support for targeted policy
This commit is contained in:
parent
83ce670b3d
commit
c98340cfeb
@ -117,7 +117,11 @@ MODDIR = $(POLDIR)/modules
|
||||
|
||||
BASE_MODULE = $(MODDIR)/kernel
|
||||
FLASKDIR = $(POLDIR)/flask
|
||||
APPCONF = config/appconfig
|
||||
ifneq ($(findstring targeted,$(TYPE)),)
|
||||
APPCONF := config/appconfig-targeted
|
||||
else
|
||||
APPCONF := config/appconfig-strict
|
||||
endif
|
||||
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
|
||||
|
||||
GLOBALTUN := $(POLDIR)/global_tunables
|
||||
|
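--- a/refpolicy/config/appconfig-targeted/dbus_contexts
+++ b/refpolicy/config/appconfig-targeted/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+<selinux>
+</selinux>
+</busconfig>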
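--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -0,0 +1,6 @@
+system_r:unconfined_t system_r:unconfined_t
+system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t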
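--- a/refpolicy/config/appconfig-targeted/default_type
+++ b/refpolicy/config/appconfig-targeted/default_type
@@ -0,0 +1 @@
+system_r:unconfined_t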
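--- a/refpolicy/config/appconfig-targeted/failsafe_context
+++ b/refpolicy/config/appconfig-targeted/failsafe_context
@@ -0,0 +1 @@
+system_r:unconfined_t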
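--- a/refpolicy/config/appconfig-targeted/initrc_context
+++ b/refpolicy/config/appconfig-targeted/initrc_context
@@ -0,0 +1 @@
+user_u:system_r:unconfined_t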
@ -0,0 +1,2 @@
|
||||
system_r:unconfined_t system_r:unconfined_t
|
||||
system_r:initrc_t system_r:unconfined_t
|
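--- a/refpolicy/config/appconfig-targeted/userhelper_context
+++ b/refpolicy/config/appconfig-targeted/userhelper_context
@@ -0,0 +1 @@
+system_u:system_r:unconfined_t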
@ -33,37 +33,64 @@
|
||||
# SELinux process identity change constraint:
|
||||
#
|
||||
constrain process transition
|
||||
( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
|
||||
( u1 == u2 or
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
t1 == can_change_process_identity
|
||||
',`
|
||||
( t1 == can_change_process_identity and t2 == userdomain )
|
||||
ifdef(`crond.te',`
|
||||
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
|
||||
or (
|
||||
t1 == crond_t
|
||||
and (
|
||||
t2 == user_crond_domain
|
||||
or u2 == system_u
|
||||
)
|
||||
)
|
||||
')
|
||||
ifdef(`userhelper.te',
|
||||
`or (t1 == userhelperdomain)
|
||||
|
||||
ifdef(`userhelper.te',`
|
||||
or (t1 == userhelperdomain)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and u2 == system_u )
|
||||
') dnl end TODO
|
||||
')
|
||||
);
|
||||
|
||||
#
|
||||
# SELinux process role change constraint:
|
||||
#
|
||||
constrain process transition
|
||||
( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
|
||||
( r1 == r2 or
|
||||
ifdef(`targeted_policy',`
|
||||
t1 == can_change_process_role
|
||||
',`
|
||||
( t1 == can_change_process_role and t2 == userdomain )
|
||||
|
||||
ifdef(`crond.te',`
|
||||
or (t1 == crond_t and t2 == user_crond_domain)
|
||||
')
|
||||
ifdef(`userhelper.te',
|
||||
`or (t1 == userhelperdomain)
|
||||
|
||||
ifdef(`userhelper.te',`
|
||||
or (t1 == userhelperdomain)
|
||||
')
|
||||
|
||||
ifdef(`postfix.te',`
|
||||
ifdef(`direct_sysadm_daemon',
|
||||
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
or (
|
||||
t1 == sysadm_mail_t
|
||||
and t2 == system_mail_t
|
||||
and r2 == system_r
|
||||
)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and r2 == system_r )
|
||||
') dnl end TODO
|
||||
')
|
||||
);
|
||||
|
||||
#
|
||||
|
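Review bot: In the targeted_policy branch of both process-transition constraints the bound `t2 == userdomain` is dropped, so a domain holding can_change_process_identity (or can_change_process_role) may change the SELinux user (or role) while transitioning to any type, not only to a user domain, and the hunk gives no reason. If this is intended because user domains collapse onto unconfined_t under targeted, say so next to each branch, e.g. `# targeted: user domains are unconfined_t, so no t2 == userdomain bound`. Note also that the crond_t, userhelperdomain and postfix escape clauses exist only in the strict branch, so under targeted those domains presumably need the attribute itself; worth confirming against their .te files.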
@ -1032,8 +1032,11 @@ interface(`kernel_unconfined',`
|
||||
# allow $1 proc_fs:{ dir file } *;
|
||||
|
||||
allow $1 sysctl_t:{ dir file } *;
|
||||
|
||||
allow $1 kernel_t:system *;
|
||||
|
||||
allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
allow $1 unlabeled_t:filesystem *;
|
||||
|
||||
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
|
||||
|
||||
|
@ -211,3 +211,7 @@ neverallow ~can_load_kernmodule self:capability sys_module;
|
||||
# If you load an incompatible policy, you should probably reboot,
|
||||
# since you may have compromised system security.
|
||||
init_sigchld(unlabeled_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow unlabeled_t self:filesystem associate;
|
||||
')
|
||||
|
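Review bot: The new targeted_policy block adds `allow unlabeled_t self:filesystem associate;` with no comment, while the rule directly above it carries one; associate lets files of type unlabeled_t be placed on a filesystem that is itself labelled unlabeled_t, which this file does not otherwise grant. A one-liner such as `# targeted: permit unlabeled files on an unlabeled filesystem` would record why the targeted build needs it. The enclosing file continues past the hunk.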
@ -12,6 +12,12 @@ policy_module(corecommands,1.0)
|
||||
type bin_t;
|
||||
files_type(bin_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
typealias bin_t alias su_exec_t;
|
||||
')
|
||||
|
||||
#
|
||||
# sbin_t is the type of files in the system sbin directories.
|
||||
#
|
||||
|
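Review bot: `typealias bin_t alias su_exec_t;` silently widens every rule that names su_exec_t to the whole of bin_t, so anything in the strict-policy macros that treats su_exec_t as a distinct entry point now matches every binary in the system bin directories; the comment only mentions compatibility. Spell out the consequence next to the alias: `# NOTE: under targeted, rules written against su_exec_t apply to all of bin_t`. The same consideration applies to the commented-out typealias list in unconfined.te should it ever be enabled.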
@ -47,6 +47,11 @@ interface(`domain_type',`
|
||||
# send init a sigchld
|
||||
init_sigchld($1)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_use_fd($1)
|
||||
unconfined_sigchld($1)
|
||||
')
|
||||
|
||||
# this seems highly questionable:
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_fd($1)
|
||||
|
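Review bot: Placing `unconfined_use_fd($1)` and `unconfined_sigchld($1)` inside domain_type means every domain declared through this interface may inherit unconfined_t file descriptors and signal it under targeted; that is the broadest grant in the commit and carries no comment, whereas the rpm rule right after it is flagged `# this seems highly questionable`. Add a line such as `# targeted: every domain may inherit fds from, and sigchld, the unconfined domain` so the scope of the grant is visible at the point it is made. domain_type's header is outside the hunk.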
@ -783,6 +783,27 @@ interface(`files_list_home',`
|
||||
allow $1 home_root_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create home directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="home_type">
|
||||
## The type of the home directory
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_home_dirs',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir rw_dir_perms;
|
||||
type_transition $1 home_root_t:dir $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete objects in
|
||||
|
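Review bot: files_create_home_dirs grants only the parent-directory side of the operation, rw_dir_perms on home_root_t plus the type_transition to $2, while `create` on the new directory's own type is left to the caller; both users of the interface in this commit (userdom_unconfined and the sysadm_t rule in users.te) add `allow ... $2:dir create_dir_perms;` themselves. Make that contract explicit in the XML header with a `## <desc>` paragraph along the lines of `The caller must separately allow the domain create_dir_perms on the home directory type; this interface only covers home_root_t and the transition.`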
@ -8,7 +8,7 @@
|
||||
## Domain to make unconfined.
|
||||
## </param>
|
||||
#
|
||||
template(`unconfined_access_template',`
|
||||
template(`unconfined_domain_template',`
|
||||
|
||||
# Use any Linux capability.
|
||||
allow $1 self:capability *;
|
||||
@ -73,3 +73,87 @@ template(`unconfined_access_template',`
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the unconfined domain by executing a shell.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_domtrans_shell',`
|
||||
|
||||
gen_require(`
|
||||
unconfined_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,unconfined_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit file descriptors from the unconfined domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_use_fd',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the unconfined domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_sigchld',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unconfined domain unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_rw_pipe',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add the unconfined domain to the specified role.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_role',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
role $1 types unconfined_t;
|
||||
')
|
||||
|
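Review bot: The gen_require block of unconfined_domtrans_shell lists `unconfined_t;` without the `type` keyword, unlike the four interfaces below it which write `type unconfined_t;`; a require block needs the declaration keyword, so the first targeted-policy caller (userdom_shell_domtrans_sysadm in this same commit) should fail to build. Change the line to `type unconfined_t;`. The hunk opens with the tail of the renamed unconfined_domain_template, whose start is outside the hunk.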
@ -16,8 +16,23 @@ role system_r types unconfined_t;
|
||||
# Local policy
|
||||
#
|
||||
|
||||
unconfined_access_template(unconfined_t)
|
||||
unconfined_domain_template(unconfined_t)
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
|
||||
#role sysadm_r types unconfined_t;
|
||||
#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow unconfined_t self:system syslog_read;
|
||||
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||
|
||||
userdom_unconfined(unconfined_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
#cjp: why is this needed?
|
||||
ifdef(`samba.te', `samba_domain(user)')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
@ -902,12 +902,17 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_shell_domtrans_sysadm',`
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_domtrans_shell($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,sysadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -939,6 +944,9 @@ interface(`userdom_read_staff_home_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_tty',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_tty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_tty_device_t;
|
||||
class chr_file rw_term_perms;
|
||||
@ -948,6 +956,7 @@ interface(`userdom_use_sysadm_tty',`
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -958,6 +967,9 @@ interface(`userdom_use_sysadm_tty',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_pty',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_devpts_t;
|
||||
class chr_file rw_term_perms;
|
||||
@ -967,6 +979,7 @@ interface(`userdom_use_sysadm_pty',`
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -977,14 +990,8 @@ interface(`userdom_use_sysadm_pty',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_terms',`
|
||||
gen_require(`
|
||||
attribute admin_terminal;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 admin_terminal:chr_file rw_term_perms;
|
||||
userdom_use_sysadm_tty($1)
|
||||
userdom_use_sysadm_pty($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -996,6 +1003,9 @@ interface(`userdom_use_sysadm_terms',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
attribute admin_terminal;
|
||||
class chr_file { read write };
|
||||
@ -1003,6 +1013,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
|
||||
dontaudit $1 admin_terminal:chr_file { read write };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -1013,6 +1024,10 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_fd',`
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_use_fd($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fd use;
|
||||
@ -1020,6 +1035,7 @@ interface(`userdom_use_sysadm_fd',`
|
||||
|
||||
allow $1 sysadm_t:fd use;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -1030,12 +1046,17 @@ interface(`userdom_use_sysadm_fd',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_rw_sysadm_pipe',`
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_rw_pipe($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1217,3 +1238,21 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
|
||||
|
||||
dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_unconfined',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir create_dir_perms;
|
||||
files_create_home_dirs($1,user_home_dir_t)
|
||||
')
|
||||
|
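Review bot: userdom_unconfined's summary says "Unconfined access to user domains" but the body only grants create_dir_perms on user_home_dir_t and calls files_create_home_dirs, so a reader skimming the summary will assume far more is granted than is. Either narrow the summary to what the body does, e.g. `## Create user home directories (targeted policy).`, or note in a `## <desc>` paragraph that further rules are expected here. The earlier hunks in this file (userdom_shell_domtrans_sysadm, userdom_use_sysadm_fd, userdom_rw_sysadm_pipe) each carry a `#cjp: need to doublecheck this one` marker that the commit leaves unresolved.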
@ -32,16 +32,11 @@ attribute userdomain;
|
||||
# unprivileged user domains
|
||||
attribute unpriv_userdomain;
|
||||
|
||||
admin_user_template(sysadm)
|
||||
unpriv_user_template(staff)
|
||||
unpriv_user_template(user)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
# user role change rules:
|
||||
define(`role_change',`
|
||||
allow $1_r $2_r;
|
||||
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||
@ -50,6 +45,31 @@ define(`role_change',`
|
||||
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# User home directory type.
|
||||
type user_home_t alias { staff_home_t sysadm_home_t}, home_type;
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
|
||||
|
||||
unconfined_role(user_r)
|
||||
unconfined_role(sysadm_r)
|
||||
|
||||
# dont need to use the full role_change()
|
||||
allow sysadm_r system_r;
|
||||
allow user_r system_r;
|
||||
allow user_r sysadm_r;
|
||||
allow system_r sysadm_r;
|
||||
allow system_r sysadm_r;
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow privhome home_root_t:dir { getattr search };
|
||||
file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
|
||||
')
|
||||
',`
|
||||
admin_user_template(sysadm)
|
||||
unpriv_user_template(staff)
|
||||
unpriv_user_template(user)
|
||||
|
||||
# user role change rules:
|
||||
# sysadm_r can change to user roles
|
||||
role_change(sysadm, user)
|
||||
role_change(sysadm, staff)
|
||||
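Review bot: `allow system_r sysadm_r;` appears twice in the targeted_policy block, as the last two of the role allows; the duplicate is harmless to the compiler but reads as a typo, possibly a line that was meant to be a different pair or to be dropped. Remove the second copy, or replace it with the intended rule if one is missing. role_change(), which the block's comment says it deliberately does not use, is defined before the hunk.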
@ -66,9 +86,6 @@ ifdef(`user_canbe_sysadm',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow privhome home_root_t:dir { getattr search };
|
||||
|
||||
# Add/remove user home directories
|
||||
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -79,6 +96,10 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||
# for su
|
||||
allow sysadm_t userdomain:fd use;
|
||||
|
||||
# Add/remove user home directories
|
||||
allow sysadm_t user_home_dir_t:dir create_dir_perms;
|
||||
files_create_home_dirs(sysadm_t,user_home_dir_t)
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
@ -149,3 +170,4 @@ optional_policy(`usermanage.te',`
|
||||
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
@ -24,7 +24,11 @@ gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
|
||||
',`
|
||||
gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
|
||||
')
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
@ -33,4 +37,8 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
|
||||
',`
|
||||
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
|
||||
')
|
||||
|