trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.

This commit is contained in:
Chris PeBenito 2007-11-16 14:58:17 +00:00
parent 226c06969c
commit eeef8dc451
5 changed files with 99 additions and 27 deletions

View File

@ -1,3 +1,5 @@
- Add interface for libselinux constructor, for libselinux-linked
SELinux-enabled programs.
- Patch to restructure user role templates to create restricted user roles - Patch to restructure user role templates to create restricted user roles
from Dan Walsh. from Dan Walsh.
- Russian man page translations from Andrey Markelov. - Russian man page translations from Andrey Markelov.

View File

@ -7,11 +7,11 @@
######################################## ########################################
## <summary> ## <summary>
## Gets the caller the mountpoint of the selinuxfs filesystem. ## Get the mountpoint of the selinuxfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## The process type requesting the selinuxfs mountpoint. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
@ -30,6 +30,32 @@ interface(`selinux_get_fs_mount',`
kernel_read_system_state($1) kernel_read_system_state($1)
') ')
########################################
## <summary>
## Do not audit attempts to get the mountpoint
## of the selinuxfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`selinux_dontaudit_get_fs_mount',`
gen_require(`
type security_t;
')
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
dontaudit $1 security_t:filesystem getattr;
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the selinuxfs filesystem ## Get the attributes of the selinuxfs filesystem

View File

@ -1,5 +1,5 @@
policy_module(selinux,1.4.0) policy_module(selinux,1.4.1)
######################################## ########################################
# #

View File

@ -1058,3 +1058,57 @@ interface(`seutil_get_semanage_trans_lock',`
files_search_etc($1) files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
') ')
########################################
## <summary>
## SELinux-enabled program access for
## libselinux-linked programs.
## </summary>
## <desc>
## <p>
## SELinux-enabled programs are typically
## linked to the libselinux library. This
## interface will allow access required for
## the libselinux constructor to function.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`seutil_libselinux_linked',`
selinux_get_fs_mount($1)
seutil_read_config($1)
')
########################################
## <summary>
## Do not audit SELinux-enabled program access for
## libselinux-linked programs.
## </summary>
## <desc>
## <p>
## SELinux-enabled programs are typically
## linked to the libselinux library. This
## interface will dontaudit access required for
## the libselinux constructor to function.
## </p>
## <p>
## Generally this should not be used on anything
## but simple SELinux-enabled programs that do not
## rely on data initialized by the libselinux
## constructor.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')

View File

@ -1,5 +1,5 @@
policy_module(selinuxutil,1.7.1) policy_module(selinuxutil,1.7.2)
gen_require(` gen_require(`
bool secure_mode; bool secure_mode;
@ -160,9 +160,6 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files # only allow read of policy config files
read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t) read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
domain_use_interactive_fds(load_policy_t) domain_use_interactive_fds(load_policy_t)
# for mcs.conf # for mcs.conf
@ -173,7 +170,6 @@ fs_getattr_xattr_fs(load_policy_t)
mls_file_read_all_levels(load_policy_t) mls_file_read_all_levels(load_policy_t)
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t) selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t) selinux_set_boolean(load_policy_t)
@ -188,6 +184,8 @@ libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
seutil_libselinux_linked(load_policy_t)
userdom_use_all_users_fds(load_policy_t) userdom_use_all_users_fds(load_policy_t)
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
@ -217,9 +215,6 @@ allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_files_pattern(newrole_t,default_context_t,default_context_t) read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
@ -238,7 +233,6 @@ mls_file_downgrade(newrole_t)
mls_process_set_level(newrole_t) mls_process_set_level(newrole_t)
mls_fd_share_all_levels(newrole_t) mls_fd_share_all_levels(newrole_t)
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t) selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t) selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t) selinux_compute_create_context(newrole_t)
@ -277,6 +271,8 @@ logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
userdom_use_unpriv_users_fds(newrole_t) userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd # for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content(newrole_t) userdom_dontaudit_search_all_users_home_content(newrole_t)
@ -309,7 +305,6 @@ optional_policy(`
allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms; allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
allow restorecond_t restorecond_var_run_t:file manage_file_perms; allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file) files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
@ -323,7 +318,6 @@ fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t) fs_getattr_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t) fs_list_inotifyfs(restorecond_t)
selinux_get_fs_mount(restorecond_t)
selinux_validate_context(restorecond_t) selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t) selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t) selinux_compute_create_context(restorecond_t)
@ -343,14 +337,10 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t) miscfiles_read_localization(restorecond_t)
optional_policy(` seutil_libselinux_linked(restorecond_t)
rpm_use_script_fds(restorecond_t)
')
optional_policy(` optional_policy(`
# restorecond watches for users logging in, rpm_use_script_fds(restorecond_t)
# so it getspwnam when a user logs in to find his homedir
nis_use_ypbind(restorecond_t)
') ')
################################# #################################
@ -385,7 +375,6 @@ domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t) files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t) files_dontaudit_search_all_dirs(run_init_t)
selinux_get_fs_mount(run_init_t)
selinux_validate_context(run_init_t) selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t) selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t) selinux_compute_create_context(run_init_t)
@ -401,7 +390,7 @@ init_rw_utmp(run_init_t)
libs_use_ld_so(run_init_t) libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t) libs_use_shared_libs(run_init_t)
seutil_read_config(run_init_t) seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t) seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t) miscfiles_read_localization(run_init_t)
@ -476,11 +465,11 @@ logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t) miscfiles_read_localization(semanage_t)
seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t) seutil_manage_file_contexts(semanage_t)
seutil_manage_selinux_config(semanage_t) seutil_manage_selinux_config(semanage_t)
seutil_domtrans_setfiles(semanage_t) seutil_domtrans_setfiles(semanage_t)
seutil_domtrans_loadpolicy(semanage_t) seutil_domtrans_loadpolicy(semanage_t)
seutil_read_config(semanage_t)
seutil_manage_bin_policy(semanage_t) seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t) seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t) seutil_manage_module_store(semanage_t)
@ -517,9 +506,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner };
dontaudit setfiles_t self:capability sys_tty_config; dontaudit setfiles_t self:capability sys_tty_config;
allow setfiles_t self:fifo_file rw_file_perms; allow setfiles_t self:fifo_file rw_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
kernel_read_system_state(setfiles_t) kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t)
@ -545,7 +534,6 @@ mls_file_write_all_levels(setfiles_t)
mls_file_upgrade(setfiles_t) mls_file_upgrade(setfiles_t)
mls_file_downgrade(setfiles_t) mls_file_downgrade(setfiles_t)
selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t) selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t) selinux_compute_access_vector(setfiles_t)
selinux_compute_create_context(setfiles_t) selinux_compute_create_context(setfiles_t)
@ -579,6 +567,8 @@ logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
seutil_libselinux_linked(setfiles_t)
userdom_use_all_users_fds(setfiles_t) userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory # for config files in a home directory
userdom_read_all_users_home_content_files(setfiles_t) userdom_read_all_users_home_content_files(setfiles_t)