The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport-layer-specific interfaces are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only NetLabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID, which makes it very difficult to distinguish between actual unlabeled packets and those packets which have MLS security attributes.
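policy_module(userdomain,2.2.4)

# Declarations and local policy for the interactive user domains.
# Under strict_policy this module instantiates the sysadm, staff and user
# domains (plus secadm and auditadm when enable_mls is set), the role
# changes allowed between them, and the administrative tools each admin
# role may run on its terminal. Under targeted_policy the admin domains
# are only aliases of the unconfined domain, and this module mainly
# declares the shared home directory types and the role allows.

gen_require(`
	role sysadm_r, staff_r, user_r;

	ifdef(`enable_mls',`
		role secadm_r;
		role auditadm_r;
	')
')

########################################
#
# Declarations
#

ifdef(`strict_policy',`
## <desc>
## <p>
## Allow sysadm to ptrace all processes
## </p>
## </desc>
gen_tunable(allow_ptrace,false)

## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect,false)

## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect,false)

## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse,false)

## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg,false)

## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile,false)

## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)
')

# admin users terminals (tty and pty)
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;

# all unprivileged users ptys
attribute user_ptynode;

# all unprivileged users tmp files
attribute user_tmpfile;

# all unprivileged users ttys
attribute user_ttynode;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# Not documented here; by name these cover content received from untrusted
# sources and its temporary copies -- confirm against the interface file.
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

########################################
#
# Local policy
#

ifdef(`strict_policy',`
	userdom_admin_user_template(sysadm)
	userdom_unpriv_user_template(staff)
	userdom_unpriv_user_template(user)

	# user role change rules:
	# sysadm_r can change to user roles
	userdom_role_change_template(sysadm, user)
	userdom_role_change_template(sysadm, staff)

	# only staff_r can change to sysadm_r
	userdom_role_change_template(staff, sysadm)
	dontaudit staff_t admin_terminal:chr_file { read write };

	ifdef(`enable_mls',`
		userdom_unpriv_user_template(secadm)
		userdom_unpriv_user_template(auditadm)

		# staff_r can reach both MLS admin roles directly, and the
		# three admin roles (sysadm, auditadm, secadm) can change
		# into each other
		userdom_role_change_template(staff,auditadm)
		userdom_role_change_template(staff,secadm)

		userdom_role_change_template(sysadm,secadm)
		userdom_role_change_template(sysadm,auditadm)

		userdom_role_change_template(auditadm,secadm)
		userdom_role_change_template(auditadm,sysadm)

		userdom_role_change_template(secadm,auditadm)
		userdom_role_change_template(secadm,sysadm)
	')

	# this should be tunable_policy, but
	# currently type_change and RBAC allow
	# do not work in conditionals
	ifdef(`user_canbe_sysadm',`
		userdom_role_change_template(user,sysadm)
	')

	########################################
	#
	# Sysadm local policy
	#

	# for su
	allow sysadm_t userdomain:fd use;

	# Add/remove user home directories
	allow sysadm_t user_home_dir_t:dir manage_dir_perms;
	files_home_filetrans(sysadm_t,user_home_dir_t,dir)

	corecmd_exec_shell(sysadm_t)

	# sysadm only gets the process-level MLS read-up exemption here; the
	# file-level MLS exemptions are given to secadm_t below when MLS is on
	mls_process_read_up(sysadm_t)

	init_exec(sysadm_t)

	# Following for sending reboot and wall messages
	userdom_use_unpriv_users_ptys(sysadm_t)
	userdom_use_unpriv_users_ttys(sysadm_t)

	ifdef(`direct_sysadm_daemon',`
		optional_policy(`
			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
		')
	',`
		ifdef(`distro_gentoo',`
			optional_policy(`
				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
			')
		')
	')

	ifdef(`enable_mls',`
		# With MLS enabled, audit administration moves from sysadm_t to
		# auditadm_t and security administration to secadm_t.
		allow auditadm_t self:capability { dac_read_search dac_override };
		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		domain_kill_all_domains(auditadm_t)
		seutil_read_bin_policy(auditadm_t)
		corecmd_exec_shell(auditadm_t)
		logging_send_syslog_msg(auditadm_t)
		logging_read_generic_logs(auditadm_t)
		logging_manage_audit_log(auditadm_t)
		logging_manage_audit_config(auditadm_t)
		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)

		allow secadm_t self:capability { dac_read_search dac_override };
		corecmd_exec_shell(secadm_t)
		domain_obj_id_change_exemption(secadm_t)
		# MLS exemptions (by interface name): read up, write down, and
		# raise/lower the level of files. These are what make secadm_t the
		# MLS-privileged administrator.
		mls_process_read_up(secadm_t)
		mls_file_read_up(secadm_t)
		mls_file_write_down(secadm_t)
		mls_file_upgrade(secadm_t)
		mls_file_downgrade(secadm_t)
		# relabeling authority over files and device nodes, including shadow
		auth_relabel_all_files_except_shadow(secadm_t)
		dev_relabel_all_dev_nodes(secadm_t)
		auth_relabel_shadow(secadm_t)
		init_exec(secadm_t)
		# secadm_t only reads the audit trail and config; managing them
		# stays with auditadm_t above
		logging_read_audit_log(secadm_t)
		logging_read_generic_logs(secadm_t)
		logging_read_audit_config(secadm_t)
		userdom_dontaudit_append_staff_home_content_files(secadm_t)
		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)

		optional_policy(`
			aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
		')

		optional_policy(`
			netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
		')
	',`
		# Without MLS, sysadm_t manages the audit subsystem itself
		logging_manage_audit_log(sysadm_t)
		logging_manage_audit_config(sysadm_t)
		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
	')

	tunable_policy(`allow_ptrace',`
		domain_ptrace_all_domains(sysadm_t)
	')

	optional_policy(`
		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
		#apache_run_all_scripts(sysadm_t,sysadm_r)
		#apache_domtrans_sys_script(sysadm_t)
	')

	optional_policy(`
		tzdata_domtrans(sysadm_t)
	')

	optional_policy(`
		raid_domtrans_mdadm(sysadm_t)
	')

	optional_policy(`
		# cjp: why is this not apm_run_client
		apm_domtrans_client(sysadm_t)
	')

	optional_policy(`
		apt_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		backup_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clock_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# interface name is spelled as the certwatch module exports it
		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		cvs_exec(sysadm_t)
	')

	optional_policy(`
		consoletype_exec(sysadm_t)

		ifdef(`enable_mls',`
			consoletype_exec(auditadm_t)
		')
	')

	optional_policy(`
		cron_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dmesg_exec(sysadm_t)

		ifdef(`enable_mls',`
			dmesg_exec(auditadm_t)
		')
	')

	optional_policy(`
		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
		ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		# tty only, unlike the other run interfaces which use admin_terminal
		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
	')

	optional_policy(`
		fstools_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		hostname_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# allow system administrator to use the ipsec script to look
		# at things (e.g., ipsec auto --status)
		# probably should create an ipsec_admin role for this kind of thing
		ipsec_exec_mgmt(sysadm_t)
		ipsec_stream_connect(sysadm_t)
		# for lsof
		ipsec_getattr_key_sockets(sysadm_t)
	')

	optional_policy(`
		iptables_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lvm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
		lpr_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mount_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mta_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		mysql_stream_connect(sysadm_t)
	')

	optional_policy(`
		netutils_run(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpc_domtrans_nfsd(sysadm_t)
	')

	optional_policy(`
		munin_stream_connect(sysadm_t)
	')

	optional_policy(`
		ntp_stub()
		corenet_udp_bind_ntp_port(sysadm_t)
	')

	optional_policy(`
		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portage_run(sysadm_t,sysadm_r,admin_terminal)
		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		quota_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rsync_exec(sysadm_t)
	')

	optional_policy(`
		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)

		ifdef(`enable_mls',`
			# NOTE(review): the terminal set names sysadm_devpts_t while
			# every other secadm run interface in this file (aide_run,
			# netlabel_run_mgmt) uses secadm_devpts_t; if this is a typo,
			# a secadm session on a pty would not get this transition.
			# Confirm the intended pty type.
			userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
		', `
			userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
		')
	')

	optional_policy(`
		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# lets sysadm_t escape into the unconfined domain when the
		# unconfined module is present
		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		vpn_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		yam_run(sysadm_t,sysadm_r,admin_terminal)
	')
')

ifdef(`targeted_policy',`
	# Define some type aliases to help with compatibility with
	# strict policy.
	unconfined_alias_domain(secadm_t)
	unconfined_alias_domain(auditadm_t)
	unconfined_alias_domain(sysadm_t)

	# User home directory type.
	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
	files_type(user_home_t)
	files_associate_tmp(user_home_t)
	fs_associate_tmpfs(user_home_t)

	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
	files_type(user_home_dir_t)
	files_associate_tmp(user_home_dir_t)
	fs_associate_tmpfs(user_home_dir_t)

	# compatibility for switching from strict
	# dominance { role secadm_r { role system_r; }}
	# dominance { role auditadm_r { role system_r; }}
	# dominance { role sysadm_r { role system_r; }}
	# dominance { role user_r { role system_r; }}
	# dominance { role staff_r { role system_r; }}

	# don't need to use the full role_change()
	allow sysadm_r system_r;
	allow sysadm_r user_r;
	allow user_r system_r;
	allow user_r sysadm_r;
	allow system_r sysadm_r;

	# every privhome domain may create and manage regular user home
	# content, and new objects it creates under a home dir get user_home_t
	manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
	files_search_home(privhome)

	ifdef(`enable_mls',`
		allow secadm_r system_r;
		allow auditadm_r system_r;
		allow secadm_r user_r;
		allow staff_r secadm_r;
		allow staff_r auditadm_r;
	')

	optional_policy(`
		samba_per_role_template(user)
	')
')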