selinux-policy/policy/modules/system/userdomain.te
Chris PeBenito 00219064d7 This patch adds a GConf policy to refpolicy.
This policy is much tighter than the GConf policy from the old example
policy.  It only allows gconfd to access configuration data stored by
GConf.  Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd.  GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway.  Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.

There is also a difference between this policy and the old example
policy in handling directories in /tmp.  The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t.  This policy uses the
files_tmp-filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t.  It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label.  By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.

This patch is related to work that I am doing in making gconfd a
userspace object manager.  If any user program can modify the
configuration data that GConf stores, then making gconfd a userspace
object manager would be useless.

Signed-off-by:  James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00


policy_module(userdomain,1.3.36)

# Roles referenced by this module but declared elsewhere in the policy.
# The security-administrator and audit-administrator roles only exist in
# MLS builds, so they are required conditionally.
gen_require(`
role sysadm_r, staff_r, user_r;

ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
')
')
########################################
#
# Declarations
#

# admin users terminals (tty and pty); passed as the terminal argument to
# most of the *_run() tool transitions granted to sysadm_t below
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files).  Any domain given this attribute can
# read and write the contents of every user's home directory.
attribute privhome;

# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;

# all unprivileged users ptys
attribute user_ptynode;

# all unprivileged users tmp files
attribute user_tmpfile;

# all unprivileged users ttys
attribute user_ttynode;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# NOTE(review): not documented here; by name these appear to label
# content (and its tmp files) that originated from untrusted sources --
# confirm against the templates in userdomain.if that assign them.
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
########################################
#
# Local policy
#
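ifdef(`strict_policy',`
	# Base user domains: sysadm is built from the admin template, staff and
	# user from the unprivileged one.
	userdom_admin_user_template(sysadm)
	userdom_unpriv_user_template(staff)
	userdom_unpriv_user_template(user)

	# user role change rules:
	# sysadm_r can change to user roles
	userdom_role_change_template(sysadm, user)
	userdom_role_change_template(sysadm, staff)

	# only staff_r can change to sysadm_r
	userdom_role_change_template(staff, sysadm)

	ifdef(`enable_mls',`
		# MLS splits security and audit administration out of sysadm into
		# their own roles.  The role change rules below form the full graph
		# between staff, sysadm, auditadm and secadm; user_r is not given a
		# direct path to secadm_r or auditadm_r.
		userdom_unpriv_user_template(secadm)
		userdom_unpriv_user_template(auditadm)

		userdom_role_change_template(staff,auditadm)
		userdom_role_change_template(staff,secadm)
		userdom_role_change_template(sysadm,secadm)
		userdom_role_change_template(sysadm,auditadm)
		userdom_role_change_template(auditadm,secadm)
		userdom_role_change_template(auditadm,sysadm)
		userdom_role_change_template(secadm,auditadm)
		userdom_role_change_template(secadm,sysadm)
	')

	# this should be tunable_policy, but
	# currently type_change and RBAC allow
	# do not work in conditionals
	ifdef(`user_canbe_sysadm',`
		userdom_role_change_template(user,sysadm)
	')

	########################################
	#
	# Sysadm local policy
	#

	# for su
	allow sysadm_t userdomain:fd use;

	# Add/remove user home directories
	allow sysadm_t user_home_dir_t:dir create_dir_perms;
	files_home_filetrans(sysadm_t,user_home_dir_t,dir)

	corecmd_exec_shell(sysadm_t)

	mls_process_read_up(sysadm_t)

	init_exec(sysadm_t)

	# Following for sending reboot and wall messages
	userdom_use_unpriv_users_ptys(sysadm_t)
	userdom_use_unpriv_users_ttys(sysadm_t)

	ifdef(`direct_sysadm_daemon',`
		optional_policy(`
			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
		')
	',`
		ifdef(`distro_gentoo',`
			optional_policy(`
				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
			')
		')
	')

	ifdef(`enable_mls',`
		# auditadm: manages the audit log and audit configuration and runs
		# auditctl/auditd; tool transitions are given auditadm's own tty and
		# pty types as their terminal.
		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		domain_kill_all_domains(auditadm_t)
		seutil_read_bin_policy(auditadm_t)
		corecmd_exec_shell(auditadm_t)
		logging_send_syslog_msg(auditadm_t)
		logging_read_generic_logs(auditadm_t)
		logging_manage_audit_log(auditadm_t)
		logging_manage_audit_config(auditadm_t)
		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)

		# secadm: MLS upgrade/downgrade and relabeling of all files,
		# including shadow.  dac_override is presumably granted so that DAC
		# permission bits cannot block those relabel operations -- it is a
		# broad capability, so keep it paired with these rules only.
		allow secadm_t self:capability dac_override;
		corecmd_exec_shell(secadm_t)
		domain_obj_id_change_exemption(secadm_t)
		mls_process_read_up(secadm_t)
		mls_file_read_up(secadm_t)
		mls_file_write_down(secadm_t)
		mls_file_upgrade(secadm_t)
		mls_file_downgrade(secadm_t)
		auth_relabel_all_files_except_shadow(secadm_t)
		auth_relabel_shadow(secadm_t)
		init_exec(secadm_t)
		logging_read_audit_log(secadm_t)
		logging_read_generic_logs(secadm_t)
		userdom_dontaudit_append_staff_home_content_files(secadm_t)
		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
	',`
		# Without MLS, sysadm holds the audit management rights itself.
		logging_manage_audit_log(sysadm_t)
		logging_manage_audit_config(sysadm_t)
		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
	')

	tunable_policy(`allow_ptrace',`
		# When this boolean is on, sysadm_t can attach a debugger to every
		# domain on the system (including confined daemons); leave it off
		# unless debugging is actually needed.
		domain_ptrace_all_domains(sysadm_t)
	')

	optional_policy(`
		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
		#apache_run_all_scripts(sysadm_t,sysadm_r)
		#apache_domtrans_sys_script(sysadm_t)
	')

	optional_policy(`
		# cjp: why is this not apm_run_client
		apm_domtrans_client(sysadm_t)
	')

	optional_policy(`
		apt_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		backup_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clock_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# NOTE(review): the spelling "certwatach" must match the interface
		# name declared in certwatch.if; check there before renaming it.
		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		cvs_exec(sysadm_t)
	')

	optional_policy(`
		consoletype_exec(sysadm_t)

		ifdef(`enable_mls',`
			consoletype_exec(secadm_t)
			consoletype_exec(auditadm_t)
		')
	')

	optional_policy(`
		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dmesg_exec(sysadm_t)

		ifdef(`enable_mls',`
			dmesg_exec(secadm_t)
			dmesg_exec(auditadm_t)
		')
	')

	optional_policy(`
		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# firstboot is only given the tty type, not admin_terminal
		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
	')

	optional_policy(`
		fstools_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		hostname_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# allow system administrator to use the ipsec script to look
		# at things (e.g., ipsec auto --status)
		# probably should create an ipsec_admin role for this kind of thing
		ipsec_exec_mgmt(sysadm_t)
		ipsec_stream_connect(sysadm_t)
		# for lsof
		ipsec_getattr_key_sockets(sysadm_t)
	')

	optional_policy(`
		iptables_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lvm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mount_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mysql_stream_connect(sysadm_t)
	')

	optional_policy(`
		netutils_run(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpc_domtrans_nfsd(sysadm_t)
	')

	optional_policy(`
		munin_stream_connect(sysadm_t)
	')

	optional_policy(`
		ntp_stub()
		corenet_udp_bind_ntp_port(sysadm_t)
	')

	optional_policy(`
		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portage_run(sysadm_t,sysadm_r,admin_terminal)
		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		quota_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rsync_exec(sysadm_t)
	')

	optional_policy(`
		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)

		ifdef(`enable_mls',`
			# Under MLS the policy-management rights (enforcing mode,
			# booleans, policy loading and labeling tools) belong to secadm
			# rather than sysadm.  The tool transitions use secadm's own tty
			# and pty types, matching the auditadm rules above; the earlier
			# sysadm_devpts_t here did not cover secadm's own pty type.
			selinux_set_enforce_mode(secadm_t)
			selinux_set_boolean(secadm_t)
			selinux_set_parameters(secadm_t)
			seutil_manage_bin_policy(secadm_t)
			seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
			seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
			seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
			seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
			seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
			logging_send_syslog_msg(secadm_t)
		', `
			# Without MLS, sysadm can change enforcing mode, booleans and
			# the loaded policy directly.
			selinux_set_enforce_mode(sysadm_t)
			selinux_set_boolean(sysadm_t)
			selinux_set_parameters(sysadm_t)
			seutil_manage_bin_policy(sysadm_t)
			seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
		')
	')

	optional_policy(`
		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# When the unconfined module is loaded, sysadm_t can transition
		# into the unconfined domain, so sysadm_r is effectively unconfined
		# on such systems.
		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		vpn_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		yam_run(sysadm_t,sysadm_r,admin_terminal)
	')
')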
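ifdef(`targeted_policy',`
	# Define some type aliases to help with compatibility with
	# strict policy.  In targeted policy all three admin domains are
	# aliases of the unconfined domain.
	unconfined_alias_domain(secadm_t)
	unconfined_alias_domain(auditadm_t)
	unconfined_alias_domain(sysadm_t)

	# User home directory type.  The staff/sysadm home types of strict
	# policy collapse onto a single pair of types here.
	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
	files_type(user_home_t)
	files_associate_tmp(user_home_t)
	fs_associate_tmpfs(user_home_t)

	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
	files_type(user_home_dir_t)
	files_associate_tmp(user_home_dir_t)
	fs_associate_tmpfs(user_home_dir_t)

	# compatibility for switching from strict
	# dominance { role secadm_r { role system_r; }}
	# dominance { role auditadm_r { role system_r; }}
	# dominance { role sysadm_r { role system_r; }}
	# dominance { role user_r { role system_r; }}
	# dominance { role staff_r { role system_r; }}

	# dont need to use the full role_change()
	# Note that user_r -> sysadm_r is allowed unconditionally here, unlike
	# strict policy where it requires user_canbe_sysadm; the domains behind
	# both roles are unconfined in targeted policy anyway.
	# (The system_r -> sysadm_r rule was previously listed twice.)
	allow sysadm_r system_r;
	allow sysadm_r user_r;
	allow user_r system_r;
	allow user_r sysadm_r;
	allow system_r sysadm_r;

	# privhome domains get full access to user home content and create new
	# entries under home directories as user_home_t.
	allow privhome user_home_t:dir manage_dir_perms;
	allow privhome user_home_t:file create_file_perms;
	allow privhome user_home_t:lnk_file create_lnk_perms;
	allow privhome user_home_t:fifo_file create_file_perms;
	allow privhome user_home_t:sock_file create_file_perms;
	allow privhome user_home_dir_t:dir rw_dir_perms;
	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
	files_search_home(privhome)

	ifdef(`enable_mls',`
		allow secadm_r system_r;
		allow auditadm_r system_r;
		allow secadm_r user_r;
		allow staff_r secadm_r;
		allow staff_r auditadm_r;
	')

	optional_policy(`
		samba_per_role_template(user)
	')
')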