diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 0fb22506..38e603c1 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -33,7 +33,7 @@ override M4PARAM += -D distro_redhat
 # Uncomment this to disable command echoing
 #QUIET:=@
-# Policy type (strict, targeted, etc)
+# Policy type (strict, mls)
 TYPE := strict
 ########################################
@@ -89,7 +89,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 BASE_MODULE = kernel
 FLASKDIR = flask
 APPCONF = appconfig
-M4SUPPORT = support_macros
+M4SUPPORT = support_macros $(wildcard macros/*.spt)
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
new file mode 100644
index 00000000..a70719dd
--- /dev/null
+++ b/refpolicy/policy/support/loadable_module.spt
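Review bot: The glob in `M4SUPPORT = support_macros $(wildcard macros/*.spt)` looks under `macros/`, but the `.spt` files this commit adds live in `policy/support/`, and `$(wildcard)` silently expands to nothing on a non-match, so unless a `macros` directory exists elsewhere (not visible here) or M4SUPPORT is consumed from a different working directory, `loadable_module.spt` and `sets.spt` would be dropped from the m4 support set with no build error and every `policy_module`/`optional_policy`/`tunable_policy` call would pass through m4 unexpanded. Anchor the glob on the directory in which `support_macros` itself is resolved (how M4SUPPORT is expanded later is outside this hunk), and make the failure loud, e.g. `ifeq ($(wildcard macros/*.spt),)` / `$(error no policy support macros found)` / `endif`. The assignment should also be `:=` like `TYPE` and `APPDIR` in this file, so the wildcard is evaluated once instead of on every expansion of M4SUPPORT.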
@@ -0,0 +1,60 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ifdef(`monolithic_policy',`',`
+module $1 $2;
+')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a requires block
+#
+define(`requires_block_template',`
+ifdef(`monolithic_policy',`',`
+require {
+$1
+}
+') dnl end ifdef monolithic_policy
+') dnl end requires_block_template
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end optional_policy
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+require { $1 }
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end tunable_policy
diff --git a/refpolicy/policy/support/sets.spt b/refpolicy/policy/support/sets.spt
new file mode 100644
index 00000000..9d26d802
--- /dev/null
+++ b/refpolicy/policy/support/sets.spt
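Review bot: In the loadable branch of `tunable_policy`, `optional { require { $1 } $2 } else { $3 }` enables `$2` whenever the boolean named by `$1` merely exists in the loaded policy, not when it is true: an `optional` block is kept or discarded by whether its `require` can be satisfied, whereas a rule conditioned on a boolean's value must be written `if ($1) { $2 } else { $3 }`. Any permission a tunable is meant to withhold by default would therefore be granted unconditionally in a module build, and the monolithic branch's `ifdef(`$1',$2,$3)` keys off whether the m4 symbol is defined, so the two build types can disagree on what a tunable means. If "declared, not true" really is the intent, say so in the header comment above the macro; otherwise the loadable branch should emit `if ($1) {` … `} else {` and the monolithic branch needs a matching runtime conditional rather than an m4 `ifdef`. The `require { $1 }` form also presumably expects the caller to pass a full declaration such as `bool name;` rather than a bare name — the comment should state the expected argument shape.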
@@ -0,0 +1,190 @@
+########################################
+#
+# Macros for sets of object classes
+#
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
+
+
+#
+# Datagram socket classes.
+#
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+########################################
+#
+# Macros for sets of permissions
+#
+
+#
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+#
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+#
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+#
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+#
+# Permissions for reading and writing files and their attributes.
+#
+define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+
+#
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+#
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+#
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+#
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+#
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+#
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+#
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+#
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+#
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+#
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+#
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+#
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+#
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
index 218471b4..48b5ba0d 100644
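Review bot: The comments on `connected_socket_perms` and `connected_stream_socket_perms` both read `# Permissions for creating and using sockets.`, the same text as on `create_socket_perms`, and say nothing about what distinguishes them; comparing the sets, `connected_socket_perms` is exactly `create_socket_perms` with `connect` removed. Suggest `# Permissions for creating and using sockets this domain never connect()s (create_socket_perms minus connect).` and `# connected_socket_perms plus listen/accept.` so policy authors pick the narrower set deliberately. In the netlink group, `rw_netlink_socket_perms` is byte-identical to `create_netlink_socket_perms`, and `r_netlink_socket_perms` still carries `create` plus bind/connect via `create_socket_perms`, so the `r_`/`rw_` prefixes do not narrow privilege the way they do for the file and directory sets; either base those two on `rw_socket_perms` or state in their comments that they are intentionally creation-capable, so nobody treats `r_netlink_socket_perms` as read-only.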
--- a/refpolicy/policy/support/support_macros
+++ b/refpolicy/policy/support/support_macros
@@ -1,65 +1,4 @@
-########################################
-#
-# Macros for switching between source policy
-# and loadable policy module support
-#
-
-##############################
-#
-# For adding the module statement
-#
-define(`policy_module',`
-ifdef(`monolithic_policy',`',`
-module $1 $2;
-')
-')
-
-##############################
-#
-# For use in interfaces, to optionally insert a requires block
-#
-define(`requires_block_template',`
-ifdef(`monolithic_policy',`',`
-require {
-$1
-}
-') dnl end ifdef monolithic_policy
-') dnl end requires_block_template
-
-##############################
-#
-# Optional policy handling
-#
-define(`optional_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end optional_policy
-
-##############################
-#
-# Tunable policy handling
-#
-define(`tunable_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-require { $1 }
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end tunable_policy
-
 ########################################
 #
 # Helper macros
@@ -86,189 +25,3 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
 #
 define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
-########################################
-#
-# Macros for sets of classes and permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
-
-
-#
-# Datagram socket classes.
-#
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-#
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-#
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-#
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-#
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-#
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-#
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-#
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-#
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-#
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-#
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-#
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-#
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-#
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-#
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-#
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')