make mountpoints work, plus misc

refpolicy/policy/modules/kernel/bootloader.te

@@ -2,6 +2,11 @@
 
 policy_module(bootloader,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute can_modify_kernel_modules;
 
 #
@@ -9,6 +14,7 @@ attribute can_modify_kernel_modules;
 #
 type boot_t;
 files_make_file(boot_t)
+files_make_mountpoint(boot_t)
 
 #
 # boot_runtime_t is the type for /boot/kernel.h,
@@ -51,7 +57,6 @@ neverallow ~can_modify_kernel_modules modules_object_t:file { create append writ
 type system_map_t;
 files_make_file(system_map_t)
 
-
 ########################################
 #
 # bootloader local policy
@@ -76,6 +81,12 @@ devices_set_all_block_device_attributes(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
 
+init_get_control_channel_attributes(bootloader_t)
+init_script_use_pseudoterminal(bootloader_t)
+init_script_use_file_descriptors(bootloader_t)
+
+domain_use_widely_inheritable_file_descriptors(bootloader_t)
+
 libraries_use_dynamic_loader(bootloader_t)
 libraries_read_shared_libraries(bootloader_t)
 
@@ -92,10 +103,11 @@ logging_send_system_log_message(bootloader_t)
 filesystem_get_persistent_filesystem_attributes(bootloader_t)
 
 terminal_use_controlling_terminal(bootloader_t)
+terminal_get_user_terminal_attributes(bootloader_t)
 
 allow bootloader_t bootloader_etc_t:file { getattr read };
 
-define(`initrc_insmod_optional_policy', `
+optional_policy(modutils.te,`
 modutils_insmod_execute(insmod_t)
 ')
 
@@ -116,6 +128,7 @@ bootloader_install_initrd(bootloader_t)
 
 devices_get_random_data(bootloader_t)
 devices_get_pseudorandom_data(bootloader_t)
+
 corecommands_execute_general_programs(bootloader_t)
 corecommands_execute_system_programs(bootloader_t)
 corecommands_execute_shell(bootloader_t)
@@ -144,23 +157,36 @@ optional_policy(`fsadm.te', `
 filesystemtools_execute(bootloader_t)
 ')
 
-################################################################################
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+')
+
+ifdef(`distro_redhat', `
+files_make_mountpoint(bootloader_tmp_t)
+
+# for mke2fs
+mount_transition(bootloader_t)
+allow bootloader_t modules_object_t:lnk_file { getattr read };
+
+# new file system defaults to file_t, granting file_t access is still bad.
+allow bootloader_t self:unix_stream_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+# for memlock
+devices_get_zeros(bootloader_t)
+allow bootloader_t self:capability ipc_lock;
+')
+
 ifdef(`TODO',`
 
 # admin runs bootloader:
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t admin_tty_type:chr_file rw_file_perms;
-allow bootloader_t privfd:fd use;
 
-allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t initctl_t:fifo_file getattr;
-
-# no transition from initrc to bootloader,
-# so why are these rules needed
 role system_r types bootloader_t;
-allow bootloader_t initrc_devpts_t:chr_file rw_file_perms; 
 allow bootloader_t initrc_t:fifo_file { read write };
-allow bootloader_t initrc_t:fd use;
 
 allow bootloader_t lib_t:file { getattr read };
 
@@ -171,17 +197,14 @@ allow bootloader_t var_t:file { getattr read };
 
 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
-ifdef(`lvm.te', `
+optional_policy(`lvm.te', `
+lvm_transition(bootloader_t)
 allow bootloader_t lvm_control_t:chr_file rw_file_perms;
-domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
 allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
 ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -194,21 +217,10 @@ can_exec(bootloader_t, usr_t)
 ')
 
 ifdef(`distro_redhat', `
-# for mke2fs
-domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
-allow mount_t bootloader_tmp_t:dir mounton;
-allow bootloader_t modules_object_t:lnk_file { getattr read };
-
 # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t file_t:dir create_dir_perms;
 allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
 allow bootloader_t file_t:lnk_file create_lnk_perms;
-allow bootloader_t self:unix_stream_socket create_socket_perms;
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-
-# for memlock
-allow bootloader_t zero_device_t:chr_file { getattr read };
-allow bootloader_t self:capability ipc_lock;
 ')
 
 dontaudit bootloader_t selinux_config_t:dir search;
@@ -218,15 +230,3 @@ dontaudit bootloader_t devpts_t:dir create_dir_perms;
 dontaudit bootloader_t var_run_t:dir search;
 
 ') dnl end TODO
-
-########################################
-#
-# Conditional policy logic
-#
-
-ifdef(`monolithic_policy',`
-ifdef(`modutils.te',`initrc_insmod_optional_policy')
-',`
-optional modutils { modutils_insmod_execute_depend }
-ifopt (modutils) { initrc_insmod_optional_policy }
-') dnl end monolithic_policy

refpolicy/policy/modules/kernel/corenetwork.if

@@ -791,7 +791,7 @@ allow $1 self:capability net_bind_service;
 ')
 
 define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
-type reserved_port_type;
+attribute reserved_port_type;
 class tcp_socket name_bind;
 class capability net_bind_service;
 ')
@@ -807,11 +807,39 @@ allow $1 self:capability net_bind_service;
 ')
 
 define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
-type reserved_port_type;
+attribute reserved_port_type;
 class udp_socket name_bind;
 class self:capability net_bind_service;
 ')
 
+#######################################
+#
+# corenetwork_ignore_bind_tcp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',$2)
+dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_ignore_bind_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',$2)
+dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class udp_socket name_bind;
+')
+
 ########################################
 #
 # This section is processed through m4 to create real interfaces

refpolicy/policy/modules/kernel/devices.te

@@ -13,6 +13,7 @@ attribute device_node;
 #
 type device_t;
 files_make_file(device_t)
+files_make_mountpoint(device_t)
 filesystem_tmpfs_associate(device_t)
 
 # Only directories and symlinks should be labeled device_t.

refpolicy/policy/modules/kernel/filesystem.te

@@ -110,6 +110,7 @@ allow removable_t usbfs_t:filesystem associate;
 # and their files.
 #
 type nfs_t, fs_type;
+files_make_mountpoint(nfs_t)
 allow nfs_t self:filesystem associate;
 genfscon nfs / system_u:object_r:nfs_t
 genfscon nfs4 / system_u:object_r:nfs_t

refpolicy/policy/modules/kernel/kernel.if

@@ -55,6 +55,20 @@ type kernel_t;
 class fd use;
 ')
 
+########################################
+#
+# kernel_ignore_use_file_descriptors(domain,[`optional'])
+#
+define(`kernel_ignore_use_file_descriptors',`
+requires_block_template(kernel_ignore_use_file_descriptors_depend,$2)
+dontaudit $1 kernel_t:fd use;
+')
+
+define(`kernel_ignore_use_file_descriptors_depend',`
+type kernel_t;
+class fd use;
+')
+
 ########################################
 #
 # kernel_make_root_filesystem_mountpoint(domain,[`optional'])

refpolicy/policy/modules/kernel/kernel.te

@@ -36,6 +36,7 @@ genfscon selinuxfs / system_u:object_r:security_t
 # sysfs_t is the type for /sys
 #
 type sysfs_t;
+files_make_mountpoint(sysfs_t)
 filesystem_make_filesystem(sysfs_t)
 genfscon sysfs / system_u:object_r:sysfs_t
 
@@ -43,6 +44,7 @@ genfscon sysfs / system_u:object_r:sysfs_t
 # usbfs_t is the type for /proc/bus/usb
 #
 type usbfs_t alias usbdevfs_t;
+files_make_mountpoint(usbfs_t)
 filesystem_make_filesystem(usbfs_t)
 genfscon usbfs / system_u:object_r:usbfs_t
 genfscon usbdevfs / system_u:object_r:usbfs_t
@@ -52,6 +54,7 @@ genfscon usbdevfs / system_u:object_r:usbfs_t
 #
 
 type proc_t;
+files_make_mountpoint(proc_t)
 genfscon proc / system_u:object_r:proc_t
 genfscon proc /sysvipc system_u:object_r:proc_t
 
@@ -89,6 +92,7 @@ genfscon proc /sys system_u:object_r:sysctl_t
 
 # /proc/sys/fs directory and files
 type sysctl_fs_t;
+files_make_mountpoint(sysctl_fs_t)
 genfscon proc /sys/fs system_u:object_r:sysctl_fs_t
 
 # /proc/sys/kernel directory and files

refpolicy/policy/modules/kernel/terminal.if

@@ -153,3 +153,19 @@ define(`terminal_ignore_list_pseudoterminals_depend',`
 type devpts_t;
 class dir { getattr search read };
 ')
+
+########################################
+#
+# terminal_get_user_terminal_attributes(domain,[`optional'])
+#
+define(`terminal_get_user_terminal_attributes',`
+requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_user_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
+devices_list_device_nodes_depend
+')

refpolicy/policy/modules/kernel/terminal.te

@@ -5,35 +5,31 @@ policy_module(terminal,1.0)
 attribute ttynode;
 attribute ptynode;
 
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t;
+devices_make_device_node(bsdpty_device_t)
+
 #
 # console_device_t is the type of /dev/console.
 #
 type console_device_t;
 devices_make_device_node(console_device_t)
 
+#
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t;
+files_make_mountpoint(devpts_t)
+filesystem_make_filesystem(devpts_t)
+
 #
 # devtty_t is the type of /dev/tty.
 #
 type devtty_t;
 devices_make_device_node(devtty_t)
 
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, ttynode;
-devices_make_device_node(tty_device_t)
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, ptynode;
-devices_make_device_node(bsdpty_device_t)
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t;
-devices_make_device_node(usbtty_device_t)
-
 #
 # ptmx_t is the type for /dev/ptmx.
 #
@@ -41,8 +37,13 @@ type ptmx_t;
 devices_make_device_node(ptmx_t)
 
 #
-# devpts_t is the type of the devpts file system and 
+# tty_device_t is the type of /dev/*tty*
-# the type of the root directory of the file system.
 #
-type devpts_t;
+type tty_device_t;
-filesystem_make_filesystem(devpts_t)
+devices_make_device_node(tty_device_t)
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t;
+devices_make_device_node(usbtty_device_t)

refpolicy/policy/modules/system/domain.if

@@ -113,6 +113,20 @@ define(`domain_make_file_descriptors_widely_inheritable_depend',`
 attribute privfd;
 ')
 
+########################################
+#
+# domain_use_widely_inheritable_file_descriptors(domain,[`optional'])
+#
+define(`domain_use_widely_inheritable_file_descriptors',`
+requires_block_template(domain_use_widely_inheritable_file_descriptors_depend,$2)
+allow $1 privfd:fd use;
+')
+
+define(`domain_use_widely_inheritable_file_descriptors_depend',`
+attribute privfd;
+class fd use;
+')
+
 ########################################
 #
 # domain_all_init_domains_transition(domain,[`optional'])

refpolicy/policy/modules/system/files.if

@@ -17,6 +17,19 @@ filesystem_associate_depend
 filesystem_noxattr_associate_depend
 ')
 
+########################################
+#
+# files_make_mountpoint(type,[`optional'])
+#
+define(`files_make_mountpoint',`
+requires_block_template(files_make_mountpoint_depend,$2)
+typeattribute $1 mountpoint;
+')
+
+define(`files_make_mountpoint_depend',`
+attribute mountpoint;
+')
+
 ########################################
 #
 # files_get_all_file_attributes(type,[`optional'])
@@ -93,6 +106,20 @@ attribute file_type;
 class dir { getattr search read };
 ')
 
+########################################
+#
+# files_mount_on_all_mountpoints(type,[`optional'])
+#
+define(`files_mount_on_all_mountpoints',`
+requires_block_template(files_mount_on_all_mountpoints_depend,$2)
+allow $1 mountpoint:dir { getattr search mounton };
+')
+
+define(`files_mount_on_all_mountpoints_depend',`
+attribute mountpoint;
+class dir { getattr search mounton };
+')
+
 ########################################
 #
 # files_read_root_dir(domain,[`optional'])
@@ -184,6 +211,20 @@ type root_t;
 class dir { getattr search read write remove_name };
 ')
 
+########################################
+#
+# files_unmount_root_filesystem(domain,[`optional'])
+#
+define(`files_unmount_root_filesystem',`
+requires_block_template(files_unmount_root_filesystem_depend,$2)
+allow $1 root_t:filesystem unmount;
+')
+
+define(`files_unmount_root_filesystem_depend',`
+type root_t;
+class filesystem unmount;
+')
+
 ########################################
 #
 # files_read_general_system_config(type,[`optional'])

refpolicy/policy/modules/system/files.te

@@ -6,11 +6,12 @@ attribute file_type;
 attribute lockfile;
 attribute pidfile;
 attribute tmpfile;
+attribute mountpoint;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type;
+type default_t, file_type, mountpoint;
 filesystem_associate(default_t)
 filesystem_noxattr_associate(default_t)
 
@@ -35,26 +36,16 @@ filesystem_noxattr_associate(etc_runtime_t)
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type;
+type file_t, file_type, mountpoint;
 filesystem_associate(file_t)
 filesystem_noxattr_associate(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
 
-#
-# root_t is the type for rootfs and the root directory.
-#
-type root_t, file_type;
-filesystem_associate(root_t)
-filesystem_noxattr_associate(root_t)
-kernel_read_directory_from(root_t)
-kernel_make_root_filesystem_mountpoint(root_t)
-genfscon rootfs / system_u:object_r:root_t
-
 #
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type;
+type home_root_t, file_type, mountpoint;
 filesystem_associate(home_root_t)
 filesystem_noxattr_associate(home_root_t)
 
@@ -68,7 +59,7 @@ filesystem_noxattr_associate(lost_found_t)
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
-type mnt_t, file_type;
+type mnt_t, file_type, mountpoint;
 filesystem_associate(mnt_t)
 filesystem_noxattr_associate(mnt_t)
 
@@ -84,6 +75,16 @@ type readable_t, file_type;
 filesystem_associate(readable_t)
 filesystem_noxattr_associate(readable_t)
 
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type, mountpoint;
+filesystem_associate(root_t)
+filesystem_noxattr_associate(root_t)
+kernel_read_directory_from(root_t)
+kernel_make_root_filesystem_mountpoint(root_t)
+genfscon rootfs / system_u:object_r:root_t
+
 #
 # src_t is the type of files in the system src directories.
 #
@@ -94,21 +95,21 @@ filesystem_noxattr_associate(src_t)
 #
 # tmp_t is the type of the temporary directories
 #
-type tmp_t, file_type, tmpfile;
+type tmp_t, file_type, tmpfile, mountpoint;
 filesystem_associate(tmp_t)
 filesystem_noxattr_associate(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type;
+type usr_t, file_type, mountpoint;
 filesystem_associate(usr_t)
 filesystem_noxattr_associate(usr_t)
 
 #
 # var_t is the type of /var
 #
-type var_t, file_type;
+type var_t, file_type, mountpoint;
 filesystem_associate(var_t)
 filesystem_noxattr_associate(var_t)
 

refpolicy/policy/modules/system/init.if

@@ -18,6 +18,20 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+#
+# init_get_control_channel_attributes(domain,[`optional'])
+#
+define(`init_get_control_channel_attributes',`
+requires_block_template(init_get_control_channel_attributes_depend,$2)
+allow $1 initctl_t:fifo_file getattr;
+')
+
+define(`init_get_control_channel_attributes_depend',`
+type initctl_t;
+class fifo_file getattr;
+')
+
 ########################################
 #
 # init_sigchld(domain,[`optional'])

refpolicy/policy/modules/system/mount.te

@@ -21,6 +21,7 @@ allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlin
 allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
 
 kernel_read_system_state(mount_t)
+kernel_ignore_use_file_descriptors(mount_t)
 
 devices_get_all_block_device_attributes(mount_t)
 devices_list_device_nodes(mount_t)
@@ -34,13 +35,23 @@ filesystem_get_persistent_filesystem_attributes(mount_t)
 filesystem_mount_all_filesystems(mount_t)
 filesystem_unmount_all_filesystems(mount_t)
 filesystem_remount_all_filesystems(mount_t)
+files_unmount_root_filesystem(mount_t)
 
 terminal_use_console(mount_t)
 
+corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
+corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
+
+init_use_file_descriptors(mount_t)
+init_script_use_pseudoterminal(mount_t)
+
+domain_use_widely_inheritable_file_descriptors(mount_t)
+
 files_search_all_directories(mount_t)
 files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
 files_read_general_system_config(mount_t)
 files_create_runtime_system_config(mount_t)
+files_mount_on_all_mountpoints(mount_t)
 
 libraries_use_dynamic_loader(mount_t)
 libraries_read_shared_libraries(mount_t)
@@ -54,31 +65,9 @@ logging_send_system_log_message(mount_t)
 miscfiles_read_localization(mount_t)
 
 ifdef(`TODO',`
-
 # Mount, remount and unmount file systems.
-allow mount_t default_t:dir mounton;
-allow mount_t file_t:dir mounton;
-allow mount_t usr_t:dir mounton;
-allow mount_t var_t:dir mounton;
-allow mount_t proc_t:dir mounton;
-allow mount_t root_t:dir mounton;
-allow mount_t home_root_t:dir mounton;
-allow mount_t tmp_t:dir mounton;
-allow mount_t mnt_t:dir { mounton getattr };
-allow mount_t devpts_t:dir mounton;
-allow mount_t usbdevfs_t:dir mounton;
-allow mount_t sysfs_t:dir { mounton search };
-allow mount_t nfs_t:dir { mounton search };
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;
-allow mount_t boot_t:dir mounton;
-allow mount_t device_t:dir mounton;
-# mount binfmt_misc on /proc/sys/fs/binfmt_misc
-allow mount_t sysctl_t:dir { mounton search };
-#TODO: Need macro for unmounting root filesystem
-#allow mount_t root_t:filesystem unmount;
-
-allow mount_t initrc_devpts_t:chr_file { read write };
 
 #domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 
@@ -91,10 +80,6 @@ allow sysadm_t sysadm_mount_source_t:file create_file_perms;
 allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
 allow mount_t sysadm_mount_source_t:file rw_file_perms;
 
-# TODO: Examine these further; may need macros
-allow mount_t init_t:fd use;
-allow mount_t privfd:fd use;
-
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
 allow mount_t file_t:file { getattr read unlink };
@@ -123,7 +108,6 @@ allow $2_t dosfs_t:filesystem relabelfrom;
 ') dnl end pamconsole.te
 ') dnl end distro_redhat
 
-# TODO: This macro contains an ifdef for rhgb.te
 ifdef(`rhgb.te', `
 allow mount_t rhgb_t:process sigchld;
 allow mount_t rhgb_t:fd use;
@@ -152,8 +136,4 @@ can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
 
-# Dontaudits
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
-dontaudit mount_t kernel_t:fd use;
-
 ') dnl endif TODO