From dd822947d24b1d154dd02760a299f7553076c4e0 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 9 Jun 2005 14:50:48 +0000 Subject: [PATCH] aliases --- refpolicy/policy/modules/system/authlogin.if | 256 ++++++++++++++---- refpolicy/policy/modules/system/authlogin.te | 28 +- refpolicy/policy/modules/system/clock.if | 2 +- refpolicy/policy/modules/system/clock.te | 4 +- .../policy/modules/system/corecommands.if | 50 ++-- refpolicy/policy/modules/system/domain.if | 33 +-- refpolicy/policy/modules/system/files.if | 190 ++++++------- refpolicy/policy/modules/system/getty.te | 4 +- refpolicy/policy/modules/system/hostname.if | 7 +- refpolicy/policy/modules/system/hostname.te | 2 +- refpolicy/policy/modules/system/hotplug.if | 19 +- refpolicy/policy/modules/system/hotplug.te | 12 +- refpolicy/policy/modules/system/init.if | 53 ++-- refpolicy/policy/modules/system/init.te | 30 +- refpolicy/policy/modules/system/iptables.if | 7 +- refpolicy/policy/modules/system/iptables.te | 14 +- refpolicy/policy/modules/system/libraries.if | 26 +- refpolicy/policy/modules/system/libraries.te | 14 +- 18 files changed, 458 insertions(+), 293 deletions(-) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 7ee3f61f..0db38464 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1,6 +1,22 @@ ## ## Common policy for authentication and user login. + +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# + ####################################### # # Per user domain template for this module 
@@ -47,10 +63,7 @@ define(`authlogin_per_userdomain_template',` #can_ldap($1_chkpwd_t) # Transition from the user domain to this domain. - allow $1_t chkpwd_exec_t:file { getattr read execute }; - allow $1_t $1_chkpwd_t:process transition; - type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t; - dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t) allow $1_chkpwd_t $1_t:fd use; allow $1_t $1_chkpwd_t:fd use; @@ -65,7 +78,7 @@ define(`authlogin_per_userdomain_template',` #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') tunable_policy(`use_dns',` - allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow $1_chkpwd_t self:udp_socket create_socket_perms; corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t) corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t) corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t) @@ -86,15 +99,30 @@ define(`authlogin_per_userdomain_template_depend',` type chkpwd_exec_t, system_chkpwd_t, shadow_t; - class file { getattr read execute }; + class file rx_file_perms; class process { getattr transition sigchld }; class capability setuid; - class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; + class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; class fd use; class fifo_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# + ####################################### # # authlogin_make_login_program_entrypoint(domain) 
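Review bot: In authlogin_per_userdomain_template the replacement `domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t)` passes `$1` as the source domain, while the four rules it replaces used `$1_t` and the surviving context (`allow $1_chkpwd_t $1_t:fd use;`) still does. Unless domain_auto_trans appends the `_t` suffix itself, the transition is now granted to the bare user prefix instead of the user domain and the chkpwd transition silently stops working; the line should read `domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t)`. The same substitution later in the file (authlogin_pam_transition, authlogin_pam_console_transition, authlogin_utempter_transition) looks correct because those interfaces take the domain directly as `$1`. The define starts outside the hunk.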
@@ -127,7 +155,7 @@ define(`authlogin_login_program_transition',` requires_block_template(`$0'_depend) # FIXME: search bin_t - allow $1 login_exec_t:file { getattr read execute }; + allow $1 login_exec_t:file rx_file_perms; allow $1 $2:process transition; type_transition $1 login_exec_t:process $2; dontaudit $1 $2:process { noatsecure siginh rlimitinh }; @@ -141,12 +169,26 @@ define(`authlogin_login_program_transition',` define(`authlogin_login_program_transition_depend',` type login_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_check_password_transition(domain) @@ -168,7 +210,7 @@ define(`authlogin_check_password_transition',` #can_ldap($1_t) tunable_policy(`use_dns',` - allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow $1 self:udp_socket create_socket_perms; corenetwork_sendrecv_udp_on_all_interfaces($1) corenetwork_sendrecv_raw_on_all_interfaces($1) corenetwork_sendrecv_udp_on_all_nodes($1) @@ -182,13 +224,27 @@ define(`authlogin_check_password_transition',` define(`authlogin_check_password_transition_depend',` type system_chkpwd_t, chkpwd_exec_t, shadow_t; - class file { getattr read execute }; - class process { transition sigchld }; - class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + class file rx_file_perms; + class process { transition sigchld }; + class udp_socket create_socket_perms; class fd use; class fifo_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_ignore_get_shadow_passwords_attributes(domain) 
@@ -202,9 +258,23 @@ define(`authlogin_ignore_get_shadow_passwords_attributes',` define(`authlogin_ignore_get_shadow_passwords_attributes_depend',` type shadow_t; - class file getattr; + class file stat_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_read_shadow_passwords(domain) @@ -213,7 +283,7 @@ define(`authlogin_read_shadow_passwords',` requires_block_template(`$0'_depend) files_read_general_system_config_directory($1) - allow $1 shadow_t:file { getattr read }; + allow $1 shadow_t:file r_file_perms; typeattribute $1 can_read_shadow_passwords; ') @@ -222,9 +292,23 @@ define(`authlogin_read_shadow_passwords_depend',` type shadow_t; - class file { getattr read }; + class file r_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_ignore_read_shadow_passwords(domain) @@ -238,9 +322,23 @@ define(`authlogin_ignore_read_shadow_passwords',` define(`authlogin_ignore_read_shadow_passwords_depend',` type shadow_t; - class file { getattr read }; + class file r_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_modify_shadow_passwords(domain) @@ -349,10 +447,7 @@ define(`authlogin_modify_last_login_log_depend',` define(`authlogin_pam_transition',` requires_block_template(`$0'_depend) - allow $1 pam_exec_t:file { getattr read execute }; - allow $1 pam_t:process transition; - type_transition $1 pam_exec_t:process pam_t; - dontaudit $1 pam_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1,pam_exec_t,pam_t) allow $1 pam_t:fd use; allow pam_t $1:fd use; 
@@ -363,7 +458,7 @@ define(`authlogin_pam_transition',` define(`authlogin_pam_transition_depend',` type pam_t, pam_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd class fifo_file rw_file_perms; @@ -381,7 +476,7 @@ define(`authlogin_pam_transition_depend',` ## The role to allow the PAM domain. ## ## -## The type of the terminal allow the PAM domain to use. +B## The type of the terminal allow the PAM domain to use. ## ## ## @@ -391,15 +486,29 @@ define(`authlogin_pam_transition_add_role_use_terminal',` authlogin_pam_transition($1) role $2 types pam_t; - allow pam_t $3:chr_file { getattr read write ioctl }; + allow pam_t $3:chr_file rw_file_perms; ') define(`authlogin_pam_transition_add_role_use_terminal_depend',` type pam_t; - class chr_file { getattr read write ioctl }; + class chr_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_pam_execute(domain) @@ -407,7 +516,7 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',` define(`authlogin_pam_execute',` requires_block_template(`$0'_depend) - allow $1 pam_exec_t:file { getattr read execute execute_no_trans }; + can_exec($1,pam_exec_file_t) ') define(`authlogin_pam_execute_depend',` 
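Review bot: Two added lines carry what look like stray editor keystrokes or a typo that will break the build: `+B## The type of the terminal allow the PAM domain to use.` puts a bare `B` before the doc comment, and since m4 only treats `#` to end of line as a comment, the `B` is emitted into the policy text checkpolicy sees; the line should be `## The type of the terminal allow the PAM domain to use.`. In authlogin_pam_execute, `can_exec($1,pam_exec_file_t)` replaces a rule on `pam_exec_t`, and `pam_exec_file_t` is not a type declared anywhere in the visible depend blocks (they declare `pam_t, pam_exec_t`), so this is presumably meant to be `can_exec($1,pam_exec_t)`. Separately, the unchanged context line `class fd class fifo_file rw_file_perms;` in authlogin_pam_transition_depend appears to have lost `use;` after `class fd`; if that is the real file content rather than an extraction artifact, it is a pre-existing syntax error worth fixing while here.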
@@ -425,17 +534,31 @@ define(`authlogin_pam_read_runtime_data',` files_search_system_state_data_directory($1) files_search_runtime_data_directory($1) - allow $1 pam_var_run_t:dir { getattr search read }; - allow $1 pam_var_run_t:file { getattr read }; + allow $1 pam_var_run_t:dir r_dir_perms; + allow $1 pam_var_run_t:file r_file_perms; ') define(`authlogin_pam_read_runtime_data_depend',` type pam_var_run_t; - class dir { getattr search read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_pam_remove_runtime_data(domain) @@ -463,10 +586,7 @@ define(`authlogin_pam_remove_runtime_data_depend',` define(`authlogin_pam_console_transition',` requires_block_template(`$0'_depend) - allow $1 pam_console_exec_t:file { getattr read execute }; - allow $1 pam_console_t:process transition; - type_transition $1 pam_console_exec_t:process pam_console_t; - dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1,pam_console_exec_t,pam_console_t) allow $1 pam_console_t:fd use; allow pam_console_t $1:fd use; @@ -477,12 +597,26 @@ define(`authlogin_pam_console_transition',` define(`authlogin_pam_console_transition_depend',` type pam_console_t, pam_console_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_pam_console_read_runtime_data_dir(domain) 
@@ -530,17 +664,17 @@ define(`authlogin_pam_console_manage_runtime_data',` files_search_system_state_data_directory($1) files_search_runtime_data_directory($1) - allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 pam_var_console_t:dir rw_dir_perms; +B allow $1 pam_var_console_t:file create_file_perms; + allow $1 pam_var_console_t:lnk_file create_lnk_perms; ') define(`authlogin_pam_console_manage_runtime_data_depend',` type pam_var_console_t; - class dir { read getattr lock search ioctl add_name remove_name write }; - class file { create ioctl read getattr lock write setattr append link unlink rename }; - class lnk_file { create read getattr setattr link unlink rename }; + class dir rw_dir_perms; + class file create_file_perms; + class lnk_file create_lnk_perms; ') ######################################## @@ -611,10 +745,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',` define(`authlogin_utempter_transition',` requires_block_template(`$0'_depend) - allow $1 utempter_exec_t:file { getattr read execute }; - allow $1 utempter_t:process transition; - type_transition $1 utempter_exec_t:process utempter_t; - dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1,utempter_exec_t,utempter_t) allow $1 utempter_t:fd use; allow utempter_t $1:fd use; @@ -625,7 +756,7 @@ define(`authlogin_utempter_transition',` define(`authlogin_utempter_transition_depend',` type utempter_t, utempter_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; 
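Review bot: The added line `+B allow $1 pam_var_console_t:file create_file_perms;` in authlogin_pam_console_manage_runtime_data starts with a stray `B`, which m4 expands verbatim into the policy wherever the interface is used, giving a checkpolicy syntax error for every caller. It should be just `allow $1 pam_var_console_t:file create_file_perms;`. The same kind of stray character appears on the doc comment above authlogin_pam_transition_add_role_use_terminal and on the `# files_read_general_system_config(domain)` comment in files.if.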
@@ -653,15 +784,29 @@ define(`authlogin_utempter_transition_add_role_use_terminal',` authlogin_utempter_transition($1) role $2 types utempter_t; - allow utempter_t $3:chr_file { getattr read write ioctl }; + allow utempter_t $3:chr_file rw_file_perms; ') define(`authlogin_utempter_transition_add_role_use_terminal_depend',` type utempter_t; - class chr_file { getattr read write ioctl }; + class chr_file rw_file_perms; ') +######################################## +## +## +## +## +## +## ... +## +## +## +## +## +## +# ####################################### # # authlogin_read_login_records(domain) @@ -670,15 +815,26 @@ define(`authlogin_read_login_records',` requires_block_template(`$0'_depend) logging_search_system_log_directory($1) - allow $1 wtmp_t:file { getattr read }; + allow $1 wtmp_t:file r_file_perms; ') define(`authlogin_read_login_records_depend',` type wtmp_t; - class file { getattr read }; + class file r_file_perms; ') +######################################## +## +## +## +## +## +## +## +## +## +# ####################################### # # authlogin_ignore_write_login_records(domain) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 3b9df980..b4ea9a40 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
@@ -74,21 +74,21 @@ allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec dontaudit pam_t self:capability sys_tty_config; allow pam_t self:fd use; -allow pam_t self:fifo_file { read getattr lock ioctl write append }; -allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow pam_t self:fifo_file rw_file_perms; +allow pam_t self:unix_dgram_socket create_socket_perms; +allow pam_t self:unix_stream_socket rw_stream_socket_perms; allow pam_t self:unix_dgram_socket sendto; allow pam_t self:unix_stream_socket connectto; -allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; -allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; -allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; +allow pam_t self:shm create_shm_perms; +allow pam_t self:sem create_sem_perms; +allow pam_t self:msgq create_msgq_perms; allow pam_t self:msg { send receive }; allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; allow pam_t pam_var_run_t:file { getattr read unlink }; -allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow pam_t pam_tmp_t:dir create_dir_perms; +allow pam_t pam_tmp_t:file create_file_perms; files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) 
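Review bot: `allow pam_t self:unix_stream_socket rw_stream_socket_perms;` replaces a set that began with `create`; if rw_stream_socket_perms is defined as the read/write set without `create` (with create_stream_socket_perms being the superset that adds it), pam_t loses the ability to create its stream sockets here, and the same applies to the utempter_t rule in the next hunk. If that is the case the exact equivalent is `allow pam_t self:unix_stream_socket create_stream_socket_perms;`. Worth confirming against the permission-set definitions before merging, since a denial on create would show up only at runtime.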
@@ -132,9 +132,9 @@ dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; # for /var/run/console.lock checking -allow pam_console_t pam_var_console_t:dir { getattr read search }; -allow pam_console_t pam_var_console_t:file { read getattr }; -allow pam_console_t pam_var_console_t:lnk_file { getattr read }; +allow pam_console_t pam_var_console_t:dir r_dir_perms;; +allow pam_console_t pam_var_console_t:file r_file_perms; +allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) kernel_read_system_state(pam_console_t) @@ -254,7 +254,7 @@ miscfiles_read_localization(system_chkpwd_t) selinux_read_config(system_chkpwd_t) tunable_policy(`use_dns',` - allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow system_chkpwd_t self:udp_socket create_socket_perms; corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t) corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t) corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t) @@ -278,9 +278,9 @@ dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms; # allow utempter_t self:capability setgid; -allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; +allow utempter_t self:unix_stream_socket rw_stream_socket_perms; -allow utempter_t wtmp_t:file { ioctl read getattr lock write append }; +allow utempter_t wtmp_t:file rw_file_perms; terminal_get_all_private_physical_terminal_attributes(utempter_t) terminal_get_all_private_pseudoterminal_attributes(utempter_t) diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index aab599dc..ede5eadc 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if 
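Review bot: `allow pam_console_t pam_var_console_t:dir r_dir_perms;;` ends with a doubled semicolon; checkpolicy does not accept an empty statement, so this should be `allow pam_console_t pam_var_console_t:dir r_dir_perms;`. The rest of the hunk (file and lnk_file to r_file_perms) reads fine.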
@@ -26,7 +26,7 @@ define(`clock_transition',` define(`clock_transition_depend',` type hwclock_t, hwclock_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 646f74ea..030050fb 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -19,7 +19,7 @@ role system_r types hwclock_t; # Local policy # -allow hwclock_t self:process { sigchld sigkill sigstop signull signal }; +allow hwclock_t self:process signal_perms; # Give hwclock the capabilities it requires. dac_override is a surprise, # but hwclock does require it. @@ -83,7 +83,7 @@ allow hwclock_t proc_t:lnk_file read; optional_policy(`rhgb.te', ` allow hwclock_t rhgb_t:process sigchld; allow hwclock_t rhgb_t:fd use; -allow hwclock_t rhgb_t:fifo_file { read write }; +allow hwclock_t rhgb_t:fifo_file rw_file_perms; ') allow hwclock_t autofs_t:dir { search getattr }; diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 0132ca7c..a468d3f4 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -41,13 +41,13 @@ define(`corecommands_search_general_programs_directory_depend',` define(`corecommands_read_general_programs_directory',` requires_block_template(`$0'_depend) - allow $1 bin_t:dir { getattr search read }; + allow $1 bin_t:dir r_dir_perms; ') define(`corecommands_read_general_programs_directory_depend',` type bin_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## 
@@ -57,16 +57,17 @@ define(`corecommands_read_general_programs_directory_depend',` define(`corecommands_execute_general_programs',` requires_block_template(`$0'_depend) - allow $1 bin_t:dir { getattr search read }; - allow $1 bin_t:lnk_file { getattr read }; - allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans }; + allow $1 bin_t:dir r_dir_perms; + allow $1 bin_t:lnk_file r_file_perms; + can_exec($1,bin_t) + ') define(`corecommands_execute_general_programs_depend',` type bin_t; - class dir { getattr search read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; class file { getattr read ioctl lock execute execute_no_trans }; ') @@ -125,16 +126,17 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',` define(`corecommands_execute_system_programs',` requires_block_template(`$0'_depend) - allow $1 sbin_t:dir { getattr search read }; - allow $1 sbin_t:lnk_file { getattr read }; - allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans }; + allow $1 sbin_t:dir r_dir_perms; + allow $1 sbin_t:lnk_file r_file_perms; + can_exec($1,sbin_t) + ') define(`corecommands_execute_system_programs_depend',` type sbin_t; - class dir { getattr search read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; class file { getattr read ioctl lock execute execute_no_trans }; ') @@ -146,15 +148,15 @@ define(`corecommands_execute_shell',` requires_block_template(`$0'_depend) allow $1 bin_t:dir r_dir_perms; - allow $1 bin_t:lnk_file { getattr read }; - allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans }; + allow $1 bin_t:lnk_file r_file_perms; + can_exec($1,shell_exec_t) ') define(`corecommands_execute_shell_depend',` type bin_t, shell_exec_t; class dir r_dir_perms; - class lnk_file { getattr read }; + class lnk_file r_file_perms; class file { getattr read lock ioctl execute execute_no_trans }; ') 
@@ -166,15 +168,15 @@ define(`corecommands_execute_ls',` requires_block_template(`$0'_depend) allow $1 bin_t:dir r_dir_perms; - allow $1 bin_t:lnk_file { getattr read }; - allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans }; + allow $1 bin_t:lnk_file r_file_perms; + can_exec($1,ls_exec_t) ') define(`corecommands_execute_shell_depend',` type bin_t, ls_exec_t; class dir r_dir_perms; - class lnk_file { getattr read }; + class lnk_file r_file_perms; class file { getattr read lock ioctl execute execute_no_trans }; ') @@ -197,9 +199,9 @@ define(`corecommands_execute_shell_depend',` define(`corecommands_shell_explicit_transition',` requires_block_template(`$0'_depend) - allow $1 bin_t:dir { getattr search read }; - allow $1 bin_t:lnk_file { getattr read }; - allow $1 shell_exec_t:file { getattr read execute }; + allow $1 bin_t:dir r_dir_perms; + allow $1 bin_t:lnk_file r_file_perms; + allow $1 shell_exec_t:file rx_file_perms allow $1 $2:process transition; dontaudit $1 $2:process { noatsecure siginh rlimitinh }; @@ -212,9 +214,9 @@ define(`corecommands_shell_explicit_transition',` define(`corecommands_shell_explicit_transition_depend',` type bin_t, shell_exec_t; - class dir { getattr search read }; - class lnk_file { getattr read }; - class file { getattr read execute }; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file rx_file_perms class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 6917bea4..cc0e7411 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
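Review bot: In corecommands_shell_explicit_transition the added line `allow $1 shell_exec_t:file rx_file_perms` and, in its depend block, `class file rx_file_perms` both lack the terminating semicolon, so the next statement is parsed as part of this one and the policy fails to compile; they should be `allow $1 shell_exec_t:file rx_file_perms;` and `class file rx_file_perms;`. Also in this hunk, the depend block following corecommands_execute_ls is still named `corecommands_execute_shell_depend` (an unchanged line, so presumably pre-existing): `requires_block_template(`$0'_depend)` will look for corecommands_execute_ls_depend, which is never defined, and the second definition overrides the real shell depend block with one that declares ls_exec_t. Renaming it to `corecommands_execute_ls_depend` would fix both.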
@@ -12,8 +12,8 @@ define(`domain_make_base_domain',` typeattribute $1 domain; # allow the domain to read its /proc/pid entries - allow $1 self:dir { getattr search read }; - allow $1 self:{ file lnk_file } { getattr read write ioctl }; + allow $1 self:dir r_dir_perms; + allow $1 self:{ file lnk_file } rw_file_perms; # allow $1 to create child processes in this domain allow $1 self:process { fork sigchld }; @@ -22,9 +22,9 @@ define(`domain_make_base_domain',` define(`domain_make_base_domain_depend',` attribute domain; - class dir { getattr search read }; - class file { getattr read write ioctl }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class file rw_file_perms; + class lnk_file r_file_perms; ') ######################################## @@ -264,9 +264,9 @@ define(`domain_kill_all_domains_depend',` define(`domain_read_all_domains_process_state',` requires_block_template(`$0'_depend) - allow $1 domain:dir { getattr search read }; - allow $1 domain:lnk_file { getattr read }; - allow $1 domain:file { getattr read }; + allow $1 domain:dir r_dir_perms; + allow $1 domain:lnk_file r_file_perms; + allow $1 domain:file r_file_perms; allow $1 domain:process getattr; # We need to suppress this denial because procps tries to access @@ -279,9 +279,9 @@ define(`domain_read_all_domains_process_state',` define(`domain_read_all_domains_process_state_depend',` attribute domain; - class dir { getattr search read }; - class lnk_file { getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file r_file_perms; class process { getattr ptrace }; ') @@ -435,8 +435,9 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',` # define(`domain_execute_all_entrypoint_programs',` requires_block_template(`$0'_depend) + + can_exec($1,entry_type) - allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans }; ') define(`domain_execute_all_entrypoint_programs_depend',` 
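Review bot: In domain_make_base_domain the rule becomes `allow $1 self:{ file lnk_file } rw_file_perms;` but the matching depend block declares `class lnk_file r_file_perms;`, so the requires block under-declares what the interface actually uses for lnk_file (the old code had the same mismatch, and the commit rewrites both lines without reconciling them). The depend line should be `class lnk_file rw_file_perms;`, or the rule should be split so lnk_file only gets the read set if write on /proc/self symlinks was never intended. In domain_execute_all_entrypoint_programs the added `can_exec($1,entry_type)` is preceded by two blank lines and followed by the removed rule, leaving a blank line before `')`; cosmetic, but the surrounding interfaces do not do this.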
@@ -452,7 +453,7 @@ define(`domain_execute_all_entrypoint_programs_depend',` define(`domain_read_all_entrypoint_programs',` requires_block_template(`$0'_depend) - allow $1 entry_type:lnk_file { getattr read }; + allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:file r_file_perms; ') @@ -460,7 +461,7 @@ define(`domain_read_all_entrypoint_programs_depend',` attribute entry_type; class file r_file_perms; - class lnk_file { getattr read }; + class lnk_file r_file_perms; ') ## @@ -478,13 +479,13 @@ define(`domain_read_all_entrypoint_programs_depend',` define(`domain_trans',` requires_block_template(`$0'_depend) - allow $1 $2:file { getattr read execute }; + allow $1 $2:file rx_file_perms; allow $1 $3:process transition; dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') define(`domain_trans_depend',` - class file { getattr read execute }; + class file rx_file_perms; process { transition noatsecure siginh rlimitinh }; ') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index e6f8bc19..ba6a5a8a 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
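Review bot: The unchanged context line `process { transition noatsecure siginh rlimitinh };` in domain_trans_depend is missing the `class` keyword, so the requires block generated from it is malformed; since the hunk already touches the line above it, this is a cheap fix to fold in: `class process { transition noatsecure siginh rlimitinh };`. This appears pre-existing rather than introduced here.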
@@ -187,11 +187,11 @@ define(`files_relabel_all_files_depend',` define(`files_manage_all_files',` requires_block_template(`$0'_depend) - allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; - allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename }; - allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 { file_type $2 }:dir create_dir_perms; + allow $1 { file_type $2 }:file create_file_perms; + allow $1 { file_type $2 }:lnk_file create_lnk_perms; + allow $1 { file_type $2 }:fifo_file create_file_perms; + allow $1 { file_type $2 }:sock_file create_file_perms; # satisfy the assertions: selinux_write_binary_policy($1) @@ -201,11 +201,11 @@ define(`files_manage_all_files',` define(`files_manage_all_files_depend',` attribute file_type; - class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; - class file { create ioctl read getattr lock write setattr append link unlink rename }; - class lnk_file { create read getattr setattr link unlink rename }; - class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + class dir create_dir_perms; + class file create_file_perms; + class lnk_file create_lnk_perms; + class fifo_file create_file_perms; + class sock_file create_file_perms; ') ######################################## 
@@ -328,14 +328,14 @@ define(`files_read_root_dir',` requires_block_template(`$0'_depend) allow $1 root_t:dir r_dir_perms; - allow $1 root_t:lnk_file { getattr read }; + allow $1 root_t:lnk_file r_file_perms; ') define(`files_read_root_dir_depend',` type root_t; class dir r_dir_perms; - class lnk_file { getattr read }; + class lnk_file r_file_perms; ') ######################################## @@ -446,13 +446,13 @@ class dir rw_dir_perms; define(`files_remove_root_dir_entry',` requires_block_template(`$0'_depend) - allow $1 root_t:dir { getattr search read write remove_name }; + allow $1 root_t:dir rw_dir_perms; ') define(`files_remove_root_dir_entry_depend',` type root_t; - class dir { getattr search read write remove_name }; + class dir rw_dir_perms; ') ######################################## @@ -494,33 +494,33 @@ define(`files_search_general_system_config_directory_depend',` define(`files_read_general_system_config_directory',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read }; + allow $1 etc_t:dir r_dir_perms; ') define(`files_read_general_system_config_directory_depend',` type etc_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## -# +A# # files_read_general_system_config(domain) # define(`files_read_general_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read }; - allow $1 etc_t:file { getattr read ioctl }; - allow $1 etc_t:lnk_file { getattr read }; + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_t:file r_file_perms; + allow $1 etc_t:lnk_file r_file_perms; ') define(`files_read_general_system_config_depend',` type etc_t; - class dir { getattr search read }; - class file { getattr read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; ') ######################################## 
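Review bot: The changed comment line `+A# ` before `# files_read_general_system_config(domain)` introduces a stray `A` ahead of the `#`; m4 passes the `A` through as policy text, so this file will no longer build. It should go back to a plain `#`. Separately, files_remove_root_dir_entry now grants `rw_dir_perms`, which (if defined as usual) adds `add_name` and friends on top of the old `{ getattr search read write remove_name }`, so an interface named "remove" now also lets the caller create entries in `/`; the same broadening happens to files_remove_general_system_config in a later hunk, and if least privilege matters more than alias uniformity here, keeping the explicit set is preferable.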
@@ -530,17 +530,17 @@ define(`files_read_general_system_config_depend',` define(`files_modify_general_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read }; - allow $1 etc_t:file { getattr read write ioctl }; - allow $1 etc_t:lnk_file { getattr read }; + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_t:file rw_file_perms; + allow $1 etc_t:lnk_file r_file_perms; ') define(`files_modify_general_system_config_depend',` type etc_t; - class dir { getattr search read }; - class file { getattr read write ioctl }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class file rw_file_perms; + class lnk_file r_file_perms; ') ######################################## @@ -550,17 +550,17 @@ define(`files_modify_general_system_config_depend',` define(`files_manage_general_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 etc_t:lnk_file { getattr read }; + allow $1 etc_t:dir rw_dir_perms; + allow $1 etc_t:file create_file_perms; + allow $1 etc_t:lnk_file r_file_perms; ') define(`files_manage_general_system_config_depend',` type etc_t; - class dir { read getattr lock search ioctl add_name remove_name write }; - class file { create ioctl read getattr lock write setattr append link unlink rename }; - class lnk_file { getattr read }; + class dir rw_dir_perms; + class file create_file_perms; + class lnk_file r_file_perms; ') ######################################## 
@@ -577,14 +577,14 @@ define(`files_manage_general_system_config_depend',` define(`files_remove_general_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read write remove_name }; + allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file unlink; ') define(`files_remove_general_system_config_depend',` type etc_t; - class dir { getattr search read write remove_name }; + class dir rw_dir_perms; class file unlink; ') @@ -595,16 +595,17 @@ define(`files_remove_general_system_config_depend',` define(`files_execute_system_config_script',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read }; - allow $1 etc_t:lnk_file { getattr read }; - allow $1 etc_t:file { getattr read execute execute_no_trans }; + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_t:lnk_file r_file_perms; + can_exec($1,etc_t) + ') define(`files_execute_system_config_script_depend',` type etc_t; - class dir { getattr search read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; class file { getattr read execute execute_no_trans }; ') @@ -617,7 +618,7 @@ define(`files_execute_system_config_script_depend',` define(`files_create_boot_flag',` requires_block_template(`$0'_depend) - allow $1 root_t:dir { getattr search read write add_name remove_name }; + allow $1 root_t:dir rw_dir_perms; allow $1 etc_runtime_t:file { create read write setattr unlink }; type_transition $1 root_t:file etc_runtime_t; ') @@ -625,8 +626,8 @@ define(`files_create_boot_flag',` define(`files_create_boot_flag_depend',` type root_t, etc_runtime_t; - class dir { getattr search read write add_name }; - class file { create read write setattr }; + class dir rw_dir_perms; + class file { create read write setattr unlink}; ') ######################################## 
@@ -636,16 +637,16 @@ define(`files_create_boot_flag_depend',` define(`files_manage_runtime_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read write add_name remove_name }; - allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock }; + allow $1 etc_t:dir rw_dir_perms; + allow $1 etc_runtime_t:file create_file_perms; type_transition $1 etc_t:file etc_runtime_t; ') define(`files_manage_runtime_system_config_depend',` type etc_t, etc_runtime_t; - class dir { getattr search read write add_name }; - class file { getattr create read write append setattr rename unlink unlink lock }; + class dir rw_dir_perms; + class file create_file_perms; ') ######################################## @@ -655,15 +656,15 @@ define(`files_manage_runtime_system_config_depend',` define(`files_read_runtime_system_config',` requires_block_template(`$0'_depend) - allow $1 etc_t:dir { getattr search read }; - allow $1 etc_runtime_t:file { getattr read }; + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_runtime_t:file r_file_perms; ') define(`files_read_runtime_system_config_depend',` type etc_t, etc_runtime_t; - class dir { getattr search read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -749,13 +750,13 @@ define(`files_ignore_search_isid_type_dir_depend',` define(`files_list_home_directories',` requires_block_template(`$0'_depend) - allow $1 home_root_t:dir { getattr search read }; + allow $1 home_root_t:dir r_dir_perms; ') define(`files_list_home_directories_depend',` type home_root_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## 
@@ -765,13 +766,13 @@ define(`files_list_home_directories_depend',` define(`files_read_mnt_dir',` requires_block_template(`$0'_depend) - allow $1 mnt_t:dir { getattr search read }; + allow $1 mnt_t:dir r_dir_perms; ') define(`files_read_runtime_system_config_depend',` type mnt_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## @@ -781,7 +782,7 @@ define(`files_read_runtime_system_config_depend',` define(`files_create_private_tmp_data',` requires_block_template(`$0'_depend) - allow $1 tmp_t:dir { getattr search read write add_name remove_name }; + allow $1 tmp_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 tmp_t:file $2; @@ -793,7 +794,7 @@ define(`files_create_private_tmp_data',` define(`files_create_private_tmp_data_depend',` type tmp_t; - class dir { getattr search read write add_name }; + class dir rw_dir_perms; ') ######################################## @@ -843,16 +844,16 @@ define(`files_search_general_application_resources_dir_depend',` define(`files_read_general_application_resources',` requires_block_template(`$0'_depend) - allow $1 usr_t:dir { getattr search read }; - allow $1 usr_t:{ file lnk_file } { getattr read }; + allow $1 usr_t:dir r_dir_perms; + allow $1 usr_t:{ file lnk_file } r_file_perms; ') define(`files_read_general_application_resources_depend',` type usr_t; - class dir { getattr search read }; - class file { getattr read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; ') ######################################## 
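Review bot: The requires block for `files_read_mnt_dir` is defined under the wrong name: the context line reads `define(`files_read_runtime_system_config_depend',`` with `type mnt_t;`, so `files_read_mnt_dir_depend` never exists (the interface's `requires_block_template(`$0'_depend)` expands to an undefined macro) and this definition overrides the real `files_read_runtime_system_config_depend` from the earlier hunk, replacing `etc_t, etc_runtime_t` with `mnt_t`. Rename it to `define(`files_read_mnt_dir_depend',``. This is pre-existing, but the commit edits the block and is the natural place to fix it.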
@@ -870,17 +871,18 @@ define(`files_execute_system_source_code_scripts',` requires_block_template(`$0'_depend) allow $1 usr_t:dir search; - allow $1 src_t:dir { getattr search read }; - allow $1 src_t:lnk_file { getattr read }; - allow $1 src_t:file { getattr read execute execute_no_trans }; + allow $1 src_t:dir r_dir_perms; + allow $1 src_t:lnk_file r_file_perms; + can_exec($1,src_t) + ') define(`files_read_system_source_code_depend',` type usr_t, src_t; - class dir { getattr search read }; + class dir r_dir_perms; class file { getattr read execute execute_no_trans }; - class lnk_file { getattr read }; + class lnk_file r_file_perms; ') ######################################## @@ -891,16 +893,16 @@ define(`files_read_system_source_code',` requires_block_template(`$0'_depend) allow $1 usr_t:dir search; - allow $1 src_t:dir { getattr search read }; - allow $1 src_t:{ file lnk_file } { getattr read }; + allow $1 src_t:dir r_dir_perms; + allow $1 src_t:{ file lnk_file } r_file_perms; ') define(`files_read_system_source_code_depend',` type usr_t, src_t; - class dir { getattr search read }; - class file { getattr read }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; ') ######################################## @@ -943,14 +945,14 @@ define(`files_manage_pseudorandom_saved_seed',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_lib_t:dir { getattr search read write add_name remove_name }; + allow $1 var_lib_t:dir rw_file_perms; allow $1 var_lib_t:file { getattr create read write setattr unlink }; ') define(`files_manage_pseudorandom_saved_seed_depend',` type var_t, var_lib_t; - class dir { getattr search read write add_name remove_name }; + class dir rw_file_perms; class file { getattr create read write setattr unlink }; ') 
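Review bot: `files_execute_system_source_code_scripts` declares its requires block as `define(`files_read_system_source_code_depend',`` — the name belonging to the next interface — so `files_execute_system_source_code_scripts_depend` is undefined and the genuine `files_read_system_source_code_depend` in the following hunk overrides this one, dropping the `execute execute_no_trans` file permissions this interface needs. Rename it to `define(`files_execute_system_source_code_scripts_depend',``. With the body now using `can_exec($1,src_t)`, the `class file { getattr read execute execute_no_trans }` line should also mirror whatever `can_exec` expands to, which is not visible in this diff.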
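Review bot: `allow $1 var_lib_t:dir rw_file_perms;` applies a file permission set to the `dir` class; relative to the removed `{ getattr search read write add_name remove_name }` it appears to drop `search`, `add_name` and `remove_name`, so a caller can no longer traverse /var/lib or create and unlink the seed file that the following `file` rule still permits. Use the directory set in both the body and the `_depend` block: `allow $1 var_lib_t:dir rw_dir_perms;` and `class dir rw_dir_perms;`. The same file-set-on-dir slip recurs in the lock-file and spool interfaces later in this file.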
@@ -961,14 +963,14 @@ define(`files_manage_pseudorandom_saved_seed_depend',` define(`files_get_system_lock_file_attributes',` requires_block_template(`$0'_depend) - allow $1 var_lock_t:dir { getattr search read }; + allow $1 var_lock_t:dir r_dir_perms; allow $1 var_lock_t:file getattr; ') define(`files_get_system_lock_file_attributes_depend',` type var_lock_t; - class dir { getattr search read }; + class dir r_dir_perms; class file getattr; ') @@ -997,14 +999,14 @@ define(`files_manage_system_lock_files_depend',` define(`files_remove_all_lock_files',` requires_block_template(`$0'_depend) - allow $1 lockfile:dir { getattr search read write add_name remove_name }; + allow $1 lockfile:dir rw_file_perms; allow $1 lockfile:file { getattr unlink }; ') define(`files_remove_all_lock_files_depend',` attribute lockfile; - class dir { getattr search read write add_name remove_name }; + class dir rw_dir_perms; class file { getattr unlink }; ') @@ -1072,13 +1074,13 @@ define(`files_read_runtime_data_directory',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_run_t:dir { getattr search read }; + allow $1 var_run_t:dir r_dir_perms; ') define(`files_read_runtime_data_directory_depend',` type var_t, var_run_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## @@ -1112,15 +1114,15 @@ define(`files_modify_system_runtime_data',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_run_t:dir { getattr search read }; - allow $1 var_run_t:file { getattr read write }; + allow $1 var_run_t:dir r_dir_perms; + allow $1 var_run_t:file rw_file_perms; ') define(`files_modify_system_runtime_data_depend',` type var_t, var_run_t; - class dir { getattr search read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
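Review bot: In `files_remove_all_lock_files` the body grants `lockfile:dir rw_file_perms` while its `_depend` block declares `class dir rw_dir_perms`; the two disagree, and a file permission set on a directory does not carry `search` or `remove_name`, so the `unlink` granted on the next line will be denied in practice. Change the body to `allow $1 lockfile:dir rw_dir_perms;` so it matches the requires block and the removed rule's intent. If the macro sets differ from what their names suggest, confirm against the perm-set definitions, which are not in this diff.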
@@ -1242,13 +1244,13 @@ define(`files_read_system_spool_directory',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_spool_t:dir { getattr search read }; + allow $1 var_spool_t:dir r_dir_perms; ') define(`files_read_system_spool_directory_depend',` type var_t, var_spool_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## @@ -1259,15 +1261,15 @@ define(`files_read_system_spools',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_spool_t:dir { getattr search read }; - allow $1 var_spool_t:file { getattr read }; + allow $1 var_spool_t:dir r_dir_perms; + allow $1 var_spool_t:file r_file_perms; ') define(`files_read_system_spools_depend',` type var_t, var_spool_t; - class dir { getattr search read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1278,14 +1280,14 @@ define(`files_manage_system_spools',` requires_block_template(`$0'_depend) allow $1 var_t:dir search; - allow $1 var_spool_t:dir { getattr search read write add_name remove_name }; + allow $1 var_spool_t:dir rw_file_perms; allow $1 var_spool_t:file { getattr create read write append unlink setattr }; ') define(`files_manage_system_spools_depend',` type var_t, var_spool_t; - class dir { getattr search read write add_name remove_name }; + class dir rw_file_perms; class file { getattr create read write append unlink setattr }; ') diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 9835db48..b2052ba0 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te 
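Review bot: `allow $1 var_spool_t:dir rw_file_perms;` and the matching `class dir rw_file_perms;` in `files_manage_system_spools` put a file permission set on the dir class, losing the `search`, `add_name` and `remove_name` that the removed rule granted, so callers cannot create or unlink spool files even though the `file` rule still grants `create` and `unlink`. Both lines should use `rw_dir_perms`. Please grep the rest of the module for `:dir rw_file_perms` — this pattern appears in at least two other interfaces touched by this commit.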
@@ -32,8 +32,8 @@ allow getty_t self:capability { dac_override chown sys_resource sys_tty_config } allow getty_t self:process { getpgid getsession }; -allow getty_t getty_etc_t:dir { getattr search read }; -allow getty_t getty_etc_t:file { getattr read }; +allow getty_t getty_etc_t:dir r_dir_perms; +allow getty_t getty_etc_t:file r_file_perms; files_create_private_config(getty_t,getty_etc_t,{ file dir }) allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink }; diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 4efe9793..2345e61c 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -16,7 +16,7 @@ define(`hostname_transition',` requires_block_template(`$0'_depend) - allow $1 hostname_exec_t:file { getattr read execute }; + allow $1 hostname_exec_t:file rx_file_perms; allow $1 hostname_t:process transition; type_transition $1 hostname_exec_t:process hostname_t; dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh }; @@ -30,7 +30,7 @@ define(`hostname_transition',` define(`hostname_transition_depend',` type hostname_t, hostname_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; @@ -88,7 +88,8 @@ define(`hostname_transition_add_role_use_terminal_depend',` define(`hostname_execute',` requires_block_template(`$0'_depend) - allow $1 hostname_exec_t:file { getattr read execute execute_no_trans }; + can_exec($1,hostname_exec_t) + ') define(`hostname_execute_depend',` diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index e788ec5f..f4b34391 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te 
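Review bot: `hostname_execute` switches to `can_exec($1,hostname_exec_t)`, but `hostname_execute_depend`, which begins at the hunk's last line and continues outside it, is not updated in this commit; the requires block must declare exactly the `file` permissions `can_exec` expands to, or the interface fails when linked from another module. Verify the macro's expansion and align the depend block's `class file` line with it. The blank line left between `can_exec(...)` and `')` is a style inconsistency shared by every `*_execute` interface converted in this commit.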
@@ -65,7 +65,7 @@ ifdef(`targeted_policy', ` ') tunable_policy(`use_dns',` - allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow hostname_t self:udp_socket create_socket_perms; corenetwork_sendrecv_udp_on_all_interfaces(hostname_t) corenetwork_sendrecv_raw_on_all_interfaces(hostname_t) corenetwork_sendrecv_udp_on_all_nodes(hostname_t) diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index dfea44f4..78dc0751 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -11,7 +11,7 @@ define(`hotplug_transition',` requires_block_template(`$0'_depend) - allow $1 hotplug_exec_t:file { getattr read execute }; + allow $1 hotplug_exec_t:file rx_file_perms; allow $1 hotplug_t:process transition; type_transition $1 hotplug_exec_t:process hotplug_t; dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh }; @@ -25,7 +25,7 @@ define(`hotplug_transition',` define(`hotplug_transition_depend',` type hotplug_t, hotplug_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; @@ -38,7 +38,8 @@ define(`hotplug_transition_depend',` define(`hotplug_execute',` requires_block_template(`$0'_depend) - allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans }; + can_exec($1,hotplug_exec_t) + ') define(`hotplug_execute_depend',` 
@@ -110,17 +111,17 @@ define(`hotplug_read_config',` requires_block_template(`$0'_depend) files_search_general_system_config_directory($1) - allow $1 hotplug_etc_t:file { read getattr lock ioctl }; - allow $1 hotplug_etc_t:dir { read getattr lock search ioctl }; - allow $1 hotplug_etc_t:lnk_file { getattr read }; + allow $1 hotplug_etc_t:file r_file_perms; + allow $1 hotplug_etc_t:dir r_dir_perms; + allow $1 hotplug_etc_t:lnk_file r_file_perms; ') define(`hotplug_read_config_depend',` type hotplug_etc_t; - class file { read getattr lock ioctl }; - class dir { read getattr lock search ioctl }; - class lnk_file { getattr read }; + class file r_file_perms; + class dir r_dir_perms; + class lnk_file r_file_perms; ') ## diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 9e659fd4..f9fab4c8 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te 
@@ -29,13 +29,13 @@ dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { getsession getattr }; -allow hotplug_t self:fifo_file { read write getattr ioctl }; -allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept }; +allow hotplug_t self:fifo_file r_file_perms; +allow hotplug_t self:udp_socket create_socket_perms; +allow hotplug_t self:tcp_socket connected_stream_socket_perms; -allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl }; -allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl }; -allow hotplug_t hotplug_etc_t:lnk_file { getattr read }; +allow hotplug_t hotplug_etc_t:file r_file_perms; +allow hotplug_t hotplug_etc_t:dir r_dir_perms; +allow hotplug_t hotplug_etc_t:lnk_file r_file_perms; allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans }; allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 8181116c..9d5e977b 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -14,7 +14,7 @@ define(`init_make_init_domain',` role system_r types $1; allow init_t $1:process transition; - allow init_t $2:file { getattr read execute }; + allow init_t $2:file rx_file_perms; dontaudit init_t $1:process { noatsecure siginh rlimitinh }; type_transition init_t $2:process $1; @@ -33,7 +33,7 @@ define(`init_make_init_domain',` define(`init_make_init_domain_depend',` type init_t; - class file { getattr read execute }; + class file rx_file_perms; class fd use; class fifo_file rw_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; 
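Review bot: `allow hotplug_t self:fifo_file r_file_perms;` replaces `{ read write getattr ioctl }` and silently drops `write`, making hotplug's own pipes read-only, which will break any helper-process plumbing that writes to them. The equivalent conversion is `allow hotplug_t self:fifo_file rw_file_perms;`, as this same commit does for `init_t` and `initrc_t` in init.te. The two explicit exec rules just below (`hotplug_exec_t:file` and `hotplug_etc_t:file`) were left verbose where `can_exec` is used elsewhere in the commit; a consistency nit rather than a defect.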
@@ -53,7 +53,7 @@ define(`init_make_daemon_domain',` role system_r types $1; allow initrc_t $1:process transition; - allow initrc_t $2:file { getattr read execute }; + allow initrc_t $2:file rx_file_perms; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; type_transition initrc_t $2:process $1; @@ -75,7 +75,7 @@ define(`init_make_daemon_domain_depend',` role system_r; - class file { getattr read execute }; + class file rx_file_perms; class fifo_file rw_file_perms; class fd use; class process { transition noatsecure siginh rlimitinh sigchld }; @@ -94,7 +94,7 @@ define(`init_make_system_domain',` role system_r types $1; allow initrc_t $1:process transition; - allow initrc_t $2:file { getattr read execute }; + allow initrc_t $2:file rx_file_perms; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; type_transition initrc_t $2:process $1; @@ -115,7 +115,7 @@ define(`init_make_system_domain_depend',` type initrc_t; role system_r; - class file { getattr read execute }; + class file rx_file_perms; class fd use; class fifo_file rw_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; @@ -128,7 +128,7 @@ define(`init_make_system_domain_depend',` define(`init_transition',` requires_block_template(`$0'_depend) - allow $1 init_exec_t:file { getattr read execute }; + allow $1 init_exec_t:file rx_file_perms; allow $1 init_t:process transition; type_transition $1 init_exec_t:process init_t; dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; @@ -142,7 +142,7 @@ define(`init_transition',` define(`init_transition_depend',` type init_t, init_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; 
@@ -204,13 +204,13 @@ define(`init_use_control_channel',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) - allow $1 initctl_t:fifo_file { getattr read write }; + allow $1 initctl_t:fifo_file rw_file_perms; ') define(`init_use_control_channel_depend',` type initctl_t; - class fifo_file { getattr read write }; + class fifo_file rw_file_perms; ') ######################################## @@ -284,7 +284,7 @@ define(`init_ignore_use_file_descriptors_depend',` define(`init_script_transition',` requires_block_template(`$0'_depend) - allow $1 initrc_exec_t:file { getattr read execute }; + allow $1 initrc_exec_t:file rx_file_perms; allow $1 initrc_t:process transition; type_transition $1 initrc_exec_t:process init_t; dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; @@ -298,7 +298,7 @@ define(`init_script_transition',` define(`init_script_transition_depend',` type initrc_t, initrc_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; @@ -311,7 +311,8 @@ define(`init_script_transition_depend',` define(`init_script_execute',` requires_block_template(`$0'_depend) - allow $1 initrc_exec_t:file { getattr read execute execute_no_trans }; + can_exec($1,initrc_exec_t) + ') define(`init_script_execute_depend',` @@ -334,8 +335,8 @@ define(`init_script_execute_depend',` define(`init_script_read_process_state',` requires_block_template(`$0'_depend) - allow $1 initrc_t:dir { search getattr read }; - allow $1 initrc_t:{ file lnk_file } { read getattr }; + allow $1 initrc_t:dir r_dir_perms; + allow $1 initrc_t:{ file lnk_file } r_file_perms; allow $1 initrc_t:process getattr; # We need to suppress this denial because procps tries to access 
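Review bot: In `init_script_transition` the context lines still read `type_transition $1 initrc_exec_t:process init_t;` and `dontaudit $1 init_t:process { noatsecure siginh rlimitinh };` while the allow rule only grants `$1 initrc_t:process transition`: executing an init script would attempt to enter `init_t` — the most privileged domain in this module, `capability ~sys_module` per init.te — rather than `initrc_t`, and would be denied for want of a matching transition rule. Both lines should name `initrc_t`: `type_transition $1 initrc_exec_t:process initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`. This is pre-existing, but the hunk edits this block and is the place to fix it.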
@@ -348,9 +349,9 @@ define(`init_script_read_process_state',` define(`init_script_read_process_state_depend',` type initrc_t; - class dir { search getattr read }; - class file { read getattr }; - class lnk_file { read getattr }; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; class process { getattr ptrace }; ') @@ -426,7 +427,7 @@ define(`init_script_use_pseudoterminal_depend',` define(`init_script_ignore_use_pseudoterminal',` requires_block_template(`$0'_depend) - allow $1 initrc_devpts_t:chr_file { read write ioctl }; + dontaudit $1 initrc_devpts_t:chr_file { read write ioctl }; ') define(`init_script_ignore_use_pseudoterminal_depend',` @@ -450,13 +451,13 @@ define(`init_script_modify_temporary_data',` requires_block_template(`$0'_depend) # FIXME: read tmp_t - allow $1 initrc_tmp_t:file { getattr read write }; + allow $1 initrc_tmp_t:file rw_file_perms; ') define(`init_script_modify_temporary_data_depend',` type initrc_var_run_t; - class file { getattr read write }; + class file rw_file_perms; ') ######################################## @@ -467,13 +468,13 @@ define(`init_script_read_runtime_data',` requires_block_template(`$0'_depend) files_read_runtime_data_directory($1) - allow $1 initrc_var_run_t:file { getattr read lock }; + allow $1 initrc_var_run_t:file r_file_perms; ') define(`init_script_read_runtime_data_depend',` type initrc_var_run_t; - class file { getattr read lock }; + class file r_file_perms; ') ######################################## @@ -500,13 +501,13 @@ define(`init_script_modify_runtime_data',` requires_block_template(`$0'_depend) files_read_runtime_data_directory($1) - allow $1 initrc_var_run_t:file { getattr read write append lock }; + allow $1 initrc_var_run_t:file rw_file_perms; ') define(`init_script_modify_runtime_data_depend',` type initrc_var_run_t; - class file { getattr read write append lock }; + class file rw_file_perms; ') ######################################## 
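Review bot: `init_script_modify_temporary_data` grants access to `initrc_tmp_t`, but its `_depend` block declares `type initrc_var_run_t;`, so a module using this interface never requires `initrc_tmp_t` and will fail to link (or link against the wrong type). Change the depend line to `type initrc_tmp_t;`. The `# FIXME: read tmp_t` comment left in the body suggests callers also still lack the `tmp_t` directory access needed to reach these files; worth resolving or expanding the comment to say what is missing.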
@@ -522,7 +523,7 @@ define(`init_script_ignore_modify_runtime_data',` define(`init_script_ignore_modify_runtime_data_depend',` type initrc_var_run_t; - class file { getattr read write append }; + class file rw_file_perms; ') ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 3837c97b..ffd2c534 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -69,7 +69,7 @@ allow init_t self:capability ~sys_module; # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot() -allow init_t self:fifo_file { read write ioctl }; +allow init_t self:fifo_file rw_file_perms; # Re-exec itself allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans }; @@ -83,12 +83,12 @@ fs_tmpfs_associate(initctl_t) devices_create_dev_entry(init_t,initctl_t,fifo_file) # Modify utmp. -allow init_t initrc_var_run_t:file { getattr read write setattr lock }; +allow init_t initrc_var_run_t:file rw_file_perms; # Run init scripts. this is ok since initrc # is also in this module allow init_t initrc_t:process transition; -allow init_t initrc_exec_t:file { getattr read execute }; +allow init_t initrc_exec_t:file rx_file_perms; type_transition init_t initrc_exec_t:process initrc_t; dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh }; 
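Review bot: `allow init_t initrc_var_run_t:file rw_file_perms;` drops `setattr` from the removed `{ getattr read write setattr lock }` under the comment `# Modify utmp.`; if init does change utmp's attributes this is a regression, and if it does not the narrowing deserves a note so it is not read as accidental. Either keep `allow init_t initrc_var_run_t:file { rw_file_perms setattr };` or drop `setattr` deliberately with a one-line comment. This assumes `rw_file_perms` does not include `setattr`; confirm against the perm-set macros, which are outside this diff.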
@@ -163,26 +163,26 @@ allow initrc_t self:capability ~{ sys_admin sys_module }; allow initrc_t self:passwd rootok; # Allow IPC with self -allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow initrc_t self:unix_dgram_socket create_socket_perms; allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; -allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow initrc_t self:fifo_file { getattr read write ioctl }; -allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; +allow initrc_t self:tcp_socket create_stream_socket_perms; +allow initrc_t self:udp_socket create_socket_perms; +allow initrc_t self:fifo_file rw_file_perms; +allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t init_t:fd use; allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans }; -allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir }; -allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow initrc_t initrc_state_t:dir create_dir_perms; +allow initrc_t initrc_state_t:file create_file_perms; allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename }; -allow initrc_t initrc_var_run_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow initrc_t initrc_var_run_t:file create_file_perms; files_create_daemon_runtime_data(initrc_t,initrc_var_run_t) -allow initrc_t initrc_tmp_t : file { create ioctl 
read getattr lock write setattr append link unlink rename }; -allow initrc_t initrc_tmp_t : dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +allow initrc_t initrc_tmp_t:file create_file_perms; +allow initrc_t initrc_tmp_t:dir create_dir_perms; files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir }) kernel_read_system_state(initrc_t) @@ -389,7 +389,7 @@ allow initrc_t xconsole_device_t:fifo_file setattr; # for lsof in shutdown scripts can_kerberos(initrc_t) dontaudit initrc_t krb5_conf_t:file write; -allow initrc_t krb5_conf_t:file { getattr read }; +allow initrc_t krb5_conf_t:file r_file_perms; # # These rules are here to allow init scripts to su @@ -409,7 +409,7 @@ ifdef(`distro_debian', ` ifdef(`distro_redhat', ` # readahead asks for these - allow initrc_t var_lib_nfs_t:file { getattr read }; + allow initrc_t var_lib_nfs_t:file r_file_perms; ') ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index fd7d663b..e983c332 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -15,7 +15,7 @@ define(`iptables_transition',` requires_block_template(`$0'_depend) - allow $1 iptables_exec_t:file { getattr read execute }; + allow $1 iptables_exec_t:file rx_file_perms; allow $1 iptables_t:process transition; type_transition $1 iptables_exec_t:process iptables_t; dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh }; @@ -29,7 +29,7 @@ define(`iptables_transition',` define(`iptables_transition_depend',` type iptables_t, iptables_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; 
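Review bot: `allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };` is the one socket rule in this block left as a hand-written list while its neighbours were converted to perm-set macros, which reads as an oversight and is exactly the kind of line the file-set-versus-dir-set slips elsewhere in this commit come from. Write it as `allow initrc_t self:unix_stream_socket { create_stream_socket_perms connectto };`, keeping `connectto` explicit since it is not part of the stream set. The `initrc_state_t:lnk_file { create read getattr setattr unlink rename }` line could likewise use the tree's lnk_file create set, if one is defined. This hunk begins on the previous line.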
@@ -81,7 +81,8 @@ define(`iptables_transition_add_role_use_terminal_depend',` define(`iptables_execute',` requires_block_template(`$0'_depend) - allow $1 iptables_exec_t:file { getattr read execute execute_no_trans }; + can_exec($1,iptables_exec_t) + ') define(`iptables_execute_depend',` diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 17fbd3f6..15566454 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -26,16 +26,16 @@ allow iptables_t self:capability { net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; -allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append }; +allow iptables_t iptables_var_run_t:dir rw_dir_perms; files_create_daemon_runtime_data(iptables_t,iptables_var_run_t) -allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans }; +can_exec(iptables_t,iptables_exec_t) -allow iptables_t iptables_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow iptables_t iptables_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow iptables_t iptables_tmp_t:dir create_dir_perms; +allow iptables_t iptables_tmp_t:file create_file_perms; files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir }) -allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; +allow iptables_t self:rawip_socket create_socket_perms; kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) 
@@ -71,7 +71,7 @@ sysnetwork_ifconfig_transition(iptables_t) userdomain_use_all_users_file_descriptors(iptables_t) tunable_policy(`use_dns',` - allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow iptables_t self:udp_socket create_socket_perms; corenetwork_sendrecv_udp_on_all_interfaces(iptables_t) corenetwork_sendrecv_raw_on_all_interfaces(iptables_t) @@ -108,7 +108,7 @@ ifdef(`TODO',` optional_policy(`rhgb.te', ` allow iptables_t rhgb_t:process sigchld; allow iptables_t rhgb_t:fd use; -allow iptables_t rhgb_t:fifo_file { read write }; +allow iptables_t rhgb_t:fifo_file rw_file_perms; ') allow iptables_t autofs_t:dir { search getattr }; diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index e88e0656..63f8f230 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -15,7 +15,7 @@ define(`libraries_ldconfig_transition',` requires_block_template(`$0'_depend) - allow $1 ldconfig_exec_t:file { getattr read execute }; + allow $1 ldconfig_exec_t:file rx_file_perms; allow $1 ldconfig_t:process transition; type_transition $1 ldconfig_exec_t:process ldconfig_t; dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh }; @@ -29,7 +29,7 @@ define(`libraries_ldconfig_transition',` define(`libraries_ldconfig_transition_depend',` type ldconfig_t, ldconfig_exec_t; - class file { getattr read execute }; + class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; 
@@ -172,13 +172,13 @@ define(`libraries_modify_dynamic_loader_cache',` requires_block_template(`$0'_depend) files_read_general_system_config_directory($1) - allow $1 ld_so_cache_t:file { getattr read write }; + allow $1 ld_so_cache_t:file rw_file_perms; ') define(`libraries_modify_dynamic_loader_cache_depend',` type ld_so_cache_t; - class file { getattr read write }; + class file rw_file_perms; ') ######################################## @@ -196,16 +196,16 @@ define(`libraries_modify_dynamic_loader_cache_depend',` define(`libraries_read_library_resources',` requires_block_template(`$0'_depend) - allow $1 lib_t:dir { getattr read search }; - allow $1 lib_t:{ file lnk_file } { getattr read }; + allow $1 lib_t:dir r_dir_perms; + allow $1 lib_t:{ file lnk_file } r_file_perms; ') define(`libraries_read_library_resources_depend',` type lib_t; - class dir { getattr read search }; - class lnk_file { getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file r_file_perms; ') ######################################## @@ -222,16 +222,16 @@ define(`libraries_read_library_resources_depend',` define(`libraries_execute_library_scripts',` requires_block_template(`$0'_depend) - allow $1 lib_t:dir { getattr read search }; - allow $1 lib_t:lnk_file { getattr read }; + allow $1 lib_t:dir r_dir_perms; + allow $1 lib_t:lnk_file r_file_perms allow $1 lib_t:file { getattr read execute execute_no_trans }; ') define(`libraries_execute_library_scripts_depend',` type lib_t; - class dir { getattr read search }; - class lnk_file { getattr read }; + class dir r_dir_perms; + class lnk_file r_file_perms; class file { getattr read execute execute_no_trans }; ') diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 004d929b..879c01d6 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te 
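Review bot: `allow $1 lib_t:lnk_file r_file_perms` in `libraries_execute_library_scripts` has no terminating semicolon, so the following `allow` is parsed as a continuation and the policy fails to build whenever this interface is used. It should read `allow $1 lib_t:lnk_file r_file_perms;`. Once that is fixed, the remaining `lib_t:file { getattr read execute execute_no_trans }` could become `can_exec($1,lib_t)` as done elsewhere in this commit, provided the `_depend` block is kept in step with that macro's expansion.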
@@ -47,16 +47,16 @@ type ldconfig_exec_t; init_make_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; -allow ldconfig_t ld_so_cache_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow ldconfig_t ld_so_cache_t:file create_file_perms; files_create_private_config(ldconfig_t,ld_so_cache_t,file) -allow ldconfig_t lib_t:dir { getattr search read write add_name remove_name }; +allow ldconfig_t lib_t:dir rw_dir_perms; allow ldconfig_t lib_t:lnk_file { getattr create read unlink }; -allow ldconfig_t ld_so_t:lnk_file { getattr read }; -allow ldconfig_t ld_so_t:file { getattr read execute }; -allow ldconfig_t ld_so_cache_t:file { getattr read }; -allow ldconfig_t { shlib_t texrel_shlib_t }:lnk_file { getattr read }; -allow ldconfig_t { shlib_t texrel_shlib_t }:file { getattr read execute }; +allow ldconfig_t ld_so_t:lnk_file r_file_perms; +allow ldconfig_t ld_so_t:file rx_file_perms; +allow ldconfig_t ld_so_cache_t:file r_file_perms; +allow ldconfig_t { shlib_t texrel_shlib_t }:lnk_file r_file_perms; +allow ldconfig_t { shlib_t texrel_shlib_t }:file rx_file_perms; kernel_read_system_state(ldconfig_t)