selinux-policy/refpolicy/policy/modules/admin/rpm.te
2005-06-29 14:26:41 +00:00

398 lines
11 KiB
Plaintext

policy_module(rpm,1.0)
########################################
#
# Declarations
#
type rpm_t; #, admin, privmem, priv_system_role;
type rpm_exec_t;
init_system_domain(rpm_t,rpm_exec_t)
domain_obj_id_change_exempt(rpm_t)
domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t;
type rpm_file_t;
files_type(rpm_file_t)
type rpm_tmp_t;
files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role;
type rpm_script_exec_t;
domain_obj_id_change_exempt(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t,rpm_script_exec_t)
domain_wide_inherit_fd(rpm_script_t)
role system_r types rpm_script_t;
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
type rpm_script_tmpfs_t;
files_tmpfs_file(rpm_script_tmpfs_t)
type rpmbuild_t;
domain_type(rpmbuild_t)
type rpmbuild_exec_t;
domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
########################################
#
# rpm Local policy
#
allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
allow rpm_t self:udp_socket { connect };
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file create_file_perms;
logging_create_log(rpm_t,rpm_log_t)
allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms;
files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms;
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
corenet_tcp_sendrecv_all_nodes(rpm_t)
corenet_raw_sendrecv_all_nodes(rpm_t)
corenet_udp_sendrecv_all_nodes(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
corecmd_exec_bin(rpm_t)
corecmd_exec_sbin(rpm_t)
corecmd_domtrans_shell(rpm_t,rpm_script_t)
domain_exec_all_entry_files(rpm_t)
domain_read_all_domains_state(rpm_t)
domain_use_wide_inherit_fd(rpm_t)
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
libs_use_ld_so(rpm_t)
libs_use_shared_libs(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
libs_domtrans_ldconfig(rpm_t)
logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy
seutil_manage_src_pol(rpm_t)
seutil_manage_binary_pol(rpm_t)
sysnet_read_config(rpm_t)
userdom_use_unpriv_users_fd(rpm_t)
optional_policy(`cron.te',`
cron_system_entry(rpm_t,rpm_exec_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(rpm_t)
')
ifdef(`TODO',`
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
dontaudit rpm_t domain:process ptrace;
# read/write/create any files in the system
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink;
# needs rw permission to the directory for an rpm package that includes a mount
# point
allow rpm_t fs_type:dir { setattr rw_dir_perms };
allow rpm_t mount_t:tcp_socket write;
allow rpm_t sysfs_t:dir r_dir_perms;
allow rpm_t usbdevfs_t:dir r_dir_perms;
allow rpm_t rpc_pipefs_t:dir search;
optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
optional_policy(`mount.te', `
allow rpm_t mount_t:udp_socket rw_socket_perms;
')
# for kernel package installation
optional_policy(`mount.te', `
allow mount_t rpm_t:fifo_file rw_file_perms;
')
# Commonly used from postinst scripts
optional_policy(`consoletype.te', `
allow consoletype_t rpm_t:fifo_file r_file_perms;
')
optional_policy(`crond.te', `
allow crond_t rpm_t:fifo_file r_file_perms;
')
') dnl endif TODO
########################################
#
# rpm-script Local policy
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir })
allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(rpm_script_t)
selinux_get_fs_mount(rpm_script_t)
selinux_validate_context(rpm_script_t)
selinux_compute_access_vector(rpm_script_t)
selinux_compute_create_context(rpm_script_t)
selinux_compute_relabel_context(rpm_script_t)
selinux_compute_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t)
# ideally we would not need this
dev_manage_generic_blk_file(rpm_script_t)
dev_manage_generic_chr_file(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(rpm_script_t)
corecmd_exec_bin(rpm_script_t)
corecmd_exec_sbin(rpm_script_t)
domain_read_all_domains_state(rpm_script_t)
domain_use_wide_inherit_fd(rpm_script_t)
domain_exec_all_entry_files(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
libs_use_ld_so(rpm_script_t)
libs_use_shared_libs(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
libs_domtrans_ldconfig(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
modutils_domtrans_depmod(rpm_script_t)
modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpol(rpm_script_t)
seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
optional_policy(`bootloader.te', `
bootloader_domtrans(rpm_script_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(rpm_script_t)
')
ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
can_exec(rpm_script_t,usr_t)
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
')
') dnl end TODO
########################################
#
# rpm-build Local policy
#
# cjp: this looks like dead policy. nothing
# can transition to this domain, nor can it
# really do anything useful.
selinux_get_fs_mount(rpmbuild_t)
selinux_validate_context(rpmbuild_t)
selinux_compute_access_vector(rpmbuild_t)
selinux_compute_create_context(rpmbuild_t)
selinux_compute_relabel_context(rpmbuild_t)
selinux_compute_user_contexts(rpmbuild_t)
seutil_read_src_pol(rpmbuild_t)
ifdef(`TODO',`
allow userdomain var_lib_t:dir { getattr search };
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
optional_policy(`cups.te', `
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
allow cupsd_t rpm_var_lib_t:file r_file_perms;
allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
allow cupsd_t initrc_exec_t:file r_file_perms;
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
optional_policy(`ssh-agent.te', `
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
optional_policy(`useradd.te', `
domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
role system_r types { useradd_t groupadd_t };
allow { useradd_t groupadd_t } rpm_t:fd use;
allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
')
optional_policy(`bootloader.te',`
allow bootloader_t rpm_t:fifo_file rw_file_perms;
')
optional_policy(`prelink.te', `
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
')
ifdef(`hide_broken_symptoms', `
optional_policy(`pamconsole.te', `
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
')
')
ifdef(`unlimitedRPM', `
typeattribute rpm_t auth_write;
unconfined_domain(rpm_t)
typeattribute rpm_script_t auth_write;
unconfined_domain(rpm_script_t)
')
') dnl end TODO