1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
374 lines
11 KiB
Plaintext
374 lines
11 KiB
Plaintext
|
|
policy_module(kernel,1.6.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
# assertion related attributes
|
|
attribute can_load_kernmodule;
|
|
attribute can_receive_kernel_messages;
|
|
|
|
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
|
|
|
|
# domains with unconfined access to kernel resources
|
|
attribute kern_unconfined;
|
|
|
|
# regular entries in proc
|
|
attribute proc_type;
|
|
|
|
# sysctls
|
|
attribute sysctl_type;
|
|
|
|
role system_r;
|
|
role sysadm_r;
|
|
role staff_r;
|
|
role user_r;
|
|
|
|
ifdef(`enable_mls',`
|
|
role secadm_r;
|
|
role auditadm_r;
|
|
')
|
|
|
|
#
|
|
# kernel_t is the domain of kernel threads.
|
|
# It is also the target type when checking permissions in the system class.
|
|
#
|
|
type kernel_t, can_load_kernmodule;
|
|
domain_base_type(kernel_t)
|
|
mls_rangetrans_source(kernel_t)
|
|
role system_r types kernel_t;
|
|
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
|
|
|
#
|
|
# DebugFS
|
|
#
|
|
|
|
type debugfs_t;
|
|
fs_type(debugfs_t)
|
|
allow debugfs_t self:filesystem associate;
|
|
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
|
|
|
#
|
|
# kvmFS
|
|
#
|
|
|
|
type kvmfs_t;
|
|
fs_type(kvmfs_t)
|
|
genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
|
|
|
|
#
|
|
# Procfs types
|
|
#
|
|
|
|
type proc_t, proc_type;
|
|
files_mountpoint(proc_t)
|
|
fs_type(proc_t)
|
|
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
|
|
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
|
|
|
|
# kernel message interface
|
|
type proc_kmsg_t, proc_type;
|
|
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
|
|
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
|
|
|
|
# /proc kcore: inaccessible
|
|
type proc_kcore_t, proc_type;
|
|
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
|
|
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
|
|
|
type proc_mdstat_t, proc_type;
|
|
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
|
|
|
|
type proc_net_t, proc_type;
|
|
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
|
|
|
|
type proc_xen_t, proc_type;
|
|
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
|
|
|
|
#
|
|
# Sysctl types
|
|
#
|
|
|
|
# /proc/sys directory, base directory of sysctls
|
|
type sysctl_t, sysctl_type;
|
|
files_mountpoint(sysctl_t)
|
|
sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
|
|
genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
|
|
|
|
# /proc/irq directory and files
|
|
type sysctl_irq_t, sysctl_type;
|
|
genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
|
|
|
|
# /proc/net/rpc directory and files
|
|
type sysctl_rpc_t, sysctl_type;
|
|
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
|
|
|
|
# /proc/sys/fs directory and files
|
|
type sysctl_fs_t, sysctl_type;
|
|
files_mountpoint(sysctl_fs_t)
|
|
genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
|
|
|
|
# /proc/sys/kernel directory and files
|
|
type sysctl_kernel_t, sysctl_type;
|
|
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
|
|
|
|
# /proc/sys/kernel/modprobe file
|
|
type sysctl_modprobe_t, sysctl_type;
|
|
genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
|
|
|
|
# /proc/sys/kernel/hotplug file
|
|
type sysctl_hotplug_t, sysctl_type;
|
|
genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
|
|
|
|
# /proc/sys/net directory and files
|
|
type sysctl_net_t, sysctl_type;
|
|
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
|
|
|
|
# /proc/sys/net/unix directory and files
|
|
type sysctl_net_unix_t, sysctl_type;
|
|
genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
|
|
|
|
# /proc/sys/vm directory and files
|
|
type sysctl_vm_t, sysctl_type;
|
|
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
|
|
|
|
# /proc/sys/dev directory and files
|
|
type sysctl_dev_t, sysctl_type;
|
|
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
|
|
|
#
|
|
# unlabeled_t is the type of unlabeled objects.
|
|
# Objects that have no known labeling information or that
|
|
# have labels that are no longer valid are treated as having this type.
|
|
#
|
|
type unlabeled_t;
|
|
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
|
|
# These initial sids are no longer used, and can be removed:
|
|
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid init gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
|
|
sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
|
|
|
########################################
|
|
#
|
|
# kernel local policy
|
|
#
|
|
|
|
allow kernel_t self:capability *;
|
|
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow kernel_t self:shm create_shm_perms;
|
|
allow kernel_t self:sem create_sem_perms;
|
|
allow kernel_t self:msg { send receive };
|
|
allow kernel_t self:msgq create_msgq_perms;
|
|
allow kernel_t self:unix_dgram_socket create_socket_perms;
|
|
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow kernel_t self:unix_dgram_socket sendto;
|
|
allow kernel_t self:unix_stream_socket connectto;
|
|
allow kernel_t self:fifo_file rw_file_perms;
|
|
allow kernel_t self:sock_file r_file_perms;
|
|
allow kernel_t self:fd use;
|
|
|
|
allow kernel_t proc_t:dir r_dir_perms;
|
|
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
|
|
|
|
allow kernel_t proc_net_t:dir r_dir_perms;
|
|
allow kernel_t proc_net_t:file r_file_perms;
|
|
|
|
allow kernel_t proc_mdstat_t:file r_file_perms;
|
|
|
|
allow kernel_t proc_kcore_t:file getattr;
|
|
|
|
allow kernel_t proc_kmsg_t:file getattr;
|
|
|
|
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
|
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
|
allow kernel_t sysctl_t:dir r_dir_perms;
|
|
|
|
# Other possible mount points for the root fs are in files
|
|
allow kernel_t unlabeled_t:dir mounton;
|
|
# Kernel-generated traffic e.g., TCP resets on
|
|
# connections with invalidated labels:
|
|
allow kernel_t unlabeled_t:packet send;
|
|
|
|
corenet_all_recvfrom_unlabeled(kernel_t)
|
|
corenet_all_recvfrom_netlabel(kernel_t)
|
|
# Kernel-generated traffic e.g., ICMP replies:
|
|
corenet_raw_sendrecv_all_if(kernel_t)
|
|
corenet_raw_sendrecv_all_nodes(kernel_t)
|
|
corenet_raw_send_generic_if(kernel_t)
|
|
# Kernel-generated traffic e.g., TCP resets:
|
|
corenet_tcp_sendrecv_all_if(kernel_t)
|
|
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
|
corenet_raw_send_generic_node(kernel_t)
|
|
corenet_raw_send_multicast_node(kernel_t)
|
|
corenet_send_all_packets(kernel_t)
|
|
|
|
dev_read_sysfs(kernel_t)
|
|
dev_search_usbfs(kernel_t)
|
|
|
|
# Mount root file system. Used when loading a policy
|
|
# from initrd, then mounting the root filesystem
|
|
fs_mount_all_fs(kernel_t)
|
|
|
|
selinux_load_policy(kernel_t)
|
|
|
|
term_use_console(kernel_t)
|
|
|
|
corecmd_exec_shell(kernel_t)
|
|
corecmd_list_bin(kernel_t)
|
|
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
|
corecmd_exec_bin(kernel_t)
|
|
|
|
domain_signal_all_domains(kernel_t)
|
|
domain_search_all_domains_state(kernel_t)
|
|
|
|
files_list_root(kernel_t)
|
|
files_list_etc(kernel_t)
|
|
files_list_home(kernel_t)
|
|
files_read_usr_files(kernel_t)
|
|
|
|
mcs_process_set_categories(kernel_t)
|
|
|
|
mls_process_read_up(kernel_t)
|
|
mls_process_write_down(kernel_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# Bugzilla 222337
|
|
fs_rw_tmpfs_chr_files(kernel_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
unconfined_domain(kernel_t)
|
|
')
|
|
|
|
tunable_policy(`read_default_t',`
|
|
files_list_default(kernel_t)
|
|
files_read_default_files(kernel_t)
|
|
files_read_default_symlinks(kernel_t)
|
|
files_read_default_sockets(kernel_t)
|
|
files_read_default_pipes(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hotplug_search_config(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
init_sigchld(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
libs_use_ld_so(kernel_t)
|
|
libs_use_shared_libs(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
logging_send_syslog_msg(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(kernel_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
|
# to just give it everything.
|
|
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
|
allow kernel_t self:udp_socket create_socket_perms;
|
|
|
|
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
|
# to just give it everything.
|
|
corenet_udp_sendrecv_all_if(kernel_t)
|
|
corenet_udp_sendrecv_all_nodes(kernel_t)
|
|
corenet_udp_sendrecv_all_ports(kernel_t)
|
|
corenet_udp_bind_all_nodes(kernel_t)
|
|
corenet_sendrecv_portmap_client_packets(kernel_t)
|
|
corenet_sendrecv_generic_server_packets(kernel_t)
|
|
|
|
fs_getattr_xattr_fs(kernel_t)
|
|
|
|
auth_dontaudit_getattr_shadow(kernel_t)
|
|
|
|
sysnet_read_config(kernel_t)
|
|
|
|
rpc_manage_nfs_ro_content(kernel_t)
|
|
rpc_manage_nfs_rw_content(kernel_t)
|
|
rpc_udp_rw_nfs_sockets(kernel_t)
|
|
|
|
tunable_policy(`nfs_export_all_ro',`
|
|
fs_getattr_noxattr_fs(kernel_t)
|
|
fs_list_noxattr_fs(kernel_t)
|
|
fs_read_noxattr_fs_files(kernel_t)
|
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
|
|
|
auth_read_all_dirs_except_shadow(kernel_t)
|
|
auth_read_all_files_except_shadow(kernel_t)
|
|
auth_read_all_symlinks_except_shadow(kernel_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_rw',`
|
|
fs_getattr_noxattr_fs(kernel_t)
|
|
fs_list_noxattr_fs(kernel_t)
|
|
fs_read_noxattr_fs_files(kernel_t)
|
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
|
|
|
auth_manage_all_files_except_shadow(kernel_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_read_config(kernel_t)
|
|
seutil_read_bin_policy(kernel_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Unlabeled process local policy
|
|
#
|
|
|
|
ifdef(`targeted_policy',`
|
|
allow unlabeled_t self:filesystem associate;
|
|
')
|
|
|
|
optional_policy(`
|
|
# If you load a new policy that removes active domains, processes can
|
|
# get stuck if you do not allow unlabeled processes to signal init.
|
|
# If you load an incompatible policy, you should probably reboot,
|
|
# since you may have compromised system security.
|
|
init_sigchld(unlabeled_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Rules for unconfined acccess to this module
|
|
#
|
|
|
|
allow kern_unconfined proc_type:{ dir file lnk_file } *;
|
|
|
|
allow kern_unconfined sysctl_t:{ dir file } *;
|
|
|
|
allow kern_unconfined kernel_t:system *;
|
|
|
|
allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
|
allow kern_unconfined unlabeled_t:filesystem *;
|
|
allow kern_unconfined unlabeled_t:association *;
|
|
allow kern_unconfined unlabeled_t:packet *;
|
|
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
|
|
|
|
kernel_rw_all_sysctls(kern_unconfined)
|