add polyinstantiation.
parent
d163a43f90
commit
b07eaef9d8
@ -1,3 +1,4 @@
|
|||||||
|
- Add polyinstantiation build option.
|
||||||
- Add setcontext to the association object class.
|
- Add setcontext to the association object class.
|
||||||
- Add apache relay and db connect tunables.
|
- Add apache relay and db connect tunables.
|
||||||
- Rename texrel_shlib_t to textrel_shlib_t.
|
- Rename texrel_shlib_t to textrel_shlib_t.
|
||||||
|
@ -109,6 +109,11 @@ ifneq ($(DISTRO),)
|
|||||||
override M4PARAM += -D distro_$(DISTRO)
|
override M4PARAM += -D distro_$(DISTRO)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
# enable polyinstantiation
|
||||||
|
ifeq ($(POLY),y)
|
||||||
|
override M4PARAM += -D enable_polyinstantiation
|
||||||
|
endif
|
||||||
|
|
||||||
ifneq ($(OUTPUT_POLICY),)
|
ifneq ($(OUTPUT_POLICY),)
|
||||||
override CHECKPOLICY += -c $(OUTPUT_POLICY)
|
override CHECKPOLICY += -c $(OUTPUT_POLICY)
|
||||||
endif
|
endif
|
||||||
|
@ -42,5 +42,9 @@ DIRECT_INITRC=n
|
|||||||
# will build a loadable module policy.
|
# will build a loadable module policy.
|
||||||
MONOLITHIC=y
|
MONOLITHIC=y
|
||||||
|
|
||||||
|
# Polyinstantiation
|
||||||
|
# Enable polyinstantiated directory support.
|
||||||
|
POLY=n
|
||||||
|
|
||||||
# Uncomment this to disable command echoing
|
# Uncomment this to disable command echoing
|
||||||
#QUIET:=@
|
#QUIET:=@
|
||||||
|
@ -212,6 +212,24 @@ template(`su_per_userdomain_template',`
|
|||||||
userdom_use_user_terminals($1,$1_su_t)
|
userdom_use_user_terminals($1,$1_su_t)
|
||||||
userdom_search_user_home($1,$1_su_t)
|
userdom_search_user_home($1,$1_su_t)
|
||||||
|
|
||||||
|
ifdef(`enable_polyinstantiation',`
|
||||||
|
mls_file_read_up($1_su_t)
|
||||||
|
mls_file_write_down($1_su_t)
|
||||||
|
mls_file_upgrade($1_su_t)
|
||||||
|
mls_file_downgrade($1_su_t)
|
||||||
|
mls_process_set_level($1_su_t)
|
||||||
|
|
||||||
|
# Su can polyinstantiate
|
||||||
|
files_polyinstantiate_all($1_su_t)
|
||||||
|
|
||||||
|
# Su needs additional permission to mount over a previous mount
|
||||||
|
files_mounton_all_poly_members($1_su_t)
|
||||||
|
|
||||||
|
# Su has to unmount polyinstantiated directories (like home)
|
||||||
|
# that should not be polyinstantiated under the new user
|
||||||
|
fs_unmount_xattr_fs($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
# allow user to suspend terminal.
|
# allow user to suspend terminal.
|
||||||
# does not work in strict since the
|
# does not work in strict since the
|
||||||
@ -262,23 +280,6 @@ template(`su_per_userdomain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
ifdef(`support_polyinstantiation', `
|
|
||||||
mls_file_read_up($1_su_t)
|
|
||||||
mls_file_write_down($1_su_t)
|
|
||||||
mls_file_upgrade($1_su_t)
|
|
||||||
mls_file_downgrade($1_su_t)
|
|
||||||
mls_process_set_level($1_su_t)
|
|
||||||
|
|
||||||
# Su can polyinstantiate
|
|
||||||
polyinstantiater($1_su_t)
|
|
||||||
# Su has to unmount polyinstantiated directories (like home)
|
|
||||||
# that should not be polyinstantiated under the new user
|
|
||||||
allow $1_su_t fs_t:filesystem unmount;
|
|
||||||
# Su needs additional permission to mount over a previous mount
|
|
||||||
allow $1_su_t polymember:dir mounton;
|
|
||||||
')
|
|
||||||
|
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||||
|
|
||||||
|
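Review bot: In the new enable_polyinstantiation block of su_per_userdomain_template, the five calls `mls_file_read_up`, `mls_file_write_down`, `mls_file_upgrade`, `mls_file_downgrade` and `mls_process_set_level` on `$1_su_t` have no why-comment, while the mount and unmount grants below them do. Judging by their names these exempt every per-user su domain from MLS constraints as soon as the policy is built with POLY=y, so I would add a comment above them, along the lines of `# su sets up member directories at the target user's level, which needs these MLS exemptions` (wording for the author to confirm), and drop any call that is not actually required. The block appears to have been lifted out of the TODO section with only the interface names changed, so the grant set may not have been re-evaluated. The template body starts and ends outside both hunks.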
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(su,1.1.1)
|
policy_module(su,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -3044,6 +3044,23 @@ interface(`files_read_all_pids',`
|
|||||||
allow $1 pidfile:file r_file_perms;
|
allow $1 pidfile:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Mount filesystems on all polyinstantiation
|
||||||
|
## member directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_mounton_all_poly_members',`
|
||||||
|
gen_require(`
|
||||||
|
attribute polymember;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 polymember:dir mounton;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_delete_all_pids(domain)
|
# files_delete_all_pids(domain)
|
||||||
@ -3153,6 +3170,47 @@ interface(`files_manage_generic_spools',`
|
|||||||
allow $1 var_spool_t:file create_file_perms;
|
allow $1 var_spool_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow access to manage all polyinstantiated
|
||||||
|
## directories on the system.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_polyinstantiate_all',`
|
||||||
|
gen_require(`
|
||||||
|
attribute polydir, polymember, polyparent;
|
||||||
|
type poly_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
# Need to give access to /selinux/member
|
||||||
|
selinux_compute_member($1)
|
||||||
|
|
||||||
|
# Need sys_admin capability for mounting
|
||||||
|
allow $1 self:capability sys_admin;
|
||||||
|
|
||||||
|
# Need to give access to the directories to be polyinstantiated
|
||||||
|
allow $1 polydir:dir { create getattr search write add_name setattr mounton };
|
||||||
|
|
||||||
|
# Need to give access to the polyinstantiated subdirectories
|
||||||
|
allow $1 polymember:dir search_dir_perms;
|
||||||
|
|
||||||
|
# Need to give access to parent directories where original
|
||||||
|
# is remounted for polyinstantiation aware programs (like gdm)
|
||||||
|
allow $1 polyparent:dir { getattr mounton };
|
||||||
|
|
||||||
|
# Need to give permission to create directories where applicable
|
||||||
|
allow $1 self:process setfscreate;
|
||||||
|
allow $1 polymember: dir { create setattr };
|
||||||
|
allow $1 polydir: dir { write add_name };
|
||||||
|
allow $1 polyparent:dir { write add_name };
|
||||||
|
|
||||||
|
# Default type for mountpoints
|
||||||
|
allow $1 poly_t:dir { create mounton };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Unconfined access to files.
|
## Unconfined access to files.
|
||||||
|
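Review bot: The `<summary>` of files_polyinstantiate_all only mentions managing polyinstantiated directories, but the body also grants `allow $1 self:capability sys_admin;` and `allow $1 self:process setfscreate;`, which a caller cannot tell from the name or the doc block. I would extend the summary to say so, for example `## Allow a domain to set up polyinstantiated directories; also grants the sys_admin capability and setfscreate to the domain.` Separately, `allow $1 polydir: dir { write add_name };` repeats permissions already present in the earlier `polydir:dir { create getattr search write add_name setattr mounton }` rule and can be dropped. The `polymember: dir` and `polydir: dir` rules also carry a space after the colon that the other rules in this interface do not have.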
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(files,1.0.0)
|
policy_module(files,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -228,6 +228,8 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
files_exec_etc_files($1_t)
|
files_exec_etc_files($1_t)
|
||||||
files_search_locks($1_t)
|
files_search_locks($1_t)
|
||||||
|
# Check to see if cdrom is mounted
|
||||||
|
files_search_mnt($1_t)
|
||||||
# old broswer_domain():
|
# old broswer_domain():
|
||||||
files_dontaudit_list_non_security($1_t)
|
files_dontaudit_list_non_security($1_t)
|
||||||
files_dontaudit_getattr_non_security_files($1_t)
|
files_dontaudit_getattr_non_security_files($1_t)
|
||||||
@ -443,9 +445,6 @@ template(`base_user_template',`
|
|||||||
#
|
#
|
||||||
dontaudit $1_t usr_t:file setattr;
|
dontaudit $1_t usr_t:file setattr;
|
||||||
|
|
||||||
# Check to see if cdrom is mounted
|
|
||||||
allow $1_t mnt_t:dir { getattr search };
|
|
||||||
|
|
||||||
# /initrd is left mounted, various programs try to look at it
|
# /initrd is left mounted, various programs try to look at it
|
||||||
dontaudit $1_t ramfs_t:dir getattr;
|
dontaudit $1_t ramfs_t:dir getattr;
|
||||||
|
|
||||||
@ -601,7 +600,7 @@ template(`unpriv_user_template', `
|
|||||||
|
|
||||||
ifdef(`enable_polyinstantiation',`
|
ifdef(`enable_polyinstantiation',`
|
||||||
type_member $1_t $1_home_dir_t:dir $1_home_t;
|
type_member $1_t $1_home_dir_t:dir $1_home_t;
|
||||||
files_poly_member_tmp($1_t)
|
files_poly_member_tmp($1_t,$1_tmp_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`user_dmesg',`
|
tunable_policy(`user_dmesg',`
|
||||||
@ -659,9 +658,9 @@ template(`unpriv_user_template', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
ifdef(`enable_mls',`',`
|
ifdef(`enable_mls',`',`
|
||||||
fs_exec_noxattr($1_t)
|
fs_exec_noxattr($1_t)
|
||||||
|
|
||||||
tunable_policy(`user_rw_noexattrfile',`
|
tunable_policy(`user_rw_noexattrfile',`
|
||||||
create_dir_file($1_t, noexattrfile)
|
create_dir_file($1_t, noexattrfile)
|
||||||
# Write floppies
|
# Write floppies
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.1.2)
|
policy_module(userdomain,1.1.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r, secadm_r;
|
role sysadm_r, staff_r, user_r, secadm_r;
|
||||||
|