rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2e77b29e67
selinux-policy/refpolicy/policy/modules/system/modutils.te
Chris PeBenito dd14d0d892 change read_shared_libraries to use_shared_libraries, since the execute 
permission is checked when using shared libs to execute code in them, which
is not the same as just reading the shared libs.
2005-05-17 15:32:52 +00:00

236 lines
7.1 KiB
Plaintext
Raw Blame History

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(modutils,1.0)
########################################
#
# Declarations
#
# module loading config
type modules_conf_t;
files_make_file(modules_conf_t)
# module dependencies
type modules_dep_t;
files_make_file(modules_dep_t)
type insmod_t;
type insmod_exec_t;
kernel_make_userland_entrypoint(insmod_t,insmod_exec_t)
init_make_system_domain(insmod_t,insmod_exec_t)
role system_r types insmod_t;
type depmod_t;
type depmod_exec_t;
init_make_system_domain(depmod_t,depmod_exec_t)
role system_r types depmod_t;
type update_modules_t;
type update_modules_exec_t;
init_make_system_domain(update_modules_t,update_modules_exec_t)
role system_r types update_modules_t;
type update_modules_tmp_t;
files_make_temporary_file(update_modules_tmp_t)
########################################
#
# insmod local policy
#
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
# Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
kernel_load_module(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t)
kernel_modify_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctl(insmod_t)
bootloader_read_kernel_modules(insmod_t)
devices_write_mtrr(insmod_t)
devices_get_pseudorandom_data(insmod_t)
devices_direct_agp_access(insmod_t)
filesystem_get_persistent_filesystem_attributes(insmod_t)
files_read_runtime_system_config(insmod_t)
files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t)
files_execute_system_config_script(insmod_t)
init_use_file_descriptors(insmod_t)
init_script_use_file_descriptors(insmod_t)
init_script_use_pseudoterminal(insmod_t)
domain_signal_all_domains(insmod_t)
domain_use_widely_inheritable_file_descriptors(insmod_t)
libraries_use_dynamic_loader(insmod_t)
libraries_use_shared_libraries(insmod_t)
corecommands_execute_general_programs(insmod_t)
corecommands_execute_system_programs(insmod_t)
corecommands_execute_shell(insmod_t)
miscfiles_read_localization(insmod_t)
logging_send_system_log_message(insmod_t)
optional_policy(`mount.te',`
mount_transition(insmod_t)
')
ifdef(`TODO',`
allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t { var_t var_log_t }:dir search;
allow insmod_t apm_bios_t:chr_file { read write };
allow insmod_t sound_device_t:chr_file { read ioctl write };
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
')
allow insmod_t sysfs_t:dir search;
allow insmod_t usbfs_t:dir search;
allow insmod_t usbfs_t:filesystem mount;
allow insmod_t admin_tty_type:chr_file { getattr read write };
# for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search;
# for nscd
dontaudit insmod_t var_run_t:dir search;
') dnl if TODO
########################################
#
# depmod local policy
#
allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
# Read conf.modules.
allow depmod_t modules_conf_t:file { getattr read };
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t)
filesystem_get_persistent_filesystem_attributes(depmod_t)
terminal_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)
init_script_use_pseudoterminal(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t)
files_read_runtime_system_config(depmod_t)
files_read_general_system_config(depmod_t)
files_read_system_source_code(depmod_t)
libraries_use_dynamic_loader(depmod_t)
libraries_use_shared_libraries(depmod_t)
ifdef(`TODO',`
allow depmod_t { bin_t sbin_t }:dir search;
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
# Access terminals.
allow depmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.
allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
') dnl end ifdef TODO
#################################
#
# update-modules local policy
#
allow update_modules_t self:fifo_file { getattr read write };
allow update_modules_t modules_dep_t:file { getattr read write };
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
# manage module loading configuration
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
files_create_private_config(update_modules_t,modules_conf_t)
# transition to depmod
allow update_modules_t depmod_exec_t:file { getattr read execute };
allow update_modules_t depmod_t:process transition;
type_transition update_modules_t depmod_exec_t:process depmod_t;
dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t)
devices_get_pseudorandom_data(update_modules_t)
filesystem_get_persistent_filesystem_attributes(update_modules_t)
terminal_use_console(update_modules_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)
init_script_use_pseudoterminal(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t)
files_read_runtime_system_config(update_modules_t)
files_read_general_system_config(update_modules_t)
files_execute_system_config_script(update_modules_t)
corecommands_execute_general_programs(update_modules_t)
corecommands_execute_system_programs(update_modules_t)
corecommands_execute_shell(update_modules_t)
libraries_use_dynamic_loader(update_modules_t)
libraries_use_shared_libraries(update_modules_t)
logging_send_system_log_message(update_modules_t)
miscfiles_read_localization(update_modules_t)
ifdef(`TODO',`
role sysadm_r types update_modules_t;
domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
allow update_modules_t admin_tty_type:chr_file rw_file_perms;
dontaudit update_modules_t sysadm_home_dir_t:dir search;
') dnl endif TODO
Reference in New Issue View Git Blame Copy Permalink