- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
This commit is contained in:
parent
00219064d7
commit
e070dd2df0
@ -1,3 +1,6 @@
|
||||
- Move range transitions to modules.
|
||||
- Make number of MLS sensitivities, and number of MLS and MCS
|
||||
categories configurable as build options.
|
||||
- Add role infrastructure.
|
||||
- Debian updates from Erich Schubert.
|
||||
- Add nscd_socket_use() to auth_use_nsswitch().
|
||||
|
22
Makefile
22
Makefile
@ -208,11 +208,16 @@ ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
endif
|
||||
|
||||
# default MLS/MCS sensitivity and category settings.
|
||||
MLS_SENS ?= 16
|
||||
MLS_CATS ?= 256
|
||||
MCS_CATS ?= 256
|
||||
|
||||
ifeq ($(QUIET),y)
|
||||
verbose = @
|
||||
endif
|
||||
|
||||
M4PARAM += -D hide_broken_symptoms
|
||||
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
|
||||
|
||||
# we need exuberant ctags; unfortunately it is named
|
||||
# differently on different distros
|
||||
@ -454,7 +459,15 @@ $(userpath)/local.users: config/local.users
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
# Build Appconfig files
|
||||
#
|
||||
$(tmpdir)/initrc_context: $(appconf)/initrc_context
|
||||
@mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install Appconfig files
|
||||
#
|
||||
install-appconfig: $(appfiles)
|
||||
|
||||
@ -485,7 +498,7 @@ $(appdir)/userhelper_context: $(appconf)/userhelper_context
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(INSTALL) -m 644 $< $@
|
||||
|
||||
$(appdir)/initrc_context: $(appconf)/initrc_context
|
||||
$(appdir)/initrc_context: $(tmpdir)/initrc_context
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(INSTALL) -m 644 $< $@
|
||||
|
||||
@ -527,6 +540,9 @@ endif
|
||||
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
|
||||
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
|
||||
|
||||
########################################
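Review bot: `$(tmpdir)/initrc_context` is rebuilt only when `$(appconf)/initrc_context` changes, yet its output now depends on `$(M4PARAM)` (the new `mls_num_sens`/`mls_num_cats` definitions) and on the macros in `$(m4support)`, so editing MLS_SENS or MLS_CATS and re-running `make` leaves the already-expanded file in place and installs an initrc_context whose systemhigh range may no longer exist in the rebuilt policy — presumably rejected by the kernel at the init transition. Add the real inputs and pass the source explicitly so the support file is not fed to m4 twice: `$(tmpdir)/initrc_context: $(appconf)/initrc_context $(m4support) build.conf` (or whichever file supplies the MLS_* values) with recipe `$(verbose) $(M4) $(M4PARAM) $(m4support) $< | $(GREP) '^[a-z]' > $@`. In that pipeline a failing `$(M4)` is hidden behind `$(GREP)`'s exit status, so a partially expanded file can be installed; a trailing check such as `! $(GREP) -q '_systemhigh' $@` (fail if a macro name survived) would catch it. MLS_SENS/MLS_CATS/MCS_CATS are handed to m4 unvalidated; an `$(error ...)` guard for empty, non-numeric or zero values next to the `?=` defaults gives a clear failure instead of an obscure checkpolicy parse error.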
|
||||
|
@ -88,15 +88,19 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
|
||||
#
|
||||
# Create a base module package
|
||||
#
|
||||
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
|
||||
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers $(net_contexts)
|
||||
@echo "Creating $(NAME) base module package"
|
||||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -n $(net_contexts)
|
||||
|
||||
$(base_mod): $(base_conf)
|
||||
@echo "Compiling $(NAME) base module"
|
||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||
|
||||
$(tmpdir)/seusers: $(seusers)
|
||||
@mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
|
||||
|
||||
$(users_extra): $(m4support) $(user_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
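Review bot: The new `$(tmpdir)/seusers` rule filters the m4 output with `$(GREP) '^[a-z_]'`, which silently drops any mapping whose Linux user name starts with an upper-case letter, a digit or a dot (some distributions allow such names), so that user falls back to `__default__` with no build error; if the filter only exists to remove blank lines and m4 leftovers, `$(GREP) -v '^[[:space:]]*$$'` is the narrower choice, or at least compare the number of mapping lines before and after expansion. The rule also depends only on `$(seusers)`, not on `$(m4support)` or the build configuration, so changing MLS_SENS/MLS_CATS/MCS_CATS will not regenerate it and a stale `root` range can be packaged into the base module; add them as prerequisites and, if `$(seusers)` is a single file, pass `$<` instead of `$^` so the support file is not fed to m4 twice. Because m4's exit status is hidden behind the pipe, consider failing the rule when `$@` still contains an unexpanded `_systemhigh` token. The `$(users_extra)` rule that follows starts at the hunk edge and continues outside it.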
|
||||
|
14
build.conf
14
build.conf
@ -46,6 +46,20 @@ MONOLITHIC=y
|
||||
# Enable polyinstantiated directory support.
|
||||
POLY=n
|
||||
|
||||
# Number of MLS Sensitivities
|
||||
# The sensitivities will be s0 to s(MLS_SENS-1).
|
||||
# Dominance will be in increasing numerical order
|
||||
# with s0 being lowest.
|
||||
MLS_SENS=16
|
||||
|
||||
# Number of MLS Categories
|
||||
# The categories will be c0 to c(MLS_CATS-1).
|
||||
MLS_CATS=256
|
||||
|
||||
# Number of MCS Categories
|
||||
# The categories will be c0 to c(MLS_CATS-1).
|
||||
MCS_CATS=256
|
||||
|
||||
# Set this to y to only display status messages
|
||||
# during build.
|
||||
QUIET=n
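Review bot: The comment above `MCS_CATS=256` is a copy of the MLS one and names the wrong variable; it should read `# The categories will be c0 to c(MCS_CATS-1).`. These three knobs also deserve a caveat that they change the label space of an installed system: lowering MLS_CATS or MCS_CATS below a value that existing file, user or network labels already use (c255 with the defaults), or lowering MLS_SENS below s15, makes those contexts invalid once the new policy loads, so a line such as `# Changing these on an installed system invalidates labels that use the removed sensitivities/categories; plan a relabel.` above the block would save someone a broken boot. Nothing here says what the values must look like; stating that they must be positive integers (and that the Makefile defaults to 16/256/256 when unset) keeps build.conf self-describing.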
|
||||
|
@ -1,2 +1,2 @@
|
||||
root:root:s0-s0:c0.c255
|
||||
root:root:s0-mcs_systemhigh
|
||||
__default__:user_u:s0
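Review bot: With `root:root:s0-mcs_systemhigh` this file is no longer literal seusers syntax but m4 input (the Makefile now expands `$(tmpdir)/seusers` before packaging it), so every user name in it is subject to macro expansion: a Linux or SELinux user whose name coincides with a macro defined in the policy support files would be rewritten silently and the mapping lost or corrupted. A header comment stating this, e.g. `# This file is processed by m4; user names must not collide with policy macro names.`, would warn whoever adds entries later; `#` is m4's default comment delimiter so the line passes through unexpanded, and the Makefile's `'^[a-z_]'` filter strips it before packaging. Please also confirm that `mcs_systemhigh` is derived from MCS_CATS rather than MLS_CATS, since the two are now independent build options and this file is the MCS variant.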
|
||||
|
@ -1 +1 @@
|
||||
system_u:system_r:initrc_t:s0-s15:c0.c255
|
||||
system_u:system_r:initrc_t:s0-mls_systemhigh
|
||||
|
@ -1,2 +1,2 @@
|
||||
root:root:s0-s15:c0.c255
|
||||
root:root:s0-mls_systemhigh
|
||||
__default__:user_u:s0
|
||||
|
@ -1,2 +1,2 @@
|
||||
root:root:s0-s0:c0.c255
|
||||
root:root:s0-mcs_systemhigh
|
||||
__default__:user_u:s0
|
||||
|
@ -1 +1 @@
|
||||
user_u:system_r:initrc_t:s0-s15:c0.c255
|
||||
user_u:system_r:initrc_t:s0-mls_systemhigh
|
||||
|
@ -1,2 +1,2 @@
|
||||
root:root:s0-s15:c0.c255
|
||||
root:root:s0-mls_systemhigh
|
||||
__default__:user_u:s0
|
||||
|
19
policy/mcs
19
policy/mcs
@ -2,32 +2,23 @@ ifdef(`enable_mcs',`
|
||||
#
|
||||
# Define sensitivities
|
||||
#
|
||||
# Each sensitivity has a name and zero or more aliases.
|
||||
#
|
||||
# MCS is single-sensitivity.
|
||||
#
|
||||
sensitivity s0;
|
||||
|
||||
#
|
||||
# Define the ordering of the sensitivity levels (least to greatest)
|
||||
#
|
||||
dominance { s0 }
|
||||
|
||||
gen_sens(1)
|
||||
|
||||
#
|
||||
# Define the categories
|
||||
#
|
||||
# Each category has a name and zero or more aliases.
|
||||
#
|
||||
# Generate declarations
|
||||
|
||||
# generate declarations for c0 to c255
|
||||
gen_cats(256)
|
||||
gen_cats(mcs_num_cats)
|
||||
|
||||
#
|
||||
# Each MCS level specifies a sensitivity and zero or more categories which may
|
||||
# be associated with that sensitivity.
|
||||
#
|
||||
level s0:c0.c255;
|
||||
|
||||
gen_levels(1,mcs_num_cats)
|
||||
|
||||
#
|
||||
# Define the MCS policy
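Review bot: `gen_cats(mcs_num_cats)` and `gen_levels(1,mcs_num_cats)` assume the Makefile passed `-D mcs_num_cats=N`; if the policy is built with an installed header set or Makefile that predates this option, m4 leaves the literal token in place and checkpolicy fails with an unhelpful parse error. A guard at the top of the `enable_mcs` block, `ifdef(`mcs_num_cats',,`errprint(`mcs_num_cats is not defined')m4exit(1)')`, fails early with a clear message. The removed `# generate declarations for c0 to c255` was the only place this file explained the numbering; keep a generic form, e.g. `# generate declarations for c0 to c(mcs_num_cats-1)` above `gen_cats`, and note that `gen_sens(1)` is the single-sensitivity property the comment above it describes.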
|
||||
|
52
policy/mls
52
policy/mls
@ -2,62 +2,26 @@ ifdef(`enable_mls',`
|
||||
#
|
||||
# Define sensitivities
|
||||
#
|
||||
# Each sensitivity has a name and zero or more aliases.
|
||||
#
|
||||
sensitivity s0;
|
||||
sensitivity s1;
|
||||
sensitivity s2;
|
||||
sensitivity s3;
|
||||
sensitivity s4;
|
||||
sensitivity s5;
|
||||
sensitivity s6;
|
||||
sensitivity s7;
|
||||
sensitivity s8;
|
||||
sensitivity s9;
|
||||
sensitivity s10;
|
||||
sensitivity s11;
|
||||
sensitivity s12;
|
||||
sensitivity s13;
|
||||
sensitivity s14;
|
||||
sensitivity s15;
|
||||
|
||||
#
|
||||
# Define the ordering of the sensitivity levels (least to greatest)
|
||||
#
|
||||
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
|
||||
# Domination of sensitivities is in increasin
|
||||
# numerical order, with s0 being the lowest
|
||||
|
||||
gen_sens(mls_num_sens)
|
||||
|
||||
#
|
||||
# Define the categories
|
||||
#
|
||||
# Each category has a name and zero or more aliases.
|
||||
#
|
||||
|
||||
# generate declarations for c0 to c255
|
||||
gen_cats(256)
|
||||
# Generate declarations
|
||||
|
||||
gen_cats(mls_num_cats)
|
||||
|
||||
#
|
||||
# Each MLS level specifies a sensitivity and zero or more categories which may
|
||||
# be associated with that sensitivity.
|
||||
#
|
||||
level s0:c0.c255;
|
||||
level s1:c0.c255;
|
||||
level s2:c0.c255;
|
||||
level s3:c0.c255;
|
||||
level s4:c0.c255;
|
||||
level s5:c0.c255;
|
||||
level s6:c0.c255;
|
||||
level s7:c0.c255;
|
||||
level s8:c0.c255;
|
||||
level s9:c0.c255;
|
||||
level s10:c0.c255;
|
||||
level s11:c0.c255;
|
||||
level s12:c0.c255;
|
||||
level s13:c0.c255;
|
||||
level s14:c0.c255;
|
||||
level s15:c0.c255;
|
||||
# Generate levels from all sensitivities
|
||||
# with all categories
|
||||
|
||||
gen_levels(mls_num_sens,mls_num_cats)
|
||||
|
||||
#
|
||||
# Define the MLS policy
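Review bot: The new comment on the sensitivity ordering has a typo (`increasin`); make it `# Dominance of sensitivities is in increasing` / `# numerical order, with s0 being the lowest`, matching the wording in build.conf. As in policy/mcs, `gen_sens(mls_num_sens)`, `gen_cats(mls_num_cats)` and `gen_levels(mls_num_sens,mls_num_cats)` produce unparsable output when the `-D` definitions are missing (an out-of-date Makefile.devel in installed headers, for instance); an `ifdef(`mls_num_sens',,`errprint(`mls_num_sens is not defined')m4exit(1)')` guard at the top of the `enable_mls` block would fail with a clear message. Since the explicit `dominance { s0 ... s15 }` statement is gone, the ordering now rests entirely on what `gen_sens` emits, which is not shown on this page; the comment should state that `gen_sens` is expected to emit both the `sensitivity` declarations and the `dominance` statement, so a later change to the generator cannot silently drop the ordering that the MLS constraints depend on.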
|
||||
|
@ -165,15 +165,15 @@ portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
# nodes in net_contexts or net_contexts.mls.
|
||||
#
|
||||
type node_t, node_type;
|
||||
sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
|
||||
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
|
||||
|
||||
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
||||
type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
|
||||
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
|
||||
network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
|
||||
network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
|
||||
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||
network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
|
||||
network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
||||
network_node(site_local, s0, fec0::, ffc0::)
|
||||
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
||||
|
||||
@ -186,10 +186,10 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
||||
# netif_t is the default type of network interfaces.
|
||||
#
|
||||
type netif_t, netif_type;
|
||||
sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
|
||||
sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo,s0 - s15:c0.c255)
|
||||
network_interface(lo, lo,s0 - mls_systemhigh)
|
||||
')
|
||||
|
||||
########################################
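Review bot: `mls_systemhigh` is now used unconditionally in `sid node`, `sid netif` and the `lo`/`multicast` nodes, while the MCS-specific hunks elsewhere in this commit use `mcs_systemhigh`; this only compiles under MCS if `mls_systemhigh` is defined to expand to an MCS-valid level (`s0` with all MCS categories) when `enable_mcs` is set, and to nothing in a plain build, which is not visible on this page — please confirm and document that contract at the macro definition. Style: the ranges are written `s0 - mls_systemhigh` here but `s0-mls_systemhigh` in the .fc files of the same commit; one form (the .fc files' `s0-mls_systemhigh`) makes grepping for ranges reliable. The pre-existing split between `lo`/`multicast` (full range) and every other node (`s0` only) is worth a one-line comment explaining why loopback and multicast traffic must carry the full range.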
|
||||
|
@ -25,10 +25,10 @@
|
||||
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
@ -37,11 +37,11 @@
|
||||
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
|
||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
||||
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
|
@ -29,7 +29,7 @@ ifdef(`distro_suse',`
|
||||
/boot -d gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/.* gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/\.journal <<none>>
|
||||
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/boot/lost\+found/.* <<none>>
|
||||
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
|
||||
|
||||
@ -92,9 +92,9 @@ ifdef(`distro_suse',`
|
||||
# HOME_ROOT
|
||||
# expanded by genhomedircon
|
||||
#
|
||||
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
|
||||
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
|
||||
HOME_ROOT/\.journal <<none>>
|
||||
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
HOME_ROOT/lost\+found/.* <<none>>
|
||||
|
||||
#
|
||||
@ -112,7 +112,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
#
|
||||
# /lost+found
|
||||
#
|
||||
/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/lost\+found/.* <<none>>
|
||||
|
||||
#
|
||||
@ -176,11 +176,11 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
#
|
||||
# /tmp
|
||||
#
|
||||
/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
|
||||
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
|
||||
/tmp/.* <<none>>
|
||||
/tmp/\.journal <<none>>
|
||||
|
||||
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/tmp/lost\+found/.* <<none>>
|
||||
|
||||
#
|
||||
@ -200,12 +200,12 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
|
||||
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/usr/local/lost\+found/.* <<none>>
|
||||
|
||||
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
|
||||
|
||||
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/usr/lost\+found/.* <<none>>
|
||||
|
||||
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
@ -213,7 +213,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
|
||||
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
|
||||
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
|
||||
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
|
||||
/usr/tmp/.* <<none>>
|
||||
|
||||
#
|
||||
@ -233,18 +233,18 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
|
||||
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
|
||||
|
||||
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/lost\+found/.* <<none>>
|
||||
|
||||
/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
|
||||
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
|
||||
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/run/.*\.*pid <<none>>
|
||||
|
||||
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
|
||||
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
|
||||
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
|
||||
/var/tmp/.* <<none>>
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/var/tmp/lost\+found/.* <<none>>
|
||||
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
|
||||
|
@ -35,6 +35,45 @@ interface(`kernel_domtrans_to',`
|
||||
allow $1 kernel_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows to start userland processes
|
||||
## by transitioning to the specified domain,
|
||||
## with a range transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The process type entered by kernel.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entrypoint">
|
||||
## <summary>
|
||||
## The executable type for the entrypoint.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_ranged_domtrans_to',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
|
||||
kernel_domtrans_to($1,$2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition kernel_t $2:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition kernel_t $2:process $3;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the kernel to mount filesystems on
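Review bot: No caller of `kernel_ranged_domtrans_to` appears on this page, while the `range_transition kernel_t udev_exec_t`, `kernel_t init_exec_t` and `kernel_t lvm_exec_t` rules removed from mcs.te and mls.te in this commit are exactly what it exists to replace; if the udev, init and lvm modules do not call it in the part of the commit not shown here, those domains silently lose their range transition on boot and would presumably inherit kernel_t's systemhigh level instead of the intended range, so please check those modules. The interface emits the same `range_transition kernel_t $2:process $3;` twice, once under `enable_mcs` and once under `enable_mls`; writing the MLS case as the else-branch of the MCS `ifdef` avoids a double emission if both were ever defined and leaves one copy to maintain. The `range` parameter documentation should say the range is applied only in MLS/MCS builds and that the interface is otherwise identical to `kernel_domtrans_to`, e.g. `## Range for the domain; only applied when MLS or MCS is enabled.`, and the doubled blank line after `gen_require` can go.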
|
||||
|
@ -39,7 +39,7 @@ type kernel_t, can_load_kernmodule;
|
||||
domain_base_type(kernel_t)
|
||||
mls_rangetrans_source(kernel_t)
|
||||
role system_r types kernel_t;
|
||||
sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
|
||||
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
||||
|
||||
#
|
||||
# DebugFS
|
||||
@ -62,13 +62,13 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
|
||||
|
||||
# kernel message interface
|
||||
type proc_kmsg_t, proc_type;
|
||||
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
|
||||
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
|
||||
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
|
||||
|
||||
# /proc kcore: inaccessible
|
||||
type proc_kcore_t, proc_type;
|
||||
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
|
||||
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
|
||||
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
||||
|
||||
type proc_mdstat_t, proc_type;
|
||||
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
|
||||
@ -136,18 +136,18 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
# have labels that are no longer valid are treated as having this type.
|
||||
#
|
||||
type unlabeled_t;
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
|
||||
# These initial sids are no longer used, and can be removed:
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid init gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
@ -155,7 +155,7 @@ sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
|
||||
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -9,44 +9,3 @@ policy_module(mcs,1.0.4)
|
||||
attribute mcskillall;
|
||||
attribute mcsptraceall;
|
||||
attribute mcssetcats;
|
||||
|
||||
########################################
|
||||
#
|
||||
# THIS IS A HACK
|
||||
#
|
||||
# Only the base module can have range_transitions, so we
|
||||
# temporarily have to break encapsulation to work around this.
|
||||
#
|
||||
|
||||
type auditd_exec_t;
|
||||
type crond_exec_t;
|
||||
type cupsd_exec_t;
|
||||
type getty_t;
|
||||
type init_t;
|
||||
type init_exec_t;
|
||||
type initrc_t;
|
||||
type initrc_exec_t;
|
||||
type login_exec_t;
|
||||
type sshd_exec_t;
|
||||
type udev_exec_t;
|
||||
type unconfined_t;
|
||||
type xdm_exec_t;
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
# The eventual plan is to have a range_transition to s0 for the daemon by
|
||||
# default and have the daemons which need to run with all categories be
|
||||
# exceptions. But while range_transitions have to be in the base module
|
||||
# this is not possible.
|
||||
range_transition getty_t login_exec_t s0 - s0:c0.c255;
|
||||
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
|
||||
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
|
||||
|
||||
# these might be targeted_policy only
|
||||
range_transition unconfined_t initrc_exec_t s0;
|
||||
')
|
||||
|
@ -49,24 +49,3 @@ attribute mlsrangetrans;
|
||||
|
||||
attribute mlsfduse;
|
||||
attribute mlsfdshare;
|
||||
|
||||
########################################
|
||||
#
|
||||
# THIS IS A HACK
|
||||
#
|
||||
# Only the base module can have range_transitions, so we
|
||||
# temporarily have to break encapsulation to work around this.
|
||||
# Other types are declared in the mcs module.
|
||||
#
|
||||
|
||||
type lvm_exec_t;
|
||||
type run_init_t;
|
||||
type setrans_exec_t;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t auditd_exec_t s15:c0.c255;
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
|
||||
range_transition initrc_t setrans_exec_t s15:c0.c255;
|
||||
range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
|
||||
')
|
||||
|
@ -19,7 +19,7 @@ attribute selinux_unconfined_type;
|
||||
type security_t;
|
||||
fs_type(security_t)
|
||||
mls_trusted_object(security_t)
|
||||
sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
|
||||
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
|
||||
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
|
||||
|
||||
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
|
||||
|
@ -5,36 +5,36 @@
|
||||
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
|
||||
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
|
||||
/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
|
||||
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
|
||||
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
ifdef(`distro_redhat', `
|
||||
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
')
|
||||
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
@ -42,25 +42,25 @@ ifdef(`distro_redhat', `
|
||||
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
|
||||
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
|
||||
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
|
||||
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
||||
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
|
||||
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
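Review bot: `/dev/md/.*` appears to change from `s0` to `mls_systemhigh` in this hunk, which is a real label change rather than the mechanical `s15:c0.c255` → `mls_systemhigh` substitution applied to every other line: under MLS only domains that dominate systemhigh (or are MLS-trusted) will be able to read MD RAID devices afterwards. If that is intentional (aligning `/dev/md/*` with `/dev/mapper/*` and the other `fixed_disk_device_t` entries) it deserves a mention in the commit message and a relabel note, since installed systems have `/dev/md/*` at `s0`; if not, restore `s0`. The `/dev/ub[a-z]` entry remains the only `removable_device_t` device at `mls_systemhigh` while every other removable device is `s0` — pre-existing, but this pass over the file is the moment to either justify it in a comment or align it.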
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
|
||||
|
||||
/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
|
||||
/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||
|
||||
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
|
||||
|
@ -26,11 +26,7 @@ type cron_log_t;
|
||||
logging_log_file(cron_log_t)
|
||||
|
||||
type crond_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type crond_exec_t;
|
||||
')
|
||||
type crond_exec_t;
|
||||
init_daemon_domain(crond_t,crond_exec_t)
|
||||
domain_interactive_fd(crond_t)
|
||||
domain_cron_exemption_source(crond_t)
|
||||
@ -67,6 +63,10 @@ ifdef(`targeted_policy',`
|
||||
files_type(sysadm_cron_spool_t)
|
||||
')
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Cron Local policy
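Review bot: The MCS block gives crond the full category range (`s0 - mcs_systemhigh`) without saying why; the reasoning that used to live in mcs.te (daemons should default to `s0`, with the ones needing every category as explicit exceptions) is deleted by this commit, so each exception now needs its own justification at the call site, e.g. `# crond needs the full MCS range to start user jobs at each user's categories (review: confirm)`. `init_daemon_domain(crond_t,crond_exec_t)` is still called unconditionally a few lines above; if `init_ranged_daemon_domain` wraps it the way `kernel_ranged_domtrans_to` wraps `kernel_domtrans_to` in this commit, the domain setup is emitted twice under MCS — harmless, but making the plain call the else-branch of the `ifdef` would state the intent. The absence of an `enable_mls` case here matches the old mls.te, which never had a crond transition, so that omission looks deliberate and could be said in one comment line.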
|
||||
|
@ -14,11 +14,7 @@ type cupsd_config_var_run_t;
|
||||
files_pid_file(cupsd_config_var_run_t)
|
||||
|
||||
type cupsd_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type cupsd_exec_t;
|
||||
')
|
||||
type cupsd_exec_t;
|
||||
init_daemon_domain(cupsd_t,cupsd_exec_t)
|
||||
|
||||
type cupsd_etc_t;
|
||||
@ -68,6 +64,10 @@ files_config_file(ptal_etc_t)
|
||||
type ptal_var_run_t;
|
||||
files_pid_file(ptal_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Cups local policy
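Review bot: cupsd is granted the full MCS category range with no comment on why a print spooler must see every category; with the old central comment in mcs.te gone, put the rationale next to the call, e.g. `# cupsd serves print jobs submitted at any MCS category (review: confirm)`. As in cron.te, `init_daemon_domain(cupsd_t,cupsd_exec_t)` above and `init_ranged_daemon_domain` here are both active under MCS; if the ranged interface wraps the plain one, consider making the plain call the else-branch of the `ifdef` so the setup is emitted once and the relationship is explicit.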
|
||||
|
@ -20,11 +20,7 @@ role system_r types ssh_keygen_t;
|
||||
type ssh_keysign_exec_t;
|
||||
corecmd_executable_file(ssh_keysign_exec_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type sshd_exec_t;
|
||||
')
|
||||
type sshd_exec_t;
|
||||
corecmd_executable_file(sshd_exec_t)
|
||||
|
||||
type sshd_key_t;
|
||||
@ -36,6 +32,10 @@ ifdef(`targeted_policy',`
|
||||
|
||||
type sshd_var_run_t;
|
||||
files_type(sshd_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
',`
|
||||
# Type for the ssh-agent executable.
|
||||
type ssh_agent_exec_t;
|
||||
@ -55,6 +55,10 @@ ifdef(`targeted_policy',`
|
||||
# These rules should match the else block
|
||||
# of the run_ssh_inetd tunable directly above
|
||||
init_daemon_domain(sshd_t,sshd_exec_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
# ')
|
||||
|
||||
type sshd_tmp_t;
|
||||
|
@ -26,11 +26,7 @@ fs_associate_tmpfs(xconsole_device_t)
|
||||
files_associate_tmp(xconsole_device_t)
|
||||
|
||||
type xdm_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type xdm_exec_t;
|
||||
')
|
||||
type xdm_exec_t;
|
||||
auth_login_pgm_domain(xdm_t)
|
||||
init_domain(xdm_t,xdm_exec_t)
|
||||
init_daemon_domain(xdm_t,xdm_exec_t)
|
||||
@ -71,6 +67,11 @@ logging_log_file(xserver_log_t)
|
||||
xserver_common_domain_template(xdm)
|
||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
prelink_object_file(xkb_var_lib_t)
|
||||
')
|
||||
|
@ -280,6 +280,43 @@ interface(`auth_domtrans_login_program',`
|
||||
allow $2 $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a login_program in the target domain,
|
||||
## with a range transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## <summary>
|
||||
## The type of the login_program process.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range of the login program.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_ranged_domtrans_login_program',`
|
||||
gen_require(`
|
||||
type login_exec_t;
|
||||
')
|
||||
|
||||
auth_domtrans_login_program($1,$2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition $1 login_exec_t:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition $1 login_exec_t:process $3;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run unix_chkpwd to check a password.
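Review bot: The `target_domain` parameter `$2` of auth_ranged_domtrans_login_program only reaches auth_domtrans_login_program; the `range_transition $1 login_exec_t:process $3;` lines are keyed on `$1` and `login_exec_t`, so the range applies to whatever domain `$1` enters through login_exec_t regardless of `$2`, and the parameter docs do not say so. I would extend the `<param name="target_domain">` summary to `The type of the login_program process (used for the domain transition only; the range transition is keyed on login_exec_t, not on this type).` The enable_mcs and enable_mls branches emit the identical rule and could be a single conditional, which would also make it obvious that the range is caller-supplied in both build types.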
|
||||
|
@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
|
||||
type chkpwd_exec_t;
|
||||
files_type(chkpwd_exec_t)
|
||||
corecmd_executable_file(chkpwd_exec_t)
|
||||
|
||||
type faillog_t;
|
||||
logging_log_file(faillog_t)
|
||||
@ -19,12 +19,8 @@ logging_log_file(faillog_t)
|
||||
type lastlog_t;
|
||||
logging_log_file(lastlog_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type login_exec_t;
|
||||
')
|
||||
files_type(login_exec_t)
|
||||
type login_exec_t;
|
||||
corecmd_executable_file(login_exec_t)
|
||||
|
||||
type pam_console_t;
|
||||
type pam_console_exec_t;
|
||||
|
@ -6,11 +6,7 @@ policy_module(getty,1.1.4)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type getty_t;
|
||||
')
|
||||
type getty_t;
|
||||
type getty_exec_t;
|
||||
init_domain(getty_t,getty_exec_t)
|
||||
domain_interactive_fd(getty_t)
|
||||
|
@ -42,6 +42,43 @@ interface(`init_domain',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain which can be started by init,
|
||||
## with a range transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_ranged_domain',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
init_domain($1,$2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition init_t $2:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition init_t $2:process $3;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for long running processes
|
||||
@ -127,6 +164,43 @@ interface(`init_daemon_domain',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for long running processes
|
||||
## (daemons) which can be started by init scripts.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_ranged_daemon_domain',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
init_daemon_domain($1,$2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for short running processes
|
||||
@ -170,6 +244,43 @@ interface(`init_system_domain',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for short running processes
|
||||
## which can be started by init scripts.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_ranged_system_domain',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
init_system_domain($1,$2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2 $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2 $3;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute init (/sbin/init) with a domain transition.
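Review bot: The range_transition in init_ranged_system_domain omits the object class that its siblings spell out: it reads `range_transition initrc_t $2 $3;` while init_ranged_domain and init_ranged_daemon_domain in this same commit write `range_transition initrc_t $2:process $3;`. If checkpolicy defaults a classless range_transition to the process class this is only an inconsistency, but if the toolchain in use requires the class the module breaks only in MLS/MCS builds, so both branches should be `range_transition initrc_t $2:process $3;`. As in the sibling interfaces the enable_mcs and enable_mls branches are identical and could be collapsed.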
|
||||
@ -483,10 +594,17 @@ interface(`init_domtrans_script',`
|
||||
|
||||
files_list_etc($1)
|
||||
domain_auto_trans($1,initrc_exec_t,initrc_t)
|
||||
|
||||
allow initrc_t $1:fd use;
|
||||
allow initrc_t $1:fifo_file rw_file_perms;
|
||||
allow initrc_t $1:process sigchld;
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition $1 initrc_exec_t:process s0;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
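Review bot: The new MCS branch pins every init script started through init_domtrans_script to a single level, `range_transition $1 initrc_exec_t:process s0;`, which strips whatever categories the calling domain `$1` holds, whereas the MLS branch grants initrc_t the full `s0 - mls_systemhigh` range. Nothing in the hunk says whether the category drop under MCS is intended (presumably initrc_t is exempted from the MCS constraints elsewhere) or a leftover, and a caller that expects init scripts to inherit its categories would be silently confined. A comment above the two ifdefs, e.g. `# MCS: init scripts run without categories; MLS: full range so initrc_t can start daemons at any level`, would make the asymmetry deliberate. init_domtrans_script begins before this hunk.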
|
||||
|
@ -22,26 +22,12 @@ attribute daemon;
|
||||
#
|
||||
# init_t is the domain of the init process.
|
||||
#
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
# also remove the extra init_exec_t dependencies
|
||||
# in init_t interfaces when the decl gets moved back here.
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
type init_t;
|
||||
type init_exec_t;
|
||||
domain_type(init_t)
|
||||
role system_r types init_t;
|
||||
|
||||
#
|
||||
# init_exec_t is the type of the init program.
|
||||
#
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type init_exec_t;
|
||||
')
|
||||
kernel_domtrans_to(init_t,init_exec_t)
|
||||
domain_entry_file(init_t,init_exec_t)
|
||||
kernel_domtrans_to(init_t,init_exec_t)
|
||||
role system_r types init_t;
|
||||
|
||||
#
|
||||
# init_var_run_t is the type for /var/run/shutdown.pid.
|
||||
@ -58,20 +44,11 @@ type initctl_t;
|
||||
files_type(initctl_t)
|
||||
mls_trusted_object(initctl_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
type initrc_t;
|
||||
type initrc_exec_t;
|
||||
domain_type(initrc_t)
|
||||
role system_r types initrc_t;
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
')
|
||||
domain_entry_file(initrc_t,initrc_exec_t)
|
||||
role system_r types initrc_t;
|
||||
|
||||
type initrc_devpts_t;
|
||||
term_pty(initrc_devpts_t)
|
||||
@ -86,6 +63,10 @@ files_tmp_file(initrc_tmp_t)
|
||||
type initrc_var_run_t;
|
||||
files_pid_file(initrc_var_run_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init local policy
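Review bot: init_t receives a ranged kernel transition only under enable_mls, `kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)`, while udev in this same commit gets its `kernel_ranged_domtrans_to` only under enable_mcs and the daemons moved here are ranged `s0 - mcs_systemhigh` under MCS. If MCS init is meant to run with the full category range, the matching `ifdef(`enable_mcs',` block with `kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mcs_systemhigh)` is missing; if init is meant to stay at s0 under MCS, a one-line comment saying so would stop the next reader from adding it. I cannot tell from the hunk which is intended.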
|
||||
|
@ -16,6 +16,10 @@ interface(`locallogin_domtrans',`
|
||||
')
|
||||
|
||||
auth_domtrans_login_program($1,local_login_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
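Review bot: Under enable_mcs the domain transition is emitted twice: `auth_domtrans_login_program($1,local_login_t)` is called unconditionally, and auth_ranged_domtrans_login_program, added in this commit, calls it again before adding the range_transition. The duplicated rules are harmless in the compiled policy but make the MCS path read as if the ranged interface only adds a range. Either move the plain call into the else branch, `ifdef(`enable_mcs',`auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)',`auth_domtrans_login_program($1,local_login_t)')`, or keep it and note in a comment that the ranged interface re-emits the domain transition. locallogin_domtrans starts before this hunk.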
|
||||
|
@ -1,7 +1,7 @@
|
||||
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
|
||||
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
@ -24,11 +24,11 @@ ifdef(`distro_suse', `
|
||||
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
|
||||
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
|
@ -21,11 +21,7 @@ files_security_file(auditd_log_t)
|
||||
files_mountpoint(auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type auditd_exec_t;
|
||||
')
|
||||
type auditd_exec_t;
|
||||
init_daemon_domain(auditd_t,auditd_exec_t)
|
||||
|
||||
type auditd_var_run_t;
|
||||
@ -58,6 +54,10 @@ files_pid_file(syslogd_var_run_t)
|
||||
type var_log_t;
|
||||
logging_log_file(var_log_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
|
@ -14,11 +14,7 @@ type clvmd_var_run_t;
|
||||
files_pid_file(clvmd_var_run_t)
|
||||
|
||||
type lvm_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type lvm_exec_t;
|
||||
')
|
||||
type lvm_exec_t;
|
||||
init_system_domain(lvm_t,lvm_exec_t)
|
||||
# needs privowner because it assigns the identity system_u to device nodes
|
||||
# but runs as the identity of the sysadmin
|
||||
|
@ -6,12 +6,12 @@
|
||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
|
||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
|
||||
#
|
||||
# /root
|
||||
|
@ -94,11 +94,7 @@ role system_r types restorecond_t;
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range transitions work in modules
|
||||
gen_require(`
|
||||
type run_init_t;
|
||||
')
|
||||
type run_init_t;
|
||||
type run_init_exec_t;
|
||||
domain_type(run_init_t)
|
||||
domain_entry_file(run_init_t,run_init_exec_t)
|
||||
|
@ -1,3 +1,3 @@
|
||||
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
|
||||
|
||||
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
|
||||
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
|
||||
|
@ -7,17 +7,21 @@ policy_module(setrans,1.0.3)
|
||||
#
|
||||
|
||||
type setrans_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type setrans_exec_t;
|
||||
')
|
||||
type setrans_exec_t;
|
||||
init_daemon_domain(setrans_t, setrans_exec_t)
|
||||
|
||||
type setrans_var_run_t;
|
||||
files_pid_file(setrans_var_run_t)
|
||||
mls_trusted_object(setrans_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(setrans_t, setrans_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
init_ranged_daemon_domain(setrans_t, setrans_exec_t,mls_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# setrans local policy
|
||||
|
@ -6,13 +6,8 @@ policy_module(udev,1.3.6)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type udev_exec_t;
|
||||
')
|
||||
|
||||
type udev_t;
|
||||
type udev_exec_t;
|
||||
type udev_helper_exec_t;
|
||||
kernel_domtrans_to(udev_t,udev_exec_t)
|
||||
domain_obj_id_change_exemption(udev_t)
|
||||
@ -34,6 +29,11 @@ files_type(udev_tbl_t)
|
||||
type udev_var_run_t;
|
||||
files_pid_file(udev_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh)
|
||||
init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
|
@ -6,11 +6,7 @@ policy_module(unconfined,1.3.15)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
type unconfined_t;
|
||||
type unconfined_exec_t;
|
||||
init_system_domain(unconfined_t,unconfined_exec_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
ifdef(`strict_policy',`
|
||||
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
|
||||
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
||||
|
||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||
|
@ -15,6 +15,16 @@ define(`policy_module',`
|
||||
require {
|
||||
role system_r;
|
||||
all_kernel_class_perms
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
sensitivity s0;
|
||||
category c0, c`'decr(mcs_num_cats);
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
sensitivity s0, s`'decr(mls_num_sens);
|
||||
category c0, c`'decr(mls_num_cats);
|
||||
')
|
||||
}
|
||||
')
|
||||
')
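Review bot: The require block added to policy_module names only the range endpoints, `sensitivity s0, s`'decr(mls_num_sens);` and `category c0, c`'decr(mls_num_cats);`, so a module that spells out an intermediate level or category (s1, c5) must still require it itself, and nothing in the macro says so. When a count is configured as 1 the expansions collapse to `sensitivity s0, s0;` or `category c0, c0;`, and a count of 0 yields `s-1`, neither of which is rejected here or, as far as the hunk shows, in the Makefile that supplies the values. A comment above the ifdefs, e.g. `# only the endpoints of the configured MLS/MCS range are required; modules that name other levels must require them explicitly`, would make the contract clear.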
|
||||
|
@ -76,16 +76,3 @@ define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
|
||||
define(`gen_bool',`
|
||||
bool $1 dflt_or_overr(`$1'_conf,$2);
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_cats(N)
|
||||
#
|
||||
# declares categores c0 to c(N-1)
|
||||
#
|
||||
define(`decl_cats',`dnl
|
||||
category c$1;
|
||||
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
|
||||
')
|
||||
|
||||
define(`gen_cats',`decl_cats(0,decr($1))')
|
||||
|
57
policy/support/mls_mcs_macros.spt
Normal file
57
policy/support/mls_mcs_macros.spt
Normal file
@ -0,0 +1,57 @@
|
||||
########################################
|
||||
#
|
||||
# gen_cats(N)
|
||||
#
|
||||
# declares categores c0 to c(N-1)
|
||||
#
|
||||
define(`decl_cats',`dnl
|
||||
category c$1;
|
||||
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
|
||||
')
|
||||
|
||||
define(`gen_cats',`decl_cats(0,decr($1))')
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_sens(N)
|
||||
#
|
||||
# declares sensitivites s0 to s(N-1) with dominance
|
||||
# in increasing numeric order with s0 lowest, s(N-1) highest
|
||||
#
|
||||
define(`decl_sens',`dnl
|
||||
sensitivity s$1;
|
||||
ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
|
||||
')
|
||||
|
||||
define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
|
||||
|
||||
define(`gen_sens',`
|
||||
# Each sensitivity has a name and zero or more aliases.
|
||||
decl_sens(0,decr($1))
|
||||
|
||||
# Define the ordering of the sensitivity levels (least to greatest)
|
||||
dominance { gen_dominance(0,decr($1)) }
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_levels(N,M)
|
||||
#
|
||||
# levels from s0 to (N-1) with categories c0 to (M-1)
|
||||
#
|
||||
define(`decl_levels',`dnl
|
||||
level s$1:c0.c$3;
|
||||
ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
|
||||
')
|
||||
|
||||
define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Basic level names for system low and high
|
||||
#
|
||||
define(`mls_systemlow',`s0')
|
||||
define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
|
||||
define(`mcs_systemlow',`s0')
|
||||
define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
|
||||
define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
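Review bot: decl_cats, decl_sens and decl_levels stop only when the counter equals `decr($1)`, which is never reached for a count of 0 (decr(0) is -1 and the counter only grows), so `gen_cats(0)` or `gen_sens(0)` recurse until m4 aborts instead of failing with a readable message; a count of 1 yields `dominance { s0 }` and a `mls_systemhigh` of `s0:c0.c0`, which may be acceptable but is worth stating in the header comments. Since mls_num_sens, mls_num_cats and mcs_num_cats are build options handed in from the Makefile, a cheap guard at the two entry points is appropriate; the comment typos `categores` and `sensitivites` could be fixed at the same time.

```m4
define(`gen_cats',`ifelse(eval($1 < 1),`1',
	`errprint(`gen_cats: category count must be >= 1
')m4exit(1)',
	`decl_cats(0,decr($1))')')

dnl … unchanged: decl_sens, gen_dominance …

define(`gen_sens',`ifelse(eval($1 < 1),`1',
	`errprint(`gen_sens: sensitivity count must be >= 1
')m4exit(1)',`
# Each sensitivity has a name and zero or more aliases.
decl_sens(0,decr($1))

# Define the ordering of the sensitivity levels (least to greatest)
dominance { gen_dominance(0,decr($1)) }
')')
```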
|
14
policy/users
14
policy/users
@ -16,7 +16,7 @@
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
@ -26,11 +26,11 @@ gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
',`
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
')
|
||||
|
||||
#
|
||||
@ -41,11 +41,11 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
',`
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
',`
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
')
|
||||
')
|
||||
|
@ -76,11 +76,16 @@ ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
endif
|
||||
|
||||
# default MLS/MCS sensitivity and category settings.
|
||||
MLS_SENS ?= 16
|
||||
MLS_CATS ?= 256
|
||||
MCS_CATS ?= 256
|
||||
|
||||
ifeq ($(QUIET),y)
|
||||
verbose := @
|
||||
endif
|
||||
|
||||
M4PARAM += -D hide_broken_symptoms
|
||||
M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
|
||||
|
||||
# policy headers
|
||||
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
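Review bot: MLS_SENS, MLS_CATS and MCS_CATS go straight into `-D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)` with no validation, and the m4 macros that consume them (decl_sens/decl_cats in mls_mcs_macros.spt, added in this commit) do not terminate for a count of 0 and produce duplicate `s0, s0` requires for a count of 1, so a mistyped `make MLS_CATS=` or `MLS_SENS=0` fails deep inside m4 rather than here. A parse-time guard next to the defaults reports it at the source: `ifneq ($(shell test "$(MLS_SENS)" -ge 1 -a "$(MLS_CATS)" -ge 1 -a "$(MCS_CATS)" -ge 1 2>/dev/null && echo ok),ok)` / `$(error MLS_SENS, MLS_CATS and MCS_CATS must be positive integers)` / `endif`. Because the three knobs use `?=`, an environment variable of the same name silently overrides the default; a comment stating that they are meant to be settable from the environment or command line would make that explicit.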
|
||||
|