1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
123 lines
3.3 KiB
Plaintext
123 lines
3.3 KiB
Plaintext
|
|
policy_module(nscd,1.4.1)
|
|
|
|
gen_require(`
|
|
class nscd all_nscd_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
# cjp: this is out of order because of an
|
|
# ordering problem with loadable modules
|
|
type nscd_var_run_t;
|
|
files_pid_file(nscd_var_run_t)
|
|
|
|
# nscd is both the client program and the daemon.
|
|
type nscd_t;
|
|
type nscd_exec_t;
|
|
init_daemon_domain(nscd_t,nscd_exec_t)
|
|
|
|
type nscd_log_t;
|
|
logging_log_file(nscd_log_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow nscd_t self:capability { kill setgid setuid audit_write };
|
|
dontaudit nscd_t self:capability sys_tty_config;
|
|
allow nscd_t self:process { getattr setsched signal_perms };
|
|
allow nscd_t self:fifo_file { read write };
|
|
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
|
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
|
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
|
allow nscd_t self:tcp_socket create_socket_perms;
|
|
allow nscd_t self:udp_socket create_socket_perms;
|
|
|
|
# For client program operation, invoked from sysadm_t.
|
|
# Transition occurs to nscd_t due to direct_sysadm_daemon.
|
|
allow nscd_t self:nscd { admin getstat };
|
|
|
|
allow nscd_t nscd_log_t:file manage_file_perms;
|
|
logging_log_filetrans(nscd_t,nscd_log_t,file)
|
|
|
|
manage_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
|
|
manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
|
|
files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
|
|
|
|
kernel_read_kernel_sysctls(nscd_t)
|
|
kernel_list_proc(nscd_t)
|
|
kernel_read_proc_symlinks(nscd_t)
|
|
|
|
dev_read_sysfs(nscd_t)
|
|
dev_read_rand(nscd_t)
|
|
dev_read_urand(nscd_t)
|
|
|
|
fs_getattr_all_fs(nscd_t)
|
|
fs_search_auto_mountpoints(nscd_t)
|
|
|
|
# for when /etc/passwd has just been updated and has the wrong type
|
|
auth_getattr_shadow(nscd_t)
|
|
auth_use_nsswitch(nscd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(nscd_t)
|
|
corenet_all_recvfrom_netlabel(nscd_t)
|
|
corenet_tcp_sendrecv_all_if(nscd_t)
|
|
corenet_udp_sendrecv_all_if(nscd_t)
|
|
corenet_tcp_sendrecv_all_nodes(nscd_t)
|
|
corenet_udp_sendrecv_all_nodes(nscd_t)
|
|
corenet_tcp_sendrecv_all_ports(nscd_t)
|
|
corenet_udp_sendrecv_all_ports(nscd_t)
|
|
corenet_tcp_connect_all_ports(nscd_t)
|
|
corenet_sendrecv_all_client_packets(nscd_t)
|
|
corenet_rw_tun_tap_dev(nscd_t)
|
|
|
|
selinux_get_fs_mount(nscd_t)
|
|
selinux_validate_context(nscd_t)
|
|
selinux_compute_access_vector(nscd_t)
|
|
selinux_compute_create_context(nscd_t)
|
|
selinux_compute_relabel_context(nscd_t)
|
|
selinux_compute_user_contexts(nscd_t)
|
|
domain_use_interactive_fds(nscd_t)
|
|
|
|
files_read_etc_files(nscd_t)
|
|
files_read_generic_tmp_symlinks(nscd_t)
|
|
# Needed to read files created by firstboot "/etc/hesiod.conf"
|
|
files_read_etc_runtime_files(nscd_t)
|
|
|
|
libs_use_ld_so(nscd_t)
|
|
libs_use_shared_libs(nscd_t)
|
|
|
|
logging_send_syslog_msg(nscd_t)
|
|
|
|
miscfiles_read_localization(nscd_t)
|
|
|
|
seutil_read_config(nscd_t)
|
|
seutil_read_default_contexts(nscd_t)
|
|
seutil_sigchld_newrole(nscd_t)
|
|
|
|
sysnet_read_config(nscd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_use_unallocated_ttys(nscd_t)
|
|
term_use_generic_ptys(nscd_t)
|
|
files_dontaudit_read_root_files(nscd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(nscd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
|
xen_append_log(nscd_t)
|
|
')
|