move over to attributes for unconfined interfaces.

2006-04-10 21:04:51 +00:00 · 2006-04-10 21:04:51 +00:00 · b518fc2edf
commit b518fc2edf
parent 5516db6703
17 changed files with 163 additions and 135 deletions
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@ -118,6 +118,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -1253,18 +1253,8 @@ interface(`corenet_non_ipsec_sendrecv',`
 #
 interface(`corenet_unconfined',`
 	gen_require(`
-		attribute node_type, netif_type, port_type;
+		attribute corenet_unconfined_type;
 	')
-	allow $1 node_type:node *;
+	typeattribute $1 corenet_unconfined_type;
 	allow $1 netif_type:netif *;
 	allow $1 port_type:tcp_socket { send_msg recv_msg name_connect };
 	allow $1 port_type:udp_socket { send_msg recv_msg };
 	# Bind to any network address.
 	# cjp: rawip_socket doesnt make any sense
 	allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 	allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 	corenet_non_ipsec_sendrecv($1)
 ')
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.4)
+policy_module(corenetwork,1.1.5)
 ########################################
 #
@ -11,6 +11,8 @@ attribute node_type;
 attribute port_type;
 attribute reserved_port_type;
 attribute corenet_unconfined_type;
 type ppp_device_t;
 dev_node(ppp_device_t)
@ -174,3 +176,19 @@ ifdef(`enable_mls', `
 network_interface(lo, lo,s0 - s15:c0.c255)
 ')
 #network_interface(eth0, eth0,s0)
 ########################################
 #
 # Unconfined access to this module
 #
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
 corenet_non_ipsec_sendrecv(corenet_unconfined_type)
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -2850,13 +2850,8 @@ interface(`dev_execmod_zero',`
 #
 interface(`dev_unconfined',`
 	gen_require(`
-		attribute device_node, memory_raw_write, memory_raw_read;
+		attribute devices_unconfined_type;
 		type mtrr_device_t;
 	')
-	allow $1 device_node:devfile_class_set *;
+	typeattribute $1 devices_unconfined_type;
 	allow $1 mtrr_device_t:{ dir file } *;
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_write, memory_raw_read;
 ')
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@
-policy_module(devices,1.1.6)
+policy_module(devices,1.1.7)
 ########################################
 #
@ -9,6 +9,7 @@ policy_module(devices,1.1.6)
 attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
 #
 # device_t is the type of /dev.
@ -190,3 +191,12 @@ fs_associate(device_node)
 fs_associate_tmpfs(device_node)
 files_associate_tmp(device_node)
 ########################################
 #
 # Unconfined access to this module
 #
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:{ blk_file chr_file } *;
 allow devices_unconfined_type mtrr_device_t:{ dir file } *;
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@ -1136,7 +1136,7 @@ interface(`domain_entry_file_spec_domtrans',`
 #
 interface(`domain_unconfined',`
 	gen_require(`
-		attribute domain, set_curr_context;
+		attribute set_curr_context;
 		attribute can_change_process_identity;
 		attribute can_change_process_role;
 		attribute can_change_object_identity;
@ -1145,30 +1145,11 @@ interface(`domain_unconfined',`
 	typeattribute $1 unconfined_domain_type;
-	# pass all constraints
+	# pass constraints
 	typeattribute $1 can_change_process_identity;
 	typeattribute $1 can_change_process_role;
 	typeattribute $1 can_change_object_identity;
 	typeattribute $1 set_curr_context;
 	# Use/sendto/connectto sockets created by any domain.
 	allow $1 domain:{ socket_class_set socket key_socket } *;
 	# Use descriptors and pipes created by any domain.
 	allow $1 domain:fd use;
 	allow $1 domain:fifo_file rw_file_perms;
 	# Act upon any other process.
 	allow $1 domain:process ~{ transition dyntransition execmem execstack execheap };
 	# Create/access any System V IPC objects.
 	allow $1 domain:{ sem msgq shm } *;
 	allow $1 domain:msg { send receive };
 	# For /proc/pid
 	allow $1 domain:dir r_dir_perms;
 	allow $1 domain:file r_file_perms;
 	allow $1 domain:lnk_file r_file_perms;
 ')
 #
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@
-policy_module(domain,1.1.0)
+policy_module(domain,1.1.1)
 ########################################
 #
@ -108,3 +108,31 @@ tunable_policy(`global_ssp',`
 	# stack smashing protection.
 	dev_read_urand(domain)
 ')
 ########################################
 #
 # Unconfined access to this module
 #
 # unconfined access also allows constraints, but this
 # is handled in the interface as typeattribute cannot
 # be used on an attribute.
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
 # Use descriptors and pipes created by any domain.
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
 allow unconfined_domain_type domain:msg { send receive };
 # For /proc/pid
 allow unconfined_domain_type domain:dir r_dir_perms;
 allow unconfined_domain_type domain:file r_file_perms;
 allow unconfined_domain_type domain:lnk_file r_file_perms;
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@ -330,6 +330,24 @@ interface(`files_dontaudit_list_non_security',`
 	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Allow attempts to modify any directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to allow
 ##	</summary>
 ## </param>
 #
 interface(`files_write_non_security_dirs',`
 	gen_require(`
 		attribute file_type, security_file_type;
 	')
 	allow $1 file_type:dir write;
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of all files.
@ -3843,42 +3861,8 @@ interface(`files_polyinstantiate_all',`
 #
 interface(`files_unconfined',`
 	gen_require(`
-		attribute file_type;
+		attribute files_unconfined_type;
 	')
-	# Create/access any file in a labeled filesystem;
+	typeattribute $1 files_unconfined_type;
 	allow $1 file_type:{ file chr_file } ~execmod;
 	allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
 	# Mount/unmount any filesystem with the context= option. 
 	allow $1 file_type:filesystem *;
 	# Bind to any network address.
 	# cjp: need to check this, I dont think this has any effect.
 	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
 	ifdef(`targeted_policy',`
 		tunable_policy(`allow_execmod',`
 			allow $1 file_type:file execmod;
 		')
 	')
 ')
 ########################################
 ## <summary>
 ##	Allow attempts to modify any directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to allow
 ##	</summary>
 ## </param>
 #
 interface(`files_write_non_security_dirs',`
 	gen_require(`
 		attribute file_type, security_file_type;
 	')
 	allow $1 file_type:dir write;
 ')
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@ -1,5 +1,5 @@
-policy_module(files,1.2.4)
+policy_module(files,1.2.5)
 ########################################
 #
@ -7,6 +7,7 @@ policy_module(files,1.2.4)
 #
 attribute file_type;
 attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
@ -195,3 +196,21 @@ fs_associate_tmpfs(tmpfile)
 #
 fs_associate_tmpfs(tmpfsfile)
 ########################################
 #
 # Unconfined access to this module
 #
 # Create/access any file in a labeled filesystem;
 allow files_unconfined_type file_type:{ file chr_file } ~execmod;
 allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
 # Mount/unmount any filesystem with the context= option. 
 allow files_unconfined_type file_type:filesystem *;
 ifdef(`targeted_policy',`
 	tunable_policy(`allow_execmod',`
 		allow files_unconfined_type file_type:file execmod;
 	')
 ')
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -3159,13 +3159,8 @@ interface(`fs_dontaudit_getattr_all_sockets',`
 #
 interface(`fs_unconfined',`
 	gen_require(`
-		attribute filesystem_type;
+		attribute filesystem_unconfined_type;
 	')
-	allow $1 filesystem_type:filesystem *;
+	typeattribute $1 filesystem_unconfined_type;
 	# Create/access other files.  fs_type is to pick up various
 	# pseudo filesystem types that are applied to both the filesystem
 	# and its files.
 	allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 ')
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.4)
+policy_module(filesystem,1.3.5)
 ########################################
 #
@ -7,6 +7,7 @@ policy_module(filesystem,1.3.4)
 #
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
 ##############################
@ -176,3 +177,15 @@ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 #
 allow filesystem_type self:filesystem associate;
 ########################################
 #
 # Unconfined access to this module
 #
 allow filesystem_unconfined_type filesystem_type:filesystem *;
 # Create/access other files.  fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -2030,24 +2030,8 @@ interface(`kernel_sendrecv_unlabeled_association',`
 #
 interface(`kernel_unconfined',`
 	gen_require(`
 		type kernel_t, unlabeled_t, sysctl_t;
 		attribute proc_type, sysctl_type;
 		attribute kern_unconfined;
 		attribute can_load_kernmodule, can_receive_kernel_messages;
 	')
 	allow $1 proc_type:{ dir file } *;
 	allow $1 sysctl_t:{ dir file } *;
 	allow $1 kernel_t:system *;
 	allow $1 unlabeled_t:dir_file_class_set *;
 	allow $1 unlabeled_t:filesystem *;
 	allow $1 unlabeled_t:association *;
 	typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
 	typeattribute $1 kern_unconfined;
 	kernel_rw_all_sysctls($1)
 ')
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@
-policy_module(kernel,1.3.3)
+policy_module(kernel,1.3.4)
 ########################################
 #
@ -10,7 +10,7 @@ policy_module(kernel,1.3.3)
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
-neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
@ -62,11 +62,11 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
 # kernel message interface
 type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
-neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
-neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
+neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
 type proc_mdstat_t, proc_type;
@ -142,8 +142,8 @@ sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
 sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid init			gen_context(system_u:object_r:unlabeled_t,s0)
+sid init		gen_context(system_u:object_r:unlabeled_t,s0)
-sid kmod			gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
@ -340,3 +340,20 @@ optional_policy(`
 	# since you may have compromised system security.
 	init_sigchld(unlabeled_t)
 ')
 ########################################
 #
 # Rules for unconfined acccess to this module
 #
 allow kern_unconfined proc_type:{ dir file } *;
 allow kern_unconfined sysctl_t:{ dir file } *;
 allow kern_unconfined kernel_t:system *;
 allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 kernel_rw_all_sysctls(kern_unconfined)
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -664,15 +664,8 @@ interface(`storage_setattr_tape_dev',`
 #
 interface(`storage_unconfined',`
 	gen_require(`
-		type fixed_disk_device_t, removable_device_t;
+		attribute storage_unconfined_type;
 		type scsi_generic_device_t, tape_device_t;
 		attribute fixed_disk_raw_read, fixed_disk_raw_write;
 		attribute scsi_generic_read, scsi_generic_write;
 	')
-	allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
+	typeattribute $1 storage_unconfined_type;
 	allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 	typeattribute $1 scsi_generic_read, scsi_generic_write;
 ')
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@ -1,5 +1,5 @@
-policy_module(storage,1.0.0)
+policy_module(storage,1.0.1)
 ########################################
 #
@ -10,16 +10,17 @@ attribute fixed_disk_raw_read;
 attribute fixed_disk_raw_write;
 attribute scsi_generic_read;
 attribute scsi_generic_write;
 attribute storage_unconfined_type;
 #
 # fixed_disk_device_t is the type of 
 # /dev/hd* and /dev/sd*.
 #
-type fixed_disk_device_t alias lvm_vg_t;
+type fixed_disk_device_t;
 dev_node(fixed_disk_device_t)
-neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
-neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
+neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
 #
 # scsi_generic_device_t is the type of /dev/sg*
@ -28,8 +29,8 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app
 type scsi_generic_device_t;
 dev_node(scsi_generic_device_t)
-neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
-neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
+neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
 #
 # removable_device_t is the type of
@ -43,3 +44,11 @@ dev_node(removable_device_t)
 #
 type tape_device_t;
 dev_node(tape_device_t)
 ########################################
 #
 # Unconfined access to this module
 #
 allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
 allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@ -88,15 +88,6 @@ interface(`unconfined_domain_noaudit',`
 	optional_policy(`
 		storage_unconfined($1)
 	')
 	ifdef(`TODO',`
 	if (allow_execmod) {
 		ifdef(`targeted_policy', `', `
 			# Allow text relocations on system shared libraries, e.g. libGL.
 			allow $1 home_type:file execmod;
 		')
 	}
 	') dnl end TODO
 ')
 ########################################
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.2)
+policy_module(unconfined,1.3.3)
 ########################################
 #