move over to attributes for unconfined interfaces.
This commit is contained in:
		
							parent
							
								
									5516db6703
								
							
						
					
					
						commit
						b518fc2edf
					
				| @ -118,6 +118,7 @@ ifdef(`distro_gentoo',` | |||||||
| 
 | 
 | ||||||
| /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) | /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) | ||||||
| /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0) | /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  | /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0) | ||||||
| /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0) | /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
| /usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0) | /usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
| /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0) | /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0) | ||||||
|  | |||||||
| @ -1253,18 +1253,8 @@ interface(`corenet_non_ipsec_sendrecv',` | |||||||
| # | # | ||||||
| interface(`corenet_unconfined',` | interface(`corenet_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		attribute node_type, netif_type, port_type; | 		attribute corenet_unconfined_type; | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	allow $1 node_type:node *; | 	typeattribute $1 corenet_unconfined_type; | ||||||
| 	allow $1 netif_type:netif *; |  | ||||||
| 	allow $1 port_type:tcp_socket { send_msg recv_msg name_connect }; |  | ||||||
| 	allow $1 port_type:udp_socket { send_msg recv_msg }; |  | ||||||
| 
 |  | ||||||
| 	# Bind to any network address. |  | ||||||
| 	# cjp: rawip_socket doesnt make any sense |  | ||||||
| 	allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind; |  | ||||||
| 	allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind; |  | ||||||
| 
 |  | ||||||
| 	corenet_non_ipsec_sendrecv($1) |  | ||||||
| ') | ') | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(corenetwork,1.1.4) | policy_module(corenetwork,1.1.5) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -11,6 +11,8 @@ attribute node_type; | |||||||
| attribute port_type; | attribute port_type; | ||||||
| attribute reserved_port_type; | attribute reserved_port_type; | ||||||
| 
 | 
 | ||||||
|  | attribute corenet_unconfined_type; | ||||||
|  | 
 | ||||||
| type ppp_device_t; | type ppp_device_t; | ||||||
| dev_node(ppp_device_t) | dev_node(ppp_device_t) | ||||||
| 
 | 
 | ||||||
| @ -174,3 +176,19 @@ ifdef(`enable_mls', ` | |||||||
| network_interface(lo, lo,s0 - s15:c0.c255) | network_interface(lo, lo,s0 - s15:c0.c255) | ||||||
| ') | ') | ||||||
| #network_interface(eth0, eth0,s0) | #network_interface(eth0, eth0,s0) | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | allow corenet_unconfined_type node_type:node *; | ||||||
|  | allow corenet_unconfined_type netif_type:netif *; | ||||||
|  | allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; | ||||||
|  | allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; | ||||||
|  | 
 | ||||||
|  | # Bind to any network address. | ||||||
|  | allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; | ||||||
|  | allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind; | ||||||
|  | 
 | ||||||
|  | corenet_non_ipsec_sendrecv(corenet_unconfined_type) | ||||||
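Review bot: The rule block moved into corenetwork.te drops the rawip_socket class from the name_bind and node_bind rules (compare the two bind rules here with the removed interface lines, which listed `{ tcp_socket udp_socket rawip_socket }`), so callers of corenet_unconfined() lose raw-IP binding; the removed `# cjp: rawip_socket doesnt make any sense` comment suggests this is deliberate, but the commit message describes only a move to attributes. The same silent narrowing happens in files.te, where the moved block omits the `file_type:{ unix_stream_socket unix_dgram_socket } name_bind` rule that the old files_unconfined() carried. Either restore the rules or record the drop where the rules now live, e.g. `# rawip_socket intentionally omitted from the bind rules` above the two bind lines here, and mention both removals in the commit message so the permission change is not hidden inside a refactor.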
|  | |||||||
| @ -2850,13 +2850,8 @@ interface(`dev_execmod_zero',` | |||||||
| # | # | ||||||
| interface(`dev_unconfined',` | interface(`dev_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		attribute device_node, memory_raw_write, memory_raw_read; | 		attribute devices_unconfined_type; | ||||||
| 		type mtrr_device_t; |  | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	allow $1 device_node:devfile_class_set *; | 	typeattribute $1 devices_unconfined_type; | ||||||
| 	allow $1 mtrr_device_t:{ dir file } *; |  | ||||||
| 
 |  | ||||||
| 	allow $1 self:capability sys_rawio; |  | ||||||
| 	typeattribute $1 memory_raw_write, memory_raw_read; |  | ||||||
| ') | ') | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(devices,1.1.6) | policy_module(devices,1.1.7) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -9,6 +9,7 @@ policy_module(devices,1.1.6) | |||||||
| attribute device_node; | attribute device_node; | ||||||
| attribute memory_raw_read; | attribute memory_raw_read; | ||||||
| attribute memory_raw_write; | attribute memory_raw_write; | ||||||
|  | attribute devices_unconfined_type; | ||||||
| 
 | 
 | ||||||
| # | # | ||||||
| # device_t is the type of /dev. | # device_t is the type of /dev. | ||||||
| @ -190,3 +191,12 @@ fs_associate(device_node) | |||||||
| fs_associate_tmpfs(device_node) | fs_associate_tmpfs(device_node) | ||||||
| 
 | 
 | ||||||
| files_associate_tmp(device_node) | files_associate_tmp(device_node) | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | allow devices_unconfined_type self:capability sys_rawio; | ||||||
|  | allow devices_unconfined_type device_node:{ blk_file chr_file } *; | ||||||
|  | allow devices_unconfined_type mtrr_device_t:{ dir file } *; | ||||||
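Review bot: Unlike storage.te and kernel.te in this same commit, the devices.te hunks add no neverallow exemption for the new attribute, yet dev_unconfined() no longer applies memory_raw_read/memory_raw_write to its caller and the block here grants `*` on every device_node chr_file/blk_file. If devices.te carries `neverallow ~memory_raw_read` style rules on memory device types (not visible in these hunks), the new blanket allow would either be rejected at build time or leave callers without the raw-memory attributes they previously received through the interface. Either keep `typeattribute $1 memory_raw_write, memory_raw_read;` in dev_unconfined() or widen those neverallows to `~{ memory_raw_read devices_unconfined_type }`, mirroring what storage.te does for storage_unconfined_type.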
|  | |||||||
| @ -1136,7 +1136,7 @@ interface(`domain_entry_file_spec_domtrans',` | |||||||
| # | # | ||||||
| interface(`domain_unconfined',` | interface(`domain_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		attribute domain, set_curr_context; | 		attribute set_curr_context; | ||||||
| 		attribute can_change_process_identity; | 		attribute can_change_process_identity; | ||||||
| 		attribute can_change_process_role; | 		attribute can_change_process_role; | ||||||
| 		attribute can_change_object_identity; | 		attribute can_change_object_identity; | ||||||
| @ -1145,30 +1145,11 @@ interface(`domain_unconfined',` | |||||||
| 
 | 
 | ||||||
| 	typeattribute $1 unconfined_domain_type; | 	typeattribute $1 unconfined_domain_type; | ||||||
| 
 | 
 | ||||||
| 	# pass all constraints | 	# pass constraints | ||||||
| 	typeattribute $1 can_change_process_identity; | 	typeattribute $1 can_change_process_identity; | ||||||
| 	typeattribute $1 can_change_process_role; | 	typeattribute $1 can_change_process_role; | ||||||
| 	typeattribute $1 can_change_object_identity; | 	typeattribute $1 can_change_object_identity; | ||||||
| 	typeattribute $1 set_curr_context; | 	typeattribute $1 set_curr_context; | ||||||
| 
 |  | ||||||
| 	# Use/sendto/connectto sockets created by any domain. |  | ||||||
| 	allow $1 domain:{ socket_class_set socket key_socket } *; |  | ||||||
| 
 |  | ||||||
| 	# Use descriptors and pipes created by any domain. |  | ||||||
| 	allow $1 domain:fd use; |  | ||||||
| 	allow $1 domain:fifo_file rw_file_perms; |  | ||||||
| 
 |  | ||||||
| 	# Act upon any other process. |  | ||||||
| 	allow $1 domain:process ~{ transition dyntransition execmem execstack execheap }; |  | ||||||
| 
 |  | ||||||
| 	# Create/access any System V IPC objects. |  | ||||||
| 	allow $1 domain:{ sem msgq shm } *; |  | ||||||
| 	allow $1 domain:msg { send receive }; |  | ||||||
| 
 |  | ||||||
| 	# For /proc/pid |  | ||||||
| 	allow $1 domain:dir r_dir_perms; |  | ||||||
| 	allow $1 domain:file r_file_perms; |  | ||||||
| 	allow $1 domain:lnk_file r_file_perms; |  | ||||||
| ') | ') | ||||||
| 
 | 
 | ||||||
| # | # | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(domain,1.1.0) | policy_module(domain,1.1.1) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -108,3 +108,31 @@ tunable_policy(`global_ssp',` | |||||||
| 	# stack smashing protection. | 	# stack smashing protection. | ||||||
| 	dev_read_urand(domain) | 	dev_read_urand(domain) | ||||||
| ') | ') | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | # unconfined access also allows constraints, but this | ||||||
|  | # is handled in the interface as typeattribute cannot | ||||||
|  | # be used on an attribute. | ||||||
|  | 
 | ||||||
|  | # Use/sendto/connectto sockets created by any domain. | ||||||
|  | allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; | ||||||
|  | 
 | ||||||
|  | # Use descriptors and pipes created by any domain. | ||||||
|  | allow unconfined_domain_type domain:fd use; | ||||||
|  | allow unconfined_domain_type domain:fifo_file rw_file_perms; | ||||||
|  | 
 | ||||||
|  | # Act upon any other process. | ||||||
|  | allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; | ||||||
|  | 
 | ||||||
|  | # Create/access any System V IPC objects. | ||||||
|  | allow unconfined_domain_type domain:{ sem msgq shm } *; | ||||||
|  | allow unconfined_domain_type domain:msg { send receive }; | ||||||
|  | 
 | ||||||
|  | # For /proc/pid | ||||||
|  | allow unconfined_domain_type domain:dir r_dir_perms; | ||||||
|  | allow unconfined_domain_type domain:file r_file_perms; | ||||||
|  | allow unconfined_domain_type domain:lnk_file r_file_perms; | ||||||
|  | |||||||
| @ -330,6 +330,24 @@ interface(`files_dontaudit_list_non_security',` | |||||||
| 	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; | 	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; | ||||||
| ') | ') | ||||||
| 
 | 
 | ||||||
|  | ######################################## | ||||||
|  | ## <summary> | ||||||
|  | ##	Allow attempts to modify any directory | ||||||
|  | ## </summary> | ||||||
|  | ## <param name="domain"> | ||||||
|  | ##	<summary> | ||||||
|  | ##	Domain to allow | ||||||
|  | ##	</summary> | ||||||
|  | ## </param> | ||||||
|  | # | ||||||
|  | interface(`files_write_non_security_dirs',` | ||||||
|  | 	gen_require(` | ||||||
|  | 		attribute file_type, security_file_type; | ||||||
|  | 	') | ||||||
|  | 
 | ||||||
|  | 	allow $1 file_type:dir write; | ||||||
|  | ') | ||||||
|  | 
 | ||||||
| ######################################## | ######################################## | ||||||
| ## <summary> | ## <summary> | ||||||
| ##	Get the attributes of all files. | ##	Get the attributes of all files. | ||||||
| @ -3843,42 +3861,8 @@ interface(`files_polyinstantiate_all',` | |||||||
| # | # | ||||||
| interface(`files_unconfined',` | interface(`files_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		attribute file_type; | 		attribute files_unconfined_type; | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	# Create/access any file in a labeled filesystem; | 	typeattribute $1 files_unconfined_type; | ||||||
| 	allow $1 file_type:{ file chr_file } ~execmod; |  | ||||||
| 	allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; |  | ||||||
| 
 |  | ||||||
| 	# Mount/unmount any filesystem with the context= option.  |  | ||||||
| 	allow $1 file_type:filesystem *; |  | ||||||
| 
 |  | ||||||
| 	# Bind to any network address. |  | ||||||
| 	# cjp: need to check this, I dont think this has any effect. |  | ||||||
| 	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; |  | ||||||
| 
 |  | ||||||
| 	ifdef(`targeted_policy',` |  | ||||||
| 		tunable_policy(`allow_execmod',` |  | ||||||
| 			allow $1 file_type:file execmod; |  | ||||||
| 		') |  | ||||||
| 	') |  | ||||||
| ') |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| ######################################## |  | ||||||
| ## <summary> |  | ||||||
| ##	Allow attempts to modify any directory |  | ||||||
| ## </summary> |  | ||||||
| ## <param name="domain"> |  | ||||||
| ##	<summary> |  | ||||||
| ##	Domain to allow |  | ||||||
| ##	</summary> |  | ||||||
| ## </param> |  | ||||||
| # |  | ||||||
| interface(`files_write_non_security_dirs',` |  | ||||||
| 	gen_require(` |  | ||||||
| 		attribute file_type, security_file_type; |  | ||||||
| 	') |  | ||||||
| 
 |  | ||||||
| 	allow $1 file_type:dir write; |  | ||||||
| ') | ') | ||||||
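Review bot: `files_write_non_security_dirs`, relocated above `files_unconfined` in the first hunk, requires `security_file_type` but never uses it: its single rule `allow $1 file_type:dir write;` grants write on every directory type, including security ones, while its name and the sibling interface just above it (`dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;`) say non-security only. Since the commit already moves this interface, it is the moment to make the rule match the name: `allow $1 { file_type -security_file_type }:dir write;`. The `<summary>` should then read "Allow attempts to write any non-security directory" so the documented scope matches the rule.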
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(files,1.2.4) | policy_module(files,1.2.5) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -7,6 +7,7 @@ policy_module(files,1.2.4) | |||||||
| # | # | ||||||
| 
 | 
 | ||||||
| attribute file_type; | attribute file_type; | ||||||
|  | attribute files_unconfined_type; | ||||||
| attribute lockfile; | attribute lockfile; | ||||||
| attribute mountpoint; | attribute mountpoint; | ||||||
| attribute pidfile; | attribute pidfile; | ||||||
| @ -195,3 +196,21 @@ fs_associate_tmpfs(tmpfile) | |||||||
| # | # | ||||||
| 
 | 
 | ||||||
| fs_associate_tmpfs(tmpfsfile) | fs_associate_tmpfs(tmpfsfile) | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | # Create/access any file in a labeled filesystem; | ||||||
|  | allow files_unconfined_type file_type:{ file chr_file } ~execmod; | ||||||
|  | allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; | ||||||
|  | 
 | ||||||
|  | # Mount/unmount any filesystem with the context= option.  | ||||||
|  | allow files_unconfined_type file_type:filesystem *; | ||||||
|  | 
 | ||||||
|  | ifdef(`targeted_policy',` | ||||||
|  | 	tunable_policy(`allow_execmod',` | ||||||
|  | 		allow files_unconfined_type file_type:file execmod; | ||||||
|  | 	') | ||||||
|  | ') | ||||||
|  | |||||||
| @ -3159,13 +3159,8 @@ interface(`fs_dontaudit_getattr_all_sockets',` | |||||||
| # | # | ||||||
| interface(`fs_unconfined',` | interface(`fs_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		attribute filesystem_type; | 		attribute filesystem_unconfined_type; | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	allow $1 filesystem_type:filesystem *; | 	typeattribute $1 filesystem_unconfined_type; | ||||||
| 
 |  | ||||||
| 	# Create/access other files.  fs_type is to pick up various |  | ||||||
| 	# pseudo filesystem types that are applied to both the filesystem |  | ||||||
| 	# and its files. |  | ||||||
| 	allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; |  | ||||||
| ') | ') | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(filesystem,1.3.4) | policy_module(filesystem,1.3.5) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -7,6 +7,7 @@ policy_module(filesystem,1.3.4) | |||||||
| # | # | ||||||
| 
 | 
 | ||||||
| attribute filesystem_type; | attribute filesystem_type; | ||||||
|  | attribute filesystem_unconfined_type; | ||||||
| attribute noxattrfs; | attribute noxattrfs; | ||||||
| 
 | 
 | ||||||
| ############################## | ############################## | ||||||
| @ -176,3 +177,15 @@ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) | |||||||
| # | # | ||||||
| 
 | 
 | ||||||
| allow filesystem_type self:filesystem associate; | allow filesystem_type self:filesystem associate; | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | allow filesystem_unconfined_type filesystem_type:filesystem *; | ||||||
|  | 
 | ||||||
|  | # Create/access other files.  fs_type is to pick up various | ||||||
|  | # pseudo filesystem types that are applied to both the filesystem | ||||||
|  | # and its files. | ||||||
|  | allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; | ||||||
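Review bot: The comment above the last rule still says `fs_type is to pick up various pseudo filesystem types`, but the attribute the rule uses, and the one this file declares, is `filesystem_type`; a reader searching for fs_type will find nothing. Suggest `# filesystem_type is to pick up various` on that line. The rest of the block is a verbatim move from fs_unconfined(), and the interface now only applies the attribute, which is consistent with the other modules in this commit.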
|  | |||||||
| @ -2030,24 +2030,8 @@ interface(`kernel_sendrecv_unlabeled_association',` | |||||||
| # | # | ||||||
| interface(`kernel_unconfined',` | interface(`kernel_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		type kernel_t, unlabeled_t, sysctl_t; |  | ||||||
| 		attribute proc_type, sysctl_type; |  | ||||||
| 		attribute kern_unconfined; | 		attribute kern_unconfined; | ||||||
| 		attribute can_load_kernmodule, can_receive_kernel_messages; |  | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	allow $1 proc_type:{ dir file } *; |  | ||||||
| 
 |  | ||||||
| 	allow $1 sysctl_t:{ dir file } *; |  | ||||||
| 
 |  | ||||||
| 	allow $1 kernel_t:system *; |  | ||||||
| 
 |  | ||||||
| 	allow $1 unlabeled_t:dir_file_class_set *; |  | ||||||
| 	allow $1 unlabeled_t:filesystem *; |  | ||||||
| 	allow $1 unlabeled_t:association *; |  | ||||||
| 
 |  | ||||||
| 	typeattribute $1 can_load_kernmodule, can_receive_kernel_messages; |  | ||||||
| 	typeattribute $1 kern_unconfined; | 	typeattribute $1 kern_unconfined; | ||||||
| 
 |  | ||||||
| 	kernel_rw_all_sysctls($1) |  | ||||||
| ') | ') | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(kernel,1.3.3) | policy_module(kernel,1.3.4) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -10,7 +10,7 @@ policy_module(kernel,1.3.3) | |||||||
| attribute can_load_kernmodule; | attribute can_load_kernmodule; | ||||||
| attribute can_receive_kernel_messages; | attribute can_receive_kernel_messages; | ||||||
| 
 | 
 | ||||||
| neverallow ~can_load_kernmodule self:capability sys_module; | neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; | ||||||
| 
 | 
 | ||||||
| # domains with unconfined access to kernel resources | # domains with unconfined access to kernel resources | ||||||
| attribute kern_unconfined; | attribute kern_unconfined; | ||||||
| @ -62,11 +62,11 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) | |||||||
| # kernel message interface | # kernel message interface | ||||||
| type proc_kmsg_t, proc_type; | type proc_kmsg_t, proc_type; | ||||||
| genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) | genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) | ||||||
| neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; | neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; | ||||||
| 
 | 
 | ||||||
| # /proc kcore: inaccessible | # /proc kcore: inaccessible | ||||||
| type proc_kcore_t, proc_type; | type proc_kcore_t, proc_type; | ||||||
| neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; | neverallow ~kern_unconfined proc_kcore_t:file ~getattr; | ||||||
| genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) | genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) | ||||||
| 
 | 
 | ||||||
| type proc_mdstat_t, proc_type; | type proc_mdstat_t, proc_type; | ||||||
| @ -340,3 +340,20 @@ optional_policy(` | |||||||
| 	# since you may have compromised system security. | 	# since you may have compromised system security. | ||||||
| 	init_sigchld(unlabeled_t) | 	init_sigchld(unlabeled_t) | ||||||
| ') | ') | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Rules for unconfined acccess to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | allow kern_unconfined proc_type:{ dir file } *; | ||||||
|  | 
 | ||||||
|  | allow kern_unconfined sysctl_t:{ dir file } *; | ||||||
|  | 
 | ||||||
|  | allow kern_unconfined kernel_t:system *; | ||||||
|  | 
 | ||||||
|  | allow kern_unconfined unlabeled_t:dir_file_class_set *; | ||||||
|  | allow kern_unconfined unlabeled_t:filesystem *; | ||||||
|  | allow kern_unconfined unlabeled_t:association *; | ||||||
|  | 
 | ||||||
|  | kernel_rw_all_sysctls(kern_unconfined) | ||||||
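Review bot: The neverallow rules on sys_module and proc_kmsg_t are widened to exempt kern_unconfined, but the moved rule block here contains no corresponding `allow kern_unconfined self:capability sys_module;`, and kernel_unconfined() no longer applies can_load_kernmodule/can_receive_kernel_messages to its caller. Whether callers of kernel_unconfined() keep sys_module therefore depends on rules outside these hunks; if the capability was previously granted through the can_load_kernmodule attribute, this is a regression that the neverallow exemption masks rather than fixes (the proc_kmsg_t case is covered by the `proc_type:{ dir file } *` rule, since proc_kmsg_t is declared with proc_type earlier in the file). The new header also has a typo, `# Rules for unconfined acccess to this module`; the other modules in this commit use `# Unconfined access to this module`, which would keep the blocks uniform.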
|  | |||||||
| @ -664,15 +664,8 @@ interface(`storage_setattr_tape_dev',` | |||||||
| # | # | ||||||
| interface(`storage_unconfined',` | interface(`storage_unconfined',` | ||||||
| 	gen_require(` | 	gen_require(` | ||||||
| 		type fixed_disk_device_t, removable_device_t; | 		attribute storage_unconfined_type; | ||||||
| 		type scsi_generic_device_t, tape_device_t; |  | ||||||
| 		attribute fixed_disk_raw_read, fixed_disk_raw_write; |  | ||||||
| 		attribute scsi_generic_read, scsi_generic_write; |  | ||||||
| 	') | 	') | ||||||
| 
 | 
 | ||||||
| 	allow $1 { fixed_disk_device_t removable_device_t }:blk_file *; | 	typeattribute $1 storage_unconfined_type; | ||||||
| 	allow $1 { scsi_generic_device_t tape_device_t }:chr_file *; |  | ||||||
| 
 |  | ||||||
| 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; |  | ||||||
| 	typeattribute $1 scsi_generic_read, scsi_generic_write; |  | ||||||
| ') | ') | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(storage,1.0.0) | policy_module(storage,1.0.1) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
| @ -10,16 +10,17 @@ attribute fixed_disk_raw_read; | |||||||
| attribute fixed_disk_raw_write; | attribute fixed_disk_raw_write; | ||||||
| attribute scsi_generic_read; | attribute scsi_generic_read; | ||||||
| attribute scsi_generic_write; | attribute scsi_generic_write; | ||||||
|  | attribute storage_unconfined_type; | ||||||
| 
 | 
 | ||||||
| # | # | ||||||
| # fixed_disk_device_t is the type of  | # fixed_disk_device_t is the type of  | ||||||
| # /dev/hd* and /dev/sd*. | # /dev/hd* and /dev/sd*. | ||||||
| # | # | ||||||
| type fixed_disk_device_t alias lvm_vg_t; | type fixed_disk_device_t; | ||||||
| dev_node(fixed_disk_device_t) | dev_node(fixed_disk_device_t) | ||||||
| 
 | 
 | ||||||
| neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read; | neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read; | ||||||
| neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write }; | neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; | ||||||
| 
 | 
 | ||||||
| # | # | ||||||
| # scsi_generic_device_t is the type of /dev/sg* | # scsi_generic_device_t is the type of /dev/sg* | ||||||
| @ -28,8 +29,8 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app | |||||||
| type scsi_generic_device_t; | type scsi_generic_device_t; | ||||||
| dev_node(scsi_generic_device_t) | dev_node(scsi_generic_device_t) | ||||||
| 
 | 
 | ||||||
| neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read; | neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read; | ||||||
| neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write }; | neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write }; | ||||||
| 
 | 
 | ||||||
| # | # | ||||||
| # removable_device_t is the type of | # removable_device_t is the type of | ||||||
| @ -43,3 +44,11 @@ dev_node(removable_device_t) | |||||||
| # | # | ||||||
| type tape_device_t; | type tape_device_t; | ||||||
| dev_node(tape_device_t) | dev_node(tape_device_t) | ||||||
|  | 
 | ||||||
|  | ######################################## | ||||||
|  | # | ||||||
|  | # Unconfined access to this module | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; | ||||||
|  | allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; | ||||||
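Review bot: The `alias lvm_vg_t` is dropped from fixed_disk_device_t in the second hunk, which is unrelated to the attribute move this commit describes and would break any policy or file context that still names lvm_vg_t. If the alias is really unused, say so in the commit message; otherwise keep `type fixed_disk_device_t alias lvm_vg_t;` and remove it in a separate change. The neverallow exemptions for storage_unconfined_type in the same hunk are consistent with the two `*` rules at the end of this file, so the attribute move itself looks complete.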
|  | |||||||
| @ -88,15 +88,6 @@ interface(`unconfined_domain_noaudit',` | |||||||
| 	optional_policy(` | 	optional_policy(` | ||||||
| 		storage_unconfined($1) | 		storage_unconfined($1) | ||||||
| 	') | 	') | ||||||
| 
 |  | ||||||
| 	ifdef(`TODO',` |  | ||||||
| 	if (allow_execmod) { |  | ||||||
| 		ifdef(`targeted_policy', `', ` |  | ||||||
| 			# Allow text relocations on system shared libraries, e.g. libGL. |  | ||||||
| 			allow $1 home_type:file execmod; |  | ||||||
| 		') |  | ||||||
| 	} |  | ||||||
| 	') dnl end TODO |  | ||||||
| ') | ') | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| policy_module(unconfined,1.3.2) | policy_module(unconfined,1.3.3) | ||||||
| 
 | 
 | ||||||
| ######################################## | ######################################## | ||||||
| # | # | ||||||
|  | |||||||