selinux-policy/policy/modules/services/razor.if
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

221 lines
6.0 KiB
Plaintext

## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
## <desc>
## <p>
## A distributed, collaborative, spam detection and filtering network.
## </p>
## <p>
## This policy will work with either the ATrpms provided config
## file in /etc/razor, or with the default of dumping everything into
## $HOME/.razor.
## </p>
## </desc>
#######################################
## <summary>
## Template to create types and rules common to
## all razor domains.
## </summary>
## <param name="prefix">
## <summary>
## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`razor_common_domain_template',`
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:tcp_socket create_socket_perms;
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file { getattr read };
manage_dirs_pattern($1_t,razor_log_t,razor_log_t)
manage_files_pattern($1_t,razor_log_t,razor_log_t)
manage_lnk_files_pattern($1_t,razor_log_t,razor_log_t)
logging_log_filetrans($1_t,razor_log_t,file)
manage_dirs_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
manage_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
manage_lnk_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_read_kernel_sysctls($1_t)
corecmd_exec_bin($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
# mktemp and other randoms
dev_read_rand($1_t)
dev_read_urand($1_t)
files_search_pids($1_t)
# Allow access to various files in the /etc/directory including mtab
# and nsswitch
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
fs_search_auto_mountpoints($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_read_lib_files($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
sysnet_dns_name_resolve($1_t)
userdom_use_unpriv_users_fds($1_t)
optional_policy(`
nis_use_ypbind($1_t)
')
')
#######################################
## <summary>
## The per role template for the razor module.
## </summary>
## <desc>
## <p>
## The per role template for the razor module.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`razor_per_role_template',`
gen_require(`
type razor_exec_t;
')
type $1_razor_t;
domain_type($1_razor_t)
domain_entry_file($1_razor_t,razor_exec_t)
razor_common_domain_template($1_razor)
role $3 types $1_razor_t;
type $1_razor_home_t alias $1_razor_rw_t;
files_poly_member($1_razor_home_t)
userdom_user_home_content($1,$1_razor_home_t)
type $1_razor_tmp_t;
files_tmp_file($1_razor_tmp_t)
##############################
#
# Local policy
#
allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
manage_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
manage_lnk_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
manage_dirs_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
manage_files_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
domtrans_pattern($2, razor_exec_t, $1_razor_t)
manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
manage_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
relabel_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
relabel_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
relabel_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
logging_send_syslog_msg($1_razor_t)
userdom_search_user_home_dirs($1,$1_razor_t)
# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
userdom_use_user_terminals($1,$1_razor_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_razor_t)
fs_manage_nfs_files($1_razor_t)
fs_manage_nfs_symlinks($1_razor_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_razor_t)
fs_manage_cifs_files($1_razor_t)
fs_manage_cifs_symlinks($1_razor_t)
')
optional_policy(`
nscd_socket_use($1_razor_t)
')
')
########################################
## <summary>
## Execute razor in the system razor domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`razor_domtrans',`
gen_require(`
type razor_t, razor_exec_t;
')
domtrans_pattern($1, razor_exec_t, razor_t)
')