From fd89e19f125ea6b3e17ad293ec13b4d06222987e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 30 Jun 2005 18:54:08 +0000
Subject: [PATCH] more work on current modules
---
refpolicy/policy/modules/admin/consoletype.te | 20 +-
refpolicy/policy/modules/admin/logrotate.te | 2 -
refpolicy/policy/modules/admin/netutils.te | 6 +-
.../policy/modules/kernel/corenetwork.te.in | 5 +
refpolicy/policy/modules/kernel/devices.if | 181 +++++++++++++++++-
refpolicy/policy/modules/kernel/devices.te | 7 +-
refpolicy/policy/modules/kernel/filesystem.te | 11 +-
refpolicy/policy/modules/kernel/storage.te | 5 +
refpolicy/policy/modules/kernel/terminal.te | 4 +
refpolicy/policy/modules/services/cron.if | 18 ++
refpolicy/policy/modules/system/authlogin.te | 4 +-
.../policy/modules/system/corecommands.te | 5 +
refpolicy/policy/modules/system/domain.te | 5 +
refpolicy/policy/modules/system/files.if | 17 ++
refpolicy/policy/modules/system/files.te | 5 +
refpolicy/policy/modules/system/fstools.te | 4 +
refpolicy/policy/modules/system/init.te | 2 +-
refpolicy/policy/modules/system/locallogin.if | 40 ++--
refpolicy/policy/modules/system/locallogin.te | 24 +--
refpolicy/policy/modules/system/logging.te | 7 +-
refpolicy/policy/modules/system/miscfiles.te | 5 +
refpolicy/policy/modules/system/modutils.te | 27 ++-
.../policy/modules/system/selinuxutil.te | 2 +-
refpolicy/policy/modules/system/sysnetwork.te | 30 +--
refpolicy/policy/modules/system/udev.te | 11 +-
refpolicy/policy/modules/system/userdomain.if | 105 +++++++++-
26 files changed, 460 insertions(+), 92 deletions(-)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 55003bc8..fad69bb3 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -51,6 +51,10 @@ files_dontaudit_read_root_file(consoletype_t) libs_use_ld_so(consoletype_t) libs_use_shared_libs(consoletype_t) +userdom_use_sysadm_terms(consoletype_t) +userdom_use_sysadm_fd(consoletype_t) +userdom_rw_sysadm_pipe(consoletype_t) + ifdef(`distro_redhat', ` fs_use_tmpfs_chr_dev(consoletype_t) ') @@ -59,6 +63,10 @@ optional_policy(`authlogin.te', ` auth_read_pam_pid(consoletype_t) ') +optional_policy(`cron.te',` + cron_read_pipe(consoletype_t) +') + optional_policy(`logrotate.te',` logrotate_dontaudit_use_fd(consoletype_t) ') @@ -77,21 +85,19 @@ optional_policy(`userdomain.te',` ') ifdef(`TODO',` - -allow consoletype_t sysadm_t:fd use; -allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms; -allow consoletype_t sysadm_t:fifo_file rw_file_perms; - allow consoletype_t nfs_t:file write; -allow consoletype_t crond_t:fifo_file r_file_perms; allow consoletype_t system_crond_t:fd use; optional_policy(`xdm.te', ` -domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) allow consoletype_t xdm_tmp_t:file rw_file_perms; ') +# is goes to xserver module +optional_policy(`consoletype.te',` + consoletype_domtrans(xdm_t) +') + optional_policy(`lpd.te', ` allow consoletype_t printconf_t:file r_file_perms; ') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 13cb5476..d2fbe05c 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -150,8 +150,6 @@ allow squid_t self:capability kill; # for /var/lib/logrotate.status and /var/lib/logcheck file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file) -allow crond_t logrotate_var_lib_t:dir search; - # for /var/backups on Debian ifdef(`backup.te', ` rw_dir_create_file(logrotate_t, backup_store_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 9b858f61..a0d80e3c 100644 
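Review bot: The new staging block in the third consoletype.te hunk is guarded on the module it lives in rather than on the module that owns the type it references: the optional_policy test is now on consoletype.te and wraps `consoletype_domtrans(xdm_t)`, where the removed code tested xdm.te. The same pattern is added in locallogin.te around `locallogin_signull(xdm_t)` and in sysnetwork.te around the `sysnet_*_dhcpc(cardmgr_t)` calls, which used to sit under an ifdef on cardmgr.te. This one is inside the TODO ifdef, but whether the other two are compiled is not visible in their hunks; if they are, a build without the xdm or cardmgr policy would presumably reference an undeclared type. Until the blocks move to their target modules, keeping the original guards (xdm.te, cardmgr.te) would be safer. The added comment `# is goes to xserver module` presumably should read `# this goes to xserver module`.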
--- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -135,13 +135,17 @@ optional_policy(`sysnetwork.te',` ') ') + + ifdef(`TODO',` in_user_role(ping_t) tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') ') - +ifdef(`cardmgr.te',` + allow ping_t cardmgr_t:fd use; +') ') dnl end TODO ######################################## diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 250bd019..d4f0251e 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -1,6 +1,11 @@ policy_module(corenetwork,1.0) +######################################## +# +# Declarations +# + attribute netif_type; attribute node_type; attribute port_type; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index eccb027c..1b6de8e1 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
@@ -646,6 +646,80 @@ interface(`dev_manage_all_chr_files',` typeattribute $1 memory_raw_read, memory_raw_write; ') +######################################## +## +## Get the attributes of the apm bios device node. +## +## +## Domain allowed access. +## +# +interface(`dev_getattr_apm_bios',` + gen_require(` + type device_t, apm_bios_t; + class dir r_dir_perms; + class chr_file getattr; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 apm_bios_t:chr_file getattr; +') + +######################################## +## +## Do not audit attempts to get the attributes of +## the apm bios device node. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_getattr_apm_bios',` + gen_require(` + type apm_bios_t; + class chr_file getattr; + ') + + dontaudit $1 apm_bios_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of the apm bios device node. +## +## +## Domain allowed access. +## +# +interface(`dev_setattr_apm_bios',` + gen_require(` + type device_t, apm_bios_t; + class dir r_dir_perms; + class chr_file setattr; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 apm_bios_t:chr_file setattr; +') + +######################################## +## +## Do not audit attempts to set the attributes of +## the apm bios device node. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_setattr_apm_bios',` + gen_require(` + type apm_bios_t; + class chr_file setattr; + ') + + dontaudit $1 apm_bios_t:chr_file setattr; +') + ######################################## ## ## Read and write the apm bios. @@ -1163,7 +1237,7 @@ interface(`dev_write_mtrr',` ######################################## ## -## Get the attributes of the framebuffer device. +## Get the attributes of the framebuffer device node. ## ## ## Domain allowed access. 
@@ -1171,7 +1245,7 @@ interface(`dev_write_mtrr',` # interface(`dev_getattr_framebuffer',` gen_require(` - type framebuf_device_t; + type device_t, framebuf_device_t; class dir r_dir_perms; class chr_file getattr; ') @@ -1182,7 +1256,7 @@ interface(`dev_getattr_framebuffer',` ######################################## ## -## Set the attributes of the framebuffer device. +## Set the attributes of the framebuffer device node. ## ## ## Domain allowed access. @@ -1190,9 +1264,9 @@ interface(`dev_getattr_framebuffer',` # interface(`dev_setattr_framebuffer',` gen_require(` - type framebuf_device_t; + type device_t, framebuf_device_t; class dir r_dir_perms; - class chr_file getattr; + class chr_file setattr; ') allow $1 device_t:dir r_dir_perms; @@ -1201,7 +1275,25 @@ interface(`dev_setattr_framebuffer',` ######################################## ## -## Read the framebuffer device. +## Dot not audit attempts to set the attributes +## of the framebuffer device node. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_setattr_framebuffer',` + gen_require(` + type framebuf_device_t; + class chr_file setattr; + ') + + dontaudit $1 framebuf_device_t:chr_file setattr; +') + +######################################## +## +## Read the framebuffer. ## ## ## Domain allowed access. @@ -1220,7 +1312,24 @@ interface(`dev_read_framebuffer',` ######################################## ## -## Write the framebuffer device. +## Do not audit attempts to read the framebuffer. +## +## +## Domain allowed access. +## +# +interface(`dev_dontaudit_read_framebuffer',` + gen_require(` + type framebuf_device_t; + class chr_file r_file_perms; + ') + + dontaudit $1 framebuf_device_t:chr_file { getattr read }; +') + +######################################## +## +## Write the framebuffer. ## ## ## Domain allowed access. 
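Review bot: In the last devices.if hunk on this line, the new `dev_dontaudit_read_framebuffer` documents its parameter as "Domain allowed access." although the interface only suppresses audit records; it should read `## Domain to not audit.` like the other dontaudit interfaces added in this commit. Its gen_require also declares `class chr_file r_file_perms;` while the rule uses `{ getattr read }`, so the declared and used permissions should be made to agree. In the preceding hunk, the summary of `dev_dontaudit_setattr_framebuffer` has the typo "Dot not audit".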
@@ -1763,6 +1872,23 @@ interface(`dev_rw_sysfs',` allow $1 sysfs_t:file rw_file_perms; ') +######################################## +## +## Mount a usbfs filesystem. +## +## +## The type of the process performing this action. +## +# +interface(`dev_mount_usbfs',` + gen_require(` + type usbfs_t; + class filesystem mount; + ') + + allow $1 usbfs_t:filesystem mount; +') + ######################################## ## ## Search the directory containing USB hardware information. @@ -1848,7 +1974,7 @@ interface(`dev_rw_usbfs',` ## Get the attributes of video4linux devices. ## ## -## The process type modifying the options. +## Domain allowed access. ## # interface(`dev_getattr_video_dev',` @@ -1864,10 +1990,28 @@ interface(`dev_getattr_video_dev',` ######################################## ## -## Set the attributes of video4linux devices. +## Do not audit attempts to get the attributes +## of video4linux device nodes. ## ## -## The process type modifying the options. +## Domain to not audit. +## +# +interface(`dev_dontaudit_getattr_video_dev',` + gen_require(` + type v4l_device_t; + class chr_file getattr; + ') + + dontaudit $1 v4l_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of video4linux device nodes. +## +## +## Domain allowed access. ## # interface(`dev_setattr_video_dev',` @@ -1881,3 +2025,20 @@ interface(`dev_setattr_video_dev',` allow $1 v4l_device_t:chr_file setattr; ') +######################################## +## +## Do not audit attempts to set the attributes +## of video4linux device nodes. +## +## +## Domain to not audit. +## +# +interface(`dev_dontaudit_setattr_video_dev',` + gen_require(` + type v4l_device_t; + class chr_file setattr; + ') + + dontaudit $1 v4l_device_t:chr_file setattr; +') diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 0e776ab1..0ba36972 100644 --- a/refpolicy/policy/modules/kernel/devices.te 
+++ b/refpolicy/policy/modules/kernel/devices.te @@ -1,6 +1,11 @@ policy_module(devices,1.0) +######################################## +# +# Declarations +# + attribute device_node; attribute memory_raw_read; attribute memory_raw_write; @@ -19,7 +24,7 @@ fs_associate_tmpfs(device_t) # a device node has no specific type yet, but is for some # reason labeled with a specific type #cjp: want this, but udev policy breaks this -#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto }; +#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto }; # # Type for /dev/agpgart diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index fa8fc1bf..37aa654f 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,10 +1,15 @@ policy_module(filesystem,1.0) +######################################## +# +# Declarations +# + attribute filesystem_type; attribute noxattrfs; -######################################## +############################## # # fs_t is the default type for persistent # filesystems with extended attributes @@ -27,7 +32,7 @@ fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0); fs_use_task pipefs context_template(system_u:object_r:fs_t,s0); fs_use_task sockfs context_template(system_u:object_r:fs_t,s0); -######################################## +############################## # # Non-persistent/pseudo filesystems # @@ -75,7 +80,7 @@ fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0); allow tmpfs_t self:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate; -######################################## +############################## # # Filesystems without extended attribute support # diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te index 4fc8b66b..d90dddb6 100644 
--- a/refpolicy/policy/modules/kernel/storage.te +++ b/refpolicy/policy/modules/kernel/storage.te @@ -1,6 +1,11 @@ policy_module(storage,1.0) +######################################## +# +# Declarations +# + attribute fixed_disk_raw_read; attribute fixed_disk_raw_write; attribute scsi_generic_read; diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index ce98f3db..53b52a21 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -1,6 +1,10 @@ policy_module(terminal,1.0) +######################################## +# +# Declarations +# attribute ttynode; attribute ptynode; attribute server_ptynode; diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index ade0f6d7..6a99aaa2 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -302,6 +302,24 @@ interface(`cron_system_entry',` allow $1 crond_t:process sigchld; ') +######################################## +## +## Read a cron daemon unnamed pipe +## +## +## The type of the process to performing this action. +## +# +interface(`cron_read_pipe',` + gen_require(` + type crond_t; + class file r_file_perms; + ') + + allow $1 crond_t:file r_file_perms; +') + + ######################################## ## ## Read and write the cron daemon log files. diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 2ecc4056..eb4461f4 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -142,6 +142,8 @@ kernel_read_system_state(pam_console_t) kernel_use_fd(pam_console_t) dev_read_sysfs(pam_console_t) +dev_getattr_apm_bios(pam_console_t) +dev_setattr_apm_bios(pam_console_t) dev_getattr_framebuffer(pam_console_t) dev_setattr_framebuffer(pam_console_t) dev_getattr_misc(pam_console_t) 
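Review bot: `cron_read_pipe` in cron.if is documented as reading a cron daemon unnamed pipe, but both its gen_require and its rule use class `file`: `allow $1 crond_t:file r_file_perms;`. The raw rule this commit retires from consoletype.te was `allow consoletype_t crond_t:fifo_file r_file_perms;`, so the interface as written does not grant the pipe access and instead allows reading `file` objects labeled `crond_t`. The two lines should be `class fifo_file r_file_perms;` and `allow $1 crond_t:fifo_file r_file_perms;`. The parameter text "The type of the process to performing this action." also has a stray "to".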
@@ -216,8 +218,6 @@ optional_policy(`rhgb.te', ` rhgb_domain(pam_console_t) ') -allow pam_console_t apm_bios_t:chr_file { getattr setattr }; - ifdef(`gpm.te', ` allow pam_console_t gpmctl_t:sock_file { getattr setattr }; ') diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 712367ff..7ee474b9 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -1,6 +1,11 @@ policy_module(corecommands,1.0) +######################################## +# +# Declarations +# + # # bin_t is the type of files in the system bin directories. # diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te index be824fb6..cd9b41ec 100644 --- a/refpolicy/policy/modules/system/domain.te +++ b/refpolicy/policy/modules/system/domain.te @@ -1,6 +1,11 @@ policy_module(domain,1.0) +######################################## +# +# Declarations +# + # Mark process types as domains attribute domain; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 264d7eec..0ebd3ff4 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -745,6 +745,23 @@ interface(`files_manage_isid_type_chr_node',` allow $1 file_t:chr_file create_file_perms; ') +######################################## +## +## Search home directories. +## +## +## The type of the process performing this action. +## +# +interface(`files_search_home',` + gen_require(` + type home_root_t; + class dir search; + ') + + allow $1 home_root_t:dir search; +') + ######################################## ## ## Get listing of home directories. diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index 3f2c476c..519e1085 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te 
@@ -1,6 +1,11 @@ policy_module(files,1.0) +######################################## +# +# Declarations +# + attribute file_type; attribute lockfile; attribute mountpoint; diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 643195cc..e8729a8f 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -5,6 +5,7 @@ policy_module(fstools,1.0) # # Declarations # + type fsadm_t; type fsadm_exec_t; init_system_domain(fsadm_t,fsadm_exec_t) @@ -17,6 +18,9 @@ type swapfile_t; files_type(swapfile_t) ######################################## +# +# local policy +# # ipc_lock is for losetup allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index ad80edb9..ab32337a 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -291,7 +291,7 @@ sysnet_read_config(initrc_t) udev_rw_db(initrc_t) -userdom_read_all_user_data(initrc_t) +userdom_read_all_user_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index 07dc7670..15991ef3 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -1,12 +1,12 @@ ## Policy for local logins. ######################################## -## -## Execute local logins in the locallogin domain. -## -## -## The type of the process performing this action. -## +## +## Execute local logins in the local login domain. +## +## +## The type of the process performing this action. +## # interface(`locallogin_domtrans',` gen_require(` 
@@ -17,12 +17,12 @@ interface(`locallogin_domtrans',` ') ######################################## -## -## Allow processes to inherit local login file descriptors -## -## -## The type of the process performing this action. -## +## +## Allow processes to inherit local login file descriptors +## +## +## The type of the process performing this action. +## # interface(`locallogin_use_fd',` gen_require(` @@ -33,3 +33,19 @@ interface(`locallogin_use_fd',` allow $1 local_login_t:fd use; ') +######################################## +## +## Send a null signal to local login processes. +## +## +## Domain allowed access. +## +# +interface(`locallogin_signull',` + gen_require(` + type local_login_t; + class process signull; + ') + + allow $1 local_login_t:process signull; +') diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index b125b21e..c1cd442f 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -56,10 +56,14 @@ kernel_read_kernel_sysctl(local_login_t) dev_setattr_mouse(local_login_t) dev_getattr_mouse(local_login_t) -dev_getattr_snd_dev(local_login_t) -dev_setattr_snd_dev(local_login_t) dev_getattr_power_management(local_login_t) dev_setattr_power_management(local_login_t) +dev_getattr_snd_dev(local_login_t) +dev_setattr_snd_dev(local_login_t) +dev_dontaudit_getattr_apm_bios(local_login_t) +dev_dontaudit_setattr_apm_bios(local_login_t) +dev_dontaudit_read_framebuffer(local_login_t) +dev_dontaudit_setattr_framebuffer(local_login_t) dev_dontaudit_getattr_generic_blk_file(local_login_t) dev_dontaudit_setattr_generic_blk_file(local_login_t) dev_dontaudit_getattr_generic_chr_file(local_login_t) 
@@ -69,6 +73,8 @@ dev_dontaudit_setattr_misc(local_login_t) dev_dontaudit_getattr_scanner(local_login_t) dev_dontaudit_setattr_scanner(local_login_t) dev_dontaudit_search_sysfs(local_login_t) +dev_dontaudit_getattr_video_dev(local_login_t) +dev_dontaudit_setattr_video_dev(local_login_t) # for SSP/ProPolice dev_read_urand(local_login_t) @@ -175,16 +181,12 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms; # for when /var/mail is a sym-link allow local_login_t var_t:lnk_file read; -# Do not audit denied attempts to access devices. dontaudit local_login_t device_t:lnk_file { getattr setattr }; -dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; -dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; - -# FIXME: what is this for? -optional_policy(`xdm.te', ` - allow xdm_t local_login_t:process signull; +# this goes to xserver: +optional_policy(`locallogin.te',` + # FIXME: what is this for? + locallogin_signull(xdm_t) ') ifdef(`targeted_policy',` @@ -237,6 +239,7 @@ auth_read_shadow(sulogin_t) userdom_shell_domtrans_sysadm(sulogin_t) userdom_use_unpriv_users_fd(sulogin_t) +userdom_use_sysadm_pty(sulogin_t) # suse and debian do not use pam with sulogin... ifdef(`monolithic_policy',` @@ -262,6 +265,5 @@ optional_policy(`nis.te',` ') ifdef(`TODO',` -allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index f9b3922c..14eac6d2 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te 
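Review bot: The conversion of the raw dontaudit rules in locallogin.te is not one-for-one for video4linux devices: the removed rule was `dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };`, while the added `dev_dontaudit_getattr_video_dev` and `dev_dontaudit_setattr_video_dev` calls cover only `getattr` and `setattr`. Read denials on `v4l_device_t` from `local_login_t` will therefore start to be audited. Nothing is granted by this, only logging changes, but if it is intended a comment such as `# read of v4l devices is intentionally audited` would record it; otherwise a read dontaudit interface is needed next to the two added in devices.if.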
@@ -82,6 +82,10 @@ libs_use_shared_libs(auditd_t) miscfiles_read_localization(auditd_t) userdom_dontaudit_use_unpriv_user_fd(auditd_t) +# cjp: this is questionable. it should probably +# be a userdom_dontaudit_use_sysadm_terms(auditd_t) +# in a direct_sysadm_daemon tunable +userdom_use_sysadm_tty(auditd_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(auditd_t) @@ -106,9 +110,6 @@ rhgb_domain(auditd_t) ') dontaudit auditd_t sysadm_home_dir_t:dir search; - -# cjp: this is questionable: -allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms; ') dnl endif TODO ######################################## diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 6a4d3dd7..cfcc67c3 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -1,6 +1,11 @@ policy_module(miscfiles,1.0) +######################################## +# +# Declarations +# + # # catman_t is the type for /var/catman. # diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 7ac91ac7..e149b7f9 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -68,6 +68,9 @@ dev_rw_agp_dev(insmod_t) dev_read_snd_dev(insmod_t) dev_write_snd_dev(insmod_t) dev_rw_apm_bios(insmod_t) +# cjp: why is this needed? insmod cannot mounton any dir +# and it also transitions to mount +dev_mount_usbfs(insmod_t) fs_getattr_xattr_fs(insmod_t) @@ -104,17 +107,10 @@ optional_policy(`mount.te',` mount_domtrans(insmod_t) ') -ifdef(`TODO',` - -ifdef(`xserver.te', ` - allow insmod_t xserver_log_t:file getattr; +optional_policy(`xserver.te',` + xserver_getattr_log(insmod_t) ') -# why is this needed? insmod cannot mounton any dir -# and it also transitions to mount -allow insmod_t usbfs_t:filesystem mount; -') dnl if TODO - ######################################## # # depmod local policy 
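Review bot: `userdom_use_sysadm_tty(auditd_t)` in logging.te is now granted unconditionally, while the comment added directly above it calls it questionable and says it should probably be `userdom_dontaudit_use_sysadm_terms(auditd_t)` in a `direct_sysadm_daemon` tunable. The raw rule it replaces sat before the `dnl endif TODO` line in the next hunk, so the audit daemon now gets read/write on sysadm TTYs, plus the directory listing that the interface bundles in userdomain.if, with no switch to turn it off. Following the comment now, or at least marking the line `# TODO: move under a tunable`, would keep it from being mistaken for a settled grant. The same applies to `dev_mount_usbfs(insmod_t)` in the first modutils.te hunk, which carries the author's own "why is this needed?" question.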
@@ -153,13 +149,14 @@ files_read_usr_src_files(depmod_t) libs_use_ld_so(depmod_t) libs_use_shared_libs(depmod_t) -ifdef(`TODO',` - -ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') - # Read System.map from home directories. -allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; -r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) +files_list_home(depmod_t) +userdom_read_staff_home_files(depmod_t) +userdom_read_sysadm_home_files(depmod_t) + + +ifdef(`TODO',` +ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') ') dnl end ifdef TODO ################################# diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index bc042504..90c4e9d4 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -435,7 +435,7 @@ miscfiles_read_localization(setfiles_t) userdom_use_all_user_fd(setfiles_t) # for config files in a home directory -userdom_read_all_user_data(setfiles_t) +userdom_read_all_user_files(setfiles_t) # relabeling rules kernel_relabel_unlabeled(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 2ed834f2..73530de5 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -120,6 +120,7 @@ domain_use_wide_inherit_fd(dhcpc_t) files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) +files_search_home(dhcpc_t) init_use_fd(dhcpc_t) init_use_script_pty(dhcpc_t) @@ -153,6 +154,11 @@ optional_policy(`hostname.te',` hostname_domtrans(dhcpc_t) ') +# for the dhcp client to run ping to check IP addresses +optional_policy(`netutils.te',` + netutils_domtrans_ping(dhcpc_t) +') + optional_policy(`nis.te',` nis_use_ypbind(dhcpc_t) # dhclient sometimes starts ypbind 
@@ -189,10 +195,18 @@ optional_policy(`rhgb.te',` rhgb_domain(dhcpc_t) ') -ifdef(`cardmgr.te', ` +ifdef(`cardmgr.te',` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) -allow cardmgr_t dhcpc_var_run_t:file { getattr read }; -allow cardmgr_t dhcpc_t:process signal_perms; +') + +#this goes to pcmcia module +optional_policy(`sysnetwork.te',` + sysnet_read_dhcpc_pid(cardmgr_t) + sysnet_kill_dhcpc(cardmgr_t) + sysnet_sigchld_dhcpc(cardmgr_t) + sysnet_signal_dhcpc(cardmgr_t) + sysnet_signull_dhcpc(cardmgr_t) + sysnet_sigstop_dhcpc(cardmgr_t) ') optional_policy(`hotplug.te', ` @@ -203,17 +217,7 @@ optional_policy(`hotplug.te', ` ') ') -# for the dhcp client to run ping to check IP addresses -optional_policy(`netutils.te',` - netutils_domtrans_ping(dhcpc_t) - - ifdef(`cardmgr.te',` - allow ping_t cardmgr_t:fd use; - ') -') - allow dhcpc_t var_lib_t:dir search; -allow dhcpc_t home_root_t:dir search; dontaudit dhcpc_t var_lock_t:dir search; dontaudit dhcpc_t selinux_config_t:dir search; dontaudit dhcpc_t domain:dir getattr; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 046d9f9b..6a07df38 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -118,6 +118,8 @@ seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) +userdom_use_sysadm_tty(udev_t) + ifdef(`distro_redhat',` fs_manage_tmpfs_symlinks(udev_t) fs_manage_tmpfs_sockets(udev_t) @@ -147,9 +149,12 @@ optional_policy(`sysnetwork.te',` sysnet_domtrans_dhcpc(udev_t) ') +optional_policy(`xserver.te',` + xserver_read_xdm_pid(udev_t) +') + ifdef(`TODO',` allow udev_t devpts_t:dir { getattr search }; -allow udev_t sysadm_tty_device_t:chr_file { read write }; # Dontaudits dontaudit udev_t staff_home_dir_t:dir search; 
@@ -159,8 +164,4 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; dbusd_client(system, udev) -optional_policy(`xdm.te',` -allow udev_t xdm_var_run_t:file { getattr read }; -') - ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 95e6300b..655b608a 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -907,6 +907,27 @@ interface(`userdom_shell_domtrans_sysadm',` corecmd_domtrans_shell($1,sysadm_t) ') +######################################## +## +## Read files in the staff users home directory. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_read_staff_home_files',` + gen_require(` + type staff_home_dir_t, staff_home_t; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; + ') + + files_search_home($1) + allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms; + allow $1 staff_home_t:{ file lnk_file } r_file_perms; +') + ######################################## ## ## Read and write sysadm ttys. @@ -918,12 +939,31 @@ interface(`userdom_shell_domtrans_sysadm',` interface(`userdom_use_sysadm_tty',` gen_require(` type sysadm_tty_device_t; - class chr_file { getattr read write ioctl }; + class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) term_list_ptys($1) - allow $1 sysadm_tty_device_t:chr_file { getattr read write ioctl }; + allow $1 sysadm_tty_device_t:chr_file rw_term_perms; +') + +######################################## +## +## Read and write sysadm ptys. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_use_sysadm_pty',` + gen_require(` + type sysadm_devpts_t; + class chr_file rw_term_perms; + ') + + dev_list_all_dev_nodes($1) + term_list_ptys($1) + allow $1 sysadm_devpts_t:chr_file rw_term_perms; ') ######################################## 
@@ -937,12 +977,12 @@ interface(`userdom_use_sysadm_tty',` interface(`userdom_use_sysadm_terms',` gen_require(` attribute admin_terminal; - class chr_file { getattr read write ioctl }; + class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) term_list_ptys($1) - allow $1 admin_terminal:chr_file { getattr read write ioctl }; + allow $1 admin_terminal:chr_file rw_term_perms; ') ######################################## @@ -962,6 +1002,61 @@ interface(`userdom_dontaudit_use_sysadm_terms',` dontaudit $1 admin_terminal:chr_file { read write }; ') +######################################## +## +## Inherit and use sysadm file descriptors +## +## +## The type of the process performing this action. +## +# +interface(`userdom_use_sysadm_fd',` + gen_require(` + type sysadm_t; + class fd use; + ') + + allow $1 sysadm_t:fd use; +') + +######################################## +## +## Read and write sysadm user unnamed pipes. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_rw_sysadm_pipe',` + gen_require(` + type sysadm_t; + class fd use; + ') + + allow $1 sysadm_t:fd use; +') + +######################################## +## +## Read files in the sysadm users home directory. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_read_sysadm_home_files',` + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; + ') + + files_search_home($1) + allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms; + allow $1 sysadm_home_t:{ file lnk_file } r_file_perms; +') + ######################################## ## ## Search all users home directories. @@ -988,7 +1083,7 @@ interface(`userdom_search_all_users_home',` ## The type of the process performing this action. ## # -interface(`userdom_read_all_user_data',` +interface(`userdom_read_all_user_files',` gen_require(` attribute home_type; class dir r_dir_perms;
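Review bot: `userdom_rw_sysadm_pipe`, added in the second userdomain.if hunk on this line, has the same body as `userdom_use_sysadm_fd` just above it: it requires `class fd use;` and emits `allow $1 sysadm_t:fd use;`, so it grants no pipe access despite the summary "Read and write sysadm user unnamed pipes." The raw rule it is meant to replace, removed from consoletype.te in this commit, was `allow consoletype_t sysadm_t:fifo_file rw_file_perms;`. The interface should use `class fifo_file rw_file_perms;` and `allow $1 sysadm_t:fifo_file rw_file_perms;`; as written, callers such as consoletype.te only receive a duplicate fd grant.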