rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

reverse

Browse Source
This commit is contained in:
Chris PeBenito 2006-02-16 16:45:03 +00:00
parent fcfe684b16
commit b389cd4533
20 changed files with 37 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
refpolicy/Makefile
View File

@ -284,10 +284,6 @@ else
include $(ROOT)/Rules.modular include $(ROOT)/Rules.modular
endif endif
test:
# $(MODDIR)
# $(ALL_LAYERS)
######################################## ########################################
# #
# Generated files # Generated files

2
refpolicy/Rules.monolithic
View File

@ -105,7 +105,7 @@ $(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
@test -d $(TMPDIR) || mkdir -p $(TMPDIR) @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
$(verbose) cat $^ > $@ $(verbose) cat $^ > $@
$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES) $(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
# per-userdomain templates: # per-userdomain templates:
@test -d $(TMPDIR) || mkdir -p $(TMPDIR) @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
$(verbose) echo "define(\`base_per_userdomain_template',\`" > $@ $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@

13
refpolicy/policy/mcs
View File

@ -137,24 +137,15 @@ level s0:c0.c255;
# Only files are constrained by MCS at this stage. # Only files are constrained by MCS at this stage.
# #
mlsconstrain file { write setattr append unlink link rename mlsconstrain file { write setattr append unlink link rename
ioctl lock execute relabelfrom } (h1 dom h2); create ioctl lock execute } (h1 dom h2);
mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
mlsconstrain file { read } ((h1 dom h2) or mlsconstrain file { read } ((h1 dom h2) or
( t1 == mlsfileread )); ( t1 == mlsfileread ));
# new file labels must be dominated by the relabeling subject clearance # new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
( h1 dom h2 ); ( h1 dom h2 );
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { ptrace } ( h1 dom h2 );
mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
( t1 == mcskillall );
define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
link unlink rename relabelfrom relabelto }') link unlink rename relabelfrom relabelto }')

19
refpolicy/policy/modules/kernel/devices.if
View File

@ -2656,22 +2656,3 @@ interface(`dev_unconfined',`
typeattribute $1 memory_raw_write, memory_raw_read; typeattribute $1 memory_raw_write, memory_raw_read;
') ')
########################################
## <summary>
## Read and write the USB device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_usb',`
gen_require(`
type usb_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file { read write };
')

1
refpolicy/policy/modules/kernel/mcs.fc
View File

@ -1 +0,0 @@
# no MCS file contexts

23
refpolicy/policy/modules/kernel/mcs.if
View File

@ -1,23 +0,0 @@
## <summary>Multicategory security policy</summary>
## <required val="true">
## Contains attributes used in MCS policy.
## </required>
########################################
## <summary>
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS level.
## </summary>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`mcs_killall',`
gen_require(`
attribute mcskillall;
')
typeattribute $1 mcskillall;
')

47
refpolicy/policy/modules/kernel/mcs.te
View File

@ -1,47 +0,0 @@
policy_module(mcs,1.0.0)
########################################
#
# Declarations
#
attribute mcskillall;
########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;
ifdef(`enable_mcs',`
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
# these might be targeted_policy only
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition unconfined_t initrc_exec_t s0;
')

30
refpolicy/policy/modules/kernel/mls.te
View File

@ -53,10 +53,38 @@ attribute mlsrangetrans;
# #
# Only the base module can have range_transitions, so we # Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this. # temporarily have to break encapsulation to work around this.
# Other types are declared in the mcs module.
# #
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type lvm_exec_t; type lvm_exec_t;
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;
ifdef(`enable_mcs',`
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
# these might be targeted_policy only
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition unconfined_t initrc_exec_t s0;
')
ifdef(`enable_mls',` ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c255; range_transition initrc_t auditd_exec_t s15:c0.c255;

1
refpolicy/policy/modules/services/bluetooth.te
View File

@ -101,7 +101,6 @@ corenet_udp_bind_all_nodes(bluetooth_t)
dev_read_sysfs(bluetooth_t) dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t) dev_rw_usbfs(bluetooth_t)
dev_rw_usb(bluetooth_t)
dev_read_urand(bluetooth_t) dev_read_urand(bluetooth_t)
fs_getattr_all_fs(bluetooth_t) fs_getattr_all_fs(bluetooth_t)

3
refpolicy/policy/modules/services/hal.te
View File

@ -97,8 +97,6 @@ fs_search_auto_mountpoints(hald_t)
mls_file_read_up(hald_t) mls_file_read_up(hald_t)
modutils_domtrans_insmod(hald_t)
selinux_get_fs_mount(hald_t) selinux_get_fs_mount(hald_t)
selinux_validate_context(hald_t) selinux_validate_context(hald_t)
selinux_compute_access_vector(hald_t) selinux_compute_access_vector(hald_t)
@ -130,7 +128,6 @@ libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t) libs_exec_lib_files(hald_t)
logging_send_syslog_msg(hald_t) logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)
miscfiles_read_localization(hald_t) miscfiles_read_localization(hald_t)
miscfiles_read_hwdata(hald_t) miscfiles_read_hwdata(hald_t)

3
refpolicy/policy/modules/services/mta.te
View File

@ -44,9 +44,6 @@ role system_r types system_mail_t;
# System mail local policy # System mail local policy
# #
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override };
allow system_mail_t etc_mail_t:dir { getattr search }; allow system_mail_t etc_mail_t:dir { getattr search };
allow system_mail_t etc_mail_t:file r_file_perms; allow system_mail_t etc_mail_t:file r_file_perms;

2
refpolicy/policy/modules/services/networkmanager.te
View File

@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid
dontaudit NetworkManager_t self:capability sys_tty_config; dontaudit NetworkManager_t self:capability sys_tty_config;
allow NetworkManager_t self:process { setcap getsched signal_perms }; allow NetworkManager_t self:process { setcap getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_file_perms; allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms;

4
refpolicy/policy/modules/services/postfix.te
View File

@ -273,8 +273,6 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t) corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t) corecmd_exec_bin(postfix_local_t)
files_read_etc_files(postfix_local_t)
mta_read_aliases(postfix_local_t) mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t) mta_delete_spool(postfix_local_t)
# For reading spamassasin # For reading spamassasin
@ -397,8 +395,6 @@ allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t postfix_private_t:dir search; allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write; allow postfix_pipe_t postfix_private_t:sock_file write;
allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
allow postfix_pipe_t postfix_spool_t:dir search; allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms; allow postfix_pipe_t postfix_spool_t:file rw_file_perms;

3
refpolicy/policy/modules/system/init.fc
View File

@ -22,8 +22,7 @@ ifdef(`targeted_policy', `', `
# #
# /sbin # /sbin
# #
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', ` ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)

4
refpolicy/policy/modules/system/init.te
View File

@ -155,8 +155,6 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t) logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t) logging_rw_generic_logs(init_t)
mcs_killall(init_t)
mls_file_read_up(init_t) mls_file_read_up(init_t)
mls_file_write_down(init_t) mls_file_write_down(init_t)
mls_rangetrans_target(init_t) mls_rangetrans_target(init_t)
@ -362,8 +360,6 @@ miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript # slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t) miscfiles_read_certs(initrc_t)
mcs_killall(initrc_t)
mls_file_read_up(initrc_t) mls_file_read_up(initrc_t)
mls_file_write_down(initrc_t) mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t) mls_process_read_up(initrc_t)

1
refpolicy/policy/modules/system/libraries.if
View File

@ -283,7 +283,6 @@ interface(`libs_manage_lib_files',`
allow $1 lib_t:dir search_dir_perms; allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file manage_file_perms; allow $1 lib_t:file manage_file_perms;
allow $1 lib_t:lnk_file unlink;
') ')
######################################## ########################################

3
refpolicy/policy/modules/system/selinuxutil.fc
View File

@ -10,7 +10,6 @@
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
@ -40,5 +39,3 @@
ifdef(`distro_debian', ` ifdef(`distro_debian', `
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
') ')
/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0)

23
refpolicy/policy/modules/system/selinuxutil.if
View File

@ -585,28 +585,6 @@ interface(`seutil_read_file_contexts',`
allow $1 file_context_t:lnk_file { getattr read }; allow $1 file_context_t:lnk_file { getattr read };
') ')
########################################
## <summary>
## Read and write the file_contexts files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`seutil_rw_file_contexts',`
gen_require(`
type selinux_config_t, file_context_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 file_context_t:dir r_dir_perms;
allow $1 file_context_t:file rw_file_perms;
allow $1 file_context_t:lnk_file { getattr read };
')
######################################## ########################################
# #
# seutil_read_bin_policy(domain) # seutil_read_bin_policy(domain)
@ -705,3 +683,4 @@ interface(`seutil_manage_src_policy',`
allow $1 policy_src_t:dir create_dir_perms; allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms; allow $1 policy_src_t:file create_file_perms;
') ')

3
refpolicy/policy/modules/system/unconfined.if
View File

@ -55,11 +55,10 @@ interface(`unconfined_domain_noaudit',`
tunable_policy(`allow_execmem && allow_execstack',` tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect. # Allow making the stack executable via mprotect.
allow $1 self:process execstack; allow $1 self:process execstack;
auditallow $1 self:process execstack;
', ` ', `
# These are fairly common but seem to be harmless # These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains # caused by using shared libraries built with old tool chains
#dontaudit $1 self:process execstack; dontaudit $1 self:process execstack;
') ')

7
refpolicy/policy/modules/system/userdomain.te
View File

@ -165,13 +165,9 @@ ifdef(`targeted_policy',`
') ')
ifdef(`enable_mls',` ifdef(`enable_mls',`
corecmd_exec_shell(secadm_t)
mls_process_read_up(secadm_t)
mls_file_write_down(secadm_t)
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
logging_read_audit_log(secadm_t) logging_read_audit_log(secadm_t)
logging_domtrans_auditctl(secadm_t) logging_domtrans_auditctl(secadm_t)
mls_process_read_up(secadm_t)
userdom_dontaudit_append_staff_home_files(secadm_t) userdom_dontaudit_append_staff_home_files(secadm_t)
', ` ', `
logging_domtrans_auditctl(sysadm_t) logging_domtrans_auditctl(sysadm_t)
@ -358,7 +354,6 @@ ifdef(`targeted_policy',`
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal) seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal) seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
', ` ', `
selinux_set_enforce_mode(sysadm_t) selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t) selinux_set_boolean(sysadm_t)