add xml comments to interfaces, convert over userdomain stuff

This commit is contained in:
Chris PeBenito 2005-05-19 21:06:06 +00:00
parent bee546bfd4
commit daa0e0b01f
34 changed files with 1655 additions and 409 deletions

View File

@ -51,13 +51,20 @@ files_ignore_read_rootfs_file(consoletype_t)
libraries_use_dynamic_loader(consoletype_t) libraries_use_dynamic_loader(consoletype_t)
libraries_use_shared_libraries(consoletype_t) libraries_use_shared_libraries(consoletype_t)
tunable_policy(`distro_redhat', `
filesystem_use_tmpfs_character_devices(consoletype_t)
')
optional_policy(`authlogin.te', ` optional_policy(`authlogin.te', `
authlogin_pam_read_runtime_data(consoletype_t) authlogin_pam_read_runtime_data(consoletype_t)
') ')
optional_policy(`userdomain.te',`
userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow consoletype_t unpriv_userdomain:fd use;
allow consoletype_t sysadm_t:fd use; allow consoletype_t sysadm_t:fd use;
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
allow consoletype_t sysadm_t:fifo_file rw_file_perms; allow consoletype_t sysadm_t:fifo_file rw_file_perms;
@ -97,10 +104,6 @@ optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read }; allow consoletype_t printconf_t:file { getattr read };
') ')
tunable_policy(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
optional_policy(`firstboot.te', ` optional_policy(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write; allow consoletype_t firstboot_t:fifo_file write;
') ')

View File

@ -882,8 +882,15 @@ class filesystem getattr;
') ')
######################################## ########################################
# ## <interface name="filesystem_tmpfs_associate">
# filesystem_tmpfs_associate(type) ## <description>
## Allow the type to associate to tmpfs filesystems.
## </description>
## <parameter name="type">
## The type of the object to be associated.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
# #
define(`filesystem_tmpfs_associate',` define(`filesystem_tmpfs_associate',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -914,6 +921,100 @@ type tmpfs_t;
class dir { getattr search read write add_name }; class dir { getattr search read write add_name };
') ')
########################################
## <interface name="filesystem_use_tmpfs_character_devices">
## <description>
## Read and write character nodes on tmpfs filesystems.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`filesystem_use_tmpfs_character_devices',`
requires_block_template(`$0'_depend)
allow $1 tmpfs_t:dir { getattr search read };
allow $1 tmpfs_t:chr_file { getattr read write ioctl };
')
define(`filesystem_use_tmpfs_character_devices_depend',`
type tmpfs_t;
class dir { getattr search read };
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="filesystem_use_tmpfs_block_devices">
## <description>
## Read and write block nodes on tmpfs filesystems.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`filesystem_use_tmpfs_block_devices',`
requires_block_template(`$0'_depend)
allow $1 tmpfs_t:dir { getattr search read };
allow $1 tmpfs_t:blk_file { getattr read write ioctl };
')
define(`filesystem_use_tmpfs_block_devices_depend',`
type tmpfs_t;
class dir { getattr search read };
class blk_file { getattr read write ioctl };
')
########################################
## <interface name="filesystem_manage_tmpfs_character_devices">
## <description>
## Read and write, create and delete character
## nodes on tmpfs filesystems.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`filesystem_manage_tmpfs_character_devices',`
requires_block_template(`$0'_depend)
allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr };
')
define(`filesystem_mange_tmpfs_character_devices_depend',`
type tmpfs_t;
class dir { getattr search read write add_name remove_name };
class chr_file { getattr read write ioctl create unlink setattr };
')
########################################
## <interface name="filesystem_manage_tmpfs_block_devices">
## <description>
## Read and write, create and delete block nodes
## on tmpfs filesystems.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`filesystem_manage_tmpfs_block_devices',`
requires_block_template(`$0'_depend)
allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr };
')
define(`filesystem_manage_tmpfs_block_devices_depend',`
type tmpfs_t;
class dir { getattr search read write add_name remove_name };
class blk_file { getattr read write ioctl create unlink setattr };
')
######################################## ########################################
# #
# filesystem_mount_all_filesystems(type) # filesystem_mount_all_filesystems(type)

View File

@ -1058,8 +1058,16 @@ class lnk_file { getattr read };
') ')
######################################## ########################################
# ## <interface name="kernel_read_usb_hardware_state">
# kernel_read_usb_hardware_state(domain) ## <description>
## Read USB hardware information using
## the usbfs filesystem interface.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`kernel_read_usb_hardware_state',` define(`kernel_read_usb_hardware_state',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -104,24 +104,37 @@ class chr_file { read write };
') ')
######################################## ########################################
# ## <interface name="terminal_use_console">
# terminal_use_console(domain) ## <description>
## Read from and write to the console.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
# #
define(`terminal_use_console',` define(`terminal_use_console',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
devices_list_device_nodes($1,optional) devices_list_device_nodes($1)
allow $1 console_device_t:chr_file { read write }; allow $1 console_device_t:chr_file { read write };
') ')
define(`terminal_use_console_depend',` define(`terminal_use_console_depend',`
type console_device_t; type console_device_t;
class chr_file { read write }; class chr_file { read write };
devices_list_device_nodes_depend
') ')
######################################## ########################################
# ## <interface name="terminal_ignore_use_console">
# terminal_ignore_use_console(domain) ## <description>
## Do not audit read from or write to the console.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
# #
define(`terminal_ignore_use_console',` define(`terminal_ignore_use_console',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -155,7 +168,7 @@ devices_list_device_nodes_depend
# #
define(`terminal_list_pseudoterminals',` define(`terminal_list_pseudoterminals',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
devices_list_device_nodes($1,optional) devices_list_device_nodes($1)
allow $1 devpts_t:dir { getattr search read }; allow $1 devpts_t:dir { getattr search read };
') ')
@ -333,6 +346,29 @@ class chr_file { relabelfrom relabelto };
devices_list_device_nodes_depend devices_list_device_nodes_depend
') ')
########################################
## <interface name="terminal_write_general_physical_terminal">
## <description>
## Write to general ttys. Has a backchannel of
## getting all tty attributes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`terminal_write_general_physical_terminal',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
')
define(`terminal_write_general_physical_terminal_depend',`
type tty_device_t;
class chr_file { read write };
')
######################################## ########################################
# #
# terminal_use_general_physical_terminal(domain) # terminal_use_general_physical_terminal(domain)
@ -391,6 +427,29 @@ attribute ttynode;
class chr_file getattr; class chr_file getattr;
') ')
########################################
## <interface name="terminal_write_all_private_physical_terminals">
## <description>
## Write to all private ttys. Has a backchannel of
## getting all private tty attributes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`terminal_write_all_private_physical_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 ttynode:chr_file { getattr write };
')
define(`terminal_write_all_private_physical_terminals_depend',`
attribute ttynode;
class chr_file { getattr write };
')
######################################## ########################################
# #
# terminal_use_all_private_physical_terminals(domain) # terminal_use_all_private_physical_terminals(domain)

View File

@ -2,7 +2,7 @@
######################################## ########################################
# #
# cron_per_userdomain_template(domain) # cron_per_userdomain_template(domainprefix)
# #
define(`cron_per_userdomain_template',` define(`cron_per_userdomain_template',`
@ -213,3 +213,24 @@ ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
dontaudit $1_crontab_t var_run_t:dir search; dontaudit $1_crontab_t var_run_t:dir search;
') dnl endif TODO ') dnl endif TODO
') ')
########################################
#
# cron_admin_template(domainprefix)
#
define(`cron_admin_template',`
logging_read_system_logs($1_crond_t)
# Allow our crontab domain to unlink a user cron spool file.
#allow $1_crontab_t user_cron_spool_t:file unlink;
# Manipulate other users crontab.
kernel_get_selinuxfs_mount_point($1_crontab_t)
kernel_validate_selinux_context($1_crontab_t)
kernel_compute_selinux_access_vector($1_crontab_t)
kernel_compute_selinux_create_context($1_crontab_t)
kernel_compute_selinux_relabel_context($1_crontab_t)
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
')

View File

@ -204,6 +204,27 @@ type sendmail_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
## <interface name="mta_read_mail_aliases">
## <description>
## Read mail address aliases.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
#
define(`mta_read_mail_aliases',`
requires_block_template(`$0'_depend)
allow $1 etc_aliases_t:file { getattr read };
')
define(`mta_read_mail_aliases_depend',`
type etc_aliases_t;
class file { getattr read };
')
####################################### #######################################
# #
# mta_modify_mail_aliases(domain) # mta_modify_mail_aliases(domain)

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### ########################################
# ## <interface name="clock_transition">
# clock_transition(domain) ## <description>
## Execute hwclock in the clock domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`clock_transition',` define(`clock_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,6 +25,36 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="clock_transition_add_role_use_terminal">
## <description>
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the clock domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the clock domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`clock_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
clock_transition($1)
role $2 types hwclock_t;
allow hwclock_t $3:chr_file { getattr read write ioctl };
')
define(`clock_transition_add_role_use_terminal_depend',`
type hwclock_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# clock_execute(domain) # clock_execute(domain)

View File

@ -68,6 +68,10 @@ optional_policy(`udev.te', `
udev_read_database(hwclock_t) udev_read_database(hwclock_t)
') ')
optional_policy(`userdomain.te',`
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow hwclock_t proc_t:dir r_dir_perms; allow hwclock_t proc_t:dir r_dir_perms;
@ -79,10 +83,8 @@ allow hwclock_t rhgb_t:fd use;
allow hwclock_t rhgb_t:fifo_file { read write }; allow hwclock_t rhgb_t:fifo_file { read write };
') ')
dontaudit hwclock_t unpriv_userdomain:fd use;
allow hwclock_t autofs_t:dir { search getattr }; allow hwclock_t autofs_t:dir { search getattr };
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
optional_policy(`apmd.te', ` optional_policy(`apmd.te', `

View File

@ -148,8 +148,15 @@ class capability kill;
') ')
######################################## ########################################
# ## <interface name="domain_read_all_domains_process_state">
# domain_read_all_domains_process_state(domain) ## <description>
## Read the process state (/proc/pid) of all domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`domain_read_all_domains_process_state',` define(`domain_read_all_domains_process_state',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -263,7 +263,7 @@ type root_t;
class chr_file { read write }; class chr_file { read write };
') ')
# ########################################
## <interface name="files_create_private_root_dir_entry"> ## <interface name="files_create_private_root_dir_entry">
## <description> ## <description>
## Create an object in the root directory, with a private ## Create an object in the root directory, with a private
@ -282,7 +282,6 @@ class chr_file { read write };
## <infoflow type="write" weight="10"/> ## <infoflow type="write" weight="10"/>
## </interface> ## </interface>
# #
define(`files_create_private_root_dir_entry',` define(`files_create_private_root_dir_entry',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 root_t:dir { getattr search read write add_name remove_name }; allow $1 root_t:dir { getattr search read write add_name remove_name };
@ -498,8 +497,15 @@ class dir { getattr search read write add_name remove_name };
') ')
######################################## ########################################
# ## <interface name="files_list_home_directories">
# files_list_home_directories(type) ## <description>
## Get listing home home directories.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`files_list_home_directories',` define(`files_list_home_directories',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -569,6 +575,32 @@ class file { getattr read };
class lnk_file { getattr read }; class lnk_file { getattr read };
') ')
########################################
## <interface name="files_execute_system_source_code_scripts">
## <description>
## Execute programs in /usr/src in the caller domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`files_execute_system_source_code_scripts',`
requires_block_template(`$0'_depend)
allow $1 usr_t:dir search;
allow $1 src_t:dir { getattr search read };
allow $1 src_t:lnk_file { getattr read };
allow $1 src_t:file { getattr read execute execute_no_trans };
')
define(`files_read_system_source_code_depend',`
type usr_t, src_t;
class dir { getattr search read };
class file { getattr read execute execute_no_trans };
class lnk_file { getattr read };
')
######################################## ########################################
# #
# files_read_system_source_code(domain) # files_read_system_source_code(domain)

View File

@ -75,8 +75,15 @@ class dir search;
') ')
######################################## ########################################
# ## <interface name="hotplug_read_config">
# hotplug_read_config(domain) ## <description>
## Read the configuration files for hotplug.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`hotplug_read_config',` define(`hotplug_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -60,13 +60,9 @@ storage_set_removable_device_attributes(hotplug_t)
terminal_ignore_use_console(hotplug_t) terminal_ignore_use_console(hotplug_t)
init_use_file_descriptors(hotplug_t) corecommands_execute_general_programs(hotplug_t)
init_script_use_pseudoterminal(hotplug_t) corecommands_execute_shell(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and corecommands_execute_system_programs(hotplug_t)
# run sendmail -q
init_script_transition(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
init_ignore_use_control_channel(hotplug_t)
domain_use_widely_inheritable_file_descriptors(hotplug_t) domain_use_widely_inheritable_file_descriptors(hotplug_t)
@ -74,11 +70,17 @@ files_read_general_system_config(hotplug_t)
files_create_runtime_system_config(hotplug_t) files_create_runtime_system_config(hotplug_t)
files_execute_system_config_script(hotplug_t) files_execute_system_config_script(hotplug_t)
corecommands_execute_general_programs(hotplug_t) init_use_file_descriptors(hotplug_t)
corecommands_execute_shell(hotplug_t) init_script_use_pseudoterminal(hotplug_t)
corecommands_execute_system_programs(hotplug_t) init_script_read_process_state(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
init_script_transition(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
init_ignore_use_control_channel(hotplug_t)
logging_send_system_log_message(hotplug_t) logging_send_system_log_message(hotplug_t)
logging_search_system_log_directory(hotplug_t)
libraries_use_dynamic_loader(hotplug_t) libraries_use_dynamic_loader(hotplug_t)
libraries_use_shared_libraries(hotplug_t) libraries_use_shared_libraries(hotplug_t)
@ -92,6 +94,8 @@ miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t) mount_transition(hotplug_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
tunable_policy(`targeted_policy', ` tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t) terminal_ignore_use_general_physical_terminal(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t)
@ -110,6 +114,10 @@ optional_policy(`iptables.te',`
iptables_transition(hotplug_t) iptables_transition(hotplug_t)
') ')
optional_policy(`mta.te', `
mta_send_mail(hotplug_t)
')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(hotplug_t) selinux_newrole_sigchld(hotplug_t)
') ')
@ -128,7 +136,6 @@ updfstab_transition(hotplug_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
dontaudit hotplug_t unpriv_userdomain:fd use;
allow hotplug_t autofs_t:dir { search getattr }; allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search; dontaudit hotplug_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
@ -147,11 +154,6 @@ can_network_server(hotplug_t)
can_ypbind(hotplug_t) can_ypbind(hotplug_t)
dbusd_client(system, hotplug) dbusd_client(system, hotplug)
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
# init scripts run /etc/hotplug/usb.rc
allow initrc_t hotplug_etc_t:dir r_dir_perms;
allow hotplug_t kernel_t:process sigchld; allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot # for when filesystems are not mounted early in the boot
@ -159,8 +161,6 @@ dontaudit hotplug_t file_t:dir { search getattr };
allow hotplug_t udev_runtime_t:file rw_file_perms; allow hotplug_t udev_runtime_t:file rw_file_perms;
allow hotplug_t var_log_t:dir search;
# for ps # for ps
dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read; dontaudit hotplug_t { init_t kernel_t }:file read;
@ -178,6 +178,10 @@ allow hotplug_t var_lock_t:file getattr;
optional_policy(`hald.te', ` optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto; allow hotplug_t hald_t:unix_dgram_socket sendto;
')
# this goes to hald:
optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:dir search; allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read }; allow hald_t hotplug_etc_t:file { getattr read };
') ')
@ -186,15 +190,7 @@ optional_policy(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
') ')
optional_policy(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
optional_policy(`lpd.te', ` optional_policy(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr; allow hotplug_t printer_device_t:chr_file setattr;
') ')
optional_policy(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
') dnl end TODO ') dnl end TODO

View File

@ -221,6 +221,37 @@ type initrc_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
## <interface name="init_script_read_process_state">
## <description>
## Read the process state (/proc/pid) of the init scripts.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
#
define(`init_script_read_process_state',`
requires_block_template(`$0'_depend)
allow $1 initrc_t:dir { search getattr read };
allow $1 initrc_t:{ file lnk_file } { read getattr };
allow $1 initrc_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 initrc_t:process ptrace;
')
define(`init_script_read_process_state_depend',`
type initrc_t;
class dir { search getattr read };
class file { read getattr };
class lnk_file { read getattr };
class process { getattr ptrace };
')
######################################## ########################################
# #
# init_script_direct_admin_transition(role,domain) # init_script_direct_admin_transition(role,domain)
@ -255,6 +286,20 @@ type initrc_t;
class fd use; class fd use;
') ')
########################################
#
# init_script_ignore_use_file_descriptors(domain)
#
define(`init_script_ignore_use_file_descriptors',`
requires_block_template(`$0'_depend)
dontaudit $1 initrc_t:fd use;
')
define(`init_script_ignore_use_file_descriptors_depend',`
type initrc_t;
class fd use;
')
######################################## ########################################
# #
# init_script_get_process_group(domain) # init_script_get_process_group(domain)
@ -275,6 +320,7 @@ class process getpgid;
# #
define(`init_script_use_pseudoterminal',` define(`init_script_use_pseudoterminal',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
terminal_list_pseudoterminals($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
') ')
@ -297,6 +343,28 @@ type initrc_devpts_t;
class chr_file { read write ioctl }; class chr_file { read write ioctl };
') ')
########################################
## <interface name="init_script_modify_temporary_data">
## <description>
## Read and write init script temporary data.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
#
define(`init_script_modify_temporary_data',`
requires_block_template(`$0'_depend)
# FIXME: read tmp_t
allow $1 initrc_tmp_t:file { getattr read write };
')
define(`init_script_modify_temporary_data_depend',`
type initrc_var_run_t;
class file { getattr read write };
')
######################################## ########################################
# #
# init_script_read_runtime_data(domain) # init_script_read_runtime_data(domain)

View File

@ -187,12 +187,7 @@ kernel_list_usb_hardware(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
kernel_ignore_get_message_interface_attributes(initrc_t) kernel_ignore_get_message_interface_attributes(initrc_t)
filesystem_register_binary_executable_type(initrc_t) bootloader_read_kernel_symbol_table(initrc_t)
# cjp: not sure why these are here; should use mount policy
filesystem_mount_all_filesystems(initrc_t)
filesystem_unmount_all_filesystems(initrc_t)
filesystem_remount_all_filesystems(initrc_t)
filesystem_get_all_filesystems_attributes(initrc_t)
corenetwork_network_tcp_on_all_interfaces(initrc_t) corenetwork_network_tcp_on_all_interfaces(initrc_t)
corenetwork_network_raw_on_all_interfaces(initrc_t) corenetwork_network_raw_on_all_interfaces(initrc_t)
@ -215,6 +210,13 @@ devices_read_sound_mixer_levels(initrc_t)
devices_write_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t)
devices_set_all_character_device_attributes(initrc_t) devices_set_all_character_device_attributes(initrc_t)
filesystem_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
filesystem_mount_all_filesystems(initrc_t)
filesystem_unmount_all_filesystems(initrc_t)
filesystem_remount_all_filesystems(initrc_t)
filesystem_get_all_filesystems_attributes(initrc_t)
storage_get_fixed_disk_attributes(initrc_t) storage_get_fixed_disk_attributes(initrc_t)
storage_set_fixed_disk_attributes(initrc_t) storage_set_fixed_disk_attributes(initrc_t)
storage_set_removable_device_attributes(initrc_t) storage_set_removable_device_attributes(initrc_t)
@ -222,17 +224,14 @@ storage_set_removable_device_attributes(initrc_t)
terminal_use_all_terminals(initrc_t) terminal_use_all_terminals(initrc_t)
terminal_reset_physical_terminal_labels(initrc_t) terminal_reset_physical_terminal_labels(initrc_t)
bootloader_read_kernel_symbol_table(initrc_t) corecommands_execute_general_programs(initrc_t)
corecommands_execute_system_programs(initrc_t)
corecommands_execute_shell(initrc_t)
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_read_all_domains_process_state(initrc_t) domain_read_all_domains_process_state(initrc_t)
domain_use_widely_inheritable_file_descriptors(initrc_t) domain_use_widely_inheritable_file_descriptors(initrc_t)
libraries_modify_dynamic_loader_cache(initrc_t)
libraries_use_dynamic_loader(initrc_t)
libraries_use_shared_libraries(initrc_t)
libraries_execute_library_scripts(initrc_t)
files_get_all_file_attributes(initrc_t) files_get_all_file_attributes(initrc_t)
files_remove_all_tmp_data(initrc_t) files_remove_all_tmp_data(initrc_t)
files_remove_all_lock_files(initrc_t) files_remove_all_lock_files(initrc_t)
@ -244,9 +243,10 @@ files_execute_system_config_script(initrc_t)
files_read_general_application_resources(initrc_t) files_read_general_application_resources(initrc_t)
files_manage_pseudorandom_saved_seed(initrc_t) files_manage_pseudorandom_saved_seed(initrc_t)
corecommands_execute_general_programs(initrc_t) libraries_modify_dynamic_loader_cache(initrc_t)
corecommands_execute_system_programs(initrc_t) libraries_use_dynamic_loader(initrc_t)
corecommands_execute_shell(initrc_t) libraries_use_shared_libraries(initrc_t)
libraries_execute_library_scripts(initrc_t)
logging_send_system_log_message(initrc_t) logging_send_system_log_message(initrc_t)
@ -267,14 +267,29 @@ logging_append_all_logs(initrc_t)
udev_modify_database(initrc_t) udev_modify_database(initrc_t)
userdomain_read_all_users_data(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdomain_use_admin_terminals(initrc_t)
tunable_policy(`distro_debian', `
filesystem_tmpfs_associate(initrc_var_run_t)
')
tunable_policy(`distro_redhat',` tunable_policy(`distro_redhat',`
kernel_set_selinux_enforcement_mode(initrc_t) kernel_set_selinux_enforcement_mode(initrc_t)
files_create_boot_flag(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map. # Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time. # Redhat systems typically create this file at boot time.
bootloader_create_runtime_data(initrc_t) bootloader_create_runtime_data(initrc_t)
filesystem_use_tmpfs_character_devices(initrc_t)
files_create_boot_flag(initrc_t)
# readahead asks for these
mta_read_mail_aliases(initrc_t)
') dnl end distro_redhat ') dnl end distro_redhat
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
@ -282,7 +297,15 @@ authlogin_pam_read_runtime_data(initrc_t)
authlogin_pam_remove_runtime_data(initrc_t) authlogin_pam_remove_runtime_data(initrc_t)
') ')
optional_policy(`hotplug.te',`
kernel_read_usb_hardware_state(initrc_t)
# init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# Mount and unmount file systems. # Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton }; allow initrc_t { file_t default_t }:dir { read search getattr mounton };
@ -291,15 +314,6 @@ allow initrc_t var_spool_t:file rw_file_perms;
# Set device ownerships/modes. # Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr; allow initrc_t xconsole_device_t:fifo_file setattr;
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;
# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;
# for lsof in shutdown scripts # for lsof in shutdown scripts
can_kerberos(initrc_t) can_kerberos(initrc_t)
dontaudit initrc_t krb5_conf_t:file write; dontaudit initrc_t krb5_conf_t:file write;
@ -326,7 +340,6 @@ allow initrc_t { etc_t device_t }:dir setattr;
allow initrc_t tmpfs_t:dir setattr; allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')dnl end distro_debian ')dnl end distro_debian
tunable_policy(`distro_redhat', ` tunable_policy(`distro_redhat', `
@ -334,22 +347,13 @@ tunable_policy(`distro_redhat', `
# Redhat systems typically create this file at boot time. # Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms; allow initrc_t boot_t:lnk_file rw_file_perms;
allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;
#
# readahead asks for these # readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read }; allow initrc_t var_lib_nfs_t:file { getattr read };
')dnl end distro_redhat ')dnl end distro_redhat
# #
# Shutting down xinet causes these # Shutting down xinet causes these
# #
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync # Rsync
dontaudit initrc_t mail_spool_t:lnk_file read; dontaudit initrc_t mail_spool_t:lnk_file read;

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### ########################################
# ## <interface name="iptables_transition">
# iptables_transition(domain) ## <description>
## Execute iptables in the iptables domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`iptables_transition',` define(`iptables_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,9 +25,46 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
####################################### ########################################
## <interface name="iptables_transition_add_role_use_terminal">
## <description>
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the iptables domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the iptables domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
# iptables_execute(domain) define(`iptables_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
iptables_transition($1)
role $2 types iptables_t;
allow iptables_t $3:chr_file { getattr read write ioctl };
')
define(`iptables_transition_add_role_use_terminal_depend',`
type iptables_t;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="iptables_execute">
## <description>
## Execute iptables in the caller domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`iptables_execute',` define(`iptables_execute',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -49,13 +49,15 @@ filesystem_get_persistent_filesystem_attributes(iptables_t)
terminal_ignore_use_console(iptables_t) terminal_ignore_use_console(iptables_t)
init_use_file_descriptors(iptables_t)
init_script_use_pseudoterminal(iptables_t)
domain_use_widely_inheritable_file_descriptors(iptables_t) domain_use_widely_inheritable_file_descriptors(iptables_t)
files_read_general_system_config(iptables_t) files_read_general_system_config(iptables_t)
init_use_file_descriptors(iptables_t)
init_script_use_pseudoterminal(iptables_t)
# to allow rules to be saved on reboot:
init_script_modify_temporary_data(iptables_t)
libraries_use_dynamic_loader(iptables_t) libraries_use_dynamic_loader(iptables_t)
libraries_use_shared_libraries(iptables_t) libraries_use_shared_libraries(iptables_t)
@ -67,6 +69,19 @@ miscfiles_read_localization(iptables_t)
sysnetwork_ifconfig_transition(iptables_t) sysnetwork_ifconfig_transition(iptables_t)
userdomain_use_all_users_file_descriptors(iptables_t)
tunable_policy(`use_dns',`
allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenetwork_network_udp_on_all_interfaces(iptables_t)
corenetwork_network_raw_on_all_interfaces(iptables_t)
corenetwork_network_udp_on_all_nodes(iptables_t)
corenetwork_network_raw_on_all_nodes(iptables_t)
corenetwork_bind_udp_on_all_nodes(iptables_t)
corenetwork_network_udp_on_dns_port(iptables_t)
sysnetwork_read_network_config(iptables_t)
')
optional_policy(`modutils.te', ` optional_policy(`modutils.te', `
modutils_insmod_transition(iptables_t) modutils_insmod_transition(iptables_t)
') ')
@ -92,26 +107,12 @@ allow iptables_t rhgb_t:process sigchld;
allow iptables_t rhgb_t:fd use; allow iptables_t rhgb_t:fd use;
allow iptables_t rhgb_t:fifo_file { read write }; allow iptables_t rhgb_t:fifo_file { read write };
') ')
dontaudit iptables_t unpriv_userdomain:fd use;
allow iptables_t autofs_t:dir { search getattr }; allow iptables_t autofs_t:dir { search getattr };
tunable_policy(`direct_sysadm_daemon', `
dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
')
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
role sysadm_r types iptables_t;
# to allow rules to be saved on reboot
allow iptables_t initrc_tmp_t:file rw_file_perms;
# for iptables -L # for iptables -L
can_resolve(iptables_t)
can_ypbind(iptables_t) can_ypbind(iptables_t)
allow iptables_t userdomain:fd use;
# Access terminals.
allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
optional_policy(`gnome-pty-helper.te',` optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use; allow iptables_t sysadm_gph_t:fd use;
') ')

View File

@ -11,9 +11,9 @@ type local_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(local_login_t) kernel_make_object_identity_change_constraint_exception(local_login_t)
kernel_make_process_identity_change_constraint_exception(local_login_t) kernel_make_process_identity_change_constraint_exception(local_login_t)
kernel_make_role_change_constraint_exception(local_login_t) kernel_make_role_change_constraint_exception(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t)
domain_make_domain(local_login_t) domain_make_domain(local_login_t)
domain_make_file_descriptors_widely_inheritable(local_login_t) domain_make_file_descriptors_widely_inheritable(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t)
role system_r types local_login_t; role system_r types local_login_t;
type local_login_tmp_t; type local_login_tmp_t;
@ -24,10 +24,9 @@ type sulogin_exec_t;
kernel_make_object_identity_change_constraint_exception(sulogin_t) kernel_make_object_identity_change_constraint_exception(sulogin_t)
kernel_make_process_identity_change_constraint_exception(sulogin_t) kernel_make_process_identity_change_constraint_exception(sulogin_t)
kernel_make_role_change_constraint_exception(sulogin_t) kernel_make_role_change_constraint_exception(sulogin_t)
domain_make_file_descriptors_widely_inheritable(sulogin_t)
init_make_init_domain(sulogin_t,sulogin_exec_t) init_make_init_domain(sulogin_t,sulogin_exec_t)
init_make_system_domain(sulogin_t,sulogin_exec_t) init_make_system_domain(sulogin_t,sulogin_exec_t)
domain_make_file_descriptors_widely_inheritable(sulogin_t)
role system_r types sulogin_t; role system_r types sulogin_t;
######################################## ########################################
@ -68,8 +67,12 @@ devices_get_pseudorandom_data(local_login_t)
terminal_use_all_private_physical_terminals(local_login_t) terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t) terminal_use_general_physical_terminal(local_login_t)
init_script_modify_runtime_data(local_login_t) authlogin_check_password_transition(local_login_t)
init_ignore_use_file_descriptors(local_login_t) authlogin_ignore_read_shadow_passwords(local_login_t)
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
authlogin_pam_execute(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t)
domain_read_all_entrypoint_programs(local_login_t) domain_read_all_entrypoint_programs(local_login_t)
@ -78,22 +81,19 @@ files_read_runtime_system_config(local_login_t)
files_list_home_directories(local_login_t) files_list_home_directories(local_login_t)
files_read_general_application_resources(local_login_t) files_read_general_application_resources(local_login_t)
init_script_modify_runtime_data(local_login_t)
init_ignore_use_file_descriptors(local_login_t)
libraries_use_dynamic_loader(local_login_t) libraries_use_dynamic_loader(local_login_t)
libraries_use_shared_libraries(local_login_t) libraries_use_shared_libraries(local_login_t)
logging_send_system_log_message(local_login_t) logging_send_system_log_message(local_login_t)
miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t) selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t) selinux_read_default_contexts(local_login_t)
authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
authlogin_pam_execute(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t)
miscfiles_read_localization(local_login_t)
ifdef(`TODO',` ifdef(`TODO',`
allow local_login_t unpriv_userdomain:fd use; allow local_login_t unpriv_userdomain:fd use;

View File

@ -57,9 +57,18 @@ class unix_dgram_socket { create read getattr write setattr append bind connect
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto }; class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
') ')
####################################### ########################################
# ## <interface name="logging_search_system_log_directory">
# logging_search_system_log_directory(domain) ## <description>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="3"/>
## </interface>
# #
define(`logging_search_system_log_directory',` define(`logging_search_system_log_directory',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -36,6 +36,8 @@ files_make_file(var_log_t)
# #
allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink }; allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink }; allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
allow klogd_t self:capability sys_admin; allow klogd_t self:capability sys_admin;
@ -46,26 +48,25 @@ kernel_read_messages(klogd_t)
# Control syslog and console logging # Control syslog and console logging
kernel_clear_ring_buffer(klogd_t) kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t) kernel_change_ring_buffer_level(klogd_t)
bootloader_read_kernel_symbol_table(klogd_t)
devices_raw_read_memory(klogd_t) devices_raw_read_memory(klogd_t)
filesystem_get_all_filesystems_attributes(klogd_t) filesystem_get_all_filesystems_attributes(klogd_t)
bootloader_read_kernel_symbol_table(klogd_t) files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
files_read_runtime_system_config(klogd_t)
# read /etc/nsswitch.conf
files_read_general_system_config(klogd_t)
libraries_use_dynamic_loader(klogd_t) libraries_use_dynamic_loader(klogd_t)
libraries_use_shared_libraries(klogd_t) libraries_use_shared_libraries(klogd_t)
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
# read /etc/nsswitch.conf
files_read_general_system_config(klogd_t)
files_read_runtime_system_config(klogd_t)
miscfiles_read_localization(klogd_t)
logging_send_system_log_message(klogd_t) logging_send_system_log_message(klogd_t)
miscfiles_read_localization(klogd_t)
######################################## ########################################
# #
# syslogd local policy # syslogd local policy
@ -104,6 +105,13 @@ kernel_read_kernel_sysctl(syslogd_t)
devices_create_dev_entry(syslogd_t,devlog_t,sock_file) devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
terminal_ignore_use_console(syslogd_t) terminal_ignore_use_console(syslogd_t)
# Allow syslog to a terminal
terminal_write_general_physical_terminal(syslogd_t)
# for sending messages to logged in users
init_script_read_runtime_data(syslogd_t)
init_script_ignore_write_runtime_data(syslogd_t)
terminal_write_all_private_physical_terminals(syslogd_t)
corenetwork_network_raw_on_all_interfaces(syslogd_t) corenetwork_network_raw_on_all_interfaces(syslogd_t)
corenetwork_network_udp_on_all_interfaces(syslogd_t) corenetwork_network_udp_on_all_interfaces(syslogd_t)
@ -132,11 +140,13 @@ sysnetwork_read_network_config(syslogd_t)
miscfiles_read_localization(syslogd_t) miscfiles_read_localization(syslogd_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
# #
# /initrd is not umounted before minilog starts # /initrd is not umounted before minilog starts
# #
#dontaudit syslogd_t file_t:dir search; #dontaudit syslogd_t file_t:dir search;
#allow syslogd_t { tmpfs_t devpts_t }:dir search; #allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read; #dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin; allow syslogd_t self:capability net_admin;
@ -165,7 +175,6 @@ files_ignore_read_rootfs_file(syslogd_t)
ifdef(`TODO',` ifdef(`TODO',`
allow syslogd_t proc_t:lnk_file read; allow syslogd_t proc_t:lnk_file read;
dontaudit syslogd_t unpriv_userdomain:fd use;
allow syslogd_t autofs_t:dir { search getattr }; allow syslogd_t autofs_t:dir { search getattr };
dontaudit syslogd_t sysadm_home_dir_t:dir search; dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
@ -199,16 +208,8 @@ ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms; allow logrotate_t syslogd_exec_t:file r_file_perms;
') ')
# for sending messages to logged in users
allow syslogd_t initrc_var_run_t:file { read lock };
dontaudit syslogd_t initrc_var_run_t:file write;
allow syslogd_t ttyfile:chr_file { getattr write };
# #
# Special case to handle crashes # Special case to handle crashes
# #
allow syslogd_t { device_t file_t }:sock_file unlink; allow syslogd_t { device_t file_t }:sock_file unlink;
# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
') dnl end TODO ') dnl end TODO

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### ########################################
# ## <interface name="lvm_transition">
# lvm_transition(domain) ## <description>
## Execute lvm programs in the lvm domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`lvm_transition',` define(`lvm_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,9 +25,45 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
####################################### ########################################
## <interface name="lvm_transition_add_role_use_terminal">
## <description>
## Execute lvm programs in the lvm domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to allow the LVM domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the LVM domain to use.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
# #
# lvm_read_config(domain) define(`lvm_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
lvm_transition($1)
role $2 types lvm_t;
allow lvm_t $3:chr_file { getattr read write ioctl };
')
define(`lvm_transition_add_role_use_terminal_depend',`
type lvm_t;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="lvm_read_config">
## <description>
## Read LVM configuration files.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`lvm_read_config',` define(`lvm_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)

View File

@ -15,18 +15,18 @@ init_make_system_domain(lvm_t,lvm_exec_t)
kernel_make_object_identity_change_constraint_exception(lvm_t) kernel_make_object_identity_change_constraint_exception(lvm_t)
role system_r types lvm_t; role system_r types lvm_t;
type lvm_tmp_t;
files_make_temporary_file(lvm_tmp_t)
type lvm_metadata_t;
files_make_file(lvm_metadata_t)
type lvm_etc_t; type lvm_etc_t;
files_make_file(lvm_etc_t) files_make_file(lvm_etc_t)
type lvm_lock_t; type lvm_lock_t;
files_make_lock_file(lvm_lock_t) files_make_lock_file(lvm_lock_t)
type lvm_metadata_t;
files_make_file(lvm_metadata_t)
type lvm_tmp_t;
files_make_temporary_file(lvm_tmp_t)
######################################## ########################################
# #
# Local policy # Local policy
@ -137,7 +137,6 @@ udev_read_database(lvm_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types lvm_t;
allow lvm_t autofs_t:dir { search getattr }; allow lvm_t autofs_t:dir { search getattr };
# LVM creates block devices in /dev/mapper or /dev/<vg> # LVM creates block devices in /dev/mapper or /dev/<vg>
@ -154,9 +153,6 @@ allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow lvm_t device_t:lnk_file { relabelfrom relabelto }; allow lvm_t device_t:lnk_file { relabelfrom relabelto };
# Access terminals.
allow lvm_t admin_tty_type:chr_file { ioctl read getattr lock write append };
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dontaudit lvm_t device_t:fifo_file getattr; dontaudit lvm_t device_t:fifo_file getattr;

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
######################################## ########################################
# ## <interface name="modutils_read_kernel_module_dependencies">
# modutils_read_kernel_module_dependencies(domain) ## <description>
## Read the dependencies of kernel modules.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`modutils_read_kernel_module_dependencies',` define(`modutils_read_kernel_module_dependencies',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,8 +25,16 @@ bootloader_list_kernel_modules_depend
') ')
######################################## ########################################
# ## <interface name="modutils_read_kernel_module_loading_config">
# modutils_read_kernel_module_loading_config(domain) ## <description>
## Read the configuration options used when
## loading modules.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
define(`modutils_read_kernel_module_loading_config',` define(`modutils_read_kernel_module_loading_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -32,8 +47,15 @@ class file { getattr create read write setattr unlink };
') ')
######################################## ########################################
# ## <interface name="modutils_insmod_transition">
# modutils_insmod_transition(domain) ## <description>
## Execute insmod in the insmod domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`modutils_insmod_transition',` define(`modutils_insmod_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -49,6 +71,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="modutils_insmod_transition_add_role_use_terminal">
## <description>
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the insmod domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the insmod domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`modutils_insmod_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
modutils_insmod_transition($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
define(`modutils_insmod_transition_add_role_use_terminal_depend',`
type insmod_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# modutils_insmod_execute(domain) # modutils_insmod_execute(domain)
@ -64,8 +117,15 @@ class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
# ## <interface name="modutils_depmod_transition">
# modutils_depmod_transition(domain) ## <description>
## Execute depmod in the depmod domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`modutils_depmod_transition',` define(`modutils_depmod_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -81,6 +141,35 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="modutils_depmod_transition_add_role_use_terminal">
## <description>
## Execute depmod in the depmod domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the depmod domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the depmod domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`modutils_depmod_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
modutils_depmod_transition($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
define(`modutils_depmod_transition_add_role_use_terminal_depend',`
type depmod_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# modutils_depmod_execute(domain) # modutils_depmod_execute(domain)
@ -96,8 +185,15 @@ class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
# ## <interface name="modutils_update_modules_transition">
# modutils_update_modules_transition(domain) ## <description>
## Execute depmod in the depmod domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`modutils_update_modules_transition',` define(`modutils_update_modules_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -113,6 +209,35 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="modutils_update_modules_transition_add_role_use_terminal">
## <description>
## Execute update_modules in the update_modules domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the update_modules domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the update_modules domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`modutils_update_modules_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
modutils_update_modules_transition($1)
role $2 types update_modules_t;
allow update_modules_t $3:chr_file { getattr read write ioctl };
')
define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
type update_modules_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# modutils_update_modules_execute(domain) # modutils_update_modules_execute(domain)

View File

@ -110,8 +110,6 @@ allow insmod_t sysfs_t:dir search;
allow insmod_t usbfs_t:dir search; allow insmod_t usbfs_t:dir search;
allow insmod_t usbfs_t:filesystem mount; allow insmod_t usbfs_t:filesystem mount;
allow insmod_t admin_tty_type:chr_file { getattr read write };
# for when /var is not mounted early in the boot # for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search; dontaudit insmod_t file_t:dir search;
@ -159,10 +157,6 @@ ifdef(`TODO',`
allow depmod_t { bin_t sbin_t }:dir search; allow depmod_t { bin_t sbin_t }:dir search;
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
# Access terminals.
allow depmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories. # Read System.map from home directories.
@ -228,8 +222,5 @@ logging_send_system_log_message(update_modules_t)
miscfiles_read_localization(update_modules_t) miscfiles_read_localization(update_modules_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types update_modules_t;
domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
allow update_modules_t admin_tty_type:chr_file rw_file_perms;
dontaudit update_modules_t sysadm_home_dir_t:dir search; dontaudit update_modules_t sysadm_home_dir_t:dir search;
') dnl endif TODO ') dnl endif TODO

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### ########################################
# ## <interface name="mount_transition">
# mount_transition(domain) ## <description>
## Execute mount in the mount domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`mount_transition',` define(`mount_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="mount_transition_add_role_use_terminal">
## <description>
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the mount domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the mount domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`mount_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
mount_transition($1)
role $2 types mount_t;
allow mount_t $3:chr_file { getattr read write ioctl };
')
define(`mount_transition_add_role_use_terminal_depend',`
type mount_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# mount_use_file_descriptors(domain) # mount_use_file_descriptors(domain)

View File

@ -21,6 +21,9 @@ allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr
kernel_read_system_state(mount_t) kernel_read_system_state(mount_t)
kernel_ignore_use_file_descriptors(mount_t) kernel_ignore_use_file_descriptors(mount_t)
corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
devices_get_all_block_device_attributes(mount_t) devices_get_all_block_device_attributes(mount_t)
devices_list_device_nodes(mount_t) devices_list_device_nodes(mount_t)
@ -37,11 +40,9 @@ files_unmount_root_filesystem(mount_t)
terminal_use_console(mount_t) terminal_use_console(mount_t)
corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t) # required for mount.smbfs
corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t) corecommands_execute_system_programs(mount_t)
corecommands_execute_general_programs(mount_t)
init_use_file_descriptors(mount_t)
init_script_use_pseudoterminal(mount_t)
domain_use_widely_inheritable_file_descriptors(mount_t) domain_use_widely_inheritable_file_descriptors(mount_t)
@ -51,21 +52,55 @@ files_read_general_system_config(mount_t)
files_create_runtime_system_config(mount_t) files_create_runtime_system_config(mount_t)
files_mount_on_all_mountpoints(mount_t) files_mount_on_all_mountpoints(mount_t)
init_use_file_descriptors(mount_t)
init_script_use_pseudoterminal(mount_t)
libraries_use_dynamic_loader(mount_t) libraries_use_dynamic_loader(mount_t)
libraries_use_shared_libraries(mount_t) libraries_use_shared_libraries(mount_t)
# required for mount.smbfs
corecommands_execute_system_programs(mount_t)
corecommands_execute_general_programs(mount_t)
logging_send_system_log_message(mount_t) logging_send_system_log_message(mount_t)
miscfiles_read_localization(mount_t) miscfiles_read_localization(mount_t)
userdomain_use_all_users_file_descriptors(mount_t)
tunable_policy(`distro_redhat',`
filesystem_use_tmpfs_character_devices(mount_t)
allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(mount_t)
# mount config by default sets fscontext=removable_t
allow mount_t dosfs_t:filesystem relabelfrom;
') dnl end authlogin
') dnl end distro_redhat
optional_policy(`portmap.te', `
# for nfs
#can_ypbind(mount_t)
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
#allow mount_t rpc_pipefs_t:dir search;
corenetwork_network_tcp_on_all_interfaces(mount_t)
corenetwork_network_raw_on_all_interfaces(mount_t)
corenetwork_network_udp_on_all_interfaces(mount_t)
corenetwork_network_tcp_on_all_nodes(mount_t)
corenetwork_network_raw_on_all_nodes(mount_t)
corenetwork_network_udp_on_all_nodes(mount_t)
corenetwork_network_tcp_on_all_ports(mount_t)
corenetwork_network_udp_on_all_ports(mount_t)
corenetwork_bind_tcp_on_all_nodes(mount_t)
corenetwork_bind_udp_on_all_nodes(mount_t)
corenetwork_bind_tcp_on_general_port(mount_t)
corenetwork_bind_udp_on_general_port(mount_t)
corenetwork_bind_tcp_on_reserved_port(mount_t)
corenetwork_bind_udp_on_reserved_port(mount_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# Mount, remount and unmount file systems. # this goes to the nfs/rpc module
# nfsv4 has a filesystem to mount for its userspace daemons files_make_mountpoint(var_lib_nfs_t)
allow mount_t var_lib_nfs_t:dir mounton;
# TODO: Need to examine this further. Not sure how to handle this # TODO: Need to examine this further. Not sure how to handle this
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type; #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
@ -83,59 +118,18 @@ allow mount_t fs_t:filesystem relabelfrom;
# This rule needs to be generalized. Only admin, initrc should have it. # This rule needs to be generalized. Only admin, initrc should have it.
allow mount_t file_type:filesystem { unmount mount relabelto }; allow mount_t file_type:filesystem { unmount mount relabelto };
allow mount_t userdomain:fd use;
domain_auto_trans(sysadm_t, mount_exec_t, mount_t)
role sysadm_r types mount_t;
allow mount_t sysadm_tty_device_t:chr_file { getattr read write ioctl };
allow mount_t sysadm_devpts_t:chr_file { getattr read write };
ifdef(`gnome-pty-helper.te', ` ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use; allow mount_t sysadm_gph_t:fd use;
') ')
tunable_policy(`distro_redhat',`
optional_policy(`authlogin.te',`
r_dir_file($2_t,pam_var_console_t)
# mount config by default sets fscontext=removable_t
allow $2_t dosfs_t:filesystem relabelfrom;
') dnl end authlogin
') dnl end distro_redhat
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
allow mount_t rhgb_t:process sigchld; allow mount_t rhgb_t:process sigchld;
allow mount_t rhgb_t:fd use; allow mount_t rhgb_t:fd use;
allow mount_t rhgb_t:fifo_file { read write }; allow mount_t rhgb_t:fifo_file { read write };
') ')
tunable_policy(`distro_redhat', `
allow mount_t tmpfs_t:chr_file { read write };
allow mount_t tmpfs_t:dir mounton;
')
optional_policy(`automount.te', ` optional_policy(`automount.te', `
allow mount_t autofs_t:dir read; allow mount_t autofs_t:dir read;
') ')
optional_policy(`portmap.te', `
# for nfs
can_ypbind(mount_t)
can_udp_send(mount_t, portmap_t)
can_udp_send(portmap_t, mount_t)
allow mount_t rpc_pipefs_t:dir search;
corenetwork_network_tcp_on_all_interfaces(mount_t)
corenetwork_network_raw_on_all_interfaces(mount_t)
corenetwork_network_udp_on_all_interfaces(mount_t)
corenetwork_network_tcp_on_all_nodes(mount_t)
corenetwork_network_raw_on_all_nodes(mount_t)
corenetwork_network_udp_on_all_nodes(mount_t)
corenetwork_network_tcp_on_all_ports(mount_t)
corenetwork_network_udp_on_all_ports(mount_t)
corenetwork_bind_tcp_on_all_nodes(mount_t)
corenetwork_bind_udp_on_all_nodes(mount_t)
corenetwork_bind_tcp_on_general_port(mount_t)
corenetwork_bind_udp_on_general_port(mount_t)
corenetwork_bind_tcp_on_reserved_port(mount_t)
corenetwork_bind_udp_on_reserved_port(mount_t)
')
') dnl endif TODO ') dnl endif TODO

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### #######################################
# ## <interface name="selinux_checkpolicy_transition">
# selinux_checkpolicy_transition(domain) ## <description>
## Execute checkpolicy in the checkpolicy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_checkpolicy_transition',` define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
## <description>
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the checkpolicy domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the checkpolicy domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_checkpolicy_transition($1)
role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
type checkpolicy_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_checkpolicy_execute(domain) # selinux_checkpolicy_execute(domain)
@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
') ')
####################################### #######################################
# ## <interface name="selinux_load_policy_transition">
# selinux_load_policy_transition(domain) ## <description>
## Execute load_policy in the load_policy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_load_policy_transition',` define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -50,6 +95,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
## <description>
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the load_policy domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the load_policy domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_load_policy_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_load_policy_transition($1)
role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
type load_policy_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_load_policy_execute(domain) # selinux_load_policy_execute(domain)
@ -79,8 +155,15 @@ class file { getattr read };
') ')
####################################### #######################################
# ## <interface name="selinux_newrole_transition">
# selinux_newrole_transition(domain) ## <description>
## Execute newrole in the load_policy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_newrole_transition',` define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
') ')
define(`selinux_newrole_transition_depend',` define(`selinux_newrole_transition_depend',`
type newrole_exec_t; type newrole_t, newrole_exec_t;
class file { getattr read execute }; class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal">
## <description>
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the newrole domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the newrole domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_newrole_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_newrole_transition($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
type newrole_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_newrole_execute(domain) # selinux_newrole_execute(domain)
@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
## <interface name="selinux_newrole_ignore_signal">
## <description>
## Do not audit the caller attempts to send
## a signal to newrole.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`selinux_newrole_ignore_signal',`
requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal;
')
define(`selinux_newrole_ignore_signal_depend',`
type newrole_t;
class process signal;
')
####################################### #######################################
# #
# selinux_newrole_sigchld(domain) # selinux_newrole_sigchld(domain)
@ -139,8 +275,15 @@ class fd use;
') ')
####################################### #######################################
# ## <interface name="selinux_restorecon_transition">
# selinux_restorecon_transition(domain) ## <description>
## Execute restorecon in the restorecon domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_restorecon_transition',` define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -156,6 +299,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
## <description>
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the restorecon domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the restorecon domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_restorecon_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_restorecon_transition($1)
role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
type restorecon_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_restorecon_execute(domain) # selinux_restorecon_execute(domain)
@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
# ## <interface name="selinux_run_init_transition">
# selinux_run_init_transition(domain) ## <description>
## Execute run_init in the run_init domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_run_init_transition',` define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -188,6 +369,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal">
## <description>
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the run_init domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the run_init domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_run_init_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_run_init_transition($1)
role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
type run_init_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# selinux_run_init_use_file_descriptors(domain) # selinux_run_init_use_file_descriptors(domain)
@ -202,9 +414,16 @@ type run_init_t;
class fd use; class fd use;
') ')
####################################### ########################################
# ## <interface name="selinux_setfiles_transition">
# selinux_setfiles_transition(domain) ## <description>
## Execute setfiles in the setfiles domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_setfiles_transition',` define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -220,6 +439,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
## <description>
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the setfiles domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the setfiles domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_setfiles_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_setfiles_transition($1)
role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
type setfiles_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_setfiles_execute(domain) # selinux_setfiles_execute(domain)

View File

@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
# directory search permissions for path to source and binary policy files
files_search_general_system_config_directory(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t)
@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t) userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
allow checkpolicy_t sysadm_tmp_t:file { getattr write };
# directory search permissions for path to source and binary policy files
allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory. # Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
allow load_policy_t sysadm_tmp_t:file { getattr write };
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files # directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search; allow load_policy_t etc_t:dir search;
@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t)
# Write to utmp. authlogin_check_password_transition(newrole_t)
init_script_modify_runtime_data(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t)
# Write to utmp.
init_script_modify_runtime_data(newrole_t)
files_read_general_system_config(newrole_t) files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t) libraries_use_dynamic_loader(newrole_t)
@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
authlogin_check_password_transition(newrole_t) userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(newrole_t)
role sysadm_r types newrole_t;
allow newrole_t unpriv_userdomain:fd use;
can_ypbind(newrole) can_ypbind(newrole)
ifdef(`automount.te', ` ifdef(`automount.te', `
allow newrole_t autofs_t:dir { search getattr }; allow newrole_t autofs_t:dir { search getattr };
@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd # for some PAM modules and for cwd
dontaudit newrole_t { home_root_t home_type }:dir search; dontaudit newrole_t { home_root_t home_type }:dir search;
# for when the network connection is killed
dontaudit unpriv_userdomain newrole_t:process signal;
') dnl ifdef TODO ') dnl ifdef TODO
######################################## ########################################
@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t) authlogin_relabel_to_shadow_passwords(restorecon_t)
tunable_policy(`distro_redhat', `
filesystem_use_tmpfs_character_devices(restorecon_t)
filesystem_use_tmpfs_block_devices(restorecon_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute }; allow restorecon_t lib_t:file { read execute };
tunable_policy(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
') ')
allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t fs_type:dir r_dir_perms;
@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t)
authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t) corecommands_execute_general_programs(run_init_t)
@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t) domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy ') dnl endif targeted policy
tunable_policy(`distro_gentoo', ` tunable_policy(`distro_gentoo', `
@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t) userdomain_use_all_users_file_descriptors(setfiles_t)
# for config files in a home directory
userdomain_read_all_users_data(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled_object(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t)
@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
authlogin_relabel_to_shadow_passwords(setfiles_t) authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',` ifdef(`TODO',`
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
role sysadm_r types setfiles_t;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run! # scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute }; allow setfiles_t lib_t:file { read execute };
@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
allow setfiles_t fs_type:dir r_dir_perms; allow setfiles_t fs_type:dir r_dir_perms;
# for config files in a home directory
allow setfiles_t home_type:file r_file_perms;
') dnl endif TODO ') dnl endif TODO

View File

@ -1,8 +1,15 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
####################################### #######################################
# ## <interface name="selinux_checkpolicy_transition">
# selinux_checkpolicy_transition(domain) ## <description>
## Execute checkpolicy in the checkpolicy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_checkpolicy_transition',` define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -18,6 +25,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
## <description>
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the checkpolicy domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the checkpolicy domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_checkpolicy_transition($1)
role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
type checkpolicy_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_checkpolicy_execute(domain) # selinux_checkpolicy_execute(domain)
@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
') ')
####################################### #######################################
# ## <interface name="selinux_load_policy_transition">
# selinux_load_policy_transition(domain) ## <description>
## Execute load_policy in the load_policy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_load_policy_transition',` define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -50,6 +95,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
## <description>
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the load_policy domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the load_policy domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_load_policy_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_load_policy_transition($1)
role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
type load_policy_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_load_policy_execute(domain) # selinux_load_policy_execute(domain)
@ -79,8 +155,15 @@ class file { getattr read };
') ')
####################################### #######################################
# ## <interface name="selinux_newrole_transition">
# selinux_newrole_transition(domain) ## <description>
## Execute newrole in the load_policy domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_newrole_transition',` define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
') ')
define(`selinux_newrole_transition_depend',` define(`selinux_newrole_transition_depend',`
type newrole_exec_t; type newrole_t, newrole_exec_t;
class file { getattr read execute }; class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal">
## <description>
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the newrole domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the newrole domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_newrole_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_newrole_transition($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
type newrole_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_newrole_execute(domain) # selinux_newrole_execute(domain)
@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
## <interface name="selinux_newrole_ignore_signal">
## <description>
## Do not audit the caller attempts to send
## a signal to newrole.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`selinux_newrole_ignore_signal',`
requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal;
')
define(`selinux_newrole_ignore_signal_depend',`
type newrole_t;
class process signal;
')
####################################### #######################################
# #
# selinux_newrole_sigchld(domain) # selinux_newrole_sigchld(domain)
@ -139,8 +275,15 @@ class fd use;
') ')
####################################### #######################################
# ## <interface name="selinux_restorecon_transition">
# selinux_restorecon_transition(domain) ## <description>
## Execute restorecon in the restorecon domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_restorecon_transition',` define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -156,6 +299,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
## <description>
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the restorecon domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the restorecon domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_restorecon_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_restorecon_transition($1)
role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
type restorecon_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_restorecon_execute(domain) # selinux_restorecon_execute(domain)
@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
# ## <interface name="selinux_run_init_transition">
# selinux_run_init_transition(domain) ## <description>
## Execute run_init in the run_init domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_run_init_transition',` define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -188,6 +369,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal">
## <description>
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the run_init domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the run_init domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_run_init_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_run_init_transition($1)
role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
type run_init_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# selinux_run_init_use_file_descriptors(domain) # selinux_run_init_use_file_descriptors(domain)
@ -202,9 +414,16 @@ type run_init_t;
class fd use; class fd use;
') ')
####################################### ########################################
# ## <interface name="selinux_setfiles_transition">
# selinux_setfiles_transition(domain) ## <description>
## Execute setfiles in the setfiles domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`selinux_setfiles_transition',` define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -220,6 +439,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
## <description>
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the setfiles domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the setfiles domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_setfiles_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
selinux_setfiles_transition($1)
role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl };
')
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
type setfiles_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# selinux_setfiles_execute(domain) # selinux_setfiles_execute(domain)

View File

@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
# directory search permissions for path to source and binary policy files
files_search_general_system_config_directory(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t)
@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t) userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
allow checkpolicy_t sysadm_tmp_t:file { getattr write };
# directory search permissions for path to source and binary policy files
allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory. # Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
allow load_policy_t sysadm_tmp_t:file { getattr write };
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files # directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search; allow load_policy_t etc_t:dir search;
@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t)
# Write to utmp. authlogin_check_password_transition(newrole_t)
init_script_modify_runtime_data(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t)
# Write to utmp.
init_script_modify_runtime_data(newrole_t)
files_read_general_system_config(newrole_t) files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t) libraries_use_dynamic_loader(newrole_t)
@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
authlogin_check_password_transition(newrole_t) userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(newrole_t)
role sysadm_r types newrole_t;
allow newrole_t unpriv_userdomain:fd use;
can_ypbind(newrole) can_ypbind(newrole)
ifdef(`automount.te', ` ifdef(`automount.te', `
allow newrole_t autofs_t:dir { search getattr }; allow newrole_t autofs_t:dir { search getattr };
@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd # for some PAM modules and for cwd
dontaudit newrole_t { home_root_t home_type }:dir search; dontaudit newrole_t { home_root_t home_type }:dir search;
# for when the network connection is killed
dontaudit unpriv_userdomain newrole_t:process signal;
') dnl ifdef TODO ') dnl ifdef TODO
######################################## ########################################
@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t) authlogin_relabel_to_shadow_passwords(restorecon_t)
tunable_policy(`distro_redhat', `
filesystem_use_tmpfs_character_devices(restorecon_t)
filesystem_use_tmpfs_block_devices(restorecon_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute }; allow restorecon_t lib_t:file { read execute };
tunable_policy(`distro_redhat', ` tunable_policy(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
') ')
allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t fs_type:dir r_dir_perms;
@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t)
authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t) corecommands_execute_general_programs(run_init_t)
@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t) domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy ') dnl endif targeted policy
tunable_policy(`distro_gentoo', ` tunable_policy(`distro_gentoo', `
@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t) userdomain_use_all_users_file_descriptors(setfiles_t)
# for config files in a home directory
userdomain_read_all_users_data(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled_object(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t)
@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
authlogin_relabel_to_shadow_passwords(setfiles_t) authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',` ifdef(`TODO',`
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
role sysadm_r types setfiles_t;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run! # scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute }; allow setfiles_t lib_t:file { read execute };
@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
allow setfiles_t fs_type:dir r_dir_perms; allow setfiles_t fs_type:dir r_dir_perms;
# for config files in a home directory
allow setfiles_t home_type:file r_file_perms;
') dnl endif TODO ') dnl endif TODO

View File

@ -18,9 +18,16 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
######################################## #######################################
# ## <interface name="sysnetwork_ifconfig_transition">
# sysnetwork_ifconfig_transition(domain) ## <description>
## Execute ifconfig in the ifconfig domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`sysnetwork_ifconfig_transition',` define(`sysnetwork_ifconfig_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -36,6 +43,37 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="sysnetwork_ifconfig_transition_add_role_use_terminal">
## <description>
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to be allowed the ifconfig domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the ifconfig domain to use.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
sysnetwork_ifconfig_transition($1)
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file { getattr read write ioctl };
')
define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
type ifconfig_t;
class chr_file { getattr read write ioctl };
')
######################################## ########################################
# #
# sysnetwork_read_network_config(domain) # sysnetwork_read_network_config(domain)

View File

@ -94,28 +94,28 @@ terminal_ignore_use_all_private_physical_terminals(dhcpc_t)
terminal_ignore_use_all_private_pseudoterminals(dhcpc_t) terminal_ignore_use_all_private_pseudoterminals(dhcpc_t)
terminal_ignore_use_general_physical_terminal(dhcpc_t) terminal_ignore_use_general_physical_terminal(dhcpc_t)
init_use_file_descriptors(dhcpc_t) corecommands_execute_general_programs(dhcpc_t)
init_script_use_pseudoterminal(dhcpc_t) corecommands_execute_system_programs(dhcpc_t)
init_script_modify_runtime_data(dhcpc_t) corecommands_execute_shell(dhcpc_t)
domain_use_widely_inheritable_file_descriptors(dhcpc_t) domain_use_widely_inheritable_file_descriptors(dhcpc_t)
files_read_general_system_config(dhcpc_t) files_read_general_system_config(dhcpc_t)
files_read_runtime_system_config(dhcpc_t) files_read_runtime_system_config(dhcpc_t)
corecommands_execute_general_programs(dhcpc_t) init_use_file_descriptors(dhcpc_t)
corecommands_execute_system_programs(dhcpc_t) init_script_use_pseudoterminal(dhcpc_t)
corecommands_execute_shell(dhcpc_t) init_script_modify_runtime_data(dhcpc_t)
logging_send_system_log_message(dhcpc_t) logging_send_system_log_message(dhcpc_t)
libraries_use_dynamic_loader(dhcpc_t) libraries_use_dynamic_loader(dhcpc_t)
libraries_use_shared_libraries(dhcpc_t) libraries_use_shared_libraries(dhcpc_t)
modutils_insmod_transition(dhcpc_t)
miscfiles_read_localization(dhcpc_t) miscfiles_read_localization(dhcpc_t)
modutils_insmod_transition(dhcpc_t)
tunable_policy(`targeted_policy', ` tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(dhcpc_t) terminal_ignore_use_general_physical_terminal(dhcpc_t)
terminal_ignore_use_general_pseudoterminal(dhcpc_t) terminal_ignore_use_general_pseudoterminal(dhcpc_t)
@ -142,6 +142,10 @@ optional_policy(`udev.te',`
udev_read_database(dhcpc_t) udev_read_database(dhcpc_t)
') ')
optional_policy(`userdomain.te',`
userdomain_use_all_users_file_descriptors(dhcpc_t)
')
# #
# dhclient sometimes starts ypbind and ntpd # dhclient sometimes starts ypbind and ntpd
# #
@ -203,8 +207,6 @@ allow dhcpc_t dhcp_etc_t:file { read getattr };
allow dhcpc_t dhcp_etc_t:lnk_file { getattr read }; allow dhcpc_t dhcp_etc_t:lnk_file { getattr read };
allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans }; allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans };
allow dhcpc_t userdomain:fd use;
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
files_execute_system_config_script(dhcpc_t) files_execute_system_config_script(dhcpc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms; allow initrc_t dhcp_etc_t:file rw_file_perms;
@ -273,6 +275,8 @@ miscfiles_read_localization(ifconfig_t)
selinux_run_init_use_file_descriptors(ifconfig_t) selinux_run_init_use_file_descriptors(ifconfig_t)
userdomain_use_all_users_file_descriptors(ifconfig_t)
ifdef(`TODO',` ifdef(`TODO',`
can_ypbind(ifconfig_t) can_ypbind(ifconfig_t)
@ -280,10 +284,6 @@ ifdef(`automount.te', `
allow ifconfig_t autofs_t:dir { search getattr }; allow ifconfig_t autofs_t:dir { search getattr };
') ')
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
role sysadm_r types ifconfig_t;
allow ifconfig_t userdomain:fd use;
# Access terminals. # Access terminals.
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')

View File

@ -81,6 +81,7 @@ devices_manage_device_nodes(udev_t)
filesystem_get_all_filesystems_attributes(udev_t) filesystem_get_all_filesystems_attributes(udev_t)
init_script_read_runtime_data(udev_t) init_script_read_runtime_data(udev_t)
init_script_ignore_write_runtime_data(udev_t)
files_read_runtime_system_config(udev_t) files_read_runtime_system_config(udev_t)
files_read_general_system_config(udev_t) files_read_general_system_config(udev_t)
@ -102,6 +103,14 @@ logging_send_system_log_message(udev_t)
sysnetwork_ifconfig_transition(udev_t) sysnetwork_ifconfig_transition(udev_t)
tunable_policy(`distro_redhat',`
filesystem_manage_tmpfs_block_devices(udev_t)
filesystem_manage_tmpfs_character_devices(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(udev_t)
') dnl end ifdef distro_redhat
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(udev_t) authlogin_pam_console_read_runtime_data(udev_t)
authlogin_pam_console_transition(udev_t) authlogin_pam_console_transition(udev_t)
@ -127,10 +136,10 @@ allow udev_t var_lock_t:file getattr;
allow udev_t mnt_t:dir search; allow udev_t mnt_t:dir search;
allow udev_t devpts_t:dir { getattr search }; allow udev_t devpts_t:dir { getattr search };
allow udev_t sysadm_tty_device_t:chr_file { read write }; allow udev_t sysadm_tty_device_t:chr_file { read write };
# Dontaudits # Dontaudits
dontaudit udev_t initrc_var_run_t:file write;
dontaudit udev_t staff_home_dir_t:dir search; dontaudit udev_t staff_home_dir_t:dir search;
dontaudit udev_t file_t:dir search; dontaudit udev_t file_t:dir search;
dontaudit udev_t domain:dir r_dir_perms; dontaudit udev_t domain:dir r_dir_perms;
@ -142,14 +151,9 @@ dbusd_client(system, udev)
# Ifdefs # Ifdefs
tunable_policy(`distro_redhat',` tunable_policy(`distro_redhat',`
allow udev_t tmpfs_t:dir rw_dir_perms;
allow udev_t tmpfs_t:sock_file create_file_perms; allow udev_t tmpfs_t:sock_file create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms; allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
allow udev_t tmpfs_t:dir search;
# for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(udev_t)
') dnl end ifdef distro_redhat ') dnl end ifdef distro_redhat
tunable_policy(`hide_broken_symptoms',` tunable_policy(`hide_broken_symptoms',`

View File

@ -128,6 +128,8 @@ logging_ignore_get_all_logs_attributes($1_t)
miscfiles_read_localization($1_t) miscfiles_read_localization($1_t)
miscfiles_manage_man_page_cache($1_t) miscfiles_manage_man_page_cache($1_t)
selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_modify_mail_spool($1_t) mta_modify_mail_spool($1_t)
if (allow_execmem) { if (allow_execmem) {
@ -376,11 +378,11 @@ type $1_devpts_t; # userpty_type, user_tty_type;
terminal_make_user_pseudoterminal($1_t,$1_devpts_t) terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
# Type for home directory. # Type for home directory.
type $1_home_dir_t; #, home_dir_type, home_type, user_home_dir_type; type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
files_make_file($1_home_dir_t) files_make_file($1_home_dir_t)
# Type for files and directories in the home directory # Type for files and directories in the home directory
type $1_home_t, $1_file_type; #, home_type, user_home_type; type $1_home_t, $1_file_type, home_type; #, user_home_type;
files_make_file($1_home_t) files_make_file($1_home_t)
type $1_tmp_t, $1_file_type; #, user_tmpfile type $1_tmp_t, $1_file_type; #, user_tmpfile
@ -438,8 +440,16 @@ init_script_read_runtime_data($1_t)
# The library functions always try to open read-write first, # The library functions always try to open read-write first,
# then fall back to read-only if it fails. # then fall back to read-only if it fails.
init_script_ignore_write_runtime_data($1_t) init_script_ignore_write_runtime_data($1_t)
# Stop warnings about access to /dev/console
init_ignore_use_file_descriptors($1_t)
init_script_ignore_use_file_descriptors($1_t)
miscfiles_read_man_pages($1_t)
selinux_read_config($1_t) selinux_read_config($1_t)
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
selinux_checkpolicy_execute($1_t)
if (user_dmesg) { if (user_dmesg) {
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
@ -454,6 +464,16 @@ if (user_tcp_server) {
corenetwork_bind_tcp_on_general_port($1_t) corenetwork_bind_tcp_on_general_port($1_t)
} }
# for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',`
modutils_read_kernel_module_loading_config($1_t)
')
optional_policy(`selinux.te',`
# for when the network connection is killed
selinux_newrole_ignore_signal($1_t)
')
# Need the following rule to allow users to run vpnc # Need the following rule to allow users to run vpnc
optional_policy(`xserver.te', ` optional_policy(`xserver.te', `
corenetwork_bind_tcp_on_xserver_port($1_t) corenetwork_bind_tcp_on_xserver_port($1_t)
@ -509,13 +529,6 @@ allow $1_t var_run_t:{ file lnk_file } r_file_perms;
allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:dir r_dir_perms;
allow $1_t var_lib_t:file { getattr read }; allow $1_t var_lib_t:file { getattr read };
# for running depmod as part of the kernel packaging process
allow $1_t modules_conf_t:file { getattr read };
# Read man directories and files.
allow $1_t man_t:dir r_dir_perms;
allow $1_t man_t:notdevfile_class_set r_file_perms;
# Allow users to rw usb devices # Allow users to rw usb devices
if (user_rw_usb) { if (user_rw_usb) {
rw_dir_create_file($1_t,usbdevfs_t) rw_dir_create_file($1_t,usbdevfs_t)
@ -523,10 +536,6 @@ rw_dir_create_file($1_t,usbdevfs_t)
r_dir_file($1_t,usbdevfs_t) r_dir_file($1_t,usbdevfs_t)
} }
# Read /dev directories and any symbolic links.
allow $1_t device_t:dir r_dir_perms;
allow $1_t device_t:lnk_file r_file_perms;
# Do not audit write denials to /etc/ld.so.cache. # Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write; dontaudit $1_t ld_so_cache_t:file write;
@ -540,10 +549,8 @@ dontaudit $1_t devlog_t:sock_file { read write };
dontaudit $1_t syslogd_t:unix_dgram_socket sendto; dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
') ')
# Stop warnings about access to /dev/console
dontaudit $1_t init_t:fd use;
dontaudit $1_t initrc_t:fd use;
allow $1_t initrc_t:fifo_file write; allow $1_t initrc_t:fifo_file write;
ifdef(`user_can_mount', ` ifdef(`user_can_mount', `
# #
# Allow users to mount file systems like floppies and cdrom # Allow users to mount file systems like floppies and cdrom
@ -586,7 +593,7 @@ role system_r types $1_t;
#; dnl end of sysadm_t type declaration #; dnl end of sysadm_t type declaration
# Type and access for pty devices. # Type and access for pty devices.
type $1_devpts_t; type $1_devpts_t, admin_terminal;
terminal_make_pseudoterminal($1_devpts_t) terminal_make_pseudoterminal($1_devpts_t)
type $1_home_t, $1_file_type; #, home_type; type $1_home_t, $1_file_type; #, home_type;
@ -598,7 +605,7 @@ files_make_file($1_home_t)
type $1_tmp_t, $1_file_type; type $1_tmp_t, $1_file_type;
files_make_temporary_file($1_tmp_t) files_make_temporary_file($1_tmp_t)
type $1_tty_device_t; type $1_tty_device_t, admin_terminal;
terminal_make_physical_terminal($1_t,$1_tty_device_t) terminal_make_physical_terminal($1_t,$1_tty_device_t)
############################## ##############################
@ -675,6 +682,8 @@ terminal_use_all_private_physical_terminals($1_t)
domain_set_all_domains_priorities($1_t) domain_set_all_domains_priorities($1_t)
files_execute_system_source_code_scripts($1_t)
init_use_control_channel($1_t) init_use_control_channel($1_t)
logging_send_system_log_message($1_t) logging_send_system_log_message($1_t)
@ -690,6 +699,10 @@ selinux_manage_source_policy($1_t)
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
selinux_manage_binary_policy($1_t) selinux_manage_binary_policy($1_t)
optional_policy(`cron.te',`
cron_admin_template($1)
')
ifdef(`TODO',` ifdef(`TODO',`
# Let admin stat the shadow file. # Let admin stat the shadow file.
@ -727,9 +740,6 @@ allow $1_t ptyfile:chr_file getattr;
# Not ideal, but typical if users want to login as both sysadm_t or staff_t. # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t) can_exec($1_t, staff_home_t)
# Run programs from /usr/src.
can_exec($1_t, src_t)
# Run admin programs that require different permissions in their own domain. # Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file. # These rules were moved into the appropriate program domain file.
@ -764,16 +774,6 @@ allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms; allow $1_gph_t user_home_type:file create_file_perms;
') ')
# Manipulate other users crontab.
can_getsecurity(sysadm_crontab_t)
ifdef(`crond.te', `
allow $1_crond_t var_log_t:file r_file_perms;
')
# Allow our crontab domain to unlink a user cron spool file.
ifdef(`crontab.te',`allow $1_crontab_t user_cron_spool_t:file unlink;')
# for the administrator to run TCP servers directly # for the administrator to run TCP servers directly
allow $1_t kernel_t:tcp_socket recvfrom; allow $1_t kernel_t:tcp_socket recvfrom;
@ -794,7 +794,55 @@ allow $1_t eventpollfs_t:file getattr;
') dnl endif TODO ') dnl endif TODO
') ')
########################################
## <interface name="userdomain_use_admin_terminals">
## <description>
## Read and write administrative users
## physical and pseudo terminals.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
# #
define(`userdomain_use_admin_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
terminal_list_pseudoterminals($1)
allow $1 admin_terminal:chr_file { getattr read write ioctl };
')
define(`userdomain_use_admin_terminals_depend',`
attribute admin_terminal;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="userdomain_read_all_users_data">
## <description>
## Inherit the file descriptors from all user domains
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="1"/>
## </interface>
#
define(`userdomain_read_all_users_data',`
requires_block_template(`$0'_depend)
files_list_home_directories($1)
allow $1 home_type:dir { getattr search read };
allow $1 home_type:file { getattr read };
')
define(`userdomain_read_all_users_data_depend',`
attribute home_type;
class dir { getattr search read };
class file { getattr read };
')
########################################
## <interface name="userdomain_use_all_users_file_descriptors"> ## <interface name="userdomain_use_all_users_file_descriptors">
## <description> ## <description>
## Inherit the file descriptors from all user domains ## Inherit the file descriptors from all user domains
@ -815,4 +863,47 @@ attribute userdomain;
class fd use; class fd use;
') ')
########################################
## <interface name="userdomain_use_all_unprivileged_users_file_descriptors">
## <description>
## Inherit the file descriptors from all user domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="1"/>
## </interface>
#
define(`userdomain_use_all_unprivileged_users_file_descriptors',`
requires_block_template(`$0'_depend)
allow $1 unpriv_userdomain:fd use;
')
define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
attribute unpriv_userdomain;
class fd use;
')
########################################
## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors">
## <description>
## Do not audit attempts to inherit the
## file descriptors from all user domains.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="1"/>
## </interface>
#
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
requires_block_template(`$0'_depend)
dontaudit $1 unpriv_userdomain:fd use;
')
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
attribute unpriv_userdomain;
class fd use;
')
## </module> ## </module>

View File

@ -7,6 +7,15 @@ policy_module(userdomain,1.0)
# Declarations # Declarations
# #
# admin users terminals (tty and pty)
attribute admin_terminal;
# users home directory
attribute home_dir_type;
# users home directory contents
attribute home_type;
# The privhome attribute identifies every domain that can create files under # The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of # regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files) # a user in writing regular files)
@ -66,7 +75,6 @@ bool user_tcp_server false;
# Allow w to display everyone # Allow w to display everyone
bool user_ttyfile_stat false; bool user_ttyfile_stat false;
admin_domain_template(sysadm)
user_domain_template(staff) user_domain_template(staff)
user_domain_template(user) user_domain_template(user)
@ -77,8 +85,51 @@ user_domain_template(user)
#allow privhome home_root_t:dir { getattr search }; #allow privhome home_root_t:dir { getattr search };
# Add/remove user home directories
#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
########################################
#
# Sysadm local policy
#
admin_domain_template(sysadm)
# for su # for su
allow sysadm_t userdomain:fd use; allow sysadm_t userdomain:fd use;
# Add/remove user home directories optional_policy(`iptables.te',`
#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`lvm.te',`
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`modutils.te',`
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`mount.te',`
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`selinux.te',`
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',`
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
')
optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`clock.te',`
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')