support for targeted policy

2005-07-06 20:28:29 +00:00 · 2005-07-06 20:28:29 +00:00 · c98340cfeb
commit c98340cfeb
parent 83ce670b3d
28 changed files with 408 additions and 152 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -117,7 +117,11 @@ MODDIR = $(POLDIR)/modules
 BASE_MODULE = $(MODDIR)/kernel
 FLASKDIR = $(POLDIR)/flask
-APPCONF = config/appconfig
+ifneq ($(findstring targeted,$(TYPE)),)
 	APPCONF := config/appconfig-targeted
 else
 	APPCONF := config/appconfig-strict
 endif
 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 GLOBALTUN := $(POLDIR)/global_tunables
--- a/refpolicy/config/appconfig-strict/dbus_contexts
+++ b/refpolicy/config/appconfig-strict/dbus_contexts
--- a/refpolicy/config/appconfig-strict/default_contexts
+++ b/refpolicy/config/appconfig-strict/default_contexts
--- a/refpolicy/config/appconfig-strict/default_type
+++ b/refpolicy/config/appconfig-strict/default_type
--- a/refpolicy/config/appconfig-strict/failsafe_context
+++ b/refpolicy/config/appconfig-strict/failsafe_context
--- a/refpolicy/config/appconfig-strict/initrc_context
+++ b/refpolicy/config/appconfig-strict/initrc_context
--- a/refpolicy/config/appconfig-strict/media
+++ b/refpolicy/config/appconfig-strict/media
--- a/refpolicy/config/appconfig-strict/removable_context
+++ b/refpolicy/config/appconfig-strict/removable_context
--- a/refpolicy/config/appconfig-strict/root_default_contexts
+++ b/refpolicy/config/appconfig-strict/root_default_contexts
--- a/refpolicy/config/appconfig-strict/userhelper_context
+++ b/refpolicy/config/appconfig-strict/userhelper_context
--- a/refpolicy/config/appconfig-targeted/dbus_contexts
+++ b/refpolicy/config/appconfig-targeted/dbus_contexts
@ -0,0 +1,6 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
  <selinux>
  </selinux>
 </busconfig>
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@ -0,0 +1,6 @@
 system_r:unconfined_t	system_r:unconfined_t
 system_r:initrc_t	system_r:unconfined_t
 system_r:local_login_t system_r:unconfined_t
 system_r:remote_login_t system_r:unconfined_t
 system_r:rshd_t		system_r:unconfined_t
 system_r:crond_t	system_r:unconfined_t
--- a/refpolicy/config/appconfig-targeted/default_type
+++ b/refpolicy/config/appconfig-targeted/default_type
@ -0,0 +1 @@
 system_r:unconfined_t
--- a/refpolicy/config/appconfig-targeted/failsafe_context
+++ b/refpolicy/config/appconfig-targeted/failsafe_context
@ -0,0 +1 @@
 system_r:unconfined_t
--- a/refpolicy/config/appconfig-targeted/initrc_context
+++ b/refpolicy/config/appconfig-targeted/initrc_context
@ -0,0 +1 @@
 user_u:system_r:unconfined_t
--- a/refpolicy/config/appconfig-targeted/root_default_contexts
+++ b/refpolicy/config/appconfig-targeted/root_default_contexts
@ -0,0 +1,2 @@
 system_r:unconfined_t	system_r:unconfined_t
 system_r:initrc_t	system_r:unconfined_t
--- a/refpolicy/config/appconfig-targeted/userhelper_context
+++ b/refpolicy/config/appconfig-targeted/userhelper_context
@ -0,0 +1 @@
 system_u:system_r:unconfined_t	
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@ -33,37 +33,64 @@
 # SELinux process identity change constraint:
 #
 constrain process transition
-	( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
+	( u1 == u2 or 
 ifdef(`targeted_policy',`
 	t1 == can_change_process_identity
 ',`
 	( t1 == can_change_process_identity and t2 == userdomain )
 	ifdef(`crond.te',`
-         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
+        	or (
 			t1 == crond_t
 			and (
 				t2 == user_crond_domain
 				or u2 == system_u
 			)
 		)
 	')
-ifdef(`userhelper.te', 
+
-	`or (t1 == userhelperdomain)
+	ifdef(`userhelper.te',`
 		or (t1 == userhelperdomain)
 	')
 	ifdef(`TODO',`
 	or (t1 == priv_system_role and u2 == system_u )
 	') dnl end TODO
 ')
 );
 #
 # SELinux process role change constraint:
 #
 constrain process transition 
-	( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
+	( r1 == r2 or
 ifdef(`targeted_policy',`
 	t1 == can_change_process_role
 ',`
 	( t1 == can_change_process_role and t2 == userdomain )
 	ifdef(`crond.te',`
        	or (t1 == crond_t and t2 == user_crond_domain)
 	')
-ifdef(`userhelper.te', 
+
-	`or (t1 == userhelperdomain)
+	ifdef(`userhelper.te',`
 		or (t1 == userhelperdomain)
 	')
 	ifdef(`postfix.te',`
-ifdef(`direct_sysadm_daemon',
+		ifdef(`direct_sysadm_daemon',`
-	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
+			or (
 				t1 == sysadm_mail_t
 				and t2 == system_mail_t
 				and r2 == system_r
 			)
 		')
 	')
 	ifdef(`TODO',`
 	or (t1 == priv_system_role and r2 == system_r )
 	') dnl end TODO
 ')
 );
 #
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -1032,8 +1032,11 @@ interface(`kernel_unconfined',`
 #	allow $1 proc_fs:{ dir file } *;
 	allow $1 sysctl_t:{ dir file } *;
 	allow $1 kernel_t:system *;
 	allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
 	allow $1 unlabeled_t:filesystem *;
 	typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -211,3 +211,7 @@ neverallow ~can_load_kernmodule self:capability sys_module;
 # If you load an incompatible policy, you should probably reboot,
 # since you may have compromised system security.
 init_sigchld(unlabeled_t)
 ifdef(`targeted_policy',`
 	allow unlabeled_t self:filesystem associate;
 ')
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@ -12,6 +12,12 @@ policy_module(corecommands,1.0)
 type bin_t;
 files_type(bin_t)
 ifdef(`targeted_policy',`
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	typealias bin_t alias su_exec_t;
 ')
 #
 # sbin_t is the type of files in the system sbin directories.
 #
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -47,6 +47,11 @@ interface(`domain_type',`
 	# send init a sigchld
 	init_sigchld($1)
 	ifdef(`targeted_policy',`
 		unconfined_use_fd($1)
 		unconfined_sigchld($1)
 	')
 	# this seems highly questionable:
 	optional_policy(`rpm.te',`
 		rpm_use_fd($1)
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -783,6 +783,27 @@ interface(`files_list_home',`
 	allow $1 home_root_t:dir r_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Create home directories
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## <param name="home_type">
 ##	The type of the home directory
 ## </param>
 #
 interface(`files_create_home_dirs',`
 	gen_require(`
 		type home_root_t;
 		class dir rw_dir_perms;
 	')
 	allow $1 home_root_t:dir rw_dir_perms;
 	type_transition $1 home_root_t:dir $2;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete objects in
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@ -8,7 +8,7 @@
 ##	Domain to make unconfined.
 ## </param>
 #
-template(`unconfined_access_template',`
+template(`unconfined_domain_template',`
 	# Use any Linux capability.
 	allow $1 self:capability *;
@ -73,3 +73,87 @@ template(`unconfined_access_template',`
 	')
 	') dnl end TODO
 ')
 ########################################
 ## <summary>
 ##	Transition to the unconfined domain by executing a shell.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`unconfined_domtrans_shell',`
 	gen_require(`
 		unconfined_t;
 	')
 	corecmd_domtrans_shell($1,unconfined_t)
 ')
 ########################################
 ## <summary>
 ##	Inherit file descriptors from the unconfined domain.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`unconfined_use_fd',`
 	gen_require(`
 		type unconfined_t;
 		class fd use;
 	')
 	allow $1 unconfined_t:fd use;
 ')
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to the unconfined domain.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`unconfined_sigchld',`
 	gen_require(`
 		type unconfined_t;
 		class process sigchld;
 	')
 	allow $1 unconfined_t:process sigchld;
 ')
 ########################################
 ## <summary>
 ##	Read and write unconfined domain unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`unconfined_rw_pipe',`
 	gen_require(`
 		type unconfined_t;
 		class fifo_file rw_file_perms;
 	')
 	allow $1 unconfined_t:fifo_file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Add the unconfined domain to the specified role.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`unconfined_role',`
 	gen_require(`
 		type unconfined_t;
 	')
 	role $1 types unconfined_t;
 ')
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -16,8 +16,23 @@ role system_r types unconfined_t;
 # Local policy
 #
-unconfined_access_template(unconfined_t)
+unconfined_domain_template(unconfined_t)
 logging_send_syslog_msg(unconfined_t)
 #role sysadm_r types unconfined_t;
 #domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
 ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 #	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
 	userdom_unconfined(unconfined_t)
 	ifdef(`TODO',`
 	#cjp: why is this needed?
 	ifdef(`samba.te', `samba_domain(user)')
 	') dnl end TODO
 ')
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -902,12 +902,17 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ## </param>
 #
 interface(`userdom_shell_domtrans_sysadm',`
 	ifdef(`targeted_policy',`
 		#cjp: need to doublecheck this one
 		unconfined_domtrans_shell($1)
 	',`
 		gen_require(`
 			type sysadm_t;
 		')
 		corecmd_domtrans_shell($1,sysadm_t)
 	')
 ')
 ########################################
 ## <summary>
@ -939,6 +944,9 @@ interface(`userdom_read_staff_home_files',`
 ## </param>
 #
 interface(`userdom_use_sysadm_tty',`
 	ifdef(`targeted_policy',`
 		term_use_unallocated_tty($1)
 	',`
 		gen_require(`
 			type sysadm_tty_device_t;
 			class chr_file rw_term_perms;
@ -948,6 +956,7 @@ interface(`userdom_use_sysadm_tty',`
 		term_list_ptys($1)
 		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
 	')
 ')
 ########################################
 ## <summary>
@ -958,6 +967,9 @@ interface(`userdom_use_sysadm_tty',`
 ## </param>
 #
 interface(`userdom_use_sysadm_pty',`
 	ifdef(`targeted_policy',`
 		term_use_generic_pty($1)
 	',`
 		gen_require(`
 			type sysadm_devpts_t;
 			class chr_file rw_term_perms;
@ -967,6 +979,7 @@ interface(`userdom_use_sysadm_pty',`
 		term_list_ptys($1)
 		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
 	')
 ')
 ########################################
 ## <summary>
@ -977,14 +990,8 @@ interface(`userdom_use_sysadm_pty',`
 ## </param>
 #
 interface(`userdom_use_sysadm_terms',`
-	gen_require(`
+	userdom_use_sysadm_tty($1)
-		attribute admin_terminal;
+	userdom_use_sysadm_pty($1)
 		class chr_file rw_term_perms;
 	')
 	dev_list_all_dev_nodes($1)
 	term_list_ptys($1)
 	allow $1 admin_terminal:chr_file rw_term_perms;
 ')
 ########################################
@ -996,6 +1003,9 @@ interface(`userdom_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`
 	ifdef(`targeted_policy',`
 		term_dontaudit_use_generic_pty($1)
 	',`
 		gen_require(`
 			attribute admin_terminal;
 			class chr_file { read write };
@ -1003,6 +1013,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 		dontaudit $1 admin_terminal:chr_file { read write };
 	')
 ')
 ########################################
 ## <summary>
@ -1013,6 +1024,10 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_use_sysadm_fd',`
 	ifdef(`targeted_policy',`
 		#cjp: need to doublecheck this one
 		unconfined_use_fd($1)
 	',`
 		gen_require(`
 			type sysadm_t;
 			class fd use;
@ -1020,6 +1035,7 @@ interface(`userdom_use_sysadm_fd',`
 		allow $1 sysadm_t:fd use;
 	')
 ')
 ########################################
 ## <summary>
@ -1030,12 +1046,17 @@ interface(`userdom_use_sysadm_fd',`
 ## </param>
 #
 interface(`userdom_rw_sysadm_pipe',`
 	ifdef(`targeted_policy',`
 		#cjp: need to doublecheck this one
 		unconfined_rw_pipe($1)
 	',`
 		gen_require(`
 			type sysadm_t;
-		class fd use;
+			class fifo_file rw_file_perms;
 		')
-	allow $1 sysadm_t:fd use;
+		allow $1 sysadm_t:fifo_file rw_file_perms;
 	')
 ')
 ########################################
@ -1217,3 +1238,21 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 	dontaudit $1 user_ttynode:chr_file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Unconfined access to user domains.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_unconfined',`
 	gen_require(`
 		type user_home_dir_t;
 		class dir create_dir_perms;
 	')
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_create_home_dirs($1,user_home_dir_t)
 ')
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -32,16 +32,11 @@ attribute userdomain;
 # unprivileged user domains
 attribute unpriv_userdomain;
 admin_user_template(sysadm)
 unpriv_user_template(staff)
 unpriv_user_template(user)
 ########################################
 #
 # Local policy
 #
 # user role change rules:
 define(`role_change',`
 	allow $1_r $2_r;
 	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
@ -50,6 +45,31 @@ define(`role_change',`
 	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 ')
 ifdef(`targeted_policy',`
 	# User home directory type.
 	type user_home_t alias { staff_home_t sysadm_home_t}, home_type;
 	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
 	unconfined_role(user_r)
 	unconfined_role(sysadm_r)
 	# dont need to use the full role_change()
 	allow sysadm_r system_r;
 	allow user_r system_r;
 	allow user_r sysadm_r;
 	allow system_r sysadm_r;
 	allow system_r sysadm_r;
 	ifdef(`TODO',`
 	allow privhome home_root_t:dir { getattr search };
 	file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
 	')
 ',`
 	admin_user_template(sysadm)
 	unpriv_user_template(staff)
 	unpriv_user_template(user)
 	# user role change rules:
 	# sysadm_r can change to user roles
 	role_change(sysadm, user)
 	role_change(sysadm, staff)
@ -66,9 +86,6 @@ ifdef(`user_canbe_sysadm',`
 	ifdef(`TODO',`
 	allow privhome home_root_t:dir { getattr search };
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 	')
 	########################################
@ -79,6 +96,10 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 	# for su
 	allow sysadm_t userdomain:fd use;
 	# Add/remove user home directories
 	allow sysadm_t user_home_dir_t:dir create_dir_perms;
 	files_create_home_dirs(sysadm_t,user_home_dir_t)
 	optional_policy(`bootloader.te',`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')
@ -149,3 +170,4 @@ optional_policy(`usermanage.te',`
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 	')
 ')
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@ -24,7 +24,11 @@ gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 ifdef(`targeted_policy',`
 gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
 ',`
 gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 ')
 #
 # The following users correspond to Unix identities.
@ -33,4 +37,8 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
 gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
 ',`
 gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
 ')
		`@ -0,0 +1,2 @@`
							`system_r:unconfined_t system_r:unconfined_t`
							`system_r:initrc_t system_r:unconfined_t`