This commit is contained in:
Chris PeBenito 2005-08-08 21:03:23 +00:00
parent 9465452eec
commit 9489149ec0
6 changed files with 325 additions and 92 deletions

View File

@ -8,6 +8,7 @@
* Added policies: * Added policies:
acct acct
mysql mysql
su
tmpreaper tmpreaper
updfstab updfstab

View File

@ -59,20 +59,6 @@ files = base
# #
domain = base domain = base
# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
#
consoletype = base
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = base
# Layer: admin # Layer: admin
# Module: usermanage # Module: usermanage
# #
@ -101,6 +87,48 @@ dmesg = base
# #
logrotate = off logrotate = off
# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
#
consoletype = base
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = base
# Layer: admin
# Module: acct
#
# Berkeley process accounting
#
acct = base
# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = base
# Layer: admin
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
#
updfstab = base
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = off
# Layer: apps # Layer: apps
# Module: gpg # Module: gpg
# #
@ -136,20 +164,6 @@ storage = base
# #
terminal = base terminal = base
# Layer: services
# Module: cron
#
# Periodic execution of scheduled commands.
#
cron = base
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = off
# Layer: services # Layer: services
# Module: remotelogin # Module: remotelogin
# #
@ -157,6 +171,20 @@ ssh = off
# #
remotelogin = base remotelogin = base
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = base
# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
nis = base
# Layer: services # Layer: services
# Module: sendmail # Module: sendmail
# #
@ -165,18 +193,18 @@ remotelogin = base
sendmail = off sendmail = off
# Layer: services # Layer: services
# Module: mta # Module: ssh
# #
# Policy common to all email tranfer agents. # Secure shell client and server policy.
# #
mta = base ssh = off
# Layer: services # Layer: services
# Module: nis # Module: cron
# #
# Policy for NIS (YP) servers and clients # Periodic execution of scheduled commands.
# #
nis = base cron = base
# Layer: services # Layer: services
# Module: inetd # Module: inetd
@ -193,11 +221,32 @@ inetd = base
kerberos = base kerberos = base
# Layer: services # Layer: services
# Module: nscd # Module: mta
# #
# Name service cache daemon # Policy common to all email tranfer agents.
# #
nscd = base mta = base
# Layer: services
# Module: mysql
#
# Policy for MySQL
#
mysql = base
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = base
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = base
# Layer: system # Layer: system
# Module: selinuxutil # Module: selinuxutil
@ -221,11 +270,11 @@ getty = base
mount = base mount = base
# Layer: system # Layer: system
# Module: logging # Module: ipsec
# #
# Policy for the kernel message logger and system logging daemon. # TCP/IP encryption
# #
logging = base ipsec = base
# Layer: system # Layer: system
# Module: locallogin # Module: locallogin
@ -234,6 +283,13 @@ logging = base
# #
locallogin = base locallogin = base
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = base
# Layer: system # Layer: system
# Module: sysnetwork # Module: sysnetwork
# #
@ -241,6 +297,20 @@ locallogin = base
# #
sysnetwork = base sysnetwork = base
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = base
# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = base
# Layer: system # Layer: system
# Module: iptables # Module: iptables
# #
@ -255,13 +325,6 @@ iptables = base
# #
userdomain = base userdomain = base
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = base
# Layer: system # Layer: system
# Module: corecommands # Module: corecommands
# #
@ -278,6 +341,13 @@ corecommands = base
# #
hotplug = base hotplug = base
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = base
# Layer: system # Layer: system
# Module: lvm # Module: lvm
# #
@ -292,13 +362,6 @@ lvm = base
# #
modutils = base modutils = base
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = base
# Layer: system # Layer: system
# Module: init # Module: init
# #
@ -306,6 +369,13 @@ udev = base
# #
init = base init = base
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = base
# Layer: system # Layer: system
# Module: hostname # Module: hostname
# #
@ -314,11 +384,11 @@ init = base
hostname = base hostname = base
# Layer: system # Layer: system
# Module: authlogin # Module: raid
# #
# Common policy for authentication and user login. # RAID array management tools
# #
authlogin = base raid = base
# Layer: system # Layer: system
# Module: libraries # Module: libraries
@ -327,20 +397,6 @@ authlogin = base
# #
libraries = base libraries = base
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = base
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = base
# Layer: system # Layer: system
# Module: miscfiles # Module: miscfiles
# #
@ -348,24 +404,3 @@ unconfined = base
# #
miscfiles = base miscfiles = base
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = base
# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = base
# Layer: system
# Module: raid
#
# RAID array management tools
#
raid = base

View File

@ -0,0 +1,2 @@
/bin/su -- context_template(system_u:object_r:su_exec_t,s0)

View File

@ -0,0 +1,149 @@
## <summary>Run shells with substitute user and group</summary>
template(`su_per_userdomain_template',`
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_role_change_exempt($1_su_t)
domain_subj_id_change_exempt($1_su_t)
domain_obj_id_change_exempt($1_su_t)
domain_wide_inherit_fd($1_su_t)
role $1_r types $1_su_t;
allow $1_t $1_su_t:process signal;
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
# Transition from the user domain to this domain.
domain_auto_trans($1_t, su_exec_t, $1_su_t)
allow $1_t $1_su_t:fd use;
allow $1_su_t $1_t:fd use;
allow $1_su_t $1_t:fifo_file rw_file_perms;
allow $1_su_t $1_t:process sigchld;
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$1_t)
allow $1_t $1_su_t:fd use;
allow $1_su_t $1_t:fd use;
allow $1_su_t $1_t:fifo_file rw_file_perms;
allow $1_su_t $1_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctl($1_su_t)
# for SSP
dev_read_urand($1_su_t)
fs_search_auto_mountpoints($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_user_ttys($1_su_t)
term_relabel_all_user_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_user_ttys($1_su_t)
term_use_all_user_ptys($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
domain_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
files_search_var_lib($1_su_t)
init_dontaudit_use_fd($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
if(secure_mode)
{
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
if (use_nfs_home_dirs) {
fs_search_nfs($1_su_t)
}
if (use_samba_home_dirs) {
fs_search_cifs($1_su_t)
}
optional_policy(`crond.te',`
cron_read_pipe($1_su_t)
')
optional_policy(`kerberos.te',`
kerberos_use($1_su_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_su_t)
')
optional_policy(`nscd.te',`
nscd_use_socket($1_su_t)
')
ifdef(`TODO',`
domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
# Write to the user domain tty.
access_terminal($1_su_t, $1)
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
allow $1_su_t $1_home_t:file create_file_perms;
ifdef(`user_canbe_sysadm', `
allow $1_su_t home_dir_type:dir { search write };
', `
dontaudit $1_su_t home_dir_type:dir { search write };
')
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
')
ifdef(`cyrus.te', `
allow $1_su_t cyrus_var_lib_t:dir search;
')
ifdef(`ssh.te', `
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
')
') dnl end TODO
')

View File

@ -0,0 +1,12 @@
policy_module(su,1.0)
########################################
#
# Declarations
#
type su_exec_t;
files_type(su_exec_t)
# Remaining policy in the per-user domain template

View File

@ -401,6 +401,23 @@ interface(`fs_getattr_cifs',`
allow $1 cifs_t:filesystem getattr; allow $1 cifs_t:filesystem getattr;
') ')
########################################
## <summary>
## Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
## The type of the domain reading the files.
## </param>
#
interface(`fs_search_cifs',`
gen_require(`
type cifs_t;
class dir search;
')
allow $1 cifs_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Read files on a CIFS or SMB filesystem. ## Read files on a CIFS or SMB filesystem.
@ -871,6 +888,23 @@ interface(`fs_getattr_nfs',`
allow $1 nfs_t:filesystem getattr; allow $1 nfs_t:filesystem getattr;
') ')
########################################
## <summary>
## Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
## The type of the domain reading the files.
## </param>
#
interface(`fs_search_nfs',`
gen_require(`
type nfs_t;
class dir search;
')
allow $1 nfs_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Read files on a NFS filesystem. ## Read files on a NFS filesystem.