add polyinstantiation.

Chris PeBenito 2006-01-10 21:03:16 +00:00
parent d163a43f90
commit b07eaef9d8
9 changed files with 94 additions and 26 deletions


@ -1,3 +1,4 @@
- Add polyinstantiation build option.
- Add setcontext to the association object class. - Add setcontext to the association object class.
- Add apache relay and db connect tunables. - Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t. - Rename texrel_shlib_t to textrel_shlib_t.


@ -109,6 +109,11 @@ ifneq ($(DISTRO),)
override M4PARAM += -D distro_$(DISTRO) override M4PARAM += -D distro_$(DISTRO)
endif endif
# enable polyinstantiation
ifeq ($(POLY),y)
override M4PARAM += -D enable_polyinstantiation
endif
ifneq ($(OUTPUT_POLICY),) ifneq ($(OUTPUT_POLICY),)
override CHECKPOLICY += -c $(OUTPUT_POLICY) override CHECKPOLICY += -c $(OUTPUT_POLICY)
endif endif


@ -42,5 +42,9 @@ DIRECT_INITRC=n
# will build a loadable module policy. # will build a loadable module policy.
MONOLITHIC=y MONOLITHIC=y
# Polyinstantiation
# Enable polyinstantiated directory support.
POLY=n
# Uncomment this to disable command echoing # Uncomment this to disable command echoing
#QUIET:=@ #QUIET:=@
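Review bot: The comment added above `POLY=n` does not tell the person building the policy what turning the option on grants. Going by the other files in this commit, defining `enable_polyinstantiation` gives every per-user su domain mount and unmount permissions plus several MLS-related interface calls, so the option is security-relevant and deserves a fuller description, for example `# Enable polyinstantiated directory support. This grants the su domains mount/unmount and MLS override permissions.` The Makefile test is `ifeq ($(POLY),y)`, so it would also help to state that only the exact value `y` enables it and any other value leaves polyinstantiation support out of the build.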


@ -212,6 +212,24 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t) userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home($1,$1_su_t) userdom_search_user_home($1,$1_su_t)
ifdef(`enable_polyinstantiation',`
mls_file_read_up($1_su_t)
mls_file_write_down($1_su_t)
mls_file_upgrade($1_su_t)
mls_file_downgrade($1_su_t)
mls_process_set_level($1_su_t)
# Su can polyinstantiate
files_polyinstantiate_all($1_su_t)
# Su needs additional permission to mount over a previous mount
files_mounton_all_poly_members($1_su_t)
# Su has to unmount polyinstantiated directories (like home)
# that should not be polyinstantiated under the new user
fs_unmount_xattr_fs($1_su_t)
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
# allow user to suspend terminal. # allow user to suspend terminal.
# does not work in strict since the # does not work in strict since the
@ -262,23 +280,6 @@ template(`su_per_userdomain_template',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`support_polyinstantiation', `
mls_file_read_up($1_su_t)
mls_file_write_down($1_su_t)
mls_file_upgrade($1_su_t)
mls_file_downgrade($1_su_t)
mls_process_set_level($1_su_t)
# Su can polyinstantiate
polyinstantiater($1_su_t)
# Su has to unmount polyinstantiated directories (like home)
# that should not be polyinstantiated under the new user
allow $1_su_t fs_t:filesystem unmount;
# Su needs additional permission to mount over a previous mount
allow $1_su_t polymember:dir mounton;
')
# Caused by su - init scripts # Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
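Review bot: The five `mls_*` calls at the top of the new `ifdef(`enable_polyinstantiation',` block carry no comment, unlike the three calls below them, although judging by their names they let `$1_su_t` read up, write down, relabel files across levels and change its own process level. This block used to sit inside `ifdef(`TODO',` and was therefore inactive; it now applies to every per-user su domain whenever `POLY=y`, whether or not all five overrides are needed. I would add a line stating the reason, such as `# MLS overrides needed to set up polyinstantiated directories at the target user's level` (if that is the reason), and drop any override that polyinstantiation does not require. The body of `su_per_userdomain_template` starts and ends outside these hunks.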


@ -1,5 +1,5 @@
policy_module(su,1.1.1) policy_module(su,1.1.2)
######################################## ########################################
# #


@ -3044,6 +3044,23 @@ interface(`files_read_all_pids',`
allow $1 pidfile:file r_file_perms; allow $1 pidfile:file r_file_perms;
') ')
########################################
## <summary>
## Mount filesystems on all polyinstantiation
## member directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_mounton_all_poly_members',`
gen_require(`
attribute polymember;
')
allow $1 polymember:dir mounton;
')
######################################## ########################################
# #
# files_delete_all_pids(domain) # files_delete_all_pids(domain)
@ -3153,6 +3170,47 @@ interface(`files_manage_generic_spools',`
allow $1 var_spool_t:file create_file_perms; allow $1 var_spool_t:file create_file_perms;
') ')
########################################
## <summary>
## Allow access to manage all polyinstantiated
## directories on the system.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_polyinstantiate_all',`
gen_require(`
attribute polydir, polymember, polyparent;
type poly_t;
')
# Need to give access to /selinux/member
selinux_compute_member($1)
# Need sys_admin capability for mounting
allow $1 self:capability sys_admin;
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create getattr search write add_name setattr mounton };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr };
allow $1 polydir: dir { write add_name };
allow $1 polyparent:dir { write add_name };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
')
######################################## ########################################
## <summary> ## <summary>
## Unconfined access to files. ## Unconfined access to files.
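Review bot: The summary of `files_polyinstantiate_all` says only "manage all polyinstantiated directories", but the body also grants `self:capability sys_admin`, `self:process setfscreate` and `mounton` on `polydir`, `polyparent` and `poly_t`, which is far more than a caller would expect from the name. The documentation block should say so, for instance `## Allow a domain to polyinstantiate directories; grants sys_admin, setfscreate and mounton on all polyinstantiated directories.`, so that the interface is only given to domains that really perform the mounts. In the same interface, `allow $1 polydir: dir { write add_name };` repeats permissions already present in the first `polydir:dir` rule and can be dropped. The stray space after the colon there and in the `polymember` rule should also go, giving `allow $1 polymember:dir { create setattr };`.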


@ -1,5 +1,5 @@
policy_module(files,1.0.0) policy_module(files,1.0.1)
######################################## ########################################
# #

View File

@ -228,6 +228,8 @@ template(`base_user_template',`
files_exec_etc_files($1_t) files_exec_etc_files($1_t)
files_search_locks($1_t) files_search_locks($1_t)
# Check to see if cdrom is mounted
files_search_mnt($1_t)
# old broswer_domain(): # old broswer_domain():
files_dontaudit_list_non_security($1_t) files_dontaudit_list_non_security($1_t)
files_dontaudit_getattr_non_security_files($1_t) files_dontaudit_getattr_non_security_files($1_t)
@ -443,9 +445,6 @@ template(`base_user_template',`
# #
dontaudit $1_t usr_t:file setattr; dontaudit $1_t usr_t:file setattr;
# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };
# /initrd is left mounted, various programs try to look at it # /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr; dontaudit $1_t ramfs_t:dir getattr;
@ -540,7 +539,7 @@ template(`unpriv_user_template', `
typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode; typeattribute $1_tty_device_t user_ttynode;
############################## ##############################
# #
# Local policy # Local policy
@ -601,7 +600,7 @@ template(`unpriv_user_template', `
ifdef(`enable_polyinstantiation',` ifdef(`enable_polyinstantiation',`
type_member $1_t $1_home_dir_t:dir $1_home_t; type_member $1_t $1_home_dir_t:dir $1_home_t;
files_poly_member_tmp($1_t) files_poly_member_tmp($1_t,$1_tmp_t)
') ')
tunable_policy(`user_dmesg',` tunable_policy(`user_dmesg',`
@ -659,9 +658,9 @@ template(`unpriv_user_template', `
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`enable_mls',`',` ifdef(`enable_mls',`',`
fs_exec_noxattr($1_t) fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',` tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile) create_dir_file($1_t, noexattrfile)
# Write floppies # Write floppies
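Review bot: In the first two hunks the rule `allow $1_t mnt_t:dir { getattr search };` is replaced by `files_search_mnt($1_t)`, whose definition is not part of this commit, so it is not visible whether `getattr` on `mnt_t` directories is still granted. If the interface grants only `search`, user domains lose a permission they had before and the "cdrom is mounted" check may start producing denials, so this is worth confirming against files.if. The changed call `files_poly_member_tmp($1_t,$1_tmp_t)` likewise relies on a two-argument form of an interface that this commit does not show. `base_user_template` and `unpriv_user_template` both extend beyond these hunks.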


@ -1,5 +1,5 @@
policy_module(userdomain,1.1.2) policy_module(userdomain,1.1.3)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r, secadm_r; role sysadm_r, staff_r, user_r, secadm_r;