restructure users, and add signalling

2005-05-27 20:44:05 +00:00 · 2005-05-27 20:44:05 +00:00 · c6fd1f85ba
commit c6fd1f85ba
parent 07da0af7bd
4 changed files with 261 additions and 94 deletions
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -128,54 +128,6 @@ attribute can_load_kernmodule;
 class capability sys_module;
 ')

-########################################
-#
-# kernel_kill_unlabeled_process(domain)
-#
-define(`kernel_kill_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigkill;
-')
-
-define(`kernel_kill_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigkill;
-')
-
-########################################
-#
-# kernel_ignore_get_unlabeled_block_device_attributes(domain)
-#
-define(`kernel_ignore_get_unlabeled_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:blk_file getattr;
-')
-
-define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
-type unlabeled_t;
-class process getattr;
-')
-
-########################################
-#
-# kernel_relabel_unlabeled_object(domain)
-#
-define(`kernel_relabel_unlabeled_object',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
-')
-
-define(`kernel_relabel_unlabeled_object_depend',`
-type unlabeled_t;
-class dir { getattr relabelfrom };
-class file { getattr relabelfrom };
-class lnk_file { getattr relabelfrom };
-class fifo_file { getattr relabelfrom };
-class sock_file { getattr relabelfrom };
-class chr_file { getattr relabelfrom };
-class blk_file { getattr relabelfrom };
-')
-
 ########################################
 #
 # kernel_get_selinux_enforcement_mode(domain)
@ -1053,6 +1005,145 @@ class file { getattr read write };
 class lnk_file { getattr read };
 ')

+########################################
+## <interface name="kernel_kill_unlabeled_process">
+##	<description>
+##		Send a kill signal to unlabeled processes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`kernel_kill_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigkill;
+')
+
+define(`kernel_kill_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigkill;
+')
+
+########################################
+## <interface name="kernel_signal_unlabeled_process">
+##	<description>
+##		Send general signals to unlabeled processes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`kernel_signal_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process signal;
+')
+
+define(`kernel_signal_unlabeled_process_depend',`
+type unlabeled_t;
+class process signal;
+')
+
+########################################
+## <interface name="kernel_signull_unlabeled_process">
+##	<description>
+##		Send a null signal to unlabeled processes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`kernel_signull_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process signull;
+')
+
+define(`kernel_signull_unlabeled_process_depend',`
+type unlabeled_t;
+class process signull;
+')
+
+########################################
+## <interface name="kernel_sigstop_unlabeled_process">
+##	<description>
+##		Send a stop signal to unlabeled processes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`kernel_sigstop_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigstop;
+')
+
+define(`kernel_sigstop_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigstop;
+')
+
+########################################
+## <interface name="kernel_sigchld_unlabeled_process">
+##	<description>
+##		Send a child terminated signal to unlabeled processes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`kernel_sigchld_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigchld;
+')
+
+define(`kernel_sigchld_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigchld;
+')
+
+########################################
+#
+# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+#
+define(`kernel_ignore_get_unlabeled_block_device_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:blk_file getattr;
+')
+
+define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
+type unlabeled_t;
+class process getattr;
+')
+
+########################################
+#
+# kernel_relabel_unlabeled_object(domain)
+#
+define(`kernel_relabel_unlabeled_object',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
+')
+
+define(`kernel_relabel_unlabeled_object_depend',`
+type unlabeled_t;
+class dir { getattr relabelfrom };
+class file { getattr relabelfrom };
+class lnk_file { getattr relabelfrom };
+class fifo_file { getattr relabelfrom };
+class sock_file { getattr relabelfrom };
+class chr_file { getattr relabelfrom };
+class blk_file { getattr relabelfrom };
+')
+
 ########################################
 #
 # kernel_list_usb_hardware(domain)
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -126,8 +126,15 @@ class process setsched;
 ')

 ########################################
-#
-# domain_signal_all_domains(domain)
+## <interface name="domain_signal_all_domains">
+##	<description>
+##		Send general signals to all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
 #
 define(`domain_signal_all_domains',`
 requires_block_template(`$0'_depend)
@ -161,8 +168,57 @@ class process signull;
 ')

 ########################################
+## <interface name="domain_sigstop_all_domains">
+##	<description>
+##		Send a stop signal to all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
 #
-# domain_kill_all_domains(domain)
+define(`domain_sigstop_all_domains',`
+requires_block_template(`$0'_depend)
+allow $1 domain:process sigstop;
+')
+
+define(`domain_sigstop_all_domains_depend',`
+attribute domain;
+class process sigstop;
+')
+
+########################################
+## <interface name="domain_sigchld_all_domains">
+##	<description>
+##		Send a child terminated signal to all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`domain_sigchld_all_domains',`
+requires_block_template(`$0'_depend)
+allow $1 domain:process sigchld;
+')
+
+define(`domain_sigchld_all_domains_depend',`
+attribute domain;
+class process sigchld;
+')
+
+########################################
+## <interface name="domain_kill_all_domains">
+##	<description>
+##		Send a kill signal to all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
 #
 define(`domain_kill_all_domains',`
 requires_block_template(`$0'_depend)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -100,8 +100,12 @@ corecommands_chroot(init_t)
 corecommands_execute_general_programs(init_t)
 corecommands_execute_system_programs(init_t)

-domain_signal_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_signal_all_domains(init_t)
+domain_signull_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigchld_all_domains(init_t)

 files_modify_system_runtime_data(init_t)
 # file descriptors inherited from the rootfs:
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -13,10 +13,37 @@ define(`base_user_domain',`
 attribute $1_file_type;

 type $1_t, userdomain;
+domain_make_domain($1_t)
 corecommands_make_shell_entrypoint($1_t)
 role $1_r types $1_t;
 allow system_r $1_r;

+# user pseudoterminal
+type $1_devpts_t;
+terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
+
+# type for contents of home directory
+type $1_home_t, $1_file_type, home_type;
+files_make_file($1_home_t)
+
+# type of home directory
+type $1_home_dir_t, home_dir_type, home_type;
+files_make_file($1_home_t)
+
+type $1_tmp_t, $1_file_type;
+files_make_temporary_file($1_tmp_t)
+
+type $1_tmpfs_t;
+files_make_tmpfs_file($1_tmpfs_t)
+
+type $1_tty_device_t; 
+terminal_make_physical_terminal($1_t,$1_tty_device_t)
+
+##############################
+#
+# Local policy
+#
+
 allow $1_t self:capability { setgid chown fowner };
 dontaudit $1_t self:capability { sys_nice fsetid };
 allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
@ -57,6 +84,13 @@ allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
 # cjp: this is combination is not checked and should be removed
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;

+allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };

 allow $1_t unpriv_userdomain:fd use;
@ -70,10 +104,12 @@ per_userdomain_templates($1)

 kernel_read_kernel_sysctl($1_t)
 kernel_get_selinuxfs_mount_point($1_t)
-# Very permissive allowing every domain to see every type.
+# Very permissive allowing every domain to see every type:
 kernel_get_sysvipc_info($1_t)
-# Find CDROM devices
+# Find CDROM devices:
 kernel_read_device_sysctl($1_t)
+# GNOME checks for usb and other devices:
+kernel_modify_usb_hardware_config_option($1_t)

 corenetwork_network_tcp_on_all_interfaces($1_t)
 corenetwork_network_raw_on_all_interfaces($1_t)
@ -247,19 +283,12 @@ allow $1_t removable_device_t:blk_file r_file_perms;
 }
 allow $1_t usbtty_device_t:chr_file read;

-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
 can_exec($1_t, noexattrfile)

 # for running TeX programs
 r_dir_file($1_t, tetex_data_t)
 can_exec($1_t, tetex_data_t)

-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-
 # Run programs developed by other users in the same domain.

 can_resmgrd_connect($1_t)
@ -378,25 +407,15 @@ define(`user_domain_template', `
 base_user_domain($1)

 typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
-domain_make_domain($1_t)
 domain_make_file_descriptors_widely_inheritable($1_t)

-type $1_devpts_t; # userpty_type, user_tty_type;
-terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
+#typeattribute $1_devpts_t userpty_type, user_tty_type;
+#typeattribute $1_home_dir_t user_home_dir_type;
+#typeattribute $1_home_t user_home_type;

-# Type for home directory.
-type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
-files_make_file($1_home_dir_t)
+#typeattribute $1_tmp_t, user_tmpfile;

-# Type for files and directories in the home directory
-type $1_home_t, $1_file_type, home_type; #, user_home_type;
-files_make_file($1_home_t)
-
-type $1_tmp_t, $1_file_type; #, user_tmpfile
-files_make_temporary_file($1_tmp_t)
-
-type $1_tty_device_t; #, sysadmfile, ttyfile, user_tty_type, dev_fs;
-terminal_make_physical_terminal($1_t,$1_tty_device_t)
+#typeattribute $1_tty_device_t user_tty_type;
 
 ##############################
 #
@ -591,27 +610,14 @@ base_user_domain($1)

 typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception($1_t)
-domain_make_domain($1_t)
 role system_r types $1_t;

 #ifdef(`direct_sysadm_daemon', `, priv_system_role')
 #; dnl end of sysadm_t type declaration

-# Type and access for pty devices.
-type $1_devpts_t, admin_terminal;
-terminal_make_pseudoterminal($1_devpts_t)
+typeattribute $1_devpts_t admin_terminal;

-type $1_home_t, $1_file_type; #, home_type;
-files_make_file($1_home_t)
-
-type $1_home_dir_t; #, home_dir_type, home_type;
-files_make_file($1_home_t)
-
-type $1_tmp_t, $1_file_type;
-files_make_temporary_file($1_tmp_t)
-
-type $1_tty_device_t, admin_terminal;
-terminal_make_physical_terminal($1_t,$1_tty_device_t)
+typeattribute $1_tty_device_t admin_terminal;

 ##############################
 #
@ -663,6 +669,12 @@ kernel_compute_selinux_access_vector($1_t)
 kernel_compute_selinux_create_context($1_t)
 kernel_compute_selinux_relabel_context($1_t)
 kernel_compute_selinux_reachable_user_contexts($1_t)
+# signal unlabeled processes:
+kernel_kill_unlabeled_process($1_t)
+kernel_signal_unlabeled_process($1_t)
+kernel_sigstop_unlabeled_process($1_t)
+kernel_signull_unlabeled_process($1_t)
+kernel_sigchld_unlabeled_process($1_t)

 corenetwork_bind_tcp_on_general_port($1_t)

@ -689,6 +701,13 @@ authlogin_relabel_all_files_except_shadow($1_t)

 domain_set_all_domains_priorities($1_t)
 domain_read_all_domains_process_state($1_t)
+# signal all domains:
+domain_kill_all_domains($1_t)
+domain_signal_all_domains($1_t)
+domain_signull_all_domains($1_t)
+domain_sigstop_all_domains($1_t)
+domain_sigstop_all_domains($1_t)
+domain_sigchld_all_domains($1_t)

 files_execute_system_source_code_scripts($1_t)

@ -719,9 +738,6 @@ allow $1_t shadow_t:file getattr;
 # for lsof
 allow $1_t mtrr_device_t:file getattr;

-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
 allow $1_t serial_device:chr_file setattr;

 # allow setting up tunnels