @@ interface(`files_unmount_rootfs',`
 	allow $1 root_t:filesystem unmount;
 ')

+########################################
+## <summary>
+##	Getattr of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_default_dir',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes of
@ -1467,6 +1483,23 @@ interface(`files_create_etc_config',`
 	')
 ')

+########################################
+## <summary>
+##	Getattr of directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_isid_type_dir',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search directories on new filesystems
@ -1815,10 +1848,9 @@ interface(`files_manage_lost_found',`
 interface(`files_search_mnt',`
 	gen_require(`
 		type mnt_t;
-		class dir search;
 	')

-	allow $1 mnt_t:dir search;
+	allow $1 mnt_t:dir search_dir_perms;
 ')

 ########################################
@ -2389,6 +2421,22 @@ interface(`files_search_var',`
 	allow $1 var_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write to /var.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_write_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	dontaudit $1 var_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -360,6 +360,23 @@ interface(`fs_search_auto_mountpoints',`
 	allow $1 autofs_t:dir { getattr search };
 ')

+########################################
+## <summary>
+##	Read directories of automatically
+##	mounted filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the domain performing this action.
+## </param>
+#
+interface(`fs_list_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Register an interpreter for new binary
@ -2063,6 +2080,23 @@ interface(`fs_create_tmpfs_data',`
 	')
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete
+##	auto moutpoints.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_manage_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic tmpfs files.
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@ -186,6 +186,10 @@ ifdef(`targeted_policy',`
 	unconfined_domain_template(apmd_t)
 ')

+optional_policy(`automount',`
+	automount_domtrans(apmd_t)
+')
+
 optional_policy(`clock',`
 	clock_domtrans(apmd_t)
 	clock_rw_adjtime(apmd_t)
--- a/refpolicy/policy/modules/services/automount.fc
+++ b/refpolicy/policy/modules/services/automount.fc
@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/auto\..+		--	gen_context(system_u:object_r:automount_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
--- a/refpolicy/policy/modules/services/automount.if
+++ b/refpolicy/policy/modules/services/automount.if
@ -0,0 +1,41 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+##	Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`automount_domtrans',`
+	gen_require(`
+		type automount_t, automount_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, automount_exec_t, automount_t)
+
+	allow $1 automount_t:fd use;
+	allow automount_t $1:fd use;
+	allow automount_t $1:fifo_file rw_file_perms;
+	allow automount_t $1:process sigchld;
+
+')
+
+########################################
+## <summary>
+##	Execute automount in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`automount_exec',`
+	gen_require(`
+		type automount_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,automount_etc_t)
+')
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@ -0,0 +1,156 @@
+
+policy_module(automount,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t,automount_exec_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+type automount_etc_t;
+files_config_file(automount_etc_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { sys_nice dac_override };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched };
+allow automount_t self:fifo_file rw_file_perms;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+allow automount_t self:tcp_socket create_stream_socket_perms;
+allow automount_t self:udp_socket create_socket_perms;
+
+allow automount_t automount_etc_t:file { getattr read };
+# because config files can be shell scripts
+can_exec(automount_t, automount_etc_t)
+
+allow automount_t automount_lock_t:file create_file_perms;
+files_create_lock(automount_t,automount_lock_t)
+
+allow automount_t automount_tmp_t:dir create_dir_perms;
+allow automount_t automount_tmp_t:file create_file_perms;
+files_create_tmp_files(automount_t, automount_tmp_t, { file dir })
+
+# Allow automount to create and delete directories in / and /home
+allow automount_t automount_tmp_t:dir create_dir_perms;
+files_create_home_dirs(automount_t,automount_tmp_t)
+files_create_root(automount_t,automount_tmp_t,dir)
+
+allow automount_t automount_var_run_t:file create_file_perms;
+allow automount_t automount_var_run_t:dir rw_dir_perms;
+files_create_pid(automount_t,automount_var_run_t)
+
+kernel_read_kernel_sysctl(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_list_proc(automount_t)
+
+bootloader_getattr_boot_dir(automount_t)
+
+corecmd_search_sbin(automount_t)
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_non_ipsec_sendrecv(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_raw_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_all_nodes(automount_t)
+corenet_udp_sendrecv_all_nodes(automount_t)
+corenet_raw_sendrecv_all_nodes(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_all_nodes(automount_t)
+corenet_udp_bind_all_nodes(automount_t)
+
+dev_read_sysfs(automount_t)
+# for SSP
+dev_read_urand(automount_t)
+
+domain_use_wide_inherit_fd(automount_t)
+
+files_dontaudit_write_var(automount_t)
+files_search_var_lib_dir(automount_t)
+files_search_mnt(automount_t)
+files_getattr_home_dir(automount_t)
+files_read_etc_files(automount_t)
+files_read_etc_runtime_files(automount_t)
+# for if the mount point is not labelled
+files_getattr_isid_type_dir(automount_t)
+files_getattr_default_dir(automount_t)
+# because config files can be shell scripts
+files_exec_etc_files(automount_t)
+
+fs_getattr_all_fs(automount_t)
+fs_getattr_all_files(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+
+term_dontaudit_use_console(automount_t)
+
+init_use_fd(automount_t)
+init_use_script_pty(automount_t)
+
+libs_use_ld_so(automount_t)
+libs_use_shared_libs(automount_t)
+
+logging_send_syslog_msg(automount_t)
+
+miscfiles_read_localization(automount_t)
+
+# Run mount in the mount_t domain.
+mount_domtrans(automount_t)
+
+sysnet_dns_name_resolve(automount_t)
+sysnet_use_ldap(automount_t)
+sysnet_read_config(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fd(automount_t)
+userdom_dontaudit_search_sysadm_home_dir(automount_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_file(automount_t)
+	term_dontaudit_use_unallocated_tty(automount_t)
+	term_dontaudit_use_generic_pty(automount_t)
+')
+
+optional_policy(`apm',`
+	corecmd_exec_bin(automount_t)
+')
+
+optional_policy(`fstools',`
+	fstools_domtrans(automount_t)
+')
+
+optional_policy(`nis',`
+	nis_use_ypbind(automount_t)
+')
+
+optional_policy(`rpc',`
+	rpc_search_nfs_state_data(automount_t)
+')
+
+optional_policy(`selinuxutil',`
+	seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`udev',`
+	udev_read_db(automount_t)
+')
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -477,6 +477,10 @@ optional_policy(`apache',`
 	apache_list_modules(initrc_t)
 ')

+optional_policy(`automount',`
+	automount_exec(initrc_t)
+')
+
 optional_policy(`bind',`
 	bind_read_config(initrc_t)

--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@ -51,6 +51,25 @@ interface(`mount_run',`
 	allow mount_t $3:chr_file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Execute mount in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mount_exec',`
+	gen_require(`
+		type mount_exec_t;
+	')
+
+	allow $1 mount_exec_t:dir r_dir_perms;
+	allow $1 mount_exec_t:lnk_file r_file_perms;
+	can_exec($1,mount_exec_t)
+
+')
+
 ########################################
 ## <summary>
 ##	Use file descriptors for mount.