From dc771ff40edec3e7a02695983982ca6196bcf120 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 24 May 2005 15:55:57 +0000 Subject: [PATCH] another cleanup pass --- refpolicy/policy/modules/admin/rpm.if | 39 +++++-- refpolicy/policy/modules/kernel/bootloader.if | 15 +++ refpolicy/policy/modules/kernel/bootloader.te | 3 - refpolicy/policy/modules/kernel/devices.if | 25 ++++- refpolicy/policy/modules/kernel/filesystem.if | 28 +++++ refpolicy/policy/modules/kernel/kernel.if | 14 +++ refpolicy/policy/modules/system/authlogin.if | 100 ++++++++++++++++- refpolicy/policy/modules/system/authlogin.te | 14 +-- refpolicy/policy/modules/system/files.if | 102 ++++++++++++++++++ refpolicy/policy/modules/system/hotplug.te | 35 +++--- refpolicy/policy/modules/system/init.te | 39 +++---- refpolicy/policy/modules/system/locallogin.te | 13 ++- refpolicy/policy/modules/system/modutils.te | 4 +- refpolicy/policy/modules/system/mount.te | 15 ++- refpolicy/policy/modules/system/userdomain.if | 2 + refpolicy/policy/modules/system/userdomain.te | 4 + 16 files changed, 372 insertions(+), 80 deletions(-) diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 9d3925e4..a3fcfbdd 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -30,13 +30,13 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## ## ## -## Execute rpm programs in the rpm domain. +## Execute RPM programs in the RPM domain. ## ## ## The type of the process performing this action. ## ## -## The role to allow the rpm domain. +## The role to allow the RPM domain. ## ## ## The type of the terminal allow the RPM domain to use. 
@@ -100,18 +100,43 @@ class fifo_file { getattr read }; ') ######################################## +## +## +## Read RPM package database. +## +## +## The type of the process performing this action. +## +## +## # -# rpm_read_library_state(domain) -# -define(`rpm_read_library_state',` +define(`rpm_read_package_database',` requires_block_template(`$0'_depend) allow $1 rpm_var_lib_t:dir { getattr read search }; allow $1 rpm_var_lib_t:file { read getattr }; allow $1 rpm_var_lib_t:lnk_file { getattr read }; ') -define(`kernel_read_system_state_depend',` -type proc_t; +define(`rpm_read_package_database_depend',` +type rpm_var_lib_t_t; +class dir { search getattr read }; +class lnk_file { getattr read }; +class file { getattr read }; +') + +######################################## +# +# rpm_manage_package_database(domain) +# +define(`rpm_manage_package_database',` +requires_block_template(`$0'_depend) +allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name }; +allow $1 rpm_var_lib_t:file { getattr create read write append unlink }; +allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; +') + +define(`rpm_manage_package_database_depend',` +type rpm_var_lib_t_t; class dir { search getattr read }; class lnk_file { getattr read }; class file { getattr read }; diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index e617929d..5eeed996 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if 
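Review bot: Both new `_depend` blocks in this hunk require `type rpm_var_lib_t_t;`, but the interface bodies reference `rpm_var_lib_t`; the trailing extra `_t` looks like a typo and both lines should read `type rpm_var_lib_t;`. The `rpm_manage_package_database_depend` block also only lists the read permissions copied from the read interface, while the body grants `write add_name remove_name` on dirs, `create write append unlink` on files and `write unlink` on links, so the requirements understate what the body uses. Since `rpm_read_library_state` is renamed to `rpm_read_package_database`, any remaining callers of the old name would be left unexpanded by m4, which I can't verify from this patch.
```m4
define(`rpm_manage_package_database_depend',`
type rpm_var_lib_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink };
class lnk_file { getattr read write unlink };
')
```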
@@ -86,6 +86,21 @@ type boot_t; class dir search; ') +######################################## +# +# bootloader_modify_bootloader_data_directory_symbolic_links(domain) +# +define(`bootloader_modify_bootloader_data_directory_symbolic_links',` +requires_block_template(`$0'_depend) +allow $1 boot_t:dir { getattr search read }; +allow $1 boot_t:lnk_file { getattr read write }; +') + +define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',` +type boot_t; +class dir { getattr search read }; +') + ######################################## # # bootloader_install_kernel(domain) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index a5e9bbc5..292dad78 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -179,9 +179,6 @@ modutils_update_modules_execute(bootloader_t) ') ifdef(`TODO',` -# admin runs bootloader: -domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) -allow bootloader_t admin_tty_type:chr_file rw_file_perms; allow bootloader_t initrc_t:fifo_file { read write }; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 3a94fc21..151b359e 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
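Review bot: `bootloader_modify_bootloader_data_directory_symbolic_links_depend` declares only `type boot_t;` and `class dir { getattr search read };`, but the interface body also grants `boot_t:lnk_file { getattr read write }`, so the depend block needs `class lnk_file { getattr read write };` as well. Write access to symlinks under /boot is a sensitive grant (the init.te rule it replaces sat inside a `distro_redhat` tunable), so a one-line `#` comment naming which init script rewrites those symlinks would help the next reader judge the scope.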
@@ -132,6 +132,30 @@ type device_t; class chr_file getattr; ') +######################################## +## +## +## Delete symbolic links in /dev. +## +## +## The type of the process performing this action. +## +## +## +# +define(`devices_remove_dev_symbolic_links',` +requires_block_template(`$0'_depend) +allow $1 device_t:dir { getattr read write remove_name }; +allow $1 device_t:lnk_file unlink; +') + +define(`devices_remove_dev_symbolic_links_depend',` +attribute device_node, memory_raw_read, memory_raw_write; +type device_t; +class dir { getattr read write remove_name }; +class lnk_file unlink; +') + ######################################## # # devices_manage_dev_symbolic_links(domain) @@ -143,7 +167,6 @@ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; ') define(`devices_manage_dev_symbolic_links_depend',` -attribute device_node, memory_raw_read, memory_raw_write; type device_t; class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; class lnk_file { create read getattr setattr link unlink rename }; diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 9357d48d..e226fec1 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -117,6 +117,20 @@ type fs_t; class filesystem getattr; ') +######################################## +# +# filesystem_relabelfrom_persistent_filesystem(domain) +# +define(`filesystem_relabelfrom_persistent_filesystem',` +requires_block_template(`$0'_depend) +allow $1 fs_t:filesystem relabelfrom; +') + +define(`filesystem_relabelfrom_persistent_filesystem_depend',` +type fs_t; +class filesystem relabelfrom; +') + ######################################## # # filesystem_mount_automount_filesystem(domain) 
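Review bot: `devices_remove_dev_symbolic_links_depend` requires `attribute device_node, memory_raw_read, memory_raw_write;`, yet the interface body never references any of these attributes; the line appears to have been carried over from `devices_manage_dev_symbolic_links_depend`, where this same commit removes it as unused. Dropping it keeps the requirements to what the body actually uses: `type device_t;`, `class dir { getattr read write remove_name };` and `class lnk_file unlink;`.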
@@ -395,6 +409,20 @@ type dosfs_t; class filesystem getattr; ') +######################################## +# +# filesystem_relabelfrom_dos_filesystem(domain) +# +define(`filesystem_relabelfrom_dos_filesystem',` +requires_block_template(`$0'_depend) +allow $1 dosfs_t:filesystem relabelfrom; +') + +define(`filesystem_relabelfrom_dos_filesystem_depend',` +type dosfs_t; +class filesystem relabelfrom; +') + ######################################## # # filesystem_mount_cd_filesystem(domain) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index cc23bf38..0a6eecef 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -142,6 +142,20 @@ type unlabeled_t; class process sigkill; ') +######################################## +# +# kernel_ignore_get_unlabeled_block_device_attributes(domain) +# +define(`kernel_ignore_get_unlabeled_block_device_attributes',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:blk_file getattr; +') + +define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',` +type unlabeled_t; +class process getattr; +') + ######################################## # # kernel_relabel_unlabeled_object(domain) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 1e4154b8..7fd505ee 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1,4 +1,6 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Common policy for authentication and user login. ####################################### # 
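Review bot: `kernel_ignore_get_unlabeled_block_device_attributes` uses `allow $1 unlabeled_t:blk_file getattr;`, but the `_ignore_` naming used elsewhere in this policy (for example `files_ignore_write_all_daemon_runtime_data` added in this same commit) denotes a dontaudit rule, and the rule it replaces in init.te was `dontaudit initrc_t unlabeled_t:blk_file getattr;`. As written the interface grants the permission rather than silencing the denial; the body should be `dontaudit $1 unlabeled_t:blk_file getattr;`. The depend block also requires `class process getattr;` while the body uses the blk_file class, so that line should read `class blk_file getattr;`.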
@@ -249,9 +251,16 @@ type lastlog_t; class file { getattr read write setattr }; ') -####################################### -# -# authlogin_pam_transition(domain) +######################################## +## +## +## Execute pam programs in the pam domain. +## +## +## The type of the process performing this action. +## +## +## # define(`authlogin_pam_transition',` requires_block_template(`$0'_depend) @@ -267,6 +276,35 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +## +## +## Execute pam programs in the PAM domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the PAM domain. +## +## +## The type of the terminal allow the PAM domain to use. +## +## +## +# +define(`authlogin_pam_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +authlogin_pam_transition($1) +role $2 types pam_t; +allow pam_t $3:chr_file { getattr read write ioctl }; +') + +define(`authlogin_pam_transition_add_role_use_terminal_depend',` +type pam_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # authlogin_pam_execute(domain) 
@@ -373,6 +411,60 @@ class file { create ioctl read getattr lock write setattr append link unlink ren class lnk_file { create read getattr setattr link unlink rename }; ') +######################################## +## +## +## Execute utempter programs in the utempter domain. +## +## +## The type of the process performing this action. +## +## +## +# +define(`authlogin_utempter_transition',` +requires_block_template(`$0'_depend) +allow $1 utempter_exec_t:file { getattr read execute }; +allow $1 utempter_t:process transition; +type_transition $1 utempter_exec_t:file utempter_t; +dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh }; +') + +define(`authlogin_utempter_transition_depend',` +type utempter_t, utempter_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +######################################## +## +## +## Execute utempter programs in the utempter domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the utempter domain. +## +## +## The type of the terminal allow the utempter domain to use. +## +## +## +# +define(`authlogin_utempter_transition_add_role_use_terminal',` +requires_block_template(`$0'_depend) +authlogin_utempter_transition($1) +role $2 types utempter_t; +allow utempter_t $3:chr_file { getattr read write ioctl }; +') + +define(`authlogin_utempter_transition_add_role_use_terminal_depend',` +type utempter_t; +class chr_file { getattr read write ioctl }; +') + ####################################### # # authlogin_read_login_records(domain) @@ -416,3 +508,5 @@ define(`authlogin_modify_login_records_depend',` type wtmp_t; class file { getattr read write setattr }; ') + +## diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 7b7f2279..32c4fc8b 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
@@ -107,19 +107,18 @@ libraries_use_shared_libraries(pam_t) logging_send_system_log_message(pam_t) +userdomain_use_all_unprivileged_users_file_descriptors(pam_t) + optional_policy(`locallogin.te',` locallogin_use_file_descriptors(pam_t) ') ifdef(`TODO',` -allow pam_t unpriv_userdomain:fd use; can_ypbind(pam_t) ifdef(`automount.te', ` allow pam_t autofs_t:dir { search getattr }; ') -in_user_role(pam_t) -domain_auto_trans(userdomain, pam_exec_t, pam_t) ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ') dnl endif TODO @@ -169,6 +168,8 @@ logging_send_system_log_message(pam_console_t) selinux_read_file_contexts(pam_console_t) +userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t) + tunable_policy(`direct_sysadm_daemon', ` dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms; ') @@ -198,7 +199,6 @@ allow pam_console_t rhgb_t:process sigchld; allow pam_console_t rhgb_t:fd use; allow pam_console_t rhgb_t:fifo_file { read write }; ') -dontaudit pam_console_t unpriv_userdomain:fd use; allow pam_console_t autofs_t:dir { search getattr }; allow pam_console_t { @@ -214,8 +214,6 @@ removable_device_t scsi_generic_device_t }:chr_file { getattr setattr }; - - allow pam_console_t mnt_t:dir r_dir_perms; ifdef(`gpm.te', ` @@ -306,10 +304,6 @@ libraries_use_shared_libraries(utempter_t) logging_search_system_log_directory(utempter_t) ifdef(`TODO',` -in_user_role(utempter_t) -role sysadm_r types utempter_t; -domain_auto_trans(userdomain, utempter_exec_t, utempter_t) - # Allow utemper to write to /tmp/.xses-* allow utempter_t user_tmpfile:file { getattr write append }; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 2d8f3c94..03542e2d 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
@@ -200,6 +200,48 @@ attribute file_type; class dir { getattr search read }; ') +####################################### +# +# files_relabelto_all_file_type_filesystems(domain) +# +define(`files_relabelto_all_file_type_filesystems',` +requires_block_template(`$0'_depend) +allow $1 file_type:filesystem relabelto; +') + +define(`files_relabelto_all_file_type_filesystems_depend',` +attribute file_type; +filesystem relabelto; +') + +####################################### +# +# files_mount_all_file_type_filesystems(domain) +# +define(`files_mount_all_file_type_filesystems',` +requires_block_template(`$0'_depend) +allow $1 file_type:filesystem mount; +') + +define(`files_mount_all_file_type_filesystems_depend',` +attribute file_type; +filesystem mount; +') + +####################################### +# +# files_unmount_all_file_type_filesystems(domain) +# +define(`files_unmount_all_file_type_filesystems',` +requires_block_template(`$0'_depend) +allow $1 file_type:filesystem mount; +') + +define(`files_unmount_all_file_type_filesystems_depend',` +attribute file_type; +filesystem mount; +') + ######################################## # # files_mount_on_all_mountpoints(domain) @@ -710,6 +752,22 @@ class dir { getattr search read write add_name remove_name }; class file { getattr create read write setattr unlink }; ') +######################################## +# +# files_get_system_lock_file_attributes(domain) +# +define(`files_get_system_lock_file_attributes',` +requires_block_template(`$0'_depend) +allow $1 var_lock_t:dir { getattr search read }; +allow $1 var_lock_t:file getattr; +') + +define(`files_get_system_lock_file_attributes_depend',` +type var_lock_t; +class dir { getattr search read }; +class file getattr; +') + ######################################## # # files_manage_system_lock_files(domain) 
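Review bot: `files_unmount_all_file_type_filesystems` grants `allow $1 file_type:filesystem mount;`, the same permission as the mount interface, so a caller asking for unmount gets mount instead, and its `_depend` block repeats the mistake with `filesystem mount;`. All three new depend blocks in this hunk also omit the `class` keyword (`filesystem relabelto;` instead of `class filesystem relabelto;`), unlike the other depend blocks in this file. The corrected unmount pair is below; the relabelto and mount depend blocks need only the `class` keyword added.
```m4
define(`files_unmount_all_file_type_filesystems',`
requires_block_template(`$0'_depend)
allow $1 file_type:filesystem unmount;
')

define(`files_unmount_all_file_type_filesystems_depend',`
attribute file_type;
class filesystem unmount;
')
```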
@@ -843,6 +901,50 @@ class dir { getattr search read }; class file { getattr read write }; ') +######################################## +## +## +## Do not audit attempts to write to daemon runtime data files. +## +## +## The type of the process performing this action. +## +## +## +# + +define(`files_ignore_write_all_daemon_runtime_data',` +requires_block_template(`$0'_depend) +dontaudit $1 pidfile:file write; +') + +define(`files_ignore_write_all_daemon_runtime_data_depend',` +attribute pidfile; +class file write; +') + +######################################## +## +## +## Do not audit attempts to ioctl daemon runtime data files. +## +## +## The type of the process performing this action. +## +## +## +# + +define(`files_ignore_ioctl_all_daemon_runtime_data',` +requires_block_template(`$0'_depend) +dontaudit $1 pidfile:file ioctl; +') + +define(`files_ignore_ioctl_all_daemon_runtime_data_depend',` +attribute pidfile; +class file ioctl; +') + ######################################## # # files_remove_all_daemon_runtime_data(domain) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 8adac10f..3acb8cc3 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -32,6 +32,7 @@ allow hotplug_t self:process { getsession getattr }; allow hotplug_t self:fifo_file { read write getattr ioctl }; allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept }; allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl }; allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl }; 
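Review bot: Both new interfaces in this hunk leave a blank line between the closing `#` of the header comment and the `define(` line, which no other interface in files.if does; removing those two blank lines keeps each header attached to its definition as elsewhere in the file.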
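Review bot: The new `allow hotplug_t self:tcp_socket { ... listen accept };` line lets hotplug_t accept inbound TCP connections, and together with the `corenetwork_network_tcp_on_all_ports` and `corenetwork_bind_tcp_on_all_nodes` calls added later in this file it makes hotplug_t a listening network server on any port. It presumably stands in for the `can_network_server(hotplug_t)` macro this commit removes, but nothing records which hotplug helper needs to listen. A comment above the line such as `# listen/accept needed by <HELPER-PLACEHOLDER> (replaces can_network_server)` would document the scope, and if no helper needs an inbound socket, `listen accept` should be dropped.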
@@ -50,6 +51,13 @@ kernel_read_usb_hardware_state(hotplug_t) bootloader_read_kernel_modules(hotplug_t) +corenetwork_network_tcp_on_all_interfaces(hotplug_t) +corenetwork_network_raw_on_all_interfaces(hotplug_t) +corenetwork_network_tcp_on_all_nodes(hotplug_t) +corenetwork_network_raw_on_all_nodes(hotplug_t) +corenetwork_network_tcp_on_all_ports(hotplug_t) +corenetwork_bind_tcp_on_all_nodes(hotplug_t) + # for SSP devices_get_pseudorandom_data(hotplug_t) @@ -94,8 +102,19 @@ miscfiles_read_localization(hotplug_t) mount_transition(hotplug_t) +sysnetwork_read_network_config(hotplug_t) + userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t) +tunable_policy(`distro_redhat', ` +optional_policy(`netutils.te', ` +# for arping used for static IP addresses on PCMCIA ethernet +netutils_transition(hotplug_t) +filesystem_use_tmpfs_character_devices(hotplug_t) +') dnl endif netutils optional +files_get_system_lock_file_attribues(hotplug_t) +')dnl end distro_redhat tunable + tunable_policy(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t) @@ -144,13 +163,10 @@ allow hotplug_t rhgb_t:fd use; allow hotplug_t rhgb_t:fifo_file { read write }; ') -can_exec(hotplug_t, { ls_exec_t }) - allow kernel_t hotplug_etc_t:dir search; allow hotplug_t sound_device_t:chr_file setattr; -can_network_server(hotplug_t) can_ypbind(hotplug_t) dbusd_client(system, hotplug) 
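Review bot: The `distro_redhat` block calls `files_get_system_lock_file_attribues(hotplug_t)` (missing the `t` in `attributes`), which does not match the `files_get_system_lock_file_attributes` interface this commit adds to files.if; m4 leaves an unknown name unexpanded and the policy compiler will then fail on the resulting line. It should read `files_get_system_lock_file_attributes(hotplug_t)`. The `corenetwork_network_raw_on_all_*` calls in the earlier hunk also arrive without a comment; a short note on why hotplug_t itself needs raw sockets on all interfaces and nodes would help, since arping is transitioned to netutils under the optional block.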
@@ -159,23 +175,10 @@ allow hotplug_t kernel_t:process sigchld; # for when filesystems are not mounted early in the boot dontaudit hotplug_t file_t:dir { search getattr }; -allow hotplug_t udev_runtime_t:file rw_file_perms; - # for ps dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; -tunable_policy(`distro_redhat', ` -optional_policy(`netutils.te', ` -# for arping used for static IP addresses on PCMCIA ethernet -netutils_transition(hotplug_t) -allow hotplug_t tmpfs_t:dir search; -allow hotplug_t tmpfs_t:chr_file rw_file_perms; -') dnl endif netutils optional -allow hotplug_t var_lock_t:dir search; -allow hotplug_t var_lock_t:file getattr; -')dnl end distro_redhat tunable - optional_policy(`hald.te', ` allow hotplug_t hald_t:unix_dgram_socket sendto; ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 4ea8f37c..e78c4a9c 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -209,6 +209,8 @@ devices_read_realtime_clock(initrc_t) devices_read_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t) devices_set_all_character_device_attributes(initrc_t) +# Wants to remove udev.tbl: +devices_remove_dev_symbolic_links(initrc_t) filesystem_register_binary_executable_type(initrc_t) # cjp: not sure why these are here; should use mount policy @@ -283,6 +285,7 @@ kernel_set_selinux_enforcement_mode(initrc_t) # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. bootloader_create_runtime_data(initrc_t) +bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t) filesystem_use_tmpfs_character_devices(initrc_t) 
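Review bot: `bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)` is added unconditionally, whereas the rule it replaces (`allow initrc_t boot_t:lnk_file rw_file_perms;`, removed further down in this file) lived inside a `tunable_policy(`distro_redhat', ...)` block under a comment about /boot/kernel.h and System.map. Unless write access to /boot symlinks is wanted on every distribution, the call should move into the existing `distro_redhat` tunable, and either way the `# Create and read /boot/kernel.h and /boot/System.map.` comment should be extended to cover it so a reader knows why initrc_t may rewrite symlinks in /boot.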
@@ -304,6 +307,17 @@ hotplug_read_config(initrc_t) modutils_read_kernel_module_dependencies(initrc_t) ') +optional_policy(`rpm.te',` +# why is this needed: +rpm_manage_package_database(initrc_t) +# for a bug in rm +files_ignore_write_all_daemon_runtime_data(initrc_t) +# bash tries ioctl for some reason +files_ignore_ioctl_all_daemon_runtime_data(initrc_t) +# bash tries to access a block device in the initrd +kernel_ignore_get_unlabeled_block_device_attributes(initrc_t) +') dnl end rpm.te + ifdef(`TODO',` # Mount and unmount file systems. @@ -319,12 +333,6 @@ can_kerberos(initrc_t) dontaudit initrc_t krb5_conf_t:file write; allow initrc_t krb5_conf_t:file { getattr read }; -# -# Wants to remove udev.tbl -# -allow initrc_t device_t:dir rw_dir_perms; -allow initrc_t device_t:lnk_file unlink; - # # These rules are here to allow init scripts to su # @@ -343,10 +351,6 @@ file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) ')dnl end distro_debian tunable_policy(`distro_redhat', ` -# Create and read /boot/kernel.h and /boot/System.map. -# Redhat systems typically create this file at boot time. -allow initrc_t boot_t:lnk_file rw_file_perms; - # readahead asks for these allow initrc_t var_lib_nfs_t:file { getattr read }; ')dnl end distro_redhat @@ -360,19 +364,4 @@ dontaudit initrc_t mail_spool_t:lnk_file read; # for lsof which is used by alsa shutdown dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; -optional_policy(`rpm.te',` -# Access /var/lib/rpm. -allow initrc_t rpm_var_lib_t:dir rw_dir_perms; -allow initrc_t rpm_var_lib_t:file create_file_perms; - -# for a bug in rm -dontaudit initrc_t pidfile:file write; - -# bash tries to access a block device in the initrd -dontaudit initrc_t unlabeled_t:blk_file getattr; - -# bash tries ioctl for some reason -dontaudit initrc_t pidfile:file ioctl; -') dnl end rpm.te - ') dnl end TODO 
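Review bot: The new `optional_policy(`rpm.te',` block wraps `files_ignore_write_all_daemon_runtime_data`, `files_ignore_ioctl_all_daemon_runtime_data` and `kernel_ignore_get_unlabeled_block_device_attributes`, none of which depend on the rpm module, so on a build without rpm.te these dontaudit rules silently disappear. Only `rpm_manage_package_database(initrc_t)` belongs inside the optional block; the other three calls should sit outside it. The `# why is this needed:` comment above the rpm call is honest but leaves write access to the package database from every init script unexplained; a follow-up comment naming the script that needs it, or a TODO to narrow it, would help.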
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index fdaad08f..9a611c69 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -94,9 +94,10 @@ miscfiles_read_localization(local_login_t) selinux_read_config(local_login_t) selinux_read_default_contexts(local_login_t) +userdomain_use_all_unprivileged_users_file_descriptors(local_login_t) ifdef(`TODO',` -allow local_login_t unpriv_userdomain:fd use; + can_ypbind(local_login_t) ifdef(`automount.te', ` allow local_login_t autofs_t:dir { search getattr }; @@ -240,6 +241,8 @@ selinux_read_default_contexts(sulogin_t) authlogin_read_shadow_passwords(sulogin_t) +userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t) + # suse and debian do not use pam with sulogin... ifdef(`monolithic_policy',` ifdef(`distro_suse', `define(`sulogin_no_pam')') @@ -249,7 +252,6 @@ ifdef(`distro_debian', `define(`sulogin_no_pam')') tunable_policy(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; init_get_process_group(sulogin_t) -#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) ', ` allow sulogin_t self:process setexec; kernel_get_selinuxfs_mount_point(sulogin_t) @@ -258,17 +260,18 @@ kernel_compute_selinux_access_vector(sulogin_t) kernel_compute_selinux_create_context(sulogin_t) kernel_compute_selinux_relabel_context(sulogin_t) kernel_compute_selinux_reachable_user_contexts(sulogin_t) -#domain_trans(sulogin_t, shell_exec_t, sysadm_t) ') ifdef(`TODO',` -allow sulogin_t unpriv_userdomain:fd use; + +domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) +allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; + can_ypbind(sulogin_t) ifdef(`automount.te', ` allow sulogin_t autofs_t:dir { search getattr }; ') -allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; # because file systems are not mounted 
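Review bot: The single `domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)` placed under `ifdef(`TODO',` replaces two different commented-out lines: `#domain_auto_trans(...)` from the `sulogin_no_pam` branch and `#domain_trans(...)` from the PAM branch, where sulogin_t is given `self:process setexec` and presumably selects the context itself. If the TODO is later resolved as one automatic transition, the PAM build would gain an auto transition it did not previously have; keeping both variants, or a comment recording that the PAM case wants `domain_trans` only, would preserve that distinction. The rule is inert while it remains under TODO.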
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 97a80d3b..7080d0b6 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -69,6 +69,8 @@ files_read_runtime_system_config(insmod_t) files_read_general_system_config(insmod_t) files_read_general_application_resources(insmod_t) files_execute_system_config_script(insmod_t) +# for nscd +files_ignore_search_runtime_data_directory(insmod_t) init_use_file_descriptors(insmod_t) init_script_use_file_descriptors(insmod_t) @@ -113,8 +115,6 @@ allow insmod_t usbfs_t:filesystem mount; # for when /var is not mounted early in the boot dontaudit insmod_t file_t:dir search; -# for nscd -dontaudit insmod_t var_run_t:dir search; ') dnl if TODO diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index b2e18b0b..42c28cdb 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -36,7 +36,7 @@ filesystem_get_persistent_filesystem_attributes(mount_t) filesystem_mount_all_filesystems(mount_t) filesystem_unmount_all_filesystems(mount_t) filesystem_remount_all_filesystems(mount_t) -files_unmount_root_filesystem(mount_t) +filesystem_relabelfrom_persistent_filesystem(mount_t) terminal_use_console(mount_t) @@ -51,6 +51,11 @@ files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) files_read_general_system_config(mount_t) files_create_runtime_system_config(mount_t) files_mount_on_all_mountpoints(mount_t) +files_unmount_root_filesystem(mount_t) +# These rules need to be generalized. Only admin, initrc should have it: +files_relabelto_all_file_type_filesystems(mount_t) +files_mount_all_file_type_filesystems(mount_t) +files_mount_all_file_type_filesystems(mount_t) init_use_file_descriptors(mount_t) init_script_use_pseudoterminal(mount_t) 
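Review bot: `files_mount_all_file_type_filesystems(mount_t)` appears twice in the new block; the removed rule it replaces (`allow mount_t file_type:filesystem { unmount mount relabelto };`, further down in this file) indicates the second call should be `files_unmount_all_file_type_filesystems(mount_t)`. Note that the unmount interface added to files.if in this same commit itself grants `mount`, so even after this fix mount_t will not regain `unmount` on file_type filesystems until that interface is corrected. The `# These rules need to be generalized.` comment is carried over from the removed block and still applies.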
@@ -71,7 +76,7 @@ allow mount_t tmpfs_t:dir mounton; optional_policy(`authlogin.te',` authlogin_pam_console_read_runtime_data(mount_t) # mount config by default sets fscontext=removable_t -allow mount_t dosfs_t:filesystem relabelfrom; +filesystem_relabelfrom_dos_filesystem(mount_t) ') dnl end authlogin ') dnl end distro_redhat @@ -112,12 +117,6 @@ files_make_mountpoint(var_lib_nfs_t) # for when /etc/mtab loses its type allow mount_t file_t:file { getattr read unlink }; -# TODO: Need macro for granting relabelto, relabelfrom -allow mount_t fs_t:filesystem relabelfrom; - -# This rule needs to be generalized. Only admin, initrc should have it. -allow mount_t file_type:filesystem { unmount mount relabelto }; - ifdef(`gnome-pty-helper.te', ` allow mount_t sysadm_gph_t:fd use; ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index d53d9fa6..e0b7ab26 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -105,6 +105,8 @@ storage_get_fixed_disk_attributes($1_t) authlogin_read_login_records($1_t) authlogin_ignore_write_login_records($1_t) +authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) corecommands_execute_general_programs($1_t) corecommands_execute_system_programs($1_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 9daa601a..b47b421e 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te 
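Review bot: The two new `*_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` calls are what replaces the `in_user_role(pam_t)`, `in_user_role(utempter_t)`, `role sysadm_r types utempter_t` and `domain_auto_trans(userdomain, ...)` rules removed from authlogin.te in this commit. That restores `role sysadm_r types utempter_t` only if this template is also instantiated for sysadm, which I can't confirm from the hunk (userdomain.te's `admin_domain_template(sysadm)` suggests a separate template); if the admin template does not make these calls, the sysadm role loses the utempter and pam domains. The enclosing template begins outside the hunk.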
@@ -98,6 +98,10 @@ admin_domain_template(sysadm) # for su allow sysadm_t userdomain:fd use; +optional_policy(`bootloader.te',` +bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) +') + optional_policy(`iptables.te',` iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ')
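Review bot: `bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)` is not defined anywhere in this patch — the only interface added to bootloader.if here is `bootloader_modify_bootloader_data_directory_symbolic_links` — so it must already exist in bootloader.if, which I can't confirm; if it does not, m4 leaves the call unexpanded and the build fails. It replaces the `domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)` and `allow bootloader_t admin_tty_type:chr_file rw_file_perms;` rules removed from the bootloader.te TODO block, so it is worth checking that `admin_terminal` covers the same terminal types `admin_tty_type` did.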