add unconfined

This commit is contained in:
Chris PeBenito 2005-07-05 20:59:51 +00:00
parent e8f0055b6d
commit 9726b31857
13 changed files with 361 additions and 57 deletions


@ -971,3 +971,29 @@ interface(`corenet_use_tun_tap_device',`
dev_list_all_dev_nodes($1)
allow $1 tun_tap_device_t:chr_file { read write };
')
########################################
## <summary>
## Unconfined access to network objects.
## </summary>
## <param name="domain">
## The domain allowed access.
## </param>
#
interface(`corenet_unconfined',`
gen_require(`
attribute node_type, netif_type, port_type;
class tcp_socket { send_msg recv_msg node_bind name_bind };
class udp_socket { send_msg recv_msg node_bind name_bind };
class rawip_socket node_bind;
')
allow $1 node_type:node *;
allow $1 netif_type:netif *;
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
# Bind to any network address.
# cjp: rawip_socket doesnt make any sense
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
')
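Review bot: The comment `# cjp: rawip_socket doesnt make any sense` contradicts the rule directly beneath it, which still grants `node_bind` on `rawip_socket` against every node_type and requires that class in gen_require. Either drop rawip_socket from the node_bind line and from the require block, or replace the comment with the reason it stays, e.g. `# rawip_socket is kept so raw-socket binds to any node are covered as well`. The summary could also make clear that this interface grants every permission (`*`) on all nodes and interfaces, which is broader than the per-object helpers above it in the file.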


@ -2042,3 +2042,25 @@ interface(`dev_dontaudit_setattr_video_dev',`
dontaudit $1 v4l_device_t:chr_file setattr;
')
########################################
## <summary>
## Unconfined access to devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_unconfined',`
gen_require(`
attribute device_node, memory_raw_write, memory_raw_read;
type mtrr_device_t;
')
allow $1 device_node:devfile_class_set *;
allow $1 mtrr_device_t:file *;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
')
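Review bot: The line `typeattribute $1 memory_raw_write, memory_raw_read;` has no comment saying why an unconfined domain is placed in those attributes, while the same pattern elsewhere in this commit is annotated `# to satisfy assertions:`. Presumably these attributes gate raw memory-device access through assertions that are not in this hunk, so the intent should be recorded, e.g. `# Place in the raw memory access attributes so the assertions on memory devices are satisfied.` The `allow $1 self:capability sys_rawio;` line would likewise benefit from a one-line note on which of the device rules above needs it, since the summary says only "Unconfined access to devices".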


@ -1675,3 +1675,23 @@ interface(`fs_getattr_all_files',`
allow $1 filesystem_type:sock_file getattr;
')
########################################
## <summary>
## Unconfined access to filesystems
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_unconfined',`
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem *;
# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
')
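Review bot: The comment above the final allow rule refers to `fs_type`, but the attribute this interface requires and uses is `filesystem_type`; the comment should name the attribute actually in play. That rule also leaves `file` and `chr_file` out of its class list, whereas `files_unconfined` in this same commit covers `{ file chr_file }` with `~execmod` on file_type; if files on pseudo filesystems are meant to be reachable here too, a matching `allow $1 filesystem_type:{ file chr_file } ~execmod;` would keep the two interfaces consistent, otherwise the comment should state that file access is deliberately left to files_unconfined. Which of the two is intended cannot be determined from the hunk.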


@ -1015,3 +1015,27 @@ interface(`kernel_relabel_unlabeled',`
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
')
########################################
## <summary>
## Unconfined access to the kernel.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_unconfined',`
gen_require(`
type kernel_t, unlabeled_t;
attribute can_load_kernmodule, can_receive_kernel_messages;
')
# allow $1 proc_fs:{ dir file } *;
allow $1 sysctl_t:{ dir file } *;
allow $1 kernel_t:system *;
allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
kernel_rw_all_sysctl($1)
')
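Review bot: `sysctl_t` is used in `allow $1 sysctl_t:{ dir file } *;` but is absent from the gen_require block, which declares only `kernel_t` and `unlabeled_t`; following the convention the other interfaces in this commit use, the require line should read `type kernel_t, unlabeled_t, sysctl_t;`. The disabled `# allow $1 proc_fs:{ dir file } *;` line should either be removed or carry a note on why it is commented out, as a reader cannot tell whether proc access is intentionally omitted or still pending.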


@ -7,9 +7,6 @@ policy_module(kernel,1.0)
#
# assertion related attributes
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
@ -17,7 +14,7 @@ attribute can_receive_kernel_messages;
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, can_load_kernmodule, can_load_policy;
type kernel_t, can_load_kernmodule;
role system_r types kernel_t;
domain_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
@ -173,6 +170,8 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
selinux_load_policy(kernel_t)
term_use_console(kernel_t)
# Mount root file system. Used when loading a policy
@ -200,9 +199,6 @@ logging_send_syslog_msg(kernel_t)
seutil_read_config(kernel_t)
seutil_read_binary_pol(kernel_t)
neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;
neverallow ~can_load_kernmodule self:capability sys_module;
########################################
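Review bot: The declaration `type kernel_t, can_load_kernmodule;` drops `can_load_policy`, so kernel_t's membership in that attribute now rests on the added `selinux_load_policy(kernel_t)` call, whose body is not in this hunk. If that interface does not apply the attribute, the `neverallow ~can_load_policy security_t:security load_policy;` assertion moved into selinux.te would fail the build, so a comment beside the call would help: `# also places kernel_t in can_load_policy, as required by the assertion in selinux.te`. The `neverallow ~can_load_kernmodule self:capability sys_module;` assertion stays here while the three security-class ones move, which is sensible but worth a word in the `# assertion related attributes` comment.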


@ -250,3 +250,24 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user;
')
########################################
## <desc>
## Unconfined access to the SELinux security server.
## </desc>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`selinux_unconfined',`
gen_require(`
attribute can_load_policy, can_setenforce, can_setsecparam;
type security_t;
class security { load_policy setenforce setbool };
')
# Access the security API.
allow $1 security_t:security *;
auditallow $1 security_t:security { load_policy setenforce setbool };
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
')
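Review bot: The header of the new interface uses `## <desc>` / `## </desc>`, while every other interface added in this commit uses `<summary>` and the storage.if hunks in the same commit convert `<desc>` to `<summary>`; it should read `## <summary>` … `## </summary>` so the documentation tooling treats it like the rest. Separately, the `auditallow` on `{ load_policy setenforce setbool }` is the only audit trail left for an otherwise unrestricted `security *` grant and deserves a comment, e.g. `# Always audit policy, enforcing-mode and boolean changes made from unconfined domains.`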


@ -6,6 +6,10 @@ policy_module(selinux,1.0)
# Declarations
#
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
#
# security_t is the target type when checking
# the permissions in the security class. It is also
@ -15,3 +19,7 @@ type security_t;
fs_type(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;
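Review bot: The three `neverallow ~can_... security_t:security ...;` assertions at the end of the hunk arrive without a comment, so a reader of selinux.te alone cannot tell that they are the assertions formerly kept in kernel.te next to the attribute declarations now added at the top of this file. A one-line header such as `# Only domains carrying the matching attribute may load policy, change enforcing mode or set security parameters.` above them would make the invariant explicit.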


@ -1,10 +1,10 @@
## <summary>Policy controlling access to storage devices</summary>
########################################
## <desc>
## <summary>
## Allow the caller to get the attributes of fixed disk
## device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -20,10 +20,10 @@ interface(`storage_getattr_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
@ -38,10 +38,10 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Allow the caller to set the attributes of fixed disk
## device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -57,10 +57,10 @@ interface(`storage_setattr_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
@ -75,12 +75,12 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -98,12 +98,12 @@ interface(`storage_raw_read_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -121,9 +121,9 @@ interface(`storage_raw_write_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Create block devices in /dev with the fixed disk type.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -197,12 +197,12 @@ interface(`storage_swapon_fixed_disk',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -220,12 +220,12 @@ interface(`storage_raw_read_lvm_volume',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -243,10 +243,10 @@ interface(`storage_raw_write_lvm_volume',`
')
########################################
## <desc>
## <summary>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -262,10 +262,10 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
## <desc>
## <summary>
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -281,13 +281,13 @@ interface(`storage_setattr_scsi_generic',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -305,13 +305,13 @@ interface(`storage_read_scsi_generic',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -329,10 +329,10 @@ interface(`storage_write_scsi_generic',`
')
########################################
## <desc>
## <summary>
## Get attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -348,10 +348,10 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
## <desc>
## <summary>
## Set attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -367,10 +367,10 @@ interface(`storage_set_scsi_generic_attributes',`
')
########################################
## <desc>
## <summary>
## Allow the caller to get the attributes of removable
## devices device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -386,10 +386,10 @@ interface(`storage_getattr_removable_device',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
@ -404,10 +404,10 @@ interface(`storage_dontaudit_getattr_removable_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to set the attributes of removable
## devices device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -423,10 +423,10 @@ interface(`storage_setattr_removable_device',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
@ -441,13 +441,13 @@ interface(`storage_dontaudit_setattr_removable_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -463,13 +463,13 @@ interface(`storage_raw_read_removable_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -485,10 +485,10 @@ interface(`storage_raw_write_removable_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read
## a tape device.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -504,10 +504,10 @@ interface(`storage_read_tape_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to directly read
## a tape device.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -523,10 +523,10 @@ interface(`storage_write_tape_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to get the attributes
## of device nodes of tape devices.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -542,10 +542,10 @@ interface(`storage_getattr_tape_device',`
')
########################################
## <desc>
## <summary>
## Allow the caller to set the attributes
## of device nodes of tape devices.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -560,3 +560,23 @@ interface(`storage_setattr_tape_device',`
allow $1 tape_device_t:blk_file setattr;
')
########################################
## <summary>
## Unconfined access to storage devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`storage_unconfined',`
gen_require(`
type fixed_disk_device_t, removable_device_t;
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
')
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
typeattribute $1 scsi_generic_read, scsi_generic_write;
')
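Review bot: `storage_unconfined` applies `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;` and `typeattribute $1 scsi_generic_read, scsi_generic_write;`, yet its gen_require block declares only the five device types and none of those attributes; the other interfaces in this commit require the attributes they use (`dev_unconfined`, `kernel_unconfined`, `selinux_unconfined`), so the require should gain `attribute fixed_disk_raw_read, fixed_disk_raw_write, scsi_generic_read, scsi_generic_write;`. Since the raw read/write interfaces above in this file each warn that direct device access bypasses the SELinux protections for filesystem objects, the summary of this interface, which grants `blk_file *` on all of those types, should carry the same warning.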


@ -452,6 +452,45 @@ interface(`domain_read_all_entry_files',`
allow $1 entry_type:file r_file_perms;
')
########################################
## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_unconfined',`
gen_require(`
attribute domain, set_curr_context;
class fd use;
class fifo_file rw_file_perms;
class process { transition dyntransition execmem };
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
# Use/sendto/connectto sockets created by any domain.
allow $1 domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow $1 domain:fd use;
allow $1 domain:fifo_file rw_file_perms;
# Act upon any other process.
allow $1 domain:process ~{ transition dyntransition execmem };
typeattribute $1 set_curr_context;
# Create/access any System V IPC objects.
allow $1 domain:{ sem msgq shm } *;
allow $1 domain:msg { send receive };
# For /proc/pid
allow $1 domain:dir r_dir_perms;
allow $1 domain:file r_file_perms;
allow $1 domain:lnk_file r_file_perms;
')
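Review bot: The rule `allow $1 domain:process ~{ transition dyntransition execmem };` is explained only by `# Act upon any other process.`, which does not say why those three permissions are withheld even though the gen_require deliberately names exactly them. The rationale belongs beside the rule, e.g. `# transition/dyntransition are withheld so entry into other domains still follows the normal transition rules; execmem is granted only on self, under allow_execmem, by the unconfined template.` (the second clause assumes the template is the only caller and should be confirmed). The parameter text `The type of the process performing this action.` also differs from the `Domain allowed access.` wording used by the other new *_unconfined interfaces; consistent wording helps the generated docs.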
#
# These next macros are not interfaces, but actually are


@ -1342,3 +1342,30 @@ interface(`files_manage_generic_spools',`
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
')
########################################
## <summary>
## Unconfined access to files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_unconfined',`
gen_require(`
attribute file_type;
class unix_stream_socket name_bind;
class unix_dgram_socket name_bind;
')
# Create/access any file in a labeled filesystem;
allow $1 file_type:{ file chr_file } ~execmod;
allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
# Mount/unmount any filesystem with the context= option.
allow $1 file_type:filesystem *;
# Bind to any network address.
# cjp: need to check this, I dont think this has any effect.
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
')
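Review bot: The comment `# cjp: need to check this, I dont think this has any effect.` leaves the `name_bind` rule on unix sockets in an unresolved state; either verify and drop the rule together with the two `class unix_*_socket name_bind` requires, or reword it as a proper TODO stating the open question. The `~execmod` rule on `{ file chr_file }` also references the execmod permission, but unlike `domain_unconfined` in this commit, which requires `class process { transition dyntransition execmem }` for its `~{...}` rule, this gen_require lists no `class file execmod;` / `class chr_file execmod;`; if the same convention applies here those two lines should be added.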


@ -0,0 +1,3 @@
# Add programs here which should not be confined by SELinux
# e.g.:
# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t


@ -0,0 +1,75 @@
## <summary>The unconfined domain.</summary>
########################################
## <summary>
## A template to make the specified domain unconfined.
## </summary>
## <param name="domain">
## Domain to make unconfined.
## </param>
#
template(`unconfined_access_template',`
# Use any Linux capability.
allow $1 self:capability *;
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
# Userland object managers
allow $1 self:nscd *;
allow $1 self:dbus *;
allow $1 self:passwd *;
kernel_unconfined($1)
dev_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
domain_unconfined($1)
files_unconfined($1)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1 self:process execmem;
')
# to satisfy assertions:
optional_policy(`authlogin.te',`
auth_manage_shadow($1)
auth_relabelto_shadow($1)
')
optional_policy(`bootloader.te',`
bootloader_manage_kernel_modules($1)
')
optional_policy(`selinuxutil.te',`
seutil_create_binary_pol($1)
seutil_relabelto_binary_pol($1)
')
optional_policy(`storage.te',`
storage_unconfined($1)
')
ifdef(`TODO',`
if (allow_execmod) {
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1 texrel_shlib_t:file execmod;
}
ifdef(`dbusd.te', `
# Communicate via dbusd.
allow $1 system_dbusd_t:dbus *;
')
ifdef(`nscd.te', `
# Get info via nscd.
allow $1 nscd_t:nscd *;
')
') dnl end TODO
')
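Review bot: `corenet_unconfined` is added to corenet.if in this commit but the template never calls it: the `kernel_unconfined($1)` … `files_unconfined($1)` sequence covers kernel, dev, fs, selinux, domain and files, storage is reached through `optional_policy`, and the network interface is left out. If that is deliberate a comment saying so is needed; otherwise add `corenet_unconfined($1)` after `files_unconfined($1)`. The `ifdef(`TODO',...)` block at the end is dead policy that names types (`texrel_shlib_t`, `system_dbusd_t`, `nscd_t`) not required anywhere, and would be clearer as a comment listing what remains to be ported.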


@ -0,0 +1,23 @@
policy_module(unconfined,1.0)
########################################
#
# Declarations
#
type unconfined_t;
type unconfined_exec_t;
init_system_domain(unconfined_t,unconfined_exec_t)
role system_r types unconfined_t;
########################################
#
# Local policy
#
unconfined_access_template(unconfined_t)
logging_send_syslog_msg(unconfined_t)
#role sysadm_r types unconfined_t;
#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
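Review bot: The module declares `unconfined_exec_t` and wires it through `init_system_domain`, but the new unconfined.fc in this commit contains only a comment and labels nothing, so as far as this commit shows no binary enters unconfined_t unless an administrator adds an fc entry. That opt-in behaviour is a useful safety property and should be stated in the declarations section, e.g. `# Nothing is labeled unconfined_exec_t by default; add entries to unconfined.fc to opt a program in.` The commented-out `#role sysadm_r types unconfined_t;` and `#domain_auto_trans(...)` lines should say whether they are pending work or intentionally disabled.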