1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
95 lines
2.7 KiB
Plaintext
95 lines
2.7 KiB
Plaintext
|
|
policy_module(nx,1.1.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type nx_server_t;
|
|
type nx_server_exec_t;
|
|
domain_type(nx_server_t)
|
|
domain_entry_file(nx_server_t,nx_server_exec_t)
|
|
domain_user_exemption_target(nx_server_t)
|
|
# we need an extra role because nxserver is called from sshd
|
|
# cjp: do we really need this?
|
|
role nx_server_r types nx_server_t;
|
|
allow system_r nx_server_r;
|
|
|
|
type nx_server_devpts_t;
|
|
term_user_pty(nx_server_t,nx_server_devpts_t)
|
|
|
|
type nx_server_tmp_t;
|
|
files_tmp_file(nx_server_tmp_t)
|
|
|
|
type nx_server_var_run_t;
|
|
files_pid_file(nx_server_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# NX server local policy
|
|
#
|
|
|
|
allow nx_server_t self:fifo_file { getattr ioctl read write };
|
|
allow nx_server_t self:tcp_socket create_socket_perms;
|
|
allow nx_server_t self:udp_socket create_socket_perms;
|
|
|
|
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(nx_server_t,nx_server_devpts_t)
|
|
|
|
manage_dirs_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
|
|
manage_files_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
|
|
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(nx_server_t,nx_server_var_run_t,nx_server_var_run_t)
|
|
files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
|
|
|
|
kernel_read_system_state(nx_server_t)
|
|
kernel_read_kernel_sysctls(nx_server_t)
|
|
|
|
# nxserver is a shell script --> call other programs
|
|
corecmd_exec_shell(nx_server_t)
|
|
corecmd_exec_bin(nx_server_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(nx_server_t)
|
|
corenet_all_recvfrom_netlabel(nx_server_t)
|
|
corenet_tcp_sendrecv_generic_if(nx_server_t)
|
|
corenet_udp_sendrecv_generic_if(nx_server_t)
|
|
corenet_tcp_sendrecv_all_nodes(nx_server_t)
|
|
corenet_udp_sendrecv_all_nodes(nx_server_t)
|
|
corenet_tcp_sendrecv_all_ports(nx_server_t)
|
|
corenet_udp_sendrecv_all_ports(nx_server_t)
|
|
corenet_tcp_connect_all_ports(nx_server_t)
|
|
corenet_sendrecv_all_client_packets(nx_server_t)
|
|
|
|
dev_read_urand(nx_server_t)
|
|
|
|
files_read_etc_files(nx_server_t)
|
|
files_read_etc_runtime_files(nx_server_t)
|
|
# for reading the config files; maybe a separate type,
|
|
# but users need to be able to also read the config
|
|
files_read_usr_files(nx_server_t)
|
|
|
|
libs_use_ld_so(nx_server_t)
|
|
libs_use_shared_libs(nx_server_t)
|
|
|
|
miscfiles_read_localization(nx_server_t)
|
|
|
|
seutil_dontaudit_search_config(nx_server_t)
|
|
|
|
sysnet_read_config(nx_server_t)
|
|
|
|
ifdef(`TODO',`
|
|
# clients already have create permissions; the nxclient wants to also have unlink rights
|
|
allow userdomain xdm_tmp_t:sock_file unlink;
|
|
# for a lockfile created by the client process
|
|
allow nx_server_t user_tmpfile:file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# SSH component local policy
|
|
#
|
|
|
|
ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)
|