From be4a8011d46b326e6270c84c933b36c15691d3fa Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jun 14 2005 20:12:46 +0000 Subject: move selinux to selinuxutil --- diff --git a/refpolicy/policy/modules/system/selinux.fc b/refpolicy/policy/modules/system/selinux.fc deleted file mode 100644 index fb39d89..0000000 --- a/refpolicy/policy/modules/system/selinux.fc +++ /dev/null @@ -1,40 +0,0 @@ - -# -# /etc -# -/etc/selinux(/.*)? context_template(system_u:object_r:selinux_config_t,s0) - -/etc/selinux/([^/]*/)?contexts(/.*)? context_template(system_u:object_r:default_context_t,s0) - -/etc/selinux/([^/]*/)?contexts/files(/.*)? context_template(system_u:object_r:file_context_t,s0) - -/etc/selinux/([^/]*/)?policy(/.*)? context_template(system_u:object_r:policy_config_t,s0) - -/etc/selinux/([^/]*/)?src(/.*)? context_template(system_u:object_r:policy_src_t,s0) - -# -# /root -# -/root/\.default_contexts -- context_template(system_u:object_r:default_context_t,s0) - -# -# /sbin -# -/sbin/load_policy -- context_template(system_u:object_r:load_policy_exec_t,s0) -/sbin/restorecon -- context_template(system_u:object_r:restorecon_exec_t,s0) - -# -# /usr -# -/usr/bin/checkpolicy -- context_template(system_u:object_r:checkpolicy_exec_t,s0) -/usr/bin/newrole -- context_template(system_u:object_r:newrole_exec_t,s0) - -/usr/lib(64)?/selinux(/.*)? context_template(system_u:object_r:policy_src_t,s0) - -/usr/sbin/load_policy -- context_template(system_u:object_r:load_policy_exec_t,s0) -/usr/sbin/run_init -- context_template(system_u:object_r:run_init_exec_t,s0) -/usr/sbin/setfiles.* -- context_template(system_u:object_r:setfiles_exec_t,s0) - -ifdef(`distro_debian', ` -/usr/share/selinux(/.*)? context_template(system_u:object_r:policy_src_t,s0) -') diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if deleted file mode 100644 index 433d28e..0000000 --- a/refpolicy/policy/modules/system/selinux.if +++ /dev/null @@ -1,744 +0,0 @@ -## -## Policy for SELinux policy and userland applications. - -####################################### -## -## -## Execute checkpolicy in the checkpolicy domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_checkpol',` - gen_require(`$0'_depend) - - allow $1 checkpolicy_exec_t:file rx_file_perms; - allow $1 checkpolicy_t:process transition; - type_transition $1 checkpolicy_exec_t:process checkpolicy_t; - dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; - - allow $1 checkpolicy_t:fd use; - allow checkpolicy_t $1:fd use; - allow checkpolicy_t $1:fifo_file rw_file_perms; - allow checkpolicy_t $1:process sigchld; -') - -define(`selinux_domtrans_checkpol_depend',` - type checkpolicy_t, checkpolicy_exec_t; - - class file rx_file_perms - class process { transition noatsecure siginh rlimitinh sigchld sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute checkpolicy in the checkpolicy domain, and -## allow the specified role the checkpolicy domain, -## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the checkpolicy domain. -## -## -## The type of the terminal allow the checkpolicy domain to use. -## -## -# -define(`selinux_run_checkpol',` - gen_require(`$0'_depend) - - selinux_domtrans_checkpol($1) - role $2 types checkpolicy_t; - allow checkpolicy_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_checkpol_depend',` - type checkpolicy_t; - - class chr_file { getattr read write ioctl }; -') - -####################################### -# -# selinux_exec_checkpol(domain) -# -define(`selinux_exec_checkpol',` - gen_require(`$0'_depend) - - can_exec($1,checkpolicy_exec_t) -') - -define(`selinux_exec_checkpol_depend',` - type checkpolicy_exec_t; - - class file { rx_file_perms execute_no_trans }; -') - -####################################### -## -## -## Execute load_policy in the load_policy domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_loadpol',` - gen_require(`$0'_depend) - - allow $1 load_policy_exec_t:file rx_file_perms; - allow $1 load_policy_t:process transition; - type_transition $1 load_policy_exec_t:process load_policy_t; - dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; - - allow $1 load_policy_t:fd use; - allow load_policy_t $1:fd use; - allow load_policy_t $1:fifo_file rw_file_perms; - allow load_policy_t $1:process sigchld; -') - -define(`selinux_domtrans_loadpol_depend',` - type load_policy_t, load_policy_exec_t; - - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute load_policy in the load_policy domain, and -## allow the specified role the load_policy domain, -## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the load_policy domain. -## -## -## The type of the terminal allow the load_policy domain to use. -## -## -# -define(`selinux_run_loadpol',` - gen_require(`$0'_depend) - - selinux_domtrans_loadpol($1) - role $2 types load_policy_t; - allow load_policy_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_loadpol_depend',` - type load_policy_t; - - class chr_file { getattr read write ioctl }; -') - -####################################### -# -# selinux_exec_loadpol(domain) -# -define(`selinux_exec_loadpol',` - gen_require(`$0'_depend) - - can_exec($1,load_policy_exec_t) -') - -define(`selinux_exec_loadpol_depend',` - type load_policy_exec_t; - - class file { rx_file_perms execute_no_trans }; -') - -####################################### -# -# selinux_read_loadpol(domain) -# -define(`selinux_read_loadpol',` - gen_require(`$0'_depend) - - allow $1 load_policy_exec_t:file r_file_perms; -') - -define(`selinux_read_loadpol_depend',` - type load_policy_exec_t; - - class file r_file_perms -') - -####################################### -## -## -## Execute newrole in the load_policy domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_newrole',` - gen_require(`$0'_depend) - - allow $1 newrole_exec_t:file rx_file_perms; - allow $1 newrole_t:process transition; - type_transition $1 newrole_exec_t:process newrole_t; - dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; - - allow $1 newrole_t:fd use; - allow newrole_t $1:fd use; - allow newrole_t $1:fifo_file rw_file_perms; - allow newrole_t $1:process sigchld; -') - -define(`selinux_domtrans_newrole_depend',` - type newrole_t, newrole_exec_t; - - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute newrole in the newrole domain, and -## allow the specified role the newrole domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the newrole domain. -## -## -## The type of the terminal allow the newrole domain to use. -## -## -# -define(`selinux_run_newrole',` - gen_require(`$0'_depend) - - selinux_domtrans_newrole($1) - role $2 types newrole_t; - allow newrole_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_newrole_depend',` - type newrole_t; - - class chr_file { getattr read write ioctl }; -') - -####################################### -# -# selinux_exec_newrole(domain) -# -define(`selinux_exec_newrole',` - gen_require(`$0'_depend) - - can_exec($1,newrole_exec_t) -') - -define(`selinux_exec_newrole_depend',` - type newrole_t, newrole_exec_t; - - class file { rx_file_perms execute_no_trans }; -') - -######################################## -## -## -## Do not audit the caller attempts to send -## a signal to newrole. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_dontaudit_newrole_signal',` - gen_require(`$0'_depend) - - dontaudit $1 newrole_t:process signal; -') - -define(`selinux_dontaudit_newrole_signal_depend',` - type newrole_t; - - class process signal; -') - -####################################### -# -# selinux_newrole_sigchld(domain) -# -define(`selinux_newrole_sigchld',` - gen_require(`$0'_depend) - - allow $1 newrole_t:process sigchld; -') - -define(`selinux_newrole_sigchld_depend',` - type newrole_t; - - class process sigchld; -') - -####################################### -# -# selinux_use_newrole_fd(domain) -# -define(`selinux_use_newrole_fd',` - gen_require(`$0'_depend) - - allow $1 newrole_t:fd use; -') - -define(`selinux_use_newrole_fd_depend',` - type newrole_t; - - class fd use; -') - -####################################### -## -## -## Execute restorecon in the restorecon domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_restorecon',` - gen_require(`$0'_depend) - - allow $1 restorecon_exec_t:file rx_file_perms; - allow $1 restorecon_t:process transition; - type_transition $1 restorecon_exec_t:process restorecon_t; - dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; - - allow $1 restorecon_t:fd use; - allow restorecon_t $1:fd use; - allow restorecon_t $1:fifo_file rw_file_perms; - allow restorecon_t $1:process sigchld; -') - -define(`selinux_domtrans_restorecon_depend',` - type restorecon_t, restorecon_exec_t; - - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute restorecon in the restorecon domain, and -## allow the specified role the restorecon domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the restorecon domain. -## -## -## The type of the terminal allow the restorecon domain to use. -## -## -# -define(`selinux_run_restorecon',` - gen_require(`$0'_depend) - - selinux_domtrans_restorecon($1) - role $2 types restorecon_t; - allow restorecon_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_restorecon_depend',` - type restorecon_t; - - class chr_file { getattr read write ioctl }; -') - -####################################### -# -# selinux_exec_restorecon(domain) -# -define(`selinux_exec_restorecon',` -gen_require(`$0'_depend) - can_exec($1,restorecon_exec_t) -') - -define(`selinux_exec_restorecon_depend',` - type restorecon_t, restorecon_exec_t; - - class file { rx_file_perms execute_no_trans }; -') - -######################################## -## -## -## Execute run_init in the run_init domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_runinit',` - gen_require(`$0'_depend) - - allow $1 run_init_exec_t:file rx_file_perms; - allow $1 run_init_t:process transition; - type_transition $1 run_init_exec_t:process run_init_t; - dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; - - allow $1 run_init_t:fd use; - allow run_init_t $1:fd use; - allow run_init_t $1:fifo_file rw_file_perms; - allow run_init_t $1:process sigchld; -') - -define(`selinux_domtrans_runinit_depend',` - type run_init_t, run_init_exec_t; - - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute run_init in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the run_init domain. -## -## -## The type of the terminal allow the run_init domain to use. -## -## -# -define(`selinux_run_runinit',` - gen_require(`$0'_depend) - - selinux_domtrans_runinit($1) - role $2 types run_init_t; - allow run_init_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_runinit_depend',` - type run_init_t; - - class chr_file { getattr read write ioctl }; -') - -######################################## -# -# selinux_use_runinit_fd(domain) -# -define(`selinux_use_runinit_fd',` - gen_require(`$0'_depend) - - allow $1 run_init_t:fd use; -') - -define(`selinux_use_runinit_fd_depend',` - type run_init_t; - - class fd use; -') - -######################################## -## -## -## Execute setfiles in the setfiles domain. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_domtrans_setfiles',` - gen_require(`$0'_depend) - - allow $1 setfiles_exec_t:file rx_file_perms; - allow $1 setfiles_t:process transition; - type_transition $1 setfiles_exec_t:process setfiles_t; - dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; - - allow $1 setfiles_t:fd use; - allow setfiles_t $1:fd use; - allow setfiles_t $1:fifo_file rw_file_perms; - allow setfiles_t $1:process sigchld; -') - -define(`selinux_domtrans_setfiles_depend',` - type setfiles_t, setfiles_exec_t; - - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh sigchld }; - class fd use; - class fifo_file rw_file_perms; -') - -######################################## -## -## -## Execute setfiles in the setfiles domain, and -## allow the specified role the setfiles domain, -## and use the caller's terminal. -## -## -## The type of the process performing this action. -## -## -## The role to be allowed the setfiles domain. -## -## -## The type of the terminal allow the setfiles domain to use. -## -## -# -define(`selinux_run_setfiles',` - gen_require(`$0'_depend) - - selinux_domtrans_setfiles($1) - role $2 types setfiles_t; - allow setfiles_t $3:chr_file { getattr read write ioctl }; -') - -define(`selinux_run_setfiles_depend',` - type setfiles_t; - - class chr_file { getattr read write ioctl }; -') - -####################################### -# -# selinux_exec_setfiles(domain) -# -define(`selinux_exec_setfiles',` - gen_require(`$0'_depend) - - can_exec($1,setfiles_exec_t) -') - -define(`selinux_exec_setfiles_depend',` - type setfiles_exec_t; - - class file { rx_file_perms execute_no_trans }; -') - -######################################## -# -# selinux_read_config(domain) -# -define(`selinux_read_config',` - gen_require(`$0'_depend) - - allow $1 selinux_config_t:dir r_dir_perms; - allow $1 selinux_config_t:file r_file_perms; -') - -define(`selinux_read_config_depend',` - type selinux_config_t; - - class dir r_dir_perms; - class file r_file_perms; -') - -######################################## -# -# selinux_read_default_contexts(domain) -# -define(`selinux_read_default_contexts',` - gen_require(`$0'_depend) - - allow $1 selinux_config_t:dir search; - allow $1 default_context_t:dir r_dir_perms; - allow $1 default_context_t:file r_file_perms; -') - -define(`selinux_read_default_contexts_depend',` - type selinux_config_t, default_context_t; - - class dir r_dir_perms; - class file r_file_perms; -') - -######################################## -# -# selinux_read_file_contexts(domain) -# -define(`selinux_read_file_contexts',` - gen_require(`$0'_depend) - - allow $1 selinux_config_t:dir search; - allow $1 file_context_t:dir r_dir_perms; - allow $1 file_context_t:file r_file_perms; -') - -define(`selinux_read_file_contexts_depend',` - type selinux_config_t, file_context_t; - - class dir r_dir_perms; - class file r_file_perms; -') - -######################################## -# -# selinux_read_binary_pol(domain) -# -define(`selinux_read_binary_pol',` - gen_require(`$0'_depend) - - allow $1 policy_config_t:dir r_dir_perms; - allow $1 policy_config_t:file r_file_perms; -') - -define(`selinux_read_binary_pol_depend',` - type policy_config_t; - - class dir r_dir_perms; - class file r_file_perms; -') - -######################################## -# -# selinux_write_binary_pol(domain) -# -define(`selinux_write_binary_pol',` - gen_require(`$0'_depend) - - allow $1 policy_config_t:dir rw_dir_perms; - allow $1 policy_config_t:file { getattr create write unlink }; - typeattribute $1 can_write_binary_policy; -') - -define(`selinux_write_binary_pol_depend',` - attribute can_write_binary_policy; - - type policy_config_t; - - class dir rw_dir_perms; - class file { getattr create write unlink }; -') - -######################################## -## -## -## Allow the caller to relabel a file to the binary policy type. -## -## -## The type of the process performing this action. -## -## -# -define(`selinux_relabelto_binary_pol',` - gen_require(`$0'_depend) - - allow $1 policy_config_t:file relabelto; - typeattribute $1 can_relabelto_binary_policy; -') - -define(`selinux_relabelto_binary_pol_depend',` - attribute can_relabelto_binary_policy; - - type policy_config_t; - - class file relabelto; -') - -######################################## -# -# selinux_manage_binary_pol(domain) -# -define(`selinux_manage_binary_pol',` - gen_require(`$0'_depend) - - # FIXME: search etc_t:dir - allow $1 selinux_config_t:dir search; - allow $1 policy_config_t:dir r_dir_perms; - allow $1 policy_config_t:file create_file_perms; - typeattribute $1 can_write_binary_policy; -') - -define(`selinux_manage_binary_pol_depend',` - attribute can_write_binary_policy; - - type selinux_config_t, policy_config_t; - class dir create_dir_perms; - class file create_file_perms; -') - -######################################## -# -# selinux_read_src_pol(domain) -# -define(`selinux_read_src_pol',` - gen_require(`$0'_depend) - - # FIXME: search etc_t:dir - allow $1 selinux_config_t:dir search; - allow $1 policy_src_t:dir r_dir_perms; - allow $1 policy_src_t:file r_file_perms; -') - -define(`selinux_read_src_pol_depend',` - type selinux_config_t, policy_src_t; - - class dir r_dir_perms; - class file r_file_perms; -') - -######################################## -# -# selinux_manage_src_pol(domain) -# -define(`selinux_manage_src_pol',` - gen_require(`$0'_depend) - - # FIXME: search etc_t:dir - allow $1 selinux_config_t:dir search; - allow $1 policy_src_t:dir create_dir_perms; - allow $1 policy_src_t:file create_file_perms; -') - -define(`selinux_manage_src_pol_depend',` - type selinux_config_t, policy_src_t; - - class dir create_dir_perms; - class file create_file_perms; -') - -## diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te deleted file mode 100644 index 6027d4a..0000000 --- a/refpolicy/policy/modules/system/selinux.te +++ /dev/null @@ -1,467 +0,0 @@ - -policy_module(selinux,1.0) - -######################################## -# -# Declarations -# - -attribute can_write_binary_policy; -attribute can_relabelto_binary_policy; - -type checkpolicy_t, can_write_binary_policy; -domain_type(checkpolicy_t) -role system_r types checkpolicy_t; - -type checkpolicy_exec_t; -domain_entry_file(checkpolicy_t,checkpolicy_exec_t) - -# -# default_context_t is the type applied to -# /etc/selinux/*/contexts/* -# -type default_context_t; -files_file_type(default_context_t) - -# -# file_context_t is the type applied to -# /etc/selinux/*/contexts/files -# -type file_context_t; -files_file_type(file_context_t) - -type load_policy_t; -domain_type(load_policy_t) -role system_r types load_policy_t; - -type load_policy_exec_t; -domain_entry_file(load_policy_t,load_policy_exec_t) - -type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; -domain_role_change_exempt(newrole_t) -domain_obj_id_change_exempt(newrole_t) -domain_type(newrole_t) -domain_wide_inherit_fd(newrole_t) - -type newrole_exec_t; -domain_entry_file(newrole_t,newrole_exec_t) - -# -# policy_config_t is the type of /etc/security/selinux/* -# the security server policy configuration. -# -type policy_config_t; -files_file_type(policy_config_t) - -neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; -neverallow ~can_write_binary_policy policy_config_t:file { write append }; - -# -# policy_src_t is the type of the policy source -# files. -# -type policy_src_t; -files_file_type(policy_src_t) - -type restorecon_t, can_relabelto_binary_policy; -type restorecon_exec_t; -domain_obj_id_change_exempt(restorecon_t) -init_system_domain(restorecon_t,restorecon_exec_t) -role system_r types restorecon_t; - -type run_init_t; -domain_type(run_init_t) - -type run_init_exec_t; -domain_entry_file(run_init_t,run_init_exec_t) - -# -# selinux_config_t is the type applied to -# /etc/selinux/config -# -type selinux_config_t; -files_file_type(selinux_config_t) - -type setfiles_t, can_relabelto_binary_policy; -domain_obj_id_change_exempt(setfiles_t) -domain_type(setfiles_t) -role system_r types setfiles_t; - -type setfiles_exec_t; -domain_entry_file(setfiles_t,setfiles_exec_t) - -######################################## -# -# Checkpolicy local policy -# - -allow checkpolicy_t self:capability dac_override; - -# able to create and modify binary policy files -allow checkpolicy_t policy_config_t:dir rw_dir_perms; -allow checkpolicy_t policy_config_t:file create_file_perms; - -# allow test policies to be created in src directories -allow checkpolicy_t policy_src_t:dir rw_dir_perms; -type_transition checkpolicy_t policy_src_t:file policy_config_t; - -# only allow read of policy source files -allow checkpolicy_t policy_src_t:dir r_dir_perms; -allow checkpolicy_t policy_src_t:file r_file_perms; -allow checkpolicy_t policy_src_t:lnk_file r_file_perms; -allow checkpolicy_t selinux_config_t:dir search; - -fs_getattr_xattr_fs(checkpolicy_t) - -term_use_console(checkpolicy_t) - -domain_use_wide_inherit_fd(checkpolicy_t) - -# directory search permissions for path to source and binary policy files -files_search_etc(checkpolicy_t) - -init_use_fd(checkpolicy_t) -init_use_script_pty(checkpolicy_t) - -libs_use_ld_so(checkpolicy_t) -libs_use_shared_libs(checkpolicy_t) - -userdom_use_all_user_fd(checkpolicy_t) - -ifdef(`TODO',` -# Read the devpts root directory. -ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') -') dnl endif TODO - -######################################## -# -# Load_policy local policy -# - -allow load_policy_t self:capability dac_override; - -# only allow read of policy config files -allow load_policy_t policy_src_t:dir search; -allow load_policy_t policy_config_t:dir r_dir_perms; -allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms; - -allow load_policy_t selinux_config_t:dir r_dir_perms; -allow load_policy_t selinux_config_t:file r_file_perms; -allow load_policy_t selinux_config_t:lnk_file r_file_perms; - -kernel_get_selinuxfs_mount_point(load_policy_t) -kernel_load_policy(load_policy_t) -kernel_set_boolean(load_policy_t) - -fs_getattr_xattr_fs(load_policy_t) - -term_use_console(load_policy_t) -term_list_ptys(load_policy_t) - -init_use_script_fd(load_policy_t) -init_use_script_pty(load_policy_t) - -domain_use_wide_inherit_fd(load_policy_t) - -files_search_etc(load_policy_t) - -libs_use_ld_so(load_policy_t) -libs_use_shared_libs(load_policy_t) - -miscfiles_read_localization(load_policy_t) - -userdom_use_all_user_fd(load_policy_t) - -######################################## -# -# Newrole local policy -# - -allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; - -allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; -allow newrole_t self:process setexec; -allow newrole_t self:fd use; -allow newrole_t self:fifo_file rw_file_perms; -allow newrole_t self:unix_dgram_socket sendto; -allow newrole_t self:unix_stream_socket connectto; -allow newrole_t self:shm create_shm_perms; -allow newrole_t self:sem create_sem_perms; -allow newrole_t self:msgq create_msgq_perms; -allow newrole_t self:msg { send receive }; - -allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; -allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; -allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; - -kernel_read_system_state(newrole_t) -kernel_read_kernel_sysctl(newrole_t) -kernel_get_selinuxfs_mount_point(newrole_t) -kernel_validate_context(newrole_t) -kernel_compute_access_vector(newrole_t) -kernel_compute_create_context(newrole_t) -kernel_compute_relabel_context(newrole_t) -kernel_compute_reachable_user_contexts(newrole_t) - -dev_read_urand(newrole_t) - -fs_getattr_xattr_fs(newrole_t) - -term_use_all_user_ttys(newrole_t) -term_use_all_user_ptys(newrole_t) - -auth_domtrans_chk_passwd(newrole_t) - -domain_use_wide_inherit_fd(newrole_t) - -# Write to utmp. -init_rw_script_pid(newrole_t) - -files_read_generic_etc_files(newrole_t) - -libs_use_ld_so(newrole_t) -libs_use_shared_libs(newrole_t) - -logging_send_syslog_msg(newrole_t) - -miscfiles_read_localization(newrole_t) - -userdom_use_unpriv_users_fd(newrole_t) - -ifdef(`TODO',` - -can_ypbind(newrole) -ifdef(`automount.te', ` -allow newrole_t autofs_t:dir { search getattr }; -') - -# for when the user types "exec newrole" at the command line -allow newrole_t privfd:process sigchld; - -# Execute /sbin/pwdb_chkpwd to check the password. -allow newrole_t sbin_t:dir r_dir_perms; - -# Execute shells -allow newrole_t bin_t:dir r_dir_perms; -allow newrole_t bin_t:lnk_file read; - -# Allow newrole_t to transition to user domains. -bool secure_mode false; -domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) -if(!secure_mode) -{ - # if we are not in secure mode then we can transition to sysadm_t - domain_trans(newrole_t, shell_exec_t, sysadm_t) -} - -# Read /var. -allow newrole_t var_t:dir r_dir_perms; -allow newrole_t var_t:notdevfile_class_set r_file_perms; - -# Relabel terminals. -allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; - -ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') - -# for some PAM modules and for cwd -dontaudit newrole_t { home_root_t home_type }:dir search; -') dnl ifdef TODO - -######################################## -# -# Restorecon local policy -# - -allow restorecon_t self:capability { dac_override dac_read_search fowner }; - -allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; -allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; -allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; - -kernel_use_fd(restorecon_t) -kernel_read_system_state(restorecon_t) -kernel_get_selinuxfs_mount_point(restorecon_t) -kernel_validate_context(restorecon_t) -kernel_compute_access_vector(restorecon_t) -kernel_compute_create_context(restorecon_t) -kernel_compute_relabel_context(restorecon_t) -kernel_compute_reachable_user_contexts(restorecon_t) - -fs_getattr_xattr_fs(restorecon_t) - -term_use_unallocated_tty(restorecon_t) - -init_use_fd(restorecon_t) -init_use_script_pty(restorecon_t) - -domain_use_wide_inherit_fd(restorecon_t) - -files_read_etc_runtime_files(restorecon_t) -files_read_generic_etc_files(restorecon_t) - -libs_use_ld_so(restorecon_t) -libs_use_shared_libs(restorecon_t) - -logging_send_syslog_msg(restorecon_t) - -userdom_use_all_user_fd(restorecon_t) - -optional_policy(`hotplug.te',` - hotplug_use_fd(restorecon_t) -') - -# relabeling rules -kernel_relabel_unlabeled(restorecon_t) -dev_relabel_all_dev_nodes(restorecon_t) - -files_relabel_all_files(restorecon_t) -files_list_all_dirs(restorecon_t) -# this is to satisfy the assertion: -auth_relabelto_shadow(restorecon_t) - -ifdef(`distro_redhat', ` -fs_use_tmpfs_character_devices(restorecon_t) -fs_use_tmpfs_block_devices(restorecon_t) -fs_relabel_tmpfs_block_devices(restorecon_t) -fs_relabel_tmpfs_character_devices(restorecon_t) -') - -ifdef(`TODO',` - -# for upgrading glibc and other shared objects - without this the upgrade -# scripts will put things in a state such that restorecon can not be run! -allow restorecon_t lib_t:file { read execute }; - -allow restorecon_t fs_type:dir r_dir_perms; - -allow restorecon_t device_t:file { read write }; -allow restorecon_t kernel_t:fifo_file { read write }; -') dnl endif TODO - -################################# -# -# Run_init local policy -# - -kernel_get_selinuxfs_mount_point(run_init_t) -kernel_validate_context(run_init_t) -kernel_compute_access_vector(run_init_t) -kernel_compute_create_context(run_init_t) -kernel_compute_relabel_context(run_init_t) -kernel_compute_reachable_user_contexts(run_init_t) - -ifdef(`targeted_policy',`',` - allow run_init_t self:process setexec; - allow run_init_t self:capability setuid; - - allow run_init_t self:fifo_file rw_file_perms; - - # often the administrator runs such programs from a directory that is owned - # by a different user or has restrictive SE permissions, do not want to audit - # the failed access to the current directory - dontaudit run_init_t self:capability { dac_override dac_read_search }; - - fs_getattr_xattr_fs(run_init_t) - - dev_dontaudit_list_all_dev_nodes(run_init_t) - - term_dontaudit_list_ptys(run_init_t) - - auth_domtrans_chk_passwd(run_init_t) - auth_dontaudit_read_shadow(run_init_t) - - corecmd_exec_bin(run_init_t) - corecmd_exec_shell(run_init_t) - - domain_use_wide_inherit_fd(run_init_t) - - files_read_generic_etc_files(run_init_t) - files_dontaudit_search_all_dirs(run_init_t) - - init_domtrans_script(run_init_t) - # for utmp - init_rw_script_pid(run_init_t) - - libs_use_ld_so(run_init_t) - libs_use_shared_libs(run_init_t) - - selinux_read_config(run_init_t) - selinux_read_default_contexts(run_init_t) - - miscfiles_read_localization(run_init_t) - - logging_send_syslog_msg(run_init_t) -') dnl end ifdef targeted policy - -ifdef(`TODO',` - -ifdef(`distro_gentoo', ` - # Gentoo integrated run_init+open_init_pty-runscript: - domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) - domain_entry_file(run_init_t,initrc_exec_t) -') -') dnl end TODO - -######################################## -# -# Setfiles local policy -# - -allow setfiles_t self:capability { dac_override dac_read_search fowner }; - -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; - -kernel_read_system_state(setfiles_t) -kernel_get_selinuxfs_mount_point(setfiles_t) -kernel_validate_context(setfiles_t) -kernel_compute_access_vector(setfiles_t) -kernel_compute_create_context(setfiles_t) -kernel_compute_relabel_context(setfiles_t) -kernel_compute_reachable_user_contexts(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) - -term_use_all_user_ttys(setfiles_t) -term_use_all_user_ptys(setfiles_t) -term_use_unallocated_tty(setfiles_t) - -init_use_fd(setfiles_t) -init_use_script_fd(setfiles_t) -init_use_script_pty(setfiles_t) - -domain_use_wide_inherit_fd(setfiles_t) - -libs_use_ld_so(setfiles_t) -libs_use_shared_libs(setfiles_t) - -files_read_etc_runtime_files(setfiles_t) -files_read_generic_etc_files(setfiles_t) - -logging_send_syslog_msg(setfiles_t) - -miscfiles_read_localization(setfiles_t) - -userdom_use_all_user_fd(setfiles_t) -# for config files in a home directory -userdom_read_all_user_data(setfiles_t) - -# relabeling rules -kernel_relabel_unlabeled(setfiles_t) -dev_relabel_all_dev_nodes(setfiles_t) -files_list_all_dirs(setfiles_t) -files_relabel_all_files(setfiles_t) -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - -ifdef(`TODO',` -# for upgrading glibc and other shared objects - without this the upgrade -# scripts will put things in a state such that setfiles can not be run! -allow setfiles_t lib_t:file { read execute }; - -allow setfiles_t unlabeled_t:dir read; - -allow setfiles_t fs_type:dir r_dir_perms; - -') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc index fb39d89..13db385 100644 --- a/refpolicy/policy/modules/system/selinuxutil.fc +++ b/refpolicy/policy/modules/system/selinuxutil.fc @@ -1,3 +1,4 @@ +# SELinux userland utilities # # /etc diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 433d28e..5a4a99f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -1,4 +1,4 @@ -## +## ## Policy for SELinux policy and userland applications. ####################################### diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 6027d4a..81aea9a 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinux,1.0) +policy_module(selinuxutil,1.0) ######################################## #