From efd8ede34d97578cc661c53f63f480050cdb3bf4 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 25 2005 20:58:21 +0000 Subject: many fixes from cab testing --- diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 9803431..988ee39 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -266,6 +266,8 @@ terminal_get_general_physical_terminal_attributes(rpm_script_t) terminal_list_pseudoterminals(rpm_script_t) authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t) +# ideally we would not need this +authlogin_manage_all_files_except_shadow(rpm_script_t) corecommands_execute_general_programs(rpm_script_t) corecommands_execute_system_programs(rpm_script_t) @@ -307,8 +309,6 @@ ifdef(`TODO',` allow rpm_script_t sysfs_t:dir r_dir_perms; # ideally we would not need this -allow rpm_script_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename }; allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename }; allow rpm_script_t usr_t:file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 9e28046..742e7a5 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if 
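Review bot: The added `authlogin_manage_all_files_except_shadow(rpm_script_t)` grants more than the two rules it retires from the second hunk: `files_manage_all_files`, which it wraps (files.if hunk in this commit), also calls `selinux_write_binary_policy($1)` and `bootloader_modify_kernel_modules($1)`, and the two removed `allow` lines sat inside an `ifdef(`TODO',`` block, so this is newly effective access rather than a port. The one-line comment should say what is being accepted, e.g. `# ideally we would not need this: manage on all of file_type except shadow_t, plus binary policy write and kernel module modification via files_manage_all_files()`.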
@@ -300,9 +300,11 @@ define(`bootloader_modify_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:file { getattr create read write setattr unlink };
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+typeattribute $1 can_modify_kernel_modules;
 ')
 
 define(`bootloader_modify_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
 type modules_object_t;
 class file { getattr create read write setattr unlink };
 class dir { getattr search read write add_name remove_name };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 151b359..d64ae40 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -427,84 +427,34 @@ class chr_file { getattr write ioctl }; ######################################## # -# devices_read_dev_null(domain) -# -define(`devices_read_dev_null',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; -allow $1 null_device_t:chr_file { getattr read }; -') - -define(`devices_read_dev_null_depend',` -type device_t, null_device_t; -class device_t:dir { getattr read search }; -class chr_file { getattr read }; -') - -######################################## -# -# devices_write_dev_null(domain) -# -define(`devices_write_dev_null',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr read search }; -allow $1 null_device_t:chr_file { getattr append write }; -') - -define(`devices_write_dev_null_depend',` -type device_t, null_device_t; -class device_t:dir { getattr read search }; -class chr_file { getattr append write }; -') - -######################################## -# # devices_use_dev_null(domain) # define(`devices_use_dev_null',` -devices_read_dev_null($1) -devices_write_dev_null($1) -') - -######################################## -# -# devices_read_dev_zero(domain) -# -define(`devices_read_dev_zero',` requires_block_template(`$0'_depend) allow $1 device_t:dir { getattr read search }; -allow $1 zero_device_t:chr_file { getattr read }; +allow $1 null_device_t:chr_file { getattr read write append ioctl }; ') -define(`devices_read_dev_zero_depend',` -type device_t, zero_device_t; +define(`devices_use_dev_null_depend',` +type device_t, null_device_t; class device_t:dir { getattr read search }; -class chr_file { getattr read }; +class chr_file { getattr read write append ioctl }; ') ######################################## # -# devices_write_dev_zero(domain) +# devices_use_dev_zero(domain) # -define(`devices_write_dev_zero',` +define(`devices_use_dev_zero',` requires_block_template(`$0'_depend) allow $1 device_t:dir { getattr read search }; -allow $1 zero_device_t:chr_file { getattr append write 
}; +allow $1 zero_device_t:chr_file { getattr read write append ioctl }; ') -define(`devices_write_dev_zero_depend',` +define(`devices_use_dev_zero_depend',` type device_t, zero_device_t; class device_t:dir { getattr read search }; -class chr_file { getattr append write }; -') - -######################################## -# -# devices_use_dev_zero(domain) -# -define(`devices_use_dev_zero',` -devices_read_dev_zero($1) -devices_write_dev_zero($1) +class chr_file { getattr read write append ioctl }; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index e226fec..6f566b9 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -973,6 +973,29 @@ class chr_file { getattr read write ioctl }; ') ######################################## +## +## +## Relabel character nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_relabel_tmpfs_character_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read }; +allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; +') + +define(`filesystem_relabel_tmpfs_character_devices_depend',` +type tmpfs_t; +class dir { getattr search read }; +class chr_file { getattr relabelfrom relabelto }; +') + +######################################## ## ## ## Read and write block nodes on tmpfs filesystems. 
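Review bot: `devices_read_dev_null`, `devices_write_dev_null`, `devices_read_dev_zero` and `devices_write_dev_zero` are deleted outright rather than kept as wrappers, so any module still calling one of them presumably fails at m4 expansion (no callers are touched elsewhere in this commit), and a domain that only needs to read /dev/zero now has to take `write append ioctl` as well. If folding them into the `use` interfaces is intended, say so in the `devices_use_dev_null` header, e.g. `# replaces the former devices_read_dev_null/devices_write_dev_null interfaces`, and likewise for dev_zero; otherwise keep the read-only variants.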
@@ -996,6 +1019,29 @@ class blk_file { getattr read write ioctl }; ') ######################################## +## +## +## Relabel block nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +## +## +# +define(`filesystem_relabel_tmpfs_block_devices',` +requires_block_template(`$0'_depend) +allow $1 tmpfs_t:dir { getattr search read }; +allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; +') + +define(`filesystem_use_tmpfs_block_devices_depend',` +type tmpfs_t; +class dir { getattr search read }; +class blk_file { getattr relabelfrom relabelto }; +') + +######################################## ## ## ## Read and write, create and delete character diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index c8c904e..8b4c7e2 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -94,15 +94,19 @@ filesystem_get_all_filesystems_attributes(crond_t) terminal_ignore_use_console(crond_t) -init_use_file_descriptors(crond_t) -init_script_use_pseudoterminal(crond_t) +# need auth_chkpwd to check for locked accounts. +authlogin_check_password_transition(crond_t) + +corecommands_execute_shell(crond_t) +corecommands_read_system_programs_directory(crond_t) domain_use_widely_inheritable_file_descriptors(crond_t) files_read_general_system_config(crond_t) +files_read_system_spools(crond_t) -corecommands_execute_shell(crond_t) -corecommands_read_system_programs_directory(crond_t) +init_use_file_descriptors(crond_t) +init_script_use_pseudoterminal(crond_t) libraries_use_dynamic_loader(crond_t) libraries_use_shared_libraries(crond_t) 
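Review bot: The dependency block for the new `filesystem_relabel_tmpfs_block_devices` is defined under the wrong name, `filesystem_use_tmpfs_block_devices_depend`, so `requires_block_template(`$0'_depend)` in the interface looks for `filesystem_relabel_tmpfs_block_devices_depend`, which this hunk never defines, while the misnamed block overrides the existing depend macro whose tail (`class blk_file { getattr read write ioctl };`) is this hunk's leading context — presumably dropping `read write ioctl` from the requirements of every `filesystem_use_tmpfs_block_devices` caller. The character-device twin in the previous hunk is named correctly, which makes this look like a copy-and-paste slip. Change the line to `define(`filesystem_relabel_tmpfs_block_devices_depend',``.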
@@ -115,8 +119,7 @@ selinux_newrole_sigchld(crond_t) miscfiles_read_localization(crond_t) -# need auth_chkpwd to check for locked accounts. -authlogin_check_password_transition(crond_t) +userdomain_use_all_unprivileged_users_file_descriptors(crond_t) tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; @@ -136,7 +139,6 @@ ifdef(`TODO',` # NB The constraints file has some entries for crond_t, this makes it # different from all other domains... -allow crond_t unpriv_userdomain:fd use; allow crond_t autofs_t:dir { search getattr }; dontaudit crond_t sysadm_home_dir_t:dir search; @@ -153,18 +155,15 @@ allow crond_t autofs_t:dir { search getattr }; # Read from /var/spool/cron. allow crond_t var_lib_t:dir search; -allow crond_t var_spool_t:dir r_dir_perms; -allow crond_t var_spool_t:file { getattr read }; allow crond_t mail_spool_t:dir search; +# for if /var/mail is a symlink +allow crond_t mail_spool_t:lnk_file read; allow crond_t default_t:dir search; # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; -# for if /var/mail is a symlink -allow crond_t mail_spool_t:lnk_file read; - # to search /home allow crond_t user_home_dir_type:dir r_dir_perms; @@ -269,6 +268,9 @@ files_get_all_file_attributes(system_crond_t) files_read_general_application_resources(system_crond_t) # for nscd: files_ignore_search_runtime_data_directory(system_crond_t) +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +files_manage_system_spools(system_crond_t) corecommands_execute_general_programs(system_crond_t) corecommands_execute_system_programs(system_crond_t) 
@@ -324,14 +326,9 @@ allow system_crond_t var_t:file { getattr read ioctl }; allow system_crond_t var_lib_t:dir rw_dir_perms; allow system_crond_t var_lib_t:file create_file_perms; -# Access other spool directories like -# /var/spool/anacron and /var/spool/slrnpull. -allow system_crond_t var_spool_t:file create_file_perms; -allow system_crond_t var_spool_t:dir rw_dir_perms; # for if /var/mail is a symlink allow system_crond_t mail_spool_t:lnk_file read; - # # These rules are here to allow system cron jobs to su # @@ -360,7 +357,6 @@ mta_send_mail_transition(system_crond_t) # system_mail_t should only be reading from the cron fifo not needing to write dontaudit system_mail_t crond_t:fifo_file write; allow mta_user_agent system_crond_t:fd use; -allow mta_user_agent system_crond_t:fd use; r_dir_file(system_mail_t, crond_tmp_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index ecaf4d1..de01298 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if 
@@ -441,6 +441,58 @@ class lnk_file { create read getattr setattr link unlink rename }; ') ######################################## +## +## +## Relabel all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +## +# + +define(`authlogin_relabel_all_files_except_shadow',` +requires_block_template(`$0'_depend) +files_relabel_all_files($1,$2 -shadow_t) +') + +define(`authlogin_relabel_all_files_except_shadow_depend',` +type shadow_t; +') + +######################################## +## +## +## Manage all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +## +# + +define(`authlogin_manage_all_files_except_shadow',` +requires_block_template(`$0'_depend) +files_manage_all_files($1,$2 -shadow_t) +') + +define(`authlogin_manage_all_files_except_shadow_depend',` +type shadow_t; +') + +######################################## ## ## ## Execute utempter programs in the utempter domain. diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 3246c7a..42de0c9 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -62,7 +62,7 @@ define(`domain_make_entrypoint_file',` requires_block_template(`$0'_depend) allow $1 $2:file entrypoint; files_make_file($2) -typeattribute $1 entry_type; +typeattribute $2 entry_type; ') define(`domain_make_entrypoint_file_depend',` diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 03542e2..6735cf0 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
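Review bot: `perfoming` is misspelled in both new parameter descriptions in this hunk (`authlogin_relabel_all_files_except_shadow` and `authlogin_manage_all_files_except_shadow`) and again in the files.if hunks that add `files_relabel_all_files` and `files_manage_all_files`; it should read `The type of the domain performing this action.` Both interfaces also forward `$2 -shadow_t` into a `{ file_type $2 }` set, so an exclusion passed without its leading `-` silently widens the set instead of narrowing it; the text says the caller must negate it, but a one-line example in the parameter description, e.g. `## e.g. authlogin_manage_all_files_except_shadow(foo_t, -bar_t)`, would make that concrete. All callers in this commit pass a single argument, which m4 accepts by leaving `$2` empty.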
@@ -99,7 +99,7 @@ attribute tmpfsfile;
 ########################################
 #
 # files_get_all_file_attributes(domain)
-#
+
 define(`files_get_all_file_attributes',`
 requires_block_template(`$0'_depend)
 allow $1 file_type:dir { search getattr };
@@ -119,23 +119,37 @@ class sock_file getattr; ') ######################################## +## +## +## Relabel all files on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +## # -# files_manage_all_files_labels(type) -# -define(`files_manage_all_files_labels',` +define(`files_relabel_all_files',` requires_block_template(`$0'_depend) -allow $1 file_type:dir { getattr relabelfrom relabelto }; -allow $1 file_type:file { getattr relabelfrom relabelto }; -allow $1 file_type:lnk_file { getattr relabelfrom relabelto }; -allow $1 file_type:fifo_file { getattr relabelfrom relabelto }; -allow $1 file_type:sock_file { getattr relabelfrom relabelto }; -allow $1 file_type:blk_file { getattr relabelfrom }; -allow $1 file_type:chr_file { getattr relabelfrom }; -') - -define(`files_manage_all_files_labels_depend',` +allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto }; +allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; +allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; +allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; +allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto }; +allow $1 { file_type $2 }:blk_file { getattr relabelfrom }; +allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; +# satisfy the assertions: +selinux_relabelto_binary_policy($1) +') + +define(`files_relabel_all_files_depend',` attribute file_type; -class dir { relabelfrom relabelto }; +class dir { getattr search read relabelfrom relabelto }; class file { relabelfrom relabelto }; class lnk_file { relabelfrom relabelto }; class fifo_file { relabelfrom relabelto }; 
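Review bot: The description of `files_relabel_all_files` stops at "Relabel all files on the filesystem", but the body also calls `selinux_relabelto_binary_policy($1)`, and the next hunk's `files_manage_all_files` likewise calls `selinux_write_binary_policy($1)` and `bootloader_modify_kernel_modules($1)`, so every caller (restorecon_t, setfiles_t, rpm_script_t and the admin domains in this commit) also picks up the attributes those interfaces assign. The `# satisfy the assertions:` comment explains the mechanism but a caller reading only the interface summary will not see it; add e.g. `## Also relabels to the binary policy type (via selinux_relabelto_binary_policy) so the file_type rules pass the policy assertions.` here, and the corresponding sentence naming the binary policy and kernel modules on `files_manage_all_files`. It is also worth stating in the manage interface that, unlike this one, it grants no `chr_file`/`blk_file` permissions, if that is deliberate.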
@@ -145,6 +159,43 @@ class chr_file relabelfrom; ') ######################################## +## +## +## Manage all files on the filesystem, except +## the listed exceptions. +## +## +## The type of the domain perfoming this action. +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +## +# +define(`files_manage_all_files',` +requires_block_template(`$0'_depend) +allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename }; +allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +# satisfy the assertions: +selinux_write_binary_policy($1) +bootloader_modify_kernel_modules($1) +') + +define(`files_manage_all_files_depend',` +attribute file_type; +class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +class file { create ioctl read getattr lock write setattr append link unlink rename }; +class lnk_file { create read getattr setattr link unlink rename }; +class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +') + +######################################## # # files_search_all_directories(domain) # 
@@ -648,6 +699,20 @@ class sock_file { getattr unlink }; ######################################## # +# files_search_general_application_resources_dir(domain) +# +define(`files_search_general_application_resources_dir',` +requires_block_template(`$0'_depend) +allow $1 usr_t:dir search; +') + +define(`files_search_general_application_resources_dir_depend',` +type usr_t; +class dir search; +') + +######################################## +# # files_read_general_application_resources(domain) # define(`files_read_general_application_resources',` @@ -998,4 +1063,38 @@ type var_t, var_spool_t; class dir { getattr search read }; ') +######################################## +# +# files_read_system_spools(domain) +# +define(`files_read_system_spools',` +requires_block_template(`$0'_depend) +allow $1 var_t:dir search; +allow $1 var_spool_t:dir { getattr search read }; +allow $1 var_spool_t:file { getattr read }; +') + +define(`files_read_system_spools_depend',` +type var_t, var_spool_t; +class dir { getattr search read }; +class file { getattr read }; +') + +######################################## +# +# files_manage_system_spools(domain) +# +define(`files_manage_system_spools',` +requires_block_template(`$0'_depend) +allow $1 var_t:dir search; +allow $1 var_spool_t:dir { getattr search read write add_name remove_name }; +allow $1 var_spool_t:file { getattr create read write append unlink setattr }; +') + +define(`files_manage_system_spools_depend',` +type var_t, var_spool_t; +class dir { getattr search read write add_name remove_name }; +class file { getattr create read write append unlink setattr }; +') + ## diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index c4d0c56..9536e3e 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te 
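Review bot: `files_manage_system_spools` grants `var_spool_t:file { getattr create read write append unlink setattr }` and `dir { getattr search read write add_name remove_name }`, which is narrower than the `create_file_perms`/`rw_dir_perms` rules it replaces for system_crond_t in the cron.te hunk (the expanded form this commit uses elsewhere for `create_file_perms` is `{ create ioctl read getattr lock write setattr append link unlink rename }`), so `ioctl`, `lock`, `link` and `rename` are lost; if anacron or slrnpull lock or rename spool files this will start denying. Either carry the fuller set, `allow $1 var_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };`, or note in the header that the reduction is intentional. Whether the removed cron.te rules were inside the `ifdef(`TODO',`` block is not visible from the hunk.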
@@ -44,6 +44,7 @@ filesystem_get_persistent_filesystem_attributes(getty_t) terminal_use_all_terminals(getty_t) terminal_set_console_attributes(getty_t) +init_script_modify_runtime_data(getty_t) init_script_use_pseudoterminal(getty_t) files_modify_system_runtime_data(getty_t) @@ -55,6 +56,9 @@ files_read_general_system_config(getty_t) authlogin_modify_login_records(getty_t) +libraries_use_dynamic_loader(getty_t) +libraries_use_shared_libraries(getty_t) + locallogin_transition(getty_t) logging_send_system_log_message(getty_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 3acb8cc..bc63bb8 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -112,7 +112,7 @@ optional_policy(`netutils.te', ` netutils_transition(hotplug_t) filesystem_use_tmpfs_character_devices(hotplug_t) ') dnl endif netutils optional -files_get_system_lock_file_attribues(hotplug_t) +files_get_system_lock_file_attributes(hotplug_t) ')dnl end distro_redhat tunable tunable_policy(`targeted_policy', ` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 6b38a53..937b98c 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te 
@@ -22,20 +22,18 @@ kernel_make_userland_entrypoint(init_t,init_exec_t) domain_make_entrypoint_file(init_t,init_exec_t) # +# init_var_run_t is the type for /var/run/shutdown.pid. +# +type init_var_run_t; +files_make_daemon_runtime_file(init_var_run_t) + +# # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. # type initctl_t; files_make_file(initctl_t) -filesystem_tmpfs_associate(initctl_t) -devices_create_dev_entry(init_t,initctl_t,fifo_file) - -# -# init_var_run_t is the type for /var/run/shutdown.pid. -# -type init_var_run_t; -files_make_daemon_runtime_file(init_var_run_t) type initrc_t; domain_make_domain(initrc_t) @@ -70,6 +68,10 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans }; allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; files_create_daemon_runtime_data(init_t,init_var_run_t) +allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink }; +filesystem_tmpfs_associate(initctl_t) +devices_create_dev_entry(init_t,initctl_t,fifo_file) + # Run init scripts. this is ok since initrc # is also in this module allow init_t initrc_t:process transition; diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 3f22b3d..23b6ea8 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -132,6 +132,7 @@ class file { getattr read write }; # define(`libraries_use_shared_libraries',` requires_block_template(`$0'_depend) +files_search_general_application_resources_dir($1) allow $1 lib_t:dir { getattr search read }; allow $1 lib_t:lnk_file { getattr read }; allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read }; diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 4d2f562..fd97ed4 100644 --- a/refpolicy/policy/modules/system/selinux.if 
+++ b/refpolicy/policy/modules/system/selinux.if @@ -571,6 +571,29 @@ class file { getattr create write unlink }; ') ######################################## +## +## +## Allow the caller to relabel a file to the binary policy type. +## +## +## The type of the process performing this action. +## +## +## +# +define(`selinux_relabelto_binary_policy',` +requires_block_template(`$0'_depend) +allow $1 policy_config_t:file relabelto; +typeattribute $1 can_relabelto_binary_policy; +') + +define(`selinux_relabelto_binary_policy_depend',` +attribute can_relabelto_binary_policy; +type policy_config_t; +class file relabelto; +') + +######################################## # # selinux_manage_binary_policy(domain) # diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 7ecde92..96f0f0c 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir { getattr search read }; -allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read }; +allow checkpolicy_t policy_src_t:file { getattr read ioctl }; +allow checkpolicy_t policy_src_t:lnk_file { getattr read }; allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) 
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir { getattr search read }; allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; -allow newrole_t selinux_config_t:dir { getattr read search }; -allow newrole_t selinux_config_t:file { read getattr }; -allow newrole_t selinux_config_t:lnk_file { getattr read }; +allow load_policy_t selinux_config_t:dir { getattr read search }; +allow load_policy_t selinux_config_t:file { read getattr }; +allow load_policy_t selinux_config_t:lnk_file { getattr read }; kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) @@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t) domain_use_widely_inheritable_file_descriptors(load_policy_t) +files_search_general_system_config_directory(load_policy_t) + libraries_use_dynamic_loader(load_policy_t) libraries_use_shared_libraries(load_policy_t) @@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t) -ifdef(`TODO',` - -# directory search permissions for path to binary policy files -allow load_policy_t etc_t:dir search; -') dnl endif TODO - ######################################## # # Newrole local policy @@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t) # relabeling rules kernel_relabel_unlabeled_object(restorecon_t) devices_manage_all_devices_labels(restorecon_t) -files_manage_all_files_labels(restorecon_t) +files_relabel_all_files(restorecon_t) files_read_all_directories(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) 
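Review bot: The three rules reassigned from `newrole_t` to `load_policy_t` sit in the load_policy section, so the rename reads as a fix, but nothing in this commit re-adds `selinux_config_t` access for `newrole_t`; if newrole reads /etc/selinux it loses `dir { getattr read search }` and `file`/`lnk_file { getattr read }` here, and the "Newrole local policy" section that follows is outside the hunk. Confirm newrole_t gets the equivalent in its own section, or add the three lines there. The same hunk appears again for selinuxutil.te below.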
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t) tunable_policy(`distro_redhat', ` filesystem_use_tmpfs_character_devices(restorecon_t) filesystem_use_tmpfs_block_devices(restorecon_t) +filesystem_relabel_tmpfs_block_devices(restorecon_t) +filesystem_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` @@ -333,11 +332,6 @@ ifdef(`TODO',` # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; -tunable_policy(`distro_redhat', ` -allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto }; -allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto }; -') - allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; @@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_read_all_directories(setfiles_t) -files_manage_all_files_labels(setfiles_t) +files_relabel_all_files(setfiles_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(setfiles_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 4d2f562..fd97ed4 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if 
@@ -571,6 +571,29 @@ class file { getattr create write unlink }; ') ######################################## +## +## +## Allow the caller to relabel a file to the binary policy type. +## +## +## The type of the process performing this action. +## +## +## +# +define(`selinux_relabelto_binary_policy',` +requires_block_template(`$0'_depend) +allow $1 policy_config_t:file relabelto; +typeattribute $1 can_relabelto_binary_policy; +') + +define(`selinux_relabelto_binary_policy_depend',` +attribute can_relabelto_binary_policy; +type policy_config_t; +class file relabelto; +') + +######################################## # # selinux_manage_binary_policy(domain) # diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 7ecde92..96f0f0c 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir { getattr search read }; -allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read }; +allow checkpolicy_t policy_src_t:file { getattr read ioctl }; +allow checkpolicy_t policy_src_t:lnk_file { getattr read }; allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) 
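Review bot: This hunk is a byte-for-byte repeat of the selinux.if hunk above, including the `index 4d2f562..fd97ed4` line, and the selinuxutil.te hunks that follow likewise repeat selinux.te (`index 7ecde92..96f0f0c`); if both files stay in the tree, `selinux_relabelto_binary_policy` and its `_depend` are defined twice (the later m4 `define` silently wins) and the `.te` pair presumably declares the same types twice. This looks like a rename caught half-way; confirm one copy of each file is being removed before this is applied.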
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir { getattr search read }; allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; -allow newrole_t selinux_config_t:dir { getattr read search }; -allow newrole_t selinux_config_t:file { read getattr }; -allow newrole_t selinux_config_t:lnk_file { getattr read }; +allow load_policy_t selinux_config_t:dir { getattr read search }; +allow load_policy_t selinux_config_t:file { read getattr }; +allow load_policy_t selinux_config_t:lnk_file { getattr read }; kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) @@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t) domain_use_widely_inheritable_file_descriptors(load_policy_t) +files_search_general_system_config_directory(load_policy_t) + libraries_use_dynamic_loader(load_policy_t) libraries_use_shared_libraries(load_policy_t) @@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t) -ifdef(`TODO',` - -# directory search permissions for path to binary policy files -allow load_policy_t etc_t:dir search; -') dnl endif TODO - ######################################## # # Newrole local policy @@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t) # relabeling rules kernel_relabel_unlabeled_object(restorecon_t) devices_manage_all_devices_labels(restorecon_t) -files_manage_all_files_labels(restorecon_t) +files_relabel_all_files(restorecon_t) files_read_all_directories(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) 
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t) tunable_policy(`distro_redhat', ` filesystem_use_tmpfs_character_devices(restorecon_t) filesystem_use_tmpfs_block_devices(restorecon_t) +filesystem_relabel_tmpfs_block_devices(restorecon_t) +filesystem_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` @@ -333,11 +332,6 @@ ifdef(`TODO',` # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; -tunable_policy(`distro_redhat', ` -allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto }; -allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto }; -') - allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; @@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_read_all_directories(setfiles_t) -files_manage_all_files_labels(setfiles_t) +files_relabel_all_files(setfiles_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 95753f8..8c377ac 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te 
@@ -57,9 +57,9 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir }) -# Allow dhcpc_t to use packet sockets +allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; allow dhcpc_t self:fifo_file { ioctl read getattr lock write append }; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index e0b7ab2..55d3e48 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -10,6 +10,10 @@ define(`base_user_domain',` +attribute $1_file_type; + +type $1_t, userdomain; +corecommands_make_shell_entrypoint($1_t) role $1_r types $1_t; allow system_r $1_r; @@ -370,9 +374,10 @@ define(`user_domain_template', ` # Declarations # -attribute $1_file_type; +# Inherit rules for ordinary users. +base_user_domain($1) -type $1_t, userdomain, unpriv_userdomain; #, web_client_domain, nscd_client_domain; +typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; domain_make_domain($1_t) domain_make_file_descriptors_widely_inheritable($1_t) @@ -398,9 +403,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t) # Local policy # -# Inherit rules for ordinary users. -base_user_domain($1) - allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; terminal_create_private_pseudoterminal($1_t,$1_devpts_t) 
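Review bot: The comment `# Allow dhcpc_t to use packet sockets` is removed rather than extended, and the new `tcp_socket` rule carries neither `connect` nor `listen`/`accept` (the adjacent `packet_socket` rule does have `connect`), so the TCP socket can only be created and used for ioctls/getopt/setopt; if it exists only for interface ioctls that deserves a comment, and if it is meant to exchange data it is missing `connect`. Suggested comment above the three rules: `# udp for the DHCP exchange, packet for the pre-lease broadcast; tcp socket only for interface ioctls`, adjusted to whatever the client actually does.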
@@ -584,9 +586,10 @@ define(`admin_domain_template',` # Declarations # -attribute $1_file_type; +# Inherit rules for ordinary users. +base_user_domain($1) -type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain; +typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; kernel_make_object_identity_change_constraint_exception($1_t) domain_make_domain($1_t) role system_r types $1_t; @@ -615,9 +618,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t) # $1_t local policy # -# Inherit rules for ordinary users. -base_user_domain($1) - allow $1_t self:capability ~sys_module; allow $1_t self:process { setexec setfscreate }; @@ -682,6 +682,11 @@ terminal_use_general_physical_terminal($1_t) terminal_use_all_private_pseudoterminals($1_t) terminal_use_all_private_physical_terminals($1_t) +# Manage almost all files +authlogin_manage_all_files_except_shadow($1_t) +# Relabel almost all files +authlogin_relabel_all_files_except_shadow($1_t) + domain_set_all_domains_priorities($1_t) files_execute_system_source_code_scripts($1_t) @@ -710,18 +715,6 @@ ifdef(`TODO',` # Let admin stat the shadow file. allow $1_t shadow_t:file getattr; -# Create and use all files that have the sysadmfile attribute. -allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms; -allow $1_t sysadmfile:lnk_file create_lnk_perms; -allow $1_t sysadmfile:dir create_dir_perms; - -# Relabel all files. -# Actually this will not allow relabeling ALL files unless you change -# sysadmfile to file_type (and change the assertion in assert.te that -# only auth_write can relabel shadow_t) -allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto }; -allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto }; - # for lsof allow $1_t mtrr_device_t:file getattr;
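Review bot: `# Manage almost all files` and `# Relabel almost all files` understate what `authlogin_manage_all_files_except_shadow($1_t)` and `authlogin_relabel_all_files_except_shadow($1_t)` give every admin domain: the underlying files.if interfaces also call `selinux_write_binary_policy`, `bootloader_modify_kernel_modules` and `selinux_relabelto_binary_policy`, and the object set widens from the `sysadmfile` attribute used by the TODO-block rules removed in the last hunk to all of `file_type` minus `shadow_t`. The removed comment's caveat about the shadow assertion is still the reason for the exclusion and should survive the move, e.g. `# Manage and relabel all files except shadow_t (the shadow assertion only admits auth-write domains); also grants binary policy and kernel module write via files_manage_all_files().` The last hunk's trailing context may run past the end of this chunk.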