1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
136 lines
3.7 KiB
Plaintext
136 lines
3.7 KiB
Plaintext
|
|
policy_module(portslave,1.2.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type portslave_t;
|
|
type portslave_exec_t;
|
|
init_domain(portslave_t,portslave_exec_t)
|
|
init_daemon_domain(portslave_t,portslave_exec_t)
|
|
|
|
type portslave_etc_t;
|
|
files_type(portslave_etc_t)
|
|
|
|
type portslave_lock_t;
|
|
files_lock_file(portslave_lock_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# setuid setgid net_admin fsetid for pppd
|
|
# sys_admin for ctlportslave
|
|
# net_bind_service for rlogin
|
|
allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
|
|
dontaudit portslave_t self:capability sys_admin;
|
|
allow portslave_t self:process signal_perms;
|
|
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow portslave_t self:fd use;
|
|
allow portslave_t self:fifo_file rw_fifo_file_perms;
|
|
allow portslave_t self:unix_dgram_socket create_socket_perms;
|
|
allow portslave_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow portslave_t self:unix_dgram_socket sendto;
|
|
allow portslave_t self:unix_stream_socket connectto;
|
|
allow portslave_t self:shm create_shm_perms;
|
|
allow portslave_t self:sem create_sem_perms;
|
|
allow portslave_t self:msgq create_msgq_perms;
|
|
allow portslave_t self:msg { send receive };
|
|
allow portslave_t self:tcp_socket create_stream_socket_perms;
|
|
allow portslave_t self:udp_socket create_socket_perms;
|
|
|
|
allow portslave_t portslave_etc_t:dir list_dir_perms;
|
|
read_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
|
|
read_lnk_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
|
|
|
|
allow portslave_t portslave_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(portslave_t,portslave_lock_t,file)
|
|
|
|
kernel_read_system_state(portslave_t)
|
|
kernel_read_kernel_sysctls(portslave_t)
|
|
|
|
corecmd_exec_bin(portslave_t)
|
|
corecmd_exec_shell(portslave_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(portslave_t)
|
|
corenet_all_recvfrom_netlabel(portslave_t)
|
|
corenet_tcp_sendrecv_generic_if(portslave_t)
|
|
corenet_udp_sendrecv_generic_if(portslave_t)
|
|
corenet_tcp_sendrecv_all_nodes(portslave_t)
|
|
corenet_udp_sendrecv_all_nodes(portslave_t)
|
|
corenet_tcp_sendrecv_all_ports(portslave_t)
|
|
corenet_udp_sendrecv_all_ports(portslave_t)
|
|
corenet_rw_ppp_dev(portslave_t)
|
|
|
|
dev_read_sysfs(portslave_t)
|
|
# for ssh
|
|
dev_read_urand(portslave_t)
|
|
|
|
domain_use_interactive_fds(portslave_t)
|
|
|
|
files_read_etc_files(portslave_t)
|
|
files_read_etc_runtime_files(portslave_t)
|
|
files_exec_etc_files(portslave_t)
|
|
|
|
fs_search_auto_mountpoints(portslave_t)
|
|
fs_getattr_xattr_fs(portslave_t)
|
|
|
|
term_use_unallocated_ttys(portslave_t)
|
|
term_setattr_unallocated_ttys(portslave_t)
|
|
term_use_all_user_ttys(portslave_t)
|
|
term_search_ptys(portslave_t)
|
|
|
|
auth_rw_login_records(portslave_t)
|
|
auth_domtrans_chk_passwd(portslave_t)
|
|
|
|
init_rw_utmp(portslave_t)
|
|
|
|
libs_use_ld_so(portslave_t)
|
|
libs_use_shared_libs(portslave_t)
|
|
|
|
logging_send_syslog_msg(portslave_t)
|
|
logging_search_logs(portslave_t)
|
|
|
|
sysnet_read_config(portslave_t)
|
|
|
|
userdom_use_unpriv_users_fds(portslave_t)
|
|
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
|
userdom_search_all_users_home_dirs(portslave_t)
|
|
|
|
mta_send_mail(portslave_t)
|
|
|
|
# this should probably be a domtrans to pppd
|
|
# instead of exec.
|
|
ppp_read_rw_config(portslave_t)
|
|
ppp_exec(portslave_t)
|
|
ppp_read_secrets(portslave_t)
|
|
ppp_manage_pid_files(portslave_t)
|
|
ppp_pid_filetrans(portslave_t)
|
|
|
|
ssh_exec(portslave_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(portslave_t)
|
|
term_dontaudit_use_generic_ptys(portslave_t)
|
|
files_dontaudit_read_root_files(portslave_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_tcp_service_domain(portslave_t,portslave_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(portslave_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(portslave_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(portslave_t)
|
|
')
|