trunk: add support for labeled booleans.
This commit is contained in:
parent
c1262146e0
commit
f0435b1ac4
|
@ -1,3 +1,4 @@
|
||||||
|
- Add support for labeled Booleans.
|
||||||
- Remove node definitions and change node usage to generic nodes.
|
- Remove node definitions and change node usage to generic nodes.
|
||||||
- Add kernel_service access vectors, from Stephen Smalley.
|
- Add kernel_service access vectors, from Stephen Smalley.
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,44 @@
|
||||||
## Contains the policy for the kernel SELinux security interface.
|
## Contains the policy for the kernel SELinux security interface.
|
||||||
## </required>
|
## </required>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make the specified type used for labeling SELinux Booleans.
|
||||||
|
## This interface is only usable in the base module.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make the specified type used for labeling SELinux Booleans.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This makes use of genfscon statements, which are only
|
||||||
|
## available in the base module. Thus any module which calls this
|
||||||
|
## interface must be included in the base module.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="type">
|
||||||
|
## <summary>
|
||||||
|
## Type used for labeling a Boolean.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="boolean">
|
||||||
|
## <summary>
|
||||||
|
## Name of the Boolean.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`selinux_labeled_boolean',`
|
||||||
|
gen_require(`
|
||||||
|
attribute boolean_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 boolean_type;
|
||||||
|
|
||||||
|
# because of this statement, any module which
|
||||||
|
# calls this interface must be in the base module:
|
||||||
|
genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the mountpoint of the selinuxfs filesystem.
|
## Get the mountpoint of the selinuxfs filesystem.
|
||||||
|
@ -266,7 +304,7 @@ interface(`selinux_load_policy',`
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow caller to set the state of Booleans to
|
## Allow caller to set the state of Booleans to
|
||||||
## enable or disable conditional portions of the policy.
|
## enable or disable conditional portions of the policy. (Deprecated)
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
|
@ -277,6 +315,38 @@ interface(`selinux_load_policy',`
|
||||||
## Since this is a security event, this action is
|
## Since this is a security event, this action is
|
||||||
## always audited.
|
## always audited.
|
||||||
## </p>
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This interface has been deprecated. Please use
|
||||||
|
## selinux_set_generic_booleans() or selinux_set_all_booleans()
|
||||||
|
## instead.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The process type allowed to set the Boolean.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`selinux_set_boolean',`
|
||||||
|
refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
|
||||||
|
selinux_set_generic_booleans($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to set the state of generic Booleans to
|
||||||
|
## enable or disable conditional portions of the policy.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow caller to set the state of generic Booleans to
|
||||||
|
## enable or disable conditional portions of the policy.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Since this is a security event, this action is
|
||||||
|
## always audited.
|
||||||
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -285,7 +355,7 @@ interface(`selinux_load_policy',`
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
interface(`selinux_set_boolean',`
|
interface(`selinux_set_generic_booleans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type security_t;
|
type security_t;
|
||||||
bool secure_mode_policyload;
|
bool secure_mode_policyload;
|
||||||
|
@ -304,6 +374,48 @@ interface(`selinux_set_boolean',`
|
||||||
}
|
}
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow caller to set the state of all Booleans to
|
||||||
|
## enable or disable conditional portions of the policy.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow caller to set the state of all Booleans to
|
||||||
|
## enable or disable conditional portions of the policy.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Since this is a security event, this action is
|
||||||
|
## always audited.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The process type allowed to set the Boolean.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`selinux_set_all_booleans',`
|
||||||
|
gen_require(`
|
||||||
|
type security_t;
|
||||||
|
attribute boolean_type;
|
||||||
|
bool secure_mode_policyload;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 security_t:dir list_dir_perms;
|
||||||
|
allow $1 boolean_type:file rw_file_perms;
|
||||||
|
|
||||||
|
if(!secure_mode_policyload) {
|
||||||
|
allow $1 security_t:security setbool;
|
||||||
|
|
||||||
|
ifdef(`distro_rhel4',`
|
||||||
|
# needed for systems without audit support
|
||||||
|
auditallow $1 security_t:security setbool;
|
||||||
|
')
|
||||||
|
}
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow caller to set SELinux access vector cache parameters.
|
## Allow caller to set SELinux access vector cache parameters.
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
|
|
||||||
policy_module(selinux, 1.7.0)
|
policy_module(selinux, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
attribute boolean_type;
|
||||||
attribute can_load_policy;
|
attribute can_load_policy;
|
||||||
attribute can_setenforce;
|
attribute can_setenforce;
|
||||||
attribute can_setsecparam;
|
attribute can_setsecparam;
|
||||||
|
@ -16,7 +17,7 @@ attribute selinux_unconfined_type;
|
||||||
# the permissions in the security class. It is also
|
# the permissions in the security class. It is also
|
||||||
# applied to selinuxfs inodes.
|
# applied to selinuxfs inodes.
|
||||||
#
|
#
|
||||||
type security_t;
|
type security_t, boolean_type;
|
||||||
fs_type(security_t)
|
fs_type(security_t)
|
||||||
mls_trusted_object(security_t)
|
mls_trusted_object(security_t)
|
||||||
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
|
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
|
||||||
|
@ -35,11 +36,13 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
|
||||||
# use SELinuxfs
|
# use SELinuxfs
|
||||||
allow selinux_unconfined_type security_t:dir list_dir_perms;
|
allow selinux_unconfined_type security_t:dir list_dir_perms;
|
||||||
allow selinux_unconfined_type security_t:file rw_file_perms;
|
allow selinux_unconfined_type security_t:file rw_file_perms;
|
||||||
|
allow selinux_unconfined_type boolean_type:file read_file_perms;
|
||||||
|
|
||||||
# Access the security API.
|
# Access the security API.
|
||||||
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
|
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
|
||||||
|
|
||||||
if(!secure_mode_policyload) {
|
if(!secure_mode_policyload) {
|
||||||
|
allow selinux_unconfined_type boolean_type:file rw_file_perms;
|
||||||
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
||||||
|
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(init, 1.13.0)
|
policy_module(init, 1.13.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
@ -151,7 +151,7 @@ mls_file_write_all_levels(init_t)
|
||||||
mls_process_write_down(init_t)
|
mls_process_write_down(init_t)
|
||||||
mls_fd_use_all_levels(init_t)
|
mls_fd_use_all_levels(init_t)
|
||||||
|
|
||||||
selinux_set_boolean(init_t)
|
selinux_set_all_booleans(init_t)
|
||||||
|
|
||||||
term_use_all_terms(init_t)
|
term_use_all_terms(init_t)
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(selinuxutil, 1.12.0)
|
policy_module(selinuxutil, 1.12.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
bool secure_mode;
|
bool secure_mode;
|
||||||
|
@ -170,7 +170,7 @@ fs_getattr_xattr_fs(load_policy_t)
|
||||||
mls_file_read_all_levels(load_policy_t)
|
mls_file_read_all_levels(load_policy_t)
|
||||||
|
|
||||||
selinux_load_policy(load_policy_t)
|
selinux_load_policy(load_policy_t)
|
||||||
selinux_set_boolean(load_policy_t)
|
selinux_set_all_booleans(load_policy_t)
|
||||||
|
|
||||||
term_use_console(load_policy_t)
|
term_use_console(load_policy_t)
|
||||||
term_list_ptys(load_policy_t)
|
term_list_ptys(load_policy_t)
|
||||||
|
@ -453,7 +453,7 @@ selinux_validate_context(semanage_t)
|
||||||
selinux_get_enforce_mode(semanage_t)
|
selinux_get_enforce_mode(semanage_t)
|
||||||
selinux_getattr_fs(semanage_t)
|
selinux_getattr_fs(semanage_t)
|
||||||
# for setsebool:
|
# for setsebool:
|
||||||
selinux_set_boolean(semanage_t)
|
selinux_set_all_booleans(semanage_t)
|
||||||
|
|
||||||
term_use_all_terms(semanage_t)
|
term_use_all_terms(semanage_t)
|
||||||
|
|
||||||
|
|
|
@ -1231,7 +1231,7 @@ template(`userdom_security_admin_template',`
|
||||||
mls_file_downgrade($1)
|
mls_file_downgrade($1)
|
||||||
|
|
||||||
selinux_set_enforce_mode($1)
|
selinux_set_enforce_mode($1)
|
||||||
selinux_set_boolean($1)
|
selinux_set_all_booleans($1)
|
||||||
selinux_set_parameters($1)
|
selinux_set_parameters($1)
|
||||||
|
|
||||||
auth_relabel_all_files_except_shadow($1)
|
auth_relabel_all_files_except_shadow($1)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(userdomain, 4.1.2)
|
policy_module(userdomain, 4.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
Loading…
Reference in New Issue