From 7576fad511cc550e2aca7445f8904c9835d8edf2 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 9 Dec 2005 20:08:10 +0000 Subject: [PATCH] add automount --- refpolicy/Changelog | 1 + refpolicy/policy/modules/kernel/bootloader.if | 16 ++ refpolicy/policy/modules/kernel/files.if | 52 +++++- refpolicy/policy/modules/kernel/filesystem.if | 34 ++++ refpolicy/policy/modules/services/apm.te | 4 + .../policy/modules/services/automount.fc | 16 ++ .../policy/modules/services/automount.if | 41 +++++ .../policy/modules/services/automount.te | 156 ++++++++++++++++++ refpolicy/policy/modules/system/init.te | 4 + refpolicy/policy/modules/system/mount.if | 19 +++ 10 files changed, 341 insertions(+), 2 deletions(-) create mode 100644 refpolicy/policy/modules/services/automount.fc create mode 100644 refpolicy/policy/modules/services/automount.if create mode 100644 refpolicy/policy/modules/services/automount.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 1319db0d..d7cf04d2 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,5 +1,6 @@ - Miscellaneous fixes from Dan Walsh. - Added modules: + automount fetchmail sysstat diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index e620283b..7e8b1986 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -47,6 +47,22 @@ interface(`bootloader_run',` allow bootloader_t $3:chr_file rw_file_perms; ') +######################################## +## +## Get attributes of the /boot directory. +## +## +## Domain to not audit. +## +# +interface(`bootloader_getattr_boot_dir',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir getattr; +') + ######################################## ## ## Do not audit attempts to get attributes diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index b178766c..74c154fc 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -1021,6 +1021,22 @@ interface(`files_unmount_rootfs',` allow $1 root_t:filesystem unmount; ') +######################################## +## +## Getattr of directories with the default file type. +## +## +## Domain allowed access. +## +# +interface(`files_getattr_default_dir',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir getattr; +') + ######################################## ## ## Do not audit attempts to get the attributes of @@ -1467,6 +1483,23 @@ interface(`files_create_etc_config',` ') ') +######################################## +## +## Getattr of directories on new filesystems +## that have not yet been labeled. +## +## +## The type of the process performing this action. +## +# +interface(`files_getattr_isid_type_dir',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir getattr; +') + ######################################## ## ## Do not audit attempts to search directories on new filesystems @@ -1815,10 +1848,9 @@ interface(`files_manage_lost_found',` interface(`files_search_mnt',` gen_require(` type mnt_t; - class dir search; ') - allow $1 mnt_t:dir search; + allow $1 mnt_t:dir search_dir_perms; ') ######################################## @@ -2389,6 +2421,22 @@ interface(`files_search_var',` allow $1 var_t:dir search_dir_perms; ') +######################################## +## +## Do not audit attempts to write to /var. +## +## +## Domain to not audit. +## +# +interface(`files_dontaudit_write_var',` + gen_require(` + type var_t; + ') + + dontaudit $1 var_t:dir write; +') + ######################################## ## ## Do not audit attempts to search diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index f0f72559..d7b64238 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -360,6 +360,23 @@ interface(`fs_search_auto_mountpoints',` allow $1 autofs_t:dir { getattr search }; ') +######################################## +## +## Read directories of automatically +## mounted filesystems. +## +## +## The type of the domain performing this action. +## +# +interface(`fs_list_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir r_dir_perms; +') + ######################################## ## ## Register an interpreter for new binary @@ -2063,6 +2080,23 @@ interface(`fs_create_tmpfs_data',` ') ') +######################################## +## +## Create, read, write, and delete +## auto moutpoints. +## +## +## Domain allowed access. +## +# +interface(`fs_manage_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir manage_dir_perms; +') + ######################################## ## ## Read and write generic tmpfs files. diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 3e00a918..5618677c 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -186,6 +186,10 @@ ifdef(`targeted_policy',` unconfined_domain_template(apmd_t) ') +optional_policy(`automount',` + automount_domtrans(apmd_t) +') + optional_policy(`clock',` clock_domtrans(apmd_t) clock_rw_adjtime(apmd_t) diff --git a/refpolicy/policy/modules/services/automount.fc b/refpolicy/policy/modules/services/automount.fc new file mode 100644 index 00000000..746c1206 --- /dev/null +++ b/refpolicy/policy/modules/services/automount.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) +/etc/auto\..+ -- gen_context(system_u:object_r:automount_etc_t,s0) + +# +# /usr +# +/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) + +# +# /var +# + +/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/automount.if b/refpolicy/policy/modules/services/automount.if new file mode 100644 index 00000000..6a8fd519 --- /dev/null +++ b/refpolicy/policy/modules/services/automount.if @@ -0,0 +1,41 @@ +## Filesystem automounter service. + +######################################## +## +## Execute automount in the automount domain. +## +## +## Domain allowed access. +## +# +interface(`automount_domtrans',` + gen_require(` + type automount_t, automount_exec_t; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1, automount_exec_t, automount_t) + + allow $1 automount_t:fd use; + allow automount_t $1:fd use; + allow automount_t $1:fifo_file rw_file_perms; + allow automount_t $1:process sigchld; + +') + +######################################## +## +## Execute automount in the caller domain. +## +## +## Domain allowed access. +## +# +interface(`automount_exec',` + gen_require(` + type automount_exec_t; + ') + + corecmd_search_sbin($1) + can_exec($1,automount_etc_t) +') diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te new file mode 100644 index 00000000..d1aeb623 --- /dev/null +++ b/refpolicy/policy/modules/services/automount.te @@ -0,0 +1,156 @@ + +policy_module(automount,1.0.1) + +######################################## +# +# Declarations +# + +type automount_t; +type automount_exec_t; +init_daemon_domain(automount_t,automount_exec_t) + +type automount_var_run_t; +files_pid_file(automount_var_run_t) + +type automount_etc_t; +files_config_file(automount_etc_t) + +type automount_lock_t; +files_lock_file(automount_lock_t) + +type automount_tmp_t; +files_tmp_file(automount_tmp_t) +files_mountpoint(automount_tmp_t) + +######################################## +# +# Local policy +# + +allow automount_t self:capability { sys_nice dac_override }; +dontaudit automount_t self:capability sys_tty_config; +allow automount_t self:process { signal_perms getpgid setpgid setsched }; +allow automount_t self:fifo_file rw_file_perms; +allow automount_t self:unix_stream_socket create_socket_perms; +allow automount_t self:unix_dgram_socket create_socket_perms; +allow automount_t self:tcp_socket create_stream_socket_perms; +allow automount_t self:udp_socket create_socket_perms; + +allow automount_t automount_etc_t:file { getattr read }; +# because config files can be shell scripts +can_exec(automount_t, automount_etc_t) + +allow automount_t automount_lock_t:file create_file_perms; +files_create_lock(automount_t,automount_lock_t) + +allow automount_t automount_tmp_t:dir create_dir_perms; +allow automount_t automount_tmp_t:file create_file_perms; +files_create_tmp_files(automount_t, automount_tmp_t, { file dir }) + +# Allow automount to create and delete directories in / and /home +allow automount_t automount_tmp_t:dir create_dir_perms; +files_create_home_dirs(automount_t,automount_tmp_t) +files_create_root(automount_t,automount_tmp_t,dir) + +allow automount_t automount_var_run_t:file create_file_perms; +allow automount_t automount_var_run_t:dir rw_dir_perms; +files_create_pid(automount_t,automount_var_run_t) + +kernel_read_kernel_sysctl(automount_t) +kernel_read_proc_symlinks(automount_t) +kernel_read_system_state(automount_t) +kernel_list_proc(automount_t) + +bootloader_getattr_boot_dir(automount_t) + +corecmd_search_sbin(automount_t) +corecmd_exec_bin(automount_t) +corecmd_exec_shell(automount_t) + +corenet_non_ipsec_sendrecv(automount_t) +corenet_tcp_sendrecv_generic_if(automount_t) +corenet_udp_sendrecv_generic_if(automount_t) +corenet_raw_sendrecv_generic_if(automount_t) +corenet_tcp_sendrecv_all_nodes(automount_t) +corenet_udp_sendrecv_all_nodes(automount_t) +corenet_raw_sendrecv_all_nodes(automount_t) +corenet_tcp_sendrecv_all_ports(automount_t) +corenet_udp_sendrecv_all_ports(automount_t) +corenet_tcp_bind_all_nodes(automount_t) +corenet_udp_bind_all_nodes(automount_t) + +dev_read_sysfs(automount_t) +# for SSP +dev_read_urand(automount_t) + +domain_use_wide_inherit_fd(automount_t) + +files_dontaudit_write_var(automount_t) +files_search_var_lib_dir(automount_t) +files_search_mnt(automount_t) +files_getattr_home_dir(automount_t) +files_read_etc_files(automount_t) +files_read_etc_runtime_files(automount_t) +# for if the mount point is not labelled +files_getattr_isid_type_dir(automount_t) +files_getattr_default_dir(automount_t) +# because config files can be shell scripts +files_exec_etc_files(automount_t) + +fs_getattr_all_fs(automount_t) +fs_getattr_all_files(automount_t) +fs_search_auto_mountpoints(automount_t) +fs_manage_auto_mountpoints(automount_t) + +term_dontaudit_use_console(automount_t) + +init_use_fd(automount_t) +init_use_script_pty(automount_t) + +libs_use_ld_so(automount_t) +libs_use_shared_libs(automount_t) + +logging_send_syslog_msg(automount_t) + +miscfiles_read_localization(automount_t) + +# Run mount in the mount_t domain. +mount_domtrans(automount_t) + +sysnet_dns_name_resolve(automount_t) +sysnet_use_ldap(automount_t) +sysnet_read_config(automount_t) + +userdom_dontaudit_use_unpriv_user_fd(automount_t) +userdom_dontaudit_search_sysadm_home_dir(automount_t) + +ifdef(`targeted_policy', ` + files_dontaudit_read_root_file(automount_t) + term_dontaudit_use_unallocated_tty(automount_t) + term_dontaudit_use_generic_pty(automount_t) +') + +optional_policy(`apm',` + corecmd_exec_bin(automount_t) +') + +optional_policy(`fstools',` + fstools_domtrans(automount_t) +') + +optional_policy(`nis',` + nis_use_ypbind(automount_t) +') + +optional_policy(`rpc',` + rpc_search_nfs_state_data(automount_t) +') + +optional_policy(`selinuxutil',` + seutil_sigchld_newrole(automount_t) +') + +optional_policy(`udev',` + udev_read_db(automount_t) +') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 7eb987f1..49c9a858 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -477,6 +477,10 @@ optional_policy(`apache',` apache_list_modules(initrc_t) ') +optional_policy(`automount',` + automount_exec(initrc_t) +') + optional_policy(`bind',` bind_read_config(initrc_t) diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 569f6165..6d55b2f4 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -51,6 +51,25 @@ interface(`mount_run',` allow mount_t $3:chr_file rw_file_perms; ') +######################################## +## +## Execute mount in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`mount_exec',` + gen_require(` + type mount_exec_t; + ') + + allow $1 mount_exec_t:dir r_dir_perms; + allow $1 mount_exec_t:lnk_file r_file_perms; + can_exec($1,mount_exec_t) + +') + ######################################## ## ## Use file descriptors for mount.