rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

final updates from nsa cvs

This commit is contained in:
Chris PeBenito 2005-09-19 21:17:45 +00:00
parent 41c4800de4
commit a1fcff33f2
54 changed files with 1665 additions and 368 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
refpolicy/Changelog
View File

@ -5,9 +5,11 @@
- Added policies:
ktalk
portmap
postgresql
samba
snmp
tftp
vpn
zebra
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907

10
refpolicy/policy/global_tunables
View File

@ -46,6 +46,11 @@ gen_tunable(named_write_master_zones,false)
## Allow reading of default_t files.
gen_tunable(read_default_t,false)
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
gen_tunable(read_untrusted_content,false)
## Allow ssh to run from inetd instead of as a daemon.
gen_tunable(run_ssh_inetd,false)
@ -97,3 +102,8 @@ gen_tunable(user_tcp_server,false)
## Allow w to display everyone
gen_tunable(user_ttyfile_stat,false)
## Allow applications to write untrusted content
## If this is disallowed, no Internet content
## will be stored.
gen_tunable(write_untrusted_content,false)

9
refpolicy/policy/modules/admin/vpn.fc Normal file
View File

@ -0,0 +1,9 @@
#
# /usr
#
/usr/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)
#
# sbin
#
/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)

51
refpolicy/policy/modules/admin/vpn.if Normal file
View File

@ -0,0 +1,51 @@
## <summary>Virtual Private Networking client</summary>
########################################
## <summary>
## Execute VPN clients in the vpnc domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`vpn_domtrans',`
gen_require(`
type vpnc_t, vpnc_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
allow $1 vpnc_t:fd use;
allow vpnc_t $1:fd use;
allow vpnc_t $1:fifo_file rw_file_perms;
allow vpnc_t $1:process sigchld;
')
########################################
## <summary>
## Execute VPN clients in the vpnc domain, and
## allow the specified role the vpnc domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the vpnc domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the vpnc domain to use.
## </param>
#
interface(`vpn_run',`
gen_require(`
type vpnc_t;
class chr_file rw_term_perms;
')
vpn_domtrans($1)
role $2 types vpnc_t;
allow vpnc_t $3:chr_file rw_term_perms;
')

114
refpolicy/policy/modules/admin/vpn.te Normal file
View File

@ -0,0 +1,114 @@
policy_module(vpnc,1.0)
########################################
#
# Declarations
#
type vpnc_t;
domain_type(vpnc_t)
type vpnc_exec_t;
domain_entry_file(vpnc_t,vpnc_exec_t)
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
type vpnc_var_run_t;
files_pid_file(vpnc_var_run_t)
########################################
#
# Local policy
#
allow vpnc_t self:capability { net_admin ipc_lock net_raw };
allow vpnc_t self:fifo_file { getattr ioctl read write };
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
allow vpnc_t vpnc_tmp_t:file create_file_perms;
files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
allow vpnc_t vpnc_var_run_t:file create_file_perms;
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
files_create_pid(vpnc_t,vpnc_var_run_t)
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
kernel_read_kernel_sysctl(vpnc_t)
kernel_rw_net_sysctl(vpnc_t)
corenet_tcp_sendrecv_all_if(vpnc_t)
corenet_udp_sendrecv_all_if(vpnc_t)
corenet_raw_sendrecv_all_if(vpnc_t)
corenet_tcp_sendrecv_all_nodes(vpnc_t)
corenet_udp_sendrecv_all_nodes(vpnc_t)
corenet_raw_sendrecv_all_nodes(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_tcp_bind_all_nodes(vpnc_t)
corenet_udp_bind_all_nodes(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_use_tun_tap_device(vpnc_t)
dev_read_rand(vpnc_t)
dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
fs_getattr_xattr_fs(vpnc_t)
term_use_all_user_ptys(vpnc_t)
term_use_all_user_ttys(vpnc_t)
corecmd_exec_bin(vpnc_t)
corecmd_exec_sbin(vpnc_t)
corecmd_exec_shell(vpnc_t)
domain_exec_all_entry_files(vpnc_t)
files_exec_etc_files(vpnc_t)
files_read_etc_runtime_files(vpnc_t)
files_read_etc_files(vpnc_t)
files_dontaudit_search_home(vpnc_t)
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)
libs_use_ld_so(vpnc_t)
libs_use_shared_libs(vpnc_t)
miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
sysnet_exec_ifconfig(vpnc_t)
sysnet_create_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_user_fd(vpnc_t)
optional_policy(`mount.te',`
mount_send_nfs_client_request(vpnc_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(vpnc_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(vpnc_t)
')
ifdef(`TODO',`
dontaudit vpnc_t user_home_dir_type:dir search;
')

6
refpolicy/policy/modules/apps/gpg.te
View File

@ -20,5 +20,7 @@ files_type(gpg_agent_exec_t)
type pinentry_exec_t;
files_type(pinentry_exec_t)
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
ifdef(`TODO',`
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
')

165
refpolicy/policy/modules/kernel/filesystem.if
View File

@ -472,6 +472,23 @@ interface(`fs_list_cifs',`
allow $1 cifs_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list the contents
## of directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_cifs',`
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir r_dir_perms;
')
########################################
## <summary>
## Read files on a CIFS or SMB filesystem.
@ -483,14 +500,29 @@ interface(`fs_list_cifs',`
interface(`fs_read_cifs_files',`
gen_require(`
type cifs_t;
class dir r_dir_perms;
class file r_file_perms;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
## The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_cifs_files',`
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read or
@ -503,7 +535,6 @@ interface(`fs_read_cifs_files',`
interface(`fs_dontaudit_rw_cifs_files',`
gen_require(`
type cifs_t;
class file { read write };
')
dontaudit $1 cifs_t:file { read write };
@ -578,10 +609,27 @@ interface(`fs_read_cifs_files',`
interface(`fs_manage_cifs_dirs',`
gen_require(`
type cifs_t;
class dir create_dir_perms;
')
allow $1 cifs_t:dir create_file_perms;
allow $1 cifs_t:dir create_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete directories
## on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
## The type of the domain managing the directories.
## </param>
#
interface(`fs_dontaudit_manage_cifs_dirs',`
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir create_dir_perms;
')
########################################
@ -604,6 +652,24 @@ interface(`fs_manage_cifs_files',`
allow $1 cifs_t:file create_file_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete files
## on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_cifs_files',`
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete symbolic links
@ -959,6 +1025,23 @@ interface(`fs_search_nfs',`
allow $1 nfs_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to list the contents
## of directories on a NFS filesystem.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_nfs',`
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir r_dir_perms;
')
########################################
## <summary>
## Read files on a NFS filesystem.
@ -978,6 +1061,23 @@ interface(`fs_read_nfs_files',`
allow $1 nfs_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read
## files on a NFS filesystem.
## </summary>
## <param name="domain">
## The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_nfs_files',`
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file r_file_perms;
')
########################################
## <summary>
## Execute files on a NFS filesystem.
@ -1008,7 +1108,6 @@ interface(`fs_execute_nfs_files',`
interface(`fs_dontaudit_rw_nfs_files',`
gen_require(`
type nfs_t;
class file { read write };
')
dontaudit $1 nfs_t:file { read write };
@ -1051,6 +1150,24 @@ interface(`fs_manage_nfs_dirs',`
allow $1 nfs_t:dir create_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete directories
## on a NFS filesystem.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_dirs',`
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
@ -1071,6 +1188,24 @@ interface(`fs_manage_nfs_files',`
allow $1 nfs_t:file create_file_perms;
')
########################################
## <summary>
## Do not audit attempts to create,
## read, write, and delete files
## on a NFS filesystem.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_files',`
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file create_file_perms;
')
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@ -1984,6 +2119,23 @@ interface(`fs_relabelfrom_all_fs',`
allow $1 filesystem_type:filesystem relabelfrom;
')
########################################
## <summary>
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_search_all',`
gen_require(`
attribute filesystem_type;
class dir { getattr search };
')
allow $1 filesystem_type:dir { getattr search };
')
########################################
## <summary>
## List all directories with a filesystem type.
@ -2001,7 +2153,6 @@ interface(`fs_list_all',`
allow $1 filesystem_type:dir r_dir_perms;
')
########################################
#
# fs_getattr_all_files(type)

3
refpolicy/policy/modules/kernel/filesystem.te
View File

@ -44,9 +44,6 @@ type binfmt_misc_fs_t, filesystem_type;
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
type debugfs_t, filesystem_type;
allow debugfs_t self:filesystem associate;
type eventpollfs_t, filesystem_type;
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)

80
refpolicy/policy/modules/kernel/kernel.if
View File

@ -343,6 +343,86 @@ interface(`kernel_get_sysvipc_info',`
allow $1 kernel_t:system ipc_info;
')
########################################
## <summary>
## Get the attributes of a kernel debugging filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_getattr_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem getattr;
')
########################################
## <summary>
## Mount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## The type of the domain mounting the filesystem.
## </param>
#
interface(`kernel_mount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem mount;
')
########################################
## <summary>
## Unmount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## The type of the domain unmounting the filesystem.
## </param>
#
interface(`kernel_unmount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem unmount;
')
########################################
## <summary>
## Remount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## The type of the domain remounting the filesystem.
## </param>
#
interface(`kernel_remount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem remount;
')
########################################
## <summary>
## Search the contents of a kernel debugging filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_search_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:dir search;
')
########################################
## <summary>
## Get the attributes of the proc filesystem.

9
refpolicy/policy/modules/kernel/kernel.te
View File

@ -30,6 +30,15 @@ role system_r types kernel_t;
domain_base_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
#
# DebugFS
#
type debugfs_t;
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
#
# Procfs types
#

5
refpolicy/policy/modules/services/cron.te
View File

@ -152,6 +152,11 @@ optional_policy(`rpm.te',`
rpm_read_pipe(crond_t)
')
optional_policy(`postgresql.te', `
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
postgresql_search_db_dir(crond_t)
')
optional_policy(`udev.te', `
udev_read_db(crond_t)
')

8
refpolicy/policy/modules/services/dbus.te
View File

@ -1,6 +1,10 @@
policy_module(dbus,1.0)
gen_require(`
class dbus { send_msg acquire_svc };
')
##############################
#
# Delcarations
@ -29,8 +33,9 @@ files_pid_file(system_dbusd_var_run_t)
allow system_dbusd_t self:capability { dac_override setgid setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process getattr;
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@ -75,6 +80,7 @@ corecmd_read_sbin_symlink(system_dbusd_t)
corecmd_read_sbin_file(system_dbusd_t)
corecmd_read_sbin_pipe(system_dbusd_t)
corecmd_read_sbin_socket(system_dbusd_t)
corecmd_exec_sbin(system_dbusd_t)
domain_use_wide_inherit_fd(system_dbusd_t)

27
refpolicy/policy/modules/services/hal.te
View File

@ -16,6 +16,11 @@ files_tmp_file(hald_tmp_t)
type hald_var_run_t;
files_pid_file(hald_var_run_t)
########################################
#
# Local policy
#
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:fifo_file rw_file_perms;
@ -46,15 +51,17 @@ corenet_tcp_sendrecv_all_ports(hald_t)
corenet_tcp_bind_all_nodes(hald_t)
dev_read_sysfs(hald_t)
dev_read_usbfs(hald_t)
dev_rw_usbfs(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
dev_read_mouse(hald_t)
dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_file(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
fs_search_auto_mountpoints(hald_t)
selinux_get_fs_mount(hald_t)
@ -120,6 +127,10 @@ optional_policy(`hotplug.te',`
hotplug_read_config(hald_t)
')
optional_policy(`mount.te',`
mount_domtrans(hald_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(hald_t)
')
@ -164,4 +175,18 @@ allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')
# For /usr/libexec/hald-probe-smbios
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
') dnl end TODO

36
refpolicy/policy/modules/services/postgresql.fc Normal file
View File

@ -0,0 +1,36 @@
#
# /etc
#
/etc/postgresql(/.*)? context_template(system_u:object_r:postgresql_etc_t,s0)
#
# /usr
#
/usr/bin/initdb -- context_template(system_u:object_r:postgresql_exec_t,s0)
/usr/bin/postgres -- context_template(system_u:object_r:postgresql_exec_t,s0)
/usr/lib/pgsql/test/regres(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- context_template(system_u:object_r:postgresql_exec_t,s0)
/usr/lib(64)?/postgresql/bin/.* -- context_template(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
')
#
# /var
#
/var/lib/postgres(ql)?(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/data(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup.log context_template(system_u:object_r:postgresql_log_t,s0)
/var/log/postgres\.log.* -- context_template(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
')
/var/run/postgresql(/.*)? context_template(system_u:object_r:postgresql_var_run_t,s0)

110
refpolicy/policy/modules/services/postgresql.if Normal file
View File

@ -0,0 +1,110 @@
## <summary>PostgreSQL relational database</summary>
########################################
## <summary>
## Allow the specified domain to search postgresql's database directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`postgresql_search_db_dir',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search;
')
########################################
## <summary>
## Allow the specified domain to manage postgresql's database.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
allow $1 postgresql_db_t:lnk_file { getattr read };
')
########################################
## <summary>
## Execute postgresql in the postgresql domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`postgresql_domtrans',`
gen_require(`
type postgresql_t, postgresql_exec_t;
')
domain_auto_trans($1,postgresql_exec_t,postgresql_t)
allow $1 postgresql_t:fd use;
allow postgresql_t $1:fd use;
allow postgresql_t $1:fifo_file rw_file_perms;
allow postgresql_t $1:process sigchld;
')
########################################
## <summary>
## Allow the specified domain to read postgresql's etc.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`postgresql_read_config',`
gen_require(`
type postgresql_etc_t;
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir { getattr read search };
allow $1 postgresql_etc_t:file { read getattr };
allow $1 postgresql_etc_t:lnk_file { getattr read };
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`postgresql_tcp_connect',`
gen_require(`
type postgresql_t;
')
kernel_tcp_recvfrom($1)
allow $1 postgresql_t:tcp_socket { connectto recvfrom };
allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a unix socket.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`postgresql_unix_connect',`
gen_require(`
type postgresql_t, postgresql_var_run_t;
')
files_search_pids($1)
allow $1 postgresql_t:unix_stream_socket connectto;
allow $1 postgresql_var_run_t:sock_file write;
')

223
refpolicy/policy/modules/services/postgresql.te Normal file
View File

@ -0,0 +1,223 @@
policy_module(postgresql,1.0)
#################################
#
# Declarations
#
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t,postgresql_exec_t)
type postgresql_db_t;
files_type(postgresql_db_t)
type postgresql_etc_t; #, usercanread;
files_type(postgresql_etc_t)
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
type postgresql_log_t;
logging_log_file(postgresql_log_t)
type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
########################################
#
# postgresql Local policy
#
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t postgresql_db_t:dir create_dir_perms;
allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
allow postgresql_t postgresql_db_t:file create_file_perms;
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
allow postgresql_t postgresql_etc_t:dir r_dir_perms;
allow postgresql_t postgresql_etc_t:file r_file_perms;
allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file create_file_perms;
files_create_lock(postgresql_t,postgresql_lock_t)
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
allow postgresql_t postgresql_log_t:file create_file_perms;
logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
allow postgresql_t postgresql_tmp_t:file create_file_perms;
allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
allow postgresql_t postgresql_var_run_t:file create_file_perms;
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
files_create_pid(postgresql_t,postgresql_var_run_t)
kernel_read_kernel_sysctl(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctl(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
kernel_tcp_recvfrom(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_raw_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
corenet_udp_sendrecv_all_nodes(postgresql_t)
corenet_raw_sendrecv_all_nodes(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_tcp_bind_all_nodes(postgresql_t)
corenet_udp_bind_all_nodes(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
term_use_controlling_term(postgresql_t)
term_dontaudit_use_console(postgresql_t)
corecmd_exec_bin(postgresql_t)
corecmd_exec_ls(postgresql_t)
corecmd_exec_sbin(postgresql_t)
corecmd_exec_shell(postgresql_t)
domain_dontaudit_list_all_domains_proc(postgresql_t)
domain_use_wide_inherit_fd(postgresql_t)
files_dontaudit_search_home(postgresql_t)
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
init_read_script_pid(postgresql_t)
init_use_fd(postgresql_t)
init_use_script_pty(postgresql_t)
libs_use_ld_so(postgresql_t)
libs_use_shared_libs(postgresql_t)
logging_send_syslog_msg(postgresql_t)
miscfiles_read_localization(postgresql_t)
seutil_dontaudit_search_config(postgresql_t)
sysnet_read_config(postgresql_t)
userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
userdom_dontaudit_use_sysadm_tty(postgresql_t)
userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
mta_getattr_spool(postgresql_t)
ifdef(`targeted_policy', `
files_dontaudit_read_root_file(postgresql_t)
term_dontaudit_use_generic_pty(postgresql_t)
term_dontaudit_use_unallocated_tty(postgresql_t)
')
tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
optional_policy(`consoletype.te', `
consoletype_exec(postgresql_t)
')
optional_policy(`cron.te',`
cron_search_spool(postgresql_t)
cron_system_entry(postgresql_t,postgresql_exec_t)
')
optional_policy(`hostname.te', `
hostname_exec(postgresql_t)
')
optional_policy(`kerberos.te',`
kerberos_use(postgresql_t)
')
optional_policy(`mount.te',`
mount_send_nfs_client_request(postgresql_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(postgresql_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(postgresql_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(postgresql_t)
')
optional_policy(`udev.te', `
udev_read_db(postgresql_t)
')
ifdef(`TODO',`
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;
if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`distro_debian', `
init_exec_script(postgresql_t)
# gross hack
postgresql_domtrans(dpkg_t)
can_exec(postgresql_t, dpkg_exec_t)
')
ifdef(`distro_gentoo', `
allow postgresql_t initrc_su_t:process { sigchld };
# "su - postgres ..." is called from initrc_t
postgresql_search_db_dir(initrc_su_t)
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
# Goes to apache.te:
# Allow httpd to work with postgresql
optional_policy(`postgresql.te', `
# Original policy had apache connecting to postgresql_tmp_t:sock_file
# instead of what is assumed to be correct: postgresql_var_run_t. -Don
postgresql_unix_connect(httpd_t)
')
')

19
refpolicy/policy/modules/system/authlogin.if
View File

@ -600,6 +600,25 @@ interface(`auth_manage_pam_console_data',`
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
')
#######################################
## <summary>
## Delete pam_console data.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`auth_delete_pam_console_data',`
gen_require(`
type pam_var_console_t;
')
files_search_var($1)
files_search_pids($1)
allow $1 pam_var_console_t:dir rw_dir_perms;
allow $1 pam_var_console_t:file unlink;
')
########################################
## <summary>
## Relabel all files on the filesystem, except

2
refpolicy/policy/modules/system/corecommands.fc
View File

@ -69,6 +69,8 @@ ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- context_template(system_u:object_r:bin_t,s0)
')
/usr/lib/pgsql/test/regress/.*\.sh -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)

153
refpolicy/policy/modules/system/files.if
View File

@ -72,6 +72,85 @@ interface(`files_pid_file',`
typeattribute $1 pidfile;
')
########################################
## <summary>
## Make the specified type a
## polyinstantiated directory.
## </summary>
## <param name="file_type">
## Type of the file to be used as a
## polyinstantiated directory.
## </param>
#
interface(`files_poly',`
gen_require(`
attribute polydir;
')
files_type($1)
typeattribute $1 polydir;
')
########################################
## <summary>
## Make the specified type a parent
## of a polyinstantiated directory.
## </summary>
## <param name="file_type">
## Type of the file to be used as a
## parent directory.
## </param>
#
interface(`files_poly_parent',`
gen_require(`
attribute polyparent;
')
files_type($1)
typeattribute $1 polyparent;
')
########################################
## <summary>
## Make the specified type a
## polyinstantiation member directory.
## </summary>
## <param name="file_type">
## Type of the file to be used as a
## member directory.
## </param>
#
interface(`files_poly_member',`
gen_require(`
attribute polymember;
')
files_type($1)
typeattribute $1 polymember;
')
########################################
## <summary>
## Make the domain use the specified
## type of polyinstantiated directory.
## </summary>
## <param name="domain">
## Domain using the polyinstantiated
## directory.
## </param>
## <param name="file_type">
## Type of the file to be used as a
## member directory.
## </param>
#
interface(`files_poly_member_tmp',`
gen_require(`
type tmp_t;
')
type_member $1 tmp_t:dir $2;
')
########################################
## <summary>
## Make the specified type a file
@ -81,14 +160,18 @@ interface(`files_pid_file',`
## Type of the file to be used as a
## temporary file.
## </param>
#
interface(`files_tmp_file',`
gen_require(`
attribute tmpfile;
type tmp_t;
')
files_type($1)
files_poly_member($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfile;
allow $1 tmp_t:filesystem associate;
')
########################################
@ -648,7 +731,6 @@ interface(`files_unmount_rootfs',`
interface(`files_dontaudit_getattr_default_dir',`
gen_require(`
type default_t;
class dir getattr;
')
dontaudit $1 default_t:dir getattr;
@ -665,12 +747,28 @@ interface(`files_dontaudit_getattr_default_dir',`
interface(`files_list_default',`
gen_require(`
type default_t;
class dir r_dir_perms;
')
allow $1 default_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list contents of
## directories with the default file type.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_list_default',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:dir r_dir_perms;
')
########################################
## <summary>
## Mount a filesystem on a directory with the default file type.
@ -682,7 +780,6 @@ interface(`files_list_default',`
interface(`files_mounton_default',`
gen_require(`
type default_t;
class dir { getattr search mounton };
')
allow $1 default_t:dir { getattr search mounton };
@ -716,12 +813,28 @@ interface(`files_dontaudit_getattr_default_files',`
interface(`files_read_default_files',`
gen_require(`
type default_t;
class file r_file_perms;
')
allow $1 default_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read files
## with the default file type.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_read_default_files',`
gen_require(`
type default_t;
')
dontaudit $1 default_t:file r_file_perms;
')
########################################
## <summary>
## Read symbolic links with the default file type.
@ -1531,6 +1644,24 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file r_file_perms;
')
########################################
## <summary>
## Allow the specified type to associate
## to a filesystem with the type of the
## temporary directory (/tmp).
## </summary>
## <param name="file_type">
## Type of the file to associate.
## </param>
#
interface(`files_associate_tmp',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:filesystem associate;
')
########################################
## <summary>
## Do not audit attempts to get the
@ -2322,6 +2453,20 @@ interface(`files_delete_all_pids',`
allow $1 pidfile:sock_file { getattr unlink };
')
########################################
#
# files_delete_all_pid_dirs(domain)
#
interface(`files_delete_all_pid_dirs',`
gen_require(`
attribute pidfile;
type var_t;
')
allow $1 var_t:dir search;
allow $1 pidfile:dir { rw_dir_perms rmdir };
')
########################################
#
# files_search_spool(domain)

12
refpolicy/policy/modules/system/files.te
View File

@ -10,6 +10,18 @@ attribute file_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
attribute tmpfile;
attribute tmpfsfile;

3
refpolicy/policy/modules/system/fstools.te
View File

@ -55,6 +55,7 @@ kernel_getattr_proc(fsadm_t)
kernel_rw_unlabeled_dir(fsadm_t)
kernel_use_unlabeled_blk_dev(fsadm_t)
dev_getattr_all_chr_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
@ -145,5 +146,7 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
allow fsadm_t tmpfs_t:file { read write };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
') dnl end TODO

7
refpolicy/policy/modules/system/hostname.te
View File

@ -21,7 +21,6 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
allow hostname_t self:capability sys_admin;
dontaudit hostname_t self:capability sys_tty_config;
kernel_read_kernel_sysctl(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
@ -84,9 +83,3 @@ optional_policy(`udev.te',`
udev_dontaudit_use_fd(hostname_t)
udev_read_db(hostname_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te', `
rhgb_domain(hostname_t)
')
') dnl end TODO

22
refpolicy/policy/modules/system/init.te
View File

@ -51,15 +51,15 @@ type initrc_devpts_t;
term_pty(initrc_devpts_t)
files_type(initrc_devpts_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
type initrc_state_t;
files_type(initrc_state_t)
type initrc_tmp_t;
files_tmp_file(initrc_tmp_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
########################################
#
# Init local policy
@ -263,7 +263,7 @@ auth_rw_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_list_pam_console_data(initrc_t)
auth_delete_pam_console_data(initrc_t)
corecmd_exec_bin(initrc_t)
corecmd_exec_sbin(initrc_t)
@ -297,6 +297,7 @@ files_purge_tmp(initrc_t)
files_delete_all_locks(initrc_t)
files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t)
files_manage_generic_locks(initrc_t)
@ -477,6 +478,11 @@ optional_policy(`raid.te',`
raid_manage_mdadm_pid(initrc_t)
')
optional_policy(`postgresql.te',`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
optional_policy(`quota.te',`
quota_manage_flags(initrc_t)
')
@ -535,6 +541,14 @@ ifdef(`TODO',`
allow initrc_t xconsole_device_t:fifo_file setattr;
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_t system_dbusd_var_run_t:sock_file write;
# rhgb-console writes to ramfs
allow initrc_t ramfs_t:fifo_file write;
# during boot up initrc needs to do the following
allow initrc_t default_t:dir write;
#
# These rules are here to allow init scripts to su

10
refpolicy/policy/modules/system/libraries.fc
View File

@ -26,10 +26,6 @@
#
# /usr
#
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
@ -43,8 +39,14 @@
/usr(/.*)?/nvidia/.*\.so(\..*)? -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/pgsql/test/regress/.*\.so -- context_template(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)

1
refpolicy/policy/modules/system/logging.if
View File

@ -15,6 +15,7 @@ interface(`logging_log_file',`
')
files_type($1)
files_associate_tmp($1)
fs_associate_tmpfs($1)
typeattribute $1 logfile;
')

1
refpolicy/policy/modules/system/logging.te
View File

@ -51,6 +51,7 @@ files_pid_file(syslogd_var_run_t)
type var_log_t, logfile;
files_type(var_log_t)
files_associate_tmp(var_log_t)
########################################
#

12
refpolicy/policy/modules/system/lvm.te
View File

@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t)
type lvm_metadata_t;
files_type(lvm_metadata_t)
type lvm_var_run_t;
files_pid_file(lvm_var_run_t)
type lvm_tmp_t;
files_tmp_file(lvm_tmp_t)
@ -148,6 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
files_create_lock(lvm_t,lvm_lock_t)
allow lvm_t lvm_var_run_t:file create_file_perms;
allow lvm_t lvm_var_run_t:dir create_dir_perms;
files_create_pid(lvm_t,lvm_var_run_t)
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
@ -213,7 +220,6 @@ domain_use_wide_inherit_fd(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
files_dontaudit_getattr_pid_dir(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(lvm_t)
@ -258,6 +264,10 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
# it has no reason to need this
allow lvm_t var_t:dir { search getattr };
allow lvm_t ramfs_t:filesystem unmount;
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;
')

4
refpolicy/policy/modules/system/modutils.te
View File

@ -51,6 +51,8 @@ can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_search_debugfs(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
@ -128,6 +130,7 @@ optional_policy(`rpm.te',`
')
ifdef(`TODO',`
allow insmod_t proc_t:file rw_file_perms;
optional_policy(`xserver.te',`
xserver_getattr_log(insmod_t)
allow insmod_t xserver_misc_device_t:chr_file { read write };
@ -182,6 +185,7 @@ optional_policy(`rpm.te',`
')
ifdef(`TODO',`
allow depmod_t modules_object_t:file unlink;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
') dnl end ifdef TODO

4
refpolicy/policy/modules/system/pcmcia.te
View File

@ -140,6 +140,10 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
allow cardmgr_t modules_object_t:dir search;
ifdef(`dhcpc.te',`
allow cardmgr_t dhcpc_var_run_t:file unlink;
')
# Create device files in /tmp.
# cjp: why is this created all over the place?
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })

48
refpolicy/policy/modules/system/sysnetwork.if
View File

@ -25,6 +25,31 @@ interface(`sysnet_domtrans_dhcpc',`
allow dhcpc_t $1:process sigchld;
')
########################################
## <summary>
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the clock domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the clock domain to use.
## </param>
#
interface(`sysnet_run_dhcpc',`
gen_require(`
type dhcpc_t;
')
sysnet_domtrans_dhcpc($1)
role $2 types dhcpc_t;
allow dhcpc_t $3:chr_file { getattr read write ioctl };
')
########################################
## <summary>
## Send a SIGCHLD signal to the dhcp client.
@ -227,9 +252,6 @@ interface(`sysnet_read_dhcpc_pid',`
interface(`sysnet_domtrans_ifconfig',`
gen_require(`
type ifconfig_t, ifconfig_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@ -260,7 +282,6 @@ interface(`sysnet_domtrans_ifconfig',`
interface(`sysnet_run_ifconfig',`
gen_require(`
type ifconfig_t;
class chr_file rw_term_perms;
')
corecmd_search_sbin($1)
@ -269,6 +290,23 @@ interface(`sysnet_run_ifconfig',`
allow ifconfig_t $3:chr_file rw_term_perms;
')
#######################################
## <summary>
## Execute ifconfig in the caller domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`sysnet_exec_ifconfig',`
gen_require(`
type ifconfig_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,ifconfig_exec_t)
')
########################################
## <summary>
## Read the DHCP configuration files.
@ -280,8 +318,6 @@ interface(`sysnet_run_ifconfig',`
interface(`sysnet_read_dhcp_config',`
gen_require(`
type dhcp_etc_t;
class dir search;
class file { getattr read };
')
files_search_etc($1)

22
refpolicy/policy/modules/system/sysnetwork.te
View File

@ -112,6 +112,7 @@ term_dontaudit_use_console(dhcpc_t)
term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_tty(dhcpc_t)
term_dontaudit_use_generic_pty(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_sbin(dhcpc_t)
@ -209,6 +210,27 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
ifdef(`cardmgr.te',`
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`ypbind.te',`
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
')
ifdef(`dbusd.te', `
dbusd_client(system, dhcpc)
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')dnl end ifdef unconfined.te
')
optional_policy(`rhgb.te',`
rhgb_domain(dhcpc_t)
')

228
refpolicy/policy/modules/system/userdomain.if
View File

@ -41,11 +41,13 @@ template(`base_user_template',`
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
files_associate_tmp($1_home_t)
fs_associate_tmpfs($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
type $1_tmp_t, $1_file_type;
@ -54,6 +56,14 @@ template(`base_user_template',`
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
# types for network-obtained content
type $1_untrusted_content_t, $1_file_type; #, customizable
files_type($1_untrusted_content_t)
files_poly_member($1_untrusted_content_t)
type $1_untrusted_content_tmp_t, $1_file_type; # customizable
files_tmp_file($1_untrusted_content_tmp_t)
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
@ -77,8 +87,7 @@ template(`base_user_template',`
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
# Irrelevant until we have labeled networking.
#allow $1_t self:udp_socket { sendto recvfrom };
allow $1_t self:udp_socket { sendto recvfrom };
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@ -93,11 +102,19 @@ template(`base_user_template',`
allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir create_dir_perms;
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
can_exec($1_t,$1_tmp_t)
# user temporary files
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
# Bind to a Unix domain socket in /tmp.
# cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
@ -111,6 +128,10 @@ template(`base_user_template',`
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
# Allow user to relabel untrusted content
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
allow $1_t unpriv_userdomain:fd use;
# Instantiate derived domains for a number of programs.
@ -160,7 +181,14 @@ template(`base_user_template',`
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_search_auto_mountpoints($1_t)
fs_exec_noxattr($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
# for eject
storage_getattr_fixed_disk($1_t)
@ -196,10 +224,13 @@ template(`base_user_template',`
logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_localization($1_t)
miscfiles_read_fonts($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_rw_spool($1_t)
@ -209,12 +240,29 @@ template(`base_user_template',`
allow $1_t self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
',`
files_dontaudit_list_default($1_t)
files_dontaudit_read_default_files($1_t)
')
tunable_policy(`read_untrusted_content',`
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
',`
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
')
tunable_policy(`use_nfs_home_dirs',`
@ -224,6 +272,9 @@ template(`base_user_template',`
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
fs_execute_nfs_files($1_t)
',`
fs_dontaudit_manage_nfs_dirs($1_t)
fs_dontaudit_manage_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
@ -233,6 +284,9 @@ template(`base_user_template',`
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
fs_execute_cifs_files($1_t)
',`
fs_dontaudit_manage_cifs_dirs($1_t)
fs_dontaudit_manage_cifs_files($1_t)
')
tunable_policy(`user_direct_mouse',`
@ -329,36 +383,17 @@ template(`base_user_template',`
r_dir_file($1_t, usercanread)
tunable_policy(`allow_execmod',`
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;
')
allow $1_t fs_type:dir getattr;
# old "file_browse_domain":
# Regular files/directories that are not security sensitive
dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
dontaudit $1_t file_type - secure_file_type:dir { read search };
# /dev
dontaudit $1_t dev_fs:dir_file_class_set getattr;
dontaudit $1_t dev_fs:dir { read search };
# /proc
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
dontaudit $1 file_type - secure_file_type:dir search;
dontaudit $1 file_type - secure_file_type:dir read;
dontaudit $1 unlabeled_t:dir_file_class_set getattr;
dontaudit $1 unlabeled_t:dir search;
dontaudit $1 unlabeled_t:dir read;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
allow $1_t usbtty_device_t:chr_file read;
@ -390,21 +425,16 @@ template(`base_user_template',`
# Connect to portmap.
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
# Use X
x_client_domain($1, $1)
ifdef(`xserver.te', `
# for /tmp/.ICE-unix
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
')
ifdef(`xdm.te', `
# Connect to the X server run by the X Display Manager.
can_unix_connect($1_t, xdm_t)
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
allow $1_t xdm_tmp_t:dir r_dir_perms;
allow $1_t xdm_tmp_t:file r_file_perms;
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_t xdm_xserver_tmp_t:dir search;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file r_file_perms;
@ -412,12 +442,26 @@ template(`base_user_template',`
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
')
# for shared memory
allow xdm_xserver_t $1_tmpfs_t:file { read write };
')
# start read_fonts()
# cjp: this macro is unconditional, though
# its in a conditional file.
# Manipulate the global font cache
create_dir_file($1, $1_fonts_cache_t)
# Read per user fonts and font config
r_dir_file($1, $1_fonts_t)
r_dir_file($1, $1_fonts_config_t)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $1 $2_gnome_settings_t:dir { getattr search };
')
# end read_fonts()
ifdef(`rpcd.te', `
create_dir_file($1_t, nfsd_rw_t)
')
@ -467,8 +511,13 @@ template(`unpriv_user_template', `
domain_wide_inherit_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
typeattribute $1_home_dir_t user_home_dir_type;
files_poly($1_home_dir_t)
typeattribute $1_home_t user_home_type;
files_poly_member($1_home_t)
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@ -484,14 +533,6 @@ template(`unpriv_user_template', `
allow $1_home_t self:filesystem associate;
allow $1_file_type $1_home_t:filesystem associate;
# user temporary files
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
# privileged home directory writers
allow privhome $1_home_t:file create_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
@ -537,6 +578,11 @@ template(`unpriv_user_template', `
# so it can be used without privilege to write real binary policy file
seutil_exec_checkpol($1_t)
ifdef(`enable_polyinstantiation',`
type_member $1_t $1_home_dir_t:dir $1_home_t;
files_poly_member_tmp($1_t)
')
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
@ -575,6 +621,22 @@ template(`unpriv_user_template', `
ifdef(`TODO',`
ifdef(`enable_mls',`',`
fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
')
dontaudit $1_t boot_t:lnk_file read;
dontaudit $1_t boot_t:file read;
@ -596,16 +658,20 @@ template(`unpriv_user_template', `
')
')
ifdef(`useradd.te', `
# Useradd relabels /etc/skel files so needs these privs
allow useradd_t $1_file_type:dir create_dir_perms;
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
')
# Stat lost+found.
allow $1_t lost_found_t:dir getattr;
# Read /var, /var/spool, /var/run.
allow $1_t var_t:dir r_dir_perms;
allow $1_t var_t:notdevfile_class_set r_file_perms;
allow $1_t var_spool_t:dir r_dir_perms;
allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
allow $1_t var_run_t:dir r_dir_perms;
allow $1_t var_run_t:{ file lnk_file } r_file_perms;
r_dir_file($1_t, var_t)
# what about pipes and sockets under /var/spool?
r_dir_file($1_t, var_spool_t)
r_dir_file($1_t, var_run_t)
allow $1_t var_lib_t:dir r_dir_perms;
allow $1_t var_lib_t:file { getattr read };
@ -631,23 +697,6 @@ template(`unpriv_user_template', `
allow $1_t initrc_t:fifo_file write;
ifdef(`user_can_mount', `
#
# Allow users to mount file systems like floppies and cdrom
#
mount_domain($1, $1_mount, `, fs_domain')
r_dir_file($1_t, mnt_t)
allow $1_mount_t device_t:lnk_file read;
allow $1_mount_t removable_device_t:blk_file read;
allow $1_mount_t iso9660_t:filesystem relabelfrom;
allow $1_mount_t removable_t:filesystem { mount relabelto };
allow $1_mount_t removable_t:dir mounton;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
')
')
') dnl end TODO
')
@ -721,16 +770,11 @@ template(`admin_user_template',`
# for the administrator to run TCP servers directly
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
@ -761,6 +805,7 @@ template(`admin_user_template',`
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t)
@ -847,7 +892,7 @@ template(`admin_user_template',`
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
')
allow $1_t xdm_t:fifo_file rw_file_perms;
can_pipe_xdm($1_t)
')
# Connect data port to ftpd.
@ -877,6 +922,21 @@ template(`admin_user_template',`
# Run programs from staff home directories.
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
allow $1 removable_t:filesystem getattr;
') dnl endif TODO
')
@ -2037,7 +2097,7 @@ interface(`userdom_sigcld_all_users',`
class process sigchld;
')
allow $1 userdomain:process sigghld;
allow $1 userdomain:process sigchld;
')
########################################

5
refpolicy/policy/modules/system/userdomain.te
View File

@ -223,6 +223,7 @@ ifdef(`targeted_policy',`
optional_policy(`sysnetwork.te',`
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`unconfined.te',`
@ -233,4 +234,8 @@ ifdef(`targeted_policy',`
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`vpn.te',`
vpn_run(sysadm_t,sysadm_r,admin_terminal)
')
')

28
strict/domains/admin.te
View File

@ -17,19 +17,27 @@ general_proc_read_access(sysadm_t)
# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)
# Allow administrator domains to set the enforcing flag.
can_setenforce(sysadm_t)
# Allow administrator domains to set policy booleans.
can_setbool(sysadm_t)
# Allow administrator domains to set security parameters
can_setsecparam(sysadm_t)
# for su
allow sysadm_t userdomain:fd use;
define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
ifdef(`separate_secadm', `', `
security_manager_domain(sysadm_t)
')
# Add/remove user home directories
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
limited_user_role(secadm)
typeattribute secadm_t admin;
role secadm_r types secadm_t;
security_manager_domain(secadm_t)
r_dir_file(secadm_t, { var_t var_log_t })
typeattribute secadm_tty_device_t admin_tty_type;
typeattribute secadm_devpts_t admin_tty_type;
bool allow_ptrace false;
if (allow_ptrace) {
can_ptrace(sysadm_t, domain)
}

18
strict/domains/misc/screensaver.te
View File

@ -1,18 +0,0 @@
#
# Alias file to stop blow up during policy upgrade, since
# screensaver policy is being removed.
#
typealias bin_t alias screensaver_exec_t;
typealias sysadm_home_t alias sysadm_screensaver_t;
typealias sysadm_home_t alias sysadm_screensaver_rw_t;
typealias sysadm_home_t alias sysadm_screensaver_ro_t;
typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
typealias user_home_t alias user_screensaver_t;
typealias user_home_t alias user_screensaver_rw_t;
typealias user_home_t alias user_screensaver_ro_t;
typealias user_home_t alias user_screensaver_tmpfs_t;
typealias staff_home_t alias staff_screensaver_t;
typealias staff_home_t alias staff_screensaver_rw_t;
typealias staff_home_t alias staff_screensaver_ro_t;
typealias staff_home_t alias staff_screensaver_tmpfs_t;

5
strict/domains/program/dbusd.te
View File

@ -17,4 +17,9 @@ can_ypbind(system_dbusd_t)
# I expect we need more than this
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_t system_dbusd_var_run_t:sock_file write;
can_exec(system_dbusd_t, sbin_t)
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:unix_stream_socket connectto;

19
strict/domains/program/dhcpc.te
View File

@ -43,6 +43,8 @@ ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
allow cardmgr_t dhcpc_var_run_t:file unlink;
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
@ -126,7 +128,7 @@ can_exec(dhcpc_t, { bin_t shell_exec_t })
ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
allow dhcpc_t { userdomain kernel_t }:fd use;
allow dhcpc_t home_root_t:dir search;
@ -142,7 +144,22 @@ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')
role sysadm_r types dhcpc_t;
domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
ifdef(`dbusd.te', `
dbusd_client(system, dhcpc)
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')dnl end ifdef unconfined.te
')

3
strict/domains/program/fsadm.te
View File

@ -29,6 +29,7 @@ read_sysctl(fsadm_t)
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };
base_file_read_access(fsadm_t)
@ -115,3 +116,5 @@ system_crond_entry(fsadm_exec_t, fsadm_t)
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
allow fsadm_t device_type:chr_file getattr;

5
strict/domains/program/gpg.te
View File

@ -8,11 +8,8 @@
type gpg_exec_t, file_type, sysadmfile, exec_type;
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
# Allow gpg exec stack
bool allow_gpg_execstack false;
# Everything else is in the gpg_domain macro in
# macros/program/gpg_macros.te.

29
strict/domains/program/hald.te
View File

@ -65,10 +65,9 @@ allow hald_t udev_tbl_t:file { getattr read };
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
allow hald_t usbfs_t:dir search;
allow hald_t usbfs_t:file { getattr read };
allow hald_t fs_type:dir { search getattr };
allow hald_t usbfs_t:dir r_dir_perms;
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
allow hald_t bin_t:lnk_file read;
r_dir_file(hald_t, { selinux_config_t default_context_t } )
allow hald_t initrc_t:dbus send_msg;
@ -80,3 +79,25 @@ allow hald_t device_t:chr_file create_file_perms;
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')
# For /usr/libexec/hald-probe-smbios
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
# ??
ifdef(`lvm.te', `
allow hald_t lvm_control_t:chr_file r_file_perms;
')
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
ifdef(`mount.te', `
domain_auto_trans(hald_t, mount_exec_t, mount_t)
')

4
strict/domains/program/hostname.te
View File

@ -4,9 +4,7 @@
# X-Debian-Packages: hostname
# for setting the hostname
daemon_base_domain(hostname, , nosysadm)
role sysadm_r types hostname_t;
daemon_core_rules(hostname, , nosysadm)
allow hostname_t self:capability sys_admin;
allow hostname_t etc_t:file { getattr read };

10
strict/domains/program/initrc.te
View File

@ -123,7 +123,10 @@ allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t file_t:dir { read search getattr mounton };
# during boot up initrc needs to do the following
allow initrc_t default_t:dir { read search getattr mounton };
allow initrc_t default_t:dir { write read search getattr mounton };
# rhgb-console writes to ramfs
allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@ -233,7 +236,7 @@ allow initrc_t home_type:file r_file_perms;
allow initrc_t pidfile:file { getattr read unlink };
# for system start scripts
allow initrc_t pidfile:dir rw_dir_perms;
allow initrc_t pidfile:dir { rmdir rw_dir_perms };
allow initrc_t pidfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)
@ -316,3 +319,6 @@ domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')

6
strict/domains/program/lvm.te
View File

@ -108,11 +108,11 @@ dontaudit lvm_t gpmctl_t:sock_file getattr;
')
dontaudit lvm_t initctl_t:fifo_file getattr;
allow lvm_t sbin_t:dir search;
dontaudit lvm_t sbin_t:file getattr;
dontaudit lvm_t sbin_t:file { getattr read };
allow lvm_t lvm_control_t:chr_file rw_file_perms;
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
allow initrc_t device_t:chr_file create;
dontaudit lvm_t var_run_t:dir getattr;
var_run_domain(lvm)
# for when /usr is not mounted
dontaudit lvm_t file_t:dir search;
@ -122,6 +122,8 @@ r_dir_file(lvm_t, selinux_config_t)
# it has no reason to need this
dontaudit lvm_t proc_kcore_t:file getattr;
allow lvm_t var_t:dir { search getattr };
allow lvm_t ramfs_t:filesystem unmount;
# cluster LVM daemon
daemon_domain(clvmd)

7
strict/domains/program/modutil.te
View File

@ -56,6 +56,7 @@ file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
# Read module objects.
allow depmod_t modules_object_t:dir r_dir_perms;
allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
allow depmod_t modules_object_t:file unlink;
# Access terminals.
allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
@ -137,15 +138,15 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t fs_t:filesystem getattr;
allow insmod_t sysfs_t:dir search;
allow insmod_t { usbfs_t usbdevfs_t }:dir search;
allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
# Rules for /proc/sys/kernel/tainted
read_sysctl(insmod_t)
allow insmod_t proc_t:dir search;
allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
allow insmod_t proc_t:file { getattr read };
allow insmod_t proc_t:file rw_file_perms;
allow insmod_t proc_t:lnk_file read;
# Write to /proc/mtrr.

3
strict/domains/program/pamconsole.te
View File

@ -45,5 +45,6 @@ allow pam_console_t hotplug_t:fd use;
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
allow initrc_t pam_var_console_t:dir r_dir_perms;
allow initrc_t pam_var_console_t:dir rw_dir_perms;
allow initrc_t pam_var_console_t:file unlink;
allow pam_console_t file_context_t:file { getattr read };

20
strict/domains/program/postgresql.te
View File

@ -10,7 +10,6 @@
#
# postgresql_exec_t is the type of the postgresql executable.
#
type postgresql_port_t, port_type;
daemon_domain(postgresql)
allow initrc_t postgresql_exec_t:lnk_file read;
allow postgresql_t usr_t:file { getattr read };
@ -37,7 +36,6 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
dontaudit postgresql_t self:capability sys_admin;
etcdir_domain(postgresql)
typealias postgresql_etc_t alias etc_postgresql_t;
type postgresql_db_t, file_type, sysadmfile;
logdir_domain(postgresql)
@ -52,7 +50,7 @@ tmp_domain(postgresql, `', `{ dir file sock_file }')
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
# Use the network.
can_network_server(postgresql_t)
can_network(postgresql_t)
can_ypbind(postgresql_t)
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
@ -69,6 +67,7 @@ if (allow_user_postgresql_connect) {
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`consoletype.te', `
@ -80,6 +79,7 @@ can_exec(postgresql_t, hostname_exec_t)
')
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
allow postgresql_t auth_port_t:tcp_socket name_connect;
allow postgresql_t { proc_t self }:file { getattr read };
@ -110,9 +110,9 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t initrc_var_run_t:file { getattr read lock };
dontaudit postgresql_t selinux_config_t:dir { search };
allow postgresql_t mail_spool_t:dir { search };
rw_dir_create_file(postgresql_t, var_lock_t)
dontaudit postgresql_t selinux_config_t:dir search;
allow postgresql_t mail_spool_t:dir search;
lock_domain(postgresql)
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
ifdef(`apache.te', `
#
@ -124,11 +124,15 @@ can_unix_connect(httpd_t, postgresql_t)
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
allow initrc_su_t postgresql_db_t:dir { search };
allow postgresql_t initrc_su_t:process { sigchld };
allow initrc_su_t postgresql_db_t:dir search;
allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
dontaudit postgresql_t home_root_t:dir search;
can_kerberos(postgresql_t)
allow postgresql_t urandom_device_t:chr_file { getattr read };
if (allow_execmem) {
allow postgresql_t self:process execmem;
}

17
strict/domains/program/vpnc.te
View File

@ -10,9 +10,9 @@
# vpnc_t is the domain for the vpnc program.
# vpnc_exec_t is the type of the vpnc executable.
#
daemon_domain(vpnc, `, sysctl_net_writer')
application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
# Use the network.
can_network(vpnc_t)
@ -31,7 +31,7 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
allow vpnc_t port_t:udp_socket name_bind;
allow vpnc_t etc_runtime_t:file { getattr read };
allow vpnc_t proc_t:file { getattr read };
@ -42,6 +42,8 @@ allow vpnc_t sysctl_net_t:file write;
allow vpnc_t sbin_t:dir search;
allow vpnc_t bin_t:dir search;
allow vpnc_t bin_t:lnk_file read;
allow vpnc_t self:dir search;
r_dir_file(vpnc_t, proc_t)
r_dir_file(vpnc_t, proc_net_t)
tmp_domain(vpnc)
allow vpnc_t self:fifo_file { getattr ioctl read write };
@ -49,3 +51,12 @@ allow vpnc_t self:file { getattr read };
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
dontaudit vpnc_t home_root_t:dir search;
dontaudit vpnc_t user_home_dir_type:dir search;
var_run_domain(vpnc)
allow vpnc_t userdomain:fd use;
r_dir_file(vpnc_t, sysfs_t)
allow vpnc_t self:process { fork sigchld };
read_locale(vpnc_t)
read_sysctl(vpnc_t)
allow vpnc_t fs_t:filesystem getattr;

58
strict/domains/user.te
View File

@ -4,6 +4,16 @@
# Booleans for user domains.
# Allow applications to read untrusted content
# If this is disallowed, Internet content has
# to be manually relabeled for read access to be granted
bool read_untrusted_content false;
# Allow applications to write untrusted content
# If this is disallowed, no Internet content
# will be stored.
bool write_untrusted_content false;
# Allow users to read system messages.
bool user_dmesg false;
@ -54,54 +64,6 @@ bool read_default_t false;
# files (such as ~/.bashrc)
bool staff_read_sysadm_file false;
# change from role $1_r to $2_r and relabel tty appropriately
define(`role_tty_type_change', `
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
# Reach sysadm_t via programs like userhelper/sudo/su
undefine(`reach_sysadm')
define(`reach_sysadm', `
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')
ifdef(`su.te', `
su_domain($1)
# When an ordinary user domain runs su, su may try to
# update the /root/.Xauthority file, and the user shell may
# try to update the shell history. This is not allowed, but
# we dont need to audit it.
dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
') dnl ifdef su.te
')
# Privileged user domain
undefine(`priv_user')
define(`priv_user', `
# Reach sysadm_t
reach_sysadm($1)
# Read file_contexts for rpm and get security decisions.
r_dir_file($1_t, file_context_t)
can_getsecurity($1_t)
# Signal and see information about unprivileged user domains.
allow $1_t unpriv_userdomain:process signal_perms;
can_ps($1_t, unpriv_userdomain)
allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
# Read /root files if boolean is enabled.
if (staff_read_sysadm_file) {
allow $1_t sysadm_home_dir_t:dir { getattr search };
allow $1_t sysadm_home_t:file { getattr read };
}
') dnl priv_user
full_user_role(user)

4
strict/file_contexts/program/postgresql.fc
View File

@ -14,3 +14,7 @@
/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t
/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t
/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
')

80
strict/macros/admin_macros.te
View File

@ -20,15 +20,19 @@ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
# Type and access for pty devices.
can_create_pty($1)
can_create_pty($1, `, admin_tty_type')
tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
# Transition manually for { lnk sock fifo }. The rest is in content macros.
tmp_domain_notrans($1, `, $1_file_type')
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
# Type for tty devices.
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
# Inherit rules for ordinary users.
base_user_domain($1)
access_removable_media($1_t)
allow $1_t self:capability setuid;
@ -36,11 +40,6 @@ ifdef(`su.te', `su_domain($1)')
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
create_dir_file($1_t, policy_config_t)
r_dir_file($1_t, selinux_config_t)
# Let admin stat the shadow file.
allow $1_t shadow_t:file getattr;
@ -51,12 +50,12 @@ allow $1_crond_t var_log_t:file r_file_perms;
# Allow system log read
allow $1_t kernel_t:system syslog_read;
# Allow autrace
# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
# Use capabilities other than sys_module.
allow $1_t self:capability ~sys_module;
# Get security policy decisions.
can_getsecurity($1_t)
# Use system operations.
allow $1_t kernel_t:system *;
@ -82,12 +81,6 @@ allow $1_t sysadmfile:dir create_dir_perms;
allow $1_t mtrr_device_t:file getattr;
allow $1_t fs_type:dir getattr;
# Set an exec context, e.g. for runcon.
can_setexec($1_t)
# Set a context other than the default one for newly created files.
can_setfscreate($1_t)
# Access removable devices.
allow $1_t removable_device_t:devfile_class_set rw_file_perms;
@ -124,18 +117,6 @@ can_exec($1_t, staff_home_t)
# Run programs from /usr/src.
can_exec($1_t, src_t)
# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.
# added by mayerf@tresys.com
# The following rules are temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
#
allow $1_t policy_src_t:file create_file_perms;
allow $1_t policy_src_t:lnk_file create_lnk_perms;
allow $1_t policy_src_t:dir create_dir_perms;
# Relabel all files.
# Actually this will not allow relabeling ALL files unless you change
# sysadmfile to file_type (and change the assertion in assert.te that
@ -157,7 +138,7 @@ if (xdm_sysadm_login) {
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
}
allow $1_t xdm_t:fifo_file rw_file_perms;
can_pipe_xdm($1_t)
')dnl end ifdef xauth.te
')dnl end ifdef xdm.te
@ -205,3 +186,42 @@ allow $1_t device_t:lnk_file { create read };
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
')
define(`security_manager_domain', `
typeattribute $1 secadmin;
# Allow administrator domains to set the enforcing flag.
can_setenforce($1)
# Allow administrator domains to set policy booleans.
can_setbool($1)
# Get security policy decisions.
can_getsecurity($1)
# Allow administrator domains to set security parameters
can_setsecparam($1)
# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.
# added by mayerf@tresys.com
# The following rules are temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
#
allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
# Set an exec context, e.g. for runcon.
can_setexec($1)
# Set a context other than the default one for newly created files.
can_setfscreate($1)
allow $1 self:netlink_audit_socket nlmsg_readpriv;
')

100
strict/macros/base_user_macros.te
View File

@ -2,12 +2,6 @@
# Macros for all user login domains.
#
define(`network_home_dir', `
create_dir_file($1, $2)
can_exec($1, $2)
allow $1 $2:{ sock_file fifo_file } create_file_perms;
')
#
# base_user_domain(domain_prefix)
#
@ -22,6 +16,30 @@ allow $1 $2:{ sock_file fifo_file } create_file_perms;
undefine(`base_user_domain')
define(`base_user_domain', `
# Type for network-obtained content
type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
# Allow user to relabel untrusted content
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
# Read content
read_content($1_t, $1)
# Write trusted content. This includes proper transition
# for /home, and /tmp, so no other transition is necessary (or allowed)
write_trusted($1_t, $1)
# Maybe the home directory is networked
network_home($1_t)
# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
# Relabel files in the home directory
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
@ -40,10 +58,13 @@ if (allow_execmem) {
allow $1_t self:process execmem;
}
if (allow_execmod) {
if (allow_execmem && allow_execstack) {
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
}
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;
}
#
# kdeinit wants this access
@ -63,38 +84,23 @@ allow $1_t event_device_t:chr_file { getattr read ioctl };
allow $1_t dri_device_t:chr_file getattr;
dontaudit $1_t dri_device_t:chr_file rw_file_perms;
file_browse_domain($1_t)
# Supress ls denials:
# getattr() - ls -l
# search_dir() - symlink path resolution
# read_dir() - deep ls: ls parent/...
dontaudit_getattr($1_t)
dontaudit_search_dir($1_t)
dontaudit_read_dir($1_t)
# allow ptrace
can_ptrace($1_t, $1_t)
# Create, access, and remove files in home directory.
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
can_setfscreate($1_t)
# Allow user to run restorecon and relabel files
can_getsecurity($1_t)
r_dir_file($1_t, default_context_t)
r_dir_file($1_t, file_context_t)
allow $1_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs) {
network_home_dir($1_t, nfs_t)
}
if (use_samba_home_dirs) {
network_home_dir($1_t, cifs_t)
}
can_exec($1_t, { removable_t noexattrfile } )
if (user_rw_noexattrfile) {
create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
# Write floppies
allow $1_t removable_device_t:blk_file rw_file_perms;
allow $1_t usbtty_device_t:chr_file write;
} else {
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
}
allow $1_t usbtty_device_t:chr_file read;
# GNOME checks for usb and other devices
@ -104,16 +110,9 @@ can_exec($1_t, noexattrfile)
# Bind to a Unix domain socket in /tmp.
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
# Access ttys.
allow $1_t privfd:fd use;
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
# Use the type when relabeling terminal devices.
type_change $1_t tty_device_t:chr_file $1_tty_device_t;
# read localization information
read_locale($1_t)
# Debian login is from shadow utils and does not allow resetting the perms.
# have to fix this!
type_change $1_t ttyfile:chr_file $1_tty_device_t;
@ -297,21 +296,16 @@ dontaudit $1_t domain:process { getattr getsession };
#
dontaudit $1_t usr_t:file setattr;
# Use X
x_client_domain($1, $1)
ifdef(`xserver.te', `
# for /tmp/.ICE-unix
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
')
ifdef(`xdm.te', `
# Connect to the X server run by the X Display Manager.
can_unix_connect($1_t, xdm_t)
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
allow $1_t xdm_tmp_t:dir r_dir_perms;
allow $1_t xdm_tmp_t:file { getattr read };
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_t xdm_xserver_tmp_t:dir search;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file { getattr read };
@ -320,9 +314,6 @@ ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
')
# for shared memory
allow xdm_xserver_t $1_tmpfs_t:file { read write };
')dnl end ifdef xdm.te
# Access the sound device.
@ -375,6 +366,9 @@ allow $1_t default_t:dir r_dir_perms;
allow $1_t default_t:notdevfile_class_set r_file_perms;
}
# Read fonts
read_fonts($1_t, $1)
read_sysctl($1_t);
#

2
strict/macros/global_macros.te
View File

@ -437,7 +437,7 @@ allow $2_t device_t:dir getattr;
# by default, only plain files and dirs may be stored there.
# This can be overridden with a third parameter
define(`tmp_domain', `
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
ifelse($3, `',
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')

202
strict/macros/user_macros.te
View File

@ -2,6 +2,76 @@
# Macros for all user login domains.
#
# role_tty_type_change(starting_role, ending_role)
#
# change from role $1_r to $2_r and relabel tty appropriately
#
undefine(`role_tty_type_change')
define(`role_tty_type_change', `
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
#
# reach_sysadm(user)
#
# Reach sysadm_t via programs like userhelper/sudo/su
#
undefine(`reach_sysadm')
define(`reach_sysadm', `
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')
ifdef(`su.te', `
su_domain($1)
# When an ordinary user domain runs su, su may try to
# update the /root/.Xauthority file, and the user shell may
# try to update the shell history. This is not allowed, but
# we dont need to audit it.
dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
') dnl ifdef su.te
ifdef(`xauth.te', `
file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
ifdef(`userhelper.te', `
file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
') dnl userhelper.te
') dnl xauth.te
') dnl reach_sysadm
#
# priv_user(user)
#
# Privileged user domain
#
undefine(`priv_user')
define(`priv_user', `
# Reach sysadm_t
reach_sysadm($1)
# Read file_contexts for rpm and get security decisions.
r_dir_file($1_t, file_context_t)
can_getsecurity($1_t)
# Signal and see information about unprivileged user domains.
allow $1_t unpriv_userdomain:process signal_perms;
can_ps($1_t, unpriv_userdomain)
allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
# Read /root files if boolean is enabled.
if (staff_read_sysadm_file) {
allow $1_t sysadm_home_dir_t:dir { getattr search };
allow $1_t sysadm_home_t:file { getattr read };
}
') dnl priv_user
#
# user_domain(domain_prefix)
#
@ -18,18 +88,23 @@ define(`user_domain', `
# Use capabilities
# Type for home directory.
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
# Transition manually for { lnk sock fifo }. The rest is in content macros.
tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
# Type and access for pty devices.
can_create_pty($1, `, userpty_type, user_tty_type')
ifdef(`support_polyinstantiation', `
type_member $1_t tmp_t:dir $1_tmp_t;
type_member $1_t $1_home_dir_t:dir $1_home_t;
')
#Type for tty devices.
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
base_user_domain($1)
ifdef(`mls_policy', `', `
access_removable_media($1_t)
')
# do not allow privhome access to sysadm_home_dir_t
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
@ -44,7 +119,9 @@ allow $1_t system_map_t:file { getattr read };
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
ifdef(`apache.te', `apache_domain($1)')
ifelse($1, sysadm, `',`
ifdef(`apache.te', `apache_user_domain($1)')
')
ifdef(`slocate.te', `locate_domain($1)')
ifdef(`lockdev.te', `lockdev_domain($1)')
@ -110,19 +187,73 @@ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
#
# Domains for ordinary users.
#
undefine(`full_user_role')
define(`full_user_role', `
undefine(`limited_user_role')
define(`limited_user_role', `
# user_t/$1_t is an unprivileged users domain.
type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
#Type for tty devices.
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
# Type and access for pty devices.
can_create_pty($1, `, userpty_type, user_tty_type')
# Access ttys.
allow $1_t privfd:fd use;
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
attribute $1_file_type;
# Grant read/search permissions to some of /proc.
r_dir_file($1_t, proc_t)
r_dir_file($1_t, proc_net_t)
base_file_read_access($1_t)
# Execute from the system shared libraries.
uses_shlib($1_t)
# Read /etc.
r_dir_file($1_t, etc_t)
allow $1_t etc_runtime_t:file r_file_perms;
allow $1_t etc_runtime_t:lnk_file { getattr read };
allow $1_t self:process { fork sigchld setpgid signal_perms };
# read localization information
read_locale($1_t)
read_sysctl($1_t)
can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
allow $1_t self:dir search;
allow $1_t self:file { getattr read };
allow secadm_t self:fifo_file rw_file_perms;
allow $1_t self:lnk_file read;
allow $1_t self:unix_stream_socket create_socket_perms;
allow $1_t urandom_device_t:chr_file { getattr read };
dontaudit $1_t { var_spool_t var_log_t }:dir search;
# Read /dev directories and any symbolic links.
allow $1_t device_t:dir r_dir_perms;
allow $1_t device_t:lnk_file { getattr read };
allow $1_t devtty_t:chr_file { read write };
')
undefine(`full_user_role')
define(`full_user_role', `
limited_user_role($1)
typeattribute $1_t web_client_domain;
attribute $1_file_type;
ifdef(`useradd.te', `
# Useradd relabels /etc/skel files so needs these privs
allow useradd_t $1_file_type:dir create_dir_perms;
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
')
can_exec($1_t, usr_t)
# Read directories and files with the readable_t type.
@ -134,28 +265,18 @@ allow $1_t readable_t:notdevfile_class_set r_file_perms;
allow $1_t lost_found_t:dir getattr;
# Read /var, /var/spool, /var/run.
allow $1_t var_t:dir r_dir_perms;
allow $1_t var_t:notdevfile_class_set r_file_perms;
allow $1_t var_spool_t:dir r_dir_perms;
allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
allow $1_t var_run_t:dir r_dir_perms;
allow $1_t var_run_t:{ file lnk_file } r_file_perms;
r_dir_file($1_t, var_t)
# what about pipes and sockets under /var/spool?
r_dir_file($1_t, var_spool_t)
r_dir_file($1_t, var_run_t)
allow $1_t var_lib_t:dir r_dir_perms;
allow $1_t var_lib_t:file { getattr read };
read_sysctl($1_t)
# Read /etc.
allow $1_t etc_t:dir r_dir_perms;
allow $1_t etc_t:notdevfile_class_set r_file_perms;
allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
# for running depmod as part of the kernel packaging process
allow $1_t modules_conf_t:file { getattr read };
# Read man directories and files.
allow $1_t man_t:dir r_dir_perms;
allow $1_t man_t:notdevfile_class_set r_file_perms;
r_dir_file($1_t, man_t)
# Allow users to rw usb devices
if (user_rw_usb) {
@ -166,16 +287,9 @@ r_dir_file($1_t,usbdevfs_t)
r_dir_file($1_t,sysfs_t)
# Read /dev directories and any symbolic links.
allow $1_t device_t:dir r_dir_perms;
allow $1_t device_t:lnk_file r_file_perms;
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
# Execute from the system shared libraries.
uses_shlib($1_t);
# $1_t is also granted permissions specific to user domains.
user_domain($1)
@ -193,22 +307,6 @@ dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
dontaudit $1_t init_t:fd use;
dontaudit $1_t initrc_t:fd use;
allow $1_t initrc_t:fifo_file write;
ifdef(`user_can_mount', `
#
# Allow users to mount file systems like floppies and cdrom
#
mount_domain($1, $1_mount, `, fs_domain')
r_dir_file($1_t, mnt_t)
allow $1_mount_t device_t:lnk_file read;
allow $1_mount_t removable_device_t:blk_file read;
allow $1_mount_t iso9660_t:filesystem relabelfrom;
allow $1_mount_t removable_t:filesystem { mount relabelto };
allow $1_mount_t removable_t:dir mounton;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
')
')
#
# Rules used to associate a homedir as a mountpoint

2
strict/types/file.te
View File

@ -278,7 +278,7 @@ allow devpts_t self:filesystem associate;
type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
allow { logfile tmpfile home_type } tmp_t:filesystem associate;
ifdef(`distro_redhat', `
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
')