From 8fd367322576cc7b536beaa8d41b4be5a23a748c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 29 Jun 2005 14:26:41 +0000 Subject: [PATCH] another round of renaming, for consistency --- refpolicy/policy/modules/admin/dmesg.te | 2 +- refpolicy/policy/modules/admin/logrotate.te | 12 +- refpolicy/policy/modules/admin/netutils.te | 6 +- refpolicy/policy/modules/admin/rpm.te | 8 +- refpolicy/policy/modules/admin/usermanage.te | 18 +-- refpolicy/policy/modules/apps/gpg.if | 8 +- refpolicy/policy/modules/apps/gpg.te | 8 +- refpolicy/policy/modules/kernel/bootloader.if | 6 +- refpolicy/policy/modules/kernel/bootloader.te | 18 +-- refpolicy/policy/modules/kernel/devices.te | 2 +- refpolicy/policy/modules/kernel/filesystem.te | 2 +- refpolicy/policy/modules/kernel/storage.if | 2 +- refpolicy/policy/modules/services/cron.if | 6 +- refpolicy/policy/modules/services/cron.te | 22 ++-- refpolicy/policy/modules/services/inetd.te | 6 +- refpolicy/policy/modules/services/mta.if | 2 +- refpolicy/policy/modules/services/mta.te | 14 +-- refpolicy/policy/modules/services/nis.te | 10 +- .../policy/modules/services/remotelogin.te | 2 +- refpolicy/policy/modules/services/sendmail.te | 4 +- refpolicy/policy/modules/services/ssh.if | 14 +-- refpolicy/policy/modules/services/ssh.te | 16 +-- refpolicy/policy/modules/system/authlogin.if | 2 +- refpolicy/policy/modules/system/authlogin.te | 18 +-- refpolicy/policy/modules/system/clock.te | 4 +- .../policy/modules/system/corecommands.te | 10 +- refpolicy/policy/modules/system/domain.if | 2 +- refpolicy/policy/modules/system/files.if | 67 +++++------ refpolicy/policy/modules/system/fstools.te | 4 +- refpolicy/policy/modules/system/getty.te | 4 +- refpolicy/policy/modules/system/hostname.te | 4 +- refpolicy/policy/modules/system/hotplug.te | 12 +- refpolicy/policy/modules/system/init.te | 20 ++-- refpolicy/policy/modules/system/iptables.te | 4 +- refpolicy/policy/modules/system/libraries.te | 14 +-- refpolicy/policy/modules/system/locallogin.te | 8 +- refpolicy/policy/modules/system/logging.if | 14 ++- refpolicy/policy/modules/system/logging.te | 14 +-- refpolicy/policy/modules/system/lvm.te | 12 +- refpolicy/policy/modules/system/miscfiles.te | 14 +-- refpolicy/policy/modules/system/modutils.if | 4 +- refpolicy/policy/modules/system/modutils.te | 20 ++-- refpolicy/policy/modules/system/mount.te | 2 +- .../policy/modules/system/selinuxutil.if | 6 +- .../policy/modules/system/selinuxutil.te | 18 +-- refpolicy/policy/modules/system/sysnetwork.te | 16 +-- refpolicy/policy/modules/system/udev.te | 10 +- refpolicy/policy/modules/system/userdomain.if | 113 +++++++++++++----- refpolicy/policy/modules/system/userdomain.te | 6 +- 49 files changed, 335 insertions(+), 275 deletions(-) diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index ead44ee5..21cee0d9 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -59,7 +59,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(dmesg_t) + seutil_sigchld_newrole(dmesg_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index e616644c..11022f8d 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -12,13 +12,13 @@ domain_obj_id_change_exempt(logrotate_t) role system_r types logrotate_t; type logrotate_exec_t; -files_file_type(logrotate_exec_t) +files_type(logrotate_exec_t) type logrotate_tmp_t; files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; -files_file_type(logrotate_var_lib_t) +files_type(logrotate_var_lib_t) ######################################## # @@ -76,13 +76,13 @@ domain_signal_all_domains(logrotate_t) domain_use_wide_inherit_fd(logrotate_t) files_read_usr_files(logrotate_t) -files_read_generic_etc_files(logrotate_t) +files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) -files_manage_generic_lock_files(logrotate_t) +files_manage_generic_locks(logrotate_t) files_read_all_pids(logrotate_t) # Write to /var/spool/slrnpull - should be moved into its own type. -files_manage_spools(logrotate_t) -files_manage_spool_dirs(logrotate_t) +files_manage_generic_spools(logrotate_t) +files_manage_generic_spool_dirs(logrotate_t) hostname_exec(logrotate_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index a6b8fb2e..05b30467 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -56,7 +56,7 @@ fs_getattr_xattr_fs(netutils_t) domain_use_wide_inherit_fd(netutils_t) -files_read_generic_etc_files(netutils_t) +files_read_etc_files(netutils_t) # for nscd files_dontaudit_search_var(netutils_t) @@ -110,7 +110,7 @@ fs_dontaudit_getattr_xattr_fs(ping_t) domain_use_wide_inherit_fd(ping_t) -files_read_generic_etc_files(ping_t) +files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) libs_use_ld_so(ping_t) @@ -166,7 +166,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_wide_inherit_fd(traceroute_t) -files_read_generic_etc_files(traceroute_t) +files_read_etc_files(traceroute_t) files_dontaudit_search_var(traceroute_t) libs_use_ld_so(traceroute_t) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 89c8eb8c..b5fc841b 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -14,7 +14,7 @@ domain_wide_inherit_fd(rpm_t) role system_r types rpm_t; type rpm_file_t; -files_file_type(rpm_file_t) +files_type(rpm_file_t) type rpm_tmp_t; files_tmp_file(rpm_tmp_t) @@ -26,7 +26,7 @@ type rpm_log_t; logging_log_file(rpm_log_t) type rpm_var_lib_t; -files_file_type(rpm_var_lib_t) +files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; type rpm_script_t; #, admin, privmem, priv_system_role; @@ -138,7 +138,7 @@ domain_exec_all_entry_files(rpm_t) domain_read_all_domains_state(rpm_t) domain_use_wide_inherit_fd(rpm_t) -files_exec_generic_etc_files(rpm_t) +files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -287,7 +287,7 @@ domain_exec_all_entry_files(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -files_exec_generic_etc_files(rpm_script_t) +files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) init_domtrans_script(rpm_script_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 9c01380b..93cb52af 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -7,7 +7,7 @@ policy_module(usermanage,1.0) # type admin_passwd_exec_t; -files_file_type(admin_passwd_exec_t) +files_type(admin_passwd_exec_t) type chfn_t; domain_obj_id_change_exempt(chfn_t) @@ -24,7 +24,7 @@ type crack_exec_t; domain_entry_file(crack_t,crack_exec_t) type crack_db_t; #, usercanread; -files_file_type(crack_db_t) +files_type(crack_db_t) type crack_tmp_t; files_tmp_file(crack_tmp_t) @@ -49,7 +49,7 @@ domain_type(sysadm_passwd_t) domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t) type sysadm_passwd_tmp_t; -files_file_type(sysadm_passwd_tmp_t) +files_type(sysadm_passwd_tmp_t) type useradd_t; # nscd_client_domain; type useradd_exec_t; @@ -95,7 +95,7 @@ dev_read_urand(chfn_t) domain_use_wide_inherit_fd(chfn_t) -files_manage_generic_etc_files(chfn_t) +files_manage_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) @@ -165,7 +165,7 @@ dev_read_urand(crack_t) fs_getattr_xattr_fs(crack_t) -files_read_generic_etc_files(crack_t) +files_read_etc_files(crack_t) files_read_etc_runtime_files(crack_t) # for dictionaries files_read_usr_files(crack_t) @@ -228,7 +228,7 @@ init_dontaudit_write_script_pid(groupadd_t) domain_use_wide_inherit_fd(groupadd_t) -files_manage_generic_etc_files(groupadd_t) +files_manage_etc_files(groupadd_t) libs_use_ld_so(groupadd_t) libs_use_shared_libs(groupadd_t) @@ -306,7 +306,7 @@ init_dontaudit_rw_script_pid(passwd_t) domain_use_wide_inherit_fd(passwd_t) files_read_etc_runtime_files(passwd_t) -files_manage_generic_etc_files(passwd_t) +files_manage_etc_files(passwd_t) files_search_var(passwd_t) libs_use_ld_so(passwd_t) @@ -405,7 +405,7 @@ files_read_usr_files(sysadm_passwd_t) domain_use_wide_inherit_fd(sysadm_passwd_t) -files_manage_generic_etc_files(sysadm_passwd_t) +files_manage_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate @@ -496,7 +496,7 @@ corecmd_exec_sbin(useradd_t) domain_use_wide_inherit_fd(useradd_t) -files_manage_generic_etc_files(useradd_t) +files_manage_etc_files(useradd_t) init_use_fd(useradd_t) init_rw_script_pid(useradd_t) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index fdd16906..2ceb904a 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -44,7 +44,7 @@ template(`gpg_per_userdomain_template',` files_tmp_file($1_gpg_agent_tmp_t) type $1_gpg_secret_t; #, $1_file_type; - files_file_type($1_gpg_secret_t) + files_type($1_gpg_secret_t) type $1_gpg_helper_t; domain_type($1_gpg_helper_t) @@ -95,7 +95,7 @@ template(`gpg_per_userdomain_template',` fs_getattr_xattr_fs($1_gpg_t) - files_read_generic_etc_files($1_gpg_t) + files_read_etc_files($1_gpg_t) files_read_usr_files($1_gpg_t) libs_use_shared_libs($1_gpg_t) @@ -210,7 +210,7 @@ template(`gpg_per_userdomain_template',` dev_read_urand($1_gpg_helper_t) - files_read_generic_etc_files($1_gpg_helper_t) + files_read_etc_files($1_gpg_helper_t) # for nscd files_dontaudit_search_var($1_gpg_helper_t) @@ -322,7 +322,7 @@ template(`gpg_per_userdomain_template',` files_read_usr_files($1_gpg_pinentry_t) # read /etc/X11/qtrc - files_read_generic_etc_files($1_gpg_pinentry_t) + files_read_etc_files($1_gpg_pinentry_t) libs_use_ld_so($1_gpg_pinentry_t) libs_use_shared_libs($1_gpg_pinentry_t) diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te index 15154b9c..1097ac2f 100644 --- a/refpolicy/policy/modules/apps/gpg.te +++ b/refpolicy/policy/modules/apps/gpg.te @@ -9,16 +9,16 @@ policy_module(gpg, 1.0) # Type for gpg or pgp executables. type gpg_exec_t; type gpg_helper_exec_t; -files_file_type(gpg_exec_t) -files_file_type(gpg_helper_exec_t) +files_type(gpg_exec_t) +files_type(gpg_helper_exec_t) # Type for the gpg-agent executable. type gpg_agent_exec_t; -files_file_type(gpg_agent_exec_t) +files_type(gpg_agent_exec_t) # type for the pinentry executable type pinentry_exec_t; -files_file_type(pinentry_exec_t) +files_type(pinentry_exec_t) #allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; #allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 920b229c..bd870912 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -59,7 +59,7 @@ interface(`bootloader_run',` ## The type of the process performing this action. ## # -interface(`bootloader_search_boot_dir',` +interface(`bootloader_search_boot',` gen_require(` type boot_t; class dir search; @@ -362,9 +362,9 @@ interface(`bootloader_manage_kernel_modules',` ######################################## # -# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)]) +# bootloader_create_modules(domain,privatetype,[class(es)]) # -interface(`bootloader_create_private_module_dir_entry',` +interface(`bootloader_create_modules',` gen_require(` type modules_object_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index ae1d044d..4b17b780 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -12,7 +12,7 @@ attribute rw_kern_modules; # boot_t is the type for files in /boot # type boot_t; -files_file_type(boot_t) +files_type(boot_t) files_mountpoint(boot_t) # @@ -21,7 +21,7 @@ files_mountpoint(boot_t) # only for Red Hat # type boot_runtime_t; -files_file_type(boot_runtime_t) +files_type(boot_runtime_t) type bootloader_t; domain_type(bootloader_t) @@ -35,7 +35,7 @@ domain_entry_file(bootloader_t,bootloader_exec_t) # grub.conf, lilo.conf, etc. # type bootloader_etc_t alias etc_bootloader_t; -files_file_type(bootloader_etc_t) +files_type(bootloader_etc_t) # # The temp file is used for initrd creation; @@ -47,7 +47,7 @@ dev_node(bootloader_tmp_t) # kernel modules type modules_object_t; -files_file_type(modules_object_t) +files_type(modules_object_t) neverallow ~rw_kern_modules modules_object_t:file { create append write }; @@ -55,7 +55,7 @@ neverallow ~rw_kern_modules modules_object_t:file { create append write }; # system_map_t is for the system.map files in /boot # type system_map_t; -files_file_type(system_map_t) +files_type(system_map_t) ######################################## # @@ -122,11 +122,11 @@ libs_use_ld_so(bootloader_t) libs_use_shared_libs(bootloader_t) libs_read_lib(bootloader_t) -files_read_generic_etc_files(bootloader_t) +files_read_etc_files(bootloader_t) files_read_etc_runtime_files(bootloader_t) -files_read_usr_src(bootloader_t) +files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) -files_read_var_file(bootloader_t) +files_read_var_files(bootloader_t) # for nscd files_dontaudit_search_pids(bootloader_t) @@ -185,7 +185,7 @@ optional_policy(`lvm.te',` optional_policy(`modutils.te',` modutils_exec_insmod(insmod_t) - modutils_read_kernel_module_dependencies(bootloader_t) + modutils_read_mods_deps(bootloader_t) modutils_read_module_conf(bootloader_t) modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 8a450605..0e776ab1 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -9,7 +9,7 @@ attribute memory_raw_write; # device_t is the type of /dev. # type device_t; -files_file_type(device_t) +files_type(device_t) files_mountpoint(device_t) fs_associate_tmpfs(device_t) diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 42edcd8d..fa8fc1bf 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0) # tmpfs_t is the type for tmpfs filesystems # type tmpfs_t, filesystem_type; -files_file_type(tmpfs_t) +files_type(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index b2682a0f..996a029d 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -128,7 +128,7 @@ interface(`storage_raw_write_fixed_disk',` ## The type of the process performing this action. ## # -interface(`storage_create_fixed_disk_dev_entry',` +interface(`storage_create_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 5c13c285..ade0f6d7 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -25,7 +25,7 @@ template(`cron_per_userdomain_template',` # Type of user crontabs once moved to cron spool. type $1_cron_spool_t; - files_file_type($1_cron_spool_t) + files_type($1_cron_spool_t) type $1_crond_t; # user_crond_domain; domain_type($1_crond_t); @@ -92,7 +92,7 @@ template(`cron_per_userdomain_template',` domain_exec_all_entry_files($1_crond_t) files_read_usr_files($1_crond_t) - files_exec_generic_etc_files($1_crond_t) + files_exec_etc_files($1_crond_t) # for nscd: files_dontaudit_search_pids($1_crond_t) @@ -176,7 +176,7 @@ template(`cron_per_userdomain_template',` domain_use_wide_inherit_fd($1_crontab_t) - files_read_generic_etc_files($1_crontab_t) + files_read_etc_files($1_crontab_t) libs_use_ld_so($1_crontab_t) libs_use_shared_libs($1_crontab_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 4d1ea1b4..bf07c9ef 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -7,10 +7,10 @@ policy_module(cron, 1.0) # type anacron_exec_t; -files_file_type(anacron_exec_t) +files_type(anacron_exec_t) type cron_spool_t; -files_file_type(cron_spool_t) +files_type(cron_spool_t) type crond_t; #, privmail, nscd_client_domain type crond_exec_t; @@ -27,7 +27,7 @@ type crond_var_run_t; files_pid_file(crond_var_run_t) type crontab_exec_t; -files_file_type(crontab_exec_t) +files_type(crontab_exec_t) type system_cron_spool_t; type system_crond_t; #, privmail, nscd_client_domain; @@ -99,8 +99,8 @@ corecmd_list_sbin(crond_t) domain_use_wide_inherit_fd(crond_t) -files_read_generic_etc_files(crond_t) -files_read_spools(crond_t) +files_read_etc_files(crond_t) +files_read_generic_spools(crond_t) init_use_fd(crond_t) init_use_script_pty(crond_t) @@ -112,7 +112,7 @@ logging_send_syslog_msg(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -seutil_newrole_sigchld(crond_t) +seutil_sigchld_newrole(crond_t) miscfiles_read_localization(crond_t) @@ -206,7 +206,7 @@ allow system_crond_t crond_t:process sigchld; # Write /var/lock/makewhatis.lock. allow system_crond_t system_crond_lock_t:file create_file_perms; -files_create_lock_file(system_crond_t,system_crond_lock_t) +files_create_lock(system_crond_t,system_crond_lock_t) # write temporary files allow system_crond_t system_crond_tmp_t:file create_file_perms; @@ -254,18 +254,18 @@ corecmd_exec_sbin(system_crond_t) domain_exec_all_entry_files(system_crond_t) -files_exec_generic_etc_files(system_crond_t) -files_read_generic_etc_files(system_crond_t) +files_exec_etc_files(system_crond_t) +files_read_etc_files(system_crond_t) files_read_etc_runtime_files(system_crond_t) files_list_all_dirs(system_crond_t) files_getattr_all_files(system_crond_t) files_read_usr_files(system_crond_t) -files_read_var_file(system_crond_t) +files_read_var_files(system_crond_t) # for nscd: files_dontaudit_search_pids(system_crond_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. -files_manage_spools(system_crond_t) +files_manage_generic_spools(system_crond_t) init_use_fd(system_crond_t) init_use_script_fd(system_crond_t) diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index b59177ca..97e792df 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -94,7 +94,7 @@ corecmd_read_sbin_symlink(inetd_t) domain_use_wide_inherit_fd(inetd_t) -files_read_generic_etc_files(inetd_t) +files_read_etc_files(inetd_t) init_use_fd(inetd_t) init_use_script_pty(inetd_t) @@ -121,7 +121,7 @@ optional_policy(`mount.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(inetd_t) + seutil_sigchld_newrole(inetd_t) ') optional_policy(`udev.te', ` @@ -199,7 +199,7 @@ dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -files_read_generic_etc_files(inetd_child_t) +files_read_etc_files(inetd_child_t) libs_use_ld_so(inetd_child_t) libs_use_shared_libs(inetd_child_t) diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index f1565410..1773fa88 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -54,7 +54,7 @@ template(`mta_per_userdomain_template',` corecmd_exec_bin($1_mail_t) - files_read_generic_etc_files($1_mail_t) + files_read_etc_files($1_mail_t) logging_send_syslog_msg($1_mail_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 0ac3e9f2..3258ffce 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -7,21 +7,21 @@ policy_module(mta,1.0) # type etc_aliases_t; -files_file_type(etc_aliases_t) +files_type(etc_aliases_t) type etc_mail_t; -files_file_type(etc_mail_t) +files_type(etc_mail_t) attribute mailserver_domain; type mqueue_spool_t; -files_file_type(mqueue_spool_t) +files_type(mqueue_spool_t) type mail_spool_t; -files_file_type(mail_spool_t) +files_type(mail_spool_t) type sendmail_exec_t; -files_file_type(sendmail_exec_t) +files_type(sendmail_exec_t) type system_mail_t; #, user_mail_domain, nscd_client_domain; domain_type(system_mail_t) @@ -67,7 +67,7 @@ fs_getattr_xattr_fs(system_mail_t) init_use_script_pty(system_mail_t) files_read_etc_runtime_files(system_mail_t) -files_read_generic_etc_files(system_mail_t) +files_read_etc_files(system_mail_t) # It wants to check for nscd files_dontaudit_search_pids(system_mail_t) @@ -146,7 +146,7 @@ ifdef(`targeted_policy', ` ifdef(`postfix.te', `', ` domain_exec_all_entry_files(system_mail_t) -files_exec_generic_etc_files(system_mail_t) +files_exec_etc_files(system_mail_t) corecmd_exec_bin(system_mail_t) corecmd_exec_sbin(system_mail_t) libs_use_ld_so(system_mail_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index c5745eff..f7e0fa94 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -7,7 +7,7 @@ policy_module(nis,1.0) # type var_yp_t; -files_file_type(var_yp_t) +files_type(var_yp_t) type ypbind_t; type ypbind_exec_t; @@ -24,7 +24,7 @@ type ypserv_exec_t; init_daemon_domain(ypserv_t,ypserv_exec_t) type ypserv_conf_t; -files_file_type(ypserv_conf_t) +files_type(ypserv_conf_t) type ypserv_tmp_t; files_tmp_file(ypserv_tmp_t) @@ -83,7 +83,7 @@ term_dontaudit_use_console(ypbind_t) domain_use_wide_inherit_fd(ypbind_t) -files_read_generic_etc_files(ypbind_t) +files_read_etc_files(ypbind_t) init_use_fd(ypbind_t) init_use_script_pty(ypbind_t) @@ -111,7 +111,7 @@ optional_policy(`mount.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(ypbind_t) + seutil_sigchld_newrole(ypbind_t) ') optional_policy(`udev.te', ` @@ -200,7 +200,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(ypserv_t) + seutil_sigchld_newrole(ypserv_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 4c5a5b70..d1c4d85f 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -65,7 +65,7 @@ auth_manage_pam_console_data(remote_login_t) domain_read_all_entry_files(remote_login_t) -files_read_generic_etc_files(remote_login_t) +files_read_etc_files(remote_login_t) files_read_etc_runtime_files(remote_login_t) files_list_home(remote_login_t) files_read_usr_files(remote_login_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 359b5ae3..57a48444 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -63,7 +63,7 @@ term_dontaudit_use_console(sendmail_t) domain_use_wide_inherit_fd(sendmail_t) -files_read_generic_etc_files(sendmail_t) +files_read_etc_files(sendmail_t) files_search_spool(sendmail_t) init_use_fd(sendmail_t) @@ -100,7 +100,7 @@ optional_policy(`nis.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(sendmail_t) + seutil_sigchld_newrole(sendmail_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 0369e9dd..2635c898 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -28,7 +28,7 @@ template(`ssh_per_userdomain_template',` # type $1_home_ssh_t; #, $1_file_type; - files_file_type($1_home_ssh_t) + files_type($1_home_ssh_t) role $1_r types $1_ssh_t; type $1_ssh_t; #, nscd_client_domain; @@ -109,7 +109,7 @@ template(`ssh_per_userdomain_template',` files_list_home($1_ssh_t) files_read_usr_files($1_ssh_t) files_read_etc_runtime_files($1_ssh_t) - files_read_generic_etc_files($1_ssh_t) + files_read_etc_files($1_ssh_t) libs_use_ld_so($1_ssh_t) libs_use_shared_libs($1_ssh_t) @@ -248,7 +248,7 @@ template(`ssh_per_userdomain_template',` domain_use_wide_inherit_fd($1_ssh_agent_t) - files_read_generic_etc_files($1_ssh_agent_t) + files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) libs_read_lib($1_ssh_agent_t) @@ -343,11 +343,11 @@ template(`ssh_per_userdomain_template',` ##

## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the server domain (e.g., sshd +## is the prefix for sshd_t). ## # -template(`sshd_program_domain', ` +template(`ssh_server_template', ` type $1_t, ssh_server; #, nscd_client_domain; role system_r types $1_t; @@ -413,7 +413,7 @@ template(`sshd_program_domain', ` domain_role_change_exempt($1_t) domain_obj_id_change_exempt($1_t) - files_read_generic_etc_files($1_t) + files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) init_rw_script_pid($1_t) diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 9b25e36c..8ecd0a7d 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -10,18 +10,18 @@ attribute ssh_server; # Type for the ssh-agent executable. type ssh_agent_exec_t; -files_file_type(ssh_agent_exec_t) +files_type(ssh_agent_exec_t) # ssh client executable. type ssh_exec_t; -files_file_type(ssh_exec_t) +files_type(ssh_exec_t) type ssh_keygen_t; type ssh_keygen_exec_t; init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t) role system_r types ssh_keygen_t; -sshd_program_domain(sshd) +ssh_server_template(sshd) optional_policy(`inetd.te',` # CJP: commenting this out until typeattribute works in a conditional @@ -37,12 +37,12 @@ optional_policy(`inetd.te',` ') type sshd_exec_t; -files_file_type(sshd_exec_t) +files_type(sshd_exec_t) -sshd_program_domain(sshd_extern) +ssh_server_template(sshd_extern) type sshd_key_t; -files_file_type(sshd_key_t) +files_type(sshd_key_t) type sshd_tmp_t; files_tmp_file(sshd_tmp_t) @@ -191,7 +191,7 @@ term_dontaudit_use_console(ssh_keygen_t) domain_use_wide_inherit_fd(ssh_keygen_t) -files_read_generic_etc_files(ssh_keygen_t) +files_read_etc_files(ssh_keygen_t) init_use_fd(ssh_keygen_t) init_use_script_pty(ssh_keygen_t) @@ -222,7 +222,7 @@ optional_policy(`rhgb.te', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(ssh_keygen_t) + seutil_sigchld_newrole(ssh_keygen_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 6fcb4d0e..91436bd2 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -57,7 +57,7 @@ template(`authlogin_per_userdomain_template',` libs_use_ld_so($1_chkpwd_t) libs_use_shared_libs($1_chkpwd_t) - files_read_generic_etc_files($1_chkpwd_t) + files_read_etc_files($1_chkpwd_t) # for nscd files_dontaudit_search_var($1_chkpwd_t) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index c33677c9..b13fd9c8 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -11,7 +11,7 @@ attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; type chkpwd_exec_t; -files_file_type(chkpwd_exec_t) +files_type(chkpwd_exec_t) type faillog_t; logging_log_file(faillog_t) @@ -20,7 +20,7 @@ type lastlog_t; logging_log_file(lastlog_t) type login_exec_t; -files_file_type(login_exec_t) +files_type(login_exec_t) type pam_console_t; type pam_console_exec_t; @@ -40,13 +40,13 @@ type pam_tmp_t; files_tmp_file(pam_tmp_t) type pam_var_console_t; #, nscd_client_domain -files_file_type(pam_var_console_t) +files_type(pam_var_console_t) type pam_var_run_t; files_pid_file(pam_var_run_t) type shadow_t; -files_file_type(shadow_t) +files_type(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; @@ -100,7 +100,7 @@ term_use_all_user_ptys(pam_t) init_dontaudit_rw_script_pid(pam_t) -files_read_generic_etc_files(pam_t) +files_read_etc_files(pam_t) files_list_pids(pam_t) libs_use_ld_so(pam_t) @@ -172,7 +172,7 @@ term_setattr_unallocated_ttys(pam_console_t) domain_use_wide_inherit_fd(pam_console_t) -files_read_generic_etc_files(pam_console_t) +files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) @@ -204,7 +204,7 @@ optional_policy(`hotplug.te', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(pam_console_t) + seutil_sigchld_newrole(pam_console_t) ') optional_policy(`udev.te', ` @@ -244,7 +244,7 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t) term_use_unallocated_tty(system_chkpwd_t) -files_read_generic_etc_files(system_chkpwd_t) +files_read_etc_files(system_chkpwd_t) # for nscd files_dontaudit_search_var(system_chkpwd_t) @@ -297,7 +297,7 @@ term_dontaudit_use_ptmx(utempter_t) init_rw_script_pid(utempter_t) -files_read_generic_etc_files(utempter_t) +files_read_etc_files(utempter_t) domain_use_wide_inherit_fd(utempter_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 5833654d..71bcd634 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -7,7 +7,7 @@ policy_module(clock,1.0) # type adjtime_t; -files_file_type(adjtime_t) +files_type(adjtime_t) type hwclock_t; type hwclock_exec_t; @@ -65,7 +65,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(hwclock_t) + seutil_sigchld_newrole(hwclock_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 8c49c977..712367ff 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -5,25 +5,25 @@ policy_module(corecommands,1.0) # bin_t is the type of files in the system bin directories. # type bin_t; -files_file_type(bin_t) +files_type(bin_t) # # sbin_t is the type of files in the system sbin directories. # type sbin_t; -files_file_type(sbin_t) +files_type(sbin_t) # # ls_exec_t is the type of the ls program. # type ls_exec_t; -files_file_type(ls_exec_t) +files_type(ls_exec_t) # # shell_exec_t is the type of user shells such as /bin/bash. # type shell_exec_t; -files_file_type(shell_exec_t) +files_type(shell_exec_t) type chroot_exec_t; -files_file_type(chroot_exec_t) +files_type(chroot_exec_t) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index b77214bc..2675b4a6 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -61,7 +61,7 @@ interface(`domain_entry_file',` class file entrypoint; ') - files_file_type($2) + files_type($2) allow $1 $2:file entrypoint; typeattribute $2 entry_type; ') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index c28b1fb8..1e285b35 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -17,9 +17,9 @@ ######################################## # -# files_file_type(type) +# files_type(type) # -interface(`files_file_type',` +interface(`files_type',` gen_require(` attribute file_type; ') @@ -38,7 +38,7 @@ interface(`files_lock_file',` attribute lockfile; ') - files_file_type($1) + files_type($1) typeattribute $1 lockfile; ') @@ -51,7 +51,7 @@ interface(`files_mountpoint',` attribute mountpoint; ') - files_file_type($1) + files_type($1) typeattribute $1 mountpoint; ') @@ -64,7 +64,7 @@ interface(`files_pid_file',` attribute pidfile; ') - files_file_type($1) + files_type($1) typeattribute $1 pidfile; ') @@ -77,7 +77,7 @@ interface(`files_tmp_file',` attribute tmpfile; ') - files_file_type($1) + files_type($1) typeattribute $1 tmpfile; ') @@ -95,7 +95,7 @@ interface(`files_tmpfs_file',` attribute tmpfsfile; ') - files_file_type($1) + files_type($1) fs_associate_tmpfs($1) typeattribute $1 tmpfsfile; ') @@ -439,9 +439,9 @@ interface(`files_list_etc',` ######################################## # -# files_read_generic_etc_files(domain) +# files_read_etc_files(domain) # -interface(`files_read_generic_etc_files',` +interface(`files_read_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; @@ -456,9 +456,9 @@ interface(`files_read_generic_etc_files',` ######################################## # -# files_rw_generic_etc_files(domain) +# files_rw_etc_files(domain) # -interface(`files_rw_generic_etc_files',` +interface(`files_rw_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; @@ -473,9 +473,9 @@ interface(`files_rw_generic_etc_files',` ######################################## # -# files_manage_generic_etc_files(domain) +# files_manage_etc_files(domain) # -interface(`files_manage_generic_etc_files',` +interface(`files_manage_etc_files',` gen_require(` type etc_t; class dir rw_dir_perms; @@ -496,7 +496,7 @@ interface(`files_manage_generic_etc_files',` ## The type of the process performing this action. ## # -interface(`files_delete_generic_etc_files',` +interface(`files_delete_etc_files',` gen_require(` type etc_t; class dir rw_dir_perms; @@ -509,9 +509,9 @@ interface(`files_delete_generic_etc_files',` ######################################## # -# files_exec_generic_etc_files(domain) +# files_exec_etc_files(domain) # -interface(`files_exec_generic_etc_files',` +interface(`files_exec_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; @@ -591,7 +591,6 @@ interface(`files_create_etc_config',` ') ') - ######################################## ## ## Do not audit attempts to search directories on new filesystems @@ -908,9 +907,9 @@ interface(`files_exec_usr_files',` ######################################## # -# files_read_usr_src(domain) +# files_read_usr_src_files(domain) # -interface(`files_read_usr_src',` +interface(`files_read_usr_src_files',` gen_require(` type usr_t, src_t; class dir r_dir_perms; @@ -957,7 +956,7 @@ interface(`files_dontaudit_search_var',` ## The type of the process performing this action. ## # -interface(`files_read_var_file',` +interface(`files_read_var_files',` gen_require(` type var_t; class dir search; @@ -1003,9 +1002,9 @@ interface(`files_manage_urandom_seed',` ######################################## # -# files_getattr_generic_lock_files(domain) +# files_getattr_generic_locks(domain) # -interface(`files_getattr_generic_lock_files',` +interface(`files_getattr_generic_locks',` gen_require(` type var_lock_t; class dir r_dir_perms; @@ -1018,9 +1017,9 @@ interface(`files_getattr_generic_lock_files',` ######################################## # -# files_manage_generic_lock_files(domain) +# files_manage_generic_locks(domain) # -interface(`files_manage_generic_lock_files',` +interface(`files_manage_generic_locks',` gen_require(` type var_lock_t; class dir { getattr search create read write setattr add_name remove_name rmdir }; @@ -1033,9 +1032,9 @@ interface(`files_manage_generic_lock_files',` ######################################## # -# files_delete_all_lock_files(domain) +# files_delete_all_locks(domain) # -interface(`files_delete_all_lock_files',` +interface(`files_delete_all_locks',` gen_require(` attribute lockfile; class dir rw_dir_perms; @@ -1048,9 +1047,9 @@ interface(`files_delete_all_lock_files',` ######################################## # -# files_create_lock_file(domain,private_type,[object class(es)]) +# files_create_lock(domain,private_type,[object class(es)]) # -interface(`files_create_lock_file',` +interface(`files_create_lock',` gen_require(` type var_t, var_lock_t; class dir rw_dir_perms; @@ -1246,9 +1245,9 @@ interface(`files_list_spool',` ######################################## # -# files_manage_spool_dirs(domain) +# files_manage_generic_spool_dirs(domain) # -interface(`files_manage_spool_dirs',` +interface(`files_manage_generic_spool_dirs',` gen_require(` type var_t, var_spool_t; class dir create_dir_perms; @@ -1260,9 +1259,9 @@ interface(`files_manage_spool_dirs',` ######################################## # -# files_read_spools(domain) +# files_read_generic_spools(domain) # -interface(`files_read_spools',` +interface(`files_read_generic_spools',` gen_require(` type var_t, var_spool_t; class dir r_dir_perms; @@ -1276,9 +1275,9 @@ interface(`files_read_spools',` ######################################## # -# files_manage_spools(domain) +# files_manage_generic_spools(domain) # -interface(`files_manage_spools',` +interface(`files_manage_generic_spools',` gen_require(` type var_t, var_spool_t; class dir rw_dir_perms; diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 17eae076..643195cc 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -14,7 +14,7 @@ type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) type swapfile_t; -files_file_type(swapfile_t) +files_type(swapfile_t) ######################################## @@ -73,7 +73,7 @@ domain_use_wide_inherit_fd(fsadm_t) files_list_home(fsadm_t) files_read_usr_files(fsadm_t) -files_read_generic_etc_files(fsadm_t) +files_read_etc_files(fsadm_t) files_list_mnt(fsadm_t) files_manage_lost_found(fsadm_t) # Write to /etc/mtab. diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 235375ed..8aaa31a9 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -59,9 +59,9 @@ auth_rw_login_records(getty_t) corecmd_search_bin(getty_t) files_rw_generic_pids(getty_t) -files_manage_generic_lock_files(getty_t) +files_manage_generic_locks(getty_t) files_read_etc_runtime_files(getty_t) -files_read_generic_etc_files(getty_t) +files_read_etc_files(getty_t) init_rw_script_pid(getty_t) init_use_script_pty(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 0605871b..68d95a55 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -41,7 +41,7 @@ init_use_script_pty(hostname_t) domain_use_wide_inherit_fd(hostname_t) -files_read_generic_etc_files(hostname_t) +files_read_etc_files(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(hostname_t) @@ -81,7 +81,7 @@ optional_policy(`hotplug.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(hostname_t) + seutil_sigchld_newrole(hostname_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index ecb0dca2..a3587229 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -12,7 +12,7 @@ kernel_userland_entry(hotplug_t,hotplug_exec_t) init_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; -files_file_type(hotplug_etc_t) +files_type(hotplug_etc_t) type hotplug_var_run_t; files_pid_file(hotplug_var_run_t) @@ -78,9 +78,9 @@ corecmd_exec_sbin(hotplug_t) domain_use_wide_inherit_fd(hotplug_t) -files_read_generic_etc_files(hotplug_t) +files_read_etc_files(hotplug_t) files_manage_etc_runtime_files(hotplug_t) -files_exec_generic_etc_files(hotplug_t) +files_exec_etc_files(hotplug_t) # for when filesystems are not mounted early in the boot: files_dontaudit_search_isid_type_dir(hotplug_t) @@ -102,7 +102,7 @@ libs_use_shared_libs(hotplug_t) libs_read_lib(hotplug_t) modutils_domtrans_insmod(hotplug_t) -modutils_read_kernel_module_dependencies(hotplug_t) +modutils_read_mods_deps(hotplug_t) miscfiles_read_localization(hotplug_t) @@ -118,7 +118,7 @@ ifdef(`distro_redhat', ` netutils_domtrans(hotplug_t) fs_use_tmpfs_character_devices(hotplug_t) ') - files_getattr_generic_lock_files(hotplug_t) + files_getattr_generic_locks(hotplug_t) ') ifdef(`targeted_policy', ` @@ -152,7 +152,7 @@ optional_policy(`nis.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(hotplug_t) + seutil_sigchld_newrole(hotplug_t) ') optional_policy(`sysnetwork.te',` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 688df508..114b50d9 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -32,7 +32,7 @@ files_pid_file(init_var_run_t) # to communicate with init. # type initctl_t; -files_file_type(initctl_t) +files_type(initctl_t) type initrc_t; domain_type(initrc_t) @@ -50,7 +50,7 @@ type initrc_var_run_t; files_pid_file(initrc_var_run_t) type initrc_state_t; -files_file_type(initrc_state_t) +files_type(initrc_state_t) type initrc_tmp_t; files_tmp_file(initrc_tmp_t) @@ -108,12 +108,12 @@ domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) -files_read_generic_etc_files(init_t) +files_read_etc_files(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dir(init_t) files_manage_etc_runtime_files(init_t) # Run /etc/X11/prefdm: -files_exec_generic_etc_files(init_t) +files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_file(init_t) files_dontaudit_rw_root_chr_dev(init_t) @@ -260,16 +260,16 @@ domain_dontaudit_getattr_all_unnamed_pipes(initrc_t) files_getattr_all_files(initrc_t) files_delete_all_tmp_files(initrc_t) -files_delete_all_lock_files(initrc_t) +files_delete_all_locks(initrc_t) files_read_all_pids(initrc_t) files_delete_all_pids(initrc_t) -files_read_generic_etc_files(initrc_t) +files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) -files_manage_generic_lock_files(initrc_t) -files_exec_generic_etc_files(initrc_t) +files_manage_generic_locks(initrc_t) +files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -files_manage_spools(initrc_t) +files_manage_generic_spools(initrc_t) libs_rw_ld_so_cache(initrc_t) libs_use_ld_so(initrc_t) @@ -340,7 +340,7 @@ optional_policy(`hotplug.te',` # init scripts run /etc/hotplug/usb.rc hotplug_read_config(initrc_t) - modutils_read_kernel_module_dependencies(initrc_t) + modutils_read_mods_deps(initrc_t) ') optional_policy(`lvm.te',` diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 27e8af25..9baa855f 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -52,7 +52,7 @@ term_dontaudit_use_console(iptables_t) domain_use_wide_inherit_fd(iptables_t) -files_read_generic_etc_files(iptables_t) +files_read_etc_files(iptables_t) init_use_fd(iptables_t) init_use_script_pty(iptables_t) @@ -103,7 +103,7 @@ optional_policy(`nis.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(iptables_t) + seutil_sigchld_newrole(iptables_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 9064a918..9243b74a 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -10,33 +10,33 @@ policy_module(libraries,1.0) # ld_so_cache_t is the type of /etc/ld.so.cache. # type ld_so_cache_t; -files_file_type(ld_so_cache_t) +files_type(ld_so_cache_t) # # ld_so_t is the type of the system dynamic loaders. # type ld_so_t; -files_file_type(ld_so_t) +files_type(ld_so_t) # # lib_t is the type of files in the system lib directories. # type lib_t; -files_file_type(lib_t) +files_type(lib_t) # # shlib_t is the type of shared objects in the system lib # directories. # type shlib_t; -files_file_type(shlib_t) +files_type(shlib_t) # # texrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. # type texrel_shlib_t; -files_file_type(texrel_shlib_t) +files_type(texrel_shlib_t) ######################################## # @@ -65,9 +65,9 @@ fs_getattr_xattr_fs(ldconfig_t) domain_use_wide_inherit_fd(ldconfig_t) files_search_var_lib(ldconfig_t) -files_read_generic_etc_files(ldconfig_t) +files_read_etc_files(ldconfig_t) # for when /etc/ld.so.cache is mislabeled: -files_delete_generic_etc_files(ldconfig_t) +files_delete_etc_files(ldconfig_t) init_use_script_pty(ldconfig_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 433c4f77..c8779a80 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -16,7 +16,7 @@ domain_wide_inherit_fd(local_login_t) role system_r types local_login_t; type local_login_tmp_t; -files_file_type(local_login_tmp_t) +files_type(local_login_tmp_t) type sulogin_t; type sulogin_exec_t; @@ -102,10 +102,10 @@ auth_manage_pam_console_data(local_login_t) domain_read_all_entry_files(local_login_t) -files_read_generic_etc_files(local_login_t) +files_read_etc_files(local_login_t) files_read_etc_runtime_files(local_login_t) files_read_usr_files(local_login_t) -files_manage_generic_lock_files(var_lock_t) +files_manage_generic_locks(var_lock_t) init_rw_script_pid(local_login_t) init_dontaudit_use_fd(local_login_t) @@ -223,7 +223,7 @@ kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -files_read_generic_etc_files(sulogin_t) +files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dir(sulogin_t) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 07a65c53..295cf62b 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -9,7 +9,7 @@ interface(`logging_log_file',` attribute logfile; ') - files_file_type($1) + files_type($1) typeattribute $1 logfile; ') @@ -143,10 +143,16 @@ interface(`logging_read_all_logs',` allow $1 logfile:file r_file_perms; ') -####################################### -# -# logging_exec_all_logs(domain) +######################################## +## +## Execute all log files in the caller domain. +## +## +## The type of the process performing this action. +## # +# cjp: not sure why this is needed. This was added +# because of logrotate. interface(`logging_exec_all_logs',` gen_require(` attribute logfile; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 4838db1e..134e4112 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -19,7 +19,7 @@ type auditd_var_run_t; files_pid_file(auditd_var_run_t) type devlog_t; -files_file_type(devlog_t) +files_type(devlog_t) type klogd_t; type klogd_exec_t; @@ -42,7 +42,7 @@ type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) type var_log_t, logfile; -files_file_type(var_log_t) +files_type(var_log_t) ######################################## # @@ -72,7 +72,7 @@ init_use_script_pty(auditd_t) domain_use_wide_inherit_fd(auditd_t) -files_read_generic_etc_files(auditd_t) +files_read_etc_files(auditd_t) logging_send_syslog_msg(auditd_t) @@ -90,7 +90,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(auditd_t) + seutil_sigchld_newrole(auditd_t) ') optional_policy(`udev.te', ` @@ -139,7 +139,7 @@ fs_getattr_all_fs(klogd_t) files_create_pid(klogd_t,klogd_var_run_t) files_read_etc_runtime_files(klogd_t) # read /etc/nsswitch.conf -files_read_generic_etc_files(klogd_t) +files_read_etc_files(klogd_t) init_use_fd(klogd_t) @@ -219,7 +219,7 @@ init_use_script_pty(syslogd_t) domain_use_wide_inherit_fd(syslogd_t) -files_read_generic_etc_files(syslogd_t) +files_read_etc_files(syslogd_t) libs_use_ld_so(syslogd_t) libs_use_shared_libs(syslogd_t) @@ -262,7 +262,7 @@ optional_policy(`nis.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(syslogd_t) + seutil_sigchld_newrole(syslogd_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 35098c4d..78d6f0fe 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -15,13 +15,13 @@ domain_obj_id_change_exempt(lvm_t) role system_r types lvm_t; type lvm_etc_t; -files_file_type(lvm_etc_t) +files_type(lvm_etc_t) type lvm_lock_t; files_lock_file(lvm_lock_t) type lvm_metadata_t; -files_file_type(lvm_metadata_t) +files_type(lvm_metadata_t) type lvm_tmp_t; files_tmp_file(lvm_tmp_t) @@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t) # Creating lock files allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; -files_create_lock_file(lvm_t,lvm_lock_t) +files_create_lock(lvm_t,lvm_lock_t) allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms; @@ -111,7 +111,7 @@ storage_relabel_fixed_disk(lvm_t) # depending on its version # LVM(2) needs to create directores (/dev/mapper, /dev/) # and links from /dev/ to /dev/mapper/- -storage_create_fixed_disk_dev_entry(lvm_t) +storage_create_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -123,7 +123,7 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t) domain_use_wide_inherit_fd(lvm_t) files_search_var(lvm_t) -files_read_generic_etc_files(lvm_t) +files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(lvm_t) @@ -141,7 +141,7 @@ miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) -seutil_newrole_sigchld(lvm_t) +seutil_sigchld_newrole(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index c275451e..6a4d3dd7 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -5,41 +5,41 @@ policy_module(miscfiles,1.0) # catman_t is the type for /var/catman. # type catman_t; # , tmpfile; -files_file_type(catman_t) +files_type(catman_t) # # cert_t is the type of files in the system certs directories. # type cert_t; -files_file_type(cert_t) +files_type(cert_t) # # fonts_t is the type of various font # files in /usr # type fonts_t; -files_file_type(fonts_t) +files_type(fonts_t) # # locale_t is the type for system localization # type locale_t; -files_file_type(locale_t) +files_type(locale_t) # # man_t is the type for the man directories. # type man_t; -files_file_type(man_t) +files_type(man_t) # # Base type for the tests directory. # type test_file_t; -files_file_type(test_file_t) +files_type(test_file_t) # # for /var/{spool,lib}/texmf index files # type tetex_data_t; # , tmpfile; -files_file_type(tetex_data_t) +files_type(tetex_data_t) diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index eb6d9273..199619de 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -8,7 +8,7 @@ ## The type of the process performing this action. ## # -interface(`modutils_read_kernel_module_dependencies',` +interface(`modutils_read_mods_deps',` gen_require(` type modules_dep_t; class file r_file_perms; @@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',` # This file type can be in /etc or # /lib(64)?/modules files_search_etc($1) - bootloader_search_boot_dir($1) + bootloader_search_boot($1) allow $1 modules_conf_t:file r_file_perms; ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index d03abd92..02f28338 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -8,11 +8,11 @@ policy_module(modutils,1.0) # module loading config type modules_conf_t; -files_file_type(modules_conf_t) +files_type(modules_conf_t) # module dependencies type modules_dep_t; -files_file_type(modules_dep_t) +files_type(modules_dep_t) type insmod_t; type insmod_exec_t; @@ -78,9 +78,9 @@ domain_signal_all_domains(insmod_t) domain_use_wide_inherit_fd(insmod_t) files_read_etc_runtime_files(insmod_t) -files_read_generic_etc_files(insmod_t) +files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) -files_exec_generic_etc_files(insmod_t) +files_exec_etc_files(insmod_t) # for nscd: files_dontaudit_search_pids(insmod_t) # for when /var is not mounted early in the boot: @@ -127,7 +127,7 @@ can_exec(depmod_t, depmod_exec_t) allow depmod_t modules_conf_t:file r_file_perms; allow depmod_t modules_dep_t:file create_file_perms; -bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t) +bootloader_create_modules(depmod_t,modules_dep_t) kernel_read_system_state(depmod_t) @@ -148,8 +148,8 @@ init_use_script_fd(depmod_t) init_use_script_pty(depmod_t) files_read_etc_runtime_files(depmod_t) -files_read_generic_etc_files(depmod_t) -files_read_usr_src(depmod_t) +files_read_etc_files(depmod_t) +files_read_usr_src_files(depmod_t) libs_use_ld_so(depmod_t) libs_use_shared_libs(depmod_t) @@ -177,7 +177,7 @@ can_exec(update_modules_t, update_modules_exec_t) # manage module loading configuration allow update_modules_t modules_conf_t:file create_file_perms; -bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t) +bootloader_create_modules(update_modules_t,modules_conf_t) files_create_etc_config(update_modules_t,modules_conf_t) # transition to depmod @@ -203,8 +203,8 @@ init_use_script_pty(depmod_t) domain_use_wide_inherit_fd(depmod_t) files_read_etc_runtime_files(update_modules_t) -files_read_generic_etc_files(update_modules_t) -files_exec_generic_etc_files(update_modules_t) +files_read_etc_files(update_modules_t) +files_exec_etc_files(update_modules_t) corecmd_exec_bin(update_modules_t) corecmd_exec_sbin(update_modules_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index acd8425c..ee701ab6 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -55,7 +55,7 @@ corecmd_exec_bin(mount_t) domain_use_wide_inherit_fd(mount_t) files_search_all_dirs(mount_t) -files_read_generic_etc_files(mount_t) +files_read_etc_files(mount_t) files_manage_etc_runtime_files(mount_t) files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index f5e0ec7e..b1e394ce 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -224,7 +224,7 @@ interface(`seutil_exec_newrole',` ## The type of the process performing this action. ## # -interface(`seutil_dontaudit_newrole_signal',` +interface(`seutil_dontaudit_signal_newrole',` gen_require(` type newrole_t; class process signal; @@ -235,9 +235,9 @@ interface(`seutil_dontaudit_newrole_signal',` ####################################### # -# seutil_newrole_sigchld(domain) +# seutil_sigchld_newrole(domain) # -interface(`seutil_newrole_sigchld',` +interface(`seutil_sigchld_newrole',` gen_require(` type newrole_t; class process sigchld; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index ff2423f2..75db193e 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -21,14 +21,14 @@ domain_entry_file(checkpolicy_t,checkpolicy_exec_t) # /etc/selinux/*/contexts/* # type default_context_t; -files_file_type(default_context_t) +files_type(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; -files_file_type(file_context_t) +files_type(file_context_t) type load_policy_t; domain_type(load_policy_t) @@ -51,7 +51,7 @@ domain_entry_file(newrole_t,newrole_exec_t) # the security server policy configuration. # type policy_config_t; -files_file_type(policy_config_t) +files_type(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -61,7 +61,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append }; # files. # type policy_src_t; -files_file_type(policy_src_t) +files_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; @@ -80,7 +80,7 @@ domain_entry_file(run_init_t,run_init_exec_t) # /etc/selinux/config # type selinux_config_t; -files_file_type(selinux_config_t) +files_type(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; domain_obj_id_change_exempt(setfiles_t) @@ -216,7 +216,7 @@ domain_use_wide_inherit_fd(newrole_t) # Write to utmp. init_rw_script_pid(newrole_t) -files_read_generic_etc_files(newrole_t) +files_read_etc_files(newrole_t) libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -284,7 +284,7 @@ init_use_script_pty(restorecon_t) domain_use_wide_inherit_fd(restorecon_t) files_read_etc_runtime_files(restorecon_t) -files_read_generic_etc_files(restorecon_t) +files_read_etc_files(restorecon_t) libs_use_ld_so(restorecon_t) libs_use_shared_libs(restorecon_t) @@ -362,7 +362,7 @@ ifdef(`targeted_policy',`',` domain_use_wide_inherit_fd(run_init_t) - files_read_generic_etc_files(run_init_t) + files_read_etc_files(run_init_t) files_dontaudit_search_all_dirs(run_init_t) init_domtrans_script(run_init_t) @@ -427,7 +427,7 @@ libs_use_ld_so(setfiles_t) libs_use_shared_libs(setfiles_t) files_read_etc_runtime_files(setfiles_t) -files_read_generic_etc_files(setfiles_t) +files_read_etc_files(setfiles_t) logging_send_syslog_msg(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index cbccdc30..2d4057a1 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -9,11 +9,11 @@ policy_module(sysnetwork,1.0) # this is shared between dhcpc and dhcpd: type dhcp_etc_t; #, usercanread; typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; -files_file_type(dhcp_etc_t) +files_type(dhcp_etc_t) # this is shared between dhcpc and dhcpd: type dhcp_state_t; -files_file_type(dhcp_state_t) +files_type(dhcp_state_t) type dhcpc_t; type dhcpc_exec_t; @@ -21,7 +21,7 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; type dhcpc_state_t; -files_file_type(dhcpc_state_t) +files_type(dhcpc_state_t) type dhcpc_tmp_t; files_tmp_file(dhcpc_tmp_t) @@ -35,7 +35,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; -files_file_type(net_conf_t) +files_type(net_conf_t) ######################################## # @@ -118,7 +118,7 @@ corecmd_exec_shell(dhcpc_t) domain_use_wide_inherit_fd(dhcpc_t) -files_read_generic_etc_files(dhcpc_t) +files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) init_use_fd(dhcpc_t) @@ -135,7 +135,7 @@ miscfiles_read_localization(dhcpc_t) modutils_domtrans_insmod(dhcpc_t) ifdef(`distro_redhat', ` - files_exec_generic_etc_files(dhcpc_t) + files_exec_etc_files(dhcpc_t) ') ifdef(`targeted_policy', ` @@ -171,7 +171,7 @@ optional_policy(`ntpd.te',` ') optional_policy(`selinux.te',` - seutil_newrole_sigchld(dhcpc_t) + seutil_sigchld_newrole(dhcpc_t) ') optional_policy(`udev.te',` @@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; -files_read_generic_etc_files(ifconfig_t); +files_read_etc_files(ifconfig_t); kernel_use_fd(ifconfig_t) kernel_read_system_state(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 591ddae8..1e283084 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -16,15 +16,15 @@ domain_wide_inherit_fd(udev_t) init_daemon_domain(udev_t,udev_exec_t) type udev_etc_t alias etc_udev_t; -files_file_type(udev_etc_t) +files_type(udev_etc_t) # udev_runtime_t is the type of the udev table file # cjp: this is probably a copy of udev_tbl_t and can be removed type udev_runtime_t; -files_file_type(udev_runtime_t) +files_type(udev_runtime_t) type udev_tbl_t alias udev_tdb_t; -files_file_type(udev_tbl_t) +files_type(udev_tbl_t) type udev_var_run_t; files_pid_file(udev_var_run_t) @@ -91,8 +91,8 @@ domain_exec_all_entry_files(udev_t) domain_dontaudit_list_all_domains_proc(udev_t) files_read_etc_runtime_files(udev_t) -files_read_generic_etc_files(udev_t) -files_exec_generic_etc_files(udev_t) +files_read_etc_files(udev_t) +files_exec_etc_files(udev_t) files_dontaudit_search_isid_type_dir(udev_t) init_use_fd(udev_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 4a9c7d6c..fd545668 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1,12 +1,28 @@ ## Policy for user domains -######################################## +####################################### +## +## The template containing rules common to unprivileged +## users and administrative users. +## +## +##

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+##

+## This generally should not be used, rather the +## unpriv_user_template or admin_user_template should +## be used. +##

+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # -# Base user domain template -# -# This is common to user and admin domain - -template(`base_user_domain',` +template(`base_user_template',` attribute $1_file_type; @@ -22,11 +38,11 @@ template(`base_user_domain',` # type for contents of home directory type $1_home_t, $1_file_type, home_type; - files_file_type($1_home_t) + files_type($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; - files_file_type($1_home_t) + files_type($1_home_t) type $1_tmp_t, $1_file_type; files_tmp_file($1_tmp_t) @@ -154,8 +170,8 @@ template(`base_user_domain',` domain_exec_all_entry_files($1_t) domain_use_wide_inherit_fd($1_t) - files_exec_generic_etc_files($1_t) - files_read_usr_src($1_t) + files_exec_etc_files($1_t) + files_read_usr_src_files($1_t) # Caused by su - init scripts init_dontaudit_use_script_pty($1_t) @@ -392,19 +408,30 @@ template(`base_user_domain',` ')dnl end base_user_domain macro -######################################## +####################################### +## +## The template for creating a unprivileged user. +## +## +##

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # -# User domain template -# - -template(`user_domain_template', ` +template(`unpriv_user_template', ` ############################## # # Declarations # # Inherit rules for ordinary users. - base_user_domain($1) + base_user_template($1) typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; domain_wide_inherit_fd($1_t) @@ -455,7 +482,7 @@ template(`user_domain_template', ` # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - files_read_generic_etc_files($1_t) + files_read_etc_files($1_t) files_list_home($1_t) files_read_usr_files($1_t) @@ -494,7 +521,7 @@ template(`user_domain_template', ` optional_policy(`selinux.te',` # for when the network connection is killed - seutil_dontaudit_newrole_signal($1_t) + seutil_dontaudit_signal_newrole($1_t) ') # Need the following rule to allow users to run vpnc @@ -594,18 +621,44 @@ template(`user_domain_template', ` ') dnl end TODO ') -######################################## +####################################### +## +## The template for creating an administrative user. +## +## +##

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+## +## +## The privileges given to administrative users are: +##
    +##
  • Raw disk access
    • +##
  • Set all sysctls
    • +##
  • All kernel ring buffer controls
    • +##
  • Set SELinux enforcement mode (enforcing/permissive)
    • +##
  • Set SELinux booleans
    • +##
  • Relabel all files but shadow
    • +##
  • Create, read, write, and delete all files but shadow
    • +##
  • Manage source and binary format SELinux policy
    • +##
  • Run insmod
    • +##
+## +## +## The prefix of the user domain (e.g., sysadm +## is the prefix for sysadm_t). +## # -# Admin domain template -# -template(`admin_domain_template',` +template(`admin_user_template',` ############################## # # Declarations # # Inherit rules for ordinary users. - base_user_domain($1) + base_user_template($1) typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; domain_obj_id_change_exempt($1_t) @@ -658,6 +711,14 @@ template(`admin_domain_template',` kernel_read_ring_buffer($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctl($1_t) + + # signal unlabeled processes: + kernel_kill_unlabeled($1_t) + kernel_signal_unlabeled($1_t) + kernel_sigstop_unlabeled($1_t) + kernel_signull_unlabeled($1_t) + kernel_sigchld_unlabeled($1_t) + selinux_set_enforce_mode($1_t) selinux_set_boolean($1_t) selinux_set_parameters($1_t) @@ -668,12 +729,6 @@ template(`admin_domain_template',` selinux_compute_create_context($1_t) selinux_compute_relabel_context($1_t) selinux_compute_user_contexts($1_t) - # signal unlabeled processes: - kernel_kill_unlabeled($1_t) - kernel_signal_unlabeled($1_t) - kernel_sigstop_unlabeled($1_t) - kernel_signull_unlabeled($1_t) - kernel_sigchld_unlabeled($1_t) corenet_tcp_bind_generic_port($1_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 89988084..36f3763b 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -29,9 +29,9 @@ attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; -admin_domain_template(sysadm) -user_domain_template(staff) -user_domain_template(user) +admin_user_template(sysadm) +unpriv_user_template(staff) +unpriv_user_template(user) ######################################## #