- Move range transitions to modules.

- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
This commit is contained in:
Chris PeBenito 2006-10-04 17:25:34 +00:00
parent 00219064d7
commit e070dd2df0
47 changed files with 473 additions and 316 deletions


@ -1,3 +1,6 @@
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
categories configurable as build options.
- Add role infrastructure. - Add role infrastructure.
- Debian updates from Erich Schubert. - Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch(). - Add nscd_socket_use() to auth_use_nsswitch().


@ -208,11 +208,16 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon M4PARAM += -D direct_sysadm_daemon
endif endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256
ifeq ($(QUIET),y) ifeq ($(QUIET),y)
verbose = @ verbose = @
endif endif
M4PARAM += -D hide_broken_symptoms M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named # we need exuberant ctags; unfortunately it is named
# differently on different distros # differently on different distros
@ -454,7 +459,15 @@ $(userpath)/local.users: config/local.users
######################################## ########################################
# #
# Appconfig files # Build Appconfig files
#
$(tmpdir)/initrc_context: $(appconf)/initrc_context
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
########################################
#
# Install Appconfig files
# #
install-appconfig: $(appfiles) install-appconfig: $(appfiles)
@ -485,7 +498,7 @@ $(appdir)/userhelper_context: $(appconf)/userhelper_context
@mkdir -p $(appdir) @mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@ $(verbose) $(INSTALL) -m 644 $< $@
$(appdir)/initrc_context: $(appconf)/initrc_context $(appdir)/initrc_context: $(tmpdir)/initrc_context
@mkdir -p $(appdir) @mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@ $(verbose) $(INSTALL) -m 644 $< $@
@ -527,6 +540,9 @@ endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
$(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf $(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
######################################## ########################################
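Review bot: The new `$(tmpdir)/initrc_context` rule lists only `$(appconf)/initrc_context` as a prerequisite, yet its recipe passes `$(m4support)` to m4 and the output now depends on the macros defined there (the `mls_systemhigh` expansion the appconfig files rely on). A change to the support macros will not regenerate the file, and the `$(appdir)/initrc_context` rule below would then install the stale context. The `$(users_extra)` rule in Rules.modular already uses the pattern this needs: `$(tmpdir)/initrc_context: $(m4support) $(appconf)/initrc_context` with the recipe `$(verbose) $(M4) $(M4PARAM) $^ | $(GREP) '^[a-z]' > $@` (m4support must come first so its definitions precede the input). The `$(tmpdir)/seusers` rule added in Rules.modular has the same gap. Changes to MLS_SENS, MLS_CATS and MCS_CATS themselves are likewise not tracked by make, so a rebuild after changing them presumably needs a clean first.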


@ -88,15 +88,19 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
# #
# Create a base module package # Create a base module package
# #
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts) $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers $(net_contexts)
@echo "Creating $(NAME) base module package" @echo "Creating $(NAME) base module package"
@test -d $(builddir) || mkdir -p $(builddir) @test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts) $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -n $(net_contexts)
$(base_mod): $(base_conf) $(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module" @echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@ $(verbose) $(CHECKMODULE) $^ -o $@
$(tmpdir)/seusers: $(seusers)
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
$(users_extra): $(m4support) $(user_files) $(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir) @test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
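Review bot: The new `$(tmpdir)/seusers` recipe creates its directory with `@mkdir -p $(tmpdir)`, while the `$(users_extra)` rule directly below and the `$(base_pkg)` rule above use `@test -d $(tmpdir) || mkdir -p $(tmpdir)`; one idiom should be used throughout the file. The post-processing filter also differs from the otherwise parallel `$(tmpdir)/initrc_context` rule in the top-level Makefile (`'^[a-z_]'` here versus `'^[a-z]'` there); the underscore is needed here for the `__default__` entry, so the broader pattern is presumably the one both rules should share. Note that the filter silently discards any m4 output line that starts with anything else, so a malformed or unexpanded line beginning with whitespace would vanish from the generated file rather than fail the build. The `$(users_extra)` rule continues outside the hunk.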


@ -46,6 +46,20 @@ MONOLITHIC=y
# Enable polyinstantiated directory support. # Enable polyinstantiated directory support.
POLY=n POLY=n
# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
MLS_SENS=16
# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS=256
# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
MCS_CATS=256
# Set this to y to only display status messages # Set this to y to only display status messages
# during build. # during build.
QUIET=n QUIET=n
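Review bot: The comment on the MCS category count, `# The categories will be c0 to c(MLS_CATS-1).`, names the wrong variable; it should read `# The categories will be c0 to c(MCS_CATS-1).`. The header-install rule in the top-level Makefile writes these three values into the installed build.conf with `override`, so it would help users to say so here, e.g. `# These values are fixed in the installed policy headers; modules must be built with the same settings as the base policy.`. Nothing states the accepted range, and the Makefile defaults the variables with `?=` but does not validate them; a note that they must be positive integers (backed by an `$(error ...)` guard in the Makefile) would report an empty or non-numeric setting at build time instead of leaving it to be discovered later from the generated policy.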


@ -1,2 +1,2 @@
root:root:s0-s0:c0.c255 root:root:s0-mcs_systemhigh
__default__:user_u:s0 __default__:user_u:s0


@ -1 +1 @@
system_u:system_r:initrc_t:s0-s15:c0.c255 system_u:system_r:initrc_t:s0-mls_systemhigh


@ -1,2 +1,2 @@
root:root:s0-s15:c0.c255 root:root:s0-mls_systemhigh
__default__:user_u:s0 __default__:user_u:s0


@ -1,2 +1,2 @@
root:root:s0-s0:c0.c255 root:root:s0-mcs_systemhigh
__default__:user_u:s0 __default__:user_u:s0


@ -1 +1 @@
user_u:system_r:initrc_t:s0-s15:c0.c255 user_u:system_r:initrc_t:s0-mls_systemhigh


@ -1,2 +1,2 @@
root:root:s0-s15:c0.c255 root:root:s0-mls_systemhigh
__default__:user_u:s0 __default__:user_u:s0


@ -2,32 +2,23 @@ ifdef(`enable_mcs',`
# #
# Define sensitivities # Define sensitivities
# #
# Each sensitivity has a name and zero or more aliases.
#
# MCS is single-sensitivity. # MCS is single-sensitivity.
#
sensitivity s0;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }
gen_sens(1)
# #
# Define the categories # Define the categories
# #
# Each category has a name and zero or more aliases. # Generate declarations
#
# generate declarations for c0 to c255 gen_cats(mcs_num_cats)
gen_cats(256)
# #
# Each MCS level specifies a sensitivity and zero or more categories which may # Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity. # be associated with that sensitivity.
# #
level s0:c0.c255;
gen_levels(1,mcs_num_cats)
# #
# Define the MCS policy # Define the MCS policy
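Review bot: The replacement comment `# Generate declarations` above `gen_cats(mcs_num_cats)` drops the information the old comment carried (which names are produced); `# Generate declarations for c0 to c(mcs_num_cats-1)` keeps it, and the matching comment in the MLS file has the same loss. The `gen_sens`, `gen_cats` and `gen_levels` macros and the `mcs_num_cats` symbol are all defined outside this hunk, so a one-line comment stating that the count comes from the build configuration (`MCS_CATS`, passed as `-D mcs_num_cats=` by the Makefile) would help a reader of this file. If `mcs_num_cats` were ever left undefined, m4 would pass the bare name through and the result would presumably be rejected by the policy compiler, which is an acceptable failure mode but worth noting in that comment.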


@ -2,62 +2,26 @@ ifdef(`enable_mls',`
# #
# Define sensitivities # Define sensitivities
# #
# Each sensitivity has a name and zero or more aliases. # Domination of sensitivities is in increasin
# # numerical order, with s0 being the lowest
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
sensitivity s10;
sensitivity s11;
sensitivity s12;
sensitivity s13;
sensitivity s14;
sensitivity s15;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
gen_sens(mls_num_sens)
# #
# Define the categories # Define the categories
# #
# Each category has a name and zero or more aliases. # Generate declarations
#
# generate declarations for c0 to c255
gen_cats(256)
gen_cats(mls_num_cats)
# #
# Each MLS level specifies a sensitivity and zero or more categories which may # Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity. # be associated with that sensitivity.
# #
level s0:c0.c255; # Generate levels from all sensitivities
level s1:c0.c255; # with all categories
level s2:c0.c255;
level s3:c0.c255;
level s4:c0.c255;
level s5:c0.c255;
level s6:c0.c255;
level s7:c0.c255;
level s8:c0.c255;
level s9:c0.c255;
level s10:c0.c255;
level s11:c0.c255;
level s12:c0.c255;
level s13:c0.c255;
level s14:c0.c255;
level s15:c0.c255;
gen_levels(mls_num_sens,mls_num_cats)
# #
# Define the MLS policy # Define the MLS policy
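Review bot: The new comment `# Domination of sensitivities is in increasin` looks truncated or misspelled; `# Dominance of sensitivities is in increasing` (continuing `# numerical order, with s0 being the lowest`) reads correctly and uses the term of the `dominance` statement that the removed lines contained. Since `gen_sens(mls_num_sens)` replaces both the explicit `sensitivity` declarations and the `dominance { ... }` list, a short note that the macro presumably declares both the sensitivities and their ordering would help a reader who knows the old file.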


@ -165,15 +165,15 @@ portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
# nodes in net_contexts or net_contexts.mls. # nodes in net_contexts or net_contexts.mls.
# #
type node_t, node_type; type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255) sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, ) network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255) network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::) network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
network_node(site_local, s0, fec0::, ffc0::) network_node(site_local, s0, fec0::, ffc0::)
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
@ -186,10 +186,10 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
# netif_t is the default type of network interfaces. # netif_t is the default type of network interfaces.
# #
type netif_t, netif_type; type netif_t, netif_type;
sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255) sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',` build_option(`enable_mls',`
network_interface(lo, lo,s0 - s15:c0.c255) network_interface(lo, lo,s0 - mls_systemhigh)
') ')
######################################## ########################################


@ -25,10 +25,10 @@
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
@ -37,11 +37,11 @@
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)


@ -29,7 +29,7 @@ ifdef(`distro_suse',`
/boot -d gen_context(system_u:object_r:boot_t,s0) /boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>> /boot/\.journal <<none>>
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>> /boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
@ -92,9 +92,9 @@ ifdef(`distro_suse',`
# HOME_ROOT # HOME_ROOT
# expanded by genhomedircon # expanded by genhomedircon
# #
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255) HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <<none>> HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>> HOME_ROOT/lost\+found/.* <<none>>
# #
@ -112,7 +112,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# #
# /lost+found # /lost+found
# #
/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/lost\+found/.* <<none>> /lost\+found/.* <<none>>
# #
@ -176,11 +176,11 @@ HOME_ROOT/lost\+found/.* <<none>>
# #
# /tmp # /tmp
# #
/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>> /tmp/.* <<none>>
/tmp/\.journal <<none>> /tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>> /tmp/lost\+found/.* <<none>>
# #
@ -200,12 +200,12 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <<none>> /usr/local/lost\+found/.* <<none>>
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>> /usr/lost\+found/.* <<none>>
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
@ -213,7 +213,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>> /usr/tmp/.* <<none>>
# #
@ -233,18 +233,18 @@ HOME_ROOT/lost\+found/.* <<none>>
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>> /var/lost\+found/.* <<none>>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255) /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>> /var/run/.*\.*pid <<none>>
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/.* <<none>> /var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>> /var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)


@ -35,6 +35,45 @@ interface(`kernel_domtrans_to',`
allow $1 kernel_t:process sigchld; allow $1 kernel_t:process sigchld;
') ')
########################################
## <summary>
## Allows to start userland processes
## by transitioning to the specified domain,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## The process type entered by kernel.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The executable type for the entrypoint.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`kernel_ranged_domtrans_to',`
gen_require(`
type kernel_t;
')
kernel_domtrans_to($1,$2)
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition kernel_t $2:process $3;
')
')
######################################## ########################################
## <summary> ## <summary>
## Allows the kernel to mount filesystems on ## Allows the kernel to mount filesystems on
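Review bot: The body of `kernel_ranged_domtrans_to` emits the identical statement `range_transition kernel_t $2:process $3;` under both `ifdef(`enable_mcs',...)` and `ifdef(`enable_mls',...)`; the duplication invites the two copies to drift, and a single conditional (or a shared helper, if the support macros provide one for "MCS or MLS") would be clearer. The summary `## Allows to start userland processes` is ungrammatical; `## Allows the kernel to start userland processes` matches the wording of the neighbouring interface summaries. The `range` parameter summary `## Range for the domain.` could say what the value is used for, e.g. `## MLS/MCS range the transitioned process is entered with.`.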


@ -39,7 +39,7 @@ type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t) domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t) mls_rangetrans_source(kernel_t)
role system_r types kernel_t; role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255) sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
# #
# DebugFS # DebugFS
@ -62,13 +62,13 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
# kernel message interface # kernel message interface
type proc_kmsg_t, proc_type; type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
# /proc kcore: inaccessible # /proc kcore: inaccessible
type proc_kcore_t, proc_type; type proc_kcore_t, proc_type;
neverallow ~kern_unconfined proc_kcore_t:file ~getattr; neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type; type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -136,18 +136,18 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
# have labels that are no longer valid are treated as having this type. # have labels that are no longer valid are treated as having this type.
# #
type unlabeled_t; type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# These initial sids are no longer used, and can be removed: # These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0) sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
@ -155,7 +155,7 @@ sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
######################################## ########################################
# #


@ -9,44 +9,3 @@ policy_module(mcs,1.0.4)
attribute mcskillall; attribute mcskillall;
attribute mcsptraceall; attribute mcsptraceall;
attribute mcssetcats; attribute mcssetcats;
########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type sshd_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;
ifdef(`enable_mcs',`
# The eventual plan is to have a range_transition to s0 for the daemon by
# default and have the daemons which need to run with all categories be
# exceptions. But while range_transitions have to be in the base module
# this is not possible.
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
# these might be targeted_policy only
range_transition unconfined_t initrc_exec_t s0;
')


@ -49,24 +49,3 @@ attribute mlsrangetrans;
attribute mlsfduse; attribute mlsfduse;
attribute mlsfdshare; attribute mlsfdshare;
########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
# Other types are declared in the mcs module.
#
type lvm_exec_t;
type run_init_t;
type setrans_exec_t;
ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c255;
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
range_transition initrc_t setrans_exec_t s15:c0.c255;
range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
')


@ -19,7 +19,7 @@ attribute selinux_unconfined_type;
type security_t; type security_t;
fs_type(security_t) fs_type(security_t)
mls_trusted_object(security_t) mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,s15:c0.c255) sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;


@ -5,36 +5,36 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
') ')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
@ -42,25 +42,25 @@ ifdef(`distro_redhat', `
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255) /dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)


@ -18,7 +18,7 @@
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255) /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)


@ -26,11 +26,7 @@ type cron_log_t;
logging_log_file(cron_log_t) logging_log_file(cron_log_t)
type crond_t; type crond_t;
# real declaration moved to mls until type crond_exec_t;
# range_transition works in loadable modules
gen_require(`
type crond_exec_t;
')
init_daemon_domain(crond_t,crond_exec_t) init_daemon_domain(crond_t,crond_exec_t)
domain_interactive_fd(crond_t) domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t) domain_cron_exemption_source(crond_t)
@ -67,6 +63,10 @@ ifdef(`targeted_policy',`
files_type(sysadm_cron_spool_t) files_type(sysadm_cron_spool_t)
') ')
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
######################################## ########################################
# #
# Cron Local policy # Cron Local policy
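Review bot: The new init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) call itself invokes init_daemon_domain (see its definition in init.if on this page), so on enable_mcs builds crond_t goes through the plain interface twice, once from the unchanged init_daemon_domain(crond_t,crond_exec_t) line and again inside the ranged wrapper; the same doubling appears in cups (cupsd_t), ssh (the init_daemon_domain/init_ranged_daemon_domain pair), xserver (xdm_t, both init_domain and init_daemon_domain), setrans, locallogin (auth_domtrans_login_program followed by auth_ranged_domtrans_login_program, which calls it again) and presumably udev's kernel_ranged_domtrans_to. Repeating an interface that only emits allow/typeattribute rules is presumably harmless, but the intent reads more clearly as an ifdef whose else branch holds the plain call, so each entry point is declared exactly once per build type. Only an enable_mcs branch is added here; if the MLS range transition for crond still lives in the mls module, a one-line comment pointing there would stop the next reader from hunting for a missing enable_mls branch.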


@ -14,11 +14,7 @@ type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t) files_pid_file(cupsd_config_var_run_t)
type cupsd_t; type cupsd_t;
# real declaration moved to mls until type cupsd_exec_t;
# range_transition works in loadable modules
gen_require(`
type cupsd_exec_t;
')
init_daemon_domain(cupsd_t,cupsd_exec_t) init_daemon_domain(cupsd_t,cupsd_exec_t)
type cupsd_etc_t; type cupsd_etc_t;
@ -68,6 +64,10 @@ files_config_file(ptal_etc_t)
type ptal_var_run_t; type ptal_var_run_t;
files_pid_file(ptal_var_run_t) files_pid_file(ptal_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
######################################## ########################################
# #
# Cups local policy # Cups local policy


@ -20,11 +20,7 @@ role system_r types ssh_keygen_t;
type ssh_keysign_exec_t; type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t) corecmd_executable_file(ssh_keysign_exec_t)
# real declaration moved to mls until type sshd_exec_t;
# range_transition works in loadable modules
gen_require(`
type sshd_exec_t;
')
corecmd_executable_file(sshd_exec_t) corecmd_executable_file(sshd_exec_t)
type sshd_key_t; type sshd_key_t;
@ -36,6 +32,10 @@ ifdef(`targeted_policy',`
type sshd_var_run_t; type sshd_var_run_t;
files_type(sshd_var_run_t) files_type(sshd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
',` ',`
# Type for the ssh-agent executable. # Type for the ssh-agent executable.
type ssh_agent_exec_t; type ssh_agent_exec_t;
@ -55,6 +55,10 @@ ifdef(`targeted_policy',`
# These rules should match the else block # These rules should match the else block
# of the run_ssh_inetd tunable directly above # of the run_ssh_inetd tunable directly above
init_daemon_domain(sshd_t,sshd_exec_t) init_daemon_domain(sshd_t,sshd_exec_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
# ') # ')
type sshd_tmp_t; type sshd_tmp_t;


@ -26,11 +26,7 @@ fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t) files_associate_tmp(xconsole_device_t)
type xdm_t; type xdm_t;
# real declaration moved to mls until type xdm_exec_t;
# range_transition works in loadable modules
gen_require(`
type xdm_exec_t;
')
auth_login_pgm_domain(xdm_t) auth_login_pgm_domain(xdm_t)
init_domain(xdm_t,xdm_exec_t) init_domain(xdm_t,xdm_exec_t)
init_daemon_domain(xdm_t,xdm_exec_t) init_daemon_domain(xdm_t,xdm_exec_t)
@ -71,6 +67,11 @@ logging_log_file(xserver_log_t)
xserver_common_domain_template(xdm) xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t) init_system_domain(xdm_xserver_t,xserver_exec_t)
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
')
optional_policy(` optional_policy(`
prelink_object_file(xkb_var_lib_t) prelink_object_file(xkb_var_lib_t)
') ')


@ -280,6 +280,43 @@ interface(`auth_domtrans_login_program',`
allow $2 $1:process sigchld; allow $2 $1:process sigchld;
') ')
########################################
## <summary>
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the login_program process.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range of the login program.
## </summary>
## </param>
#
interface(`auth_ranged_domtrans_login_program',`
gen_require(`
type login_exec_t;
')
auth_domtrans_login_program($1,$2)
ifdef(`enable_mcs',`
range_transition $1 login_exec_t:process $3;
')
ifdef(`enable_mls',`
range_transition $1 login_exec_t:process $3;
')
')
######################################## ########################################
## <summary> ## <summary>
## Run unix_chkpwd to check a password. ## Run unix_chkpwd to check a password.
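Review bot: The enable_mcs and enable_mls branches of auth_ranged_domtrans_login_program emit the identical statement `range_transition $1 login_exec_t:process $3;`, so the pair of conditionals only serves to drop the rule when neither is compiled in; a comment saying so keeps someone from later "fixing" one branch and not the other: `# MLS and MCS builds take the same range_transition; it must only be omitted when no MLS support is compiled in`. The same doubled branches appear in init_ranged_domain, init_ranged_daemon_domain and init_ranged_system_domain in init.if. The `range` parameter summary, "Range of the login program", would be more precise as "MLS/MCS range the login program's process is transitioned into", since that is what the range_transition on login_exec_t does.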


@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords; attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t; type chkpwd_exec_t;
files_type(chkpwd_exec_t) corecmd_executable_file(chkpwd_exec_t)
type faillog_t; type faillog_t;
logging_log_file(faillog_t) logging_log_file(faillog_t)
@ -19,12 +19,8 @@ logging_log_file(faillog_t)
type lastlog_t; type lastlog_t;
logging_log_file(lastlog_t) logging_log_file(lastlog_t)
# real declaration moved to mls until type login_exec_t;
# range_transition works in loadable modules corecmd_executable_file(login_exec_t)
gen_require(`
type login_exec_t;
')
files_type(login_exec_t)
type pam_console_t; type pam_console_t;
type pam_console_exec_t; type pam_console_exec_t;
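Review bot: Besides moving the declarations back into the module, this hunk changes chkpwd_exec_t and login_exec_t from files_type() to corecmd_executable_file(), a labeling change that the commit description does not mention. If it is required so that the domains transitioning through these entry points may execute them, the description should say so; if it is an unrelated fix, it would be easier to bisect as its own commit.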


@ -6,11 +6,7 @@ policy_module(getty,1.1.4)
# Declarations # Declarations
# #
# real declaration moved to mls until type getty_t;
# range_transition works in loadable modules
gen_require(`
type getty_t;
')
type getty_exec_t; type getty_exec_t;
init_domain(getty_t,getty_exec_t) init_domain(getty_t,getty_exec_t)
domain_interactive_fd(getty_t) domain_interactive_fd(getty_t)


@ -42,6 +42,43 @@ interface(`init_domain',`
') ')
') ')
########################################
## <summary>
## Create a domain which can be started by init,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_domain',`
gen_require(`
type init_t;
')
init_domain($1,$2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
')
')
######################################## ########################################
## <summary> ## <summary>
## Create a domain for long running processes ## Create a domain for long running processes
@ -127,6 +164,43 @@ interface(`init_daemon_domain',`
') ')
') ')
########################################
## <summary>
## Create a domain for long running processes
## (daemons) which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
')
init_daemon_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
')
')
######################################## ########################################
## <summary> ## <summary>
## Create a domain for short running processes ## Create a domain for short running processes
@ -170,6 +244,43 @@ interface(`init_system_domain',`
') ')
') ')
########################################
## <summary>
## Create a domain for short running processes
## which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
')
init_system_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2 $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2 $3;
')
')
######################################## ########################################
## <summary> ## <summary>
## Execute init (/sbin/init) with a domain transition. ## Execute init (/sbin/init) with a domain transition.
@ -483,10 +594,17 @@ interface(`init_domtrans_script',`
files_list_etc($1) files_list_etc($1)
domain_auto_trans($1,initrc_exec_t,initrc_t) domain_auto_trans($1,initrc_exec_t,initrc_t)
allow initrc_t $1:fd use; allow initrc_t $1:fd use;
allow initrc_t $1:fifo_file rw_file_perms; allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:process sigchld; allow initrc_t $1:process sigchld;
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
') ')
######################################## ########################################
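Review bot: init_ranged_system_domain writes its rules as `range_transition initrc_t $2 $3;`, while the two sibling interfaces added in the same file write `range_transition initrc_t $2:process $3;`. If the policy compiler defaults the class to process the two forms are equivalent, but the inconsistency invites a later misreading, so spell the class out in both branches: `range_transition initrc_t $2:process $3;`. Separately, init_domtrans_script hard-codes `s0` for MCS and `s0 - mls_systemhigh` for MLS instead of taking a range parameter like the other new interfaces; a comment stating that init scripts are deliberately started at that fixed range would make the asymmetry look intentional rather than accidental.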


@ -22,26 +22,12 @@ attribute daemon;
# #
# init_t is the domain of the init process. # init_t is the domain of the init process.
# #
# real declaration moved to mls until type init_t;
# range_transition works in loadable modules type init_exec_t;
# also remove the extra init_exec_t dependencies
# in init_t interfaces when the decl gets moved back here.
gen_require(`
type init_t;
')
domain_type(init_t) domain_type(init_t)
role system_r types init_t;
#
# init_exec_t is the type of the init program.
#
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type init_exec_t;
')
kernel_domtrans_to(init_t,init_exec_t)
domain_entry_file(init_t,init_exec_t) domain_entry_file(init_t,init_exec_t)
kernel_domtrans_to(init_t,init_exec_t)
role system_r types init_t;
# #
# init_var_run_t is the type for /var/run/shutdown.pid. # init_var_run_t is the type for /var/run/shutdown.pid.
@ -58,20 +44,11 @@ type initctl_t;
files_type(initctl_t) files_type(initctl_t)
mls_trusted_object(initctl_t) mls_trusted_object(initctl_t)
# real declaration moved to mls until type initrc_t;
# range_transition works in loadable modules type initrc_exec_t;
gen_require(`
type initrc_t;
')
domain_type(initrc_t) domain_type(initrc_t)
role system_r types initrc_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type initrc_exec_t;
')
domain_entry_file(initrc_t,initrc_exec_t) domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
type initrc_devpts_t; type initrc_devpts_t;
term_pty(initrc_devpts_t) term_pty(initrc_devpts_t)
@ -86,6 +63,10 @@ files_tmp_file(initrc_tmp_t)
type initrc_var_run_t; type initrc_var_run_t;
files_pid_file(initrc_var_run_t) files_pid_file(initrc_var_run_t)
ifdef(`enable_mls',`
kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
')
######################################## ########################################
# #
# Init local policy # Init local policy
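Review bot: The removed comment on init_t carried a follow-up item ("also remove the extra init_exec_t dependencies in init_t interfaces when the decl gets moved back here"); this commit performs the move, but the init.if hunks on this page do not show that clean-up, so either do it here or carry the reminder forward as a comment in init.if. The new kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh) is added only under enable_mls, whereas udev.te adds its kernel_ranged_domtrans_to only under enable_mcs and logging.te ranges auditd_t only under enable_mls; if init and auditd are meant to run at plain s0 on MCS builds (and udev unranged on MLS builds), a one-line comment next to each saying so would help, otherwise the missing branches look like oversights.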


@ -16,6 +16,10 @@ interface(`locallogin_domtrans',`
') ')
auth_domtrans_login_program($1,local_login_t) auth_domtrans_login_program($1,local_login_t)
ifdef(`enable_mcs',`
auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
')
') ')
######################################## ########################################


@ -1,7 +1,7 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0) /dev/log -s gen_context(system_u:object_r:devlog_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
@ -24,11 +24,11 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)


@ -21,11 +21,7 @@ files_security_file(auditd_log_t)
files_mountpoint(auditd_log_t) files_mountpoint(auditd_log_t)
type auditd_t; type auditd_t;
# real declaration moved to mls until type auditd_exec_t;
# range_transition works in loadable modules
gen_require(`
type auditd_exec_t;
')
init_daemon_domain(auditd_t,auditd_exec_t) init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t; type auditd_var_run_t;
@ -58,6 +54,10 @@ files_pid_file(syslogd_var_run_t)
type var_log_t; type var_log_t;
logging_log_file(var_log_t) logging_log_file(var_log_t)
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
######################################## ########################################
# #
# Auditd local policy # Auditd local policy


@ -14,11 +14,7 @@ type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t) files_pid_file(clvmd_var_run_t)
type lvm_t; type lvm_t;
# real declaration moved to mls until type lvm_exec_t;
# range_transition works in loadable modules
gen_require(`
type lvm_exec_t;
')
init_system_domain(lvm_t,lvm_exec_t) init_system_domain(lvm_t,lvm_exec_t)
# needs privowner because it assigns the identity system_u to device nodes # needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin # but runs as the identity of the sysadmin


@ -6,12 +6,12 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
# #
# /root # /root


@ -94,11 +94,7 @@ role system_r types restorecond_t;
type restorecond_var_run_t; type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t) files_pid_file(restorecond_var_run_t)
# real declaration moved to mls until type run_init_t;
# range transitions work in modules
gen_require(`
type run_init_t;
')
type run_init_exec_t; type run_init_exec_t;
domain_type(run_init_t) domain_type(run_init_t)
domain_entry_file(run_init_t,run_init_exec_t) domain_entry_file(run_init_t,run_init_exec_t)


@ -1,3 +1,3 @@
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255) /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)


@ -7,17 +7,21 @@ policy_module(setrans,1.0.3)
# #
type setrans_t; type setrans_t;
# real declaration moved to mls until type setrans_exec_t;
# range_transition works in loadable modules
gen_require(`
type setrans_exec_t;
')
init_daemon_domain(setrans_t, setrans_exec_t) init_daemon_domain(setrans_t, setrans_exec_t)
type setrans_var_run_t; type setrans_var_run_t;
files_pid_file(setrans_var_run_t) files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t) mls_trusted_object(setrans_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t,s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t,mls_systemhigh)
')
######################################## ########################################
# #
# setrans local policy # setrans local policy


@ -6,13 +6,8 @@ policy_module(udev,1.3.6)
# Declarations # Declarations
# #
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type udev_exec_t;
')
type udev_t; type udev_t;
type udev_exec_t;
type udev_helper_exec_t; type udev_helper_exec_t;
kernel_domtrans_to(udev_t,udev_exec_t) kernel_domtrans_to(udev_t,udev_exec_t)
domain_obj_id_change_exemption(udev_t) domain_obj_id_change_exemption(udev_t)
@ -34,6 +29,11 @@ files_type(udev_tbl_t)
type udev_var_run_t; type udev_var_run_t;
files_pid_file(udev_var_run_t) files_pid_file(udev_var_run_t)
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh)
')
######################################## ########################################
# #
# Local policy # Local policy


@ -6,11 +6,7 @@ policy_module(unconfined,1.3.15)
# Declarations # Declarations
# #
# real declaration moved to mls until type unconfined_t;
# range_transition works in loadable modules
gen_require(`
type unconfined_t;
')
type unconfined_exec_t; type unconfined_exec_t;
init_system_domain(unconfined_t,unconfined_exec_t) init_system_domain(unconfined_t,unconfined_exec_t)


@ -1,5 +1,5 @@
ifdef(`strict_policy',` ifdef(`strict_policy',`
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255) HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)


@ -15,6 +15,16 @@ define(`policy_module',`
require { require {
role system_r; role system_r;
all_kernel_class_perms all_kernel_class_perms
ifdef(`enable_mcs',`
sensitivity s0;
category c0, c`'decr(mcs_num_cats);
')
ifdef(`enable_mls',`
sensitivity s0, s`'decr(mls_num_sens);
category c0, c`'decr(mls_num_cats);
')
} }
') ')
') ')
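Review bot: The require block now names only the endpoints of the level space (`sensitivity s0, s`'decr(mls_num_sens);` and `category c0, c`'decr(mls_num_cats);`); whether the module compiler accepts a range such as s0 - mls_systemhigh, or a level using an intermediate sensitivity or category, when only the endpoints are required is worth confirming before modules start relying on it. The `c`'decr(...)` idiom deserves a comment, since the empty quote is all that stops m4 from reading `cdecr` as one word: `# `' separates the literal prefix from the decr() expansion`. If mcs_num_cats or mls_num_sens is ever undefined (a module preprocessed without the Makefile's -D options), decr() on a non-numeric argument presumably expands to nothing and the block degrades to `category c0, c;`, which fails far from the cause; a default via define or an explicit error would be clearer.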


@ -76,16 +76,3 @@ define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
define(`gen_bool',` define(`gen_bool',`
bool $1 dflt_or_overr(`$1'_conf,$2); bool $1 dflt_or_overr(`$1'_conf,$2);
') ')
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
define(`decl_cats',`dnl
category c$1;
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
')
define(`gen_cats',`decl_cats(0,decr($1))')


@ -0,0 +1,57 @@
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
define(`decl_cats',`dnl
category c$1;
ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
')
define(`gen_cats',`decl_cats(0,decr($1))')
########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
define(`decl_sens',`dnl
sensitivity s$1;
ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
')
define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
define(`gen_sens',`
# Each sensitivity has a name and zero or more aliases.
decl_sens(0,decr($1))
# Define the ordering of the sensitivity levels (least to greatest)
dominance { gen_dominance(0,decr($1)) }
')
########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
define(`decl_levels',`dnl
level s$1:c0.c$3;
ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
')
define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
########################################
#
# Basic level names for system low and high
#
define(`mls_systemlow',`s0')
define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
define(`mcs_systemlow',`s0')
define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
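Review bot: Nothing in the new file guards the counts: a sensitivity or category count of 0 makes decr() yield -1, so gen_sens, gen_cats and mls_systemhigh emit `s-1` and `c-1`, and a count of 1 collapses the level ranges to `c0.c0`, which the policy compiler may or may not accept; a guard at the top such as `ifelse(eval(mls_num_cats < 1),`1',`errprint(`mls_num_cats must be at least 1')m4exit(1)')` (and the same for mls_num_sens and mcs_num_cats) turns either into a clear build failure. Two comment typos: `categores` should be `categories` and `sensitivites` should be `sensitivities`. The gen_levels comment "levels from s0 to (N-1) with categories c0 to (M-1)" reads better as "levels s0 to s(N-1), each spanning categories c0 to c(M-1)", which is what decl_levels actually produces.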


@ -16,7 +16,7 @@
# and a user process should never be assigned the system user # and a user process should never be assigned the system user
# identity. # identity.
# #
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255) gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
# user_u is a generic user identity for Linux users who have no # user_u is a generic user identity for Linux users who have no
@ -26,11 +26,11 @@ gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',` ',`
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
') ')
# #
@ -41,11 +41,11 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
# not in the sysadm_r. # not in the sysadm_r.
# #
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',` ',`
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255) gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',` ',`
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
') ')
') ')


@ -76,11 +76,16 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon M4PARAM += -D direct_sysadm_daemon
endif endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256
ifeq ($(QUIET),y) ifeq ($(QUIET),y)
verbose := @ verbose := @
endif endif
M4PARAM += -D hide_broken_symptoms M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
# policy headers # policy headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt) m4support = $(wildcard $(HEADERDIR)/support/*.spt)
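Review bot: The new MLS_SENS/MLS_CATS/MCS_CATS defaults are passed straight into M4PARAM, and since this appears to be the policy-headers Makefile (it reads $(HEADERDIR)/support/*.spt), a module built against installed headers with values that differ from the base policy would expand mls_systemhigh/mcs_systemhigh and the require block to a different level space than the base it is loaded into; the comment should say so: `# default MLS/MCS sensitivity and category counts; must match the values the base policy was built with.` An empty or non-numeric override (make MLS_SENS=) surfaces only as an m4 error far from its cause, so a parse-time check such as `ifeq ($(strip $(MLS_SENS)),)` / `$(error MLS_SENS must be a positive integer)` / `endif` for each of the three variables would fail earlier with a clear message.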