From b518fc2edfbaf58ec873faaf5803a21cbf3a75c6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Apr 10 2006 21:04:51 +0000 Subject: move over to attributes for unconfined interfaces. --- diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 97f3cde..3def4af 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -118,6 +118,7 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index fc7ba97..461f485 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -1253,18 +1253,8 @@ interface(`corenet_non_ipsec_sendrecv',` # interface(`corenet_unconfined',` gen_require(` - attribute node_type, netif_type, port_type; + attribute corenet_unconfined_type; ') - allow $1 node_type:node *; - allow $1 netif_type:netif *; - allow $1 port_type:tcp_socket { send_msg recv_msg name_connect }; - allow $1 port_type:udp_socket { send_msg recv_msg }; - - # Bind to any network address. - # cjp: rawip_socket doesnt make any sense - allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind; - allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind; - - corenet_non_ipsec_sendrecv($1) + typeattribute $1 corenet_unconfined_type; ') 
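Review bot: The rawip_socket name_bind and node_bind permissions removed from corenet_unconfined here are not re-added by the corenetwork.te.in rules that replace them (hunk at +176), so unconfined domains lose them while the subject line describes the change as a plain move to attributes; the same applies to the `file_type:{ unix_stream_socket unix_dgram_socket } name_bind` rule removed from files_unconfined (files.if hunk at -3843) and absent from the new files.te block. The removed cjp comments suggest both drops are intentional, so a sentence in the commit message saying so would spare the next reader from diffing the old interface bodies. The corecommands.fc hunk above (courier under /usr/lib) is also unrelated to the attribute move and would be easier to track as its own commit.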
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index eca4897..93b9b00 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.4) +policy_module(corenetwork,1.1.5) ######################################## # @@ -11,6 +11,8 @@ attribute node_type; attribute port_type; attribute reserved_port_type; +attribute corenet_unconfined_type; + type ppp_device_t; dev_node(ppp_device_t) @@ -174,3 +176,19 @@ ifdef(`enable_mls', ` network_interface(lo, lo,s0 - s15:c0.c255) ') #network_interface(eth0, eth0,s0) + +######################################## +# +# Unconfined access to this module +# + +allow corenet_unconfined_type node_type:node *; +allow corenet_unconfined_type netif_type:netif *; +allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; +allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + +# Bind to any network address. +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind; + +corenet_non_ipsec_sendrecv(corenet_unconfined_type) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index a5cfa0e..1ee19c4 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -2850,13 +2850,8 @@ interface(`dev_execmod_zero',` # interface(`dev_unconfined',` gen_require(` - attribute device_node, memory_raw_write, memory_raw_read; - type mtrr_device_t; + attribute devices_unconfined_type; ') - allow $1 device_node:devfile_class_set *; - allow $1 mtrr_device_t:{ dir file } *; - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_write, memory_raw_read; + typeattribute $1 devices_unconfined_type; ') 
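Review bot: The rewritten dev_unconfined no longer places $1 in memory_raw_write and memory_raw_read, and the replacement rules in devices.te (hunk at +191) do not do so either, while still granting `device_node:{ blk_file chr_file } *`, which covers whatever device nodes those two attributes are meant to guard. If devices.te still carries neverallow rules keyed on memory_raw_read/memory_raw_write (they would be outside the hunks shown), the blanket device_node allow will trip them at policy build time. storage.te in this same commit handles the equivalent situation by rewriting its neverallows to `~{ fixed_disk_raw_read storage_unconfined_type }`; either extend the memory_raw_* neverallows the same way with devices_unconfined_type, or restore `typeattribute $1 memory_raw_write, memory_raw_read;` in the interface.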
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 9e8164c..c6108f2 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.6) +policy_module(devices,1.1.7) ######################################## # @@ -9,6 +9,7 @@ policy_module(devices,1.1.6) attribute device_node; attribute memory_raw_read; attribute memory_raw_write; +attribute devices_unconfined_type; # # device_t is the type of /dev. @@ -190,3 +191,12 @@ fs_associate(device_node) fs_associate_tmpfs(device_node) files_associate_tmp(device_node) + +######################################## +# +# Unconfined access to this module +# + +allow devices_unconfined_type self:capability sys_rawio; +allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type mtrr_device_t:{ dir file } *; diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index da70fa0..341eb91 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -1136,7 +1136,7 @@ interface(`domain_entry_file_spec_domtrans',` # interface(`domain_unconfined',` gen_require(` - attribute domain, set_curr_context; + attribute set_curr_context; attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; 
@@ -1145,30 +1145,11 @@ interface(`domain_unconfined',` typeattribute $1 unconfined_domain_type; - # pass all constraints + # pass constraints typeattribute $1 can_change_process_identity; typeattribute $1 can_change_process_role; typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; - - # Use/sendto/connectto sockets created by any domain. - allow $1 domain:{ socket_class_set socket key_socket } *; - - # Use descriptors and pipes created by any domain. - allow $1 domain:fd use; - allow $1 domain:fifo_file rw_file_perms; - - # Act upon any other process. - allow $1 domain:process ~{ transition dyntransition execmem execstack execheap }; - - # Create/access any System V IPC objects. - allow $1 domain:{ sem msgq shm } *; - allow $1 domain:msg { send receive }; - - # For /proc/pid - allow $1 domain:dir r_dir_perms; - allow $1 domain:file r_file_perms; - allow $1 domain:lnk_file r_file_perms; ') # diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index ae56c65..bde89e0 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain,1.1.0) +policy_module(domain,1.1.1) ######################################## # 
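Review bot: The comment `# pass constraints` was made less specific than the `# pass all constraints` it replaces, and the reason these four typeattribute lines stay in the interface while every other rule moved to domain.te is only explained in domain.te (hunk at +108). Put the rationale next to the lines it justifies, e.g. `# pass constraints: kept here rather than on unconfined_domain_type because typeattribute cannot take an attribute as its subject`. The interface body begins before this hunk.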
@@ -108,3 +108,31 @@ tunable_policy(`global_ssp',` # stack smashing protection. dev_read_urand(domain) ') + +######################################## +# +# Unconfined access to this module +# + +# unconfined access also allows constraints, but this +# is handled in the interface as typeattribute cannot +# be used on an attribute. + +# Use/sendto/connectto sockets created by any domain. +allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; + +# Use descriptors and pipes created by any domain. +allow unconfined_domain_type domain:fd use; +allow unconfined_domain_type domain:fifo_file rw_file_perms; + +# Act upon any other process. +allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; + +# Create/access any System V IPC objects. +allow unconfined_domain_type domain:{ sem msgq shm } *; +allow unconfined_domain_type domain:msg { send receive }; + +# For /proc/pid +allow unconfined_domain_type domain:dir r_dir_perms; +allow unconfined_domain_type domain:file r_file_perms; +allow unconfined_domain_type domain:lnk_file r_file_perms; diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 050c088..a467391 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -332,6 +332,24 @@ interface(`files_dontaudit_list_non_security',` ######################################## ## +## Allow attempts to modify any directory +## +## +## +## Domain to allow +## +## +# +interface(`files_write_non_security_dirs',` + gen_require(` + attribute file_type, security_file_type; + ') + + allow $1 file_type:dir write; +') + +######################################## +## ## Get the attributes of all files. ## ## 
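Review bot: files_write_non_security_dirs as added here grants `allow $1 file_type:dir write;`, which covers every file_type directory including those carrying security_file_type, so the interface name and its summary ("non security") do not match what it allows, and the security_file_type pulled in through gen_require is never used. The rule should subtract that attribute: `allow $1 { file_type -security_file_type }:dir write;`. This block is a relocation of the interface removed further down in files.if (hunk at -3843), so the mismatch predates this commit, but the new side is where it now lives.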
@@ -3843,42 +3861,8 @@ interface(`files_polyinstantiate_all',` # interface(`files_unconfined',` gen_require(` - attribute file_type; - ') - - # Create/access any file in a labeled filesystem; - allow $1 file_type:{ file chr_file } ~execmod; - allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; - - # Mount/unmount any filesystem with the context= option. - allow $1 file_type:filesystem *; - - # Bind to any network address. - # cjp: need to check this, I dont think this has any effect. - allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; - - ifdef(`targeted_policy',` - tunable_policy(`allow_execmod',` - allow $1 file_type:file execmod; - ') - ') -') - - -######################################## -## -## Allow attempts to modify any directory -## -## -## -## Domain to allow -## -## -# -interface(`files_write_non_security_dirs',` - gen_require(` - attribute file_type, security_file_type; + attribute files_unconfined_type; ') - allow $1 file_type:dir write; + typeattribute $1 files_unconfined_type; ') diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index 4e47285..a7faa68 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.4) +policy_module(files,1.2.5) ######################################## # @@ -7,6 +7,7 @@ policy_module(files,1.2.4) # attribute file_type; +attribute files_unconfined_type; attribute lockfile; attribute mountpoint; attribute pidfile; 
@@ -195,3 +196,21 @@ fs_associate_tmpfs(tmpfile) # fs_associate_tmpfs(tmpfsfile) + +######################################## +# +# Unconfined access to this module +# + +# Create/access any file in a labeled filesystem; +allow files_unconfined_type file_type:{ file chr_file } ~execmod; +allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; + +# Mount/unmount any filesystem with the context= option. +allow files_unconfined_type file_type:filesystem *; + +ifdef(`targeted_policy',` + tunable_policy(`allow_execmod',` + allow files_unconfined_type file_type:file execmod; + ') +') diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 9141c54..2f6ce0e 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -3159,13 +3159,8 @@ interface(`fs_dontaudit_getattr_all_sockets',` # interface(`fs_unconfined',` gen_require(` - attribute filesystem_type; + attribute filesystem_unconfined_type; ') - allow $1 filesystem_type:filesystem *; - - # Create/access other files. fs_type is to pick up various - # pseudo filesystem types that are applied to both the filesystem - # and its files. - allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; + typeattribute $1 filesystem_unconfined_type; ') diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index f8251f1..f9491c0 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.4) +policy_module(filesystem,1.3.5) ######################################## # @@ -7,6 +7,7 @@ policy_module(filesystem,1.3.4) # attribute filesystem_type; +attribute filesystem_unconfined_type; attribute noxattrfs; ############################## 
@@ -176,3 +177,15 @@ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) # allow filesystem_type self:filesystem associate; + +######################################## +# +# Unconfined access to this module +# + +allow filesystem_unconfined_type filesystem_type:filesystem *; + +# Create/access other files. fs_type is to pick up various +# pseudo filesystem types that are applied to both the filesystem +# and its files. +allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 574f201..d5d03ff 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -2030,24 +2030,8 @@ interface(`kernel_sendrecv_unlabeled_association',` # interface(`kernel_unconfined',` gen_require(` - type kernel_t, unlabeled_t, sysctl_t; - attribute proc_type, sysctl_type; attribute kern_unconfined; - attribute can_load_kernmodule, can_receive_kernel_messages; ') - allow $1 proc_type:{ dir file } *; - - allow $1 sysctl_t:{ dir file } *; - - allow $1 kernel_t:system *; - - allow $1 unlabeled_t:dir_file_class_set *; - allow $1 unlabeled_t:filesystem *; - allow $1 unlabeled_t:association *; - - typeattribute $1 can_load_kernmodule, can_receive_kernel_messages; typeattribute $1 kern_unconfined; - - kernel_rw_all_sysctls($1) ') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index a930f07..70df6fc 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.3.3) +policy_module(kernel,1.3.4) ######################################## # 
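Review bot: The comment carried over with the rules still says `fs_type is to pick up various`, but the attribute on the line it describes is filesystem_type; the stale name was copied from the old fs_unconfined body (filesystem.if hunk at -3159). Suggest `# Create/access other files. filesystem_type is to pick up various` so the comment names the attribute the rule actually uses.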
@@ -10,7 +10,7 @@ policy_module(kernel,1.3.3) attribute can_load_kernmodule; attribute can_receive_kernel_messages; -neverallow ~can_load_kernmodule self:capability sys_module; +neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; # domains with unconfined access to kernel resources attribute kern_unconfined; @@ -62,11 +62,11 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) # kernel message interface type proc_kmsg_t, proc_type; genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) -neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; +neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; # /proc kcore: inaccessible type proc_kcore_t, proc_type; -neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; +neverallow ~kern_unconfined proc_kcore_t:file ~getattr; genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) type proc_mdstat_t, proc_type; @@ -142,8 +142,8 @@ sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) -sid init gen_context(system_u:object_r:unlabeled_t,s0) -sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid init gen_context(system_u:object_r:unlabeled_t,s0) +sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) 
@@ -340,3 +340,20 @@ optional_policy(` # since you may have compromised system security. init_sigchld(unlabeled_t) ') + +######################################## +# +# Rules for unconfined acccess to this module +# + +allow kern_unconfined proc_type:{ dir file } *; + +allow kern_unconfined sysctl_t:{ dir file } *; + +allow kern_unconfined kernel_t:system *; + +allow kern_unconfined unlabeled_t:dir_file_class_set *; +allow kern_unconfined unlabeled_t:filesystem *; +allow kern_unconfined unlabeled_t:association *; + +kernel_rw_all_sysctls(kern_unconfined) diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index f8c62e4..2fac4d0 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -664,15 +664,8 @@ interface(`storage_setattr_tape_dev',` # interface(`storage_unconfined',` gen_require(` - type fixed_disk_device_t, removable_device_t; - type scsi_generic_device_t, tape_device_t; - attribute fixed_disk_raw_read, fixed_disk_raw_write; - attribute scsi_generic_read, scsi_generic_write; + attribute storage_unconfined_type; ') - allow $1 { fixed_disk_device_t removable_device_t }:blk_file *; - allow $1 { scsi_generic_device_t tape_device_t }:chr_file *; - - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; - typeattribute $1 scsi_generic_read, scsi_generic_write; + typeattribute $1 storage_unconfined_type; ') diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te index f4bf61d..e78c43c 100644 --- a/refpolicy/policy/modules/kernel/storage.te +++ b/refpolicy/policy/modules/kernel/storage.te @@ -1,5 +1,5 @@ -policy_module(storage,1.0.0) +policy_module(storage,1.0.1) ######################################## # 
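Review bot: The section header reads `# Rules for unconfined acccess to this module`: "acccess" is misspelled, and every other module touched by this commit uses `# Unconfined access to this module`, so the same wording here would keep the new sections consistent and greppable. Nothing else in this block differs from the removed kernel_unconfined body apart from the typeattribute lines, whose effect now comes from the neverallow rewrites at -10 and -62.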
@@ -10,16 +10,17 @@ attribute fixed_disk_raw_read; attribute fixed_disk_raw_write; attribute scsi_generic_read; attribute scsi_generic_write; +attribute storage_unconfined_type; # # fixed_disk_device_t is the type of # /dev/hd* and /dev/sd*. # -type fixed_disk_device_t alias lvm_vg_t; +type fixed_disk_device_t; dev_node(fixed_disk_device_t) -neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read; -neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write }; +neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read; +neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; # # scsi_generic_device_t is the type of /dev/sg* @@ -28,8 +29,8 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app type scsi_generic_device_t; dev_node(scsi_generic_device_t) -neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read; -neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write }; +neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read; +neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write }; # # removable_device_t is the type of @@ -43,3 +44,11 @@ dev_node(removable_device_t) # type tape_device_t; dev_node(tape_device_t) + +######################################## +# +# Unconfined access to this module +# + +allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; +allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 52e2f92..3057feb 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if 
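Review bot: `type fixed_disk_device_t alias lvm_vg_t;` becomes `type fixed_disk_device_t;`, dropping the lvm_vg_t alias, which is unrelated to the attribute move and not mentioned in the subject line. Any file context, policy module or on-disk label that still names lvm_vg_t would stop resolving once this ships; if the alias is genuinely dead, say so in the commit message, otherwise keep `type fixed_disk_device_t alias lvm_vg_t;`. The neverallow rewrites in this hunk and the next are the right pattern for exempting the new attribute and are what devices.te should mirror.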
@@ -88,15 +88,6 @@ interface(`unconfined_domain_noaudit',` optional_policy(` storage_unconfined($1) ') - - ifdef(`TODO',` - if (allow_execmod) { - ifdef(`targeted_policy', `', ` - # Allow text relocations on system shared libraries, e.g. libGL. - allow $1 home_type:file execmod; - ') - } - ') dnl end TODO ') ######################################## diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index e14e278..f3fb908 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.3.2) +policy_module(unconfined,1.3.3) ######################################## #