diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 75f8cd4a..cfd1c5b1 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -122,6 +122,21 @@ type device_t; class blk_file getattr; ') +######################################## +# +# devices_manage_generic_block_device(domain) +# +define(`devices_manage_generic_block_device',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir rw_dir_perms; +allow $1 device_t:blk_file create_file_perms; +') + +define(`devices_manage_generic_block_device_depend',` +type device_t; +class blk_file create_file_perms; +') + ######################################## # # devices_add_generic_character_device(domain) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index f5845552..8f43850f 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1038,6 +1038,24 @@ attribute pidfile; class file ioctl; ') +######################################## +# +# files_read_all_daemon_runtime_data(domain) +# +define(`files_read_all_daemon_runtime_data',` +requires_block_template(`$0'_depend) +allow $1 var_t:dir search; +allow $1 pidfile:dir r_dir_perms; +allow $1 pidfile:file r_file_perms; +') + +define(`files_read_all_daemon_runtime_data_depend',` +attribute pidfile; +type var_t; +class dir r_dir_perms; +class file r_file_perms; +') + ######################################## # # files_remove_all_daemon_runtime_data(domain) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index ce2f2a6d..8d2f593a 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te 
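Review bot: `devices_manage_generic_block_device_depend` declares only `type device_t;` and `class blk_file create_file_perms;`, but the interface body also issues `allow $1 device_t:dir rw_dir_perms;`, so the depend template is missing `class dir rw_dir_perms;`. The sibling `files_read_all_daemon_runtime_data_depend` added in this same commit lists every class its interface touches (`class dir r_dir_perms; class file r_file_perms;`), and the two should follow the same rule. The header above `define(`devices_manage_generic_block_device'` gives only the name; judging by the `lvm_t` TODO rule this commit replaces with the interface, `create_file_perms` presumably covers create, unlink and rename on block device nodes, so a one-line description such as `# Create, read, write and remove generic (device_t) block device nodes in /dev.` would let callers judge how wide the grant is.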
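Review bot: The header above `define(`files_read_all_daemon_runtime_data'` carries only the interface name, while the body grants `var_t:dir search`, `pidfile:dir r_dir_perms` and `pidfile:file r_file_perms`. A description such as `# Read the runtime data of every daemon whose files carry the pidfile attribute.` would say what a caller receives, and a short note that `var_t:dir search` is there only to reach those files would explain the one rule that is not about `pidfile`.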
@@ -52,15 +52,17 @@ filesystem_get_persistent_filesystem_attributes(getty_t) terminal_use_all_terminals(getty_t) terminal_set_console_attributes(getty_t) -init_script_modify_runtime_data(getty_t) -init_script_use_pseudoterminal(getty_t) +authlogin_modify_login_records(getty_t) + +corecommands_search_general_programs_directory(getty_t) files_modify_system_runtime_data(getty_t) files_manage_system_lock_files(getty_t) files_read_runtime_system_config(getty_t) files_read_general_system_config(getty_t) -authlogin_modify_login_records(getty_t) +init_script_modify_runtime_data(getty_t) +init_script_use_pseudoterminal(getty_t) libraries_use_dynamic_loader(getty_t) libraries_use_shared_libraries(getty_t) diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index a0e3d423..61e2c011 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -70,12 +70,14 @@ define(`init_make_daemon_domain',` ') define(`init_make_daemon_domain_depend',` -type initrc_t; -class file { getattr read execute }; -class fifo_file rw_file_perms; -class fd use; -class process { transition noatsecure siginh rlimitinh sigchld }; -role system_r; + type initrc_t; + + role system_r; + + class file { getattr read execute }; + class fifo_file rw_file_perms; + class fd use; + class process { transition noatsecure siginh rlimitinh sigchld }; ') ######################################## 
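Review bot: `corecommands_search_general_programs_directory(getty_t)` is a new grant, not a reorder like the surrounding lines, and it has no comment saying why getty needs it. Presumably it is for locating a program getty executes, but that is not shown here; a why-comment above the call, e.g. `# search the general programs directory — TODO record which lookup triggered this`, would keep the rationale with the rule.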
@@ -83,27 +85,39 @@ role system_r; # init_make_system_domain(domain,entrypointfile) # define(`init_make_system_domain',` -requires_block_template(`$0'_depend) -domain_make_domain($1) -domain_make_entrypoint_file($1,$2) -role system_r types $1; -allow initrc_t $1:process transition; -allow initrc_t $2:file { getattr read execute }; -dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; -type_transition initrc_t $2:process $1; -allow initrc_t $1:fd use; -allow $1 initrc_t:fd use; -allow $1 initrc_t:fifo_file rw_file_perms; -allow $1 initrc_t:process sigchld; + requires_block_template(`$0'_depend) + + domain_make_domain($1) + domain_make_entrypoint_file($1,$2) + + role system_r types $1; + + allow initrc_t $1:process transition; + allow initrc_t $2:file { getattr read execute }; + dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; + type_transition initrc_t $2:process $1; + + allow initrc_t $1:fd use; + allow $1 initrc_t:fd use; + allow $1 initrc_t:fifo_file rw_file_perms; + allow $1 initrc_t:process sigchld; + + # Red Hat systems seem to have a stray + # fd open from the initrd + optional_policy(`distro_redhat',` + kernel_ignore_use_file_descriptors($1) + files_ignore_read_rootfs_file($1) + ') ') define(`init_make_system_domain_depend',` -type initrc_t; -class file { getattr read execute }; -class fd use; -class fifo_file rw_file_perms; -class process { transition noatsecure siginh rlimitinh sigchld }; -role system_r; + type initrc_t; + role system_r; + + class file { getattr read execute }; + class fd use; + class fifo_file rw_file_perms; + class process { transition noatsecure siginh rlimitinh sigchld }; ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 7670b6c9..10726aea 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te 
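Review bot: The new block in `init_make_system_domain` wraps the Red Hat rules in `optional_policy(`distro_redhat',`, but elsewhere in this commit `distro_redhat` is tested with `tunable_policy(`distro_redhat',` (init.te) and `ifdef(`distro_redhat',` (sysnetwork.te), and every other `optional_policy` argument on this page is a module file such as `authlogin.te` or `udev.te`. If `optional_policy` keys on a module's presence rather than a build flag, this block is selected on the wrong condition; the locallogin.te hunk uses the same construct and has the same issue. Using one form for `distro_redhat`, probably `tunable_policy` as init.te does, would remove the ambiguity. If the `_ignore_` interfaces are dontaudit rules as their names suggest, this also silences fd-use and rootfs-read denials for every system domain created through the template, so the comment should say that a leaked initrd descriptor will no longer appear in the audit log for those domains.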
@@ -141,17 +141,17 @@ selinux_read_config(init_t) miscfiles_read_localization(init_t) tunable_policy(`distro_redhat',` -filesystem_use_tmpfs_character_devices(init_t) -filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file) + filesystem_use_tmpfs_character_devices(init_t) + filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file) ') optional_policy(`authlogin.te',` -authlogin_modify_login_records(init_t) + authlogin_modify_login_records(init_t) ') # Run the shell in the sysadm_t domain for single-user mode. optional_policy(`userdomain.te',` -userdomain_sysadm_shell_transition(init_t) + userdomain_sysadm_shell_transition(init_t) ') ######################################## @@ -272,6 +272,7 @@ domain_ignore_get_all_domains_pipe_attributes(initrc_t) files_get_all_file_attributes(initrc_t) files_remove_all_tmp_data(initrc_t) files_remove_all_lock_files(initrc_t) +files_read_all_daemon_runtime_data(initrc_t) files_remove_all_daemon_runtime_data(initrc_t) files_read_general_system_config(initrc_t) files_manage_runtime_system_config(initrc_t) @@ -279,6 +280,7 @@ files_manage_system_lock_files(initrc_t) files_execute_system_config_script(initrc_t) files_read_general_application_resources(initrc_t) files_manage_pseudorandom_saved_seed(initrc_t) +files_manage_system_spools(initrc_t) libraries_modify_dynamic_loader_cache(initrc_t) libraries_use_dynamic_loader(initrc_t) 
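Review bot: `files_manage_system_spools(initrc_t)` replaces the TODO-block rule `allow initrc_t var_spool_t:file rw_file_perms;` that the later hunk at `@@ -369,8 +381,6 @@` removes, and "manage" is wider than read/write if it carries the create/unlink/rename set. Nothing on this page says which init script needs to create or remove spool files. A comment such as `# init scripts clean spool files at boot — TODO confirm which ones need create/unlink` above the call would document the widening, or a read/write interface could be used if that is all the scripts require.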
@@ -307,61 +309,71 @@ userdomain_read_all_users_data(initrc_t) userdomain_use_admin_terminals(initrc_t) tunable_policy(`distro_debian', ` -filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir) + filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir) ') tunable_policy(`distro_redhat',` -kernel_set_selinux_enforcement_mode(initrc_t) + # Red Hat systems seem to have a stray + # fd open from the initrd + kernel_ignore_use_file_descriptors(initrc_t) + files_ignore_read_rootfs_file(initrc_t) -# Create and read /boot/kernel.h and /boot/System.map. -# Redhat systems typically create this file at boot time. -bootloader_create_runtime_data(initrc_t) -bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t) + kernel_set_selinux_enforcement_mode(initrc_t) -# These seem to be from the initrd: -kernel_use_file_descriptors(initrc_t) -# during device initialization: -devices_legacy_use_dev_zero(initrc_t) -devices_legacy_raw_read_memory(initrc_t) -devices_legacy_raw_write_memory(initrc_t) -storage_raw_read_fixed_disk(initrc_t) -storage_raw_write_fixed_disk(initrc_t) + # Create and read /boot/kernel.h and /boot/System.map. + # Redhat systems typically create this file at boot time. 
+ bootloader_create_runtime_data(initrc_t) + bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t) -filesystem_use_tmpfs_character_devices(initrc_t) + # These seem to be from the initrd + # during device initialization: + devices_legacy_use_dev_zero(initrc_t) + devices_legacy_raw_read_memory(initrc_t) + devices_legacy_raw_write_memory(initrc_t) + storage_raw_read_fixed_disk(initrc_t) + storage_raw_write_fixed_disk(initrc_t) -files_create_boot_flag(initrc_t) + filesystem_use_tmpfs_character_devices(initrc_t) -# readahead asks for these -mta_read_mail_aliases(initrc_t) + files_create_boot_flag(initrc_t) + + # readahead asks for these + mta_read_mail_aliases(initrc_t) ') dnl end distro_redhat optional_policy(`hotplug.te',` -kernel_read_usb_hardware_state(initrc_t) -# init scripts run /etc/hotplug/usb.rc -hotplug_read_config(initrc_t) -modutils_read_kernel_module_dependencies(initrc_t) + kernel_read_usb_hardware_state(initrc_t) + + # init scripts run /etc/hotplug/usb.rc + hotplug_read_config(initrc_t) + + modutils_read_kernel_module_dependencies(initrc_t) ') optional_policy(`lvm.te',` -#allow initrc_t lvm_control_t:chr_file unlink; -devices_read_lvm_control_channel(initrc_t) -devices_add_generic_character_device(initrc_t) + #allow initrc_t lvm_control_t:chr_file unlink; + + devices_read_lvm_control_channel(initrc_t) + devices_add_generic_character_device(initrc_t) ') optional_policy(`rhgb.te',` -corecommands_make_shell_entrypoint(initrc_t) + corecommands_make_shell_entrypoint(initrc_t) ') optional_policy(`rpm.te',` -# why is this needed: -rpm_manage_package_database(initrc_t) -# for a bug in rm -files_ignore_write_all_daemon_runtime_data(initrc_t) -# bash tries ioctl for some reason -files_ignore_ioctl_all_daemon_runtime_data(initrc_t) -# bash tries to access a block device in the initrd -kernel_ignore_get_unlabeled_block_device_attributes(initrc_t) + # bash tries to access a block device in the initrd + 
kernel_ignore_get_unlabeled_block_device_attributes(initrc_t) + + # for a bug in rm + files_ignore_write_all_daemon_runtime_data(initrc_t) + + # bash tries ioctl for some reason + files_ignore_ioctl_all_daemon_runtime_data(initrc_t) + + # why is this needed: + rpm_manage_package_database(initrc_t) ') dnl end rpm.te ifdef(`TODO',` @@ -369,8 +381,6 @@ ifdef(`TODO',` # Mount and unmount file systems. allow initrc_t { file_t default_t }:dir { read search getattr mounton }; -allow initrc_t var_spool_t:file rw_file_perms; - # Set device ownerships/modes. allow initrc_t xconsole_device_t:fifo_file setattr; @@ -388,24 +398,24 @@ role system_r types initrc_su_t; ') tunable_policy(`distro_debian', ` -allow initrc_t { etc_t device_t }:dir setattr; + allow initrc_t { etc_t device_t }:dir setattr; -# for storing state under /dev/shm -allow initrc_t tmpfs_t:dir setattr; -file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) -')dnl end distro_debian + # for storing state under /dev/shm + allow initrc_t tmpfs_t:dir setattr; + file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) +') tunable_policy(`distro_redhat', ` -# readahead asks for these -allow initrc_t var_lib_nfs_t:file { getattr read }; -')dnl end distro_redhat + # readahead asks for these + allow initrc_t var_lib_nfs_t:file { getattr read }; +') tunable_policy(`targeted_policy', ` -domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) -allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; -allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; -domain_trans(initrc_t, shell_exec_t, unconfined_t) -') dnl endif targeted policy + domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) + allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; + allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; + domain_trans(initrc_t, shell_exec_t, unconfined_t) +') # # Shutting down xinet causes these 
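Review bot: The reindented `distro_redhat` block keeps `devices_legacy_raw_read_memory(initrc_t)`, `devices_legacy_raw_write_memory(initrc_t)` and `storage_raw_write_fixed_disk(initrc_t)` under a comment that still only says `# These seem to be from the initrd`. Raw write access to memory and to fixed disks makes initrc_t effectively all-powerful, so the uncertainty recorded in that comment deserves a follow-up rather than a reindent; note the boot stage or script that was observed needing them, e.g. `# TODO: confirm these are still required; raw memory/disk write gives initrc_t full control of the system`. The switch from `kernel_use_file_descriptors(initrc_t)` to `kernel_ignore_use_file_descriptors(initrc_t)` narrows the grant and is fine as written.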
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 883d7a6f..79688517 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te 
@@ -72,32 +72,36 @@ sysnetwork_ifconfig_transition(iptables_t) userdomain_use_all_users_file_descriptors(iptables_t) tunable_policy(`use_dns',` -allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_network_udp_on_all_interfaces(iptables_t) -corenetwork_network_raw_on_all_interfaces(iptables_t) -corenetwork_network_udp_on_all_nodes(iptables_t) -corenetwork_network_raw_on_all_nodes(iptables_t) -corenetwork_bind_udp_on_all_nodes(iptables_t) -corenetwork_network_udp_on_dns_port(iptables_t) -sysnetwork_read_network_config(iptables_t) + allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + + corenetwork_network_udp_on_all_interfaces(iptables_t) + corenetwork_network_raw_on_all_interfaces(iptables_t) + corenetwork_network_udp_on_all_nodes(iptables_t) + corenetwork_network_raw_on_all_nodes(iptables_t) + corenetwork_bind_udp_on_all_nodes(iptables_t) + corenetwork_network_udp_on_dns_port(iptables_t) + + sysnetwork_read_network_config(iptables_t) ') optional_policy(`modutils.te', ` -modutils_insmod_transition(iptables_t) + corecommands_search_system_programs_directory(iptables_t) + modutils_insmod_transition(iptables_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(iptables_t) + selinux_newrole_sigchld(iptables_t) ') optional_policy(`udev.te', ` -udev_read_database(iptables_t) + udev_read_database(iptables_t) ') tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(iptables_t) -terminal_ignore_use_general_pseudoterminal(iptables_t) -files_ignore_read_rootfs_file(iptables_t) + terminal_ignore_use_general_physical_terminal(iptables_t) + terminal_ignore_use_general_pseudoterminal(iptables_t) + + files_ignore_read_rootfs_file(iptables_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 23ddcdc7..b3e4fb5b 100644 
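Review bot: `corecommands_search_system_programs_directory(iptables_t)` is added inside `optional_policy(`modutils.te',` next to `modutils_insmod_transition(iptables_t)` without a comment. Presumably it is needed to reach the insmod binary before the transition — confirm — and a line such as `# search the system programs directory to reach insmod` would record that.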
--- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -107,6 +107,13 @@ userdomain_use_all_unprivileged_users_file_descriptors(local_login_t) # Search for mail spool file. mta_get_mail_spool_attributes(local_login_t) +# Red Hat systems seem to have a stray +# fd open from the initrd +optional_policy(`distro_redhat',` + kernel_ignore_use_file_descriptors(local_login_t) + files_ignore_read_rootfs_file(local_login_t) +') + ifdef(`TODO',` can_ypbind(local_login_t) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 22ac4cb1..3354d256 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -74,9 +74,16 @@ miscfiles_read_localization(klogd_t) # syslogd local policy # -# Use capabilities. allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:process signal_perms; + +# receive messages to be logged +allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; +allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow syslogd_t self:unix_dgram_socket sendto; +allow syslogd_t self:fifo_file { getattr read write ioctl lock }; +allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; # create/append log files. allow syslogd_t var_log_t:dir rw_dir_perms; 
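Review bot: `allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };` is new in this hunk, unconditional, and sits under `# receive messages to be logged` together with the moved unix socket rules, which does not explain a UDP socket. If the intent is remote syslog, the rule should be paired with the corresponding corenetwork interfaces and placed under a tunable, as iptables.te does for its UDP rules under `use_dns`, so a host that does not forward or receive logs does not carry network permissions in its log daemon. `allow syslogd_t self:process signal_perms;` is likewise uncommented; one line each, e.g. `# remote logging (forwarding/receiving on the syslog port)` and `# syslogd signals itself on reload`, would do, with the second confirmed against the daemon's behaviour.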
@@ -89,17 +96,12 @@ files_create_private_tmp_data(syslogd_t,syslogd_tmp_t) allow syslogd_t syslogd_var_run_t:file create_file_perms; files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file) -# receive messages to be logged -allow syslogd_t devlog_t:unix_stream_socket name_bind; -allow syslogd_t devlog_t:unix_dgram_socket name_bind; -allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; -allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept }; -allow syslogd_t self:unix_dgram_socket sendto; -allow syslogd_t self:fifo_file { getattr read write ioctl lock }; - # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file) +# I belive these are not needed: +allow syslogd_t devlog_t:unix_stream_socket name_bind; +allow syslogd_t devlog_t:unix_dgram_socket name_bind; # manage pid file allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink }; diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 7438aa9e..f3cd829b 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -90,6 +90,7 @@ devices_get_random_data(lvm_t) devices_get_pseudorandom_data(lvm_t) devices_use_lvm_control_channel(lvm_t) devices_manage_dev_symbolic_links(lvm_t) +devices_manage_generic_block_device(lvm_t) # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... devices_ignore_get_all_character_device_attributes(lvm_t) 
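Review bot: The two `name_bind` rules on `devlog_t` are moved under a new comment `# I belive these are not needed:` yet remain `allow` rules, so the doubt is recorded while the permission stays granted. The way to confirm that a rule is unneeded is to drop it and watch for AVC denials, so either remove them now that `files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)` covers the socket, or keep them with a comment that says what must be verified, e.g. `# TODO: verify syslogd no longer name_binds devlog_t sockets; remove if no AVC appears`. The comment also misspells `believe` as `belive`.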
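Review bot: `devices_manage_generic_block_device(lvm_t)` replaces the TODO rule `allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };` removed in the next lvm.te hunk, but no comment says why lvm_t must create block device nodes carrying the generic `device_t` label. Presumably these are the device-mapper nodes lvm creates under /dev — confirm — and nodes that keep the `device_t` label are reachable by every domain with `device_t:blk_file` access, so a line such as `# lvm creates device nodes in /dev — TODO confirm they are relabelled to a specific type afterwards` would record both the need and the open labelling question.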
@@ -136,27 +137,29 @@ selinux_read_file_contexts(lvm_t) selinux_newrole_sigchld(lvm_t) tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(lvm_t) -terminal_ignore_use_general_pseudoterminal(lvm_t) -files_ignore_read_rootfs_file(lvm_t) -')dnl end targeted_policy tunable + terminal_ignore_use_general_physical_terminal(lvm_t) + terminal_ignore_use_general_pseudoterminal(lvm_t) + + files_ignore_read_rootfs_file(lvm_t) +') optional_policy(`bootloader.te',` -bootloader_modify_temporary_data(lvm_t) + bootloader_modify_temporary_data(lvm_t) ') optional_policy(`udev.te', ` -udev_read_database(lvm_t) + udev_read_database(lvm_t) ') ifdef(`TODO',` allow lvm_t autofs_t:dir { search getattr }; -allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow lvm_t default_context_t:dir search; allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; + +# cjp: ? this has no effect since LVM does not +# have lnk_file relabelto for anything else. allow lvm_t device_t:lnk_file { relabelfrom relabelto }; dontaudit lvm_t var_run_t:dir getattr; diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc index 5a3823a8..65b5c532 100644 --- a/refpolicy/policy/modules/system/sysnetwork.fc +++ b/refpolicy/policy/modules/system/sysnetwork.fc 
@@ -8,13 +8,13 @@ # # /etc # -#/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0) -#/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0) -#/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0) +/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0) +/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0) /etc/resolv\.conf.* -- context_template(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- context_template(system_u:object_r:net_conf_t,s0) -#/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0) # # /sbin @@ -40,7 +40,7 @@ # # /var # -#/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0) +/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0) /var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0) /var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index afd7f465..1531a7af 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -7,6 +7,15 @@ policy_module(sysnetwork,1.0) # Declarations # +# this is shared between dhcpc and dhcpd: +type dhcp_etc_t; #, usercanread; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; +files_make_file(dhcp_etc_t) + +# this is shared between dhcpc and dhcpd: +type dhcp_state_t; +files_make_file(dhcp_state_t) + type dhcpc_t; type dhcpc_exec_t; init_make_daemon_domain(dhcpc_t,dhcpc_exec_t) 
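Review bot: `/etc/dhcpc.*` and `/etc/dhcp3?/dhclient.*` are uncommented without a class qualifier, so unlike `/etc/dhclient.*conf --` they label directories, symlinks and anything else matching the prefix as `dhcp_etc_t`; if only regular files and directories are meant, add `--`/`-d` entries as the neighbouring lines do. Since the sysnetwork.te hunk grants dhcpc_t `execute execute_no_trans` on `dhcp_etc_t:file`, every file matched here becomes executable in the dhcpc domain, which is worth stating next to the patterns.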
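Review bot: `type dhcp_etc_t; #, usercanread;` carries a fragment of the old attribute list as a trailing comment, which reads like a half-deleted declaration; either drop it or make it a real note such as `# formerly also usercanread`. The comment `# this is shared between dhcpc and dhcpd:` is repeated for both types, but nothing on this page shows dhcpd using them, so say where the other user lives or that it is expected in a later module. The `typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };` keeps three old names; marking them as compatibility aliases would let them be retired later.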
@@ -38,20 +47,24 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; +allow dhcpc_t self:fifo_file { ioctl read getattr lock write append }; + +allow dhcpc_t dhcp_etc_t:dir r_dir_perms; +allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms; +allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans }; + +allow dhcpc_t dhcpc_state_t:dir rw_dir_perms; +allow dhcpc_t dhcpc_state_t:file create_file_perms; +type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t; + # create pid file allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink }; files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t) -# transition to ifconfig -allow dhcpc_t ifconfig_exec_t:file { getattr read execute }; -allow dhcpc_t ifconfig_t:process transition; -type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t; -dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh }; -allow dhcpc_t ifconfig_t:fd use; -allow ifconfig_t dhcpc_t:fd use; -allow ifconfig_t dhcpc_t:fifo_file rw_file_perms; -allow ifconfig_t dhcpc_t:process sigchld; - # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename }; 
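Review bot: `type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;` replaces the `file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)` removed in the last hunk, but the only directory rule added here is `allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;`; creating a file inside a `dhcp_state_t` directory also needs write access on that directory, which the macro presumably granted and nothing in this hunk does. Unless it is granted elsewhere, add `allow dhcpc_t dhcp_state_t:dir rw_dir_perms;` next to the transition. Separately, `allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };` moves out of the TODO block into active policy and lets dhcpc run anything labelled `dhcp_etc_t` in its own domain, while the same type covers the configuration files under /etc and, in the TODO block under `distro_redhat`, is writable by `initrc_t`; giving the hook scripts their own executable type would keep a writable config file from doubling as code for the DHCP client.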
@@ -62,15 +75,18 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir }) -allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; - -allow dhcpc_t self:fifo_file { ioctl read getattr lock write append }; - allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans }; +# transition to ifconfig +allow dhcpc_t ifconfig_exec_t:file { getattr read execute }; +allow dhcpc_t ifconfig_t:process transition; +type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t; +dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh }; +allow dhcpc_t ifconfig_t:fd use; +allow ifconfig_t dhcpc_t:fd use; +allow ifconfig_t dhcpc_t:fifo_file rw_file_perms; +allow ifconfig_t dhcpc_t:process sigchld; + kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) kernel_read_kernel_sysctl(dhcpc_t) 
@@ -121,34 +137,39 @@ miscfiles_read_localization(dhcpc_t) modutils_insmod_transition(dhcpc_t) +ifdef(`distro_redhat', ` + files_execute_system_config_script(dhcpc_t) +') + tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(dhcpc_t) -terminal_ignore_use_general_pseudoterminal(dhcpc_t) -files_ignore_read_rootfs_file(dhcpc_t) + terminal_ignore_use_general_physical_terminal(dhcpc_t) + terminal_ignore_use_general_pseudoterminal(dhcpc_t) + + files_ignore_read_rootfs_file(dhcpc_t) ') optional_policy(`consoletype.te',` -consoletype_transition(dhcpc_t) + consoletype_transition(dhcpc_t) ') optional_policy(`hostname.te',` -hostname_transition(dhcpc_t) + hostname_transition(dhcpc_t) ') optional_policy(`nscd.te',` -nscd_transition(dhcpc_t) + nscd_transition(dhcpc_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(dhcpc_t) + selinux_newrole_sigchld(dhcpc_t) ') optional_policy(`udev.te',` -udev_read_database(dhcpc_t) + udev_read_database(dhcpc_t) ') optional_policy(`userdomain.te',` -userdomain_use_all_users_file_descriptors(dhcpc_t) + userdomain_use_all_users_file_descriptors(dhcpc_t) ') # @@ -156,10 +177,10 @@ userdomain_use_all_users_file_descriptors(dhcpc_t) # init_script_execute(dhcpc_t) optional_policy(`ypbind.te',` -ypbind_transition(dhcpc_t) + ypbind_transition(dhcpc_t) ') optional_policy(`ntpd.te',` -ntpd_transition(dhcpc_t) + ntpd_transition(dhcpc_t) ') ifdef(`TODO',` 
@@ -201,24 +222,11 @@ allow ping_t cardmgr_t:fd use; ') dnl end if cardmgr ') dnl end if ping -ifdef(`dhcpd.te', `', ` -#type dhcp_state_t, file_type, sysadmfile; -#type dhcp_etc_t, file_type, sysadmfile, usercanread; -#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; -') - -allow dhcpc_t dhcp_etc_t:dir { getattr read search }; -allow dhcpc_t dhcp_etc_t:file { read getattr }; -allow dhcpc_t dhcp_etc_t:lnk_file { getattr read }; -allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans }; - ifdef(`distro_redhat', ` -files_execute_system_config_script(dhcpc_t) allow initrc_t dhcp_etc_t:file rw_file_perms; ') allow dhcpc_t var_lib_t:dir search; -file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) allow dhcpc_t home_root_t:dir search; allow initrc_t dhcpc_state_t:file { getattr read };