restructure users, and add signalling

This commit is contained in:
Chris PeBenito 2005-05-27 20:44:05 +00:00
parent 07da0af7bd
commit c6fd1f85ba
4 changed files with 261 additions and 94 deletions


@ -128,54 +128,6 @@ attribute can_load_kernmodule;
class capability sys_module; class capability sys_module;
') ')
########################################
#
# kernel_kill_unlabeled_process(domain)
#
define(`kernel_kill_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process sigkill;
')
define(`kernel_kill_unlabeled_process_depend',`
type unlabeled_t;
class process sigkill;
')
########################################
#
# kernel_ignore_get_unlabeled_block_device_attributes(domain)
#
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:blk_file getattr;
')
define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
type unlabeled_t;
class process getattr;
')
########################################
#
# kernel_relabel_unlabeled_object(domain)
#
define(`kernel_relabel_unlabeled_object',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
')
define(`kernel_relabel_unlabeled_object_depend',`
type unlabeled_t;
class dir { getattr relabelfrom };
class file { getattr relabelfrom };
class lnk_file { getattr relabelfrom };
class fifo_file { getattr relabelfrom };
class sock_file { getattr relabelfrom };
class chr_file { getattr relabelfrom };
class blk_file { getattr relabelfrom };
')
######################################## ########################################
# #
# kernel_get_selinux_enforcement_mode(domain) # kernel_get_selinux_enforcement_mode(domain)
@ -1053,6 +1005,145 @@ class file { getattr read write };
class lnk_file { getattr read }; class lnk_file { getattr read };
') ')
########################################
## <interface name="kernel_kill_unlabeled_process">
## <description>
## Send a kill signal to unlabeled processes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`kernel_kill_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process sigkill;
')
define(`kernel_kill_unlabeled_process_depend',`
type unlabeled_t;
class process sigkill;
')
########################################
## <interface name="kernel_signal_unlabeled_process">
## <description>
## Send general signals to unlabeled processes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`kernel_signal_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process signal;
')
define(`kernel_signal_unlabeled_process_depend',`
type unlabeled_t;
class process signal;
')
########################################
## <interface name="kernel_signull_unlabeled_process">
## <description>
## Send a null signal to unlabeled processes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`kernel_signull_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process signull;
')
define(`kernel_signull_unlabeled_process_depend',`
type unlabeled_t;
class process signull;
')
########################################
## <interface name="kernel_sigstop_unlabeled_process">
## <description>
## Send a stop signal to unlabeled processes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`kernel_sigstop_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process sigstop;
')
define(`kernel_sigstop_unlabeled_process_depend',`
type unlabeled_t;
class process sigstop;
')
########################################
## <interface name="kernel_sigchld_unlabeled_process">
## <description>
## Send a child terminated signal to unlabeled processes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`kernel_sigchld_unlabeled_process',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:process sigchld;
')
define(`kernel_sigchld_unlabeled_process_depend',`
type unlabeled_t;
class process sigchld;
')
########################################
#
# kernel_ignore_get_unlabeled_block_device_attributes(domain)
#
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:blk_file getattr;
')
define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
type unlabeled_t;
class process getattr;
')
########################################
#
# kernel_relabel_unlabeled_object(domain)
#
define(`kernel_relabel_unlabeled_object',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
')
define(`kernel_relabel_unlabeled_object_depend',`
type unlabeled_t;
class dir { getattr relabelfrom };
class file { getattr relabelfrom };
class lnk_file { getattr relabelfrom };
class fifo_file { getattr relabelfrom };
class sock_file { getattr relabelfrom };
class chr_file { getattr relabelfrom };
class blk_file { getattr relabelfrom };
')
######################################## ########################################
# #
# kernel_list_usb_hardware(domain) # kernel_list_usb_hardware(domain)
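Review bot: `kernel_ignore_get_unlabeled_block_device_attributes_depend` declares `class process getattr;` while the interface body it backs grants `unlabeled_t:blk_file getattr`, so the depend block should read `class blk_file getattr;`; the block is only moved by the second hunk, but it now sits among the new signal interfaces and is worth fixing in the same pass. The `ignore_` prefix also reads as a dontaudit while the rule is an `allow` — if the intent is to silence denials, `dontaudit $1 unlabeled_t:blk_file getattr;` is the conventional form, otherwise the name is misleading. For consistency with the five new `kernel_*_unlabeled_process` interfaces, the two moved blocks (`kernel_ignore_get_unlabeled_block_device_attributes` and `kernel_relabel_unlabeled_object`) could be given the same `## <interface>` / `## <description>` doc headers instead of the bare `# name(domain)` comment.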


@ -126,8 +126,15 @@ class process setsched;
') ')
######################################## ########################################
# ## <interface name="domain_signal_all_domains">
# domain_signal_all_domains(domain) ## <description>
## Send general signals to all domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
# #
define(`domain_signal_all_domains',` define(`domain_signal_all_domains',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -161,8 +168,57 @@ class process signull;
') ')
######################################## ########################################
## <interface name="domain_sigstop_all_domains">
## <description>
## Send a stop signal to all domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
# #
# domain_kill_all_domains(domain) define(`domain_sigstop_all_domains',`
requires_block_template(`$0'_depend)
allow $1 domain:process sigstop;
')
define(`domain_sigstop_all_domains_depend',`
attribute domain;
class process sigstop;
')
########################################
## <interface name="domain_sigchld_all_domains">
## <description>
## Send a child terminated signal to all domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`domain_sigchld_all_domains',`
requires_block_template(`$0'_depend)
allow $1 domain:process sigchld;
')
define(`domain_sigchld_all_domains_depend',`
attribute domain;
class process sigchld;
')
########################################
## <interface name="domain_kill_all_domains">
## <description>
## Send a kill signal to all domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
# #
define(`domain_kill_all_domains',` define(`domain_kill_all_domains',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
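Review bot: `domain_sigstop_all_domains` grants `sigstop` against every type carrying the `domain` attribute, which lets the caller freeze any confined process on the system, so its description should say who is expected to call it, e.g. `## This is a very powerful interface; only init and administrative domains should use it.` — the same caveat applies to `domain_sigchld_all_domains` and `domain_kill_all_domains`. The `domain_signal_all_domains` description added in the first hunk says "general signals" without saying what that excludes; a sentence noting that kill, stop, child-terminated and null signals are separate interfaces would make the generated docs self-contained. The `domain_kill_all_domains` body continues past the end of this hunk.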


@ -100,8 +100,12 @@ corecommands_chroot(init_t)
corecommands_execute_general_programs(init_t) corecommands_execute_general_programs(init_t)
corecommands_execute_system_programs(init_t) corecommands_execute_system_programs(init_t)
domain_signal_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
files_modify_system_runtime_data(init_t) files_modify_system_runtime_data(init_t)
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
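Review bot: `domain_sigstop_all_domains(init_t)` is listed twice in this hunk; the second call is redundant and should be dropped so the signalling block names each of `domain_signull_all_domains(init_t)`, `domain_sigstop_all_domains(init_t)` and `domain_sigchld_all_domains(init_t)` exactly once. The duplicate is presumably harmless to the compiled policy, but it is the kind of copy-paste slip that can mask a missing interface call, and the same repeated line appears in the admin template of the user policy file in this commit, which suggests both were pasted from one source.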


@ -13,10 +13,37 @@ define(`base_user_domain',`
attribute $1_file_type; attribute $1_file_type;
type $1_t, userdomain; type $1_t, userdomain;
domain_make_domain($1_t)
corecommands_make_shell_entrypoint($1_t) corecommands_make_shell_entrypoint($1_t)
role $1_r types $1_t; role $1_r types $1_t;
allow system_r $1_r; allow system_r $1_r;
# user pseudoterminal
type $1_devpts_t;
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_make_file($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_make_file($1_home_t)
type $1_tmp_t, $1_file_type;
files_make_temporary_file($1_tmp_t)
type $1_tmpfs_t;
files_make_tmpfs_file($1_tmpfs_t)
type $1_tty_device_t;
terminal_make_physical_terminal($1_t,$1_tty_device_t)
##############################
#
# Local policy
#
allow $1_t self:capability { setgid chown fowner }; allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid }; dontaudit $1_t self:capability { sys_nice fsetid };
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
@ -57,6 +84,13 @@ allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
# cjp: this is combination is not checked and should be removed # cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind; allow $1_t $1_tmp_t:unix_stream_socket name_bind;
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock }; allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
allow $1_t unpriv_userdomain:fd use; allow $1_t unpriv_userdomain:fd use;
@ -70,10 +104,12 @@ per_userdomain_templates($1)
kernel_read_kernel_sysctl($1_t) kernel_read_kernel_sysctl($1_t)
kernel_get_selinuxfs_mount_point($1_t) kernel_get_selinuxfs_mount_point($1_t)
# Very permissive allowing every domain to see every type. # Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t) kernel_get_sysvipc_info($1_t)
# Find CDROM devices # Find CDROM devices:
kernel_read_device_sysctl($1_t) kernel_read_device_sysctl($1_t)
# GNOME checks for usb and other devices:
kernel_modify_usb_hardware_config_option($1_t)
corenetwork_network_tcp_on_all_interfaces($1_t) corenetwork_network_tcp_on_all_interfaces($1_t)
corenetwork_network_raw_on_all_interfaces($1_t) corenetwork_network_raw_on_all_interfaces($1_t)
@ -247,19 +283,12 @@ allow $1_t removable_device_t:blk_file r_file_perms;
} }
allow $1_t usbtty_device_t:chr_file read; allow $1_t usbtty_device_t:chr_file read;
# GNOME checks for usb and other devices
rw_dir_file($1_t,usbfs_t)
can_exec($1_t, noexattrfile) can_exec($1_t, noexattrfile)
# for running TeX programs # for running TeX programs
r_dir_file($1_t, tetex_data_t) r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t) can_exec($1_t, tetex_data_t)
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
allow $1_tmpfs_t tmpfs_t:filesystem associate;
# Run programs developed by other users in the same domain. # Run programs developed by other users in the same domain.
can_resmgrd_connect($1_t) can_resmgrd_connect($1_t)
@ -378,25 +407,15 @@ define(`user_domain_template', `
base_user_domain($1) base_user_domain($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
domain_make_domain($1_t)
domain_make_file_descriptors_widely_inheritable($1_t) domain_make_file_descriptors_widely_inheritable($1_t)
type $1_devpts_t; # userpty_type, user_tty_type; #typeattribute $1_devpts_t userpty_type, user_tty_type;
terminal_make_user_pseudoterminal($1_t,$1_devpts_t) #typeattribute $1_home_dir_t user_home_dir_type;
#typeattribute $1_home_t user_home_type;
# Type for home directory. #typeattribute $1_tmp_t, user_tmpfile;
type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
files_make_file($1_home_dir_t)
# Type for files and directories in the home directory #typeattribute $1_tty_device_t user_tty_type;
type $1_home_t, $1_file_type, home_type; #, user_home_type;
files_make_file($1_home_t)
type $1_tmp_t, $1_file_type; #, user_tmpfile
files_make_temporary_file($1_tmp_t)
type $1_tty_device_t; #, sysadmfile, ttyfile, user_tty_type, dev_fs;
terminal_make_physical_terminal($1_t,$1_tty_device_t)
############################## ##############################
# #
@ -591,27 +610,14 @@ base_user_domain($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception($1_t) kernel_make_object_identity_change_constraint_exception($1_t)
domain_make_domain($1_t)
role system_r types $1_t; role system_r types $1_t;
#ifdef(`direct_sysadm_daemon', `, priv_system_role') #ifdef(`direct_sysadm_daemon', `, priv_system_role')
#; dnl end of sysadm_t type declaration #; dnl end of sysadm_t type declaration
# Type and access for pty devices. typeattribute $1_devpts_t admin_terminal;
type $1_devpts_t, admin_terminal;
terminal_make_pseudoterminal($1_devpts_t)
type $1_home_t, $1_file_type; #, home_type; typeattribute $1_tty_device_t admin_terminal;
files_make_file($1_home_t)
type $1_home_dir_t; #, home_dir_type, home_type;
files_make_file($1_home_t)
type $1_tmp_t, $1_file_type;
files_make_temporary_file($1_tmp_t)
type $1_tty_device_t, admin_terminal;
terminal_make_physical_terminal($1_t,$1_tty_device_t)
############################## ##############################
# #
@ -663,6 +669,12 @@ kernel_compute_selinux_access_vector($1_t)
kernel_compute_selinux_create_context($1_t) kernel_compute_selinux_create_context($1_t)
kernel_compute_selinux_relabel_context($1_t) kernel_compute_selinux_relabel_context($1_t)
kernel_compute_selinux_reachable_user_contexts($1_t) kernel_compute_selinux_reachable_user_contexts($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled_process($1_t)
kernel_signal_unlabeled_process($1_t)
kernel_sigstop_unlabeled_process($1_t)
kernel_signull_unlabeled_process($1_t)
kernel_sigchld_unlabeled_process($1_t)
corenetwork_bind_tcp_on_general_port($1_t) corenetwork_bind_tcp_on_general_port($1_t)
@ -689,6 +701,13 @@ authlogin_relabel_all_files_except_shadow($1_t)
domain_set_all_domains_priorities($1_t) domain_set_all_domains_priorities($1_t)
domain_read_all_domains_process_state($1_t) domain_read_all_domains_process_state($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
domain_signull_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
files_execute_system_source_code_scripts($1_t) files_execute_system_source_code_scripts($1_t)
@ -719,9 +738,6 @@ allow $1_t shadow_t:file getattr;
# for lsof # for lsof
allow $1_t mtrr_device_t:file getattr; allow $1_t mtrr_device_t:file getattr;
# Send signals to all processes.
allow $1_t { domain unlabeled_t }:process signal_perms;
allow $1_t serial_device:chr_file setattr; allow $1_t serial_device:chr_file setattr;
# allow setting up tunnels # allow setting up tunnels
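Review bot: In `base_user_domain`, the line under `# type of home directory` declares `$1_home_dir_t` but then calls `files_make_file($1_home_t)` a second time, so the home directory type itself is never registered through `files_make_file`; it should be `files_make_file($1_home_dir_t)`. The `user_domain_template` code removed in this commit had the correct call, while the removed admin-template copy carried this same slip, so the restructure now propagates the bug to every user domain; `base_user_domain`'s body begins before and continues past the first hunk. In the admin template further down, `domain_sigstop_all_domains($1_t)` appears twice and one copy should be dropped. Separately, `# GNOME checks for usb and other devices:` now sits above `kernel_modify_usb_hardware_config_option($1_t)`, which by its name presumably grants write access to usbfs for every user domain — if a read-only interface exists it would be the tighter fit for a "check", otherwise the comment should state that write access is intentional.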