move over to attributes for unconfined interfaces.
This commit is contained in:
parent
5516db6703
commit
b518fc2edf
@ -118,6 +118,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
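Review bot: One file-context entry in this hunk (the lost markers make it unclear which; by its position it looks like the `/usr/lib(64)?/apt/methods.+` line) is unrelated to the attribute refactor the title describes and is not mentioned in the commit message. Labelling changes for a package are easier to bisect and audit when they ship in their own commit; if it has to stay here, a line in the message naming the added entry would at least make the change traceable.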
@ -1253,18 +1253,8 @@ interface(`corenet_non_ipsec_sendrecv',`
|
||||
#
|
||||
interface(`corenet_unconfined',`
|
||||
gen_require(`
|
||||
attribute node_type, netif_type, port_type;
|
||||
attribute corenet_unconfined_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node *;
|
||||
allow $1 netif_type:netif *;
|
||||
allow $1 port_type:tcp_socket { send_msg recv_msg name_connect };
|
||||
allow $1 port_type:udp_socket { send_msg recv_msg };
|
||||
|
||||
# Bind to any network address.
|
||||
# cjp: rawip_socket doesnt make any sense
|
||||
allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
|
||||
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
typeattribute $1 corenet_unconfined_type;
|
||||
')
|
||||
|
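Review bot: The `gen_require` still lists `attribute node_type, netif_type, port_type;` while every `allow` on those attributes has left the interface body; if that line survived on the new side it is a dead require and only `attribute corenet_unconfined_type;` should remain. More importantly, `typeattribute $1 corenet_unconfined_type;` changes the interface's contract: `typeattribute` only accepts a type, so `corenet_unconfined()` can no longer be called with an attribute argument the way the old `allow $1 ...` body permitted. That constraint belongs in the interface's `## <param name="domain">` summary (outside this hunk), e.g. `## Domain to allow; must be a type, not an attribute, since it is added to corenet_unconfined_type.` The same documentation gap applies to `dev_unconfined`, `files_unconfined`, `fs_unconfined`, `kernel_unconfined` and `storage_unconfined` in this commit.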
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.1.4)
|
||||
policy_module(corenetwork,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -11,6 +11,8 @@ attribute node_type;
|
||||
attribute port_type;
|
||||
attribute reserved_port_type;
|
||||
|
||||
attribute corenet_unconfined_type;
|
||||
|
||||
type ppp_device_t;
|
||||
dev_node(ppp_device_t)
|
||||
|
||||
@ -174,3 +176,19 @@ ifdef(`enable_mls', `
|
||||
network_interface(lo, lo,s0 - s15:c0.c255)
|
||||
')
|
||||
#network_interface(eth0, eth0,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
|
||||
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
|
||||
|
||||
# Bind to any network address.
|
||||
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
|
||||
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
|
||||
|
||||
corenet_non_ipsec_sendrecv(corenet_unconfined_type)
|
||||
|
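Review bot: The new attribute rules at `allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;` and the matching `node_bind` line drop `rawip_socket`, which the old interface body granted (`allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;`). The removal is likely intentional given the "rawip_socket doesnt make any sense" comment, but the commit message only describes a move to attributes, so a reviewer auditing unconfined permissions would not expect any grant to change; either state the drop in the message or carry the permission over unchanged and remove it separately. The same silent drop happens in files.te, where `allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;` from the old `files_unconfined` has no counterpart under `files_unconfined_type`.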
@ -2850,13 +2850,8 @@ interface(`dev_execmod_zero',`
|
||||
#
|
||||
interface(`dev_unconfined',`
|
||||
gen_require(`
|
||||
attribute device_node, memory_raw_write, memory_raw_read;
|
||||
type mtrr_device_t;
|
||||
attribute devices_unconfined_type;
|
||||
')
|
||||
|
||||
allow $1 device_node:devfile_class_set *;
|
||||
allow $1 mtrr_device_t:{ dir file } *;
|
||||
|
||||
allow $1 self:capability sys_rawio;
|
||||
typeattribute $1 memory_raw_write, memory_raw_read;
|
||||
typeattribute $1 devices_unconfined_type;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.1.6)
|
||||
policy_module(devices,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -9,6 +9,7 @@ policy_module(devices,1.1.6)
|
||||
attribute device_node;
|
||||
attribute memory_raw_read;
|
||||
attribute memory_raw_write;
|
||||
attribute devices_unconfined_type;
|
||||
|
||||
#
|
||||
# device_t is the type of /dev.
|
||||
@ -190,3 +191,12 @@ fs_associate(device_node)
|
||||
fs_associate_tmpfs(device_node)
|
||||
|
||||
files_associate_tmp(device_node)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
allow devices_unconfined_type self:capability sys_rawio;
|
||||
allow devices_unconfined_type device_node:{ blk_file chr_file } *;
|
||||
allow devices_unconfined_type mtrr_device_t:{ dir file } *;
|
||||
|
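Review bot: `allow devices_unconfined_type device_node:{ blk_file chr_file } *;` grants full access to every device node, but unlike storage.te and kernel.te in this same commit, no `neverallow` in devices.te is widened to exempt the new attribute. If devices.te has `neverallow ~memory_raw_read ...`/`neverallow ~memory_raw_write ...` rules keyed on the `memory_raw_*` attributes (not visible in this hunk), then either the interface still adds callers to those attributes and the rule above is partly redundant, or it does not and the policy build will fail the neverallow check; the hunk at `dev_unconfined` does not show which. Whichever is intended, mirroring the storage.te form `neverallow ~{ memory_raw_read devices_unconfined_type } ...` keeps the invariant explicit.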
@ -1136,7 +1136,7 @@ interface(`domain_entry_file_spec_domtrans',`
|
||||
#
|
||||
interface(`domain_unconfined',`
|
||||
gen_require(`
|
||||
attribute domain, set_curr_context;
|
||||
attribute set_curr_context;
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
attribute can_change_object_identity;
|
||||
@ -1145,30 +1145,11 @@ interface(`domain_unconfined',`
|
||||
|
||||
typeattribute $1 unconfined_domain_type;
|
||||
|
||||
# pass all constraints
|
||||
# pass constraints
|
||||
typeattribute $1 can_change_process_identity;
|
||||
typeattribute $1 can_change_process_role;
|
||||
typeattribute $1 can_change_object_identity;
|
||||
typeattribute $1 set_curr_context;
|
||||
|
||||
# Use/sendto/connectto sockets created by any domain.
|
||||
allow $1 domain:{ socket_class_set socket key_socket } *;
|
||||
|
||||
# Use descriptors and pipes created by any domain.
|
||||
allow $1 domain:fd use;
|
||||
allow $1 domain:fifo_file rw_file_perms;
|
||||
|
||||
# Act upon any other process.
|
||||
allow $1 domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow $1 domain:{ sem msgq shm } *;
|
||||
allow $1 domain:msg { send receive };
|
||||
|
||||
# For /proc/pid
|
||||
allow $1 domain:dir r_dir_perms;
|
||||
allow $1 domain:file r_file_perms;
|
||||
allow $1 domain:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(domain,1.1.0)
|
||||
policy_module(domain,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -108,3 +108,31 @@ tunable_policy(`global_ssp',`
|
||||
# stack smashing protection.
|
||||
dev_read_urand(domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
# unconfined access also allows constraints, but this
|
||||
# is handled in the interface as typeattribute cannot
|
||||
# be used on an attribute.
|
||||
|
||||
# Use/sendto/connectto sockets created by any domain.
|
||||
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||
|
||||
# Use descriptors and pipes created by any domain.
|
||||
allow unconfined_domain_type domain:fd use;
|
||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||
|
||||
# Act upon any other process.
|
||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
||||
allow unconfined_domain_type domain:msg { send receive };
|
||||
|
||||
# For /proc/pid
|
||||
allow unconfined_domain_type domain:dir r_dir_perms;
|
||||
allow unconfined_domain_type domain:file r_file_perms;
|
||||
allow unconfined_domain_type domain:lnk_file r_file_perms;
|
||||
|
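Review bot: The header comment `# unconfined access also allows constraints, but this / # is handled in the interface as typeattribute cannot / # be used on an attribute.` is the one place the design decision is recorded and its first clause is misleading as written. Constraints are not "allowed" here; unconfined domains are exempted from them through the `can_change_*`/`set_curr_context` attributes, and that assignment stays in `domain_unconfined()` because `typeattribute` needs a type operand. Suggested wording: `# Unconfined domains also bypass the constraints via the can_change_* and set_curr_context attributes; that part stays in the domain_unconfined() interface because typeattribute cannot be applied to an attribute.`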
@ -330,6 +330,24 @@ interface(`files_dontaudit_list_non_security',`
|
||||
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to modify any directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_write_non_security_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all files.
|
||||
@ -3843,42 +3861,8 @@ interface(`files_polyinstantiate_all',`
|
||||
#
|
||||
interface(`files_unconfined',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
attribute files_unconfined_type;
|
||||
')
|
||||
|
||||
# Create/access any file in a labeled filesystem;
|
||||
allow $1 file_type:{ file chr_file } ~execmod;
|
||||
allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
|
||||
# Mount/unmount any filesystem with the context= option.
|
||||
allow $1 file_type:filesystem *;
|
||||
|
||||
# Bind to any network address.
|
||||
# cjp: need to check this, I dont think this has any effect.
|
||||
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`allow_execmod',`
|
||||
allow $1 file_type:file execmod;
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to modify any directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_write_non_security_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir write;
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
|
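Review bot: `files_write_non_security_dirs` is named and documented as excluding security files, and it requires `security_file_type`, yet its only rule is `allow $1 file_type:dir write;`, which grants write on every directory including security-labelled ones. The commit only relocates this interface, so the defect predates it, but it is now the new code under review: the rule should read `allow $1 { file_type -security_file_type }:dir write;`, matching `files_dontaudit_list_non_security` earlier in this hunk, and the `## <summary>` should say "Allow attempts to modify any non-security directory". As rendered, the trailing `typeattribute $1 files_unconfined_type;` before the closing `')` belongs to the rewritten `files_unconfined` body, not to this interface; worth a glance at the applied result to confirm the two bodies did not get merged.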
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.2.4)
|
||||
policy_module(files,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -7,6 +7,7 @@ policy_module(files,1.2.4)
|
||||
#
|
||||
|
||||
attribute file_type;
|
||||
attribute files_unconfined_type;
|
||||
attribute lockfile;
|
||||
attribute mountpoint;
|
||||
attribute pidfile;
|
||||
@ -195,3 +196,21 @@ fs_associate_tmpfs(tmpfile)
|
||||
#
|
||||
|
||||
fs_associate_tmpfs(tmpfsfile)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
# Create/access any file in a labeled filesystem;
|
||||
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
|
||||
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
|
||||
# Mount/unmount any filesystem with the context= option.
|
||||
allow files_unconfined_type file_type:filesystem *;
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`allow_execmod',`
|
||||
allow files_unconfined_type file_type:file execmod;
|
||||
')
|
||||
')
|
||||
|
@ -3159,13 +3159,8 @@ interface(`fs_dontaudit_getattr_all_sockets',`
|
||||
#
|
||||
interface(`fs_unconfined',`
|
||||
gen_require(`
|
||||
attribute filesystem_type;
|
||||
attribute filesystem_unconfined_type;
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:filesystem *;
|
||||
|
||||
# Create/access other files. fs_type is to pick up various
|
||||
# pseudo filesystem types that are applied to both the filesystem
|
||||
# and its files.
|
||||
allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
||||
typeattribute $1 filesystem_unconfined_type;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.3.4)
|
||||
policy_module(filesystem,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -7,6 +7,7 @@ policy_module(filesystem,1.3.4)
|
||||
#
|
||||
|
||||
attribute filesystem_type;
|
||||
attribute filesystem_unconfined_type;
|
||||
attribute noxattrfs;
|
||||
|
||||
##############################
|
||||
@ -176,3 +177,15 @@ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
#
|
||||
|
||||
allow filesystem_type self:filesystem associate;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
allow filesystem_unconfined_type filesystem_type:filesystem *;
|
||||
|
||||
# Create/access other files. fs_type is to pick up various
|
||||
# pseudo filesystem types that are applied to both the filesystem
|
||||
# and its files.
|
||||
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
||||
|
@ -2030,24 +2030,8 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
||||
#
|
||||
interface(`kernel_unconfined',`
|
||||
gen_require(`
|
||||
type kernel_t, unlabeled_t, sysctl_t;
|
||||
attribute proc_type, sysctl_type;
|
||||
attribute kern_unconfined;
|
||||
attribute can_load_kernmodule, can_receive_kernel_messages;
|
||||
')
|
||||
|
||||
allow $1 proc_type:{ dir file } *;
|
||||
|
||||
allow $1 sysctl_t:{ dir file } *;
|
||||
|
||||
allow $1 kernel_t:system *;
|
||||
|
||||
allow $1 unlabeled_t:dir_file_class_set *;
|
||||
allow $1 unlabeled_t:filesystem *;
|
||||
allow $1 unlabeled_t:association *;
|
||||
|
||||
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
|
||||
typeattribute $1 kern_unconfined;
|
||||
|
||||
kernel_rw_all_sysctls($1)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.3)
|
||||
policy_module(kernel,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,7 +10,7 @@ policy_module(kernel,1.3.3)
|
||||
attribute can_load_kernmodule;
|
||||
attribute can_receive_kernel_messages;
|
||||
|
||||
neverallow ~can_load_kernmodule self:capability sys_module;
|
||||
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
|
||||
|
||||
# domains with unconfined access to kernel resources
|
||||
attribute kern_unconfined;
|
||||
@ -62,11 +62,11 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
|
||||
# kernel message interface
|
||||
type proc_kmsg_t, proc_type;
|
||||
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
|
||||
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
|
||||
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
|
||||
|
||||
# /proc kcore: inaccessible
|
||||
type proc_kcore_t, proc_type;
|
||||
neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
|
||||
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
|
||||
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
|
||||
|
||||
type proc_mdstat_t, proc_type;
|
||||
@ -142,8 +142,8 @@ sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid init gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid init gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
@ -340,3 +340,20 @@ optional_policy(`
|
||||
# since you may have compromised system security.
|
||||
init_sigchld(unlabeled_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules for unconfined acccess to this module
|
||||
#
|
||||
|
||||
allow kern_unconfined proc_type:{ dir file } *;
|
||||
|
||||
allow kern_unconfined sysctl_t:{ dir file } *;
|
||||
|
||||
allow kern_unconfined kernel_t:system *;
|
||||
|
||||
allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
allow kern_unconfined unlabeled_t:filesystem *;
|
||||
allow kern_unconfined unlabeled_t:association *;
|
||||
|
||||
kernel_rw_all_sysctls(kern_unconfined)
|
||||
|
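Review bot: The `kern_unconfined` block grants proc, sysctl, `kernel_t:system` and `unlabeled_t` access, but nothing here replaces the `typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;` that the old `kernel_unconfined` body performed. The widened `neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;` and its `proc_kmsg_t` twin keep the policy compiling, but any positive `allow` rules keyed on those two attributes (not visible in this diff) would no longer reach unconfined domains; if the only consumers are the neverallows, a one-line comment above the neverallow saying so would save the next reader the search. Also, the new section header reads `# Rules for unconfined acccess to this module` — `access`.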
@ -664,15 +664,8 @@ interface(`storage_setattr_tape_dev',`
|
||||
#
|
||||
interface(`storage_unconfined',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t, removable_device_t;
|
||||
type scsi_generic_device_t, tape_device_t;
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
attribute scsi_generic_read, scsi_generic_write;
|
||||
attribute storage_unconfined_type;
|
||||
')
|
||||
|
||||
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
|
||||
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
typeattribute $1 scsi_generic_read, scsi_generic_write;
|
||||
typeattribute $1 storage_unconfined_type;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(storage,1.0.0)
|
||||
policy_module(storage,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,16 +10,17 @@ attribute fixed_disk_raw_read;
|
||||
attribute fixed_disk_raw_write;
|
||||
attribute scsi_generic_read;
|
||||
attribute scsi_generic_write;
|
||||
attribute storage_unconfined_type;
|
||||
|
||||
#
|
||||
# fixed_disk_device_t is the type of
|
||||
# /dev/hd* and /dev/sd*.
|
||||
#
|
||||
type fixed_disk_device_t alias lvm_vg_t;
|
||||
type fixed_disk_device_t;
|
||||
dev_node(fixed_disk_device_t)
|
||||
|
||||
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||
|
||||
#
|
||||
# scsi_generic_device_t is the type of /dev/sg*
|
||||
@ -28,8 +29,8 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app
|
||||
type scsi_generic_device_t;
|
||||
dev_node(scsi_generic_device_t)
|
||||
|
||||
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
|
||||
neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
|
||||
|
||||
#
|
||||
# removable_device_t is the type of
|
||||
@ -43,3 +44,11 @@ dev_node(removable_device_t)
|
||||
#
|
||||
type tape_device_t;
|
||||
dev_node(tape_device_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
|
||||
allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
|
||||
|
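Review bot: The hunk replaces `type fixed_disk_device_t alias lvm_vg_t;` with `type fixed_disk_device_t;`, removing the `lvm_vg_t` alias, which has nothing to do with moving unconfined access to an attribute and is not mentioned in the commit message. Any policy module or file context that still refers to `lvm_vg_t` would stop building or relabel incorrectly after this patch-level version bump. Either keep the alias here and retire it in its own commit, or state the removal in the message and bump the module version accordingly.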
@ -88,15 +88,6 @@ interface(`unconfined_domain_noaudit',`
|
||||
optional_policy(`
|
||||
storage_unconfined($1)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
if (allow_execmod) {
|
||||
ifdef(`targeted_policy', `', `
|
||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||
allow $1 home_type:file execmod;
|
||||
')
|
||||
}
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.3.2)
|
||||
policy_module(unconfined,1.3.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|