diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 2c7ba7e..2010b36 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -302,7 +302,7 @@ tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
 $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
 fi

-$(JAVABYTE) doctool: $(JAVASRC)
+$(JAVABYTE): $(JAVASRC)
 javac $(JAVASRC)

 html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 7cbc587..401465c 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
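Review bot: The new header `$(JAVABYTE): $(JAVASRC)` still defines one independent rule per word of `$(JAVABYTE)`, each running the shared `javac $(JAVASRC)` recipe, so if JAVABYTE expands to more than one class file a `make -j` build can launch javac on the same sources concurrently; a single stamp target avoids that, e.g. `doctool.stamp: $(JAVASRC)` with recipe `javac $(JAVASRC) && touch $@` and `$(JAVABYTE): doctool.stamp ;`. Dropping `doctool` from the header also removes it as a target name, so any `.PHONY` entry or documentation that still invokes `make doctool` should be updated; the definitions of JAVABYTE and JAVASRC and any `.PHONY` list are outside this hunk. The recipe also hard-codes `javac`; exposing it as `$(JAVAC)` with a `JAVAC ?= javac` default would let users override the compiler the way `$(XMLLINT)` already is.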
@@ -4,23 +4,26 @@
 # consoletype_transition(domain)
 #
 define(`consoletype_transition',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute };
-allow $1 consoletype_t:process transition;
-type_transition $1 consoletype_exec_t:process consoletype_t;
-dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
-allow $1 consoletype_t:fd use;
-allow consoletype_t $1:fd use;
-allow consoletype_t $1:fifo_file rw_file_perms;
-allow consoletype_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 consoletype_exec_t:file { getattr read execute };
+ allow $1 consoletype_t:process transition;
+ type_transition $1 consoletype_exec_t:process consoletype_t;
+ dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 consoletype_t:fd use;
+ allow consoletype_t $1:fd use;
+ allow consoletype_t $1:fifo_file rw_file_perms;
+ allow consoletype_t $1:process sigchld;
 ')

 define(`consoletype_transition_depend',`
-type consoletype_t, consoletype_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type consoletype_t, consoletype_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 #######################################
@@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # consoletype_execute(domain)
 #
 define(`consoletype_execute',`
-requires_block_template(`$0'_depend)
-allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`consoletype_execute_depend',`
-type consoletype_exec_t;
-class file { getattr read execute execute_no_trans };
+ type consoletype_exec_t;
+
+ class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 34739c0..d3fd863 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -51,15 +51,15 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)

 tunable_policy(`distro_redhat', `
-filesystem_use_tmpfs_character_devices(consoletype_t)
+ filesystem_use_tmpfs_character_devices(consoletype_t)
 ')

 optional_policy(`authlogin.te', `
-authlogin_pam_read_runtime_data(consoletype_t)
+ authlogin_pam_read_runtime_data(consoletype_t)
 ')

 optional_policy(`userdomain.te',`
-userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+ userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
 ')

 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 7e9c23f..2b2b8c6 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -13,23 +13,26 @@
 ##
 #
 define(`dmesg_transition',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute };
-allow $1 dmesg_t:process transition;
-type_transition $1 dmesg_exec_t:process dmesg_t;
-dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
-allow $1 dmesg_t:fd use;
-allow dmesg_t $1:fd use;
-allow dmesg_t $1:fifo_file rw_file_perms;
-allow dmesg_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 dmesg_exec_t:file { getattr read execute };
+ allow $1 dmesg_t:process transition;
+ type_transition $1 dmesg_exec_t:process dmesg_t;
+ dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 dmesg_t:fd use;
+ allow dmesg_t $1:fd use;
+ allow dmesg_t $1:fifo_file rw_file_perms;
+ allow dmesg_t $1:process sigchld;
 ')

 define(`dmesg_transition_depend',`
-type dmesg_t, dmesg_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type dmesg_t, dmesg_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -44,13 +47,15 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`dmesg_execute',`
-requires_block_template(`$0'_depend)
-allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`dmesg_execute_depend',`
-type dmesg_exec_t;
-class file { getattr read execute execute_no_trans };
+ type dmesg_exec_t;
+
+ class file { getattr read execute execute_no_trans };
 ')

 ##
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 4bf876b..30b7389 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -50,17 +50,17 @@ userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)

 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(dmesg_t)
-terminal_ignore_use_general_pseudoterminal(dmesg_t)
-files_ignore_read_rootfs_file(dmesg_t)
+ terminal_ignore_use_general_physical_terminal(dmesg_t)
+ terminal_ignore_use_general_pseudoterminal(dmesg_t)
+ files_ignore_read_rootfs_file(dmesg_t)
 ')

 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(dmesg_t)
+ selinux_newrole_sigchld(dmesg_t)
 ')

 optional_policy(`udev.te', `
-udev_read_database(dmesg_t)
+ udev_read_database(dmesg_t)
 ')

 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index aff0524..79b2e61 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -4,23 +4,26 @@
 # netutils_transition(domain)
 #
 define(`netutils_transition',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute };
-allow $1 netutils_t:process transition;
-type_transition $1 netutils_exec_t:process netutils_t;
-dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
-allow $1 netutils_t:fd use;
-allow netutils_t $1:fd use;
-allow netutils_t $1:fifo_file rw_file_perms;
-allow netutils_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 netutils_exec_t:file { getattr read execute };
+ allow $1 netutils_t:process transition;
+ type_transition $1 netutils_exec_t:process netutils_t;
+ dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 netutils_t:fd use;
+ allow netutils_t $1:fd use;
+ allow netutils_t $1:fifo_file rw_file_perms;
+ allow netutils_t $1:process sigchld;
 ')

 define(`netutils_transition_depend',`
-type netutils_t, netutils_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type netutils_t, netutils_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 #######################################
@@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
 # netutils_execute(domain)
 #
 define(`netutils_execute',`
-requires_block_template(`$0'_depend)
-allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
 ')

 define(`netutils_execute_depend',`
-type netutils_exec_t;
-class file { getattr read execute execute_no_trans };
+ type netutils_exec_t;
+
+ class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index fccd0f0..ac47688 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -13,23 +13,26 @@
 ##
 #
 define(`rpm_transition',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_exec_t:file { getattr read execute };
-allow $1 rpm_t:process transition;
-type_transition $1 rpm_exec_t:process rpm_t;
-dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
-allow $1 rpm_t:fd use;
-allow rpm_t $1:fd use;
-allow rpm_t $1:fifo_file rw_file_perms;
-allow rpm_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 rpm_exec_t:file { getattr read execute };
+ allow $1 rpm_t:process transition;
+ type_transition $1 rpm_exec_t:process rpm_t;
+ dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 rpm_t:fd use;
+ allow rpm_t $1:fd use;
+ allow rpm_t $1:fifo_file rw_file_perms;
+ allow rpm_t $1:process sigchld;
 ')

 define(`rpm_transition_depend',`
-type rpm_t, rpm_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type rpm_t, rpm_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -50,16 +53,18 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`rpm_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-rpm_transition($1)
-role $2 types rpm_t;
-role $2 types rpm_script_t;
-allow rpm_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ rpm_transition($1)
+ role $2 types rpm_t;
+ role $2 types rpm_script_t;
+ allow rpm_t $3:chr_file { getattr read write ioctl };
 ')

 define(`rpm_transition_add_role_use_terminal_depend',`
-type rpm_t, rpm_script_t;
-class chr_file { getattr read write ioctl };
+ type rpm_t, rpm_script_t;
+
+ class chr_file { getattr read write ioctl };
 ')

 ########################################
@@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`rpm_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fd use;
+ requires_block_template(`$0'_depend)
+
+ allow $1 rpm_t:fd use;
 ')

 define(`rpm_use_file_descriptors_depend',`
-type rpm_t;
-class fd use;
+ type rpm_t;
+
+ class fd use;
 ')

 ########################################
@@ -95,13 +102,15 @@ class fd use;
 ##
 #
 define(`rpm_read_pipe',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_t:fifo_file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 rpm_t:fifo_file { getattr read };
 ')

 define(`rpm_read_pipe_depend',`
-type rpm_t;
-class fifo_file { getattr read };
+ type rpm_t;
+
+ class fifo_file { getattr read };
 ')

 ########################################
@@ -116,17 +125,19 @@ class fifo_file { getattr read };
 ##
 #
 define(`rpm_read_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr read search };
-allow $1 rpm_var_lib_t:file { read getattr };
-allow $1 rpm_var_lib_t:lnk_file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 rpm_var_lib_t:dir { getattr read search };
+ allow $1 rpm_var_lib_t:file { read getattr };
+ allow $1 rpm_var_lib_t:lnk_file { getattr read };
 ')

 define(`rpm_read_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+ type rpm_var_lib_t_t;
+
+ class dir { search getattr read };
+ class lnk_file { getattr read };
+ class file { getattr read };
 ')

 ########################################
@@ -134,17 +145,19 @@ class file { getattr read };
 # rpm_manage_package_database(domain)
 #
 define(`rpm_manage_package_database',`
-requires_block_template(`$0'_depend)
-allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
-allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+ requires_block_template(`$0'_depend)
+
+ allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+ allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+ allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')

 define(`rpm_manage_package_database_depend',`
-type rpm_var_lib_t_t;
-class dir { search getattr read };
-class lnk_file { getattr read };
-class file { getattr read };
+ type rpm_var_lib_t_t;
+
+ class dir { search getattr read };
+ class lnk_file { getattr read };
+ class file { getattr read };
 ')

 ##
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 2bd4b70..aa03a72 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
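Review bot: Both `_depend` blocks in the two rpm.if hunks ending here still declare `type rpm_var_lib_t_t;` while the interface bodies reference `rpm_var_lib_t`, so the generated requirement names a type the body never uses; it should read `type rpm_var_lib_t;`. `rpm_manage_package_database_depend` also under-declares permissions relative to its body: the body grants `write add_name remove_name` on dir, `create write append unlink` on file and `write unlink` on lnk_file, yet the depend block lists only read-style permissions for all three classes. Since this commit re-indents exactly those lines, it is the natural place to bring them in line, e.g. `class dir { search getattr read write add_name remove_name };`, `class file { getattr create read write append unlink };` and `class lnk_file { getattr read write unlink };`.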
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -13,23 +13,26 @@
 ##
 #
 define(`usermanage_chfn_transition',`
-requires_block_template(`$0'_depend)
-allow $1 chfn_exec_t:file { getattr read execute };
-allow $1 chfn_t:process transition;
-type_transition $1 chfn_exec_t:process chfn_t;
-dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
-allow $1 chfn_t:fd use;
-allow chfn_t $1:fd use;
-allow chfn_t $1:fifo_file rw_file_perms;
-allow chfn_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 chfn_exec_t:file { getattr read execute };
+ allow $1 chfn_t:process transition;
+ type_transition $1 chfn_exec_t:process chfn_t;
+ dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 chfn_t:fd use;
+ allow chfn_t $1:fd use;
+ allow chfn_t $1:fifo_file rw_file_perms;
+ allow chfn_t $1:process sigchld;
 ')

 define(`usermanage_chfn_transition_depend',`
-type chfn_t, chfn_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type chfn_t, chfn_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`usermanage_chfn_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_chfn_transition($1)
-role $2 types chfn_t;
-allow chfn_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ usermanage_chfn_transition($1)
+ role $2 types chfn_t;
+ allow chfn_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
-type chfn_t;
-class chr_file { getattr read write ioctl };
+ type chfn_t;
+
+ class chr_file { getattr read write ioctl };
 ')

 ########################################
@@ -74,23 +79,26 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`usermanage_groupadd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 groupadd_exec_t:file { getattr read execute };
-allow $1 groupadd_t:process transition;
-type_transition $1 groupadd_exec_t:process groupadd_t;
-dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
-allow $1 groupadd_t:fd use;
-allow groupadd_t $1:fd use;
-allow groupadd_t $1:fifo_file rw_file_perms;
-allow groupadd_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 groupadd_exec_t:file { getattr read execute };
+ allow $1 groupadd_t:process transition;
+ type_transition $1 groupadd_exec_t:process groupadd_t;
+ dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 groupadd_t:fd use;
+ allow groupadd_t $1:fd use;
+ allow groupadd_t $1:fifo_file rw_file_perms;
+ allow groupadd_t $1:process sigchld;
 ')

 define(`usermanage_groupadd_transition_depend',`
-type groupadd_t, groupadd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type groupadd_t, groupadd_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -112,15 +120,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`usermanage_groupadd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_groupadd_transition($1)
-role $2 types groupadd_t;
-allow groupadd_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ usermanage_groupadd_transition($1)
+ role $2 types groupadd_t;
+ allow groupadd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
-type groupadd_t;
-class chr_file { getattr read write ioctl };
+ type groupadd_t;
+
+ class chr_file { getattr read write ioctl };
 ')

 ########################################
@@ -135,23 +145,26 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`usermanage_passwd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 passwd_exec_t:file { getattr read execute };
-allow $1 passwd_t:process transition;
-type_transition $1 passwd_exec_t:process passwd_t;
-dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
-allow $1 passwd_t:fd use;
-allow passwd_t $1:fd use;
-allow passwd_t $1:fifo_file rw_file_perms;
-allow passwd_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 passwd_exec_t:file { getattr read execute };
+ allow $1 passwd_t:process transition;
+ type_transition $1 passwd_exec_t:process passwd_t;
+ dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 passwd_t:fd use;
+ allow passwd_t $1:fd use;
+ allow passwd_t $1:fifo_file rw_file_perms;
+ allow passwd_t $1:process sigchld;
 ')

 define(`usermanage_passwd_transition_depend',`
-type passwd_t, passwd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type passwd_t, passwd_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -173,15 +186,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`usermanage_passwd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_passwd_transition($1)
-role $2 types passwd_t;
-allow passwd_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ usermanage_passwd_transition($1)
+ role $2 types passwd_t;
+ allow passwd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
-type passwd_t;
-class chr_file { getattr read write ioctl };
+ type passwd_t;
+
+ class chr_file { getattr read write ioctl };
 ')

 ########################################
@@ -196,23 +211,26 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`usermanage_useradd_transition',`
-requires_block_template(`$0'_depend)
-allow $1 useradd_exec_t:file { getattr read execute };
-allow $1 useradd_t:process transition;
-type_transition $1 useradd_exec_t:process useradd_t;
-dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
-allow $1 useradd_t:fd use;
-allow useradd_t $1:fd use;
-allow useradd_t $1:fifo_file rw_file_perms;
-allow useradd_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 useradd_exec_t:file { getattr read execute };
+ allow $1 useradd_t:process transition;
+ type_transition $1 useradd_exec_t:process useradd_t;
+ dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 useradd_t:fd use;
+ allow useradd_t $1:fd use;
+ allow useradd_t $1:fifo_file rw_file_perms;
+ allow useradd_t $1:process sigchld;
 ')

 define(`usermanage_useradd_transition_depend',`
-type useradd_t, useradd_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type useradd_t, useradd_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')

 ########################################
@@ -234,15 +252,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`usermanage_useradd_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-usermanage_useradd_transition($1)
-role $2 types useradd_t;
-allow useradd_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ usermanage_useradd_transition($1)
+ role $2 types useradd_t;
+ allow useradd_t $3:chr_file { getattr read write ioctl };
 ')

 define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
-type useradd_t;
-class chr_file { getattr read write ioctl };
+ type useradd_t;
+
+ class chr_file { getattr read write ioctl };
 ')

 ##
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index dcb7431..3ed253e 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -6,333 +6,342 @@
 # gpg_per_userdomain_template(userdomain_prefix)
 #
 define(`gpg_per_userdomain_template',`
-requires_block_template(`$0'_depend)
+ requires_block_template(`$0'_depend)

-########################################
-#
-# Declarations
-#
+ ########################################
+ #
+ # Declarations
+ #

-type $1_gpg_t;
-domain_make_domain($1_gpg_t)
-domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
-role $1_r types $1_gpg_t;
+ type $1_gpg_t;
+ domain_make_domain($1_gpg_t)
+ domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
+ role $1_r types $1_gpg_t;

-type $1_gpg_agent_t;
-domain_make_domain($1_gpg_agent_t)
-domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
-role $1_r types $1_gpg_agent_t;
+ type $1_gpg_agent_t;
+ domain_make_domain($1_gpg_agent_t)
+ domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
+ role $1_r types $1_gpg_agent_t;

-type $1_gpg_agent_tmp_t;
-files_make_temporary_file($1_gpg_agent_tmp_t)
+ type $1_gpg_agent_tmp_t;
+ files_make_temporary_file($1_gpg_agent_tmp_t)

-type $1_gpg_secret_t; #, $1_file_type;
-files_make_file($1_gpg_secret_t)
+ type $1_gpg_secret_t; #, $1_file_type;
+ files_make_file($1_gpg_secret_t)

-type $1_gpg_helper_t;
-domain_make_domain($1_gpg_helper_t)
-role $1_r types $1_gpg_helper_t;
+ type $1_gpg_helper_t;
+ domain_make_domain($1_gpg_helper_t)
+ role $1_r types $1_gpg_helper_t;

-type $1_gpg_pinentry_t;
-domain_make_domain($1_gpg_pinentry_t)
-role $1_r types $1_gpg_pinentry_t;
+ type $1_gpg_pinentry_t;
+ domain_make_domain($1_gpg_pinentry_t)
+ role $1_r types $1_gpg_pinentry_t;

-########################################
-#
-# GPG local policy
-#
+ ########################################
+ #
+ # GPG local policy
+ #

-# transition from the userdomain to the derived domain
-allow $1_t $1_gpg_t:process transition;
-allow $1_t gpg_exec_t:file { getattr read execute };
-type_transition $1_t gpg_exec_t:process $1_gpg_t;
-allow $1_t $1_gpg_t:fd use;
-allow $1_gpg_t $1_t:fd use;
-allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+ # transition from the userdomain to the derived domain
+ allow $1_t $1_gpg_t:process transition;
+ allow $1_t gpg_exec_t:file { getattr read execute };
+ type_transition $1_t gpg_exec_t:process $1_gpg_t;
+ dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };

-allow $1_gpg_t self:capability { ipc_lock setuid };
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+ allow $1_t $1_gpg_t:fd use;
+ allow $1_gpg_t $1_t:fd use;
+ allow $1_gpg_t $1_t:fifo_file rw_file_perms;
+ allow $1_gpg_t $1_t:process sigchld;

-allow $1_gpg_t self:fifo_file { getattr read write };
-allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_t self:capability { ipc_lock setuid };
+ allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+ # setrlimit is for ulimit -c 0
+ allow $1_gpg_t self:process { setrlimit setcap };

-allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_gpg_t self:fifo_file { getattr read write };
+ allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_t)
+ allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };

-devices_get_random_data($1_gpg_t)
-devices_get_pseudorandom_data($1_gpg_t)
+ corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
+ corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
+ corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
+ corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
+ corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
+ corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
+ corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
+ corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
+ corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
+ corenetwork_bind_udp_on_all_nodes($1_gpg_t)

-filesystem_get_persistent_filesystem_attributes($1_gpg_t)
+ devices_get_random_data($1_gpg_t)
+ devices_get_pseudorandom_data($1_gpg_t)

-files_read_general_system_config($1_gpg_t)
-files_read_general_application_resources($1_gpg_t)
+ filesystem_get_persistent_filesystem_attributes($1_gpg_t)

-libraries_use_shared_libraries($1_gpg_t)
-libraries_use_dynamic_loader($1_gpg_t)
+ files_read_general_system_config($1_gpg_t)
+ files_read_general_application_resources($1_gpg_t)

-miscfiles_read_localization($1_gpg_t)
+ libraries_use_shared_libraries($1_gpg_t)
+ libraries_use_dynamic_loader($1_gpg_t)

-logging_send_system_log_message($1_gpg_t)
+ miscfiles_read_localization($1_gpg_t)

-sysnetwork_read_network_config($1_gpg_t)
+ logging_send_system_log_message($1_gpg_t)

-# Legacy
-if (allow_gpg_execstack) {
-allow $1_gpg_t self:process execmem;
-libraries_legacy_use_shared_libraries($1_gpg_t)
-libraries_legacy_use_dynamic_loader($1_gpg_t)
-miscfiles_legacy_read_localization($1_gpg_t)
-# Not quite sure why this is needed...
-allow $1_gpg_t gpg_exec_t:file execmod;
-}
+ sysnetwork_read_network_config($1_gpg_t)

-ifdef(`TODO',`
+ # Legacy
+ if (allow_gpg_execstack) {
+ allow $1_gpg_t self:process execmem;
+ libraries_legacy_use_shared_libraries($1_gpg_t)
+ libraries_legacy_use_dynamic_loader($1_gpg_t)
+ miscfiles_legacy_read_localization($1_gpg_t)
+ # Not quite sure why this is needed...
+ allow $1_gpg_t gpg_exec_t:file execmod;
+ }

-can_ypbind($1_gpg_t)
+ ifdef(`TODO',`

-allow $1_t $1_gpg_secret_t:file getattr;
+ can_ypbind($1_gpg_t)

-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
+ allow $1_t $1_gpg_secret_t:file getattr;

-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
+ access_terminal($1_gpg_t, $1)
+ ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
+ # Inherit and use descriptors
+ allow $1_gpg_t { privfd $1_t }:fd use;

-# should not need read access...
-allow $1_gpg_t home_root_t:dir { read search };
+ # allow ps to show gpg
+ can_ps($1_t, $1_gpg_t)

-# use $1_gpg_secret_t for files it creates
-# NB we are doing the type transition for directory creation only!
-# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
-# a file and write output to your home directory it will use user_home_t.
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+ # should not need read access...
+ allow $1_gpg_t home_root_t:dir { read search };

-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-create_dir_file($1_gpg_t, $1_home_t)
+ # use $1_gpg_secret_t for files it creates
+ # NB we are doing the type transition for directory creation only!
+ # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
+ # secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
+ # a file and write output to your home directory it will use user_home_t.
+ file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)

-# allow the usual access to /tmp
-file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
+ file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
+ create_dir_file($1_gpg_t, $1_home_t)

-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_t, cifs_t)
-}
+ # allow the usual access to /tmp
+ file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)

-rw_dir_create_file($1_gpg_t, $1_file_type)
+ if (use_nfs_home_dirs) {
+ create_dir_file($1_gpg_t, nfs_t)
+ }
+ if (use_samba_home_dirs) {
+ create_dir_file($1_gpg_t, cifs_t)
+ }

-allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+ rw_dir_create_file($1_gpg_t, $1_file_type)

-dontaudit $1_gpg_t var_t:dir search;
-') dnl end TODO
+ allow $1_t $1_gpg_secret_t:dir rw_dir_perms;

-########################################
-#
-# GPG helper local policy
-#
+ dontaudit $1_gpg_t var_t:dir search;
+ ') dnl end TODO

-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the
-# mail interface you will likely need additional permissions.
+ ########################################
+ #
+ # GPG helper local policy
+ #

-# transition from the gpg domain to the helper domain
-allow $1_gpg_t $1_gpg_helper_t:process transition;
-allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
-type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
-allow $1_gpg_t $1_gpg_helper_t:fd use;
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
+ # for helper programs (which automatically fetch keys)
+ # Note: this is only tested with the hkp interface. If you use eg the
+ # mail interface you will likely need additional permissions.

-allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ # transition from the gpg domain to the helper domain
+ allow $1_gpg_t $1_gpg_helper_t:process transition;
+ allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+ type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
+ dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };

-allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_gpg_t $1_gpg_helper_t:fd use;
+ allow $1_gpg_helper_t $1_gpg_t:fd use;
+ allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
+ allow $1_gpg_helper_t $1_gpg_t:process sigchld;

-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+ allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

-corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
-corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
-corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
-corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
-corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
+ allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };

-devices_get_pseudorandom_data($1_gpg_helper_t)
+ dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;

-files_read_general_system_config($1_gpg_helper_t)
-# for nscd
-files_ignore_search_system_state_data_directory($1_gpg_helper_t)
+ corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
+ corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
+ corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
+ corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
+ corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
+ corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
+ corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
+ corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
+ corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
+ corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)

-libraries_use_dynamic_loader($1_gpg_helper_t)
-libraries_use_shared_libraries($1_gpg_helper_t)
+ devices_get_pseudorandom_data($1_gpg_helper_t)

-sysnetwork_read_network_config($1_gpg_helper_t)
+ files_read_general_system_config($1_gpg_helper_t)
+ # for nscd
+ files_ignore_search_system_state_data_directory($1_gpg_helper_t)

-ifdef(`TODO',`
+ libraries_use_dynamic_loader($1_gpg_helper_t)
+ libraries_use_shared_libraries($1_gpg_helper_t)

-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
+ sysnetwork_read_network_config($1_gpg_helper_t)

-# communicate with the user
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-
-ifdef(`xdm.te', `
-dontaudit $1_gpg_t xdm_t:fd use;
-dontaudit $1_gpg_t xdm_t:fifo_file read;
-')
-') dnl end TODO
-
-########################################
-#
-# GPG agent local policy
-#
+ ifdef(`TODO',`

-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process setrlimit;
+ if (use_nfs_home_dirs) {
+ dontaudit $1_gpg_helper_t nfs_t:file { read write };
+ }
+ if (use_samba_home_dirs) {
+ dontaudit $1_gpg_helper_t cifs_t:file { read write };
+ }

-allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
+ # communicate with the user
+ allow $1_gpg_helper_t $1_t:fd use;
+ allow $1_gpg_helper_t $1_t:fifo_file write;

-allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+ ifdef(`xdm.te', `
+ dontaudit $1_gpg_t xdm_t:fd use;
+ dontaudit $1_gpg_t xdm_t:fifo_file read;
+ ')
+ ') dnl end TODO

-domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
+ ########################################
+ #
+ # GPG agent local policy
+ #

-libraries_use_dynamic_loader($1_gpg_agent_t)
-libraries_use_shared_libraries($1_gpg_agent_t)
+ # rlimit: gpg-agent wants to prevent coredumps
+ allow $1_gpg_agent_t self:process setrlimit;

-miscfiles_read_localization($1_gpg_agent_t)
+ allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_agent_t self:fifo_file { getattr read write };

-ifdef(`TODO',`
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) + + domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t) -allow $1_gpg_agent_t xdm_t:fd use; + libraries_use_dynamic_loader($1_gpg_agent_t) + libraries_use_shared_libraries($1_gpg_agent_t) + + miscfiles_read_localization($1_gpg_agent_t) + + ifdef(`TODO',` + # Transition from the user domain to the derived domain. + domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + + allow $1_gpg_agent_t xdm_t:fd use; + + # Write to the user domain tty. + access_terminal($1_gpg_agent_t, $1) + + # Allow the user shell to signal the gpg-agent program. 
+ allow $1_t $1_gpg_agent_t:process { signal sigkill }; + # allow ps to show gpg-agent + can_ps($1_t, $1_gpg_agent_t) + + allow $1_gpg_agent_t proc_t:dir search; + allow $1_gpg_agent_t proc_t:lnk_file read; + + allow $1_gpg_agent_t device_t:dir { getattr read }; + + # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) + allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; + create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) + if (use_nfs_home_dirs) { + create_dir_file($1_gpg_agent_t, nfs_t) + } + if (use_samba_home_dirs) { + create_dir_file($1_gpg_agent_t, cifs_t) + } + + # gpg connect + allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; + allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; + can_unix_connect($1_gpg_t, $1_gpg_agent_t) + ') dnl endif TODO + + ############################## + # + # Pinentry local policy + # + + # we need to allow gpg-agent to call pinentry so it can get the passphrase + # from the user. + allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition; + allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute }; + type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t; + dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh }; -# Write to the user domain tty. -access_terminal($1_gpg_agent_t, $1) - -# Allow the user shell to signal the gpg-agent program. 
-allow $1_t $1_gpg_agent_t:process { signal sigkill }; -# allow ps to show gpg-agent -can_ps($1_t, $1_gpg_agent_t) - -allow $1_gpg_agent_t proc_t:dir search; -allow $1_gpg_agent_t proc_t:lnk_file read; - -allow $1_gpg_agent_t device_t:dir { getattr read }; - -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; -create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) -if (use_nfs_home_dirs) { -create_dir_file($1_gpg_agent_t, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1_gpg_agent_t, cifs_t) -} - -# gpg connect -allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; -allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; -can_unix_connect($1_gpg_t, $1_gpg_agent_t) -') dnl endif TODO - -############################## -# -# Pinentry local policy -# - -# we need to allow gpg-agent to call pinentry so it can get the passphrase -# from the user. -allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition; -allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute }; -type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t; -allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; -allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; -allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; - -allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; -allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; - -# read /proc/meminfo -kernel_read_system_state($1_gpg_pinentry_t) - -files_read_general_application_resources($1_gpg_pinentry_t) -# read /etc/X11/qtrc -files_read_general_system_config($1_gpg_pinentry_t) - -libraries_use_dynamic_loader($1_gpg_pinentry_t) -libraries_use_shared_libraries($1_gpg_pinentry_t) - -miscfiles_read_fonts($1_gpg_pinentry_t) -miscfiles_read_localization($1_gpg_pinentry_t) - -ifdef(`TODO',` - -allow $1_gpg_agent_t bin_t:dir search; - -ifdef(`xdm.te', ` -allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir 
search; -allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; -can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) -allow $1_gpg_pinentry_t xdm_t:fd use; -')dnl end ig xdm.te - -allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; - -# for .Xauthority -allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; -allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; -# wants to put some lock files into the user home dir, seems to work fine without -dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; -dontaudit $1_gpg_pinentry_t $1_home_t:file write; - -if (use_nfs_home_dirs) { -allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; -allow $1_gpg_pinentry_t nfs_t:file { getattr read }; -dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; -dontaudit $1_gpg_pinentry_t nfs_t:file write; -} - -if (use_samba_home_dirs) { -allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; -allow $1_gpg_pinentry_t cifs_t:file { getattr read }; -dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; -dontaudit $1_gpg_pinentry_t cifs_t:file write; -} - -dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; -') dnl end TODO -') dnl end gpg_per_userdomain_template + allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; + allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; + allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; + allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld; + + allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; + allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; + + # read /proc/meminfo + kernel_read_system_state($1_gpg_pinentry_t) + + files_read_general_application_resources($1_gpg_pinentry_t) + # read /etc/X11/qtrc + files_read_general_system_config($1_gpg_pinentry_t) + + libraries_use_dynamic_loader($1_gpg_pinentry_t) + libraries_use_shared_libraries($1_gpg_pinentry_t) + + miscfiles_read_fonts($1_gpg_pinentry_t) + 
miscfiles_read_localization($1_gpg_pinentry_t) + + ifdef(`TODO',` + + allow $1_gpg_agent_t bin_t:dir search; + + ifdef(`xdm.te', ` + allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; + allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; + can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) + allow $1_gpg_pinentry_t xdm_t:fd use; + ') + + allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; + + # for .Xauthority + allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; + allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; + # wants to put some lock files into the user home dir, seems to work fine without + dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; + dontaudit $1_gpg_pinentry_t $1_home_t:file write; + + if (use_nfs_home_dirs) { + allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; + allow $1_gpg_pinentry_t nfs_t:file { getattr read }; + dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; + dontaudit $1_gpg_pinentry_t nfs_t:file write; + } + + if (use_samba_home_dirs) { + allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; + allow $1_gpg_pinentry_t cifs_t:file { getattr read }; + dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; + dontaudit $1_gpg_pinentry_t cifs_t:file write; + } + + dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; + ') dnl end TODO +') diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index d50652b..7e40d50 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te 
@@ -146,35 +146,39 @@ allow bootloader_t boot_t:file relabelfrom; ') tunable_policy(`distro_redhat', ` -# for memlock -allow bootloader_t self:capability ipc_lock; -# new file system defaults to file_t, granting file_t access is still bad. -allow bootloader_t boot_runtime_t:file { read getattr unlink }; -# mkinitrd mount initrd on bootloader temp dir -files_make_mountpoint(bootloader_tmp_t) -# for mke2fs -mount_transition(bootloader_t) + # for memlock + allow bootloader_t self:capability ipc_lock; + + # new file system defaults to file_t, granting file_t access is still bad. + allow bootloader_t boot_runtime_t:file { read getattr unlink }; + + # mkinitrd mount initrd on bootloader temp dir + files_make_mountpoint(bootloader_tmp_t) + + # for mke2fs + mount_transition(bootloader_t) ') optional_policy(`filesystemtools.te', ` -filesystemtools_execute(bootloader_t) + filesystemtools_execute(bootloader_t) ') # LVM2 / Device Mapper's /dev/mapper/control # maybe we should change the labeling for this optional_policy(`lvm.te', ` -devices_use_lvm_control_channel(bootloader_t) -lvm_transition(bootloader_t) -lvm_read_config(bootloader_t) + devices_use_lvm_control_channel(bootloader_t) + + lvm_transition(bootloader_t) + lvm_read_config(bootloader_t) ') optional_policy(`modutils.te',` -modutils_insmod_execute(insmod_t) -modutils_read_kernel_module_dependencies(bootloader_t) -modutils_read_kernel_module_loading_config(bootloader_t) -modutils_insmod_execute(bootloader_t) -modutils_depmod_execute(bootloader_t) -modutils_update_modules_execute(bootloader_t) + modutils_insmod_execute(insmod_t) + modutils_read_kernel_module_dependencies(bootloader_t) + modutils_read_kernel_module_loading_config(bootloader_t) + modutils_insmod_execute(bootloader_t) + modutils_depmod_execute(bootloader_t) + modutils_update_modules_execute(bootloader_t) ') ifdef(`TODO',` 
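Review bot: The modutils block keeps `modutils_insmod_execute(insmod_t)`, a rule whose subject is the modutils domain rather than bootloader_t, and the reindent carries it over unchanged. Inside bootloader.te this reads like a typo for `modutils_insmod_execute(bootloader_t)`, which is already granted three lines below, so the line is either redundant or a rule for another module's domain that belongs in modutils.te. Either drop it or move it rather than just re-indenting it; if insmod_t genuinely needs this here, a one-line comment saying why would do, since the interface body is not visible in this diff.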
@@ -187,22 +191,23 @@ allow bootloader_t var_t:dir search; allow bootloader_t var_t:file { getattr read }; tunable_policy(`distro_debian', ` -allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; -allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; -allow bootloader_t tmpfs_t:dir r_dir_perms; -allow bootloader_t initrc_var_run_t:dir r_dir_perms; -allow bootloader_t var_lib_t:dir search; -allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; -allow bootloader_t dpkg_var_lib_t:file { getattr read }; -# for /usr/share/initrd-tools/scripts -can_exec(bootloader_t, usr_t) + allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; + allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; + allow bootloader_t tmpfs_t:dir r_dir_perms; + allow bootloader_t initrc_var_run_t:dir r_dir_perms; + allow bootloader_t var_lib_t:dir search; + allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; + allow bootloader_t dpkg_var_lib_t:file { getattr read }; + + # for /usr/share/initrd-tools/scripts + can_exec(bootloader_t, usr_t) ') tunable_policy(`distro_redhat', ` -# new file system defaults to file_t, granting file_t access is still bad. -allow bootloader_t file_t:dir create_dir_perms; -allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; -allow bootloader_t file_t:lnk_file create_lnk_perms; + # new file system defaults to file_t, granting file_t access is still bad. + allow bootloader_t file_t:dir create_dir_perms; + allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; + allow bootloader_t file_t:lnk_file create_lnk_perms; ') dontaudit bootloader_t selinux_config_t:dir search; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 359dffd..95c2e0f 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
@@ -275,30 +275,35 @@ define(`devices_manage_dev_symbolic_links_depend',` # devices_manage_device_nodes(domain) # define(`devices_manage_device_nodes',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; -allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; -allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -# these next rules are to satisfy assertions broken by the above lines. -# the permissions hopefully can be cut back a lot -storage_raw_read_fixed_disk($1) -storage_raw_write_fixed_disk($1) -storage_read_scsi_generic($1) -storage_write_scsi_generic($1) -typeattribute $1 memory_raw_read; -typeattribute $1 memory_raw_write; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; + allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + + # these next rules are to satisfy assertions broken by the above lines. 
+ # the permissions hopefully can be cut back a lot + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) + storage_read_scsi_generic($1) + storage_write_scsi_generic($1) + + typeattribute $1 memory_raw_read; + typeattribute $1 memory_raw_write; ') define(`devices_manage_device_nodes_depend',` -attribute device_node, memory_raw_read, memory_raw_write; -type device_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; -class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -class lnk_file { create read getattr setattr link unlink rename }; -class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + attribute device_node, memory_raw_read, memory_raw_write; + + type device_t; + + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; + class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + class lnk_file { create read getattr setattr link unlink rename }; + class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; ') ######################################## 
@@ -306,14 +311,16 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink # devices_ignore_modify_generic_devices(domain) # define(`devices_ignore_modify_generic_devices',` -requires_block_template(`$0'_depend) -dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; ') define(`devices_ignore_modify_generic_devices_depend',` -type device_t; -class chr_file { getattr read write ioctl }; -class blk_file { getattr read write ioctl }; + type device_t; + + class chr_file { getattr read write ioctl }; + class blk_file { getattr read write ioctl }; ') ######################################## @@ -321,15 +328,17 @@ class blk_file { getattr read write ioctl }; # devices_manage_generic_block_devices(domain) # define(`devices_manage_generic_block_devices',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read write add_name remove_name }; -allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir rw_dir_perms; + allow $1 device_t:blk_file create_file_perms; ') define(`devices_manage_generic_block_devices_depend',` -type device_t; -class dir r_dir_perms; -class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; + type device_t; + + class dir rw_dir_perms; + class blk_file create_file_perms; ') ######################################## 
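Review bot: In devices_manage_generic_block_devices the dir rule changes from the explicit `{ getattr search read write add_name remove_name }` to `rw_dir_perms` and the blk_file rule to `create_file_perms`, which is a semantic change buried in an otherwise whitespace-only commit. If `rw_dir_perms` expands to more than the old list (it typically adds `lock` and `ioctl`; the macro definition is not visible here) every caller of this interface is quietly widened on device_t directories. Either split the permission-set substitution into its own commit whose message states whether the sets are equivalent, or keep the explicit set. The depend block's move from `class dir r_dir_perms` to `rw_dir_perms` does fix an old mismatch with the interface body, and deserves a mention for the same reason.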
@@ -337,15 +346,17 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink # devices_manage_generic_character_devices(domain) # define(`devices_manage_generic_character_devices',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read write add_name remove_name }; -allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir rw_dir_perms; + allow $1 device_t:chr_file create_file_perms; ') define(`devices_manage_generic_character_devices_depend',` -type device_t; -class dir r_dir_perms; -class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; + type device_t; + + class dir rw_dir_perms; + class chr_file create_file_perms; ') ######################################## @@ -353,17 +364,20 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink # devices_create_dev_entry(domain,file,objectclass(es)) # define(`devices_create_dev_entry',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read write add_name remove_name }; -type_transition $1 device_t:$3 $2; -optional_policy(`distro_redhat',` -filesystem_tmpfs_associate($2) -') + requires_block_template(`$0'_depend) + + allow $1 device_t:dir rw_dir_perms; + type_transition $1 device_t:$3 $2; + + optional_policy(`distro_redhat',` + filesystem_tmpfs_associate($2) + ') ') define(`devices_set_dev_entry_depend',` -type device_t; -class dir { getattr search read write add_name remove_name }; + type device_t; + + class dir rw_dir_perms; ') ######################################## 
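Review bot: devices_create_dev_entry calls `requires_block_template(`$0'_depend)`, which resolves to devices_create_dev_entry_depend, but the depend macro defined directly below it is still named `devices_set_dev_entry_depend`, so the reindented interface has no matching requires block. Rename it to `define(`devices_create_dev_entry_depend',`. The guard `optional_policy(`distro_redhat',` also looks wrong: distro_redhat is used as a `tunable_policy` condition in bootloader.te elsewhere in this diff, while optional_policy there takes a module filename such as `lvm.te`. Finally, the depend block declares only device_t and dir, not the `$2` type or the `$3` classes the type_transition needs, which callers will have to know to supply themselves.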
@@ -371,15 +385,17 @@ class dir { getattr search read write add_name remove_name }; # devices_get_all_block_device_attributes(domain) # define(`devices_get_all_block_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 device_node:blk_file getattr; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 device_node:blk_file getattr; ') define(`devices_get_all_block_device_attributes_depend',` -attribute device_node; -class blk_file getattr; -class dir r_dir_perms; + attribute device_node; + + class blk_file getattr; + class dir r_dir_perms; ') ######################################## @@ -387,13 +403,15 @@ class dir r_dir_perms; # devices_ignore_get_all_block_device_attributes(domain) # define(`devices_ignore_get_all_block_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 device_node:blk_file getattr; + requires_block_template(`$0'_depend) + + allow $1 device_node:blk_file getattr; ') define(`devices_ignore_get_all_block_device_attributes_depend',` -attribute device_node; -class blk_file getattr; + attribute device_node; + + class blk_file getattr; ') ######################################## @@ -401,15 +419,17 @@ class blk_file getattr; # devices_get_all_character_device_attributes(domain) # define(`devices_get_all_character_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 device_node:chr_file getattr; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 device_node:chr_file getattr; ') define(`devices_get_all_character_device_attributes_depend',` -attribute device_node; -class chr_file getattr; -class dir r_dir_perms; + attribute device_node; + + class chr_file getattr; + class dir r_dir_perms; ') ######################################## 
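Review bot: devices_ignore_get_all_block_device_attributes grants `allow $1 device_node:blk_file getattr;` even though its name, and its chr_file twin devices_ignore_get_all_character_device_attributes further down, say it should be a `dontaudit`. As written, a caller that only wanted to silence audit noise gets real getattr on every block device node. The line should be `dontaudit $1 device_node:blk_file getattr;`; the bug predates the reindent, but the commit rewrites every line of the block and is the natural place to fix it.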
@@ -417,13 +437,15 @@ class dir r_dir_perms; # devices_ignore_get_all_character_device_attributes(domain) # define(`devices_ignore_get_all_character_device_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 device_node:chr_file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 device_node:chr_file getattr; ') define(`devices_ignore_get_all_character_device_attributes_depend',` -attribute device_node; -class chr_file getattr; + attribute device_node; + + class chr_file getattr; ') ######################################## @@ -431,13 +453,17 @@ class chr_file getattr; # devices_set_all_block_device_attributes(domain) # define(`devices_set_all_block_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 device_node:blk_file setattr; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 device_node:blk_file setattr; ') define(`devices_set_all_block_device_attributes_depend',` -attribute device_node; -class blk_file setattr; + attribute device_node; + + class dir r_dir_perms; + class blk_file setattr; ') ######################################## @@ -445,13 +471,17 @@ class blk_file setattr; # devices_set_all_character_device_attributes(domain) # define(`devices_set_all_character_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 device_node:chr_file setattr; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 device_node:chr_file setattr; ') define(`devices_set_all_character_device_attributes_depend',` -attribute device_node; -class chr_file setattr; + attribute device_node; + + class dir r_dir_perms; + class chr_file setattr; ') ######################################## 
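Review bot: devices_set_all_block_device_attributes now adds `allow $1 device_t:dir r_dir_perms;` and its depend block gains `class dir r_dir_perms;`, but the depend block still declares only `attribute device_node;` and no `type device_t;`. Every other depend block in this file that touches device_t (for example devices_get_random_data_depend) lists it, so add `type device_t;` after the attribute line. The same omission already exists in devices_get_all_block_device_attributes_depend and devices_get_all_character_device_attributes_depend, which the reindent leaves as they are.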
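Review bot: devices_set_all_character_device_attributes has the same gap as its blk_file sibling: the new `allow $1 device_t:dir r_dir_perms;` references device_t, but devices_set_all_character_device_attributes_depend declares only `attribute device_node;`. Add `type device_t;` to the depend block so the requires block covers everything the interface uses.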
@@ -459,20 +489,23 @@ class chr_file setattr; # devices_manage_all_block_devices(domain) # define(`devices_manage_all_block_devices',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read write add_name remove_name }; -allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; -# these next rules are to satisfy assertions broken by the above lines. -storage_raw_read_fixed_disk($1) -storage_raw_write_fixed_disk($1) -storage_read_scsi_generic($1) -storage_write_scsi_generic($1) + requires_block_template(`$0'_depend) + + allow $1 device_t:dir rw_dir_perms; + allow $1 device_node:blk_file create_file_perms; + + # these next rules are to satisfy assertions broken by the above lines. + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) + storage_read_scsi_generic($1) + storage_write_scsi_generic($1) ') define(`devices_manage_generic_block_devices_depend',` -attribute device_node; -class dir r_dir_perms; -class blk_file { create ioctl read getattr lock write setattr append link unlink rename }; + attribute device_node; + + class dir rw_dir_perms; + class blk_file create_file_perms; ') ######################################## 
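Review bot: The depend block that follows devices_manage_all_block_devices is still named `devices_manage_generic_block_devices_depend`, so the hunk leaves devices_manage_all_block_devices with no `_depend` macro for its `requires_block_template(`$0'_depend)` call, and as the later definition it would replace the real devices_manage_generic_block_devices_depend defined earlier in this file with a version that declares `attribute device_node;` and no `type device_t;`, although both interfaces use device_t. Rename it to `define(`devices_manage_all_block_devices_depend',` and add `type device_t;` beside the attribute line. Whether last-definition-wins actually bites depends on how these .if files are assembled, which is outside this diff, but the name mismatch itself is certain from the hunk.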
@@ -480,16 +513,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink # devices_manage_all_character_devices(domain) # define(`devices_manage_all_character_devices',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir { getattr search read write add_name remove_name }; -allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename }; -typeattribute $1 memory_raw_read, memory_raw_write; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir rw_dir_perms; + allow $1 device_node:chr_file create_file_perms; + + typeattribute $1 memory_raw_read, memory_raw_write; ') define(`devices_manage_all_character_devices_depend',` -attribute device_node, memory_raw_read, memory_raw_write; -class dir r_dir_perms; -class chr_file { create ioctl read getattr lock write setattr append link unlink rename }; + attribute device_node, memory_raw_read, memory_raw_write; + + class dir rw_dir_perms; + class chr_file create_file_perms; ') ######################################## @@ -497,18 +533,20 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink # devices_raw_read_memory(domain) # define(`devices_raw_read_memory',` -requires_block_template(`$0'_depend) -typeattribute $1 memory_raw_read; -allow $1 device_t:dir r_dir_perms; -allow $1 memory_device_t:chr_file { getattr read ioctl }; -allow $1 self:capability sys_rawio; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 memory_device_t:chr_file r_file_perms; + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; ') define(`devices_raw_read_memory_depend',` type device_t, memory_device_t; attribute memory_raw_read; class dir r_dir_perms; -class chr_file { getattr read ioctl }; +class chr_file r_file_perms; class capability sys_rawio; ') 
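Review bot: devices_manage_all_character_devices_depend declares `attribute device_node, memory_raw_read, memory_raw_write;` but no `type device_t;`, while the interface body does `allow $1 device_t:dir rw_dir_perms;`. Add `type device_t;` so the depend block covers everything the interface references. The `rw_dir_perms`/`create_file_perms` substitution here is also a permission-set change inside a whitespace commit and should be called out in the commit message.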
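Review bot: The depend block of devices_raw_read_memory is the odd one out for a formatting commit: `type device_t, memory_device_t;`, `attribute memory_raw_read;`, `class dir r_dir_perms;` and `class capability sys_rawio;` stay at column 0 while the single touched line `class chr_file r_file_perms;` and every other depend block in the file are indented by a tab. Indent these lines as well. The swap from `{ getattr read ioctl }` to `r_file_perms` is a semantic change (presumably adding `lock`; the macro is not visible here) and belongs in the commit message rather than hidden among reindents.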
@@ -517,11 +555,13 @@ class capability sys_rawio; # devices_raw_write_memory(domain) # define(`devices_raw_write_memory',` -requires_block_template(`$0'_depend) -typeattribute $1 memory_raw_write; -allow $1 device_t:dir r_dir_perms; -allow $1 memory_device_t:chr_file write; -allow $1 self:capability sys_rawio; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 memory_device_t:chr_file write; + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_write; ') define(`devices_raw_write_memory_depend',` @@ -537,14 +577,16 @@ class capability sys_rawio; # devices_legacy_raw_read_memory(domain) # define(`devices_legacy_raw_read_memory',` -requires_block_template(`$0'_depend) -devices_raw_read_memory($1) -allow $1 memory_device_t:chr_file execute; + requires_block_template(`$0'_depend) + + devices_raw_read_memory($1) + allow $1 memory_device_t:chr_file execute; ') define(`devices_legacy_raw_read_memory_depend',` -type device_t, memory_device_t; -class chr_file execute; + type device_t, memory_device_t; + + class chr_file execute; ') ######################################## @@ -552,14 +594,16 @@ class chr_file execute; # devices_legacy_raw_write_memory(domain) # define(`devices_legacy_raw_write_memory',` -requires_block_template(`$0'_depend) -devices_raw_write_memory($1) -allow $1 memory_device_t:chr_file execute; + requires_block_template(`$0'_depend) + + devices_raw_write_memory($1) + allow $1 memory_device_t:chr_file execute; ') define(`devices_legacy_raw_write_memory_depend',` -type device_t, memory_device_t; -class chr_file execute; + type device_t, memory_device_t; + + class chr_file execute; ') ######################################## 
@@ -567,15 +611,17 @@ class chr_file execute; # devices_get_random_data(domain) # define(`devices_get_random_data',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 random_device_t:chr_file { getattr read ioctl }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 random_device_t:chr_file r_file_perms; ') define(`devices_get_random_data_depend',` -type device_t, random_device_t; -class dir r_dir_perms; -class chr_file { getattr read ioctl }; + type device_t, random_device_t; + + class dir r_dir_perms; + class chr_file r_file_perms; ') ######################################## @@ -583,15 +629,17 @@ class chr_file { getattr read ioctl }; # devices_get_pseudorandom_data(domain) # define(`devices_get_pseudorandom_data',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 urandom_device_t:chr_file { getattr read ioctl }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 urandom_device_t:chr_file r_file_perms; ') define(`devices_get_pseudorandom_data_depend',` -type device_t, urandom_device_t; -class dir r_dir_perms; -class chr_file { getattr read ioctl }; + type device_t, urandom_device_t; + + class dir r_dir_perms; + class chr_file r_file_perms; ') ######################################## 
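Review bot: devices_get_random_data replaces the explicit `{ getattr read ioctl }` on random_device_t with `r_file_perms` in both the interface and its depend block, which is a permission change rather than a reindent. If `r_file_perms` carries `lock` or anything else beyond the old set (the macro definition is not in this diff) that is harmless for /dev/random, but the commit message should say the substitution was intentional so the widening is auditable; the same applies to devices_get_pseudorandom_data in the next hunk.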
@@ -599,15 +647,17 @@ class chr_file { getattr read ioctl }; # devices_add_entropy(domain) # define(`devices_add_entropy',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 random_device_t:chr_file { getattr write ioctl }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 random_device_t:chr_file { getattr write ioctl }; ') define(`devices_add_entropy_depend',` -type device_t, random_device_t; -class dir r_dir_perms; -class chr_file { getattr write ioctl }; + type device_t, random_device_t; + + class dir r_dir_perms; + class chr_file { getattr write ioctl }; ') ######################################## @@ -615,15 +665,17 @@ class chr_file { getattr write ioctl }; # devices_set_pseudorandom_seed(domain) # define(`devices_set_pseudorandom_seed',` -requires_block_template(`$0'_depend) -allow $1 device_t:dir r_dir_perms; -allow $1 urandom_device_t:chr_file { getattr write ioctl }; + requires_block_template(`$0'_depend) + + allow $1 device_t:dir r_dir_perms; + allow $1 urandom_device_t:chr_file { getattr write ioctl }; ') define(`devices_set_pseudorandom_seed_depend',` -type device_t, urandom_device_t; -class dir r_dir_perms; -class chr_file { getattr write ioctl }; + type device_t, urandom_device_t; + + class dir r_dir_perms; + class chr_file { getattr write ioctl }; ') ######################################## 
@@ -631,15 +683,17 @@ class chr_file { getattr write ioctl };
 # devices_use_dev_null(domain)
 #
 define(`devices_use_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 null_device_t:chr_file rw_file_perms;
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 null_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir r_dir_perms;
-class chr_file rw_file_perms;
+ type device_t, null_device_t;
+
+ class device_t:dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -647,15 +701,17 @@ class chr_file rw_file_perms;
 # devices_use_dev_zero(domain)
 #
 define(`devices_use_dev_zero',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 zero_device_t:chr_file rw_file_perms;
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 zero_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_dev_zero_depend',`
-type device_t, zero_device_t;
-class device_t:dir r_dir_perms;
-class chr_file r_file_perms;
+ type device_t, zero_device_t;
+
+ class device_t:dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -663,14 +719,16 @@ class chr_file r_file_perms;
 # devices_legacy_use_dev_zero(domain)
 #
 define(`devices_legacy_use_dev_zero',`
-requires_block_template(`$0'_depend)
-devices_use_dev_zero($1)
-allow $1 zero_device_t:chr_file execute;
+ requires_block_template(`$0'_depend)
+
+ devices_use_dev_zero($1)
+ allow $1 zero_device_t:chr_file execute;
 ')
 
 define(`devices_legacy_use_dev_zero_depend',`
-type zero_device_t;
-class chr_file execute;
+ type zero_device_t;
+
+ class chr_file execute;
 ')
 
 ########################################
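Review bot: Both `devices_use_dev_null_depend` and `devices_use_dev_zero_depend` carry `class device_t:dir r_dir_perms;` into the re-indented block, which is not a valid `class` requirement statement — every sibling _depend block in this file writes `class dir r_dir_perms;`. In `devices_use_dev_zero_depend` the declared `class chr_file r_file_perms;` also disagrees with the interface body's `allow $1 zero_device_t:chr_file rw_file_perms;`, so the requirement block understates what the interface grants. Suggested lines: `class dir r_dir_perms;` in both blocks, and `class chr_file rw_file_perms;` in the dev_zero one.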
@@ -678,15 +736,16 @@ class chr_file execute;
 # devices_read_realtime_clock(domain)
 #
 define(`devices_read_realtime_clock',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 clock_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 clock_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_realtime_clock_depend',`
 type device_t, clock_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 
 ########################################
@@ -694,15 +753,17 @@ class chr_file { getattr read ioctl };
 # devices_write_realtime_clock(domain)
 #
 define(`devices_write_realtime_clock',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
 ')
 
 define(`devices_write_realtime_clock_depend',`
-type device_t, clock_device_t;
-class dir r_dir_perms;
-class chr_file { setattr lock write append ioctl };
+ type device_t, clock_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { setattr lock write append ioctl };
 ')
 
 ########################################
@@ -710,8 +771,8 @@ class chr_file { setattr lock write append ioctl };
 # devices_modify_realtime_clock(domain)
 #
 define(`devices_modify_realtime_clock',`
-devices_read_realtime_clock($1)
-devices_write_realtime_clock($1)
+ devices_read_realtime_clock($1)
+ devices_write_realtime_clock($1)
 ')
 
 ########################################
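Review bot: The `type device_t, clock_device_t;` and `class dir r_dir_perms;` lines of `devices_read_realtime_clock_depend` are left as unindented context while every other line of these blocks receives the new leading whitespace, so the file ends up mixing both layouts inside a single `define`, and the replacement `+class chr_file r_file_perms;` is likewise added without the indent. The same two context lines are left alone in `devices_record_sound_input_depend` in the following hunk. Indenting them to match the sibling blocks would make the formatting change complete.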
@@ -719,15 +780,16 @@ devices_write_realtime_clock($1)
 # devices_record_sound_input(domain)
 #
 define(`devices_record_sound_input',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_record_sound_input_depend',`
 type device_t, sound_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 
 ########################################
@@ -735,15 +797,17 @@ class chr_file { getattr read ioctl };
 # devices_play_sound(domain)
 #
 define(`devices_play_sound',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_play_sound_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+ type device_t, sound_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -751,15 +815,17 @@ class chr_file { getattr write ioctl };
 # devices_read_sound_mixer_levels(domain)
 #
 define(`devices_read_sound_mixer_levels',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
 
 define(`devices_read_sound_mixer_levels_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, sound_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr read ioctl };
 ')
 
 ########################################
@@ -767,15 +833,17 @@ class chr_file { getattr read ioctl };
 # devices_write_sound_mixer_levels(domain)
 #
 define(`devices_write_sound_mixer_levels',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_sound_mixer_levels_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+ type device_t, sound_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -783,15 +851,17 @@ class chr_file { getattr write ioctl };
 # devices_direct_agp_access(domain)
 #
 define(`devices_direct_agp_access',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 agp_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 agp_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_direct_agp_access_depend',`
-type device_t, agp_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+ type device_t, agp_device_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
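Review bot: `devices_direct_agp_access` goes from `{ getattr read write ioctl }` to `rw_file_perms`, and because the macro's expansion is not part of this diff the resulting permission set on agp_device_t should be checked before merging; in refpolicy `rw_file_perms` is broader than the four permissions it replaces (lock and append at least). The same rewrite is applied to dri_device_t, cpu_device_t (microcode load), scanner_device_t and power_device_t in later hunks. If the broader set is intended for all of these, the commit message should say so, since it is a policy change inside what otherwise reads as a whitespace commit.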
@@ -799,15 +869,17 @@ class chr_file { getattr read write ioctl };
 # devices_get_direct_rendering_interface_attributes(domain)
 #
 define(`devices_get_direct_rendering_interface_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 dri_device_t:chr_file getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file getattr;
 ')
 
 define(`devices_get_direct_rendering_interface_attributes_depend',`
-type device_t, dri_device_t;
-class dir r_dir_perms;
-class chr_file getattr;
+ type device_t, dri_device_t;
+
+ class dir r_dir_perms;
+ class chr_file getattr;
 ')
 
 ########################################
@@ -815,15 +887,17 @@ class chr_file getattr;
 # devices_use_direct_rendering_interface(domain)
 #
 define(`devices_use_direct_rendering_interface',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 dri_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_direct_rendering_interface_depend',`
-type device_t, dri_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+ type device_t, dri_device_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -831,13 +905,15 @@ class chr_file { getattr read write ioctl };
 # devices_ignore_use_direct_rendering_interface(domain)
 #
 define(`devices_ignore_use_direct_rendering_interface',`
-requires_block_template(`$0'_depend)
-dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
 
 define(`devices_ignore_use_direct_rendering_interface_depend',`
-type dri_device_t;
-class chr_file { getattr read write ioctl };
+ type dri_device_t;
+
+ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -845,15 +921,17 @@ class chr_file { getattr read write ioctl };
 # devices_read_mtrr(domain)
 #
 define(`devices_read_mtrr',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mtrr_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_mtrr_depend',`
-type device_t, mtrr_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, mtrr_device_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -861,15 +939,17 @@ class chr_file { getattr read ioctl };
 # devices_write_mtrr(domain)
 #
 define(`devices_write_mtrr',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_mtrr_depend',`
-type device_t, mtrr_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+ type device_t, mtrr_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -877,15 +957,17 @@ class chr_file { getattr write ioctl };
 # devices_read_framebuffer(domain)
 #
 define(`devices_read_framebuffer',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 framebuf_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 framebuf_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_framebuffer_depend',`
-type framebuf_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type framebuf_device_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -893,15 +975,17 @@ class chr_file { getattr read ioctl };
 # devices_write_framebuffer(domain)
 #
 define(`devices_write_framebuffer',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_framebuffer_depend',`
-type device_t, framebuf_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+ type device_t, framebuf_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
 ')
 
 ########################################
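Review bot: `devices_read_framebuffer_depend` still declares only `type framebuf_device_t;` although the interface body uses `device_t:dir`, so the requirement block is incomplete; compare `devices_write_framebuffer_depend` in the next hunk, which declares `type device_t, framebuf_device_t;`. The commit makes this exact correction for the lvm_control interfaces further down, so applying it here as well would be consistent: `type device_t, framebuf_device_t;`.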
@@ -909,15 +993,17 @@ class chr_file { getattr write ioctl };
 # devices_read_lvm_control_channel(domain)
 #
 define(`devices_read_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 lvm_control_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+ type device_t, lvm_control_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -925,15 +1011,17 @@ class chr_file { ioctl read getattr lock write append };
 # devices_use_lvm_control_channel(domain)
 #
 define(`devices_use_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 lvm_control_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+ type device_t, lvm_control_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
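Review bot: `devices_read_lvm_control_channel` is widened from `{ getattr read }` to `r_file_perms`, which adds ioctl (plus whatever else the macro expands to) on the LVM control device — a read interface gaining ioctl on a control channel is a meaningful change rather than a cleanup. The old _depend block declared a far larger set than the interface used, so bringing the two into agreement is right; the open question is whether the interface should grow or the requirement shrink. If read-only is the intent, `allow $1 lvm_control_t:chr_file { getattr read };` with a matching `class chr_file { getattr read };` preserves the previous grant; the addition of `device_t` to both _depend blocks is a genuine fix and should stay.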
@@ -941,15 +1029,17 @@ class chr_file { ioctl read getattr lock write append };
 # devices_remove_lvm_control_channel(domain)
 #
 define(`devices_remove_lvm_control_channel',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write remove_name };
-allow $1 lvm_control_t:chr_file unlink;
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir { getattr search read write remove_name };
+ allow $1 lvm_control_t:chr_file unlink;
 ')
 
 define(`devices_remove_lvm_control_channel_depend',`
-type lvm_control_t;
-class dir { getattr search read write remove_name };
-class chr_file unlink;
+ type device_t, lvm_control_t;
+
+ class dir { getattr search read write remove_name };
+ class chr_file unlink;
 ')
 
 ########################################
@@ -957,15 +1047,17 @@ class chr_file unlink;
 # devices_read_misc(domain)
 #
 define(`devices_read_misc',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 misc_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 misc_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_read_misc_depend',`
-type device_t, misc_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, misc_device_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -973,15 +1065,17 @@ class chr_file { getattr read ioctl };
 # devices_write_misc(domain)
 #
 define(`devices_write_misc',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 misc_device_t:chr_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
 
 define(`devices_write_misc_depend',`
-type device_t, misc_device_t;
-class dir r_dir_perms;
-class chr_file { getattr write ioctl };
+ type device_t, misc_device_t;
+
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -989,15 +1083,17 @@ class chr_file { getattr write ioctl };
 # devices_get_mouse_input(domain)
 #
 define(`devices_get_mouse_input',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 mouse_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mouse_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_mouse_input_depend',`
-type device_t, mouse_device_t;
-allow $1 device_t:dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, mouse_device_t;
+
+ allow $1 device_t:dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
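Review bot: `devices_get_mouse_input_depend` contains `allow $1 device_t:dir r_dir_perms;` — an access-vector rule inside a requirement block, where every sibling _depend block declares `class dir r_dir_perms;` instead. The re-indent carries the mistake over, so the requires block for this interface presumably ends up without the dir class requirement and with an allow rule in the wrong place. Suggested line: `class dir r_dir_perms;`.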
@@ -1005,15 +1101,17 @@ class chr_file { getattr read ioctl };
 # devices_get_input_event(domain)
 #
 define(`devices_get_input_event',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 event_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 event_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_input_event_depend',`
-type device_t, event_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, event_device_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -1021,15 +1119,17 @@ class chr_file { getattr read ioctl };
 # devices_get_cpuid(domain)
 #
 define(`devices_get_cpuid',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 cpu_device_t:chr_file r_file_perms;
 ')
 
 define(`devices_get_cpuid_depend',`
-type device_t, cpu_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+ type device_t, cpu_device_t;
+
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
 ')
 
 ########################################
@@ -1037,15 +1137,17 @@ class chr_file { getattr read ioctl };
 # devices_load_cpu_microcode(domain)
 #
 define(`devices_load_cpu_microcode',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 cpu_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_load_cpu_microcode_depend',`
-type device_t, cpu_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+ type device_t, cpu_device_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1053,15 +1155,17 @@ class chr_file { getattr read write ioctl };
 # devices_use_scanner(domain)
 #
 define(`devices_use_scanner',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 scanner_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 scanner_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_use_scanner_depend',`
-type device_t, scanner_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+ type device_t, scanner_device_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1069,15 +1173,17 @@ class chr_file { getattr read write ioctl };
 # devices_control_system_powermanagement(domain)
 #
 define(`devices_control_system_powermanagement',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir r_dir_perms;
-allow $1 power_device_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 power_device_t:chr_file rw_file_perms;
 ')
 
 define(`devices_control_system_powermanagement_depend',`
-type device_t, power_device_t;
-class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+ type device_t, power_device_t;
+
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
 ')
 
 ##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 069fd55..bf7e320 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -6,12 +6,13 @@
 # filesystem_make_filesystem(type)
 #
 define(`filesystem_make_filesystem',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fs_type;
+ requires_block_template(`$0'_depend)
+
+ typeattribute $1 fs_type;
 ')
 
 define(`filesystem_make_filesystem_depend',`
-attribute fs_type;
+ attribute fs_type;
 ')
 
 ########################################
@@ -19,13 +20,15 @@ attribute fs_type;
 # filesystem_associate(type)
 #
 define(`filesystem_associate',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem associate;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem associate;
 ')
 
 define(`filesystem_associate_depend',`
-type fs_t;
-class filesystem associate;
+ type fs_t;
+
+ class filesystem associate;
 ')
 
 ########################################
@@ -33,19 +36,21 @@ class filesystem associate;
 # filesystem_noxattr_associate(type)
 #
 define(`filesystem_noxattr_associate',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem associate;
-allow $1 cifs_t:filesystem associate;
-allow $1 dosfs_t:filesystem associate;
-allow $1 iso9660_t:filesystem associate;
-allow $1 nfs_t:filesystem associate;
-allow $1 removable_t:filesystem associate;
-allow $1 usbfs_t:filesystem associate;
+ requires_block_template(`$0'_depend)
+
+ allow $1 autofs_t:filesystem associate;
+ allow $1 cifs_t:filesystem associate;
+ allow $1 dosfs_t:filesystem associate;
+ allow $1 iso9660_t:filesystem associate;
+ allow $1 nfs_t:filesystem associate;
+ allow $1 removable_t:filesystem associate;
+ allow $1 usbfs_t:filesystem associate;
 ')
 
 define(`filesystem_noxattr_associate_depend',`
-type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
-class filesystem associate;
+ type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
+
+ class filesystem associate;
 ')
 
 ########################################
@@ -53,13 +58,15 @@ class filesystem associate;
 # filesystem_mount_persistent_filesystem(domain)
 #
 define(`filesystem_mount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem mount;
+ type fs_t;
+
+ class filesystem mount;
 ')
 
 ########################################
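Review bot: `filesystem_noxattr_associate_depend` declares `fs_t` even though the interface body never references it (it only touches autofs_t, cifs_t, dosfs_t, iso9660_t, nfs_t, removable_t and usbfs_t), so the requirement list overstates the interface's dependencies. Dropping `fs_t` from the `type` line keeps the _depend block an accurate statement of what the interface needs; the rest of this hunk is formatting only.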
@@ -67,13 +74,15 @@ class filesystem mount;
 # filesystem_remount_persistent_filesystem(domain)
 #
 define(`filesystem_remount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem remount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem remount;
+ type fs_t;
+
+ class filesystem remount;
 ')
 
 ########################################
@@ -81,13 +90,15 @@ class filesystem remount;
 # filesystem_unmount_persistent_filesystem(domain)
 #
 define(`filesystem_unmount_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_persistent_filesystem_depend',`
-type fs_t;
-class filesystem unmount;
+ type fs_t;
+
+ class filesystem unmount;
 ')
 
 ########################################
@@ -95,13 +106,15 @@ class filesystem unmount;
 # filesystem_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_get_persistent_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_persistent_filesystem_attributes_depend',`
-type fs_t;
-class filesystem getattr;
+ type fs_t;
+
+ class filesystem getattr;
 ')
 
 ########################################
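Review bot: `filesystem_unmount_persistent_filesystem` grants `allow $1 fs_t:filesystem mount;` while its _depend block declares `class filesystem unmount;`, so the interface named as unmount actually hands out mount and never requires the unmount permission it is meant to grant. The same mount/unmount mismatch recurs in `filesystem_unmount_automount_filesystem`, `filesystem_unmount_windows_network_filesystem` and `filesystem_unmount_dos_filesystem` in later hunks. Suggested line here: `allow $1 fs_t:filesystem unmount;`, with the autofs_t, cifs_t and dosfs_t variants changed the same way.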
@@ -109,13 +122,15 @@ class filesystem getattr;
 # filesystem_ignore_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_ignore_get_persistent_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 fs_t:filesystem getattr;
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 fs_t:filesystem getattr;
 ')
 
 define(`filesystem_ignore_get_persistent_filesystem_attributes_depend',`
-type fs_t;
-class filesystem getattr;
+ type fs_t;
+
+ class filesystem getattr;
 ')
 
 ########################################
@@ -123,13 +138,15 @@ class filesystem getattr;
 # filesystem_relabelfrom_persistent_filesystem(domain)
 #
 define(`filesystem_relabelfrom_persistent_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 fs_t:filesystem relabelfrom;
+ requires_block_template(`$0'_depend)
+
+ allow $1 fs_t:filesystem relabelfrom;
 ')
 
 define(`filesystem_relabelfrom_persistent_filesystem_depend',`
-type fs_t;
-class filesystem relabelfrom;
+ type fs_t;
+
+ class filesystem relabelfrom;
 ')
 
 ########################################
@@ -137,13 +154,14 @@ class filesystem relabelfrom;
 # filesystem_mount_automount_filesystem(domain)
 #
 define(`filesystem_mount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 autofs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem mount;
+ type autofs_t;
+ class filesystem mount;
 ')
 
 ########################################
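Review bot: `filesystem_mount_automount_filesystem_depend` is the one _depend block in this file that does not receive the blank line between the `type` and `class` lines that the commit adds to every other block, so the layout is inconsistent after the change. Adding the blank line after `type autofs_t;` would match the surrounding blocks.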
@@ -151,13 +169,15 @@ class filesystem mount;
 # filesystem_remount_automount_filesystem(domain)
 #
 define(`filesystem_remount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem remount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 autofs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem remount;
+ type autofs_t;
+
+ class filesystem remount;
 ')
 
 ########################################
@@ -165,13 +185,15 @@ class filesystem remount;
 # filesystem_unmount_automount_filesystem(domain)
 #
 define(`filesystem_unmount_automount_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 autofs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_automount_filesystem_depend',`
-type autofs_t;
-class filesystem unmount;
+ type autofs_t;
+
+ class filesystem unmount;
 ')
 
 ########################################
@@ -179,13 +201,15 @@ class filesystem unmount;
 # filesystem_get_automount_filesystem_attributes(domain)
 #
 define(`filesystem_get_automount_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 autofs_t:filesystem getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 autofs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_automount_filesystem_attributes_depend',`
-type autofs_t;
-class filesystem getattr;
+ type autofs_t;
+
+ class filesystem getattr;
 ')
 
 ########################################
@@ -193,15 +217,17 @@ class filesystem getattr;
 # filesystem_register_binary_executable_type(domain)
 #
 define(`filesystem_register_binary_executable_type',`
-requires_block_template(`$0'_depend)
-allow $1 binfmt_misc_fs_t:dir { getattr search };
-allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 binfmt_misc_fs_t:dir { getattr search };
+ allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
 ')
 
 define(`filesystem_register_binary_executable_type_depend',`
-type binfmt_misc_fs_t;
-class dir { getattr search };
-class file { getattr ioctl write };
+ type binfmt_misc_fs_t;
+
+ class dir { getattr search };
+ class file { getattr ioctl write };
 ')
 
 ########################################
@@ -209,13 +235,15 @@ class file { getattr ioctl write };
 # filesystem_mount_windows_network_filesystem(domain)
 #
 define(`filesystem_mount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:filesystem mount;
 ')
 
 define(`filesystem_mount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem mount;
+ type cifs_t;
+
+ class filesystem mount;
 ')
 
 ########################################
@@ -223,13 +251,15 @@ class filesystem mount;
 # filesystem_remount_windows_network_filesystem(domain)
 #
 define(`filesystem_remount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem remount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:filesystem remount;
 ')
 
 define(`filesystem_remount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem remount;
+ type cifs_t;
+
+ class filesystem remount;
 ')
 
 ########################################
@@ -237,13 +267,15 @@ class filesystem remount;
 # filesystem_unmount_windows_network_filesystem(domain)
 #
 define(`filesystem_unmount_windows_network_filesystem',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem mount;
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:filesystem mount;
 ')
 
 define(`filesystem_unmount_windows_network_filesystem_depend',`
-type cifs_t;
-class filesystem unmount;
+ type cifs_t;
+
+ class filesystem unmount;
 ')
 
 ########################################
@@ -251,13 +283,15 @@ class filesystem unmount;
 # filesystem_get_windows_network_filesystem_attributes(domain)
 #
 define(`filesystem_get_windows_network_filesystem_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:filesystem getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:filesystem getattr;
 ')
 
 define(`filesystem_get_windows_network_filesystem_attributes_depend',`
-type cifs_t;
-class filesystem getattr;
+ type cifs_t;
+
+ class filesystem getattr;
 ')
 
 ########################################
@@ -265,15 +299,17 @@ class filesystem getattr;
 # filesystem_execute_windows_network_files(domain)
 #
 define(`filesystem_execute_windows_network_files',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read };
-allow $1 cifs_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:dir r_dir_perms;
+ allow $1 cifs_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`filesystem_execute_windows_network_files_depend',`
-type cifs_t;
-class dir { getattr search read };
-class file { getattr read execute execute_no_trans };
+ type cifs_t;
+
+ class dir r_dir_perms;
+ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -281,13 +317,15 @@ class file { getattr read execute execute_no_trans };
 # filesystem_manage_windows_network_directories(domain)
 #
 define(`filesystem_manage_windows_network_directories',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:dir create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_directories_depend',`
-type cifs_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+ type cifs_t;
+
+ class dir create_file_perms;
 ')
 
 ########################################
@@ -295,15 +333,17 @@ class dir { create read getattr lock setattr ioctl link unlink rename search add
 # filesystem_manage_windows_network_files(domain)
 #
 define(`filesystem_manage_windows_network_files',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:dir rw_dir_perms;
+ allow $1 cifs_t:file create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_files_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+ type cifs_t;
+
+ class dir rw_dir_perms;
+ class file create_file_perms;
 ')
 
 ########################################
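Review bot: `filesystem_manage_windows_network_directories` replaces an explicit dir set containing `search`, `add_name`, `remove_name`, `reparent` and `rmdir` with `create_file_perms`, a file-oriented macro whose expansion is not on this page; if it does not carry the directory-specific permissions, this hunk silently drops them from the interface. refpolicy provides `create_dir_perms` for exactly this case, which would be the safer substitute: `allow $1 cifs_t:dir create_dir_perms;` with `class dir create_dir_perms;` in the _depend block. Whichever macro is kept, its expansion should be compared against the removed line before merging.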
@@ -311,15 +351,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # filesystem_manage_windows_network_symbolic_links(domain)
 #
 define(`filesystem_manage_windows_network_symbolic_links',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:dir rw_dir_perms;
+ allow $1 cifs_t:lnk_file create_lnk_perms;
 ')
 
 define(`filesystem_manage_windows_network_symbolic_links_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+ type cifs_t;
+
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
 ')
 
 ########################################
@@ -327,15 +369,17 @@ class lnk_file { create ioctl read getattr lock write setattr append link unlink
 # filesystem_manage_windows_network_named_pipes(domain)
 #
 define(`filesystem_manage_windows_network_named_pipes',`
-requires_block_template(`$0'_depend)
-allow $1 cifs_t:dir { getattr search read write add_name remove_name };
-allow $1 cifs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ requires_block_template(`$0'_depend)
+
+ allow $1 cifs_t:dir rw_dir_perms;
+ allow $1 cifs_t:fifo_file create_file_perms;
 ')
 
 define(`filesystem_manage_windows_network_named_pipes_depend',`
-type cifs_t;
-class dir { getattr search read write add_name remove_name };
-class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ type cifs_t;
+
+ class dir rw_dir_perms;
+ class fifo_file create_file_perms;
 ')
 
 ########################################
@@ -343,15 +387,17 @@ class fifo_file { create ioctl read getattr lock write setattr append link unlin # filesystem_manage_windows_network_named_sockets(domain) # define(`filesystem_manage_windows_network_named_sockets',` -requires_block_template(`$0'_depend) -allow $1 cifs_t:dir { getattr search read write add_name remove_name }; -allow $1 cifs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 cifs_t:dir rw_file_perms; + allow $1 cifs_t:sock_file create_file_perms; ') define(`filesystem_manage_windows_network_named_sockets_depend',` -type cifs_t; -class dir { getattr search read write add_name remove_name }; -class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + type cifs_t; + + class dir rw_dir_perms; + class sock_file create_file_perms; ') ######################################## @@ -359,13 +405,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin # filesystem_mount_dos_filesystem(domain) # define(`filesystem_mount_dos_filesystem',` -requires_block_template(`$0'_depend) -allow $1 dosfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 dosfs_t:filesystem mount; ') define(`filesystem_mount_dos_filesystem_depend',` -type dosfs_t; -class filesystem mount; + type dosfs_t; + + class filesystem mount; ') ######################################## @@ -373,13 +421,15 @@ class filesystem mount; # filesystem_remount_dos_filesystem(domain) # define(`filesystem_remount_dos_filesystem',` -requires_block_template(`$0'_depend) -allow $1 dosfs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 dosfs_t:filesystem remount; ') define(`filesystem_remount_dos_filesystem_depend',` -type dosfs_t; -class filesystem remount; + type dosfs_t; + + class filesystem remount; ') ######################################## 
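Review bot: filesystem_manage_windows_network_named_sockets now grants `allow $1 cifs_t:dir rw_file_perms;` but its _depend block declares `class dir rw_dir_perms;`, so the body and the require block disagree. Every sibling interface in this patch converts the old `{ getattr search read write add_name remove_name }` dir list to rw_dir_perms; rw_file_perms on a directory presumably lacks search/add_name/remove_name, so creating or unlinking a sock_file under a cifs_t directory would still be denied. Suggest `allow $1 cifs_t:dir rw_dir_perms;` to match the _depend block and the other cifs_t manage interfaces.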
@@ -387,13 +437,15 @@ class filesystem remount; # filesystem_unmount_dos_filesystem(domain) # define(`filesystem_unmount_dos_filesystem',` -requires_block_template(`$0'_depend) -allow $1 dosfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 dosfs_t:filesystem mount; ') define(`filesystem_unmount_dos_filesystem_depend',` -type dosfs_t; -class filesystem unmount; + type dosfs_t; + + class filesystem unmount; ') ######################################## @@ -401,13 +453,15 @@ class filesystem unmount; # filesystem_get_dos_filesystem_attributes(domain) # define(`filesystem_get_dos_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 dosfs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 dosfs_t:filesystem getattr; ') define(`filesystem_get_dos_filesystem_attributes_depend',` -type dosfs_t; -class filesystem getattr; + type dosfs_t; + + class filesystem getattr; ') ######################################## @@ -415,13 +469,15 @@ class filesystem getattr; # filesystem_relabelfrom_dos_filesystem(domain) # define(`filesystem_relabelfrom_dos_filesystem',` -requires_block_template(`$0'_depend) -allow $1 dosfs_t:filesystem relabelfrom; + requires_block_template(`$0'_depend) + + allow $1 dosfs_t:filesystem relabelfrom; ') define(`filesystem_relabelfrom_dos_filesystem_depend',` -type dosfs_t; -class filesystem relabelfrom; + type dosfs_t; + + class filesystem relabelfrom; ') ######################################## @@ -429,13 +485,15 @@ class filesystem relabelfrom; # filesystem_mount_cd_filesystem(domain) # define(`filesystem_mount_cd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 iso9660_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 iso9660_t:filesystem mount; ') define(`filesystem_mount_cd_filesystem_depend',` -type iso9660_t; -class filesystem mount; + type iso9660_t; + + class filesystem mount; ') ######################################## 
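Review bot: filesystem_unmount_dos_filesystem still grants `allow $1 dosfs_t:filesystem mount;` while its _depend block declares `class filesystem unmount;`, so a caller asking only for unmount is handed the more powerful mount permission and never gets unmount. The defect predates this commit (the removed line is identical), but the reindent was the moment to catch it. Suggest `allow $1 dosfs_t:filesystem unmount;`. The same copy-paste appears in the cd, nfs, nfsd, ram, rom, rpc_pipefs and tmpfs unmount interfaces below.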
@@ -443,13 +501,15 @@ class filesystem mount; # filesystem_remount_cd_filesystem(domain) # define(`filesystem_remount_cd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 iso9660_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 iso9660_t:filesystem remount; ') define(`filesystem_remount_cd_filesystem_depend',` -type iso9660_t; -class filesystem remount; + type iso9660_t; + + class filesystem remount; ') ######################################## @@ -457,13 +517,15 @@ class filesystem remount; # filesystem_unmount_cd_filesystem(domain) # define(`filesystem_unmount_cd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 iso9660_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 iso9660_t:filesystem mount; ') define(`filesystem_unmount_cd_filesystem_depend',` -type iso9660_t; -class filesystem unmount; + type iso9660_t; + + class filesystem unmount; ') ######################################## @@ -471,13 +533,15 @@ class filesystem unmount; # filesystem_get_cd_filesystem_attributes(domain) # define(`filesystem_get_cd_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 iso9660_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 iso9660_t:filesystem getattr; ') define(`filesystem_get_cd_filesystem_attributes_depend',` -type iso9660_t; -class filesystem getattr; + type iso9660_t; + + class filesystem getattr; ') ######################################## @@ -485,13 +549,15 @@ class filesystem getattr; # filesystem_mount_nfs_filesystem(domain) # define(`filesystem_mount_nfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:filesystem mount; ') define(`filesystem_mount_nfs_filesystem_depend',` -type nfs_t; -class filesystem mount; + type nfs_t; + + class filesystem mount; ') ######################################## 
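Review bot: filesystem_unmount_cd_filesystem grants `mount` on iso9660_t:filesystem although its _depend block requires `unmount`, so the interface over-grants mount and does not deliver the permission its name promises. Suggest `allow $1 iso9660_t:filesystem unmount;`.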
@@ -499,13 +565,15 @@ class filesystem mount; # filesystem_remount_nfs_filesystem(domain) # define(`filesystem_remount_nfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:filesystem remount; ') define(`filesystem_remount_nfs_filesystem_depend',` -type nfs_t; -class filesystem remount; + type nfs_t; + + class filesystem remount; ') ######################################## @@ -513,13 +581,15 @@ class filesystem remount; # filesystem_unmount_nfs_filesystem(domain) # define(`filesystem_unmount_nfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:filesystem mount; ') define(`filesystem_unmount_nfs_filesystem_depend',` -type nfs_t; -class filesystem unmount; + type nfs_t; + + class filesystem unmount; ') ######################################## @@ -527,13 +597,15 @@ class filesystem unmount; # filesystem_get_nfs_filesystem_attributes(domain) # define(`filesystem_get_nfs_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:filesystem getattr; ') define(`filesystem_get_nfs_filesystem_attributes_depend',` -type nfs_t; -class filesystem getattr; + type nfs_t; + + class filesystem getattr; ') ######################################## 
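Review bot: filesystem_unmount_nfs_filesystem grants `allow $1 nfs_t:filesystem mount;` while the _depend block declares `class filesystem unmount;`; the body and the require block name different permissions and the caller ends up with mount instead of unmount. Suggest `allow $1 nfs_t:filesystem unmount;`.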
@@ -541,15 +613,17 @@ class filesystem getattr; # filesystem_execute_nfs_files(domain) # define(`filesystem_execute_nfs_files',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { getattr search read }; -allow $1 nfs_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir r_dir_perms; + allow $1 nfs_t:file { getattr read execute execute_no_trans }; ') define(`filesystem_execute_nfs_files_depend',` -type nfs_t; -class dir { getattr search read }; -class file { getattr read execute execute_no_trans }; + type nfs_t; + + class dir r_dir_perms; + class file { getattr read execute execute_no_trans }; ') ######################################## @@ -557,13 +631,15 @@ class file { getattr read execute execute_no_trans }; # filesystem_manage_nfs_directories(domain) # define(`filesystem_manage_nfs_directories',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir create_dir_perms; ') define(`filesystem_manage_nfs_directories_depend',` -type nfs_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + type nfs_t; + + class dir create_dir_perms; ') ######################################## 
@@ -571,15 +647,17 @@ class dir { create read getattr lock setattr ioctl link unlink rename search add # filesystem_manage_nfs_files(domain) # define(`filesystem_manage_nfs_files',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { getattr search read write add_name remove_name }; -allow $1 nfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir rw_dir_perms; + allow $1 nfs_t:file create_file_perms; ') define(`filesystem_manage_nfs_files_depend',` -type nfs_t; -class dir { getattr search read write add_name remove_name }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + type nfs_t; + + class dir rw_dir_perms; + class file create_file_perms; ') ######################################## @@ -587,15 +665,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # filesystem_manage_nfs_symbolic_links(domain) # define(`filesystem_manage_nfs_symbolic_links',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { getattr search read write add_name remove_name }; -allow $1 nfs_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir rw_dir_perms; + allow $1 nfs_t:lnk_file create_lnk_perms; ') define(`filesystem_manage_nfs_symbolic_links_depend',` -type nfs_t; -class dir { getattr search read write add_name remove_name }; -class lnk_file { create ioctl read getattr lock write setattr append link unlink rename }; + type nfs_t; + + class dir r_dir_perms; + class lnk_file create_lnk_perms; ') ######################################## 
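Review bot: filesystem_manage_nfs_symbolic_links grants `allow $1 nfs_t:dir rw_dir_perms;` but its _depend block now declares only `class dir r_dir_perms;`, so the require block is weaker than what the body uses and the write/add_name/remove_name permissions on dir are not declared for the module. The removed explicit list `{ getattr search read write add_name remove_name }` was consistent in both places. Suggest `class dir rw_dir_perms;` in filesystem_manage_nfs_symbolic_links_depend.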
@@ -603,15 +683,17 @@ class lnk_file { create ioctl read getattr lock write setattr append link unlink # filesystem_manage_nfs_named_pipes(domain) # define(`filesystem_manage_nfs_named_pipes',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { getattr search read write add_name remove_name }; -allow $1 nfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir rw_dir_perms; + allow $1 nfs_t:fifo_file create_file_perms; ') define(`filesystem_manage_nfs_named_pipes_depend',` -type nfs_t; -class dir { getattr search read write add_name remove_name }; -class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + type nfs_t; + + class dir { getattr search read write add_name remove_name }; + class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; ') ######################################## @@ -619,15 +701,17 @@ class fifo_file { create ioctl read getattr lock write setattr append link unlin # filesystem_manage_nfs_named_sockets(domain) # define(`filesystem_manage_nfs_named_sockets',` -requires_block_template(`$0'_depend) -allow $1 nfs_t:dir { getattr search read write add_name remove_name }; -allow $1 nfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + allow $1 nfs_t:dir rw_dir_perms; + allow $1 nfs_t:sock_file create_file_perms; ') define(`filesystem_manage_nfs_named_sockets_depend',` -type nfs_t; -class dir { getattr search read write add_name remove_name }; -class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + type nfs_t; + + class dir rw_dir_perms; + class sock_file create_file_perms; ') ######################################## 
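Review bot: filesystem_manage_nfs_named_pipes_depend was only reindented and still declares the explicit lists `class dir { getattr search read write add_name remove_name };` and `class fifo_file { create ... rename };` while the interface body switched to rw_dir_perms and create_file_perms. If those macros expand to more than the old lists (the patch does not show their definitions), the require block under-declares what the body grants. Suggest `class dir rw_dir_perms;` and `class fifo_file create_file_perms;` as in every other _depend block in this file.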
@@ -635,13 +719,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin # filesystem_mount_nfsd_filesystem(domain) # define(`filesystem_mount_nfsd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfsd_fs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 nfsd_fs_t:filesystem mount; ') define(`filesystem_mount_nfsd_filesystem_depend',` -type nfsd_fs_t; -class filesystem mount; + type nfsd_fs_t; + + class filesystem mount; ') ######################################## @@ -649,13 +735,15 @@ class filesystem mount; # filesystem_remount_nfsd_filesystem(domain) # define(`filesystem_remount_nfsd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfsd_fs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 nfsd_fs_t:filesystem remount; ') define(`filesystem_remount_nfsd_filesystem_depend',` -type nfsd_fs_t; -class filesystem remount; + type nfsd_fs_t; + + class filesystem remount; ') ######################################## @@ -663,13 +751,15 @@ class filesystem remount; # filesystem_unmount_nfsd_filesystem(domain) # define(`filesystem_unmount_nfsd_filesystem',` -requires_block_template(`$0'_depend) -allow $1 nfsd_fs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 nfsd_fs_t:filesystem mount; ') define(`filesystem_unmount_nfsd_filesystem_depend',` -type nfsd_fs_t; -class filesystem unmount; + type nfsd_fs_t; + + class filesystem unmount; ') ######################################## 
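Review bot: filesystem_unmount_nfsd_filesystem grants `mount` on nfsd_fs_t:filesystem while its _depend block requires `unmount`, the same mount/unmount mix-up as in the dos and cd interfaces. Suggest `allow $1 nfsd_fs_t:filesystem unmount;`.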
@@ -677,13 +767,15 @@ class filesystem unmount; # filesystem_get_nfsd_filesystem_attributes(domain) # define(`filesystem_get_nfsd_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 nfsd_fs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 nfsd_fs_t:filesystem getattr; ') define(`filesystem_get_nfsd_filesystem_attributes_depend',` -type nfsd_fs_t; -class filesystem getattr; + type nfsd_fs_t; + + class filesystem getattr; ') ######################################## @@ -691,13 +783,15 @@ class filesystem getattr; # filesystem_mount_ram_filesystem(domain) # define(`filesystem_mount_ram_filesystem',` -requires_block_template(`$0'_depend) -allow $1 ramfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 ramfs_t:filesystem mount; ') define(`filesystem_mount_ram_filesystem_depend',` -type ramfs_t; -class filesystem mount; + type ramfs_t; + + class filesystem mount; ') ######################################## @@ -705,13 +799,15 @@ class filesystem mount; # filesystem_remount_ram_filesystem(domain) # define(`filesystem_remount_ram_filesystem',` -requires_block_template(`$0'_depend) -allow $1 ramfs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 ramfs_t:filesystem remount; ') define(`filesystem_remount_ram_filesystem_depend',` -type ramfs_t; -class filesystem remount; + type ramfs_t; + + class filesystem remount; ') ######################################## @@ -719,13 +815,15 @@ class filesystem remount; # filesystem_unmount_ram_filesystem(domain) # define(`filesystem_unmount_ram_filesystem',` -requires_block_template(`$0'_depend) -allow $1 ramfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 ramfs_t:filesystem mount; ') define(`filesystem_unmount_ram_filesystem_depend',` -type ramfs_t; -class filesystem unmount; + type ramfs_t; + + class filesystem unmount; ') ######################################## 
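Review bot: filesystem_unmount_ram_filesystem grants `allow $1 ramfs_t:filesystem mount;` but declares `class filesystem unmount;` in its _depend block, so callers get mount rather than unmount. Suggest `allow $1 ramfs_t:filesystem unmount;`.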
@@ -733,13 +831,15 @@ class filesystem unmount; # filesystem_get_ram_filesystem_attributes(domain) # define(`filesystem_get_ram_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 ramfs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 ramfs_t:filesystem getattr; ') define(`filesystem_get_ram_filesystem_attributes_depend',` -type ramfs_t; -class filesystem getattr; + type ramfs_t; + + class filesystem getattr; ') ######################################## @@ -747,13 +847,15 @@ class filesystem getattr; # filesystem_mount_rom_filesystem(domain) # define(`filesystem_mount_rom_filesystem',` -requires_block_template(`$0'_depend) -allow $1 romfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 romfs_t:filesystem mount; ') define(`filesystem_mount_rom_filesystem_depend',` -type romfs_t; -class filesystem mount; + type romfs_t; + + class filesystem mount; ') ######################################## @@ -761,13 +863,15 @@ class filesystem mount; # filesystem_remount_rom_filesystem(domain) # define(`filesystem_remount_rom_filesystem',` -requires_block_template(`$0'_depend) -allow $1 romfs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 romfs_t:filesystem remount; ') define(`filesystem_remount_rom_filesystem_depend',` -type romfs_t; -class filesystem remount; + type romfs_t; + + class filesystem remount; ') ######################################## @@ -775,13 +879,15 @@ class filesystem remount; # filesystem_unmount_rom_filesystem(domain) # define(`filesystem_unmount_rom_filesystem',` -requires_block_template(`$0'_depend) -allow $1 romfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 romfs_t:filesystem mount; ') define(`filesystem_unmount_rom_filesystem_depend',` -type romfs_t; -class filesystem unmount; + type romfs_t; + + class filesystem unmount; ') ######################################## 
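Review bot: filesystem_unmount_rom_filesystem grants `mount` on romfs_t:filesystem while its _depend block requires `unmount`; the body should be `allow $1 romfs_t:filesystem unmount;` so the interface grants exactly the permission its name and require block describe.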
@@ -789,13 +895,15 @@ class filesystem unmount; # filesystem_get_rom_filesystem_attributes(domain) # define(`filesystem_get_rom_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 romfs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 romfs_t:filesystem getattr; ') define(`filesystem_get_rom_filesystem_attributes_depend',` -type romfs_t; -class filesystem getattr; + type romfs_t; + + class filesystem getattr; ') ######################################## @@ -803,13 +911,15 @@ class filesystem getattr; # filesystem_mount_rpc_pipefs_filesystem(domain) # define(`filesystem_mount_rpc_pipefs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 rpc_pipefs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 rpc_pipefs_t:filesystem mount; ') define(`filesystem_mount_rpc_pipefs_filesystem_depend',` -type rpc_pipefs_t; -class filesystem mount; + type rpc_pipefs_t; + + class filesystem mount; ') ######################################## @@ -817,13 +927,15 @@ class filesystem mount; # filesystem_remount_rpc_pipefs_filesystem(domain) # define(`filesystem_remount_rpc_pipefs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 rpc_pipefs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 rpc_pipefs_t:filesystem remount; ') define(`filesystem_remount_rpc_pipefs_filesystem_depend',` -type rpc_pipefs_t; -class filesystem remount; + type rpc_pipefs_t; + + class filesystem remount; ') ######################################## 
@@ -831,13 +943,15 @@ class filesystem remount; # filesystem_unmount_rpc_pipefs_filesystem(domain) # define(`filesystem_unmount_rpc_pipefs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 rpc_pipefs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 rpc_pipefs_t:filesystem mount; ') define(`filesystem_unmount_rpc_pipefs_filesystem_depend',` -type rpc_pipefs_t; -class filesystem unmount; + type rpc_pipefs_t; + + class filesystem unmount; ') ######################################## @@ -845,13 +959,15 @@ class filesystem unmount; # filesystem_get_rpc_pipefs_filesystem_attributes(domain) # define(`filesystem_get_rpc_pipefs_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 rpc_pipefs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 rpc_pipefs_t:filesystem getattr; ') define(`filesystem_get_rpc_pipefs_filesystem_attributes_depend',` -type rpc_pipefs_t; -class filesystem getattr; + type rpc_pipefs_t; + + class filesystem getattr; ') ######################################## @@ -859,13 +975,15 @@ class filesystem getattr; # filesystem_mount_tmpfs_filesystem(domain) # define(`filesystem_mount_tmpfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:filesystem mount; ') define(`filesystem_mount_tmpfs_filesystem_depend',` -type tmpfs_t; -class filesystem mount; + type tmpfs_t; + + class filesystem mount; ') ######################################## 
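Review bot: filesystem_unmount_rpc_pipefs_filesystem grants `allow $1 rpc_pipefs_t:filesystem mount;` against a _depend block that declares `class filesystem unmount;`. Suggest `allow $1 rpc_pipefs_t:filesystem unmount;`.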
@@ -873,13 +991,15 @@ class filesystem mount; # filesystem_remount_tmpfs_filesystem(domain) # define(`filesystem_remount_tmpfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:filesystem remount; ') define(`filesystem_remount_tmpfs_filesystem_depend',` -type tmpfs_t; -class filesystem remount; + type tmpfs_t; + + class filesystem remount; ') ######################################## @@ -887,13 +1007,15 @@ class filesystem remount; # filesystem_unmount_tmpfs_filesystem(domain) # define(`filesystem_unmount_tmpfs_filesystem',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:filesystem mount; ') define(`filesystem_unmount_tmpfs_filesystem_depend',` -type tmpfs_t; -class filesystem unmount; + type tmpfs_t; + + class filesystem unmount; ') ######################################## @@ -901,13 +1023,15 @@ class filesystem unmount; # filesystem_get_tmpfs_filesystem_attributes(domain) # define(`filesystem_get_tmpfs_filesystem_attributes',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:filesystem getattr; ') define(`filesystem_get_tmpfs_filesystem_attributes_depend',` -type tmpfs_t; -class filesystem getattr; + type tmpfs_t; + + class filesystem getattr; ') ######################################## @@ -922,13 +1046,15 @@ class filesystem getattr; ## # define(`filesystem_tmpfs_associate',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:filesystem associate; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:filesystem associate; ') define(`filesystem_tmpfs_associate_depend',` -type tmpfs_t; -class filesystem associate; + type tmpfs_t; + + class filesystem associate; ') ######################################## 
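Review bot: filesystem_unmount_tmpfs_filesystem grants `mount` on tmpfs_t:filesystem while its _depend block declares `unmount`, so a domain that should only be able to tear down a tmpfs is instead allowed to mount one. Suggest `allow $1 tmpfs_t:filesystem unmount;`.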
@@ -936,20 +1062,23 @@ class filesystem associate; # filesystem_create_private_tmpfs_data(domain,derivedtype,[class]) # define(`filesystem_create_private_tmpfs_data',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read write add_name }; -ifelse(`$3',`',` -type_transition $1 tmpfs_t:file $2; -',` -type_transition $1 tmpfs_t:$3 $2; -') -allow $2 tmpfs_t:filesystem associate; + requires_block_template(`$0'_depend) + + allow $2 tmpfs_t:filesystem associate; + allow $1 tmpfs_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 tmpfs_t:file $2; + ',` + type_transition $1 tmpfs_t:$3 $2; + ') ') define(`filesystem_create_private_tmpfs_data_depend',` -type tmpfs_t; -class dir { getattr search read write add_name }; -class filesystem associate; + type tmpfs_t; + + class filesystem associate; + class dir rw_dir_perms; ') ######################################## @@ -964,15 +1093,17 @@ class filesystem associate; ## # define(`filesystem_use_tmpfs_character_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read }; -allow $1 tmpfs_t:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir r_dir_perms; + allow $1 tmpfs_t:chr_file rw_file_perms; ') define(`filesystem_use_tmpfs_character_devices_depend',` -type tmpfs_t; -class dir { getattr search read }; -class chr_file { getattr read write ioctl }; + type tmpfs_t; + + class dir r_dir_perms; + class chr_file rw_file_perms; ') ######################################## 
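Review bot: filesystem_create_private_tmpfs_data widens the dir access from the deliberate `{ getattr search read write add_name }` to `allow $1 tmpfs_t:dir rw_dir_perms;`; in the rest of this patch rw_dir_perms stands in for lists that include remove_name, so every caller of this interface presumably gains the ability to unlink entries from tmpfs_t directories, not just create its own. If that widening is intended it should be called out in the interface comment, otherwise keep the explicit list or a read/add-only set. The _depend block changes in step, so it would need the same adjustment.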
@@ -987,15 +1118,17 @@ class chr_file { getattr read write ioctl }; ## # define(`filesystem_relabel_tmpfs_character_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read }; -allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir r_dir_perms; + allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; ') define(`filesystem_relabel_tmpfs_character_devices_depend',` -type tmpfs_t; -class dir { getattr search read }; -class chr_file { getattr relabelfrom relabelto }; + type tmpfs_t; + + class dir r_dir_perms; + class chr_file { getattr relabelfrom relabelto }; ') ######################################## @@ -1010,15 +1143,17 @@ class chr_file { getattr relabelfrom relabelto }; ## # define(`filesystem_use_tmpfs_block_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read }; -allow $1 tmpfs_t:blk_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir r_dir_perms; + allow $1 tmpfs_t:blk_file rw_file_perms; ') define(`filesystem_use_tmpfs_block_devices_depend',` -type tmpfs_t; -class dir { getattr search read }; -class blk_file { getattr read write ioctl }; + type tmpfs_t; + + class dir r_dir_perms; + class blk_file rw_file_perms; ') ######################################## 
@@ -1033,15 +1168,17 @@ class blk_file { getattr read write ioctl }; ## # define(`filesystem_relabel_tmpfs_block_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read }; -allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir r_dir_perms; + allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; ') define(`filesystem_use_tmpfs_block_devices_depend',` -type tmpfs_t; -class dir { getattr search read }; -class blk_file { getattr relabelfrom relabelto }; + type tmpfs_t; + + class dir r_dir_perms; + class blk_file { getattr relabelfrom relabelto }; ') ######################################## @@ -1057,15 +1194,17 @@ class blk_file { getattr relabelfrom relabelto }; ## # define(`filesystem_manage_tmpfs_character_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read write add_name remove_name }; -allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir rw_dir_perms; + allow $1 tmpfs_t:chr_file create_file_perms; ') -define(`filesystem_mange_tmpfs_character_devices_depend',` -type tmpfs_t; -class dir { getattr search read write add_name remove_name }; -class chr_file { getattr read write ioctl create unlink setattr }; +define(`filesystem_manage_tmpfs_character_devices_depend',` + type tmpfs_t; + + class dir rw_dir_perms; + class chr_file create_file_perms; ') ######################################## 
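Review bot: The _depend block under filesystem_relabel_tmpfs_block_devices is still named `filesystem_use_tmpfs_block_devices_depend`, so with m4's last-define-wins semantics it replaces the real one from the previous hunk: filesystem_use_tmpfs_block_devices would then require `class blk_file { getattr relabelfrom relabelto }` instead of rw_file_perms, and filesystem_relabel_tmpfs_block_devices_depend is never defined, so `requires_block_template(`$0'_depend)` in the relabel interface expands to an undefined macro. The commit fixes the analogous `mange` typo in the next hunk but leaves this one. Suggest `define(`filesystem_relabel_tmpfs_block_devices_depend',`` for this block.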
@@ -1081,15 +1220,17 @@ class chr_file { getattr read write ioctl create unlink setattr }; ## # define(`filesystem_manage_tmpfs_block_devices',` -requires_block_template(`$0'_depend) -allow $1 tmpfs_t:dir { getattr search read write add_name remove_name }; -allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr }; + requires_block_template(`$0'_depend) + + allow $1 tmpfs_t:dir rw_dir_perms; + allow $1 tmpfs_t:blk_file create_file_perms; ') define(`filesystem_manage_tmpfs_block_devices_depend',` -type tmpfs_t; -class dir { getattr search read write add_name remove_name }; -class blk_file { getattr read write ioctl create unlink setattr }; + type tmpfs_t; + + class dir rw_dir_perms; + class blk_file create_file_perms; ') ######################################## @@ -1097,13 +1238,15 @@ class blk_file { getattr read write ioctl create unlink setattr }; # filesystem_mount_all_filesystems(type) # define(`filesystem_mount_all_filesystems',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem mount; ') define(`filesystem_mount_all_filesystems_depend',` -attribute fs_type; -class filesystem mount; + attribute fs_type; + + class filesystem mount; ') ######################################## @@ -1111,13 +1254,15 @@ class filesystem mount; # filesystem_remount_all_filesystems(type) # define(`filesystem_remount_all_filesystems',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem remount; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem remount; ') define(`filesystem_remount_all_filesystems_depend',` -attribute fs_type; -class filesystem remount; + attribute fs_type; + + class filesystem remount; ') ######################################## 
@@ -1125,13 +1270,15 @@ class filesystem remount; # filesystem_unmount_all_filesystems(type) # define(`filesystem_unmount_all_filesystems',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem unmount; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem unmount; ') define(`filesystem_mount_all_filesystems_depend',` -attribute fs_type; -class filesystem unmount; + attribute fs_type; + + class filesystem unmount; ') ######################################## @@ -1139,13 +1286,15 @@ class filesystem unmount; # filesystem_get_all_filesystems_attributes(type) # define(`filesystem_get_all_filesystems_attributes',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem getattr; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem getattr; ') define(`filesystem_get_all_filesystems_attributes_depend',` -attribute fs_type; -class filesystem getattr; + attribute fs_type; + + class filesystem getattr; ') ######################################## @@ -1153,13 +1302,15 @@ class filesystem getattr; # filesystem_get_all_filesystems_quotas(type) # define(`filesystem_get_all_filesystems_quotas',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem quotaget; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem quotaget; ') define(`filesystem_get_all_filesystems_quotas_depend',` -attribute fs_type; -class filesystem quotaget; + attribute fs_type; + + class filesystem quotaget; ') ######################################## 
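Review bot: The _depend block of filesystem_unmount_all_filesystems is named `filesystem_mount_all_filesystems_depend`, duplicating the name defined in the previous hunk; since m4 keeps the last definition, filesystem_mount_all_filesystems will now require `class filesystem unmount` while granting mount, and filesystem_unmount_all_filesystems_depend does not exist for its own requires_block_template. Suggest `define(`filesystem_unmount_all_filesystems_depend',``.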
@@ -1167,13 +1318,15 @@ class filesystem quotaget; # filesystem_set_all_filesystems_quotas(type) # define(`filesystem_set_all_filesystems_quotas',` -requires_block_template(`$0'_depend) -allow $1 fs_type:filesystem quotamod; + requires_block_template(`$0'_depend) + + allow $1 fs_type:filesystem quotamod; ') define(`filesystem_set_all_filesystems_quotas_depend',` -attribute fs_type; -class filesystem quotamod; + attribute fs_type; + + class filesystem quotamod; ') ######################################## @@ -1181,21 +1334,23 @@ class filesystem quotamod; # filesystem_get_all_file_attributes(type) # define(`filesystem_get_all_file_attributes',` -requires_block_template(`$0'_depend) -allow $1 fs_type:dir { search getattr }; -allow $1 fs_type:file getattr; -allow $1 fs_type:lnk_file getattr; -allow $1 fs_type:fifo_file getattr; -allow $1 fs_type:sock_file getattr; + requires_block_template(`$0'_depend) + + allow $1 fs_type:dir { search getattr }; + allow $1 fs_type:file getattr; + allow $1 fs_type:lnk_file getattr; + allow $1 fs_type:fifo_file getattr; + allow $1 fs_type:sock_file getattr; ') define(`filesystem_get_all_file_attributes_depend',` -attribute fs_type; -class dir { search getattr }; -class file getattr; -class lnk_file getattr; -class fifo_file getattr; -class sock_file getattr; + attribute fs_type; + + class dir { search getattr }; + class file getattr; + class lnk_file getattr; + class fifo_file getattr; + class sock_file getattr; ') ## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 476ed6e..a9050a2 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if 
@@ -9,24 +9,27 @@ # kernel_make_userland_entrypoint(domain,entrypoint) # define(`kernel_make_userland_entrypoint',` -requires_block_template(`$0'_depend) -allow kernel_t $2:file { getattr read execute }; -allow kernel_t $1:process transition; -allow $1 kernel_t:fd use; -type_transition kernel_t $2:process $1; -dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; -allow $1 kernel_t:fd use; -allow kernel_t $1:fd use; -allow kernel_t $1:fifo_file rw_file_perms; -allow $1 kernel_t:process sigchld; + requires_block_template(`$0'_depend) + + allow kernel_t $2:file { getattr read execute }; + allow kernel_t $1:process transition; + allow $1 kernel_t:fd use; + type_transition kernel_t $2:process $1; + dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; + + allow $1 kernel_t:fd use; + allow kernel_t $1:fd use; + allow kernel_t $1:fifo_file rw_file_perms; + allow $1 kernel_t:process sigchld; ') define(`kernel_make_userland_entrypoint_depend',` -type kernel_t; -class process { transition noatsecure siginh rlimitinh sigchld }; -class file { getattr read execute }; -class fifo_file rw_file_perms; -class fd use; + type kernel_t; + + class process { transition noatsecure siginh rlimitinh sigchld }; + class file { getattr read execute }; + class fifo_file rw_file_perms; + class fd use; ') ######################################## @@ -34,13 +37,15 @@ class fd use; # kernel_share_state(domain) # define(`kernel_share_state',` -requires_block_template(`$0'_depend) -allow kernel_t $1:process share; + requires_block_template(`$0'_depend) + + allow kernel_t $1:process share; ') define(`kernel_share_state_depend',` -type kernel_t; -class process share; + type kernel_t; + + class process share; ') ######################################## 
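Review bot: `kernel_make_userland_entrypoint` grants `allow $1 kernel_t:fd use;` twice, once right after the `process transition` rule and again in the fd/fifo/sigchld group below the `dontaudit`; the duplicate is harmless to the compiled policy but makes the interface look as though two distinct permissions are being granted. Drop the first occurrence so the transition rules (`file` execute, `process transition`, `type_transition`, `dontaudit`) and the descriptor-sharing rules stay in their own groups as the new blank line intends.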
@@ -48,13 +53,15 @@ class process share; # kernel_use_file_descriptors(domain) # define(`kernel_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 kernel_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 kernel_t:fd use; ') define(`kernel_use_file_descriptors_depend',` -type kernel_t; -class fd use; + type kernel_t; + + class fd use; ') ######################################## @@ -62,13 +69,15 @@ class fd use; # kernel_ignore_use_file_descriptors(domain) # define(`kernel_ignore_use_file_descriptors',` -requires_block_template(`$0'_depend) -dontaudit $1 kernel_t:fd use; + requires_block_template(`$0'_depend) + + dontaudit $1 kernel_t:fd use; ') define(`kernel_ignore_use_file_descriptors_depend',` -type kernel_t; -class fd use; + type kernel_t; + + class fd use; ') ######################################## @@ -76,13 +85,15 @@ class fd use; # kernel_make_root_filesystem_mountpoint(domain) # define(`kernel_make_root_filesystem_mountpoint',` -requires_block_template(`$0'_depend) -allow kernel_t $1:dir mounton; + requires_block_template(`$0'_depend) + + allow kernel_t $1:dir mounton; ') define(`kernel_make_root_filesystem_mountpoint_depend',` -type kernel_t; -class dir mounton; + type kernel_t; + + class dir mounton; ') ######################################## @@ -90,12 +101,13 @@ class dir mounton; # kernel_make_process_identity_change_constraint_exception(domain) # define(`kernel_make_process_identity_change_constraint_exception',` -requires_block_template(`$0'_depend) -typeattribute $1 can_change_process_identity; + requires_block_template(`$0'_depend) + + typeattribute $1 can_change_process_identity; ') define(`kernel_make_process_identity_change_constraint_exception_depend',` -attribute can_change_process_identity; + attribute can_change_process_identity; ') ######################################## 
@@ -103,12 +115,13 @@ attribute can_change_process_identity; # kernel_make_role_change_constraint_exception(domain) # define(`kernel_make_role_change_constraint_exception',` -requires_block_template(`$0'_depend) -typeattribute $1 can_change_process_role; + requires_block_template(`$0'_depend) + + typeattribute $1 can_change_process_role; ') define(`kernel_make_role_change_constraint_exception_depend',` -attribute can_change_process_role; + attribute can_change_process_role; ') ######################################## @@ -116,12 +129,13 @@ attribute can_change_process_role; # kernel_make_object_identity_change_constraint_exception(domain) # define(`kernel_make_object_identity_change_constraint_exception',` -requires_block_template(`$0'_depend) -typeattribute $1 can_change_object_identity; + requires_block_template(`$0'_depend) + + typeattribute $1 can_change_object_identity; ') define(`kernel_make_object_identity_change_constraint_exception_depend',` -attribute can_change_object_identity; + attribute can_change_object_identity; ') ######################################## @@ -129,14 +143,16 @@ attribute can_change_object_identity; # kernel_load_module(domain) # define(`kernel_load_module',` -requires_block_template(`$0'_depend) -allow $1 self:capability sys_module; -typeattribute $1 can_load_kernmodule; + requires_block_template(`$0'_depend) + + allow $1 self:capability sys_module; + typeattribute $1 can_load_kernmodule; ') define(`kernel_load_module_depend',` -attribute can_load_kernmodule; -class capability sys_module; + attribute can_load_kernmodule; + + class capability sys_module; ') ######################################## 
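Review bot: `kernel_load_module` grants `self:capability sys_module` without an `auditallow`, whereas the setenforce, load_policy and setsecparam interfaces further down this file pair each policy-affecting grant with an `auditallow` so its use shows up in the audit log. Loading a kernel module is at least as security-relevant as flipping enforcing mode, since it can bypass the policy entirely; if the intent of those `auditallow` rules is to log every such grant, this interface should get `auditallow $1 self:capability sys_module;` as well. This may be a deliberate omission, in which case a short comment in the interface header saying so would stop the next reader from asking the same question.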
@@ -144,15 +160,17 @@ class capability sys_module; # kernel_get_selinux_enforcement_mode(domain) # define(`kernel_get_selinux_enforcement_mode',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read }; ') define(`kernel_get_selinux_enforcement_mode_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read }; + type security_t; + + class dir { read search getattr }; + class file { getattr read }; ') ######################################## @@ -160,20 +178,23 @@ class file { getattr read }; # kernel_set_selinux_enforcement_mode(domain) # define(`kernel_set_selinux_enforcement_mode',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security setenforce; -auditallow $1 security_t:security setenforce; -typeattribute $1 can_setenforce; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security setenforce; + auditallow $1 security_t:security setenforce; + typeattribute $1 can_setenforce; ') define(`kernel_set_selinux_enforcement_mode_depend',` -type security_t; -attribute can_setenforce; -class dir { read search getattr }; -class file { getattr read write }; -class security setenforce; + type security_t; + + attribute can_setenforce; + + class dir { read search getattr }; + class file { getattr read write }; + class security setenforce; ') ######################################## 
@@ -181,20 +202,23 @@ class security setenforce; # kernel_load_selinux_policy(domain) # define(`kernel_load_selinux_policy',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security load_policy; -auditallow $1 security_t:security load_policy; -typeattribute $1 can_load_policy; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security load_policy; + auditallow $1 security_t:security load_policy; + typeattribute $1 can_load_policy; ') define(`kernel_load_selinux_policy_depend',` -type security_t; -attribute can_load_policy; -class dir { read search getattr }; -class file { getattr read write }; -class security load_policy; + type security_t; + + attribute can_load_policy; + + class dir { read search getattr }; + class file { getattr read write }; + class security load_policy; ') ######################################## 
@@ -202,24 +226,27 @@ class security load_policy; # kernel_set_selinux_boolean(domain,[booltype]) # define(`kernel_set_selinux_boolean',` -requires_block_template(`$0'_depend) -ifelse(`$2',`',` -allow $1 security_t:dir { getattr search read }; -allow $1 security_t:file { getattr read write }; -',` -allow $1 $2:dir { getattr search read }; -allow $1 $2:file { getattr read write }; -') -allow $1 security_t:dir search; -allow $1 security_t:security setbool; -auditallow $1 security_t:security setbool; + requires_block_template(`$0'_depend) + + ifelse(`$2',`',` + allow $1 security_t:dir { getattr search read }; + allow $1 security_t:file { getattr read write }; + ',` + allow $1 $2:dir { getattr search read }; + allow $1 $2:file { getattr read write }; + ') + + allow $1 security_t:dir search; + allow $1 security_t:security setbool; + auditallow $1 security_t:security setbool; ') define(`kernel_set_selinux_boolean_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security setbool; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security setbool; ') ######################################## 
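Review bot: The two-argument form of `kernel_set_selinux_boolean` emits `allow $1 $2:dir` and `allow $1 $2:file` rules, but `kernel_set_selinux_boolean_depend` can only declare `security_t`, so a module that passes a boolean type must itself require that type or the policy will fail to link; nothing in the interface header says so. Add a line under `# kernel_set_selinux_boolean(domain,[booltype])` such as `# booltype, when given, must be declared in the caller's require block`. Also, in the empty-`$2` branch the trailing `allow $1 security_t:dir search;` merely repeats the `{ getattr search read }` grant above it and could be moved into the else branch where it is actually needed.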
@@ -227,20 +254,23 @@ class security setbool; # kernel_set_selinux_security_parameters(domain) # define(`kernel_set_selinux_security_parameters',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security setsecparam; -auditallow $1 security_t:security setsecparam; -typeattribute $1 can_setsecparam; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security setsecparam; + auditallow $1 security_t:security setsecparam; + typeattribute $1 can_setsecparam; ') define(`kernel_set_selinux_security_parameters_depend',` -type security_t; -attribute can_setsecparam; -class dir { read search getattr }; -class file { getattr read write }; -class security setsecparam; + type security_t; + + attribute can_setsecparam; + + class dir { read search getattr }; + class file { getattr read write }; + class security setsecparam; ') ######################################## @@ -248,17 +278,19 @@ class security setsecparam; # kernel_validate_selinux_context(domain) # define(`kernel_validate_selinux_context',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security check_context; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security check_context; ') define(`kernel_validate_selinux_context_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security check_context; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security check_context; ') ######################################## 
@@ -266,17 +298,19 @@ class security check_context; # kernel_compute_selinux_access_vector(domain) # define(`kernel_compute_selinux_access_vector',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security compute_av; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security compute_av; ') define(`kernel_compute_selinux_access_vector_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security compute_av; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security compute_av; ') ######################################## @@ -284,17 +318,19 @@ class security compute_av; # kernel_compute_selinux_create_context(domain) # define(`kernel_compute_selinux_create_context',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security compute_create; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security compute_create; ') define(`kernel_compute_selinux_create_context_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security compute_create; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security compute_create; ') ######################################## 
@@ -302,17 +338,19 @@ class security compute_create; # kernel_compute_selinux_relabel_context(domain) # define(`kernel_compute_selinux_relabel_context',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security compute_relabel; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security compute_relabel; ') define(`kernel_compute_selinux_relabel_context_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security compute_relabel; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security compute_relabel; ') ######################################## @@ -320,17 +358,19 @@ class security compute_relabel; # kernel_compute_selinux_reachable_user_contexts(domain) # define(`kernel_compute_selinux_reachable_user_contexts',` -requires_block_template(`$0'_depend) -allow $1 security_t:dir { read search getattr }; -allow $1 security_t:file { getattr read write }; -allow $1 security_t:security compute_user; + requires_block_template(`$0'_depend) + + allow $1 security_t:dir { read search getattr }; + allow $1 security_t:file { getattr read write }; + allow $1 security_t:security compute_user; ') define(`kernel_compute_selinux_reachable_user_contexts_depend',` -type security_t; -class dir { read search getattr }; -class file { getattr read write }; -class security compute_user; + type security_t; + + class dir { read search getattr }; + class file { getattr read write }; + class security compute_user; ') ######################################## 
@@ -338,13 +378,15 @@ class security compute_user; # kernel_read_ring_buffer(domain) # define(`kernel_read_ring_buffer',` -requires_block_template(`$0'_depend) -allow $1 kernel_t:system syslog_read; + requires_block_template(`$0'_depend) + + allow $1 kernel_t:system syslog_read; ') define(`kernel_read_ring_buffer_depend',` -type kernel_t; -class system syslog_read; + type kernel_t; + + class system syslog_read; ') ######################################## @@ -352,13 +394,15 @@ class system syslog_read; # kernel_ignore_read_ring_buffer(domain) # define(`kernel_ignore_read_ring_buffer',` -requires_block_template(`$0'_depend) -dontaudit $1 kernel_t:system syslog_read; + requires_block_template(`$0'_depend) + + dontaudit $1 kernel_t:system syslog_read; ') define(`kernel_ignore_read_ring_buffer_depend',` -type kernel_t; -class system syslog_read; + type kernel_t; + + class system syslog_read; ') ######################################## @@ -366,13 +410,15 @@ class system syslog_read; # kernel_change_ring_buffer_level(domain) # define(`kernel_change_ring_buffer_level',` -requires_block_template(`$0'_depend) -allow $1 kernel_t:system syslog_console; + requires_block_template(`$0'_depend) + + allow $1 kernel_t:system syslog_console; ') define(`kernel_change_ring_buffer_level_depend',` -type kernel_t; -class system syslog_console; + type kernel_t; + + class system syslog_console; ') ######################################## @@ -380,13 +426,15 @@ class system syslog_console; # kernel_clear_ring_buffer(domain) # define(`kernel_clear_ring_buffer',` -requires_block_template(`$0'_depend) -allow $1 kernel_t:system syslog_mod; + requires_block_template(`$0'_depend) + + allow $1 kernel_t:system syslog_mod; ') define(`kernel_clear_ring_buffer_depend',` -type kernel_t; -class system syslog_mod; + type kernel_t; + + class system syslog_mod; ') ######################################## 
@@ -394,13 +442,15 @@ class system syslog_mod; # kernel_get_sysvipc_info(domain) # define(`kernel_get_sysvipc_info',` -requires_block_template(`$0'_depend) -allow $1 kernel_t:system ipc_info; + requires_block_template(`$0'_depend) + + allow $1 kernel_t:system ipc_info; ') define(`kernel_get_sysvipc_info_depend',` -type kernel_t; -class system ipc_info; + type kernel_t; + + class system ipc_info; ') ######################################## @@ -408,18 +458,20 @@ class system ipc_info; # kernel_get_selinuxfs_mount_point(domain) # define(`kernel_get_selinuxfs_mount_point',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 proc_t:{ file lnk_file } read; -allow $1 self:dir search; -allow $1 self:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 proc_t:{ file lnk_file } read; + allow $1 self:dir search; + allow $1 self:file { getattr read }; ') define(`kernel_get_selinuxfs_mount_point_depend',` -type proc_t; -class dir search; -class lnk_file read; -class file { getattr read }; + type proc_t; + + class dir search; + class lnk_file read; + class file { getattr read }; ') ######################################## @@ -427,17 +479,19 @@ class file { getattr read }; # kernel_read_system_state(domain) # define(`kernel_read_system_state',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir r_dir_perms; -allow $1 proc_t:lnk_file { getattr read }; -allow $1 proc_t:file r_file_perms; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir r_dir_perms; + allow $1 proc_t:lnk_file { getattr read }; + allow $1 proc_t:file r_file_perms; ') define(`kernel_read_system_state_depend',` -type proc_t; -class dir r_dir_perms; -class lnk_file { getattr read }; -class file r_file_perms; + type proc_t; + + class dir r_dir_perms; + class lnk_file { getattr read }; + class file r_file_perms; ') ######################################## 
@@ -445,13 +499,15 @@ class file r_file_perms; # kernel_ignore_read_system_state(domain) # define(`kernel_ignore_read_system_state',` -requires_block_template(`$0'_depend) -allow $1 proc_t:file read; + requires_block_template(`$0'_depend) + + allow $1 proc_t:file read; ') define(`kernel_ignore_read_system_state_depend',` -type proc_t; -class file read; + type proc_t; + + class file read; ') ####################################### @@ -459,15 +515,17 @@ class file read; # kernel_read_software_raid_state(domain) # define(`kernel_read_software_raid_state',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir { getattr search read }; -allow $1 proc_mdstat_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir { getattr search read }; + allow $1 proc_mdstat_t:file { getattr read }; ') define(`kernel_read_software_raid_state_depend',` -type proc_t, proc_mdstat_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, proc_mdstat_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## @@ -475,15 +533,17 @@ class file { getattr read }; # kernel_get_core_interface_attributes(domain) # define(`kernel_get_core_interface_attributes',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir { getattr search read }; -allow $1 proc_kcore_t:file getattr; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir { getattr search read }; + allow $1 proc_kcore_t:file getattr; ') define(`kernel_get_core_interface_attributes_depend',` -type proc_t, proc_kcore_t; -class dir { search getattr read }; -class file getattr; + type proc_t, proc_kcore_t; + + class dir { search getattr read }; + class file getattr; ') ######################################## 
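Review bot: `kernel_ignore_read_system_state` uses `allow $1 proc_t:file read;`, so a caller that intends only to silence noisy denials actually receives read access to every `proc_t` file; every other `kernel_ignore_*` interface in this file (`kernel_ignore_use_file_descriptors`, `kernel_ignore_read_ring_buffer`, `kernel_ignore_get_core_interface_attributes`, `kernel_ignore_search_sysctl_dir`) uses `dontaudit`. The reindent preserved the grant unchanged. Change the rule to `dontaudit $1 proc_t:file read;`; the depend block already declares only `class file read`, which is consistent with a dontaudit.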
@@ -491,13 +551,15 @@ class file getattr; # kernel_ignore_get_core_interface_attributes(domain) # define(`kernel_ignore_get_core_interface_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 proc_kcore_t:file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 proc_kcore_t:file getattr; ') define(`kernel_ignore_get_core_interface_attributes_depend',` -type proc_kcore_t; -class file getattr; + type proc_kcore_t; + + class file getattr; ') ######################################## @@ -505,17 +567,20 @@ class file getattr; # kernel_read_messages(domain) # define(`kernel_read_messages',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 proc_kmsg_t:file { getattr read }; -typeattribute $1 can_receive_kernel_messages; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 proc_kmsg_t:file { getattr read }; + typeattribute $1 can_receive_kernel_messages; ') define(`kernel_read_messages_depend',` -attribute can_receive_kernel_messages; -type proc_kmsg_t, proc_t; -class dir search; -class file { getattr read }; + attribute can_receive_kernel_messages; + + type proc_kmsg_t, proc_t; + + class dir search; + class file { getattr read }; ') ######################################## @@ -523,15 +588,17 @@ class file { getattr read }; # kernel_get_message_interface_attributes(domain) # define(`kernel_get_message_interface_attributes',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 proc_kmsg_t:file getattr; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 proc_kmsg_t:file getattr; ') define(`kernel_get_message_interface_attributes_depend',` -type proc_kmsg_t, proc_t; -class dir search; -class file getattr; + type proc_kmsg_t, proc_t; + + class dir search; + class file getattr; ') ######################################## 
@@ -539,13 +606,15 @@ class file getattr; # kernel_ignore_get_message_interface_attributes(domain) # define(`kernel_ignore_get_message_interface_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 proc_kmsg_t:file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 proc_kmsg_t:file getattr; ') define(`kernel_ignore_get_message_interface_attributes_depend',` -type proc_kmsg_t, proc_t; -class file getattr; + type proc_kmsg_t, proc_t; + + class file getattr; ') ######################################## @@ -553,16 +622,18 @@ class file getattr; # kernel_read_network_state(domain) # define(`kernel_read_network_state',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 proc_net_t:dir { getattr search read }; -allow $1 proc_net_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 proc_net_t:dir { getattr search read }; + allow $1 proc_net_t:file { getattr read }; ') define(`kernel_read_network_state_depend',` -type proc_t, proc_net_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, proc_net_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## @@ -570,13 +641,15 @@ class file { getattr read }; # kernel_ignore_search_sysctl_dir(domain) # define(`kernel_ignore_search_sysctl_dir',` -requires_block_template(`$0'_depend) -dontaudit $1 sysctl_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 sysctl_t:dir search; ') define(`kernel_ignore_search_sysctl_dir_depend',` -type sysctl_t; -class dir search; + type sysctl_t; + + class dir search; ') ######################################## 
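Review bot: `kernel_ignore_get_message_interface_attributes_depend` requires `type proc_kmsg_t, proc_t;` although the interface body only references `proc_kmsg_t`; the `proc_t` entry looks copied from `kernel_get_message_interface_attributes`, which does search `proc_t:dir`. Tighten it to `type proc_kmsg_t;` so the requires block lists exactly what the dontaudit rule needs.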
@@ -584,17 +657,19 @@ class dir search; # kernel_read_device_sysctl(domain) # define(`kernel_read_device_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_dev_t:dir { getattr search read }; -allow $1 sysctl_dev_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_dev_t:dir { getattr search read }; + allow $1 sysctl_dev_t:file { getattr read }; ') define(`kernel_read_device_sysctl_depend',` -type proc_t, sysctl_t, sysctl_dev_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, sysctl_t, sysctl_dev_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## @@ -602,16 +677,18 @@ class file { getattr read }; # kernel_modify_device_sysctl(domain) # define(`kernel_modify_device_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_dev_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_dev_t:file { getattr read write }; ') define(`kernel_modify_device_sysctl_depend',` -type proc_t, sysctl_t, sysctl_dev_t; -class dir { search getattr read }; -class file { getattr read write }; + type proc_t, sysctl_t, sysctl_dev_t; + + class dir { search getattr read }; + class file { getattr read write }; ') ######################################## 
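Review bot: `kernel_modify_device_sysctl` omits the `allow $1 sysctl_dev_t:dir { getattr search read };` rule that its read counterpart `kernel_read_device_sysctl` grants in the hunk just above, so if the device sysctl directory itself carries the `sysctl_dev_t` label a domain given only the modify interface cannot traverse into it to reach the files it is allowed to write. The other read/modify pairs in this file (network, unix) grant the same directory permissions on both sides. Add the missing dir rule to the modify interface; its depend block already declares `class dir { search getattr read }`.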
@@ -619,16 +696,18 @@ class file { getattr read write }; # kernel_read_virtual_memory_sysctl(domain) # define(`kernel_read_virtual_memory_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_vm_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_vm_t:file { getattr read }; ') define(`kernel_read_virtual_memory_sysctl_depend',` -type proc_t, sysctl_t, sysctl_vm_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, sysctl_t, sysctl_vm_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## @@ -636,16 +715,18 @@ class file { getattr read }; # kernel_modify_virtual_memory_sysctl(domain) # define(`kernel_modify_virtual_memory_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_vm_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_vm_t:file { getattr read write }; ') define(`kernel_modify_virtual_memory_sysctl_depend',` -type proc_t, sysctl_t, sysctl_vm_t; -class dir { search getattr read }; -class file { getattr read write }; + type proc_t, sysctl_t, sysctl_vm_t; + + class dir { search getattr read }; + class file { getattr read write }; ') ######################################## 
@@ -653,13 +734,15 @@ class file { getattr read write }; # kernel_ignore_search_network_sysctl_dir(domain) # define(`kernel_ignore_search_network_sysctl_dir',` -requires_block_template(`$0'_depend) -dontaudit $1 sysctl_net_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 sysctl_net_t:dir search; ') define(`kernel_ignore_search_network_sysctl_dir_depend',` -type sysctl_net_t; -class dir search; + type sysctl_net_t; + + class dir search; ') ######################################## @@ -667,17 +750,19 @@ class dir search; # kernel_read_network_sysctl(domain) # define(`kernel_read_network_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_net_t:dir { getattr search read }; -allow $1 sysctl_net_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_net_t:dir { getattr search read }; + allow $1 sysctl_net_t:file { getattr read }; ') define(`kernel_read_network_sysctl_depend',` -type proc_t, sysctl_t, sysctl_net_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, sysctl_t, sysctl_net_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## 
@@ -685,17 +770,19 @@ class file { getattr read }; # kernel_modify_network_sysctl(domain) # define(`kernel_modify_network_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_net_t:dir { getattr search read }; -allow $1 sysctl_net_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_net_t:dir { getattr search read }; + allow $1 sysctl_net_t:file { getattr read write }; ') define(`kernel_modify_network_sysctl_depend',` -type proc_t, sysctl_t, sysctl_net_t; -class dir { search getattr read }; -class file { getattr read write }; + type proc_t, sysctl_t, sysctl_net_t; + + class dir { search getattr read }; + class file { getattr read write }; ') ######################################## @@ -703,17 +790,19 @@ class file { getattr read write }; # kernel_read_unix_sysctl(domain) # define(`kernel_read_unix_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_net_t:dir { getattr search read }; -allow $1 sysctl_net_unix_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_net_t:dir { getattr search read }; + allow $1 sysctl_net_unix_t:file { getattr read }; ') define(`kernel_read_net_sysctl_depend',` -type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## 
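Review bot: In the second hunk the depend block for `kernel_read_unix_sysctl` is defined as `kernel_read_net_sysctl_depend`, so `requires_block_template(`$0'_depend)` looks for `kernel_read_unix_sysctl_depend`, which does not exist, and the `sysctl_net_unix_t` requirement is never emitted for callers. The reindent kept the mismatched name. Rename the define to `kernel_read_unix_sysctl_depend` so the interface and its requires block line up like every other pair in this file.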
@@ -721,17 +810,19 @@ class file { getattr read }; # kernel_modify_unix_sysctl(domain) # define(`kernel_modify_unix_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_net_t:dir { getattr search read }; -allow $1 sysctl_net_unix_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_net_t:dir { getattr search read }; + allow $1 sysctl_net_unix_t:file { getattr read write }; ') define(`kernel_modify_net_sysctl_depend',` -type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; -class dir { search getattr read }; -class file { getattr read write }; + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + + class dir { search getattr read }; + class file { getattr read write }; ') ######################################## @@ -739,17 +830,19 @@ class file { getattr read write }; # kernel_read_hotplug_sysctl(domain) # define(`kernel_read_hotplug_sysctl',` -requires_block_template(`$0'_depend) -allow $1 proc_t:dir search; -allow $1 sysctl_t:dir { getattr search read }; -allow $1 sysctl_kernel_t:dir { getattr search read }; -allow $1 sysctl_hotplug_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 proc_t:dir search; + allow $1 sysctl_t:dir { getattr search read }; + allow $1 sysctl_kernel_t:dir { getattr search read }; + allow $1 sysctl_hotplug_t:file { getattr read }; ') define(`kernel_read_hotplug_sysctl_depend',` -type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; -class dir { search getattr read }; -class file { getattr read }; + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; + + class dir { search getattr read }; + class file { getattr read }; ') ######################################## 
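Review bot: The first hunk defines the depend block for `kernel_modify_unix_sysctl` as `kernel_modify_net_sysctl_depend`, the same mismatch as in the read variant, so `$0_depend` expands to the undefined `kernel_modify_unix_sysctl_depend` and the `sysctl_net_unix_t` write requirement is silently dropped from callers' requires blocks. Rename the define to `kernel_modify_unix_sysctl_depend`; the body of the block (`type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;` plus the dir and file classes) is otherwise correct for the rules above it.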
@@ -757,17 +850,19 @@ class file { getattr read };
 # kernel_modify_hotplug_sysctl(domain)
 #
 define(`kernel_modify_hotplug_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_hotplug_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:dir { getattr search read };
+ allow $1 sysctl_hotplug_t:file { getattr read write };
 ')
 
 define(`kernel_modify_hotplug_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -775,17 +870,19 @@ class file { getattr read write };
 # kernel_read_modprobe_sysctl(domain)
 #
 define(`kernel_read_modprobe_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_modprobe_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:dir { getattr search read };
+ allow $1 sysctl_modprobe_t:file { getattr read };
 ')
 
 define(`kernel_read_modprobe_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-class dir { search getattr read };
-class file { getattr read };
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+
+ class dir { search getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -793,17 +890,19 @@ class file { getattr read };
 # kernel_modify_modprobe_sysctl(domain)
 #
 define(`kernel_modify_modprobe_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_modprobe_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:dir { getattr search read };
+ allow $1 sysctl_modprobe_t:file { getattr read write };
 ')
 
 define(`kernel_modify_modprobe_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -811,17 +910,19 @@ class file { getattr read write };
 # kernel_read_kernel_sysctl(domain)
 #
 define(`kernel_read_kernel_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:file { getattr read };
 ')
 
 define(`kernel_read_kernel_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t;
-class dir { search getattr read };
-class file { getattr read };
+ type proc_t, sysctl_t, sysctl_kernel_t;
+
+ class dir { search getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -829,17 +930,19 @@ class file { getattr read };
 # kernel_modify_kernel_sysctl(domain)
 #
 define(`kernel_modify_kernel_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:dir { getattr search read };
-allow $1 sysctl_kernel_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:dir { getattr search read };
+ allow $1 sysctl_kernel_t:file { getattr read write };
 ')
 
 define(`kernel_modify_kernel_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_kernel_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, sysctl_t, sysctl_kernel_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -847,17 +950,19 @@ class file { getattr read write };
 # kernel_read_filesystem_sysctl(domain)
 #
 define(`kernel_read_filesystem_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_fs_t:dir { getattr search read };
-allow $1 sysctl_fs_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_fs_t:dir { getattr search read };
+ allow $1 sysctl_fs_t:file { getattr read };
 ')
 
 define(`kernel_read_filesystem_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_fs_t;
-class dir { search getattr read };
-class file { getattr read };
+ type proc_t, sysctl_t, sysctl_fs_t;
+
+ class dir { search getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -865,17 +970,19 @@ class file { getattr read };
 # kernel_modify_filesystem_sysctl(domain)
 #
 define(`kernel_modify_filesystem_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_t:dir { getattr search read };
-allow $1 sysctl_fs_t:dir { getattr search read };
-allow $1 sysctl_fs_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_t:dir { getattr search read };
+ allow $1 sysctl_fs_t:dir { getattr search read };
+ allow $1 sysctl_fs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_filesystem_sysctl_depend',`
-type proc_t, sysctl_t, sysctl_fs_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, sysctl_t, sysctl_fs_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -883,16 +990,18 @@ class file { getattr read write };
 # kernel_read_irq_sysctl(domain)
 #
 define(`kernel_read_irq_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_irq_t:dir { getattr search read };
-allow $1 sysctl_irq_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_irq_t:dir { getattr search read };
+ allow $1 sysctl_irq_t:file { getattr read };
 ')
 
 define(`kernel_read_irq_sysctl_depend',`
-type proc_t, sysctl_irq_t;
-class dir { search getattr read };
-class file { getattr read };
+ type proc_t, sysctl_irq_t;
+
+ class dir { search getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -900,16 +1009,18 @@ class file { getattr read };
 # kernel_modify_irq_sysctl(domain)
 #
 define(`kernel_modify_irq_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 sysctl_irq_t:dir { getattr search read };
-allow $1 sysctl_irq_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 sysctl_irq_t:dir { getattr search read };
+ allow $1 sysctl_irq_t:file { getattr read write };
 ')
 
 define(`kernel_modify_irq_sysctl_depend',`
-type proc_t, sysctl_irq_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, sysctl_irq_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -917,17 +1028,19 @@ class file { getattr read write };
 # kernel_read_rpc_sysctl(domain)
 #
 define(`kernel_read_rpc_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_net_t:dir search;
-allow $1 sysctl_rpc_t:dir { getattr search read };
-allow $1 sysctl_rpc_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 proc_net_t:dir search;
+ allow $1 sysctl_rpc_t:dir { getattr search read };
+ allow $1 sysctl_rpc_t:file { getattr read };
 ')
 
 define(`kernel_read_rpc_sysctl_depend',`
-type proc_t, proc_net_t, sysctl_rpc_t;
-class dir { search getattr read };
-class file { getattr read };
+ type proc_t, proc_net_t, sysctl_rpc_t;
+
+ class dir { search getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -935,17 +1048,19 @@ class file { getattr read };
 # kernel_modify_rpc_sysctl(domain)
 #
 define(`kernel_modify_rpc_sysctl',`
-requires_block_template(`$0'_depend)
-allow $1 proc_t:dir search;
-allow $1 proc_net_t:dir search;
-allow $1 sysctl_rpc_t:dir { getattr search read };
-allow $1 sysctl_rpc_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 proc_t:dir search;
+ allow $1 proc_net_t:dir search;
+ allow $1 sysctl_rpc_t:dir { getattr search read };
+ allow $1 sysctl_rpc_t:file { getattr read write };
 ')
 
 define(`kernel_modify_rpc_sysctl_depend',`
-type proc_t, proc_net_t, sysctl_rpc_t;
-class dir { search getattr read };
-class file { getattr read write };
+ type proc_t, proc_net_t, sysctl_rpc_t;
+
+ class dir { search getattr read };
+ class file { getattr read write };
 ')
 
 ########################################
@@ -953,30 +1068,16 @@ class file { getattr read write };
 # kernel_read_all_sysctl(domain)
 #
 define(`kernel_read_all_sysctl',`
-requires_block_template(`$0'_depend)
-kernel_read_device_sysctl($1,optional)
-kernel_read_virtual_memory_sysctl($1,optional)
-kernel_read_network_sysctl($1,optional)
-kernel_read_unix_sysctl($1,optional)
-kernel_read_hotplug_sysctl($1,optional)
-kernel_read_modprobe_sysctl($1,optional)
-kernel_read_kernel_sysctl($1,optional)
-kernel_read_filesystem_sysctl($1,optional)
-kernel_read_irq_sysctl($1,optional)
-kernel_read_rpc_sysctl($1,optional)
-')
-
-define(`kernel_read_all_sysctl_depend',`
-kernel_read_device_sysctl_depend
-kernel_read_virtual_memory_sysctl_depend
-kernel_read_network_sysctl_depend
-kernel_read_unix_sysctl_depend
-kernel_read_hotplug_sysctl_depend
-kernel_read_modprobe_sysctl_depend
-kernel_read_kernel_sysctl_depend
-kernel_read_filesystem_sysctl_depend
-kernel_read_irq_sysctl_depend
-kernel_read_rpc_sysctl_depend
+ kernel_read_device_sysctl($1)
+ kernel_read_virtual_memory_sysctl($1)
+ kernel_read_network_sysctl($1)
+ kernel_read_unix_sysctl($1)
+ kernel_read_hotplug_sysctl($1)
+ kernel_read_modprobe_sysctl($1)
+ kernel_read_kernel_sysctl($1)
+ kernel_read_filesystem_sysctl($1)
+ kernel_read_irq_sysctl($1)
+ kernel_read_rpc_sysctl($1)
 ')
 
 ########################################
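Review bot: The kernel_read_all_sysctl hunk changes behaviour, not just indentation: every sub-interface call loses its second argument `optional`, and `kernel_read_all_sysctl_depend` is deleted together with the `requires_block_template(`$0'_depend)` line. Dropping `optional` presumably turns what were optional requirements into unconditional ones for every caller of this interface, and any policy that still names `kernel_read_all_sysctl_depend` would now pass through m4 unexpanded. The result does match kernel_modify_all_sysctl in the next hunk, which already had no requires block, so the intent looks like consistency; it still deserves a sentence in the commit message and a search for remaining users of the removed macro.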
@@ -984,16 +1085,16 @@ kernel_read_rpc_sysctl_depend
 # kernel_modify_all_sysctl(domain)
 #
 define(`kernel_modify_all_sysctl',`
-kernel_modify_device_sysctl($1)
-kernel_modify_virtual_memory_sysctl($1)
-kernel_modify_network_sysctl($1)
-kernel_modify_unix_sysctl($1)
-kernel_modify_hotplug_sysctl($1)
-kernel_modify_modprobe_sysctl($1)
-kernel_modify_kernel_sysctl($1)
-kernel_modify_filesystem_sysctl($1)
-kernel_modify_irq_sysctl($1)
-kernel_modify_rpc_sysctl($1)
+ kernel_modify_device_sysctl($1)
+ kernel_modify_virtual_memory_sysctl($1)
+ kernel_modify_network_sysctl($1)
+ kernel_modify_unix_sysctl($1)
+ kernel_modify_hotplug_sysctl($1)
+ kernel_modify_modprobe_sysctl($1)
+ kernel_modify_kernel_sysctl($1)
+ kernel_modify_filesystem_sysctl($1)
+ kernel_modify_irq_sysctl($1)
+ kernel_modify_rpc_sysctl($1)
 ')
 
 ########################################
@@ -1008,13 +1109,15 @@ kernel_modify_rpc_sysctl($1)
 ##
 #
 define(`kernel_search_hardware_state_dir',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir search;
+ requires_block_template(`$0'_depend)
+
+ allow $1 sysfs_t:dir search;
 ')
 
 define(`kernel_search_hardware_state_dir_depend',`
-type sysfs_t;
-class dir search;
+ type sysfs_t;
+
+ class dir search;
 ')
 
 ########################################
@@ -1022,16 +1125,18 @@ class dir search;
 # kernel_read_hardware_state(domain)
 #
 define(`kernel_read_hardware_state',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir { getattr search read };
-allow $1 sysfs_t:{ file lnk_file } { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 sysfs_t:dir { getattr search read };
+ allow $1 sysfs_t:{ file lnk_file } { getattr read };
 ')
 
 define(`kernel_read_hardware_state_depend',`
-type sysfs_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+ type sysfs_t;
+
+ class dir { getattr search read };
+ class file { getattr read };
+ class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1039,17 +1144,19 @@ class lnk_file { getattr read };
 # kernel_modify_hardware_config_option(domain)
 #
 define(`kernel_modify_hardware_config_option',`
-requires_block_template(`$0'_depend)
-allow $1 sysfs_t:dir { getattr search read };
-allow $1 sysfs_t:lnk_file { getattr read };
-allow $1 sysfs_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 sysfs_t:dir { getattr search read };
+ allow $1 sysfs_t:lnk_file { getattr read };
+ allow $1 sysfs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_hardware_config_option_depend',`
-type sysfs_t;
-class dir { getattr search read };
-class file { getattr read write };
-class lnk_file { getattr read };
+ type sysfs_t;
+
+ class dir { getattr search read };
+ class file { getattr read write };
+ class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1064,13 +1171,15 @@ class lnk_file { getattr read };
 ##
 #
 define(`kernel_kill_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigkill;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:process sigkill;
 ')
 
 define(`kernel_kill_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigkill;
+ type unlabeled_t;
+
+ class process sigkill;
 ')
 
 ########################################
@@ -1085,13 +1194,15 @@ class process sigkill;
 ##
 #
 define(`kernel_signal_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process signal;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:process signal;
 ')
 
 define(`kernel_signal_unlabeled_process_depend',`
-type unlabeled_t;
-class process signal;
+ type unlabeled_t;
+
+ class process signal;
 ')
 
 ########################################
@@ -1106,13 +1217,15 @@ class process signal;
 ##
 #
 define(`kernel_signull_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process signull;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:process signull;
 ')
 
 define(`kernel_signull_unlabeled_process_depend',`
-type unlabeled_t;
-class process signull;
+ type unlabeled_t;
+
+ class process signull;
 ')
 
 ########################################
@@ -1127,13 +1240,15 @@ class process signull;
 ##
 #
 define(`kernel_sigstop_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigstop;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:process sigstop;
 ')
 
 define(`kernel_sigstop_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigstop;
+ type unlabeled_t;
+
+ class process sigstop;
 ')
 
 ########################################
@@ -1148,13 +1263,15 @@ class process sigstop;
 ##
 #
 define(`kernel_sigchld_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:process sigchld;
 ')
 
 define(`kernel_sigchld_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigchld;
+ type unlabeled_t;
+
+ class process sigchld;
 ')
 
 ########################################
@@ -1162,13 +1279,15 @@ class process sigchld;
 # kernel_ignore_get_unlabeled_block_device_attributes(domain)
 #
 define(`kernel_ignore_get_unlabeled_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:blk_file getattr;
 ')
 
 define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
-type unlabeled_t;
-class process getattr;
+ type unlabeled_t;
+
+ class process getattr;
 ')
 
 ########################################
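Review bot: In the kernel_ignore_get_unlabeled_block_device_attributes hunk the requires block declares `class process getattr;` while the rule it supports is on `unlabeled_t:blk_file`, so the declared requirement does not cover the permission actually used; the re-indent carries the mismatch over. The interface is also named `ignore_…` yet grants with `allow` rather than silencing with `dontaudit`, unlike storage_ignore_get_fixed_disk_attributes later in this diff, so a caller that only wants to quiet audit noise ends up with a real permission on unlabeled block devices. Both are one-line fixes: `dontaudit $1 unlabeled_t:blk_file getattr;` in the body and `class blk_file getattr;` in the requires block.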
@@ -1176,19 +1295,21 @@ class process getattr;
 # kernel_relabel_unlabeled_object(domain)
 #
 define(`kernel_relabel_unlabeled_object',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
+ requires_block_template(`$0'_depend)
+
+ allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
 ')
 
 define(`kernel_relabel_unlabeled_object_depend',`
-type unlabeled_t;
-class dir { getattr relabelfrom };
-class file { getattr relabelfrom };
-class lnk_file { getattr relabelfrom };
-class fifo_file { getattr relabelfrom };
-class sock_file { getattr relabelfrom };
-class chr_file { getattr relabelfrom };
-class blk_file { getattr relabelfrom };
+ type unlabeled_t;
+
+ class dir { getattr relabelfrom };
+ class file { getattr relabelfrom };
+ class lnk_file { getattr relabelfrom };
+ class fifo_file { getattr relabelfrom };
+ class sock_file { getattr relabelfrom };
+ class chr_file { getattr relabelfrom };
+ class blk_file { getattr relabelfrom };
 ')
 
 ########################################
@@ -1203,13 +1324,15 @@ class blk_file { getattr relabelfrom };
 ##
 #
 define(`kernel_search_usb_hardware_state_dir',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir search;
+ requires_block_template(`$0'_depend)
+
+ allow $1 usbfs_t:dir search;
 ')
 
 define(`kernel_search_usb_hardware_state_dir_depend',`
-type usbfs_t;
-class dir search;
+ type usbfs_t;
+
+ class dir search;
 ')
 
 ########################################
@@ -1217,17 +1340,19 @@ class dir search;
 # kernel_list_usb_hardware(domain)
 #
 define(`kernel_list_usb_hardware',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:lnk_file { getattr read };
-allow $1 usbfs_t:file getattr;
+ requires_block_template(`$0'_depend)
+
+ allow $1 usbfs_t:dir { getattr search read };
+ allow $1 usbfs_t:lnk_file { getattr read };
+ allow $1 usbfs_t:file getattr;
 ')
 
 define(`kernel_list_usb_hardware_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file getattr;
-class lnk_file { getattr read };
+ type usbfs_t;
+
+ class dir { getattr search read };
+ class file getattr;
+ class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1243,16 +1368,18 @@ class lnk_file { getattr read };
 ##
 #
 define(`kernel_read_usb_hardware_state',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:{ file lnk_file } { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 usbfs_t:dir { getattr search read };
+ allow $1 usbfs_t:{ file lnk_file } { getattr read };
 ')
 
 define(`kernel_read_usb_hardware_state_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+ type usbfs_t;
+
+ class dir { getattr search read };
+ class file { getattr read };
+ class lnk_file { getattr read };
 ')
 
 ########################################
@@ -1260,17 +1387,19 @@ class lnk_file { getattr read };
 # kernel_modify_usb_hardware_config_option(domain)
 #
 define(`kernel_modify_usb_hardware_config_option',`
-requires_block_template(`$0'_depend)
-allow $1 usbfs_t:dir { getattr search read };
-allow $1 usbfs_t:lnk_file { getattr read };
-allow $1 usbfs_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ allow $1 usbfs_t:dir { getattr search read };
+ allow $1 usbfs_t:lnk_file { getattr read };
+ allow $1 usbfs_t:file { getattr read write };
 ')
 
 define(`kernel_modify_usb_hardware_config_option_depend',`
-type usbfs_t;
-class dir { getattr search read };
-class file { getattr read write };
-class lnk_file { getattr read };
+ type usbfs_t;
+
+ class dir { getattr search read };
+ class file { getattr read write };
+ class lnk_file { getattr read };
 ')
 
 ###################################################################
@@ -1287,13 +1416,15 @@ class lnk_file { getattr read };
 # kernel_sigchld_from(domain)
 #
 define(`kernel_sigchld_from',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow kernel_t $1:process sigchld;
 ')
 
 define(`kernel_sigchld_from_depend',`
-type kernel_t;
-class process sigchld;
+ type kernel_t;
+
+ class process sigchld;
 ')
 
 ########################################
@@ -1301,13 +1432,15 @@ class process sigchld;
 # kernel_unlabeled_sigchld_from(domain)
 #
 define(`kernel_unlabeled_sigchld_from',`
-requires_block_template(`$0'_depend)
-allow unlabeled_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow unlabeled_t $1:process sigchld;
 ')
 
 define(`kernel_unlabeled_sigchld_from_depend',`
-type unlabeled_t;
-class process sigchld;
+ type unlabeled_t;
+
+ class process sigchld;
 ')
 
 ########################################
@@ -1315,13 +1448,15 @@ class process sigchld;
 # kernel_read_directory_from(domain)
 #
 define(`kernel_read_directory_from',`
-requires_block_template(`$0'_depend)
-allow kernel_t $1:dir { getattr search read };
+ requires_block_template(`$0'_depend)
+
+ allow kernel_t $1:dir { getattr search read };
 ')
 
 define(`kernel_read_directory_from_depend',`
-type kernel_t;
-class dir { getattr search read };
+ type kernel_t;
+
+ class dir { getattr search read };
 ')
 
 ##
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 8082298..6b057d3 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -14,14 +14,16 @@
 ##
 #
 define(`storage_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
 define(`storage_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+ type fixed_disk_device_t;
+
+ class blk_file getattr;
 ')
 
 ########################################
@@ -37,13 +39,15 @@ class blk_file getattr;
 ##
 #
 define(`storage_ignore_get_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 fixed_disk_device_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 
 define(`storage_ignore_get_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file getattr;
+ type fixed_disk_device_t;
+
+ class blk_file getattr;
 ')
 
 ########################################
@@ -59,14 +63,16 @@ class blk_file getattr;
 ##
 #
 define(`storage_set_fixed_disk_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file setattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 
 define(`storage_set_fixed_disk_attributes_depend',`
-type fixed_disk_device_t;
-class blk_file setattr;
+ type fixed_disk_device_t;
+
+ class blk_file setattr;
 ')
 
 ########################################
@@ -84,16 +90,19 @@ class blk_file setattr;
 ##
 #
 define(`storage_raw_read_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file r_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
 ')
 
 define(`storage_raw_read_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+ attribute fixed_disk_raw_read;
+
+ type fixed_disk_device_t;
+
+ class blk_file r_file_perms;
 ')
 
 ########################################
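Review bot: In the storage_raw_read_fixed_disk hunk `{ getattr read ioctl }` is replaced by `r_file_perms` in both the rule and the requires block; the macro's definition is not visible here, and if r_file_perms carries anything beyond those three permissions (lock is the usual extra) this silently widens access to raw fixed-disk devices inside a commit that otherwise only re-indents. The same substitution is made in storage_raw_read_lvm_volume, storage_read_scsi_generic, storage_raw_read_removable_device and storage_read_tape_device on the following lines. The write-side counterparts keep the explicit `{ getattr write ioctl }` set, so either both sides should use a named permission set or the read-side change should be called out in the commit message.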
@@ -111,16 +120,19 @@ class blk_file { getattr read ioctl };
 ##
 #
 define(`storage_raw_write_fixed_disk',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+ typeattribute $1 fixed_disk_raw_write;
 ')
 
 define(`storage_raw_write_fixed_disk_depend',`
-type fixed_disk_device_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+ attribute fixed_disk_raw_write;
+
+ type fixed_disk_device_t;
+
+ class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -135,12 +147,17 @@ class blk_file { getattr write ioctl };
 ##
 #
 define(`storage_create_fixed_disk_dev_entry',`
-requires_block_template(`$0'_depend)
-devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+ requires_block_template(`$0'_depend)
+
+ allow $1 fixed_disk_device_t:blk_file create_file_perms;
+ devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
 define(`storage_create_fixed_disk_dev_entry_depend',`
-type fixed_disk_device_t;
+ type fixed_disk_device_t;
+
+ class blk_file create_file_perms;
 ')
 
 ########################################
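Review bot: In the storage_create_fixed_disk_dev_entry hunk the new body adds `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;`, but the `_depend` block only gains `class blk_file create_file_perms;` and still declares no attributes, unlike storage_manage_fixed_disk_depend in the next hunk which carries `attribute fixed_disk_raw_read, fixed_disk_raw_write;`. Functionally the interface now grants the same create_file_perms set plus both raw-access attributes that storage_manage_fixed_disk grants, so every caller that only wanted to create a device node also gets raw read and write on fixed disks; that is a privilege change rather than a formatting one and belongs in the commit message or a separate commit. Adding `attribute fixed_disk_raw_read, fixed_disk_raw_write;` to the requires block fixes the declaration mismatch.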
@@ -155,17 +172,19 @@ type fixed_disk_device_t;
 ##
 #
 define(`storage_manage_fixed_disk',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file create_file_perms;
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
 define(`storage_manage_fixed_disk_depend',`
-attribute fixed_disk_raw_read;
-attribute fixed_disk_raw_write;
-type fixed_disk_device_t;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+ attribute fixed_disk_raw_read, fixed_disk_raw_write;
+
+ type fixed_disk_device_t;
+
+ class blk_file create_file_perms;
 ')
 
 ########################################
@@ -183,16 +202,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 ##
 #
 define(`storage_raw_read_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 lvm_vg_t:blk_file r_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
 ')
 
 define(`storage_raw_read_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+ attribute fixed_disk_raw_read;
+
+ type lvm_vg_t;
+
+ class blk_file r_file_perms;
 ')
 
 ########################################
@@ -210,16 +232,19 @@ class blk_file { getattr read ioctl };
 ##
 #
 define(`storage_raw_write_lvm_volume',`
-requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
-devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+ typeattribute $1 fixed_disk_raw_write;
 ')
 
 define(`storage_raw_write_lvm_volume_depend',`
-type lvm_vg_t;
-attribute fixed_disk_raw_write;
-class blk_file { getattr write ioctl };
+ attribute fixed_disk_raw_write;
+
+ type lvm_vg_t;
+
+ class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -238,16 +263,19 @@ class blk_file { getattr write ioctl };
 ##
 #
 define(`storage_read_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_read;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 scsi_generic_device_t:blk_file r_file_perms;
+ typeattribute $1 scsi_generic_read;
 ')
 
 define(`storage_read_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_read;
-class blk_file { getattr read ioctl };
+ attribute scsi_generic_read;
+
+ type scsi_generic_device_t;
+
+ class blk_file r_file_perms;
 ')
 
 ########################################
@@ -266,16 +294,19 @@ class blk_file { getattr read ioctl };
 ##
 #
 define(`storage_write_scsi_generic',`
-requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_write;
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+ typeattribute $1 scsi_generic_write;
 ')
 
 define(`storage_write_scsi_generic_depend',`
-type scsi_generic_device_t;
-attribute scsi_generic_write;
-class blk_file { getattr write ioctl };
+ attribute scsi_generic_write;
+
+ type scsi_generic_device_t;
+
+ class blk_file { getattr write ioctl };
 ')
 
 ########################################
@@ -283,14 +314,16 @@ class blk_file { getattr write ioctl };
 # storage_get_scsi_generic_attributes(domain)
 #
 define(`storage_get_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 
 define(`storage_get_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file getattr;
+ type scsi_generic_device_t;
+
+ class blk_file getattr;
 ')
 
 ########################################
@@ -298,14 +331,16 @@ class blk_file getattr;
 # storage_set_scsi_generic_attributes(domain)
 #
 define(`storage_set_scsi_generic_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file setattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 
 define(`storage_set_scsi_generic_attributes_depend',`
-type scsi_generic_device_t;
-class blk_file setattr;
+ type scsi_generic_device_t;
+
+ class blk_file setattr;
 ')
 
 ########################################
@@ -321,14 +356,16 @@ class blk_file setattr;
 ##
 #
 define(`storage_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 removable_device_t:blk_file getattr;
 ')
 
 define(`storage_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+ type removable_device_t;
+
+ class blk_file getattr;
 ')
 
 ########################################
@@ -344,13 +381,15 @@ class blk_file getattr;
 ##
 #
 define(`storage_ignore_get_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 removable_device_t:blk_file getattr;
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 removable_device_t:blk_file getattr;
 ')
 
 define(`storage_ignore_get_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file getattr;
+ type removable_device_t;
+
+ class blk_file getattr;
 ')
 
 ########################################
@@ -358,14 +397,16 @@ class blk_file getattr;
 # storage_set_removable_device_attributes(domain)
 #
 define(`storage_set_removable_device_attributes',`
-requires_block_template(`$0'_depend)
-devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file setattr;
+ requires_block_template(`$0'_depend)
+
+ devices_list_device_nodes($1)
+ allow $1 removable_device_t:blk_file setattr;
 ')
 
 define(`storage_set_removable_device_attributes_depend',`
-type removable_device_t;
-class blk_file setattr;
+ type removable_device_t;
+
+ class blk_file setattr;
 ')
 
 ########################################
@@ -373,14 +414,16 @@ class blk_file setattr; # storage_raw_read_removable_device(domain) # define(`storage_raw_read_removable_device',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 removable_device_t:blk_file { getattr read ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 removable_device_t:blk_file r_file_perms; ') define(`storage_raw_read_removable_device_depend',` -type removable_device_t; -class blk_file { getattr read ioctl }; + type removable_device_t; + + class blk_file r_file_perms; ') ######################################## @@ -388,14 +431,16 @@ class blk_file { getattr read ioctl }; # storage_raw_write_removable_device(domain) # define(`storage_raw_write_removable_device',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 removable_device_t:blk_file { getattr write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 removable_device_t:blk_file { getattr write ioctl }; ') define(`storage_raw_write_removable_device_depend',` -type removable_device_t; -class blk_file { getattr write ioctl }; + type removable_device_t; + + class blk_file { getattr write ioctl }; ') ######################################## @@ -403,14 +448,16 @@ class blk_file { getattr write ioctl }; # storage_read_tape_device(domain) # define(`storage_read_tape_device',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tape_device_t:blk_file { getattr read ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tape_device_t:blk_file r_file_perms; ') define(`storage_read_tape_device_depend',` -type tape_device_t; -class blk_file { getattr read ioctl }; + type tape_device_t; + + class blk_file r_file_perms; ') ######################################## 
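Review bot: The switch from `{ getattr read ioctl }` to `r_file_perms` in storage_raw_read_removable_device (and again in storage_read_tape_device further along this line) is a semantic change inside what is otherwise a re-indentation commit. r_file_perms is a permission-set macro defined outside this diff; if it expands to more than the three explicit permissions (it conventionally also carries lock), these interfaces now grant more on the raw block device than before, and the same question applies to the dir rules moved to r_dir_perms in terminal_create_private_pseudoterminal, terminal_list_pseudoterminals, terminal_get_all_private_pseudoterminal_attributes and terminal_use_all_private_pseudoterminals. Either keep the explicit set, `allow $1 removable_device_t:blk_file { getattr read ioctl };`, or call out the widening in the commit message so it is reviewed as a policy change rather than as formatting.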
@@ -418,14 +465,16 @@ class blk_file { getattr read ioctl }; # storage_write_tape_device(domain) # define(`storage_write_tape_device',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tape_device_t:blk_file { getattr write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tape_device_t:blk_file { getattr write ioctl }; ') define(`storage_write_tape_device_depend',` -type tape_device_t; -class blk_file { getattr write ioctl }; + type tape_device_t; + + class blk_file { getattr write ioctl }; ') ######################################## @@ -433,14 +482,16 @@ class blk_file { getattr write ioctl }; # storage_get_tape_device_attributes(domain) # define(`storage_get_tape_device_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tape_device_t:blk_file getattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tape_device_t:blk_file getattr; ') define(`storage_get_tape_device_attributes_depend',` -type tape_device_t; -class blk_file getattr; + type tape_device_t; + + class blk_file getattr; ') ######################################## @@ -448,14 +499,15 @@ class blk_file getattr; # storage_set_tape_device_attributes(domain) # define(`storage_set_tape_device_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tape_device_t:blk_file setattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tape_device_t:blk_file setattr; ') define(`storage_set_tape_device_attributes_depend',` -type tape_device_t; -class blk_file setattr; + type tape_device_t; + class blk_file setattr; ') ## diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 4f59fa7..535416b 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if 
@@ -6,15 +6,18 @@ # terminal_make_pseudoterminal(type) # define(`terminal_make_pseudoterminal',` -requires_block_template(`$0'_depend) -allow $1 devpts_t:filesystem associate; -typeattribute $1 ptynode; + requires_block_template(`$0'_depend) + + allow $1 devpts_t:filesystem associate; + typeattribute $1 ptynode; ') define(`terminal_make_pseudoterminal_depend',` -attribute ptynode; -type devpts_t; -class filesystem associate; + attribute ptynode; + + type devpts_t; + + class filesystem associate; ') ######################################## @@ -22,13 +25,14 @@ class filesystem associate; # terminal_make_user_pseudoterminal(domain,type) # define(`terminal_make_user_pseudoterminal',` -requires_block_template(`$0'_depend) -terminal_make_pseudoterminal($1) -type_change $1 server_ptynode:chr_file $2; + requires_block_template(`$0'_depend) + + terminal_make_pseudoterminal($1) + type_change $1 server_ptynode:chr_file $2; ') define(`terminal_make_user_pseudoterminal_depend',` -attribute server_ptynode; + attribute server_ptynode; ') ######################################## @@ -36,13 +40,14 @@ attribute server_ptynode; # terminal_make_service_pseudoterminal(type) # define(`terminal_make_service_pseudoterminal',` -requires_block_template(`$0'_depend) -terminal_make_pseudoterminal($1) -typeattribute $1 server_ptynode; + requires_block_template(`$0'_depend) + + terminal_make_pseudoterminal($1) + typeattribute $1 server_ptynode; ') define(`terminal_make_service_pseudoterminal_depend',` -attribute server_ptynode; + attribute server_ptynode; ') ######################################## 
@@ -50,22 +55,26 @@ attribute server_ptynode; # terminal_make_physical_terminal(domain,type) # define(`terminal_make_physical_terminal',` -requires_block_template(`$0'_depend) -typeattribute $2 ttynode; -type_change $1 tty_device_t:chr_file $2; -# Debian login is from shadow utils and does not allow resetting the perms. -# have to fix this! -tunable_policy(`distro_debian',` -type_change $1 ttyfile:chr_file $2; -') -tunable_policy(`distro_redhat',` -filesystem_tmpfs_associate($2) -') + requires_block_template(`$0'_depend) + + typeattribute $2 ttynode; + type_change $1 tty_device_t:chr_file $2; + + # Debian login is from shadow utils and does not allow resetting the perms. + # have to fix this! + tunable_policy(`distro_debian',` + type_change $1 ttyfile:chr_file $2; + ') + + tunable_policy(`distro_redhat',` + filesystem_tmpfs_associate($2) + ') ') define(`terminal_make_physical_terminal_depend',` -attribute ttynode; -type tty_device_t; + attribute ttynode; + + type tty_device_t; ') ######################################## 
@@ -73,20 +82,22 @@ type tty_device_t; # terminal_create_private_pseudoterminal(domain,ptytype) # define(`terminal_create_private_pseudoterminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ptmx_t:chr_file { getattr read write }; -allow $1 devpts_t:dir { getattr search read }; -allow $1 devpts_t:filesystem getattr; -dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; -type_transition $1 devpts_t:chr_file $2; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ptmx_t:chr_file { getattr read write }; + allow $1 devpts_t:dir r_dir_perms; + allow $1 devpts_t:filesystem getattr; + dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; + type_transition $1 devpts_t:chr_file $2; ') define(`terminal_create_pseudoterminal_depend',` -type ptmx_t, devpts_t; -class filesystem getattr; -class dir { getattr search read }; -class chr_file { getattr read write }; + type ptmx_t, devpts_t; + + class filesystem getattr; + class dir r_dir_perms; + class chr_file { getattr read write }; ') ######################################## @@ -94,17 +105,20 @@ class chr_file { getattr read write }; # terminal_use_all_terminals(domain) # define(`terminal_use_all_terminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devpts_t:dir r_dir_perms; -allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devpts_t:dir r_dir_perms; + allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms; ') define(`terminal_use_all_terminals_depend',` -attribute ttynode, ptynode; -type console_device_t, devpts_t, tty_device_t; -class dir r_dir_perms; -class chr_file rw_file_perms; + attribute ttynode, ptynode; + + type console_device_t, devpts_t, tty_device_t; + + class dir r_dir_perms; + class chr_file rw_file_perms; ') ######################################## 
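Review bot: The interface and its depend block disagree on the name: `terminal_create_private_pseudoterminal` expands requires_block_template(`$0'_depend) to terminal_create_private_pseudoterminal_depend, but the block defined directly below it is `terminal_create_pseudoterminal_depend`, so the requires block for this interface is not found unless a definition under the longer name exists elsewhere. The commit re-indents both halves without touching the mismatch. Renaming the depend block, `define(`terminal_create_private_pseudoterminal_depend',``, would bring the pair in line with every other interface in this file.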
@@ -142,14 +156,16 @@ define(`terminal_use_console_depend',` ## # define(`terminal_use_console',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 console_device_t:chr_file rw_file_perms; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 console_device_t:chr_file rw_file_perms; ') define(`terminal_use_console_depend',` -type console_device_t; -class chr_file rw_file_perms; + type console_device_t; + + class chr_file rw_file_perms; ') ######################################## @@ -164,13 +180,15 @@ class chr_file rw_file_perms; ## # define(`terminal_ignore_use_console',` -requires_block_template(`$0'_depend) -dontaudit $1 console_device_t:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 console_device_t:chr_file { read write }; ') define(`terminal_ignore_use_console_depend',` -type console_device_t; -class chr_file { read write }; + type console_device_t; + + class chr_file { read write }; ') ######################################## @@ -178,15 +196,16 @@ class chr_file { read write }; # terminal_set_console_attributes(domain) # define(`terminal_set_console_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1,optional) -allow $1 console_device_t:chr_file setattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 console_device_t:chr_file setattr; ') define(`terminal_set_console_attributes_depend',` -type console_device_t; -class chr_file setattr; -devices_list_device_nodes_depend + type console_device_t; + + class chr_file setattr; ') ######################################## 
@@ -194,15 +213,16 @@ devices_list_device_nodes_depend # terminal_list_pseudoterminals(domain) # define(`terminal_list_pseudoterminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devpts_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devpts_t:dir r_dir_perms; ') define(`terminal_list_pseudoterminals_depend',` -type devpts_t; -class dir { getattr search read }; -devices_list_device_nodes_depend + type devpts_t; + + class dir r_dir_perms; ') ######################################## @@ -210,13 +230,15 @@ devices_list_device_nodes_depend # terminal_ignore_list_pseudoterminals(domain) # define(`terminal_ignore_list_pseudoterminals',` -requires_block_template(`$0'_depend) -dontaudit $1 devpts_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + dontaudit $1 devpts_t:dir { getattr search read }; ') define(`terminal_ignore_list_pseudoterminals_depend',` -type devpts_t; -class dir { getattr search read }; + type devpts_t; + + class dir { getattr search read }; ') ######################################## @@ -224,14 +246,16 @@ class dir { getattr search read }; # terminal_use_general_pseudoterminal(domain) # define(`terminal_use_general_pseudoterminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devpts_t:chr_file { read write }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devpts_t:chr_file { read write }; ') define(`terminal_use_general_pseudoterminal_depend',` -type devpts_t; -class chr_file { read write }; + type devpts_t; + + class chr_file { read write }; ') ######################################## 
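Review bot: terminal_ignore_list_pseudoterminals keeps its dontaudit on `{ getattr search read }` while its allow counterpart terminal_list_pseudoterminals, in the hunk just above on this line, now uses r_dir_perms, so the two interfaces no longer describe the same set of permissions. If r_dir_perms is wider than the explicit set, the ignore interface will leave the extra permissions audited; using the same macro on both sides, `dontaudit $1 devpts_t:dir r_dir_perms;` with `class dir r_dir_perms;` in the depend block, keeps the pair symmetric.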
@@ -239,13 +263,15 @@ class chr_file { read write }; # terminal_ignore_use_general_pseudoterminal(domain) # define(`terminal_ignore_use_general_pseudoterminal',` -requires_block_template(`$0'_depend) -dontaudit $1 devpts_t:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 devpts_t:chr_file { read write }; ') define(`terminal_ignore_use_general_pseudoterminal_depend',` -type devpts_t; -class chr_file { read write }; + type devpts_t; + + class chr_file { read write }; ') ######################################## @@ -253,14 +279,16 @@ class chr_file { read write }; # terminal_use_controlling_terminal(domain) # define(`terminal_use_controlling_terminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devtty_t:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devtty_t:chr_file { getattr read write ioctl }; ') define(`terminal_use_controlling_terminal_depend',` -type devtty_t; -class chr_file { getattr read write ioctl }; + type devtty_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -268,13 +296,15 @@ class chr_file { getattr read write ioctl }; # terminal_ignore_use_pseudoterminal_multiplexer(domain) # define(`terminal_ignore_use_pseudoterminal_multiplexer',` -requires_block_template(`$0'_depend) -dontaudit $1 ptmx_t:chr_file { getattr read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 ptmx_t:chr_file { getattr read write }; ') define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',` -type ptmx_t; -class chr_file { getattr read write }; + type ptmx_t; + + class chr_file { getattr read write }; ') ######################################## 
@@ -282,16 +312,18 @@ class chr_file { getattr read write }; # terminal_get_all_private_pseudoterminal_attributes(domain) # define(`terminal_get_all_private_pseudoterminal_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devpts_t:dir { getattr search read }; -allow $1 ptynode:chr_file getattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devpts_t:dir r_dir_perms; + allow $1 ptynode:chr_file getattr; ') define(`terminal_get_all_private_pseudoterminal_attributes_depend',` -attribute ptynode; -class dir { getattr search read }; -class chr_file getattr; + attribute ptynode; + + class dir r_dir_perms; + class chr_file getattr; ') ######################################## @@ -299,16 +331,18 @@ class chr_file getattr; # terminal_use_all_private_pseudoterminals(domain) # define(`terminal_use_all_private_pseudoterminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 devpts_t:dir { getattr read search }; -allow $1 ptynode:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 devpts_t:dir r_dir_perms; + allow $1 ptynode:chr_file { getattr read write ioctl }; ') define(`terminal_use_all_private_pseudoterminals_depend',` -attribute ptynode; -class dir { getattr search read }; -class chr_file { getattr read write ioctl }; + attribute ptynode; + + class dir r_dir_perms; + class chr_file { getattr read write ioctl }; ') ######################################## 
@@ -316,13 +350,15 @@ class chr_file { getattr read write ioctl }; # terminal_ignore_use_all_private_pseudoterminals(domain) # define(`terminal_ignore_use_all_private_pseudoterminals',` -requires_block_template(`$0'_depend) -dontaudit $1 ptynode:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 ptynode:chr_file { read write }; ') define(`terminal_ignore_use_all_private_pseudoterminals_depend',` -attribute ptynode; -class chr_file { read write }; + attribute ptynode; + + class chr_file { read write }; ') ######################################## @@ -330,14 +366,16 @@ class chr_file { read write }; # terminal_get_general_physical_terminal_attributes(domain) # define(`terminal_get_general_physical_terminal_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file getattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tty_device_t:chr_file getattr; ') define(`terminal_get_general_physical_terminal_attributes_depend',` -type tty_device_t; -class chr_file getattr; + type tty_device_t; + + class chr_file getattr; ') ######################################## @@ -345,14 +383,16 @@ class chr_file getattr; # terminal_set_general_physical_terminal_attributes(domain) # define(`terminal_set_general_physical_terminal_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file setattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tty_device_t:chr_file setattr; ') define(`terminal_set_general_physical_terminal_attributes_depend',` -type tty_device_t; -class chr_file setattr; + type tty_device_t; + + class chr_file setattr; ') ######################################## 
@@ -360,14 +400,16 @@ class chr_file setattr; # terminal_relabel_general_physical_terminal(domain) # define(`terminal_relabel_general_physical_terminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file { relabelfrom relabelto }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ') define(`terminal_relabel_general_physical_terminal_depend',` -type tty_device_t; -class chr_file { relabelfrom relabelto }; + type tty_device_t; + + class chr_file { relabelfrom relabelto }; ') ######################################## @@ -375,16 +417,18 @@ class chr_file { relabelfrom relabelto }; # terminal_reset_physical_terminal_labels(domain) # define(`terminal_reset_physical_terminal_labels',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file relabelfrom; -allow $1 tty_device_t:chr_file relabelto; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file relabelfrom; + allow $1 tty_device_t:chr_file relabelto; ') define(`terminal_reset_physical_terminal_labels_depend',` -attribute ttynode; -type tty_device_t; -class chr_file { relabelfrom relabelto }; + attribute ttynode; + + type tty_device_t; + class chr_file { relabelfrom relabelto }; ') ######################################## @@ -400,14 +444,16 @@ class chr_file { relabelfrom relabelto }; ## # define(`terminal_write_general_physical_terminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file { getattr write }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tty_device_t:chr_file { getattr write }; ') define(`terminal_write_general_physical_terminal_depend',` -type tty_device_t; -class chr_file { read write }; + type tty_device_t; + + class chr_file { getattr write }; ') ######################################## 
@@ -415,14 +461,16 @@ class chr_file { read write }; # terminal_use_general_physical_terminal(domain) # define(`terminal_use_general_physical_terminal',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 tty_device_t:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 tty_device_t:chr_file { getattr read write ioctl }; ') define(`terminal_use_general_physical_terminal_depend',` -type tty_device_t; -class chr_file { getattr read write ioctl }; + type tty_device_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -430,13 +478,15 @@ class chr_file { getattr read write ioctl }; # terminal_ignore_use_general_physical_terminal(domain) # define(`terminal_ignore_use_general_physical_terminal',` -requires_block_template(`$0'_depend) -dontaudit $1 tty_device_t:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 tty_device_t:chr_file { read write }; ') define(`terminal_ignore_use_general_physical_terminal_depend',` -type tty_device_t; -class chr_file { read write }; + type tty_device_t; + + class chr_file { read write }; ') ######################################## @@ -444,14 +494,16 @@ class chr_file { read write }; # terminal_get_all_private_physical_terminal_attributes(domain) # define(`terminal_get_all_private_physical_terminal_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file getattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file getattr; ') define(`terminal_get_all_private_physical_terminal_attributes_depend',` -attribute ttynode; -class chr_file getattr; + attribute ttynode; + + class chr_file getattr; ') ######################################## 
@@ -459,14 +511,16 @@ class chr_file getattr; # terminal_set_all_private_physical_terminal_attributes(domain) # define(`terminal_set_all_private_physical_terminal_attributes',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file setattr; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file setattr; ') define(`terminal_set_all_private_physical_terminal_attributes_depend',` -attribute ttynode; -class chr_file setattr; + attribute ttynode; + + class chr_file setattr; ') ######################################## @@ -474,13 +528,15 @@ class chr_file setattr; # terminal_ignore_get_all_private_physical_terminal_attributes(domain) # define(`terminal_ignore_get_all_private_physical_terminal_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 ttynode:chr_file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 ttynode:chr_file getattr; ') define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',` -attribute ttynode; -class chr_file getattr; + attribute ttynode; + + class chr_file getattr; ') ######################################## @@ -488,14 +544,16 @@ class chr_file getattr; # terminal_relabel_all_private_physical_terminals(domain) # define(`terminal_relabel_all_private_physical_terminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file { relabelfrom relabelto }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file { relabelfrom relabelto }; ') define(`terminal_relabel_all_private_physical_terminals_depend',` -attribute ttynode; -class chr_file { relabelfrom relabelto }; + attribute ttynode; + + class chr_file { relabelfrom relabelto }; ') ######################################## 
@@ -511,14 +569,16 @@ class chr_file { relabelfrom relabelto }; ## # define(`terminal_write_all_private_physical_terminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file { getattr write }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file { getattr write }; ') define(`terminal_write_all_private_physical_terminals_depend',` -attribute ttynode; -class chr_file { getattr write }; + attribute ttynode; + + class chr_file { getattr write }; ') ######################################## @@ -526,14 +586,16 @@ class chr_file { getattr write }; # terminal_use_all_private_physical_terminals(domain) # define(`terminal_use_all_private_physical_terminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -allow $1 ttynode:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 ttynode:chr_file { getattr read write ioctl }; ') define(`terminal_use_all_private_physical_terminals_depend',` -attribute ttynode; -class chr_file { getattr read write ioctl }; + attribute ttynode; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -541,13 +603,15 @@ class chr_file { getattr read write ioctl }; # terminal_ignore_use_all_private_physical_terminals(domain) # define(`terminal_ignore_use_all_private_physical_terminals',` -requires_block_template(`$0'_depend) -dontaudit $1 ttynode:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 ttynode:chr_file { read write }; ') define(`terminal_ignore_use_all_private_physical_terminals_depend',` -attribute ttynode; -class chr_file { read write }; + attribute ttynode; + + class chr_file { read write }; ') ## diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 37e17e5..157d94d 100644 --- a/refpolicy/policy/modules/services/cron.if 
+++ b/refpolicy/policy/modules/services/cron.if 
@@ -6,215 +6,210 @@ define(`cron_per_userdomain_template',` -# Type of user crontabs once moved to cron spool. -type $1_cron_spool_t; -files_make_file($1_cron_spool_t) + # Type of user crontabs once moved to cron spool. + type $1_cron_spool_t; + files_make_file($1_cron_spool_t) + + type $1_crond_t; # user_crond_domain; + domain_make_domain($1_crond_t); + corecommands_make_shell_entrypoint($1_crond_t) + role $1_r types $1_crond_t; + + type $1_crontab_t; + domain_make_domain($1_crontab_t) + domain_make_entrypoint_file($1_crontab_t,crontab_exec_t) + role $1_r types $1_crontab_t; + + ############################## + # + # $1_crond_t local policy + # + + allow $1_crond_t self:capability dac_override; + allow $1_crond_t self:process { sigkill sigstop signull signal setsched }; + allow $1_crond_t self:fifo_file { read getattr write append }; + allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; + allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + + # The entrypoint interface is not used as this is not + # a regular entrypoint. Since crontab files are + # not directly executed, crond must ensure that + # the crontab file has a type that is appropriate + # for the domain of the user cron job. It + # performs an entrypoint permission check + # for this purpose. + allow $1_crond_t $1_cron_spool_t:file entrypoint; + + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. 
+ allow crond_t $1_crond_t:process transition; + dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh }; + allow crond_t $1_crond_t:fd use; + allow $1_crond_t crond_t:fd use; + allow $1_crond_t crond_t:fifo_file rw_file_perms; + allow $1_crond_t crond_t:process sigchld; + + kernel_read_system_state($1_crond_t) + kernel_read_kernel_sysctl($1_crond_t) + + # ps does not need to access /boot when run from cron + bootloader_ignore_search_bootloader_data_directory($1_crond_t) -type $1_crond_t; # user_crond_domain; -domain_make_domain($1_crond_t); -corecommands_make_shell_entrypoint($1_crond_t) -role $1_r types $1_crond_t; + corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t) + corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t) + corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t) + corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t) + corenetwork_sendrecv_raw_on_all_nodes($1_crond_t) + corenetwork_sendrecv_udp_on_all_nodes($1_crond_t) + corenetwork_sendrecv_tcp_on_all_ports($1_crond_t) + corenetwork_sendrecv_udp_on_all_ports($1_crond_t) + corenetwork_bind_tcp_on_all_nodes($1_crond_t) + corenetwork_bind_udp_on_all_nodes($1_crond_t) -type $1_crontab_t; -domain_make_domain($1_crontab_t) -domain_make_entrypoint_file($1_crontab_t,crontab_exec_t) -role $1_r types $1_crontab_t; + devices_get_pseudorandom_data($1_crond_t) -############################## -# -# $1_crond_t local policy -# + filesystem_get_all_filesystems_attributes($1_crond_t) -allow $1_crond_t self:capability dac_override; -allow $1_crond_t self:process { sigkill sigstop signull signal setsched }; -allow $1_crond_t self:fifo_file { read getattr write append }; -allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; -allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - -# The entrypoint interface is not used as this is not -# a 
regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow $1_crond_t $1_cron_spool_t:file entrypoint; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t $1_crond_t:process transition; -dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh }; -allow crond_t $1_crond_t:fd use; -allow $1_crond_t crond_t:fd use; -allow $1_crond_t crond_t:fifo_file rw_file_perms; -allow $1_crond_t crond_t:process sigchld; - -kernel_read_system_state($1_crond_t) -kernel_read_kernel_sysctl($1_crond_t) - -# ps does not need to access /boot when run from cron -bootloader_ignore_search_bootloader_data_directory($1_crond_t) - -corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t) -corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t) -corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t) -corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t) -corenetwork_sendrecv_raw_on_all_nodes($1_crond_t) -corenetwork_sendrecv_udp_on_all_nodes($1_crond_t) -corenetwork_sendrecv_tcp_on_all_ports($1_crond_t) -corenetwork_sendrecv_udp_on_all_ports($1_crond_t) -corenetwork_bind_tcp_on_all_nodes($1_crond_t) -corenetwork_bind_udp_on_all_nodes($1_crond_t) - -devices_get_pseudorandom_data($1_crond_t) - -filesystem_get_all_filesystems_attributes($1_crond_t) - -domain_execute_all_entrypoint_programs($1_crond_t) - -files_read_general_application_resources($1_crond_t) -files_execute_system_config_script($1_crond_t) -# for nscd: -files_ignore_search_runtime_data_directory($1_crond_t) - -corecommands_execute_general_programs($1_crond_t) -corecommands_execute_system_programs($1_crond_t) - 
-libraries_use_dynamic_loader($1_crond_t) -libraries_use_shared_libraries($1_crond_t) -libraries_execute_library_scripts($1_crond_t) -libraries_execute_dynamic_loader($1_crond_t) - -files_read_runtime_system_config($1_crond_t) - -logging_search_system_log_directory($1_crond_t) - -selinux_read_config($1_crond_t) - -miscfiles_read_localization($1_crond_t) - -tunable_policy(`fcron_crond', ` -allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -') + domain_execute_all_entrypoint_programs($1_crond_t) -ifdef(`TODO',` -# Access user files and dirs. -allow $1_crond_t home_root_t:dir search; -file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t) + files_read_general_application_resources($1_crond_t) + files_execute_system_config_script($1_crond_t) + # for nscd: + files_ignore_search_runtime_data_directory($1_crond_t) -# Run scripts in user home directory and access shared libs. -can_exec($1_crond_t, $1_home_t) + corecommands_execute_general_programs($1_crond_t) + corecommands_execute_system_programs($1_crond_t) -file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t) + libraries_use_dynamic_loader($1_crond_t) + libraries_use_shared_libraries($1_crond_t) + libraries_execute_library_scripts($1_crond_t) + libraries_execute_dynamic_loader($1_crond_t) -ifdef(`mta.te', ` -domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) -allow $1_crond_t sendmail_exec_t:lnk_file { getattr read }; + files_read_runtime_system_config($1_crond_t) -# $1_mail_t should only be reading from the cron fifo not needing to write -dontaudit $1_mail_t crond_t:fifo_file write; -allow mta_user_agent $1_crond_t:fd use; -') + logging_search_system_log_directory($1_crond_t) -# This domain is granted permissions common to most domains. 
-can_ypbind($1_crond_t) -allow $1_crond_t var_spool_t:dir search; -allow $1_crond_t var_t:dir r_dir_perms; -allow $1_crond_t var_t:file { getattr read ioctl }; + selinux_read_config($1_crond_t) -# quiet other ps operations -dontaudit $1_crond_t domain:dir { getattr search }; -') dnl endif TODO + miscfiles_read_localization($1_crond_t) -############################## -# -# $1_crontab_t local policy -# + tunable_policy(`fcron_crond', ` + allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + ') + + ifdef(`TODO',` + # Access user files and dirs. + allow $1_crond_t home_root_t:dir search; + file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t) + + # Run scripts in user home directory and access shared libs. + can_exec($1_crond_t, $1_home_t) + + file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t) + + ifdef(`mta.te', ` + domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) + allow $1_crond_t sendmail_exec_t:lnk_file { getattr read }; -# for ^Z -allow $1_t $1_crontab_t:process signal; + # $1_mail_t should only be reading from the cron fifo not needing to write + dontaudit $1_mail_t crond_t:fifo_file write; + allow mta_user_agent $1_crond_t:fd use; + ') -# Allow crond to read those crontabs in cron spool. -allow crond_t $1_cron_spool_t:file { getattr read }; + # This domain is granted permissions common to most domains. 
+ can_ypbind($1_crond_t) + allow $1_crond_t var_spool_t:dir search; + allow $1_crond_t var_t:dir r_dir_perms; + allow $1_crond_t var_t:file { getattr read ioctl }; -# dac_override is to create the file in the directory under /tmp -allow $1_crontab_t self:capability { setuid setgid chown dac_override }; -allow $1_crontab_t self:process { sigkill sigstop signull signal }; + # quiet other ps operations + dontaudit $1_crond_t domain:dir { getattr search }; + ') dnl endif TODO -# create files in /var/spool/cron -allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name }; -type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t; + ############################## + # + # $1_crontab_t local policy + # -# crontab signals crond by updating the mtime on the spooldir -allow $1_crontab_t cron_spool_t:dir setattr; + # for ^Z + allow $1_t $1_crontab_t:process signal; -allow $1_crontab_t crond_log_t:file { getattr read append }; + # Allow crond to read those crontabs in cron spool. 
+ allow crond_t $1_cron_spool_t:file { getattr read }; -filesystem_get_persistent_filesystem_attributes($1_crontab_t) + # dac_override is to create the file in the directory under /tmp + allow $1_crontab_t self:capability { setuid setgid chown dac_override }; + allow $1_crontab_t self:process { sigkill sigstop signull signal }; -domain_use_widely_inheritable_file_descriptors($1_crontab_t) + # create files in /var/spool/cron + allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name }; + type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t; -files_read_general_system_config($1_crontab_t) + # crontab signals crond by updating the mtime on the spooldir + allow $1_crontab_t cron_spool_t:dir setattr; -libraries_use_dynamic_loader($1_crontab_t) -libraries_use_shared_libraries($1_crontab_t) + allow $1_crontab_t crond_log_t:file { getattr read append }; -logging_send_system_log_message($1_crontab_t) + filesystem_get_persistent_filesystem_attributes($1_crontab_t) -miscfiles_read_localization($1_crontab_t) + domain_use_widely_inheritable_file_descriptors($1_crontab_t) -ifdef(`TODO',` + files_read_general_system_config($1_crontab_t) -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t) + libraries_use_dynamic_loader($1_crontab_t) + libraries_use_shared_libraries($1_crontab_t) -can_ps($1_t, $1_crontab_t) + logging_send_system_log_message($1_crontab_t) -dontaudit $1_crontab_t proc_t:dir search; -dontaudit $1_crontab_t selinux_config_t:dir search; -# for the checks used by crontab -u -dontaudit $1_crontab_t security_t:dir search; + miscfiles_read_localization($1_crontab_t) -# Type for temporary files. 
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file }) + tunable_policy(`fcron_crond', ` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit $1_crontab_t crond_t:process signal; + ') -# Use the type when creating files in /var/spool/cron. -allow sysadm_crontab_t $1_cron_spool_t:file { getattr read }; + ifdef(`TODO',` -tunable_policy(`fcron_crond', ` -# fcron wants an instant update of a crontab change for the administrator -# also crontab does a security check for crontab -u -ifelse(`$1', `sysadm', ` -allow $1_crontab_t self:process setfscreate; -kernel_get_selinuxfs_mount_point($1_crontab_t) -', ` -dontaudit $1_crontab_t crond_t:process signal; -')dnl end ifelse -')dnl end ifdef fcron + # Transition from the user domain to the derived domain. + domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t) -# Run helper programs as $1_t -allow $1_crontab_t { bin_t sbin_t }:dir search; -allow $1_crontab_t bin_t:lnk_file read; -domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) + can_ps($1_t, $1_crontab_t) -# Read user crontabs -allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; -allow $1_crontab_t $1_home_t:file r_file_perms; -dontaudit $1_crontab_t $1_home_dir_t:dir write; + dontaudit $1_crontab_t proc_t:dir search; + dontaudit $1_crontab_t selinux_config_t:dir search; + # for the checks used by crontab -u + dontaudit $1_crontab_t security_t:dir search; -# Access terminals. -allow $1_crontab_t devpts_t:dir { read search getattr }; -allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl }; -allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl }; + # Type for temporary files. + file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file }) -# Inherit and use descriptors from gnome-pty-helper. 
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') + # Use the type when creating files in /var/spool/cron. + allow sysadm_crontab_t $1_cron_spool_t:file { getattr read }; -dontaudit $1_crontab_t var_run_t:dir search; -') dnl endif TODO + # Run helper programs as $1_t + allow $1_crontab_t { bin_t sbin_t }:dir search; + allow $1_crontab_t bin_t:lnk_file read; + domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) + + # Read user crontabs + allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; + allow $1_crontab_t $1_home_t:file r_file_perms; + dontaudit $1_crontab_t $1_home_dir_t:dir write; + + # Access terminals. + allow $1_crontab_t devpts_t:dir { read search getattr }; + allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl }; + allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl }; + + # Inherit and use descriptors from gnome-pty-helper. + ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;') + + dontaudit $1_crontab_t var_run_t:dir search; + ') dnl endif TODO ') ######################################## 
@@ -223,19 +218,25 @@ dontaudit $1_crontab_t var_run_t:dir search;
 #
 define(`cron_admin_template',`
-
-logging_read_system_logs($1_crond_t)
-
-# Allow our crontab domain to unlink a user cron spool file.
-#allow $1_crontab_t user_cron_spool_t:file unlink;
-
-# Manipulate other users crontab.
-kernel_get_selinuxfs_mount_point($1_crontab_t)
-kernel_validate_selinux_context($1_crontab_t)
-kernel_compute_selinux_access_vector($1_crontab_t)
-kernel_compute_selinux_create_context($1_crontab_t)
-kernel_compute_selinux_relabel_context($1_crontab_t)
-kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+ logging_read_system_logs($1_crond_t)
+
+ # Allow our crontab domain to unlink a user cron spool file.
+ #allow $1_crontab_t user_cron_spool_t:file unlink;
+
+ # Manipulate other users crontab.
+ kernel_get_selinuxfs_mount_point($1_crontab_t)
+ kernel_validate_selinux_context($1_crontab_t)
+ kernel_compute_selinux_access_vector($1_crontab_t)
+ kernel_compute_selinux_create_context($1_crontab_t)
+ kernel_compute_selinux_relabel_context($1_crontab_t)
+ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+
+ tunable_policy(`fcron_crond', `
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow $1_crontab_t self:process setfscreate;
+ kernel_get_selinuxfs_mount_point($1_crontab_t)
+ ')
 ')
 ########################################
@@ -243,11 +244,13 @@ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 # cron_modify_log(domain)
 #
 define(`cron_modify_log',`
-requires_block_template(`$0'_depend)
-allow $1 crond_log_t:file { getattr read write ioctl lock append };
+ requires_block_template(`$0'_depend)
+
+ allow $1 crond_log_t:file { getattr read write ioctl lock append };
 ')
 define(`cron_modify_log_depend',`
-type crond_log_t;
-class file rw_file_perms;
+ type crond_log_t;
+
+ class file rw_file_perms;
 ')
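Review bot: The `kernel_get_selinuxfs_mount_point($1_crontab_t)` call added inside the `fcron_crond` tunable block of `cron_admin_template` duplicates the unconditional call a few lines above it in the same template, so the tunable effectively gates only `allow $1_crontab_t self:process setfscreate;`. Dropping the duplicated line and leaving `allow $1_crontab_t self:process setfscreate;` as the sole tunable-gated rule makes it plain that the tunable controls whether the admin crontab domain may choose the label of files it creates. If the duplicate is deliberate, a one-line comment saying why would help the next reader.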
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 206e35b..3c7fe1b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -121,17 +121,17 @@ miscfiles_read_localization(crond_t)
 userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
 tunable_policy(`fcron_crond', `
-allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(crond_t)
-terminal_ignore_use_general_pseudoterminal(crond_t)
-files_ignore_read_rootfs_file(crond_t)
+ terminal_ignore_use_general_physical_terminal(crond_t)
+ terminal_ignore_use_general_pseudoterminal(crond_t)
+ files_ignore_read_rootfs_file(crond_t)
 ')
 optional_policy(`udev.te', `
-udev_read_database(crond_t)
+ udev_read_database(crond_t)
 ')
 ifdef(`TODO',`
@@ -293,15 +293,15 @@ miscfiles_manage_man_page_cache(system_crond_t)
 selinux_read_config(system_crond_t)
 if (cron_can_relabel) {
-selinux_setfiles_transition(system_crond_t)
+ selinux_setfiles_transition(system_crond_t)
 } else {
-kernel_get_selinuxfs_mount_point(system_crond_t)
-kernel_validate_selinux_context(system_crond_t)
-kernel_compute_selinux_access_vector(system_crond_t)
-kernel_compute_selinux_create_context(system_crond_t)
-kernel_compute_selinux_relabel_context(system_crond_t)
-kernel_compute_selinux_reachable_user_contexts(system_crond_t)
-selinux_read_file_contexts(system_crond_t)
+ kernel_get_selinuxfs_mount_point(system_crond_t)
+ kernel_validate_selinux_context(system_crond_t)
+ kernel_compute_selinux_access_vector(system_crond_t)
+ kernel_compute_selinux_create_context(system_crond_t)
+ kernel_compute_selinux_relabel_context(system_crond_t)
+ kernel_compute_selinux_reachable_user_contexts(system_crond_t)
+ selinux_read_file_contexts(system_crond_t)
 }
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 2e20c08..220ae94 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -8,133 +8,135 @@ # mta_per_userdomain_template(userdomain_prefix) # define(`mta_per_userdomain_template',` -requires_block_template(`$0'_depend) + requires_block_template(`$0'_depend) -type $1_mail_t; # , user_mail_domain, nscd_client_domain; -domain_make_domain($1_mail_t) -role $1_r types $1_mail_t; + type $1_mail_t; # , user_mail_domain, nscd_client_domain; + domain_make_domain($1_mail_t) + role $1_r types $1_mail_t; -type $1_mail_tmp_t; -files_make_temporary_file($1_mail_tmp_t) + type $1_mail_tmp_t; + files_make_temporary_file($1_mail_tmp_t) -############################## -# -# $1_mail_t local policy -# + ############################## + # + # $1_mail_t local policy + # -allow $1_mail_t self:capability { setuid setgid chown }; -allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit }; + allow $1_mail_t self:capability { setuid setgid chown }; + allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit }; -# tcp networking -allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; + # tcp networking + allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; -# re-exec itself -allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans }; -allow $1_mail_t sendmail_exec_t:lnk_file { getattr read }; + # re-exec itself + allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans }; + allow $1_mail_t sendmail_exec_t:lnk_file { getattr read }; -# Transition from the user domain to the derived domain. 
-allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans }; -allow $1_t sendmail_exec_t:lnk_file { getattr read }; -allow $1_t $1_mail_t:process transition; -type_transition $1_t sendmail_exec_t:process $1_mail_t; -allow $1_t $1_mail_t:fd use; -allow $1_mail_t $1_t:fd use; -allow $1_mail_t $1_t:fifo_file rw_file_perms; -allow $1_mail_t $1_t:process sigchld; + # Transition from the user domain to the derived domain. + allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans }; + allow $1_t sendmail_exec_t:lnk_file { getattr read }; + allow $1_t $1_mail_t:process transition; + type_transition $1_t sendmail_exec_t:process $1_mail_t; + dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh }; -kernel_read_kernel_sysctl($1_mail_t) + allow $1_t $1_mail_t:fd use; + allow $1_mail_t $1_t:fd use; + allow $1_mail_t $1_t:fifo_file rw_file_perms; + allow $1_mail_t $1_t:process sigchld; -corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t) -corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t) -corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t) -corenetwork_sendrecv_raw_on_all_nodes($1_mail_t) -corenetwork_sendrecv_tcp_on_all_ports($1_mail_t) -corenetwork_bind_tcp_on_all_nodes($1_mail_t) + kernel_read_kernel_sysctl($1_mail_t) -domain_use_widely_inheritable_file_descriptors($1_mail_t) + corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t) + corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t) + corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t) + corenetwork_sendrecv_raw_on_all_nodes($1_mail_t) + corenetwork_sendrecv_tcp_on_all_ports($1_mail_t) + corenetwork_bind_tcp_on_all_nodes($1_mail_t) -libraries_use_dynamic_loader($1_mail_t) -libraries_use_shared_libraries($1_mail_t) + domain_use_widely_inheritable_file_descriptors($1_mail_t) -corecommands_execute_general_programs($1_mail_t) + libraries_use_dynamic_loader($1_mail_t) + libraries_use_shared_libraries($1_mail_t) -files_read_general_system_config($1_mail_t) + 
corecommands_execute_general_programs($1_mail_t) -logging_send_system_log_message($1_mail_t) + files_read_general_system_config($1_mail_t) -miscfiles_read_localization($1_mail_t) + logging_send_system_log_message($1_mail_t) -sysnetwork_read_network_config($1_mail_t) + miscfiles_read_localization($1_mail_t) -tunable_policy(`use_dns',` -allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t) -corenetwork_sendrecv_udp_on_all_nodes($1_mail_t) -corenetwork_bind_udp_on_all_nodes($1_mail_t) -corenetwork_sendrecv_udp_on_dns_port($1_mail_t) -') + sysnetwork_read_network_config($1_mail_t) -optional_policy(`procmail.te',` -procmail_execute($1_mail_t) -') + tunable_policy(`use_dns',` + allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t) + corenetwork_sendrecv_udp_on_all_nodes($1_mail_t) + corenetwork_bind_udp_on_all_nodes($1_mail_t) + corenetwork_sendrecv_udp_on_dns_port($1_mail_t) + ') + + optional_policy(`procmail.te',` + procmail_execute($1_mail_t) + ') -ifdef(`TODO',` + ifdef(`TODO',` -can_ypbind($1_mail_t) + can_ypbind($1_mail_t) -allow $1_mail_t device_t:dir search; -allow $1_mail_t { var_t var_spool_t }:dir search; -allow $1_mail_t sbin_t:dir search; + allow $1_mail_t device_t:dir search; + allow $1_mail_t { var_t var_spool_t }:dir search; + allow $1_mail_t sbin_t:dir search; -# It wants to check for nscd -dontaudit $1_mail_t var_run_t:dir search; + # It wants to check for nscd + dontaudit $1_mail_t var_run_t:dir search; -# For when the user wants to send mail via port 25 localhost -can_tcp_connect($1_t, mail_server_domain) + # For when the user wants to send mail via port 25 localhost + can_tcp_connect($1_t, mail_server_domain) -# Read user temporary files. 
-allow $1_mail_t $1_tmp_t:file r_file_perms; -dontaudit $1_mail_t $1_tmp_t:file append; -ifdef(`postfix.te', ` -# postfix seems to need write access if the file handle is opened read/write -allow $1_mail_t $1_tmp_t:file write; -')dnl end if postfix + # Read user temporary files. + allow $1_mail_t $1_tmp_t:file r_file_perms; + dontaudit $1_mail_t $1_tmp_t:file append; + ifdef(`postfix.te', ` + # postfix seems to need write access if the file handle is opened read/write + allow $1_mail_t $1_tmp_t:file write; + ') -allow mta_user_agent $1_tmp_t:file { read getattr }; + allow mta_user_agent $1_tmp_t:file { read getattr }; -# Write to the user domain tty. -allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl }; -allow mta_user_agent devpts_t:dir { read search getattr }; -allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl }; + # Write to the user domain tty. + allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl }; + allow mta_user_agent devpts_t:dir { read search getattr }; + allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl }; -allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl }; -allow $1_mail_t devpts_t:dir { read search getattr }; -allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl }; + allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl }; + allow $1_mail_t devpts_t:dir { read search getattr }; + allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl }; -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') + # Inherit and use descriptors from gnome-pty-helper. + ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') -# Create dead.letter in user home directories. -file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) + # Create dead.letter in user home directories. 
+ file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) -if (use_samba_home_dirs) { -rw_dir_create_file($1_mail_t, cifs_t) -} + if (use_samba_home_dirs) { + rw_dir_create_file($1_mail_t, cifs_t) + } -# if you do not want to allow dead.letter then use the following instead -#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; -#allow $1_mail_t $1_home_t:file r_file_perms; + # if you do not want to allow dead.letter then use the following instead + #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; + #allow $1_mail_t $1_home_t:file r_file_perms; -# for reading .forward - maybe we need a new type for it? -# also for delivering mail to maildir -file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) + # for reading .forward - maybe we need a new type for it? + # also for delivering mail to maildir + file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) -ifdef(`qmail.te', ` -allow $1_mail_t qmail_etc_t:dir search; -allow $1_mail_t qmail_etc_t:{ file lnk_file } read; -')dnl end if qmail + ifdef(`qmail.te', ` + allow $1_mail_t qmail_etc_t:dir search; + allow $1_mail_t qmail_etc_t:{ file lnk_file } read; + ') -') dnl end TODO + ') dnl end TODO ') define(`mta_per_userdomain_template_depend',` @@ -146,13 +148,14 @@ define(`mta_per_userdomain_template_depend',` # mta_make_mailserver_domain(domain,entrypointtype) # define(`mta_make_mailserver_domain',` -requires_block_template(`$0'_depend) -init_make_daemon_domain($1,$2) -typeattribute $1 mailserver_domain; + requires_block_template(`$0'_depend) + + init_make_daemon_domain($1,$2) + typeattribute $1 mailserver_domain; ') define(`mta_make_mailserver_domain_depend',` -attribute mailserver_domain; + attribute mailserver_domain; ') ####################################### 
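Review bot: In the "Transition from the user domain to the derived domain" stanza of `mta_per_userdomain_template`, `allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };` lets the user domain run sendmail without entering `$1_mail_t`, which undercuts the `type_transition` set up on the lines that follow it; the sibling `mta_send_mail` interface further down this file grants its caller only `{ getattr read execute }` on `sendmail_exec_t`. Unless there is a known need for `$1_t` to run sendmail in its own domain, the line should read `allow $1_t sendmail_exec_t:file { getattr read execute };` to match `mta_send_mail`, and if the need is real it deserves a comment. The separate `execute_no_trans` grant to `$1_mail_t` itself under "re-exec itself" is a different case and can stay.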
@@ -160,12 +163,13 @@ attribute mailserver_domain;
 # mta_make_sendmail_mailserver_domain(domain,entrypointtype)
 #
 define(`mta_make_sendmail_mailserver_domain',`
-requires_block_template(`$0'_depend)
-mta_make_mailserver_domain($1,sendmail_exec_t)
+ requires_block_template(`$0'_depend)
+
+ mta_make_mailserver_domain($1,sendmail_exec_t)
 ')
 define(`mta_make_sendmail_mailserver_domain_depend',`
-type sendmail_exec_t;
+ type sendmail_exec_t;
 ')
 #######################################
@@ -173,25 +177,28 @@ type sendmail_exec_t;
 # mta_send_mail(domain)
 #
 define(`mta_send_mail',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:lnk_file { getattr read };
-allow $1 sendmail_exec_t:file { getattr read execute };
-allow $1 system_mail_t:process transition;
-type_transition $1 sendmail_exec_t:process system_mail_t;
-dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
-allow $1 system_mail_t:fd use;
-allow system_mail_t $1:fd use;
-allow system_mail_t $1:fifo_file rw_file_perms;
-allow system_mail_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 sendmail_exec_t:lnk_file { getattr read };
+ allow $1 sendmail_exec_t:file { getattr read execute };
+ allow $1 system_mail_t:process transition;
+ type_transition $1 sendmail_exec_t:process system_mail_t;
+ dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 system_mail_t:fd use;
+ allow system_mail_t $1:fd use;
+ allow system_mail_t $1:fifo_file rw_file_perms;
+ allow system_mail_t $1:process sigchld;
 ')
 define(`mta_send_mail_depend',`
-type system_mail_t, sendmail_exec_t;
-class file { getattr read execute };
-class lnk_file { getattr read };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file { ioctl read getattr lock write append };
+ type system_mail_t, sendmail_exec_t;
+
+ class file { getattr read execute };
+ class lnk_file { getattr read };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')
 #######################################
@@ -199,13 +206,15 @@ class fifo_file { ioctl read getattr lock write append };
 # mta_execute(domain)
 #
 define(`mta_execute',`
-requires_block_template(`$0'_depend)
-allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`mta_execute_depend',`
-type sendmail_exec_t;
-class file { getattr read execute execute_no_trans };
+ type sendmail_exec_t;
+
+ class file { getattr read execute execute_no_trans };
 ')
 ########################################
@@ -220,13 +229,15 @@ class file { getattr read execute execute_no_trans };
 ##
 #
 define(`mta_read_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow $1 etc_aliases_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 etc_aliases_t:file { getattr read };
 ')
 define(`mta_read_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read };
+ type etc_aliases_t;
+
+ class file { getattr read };
 ')
 #######################################
@@ -234,13 +245,15 @@ class file { getattr read };
 # mta_modify_mail_aliases(domain)
 #
 define(`mta_modify_mail_aliases',`
-requires_block_template(`$0'_depend)
-allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
+ requires_block_template(`$0'_depend)
+
+ allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
 ')
 define(`mta_modify_mail_aliases_depend',`
-type etc_aliases_t;
-class file { getattr read write append setattr };
+ type etc_aliases_t;
+
+ class file { getattr read write append setattr };
 ')
 #######################################
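Review bot: `mta_modify_mail_aliases` is documented as `mta_modify_mail_aliases(domain)` but its only rule is `allow sendmail_t etc_aliases_t:file { getattr read write append setattr };`, so the `$1` argument is ignored and every caller grants write access on the aliases file to `sendmail_t` instead of to itself. The rule should read `allow $1 etc_aliases_t:file { getattr read write append setattr };`; note also that `mta_modify_mail_aliases_depend` declares only `etc_aliases_t`, so `sendmail_t` is used without being listed there. The `mta_execute` and `mta_read_mail_aliases` hunks on this line are reindents only and look fine.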
@@ -248,18 +261,20 @@ class file { getattr read write append setattr };
 # mta_get_mail_spool_attributes(domain)
 #
 define(`mta_get_mail_spool_attributes',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir r_dir_perms;
-allow $1 mail_spool_t:lnk_file read;
-allow $1 mail_spool_t:file getattr;
+ requires_block_template(`$0'_depend)
+
+ files_search_system_spool_directory($1)
+ allow $1 mail_spool_t:dir r_dir_perms;
+ allow $1 mail_spool_t:lnk_file read;
+ allow $1 mail_spool_t:file getattr;
 ')
 define(`mta_get_mail_spool_attributes_depend',`
-type mail_spool_t;
-class dir r_dir_perms;
-class file getattr;
-class lnk_file read;
+ type mail_spool_t;
+
+ class dir r_dir_perms;
+ class file getattr;
+ class lnk_file read;
 ')
 #######################################
@@ -267,16 +282,18 @@ class lnk_file read;
 # mta_modify_mail_spool(domain)
 #
 define(`mta_modify_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { getattr read write append setattr };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_spool_directory($1)
+ allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1 mail_spool_t:file { getattr read write append setattr };
 ')
 define(`mta_modify_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+ type mail_spool_t;
+
+ class dir { read getattr lock search ioctl add_name remove_name write };
+ class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 #######################################
@@ -284,16 +301,18 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_spool(domain)
 #
 define(`mta_manage_mail_spool',`
-requires_block_template(`$0'_depend)
-files_search_system_spool_directory($1)
-allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_spool_directory($1)
+ allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 define(`mta_manage_mail_spool_depend',`
-type mail_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+ type mail_spool_t;
+
+ class dir { read getattr lock search ioctl add_name remove_name write };
+ class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 #######################################
@@ -301,15 +320,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 # mta_manage_mail_queue(domain)
 #
 define(`mta_manage_mail_queue',`
-requires_block_template(`$0'_depend)
-allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ requires_block_template(`$0'_depend)
+
+ allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 define(`mta_manage_mail_queue_depend',`
-type mqueue_spool_t;
-class dir { read getattr lock search ioctl add_name remove_name write };
-class file { create ioctl read getattr lock write setattr append link unlink rename }
+ type mqueue_spool_t;
+
+ class dir { read getattr lock search ioctl add_name remove_name write };
+ class file { create ioctl read getattr lock write setattr append link unlink rename }
 ')
 ##
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 2ed8b05..db452c5 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
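Review bot: The last declaration in `mta_manage_mail_queue_depend`, `class file { create ioctl read getattr lock write setattr append link unlink rename }`, has no terminating semicolon, unlike every other `class` line in this file (compare `mta_manage_mail_spool_depend` directly above); the reindent carried the omission over from the old side. It should read `class file { create ioctl read getattr lock write setattr append link unlink rename };`.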
@@ -83,15 +83,15 @@ miscfiles_read_localization(system_mail_t)
 sysnetwork_read_network_config(system_mail_t)
 tunable_policy(`use_dns',`
-allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
-corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
-corenetwork_bind_udp_on_all_nodes(system_mail_t)
-corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
+ allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+ corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
+ corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
+ corenetwork_bind_udp_on_all_nodes(system_mail_t)
+ corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
 ')
 optional_policy(`procmail.te',`
-procmail_execute(system_mail_t)
+ procmail_execute(system_mail_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 4eb4dab..81746d7 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -89,17 +89,17 @@ mta_manage_mail_spool(sendmail_t)
 sysnetwork_read_network_config(sendmail_t)
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(sendmail_t)
-terminal_ignore_use_general_pseudoterminal(sendmail_t)
-files_ignore_read_rootfs_file(sendmail_t)
+ terminal_ignore_use_general_physical_terminal(sendmail_t)
+ terminal_ignore_use_general_pseudoterminal(sendmail_t)
+ files_ignore_read_rootfs_file(sendmail_t)
 ')
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(sendmail_t)
+ selinux_newrole_sigchld(sendmail_t)
 ')
 optional_policy(`udev.te', `
-udev_read_database(sendmail_t)
+ udev_read_database(sendmail_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/audit.te b/refpolicy/policy/modules/system/audit.te
index 51e33db..d720143 100644
--- a/refpolicy/policy/modules/system/audit.te
+++ b/refpolicy/policy/modules/system/audit.te
@@ -52,17 +52,17 @@ libraries_use_shared_libraries(auditd_t)
 miscfiles_read_localization(auditd_t)
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(auditd_t)
-terminal_ignore_use_general_pseudoterminal(auditd_t)
-files_ignore_read_rootfs_file(auditd_t)
-')dnl end targeted_policy tunable
+ terminal_ignore_use_general_physical_terminal(auditd_t)
+ terminal_ignore_use_general_pseudoterminal(auditd_t)
+ files_ignore_read_rootfs_file(auditd_t)
+')
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(auditd_t)
+ selinux_newrole_sigchld(auditd_t)
 ')
 optional_policy(`udev.te', `
-udev_read_database(auditd_t)
+ udev_read_database(auditd_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index e7defa9..90fc4a7 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -8,87 +8,91 @@ # authlogin_per_userdomain_template(userdomain_prefix) # define(`authlogin_per_userdomain_template',` -requires_block_template(`$0'_depend) + requires_block_template(`$0'_depend) -type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; -domain_make_domain($1_chkpwd_t) -domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t) -role $1_r types $1_chkpwd_t; -role $1_r types system_chkpwd_t; + type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; + domain_make_domain($1_chkpwd_t) + domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t) + role $1_r types $1_chkpwd_t; + role $1_r types system_chkpwd_t; -allow $1_chkpwd_t self:capability setuid; -allow $1_chkpwd_t self:process getattr; + allow $1_chkpwd_t self:capability setuid; + allow $1_chkpwd_t self:process getattr; -files_read_general_system_config_directory($1_chkpwd_t) -allow $1_chkpwd_t shadow_t:file { getattr read }; + files_read_general_system_config_directory($1_chkpwd_t) + allow $1_chkpwd_t shadow_t:file { getattr read }; -# is_selinux_enabled -kernel_read_system_state($1_chkpwd_t) + # is_selinux_enabled + kernel_read_system_state($1_chkpwd_t) -filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t) + filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t) -domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) + domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) -libraries_use_dynamic_loader($1_chkpwd_t) -libraries_use_shared_libraries($1_chkpwd_t) + libraries_use_dynamic_loader($1_chkpwd_t) + libraries_use_shared_libraries($1_chkpwd_t) -files_read_general_system_config($1_chkpwd_t) -# for nscd -files_ignore_search_system_state_data_directory($1_chkpwd_t) + files_read_general_system_config($1_chkpwd_t) + # for nscd + files_ignore_search_system_state_data_directory($1_chkpwd_t) -logging_send_system_log_message($1_chkpwd_t) + logging_send_system_log_message($1_chkpwd_t) -miscfiles_read_localization($1_chkpwd_t) + 
miscfiles_read_localization($1_chkpwd_t) -selinux_read_config($1_chkpwd_t) + selinux_read_config($1_chkpwd_t) -#can_ypbind($1_chkpwd_t) -#can_kerberos($1_chkpwd_t) -#can_ldap($1_chkpwd_t) + #can_ypbind($1_chkpwd_t) + #can_kerberos($1_chkpwd_t) + #can_ldap($1_chkpwd_t) -# Transition from the user domain to this domain. -allow $1_t chkpwd_exec_t:file { getattr read execute }; -allow $1_t $1_chkpwd_t:process transition; -type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t; -allow $1_chkpwd_t $1_t:fd use; -allow $1_t $1_chkpwd_t:fd use; -allow $1_chkpwd_t $1_t:fifo_file rw_file_perms; -allow $1_chkpwd_t $1_t:process sigchld; + # Transition from the user domain to this domain. + allow $1_t chkpwd_exec_t:file { getattr read execute }; + allow $1_t $1_chkpwd_t:process transition; + type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t; + dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh }; -# Write to the user domain tty. -#userdomain_use_$1_terminal($1_chkpwd_t) -#userdomain_use_$1_pty($1_chkpwd_t) + allow $1_chkpwd_t $1_t:fd use; + allow $1_t $1_chkpwd_t:fd use; + allow $1_chkpwd_t $1_t:fifo_file rw_file_perms; + allow $1_chkpwd_t $1_t:process sigchld; -# Inherit and use descriptors from gnome-pty-helper. -#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') + # Write to the user domain tty. + #userdomain_use_$1_terminal($1_chkpwd_t) + #userdomain_use_$1_pty($1_chkpwd_t) -tunable_policy(`use_dns',` -allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t) -corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t) -corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t) -corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t) -corenetwork_bind_udp_on_all_nodes($1_chkpwd_t) -corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t) -sysnetwork_read_network_config($1_chkpwd_t) -') + # Inherit and use descriptors from gnome-pty-helper. 
+ #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') -optional_policy(`selinux.te',` -selinux_newrole_use_file_descriptors($1_chkpwd_t) -') + tunable_policy(`use_dns',` + allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t) + corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t) + corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t) + corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t) + corenetwork_bind_udp_on_all_nodes($1_chkpwd_t) + corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t) + sysnetwork_read_network_config($1_chkpwd_t) + ') + + optional_policy(`selinux.te',` + selinux_newrole_use_file_descriptors($1_chkpwd_t) + ') ') dnl end authlogin_per_userdomain_template define(`authlogin_per_userdomain_template_depend',` -attribute can_read_shadow_passwords; -type chkpwd_exec_t, system_chkpwd_t, shadow_t; -class file { getattr read execute }; -class process { getattr transition sigchld }; -class capability setuid; -class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; -class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; -class fd use; -class fifo_file rw_file_perms; + attribute can_read_shadow_passwords; + + type chkpwd_exec_t, system_chkpwd_t, shadow_t; + + class file { getattr read execute }; + class process { getattr transition sigchld }; + class capability setuid; + class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; + class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### 
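Review bot: The newly added `dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };` in `authlogin_per_userdomain_template` introduces three process permissions that the template's `_depend` block never declares — the depend line later in this hunk is still `class process { getattr transition sigchld };`. If `requires_block_template` is what turns that block into the module's requires section, the new rule is under-declared and will either fail at link time or lean on some other module having declared the permissions; the depend line should read `class process { getattr transition noatsecure siginh rlimitinh sigchld };`. The same block also declares `unix_stream_socket` and `unix_dgram_socket` while the body's `use_dns` branch only uses `udp_socket`; that predates this commit, but the block is being touched here anyway. This hunk begins on the earlier physical line above.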
@@ -96,13 +100,13 @@ class fifo_file rw_file_perms; # authlogin_make_login_program_entrypoint(domain) # define(`authlogin_make_login_program_entrypoint',` -requires_block_template(`$0'_depend) -domain_make_entrypoint_file($1,login_exec_t) + requires_block_template(`$0'_depend) + + domain_make_entrypoint_file($1,login_exec_t) ') define(`authlogin_make_login_program_entrypoint_depend',` -type login_exec_t; -domain_make_entrypoint_file_depend + type login_exec_t; ') ######################################## @@ -120,24 +124,27 @@ domain_make_entrypoint_file_depend ## # define(`authlogin_login_program_transition',` -requires_block_template(`$0'_depend) -# FIXME: search bin_t -allow $1 login_exec_t:file { getattr read execute }; -allow $1 $2:process transition; -type_transition $1 login_exec_t:process $2; -dontaudit $1 $2:process { noatsecure siginh rlimitinh }; -allow $1 $2:fd use; -allow $2 $1:fd use; -allow $2 $1:fifo_file rw_file_perms; -allow $2 $1:process sigchld; + requires_block_template(`$0'_depend) + + # FIXME: search bin_t + allow $1 login_exec_t:file { getattr read execute }; + allow $1 $2:process transition; + type_transition $1 login_exec_t:process $2; + dontaudit $1 $2:process { noatsecure siginh rlimitinh }; + + allow $1 $2:fd use; + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_file_perms; + allow $2 $1:process sigchld; ') define(`authlogin_login_program_transition_depend',` -type login_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type login_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### 
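Review bot: In the `@@ -96` hunk the `_depend` block of `authlogin_make_login_program_entrypoint` drops the `domain_make_entrypoint_file_depend` line while the interface body still calls `domain_make_entrypoint_file($1,login_exec_t)`. If that nested depend is what brought the callee's types and classes into the requires block, the interface is now under-declared; either keep the line or say in the commit why it has become redundant. The `@@ -120` hunk below is a pure reindent and looks fine.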
@@ -145,41 +152,43 @@ class fifo_file rw_file_perms; # authlogin_check_password_transition(domain) # define(`authlogin_check_password_transition',` -requires_block_template(`$0'_depend) -allow $1 chkpwd_exec_t:file { getattr read execute }; -allow $1 system_chkpwd_t:process transition; -type_transition $1 chkpwd_exec_t:process system_chkpwd_t; -allow $1 system_chkpwd_t:fd use; -allow system_chkpwd_t $1:fd use; -allow system_chkpwd_t $1:fifo_file rw_file_perms; -allow system_chkpwd_t $1:process sigchld; - -dontaudit $1 shadow_t:file { getattr read }; -#allow $1_t sbin_t:dir search; -#can_ypbind($1_t) -#can_kerberos($1_t) -#can_ldap($1_t) - -tunable_policy(`use_dns',` -allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_sendrecv_udp_on_all_interfaces($1) -corenetwork_sendrecv_raw_on_all_interfaces($1) -corenetwork_sendrecv_udp_on_all_nodes($1) -corenetwork_sendrecv_raw_on_all_nodes($1) -corenetwork_bind_udp_on_all_nodes($1) -corenetwork_sendrecv_udp_on_dns_port($1) -sysnetwork_read_network_config($1) -') dnl end use_dns - -') dnl end check_password_transition + requires_block_template(`$0'_depend) + + allow $1 chkpwd_exec_t:file { getattr read execute }; + allow $1 system_chkpwd_t:process transition; + type_transition $1 chkpwd_exec_t:process system_chkpwd_t; + + allow $1 system_chkpwd_t:fd use; + allow system_chkpwd_t $1:fd use; + allow system_chkpwd_t $1:fifo_file rw_file_perms; + allow system_chkpwd_t $1:process sigchld; + + dontaudit $1 shadow_t:file { getattr read }; + #allow $1_t sbin_t:dir search; + #can_ypbind($1_t) + #can_kerberos($1_t) + #can_ldap($1_t) + + tunable_policy(`use_dns',` + allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + corenetwork_sendrecv_udp_on_all_interfaces($1) + corenetwork_sendrecv_raw_on_all_interfaces($1) + corenetwork_sendrecv_udp_on_all_nodes($1) + corenetwork_sendrecv_raw_on_all_nodes($1) + 
corenetwork_bind_udp_on_all_nodes($1) + corenetwork_sendrecv_udp_on_dns_port($1) + sysnetwork_read_network_config($1) + ') +') define(`authlogin_check_password_transition_depend',` -type system_chkpwd_t, chkpwd_exec_t, shadow_t; -class file { getattr read execute }; -class process { transition sigchld }; -class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -class fd use; -class fifo_file rw_file_perms; + type system_chkpwd_t, chkpwd_exec_t, shadow_t; + + class file { getattr read execute }; + class process { transition sigchld }; + class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### @@ -187,13 +196,15 @@ class fifo_file rw_file_perms; # authlogin_ignore_get_shadow_passwords_attributes(domain) # define(`authlogin_ignore_get_shadow_passwords_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 shadow_t:file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 shadow_t:file getattr; ') define(`authlogin_ignore_get_shadow_passwords_attributes_depend',` -type shadow_t; -class file getattr; + type shadow_t; + + class file getattr; ') ####################################### 
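Review bot: `authlogin_check_password_transition` still has no `dontaudit $1 system_chkpwd_t:process { noatsecure siginh rlimitinh };` after its `type_transition`, unlike every other transition interface in this file (`authlogin_login_program_transition`, `authlogin_pam_transition`, `authlogin_pam_console_transition`, `authlogin_utempter_transition`), and its `_depend` declares only `class process { transition sigchld };`. This is not introduced by the commit, but since the block is being restructured here and this is the transition into the shadow-reading domain, aligning it now (and adding `noatsecure siginh rlimitinh` to the depend's process class) would keep the file consistent. This hunk starts on the previous physical line.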
@@ -201,16 +212,19 @@ class file getattr; # authlogin_read_shadow_passwords(domain) # define(`authlogin_read_shadow_passwords',` -requires_block_template(`$0'_depend) -files_read_general_system_config_directory($1) -allow $1 shadow_t:file { getattr read }; -typeattribute $1 can_read_shadow_passwords; + requires_block_template(`$0'_depend) + + files_read_general_system_config_directory($1) + allow $1 shadow_t:file { getattr read }; + typeattribute $1 can_read_shadow_passwords; ') define(`authlogin_read_shadow_passwords_depend',` -attribute can_read_shadow_passwords; -type shadow_t; -class file { getattr read }; + attribute can_read_shadow_passwords; + + type shadow_t; + + class file { getattr read }; ') ####################################### @@ -218,13 +232,15 @@ class file { getattr read }; # authlogin_ignore_read_shadow_passwords(domain) # define(`authlogin_ignore_read_shadow_passwords',` -requires_block_template(`$0'_depend) -dontaudit $1 shadow_t:file { getattr read }; + requires_block_template(`$0'_depend) + + dontaudit $1 shadow_t:file { getattr read }; ') define(`authlogin_ignore_read_shadow_passwords_depend',` -type shadow_t; -class file { getattr read }; + type shadow_t; + + class file { getattr read }; ') ####################################### 
@@ -232,18 +248,18 @@ class file { getattr read }; # authlogin_modify_shadow_passwords(domain) # define(`authlogin_modify_shadow_passwords',` -requires_block_template(`$0'_depend) -files_read_general_system_config_directory($1) -allow $1 shadow_t:file { getattr read write }; -typeattribute $1 can_read_shadow_passwords; -typeattribute $1 can_write_shadow_passwords; + requires_block_template(`$0'_depend) + + files_read_general_system_config_directory($1) + allow $1 shadow_t:file rw_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ') define(`authlogin_modify_shadow_passwords_depend',` -attribute can_read_shadow_passwords; -attribute can_write_shadow_passwords; -type shadow_t; -class file { getattr read write }; + attribute can_read_shadow_passwords, can_write_shadow_passwords; + + type shadow_t; + class file rw_file_perms; ') ####################################### @@ -251,18 +267,20 @@ class file { getattr read write }; # authlogin_manage_shadow_passwords(domain) # define(`authlogin_manage_shadow_passwords',` -requires_block_template(`$0'_depend) -files_create_private_config($1,shadow_t,file) -allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -typeattribute $1 can_read_shadow_passwords; -typeattribute $1 can_write_shadow_passwords; + requires_block_template(`$0'_depend) + + allow $1 shadow_t:file create_file_perms; + files_create_private_config($1,shadow_t,file) + + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ') define(`authlogin_manage_shadow_passwords_depend',` -attribute can_read_shadow_passwords; -attribute can_write_shadow_passwords; -type shadow_t; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + attribute can_read_shadow_passwords, can_write_shadow_passwords; + + type shadow_t; + + class file create_file_perms; ') ####################################### 
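Review bot: `authlogin_modify_shadow_passwords` goes from `allow $1 shadow_t:file { getattr read write };` to `allow $1 shadow_t:file rw_file_perms;` (and its `_depend` to `class file rw_file_perms;`), which changes the permission set granted on shadow_t rather than only reindenting; the definition of `rw_file_perms` is not in this diff, so anything it expands to beyond getattr/read/write is a silent widening on the shadow file. A one-line comment on the rule, or a sentence in the commit message naming the permissions the macro adds, would make the widening reviewable. The same substitution is applied to faillog_t in the `@@ -287` hunk and, with `r_dir_perms`/`r_file_perms`, to pam_var_console_t in the `@@ -451` and `@@ -467` hunks; the `authlogin_manage_shadow_passwords` hunk here likewise moves to `create_file_perms`.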
@@ -270,16 +288,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # authlogin_relabel_to_shadow_passwords(domain) # define(`authlogin_relabel_to_shadow_passwords',` -requires_block_template(`$0'_depend) -files_search_general_system_config_directory($1) -allow $1 shadow_t:file relabelto; -typeattribute $1 can_relabelto_shadow_passwords; + requires_block_template(`$0'_depend) + + files_search_general_system_config_directory($1) + allow $1 shadow_t:file relabelto; + typeattribute $1 can_relabelto_shadow_passwords; ') define(`authlogin_relabel_to_shadow_passwords_depend',` -attribute can_relabelto_shadow_passwords; -type shadow_t; -class file relabelto; + attribute can_relabelto_shadow_passwords; + + type shadow_t; + + class file relabelto; ') ####################################### @@ -287,14 +308,16 @@ class file relabelto; # authlogin_modify_login_failure_records(domain) # define(`authlogin_modify_login_failure_records',` -requires_block_template(`$0'_depend) -logging_search_system_log_directory($1) -allow $1 faillog_t:file { read write append }; + requires_block_template(`$0'_depend) + + allow $1 faillog_t:file rw_file_perms; + logging_search_system_log_directory($1) ') define(`authlogin_modify_login_failure_records_depend',` -type faillog_t; -class file { read write append }; + type faillog_t; + + class file rw_file_perms; ') ####################################### 
@@ -302,14 +325,16 @@ class file { read write append }; # authlogin_modify_last_login_log(domain) # define(`authlogin_modify_last_login_log',` -requires_block_template(`$0'_depend) -logging_search_system_log_directory($1) -allow $1 lastlog_t:file { getattr read write setattr }; + requires_block_template(`$0'_depend) + + logging_search_system_log_directory($1) + allow $1 lastlog_t:file { getattr read write setattr }; ') define(`authlogin_modify_last_login_log_depend',` -type lastlog_t; -class file { getattr read write setattr }; + type lastlog_t; + + class file { getattr read write setattr }; ') ######################################## @@ -324,23 +349,26 @@ class file { getattr read write setattr }; ## # define(`authlogin_pam_transition',` -requires_block_template(`$0'_depend) -allow $1 pam_exec_t:file { getattr read execute }; -allow $1 pam_t:process transition; -type_transition $1 pam_exec_t:process pam_t; -dontaudit $1 pam_t:process { noatsecure siginh rlimitinh }; -allow $1 pam_t:fd use; -allow pam_t $1:fd use; -allow pam_t $1:fifo_file rw_file_perms; -allow pam_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 pam_exec_t:file { getattr read execute }; + allow $1 pam_t:process transition; + type_transition $1 pam_exec_t:process pam_t; + dontaudit $1 pam_t:process { noatsecure siginh rlimitinh }; + + allow $1 pam_t:fd use; + allow pam_t $1:fd use; + allow pam_t $1:fifo_file rw_file_perms; + allow pam_t $1:process sigchld; ') define(`authlogin_pam_transition_depend',` -type pam_t, pam_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd -class fifo_file rw_file_perms; + type pam_t, pam_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd + class fifo_file rw_file_perms; ') ######################################## 
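Review bot: `class fd` in `authlogin_pam_transition_depend` still has no permission list and no terminating semicolon — the new side reads `+ class fd` immediately followed by `+ class fifo_file rw_file_perms;`, so the block parses as `class fd class fifo_file rw_file_perms;`. Every sibling transition depend block in this file writes `class fd use;`; the line was carried over verbatim from the old side, and this reindent is the natural place to fix it.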
@@ -361,15 +389,17 @@ class fifo_file rw_file_perms; ## # define(`authlogin_pam_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -authlogin_pam_transition($1) -role $2 types pam_t; -allow pam_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + authlogin_pam_transition($1) + role $2 types pam_t; + allow pam_t $3:chr_file { getattr read write ioctl }; ') define(`authlogin_pam_transition_add_role_use_terminal_depend',` -type pam_t; -class chr_file { getattr read write ioctl }; + type pam_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -377,13 +407,15 @@ class chr_file { getattr read write ioctl }; # authlogin_pam_execute(domain) # define(`authlogin_pam_execute',` -requires_block_template(`$0'_depend) -allow $1 pam_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 pam_exec_t:file { getattr read execute execute_no_trans }; ') define(`authlogin_pam_execute_depend',` -type pam_exec_t; -class file { getattr read execute execute_no_trans }; + type pam_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### 
@@ -391,17 +423,19 @@ class file { getattr read execute execute_no_trans }; # authlogin_pam_read_runtime_data(domain) # define(`authlogin_pam_read_runtime_data',` -requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -files_search_runtime_data_directory($1) -allow $1 pam_var_run_t:dir { getattr search read }; -allow $1 pam_var_run_t:file { getattr read }; + requires_block_template(`$0'_depend) + + files_search_system_state_data_directory($1) + files_search_runtime_data_directory($1) + allow $1 pam_var_run_t:dir { getattr search read }; + allow $1 pam_var_run_t:file { getattr read }; ') define(`authlogin_pam_read_runtime_data_depend',` -type pam_var_run_t; -class dir { getattr search read }; -class file { getattr read }; + type pam_var_run_t; + + class dir { getattr search read }; + class file { getattr read }; ') ####################################### @@ -409,17 +443,19 @@ class file { getattr read }; # authlogin_pam_remove_runtime_data(domain) # define(`authlogin_pam_remove_runtime_data',` -requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -files_search_runtime_data_directory($1) -allow $1 pam_var_run_t:dir { getattr search read write remove_name }; -allow $1 pam_var_run_t:file { getattr unlink }; + requires_block_template(`$0'_depend) + + files_search_system_state_data_directory($1) + files_search_runtime_data_directory($1) + allow $1 pam_var_run_t:dir { getattr search read write remove_name }; + allow $1 pam_var_run_t:file { getattr unlink }; ') define(`authlogin_pam_remove_runtime_data_depend',` -type pam_var_run_t; -class dir { getattr search read write remove_name }; -class file { getattr unlink }; + type pam_var_run_t; + + class dir { getattr search read write remove_name }; + class file { getattr unlink }; ') ####################################### 
@@ -427,23 +463,26 @@ class file { getattr unlink }; # authlogin_pam_console_transition(domain) # define(`authlogin_pam_console_transition',` -requires_block_template(`$0'_depend) -allow $1 pam_console_exec_t:file { getattr read execute }; -allow $1 pam_console_t:process transition; -type_transition $1 pam_console_exec_t:process pam_console_t; -dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh }; -allow $1 pam_console_t:fd use; -allow pam_console_t $1:fd use; -allow pam_console_t $1:fifo_file rw_file_perms; -allow pam_console_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 pam_console_exec_t:file { getattr read execute }; + allow $1 pam_console_t:process transition; + type_transition $1 pam_console_exec_t:process pam_console_t; + dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh }; + + allow $1 pam_console_t:fd use; + allow pam_console_t $1:fd use; + allow pam_console_t $1:fifo_file rw_file_perms; + allow pam_console_t $1:process sigchld; ') define(`authlogin_pam_console_transition_depend',` -type pam_console_t, pam_console_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type pam_console_t, pam_console_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### 
@@ -451,15 +490,17 @@ class fifo_file rw_file_perms; # authlogin_pam_console_read_runtime_data_dir(domain) # define(`authlogin_pam_console_read_runtime_data_dir',` -requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -files_search_runtime_data_directory($1) -allow $1 pam_var_console_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + files_search_system_state_data_directory($1) + files_search_runtime_data_directory($1) + allow $1 pam_var_console_t:dir r_dir_perms; ') define(`authlogin_pam_console_read_runtime_data_dir_depend',` -type pam_var_console_t; -class dir { getattr search read }; + type pam_var_console_t; + + class dir r_dir_perms; ') ####################################### @@ -467,17 +508,19 @@ class dir { getattr search read }; # authlogin_pam_console_read_runtime_data(domain) # define(`authlogin_pam_console_read_runtime_data',` -requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -files_search_runtime_data_directory($1) -allow $1 pam_var_console_t:dir { getattr search read }; -allow $1 pam_var_console_t:file { getattr read }; + requires_block_template(`$0'_depend) + + files_search_system_state_data_directory($1) + files_search_runtime_data_directory($1) + allow $1 pam_var_console_t:dir r_dir_perms; + allow $1 pam_var_console_t:file r_file_perms; ') define(`authlogin_pam_console_read_runtime_data_depend',` -type pam_var_console_t; -class dir { getattr search read }; -class file { getattr read }; + type pam_var_console_t; + + class dir r_dir_perms; + class file r_file_perms; ') ####################################### 
@@ -485,19 +528,21 @@ class file { getattr read }; # authlogin_pam_console_manage_runtime_data(domain) # define(`authlogin_pam_console_manage_runtime_data',` -requires_block_template(`$0'_depend) -files_search_system_state_data_directory($1) -files_search_runtime_data_directory($1) -allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write }; -allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename }; + requires_block_template(`$0'_depend) + + files_search_system_state_data_directory($1) + files_search_runtime_data_directory($1) + allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename }; ') define(`authlogin_pam_console_manage_runtime_data_depend',` -type pam_var_console_t; -class dir { read getattr lock search ioctl add_name remove_name write }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; -class lnk_file { create read getattr setattr link unlink rename }; + type pam_var_console_t; + + class dir { read getattr lock search ioctl add_name remove_name write }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; + class lnk_file { create read getattr setattr link unlink rename }; ') ######################################## 
@@ -518,12 +563,13 @@ class lnk_file { create read getattr setattr link unlink rename }; # define(`authlogin_relabel_all_files_except_shadow',` -requires_block_template(`$0'_depend) -files_relabel_all_files($1,$2 -shadow_t) + requires_block_template(`$0'_depend) + + files_relabel_all_files($1,$2 -shadow_t) ') define(`authlogin_relabel_all_files_except_shadow_depend',` -type shadow_t; + type shadow_t; ') ######################################## @@ -544,12 +590,13 @@ type shadow_t; # define(`authlogin_manage_all_files_except_shadow',` -requires_block_template(`$0'_depend) -files_manage_all_files($1,$2 -shadow_t) + requires_block_template(`$0'_depend) + + files_manage_all_files($1,$2 -shadow_t) ') define(`authlogin_manage_all_files_except_shadow_depend',` -type shadow_t; + type shadow_t; ') ######################################## 
@@ -564,23 +611,26 @@ type shadow_t; ## # define(`authlogin_utempter_transition',` -requires_block_template(`$0'_depend) -allow $1 utempter_exec_t:file { getattr read execute }; -allow $1 utempter_t:process transition; -type_transition $1 utempter_exec_t:process utempter_t; -dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh }; -allow $1 utempter_t:fd use; -allow utempter_t $1:fd use; -allow utempter_t $1:fifo_file rw_file_perms; -allow utempter_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 utempter_exec_t:file { getattr read execute }; + allow $1 utempter_t:process transition; + type_transition $1 utempter_exec_t:process utempter_t; + dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh }; + + allow $1 utempter_t:fd use; + allow utempter_t $1:fd use; + allow utempter_t $1:fifo_file rw_file_perms; + allow utempter_t $1:process sigchld; ') define(`authlogin_utempter_transition_depend',` -type utempter_t, utempter_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type utempter_t, utempter_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -601,15 +651,17 @@ class fifo_file rw_file_perms; ## # define(`authlogin_utempter_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -authlogin_utempter_transition($1) -role $2 types utempter_t; -allow utempter_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + authlogin_utempter_transition($1) + role $2 types utempter_t; + allow utempter_t $3:chr_file { getattr read write ioctl }; ') define(`authlogin_utempter_transition_add_role_use_terminal_depend',` -type utempter_t; -class chr_file { getattr read write ioctl }; + type utempter_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -617,14 +669,16 @@ class chr_file { getattr read write ioctl }; # authlogin_read_login_records(domain) # define(`authlogin_read_login_records',` -requires_block_template(`$0'_depend) -logging_search_system_log_directory($1) -allow $1 wtmp_t:file { getattr read }; + requires_block_template(`$0'_depend) + + logging_search_system_log_directory($1) + allow $1 wtmp_t:file { getattr read }; ') define(`authlogin_read_login_records_depend',` -type wtmp_t; -class file { getattr read }; + type wtmp_t; + + class file { getattr read }; ') ####################################### @@ -632,13 +686,15 @@ class file { getattr read }; # authlogin_ignore_write_login_records(domain) # define(`authlogin_ignore_write_login_records',` -requires_block_template(`$0'_depend) -dontaudit $1 wtmp_t:file write; + requires_block_template(`$0'_depend) + + dontaudit $1 wtmp_t:file write; ') define(`authlogin_read_login_records_depend',` -type wtmp_t; -class file write; + type wtmp_t; + + class file write; ') ####################################### 
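Review bot: The depend block for `authlogin_ignore_write_login_records` (in the `@@ -632` hunk) is still defined as `define(`authlogin_read_login_records_depend',`` — the name of the preceding interface's depend — which it then redefines with `class file write;` in place of `{ getattr read }`. The interface's own `requires_block_template(`$0'_depend)` expands `authlogin_ignore_write_login_records_depend`, which nothing defines, so the ignore interface has no requires and the read interface's depend is clobbered. The commit reindents the body but leaves the name; it should be `define(`authlogin_ignore_write_login_records_depend',``.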
@@ -646,14 +702,15 @@ class file write;
 # authlogin_modify_login_records(domain)
 #
 define(`authlogin_modify_login_records',`
-requires_block_template(`$0'_depend)
-logging_search_system_log_directory($1)
-allow $1 wtmp_t:file { getattr read write append setattr lock };
+ requires_block_template(`$0'_depend)
+
+ allow $1 wtmp_t:file rw_file_perms;
+ logging_search_system_log_directory($1)
 ')
 define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
-class file { getattr read write append setattr lock };
+class file rw_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index a6852ce..6c98d27 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -109,13 +109,13 @@ logging_send_system_log_message(pam_t)
 userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
 optional_policy(`locallogin.te',`
-locallogin_use_file_descriptors(pam_t)
+ locallogin_use_file_descriptors(pam_t)
 ')
 ifdef(`TODO',`
 can_ypbind(pam_t)
 ifdef(`automount.te', `
-allow pam_t autofs_t:dir { search getattr };
+ allow pam_t autofs_t:dir { search getattr };
 ')
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
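Review bot: `authlogin_modify_login_records` replaces `{ getattr read write append setattr lock }` on wtmp_t with `rw_file_perms`, and unless that macro includes `setattr` (its definition is not in this diff) the interface silently loses the ability to setattr the login records — a behavioural change in a commit that is otherwise a reindent. Please confirm the expansion or keep `setattr` explicit alongside the macro. Separately, `+class file rw_file_perms;` in the `_depend` block is the one added body line in this file section without the leading indent every other hunk applies; it should match its neighbours.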
@@ -171,18 +171,18 @@ selinux_read_file_contexts(pam_console_t) userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t) tunable_policy(`direct_sysadm_daemon', ` -dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms; + dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms; ') tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(pam_console_t) -terminal_ignore_use_general_pseudoterminal(pam_console_t) -files_ignore_read_rootfs_file(pam_console_t) + terminal_ignore_use_general_physical_terminal(pam_console_t) + terminal_ignore_use_general_pseudoterminal(pam_console_t) + files_ignore_read_rootfs_file(pam_console_t) ') optional_policy(`hotplug.te', ` -hotplug_use_file_descriptors(pam_console_t) -hotplug_ignore_search_config_directory(pam_console_t) + hotplug_use_file_descriptors(pam_console_t) + hotplug_ignore_search_config_directory(pam_console_t) ') optional_policy(`selinux.te',` @@ -190,14 +190,14 @@ selinux_newrole_sigchld(pam_console_t) ') optional_policy(`udev.te', ` -udev_read_database(pam_console_t) + udev_read_database(pam_console_t) ') ifdef(`TODO',` optional_policy(`rhgb.te', ` -allow pam_console_t rhgb_t:process sigchld; -allow pam_console_t rhgb_t:fd use; -allow pam_console_t rhgb_t:fifo_file { read write }; + allow pam_console_t rhgb_t:process sigchld; + allow pam_console_t rhgb_t:fd use; + allow pam_console_t rhgb_t:fifo_file { read write }; ') allow pam_console_t autofs_t:dir { search getattr }; @@ -215,11 +215,11 @@ scsi_generic_device_t }:chr_file { getattr setattr }; ifdef(`gpm.te', ` -allow pam_console_t gpmctl_t:sock_file { getattr setattr }; + allow pam_console_t gpmctl_t:sock_file { getattr setattr }; ') ifdef(`xdm.te', ` -allow pam_console_t xdm_var_run_t:file { getattr read }; + allow pam_console_t xdm_var_run_t:file { getattr read }; ') ') dnl endif TODO 
@@ -254,14 +254,14 @@ miscfiles_read_localization(system_chkpwd_t) selinux_read_config(system_chkpwd_t) tunable_policy(`use_dns',` -allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t) -corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t) -corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t) -corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t) -corenetwork_bind_udp_on_all_nodes(system_chkpwd_t) -corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t) -sysnetwork_read_network_config(system_chkpwd_t) + allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t) + corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t) + corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t) + corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t) + corenetwork_bind_udp_on_all_nodes(system_chkpwd_t) + corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t) + sysnetwork_read_network_config(system_chkpwd_t) ') ifdef(`TODO',` @@ -270,7 +270,7 @@ can_kerberos(system_chkpwd_t) can_ldap(system_chkpwd_t) dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms; -') +') dnl end TODO ######################################## # diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 0cf5619..078b1e0 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if 
@@ -13,23 +13,26 @@ ## # define(`clock_transition',` -requires_block_template(`$0'_depend) -allow $1 hwclock_exec_t:file { getattr read execute }; -allow $1 hwclock_t:process transition; -type_transition $1 hwclock_exec_t:process hwclock_t; -dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh }; -allow $1 hwclock_t:fd use; -allow hwclock_t $1:fd use; -allow hwclock_t $1:fifo_file rw_file_perms; -allow hwclock_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 hwclock_exec_t:file { getattr read execute }; + allow $1 hwclock_t:process transition; + type_transition $1 hwclock_exec_t:process hwclock_t; + dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh }; + + allow $1 hwclock_t:fd use; + allow hwclock_t $1:fd use; + allow hwclock_t $1:fifo_file rw_file_perms; + allow hwclock_t $1:process sigchld; ') define(`clock_transition_depend',` -type hwclock_t, hwclock_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type hwclock_t, hwclock_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -51,15 +54,17 @@ class fifo_file rw_file_perms; ## # define(`clock_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -clock_transition($1) -role $2 types hwclock_t; -allow hwclock_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + clock_transition($1) + role $2 types hwclock_t; + allow hwclock_t $3:chr_file { getattr read write ioctl }; ') define(`clock_transition_add_role_use_terminal_depend',` -type hwclock_t; -class chr_file { getattr read write ioctl }; + type hwclock_t; + + class chr_file { getattr read write ioctl }; ') ####################################### 
@@ -67,13 +72,15 @@ class chr_file { getattr read write ioctl }; # clock_execute(domain) # define(`clock_execute',` -requires_block_template(`$0'_depend) -allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans }; ') define(`clock_execute_depend',` -type hwclock_exec_t; -class file { getattr read execute execute_no_trans }; + type hwclock_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### @@ -81,14 +88,16 @@ class file { getattr read execute execute_no_trans }; # clock_modify_drift_records(domain) # define(`clock_modify_drift_records',` -requires_block_template(`$0'_depend) -allow $1 adjtime_t:file { getattr read write ioctl lock append }; -files_read_general_system_config_directory($1) + requires_block_template(`$0'_depend) + + allow $1 adjtime_t:file { getattr read write ioctl lock append }; + files_read_general_system_config_directory($1) ') define(`clock_modify_drift_records_depend',` -type adjtime_t; -class file { getattr read write ioctl lock append }; + type adjtime_t; + + class file { getattr read write ioctl lock append }; ') ## diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index acd812b..51a481a 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te 
@@ -58,21 +58,21 @@ logging_send_system_log_message(hwclock_t) miscfiles_read_localization(hwclock_t) tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(hwclock_t) -terminal_ignore_use_general_pseudoterminal(hwclock_t) -files_ignore_read_rootfs_file(hwclock_t) + terminal_ignore_use_general_physical_terminal(hwclock_t) + terminal_ignore_use_general_pseudoterminal(hwclock_t) + files_ignore_read_rootfs_file(hwclock_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(hwclock_t) + selinux_newrole_sigchld(hwclock_t) ') optional_policy(`udev.te', ` -udev_read_database(hwclock_t) + udev_read_database(hwclock_t) ') optional_policy(`userdomain.te',` -userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t) + userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index ae7942e..0132ca7 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -9,12 +9,13 @@ # corecommands_make_shell_entrypoint(domain) # define(`corecommands_make_shell_entrypoint',` -requires_block_template(`$0'_depend) -domain_make_entrypoint_file($1,shell_exec_t) + requires_block_template(`$0'_depend) + + domain_make_entrypoint_file($1,shell_exec_t) ') define(`corecommands_make_shell_entrypoint_depend',` -type shell_exec_t; + type shell_exec_t; ') ######################################## 
@@ -22,13 +23,15 @@ type shell_exec_t; # corecommands_search_general_programs_directory(domain) # define(`corecommands_search_general_programs_directory',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir search; ') define(`corecommands_search_general_programs_directory_depend',` -type bin_t; -class dir search; + type bin_t; + + class dir search; ') ######################################## @@ -36,13 +39,15 @@ class dir search; # corecommands_read_general_programs_directory(domain) # define(`corecommands_read_general_programs_directory',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir { getattr search read }; ') define(`corecommands_read_general_programs_directory_depend',` -type bin_t; -class dir { getattr search read }; + type bin_t; + + class dir { getattr search read }; ') ######################################## @@ -50,17 +55,19 @@ class dir { getattr search read }; # corecommands_execute_general_programs(domain) # define(`corecommands_execute_general_programs',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; -allow $1 bin_t:lnk_file { getattr read }; -allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir { getattr search read }; + allow $1 bin_t:lnk_file { getattr read }; + allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans }; ') define(`corecommands_execute_general_programs_depend',` -type bin_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read ioctl lock execute execute_no_trans }; + type bin_t; + + class dir { getattr search read }; + class lnk_file { getattr read }; + class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## 
@@ -68,13 +75,15 @@ class file { getattr read ioctl lock execute execute_no_trans }; # corecommands_search_system_programs_directory(domain) # define(`corecommands_search_system_programs_directory',` -requires_block_template(`$0'_depend) -allow $1 sbin_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 sbin_t:dir search; ') define(`corecommands_search_system_programs_directory_depend',` -type sbin_t; -class dir search; + type sbin_t; + + class dir search; ') ######################################## @@ -82,13 +91,15 @@ class dir search; # corecommands_read_system_programs_directory(domain) # define(`corecommands_read_system_programs_directory',` -requires_block_template(`$0'_depend) -allow $1 sbin_t:dir r_dir_perms; + requires_block_template(`$0'_depend) + + allow $1 sbin_t:dir r_dir_perms; ') define(`corecommands_read_system_programs_directory_depend',` -type sbin_t; -class dir r_dir_perms; + type sbin_t; + + class dir r_dir_perms; ') ######################################## @@ -96,13 +107,15 @@ class dir r_dir_perms; # corecommands_ignore_get_system_programs_attributes(domain) # define(`corecommands_ignore_get_system_programs_attributes',` -requires_block_template(`$0'_depend) -allow $1 sbin_t:file getattr; + requires_block_template(`$0'_depend) + + allow $1 sbin_t:file getattr; ') define(`corecommands_ignore_get_system_programs_attributes_depend',` -type sbin_t; -class file getattr; + type sbin_t; + + class file getattr; ') ######################################## 
@@ -110,17 +123,19 @@ class file getattr; # corecommands_execute_system_programs(domain) # define(`corecommands_execute_system_programs',` -requires_block_template(`$0'_depend) -allow $1 sbin_t:dir { getattr search read }; -allow $1 sbin_t:lnk_file { getattr read }; -allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 sbin_t:dir { getattr search read }; + allow $1 sbin_t:lnk_file { getattr read }; + allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans }; ') define(`corecommands_execute_system_programs_depend',` -type sbin_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read ioctl lock execute execute_no_trans }; + type sbin_t; + + class dir { getattr search read }; + class lnk_file { getattr read }; + class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## @@ -128,17 +143,19 @@ class file { getattr read ioctl lock execute execute_no_trans }; # corecommands_execute_shell(domain) # define(`corecommands_execute_shell',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir r_dir_perms; -allow $1 bin_t:lnk_file { getattr read }; -allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir r_dir_perms; + allow $1 bin_t:lnk_file { getattr read }; + allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans }; ') define(`corecommands_execute_shell_depend',` -type bin_t, shell_exec_t; -class dir r_dir_perms; -class lnk_file { getattr read }; -class file { getattr read lock ioctl execute execute_no_trans }; + type bin_t, shell_exec_t; + + class dir r_dir_perms; + class lnk_file { getattr read }; + class file { getattr read lock ioctl execute execute_no_trans }; ') ######################################## 
@@ -146,17 +163,19 @@ class file { getattr read lock ioctl execute execute_no_trans }; # corecommands_execute_ls(domain) # define(`corecommands_execute_ls',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir r_dir_perms; -allow $1 bin_t:lnk_file { getattr read }; -allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir r_dir_perms; + allow $1 bin_t:lnk_file { getattr read }; + allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans }; ') define(`corecommands_execute_shell_depend',` -type bin_t, ls_exec_t; -class dir r_dir_perms; -class lnk_file { getattr read }; -class file { getattr read lock ioctl execute execute_no_trans }; + type bin_t, ls_exec_t; + + class dir r_dir_perms; + class lnk_file { getattr read }; + class file { getattr read lock ioctl execute execute_no_trans }; ') ######################################## 
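Review bot: The dependency macro that follows corecommands_execute_ls is still named `corecommands_execute_shell_depend`, so this hunk re-indents a misnamed definition: `requires_block_template(`$0'_depend)` inside corecommands_execute_ls resolves to corecommands_execute_ls_depend, which this file never defines, and the second define here replaces the shell interface's dependency list (defined in the previous hunk with shell_exec_t) with one naming ls_exec_t instead. The fix is the one line ``define(`corecommands_execute_ls_depend',` `` in place of the shell name. Whether the build currently tolerates the undefined macro depends on how requires_block_template handles it, which is not visible here.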
@@ -176,26 +195,29 @@ class file { getattr read lock ioctl execute execute_no_trans }; ## # define(`corecommands_shell_explicit_transition',` -requires_block_template(`$0'_depend) -allow $1 bin_t:dir { getattr search read }; -allow $1 bin_t:lnk_file { getattr read }; -allow $1 shell_exec_t:file { getattr read execute }; -allow $1 $2:process transition; -dontaudit $1 $2:process { noatsecure siginh rlimitinh }; -allow $1 $2:fd use; -allow $2 $1:fd use; -allow $2 $1:fifo_file rw_file_perms; -allow $2 $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 bin_t:dir { getattr search read }; + allow $1 bin_t:lnk_file { getattr read }; + allow $1 shell_exec_t:file { getattr read execute }; + allow $1 $2:process transition; + dontaudit $1 $2:process { noatsecure siginh rlimitinh }; + + allow $1 $2:fd use; + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_file_perms; + allow $2 $1:process sigchld; ') define(`corecommands_shell_explicit_transition_depend',` -type bin_t, shell_exec_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type bin_t, shell_exec_t; + + class dir { getattr search read }; + class lnk_file { getattr read }; + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -213,13 +235,14 @@ class fifo_file rw_file_perms; ## # define(`corecommands_shell_transition',` -requires_block_template(`$0'_depend) -corecommands_shell_explicit_transition($1,$2) -type_transition $1 shell_exec_t:process $2; + requires_block_template(`$0'_depend) + + corecommands_shell_explicit_transition($1,$2) + type_transition $1 shell_exec_t:process $2; ') define(`corecommands_shell_transition_depend',` -type shell_exec_t; + type shell_exec_t; ') ######################################## @@ -227,16 +250,17 @@ type shell_exec_t; # corecommands_chroot(domain) # define(`corecommands_chroot',` -requires_block_template(`$0'_depend) -allow $1 chroot_exec_t:file { getattr read execute execute_no_trans }; -# could go to a generic chroot priv: -allow $1 self:capability sys_chroot; + requires_block_template(`$0'_depend) + + allow $1 chroot_exec_t:file { getattr read execute execute_no_trans }; + allow $1 self:capability sys_chroot; ') define(`corecommands_chroot_depend',` -type chroot_exec_t; -class file { getattr read execute execute_no_trans }; -class capability sys_chroot; + type chroot_exec_t; + + class file { getattr read execute execute_no_trans }; + class capability sys_chroot; ') ## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 0125416..a0368c9 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
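Review bot: The `# could go to a generic chroot priv:` comment above `allow $1 self:capability sys_chroot;` in corecommands_chroot is dropped rather than re-indented, whereas the comments in domain_make_base_domain and domain_read_all_domains_process_state are kept in this same commit. The note records that the capability grant is a candidate for factoring out of a program-execution interface, which matters to whoever next audits which interfaces hand out capabilities. Restore it as an indented line directly above the allow rule: `	# could go to a generic chroot priv:`.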
@@ -6,24 +6,25 @@ # domain_make_base_domain(domain) # define(`domain_make_base_domain',` -requires_block_template(`$0'_depend) + requires_block_template(`$0'_depend) -# mark as a domain -typeattribute $1 domain; + # mark as a domain + typeattribute $1 domain; -# allow the domain to read its /proc/pid entries -allow $1 self:dir { getattr search read }; -allow $1 self:{ file lnk_file } { getattr read write ioctl }; + # allow the domain to read its /proc/pid entries + allow $1 self:dir { getattr search read }; + allow $1 self:{ file lnk_file } { getattr read write ioctl }; -# allow $1 to create child processes in this domain -allow $1 self:process { fork sigchld }; + # allow $1 to create child processes in this domain + allow $1 self:process { fork sigchld }; ') define(`domain_make_base_domain_depend',` -attribute domain; -class dir { getattr search read }; -class file { getattr read write ioctl }; -class lnk_file { getattr read }; + attribute domain; + + class dir { getattr search read }; + class file { getattr read write ioctl }; + class lnk_file { getattr read }; ') ######################################## 
@@ -31,26 +32,25 @@ class lnk_file { getattr read }; # domain_make_domain(domain) # define(`domain_make_domain',` + # start with basic domain + domain_make_base_domain($1) -# start with basic domain -domain_make_base_domain($1) - -# Use trusted objects in /dev -devices_use_dev_null($1) -devices_use_dev_zero($1) -terminal_use_controlling_terminal($1) + # Use trusted objects in /dev + devices_use_dev_null($1) + devices_use_dev_zero($1) + terminal_use_controlling_terminal($1) -# read the root directory -files_read_root_dir($1) + # read the root directory + files_read_root_dir($1) -# send init a sigchld -init_sigchld($1) + # send init a sigchld + init_sigchld($1) -# this seems highly questionable: -optional_policy(`rpm.te',` -rpm_use_file_descriptors($1) -rpm_read_pipe($1) -') + # this seems highly questionable: + optional_policy(`rpm.te',` + rpm_use_file_descriptors($1) + rpm_read_pipe($1) + ') ') ######################################## @@ -58,15 +58,17 @@ rpm_read_pipe($1) # domain_make_entrypoint_file(domain,entrypointfile) # define(`domain_make_entrypoint_file',` -requires_block_template(`$0'_depend) -allow $1 $2:file entrypoint; -files_make_file($2) -typeattribute $2 entry_type; + requires_block_template(`$0'_depend) + + files_make_file($2) + allow $1 $2:file entrypoint; + typeattribute $2 entry_type; ') define(`domain_make_entrypoint_file_depend',` -attribute entry_type; -class file entrypoint; + attribute entry_type; + + class file entrypoint; ') ######################################## @@ -74,12 +76,13 @@ class file entrypoint; # domain_make_file_descriptors_widely_inheritable(domain) # define(`domain_make_file_descriptors_widely_inheritable',` -requires_block_template(`$0'_depend) -typeattribute $1 privfd; + requires_block_template(`$0'_depend) + + typeattribute $1 privfd; ') define(`domain_make_file_descriptors_widely_inheritable_depend',` -attribute privfd; + attribute privfd; ') ######################################## 
@@ -87,13 +90,15 @@ attribute privfd; # domain_use_widely_inheritable_file_descriptors(domain) # define(`domain_use_widely_inheritable_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 privfd:fd use; + requires_block_template(`$0'_depend) + + allow $1 privfd:fd use; ') define(`domain_use_widely_inheritable_file_descriptors_depend',` -attribute privfd; -class fd use; + attribute privfd; + + class fd use; ') ######################################## @@ -101,13 +106,15 @@ class fd use; # domain_ignore_use_widely_inheritable_file_descriptors(domain) # define(`domain_ignore_use_widely_inheritable_file_descriptors',` -requires_block_template(`$0'_depend) -dontaudit $1 privfd:fd use; + requires_block_template(`$0'_depend) + + dontaudit $1 privfd:fd use; ') define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',` -attribute privfd; -class fd use; + attribute privfd; + + class fd use; ') ######################################## @@ -115,13 +122,15 @@ class fd use; # domain_set_all_domains_priorities(domain) # define(`domain_set_all_domains_priorities',` -requires_block_template(`$0'_depend) -allow $1 domain:process setsched; + requires_block_template(`$0'_depend) + + allow $1 domain:process setsched; ') define(`domain_set_all_domains_priorities_depend',` -attribute domain; -class process setsched; + attribute domain; + + class process setsched; ') ######################################## @@ -136,13 +145,15 @@ class process setsched; ## # define(`domain_signal_all_domains',` -requires_block_template(`$0'_depend) -allow $1 domain:process signal; + requires_block_template(`$0'_depend) + + allow $1 domain:process signal; ') define(`domain_signal_all_domains_depend',` -attribute domain; -class process signal; + attribute domain; + + class process signal; ') ######################################## 
@@ -157,13 +168,15 @@ class process signal; ## # define(`domain_signull_all_domains',` -requires_block_template(`$0'_depend) -allow $1 domain:process signull; + requires_block_template(`$0'_depend) + + allow $1 domain:process signull; ') define(`domain_signull_all_domains_depend',` -attribute domain; -class process signull; + attribute domain; + + class process signull; ') ######################################## @@ -178,13 +191,15 @@ class process signull; ## # define(`domain_sigstop_all_domains',` -requires_block_template(`$0'_depend) -allow $1 domain:process sigstop; + requires_block_template(`$0'_depend) + + allow $1 domain:process sigstop; ') define(`domain_sigstop_all_domains_depend',` -attribute domain; -class process sigstop; + attribute domain; + + class process sigstop; ') ######################################## @@ -199,13 +214,15 @@ class process sigstop; ## # define(`domain_sigchld_all_domains',` -requires_block_template(`$0'_depend) -allow $1 domain:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 domain:process sigchld; ') define(`domain_sigchld_all_domains_depend',` -attribute domain; -class process sigchld; + attribute domain; + + class process sigchld; ') ######################################## @@ -220,15 +237,17 @@ class process sigchld; ## # define(`domain_kill_all_domains',` -requires_block_template(`$0'_depend) -allow $1 domain:process sigkill; -allow $1 self:capability kill; + requires_block_template(`$0'_depend) + + allow $1 domain:process sigkill; + allow $1 self:capability kill; ') define(`domain_kill_all_domains_depend',` -attribute domain; -class process sigkill; -class capability kill; + attribute domain; + + class process sigkill; + class capability kill; ') ######################################## 
@@ -243,24 +262,27 @@ class capability kill; ## # define(`domain_read_all_domains_process_state',` -requires_block_template(`$0'_depend) -allow $1 domain:dir { getattr search read }; -allow $1 domain:lnk_file { getattr read }; -allow $1 domain:file { getattr read }; -allow $1 domain:process getattr; -# We need to suppress this denial because procps tries to access -# /proc/pid/environ and this now triggers a ptrace check in recent kernels -# (2.4 and 2.6). Might want to change procps to not do this, or only if -# running in a privileged domain. -dontaudit $1 domain:process ptrace; + requires_block_template(`$0'_depend) + + allow $1 domain:dir { getattr search read }; + allow $1 domain:lnk_file { getattr read }; + allow $1 domain:file { getattr read }; + allow $1 domain:process getattr; + + # We need to suppress this denial because procps tries to access + # /proc/pid/environ and this now triggers a ptrace check in recent kernels + # (2.4 and 2.6). Might want to change procps to not do this, or only if + # running in a privileged domain. + dontaudit $1 domain:process ptrace; ') define(`domain_read_all_domains_process_state_depend',` -attribute domain; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read }; -class process { getattr ptrace }; + attribute domain; + + class dir { getattr search read }; + class lnk_file { getattr read }; + class file { getattr read }; + class process { getattr ptrace }; ') ######################################## @@ -276,13 +298,15 @@ class process { getattr ptrace }; ## # define(`domain_ignore_read_all_domains_process_dirs',` -requires_block_template(`$0'_depend) -dontaudit $1 domain:dir r_dir_perms; + requires_block_template(`$0'_depend) + + dontaudit $1 domain:dir r_dir_perms; ') define(`domain_ignore_read_all_domains_process_dirs_depend',` -attribute domain; -class dir r_dir_perms; + attribute domain; + + class dir r_dir_perms; ') 
@@ -298,13 +322,15 @@ class dir r_dir_perms; ## # define(`domain_get_all_domains_session_id',` -requires_block_template(`$0'_depend) -allow $1 domain:process getsession; + requires_block_template(`$0'_depend) + + allow $1 domain:process getsession; ') define(`domain_get_all_domains_session_id_depend',` -attribute domain; -class process getsession; + attribute domain; + + class process getsession; ') ######################################## @@ -320,13 +346,15 @@ class process getsession; ## # define(`domain_ignore_get_all_domains_udp_socket_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 domain:udp_socket getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 domain:udp_socket getattr; ') define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',` -attribute domain; -class udp_socket getattr; + attribute domain; + + class udp_socket getattr; ') ######################################## @@ -342,13 +370,15 @@ class udp_socket getattr; ## # define(`domain_ignore_get_all_domains_tcp_socket_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 domain:tcp_socket getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 domain:tcp_socket getattr; ') define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',` -attribute domain; -class tcp_socket getattr; + attribute domain; + + class tcp_socket getattr; ') ######################################## @@ -364,13 +394,15 @@ class tcp_socket getattr; ## # define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 domain:unix_dgram_socket getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 domain:unix_dgram_socket getattr; ') define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',` -attribute domain; -class unix_dgram_socket getattr; + attribute domain; + + class unix_dgram_socket getattr; ') ######################################## 
@@ -386,13 +418,15 @@ class unix_dgram_socket getattr; ## # define(`domain_ignore_get_all_domains_pipe_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 domain:fifo_file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 domain:fifo_file getattr; ') define(`domain_ignore_get_all_domains_pipe_attributes_depend',` -attribute domain; -class fifo_file getattr; + attribute domain; + + class fifo_file getattr; ') ######################################## @@ -400,13 +434,15 @@ class fifo_file getattr; # domain_execute_all_entrypoint_programs(domain) # define(`domain_execute_all_entrypoint_programs',` -requires_block_template(`$0'_depend) -allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans }; ') define(`domain_execute_all_entrypoint_programs_depend',` -attribute entry_type; -class file { getattr read ioctl lock execute execute_no_trans }; + attribute entry_type; + + class file { getattr read ioctl lock execute execute_no_trans }; ') ######################################## @@ -414,15 +450,17 @@ class file { getattr read ioctl lock execute execute_no_trans }; # domain_read_all_entrypoint_programs(domain) # define(`domain_read_all_entrypoint_programs',` -requires_block_template(`$0'_depend) -allow $1 entry_type:lnk_file { getattr read }; -allow $1 entry_type:file r_file_perms; + requires_block_template(`$0'_depend) + + allow $1 entry_type:lnk_file { getattr read }; + allow $1 entry_type:file r_file_perms; ') define(`domain_read_all_entrypoint_programs_depend',` -attribute entry_type; -class file r_file_perms; -class lnk_file { getattr read }; + attribute entry_type; + + class file r_file_perms; + class lnk_file { getattr read }; ') ## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 49d57d6..116f0c4 100644 
--- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -6,14 +6,15 @@ # files_make_file(type) # define(`files_make_file',` -requires_block_template(`$0'_depend) -typeattribute $1 file_type; -filesystem_associate($1) -filesystem_noxattr_associate($1) + requires_block_template(`$0'_depend) + + filesystem_associate($1) + filesystem_noxattr_associate($1) + typeattribute $1 file_type; ') define(`files_make_file_depend',` -attribute file_type; + attribute file_type; ') ######################################## @@ -21,13 +22,14 @@ attribute file_type; # files_make_lock_file(type) # define(`files_make_lock_file',` -requires_block_template(`$0'_depend) -files_make_file($1) -typeattribute $1 lockfile; + requires_block_template(`$0'_depend) + + files_make_file($1) + typeattribute $1 lockfile; ') define(`files_make_lock_file_depend',` -attribute lockfile; + attribute lockfile; ') ######################################## @@ -35,13 +37,14 @@ attribute lockfile; # files_make_mountpoint(type) # define(`files_make_mountpoint',` -requires_block_template(`$0'_depend) -files_make_file($1) -typeattribute $1 mountpoint; + requires_block_template(`$0'_depend) + + files_make_file($1) + typeattribute $1 mountpoint; ') define(`files_make_mountpoint_depend',` -attribute mountpoint; + attribute mountpoint; ') ######################################## @@ -49,13 +52,14 @@ attribute mountpoint; # files_make_daemon_runtime_file(type) # define(`files_make_daemon_runtime_file',` -requires_block_template(`$0'_depend) -files_make_file($1) -typeattribute $1 pidfile; + requires_block_template(`$0'_depend) + + files_make_file($1) + typeattribute $1 pidfile; ') define(`files_make_daemon_runtime_file_depend',` -attribute pidfile; + attribute pidfile; ') ######################################## 
@@ -63,13 +67,14 @@ attribute pidfile; # files_make_temporary_file(type) # define(`files_make_temporary_file',` -requires_block_template(`$0'_depend) -files_make_file($1) -typeattribute $1 tmpfile; + requires_block_template(`$0'_depend) + + files_make_file($1) + typeattribute $1 tmpfile; ') define(`files_make_temporary_file_depend',` -attribute tmpfile; + attribute tmpfile; ') ######################################## @@ -85,14 +90,15 @@ attribute tmpfile; ## # define(`files_make_tmpfs_file',` -requires_block_template(`$0'_depend) -files_make_file($1) -filesystem_tmpfs_associate($1) -typeattribute $1 tmpfsfile; + requires_block_template(`$0'_depend) + + files_make_file($1) + filesystem_tmpfs_associate($1) + typeattribute $1 tmpfsfile; ') define(`files_make_tmpfs_file_depend',` -attribute tmpfsfile; + attribute tmpfsfile; ') ######################################## @@ -100,21 +106,23 @@ attribute tmpfsfile; # files_get_all_file_attributes(domain) define(`files_get_all_file_attributes',` -requires_block_template(`$0'_depend) -allow $1 file_type:dir { search getattr }; -allow $1 file_type:file getattr; -allow $1 file_type:lnk_file getattr; -allow $1 file_type:fifo_file getattr; -allow $1 file_type:sock_file getattr; + requires_block_template(`$0'_depend) + + allow $1 file_type:dir { search getattr }; + allow $1 file_type:file getattr; + allow $1 file_type:lnk_file getattr; + allow $1 file_type:fifo_file getattr; + allow $1 file_type:sock_file getattr; ') define(`files_get_all_file_attributes_depend',` -attribute file_type; -class dir { search getattr }; -class file getattr; -class lnk_file getattr; -class fifo_file getattr; -class sock_file getattr; + attribute file_type; + + class dir { search getattr }; + class file getattr; + class lnk_file getattr; + class fifo_file getattr; + class sock_file getattr; ') ######################################## 
@@ -134,27 +142,30 @@ class sock_file getattr; ## # define(`files_relabel_all_files',` -requires_block_template(`$0'_depend) -allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; -allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; -allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; -allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; -allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto }; -allow $1 { file_type $2 }:blk_file { getattr relabelfrom }; -allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; -# satisfy the assertions: -selinux_relabelto_binary_policy($1) + requires_block_template(`$0'_depend) + + allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; + allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; + allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; + allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; + allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto }; + allow $1 { file_type $2 }:blk_file { getattr relabelfrom }; + allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; + + # satisfy the assertions: + selinux_relabelto_binary_policy($1) ') define(`files_relabel_all_files_depend',` -attribute file_type; -class dir { r_dir_perms relabelfrom relabelto }; -class file { relabelfrom relabelto }; -class lnk_file { relabelfrom relabelto }; -class fifo_file { relabelfrom relabelto }; -class sock_file { relabelfrom relabelto }; -class blk_file relabelfrom; -class chr_file relabelfrom; + attribute file_type; + + class dir { r_dir_perms relabelfrom relabelto }; + class file { relabelfrom relabelto }; + class lnk_file { relabelfrom relabelto }; + class fifo_file { relabelfrom relabelto }; + class sock_file { relabelfrom relabelto }; + class blk_file relabelfrom; + class chr_file relabelfrom; ') ######################################## 
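Review bot: The `files_relabel_all_files_depend` block under-declares what the interface body uses: the rules grant `getattr` on file, lnk_file, fifo_file, sock_file, blk_file and chr_file, but the declarations list only `relabelfrom`/`relabelto` (`class file { relabelfrom relabelto };` should read `class file { getattr relabelfrom relabelto };`, and likewise for the other five classes). A module whose rules use a permission its require block never declares is likely to be rejected when the module is built, so the declarations should mirror the rules exactly. The same mismatch recurs in files_read_general_system_config (`ioctl` on file), files_create_boot_flag (`remove_name` on dir, `unlink` on file), files_manage_runtime_system_config (`remove_name` on dir, `link` on file, with `unlink` listed twice) and files_create_private_tmp_data (`remove_name` on dir). None of these are introduced by this commit, but every one of those blocks is re-indented here, so this is the natural place to correct them.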
@@ -174,24 +185,27 @@ class chr_file relabelfrom; ## # define(`files_manage_all_files',` -requires_block_template(`$0'_depend) -allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename }; -allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -# satisfy the assertions: -selinux_write_binary_policy($1) -bootloader_manage_kernel_modules($1) + requires_block_template(`$0'_depend) + + allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename }; + allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + + # satisfy the assertions: + selinux_write_binary_policy($1) + bootloader_manage_kernel_modules($1) ') define(`files_manage_all_files_depend',` -attribute file_type; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; -class lnk_file { create read getattr setattr link unlink rename }; -class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -class sock_file { create ioctl read getattr lock write 
setattr append link unlink rename }; + attribute file_type; + + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; + class lnk_file { create read getattr setattr link unlink rename }; + class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; ') ######################################## @@ -199,13 +213,15 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin # files_search_all_directories(domain) # define(`files_search_all_directories',` -requires_block_template(`$0'_depend) -allow $1 file_type:dir search; + requires_block_template(`$0'_depend) + + allow $1 file_type:dir search; ') define(`files_search_all_directories_depend',` -attribute file_type; -class dir search; + attribute file_type; + + class dir search; ') ######################################## @@ -213,13 +229,15 @@ class dir search; # files_read_all_directories(domain) # define(`files_read_all_directories',` -requires_block_template(`$0'_depend) -allow $1 file_type:dir r_dir_perms; + requires_block_template(`$0'_depend) + + allow $1 file_type:dir r_dir_perms; ') define(`files_read_all_directories_depend',` -attribute file_type; -class dir r_dir_perms; + attribute file_type; + + class dir r_dir_perms; ') ######################################## 
@@ -227,13 +245,15 @@ class dir r_dir_perms; # files_ignore_search_all_directories(domain) # define(`files_ignore_search_all_directories',` -requires_block_template(`$0'_depend) -dontaudit $1 file_type:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 file_type:dir search; ') define(`files_ignore_search_all_directories_depend',` -attribute file_type; -class dir search; + attribute file_type; + + class dir search; ') ####################################### @@ -241,13 +261,15 @@ class dir search; # files_relabelto_all_file_type_filesystems(domain) # define(`files_relabelto_all_file_type_filesystems',` -requires_block_template(`$0'_depend) -allow $1 file_type:filesystem relabelto; + requires_block_template(`$0'_depend) + + allow $1 file_type:filesystem relabelto; ') define(`files_relabelto_all_file_type_filesystems_depend',` -attribute file_type; -filesystem relabelto; + attribute file_type; + + filesystem relabelto; ') ####################################### @@ -255,13 +277,15 @@ filesystem relabelto; # files_mount_all_file_type_filesystems(domain) # define(`files_mount_all_file_type_filesystems',` -requires_block_template(`$0'_depend) -allow $1 file_type:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 file_type:filesystem mount; ') define(`files_mount_all_file_type_filesystems_depend',` -attribute file_type; -filesystem mount; + attribute file_type; + + filesystem mount; ') ####################################### @@ -269,13 +293,15 @@ filesystem mount; # files_unmount_all_file_type_filesystems(domain) # define(`files_unmount_all_file_type_filesystems',` -requires_block_template(`$0'_depend) -allow $1 file_type:filesystem mount; + requires_block_template(`$0'_depend) + + allow $1 file_type:filesystem mount; ') define(`files_unmount_all_file_type_filesystems_depend',` -attribute file_type; -filesystem mount; + attribute file_type; + + filesystem mount; ') ######################################## 
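Review bot: The `files_relabelto_all_file_type_filesystems_depend` block declares `filesystem relabelto;` without the `class` keyword, which departs from the `class <name> <perms>;` form every other depend block in this file uses and is unlikely to be accepted in a require block; it should read `class filesystem relabelto;`. The same omission is in files_mount_all_file_type_filesystems_depend and files_unmount_all_file_type_filesystems_depend, where the line should be `class filesystem mount;` (or `unmount`, see the separate note on that interface).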
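Review bot: `files_unmount_all_file_type_filesystems` allows `file_type:filesystem mount` and its depend block declares `mount` as well, so the interface grants mount rather than unmount despite its name and is an exact duplicate of files_mount_all_file_type_filesystems just above it. Compare files_unmount_root_filesystem later in this file, which uses `unmount`; the body line should be `allow $1 file_type:filesystem unmount;` and the declaration `class filesystem unmount;`. As written, a caller that only needs to unmount is silently granted the ability to mount every file_type filesystem.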
@@ -283,13 +309,15 @@ filesystem mount; # files_mount_on_all_mountpoints(domain) # define(`files_mount_on_all_mountpoints',` -requires_block_template(`$0'_depend) -allow $1 mountpoint:dir { getattr search mounton }; + requires_block_template(`$0'_depend) + + allow $1 mountpoint:dir { getattr search mounton }; ') define(`files_mount_on_all_mountpoints_depend',` -attribute mountpoint; -class dir { getattr search mounton }; + attribute mountpoint; + + class dir { getattr search mounton }; ') ######################################## @@ -297,15 +325,17 @@ class dir { getattr search mounton }; # files_read_root_dir(domain) # define(`files_read_root_dir',` -requires_block_template(`$0'_depend) -allow $1 root_t:dir r_dir_perms; -allow $1 root_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 root_t:dir r_dir_perms; + allow $1 root_t:lnk_file { getattr read }; ') define(`files_read_root_dir_depend',` -type root_t; -class dir r_dir_perms; -class lnk_file { getattr read }; + type root_t; + + class dir r_dir_perms; + class lnk_file { getattr read }; ') ######################################## @@ -313,13 +343,15 @@ class lnk_file { getattr read }; # files_create_root_dir_entry(domain) # define(`files_create_root_dir_entry',` -requires_block_template(`$0'_depend) -allow $1 root_t:dir ra_dir_perms; + requires_block_template(`$0'_depend) + + allow $1 root_t:dir ra_dir_perms; ') define(`files_create_root_dir_entry_depend',` -type root_t; -class dir ra_dir_perms; + type root_t; + + class dir ra_dir_perms; ') ######################################## 
@@ -327,13 +359,15 @@ class dir ra_dir_perms; # files_ignore_read_rootfs_file(domain) # define(`files_ignore_read_rootfs_file',` -requires_block_template(`$0'_depend) -dontaudit $1 root_t:file read; + requires_block_template(`$0'_depend) + + dontaudit $1 root_t:file read; ') define(`files_ignore_read_rootfs_file_depend',` -type root_t; -class file read; + type root_t; + + class file read; ') ######################################## @@ -341,13 +375,15 @@ class file read; # files_ignore_modify_rootfs_file(domain) # define(`files_ignore_modify_rootfs_file',` -requires_block_template(`$0'_depend) -dontaudit $1 root_t:file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 root_t:file { read write }; ') define(`files_ignore_modify_rootfs_file_depend',` -type root_t; -class file { read write }; + type root_t; + + class file { read write }; ') ######################################## @@ -355,13 +391,15 @@ class file { read write }; # files_ignore_modify_rootfs_device(domain) # define(`files_ignore_modify_rootfs_device',` -requires_block_template(`$0'_depend) -dontaudit $1 root_t:chr_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 root_t:chr_file { read write }; ') define(`files_ignore_modify_rootfs_device_depend',` -type root_t; -class chr_file { read write }; + type root_t; + + class chr_file { read write }; ') ######################################## 
@@ -384,18 +422,21 @@ class chr_file { read write }; ## # define(`files_create_private_root_dir_entry',` -requires_block_template(`$0'_depend) -allow $1 root_t:dir { getattr search read write add_name remove_name }; -ifelse(`$3',`',` -type_transition $1 root_t:file $2; -',` -type_transition $1 root_t:$3 $2; -') dnl end ifelse + requires_block_template(`$0'_depend) + + allow $1 root_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 root_t:file $2; + ',` + type_transition $1 root_t:$3 $2; + ') dnl end ifelse ') define(`files_create_private_root_dir_entry_depend',` type root_t; -class dir { getattr search read write add_name remove_name }; + +class dir rw_dir_perms; ') ######################################## @@ -403,13 +444,15 @@ class dir { getattr search read write add_name remove_name }; # files_remove_root_dir_entry(domain) # define(`files_remove_root_dir_entry',` -requires_block_template(`$0'_depend) -allow $1 root_t:dir { getattr search read write remove_name }; + requires_block_template(`$0'_depend) + + allow $1 root_t:dir { getattr search read write remove_name }; ') define(`files_remove_root_dir_entry_depend',` -type root_t; -class dir { getattr search read write remove_name }; + type root_t; + + class dir { getattr search read write remove_name }; ') ######################################## @@ -417,13 +460,15 @@ class dir { getattr search read write remove_name }; # files_unmount_root_filesystem(domain) # define(`files_unmount_root_filesystem',` -requires_block_template(`$0'_depend) -allow $1 root_t:filesystem unmount; + requires_block_template(`$0'_depend) + + allow $1 root_t:filesystem unmount; ') define(`files_unmount_root_filesystem_depend',` -type root_t; -class filesystem unmount; + type root_t; + + class filesystem unmount; ') ######################################## 
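Review bot: The `files_create_private_root_dir_entry` hunk changes behaviour rather than only indentation: the explicit `{ getattr search read write add_name remove_name }` on root_t:dir is replaced by the `rw_dir_perms` macro, whose definition is not visible here, so the effective permission set may be wider than what the interface granted before and the commit description should say so. The same substitution is made in files_create_private_config, files_create_private_lock_file and files_create_daemon_runtime_data, while files_create_private_tmp_data keeps the explicit list, which looks like an oversight. As a point of style, the depend block here and in files_create_private_config is left at column 0 (`type root_t;`, `class dir rw_dir_perms;`) while every other depend block in the commit is tab-indented, and the `dnl end ifelse` marker is kept here but dropped from the other three interfaces.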
@@ -431,13 +476,15 @@ class filesystem unmount; # files_search_general_system_config_directory(domain) # define(`files_search_general_system_config_directory',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir search; ') define(`files_search_general_system_config_directory_depend',` -type etc_t; -class dir search; + type etc_t; + + class dir search; ') ######################################## @@ -445,13 +492,15 @@ class dir search; # files_read_general_system_config_directory(domain) # define(`files_read_general_system_config_directory',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read }; ') define(`files_read_general_system_config_directory_depend',` -type etc_t; -class dir { getattr search read }; + type etc_t; + + class dir { getattr search read }; ') ######################################## @@ -459,17 +508,19 @@ class dir { getattr search read }; # files_read_general_system_config(domain) # define(`files_read_general_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read }; -allow $1 etc_t:file { getattr read ioctl }; -allow $1 etc_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read }; + allow $1 etc_t:file { getattr read ioctl }; + allow $1 etc_t:lnk_file { getattr read }; ') define(`files_read_general_system_config_depend',` -type etc_t; -class dir { getattr search read }; -class file { getattr read }; -class lnk_file { getattr read }; + type etc_t; + + class dir { getattr search read }; + class file { getattr read }; + class lnk_file { getattr read }; ') ######################################## 
@@ -477,17 +528,19 @@ class lnk_file { getattr read }; # files_modify_general_system_config(domain) # define(`files_modify_general_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read }; -allow $1 etc_t:file { getattr read write ioctl }; -allow $1 etc_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read }; + allow $1 etc_t:file { getattr read write ioctl }; + allow $1 etc_t:lnk_file { getattr read }; ') define(`files_modify_general_system_config_depend',` -type etc_t; -class dir { getattr search read }; -class file { getattr read write ioctl }; -class lnk_file { getattr read }; + type etc_t; + + class dir { getattr search read }; + class file { getattr read write ioctl }; + class lnk_file { getattr read }; ') ######################################## 
@@ -495,17 +548,19 @@ class lnk_file { getattr read }; # files_manage_general_system_config(domain) # define(`files_manage_general_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write }; -allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1 etc_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 etc_t:lnk_file { getattr read }; ') define(`files_manage_general_system_config_depend',` -type etc_t; -class dir { read getattr lock search ioctl add_name remove_name write }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; -class lnk_file { getattr read }; + type etc_t; + + class dir { read getattr lock search ioctl add_name remove_name write }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; + class lnk_file { getattr read }; ') ######################################## @@ -520,15 +575,17 @@ class lnk_file { getattr read }; ## # define(`files_remove_general_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read write remove_name }; -allow $1 etc_t:file unlink; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read write remove_name }; + allow $1 etc_t:file unlink; ') define(`files_remove_general_system_config_depend',` -type etc_t; -class dir { getattr search read write remove_name }; -class file unlink; + type etc_t; + + class dir { getattr search read write remove_name }; + class file unlink; ') ######################################## 
@@ -536,36 +593,40 @@ class file unlink; # files_execute_system_config_script(domain) # define(`files_execute_system_config_script',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read }; -allow $1 etc_t:lnk_file { getattr read }; -allow $1 etc_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read }; + allow $1 etc_t:lnk_file { getattr read }; + allow $1 etc_t:file { getattr read execute execute_no_trans }; ') define(`files_execute_system_config_script_depend',` -type etc_t; -class dir { getattr search read }; -class lnk_file { getattr read }; -class file { getattr read execute execute_no_trans }; + type etc_t; + + class dir { getattr search read }; + class lnk_file { getattr read }; + class file { getattr read execute execute_no_trans }; ') ######################################## # -# files_create_boot_flag(type) +# files_create_boot_flag(domain) # # /halt, /.autofsck, etc # define(`files_create_boot_flag',` -requires_block_template(`$0'_depend) -allow $1 root_t:dir { getattr search read write add_name remove_name }; -allow $1 etc_runtime_t:file { create read write setattr unlink }; -type_transition $1 root_t:file etc_runtime_t; + requires_block_template(`$0'_depend) + + allow $1 root_t:dir { getattr search read write add_name remove_name }; + allow $1 etc_runtime_t:file { create read write setattr unlink }; + type_transition $1 root_t:file etc_runtime_t; ') define(`files_create_boot_flag_depend',` -type root_t, etc_runtime_t; -class dir { getattr search read write add_name }; -class file { create read write setattr }; + type root_t, etc_runtime_t; + + class dir { getattr search read write add_name }; + class file { create read write setattr }; ') ######################################## 
@@ -573,16 +634,18 @@ class file { create read write setattr }; # files_manage_runtime_system_config(type) # define(`files_manage_runtime_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read write add_name remove_name }; -allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock }; -type_transition $1 etc_t:file etc_runtime_t; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read write add_name remove_name }; + allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock }; + type_transition $1 etc_t:file etc_runtime_t; ') define(`files_manage_runtime_system_config_depend',` -type etc_t, etc_runtime_t; -class dir { getattr search read write add_name }; -class file { getattr create read write append setattr rename unlink unlink lock }; + type etc_t, etc_runtime_t; + + class dir { getattr search read write add_name }; + class file { getattr create read write append setattr rename unlink unlink lock }; ') ######################################## @@ -590,15 +653,17 @@ class file { getattr create read write append setattr rename unlink unlink lock # files_read_runtime_system_config(domain) # define(`files_read_runtime_system_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read }; -allow $1 etc_runtime_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir { getattr search read }; + allow $1 etc_runtime_t:file { getattr read }; ') define(`files_read_runtime_system_config_depend',` -type etc_t, etc_runtime_t; -class dir { getattr search read }; -class file { getattr read }; + type etc_t, etc_runtime_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
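Review bot: The header comment `# files_manage_runtime_system_config(type)` still documents the parameter as `type`, whereas this same commit corrects files_create_boot_flag's header to `(domain)` and the body here applies `$1` as the subject of allow rules and of a type_transition, i.e. a domain. For consistency it should read `# files_manage_runtime_system_config(domain)`.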
@@ -606,18 +671,20 @@ class file { getattr read }; # files_create_private_config(domain,privatetype,[class(es)]) # define(`files_create_private_config',` -requires_block_template(`$0'_depend) -allow $1 etc_t:dir { getattr search read write add_name remove_name }; -ifelse(`$3',`',` -type_transition $1 etc_t:file $2; -',` -type_transition $1 etc_t:$3 $2; -') dnl end ifelse + requires_block_template(`$0'_depend) + + allow $1 etc_t:dir rw_dir_perms; + ifelse(`$3',`',` + type_transition $1 etc_t:file $2; + ',` + type_transition $1 etc_t:$3 $2; + ') ') define(`files_create_private_config_depend',` type etc_t; -class dir { getattr search read write add_name remove_name }; + +class dir rw_dir_perms; ') ######################################## @@ -625,13 +692,15 @@ class dir { getattr search read write add_name remove_name }; # files_modify_isid_type_dir(domain) # define(`files_modify_isid_type_dir',` -requires_block_template(`$0'_depend) -allow $1 file_t:dir rw_dir_perms; + requires_block_template(`$0'_depend) + + allow $1 file_t:dir rw_dir_perms; ') define(`files_modify_isid_type_dir_depend',` -type file_t; -class dir rw_dir_perms; + type file_t; + + class dir rw_dir_perms; ') ######################################## @@ -639,13 +708,15 @@ class dir rw_dir_perms; # files_ignore_get_isid_type_dir_attrib(domain) # define(`files_ignore_get_isid_type_dir_attrib',` -requires_block_template(`$0'_depend) -dontaudit $1 file_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 file_t:dir search; ') define(`files_ignore_get_isid_type_dir_attrib_depend',` -type file_t; -class dir search; + type file_t; + + class dir search; ') ######################################## 
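Review bot: `files_ignore_get_isid_type_dir_attrib` dontaudits `file_t:dir search`, which is exactly what `files_ignore_search_isid_type_dir` in the following hunk does, so the "get attrib" interface never suppresses getattr denials as its name suggests. Presumably the body should be `dontaudit $1 file_t:dir getattr;` with `class dir getattr;` in its depend block; if the duplication is intentional, the redundant interface should be removed instead.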
@@ -653,13 +724,15 @@ class dir search; # files_ignore_search_isid_type_dir(domain) # define(`files_ignore_search_isid_type_dir',` -requires_block_template(`$0'_depend) -dontaudit $1 file_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 file_t:dir search; ') define(`files_ignore_search_isid_type_dir_depend',` -type file_t; -class dir search; + type file_t; + + class dir search; ') ######################################## @@ -674,13 +747,15 @@ class dir search; ## # define(`files_list_home_directories',` -requires_block_template(`$0'_depend) -allow $1 home_root_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 home_root_t:dir { getattr search read }; ') define(`files_list_home_directories_depend',` -type home_root_t; -class dir { getattr search read }; + type home_root_t; + + class dir { getattr search read }; ') ######################################## @@ -688,13 +763,15 @@ class dir { getattr search read }; # files_read_mnt_dir(domain) # define(`files_read_mnt_dir',` -requires_block_template(`$0'_depend) -allow $1 mnt_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 mnt_t:dir { getattr search read }; ') define(`files_read_runtime_system_config_depend',` -type mnt_t; -class dir { getattr search read }; + type mnt_t; + + class dir { getattr search read }; ') ######################################## 
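Review bot: The depend block for `files_read_mnt_dir` is defined under the name `files_read_runtime_system_config_depend`, which redefines the macro that files_read_runtime_system_config declared earlier in this file (now with mnt_t in place of etc_t/etc_runtime_t and no file class) and leaves `files_read_mnt_dir_depend` undefined. Because the body expands `requires_block_template(`$0'_depend)`, the require block for files_read_mnt_dir is built from a macro that does not exist, and since m4 keeps the later of two definitions with the same name, files_read_runtime_system_config's own declarations are likely clobbered as well. The define line should read `define(`files_read_mnt_dir_depend',`.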
@@ -702,18 +779,21 @@ class dir { getattr search read }; # files_create_private_tmp_data(domain,private_type,[object class(es)]) # define(`files_create_private_tmp_data',` -requires_block_template(`$0'_depend) -allow $1 tmp_t:dir { getattr search read write add_name remove_name }; -ifelse(`$3',`',` -type_transition $1 tmp_t:file $2; -',` -type_transition $1 tmp_t:$3 $2; -') + requires_block_template(`$0'_depend) + + allow $1 tmp_t:dir { getattr search read write add_name remove_name }; + + ifelse(`$3',`',` + type_transition $1 tmp_t:file $2; + ',` + type_transition $1 tmp_t:$3 $2; + ') ') define(`files_create_private_tmp_data_depend',` -type tmp_t; -class dir { getattr search read write add_name }; + type tmp_t; + + class dir { getattr search read write add_name }; ') ######################################## 
@@ -721,21 +801,23 @@ class dir { getattr search read write add_name }; # files_remove_all_tmp_data(domain) # define(`files_remove_all_tmp_data',` -requires_block_template(`$0'_depend) -allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir }; -allow $1 tmpfile:file { getattr unlink }; -allow $1 tmpfile:lnk_file { getattr unlink }; -allow $1 tmpfile:fifo_file { getattr unlink }; -allow $1 tmpfile:sock_file { getattr unlink }; + requires_block_template(`$0'_depend) + + allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir }; + allow $1 tmpfile:file { getattr unlink }; + allow $1 tmpfile:lnk_file { getattr unlink }; + allow $1 tmpfile:fifo_file { getattr unlink }; + allow $1 tmpfile:sock_file { getattr unlink }; ') define(`files_remove_all_tmp_data_depend',` -attribute tmpfile; -class dir { getattr search read write add_name remove_name rmdir }; -class file { getattr unlink }; -class lnk_file { getattr unlink }; -class fifo_file { getattr unlink }; -class sock_file { getattr unlink }; + attribute tmpfile; + + class dir { getattr search read write add_name remove_name rmdir }; + class file { getattr unlink }; + class lnk_file { getattr unlink }; + class fifo_file { getattr unlink }; + class sock_file { getattr unlink }; ') ######################################## @@ -743,13 +825,15 @@ class sock_file { getattr unlink }; # files_search_general_application_resources_dir(domain) # define(`files_search_general_application_resources_dir',` -requires_block_template(`$0'_depend) -allow $1 usr_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 usr_t:dir search; ') define(`files_search_general_application_resources_dir_depend',` -type usr_t; -class dir search; + type usr_t; + + class dir search; ') ######################################## 
@@ -757,16 +841,18 @@ class dir search; # files_read_general_application_resources(domain) # define(`files_read_general_application_resources',` -requires_block_template(`$0'_depend) -allow $1 usr_t:dir { getattr search read }; -allow $1 usr_t:{ file lnk_file } { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 usr_t:dir { getattr search read }; + allow $1 usr_t:{ file lnk_file } { getattr read }; ') define(`files_read_general_application_resources_depend',` -type usr_t; -class dir { getattr search read }; -class file { getattr read }; -class lnk_file { getattr read }; + type usr_t; + + class dir { getattr search read }; + class file { getattr read }; + class lnk_file { getattr read }; ') ######################################## @@ -781,18 +867,20 @@ class lnk_file { getattr read }; ## # define(`files_execute_system_source_code_scripts',` -requires_block_template(`$0'_depend) -allow $1 usr_t:dir search; -allow $1 src_t:dir { getattr search read }; -allow $1 src_t:lnk_file { getattr read }; -allow $1 src_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 usr_t:dir search; + allow $1 src_t:dir { getattr search read }; + allow $1 src_t:lnk_file { getattr read }; + allow $1 src_t:file { getattr read execute execute_no_trans }; ') define(`files_read_system_source_code_depend',` -type usr_t, src_t; -class dir { getattr search read }; -class file { getattr read execute execute_no_trans }; -class lnk_file { getattr read }; + type usr_t, src_t; + + class dir { getattr search read }; + class file { getattr read execute execute_no_trans }; + class lnk_file { getattr read }; ') ######################################## 
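Review bot: The depend block for `files_execute_system_source_code_scripts` is named `files_read_system_source_code_depend`, the same name the next hunk defines for files_read_system_source_code, and since m4 replaces an earlier definition with a later one of the same name, the execute interface ends up with no `_depend` macro of its own while its `execute execute_no_trans` declarations are shadowed by the read-only variant's `class file { getattr read }`. The define line should read `define(`files_execute_system_source_code_scripts_depend',`.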
@@ -800,17 +888,19 @@ class lnk_file { getattr read }; # files_read_system_source_code(domain) # define(`files_read_system_source_code',` -requires_block_template(`$0'_depend) -allow $1 usr_t:dir search; -allow $1 src_t:dir { getattr search read }; -allow $1 src_t:{ file lnk_file } { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 usr_t:dir search; + allow $1 src_t:dir { getattr search read }; + allow $1 src_t:{ file lnk_file } { getattr read }; ') define(`files_read_system_source_code_depend',` -type usr_t, src_t; -class dir { getattr search read }; -class file { getattr read }; -class lnk_file { getattr read }; + type usr_t, src_t; + + class dir { getattr search read }; + class file { getattr read }; + class lnk_file { getattr read }; ') ######################################## @@ -818,13 +908,15 @@ class lnk_file { getattr read }; # files_search_system_state_data_directory(domain) # define(`files_search_system_state_data_directory',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; ') define(`files_search_system_state_data_directory_depend',` -type var_t; -class dir search; + type var_t; + + class dir search; ') ######################################## @@ -832,13 +924,15 @@ class dir search; # files_ignore_search_system_state_data_directory(domain) # define(`files_ignore_search_system_state_data_directory',` -requires_block_template(`$0'_depend) -dontaudit $1 var_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 var_t:dir search; ') define(`files_ignore_search_system_state_data_directory_depend',` -type var_t; -class dir search; + type var_t; + + class dir search; ') ######################################## 
@@ -846,16 +940,18 @@ class dir search; # files_manage_pseudorandom_saved_seed(domain) # define(`files_manage_pseudorandom_saved_seed',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_lib_t:dir { getattr search read write add_name remove_name }; -allow $1 var_lib_t:file { getattr create read write setattr unlink }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_lib_t:dir { getattr search read write add_name remove_name }; + allow $1 var_lib_t:file { getattr create read write setattr unlink }; ') define(`files_manage_pseudorandom_saved_seed_depend',` -type var_t, var_lib_t; -class dir { getattr search read write add_name remove_name }; -class file { getattr create read write setattr unlink }; + type var_t, var_lib_t; + + class dir { getattr search read write add_name remove_name }; + class file { getattr create read write setattr unlink }; ') ######################################## @@ -863,15 +959,17 @@ class file { getattr create read write setattr unlink }; # files_get_system_lock_file_attributes(domain) # define(`files_get_system_lock_file_attributes',` -requires_block_template(`$0'_depend) -allow $1 var_lock_t:dir { getattr search read }; -allow $1 var_lock_t:file getattr; + requires_block_template(`$0'_depend) + + allow $1 var_lock_t:dir { getattr search read }; + allow $1 var_lock_t:file getattr; ') define(`files_get_system_lock_file_attributes_depend',` -type var_lock_t; -class dir { getattr search read }; -class file getattr; + type var_lock_t; + + class dir { getattr search read }; + class file getattr; ') ######################################## 
@@ -879,15 +977,17 @@ class file getattr; # files_manage_system_lock_files(domain) # define(`files_manage_system_lock_files',` -requires_block_template(`$0'_depend) -allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; -allow $1 var_lock_t:file { getattr create read write setattr unlink }; + requires_block_template(`$0'_depend) + + allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; + allow $1 var_lock_t:file { getattr create read write setattr unlink }; ') define(`files_manage_system_lock_files_depend',` -type var_lock_t; -class dir { getattr search create read write setattr add_name remove_name rmdir }; -class file { getattr create read write setattr unlink }; + type var_lock_t; + + class dir { getattr search create read write setattr add_name remove_name rmdir }; + class file { getattr create read write setattr unlink }; ') ######################################## @@ -895,15 +995,17 @@ class file { getattr create read write setattr unlink }; # files_remove_all_lock_files(domain) # define(`files_remove_all_lock_files',` -requires_block_template(`$0'_depend) -allow $1 lockfile:dir { getattr search read write add_name remove_name }; -allow $1 lockfile:file { getattr unlink }; + requires_block_template(`$0'_depend) + + allow $1 lockfile:dir { getattr search read write add_name remove_name }; + allow $1 lockfile:file { getattr unlink }; ') define(`files_remove_all_lock_files_depend',` -attribute lockfile; -class dir { getattr search read write add_name remove_name }; -class file { getattr unlink }; + attribute lockfile; + + class dir { getattr search read write add_name remove_name }; + class file { getattr unlink }; ') ######################################## 
@@ -911,19 +1013,22 @@ class file { getattr unlink }; # files_create_private_lock_file(domain,private_type,[object class(es)]) # define(`files_create_private_lock_file',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_lock_t:dir { getattr search read write add_name remove_name }; -ifelse(`$3',`',` -type_transition $1 var_lock_t:file $2; -',` -type_transition $1 var_lock_t:$3 $2; -') + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_lock_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 var_lock_t:file $2; + ',` + type_transition $1 var_lock_t:$3 $2; + ') ') define(`files_create_private_lock_file_depend',` -type var_t, var_lock_t; -class dir { getattr search read write add_name }; + type var_t, var_lock_t; + + class dir rw_dir_perms; ') ######################################## @@ -931,14 +1036,16 @@ class dir { getattr search read write add_name }; # files_search_runtime_data_directory(domain) # define(`files_search_runtime_data_directory',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_run_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_run_t:dir search; ') define(`files_search_runtime_data_directory_depend',` -type var_t, var_run_t; -class dir search; + type var_t, var_run_t; + + class dir search; ') ######################################## @@ -946,13 +1053,15 @@ class dir search; # files_ignore_search_runtime_data_directory(domain) # define(`files_ignore_search_runtime_data_directory',` -requires_block_template(`$0'_depend) -allow $1 var_run_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 var_run_t:dir search; ') define(`files_ignore_search_runtime_data_directory_depend',` -type var_run_t; -class dir search; + type var_run_t; + + class dir search; ') ######################################## 
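Review bot: The `_depend` block of `files_create_private_lock_file` now requires `class dir rw_dir_perms` and the body grants `allow $1 var_lock_t:dir rw_dir_perms;`, whereas the old body granted an explicit set and the old requires block omitted `remove_name` that the body used; the rewrite is at least self-consistent. Whether it is a pure cleanup or also widens what a "create lock file" caller may do on `var_lock_t` directories depends on the definition of `rw_dir_perms`, which is not on this page — worth confirming it does not add more than the previous `{ getattr search read write add_name remove_name }`. The same substitution is made in `files_create_daemon_runtime_data` in the following hunk. A one-line comment above the allow, `# rw_dir_perms so the caller can create and later unlink its own lock file`, would record the intent.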
@@ -960,14 +1069,16 @@ class dir search; # files_read_runtime_data_directory(domain) # define(`files_read_runtime_data_directory',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_run_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_run_t:dir { getattr search read }; ') define(`files_read_runtime_data_directory_depend',` -type var_t, var_run_t; -class dir { getattr search read }; + type var_t, var_run_t; + + class dir { getattr search read }; ') ######################################## @@ -975,19 +1086,22 @@ class dir { getattr search read }; # files_create_daemon_runtime_data(domain,pidfile,[object class(es)]) # define(`files_create_daemon_runtime_data',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_run_t:dir { getattr search read write add_name remove_name }; -ifelse(`$3',`',` -type_transition $1 var_run_t:file $2; -',` -type_transition $1 var_run_t:$3 $2; -') dnl end ifelse + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_run_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 var_run_t:file $2; + ',` + type_transition $1 var_run_t:$3 $2; + ') ') define(`files_create_daemon_runtime_data_depend',` -type var_t, var_run_t; -class dir { getattr search read write add_name remove_name }; + type var_t, var_run_t; + + class dir rw_dir_perms; ') ######################################## 
@@ -995,16 +1109,18 @@ class dir { getattr search read write add_name remove_name }; # files_modify_system_runtime_data(domain) # define(`files_modify_system_runtime_data',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_run_t:dir { getattr search read }; -allow $1 var_run_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_run_t:dir { getattr search read }; + allow $1 var_run_t:file { getattr read write }; ') define(`files_modify_system_runtime_data_depend',` -type var_t, var_run_t; -class dir { getattr search read }; -class file { getattr read write }; + type var_t, var_run_t; + + class dir { getattr search read }; + class file { getattr read write }; ') ######################################## @@ -1020,13 +1136,15 @@ class file { getattr read write }; # define(`files_ignore_write_all_daemon_runtime_data',` -requires_block_template(`$0'_depend) -dontaudit $1 pidfile:file write; + requires_block_template(`$0'_depend) + + dontaudit $1 pidfile:file write; ') define(`files_ignore_write_all_daemon_runtime_data_depend',` -attribute pidfile; -class file write; + attribute pidfile; + + class file write; ') ######################################## @@ -1042,13 +1160,15 @@ class file write; # define(`files_ignore_ioctl_all_daemon_runtime_data',` -requires_block_template(`$0'_depend) -dontaudit $1 pidfile:file ioctl; + requires_block_template(`$0'_depend) + + dontaudit $1 pidfile:file ioctl; ') define(`files_ignore_ioctl_all_daemon_runtime_data_depend',` -attribute pidfile; -class file ioctl; + attribute pidfile; + + class file ioctl; ') ######################################## 
@@ -1056,17 +1176,19 @@ class file ioctl; # files_read_all_daemon_runtime_data(domain) # define(`files_read_all_daemon_runtime_data',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 pidfile:dir r_dir_perms; -allow $1 pidfile:file r_file_perms; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 pidfile:dir r_dir_perms; + allow $1 pidfile:file r_file_perms; ') define(`files_read_all_daemon_runtime_data_depend',` -attribute pidfile; -type var_t; -class dir r_dir_perms; -class file r_file_perms; + attribute pidfile; + + type var_t; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1074,22 +1196,25 @@ class file r_file_perms; # files_remove_all_daemon_runtime_data(domain) # define(`files_remove_all_daemon_runtime_data',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink }; -allow $1 var_run_t:dir rmdir; -allow $1 pidfile:dir { getattr search read write add_name remove_name }; -allow $1 pidfile:file { getattr unlink }; -allow $1 pidfile:sock_file { getattr unlink }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink }; + allow $1 var_run_t:dir rmdir; + allow $1 pidfile:dir rw_dir_perms; + allow $1 pidfile:file { getattr unlink }; + allow $1 pidfile:sock_file { getattr unlink }; ') define(`files_remove_all_daemon_runtime_data_depend',` -attribute pidfile; -type var_t, var_run_t; -class dir { getattr search read write add_name remove_name rmdir }; -class file { getattr unlink }; -class lnk_file { getattr unlink }; -class sock_file { getattr unlink }; + attribute pidfile; + + type var_t, var_run_t; + + class dir rw_dir_perms; + class file { getattr unlink }; + class lnk_file { getattr unlink }; + class sock_file { getattr unlink }; ') ######################################## 
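Review bot: `files_remove_all_daemon_runtime_data_depend` drops `rmdir` from `class dir` by replacing the explicit list with `class dir rw_dir_perms;`, but the interface body still contains `allow $1 var_run_t:dir rmdir;`. Unless `rw_dir_perms` itself includes `rmdir` (its definition is not on this page), the requires block no longer declares a permission the body uses, and the dependency tracking that `requires_block_template` exists for becomes incomplete. The safe form is `class dir { rw_dir_perms rmdir };` in the depend block, or equivalently keeping `rmdir` listed alongside the macro.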
@@ -1097,14 +1222,16 @@ class sock_file { getattr unlink }; # files_search_system_spool_directory(domain) # define(`files_search_system_spool_directory',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_spool_t:dir search; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_spool_t:dir search; ') define(`files_search_system_spool_directory_depend',` -type var_t, var_spool_t; -class dir search; + type var_t, var_spool_t; + + class dir search; ') ######################################## @@ -1112,14 +1239,16 @@ class dir search; # files_read_system_spool_directory(domain) # define(`files_read_system_spool_directory',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_spool_t:dir { getattr search read }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_spool_t:dir { getattr search read }; ') define(`files_read_system_spool_directory_depend',` -type var_t, var_spool_t; -class dir { getattr search read }; + type var_t, var_spool_t; + + class dir { getattr search read }; ') ######################################## @@ -1127,16 +1256,18 @@ class dir { getattr search read }; # files_read_system_spools(domain) # define(`files_read_system_spools',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_spool_t:dir { getattr search read }; -allow $1 var_spool_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_spool_t:dir { getattr search read }; + allow $1 var_spool_t:file { getattr read }; ') define(`files_read_system_spools_depend',` -type var_t, var_spool_t; -class dir { getattr search read }; -class file { getattr read }; + type var_t, var_spool_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -1144,16 +1275,18 @@ class file { getattr read }; # files_manage_system_spools(domain) # define(`files_manage_system_spools',` -requires_block_template(`$0'_depend) -allow $1 var_t:dir search; -allow $1 var_spool_t:dir { getattr search read write add_name remove_name }; -allow $1 var_spool_t:file { getattr create read write append unlink setattr }; + requires_block_template(`$0'_depend) + + allow $1 var_t:dir search; + allow $1 var_spool_t:dir { getattr search read write add_name remove_name }; + allow $1 var_spool_t:file { getattr create read write append unlink setattr }; ') define(`files_manage_system_spools_depend',` -type var_t, var_spool_t; -class dir { getattr search read write add_name remove_name }; -class file { getattr create read write append unlink setattr }; + type var_t, var_spool_t; + + class dir { getattr search read write add_name remove_name }; + class file { getattr create read write append unlink setattr }; ') ## diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index 8f7fa56..ce27732 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if 
@@ -4,23 +4,26 @@ # getty_transition(domain) # define(`getty_transition',` -requires_block_template(`$0'_depend) -allow $1 getty_exec_t:file { getattr read execute }; -allow $1 getty_t:process transition; -type_transition $1 getty_exec_t:process getty_t; -dontaudit $1 getty_t:process { noatsecure siginh rlimitinh }; -allow $1 getty_t:fd use; -allow getty_t $1:fd use; -allow getty_t $1:fifo_file rw_file_perms; -allow getty_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 getty_exec_t:file { getattr read execute }; + allow $1 getty_t:process transition; + type_transition $1 getty_exec_t:process getty_t; + dontaudit $1 getty_t:process { noatsecure siginh rlimitinh }; + + allow $1 getty_t:fd use; + allow getty_t $1:fd use; + allow getty_t $1:fifo_file rw_file_perms; + allow getty_t $1:process sigchld; ') define(`getty_transition_depend',` -type getty_t, getty_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type getty_t, getty_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### @@ -28,13 +31,15 @@ class fifo_file rw_file_perms; # getty_read_log_file(domain) # define(`getty_read_log_file',` -requires_block_template(`$0'_depend) -allow $1 getty_log_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 getty_log_t:file { getattr read }; ') define(`getty_read_log_file_depend',` -type getty_log_t; -class file { getattr read }; + type getty_log_t; + + class file { getattr read }; ') ####################################### 
@@ -42,13 +47,15 @@ class file { getattr read }; # getty_read_config_file(domain) # define(`getty_read_config_file',` -requires_block_template(`$0'_depend) -allow $1 getty_etc_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 getty_etc_t:file { getattr read }; ') define(`getty_read_config_file_depend',` -type getty_etc_t; -class file { getattr read }; + type getty_etc_t; + + class file { getattr read }; ') ####################################### @@ -56,11 +63,13 @@ class file { getattr read }; # getty_modify_config_file(domain) # define(`getty_modify_config_file',` -requires_block_template(`$0'_depend) -allow $1 getty_etc_t:file { getattr read write }; + requires_block_template(`$0'_depend) + + allow $1 getty_etc_t:file { getattr read write }; ') define(`getty_modify_config_file_depend',` -type getty_etc_t; -class file { getattr read write }; + type getty_etc_t; + + class file { getattr read write }; ') diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index e0b3885..a1144fd 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if 
@@ -14,23 +14,26 @@ ## # define(`hostname_transition',` -requires_block_template(`$0'_depend) -allow $1 hostname_exec_t:file { getattr read execute }; -allow $1 hostname_t:process transition; -type_transition $1 hostname_exec_t:process hostname_t; -dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh }; -allow $1 hostname_t:fd use; -allow hostname_t $1:fd use; -allow hostname_t $1:fifo_file rw_file_perms; -allow hostname_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 hostname_exec_t:file { getattr read execute }; + allow $1 hostname_t:process transition; + type_transition $1 hostname_exec_t:process hostname_t; + dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh }; + + allow $1 hostname_t:fd use; + allow hostname_t $1:fd use; + allow hostname_t $1:fifo_file rw_file_perms; + allow hostname_t $1:process sigchld; ') define(`hostname_transition_depend',` -type hostname_t, hostname_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type hostname_t, hostname_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -53,15 +56,17 @@ class fifo_file rw_file_perms; ## # define(`hostname_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -hostname_transition($1) -role $2 types hostname_t; -allow hostname_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + hostname_transition($1) + role $2 types hostname_t; + allow hostname_t $3:chr_file { getattr read write ioctl }; ') define(`hostname_transition_add_role_use_terminal_depend',` -type hostname_t; -class chr_file { getattr read write ioctl }; + type hostname_t; + + class chr_file { getattr read write ioctl }; ') ####################################### 
@@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl }; # hostname_execute(domain) # define(`hostname_execute',` -requires_block_template(`$0'_depend) -allow $1 hostname_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 hostname_exec_t:file { getattr read execute execute_no_trans }; ') define(`hostname_execute_depend',` -type hostname_exec_t; -class file { getattr read execute execute_no_trans }; + type hostname_exec_t; + + class file { getattr read execute execute_no_trans }; ') ## diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index a519b58..4656474 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te 
@@ -55,36 +55,36 @@ miscfiles_read_localization(hostname_t) userdomain_use_all_users_file_descriptors(hostname_t) tunable_policy(`distro_redhat', ` -filesystem_use_tmpfs_character_devices(hostname_t) + filesystem_use_tmpfs_character_devices(hostname_t) ') tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(hostname_t) -terminal_ignore_use_general_pseudoterminal(hostname_t) -files_ignore_read_rootfs_file(hostname_t) -')dnl end targeted_policy tunable + terminal_ignore_use_general_physical_terminal(hostname_t) + terminal_ignore_use_general_pseudoterminal(hostname_t) + files_ignore_read_rootfs_file(hostname_t) +') tunable_policy(`use_dns',` -allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; -corenetwork_sendrecv_udp_on_all_interfaces(hostname_t) -corenetwork_sendrecv_raw_on_all_interfaces(hostname_t) -corenetwork_sendrecv_udp_on_all_nodes(hostname_t) -corenetwork_sendrecv_raw_on_all_nodes(hostname_t) -corenetwork_bind_udp_on_all_nodes(hostname_t) -corenetwork_sendrecv_udp_on_dns_port(hostname_t) -sysnetwork_read_network_config(hostname_t) + allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + corenetwork_sendrecv_udp_on_all_interfaces(hostname_t) + corenetwork_sendrecv_raw_on_all_interfaces(hostname_t) + corenetwork_sendrecv_udp_on_all_nodes(hostname_t) + corenetwork_sendrecv_raw_on_all_nodes(hostname_t) + corenetwork_bind_udp_on_all_nodes(hostname_t) + corenetwork_sendrecv_udp_on_dns_port(hostname_t) + sysnetwork_read_network_config(hostname_t) ') optional_policy(`hotplug.te',` -hotplug_ignore_use_file_descriptors(hostname_t) + hotplug_ignore_use_file_descriptors(hostname_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(hostname_t) + selinux_newrole_sigchld(hostname_t) ') optional_policy(`udev.te', ` -udev_read_database(hostname_t) + udev_read_database(hostname_t) ') ifdef(`TODO',` 
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 16244ed..dfea44f 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -9,23 +9,26 @@ # hotplug_transition(domain) # define(`hotplug_transition',` -requires_block_template(`$0'_depend) -allow $1 hotplug_exec_t:file { getattr read execute }; -allow $1 hotplug_t:process transition; -type_transition $1 hotplug_exec_t:process hotplug_t; -dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh }; -allow $1 hotplug_t:fd use; -allow hotplug_t $1:fd use; -allow hotplug_t $1:fifo_file rw_file_perms; -allow hotplug_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 hotplug_exec_t:file { getattr read execute }; + allow $1 hotplug_t:process transition; + type_transition $1 hotplug_exec_t:process hotplug_t; + dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh }; + + allow $1 hotplug_t:fd use; + allow hotplug_t $1:fd use; + allow hotplug_t $1:fifo_file rw_file_perms; + allow hotplug_t $1:process sigchld; ') define(`hotplug_transition_depend',` -type hotplug_t, hotplug_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type hotplug_t, hotplug_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### 
@@ -33,13 +36,15 @@ class fifo_file rw_file_perms; # hotplug_execute(domain) # define(`hotplug_execute',` -requires_block_template(`$0'_depend) -allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans }; ') define(`hotplug_execute_depend',` -type hotplug_t; -class file { getattr read execute execute_no_trans }; + type hotplug_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### @@ -47,13 +52,15 @@ class file { getattr read execute execute_no_trans }; # hotplug_use_file_descriptors(domain) # define(`hotplug_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 hotplug_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 hotplug_t:fd use; ') define(`hotplug_use_file_descriptors_depend',` -type hotplug_t; -class fd use; + type hotplug_t; + + class fd use; ') ####################################### @@ -61,13 +68,15 @@ class fd use; # hotplug_ignore_use_file_descriptors(domain) # define(`hotplug_ignore_use_file_descriptors',` -requires_block_template(`$0'_depend) -dontaudit $1 hotplug_t:fd use; + requires_block_template(`$0'_depend) + + dontaudit $1 hotplug_t:fd use; ') define(`hotplug_ignore_use_file_descriptors_depend',` -type hotplug_t; -class fd use; + type hotplug_t; + + class fd use; ') ######################################## @@ -75,13 +84,15 @@ class fd use; # hotplug_ignore_search_config_directory(domain) # define(`hotplug_ignore_search_config_directory',` -requires_block_template(`$0'_depend) -dontaudit $1 hotplug_etc_t:dir search; + requires_block_template(`$0'_depend) + + dontaudit $1 hotplug_etc_t:dir search; ') define(`hotplug_ignore_search_config_directory_depend',` -type hotplug_etc_t; -class dir search; + type hotplug_etc_t; + + class dir search; ') ######################################## 
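Review bot: `hotplug_execute_depend` declares `type hotplug_t;` while the body of `hotplug_execute` references only `hotplug_exec_t`, so the requires block names the wrong type; the commit re-indents these lines but leaves the mismatch in place. The sibling interface `hostname_execute_depend` elsewhere in this diff declares `type hostname_exec_t;`, which is the pattern expected here. Change the line to `type hotplug_exec_t;`.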
@@ -96,18 +107,20 @@ class dir search; ## # define(`hotplug_read_config',` -requires_block_template(`$0'_depend) -files_search_general_system_config_directory($1) -allow $1 hotplug_etc_t:file { read getattr lock ioctl }; -allow $1 hotplug_etc_t:dir { read getattr lock search ioctl }; -allow $1 hotplug_etc_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + files_search_general_system_config_directory($1) + allow $1 hotplug_etc_t:file { read getattr lock ioctl }; + allow $1 hotplug_etc_t:dir { read getattr lock search ioctl }; + allow $1 hotplug_etc_t:lnk_file { getattr read }; ') define(`hotplug_read_config_depend',` -type hotplug_etc_t; -class file { read getattr lock ioctl }; -class dir { read getattr lock search ioctl }; -class lnk_file { getattr read }; + type hotplug_etc_t; + + class file { read getattr lock ioctl }; + class dir { read getattr lock search ioctl }; + class lnk_file { getattr read }; ') ## diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 6d15da1..a80fa32 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te 
@@ -109,60 +109,60 @@ sysnetwork_read_network_config(hotplug_t) userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t) tunable_policy(`distro_redhat', ` -optional_policy(`netutils.te', ` -# for arping used for static IP addresses on PCMCIA ethernet -netutils_transition(hotplug_t) -filesystem_use_tmpfs_character_devices(hotplug_t) -') dnl endif netutils optional -files_get_system_lock_file_attributes(hotplug_t) -')dnl end distro_redhat tunable + optional_policy(`netutils.te', ` + # for arping used for static IP addresses on PCMCIA ethernet + netutils_transition(hotplug_t) + filesystem_use_tmpfs_character_devices(hotplug_t) + ') + files_get_system_lock_file_attributes(hotplug_t) +') tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(hotplug_t) -terminal_ignore_use_general_pseudoterminal(hotplug_t) -files_ignore_read_rootfs_file(hotplug_t) + terminal_ignore_use_general_physical_terminal(hotplug_t) + terminal_ignore_use_general_pseudoterminal(hotplug_t) + files_ignore_read_rootfs_file(hotplug_t) ') optional_policy(`consoletype.te',` -consoletype_transition(hotplug_t) + consoletype_transition(hotplug_t) ') optional_policy(`hostname.te',` -hostname_execute(hotplug_t) + hostname_execute(hotplug_t) ') optional_policy(`iptables.te',` -iptables_transition(hotplug_t) + iptables_transition(hotplug_t) ') optional_policy(`mta.te', ` -mta_send_mail(hotplug_t) + mta_send_mail(hotplug_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(hotplug_t) + selinux_newrole_sigchld(hotplug_t) ') optional_policy(`sysnetwork.te',` -sysnetwork_ifconfig_transition(hotplug_t) + sysnetwork_ifconfig_transition(hotplug_t) ') optional_policy(`udev.te', ` -udev_transition(hotplug_t) -udev_read_database(hotplug_t) + udev_transition(hotplug_t) + udev_read_database(hotplug_t) ') optional_policy(`updfstab.te', ` -updfstab_transition(hotplug_t) + updfstab_transition(hotplug_t) ') ifdef(`TODO',` allow hotplug_t autofs_t:dir { search getattr }; 
dontaudit hotplug_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` -allow hotplug_t rhgb_t:process sigchld; -allow hotplug_t rhgb_t:fd use; -allow hotplug_t rhgb_t:fifo_file { read write }; + allow hotplug_t rhgb_t:process sigchld; + allow hotplug_t rhgb_t:fd use; + allow hotplug_t rhgb_t:fifo_file { read write }; ') allow kernel_t hotplug_etc_t:dir search; @@ -180,20 +180,20 @@ dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; optional_policy(`hald.te', ` -allow hotplug_t hald_t:unix_dgram_socket sendto; + allow hotplug_t hald_t:unix_dgram_socket sendto; ') # this goes to hald: optional_policy(`hotplug.te',` -allow hald_t hotplug_etc_t:dir search; -allow hald_t hotplug_etc_t:file { getattr read }; + allow hald_t hotplug_etc_t:dir search; + allow hald_t hotplug_etc_t:file { getattr read }; ') optional_policy(`fsadm.te', ` -domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) + domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) ') optional_policy(`lpd.te', ` -allow hotplug_t printer_device_t:chr_file setattr; + allow hotplug_t printer_device_t:chr_file setattr; ') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index e419b3b..8181116 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if 
@@ -126,23 +126,26 @@ define(`init_make_system_domain_depend',` # init_transition(domain) # define(`init_transition',` -requires_block_template(`$0'_depend) -allow $1 init_exec_t:file { getattr read execute }; -allow $1 init_t:process transition; -type_transition $1 init_exec_t:process init_t; -dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; -allow $1 init_t:fd use; -allow init_t $1:fd use; -allow init_t $1:fifo_file rw_file_perms; -allow init_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 init_exec_t:file { getattr read execute }; + allow $1 init_t:process transition; + type_transition $1 init_exec_t:process init_t; + dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; + + allow $1 init_t:fd use; + allow init_t $1:fd use; + allow init_t $1:fifo_file rw_file_perms; + allow init_t $1:process sigchld; ') define(`init_transition_depend',` -type init_t, init_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type init_t, init_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -150,13 +153,15 @@ class fifo_file rw_file_perms; # init_get_process_group(domain) # define(`init_get_process_group',` -requires_block_template(`$0'_depend) -allow $1 init_t:process getpgid; + requires_block_template(`$0'_depend) + + allow $1 init_t:process getpgid; ') define(`init_get_process_group_depend',` -type init_t; -class process getpgid; + type init_t; + + class process getpgid; ') ######################################## 
@@ -164,13 +169,15 @@ class process getpgid; # init_get_control_channel_attributes(domain) # define(`init_get_control_channel_attributes',` -requires_block_template(`$0'_depend) -allow $1 initctl_t:fifo_file getattr; + requires_block_template(`$0'_depend) + + allow $1 initctl_t:fifo_file getattr; ') define(`init_get_control_channel_attributes_depend',` -type initctl_t; -class fifo_file getattr; + type initctl_t; + + class fifo_file getattr; ') ######################################## @@ -178,13 +185,15 @@ class fifo_file getattr; # init_ignore_get_control_channel_attributes(domain) # define(`init_ignore_get_control_channel_attributes',` -requires_block_template(`$0'_depend) -dontaudit $1 initctl_t:fifo_file getattr; + requires_block_template(`$0'_depend) + + dontaudit $1 initctl_t:fifo_file getattr; ') define(`init_get_control_channel_attributes_depend',` -type initctl_t; -class fifo_file getattr; + type initctl_t; + + class fifo_file getattr; ') ######################################## @@ -192,14 +201,16 @@ class fifo_file getattr; # init_use_control_channel(domain) # define(`init_use_control_channel',` -requires_block_template(`$0'_depend) -allow $1 initctl_t:fifo_file { getattr read write }; -devices_list_device_nodes($1) + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + allow $1 initctl_t:fifo_file { getattr read write }; ') define(`init_use_control_channel_depend',` -type initctl_t; -class fifo_file { getattr read write }; + type initctl_t; + + class fifo_file { getattr read write }; ') ######################################## 
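Review bot: The depend macro that follows `init_ignore_get_control_channel_attributes` is defined under the name `init_get_control_channel_attributes_depend`, the same name the previous interface's depend block already uses, so `requires_block_template` in the ignore interface expands an undefined `init_ignore_get_control_channel_attributes_depend` and the second define silently replaces the first. The two bodies happen to be identical today, which hides the problem, but the ignore interface has no requires block of its own. Rename the define to `init_ignore_get_control_channel_attributes_depend`.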
@@ -207,13 +218,15 @@ class fifo_file { getattr read write }; # init_ignore_use_control_channel(domain) # define(`init_ignore_use_control_channel',` -requires_block_template(`$0'_depend) -dontaudit $1 initctl_t:fifo_file { read write }; + requires_block_template(`$0'_depend) + + dontaudit $1 initctl_t:fifo_file { read write }; ') define(`init_ignore_use_control_channel_depend',` -type initctl_t; -class fifo_file { read write }; + type initctl_t; + + class fifo_file { read write }; ') ######################################## @@ -221,13 +234,15 @@ class fifo_file { read write }; # init_sigchld(domain) # define(`init_sigchld',` -requires_block_template(`$0'_depend) -allow $1 init_t:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 init_t:process sigchld; ') define(`init_sigchld_depend',` -type init_t; -class process sigchld; + type init_t; + + class process sigchld; ') ######################################## @@ -235,13 +250,15 @@ class process sigchld; # init_use_file_descriptors(domain) # define(`init_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 init_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 init_t:fd use; ') define(`init_use_file_descriptors_depend',` -type init_t; -class fd use; + type init_t; + + class fd use; ') ######################################## @@ -249,13 +266,15 @@ class fd use; # init_ignore_use_file_descriptors(domain) # define(`init_ignore_use_file_descriptors',` -requires_block_template(`$0'_depend) -dontaudit $1 init_t:fd use; + requires_block_template(`$0'_depend) + + dontaudit $1 init_t:fd use; ') define(`init_ignore_use_file_descriptors_depend',` -type init_t; -class fd use; + type init_t; + + class fd use; ') ######################################## 
@@ -263,23 +282,26 @@ class fd use; # init_script_transition(domain) # define(`init_script_transition',` -requires_block_template(`$0'_depend) -allow $1 initrc_exec_t:file { getattr read execute }; -allow $1 initrc_t:process transition; -type_transition $1 initrc_exec_t:process init_t; -dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; -allow $1 initrc_t:fd use; -allow initrc_t $1:fd use; -allow initrc_t $1:fifo_file rw_file_perms; -allow initrc_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 initrc_exec_t:file { getattr read execute }; + allow $1 initrc_t:process transition; + type_transition $1 initrc_exec_t:process init_t; + dontaudit $1 init_t:process { noatsecure siginh rlimitinh }; + + allow $1 initrc_t:fd use; + allow initrc_t $1:fd use; + allow initrc_t $1:fifo_file rw_file_perms; + allow initrc_t $1:process sigchld; ') define(`init_script_transition_depend',` -type initrc_t, initrc_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type initrc_t, initrc_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -287,13 +309,15 @@ class fifo_file rw_file_perms; # init_script_execute(domain) # define(`init_script_execute',` -requires_block_template(`$0'_depend) -allow $1 initrc_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 initrc_exec_t:file { getattr read execute execute_no_trans }; ') define(`init_script_execute_depend',` -type initrc_exec_t; -class file { getattr read execute execute_no_trans }; + type initrc_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
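Review bot: `init_script_transition` keeps `type_transition $1 initrc_exec_t:process init_t;` and `dontaudit $1 init_t:process { noatsecure siginh rlimitinh };` while its allow rule grants `$1 initrc_t:process transition` and `init_script_transition_depend` declares only `initrc_t, initrc_exec_t`, so the automatic transition targets a domain that is neither allowed nor declared; every other `*_transition` interface in this diff (e.g. `init_transition`) uses the same domain type on all four lines. This looks pre-existing rather than introduced here, but the hunk rewrites these lines. Expected: `type_transition $1 initrc_exec_t:process initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`.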
@@ -308,23 +332,26 @@ class file { getattr read execute execute_no_trans };
 ##
 #
 define(`init_script_read_process_state',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:dir { search getattr read };
-allow $1 initrc_t:{ file lnk_file } { read getattr };
-allow $1 initrc_t:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 initrc_t:process ptrace;
+ requires_block_template(`$0'_depend)
+
+ allow $1 initrc_t:dir { search getattr read };
+ allow $1 initrc_t:{ file lnk_file } { read getattr };
+ allow $1 initrc_t:process getattr;
+
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $1 initrc_t:process ptrace;
 ')
 
 define(`init_script_read_process_state_depend',`
-type initrc_t;
-class dir { search getattr read };
-class file { read getattr };
-class lnk_file { read getattr };
-class process { getattr ptrace };
+ type initrc_t;
+
+ class dir { search getattr read };
+ class file { read getattr };
+ class lnk_file { read getattr };
+ class process { getattr ptrace };
 ')
 
 ########################################
@@ -332,13 +359,15 @@ class process { getattr ptrace };
 # init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:fd use;
+ requires_block_template(`$0'_depend)
+
+ allow $1 initrc_t:fd use;
 ')
 
 define(`init_script_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+ type initrc_t;
+
+ class fd use;
 ')
 
 ########################################
@@ -346,13 +375,15 @@ class fd use;
 # init_script_ignore_use_file_descriptors(domain)
 #
 define(`init_script_ignore_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_t:fd use;
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 initrc_t:fd use;
 ')
 
 define(`init_script_ignore_use_file_descriptors_depend',`
-type initrc_t;
-class fd use;
+ type initrc_t;
+
+ class fd use;
 ')
 
 ########################################
@@ -360,13 +391,15 @@ class fd use;
 # init_script_get_process_group(domain)
 #
 define(`init_script_get_process_group',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_t:process getpgid;
+ requires_block_template(`$0'_depend)
+
+ allow $1 initrc_t:process getpgid;
 ')
 
 define(`init_script_get_process_group_depend',`
-type initrc_t;
-class process getpgid;
+ type initrc_t;
+
+ class process getpgid;
 ')
 
 ########################################
@@ -374,14 +407,16 @@ class process getpgid;
 # init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-terminal_list_pseudoterminals($1)
-allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ terminal_list_pseudoterminals($1)
+ allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
 ')
 
 define(`init_script_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { getattr read write ioctl };
+ type initrc_devpts_t;
+
+ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -389,13 +424,15 @@ class chr_file { getattr read write ioctl };
 # init_script_ignore_use_pseudoterminal(domain)
 #
 define(`init_script_ignore_use_pseudoterminal',`
-requires_block_template(`$0'_depend)
-allow $1 initrc_devpts_t:chr_file { read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ allow $1 initrc_devpts_t:chr_file { read write ioctl };
 ')
 
 define(`init_script_ignore_use_pseudoterminal_depend',`
-type initrc_devpts_t;
-class chr_file { read write ioctl };
+ type initrc_devpts_t;
+
+ class chr_file { read write ioctl };
 ')
 
 ########################################
@@ -410,14 +447,16 @@ class chr_file { read write ioctl };
 ##
 #
 define(`init_script_modify_temporary_data',`
-requires_block_template(`$0'_depend)
-# FIXME: read tmp_t
-allow $1 initrc_tmp_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ # FIXME: read tmp_t
+ allow $1 initrc_tmp_t:file { getattr read write };
 ')
 
 define(`init_script_modify_temporary_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write };
+ type initrc_var_run_t;
+
+ class file { getattr read write };
 ')
 
 ########################################
@@ -425,14 +464,16 @@ class file { getattr read write };
 # init_script_read_runtime_data(domain)
 #
 define(`init_script_read_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read lock };
+ requires_block_template(`$0'_depend)
+
+ files_read_runtime_data_directory($1)
+ allow $1 initrc_var_run_t:file { getattr read lock };
 ')
 
 define(`init_script_read_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read lock };
+ type initrc_var_run_t;
+
+ class file { getattr read lock };
 ')
 
 ########################################
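Review bot: init_script_ignore_use_pseudoterminal grants access with `allow $1 initrc_devpts_t:chr_file { read write ioctl };`, whereas every other `_ignore_` interface in this file (init_ignore_use_file_descriptors, init_script_ignore_use_file_descriptors, init_script_ignore_write_runtime_data, init_script_ignore_modify_runtime_data) uses dontaudit. If the naming convention holds, a caller reaching for this interface to quiet denials instead receives read/write on init script pseudoterminals, which is a real grant rather than a suppressed audit message. The rule should probably read `dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };`; if the allow is intentional, the interface deserves a different name and a comment saying why.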
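Review bot: init_script_modify_temporary_data grants access on initrc_tmp_t, but its _depend block declares `type initrc_var_run_t;`, so the type the rule actually references is never required and an unrelated one is. A module that calls this interface would therefore have initrc_tmp_t missing from its requires block while pulling in initrc_var_run_t for nothing; the re-indent leaves the line as `+ type initrc_var_run_t;` instead of `type initrc_tmp_t;`. The `# FIXME: read tmp_t` comment above the rule could also say what is actually missing, e.g. `# FIXME: callers also need read access to the generic tmp_t directory to reach this file`, though that inference about the intent should be confirmed with the author.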
@@ -440,13 +481,15 @@ class file { getattr read lock };
 # init_script_ignore_write_runtime_data(domain)
 #
 define(`init_script_ignore_write_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { write lock };
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 initrc_var_run_t:file { write lock };
 ')
 
 define(`init_script_ignore_write_runtime_data_depend',`
-type initrc_var_run_t;
-class file { write lock };
+ type initrc_var_run_t;
+
+ class file { write lock };
 ')
 
 ########################################
@@ -454,14 +497,16 @@ class file { write lock };
 # init_script_modify_runtime_data(domain)
 #
 define(`init_script_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-files_read_runtime_data_directory($1)
-allow $1 initrc_var_run_t:file { getattr read write append lock };
+ requires_block_template(`$0'_depend)
+
+ files_read_runtime_data_directory($1)
+ allow $1 initrc_var_run_t:file { getattr read write append lock };
 ')
 
 define(`init_script_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append lock };
+ type initrc_var_run_t;
+
+ class file { getattr read write append lock };
 ')
 
 ########################################
@@ -469,13 +514,15 @@ class file { getattr read write append lock };
 # init_script_ignore_modify_runtime_data(domain)
 #
 define(`init_script_ignore_modify_runtime_data',`
-requires_block_template(`$0'_depend)
-dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 
 define(`init_script_ignore_modify_runtime_data_depend',`
-type initrc_var_run_t;
-class file { getattr read write append };
+ type initrc_var_run_t;
+
+ class file { getattr read write append };
 ')
 
 ##
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 5c06db2..fd7d663 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -13,23 +13,26 @@
 ##
 #
 define(`iptables_transition',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute };
-allow $1 iptables_t:process transition;
-type_transition $1 iptables_exec_t:process iptables_t;
-dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
-allow $1 iptables_t:fd use;
-allow iptables_t $1:fd use;
-allow iptables_t $1:fifo_file rw_file_perms;
-allow iptables_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 iptables_exec_t:file { getattr read execute };
+ allow $1 iptables_t:process transition;
+ type_transition $1 iptables_exec_t:process iptables_t;
+ dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 iptables_t:fd use;
+ allow iptables_t $1:fd use;
+ allow iptables_t $1:fifo_file rw_file_perms;
+ allow iptables_t $1:process sigchld;
 ')
 
 define(`iptables_transition_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type iptables_t, iptables_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`iptables_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-iptables_transition($1)
-role $2 types iptables_t;
-allow iptables_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ iptables_transition($1)
+ role $2 types iptables_t;
+ allow iptables_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`iptables_transition_add_role_use_terminal_depend',`
-type iptables_t;
-class chr_file { getattr read write ioctl };
+ type iptables_t;
+
+ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`iptables_execute',`
-requires_block_template(`$0'_depend)
-allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`iptables_execute_depend',`
-type iptables_t, iptables_exec_t;
-class file { getattr read execute execute_no_trans };
+ type iptables_t, iptables_exec_t;
+
+ class file { getattr read execute execute_no_trans };
 ')
 
 ##
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index adfd2b2..89c8fd2 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -117,10 +117,10 @@ allow iptables_t autofs_t:dir { search getattr };
 can_ypbind(iptables_t)
 
 optional_policy(`gnome-pty-helper.te',`
-allow iptables_t sysadm_gph_t:fd use;
+ allow iptables_t sysadm_gph_t:fd use;
 ')
 
 optional_policy(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
+ allow iptables_t firstboot_t:fifo_file write;
 ')
 ') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index b919848..e88e065 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -13,23 +13,26 @@
 ##
 #
 define(`libraries_ldconfig_transition',`
-requires_block_template(`$0'_depend)
-allow $1 ldconfig_exec_t:file { getattr read execute };
-allow $1 ldconfig_t:process transition;
-type_transition $1 ldconfig_exec_t:process ldconfig_t;
-dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
-allow $1 ldconfig_t:fd use;
-allow ldconfig_t $1:fd use;
-allow ldconfig_t $1:fifo_file rw_file_perms;
-allow ldconfig_t $1:process sigchld;
+ requires_block_template(`$0'_depend)
+
+ allow $1 ldconfig_exec_t:file { getattr read execute };
+ allow $1 ldconfig_t:process transition;
+ type_transition $1 ldconfig_exec_t:process ldconfig_t;
+ dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
+
+ allow $1 ldconfig_t:fd use;
+ allow ldconfig_t $1:fd use;
+ allow ldconfig_t $1:fifo_file rw_file_perms;
+ allow ldconfig_t $1:process sigchld;
 ')
 
 define(`libraries_ldconfig_transition_depend',`
-type ldconfig_t, ldconfig_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh sigchld };
-class fd use;
-class fifo_file rw_file_perms;
+ type ldconfig_t, ldconfig_exec_t;
+
+ class file { getattr read execute };
+ class process { transition noatsecure siginh rlimitinh sigchld };
+ class fd use;
+ class fifo_file rw_file_perms;
 ')
 
 ########################################
@@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
 ##
 #
 define(`libraries_ldconfig_transition_add_role_use_terminal',`
-requires_block_template(`$0'_depend)
-libraries_ldconfig_transition($1)
-role $2 types ldconfig_t;
-allow ldconfig_t $3:chr_file { getattr read write ioctl };
+ requires_block_template(`$0'_depend)
+
+ libraries_ldconfig_transition($1)
+ role $2 types ldconfig_t;
+ allow ldconfig_t $3:chr_file { getattr read write ioctl };
 ')
 
 define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
-type ldconfig_t;
-class chr_file { getattr read write ioctl };
+ type ldconfig_t;
+
+ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
@@ -74,20 +79,22 @@ class chr_file { getattr read write ioctl };
 ##
 #
 define(`libraries_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-allow $1 ld_so_cache_t:file r_file_perms;
+ requires_block_template(`$0'_depend)
+
+ files_read_general_system_config_directory($1)
+ allow $1 lib_t:dir r_dir_perms;
+ allow $1 lib_t:lnk_file r_file_perms;
+ allow $1 ld_so_t:lnk_file r_file_perms;
+ allow $1 ld_so_t:file rx_file_perms;
+ allow $1 ld_so_cache_t:file r_file_perms;
 ')
 
 define(`libraries_use_dynamic_loader_depend',`
-type lib_t, ld_so_t, ld_so_cache_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_file_perms;
+ type lib_t, ld_so_t, ld_so_cache_t;
+
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file rx_file_perms;
 ')
 
 ########################################
@@ -103,15 +110,17 @@ class file rx_file_perms;
 ##
 #
 define(`libraries_legacy_use_dynamic_loader',`
-requires_block_template(`$0'_depend)
-libraries_use_dynamic_loader($1)
-allow $1 ld_so_t:file execmod;
-allow $1 ld_so_cache_t:file execute;
+ requires_block_template(`$0'_depend)
+
+ libraries_use_dynamic_loader($1)
+ allow $1 ld_so_t:file execmod;
+ allow $1 ld_so_cache_t:file execute;
 ')
 
 define(`libraries_legacy_use_dynamic_loader_depend',`
-type ld_so_t, ld_so_cache_t;
-class file { execute execmod };
+ type ld_so_t, ld_so_cache_t;
+
+ class file { execute execmod };
 ')
 
 ########################################
@@ -131,18 +140,20 @@ class file { execute execmod };
 ##
 #
 define(`libraries_execute_dynamic_loader',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 lib_t:dir r_dir_perms;
+ allow $1 lib_t:lnk_file r_file_perms;
+ allow $1 ld_so_t:lnk_file r_file_perms;
+ allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
 ')
 
 define(`libraries_execute_dynamic_loader_depend',`
-type lib_t, ld_so_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file { r_file_perms execute execute_no_trans };
+ type lib_t, ld_so_t;
+
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file { r_file_perms execute execute_no_trans };
 ')
 
 ########################################
@@ -158,14 +169,16 @@ class file { r_file_perms execute execute_no_trans };
 ##
 #
 define(`libraries_modify_dynamic_loader_cache',`
-requires_block_template(`$0'_depend)
-files_read_general_system_config_directory($1)
-allow $1 ld_so_cache_t:file { getattr read write };
+ requires_block_template(`$0'_depend)
+
+ files_read_general_system_config_directory($1)
+ allow $1 ld_so_cache_t:file { getattr read write };
 ')
 
 define(`libraries_modify_dynamic_loader_cache_depend',`
-type ld_so_cache_t;
-class file { getattr read write };
+ type ld_so_cache_t;
+
+ class file { getattr read write };
 ')
 
 ########################################
@@ -181,16 +194,18 @@ class file { getattr read write };
 ##
 #
 define(`libraries_read_library_resources',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:{ file lnk_file } { getattr read };
+ requires_block_template(`$0'_depend)
+
+ allow $1 lib_t:dir { getattr read search };
+ allow $1 lib_t:{ file lnk_file } { getattr read };
 ')
 
 define(`libraries_read_library_resources_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
+ type lib_t;
+
+ class dir { getattr read search };
+ class lnk_file { getattr read };
+ class file { getattr read };
 ')
 
 ########################################
@@ -205,17 +220,19 @@ class file { getattr read };
 ##
 #
 define(`libraries_execute_library_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 lib_t:file { getattr read execute execute_no_trans };
+ requires_block_template(`$0'_depend)
+
+ allow $1 lib_t:dir { getattr read search };
+ allow $1 lib_t:lnk_file { getattr read };
+ allow $1 lib_t:file { getattr read execute execute_no_trans };
 ')
 
 define(`libraries_execute_library_scripts_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+ type lib_t;
+
+ class dir { getattr read search };
+ class lnk_file { getattr read };
+ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
@@ -230,19 +247,21 @@ class file { getattr read execute execute_no_trans };
 ##
 #
 define(`libraries_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-files_search_general_application_resources_dir($1)
-allow $1 lib_t:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
-allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
+ requires_block_template(`$0'_depend)
+
+ files_search_general_application_resources_dir($1)
+ allow $1 lib_t:dir r_dir_perms;
+ allow $1 lib_t:lnk_file r_file_perms;
+ allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
+ allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 ')
 
 define(`libraries_use_shared_libraries_depend',`
-type lib_t, shlib_t, texrel_shlib_t;
-class dir r_dir_perms;
-class lnk_file r_file_perms;
-class file rx_dir_perms;
+ type lib_t, shlib_t, texrel_shlib_t;
+
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file rx_dir_perms;
 ')
 
 ########################################
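Review bot: In libraries_use_shared_libraries_depend the file class is required with `class file rx_dir_perms;`, but the interface body grants `rx_file_perms` on { shlib_t texrel_shlib_t }:file, so the requires block names a directory permission set for a file class and does not cover the permissions the interface actually uses. The second hunk on this line carries it over unchanged as `+ class file rx_dir_perms;`; it should read `class file rx_file_perms;` to mirror the allow rule, as the other _depend blocks in this file do. The first hunk (libraries_execute_library_scripts) is consistent and needs nothing.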
@@ -258,14 +277,16 @@ class file rx_dir_perms;
 ##
 #
 define(`libraries_legacy_use_shared_libraries',`
-requires_block_template(`$0'_depend)
-libraries_use_shared_libraries($1)
-allow $1 { shlib_t texrel_shlib_t }:file execmod;
+ requires_block_template(`$0'_depend)
+
+ libraries_use_shared_libraries($1)
+ allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')
 
 define(`libraries_legacy_use_shared_libraries_depend',`
-type shlib_t, texrel_shlib_t;
-class file execmod;
+ type shlib_t, texrel_shlib_t;
+
+ class file execmod;
 ')
 
 ##
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 4345fa8..bb73e2c 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -80,21 +80,21 @@ ifdef(`TODO',`
 allow ldconfig_t tmp_t:dir search;
 
 ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
+ # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+ dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
 allow ldconfig_t { var_t var_lib_t }:dir search;
 
 ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+ ifdef(`unconfined.te',`
+ dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+ ')
 ')
 
 ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t)
+ allow ldconfig_t lib_t:file r_file_perms;
+ unconfined_domain(ldconfig_t)
 ')
 
 ') dnl end TODO
@@ -4,12 +4,13 @@
 # locallogin_transition(domain)
 #
 define(`locallogin_transition',`
-requires_block_template(`$0'_depend)
-authlogin_login_program_transition($1,local_login_t)
+ requires_block_template(`$0'_depend)
+
+ authlogin_login_program_transition($1,local_login_t)
 ')
 
 define(`locallogin_transition_depend',`
-type local_login_t;
+ type local_login_t;
 ')
 
 ########################################
@@ -17,11 +18,13 @@ type local_login_t;
 # locallogin_use_file_descriptors(domain)
 #
 define(`locallogin_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 local_login_t:fd use;
+ requires_block_template(`$0'_depend)
+
+ allow $1 local_login_t:fd use;
 ')
 
 define(`locallogin_use_file_descriptors_depend',`
-type local_login_t;
-class fd use;
+ type local_login_t;
+
+ class fd use;
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 7449aae..c296763 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -117,7 +117,7 @@ ifdef(`TODO',`
 can_ypbind(local_login_t)
 
 ifdef(`automount.te', `
-allow local_login_t autofs_t:dir { search getattr };
+ allow local_login_t autofs_t:dir { search getattr };
 ')
 
 allow local_login_t bin_t:dir r_dir_perms;
@@ -125,8 +125,8 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
 allow local_login_t sbin_t:dir r_dir_perms;
 allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
 if (read_default_t) {
-allow local_login_t default_t:dir r_dir_perms;
-allow local_login_t default_t:notdevfile_class_set r_file_perms;
+ allow local_login_t default_t:dir r_dir_perms;
+ allow local_login_t default_t:notdevfile_class_set r_file_perms;
 }
 
 # Read directories and files with the readable_t type.
@@ -144,18 +144,18 @@ allow local_login_t mnt_t:dir r_dir_perms;
 
 # FIXME: what is this for?
 optional_policy(`xdm.te', `
-allow xdm_t local_login_t:process signull;
+ allow xdm_t local_login_t:process signull;
 ')
 
 ifdef(`crack.te', `
-allow local_login_t crack_db_t:file r_file_perms;
+ allow local_login_t crack_db_t:file r_file_perms;
 ')
 
 allow local_login_t mouse_device_t:chr_file { getattr setattr };
 
 tunable_policy(`targeted_policy',`
-unconfined_domain(local_login_t)
-domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
+ unconfined_domain(local_login_t)
+ domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
 
 # Do not audit denied attempts to access devices.
@@ -173,7 +173,7 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 dontaudit local_login_t mnt_t:dir r_dir_perms;
 
 optional_policy(`gpm.te',`
-allow local_login_t gpmctl_t:sock_file { getattr setattr };
+ allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')
 
 # Allow setting of attributes on sound devices.
@@ -231,21 +231,21 @@ userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
-ifdef(`distro_debian', `define(`sulogin_no_pam')')
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy
 
 tunable_policy(`sulogin_no_pam', `
-allow sulogin_t self:capability sys_tty_config;
-init_get_process_group(sulogin_t)
+ allow sulogin_t self:capability sys_tty_config;
+ init_get_process_group(sulogin_t)
 ', `
-allow sulogin_t self:process setexec;
-kernel_get_selinuxfs_mount_point(sulogin_t)
-kernel_validate_selinux_context(sulogin_t)
-kernel_compute_selinux_access_vector(sulogin_t)
-kernel_compute_selinux_create_context(sulogin_t)
-kernel_compute_selinux_relabel_context(sulogin_t)
-kernel_compute_selinux_reachable_user_contexts(sulogin_t)
+ allow sulogin_t self:process setexec;
+ kernel_get_selinuxfs_mount_point(sulogin_t)
+ kernel_validate_selinux_context(sulogin_t)
+ kernel_compute_selinux_access_vector(sulogin_t)
+ kernel_compute_selinux_create_context(sulogin_t)
+ kernel_compute_selinux_relabel_context(sulogin_t)
+ kernel_compute_selinux_reachable_user_contexts(sulogin_t)
 ')
 
 ifdef(`TODO',`
@@ -254,7 +254,7 @@ allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 can_ypbind(sulogin_t)
 
 ifdef(`automount.te', `
-allow sulogin_t autofs_t:dir { search getattr };
+ allow sulogin_t autofs_t:dir { search getattr };
 ')
 
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 46d1f83..d2a5a14 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -6,13 +6,14 @@
 # logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(`$0'_depend)
-files_make_file($1)
-typeattribute $1 logfile;
+ requires_block_template(`$0'_depend)
+
+ files_make_file($1)
+ typeattribute $1 logfile;
 ')
 
 define(`logging_make_log_file_depend',`
-attribute logfile;
+ attribute logfile;
 ')
 
 ########################################
@@ -20,18 +21,21 @@ attribute logfile;
 # logging_create_private_log(domain,privatetype,[class(es)])
 #
 define(`logging_create_private_log',`
-requires_block_template(`$0'_depend)
-allow $1 var_log_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_log_t:file $2;
-',`
-type_transition $1 var_log_t:$3 $2;
-') dnl end ifelse
+ requires_block_template(`$0'_depend)
+
+ allow $1 var_log_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_log_t:file $2;
+ ',`
+ type_transition $1 var_log_t:$3 $2;
+ ')
 ')
 
 define(`logging_create_private_log_depend',`
-type var_log_t;
-class dir { getattr search read write add_name remove_name };
+ type var_log_t;
+
+ class dir rw_dir_perms;
 ')
 
 #######################################
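Review bot: The second hunk on this line replaces the explicit `{ getattr search read write add_name remove_name }` on var_log_t:dir with `rw_dir_perms` in both logging_create_private_log and its _depend block, which is a permission change hidden inside a commit that is otherwise pure re-indentation. I cannot see the macro's expansion from here, but if it is the usual refpolicy set it covers more than the six permissions it replaces, so every caller of this interface is widened at once and the depend block now requires the wider set too. Either keep the explicit list, or move this change into its own commit with a comment above the rule such as `# rw_dir_perms is deliberately broader than the previous explicit list` so the widening is visible to whoever audits var_log_t access later.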
@@ -39,23 +43,27 @@ class dir { getattr search read write add_name remove_name };
 # logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(`$0'_depend)
-allow $1 devlog_t:lnk_file read;
-allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
-# the type of socket depends on the syslog daemon
-allow $1 syslogd_t:unix_dgram_socket sendto;
-allow $1 syslogd_t:unix_stream_socket connectto;
-allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-# cjp: this should most likely be removed:
-terminal_use_console($1)
+ requires_block_template(`$0'_depend)
+
+ allow $1 devlog_t:lnk_file read;
+ allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+
+ # the type of socket depends on the syslog daemon
+ allow $1 syslogd_t:unix_dgram_socket sendto;
+ allow $1 syslogd_t:unix_stream_socket connectto;
+ allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+ allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+
+ # cjp: this should most likely be removed:
+ terminal_use_console($1)
 ')
 
 define(`logging_send_system_log_message_depend',`
-type syslogd_t, devlog_t;
-class sock_file { ioctl read getattr lock write append };
-class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
-class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+ type syslogd_t, devlog_t;
+
+ class sock_file { ioctl read getattr lock write append };
+ class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
+ class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
 ')
 
 ########################################
@@ -72,14 +80,16 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 ##
 #
 define(`logging_search_system_log_directory',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir search;
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir search;
 ')
 
 define(`logging_search_system_log_directory_depend',`
-type var_log_t;
-class dir search;
+ type var_log_t;
+
+ class dir search;
 ')
 
 #######################################
@@ -87,13 +97,15 @@ class dir search;
 # logging_ignore_get_all_logs_attributes(domain)
 #
 define(`logging_ignore_get_all_logs_attributes',`
-requires_block_template(`$0'_depend)
-dontaudit $1 logfile:file getattr;
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 logfile:file getattr;
 ')
 
 define(`logging_ignore_get_all_logs_attributes_depend',`
-attribute logfile;
-class file getattr;
+ attribute logfile;
+
+ class file getattr;
 ')
 
 #######################################
@@ -101,17 +113,20 @@ class file getattr;
 # logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr append };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir { getattr search read };
+ allow $1 logfile:file { getattr append };
 ')
 
 define(`logging_append_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr append };
+ attribute logfile;
+
+ type var_log_t;
+
+ class dir { getattr search read };
+ class file { getattr append };
 ')
 
 #######################################
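Review bot: logging_send_system_log_message grants `allow $1 devlog_t:lnk_file read;` but logging_send_system_log_message_depend requires only sock_file, unix_dgram_socket and unix_stream_socket, so the lnk_file class the interface uses is never declared for callers. The hunk starts on the previous line; the _depend block should gain `class lnk_file read;` next to the sock_file line. The `# cjp: this should most likely be removed:` comment above `terminal_use_console($1)` is also worth resolving rather than re-indenting, since granting console access to every domain that merely sends a syslog message is a broader grant than the interface name suggests.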
@@ -119,17 +134,20 @@ class file { getattr append };
 # logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 logfile:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir { getattr search read };
+ allow $1 logfile:file { getattr read };
 ')
 
 define(`logging_read_all_logs_depend',`
-attribute logfile;
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+ attribute logfile;
+
+ type var_log_t;
+
+ class dir { getattr search read };
+ class file { getattr read };
 ')
 
 #######################################
@@ -137,16 +155,18 @@ class file { getattr read };
 # logging_read_system_logs(domain)
 #
 define(`logging_read_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:file { getattr read };
 ')
 
 define(`logging_read_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read };
+ type var_log_t;
+
+ class dir { getattr search read };
+ class file { getattr read };
 ')
 
 #######################################
@@ -154,16 +174,18 @@ class file { getattr read };
 # logging_write_system_logs(domain)
 #
 define(`logging_write_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr write };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:file { getattr write };
 ')
 
 define(`logging_write_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr write };
+ type var_log_t;
+
+ class dir { getattr search read };
+ class file { getattr write };
 ')
 
 #######################################
@@ -171,16 +193,18 @@ class file { getattr write };
 # logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(`$0'_depend)
-files_search_system_state_data_directory($1)
-allow $1 var_log_t:dir { getattr search read };
-allow $1 var_log_t:file { getattr read write append };
+ requires_block_template(`$0'_depend)
+
+ files_search_system_state_data_directory($1)
+ allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:file { getattr read write append };
 ')
 
 define(`logging_modify_system_logs_depend',`
-type var_log_t;
-class dir { getattr search read };
-class file { getattr read write append };
+ type var_log_t;
+
+ class dir { getattr search read };
+ class file { getattr read write append };
 ')
 
 ##
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e6caf75..fdbb76c 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -157,28 +157,28 @@ allow syslogd_t self:capability net_admin; allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; ifdef(`klogd.te', `', ` -# Allow access to /proc/kmsg for syslog-ng -kernel_read_messages(syslogd_t) -kernel_clear_ring_buffer(syslogd_t) -kernel_change_ring_buffer_level(syslogd_t) + # Allow access to /proc/kmsg for syslog-ng + kernel_read_messages(syslogd_t) + kernel_clear_ring_buffer(syslogd_t) + kernel_change_ring_buffer_level(syslogd_t) ') tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(syslogd_t) -terminal_ignore_use_general_pseudoterminal(syslogd_t) -files_ignore_read_rootfs_file(syslogd_t) + terminal_ignore_use_general_physical_terminal(syslogd_t) + terminal_ignore_use_general_pseudoterminal(syslogd_t) + files_ignore_read_rootfs_file(syslogd_t) ') optional_policy(`selinux.te',` -selinux_newrole_sigchld(syslogd_t) + selinux_newrole_sigchld(syslogd_t) ') optional_policy(`udev.te', ` -udev_read_database(syslogd_t) + udev_read_database(syslogd_t) ') optional_policy(`cron.te',` -cron_modify_log(syslogd_t) + cron_modify_log(syslogd_t) ') ifdef(`TODO',` 
@@ -186,17 +186,17 @@ allow syslogd_t proc_t:lnk_file read; allow syslogd_t autofs_t:dir { search getattr }; dontaudit syslogd_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` -allow syslogd_t rhgb_t:process sigchld; -allow syslogd_t rhgb_t:fd use; -allow syslogd_t rhgb_t:fifo_file { read write }; + allow syslogd_t rhgb_t:process sigchld; + allow syslogd_t rhgb_t:fd use; + allow syslogd_t rhgb_t:fifo_file { read write }; ') tunable_policy(`direct_sysadm_daemon',` -dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; + dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; ') tunable_policy(`distro_suse', ` -# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel -file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) + # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel + file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) ') # can_network is for the UDP socket @@ -206,12 +206,12 @@ can_ypbind(syslogd_t) allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; ifdef(`crond.te', ` -# for daemon re-start -allow system_crond_t syslogd_t:lnk_file read; + # for daemon re-start + allow system_crond_t syslogd_t:lnk_file read; ') ifdef(`logrotate.te', ` -allow logrotate_t syslogd_exec_t:file r_file_perms; + allow logrotate_t syslogd_exec_t:file r_file_perms; ') # diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index 109a167..1c7c822 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if 
@@ -13,23 +13,26 @@ ## # define(`lvm_transition',` -requires_block_template(`$0'_depend) -allow $1 lvm_exec_t:file { getattr read execute }; -allow $1 lvm_t:process transition; -type_transition $1 lvm_exec_t:process lvm_t; -dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh }; -allow $1 lvm_t:fd use; -allow lvm_t $1:fd use; -allow lvm_t $1:fifo_file rw_file_perms; -allow lvm_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 lvm_exec_t:file { getattr read execute }; + allow $1 lvm_t:process transition; + type_transition $1 lvm_exec_t:process lvm_t; + dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh }; + + allow $1 lvm_t:fd use; + allow lvm_t $1:fd use; + allow lvm_t $1:fifo_file rw_file_perms; + allow lvm_t $1:process sigchld; ') define(`lvm_transition_depend',` -type lvm_t, lvm_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type lvm_t, lvm_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -50,15 +53,17 @@ class fifo_file rw_file_perms; ## # define(`lvm_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -lvm_transition($1) -role $2 types lvm_t; -allow lvm_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + lvm_transition($1) + role $2 types lvm_t; + allow lvm_t $3:chr_file { getattr read write ioctl }; ') define(`lvm_transition_add_role_use_terminal_depend',` -type lvm_t; -class chr_file { getattr read write ioctl }; + type lvm_t; + + class chr_file { getattr read write ioctl }; ') ######################################## 
@@ -73,14 +78,16 @@ class chr_file { getattr read write ioctl }; ## # define(`lvm_read_config',` -requires_block_template(`$0'_depend) -allow $1 lvm_etc_t:dir { getattr search read }; -allow $1 lvm_etc_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 lvm_etc_t:dir { getattr search read }; + allow $1 lvm_etc_t:file { getattr read }; ') define(`lvm_read_config_depend',` -type lvm_t, lvm_exec_t; -class file { getattr read }; + type lvm_t, lvm_exec_t; + + class file { getattr read }; ') ## diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index da45c58..00e3ac9 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -169,17 +169,17 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto }; dontaudit lvm_t var_run_t:dir getattr; optional_policy(`gnome-pty-helper.te', ` -allow lvm_t sysadm_gph_t:fd use; + allow lvm_t sysadm_gph_t:fd use; ') optional_policy(`gpm.te', ` -dontaudit lvm_t gpmctl_t:sock_file getattr; + dontaudit lvm_t gpmctl_t:sock_file getattr; ') optional_policy(`rhgb.te', ` -allow $1_t rhgb_t:process sigchld; -allow $1_t rhgb_t:fd use; -allow $1_t rhgb_t:fifo_file { read write }; + allow $1_t rhgb_t:process sigchld; + allow $1_t rhgb_t:fd use; + allow $1_t rhgb_t:fifo_file { read write }; ') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 668c507..63c6501 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if 
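Review bot: `lvm_read_config_depend` declares `type lvm_t, lvm_exec_t;` while the interface body only uses `lvm_etc_t`, and it declares no `class dir` even though the body allows `lvm_etc_t:dir { getattr search read }`, so the requires block names neither the type the rules need nor the directory permissions. It should read `type lvm_etc_t;` / `class dir { getattr search read };` / `class file { getattr read };`. The hunk only reindents, so the mismatch is carried over unchanged.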
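Review bot: The `rhgb.te` block in lvm.te still uses `$1_t` as the subject of three rules (`allow $1_t rhgb_t:process sigchld;` and the two below it), a template parameter that has no value in a .te file; it is dead today only because the enclosing `ifdef(`TODO'` block, which starts outside the hunk, hides it, and it would not expand to `lvm_t` if the block were re-enabled. Replace `$1_t` with `lvm_t` on those three lines, or mark them with `# TODO: $1_t is a template leftover, should be lvm_t` so they are not enabled as-is.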
@@ -4,16 +4,18 @@ # miscfiles_manage_man_page_cache(domain) # define(`miscfiles_manage_man_page_cache',` -requires_block_template(`$0'_depend) -# FIXME: search var_t dir -allow $1 catman_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 catman_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + # FIXME: search var_t dir + allow $1 catman_t:dir create_dir_perms; + allow $1 catman_t:file create_file_perms; ') define(`miscfiles_manage_man_page_cache_depend',` -type catman_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + type catman_t; + + class dir create_dir_perms; + class file create_file_perms; ') ######################################## @@ -21,18 +23,20 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # miscfiles_read_fonts(domain) # define(`miscfiles_read_fonts',` -requires_block_template(`$0'_depend) -# FIXME: search usr_t dir -# FIXME: search lib_t dir -# cjp: fonts can be in either of the above dirs -allow $1 fonts_t:dir { getattr read search }; -allow $1 fonts_t:file { getattr read }; + requires_block_template(`$0'_depend) + + # FIXME: search usr_t dir + # FIXME: search lib_t dir + # cjp: fonts can be in either of the above dirs + allow $1 fonts_t:dir { getattr read search }; + allow $1 fonts_t:file { getattr read }; ') define(`miscfiles_read_fonts_depend',` -type fonts_t; -class dir { getattr read search }; -class file { getattr read }; + type fonts_t; + + class dir { getattr read search }; + class file { getattr read }; ') ######################################## 
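Review bot: Replacing the explicit permission lists with `create_dir_perms` / `create_file_perms` in `miscfiles_manage_man_page_cache` is only behaviour-preserving if those macros expand to exactly the removed sets (dir: create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir; file: create ioctl read getattr lock write setattr append link unlink rename); the macro definitions are not in this diff, so that should be checked rather than assumed, since anything extra in the macros widens what every caller receives on `catman_t`. The `# FIXME: search var_t dir` note is kept but still unresolved, so callers are still not given the directory search they presumably need to reach the cache.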
@@ -40,23 +44,24 @@ class file { getattr read }; # miscfiles_read_localization(domain) # define(`miscfiles_read_localization',` -requires_block_template(`$0'_depend) -# FIXME: $1 read etc_t:lnk_file here -# FIXME: $1 search usr_t:dir here + requires_block_template(`$0'_depend) -# why? -libraries_read_library_resources($1) + # FIXME: $1 read etc_t:lnk_file here + # FIXME: $1 search usr_t:dir here + allow $1 locale_t:dir { getattr read search }; + allow $1 locale_t:lnk_file { getattr read }; + allow $1 locale_t:file { getattr read }; -allow $1 locale_t:dir { getattr read search }; -allow $1 locale_t:lnk_file { getattr read }; -allow $1 locale_t:file { getattr read }; + # why? + libraries_read_library_resources($1) ') define(`miscfiles_read_localization_depend',` -type locale_t; -class dir { getattr read search }; -class lnk_file { getattr read }; -class file { getattr read }; + type locale_t; + + class dir { getattr read search }; + class lnk_file { getattr read }; + class file { getattr read }; ') ######################################## @@ -64,14 +69,16 @@ class file { getattr read }; # miscfiles_legacy_read_localization(domain) # define(`miscfiles_legacy_read_localization',` -requires_block_template(`$0'_depend) -miscfiles_read_localization($1) -allow $1 locale_t:file execute; + requires_block_template(`$0'_depend) + + miscfiles_read_localization($1) + allow $1 locale_t:file execute; ') define(`miscfiles_read_localization_depend',` -type locale_t; -class file execute; + type locale_t; + + class file execute; ') ######################################## 
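Review bot: `miscfiles_legacy_read_localization` calls `requires_block_template(`$0'_depend)`, i.e. `miscfiles_legacy_read_localization_depend`, but the depend macro defined right below it is named `miscfiles_read_localization_depend` — so the legacy interface's requires block is undefined and, worse, this second define overrides the real `miscfiles_read_localization_depend` with only `type locale_t; class file execute;`, dropping the dir and lnk_file requirements of the non-legacy interface. Rename that define to `miscfiles_legacy_read_localization_depend`. Separately, moving `libraries_read_library_resources($1)` below the `locale_t` rules keeps the `# why?` comment; the call's own requirements are still absent from the depend block, and either a one-line reason or its removal would settle the question. The hunk otherwise only reindents.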
@@ -79,16 +86,18 @@ class file execute; # miscfiles_read_man_pages(domain) # define(`miscfiles_read_man_pages',` -requires_block_template(`$0'_depend) -# FIXME: search usr_t dir -allow $1 man_t:dir { getattr read search }; -allow $1 man_t:file { getattr read }; -allow $1 man_t:lnk_file { getattr read }; + requires_block_template(`$0'_depend) + + # FIXME: search usr_t dir + allow $1 man_t:dir { getattr read search }; + allow $1 man_t:file { getattr read }; + allow $1 man_t:lnk_file { getattr read }; ') define(`miscfiles_read_man_pages_depend',` -type man_t; -class dir { getattr read search }; -class file { getattr read }; -class lnk_file { getattr read }; + type man_t; + + class dir { getattr read search }; + class file { getattr read }; + class lnk_file { getattr read }; ') diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index f806b88..d33871f 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -13,15 +13,17 @@ ## # define(`modutils_read_kernel_module_dependencies',` -requires_block_template(`$0'_depend) -bootloader_list_kernel_modules($1) -allow $1 modules_dep_t:file { getattr read }; + requires_block_template(`$0'_depend) + + bootloader_list_kernel_modules($1) + allow $1 modules_dep_t:file { getattr read }; ') define(`modutils_read_kernel_module_dependencies_depend',` -type modules_dep_t; -class file { getattr create read write setattr unlink }; -class dir { search read write add_name remove_name }; + type modules_dep_t; + + class file { getattr create read write setattr unlink }; + class dir { search read write add_name remove_name }; ') ######################################## 
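Review bot: `modutils_read_kernel_module_dependencies_depend` declares `class file { getattr create read write setattr unlink }` and `class dir { search read write add_name remove_name }` although the interface body only grants `modules_dep_t:file { getattr read }` and otherwise delegates to `bootloader_list_kernel_modules`, so the requires block claims create/write/unlink permissions this read-only interface never uses. Trim it to `class file { getattr read };` and drop the `class dir` line (or keep only what the delegated call needs) so the dependency block documents the interface honestly. The hunk itself only reindents.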
@@ -37,13 +39,15 @@ class dir { search read write add_name remove_name }; ## # define(`modutils_read_kernel_module_loading_config',` -requires_block_template(`$0'_depend) -allow $1 modules_conf_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 modules_conf_t:file { getattr read }; ') define(`modutils_read_kernel_module_loading_config_depend',` -type modules_conf_t; -class file { getattr create read write setattr unlink }; + type modules_conf_t; + + class file { getattr create read write setattr unlink }; ') ######################################## @@ -59,23 +63,26 @@ class file { getattr create read write setattr unlink }; ## # define(`modutils_insmod_transition',` -requires_block_template(`$0'_depend) -allow $1 insmod_exec_t:file { getattr read execute }; -allow $1 insmod_t:process transition; -type_transition $1 insmod_exec_t:process insmod_t; -dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh }; -allow $1 insmod_t:fd use; -allow insmod_t $1:fd use; -allow insmod_t $1:fifo_file rw_file_perms; -allow insmod_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 insmod_exec_t:file { getattr read execute }; + allow $1 insmod_t:process transition; + type_transition $1 insmod_exec_t:process insmod_t; + dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh }; + + allow $1 insmod_t:fd use; + allow insmod_t $1:fd use; + allow insmod_t $1:fifo_file rw_file_perms; + allow insmod_t $1:process sigchld; ') define(`modutils_insmod_transition_depend',` -type insmod_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type insmod_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
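Review bot: `modutils_insmod_transition_depend` declares only `type insmod_t;` while the interface body references `insmod_exec_t` in both the file rule and the `type_transition`, unlike the sibling transition interfaces (lvm, mount, consoletype) which declare the domain and its entry type together. It should read `type insmod_t, insmod_exec_t;`. The hunk only reindents, so the omission is pre-existing.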
@@ -99,15 +106,17 @@ class fifo_file rw_file_perms; ## # define(`modutils_insmod_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -modutils_insmod_transition($1) -role $2 types insmod_t; -allow insmod_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + modutils_insmod_transition($1) + role $2 types insmod_t; + allow insmod_t $3:chr_file { getattr read write ioctl }; ') define(`modutils_insmod_transition_add_role_use_terminal_depend',` -type insmod_t; -class chr_file { getattr read write ioctl }; + type insmod_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -115,13 +124,15 @@ class chr_file { getattr read write ioctl }; # modutils_insmod_execute(domain) # define(`modutils_insmod_execute',` -requires_block_template(`$0'_depend) -allow $1 insmod_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 insmod_exec_t:file { getattr read execute execute_no_trans }; ') define(`modutils_insmod_execute_depend',` -type insmod_t; -class file { getattr read execute execute_no_trans }; + type insmod_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
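Review bot: `modutils_insmod_execute_depend` declares `type insmod_t;` but the interface only uses `insmod_exec_t`, so the requires block names the wrong type; it should be `type insmod_exec_t;`. The same domain-for-entry-type slip appears in the `depmod_execute` and `update_modules_execute` depend blocks later in this file, whereas the selinux.if execute interfaces declare the `_exec_t` type. The hunk only reindents.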
@@ -136,23 +147,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`modutils_depmod_transition',` -requires_block_template(`$0'_depend) -allow $1 depmod_exec_t:file { getattr read execute }; -allow $1 depmod_t:process transition; -type_transition $1 depmod_exec_t:process depmod_t; -dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh }; -allow $1 depmod_t:fd use; -allow depmod_t $1:fd use; -allow depmod_t $1:fifo_file rw_file_perms; -allow depmod_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 depmod_exec_t:file { getattr read execute }; + allow $1 depmod_t:process transition; + type_transition $1 depmod_exec_t:process depmod_t; + dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh }; + + allow $1 depmod_t:fd use; + allow depmod_t $1:fd use; + allow depmod_t $1:fifo_file rw_file_perms; + allow depmod_t $1:process sigchld; ') define(`modutils_depmod_transition_depend',` -type depmod_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type depmod_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
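Review bot: `modutils_depmod_transition_depend` declares only `type depmod_t;` though the body uses `depmod_exec_t` for the file rule and the `type_transition`; make it `type depmod_t, depmod_exec_t;` as the lvm and mount transition interfaces do. The hunk only reindents.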
@@ -173,15 +187,17 @@ class fifo_file rw_file_perms; ## # define(`modutils_depmod_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -modutils_depmod_transition($1) -role $2 types insmod_t; -allow insmod_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + modutils_depmod_transition($1) + role $2 types insmod_t; + allow insmod_t $3:chr_file { getattr read write ioctl }; ') define(`modutils_depmod_transition_add_role_use_terminal_depend',` -type depmod_t; -class chr_file { getattr read write ioctl }; + type depmod_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -189,13 +205,15 @@ class chr_file { getattr read write ioctl }; # modutils_depmod_execute(domain) # define(`modutils_depmod_execute',` -requires_block_template(`$0'_depend) -allow $1 depmod_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 depmod_exec_t:file { getattr read execute execute_no_trans }; ') define(`modutils_depmod_execute_depend',` -type depmod_t; -class file { getattr read execute execute_no_trans }; + type depmod_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
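Review bot: `modutils_depmod_transition_add_role_use_terminal` authorises the wrong domain: after `modutils_depmod_transition($1)` it does `role $2 types insmod_t;` and `allow insmod_t $3:chr_file { getattr read write ioctl };`, so the role authorisation and terminal access go to insmod_t rather than depmod_t, and the depend block (`type depmod_t;`) does not even declare insmod_t. Both lines should use `depmod_t`. As written, a role given depmod access gets the insmod domain authorised instead, and the depmod domain it just transitioned to is not authorised for the role at all; the hunk only reindents and carries the copy-paste over.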
@@ -210,23 +228,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`modutils_update_modules_transition',` -requires_block_template(`$0'_depend) -allow $1 update_modules_exec_t:file { getattr read execute }; -allow $1 update_modules_t:process transition; -type_transition $1 update_modules_exec_t:process update_modules_t; -dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh }; -allow $1 update_modules_t:fd use; -allow update_modules_t $1:fd use; -allow update_modules_t $1:fifo_file rw_file_perms; -allow update_modules_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 update_modules_exec_t:file { getattr read execute }; + allow $1 update_modules_t:process transition; + type_transition $1 update_modules_exec_t:process update_modules_t; + dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh }; + + allow $1 update_modules_t:fd use; + allow update_modules_t $1:fd use; + allow update_modules_t $1:fifo_file rw_file_perms; + allow update_modules_t $1:process sigchld; ') define(`modutils_update_modules_transition_depend',` -type update_modules_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh signal }; -class fd use; -class fifo_file rw_file_perms; + type update_modules_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh signal }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
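Review bot: `modutils_update_modules_transition_depend` lists `class process { transition noatsecure siginh rlimitinh signal }` but the interface body uses `sigchld` (`allow update_modules_t $1:process sigchld;`) and never `signal`, and it declares `type update_modules_t;` without `update_modules_exec_t`, which the file rule and `type_transition` use. It should read `type update_modules_t, update_modules_exec_t;` and `class process { transition noatsecure siginh rlimitinh sigchld };`. The hunk only reindents.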
@@ -247,15 +268,17 @@ class fifo_file rw_file_perms; ## # define(`modutils_update_modules_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -modutils_update_modules_transition($1) -role $2 types update_modules_t; -allow update_modules_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + modutils_update_modules_transition($1) + role $2 types update_modules_t; + allow update_modules_t $3:chr_file { getattr read write ioctl }; ') define(`modutils_update_modules_transition_add_role_use_terminal_depend',` -type update_modules_t; -class chr_file { getattr read write ioctl }; + type update_modules_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -263,13 +286,15 @@ class chr_file { getattr read write ioctl }; # modutils_update_modules_execute(domain) # define(`modutils_update_modules_execute',` -requires_block_template(`$0'_depend) -allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans }; ') define(`modutils_update_modules_execute_depend',` -type update_modules_t; -class file { getattr read execute execute_no_trans }; + type update_modules_t; + + class file { getattr read execute execute_no_trans }; ') ## diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 514f9f0..1c63c5b 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -98,7 +98,7 @@ logging_search_system_log_directory(insmod_t) miscfiles_read_localization(insmod_t) optional_policy(`mount.te',` -mount_transition(insmod_t) + mount_transition(insmod_t) ') ifdef(`TODO',` 
@@ -108,7 +108,7 @@ allow insmod_t apm_bios_t:chr_file { read write }; allow insmod_t sound_device_t:chr_file { read ioctl write }; ifdef(`xserver.te', ` -allow insmod_t xserver_log_t:file getattr; + allow insmod_t xserver_log_t:file getattr; ') # why is this needed? insmod cannot mounton any dir diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index cff5537..413bc8b 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -13,23 +13,26 @@ ## # define(`mount_transition',` -requires_block_template(`$0'_depend) -allow $1 mount_exec_t:file { getattr read execute }; -allow $1 mount_t:process transition; -type_transition $1 mount_exec_t:process mount_t; -dontaudit $1 mount_t:process { noatsecure siginh rlimitinh }; -allow $1 mount_t:fd use; -allow mount_t $1:fd use; -allow mount_t $1:fifo_file rw_file_perms; -allow mount_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 mount_exec_t:file { getattr read execute }; + allow $1 mount_t:process transition; + type_transition $1 mount_exec_t:process mount_t; + dontaudit $1 mount_t:process { noatsecure siginh rlimitinh }; + + allow $1 mount_t:fd use; + allow mount_t $1:fd use; + allow mount_t $1:fifo_file rw_file_perms; + allow mount_t $1:process sigchld; ') define(`mount_transition_depend',` -type mount_t, mount_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type mount_t, mount_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -52,15 +55,17 @@ class fifo_file rw_file_perms; ## # define(`mount_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -mount_transition($1) -role $2 types mount_t; -allow mount_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + mount_transition($1) + role $2 types mount_t; + allow mount_t $3:chr_file { getattr read write ioctl }; ') define(`mount_transition_add_role_use_terminal_depend',` -type mount_t; -class chr_file { getattr read write ioctl }; + type mount_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -68,13 +73,15 @@ class chr_file { getattr read write ioctl }; # mount_use_file_descriptors(domain) # define(`mount_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 mount_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 mount_t:fd use; ') define(`mount_use_file_descriptors_depend',` -type mount_t; -class fd use; + type mount_t; + + class fd use; ') ####################################### @@ -82,13 +89,15 @@ class fd use; # mount_send_nfs_client_request(domain) # define(`mount_send_nfs_client_request',` -requires_block_template(`$0'_depend) -allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown; + requires_block_template(`$0'_depend) + + allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown; ') define(`mount_send_nfs_client_request_depend',` -type mount_t; -class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + type mount_t; + + class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown }; ') ## diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index b9a36f6..7cf5390 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te 
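Review bot: `mount_send_nfs_client_request` writes its permission list without braces: `allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;` — the policy language needs `{ ... }` around more than one permission, so any module that invokes this interface should fail to compile (the depend block below it does have the braces). Beyond the syntax, the set lets the caller `bind`, `connect`, `setopt` and `shutdown` sockets labelled mount_t, which is far more than sending a request; if only traffic on an inherited descriptor is needed, `{ read write getattr }` is closer to the name. The hunk only reindents.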
@@ -69,37 +69,36 @@ miscfiles_read_localization(mount_t) userdomain_use_all_users_file_descriptors(mount_t) tunable_policy(`distro_redhat',` -filesystem_use_tmpfs_character_devices(mount_t) -allow mount_t tmpfs_t:dir mounton; - -optional_policy(`authlogin.te',` -authlogin_pam_console_read_runtime_data(mount_t) -# mount config by default sets fscontext=removable_t -filesystem_relabelfrom_dos_filesystem(mount_t) -') dnl end authlogin - -') dnl end distro_redhat + filesystem_use_tmpfs_character_devices(mount_t) + allow mount_t tmpfs_t:dir mounton; + + optional_policy(`authlogin.te',` + authlogin_pam_console_read_runtime_data(mount_t) + # mount config by default sets fscontext=removable_t + filesystem_relabelfrom_dos_filesystem(mount_t) + ') +') optional_policy(`portmap.te', ` -# for nfs -#can_ypbind(mount_t) -#allow portmap_t mount_t:udp_socket { sendto recvfrom }; -#allow mount_t portmap_t:udp_socket { sendto recvfrom }; -#allow mount_t rpc_pipefs_t:dir search; -corenetwork_sendrecv_tcp_on_all_interfaces(mount_t) -corenetwork_sendrecv_raw_on_all_interfaces(mount_t) -corenetwork_sendrecv_udp_on_all_interfaces(mount_t) -corenetwork_sendrecv_tcp_on_all_nodes(mount_t) -corenetwork_sendrecv_raw_on_all_nodes(mount_t) -corenetwork_sendrecv_udp_on_all_nodes(mount_t) -corenetwork_sendrecv_tcp_on_all_ports(mount_t) -corenetwork_sendrecv_udp_on_all_ports(mount_t) -corenetwork_bind_tcp_on_all_nodes(mount_t) -corenetwork_bind_udp_on_all_nodes(mount_t) -corenetwork_bind_tcp_on_general_port(mount_t) -corenetwork_bind_udp_on_general_port(mount_t) -corenetwork_bind_tcp_on_reserved_port(mount_t) -corenetwork_bind_udp_on_reserved_port(mount_t) + # for nfs + #can_ypbind(mount_t) + #allow portmap_t mount_t:udp_socket { sendto recvfrom }; + #allow mount_t portmap_t:udp_socket { sendto recvfrom }; + #allow mount_t rpc_pipefs_t:dir search; + corenetwork_sendrecv_tcp_on_all_interfaces(mount_t) + corenetwork_sendrecv_raw_on_all_interfaces(mount_t) + 
corenetwork_sendrecv_udp_on_all_interfaces(mount_t) + corenetwork_sendrecv_tcp_on_all_nodes(mount_t) + corenetwork_sendrecv_raw_on_all_nodes(mount_t) + corenetwork_sendrecv_udp_on_all_nodes(mount_t) + corenetwork_sendrecv_tcp_on_all_ports(mount_t) + corenetwork_sendrecv_udp_on_all_ports(mount_t) + corenetwork_bind_tcp_on_all_nodes(mount_t) + corenetwork_bind_udp_on_all_nodes(mount_t) + corenetwork_bind_tcp_on_general_port(mount_t) + corenetwork_bind_udp_on_general_port(mount_t) + corenetwork_bind_tcp_on_reserved_port(mount_t) + corenetwork_bind_udp_on_reserved_port(mount_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 39d93d2..50f71e8 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if 
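Review bot: The `portmap.te` block gives mount_t send/receive on raw sockets over all interfaces and nodes (`corenetwork_sendrecv_raw_on_all_interfaces`, `corenetwork_sendrecv_raw_on_all_nodes`) plus `bind` on reserved ports and send/receive on all TCP/UDP ports, justified only by `# for nfs`; nothing in this hunk shows mount_t creating a raw socket, so the raw-socket grants look like carry-over from a broader template and should be confirmed or dropped, and the reserved-port bind narrowed to what the RPC client actually needs. The four commented-out rules (`#can_ypbind(mount_t)` and the three `#allow` lines) are dead code that should either become proper interface calls or be removed, with the remaining grants explained by a comment along the lines of `# NFS mount: RPC to portmap/mountd over TCP and UDP; reserved-port bind if the server requires privileged source ports`. The hunk only reindents; the grants are unchanged from the old side.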
@@ -13,23 +13,26 @@ ## # define(`selinux_checkpolicy_transition',` -requires_block_template(`$0'_depend) -allow $1 checkpolicy_exec_t:file { getattr read execute }; -allow $1 checkpolicy_t:process transition; -type_transition $1 checkpolicy_exec_t:process checkpolicy_t; -dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; -allow $1 checkpolicy_t:fd use; -allow checkpolicy_t $1:fd use; -allow checkpolicy_t $1:fifo_file rw_file_perms; -allow checkpolicy_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 checkpolicy_exec_t:file { getattr read execute }; + allow $1 checkpolicy_t:process transition; + type_transition $1 checkpolicy_exec_t:process checkpolicy_t; + dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; + + allow $1 checkpolicy_t:fd use; + allow checkpolicy_t $1:fd use; + allow checkpolicy_t $1:fifo_file rw_file_perms; + allow checkpolicy_t $1:process sigchld; ') define(`selinux_checkpolicy_transition_depend',` -type checkpolicy_t, checkpolicy_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld sigchld }; -class fd use; -class fifo_file rw_file_perms; + type checkpolicy_t, checkpolicy_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
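Review bot: `selinux_checkpolicy_transition_depend` lists `sigchld` twice in `class process { transition noatsecure siginh rlimitinh sigchld sigchld };`; the duplicate is a copy-paste artefact that should be removed, and is harmless only if the policy compiler tolerates repeated permissions. The hunk only reindents.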
@@ -53,15 +56,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_checkpolicy_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_checkpolicy_transition($1) -role $2 types checkpolicy_t; -allow checkpolicy_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_checkpolicy_transition($1) + role $2 types checkpolicy_t; + allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` -type checkpolicy_t; -class chr_file { getattr read write ioctl }; + type checkpolicy_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl }; # selinux_checkpolicy_execute(domain) # define(`selinux_checkpolicy_execute',` -requires_block_template(`$0'_depend) -allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_checkpolicy_execute_depend',` -type checkpolicy_exec_t; -class file { getattr read execute execute_no_trans }; + type checkpolicy_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### 
@@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_load_policy_transition',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read execute }; -allow $1 load_policy_t:process transition; -type_transition $1 load_policy_exec_t:process load_policy_t; -dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; -allow $1 load_policy_t:fd use; -allow load_policy_t $1:fd use; -allow load_policy_t $1:fifo_file rw_file_perms; -allow load_policy_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read execute }; + allow $1 load_policy_t:process transition; + type_transition $1 load_policy_exec_t:process load_policy_t; + dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; + + allow $1 load_policy_t:fd use; + allow load_policy_t $1:fd use; + allow load_policy_t $1:fifo_file rw_file_perms; + allow load_policy_t $1:process sigchld; ') define(`selinux_load_policy_transition_depend',` -type load_policy_t, load_policy_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type load_policy_t, load_policy_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -130,15 +140,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_load_policy_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_load_policy_transition($1) -role $2 types load_policy_t; -allow load_policy_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_load_policy_transition($1) + role $2 types load_policy_t; + allow load_policy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_load_policy_transition_add_role_use_terminal_depend',` -type load_policy_t; -class chr_file { getattr read write ioctl }; + type load_policy_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl }; # selinux_load_policy_execute(domain) # define(`selinux_load_policy_execute',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_load_policy_execute_depend',` -type load_policy_exec_t; -class file { getattr read execute execute_no_trans }; + type load_policy_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### @@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans }; # selinux_read_load_policy_binary(domain) # define(`selinux_read_load_policy_binary',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read }; ') define(`selinux_read_load_policy_binary_depend',` -type load_policy_exec_t; -class file { getattr read }; + type load_policy_exec_t; + + class file { getattr read }; ') ####################################### 
@@ -181,23 +197,26 @@ class file { getattr read }; ## # define(`selinux_newrole_transition',` -requires_block_template(`$0'_depend) -allow $1 newrole_exec_t:file { getattr read execute }; -allow $1 newrole_t:process transition; -type_transition $1 newrole_exec_t:process newrole_t; -dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; -allow $1 newrole_t:fd use; -allow newrole_t $1:fd use; -allow newrole_t $1:fifo_file rw_file_perms; -allow newrole_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 newrole_exec_t:file { getattr read execute }; + allow $1 newrole_t:process transition; + type_transition $1 newrole_exec_t:process newrole_t; + dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; + + allow $1 newrole_t:fd use; + allow newrole_t $1:fd use; + allow newrole_t $1:fifo_file rw_file_perms; + allow newrole_t $1:process sigchld; ') define(`selinux_newrole_transition_depend',` -type newrole_t, newrole_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type newrole_t, newrole_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -220,15 +239,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_newrole_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_newrole_transition($1) -role $2 types newrole_t; -allow newrole_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_newrole_transition($1) + role $2 types newrole_t; + allow newrole_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_newrole_transition_add_role_use_terminal_depend',` -type newrole_t; -class chr_file { getattr read write ioctl }; + type newrole_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl }; # selinux_newrole_execute(domain) # define(`selinux_newrole_execute',` -requires_block_template(`$0'_depend) -allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_newrole_execute_depend',` -type newrole_t, newrole_exec_t; -class file { getattr read execute execute_no_trans }; + type newrole_t, newrole_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## @@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_newrole_ignore_signal',` -requires_block_template(`$0'_depend) -dontaudit $1 newrole_t:process signal; + requires_block_template(`$0'_depend) + + dontaudit $1 newrole_t:process signal; ') define(`selinux_newrole_ignore_signal_depend',` -type newrole_t; -class process signal; + type newrole_t; + + class process signal; ') ####################################### 
@@ -272,13 +297,15 @@ class process signal; # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` -requires_block_template(`$0'_depend) -allow $1 newrole_t:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 newrole_t:process sigchld; ') define(`selinux_newrole_sigchld_depend',` -type newrole_t; -class process sigchld; + type newrole_t; + + class process sigchld; ') ####################################### @@ -286,13 +313,15 @@ class process sigchld; # selinux_newrole_use_file_descriptors(domain) # define(`selinux_newrole_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 newrole_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 newrole_t:fd use; ') define(`selinux_newrole_use_file_descriptors_depend',` -type newrole_t; -class fd use; + type newrole_t; + + class fd use; ') ####################################### 
@@ -307,23 +336,26 @@ class fd use; ## # define(`selinux_restorecon_transition',` -requires_block_template(`$0'_depend) -allow $1 restorecon_exec_t:file { getattr read execute }; -allow $1 restorecon_t:process transition; -type_transition $1 restorecon_exec_t:process restorecon_t; -dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; -allow $1 restorecon_t:fd use; -allow restorecon_t $1:fd use; -allow restorecon_t $1:fifo_file rw_file_perms; -allow restorecon_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 restorecon_exec_t:file { getattr read execute }; + allow $1 restorecon_t:process transition; + type_transition $1 restorecon_exec_t:process restorecon_t; + dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; + + allow $1 restorecon_t:fd use; + allow restorecon_t $1:fd use; + allow restorecon_t $1:fifo_file rw_file_perms; + allow restorecon_t $1:process sigchld; ') define(`selinux_restorecon_transition_depend',` -type restorecon_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type restorecon_t, restorecon_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
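Review bot: The `type restorecon_t, restorecon_exec_t;` line in `selinux_restorecon_transition_depend` is the only non-whitespace change in this file's visible hunks, and it is buried inside a reindent-only commit. It is a correct fix, since the interface body references `restorecon_t` on the transition, type_transition, dontaudit, fd, fifo_file and sigchld lines while the old depend block declared only `restorecon_exec_t`. Please call it out in the commit message so it is not lost when this commit is audited as a pure whitespace change; the same correction is made a second time in the later `selinux_restorecon_transition_depend` hunk of selinuxutil.if.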
@@ -346,15 +378,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_restorecon_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_restorecon_transition($1) -role $2 types restorecon_t; -allow restorecon_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_restorecon_transition($1) + role $2 types restorecon_t; + allow restorecon_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_restorecon_transition_add_role_use_terminal_depend',` -type restorecon_t; -class chr_file { getattr read write ioctl }; + type restorecon_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_restorecon_execute_depend',` -type restorecon_t, restorecon_exec_t; -class file { getattr read execute execute_no_trans }; + type restorecon_t, restorecon_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
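Review bot: In the second hunk, `selinux_restorecon_execute_depend` declares `type restorecon_t, restorecon_exec_t;` although the interface body references only `restorecon_exec_t` (its `allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };` line is visible only as hunk-header context; the `define` starts outside the hunk). The sibling `selinux_load_policy_execute_depend` and `selinux_setfiles_execute_depend` blocks declare just the exec type, and `selinux_newrole_execute_depend` carries the same over-declaration of `newrole_t`. Suggest `type restorecon_exec_t;` here and `type newrole_exec_t;` there, so the requires block states only what the body uses; presumably that is the intent of the `_depend` convention, but confirm against how `requires_block_template` consumes it.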
@@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_run_init_transition',` -requires_block_template(`$0'_depend) -allow $1 run_init_exec_t:file { getattr read execute }; -allow $1 run_init_t:process transition; -type_transition $1 run_init_exec_t:process run_init_t; -dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; -allow $1 run_init_t:fd use; -allow run_init_t $1:fd use; -allow run_init_t $1:fifo_file rw_file_perms; -allow run_init_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 run_init_exec_t:file { getattr read execute }; + allow $1 run_init_t:process transition; + type_transition $1 run_init_exec_t:process run_init_t; + dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; + + allow $1 run_init_t:fd use; + allow run_init_t $1:fd use; + allow run_init_t $1:fifo_file rw_file_perms; + allow run_init_t $1:process sigchld; ') define(`selinux_run_init_transition_depend',` -type run_init_t, run_init_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type run_init_t, run_init_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -422,15 +460,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_run_init_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_run_init_transition($1) -role $2 types run_init_t; -allow run_init_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_run_init_transition($1) + role $2 types run_init_t; + allow run_init_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_init_transition_add_role_use_terminal_depend',` -type run_init_t; -class chr_file { getattr read write ioctl }; + type run_init_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl }; # selinux_run_init_use_file_descriptors(domain) # define(`selinux_run_init_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 run_init_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 run_init_t:fd use; ') define(`selinux_run_init_use_file_descriptors_depend',` -type run_init_t; -class fd use; + type run_init_t; + + class fd use; ') ######################################## 
@@ -459,23 +501,26 @@ class fd use; ## # define(`selinux_setfiles_transition',` -requires_block_template(`$0'_depend) -allow $1 setfiles_exec_t:file { getattr read execute }; -allow $1 setfiles_t:process transition; -type_transition $1 setfiles_exec_t:process setfiles_t; -dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; -allow $1 setfiles_t:fd use; -allow setfiles_t $1:fd use; -allow setfiles_t $1:fifo_file rw_file_perms; -allow setfiles_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 setfiles_exec_t:file { getattr read execute }; + allow $1 setfiles_t:process transition; + type_transition $1 setfiles_exec_t:process setfiles_t; + dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; + + allow $1 setfiles_t:fd use; + allow setfiles_t $1:fd use; + allow setfiles_t $1:fifo_file rw_file_perms; + allow setfiles_t $1:process sigchld; ') define(`selinux_setfiles_transition_depend',` -type setfiles_t, setfiles_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type setfiles_t, setfiles_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -498,15 +543,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_setfiles_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_setfiles_transition($1) -role $2 types setfiles_t; -allow setfiles_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_setfiles_transition($1) + role $2 types setfiles_t; + allow setfiles_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_setfiles_transition_add_role_use_terminal_depend',` -type setfiles_t; -class chr_file { getattr read write ioctl }; + type setfiles_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl }; # selinux_setfiles_execute(domain) # define(`selinux_setfiles_execute',` -requires_block_template(`$0'_depend) -allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_setfiles_execute_depend',` -type setfiles_exec_t; -class file { getattr read execute execute_no_trans }; + type setfiles_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
@@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans }; # selinux_read_config(domain) # define(`selinux_read_config',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir { getattr search read }; -allow $1 selinux_config_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir { getattr search read }; + allow $1 selinux_config_t:file { getattr read }; ') define(`selinux_read_config_depend',` -type selinux_config_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## @@ -544,16 +595,18 @@ class file { getattr read }; # selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir search; -allow $1 default_context_t:dir { getattr search read }; -allow $1 default_context_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir search; + allow $1 default_context_t:dir { getattr search read }; + allow $1 default_context_t:file { getattr read }; ') define(`selinux_read_default_contexts_depend',` -type selinux_config_t, default_context_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, default_context_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -561,16 +614,18 @@ class file { getattr read }; # selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir search; -allow $1 file_context_t:dir { getattr search read }; -allow $1 file_context_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir search; + allow $1 file_context_t:dir { getattr search read }; + allow $1 file_context_t:file { getattr read }; ') define(`selinux_read_file_contexts_depend',` -type selinux_config_t, file_context_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, file_context_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## @@ -578,15 +633,17 @@ class file { getattr read }; # selinux_read_binary_policy(domain) # define(`selinux_read_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:dir { getattr search read }; -allow $1 policy_config_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:dir { getattr search read }; + allow $1 policy_config_t:file { getattr read }; ') define(`selinux_read_binary_policy_depend',` -type policy_config_t; -class dir { getattr search read }; -class file { getattr read }; + type policy_config_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -594,17 +651,20 @@ class file { getattr read }; # selinux_write_binary_policy(domain) # define(`selinux_write_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; -allow $1 policy_config_t:file { getattr create write unlink }; -typeattribute $1 can_write_binary_policy; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; + allow $1 policy_config_t:file { getattr create write unlink }; + typeattribute $1 can_write_binary_policy; ') define(`selinux_write_binary_policy_depend',` -attribute can_write_binary_policy; -type policy_config_t; -class dir { getattr search read write add_name remove_name }; -class file { getattr create write unlink }; + attribute can_write_binary_policy; + + type policy_config_t; + + class dir { getattr search read write add_name remove_name }; + class file { getattr create write unlink }; ') ######################################## @@ -619,15 +679,18 @@ class file { getattr create write unlink }; ## # define(`selinux_relabelto_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:file relabelto; -typeattribute $1 can_relabelto_binary_policy; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:file relabelto; + typeattribute $1 can_relabelto_binary_policy; ') define(`selinux_relabelto_binary_policy_depend',` -attribute can_relabelto_binary_policy; -type policy_config_t; -class file relabelto; + attribute can_relabelto_binary_policy; + + type policy_config_t; + + class file relabelto; ') ######################################## 
@@ -635,19 +698,21 @@ class file relabelto; # selinux_manage_binary_policy(domain) # define(`selinux_manage_binary_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_config_t:dir { getattr search read }; -allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -typeattribute $1 can_write_binary_policy; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_config_t:dir { getattr search read }; + allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + typeattribute $1 can_write_binary_policy; ') define(`selinux_manage_binary_policy_depend',` -attribute can_write_binary_policy; -type selinux_config_t, policy_config_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + attribute can_write_binary_policy; + + type selinux_config_t, policy_config_t; + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; ') ######################################## 
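Review bot: `selinux_manage_binary_policy` grants `policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }` but only `policy_config_t:dir { getattr search read }`, so the file create, unlink, link and rename it claims to allow would be denied at the directory (no `write add_name remove_name`); the reindent carried this over unchanged. Compare `selinux_write_binary_policy` in the preceding hunk, which grants `dir { getattr search read write add_name remove_name }`, and `selinux_manage_source_policy`, which grants the full dir permission set, and note that this interface's own `_depend` block already declares the full `class dir { create read ... rmdir }` set, so requires and body disagree. Suggest `allow $1 policy_config_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };`. The `# FIXME: search etc_t:dir` comment is also carried over verbatim here and in `selinux_read_source_policy` and `selinux_manage_source_policy`; if it is still open it deserves a tracking reference, otherwise it should go.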
@@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # selinux_read_source_policy(domain) # define(`selinux_read_source_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_src_t:dir { getattr search read }; -allow $1 policy_src_t:file { getattr read }; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_src_t:dir { getattr search read }; + allow $1 policy_src_t:file { getattr read }; ') define(`selinux_read_source_policy_depend',` -type selinux_config_t, policy_src_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, policy_src_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -673,17 +740,19 @@ class file { getattr read }; # selinux_manage_source_policy(domain) # define(`selinux_manage_source_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename }; ') define(`selinux_manage_source_policy_depend',` -type selinux_config_t, policy_src_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + type selinux_config_t, policy_src_t; + + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; ') ## diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index f97e7c1..4c84ad7 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t) userdomain_use_all_users_file_descriptors(restorecon_t) optional_policy(`hotplug.te',` -hotplug_use_file_descriptors(restorecon_t) + hotplug_use_file_descriptors(restorecon_t) ') # relabeling rules 
@@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t) kernel_compute_selinux_reachable_user_contexts(run_init_t) tunable_policy(`targeted_policy',`',` -allow run_init_t self:process setexec; -allow run_init_t self:capability setuid; + allow run_init_t self:process setexec; + allow run_init_t self:capability setuid; -allow run_init_t self:fifo_file { getattr read write }; + allow run_init_t self:fifo_file { getattr read write }; -# often the administrator runs such programs from a directory that is owned -# by a different user or has restrictive SE permissions, do not want to audit -# the failed access to the current directory -dontaudit run_init_t self:capability { dac_override dac_read_search }; + # often the administrator runs such programs from a directory that is owned + # by a different user or has restrictive SE permissions, do not want to audit + # the failed access to the current directory + dontaudit run_init_t self:capability { dac_override dac_read_search }; -filesystem_get_persistent_filesystem_attributes(run_init_t) + filesystem_get_persistent_filesystem_attributes(run_init_t) -devices_ignore_list_device_nodes(run_init_t) + devices_ignore_list_device_nodes(run_init_t) -terminal_ignore_list_pseudoterminals(run_init_t) + terminal_ignore_list_pseudoterminals(run_init_t) -authlogin_check_password_transition(run_init_t) -authlogin_ignore_read_shadow_passwords(run_init_t) + authlogin_check_password_transition(run_init_t) + authlogin_ignore_read_shadow_passwords(run_init_t) -corecommands_execute_general_programs(run_init_t) -corecommands_execute_shell(run_init_t) + corecommands_execute_general_programs(run_init_t) + corecommands_execute_shell(run_init_t) -domain_use_widely_inheritable_file_descriptors(run_init_t) + domain_use_widely_inheritable_file_descriptors(run_init_t) -files_read_general_system_config(run_init_t) -files_ignore_search_all_directories(run_init_t) + files_read_general_system_config(run_init_t) + 
files_ignore_search_all_directories(run_init_t) -init_script_transition(run_init_t) -# for utmp -init_script_modify_runtime_data(run_init_t) + init_script_transition(run_init_t) + # for utmp + init_script_modify_runtime_data(run_init_t) -libraries_use_dynamic_loader(run_init_t) -libraries_use_shared_libraries(run_init_t) + libraries_use_dynamic_loader(run_init_t) + libraries_use_shared_libraries(run_init_t) -selinux_read_config(run_init_t) -selinux_read_default_contexts(run_init_t) + selinux_read_config(run_init_t) + selinux_read_default_contexts(run_init_t) -miscfiles_read_localization(run_init_t) + miscfiles_read_localization(run_init_t) -logging_send_system_log_message(run_init_t) + logging_send_system_log_message(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` tunable_policy(`distro_gentoo', ` -# Gentoo integrated run_init+open_init_pty-runscript: -domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) -domain_make_entrypoint_file(run_init_t,initrc_exec_t) + # Gentoo integrated run_init+open_init_pty-runscript: + domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) + domain_make_entrypoint_file(run_init_t,initrc_exec_t) ') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 39d93d2..50f71e8 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if 
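Review bot: The closing comment `') dnl end ifdef targeted policy` mislabels the construct it closes: the block is a `tunable_policy(`targeted_policy',`',` ... ')` whose rules live in the else branch, not an `ifdef`, and a reader auditing what `run_init_t` receives under the targeted policy (nothing from this block) is steered to the wrong construct. Suggest `') dnl end tunable_policy targeted_policy (else branch)`. The `allow run_init_t self:process setexec;` and `allow run_init_t self:capability setuid;` lines at the top of the block carry no comment, unlike the `dontaudit ... dac_override` lines; a one-line why-comment along the lines of `# run_init sets the context its child init script runs in` would help, with the setuid justification confirmed by the author. The `ifdef(`TODO',` ... ')` block that follows is dead code using the legacy `domain_auto_trans`/`domain_make_entrypoint_file` macros; it was reindented rather than converted to the interface style used above or deleted.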
@@ -13,23 +13,26 @@ ## # define(`selinux_checkpolicy_transition',` -requires_block_template(`$0'_depend) -allow $1 checkpolicy_exec_t:file { getattr read execute }; -allow $1 checkpolicy_t:process transition; -type_transition $1 checkpolicy_exec_t:process checkpolicy_t; -dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; -allow $1 checkpolicy_t:fd use; -allow checkpolicy_t $1:fd use; -allow checkpolicy_t $1:fifo_file rw_file_perms; -allow checkpolicy_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 checkpolicy_exec_t:file { getattr read execute }; + allow $1 checkpolicy_t:process transition; + type_transition $1 checkpolicy_exec_t:process checkpolicy_t; + dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; + + allow $1 checkpolicy_t:fd use; + allow checkpolicy_t $1:fd use; + allow checkpolicy_t $1:fifo_file rw_file_perms; + allow checkpolicy_t $1:process sigchld; ') define(`selinux_checkpolicy_transition_depend',` -type checkpolicy_t, checkpolicy_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld sigchld }; -class fd use; -class fifo_file rw_file_perms; + type checkpolicy_t, checkpolicy_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
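Review bot: `class process { transition noatsecure siginh rlimitinh sigchld sigchld };` in `selinux_checkpolicy_transition_depend` lists `sigchld` twice, and the reindent carried the duplicate over. Every other `*_transition_depend` block in this diff lists it once, so change the line to `class process { transition noatsecure siginh rlimitinh sigchld };`. The duplicate is presumably harmless to the policy compiler, but it is the kind of inconsistency that hides a real permission mismatch when these blocks are diffed against each other.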
@@ -53,15 +56,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_checkpolicy_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_checkpolicy_transition($1) -role $2 types checkpolicy_t; -allow checkpolicy_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_checkpolicy_transition($1) + role $2 types checkpolicy_t; + allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` -type checkpolicy_t; -class chr_file { getattr read write ioctl }; + type checkpolicy_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl }; # selinux_checkpolicy_execute(domain) # define(`selinux_checkpolicy_execute',` -requires_block_template(`$0'_depend) -allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_checkpolicy_execute_depend',` -type checkpolicy_exec_t; -class file { getattr read execute execute_no_trans }; + type checkpolicy_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### 
@@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_load_policy_transition',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read execute }; -allow $1 load_policy_t:process transition; -type_transition $1 load_policy_exec_t:process load_policy_t; -dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; -allow $1 load_policy_t:fd use; -allow load_policy_t $1:fd use; -allow load_policy_t $1:fifo_file rw_file_perms; -allow load_policy_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read execute }; + allow $1 load_policy_t:process transition; + type_transition $1 load_policy_exec_t:process load_policy_t; + dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; + + allow $1 load_policy_t:fd use; + allow load_policy_t $1:fd use; + allow load_policy_t $1:fifo_file rw_file_perms; + allow load_policy_t $1:process sigchld; ') define(`selinux_load_policy_transition_depend',` -type load_policy_t, load_policy_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type load_policy_t, load_policy_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
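Review bot: `selinux_load_policy_transition` and its `_depend` block in this selinuxutil.if hunk are, apart from the reindent, the same macro bodies as an earlier hunk in this diff carrying the identical position `@@ -90,23 +97,26 @@` (that file's header is outside this view, so which file it is can only be inferred), and the following selinuxutil.if hunks for `selinux_newrole_*` and `selinux_restorecon_*` repeat their earlier counterparts the same way. With m4, two `define`s of the same macro name mean whichever file is expanded last silently wins, so a permission fix applied to only one copy — for example the `type restorecon_t` correction, which this commit does apply to both — can be a no-op in the other. If selinuxutil.if is meant to supersede the earlier file, the earlier copy should be removed in the same commit; otherwise a comment at the top of each file stating which is authoritative would at least make the duplication visible.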
@@ -130,15 +140,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_load_policy_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_load_policy_transition($1) -role $2 types load_policy_t; -allow load_policy_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_load_policy_transition($1) + role $2 types load_policy_t; + allow load_policy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_load_policy_transition_add_role_use_terminal_depend',` -type load_policy_t; -class chr_file { getattr read write ioctl }; + type load_policy_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl }; # selinux_load_policy_execute(domain) # define(`selinux_load_policy_execute',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_load_policy_execute_depend',` -type load_policy_exec_t; -class file { getattr read execute execute_no_trans }; + type load_policy_exec_t; + + class file { getattr read execute execute_no_trans }; ') ####################################### @@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans }; # selinux_read_load_policy_binary(domain) # define(`selinux_read_load_policy_binary',` -requires_block_template(`$0'_depend) -allow $1 load_policy_exec_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 load_policy_exec_t:file { getattr read }; ') define(`selinux_read_load_policy_binary_depend',` -type load_policy_exec_t; -class file { getattr read }; + type load_policy_exec_t; + + class file { getattr read }; ') ####################################### 
@@ -181,23 +197,26 @@ class file { getattr read }; ## # define(`selinux_newrole_transition',` -requires_block_template(`$0'_depend) -allow $1 newrole_exec_t:file { getattr read execute }; -allow $1 newrole_t:process transition; -type_transition $1 newrole_exec_t:process newrole_t; -dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; -allow $1 newrole_t:fd use; -allow newrole_t $1:fd use; -allow newrole_t $1:fifo_file rw_file_perms; -allow newrole_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 newrole_exec_t:file { getattr read execute }; + allow $1 newrole_t:process transition; + type_transition $1 newrole_exec_t:process newrole_t; + dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; + + allow $1 newrole_t:fd use; + allow newrole_t $1:fd use; + allow newrole_t $1:fifo_file rw_file_perms; + allow newrole_t $1:process sigchld; ') define(`selinux_newrole_transition_depend',` -type newrole_t, newrole_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type newrole_t, newrole_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -220,15 +239,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_newrole_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_newrole_transition($1) -role $2 types newrole_t; -allow newrole_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_newrole_transition($1) + role $2 types newrole_t; + allow newrole_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_newrole_transition_add_role_use_terminal_depend',` -type newrole_t; -class chr_file { getattr read write ioctl }; + type newrole_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl }; # selinux_newrole_execute(domain) # define(`selinux_newrole_execute',` -requires_block_template(`$0'_depend) -allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_newrole_execute_depend',` -type newrole_t, newrole_exec_t; -class file { getattr read execute execute_no_trans }; + type newrole_t, newrole_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## @@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_newrole_ignore_signal',` -requires_block_template(`$0'_depend) -dontaudit $1 newrole_t:process signal; + requires_block_template(`$0'_depend) + + dontaudit $1 newrole_t:process signal; ') define(`selinux_newrole_ignore_signal_depend',` -type newrole_t; -class process signal; + type newrole_t; + + class process signal; ') ####################################### 
@@ -272,13 +297,15 @@ class process signal; # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` -requires_block_template(`$0'_depend) -allow $1 newrole_t:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 newrole_t:process sigchld; ') define(`selinux_newrole_sigchld_depend',` -type newrole_t; -class process sigchld; + type newrole_t; + + class process sigchld; ') ####################################### @@ -286,13 +313,15 @@ class process sigchld; # selinux_newrole_use_file_descriptors(domain) # define(`selinux_newrole_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 newrole_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 newrole_t:fd use; ') define(`selinux_newrole_use_file_descriptors_depend',` -type newrole_t; -class fd use; + type newrole_t; + + class fd use; ') ####################################### 
@@ -307,23 +336,26 @@ class fd use; ## # define(`selinux_restorecon_transition',` -requires_block_template(`$0'_depend) -allow $1 restorecon_exec_t:file { getattr read execute }; -allow $1 restorecon_t:process transition; -type_transition $1 restorecon_exec_t:process restorecon_t; -dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; -allow $1 restorecon_t:fd use; -allow restorecon_t $1:fd use; -allow restorecon_t $1:fifo_file rw_file_perms; -allow restorecon_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 restorecon_exec_t:file { getattr read execute }; + allow $1 restorecon_t:process transition; + type_transition $1 restorecon_exec_t:process restorecon_t; + dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; + + allow $1 restorecon_t:fd use; + allow restorecon_t $1:fd use; + allow restorecon_t $1:fifo_file rw_file_perms; + allow restorecon_t $1:process sigchld; ') define(`selinux_restorecon_transition_depend',` -type restorecon_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type restorecon_t, restorecon_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
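Review bot: Nothing records that `selinux_restorecon_transition_depend` must mirror every type and class referenced by `selinux_restorecon_transition`, which is how `restorecon_t` came to be missing from the requires block until this hunk added it even though the body has always used it for its `process transition`, `fd use` and `sigchld` rules. A one-line comment above the depend block, `# must list every type and class referenced in selinux_restorecon_transition above`, would make that contract explicit, and the same reminder applies to the other `_depend` blocks in this file. Drift in the opposite direction is visible in `selinux_manage_binary_policy_depend`, whose `class dir` list carries create/write/rmdir permissions that the interface body never uses, so a module pulling in that interface declares a wider dependency than it needs. Whether the surplus entries in a requires block affect the compiled policy depends on how `requires_block_template` expands, which is outside this hunk.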
@@ -346,15 +378,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_restorecon_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_restorecon_transition($1) -role $2 types restorecon_t; -allow restorecon_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_restorecon_transition($1) + role $2 types restorecon_t; + allow restorecon_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_restorecon_transition_add_role_use_terminal_depend',` -type restorecon_t; -class chr_file { getattr read write ioctl }; + type restorecon_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_restorecon_execute_depend',` -type restorecon_t, restorecon_exec_t; -class file { getattr read execute execute_no_trans }; + type restorecon_t, restorecon_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
@@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans }; ## # define(`selinux_run_init_transition',` -requires_block_template(`$0'_depend) -allow $1 run_init_exec_t:file { getattr read execute }; -allow $1 run_init_t:process transition; -type_transition $1 run_init_exec_t:process run_init_t; -dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; -allow $1 run_init_t:fd use; -allow run_init_t $1:fd use; -allow run_init_t $1:fifo_file rw_file_perms; -allow run_init_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 run_init_exec_t:file { getattr read execute }; + allow $1 run_init_t:process transition; + type_transition $1 run_init_exec_t:process run_init_t; + dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; + + allow $1 run_init_t:fd use; + allow run_init_t $1:fd use; + allow run_init_t $1:fifo_file rw_file_perms; + allow run_init_t $1:process sigchld; ') define(`selinux_run_init_transition_depend',` -type run_init_t, run_init_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type run_init_t, run_init_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -422,15 +460,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_run_init_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_run_init_transition($1) -role $2 types run_init_t; -allow run_init_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_run_init_transition($1) + role $2 types run_init_t; + allow run_init_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_init_transition_add_role_use_terminal_depend',` -type run_init_t; -class chr_file { getattr read write ioctl }; + type run_init_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl }; # selinux_run_init_use_file_descriptors(domain) # define(`selinux_run_init_use_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 run_init_t:fd use; + requires_block_template(`$0'_depend) + + allow $1 run_init_t:fd use; ') define(`selinux_run_init_use_file_descriptors_depend',` -type run_init_t; -class fd use; + type run_init_t; + + class fd use; ') ######################################## 
@@ -459,23 +501,26 @@ class fd use; ## # define(`selinux_setfiles_transition',` -requires_block_template(`$0'_depend) -allow $1 setfiles_exec_t:file { getattr read execute }; -allow $1 setfiles_t:process transition; -type_transition $1 setfiles_exec_t:process setfiles_t; -dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; -allow $1 setfiles_t:fd use; -allow setfiles_t $1:fd use; -allow setfiles_t $1:fifo_file rw_file_perms; -allow setfiles_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 setfiles_exec_t:file { getattr read execute }; + allow $1 setfiles_t:process transition; + type_transition $1 setfiles_exec_t:process setfiles_t; + dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; + + allow $1 setfiles_t:fd use; + allow setfiles_t $1:fd use; + allow setfiles_t $1:fifo_file rw_file_perms; + allow setfiles_t $1:process sigchld; ') define(`selinux_setfiles_transition_depend',` -type setfiles_t, setfiles_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type setfiles_t, setfiles_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -498,15 +543,17 @@ class fifo_file rw_file_perms; ## # define(`selinux_setfiles_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -selinux_setfiles_transition($1) -role $2 types setfiles_t; -allow setfiles_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + selinux_setfiles_transition($1) + role $2 types setfiles_t; + allow setfiles_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_setfiles_transition_add_role_use_terminal_depend',` -type setfiles_t; -class chr_file { getattr read write ioctl }; + type setfiles_t; + + class chr_file { getattr read write ioctl }; ') ####################################### @@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl }; # selinux_setfiles_execute(domain) # define(`selinux_setfiles_execute',` -requires_block_template(`$0'_depend) -allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; + requires_block_template(`$0'_depend) + + allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; ') define(`selinux_setfiles_execute_depend',` -type setfiles_exec_t; -class file { getattr read execute execute_no_trans }; + type setfiles_exec_t; + + class file { getattr read execute execute_no_trans }; ') ######################################## 
@@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans }; # selinux_read_config(domain) # define(`selinux_read_config',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir { getattr search read }; -allow $1 selinux_config_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir { getattr search read }; + allow $1 selinux_config_t:file { getattr read }; ') define(`selinux_read_config_depend',` -type selinux_config_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## @@ -544,16 +595,18 @@ class file { getattr read }; # selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir search; -allow $1 default_context_t:dir { getattr search read }; -allow $1 default_context_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir search; + allow $1 default_context_t:dir { getattr search read }; + allow $1 default_context_t:file { getattr read }; ') define(`selinux_read_default_contexts_depend',` -type selinux_config_t, default_context_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, default_context_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -561,16 +614,18 @@ class file { getattr read }; # selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` -requires_block_template(`$0'_depend) -allow $1 selinux_config_t:dir search; -allow $1 file_context_t:dir { getattr search read }; -allow $1 file_context_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 selinux_config_t:dir search; + allow $1 file_context_t:dir { getattr search read }; + allow $1 file_context_t:file { getattr read }; ') define(`selinux_read_file_contexts_depend',` -type selinux_config_t, file_context_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, file_context_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## @@ -578,15 +633,17 @@ class file { getattr read }; # selinux_read_binary_policy(domain) # define(`selinux_read_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:dir { getattr search read }; -allow $1 policy_config_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:dir { getattr search read }; + allow $1 policy_config_t:file { getattr read }; ') define(`selinux_read_binary_policy_depend',` -type policy_config_t; -class dir { getattr search read }; -class file { getattr read }; + type policy_config_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -594,17 +651,20 @@ class file { getattr read }; # selinux_write_binary_policy(domain) # define(`selinux_write_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; -allow $1 policy_config_t:file { getattr create write unlink }; -typeattribute $1 can_write_binary_policy; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; + allow $1 policy_config_t:file { getattr create write unlink }; + typeattribute $1 can_write_binary_policy; ') define(`selinux_write_binary_policy_depend',` -attribute can_write_binary_policy; -type policy_config_t; -class dir { getattr search read write add_name remove_name }; -class file { getattr create write unlink }; + attribute can_write_binary_policy; + + type policy_config_t; + + class dir { getattr search read write add_name remove_name }; + class file { getattr create write unlink }; ') ######################################## @@ -619,15 +679,18 @@ class file { getattr create write unlink }; ## # define(`selinux_relabelto_binary_policy',` -requires_block_template(`$0'_depend) -allow $1 policy_config_t:file relabelto; -typeattribute $1 can_relabelto_binary_policy; + requires_block_template(`$0'_depend) + + allow $1 policy_config_t:file relabelto; + typeattribute $1 can_relabelto_binary_policy; ') define(`selinux_relabelto_binary_policy_depend',` -attribute can_relabelto_binary_policy; -type policy_config_t; -class file relabelto; + attribute can_relabelto_binary_policy; + + type policy_config_t; + + class file relabelto; ') ######################################## 
@@ -635,19 +698,21 @@ class file relabelto; # selinux_manage_binary_policy(domain) # define(`selinux_manage_binary_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_config_t:dir { getattr search read }; -allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -typeattribute $1 can_write_binary_policy; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_config_t:dir { getattr search read }; + allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + typeattribute $1 can_write_binary_policy; ') define(`selinux_manage_binary_policy_depend',` -attribute can_write_binary_policy; -type selinux_config_t, policy_config_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + attribute can_write_binary_policy; + + type selinux_config_t, policy_config_t; + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; ') ######################################## 
@@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren # selinux_read_source_policy(domain) # define(`selinux_read_source_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_src_t:dir { getattr search read }; -allow $1 policy_src_t:file { getattr read }; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_src_t:dir { getattr search read }; + allow $1 policy_src_t:file { getattr read }; ') define(`selinux_read_source_policy_depend',` -type selinux_config_t, policy_src_t; -class dir { getattr search read }; -class file { getattr read }; + type selinux_config_t, policy_src_t; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -673,17 +740,19 @@ class file { getattr read }; # selinux_manage_source_policy(domain) # define(`selinux_manage_source_policy',` -requires_block_template(`$0'_depend) -# FIXME: search etc_t:dir -allow $1 selinux_config_t:dir search; -allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + requires_block_template(`$0'_depend) + + # FIXME: search etc_t:dir + allow $1 selinux_config_t:dir search; + allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename }; ') define(`selinux_manage_source_policy_depend',` -type selinux_config_t, policy_src_t; -class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -class file { create ioctl read getattr lock write setattr append link unlink rename }; + type selinux_config_t, policy_src_t; + + class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + class file { create ioctl read getattr lock write setattr append link unlink rename }; ') ## diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index f97e7c1..4c84ad7 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t) userdomain_use_all_users_file_descriptors(restorecon_t) optional_policy(`hotplug.te',` -hotplug_use_file_descriptors(restorecon_t) + hotplug_use_file_descriptors(restorecon_t) ') # relabeling rules 
@@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t) kernel_compute_selinux_reachable_user_contexts(run_init_t) tunable_policy(`targeted_policy',`',` -allow run_init_t self:process setexec; -allow run_init_t self:capability setuid; + allow run_init_t self:process setexec; + allow run_init_t self:capability setuid; -allow run_init_t self:fifo_file { getattr read write }; + allow run_init_t self:fifo_file { getattr read write }; -# often the administrator runs such programs from a directory that is owned -# by a different user or has restrictive SE permissions, do not want to audit -# the failed access to the current directory -dontaudit run_init_t self:capability { dac_override dac_read_search }; + # often the administrator runs such programs from a directory that is owned + # by a different user or has restrictive SE permissions, do not want to audit + # the failed access to the current directory + dontaudit run_init_t self:capability { dac_override dac_read_search }; -filesystem_get_persistent_filesystem_attributes(run_init_t) + filesystem_get_persistent_filesystem_attributes(run_init_t) -devices_ignore_list_device_nodes(run_init_t) + devices_ignore_list_device_nodes(run_init_t) -terminal_ignore_list_pseudoterminals(run_init_t) + terminal_ignore_list_pseudoterminals(run_init_t) -authlogin_check_password_transition(run_init_t) -authlogin_ignore_read_shadow_passwords(run_init_t) + authlogin_check_password_transition(run_init_t) + authlogin_ignore_read_shadow_passwords(run_init_t) -corecommands_execute_general_programs(run_init_t) -corecommands_execute_shell(run_init_t) + corecommands_execute_general_programs(run_init_t) + corecommands_execute_shell(run_init_t) -domain_use_widely_inheritable_file_descriptors(run_init_t) + domain_use_widely_inheritable_file_descriptors(run_init_t) -files_read_general_system_config(run_init_t) -files_ignore_search_all_directories(run_init_t) + files_read_general_system_config(run_init_t) + 
files_ignore_search_all_directories(run_init_t) -init_script_transition(run_init_t) -# for utmp -init_script_modify_runtime_data(run_init_t) + init_script_transition(run_init_t) + # for utmp + init_script_modify_runtime_data(run_init_t) -libraries_use_dynamic_loader(run_init_t) -libraries_use_shared_libraries(run_init_t) + libraries_use_dynamic_loader(run_init_t) + libraries_use_shared_libraries(run_init_t) -selinux_read_config(run_init_t) -selinux_read_default_contexts(run_init_t) + selinux_read_config(run_init_t) + selinux_read_default_contexts(run_init_t) -miscfiles_read_localization(run_init_t) + miscfiles_read_localization(run_init_t) -logging_send_system_log_message(run_init_t) + logging_send_system_log_message(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` tunable_policy(`distro_gentoo', ` -# Gentoo integrated run_init+open_init_pty-runscript: -domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) -domain_make_entrypoint_file(run_init_t,initrc_exec_t) + # Gentoo integrated run_init+open_init_pty-runscript: + domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) + domain_make_entrypoint_file(run_init_t,initrc_exec_t) ') ') dnl end TODO diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index d0647af..ad35f94 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if 
@@ -6,23 +6,26 @@ # sysnetwork_dhcpc_transition(domain) # define(`sysnetwork_dhcpc_transition',` -requires_block_template(`$0'_depend) -allow $1 dhcpc_exec_t:file { getattr read execute }; -allow $1 dhcpc_t:process transition; -type_transition $1 dhcpc_exec_t:process dhcpc_t; -dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh }; -allow $1 dhcpc_t:fd use; -allow dhcpc_t $1:fd use; -allow dhcpc_t $1:fifo_file rw_file_perms; -allow dhcpc_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 dhcpc_exec_t:file { getattr read execute }; + allow $1 dhcpc_t:process transition; + type_transition $1 dhcpc_exec_t:process dhcpc_t; + dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh }; + + allow $1 dhcpc_t:fd use; + allow dhcpc_t $1:fd use; + allow dhcpc_t $1:fifo_file rw_file_perms; + allow dhcpc_t $1:process sigchld; ') define(`sysnetwork_dhcpc_transition_depend',` -type dhcpc_t, dhcpc_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type dhcpc_t, dhcpc_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ####################################### 
@@ -37,23 +40,26 @@ class fifo_file rw_file_perms; ## # define(`sysnetwork_ifconfig_transition',` -requires_block_template(`$0'_depend) -allow $1 ifconfig_exec_t:file { getattr read execute }; -allow $1 ifconfig_t:process transition; -type_transition $1 ifconfig_exec_t:process ifconfig_t; -dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh }; -allow $1 ifconfig_t:fd use; -allow ifconfig_t $1:fd use; -allow ifconfig_t $1:fifo_file rw_file_perms; -allow ifconfig_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 ifconfig_exec_t:file { getattr read execute }; + allow $1 ifconfig_t:process transition; + type_transition $1 ifconfig_exec_t:process ifconfig_t; + dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh }; + + allow $1 ifconfig_t:fd use; + allow ifconfig_t $1:fd use; + allow ifconfig_t $1:fifo_file rw_file_perms; + allow ifconfig_t $1:process sigchld; ') define(`sysnetwork_ifconfig_transition_depend',` -type ifconfig_t, ifconfig_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type ifconfig_t, ifconfig_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## 
@@ -76,15 +82,17 @@ class fifo_file rw_file_perms; ## # define(`sysnetwork_ifconfig_transition_add_role_use_terminal',` -requires_block_template(`$0'_depend) -sysnetwork_ifconfig_transition($1) -role $2 types ifconfig_t; -allow ifconfig_t $3:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + sysnetwork_ifconfig_transition($1) + role $2 types ifconfig_t; + allow ifconfig_t $3:chr_file { getattr read write ioctl }; ') define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` -type ifconfig_t; -class chr_file { getattr read write ioctl }; + type ifconfig_t; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -92,14 +100,16 @@ class chr_file { getattr read write ioctl }; # sysnetwork_read_network_config(domain) # define(`sysnetwork_read_network_config',` -requires_block_template(`$0'_depend) -files_search_general_system_config_directory($1) -allow $1 net_conf_t:file { getattr read }; + requires_block_template(`$0'_depend) + + files_search_general_system_config_directory($1) + allow $1 net_conf_t:file { getattr read }; ') define(`sysnetwork_read_network_config_depend',` -type net_conf_t; -class file { getattr read }; + type net_conf_t; + + class file { getattr read }; ') ## diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 490b1d6..2beaa00 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if 
@@ -4,23 +4,26 @@ # udev_transition(domain) # define(`udev_transition',` -requires_block_template(`$0'_depend) -allow $1 udev_exec_t:file { getattr read execute }; -allow $1 udev_t:process transition; -type_transition $1 udev_exec_t:process udev_t; -dontaudit $1 udev_t:process { noatsecure siginh rlimitinh }; -allow $1 udev_t:fd use; -allow udev_t $1:fd use; -allow udev_t $1:fifo_file rw_file_perms; -allow udev_t $1:process sigchld; + requires_block_template(`$0'_depend) + + allow $1 udev_exec_t:file { getattr read execute }; + allow $1 udev_t:process transition; + type_transition $1 udev_exec_t:process udev_t; + dontaudit $1 udev_t:process { noatsecure siginh rlimitinh }; + + allow $1 udev_t:fd use; + allow udev_t $1:fd use; + allow udev_t $1:fifo_file rw_file_perms; + allow udev_t $1:process sigchld; ') define(`udev_transition_depend',` -type udev_t, udev_exec_t; -class file { getattr read execute }; -class process { transition noatsecure siginh rlimitinh sigchld }; -class fd use; -class fifo_file rw_file_perms; + type udev_t, udev_exec_t; + + class file { getattr read execute }; + class process { transition noatsecure siginh rlimitinh sigchld }; + class fd use; + class fifo_file rw_file_perms; ') ######################################## @@ -28,13 +31,15 @@ class fifo_file rw_file_perms; # udev_read_database(domain) # define(`udev_read_database',` -requires_block_template(`$0'_depend) -allow $1 udev_tdb_t:file { getattr read }; + requires_block_template(`$0'_depend) + + allow $1 udev_tdb_t:file { getattr read }; ') define(`udev_read_database_depend',` -type udev_tdb_t; -class file { getattr read }; + type udev_tdb_t; + + class file { getattr read }; ') ######################################## 
@@ -42,11 +47,13 @@ class file { getattr read }; # udev_modify_database(domain) # define(`udev_modify_database',` -requires_block_template(`$0'_depend) -allow $1 udev_tdb_t:file { getattr read write append }; + requires_block_template(`$0'_depend) + + allow $1 udev_tdb_t:file { getattr read write append }; ') define(`udev_modify_database_depend',` -type udev_tdb_t; -class file { getattr read write append }; + type udev_tdb_t; + + class file { getattr read write append }; ') diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 296e03c..b12a556 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -114,28 +114,28 @@ selinux_restorecon_transition(udev_t) sysnetwork_ifconfig_transition(udev_t) tunable_policy(`distro_redhat',` -filesystem_manage_tmpfs_block_devices(udev_t) -filesystem_manage_tmpfs_character_devices(udev_t) + filesystem_manage_tmpfs_block_devices(udev_t) + filesystem_manage_tmpfs_character_devices(udev_t) -# for arping used for static IP addresses on PCMCIA ethernet -netutils_transition(udev_t) + # for arping used for static IP addresses on PCMCIA ethernet + netutils_transition(udev_t) ') dnl end ifdef distro_redhat optional_policy(`authlogin.te',` -authlogin_pam_console_read_runtime_data(udev_t) -authlogin_pam_console_transition(udev_t) + authlogin_pam_console_read_runtime_data(udev_t) + authlogin_pam_console_transition(udev_t) ') optional_policy(`consoletype.te',` -consoletype_execute(udev_t) + consoletype_execute(udev_t) ') optional_policy(`hotplug.te',` -hotplug_read_config(udev_t) + hotplug_read_config(udev_t) ') optional_policy(`sysnetwork.te',` -sysnetwork_dhcpc_transition(udev_t) + sysnetwork_dhcpc_transition(udev_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index a0568ab..549520a 100644 --- a/refpolicy/policy/modules/system/userdomain.if 
+++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -9,390 +9,390 @@ define(`base_user_domain',` -attribute $1_file_type; - -type $1_t, userdomain; -domain_make_domain($1_t) -corecommands_make_shell_entrypoint($1_t) -role $1_r types $1_t; -allow system_r $1_r; - -# user pseudoterminal -type $1_devpts_t; -terminal_make_user_pseudoterminal($1_t,$1_devpts_t) - -# type for contents of home directory -type $1_home_t, $1_file_type, home_type; -files_make_file($1_home_t) - -# type of home directory -type $1_home_dir_t, home_dir_type, home_type; -files_make_file($1_home_t) - -type $1_tmp_t, $1_file_type; -files_make_temporary_file($1_tmp_t) - -type $1_tmpfs_t; -files_make_tmpfs_file($1_tmpfs_t) - -type $1_tty_device_t; -terminal_make_physical_terminal($1_t,$1_tty_device_t) - -############################## -# -# Local policy -# - -allow $1_t self:capability { setgid chown fowner }; -dontaudit $1_t self:capability { sys_nice fsetid }; -allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; -allow $1_t self:process { ptrace setfscreate }; -allow $1_t self:fd use; -allow $1_t self:fifo_file { read getattr lock ioctl write append }; -allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; -allow $1_t self:unix_dgram_socket sendto; -allow $1_t self:unix_stream_socket connectto; -allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; -allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; -allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; -allow $1_t self:msg { send receive }; -dontaudit $1_t self:socket create; -# Irrelevant until we have labeled networking. 
-#allow $1_t self:udp_socket { sendto recvfrom }; - -# evolution and gnome-session try to create a netlink socket -dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - -# execute files in the home directory -allow $1_t $1_home_t:file { getattr read execute execute_no_trans }; - -# full control of the home directory -allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto }; -allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; -allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; -allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t; - -allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans }; - -# Bind to a Unix domain socket in /tmp. 
-# cjp: this is combination is not checked and should be removed -allow $1_t $1_tmp_t:unix_stream_socket name_bind; - -allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; -allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; -allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock }; - -allow $1_t unpriv_userdomain:fd use; - -# Instantiate derived domains for a number of programs. -# These derived domains encode both information about the calling -# user domain and the program, and allow us to maintain separation -# between different instances of the program being run by different -# user domains. 
-per_userdomain_templates($1) - -kernel_read_kernel_sysctl($1_t) -kernel_get_selinuxfs_mount_point($1_t) -# Very permissive allowing every domain to see every type: -kernel_get_sysvipc_info($1_t) -# Find CDROM devices: -kernel_read_device_sysctl($1_t) -# GNOME checks for usb and other devices: -kernel_modify_usb_hardware_config_option($1_t) - -corenetwork_sendrecv_tcp_on_all_interfaces($1_t) -corenetwork_sendrecv_raw_on_all_interfaces($1_t) -corenetwork_sendrecv_udp_on_all_interfaces($1_t) -corenetwork_sendrecv_tcp_on_all_nodes($1_t) -corenetwork_sendrecv_raw_on_all_nodes($1_t) -corenetwork_sendrecv_udp_on_all_nodes($1_t) -corenetwork_sendrecv_tcp_on_all_ports($1_t) -corenetwork_sendrecv_udp_on_all_ports($1_t) -corenetwork_bind_tcp_on_all_nodes($1_t) -corenetwork_bind_udp_on_all_nodes($1_t) -# allow port_t name binding for UDP because it is not very usable otherwise -corenetwork_bind_udp_on_general_port($1_t) - -devices_get_input_event($1_t) -devices_read_misc($1_t) -devices_write_misc($1_t) -devices_play_sound($1_t) -devices_record_sound_input($1_t) -devices_read_sound_mixer_levels($1_t) -devices_write_sound_mixer_levels($1_t) -devices_get_random_data($1_t) -devices_get_pseudorandom_data($1_t) -# open office is looking for the following -devices_get_direct_rendering_interface_attributes($1_t) -devices_ignore_use_direct_rendering_interface($1_t) - -filesystem_get_all_filesystems_quotas($1_t) -filesystem_get_all_filesystems_attributes($1_t) - -# for eject -storage_get_fixed_disk_attributes($1_t) - -authlogin_read_login_records($1_t) -authlogin_ignore_write_login_records($1_t) -authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - -corecommands_execute_general_programs($1_t) -corecommands_execute_system_programs($1_t) -corecommands_execute_ls($1_t) - -domain_execute_all_entrypoint_programs($1_t) 
-domain_use_widely_inheritable_file_descriptors($1_t) - -files_execute_system_config_script($1_t) -files_read_system_source_code($1_t) - -# Caused by su - init scripts -init_script_ignore_use_pseudoterminal($1_t) - -libraries_use_dynamic_loader($1_t) -libraries_use_shared_libraries($1_t) -libraries_execute_dynamic_loader($1_t) -libraries_execute_library_scripts($1_t) - -logging_ignore_get_all_logs_attributes($1_t) - -miscfiles_read_localization($1_t) -miscfiles_manage_man_page_cache($1_t) - -selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - -mta_modify_mail_spool($1_t) - -if (allow_execmem) { -# Allow loading DSOs that require executable stack. -allow $1_t self:process execmem; -} - -if (use_nfs_home_dirs) { -filesystem_manage_nfs_directories($1_t) -filesystem_manage_nfs_files($1_t) -filesystem_manage_nfs_symbolic_links($1_t) -filesystem_manage_nfs_named_sockets($1_t) -filesystem_manage_nfs_named_pipes($1_t) -filesystem_execute_nfs_files($1_t) -} - -if (use_samba_home_dirs) { -filesystem_manage_windows_network_directories($1_t) -filesystem_manage_windows_network_files($1_t) -filesystem_manage_windows_network_symbolic_links($1_t) -filesystem_manage_windows_network_named_sockets($1_t) -filesystem_manage_windows_network_named_pipes($1_t) -filesystem_execute_windows_network_files($1_t) -} - -if (user_direct_mouse) { -devices_get_mouse_input($1_t) -} - -if (user_ttyfile_stat) { -terminal_get_all_private_physical_terminal_attributes($1_t) -} - -optional_policy(`usermanage.te',` -usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -') - -ifdef(`TODO',` - -# When the user domain runs ps, there will be a number of access -# denials when ps tries to search /proc. Do not audit these denials. 
-dontaudit $1_t domain:dir r_dir_perms; -dontaudit $1_t domain:notdevfile_class_set r_file_perms; -dontaudit $1_t domain:process { getattr getsession }; -# -# Cups daemon running as user tries to write /etc/printcap -# -dontaudit $1_t usr_t:file setattr; - -# Access the power device. -allow $1_t power_device_t:chr_file { getattr read write ioctl }; - -# Check to see if cdrom is mounted -allow $1_t mnt_t:dir { getattr search }; - -# -# Added to allow reading of cdrom -# -allow $1_t rpc_pipefs_t:dir getattr; -allow $1_t nfsd_fs_t:dir getattr; -allow $1_t binfmt_misc_fs_t:dir getattr; - -# /initrd is left mounted, various programs try to look at it -dontaudit $1_t ramfs_t:dir getattr; - -if (read_default_t) { -allow $1_t default_t:dir r_dir_perms; -allow $1_t default_t:notdevfile_class_set r_file_perms; -} - -# -# Running ifconfig as a user generates the following -# -dontaudit $1_t sysctl_net_t:dir search; - -dontaudit $1_t default_context_t:dir search; - -r_dir_file($1_t, usercanread) - -can_ypbind($1_t) - -if (allow_execmod) { -# Allow text relocations on system shared libraries, e.g. libGL. 
-allow $1_t texrel_shlib_t:file execmod; -} - -allow $1_t fs_type:dir getattr; - -# old "file_browse_domain": -# Regular files/directories that are not security sensitive -dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr; -dontaudit $1_t file_type - secure_file_type:dir { read search }; -# /dev -dontaudit $1_t dev_fs:dir_file_class_set getattr; -dontaudit $1_t dev_fs:dir { read search }; -# /proc -dontaudit $1_t sysctl_t:dir_file_class_set getattr; -dontaudit $1_t proc_fs:dir { read search }; - -allow $1_t autofs_t:dir { search getattr }; - -can_exec($1_t, { removable_t noexattrfile } ) -if (user_rw_noexattrfile) { -create_dir_file($1_t, noexattrfile) -create_dir_file($1_t, removable_t) -# Write floppies -allow $1_t removable_device_t:blk_file rw_file_perms; -allow $1_t usbtty_device_t:chr_file write; -} else { -r_dir_file($1_t, noexattrfile) -r_dir_file($1_t, removable_t) -allow $1_t removable_device_t:blk_file r_file_perms; -} -allow $1_t usbtty_device_t:chr_file read; - -can_exec($1_t, noexattrfile) - -# for running TeX programs -r_dir_file($1_t, tetex_data_t) -can_exec($1_t, tetex_data_t) - -# Run programs developed by other users in the same domain. - -can_resmgrd_connect($1_t) - -can_ypbind($1_t) - -allow $1_t var_lock_t:dir search; - -# Grant permissions to access the system DBus -ifdef(`dbusd.te', ` -dbusd_client(system, $1) -can_network_server_tcp($1_dbusd_t) -allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; - -allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; -dbusd_client($1, $1) -allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; -dbusd_domain($1) -ifdef(`hald.te', ` -allow $1_t hald_t:dbus send_msg; -allow hald_t $1_t:dbus send_msg; -') dnl end ifdef hald.te -') dnl end ifdef dbus.te - -# Gnome pannel binds to the following -ifdef(`cups.te', ` -allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr }; -') - -# Connect to inetd. 
-ifdef(`inetd.te', ` -can_tcp_connect($1_t, inetd_t) -can_udp_send($1_t, inetd_t) -can_udp_send(inetd_t, $1_t) -') - -# Connect to portmap. -ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') - -# Inherit and use sockets from inetd -ifdef(`inetd.te', ` -allow $1_t inetd_t:fd use; -allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; -') - -ifdef(`xserver.te', ` -# for /tmp/.ICE-unix -file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) -allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; -') - -ifdef(`xdm.te', ` -# Connect to the X server run by the X Display Manager. -can_unix_connect($1_t, xdm_t) -allow $1_t xdm_tmp_t:sock_file rw_file_perms; -allow $1_t xdm_tmp_t:dir r_dir_perms; -allow $1_t xdm_tmp_t:file { getattr read }; -allow $1_t xdm_xserver_tmp_t:sock_file { read write }; -allow $1_t xdm_xserver_tmp_t:dir search; -allow $1_t xdm_xserver_t:unix_stream_socket connectto; -# certain apps want to read xdm.pid file -r_dir_file($1_t, xdm_var_run_t) -allow $1_t xdm_var_lib_t:file { getattr read }; -allow xdm_t $1_home_dir_t:dir getattr; -ifdef(`xauth.te', ` -file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) -') - -# for shared memory -allow xdm_xserver_t $1_tmpfs_t:file { read write }; - -')dnl end ifdef xdm.te - -ifdef(`rpcd.te', ` -create_dir_file($1_t, nfsd_rw_t) -') - -ifdef(`cardmgr.te', ` -# to allow monitoring of pcmcia status -allow $1_t cardmgr_var_run_t:file { getattr read }; -') - -# -# Allow graphical boot to check battery lifespan -# -ifdef(`apmd.te', ` -allow $1_t apmd_t:unix_stream_socket connectto; -allow $1_t apmd_var_run_t:sock_file write; -') - -ifdef(`automount.te', ` -allow $1_t autofs_t:dir { search getattr }; -') - -ifdef(`pamconsole.te', ` -allow $1_t pam_var_console_t:dir search; -') - -') dnl endif TODO + attribute $1_file_type; + + type $1_t, userdomain; + domain_make_domain($1_t) + corecommands_make_shell_entrypoint($1_t) + role $1_r types $1_t; + allow system_r $1_r; + + # user 
pseudoterminal + type $1_devpts_t; + terminal_make_user_pseudoterminal($1_t,$1_devpts_t) + + # type for contents of home directory + type $1_home_t, $1_file_type, home_type; + files_make_file($1_home_t) + + # type of home directory + type $1_home_dir_t, home_dir_type, home_type; + files_make_file($1_home_t) + + type $1_tmp_t, $1_file_type; + files_make_temporary_file($1_tmp_t) + + type $1_tmpfs_t; + files_make_tmpfs_file($1_tmpfs_t) + + type $1_tty_device_t; + terminal_make_physical_terminal($1_t,$1_tty_device_t) + + ############################## + # + # Local policy + # + + allow $1_t self:capability { setgid chown fowner }; + dontaudit $1_t self:capability { sys_nice fsetid }; + allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; + allow $1_t self:process { ptrace setfscreate }; + allow $1_t self:fd use; + allow $1_t self:fifo_file { read getattr lock ioctl write append }; + allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; + allow $1_t self:unix_dgram_socket sendto; + allow $1_t self:unix_stream_socket connectto; + allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; + allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; + allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; + allow $1_t self:msg { send receive }; + dontaudit $1_t self:socket create; + # Irrelevant until we have labeled networking. 
+ #allow $1_t self:udp_socket { sendto recvfrom }; + + # evolution and gnome-session try to create a netlink socket + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + + # execute files in the home directory + allow $1_t $1_home_t:file { getattr read execute execute_no_trans }; + + # full control of the home directory + allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto }; + allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; + allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; + type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t; + + allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans }; + + # Bind to a Unix domain socket in /tmp. 
+ # cjp: this is combination is not checked and should be removed + allow $1_t $1_tmp_t:unix_stream_socket name_bind; + + allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + + allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock }; + + allow $1_t unpriv_userdomain:fd use; + + # Instantiate derived domains for a number of programs. + # These derived domains encode both information about the calling + # user domain and the program, and allow us to maintain separation + # between different instances of the program being run by different + # user domains. 
+ per_userdomain_templates($1) + + kernel_read_kernel_sysctl($1_t) + kernel_get_selinuxfs_mount_point($1_t) + # Very permissive allowing every domain to see every type: + kernel_get_sysvipc_info($1_t) + # Find CDROM devices: + kernel_read_device_sysctl($1_t) + # GNOME checks for usb and other devices: + kernel_modify_usb_hardware_config_option($1_t) + + corenetwork_sendrecv_tcp_on_all_interfaces($1_t) + corenetwork_sendrecv_raw_on_all_interfaces($1_t) + corenetwork_sendrecv_udp_on_all_interfaces($1_t) + corenetwork_sendrecv_tcp_on_all_nodes($1_t) + corenetwork_sendrecv_raw_on_all_nodes($1_t) + corenetwork_sendrecv_udp_on_all_nodes($1_t) + corenetwork_sendrecv_tcp_on_all_ports($1_t) + corenetwork_sendrecv_udp_on_all_ports($1_t) + corenetwork_bind_tcp_on_all_nodes($1_t) + corenetwork_bind_udp_on_all_nodes($1_t) + # allow port_t name binding for UDP because it is not very usable otherwise + corenetwork_bind_udp_on_general_port($1_t) + + devices_get_input_event($1_t) + devices_read_misc($1_t) + devices_write_misc($1_t) + devices_play_sound($1_t) + devices_record_sound_input($1_t) + devices_read_sound_mixer_levels($1_t) + devices_write_sound_mixer_levels($1_t) + devices_get_random_data($1_t) + devices_get_pseudorandom_data($1_t) + # open office is looking for the following + devices_get_direct_rendering_interface_attributes($1_t) + devices_ignore_use_direct_rendering_interface($1_t) + + filesystem_get_all_filesystems_quotas($1_t) + filesystem_get_all_filesystems_attributes($1_t) + + # for eject + storage_get_fixed_disk_attributes($1_t) + + authlogin_read_login_records($1_t) + authlogin_ignore_write_login_records($1_t) + authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + + corecommands_execute_general_programs($1_t) + corecommands_execute_system_programs($1_t) + corecommands_execute_ls($1_t) + + 
domain_execute_all_entrypoint_programs($1_t) + domain_use_widely_inheritable_file_descriptors($1_t) + + files_execute_system_config_script($1_t) + files_read_system_source_code($1_t) + + # Caused by su - init scripts + init_script_ignore_use_pseudoterminal($1_t) + + libraries_use_dynamic_loader($1_t) + libraries_use_shared_libraries($1_t) + libraries_execute_dynamic_loader($1_t) + libraries_execute_library_scripts($1_t) + + logging_ignore_get_all_logs_attributes($1_t) + + miscfiles_read_localization($1_t) + miscfiles_manage_man_page_cache($1_t) + + selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + + mta_modify_mail_spool($1_t) + + if (allow_execmem) { + # Allow loading DSOs that require executable stack. + allow $1_t self:process execmem; + } + + if (use_nfs_home_dirs) { + filesystem_manage_nfs_directories($1_t) + filesystem_manage_nfs_files($1_t) + filesystem_manage_nfs_symbolic_links($1_t) + filesystem_manage_nfs_named_sockets($1_t) + filesystem_manage_nfs_named_pipes($1_t) + filesystem_execute_nfs_files($1_t) + } + + if (use_samba_home_dirs) { + filesystem_manage_windows_network_directories($1_t) + filesystem_manage_windows_network_files($1_t) + filesystem_manage_windows_network_symbolic_links($1_t) + filesystem_manage_windows_network_named_sockets($1_t) + filesystem_manage_windows_network_named_pipes($1_t) + filesystem_execute_windows_network_files($1_t) + } + + if (user_direct_mouse) { + devices_get_mouse_input($1_t) + } + + if (user_ttyfile_stat) { + terminal_get_all_private_physical_terminal_attributes($1_t) + } + + optional_policy(`usermanage.te',` + usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + ') + + ifdef(`TODO',` + + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. 
+ dontaudit $1_t domain:dir r_dir_perms; + dontaudit $1_t domain:notdevfile_class_set r_file_perms; + dontaudit $1_t domain:process { getattr getsession }; + # + # Cups daemon running as user tries to write /etc/printcap + # + dontaudit $1_t usr_t:file setattr; + + # Access the power device. + allow $1_t power_device_t:chr_file { getattr read write ioctl }; + + # Check to see if cdrom is mounted + allow $1_t mnt_t:dir { getattr search }; + + # + # Added to allow reading of cdrom + # + allow $1_t rpc_pipefs_t:dir getattr; + allow $1_t nfsd_fs_t:dir getattr; + allow $1_t binfmt_misc_fs_t:dir getattr; + + # /initrd is left mounted, various programs try to look at it + dontaudit $1_t ramfs_t:dir getattr; + + if (read_default_t) { + allow $1_t default_t:dir r_dir_perms; + allow $1_t default_t:notdevfile_class_set r_file_perms; + } + + # + # Running ifconfig as a user generates the following + # + dontaudit $1_t sysctl_net_t:dir search; + + dontaudit $1_t default_context_t:dir search; + + r_dir_file($1_t, usercanread) + + can_ypbind($1_t) + + if (allow_execmod) { + # Allow text relocations on system shared libraries, e.g. libGL. 
+ allow $1_t texrel_shlib_t:file execmod; + } + + allow $1_t fs_type:dir getattr; + + # old "file_browse_domain": + # Regular files/directories that are not security sensitive + dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr; + dontaudit $1_t file_type - secure_file_type:dir { read search }; + # /dev + dontaudit $1_t dev_fs:dir_file_class_set getattr; + dontaudit $1_t dev_fs:dir { read search }; + # /proc + dontaudit $1_t sysctl_t:dir_file_class_set getattr; + dontaudit $1_t proc_fs:dir { read search }; + + allow $1_t autofs_t:dir { search getattr }; + + can_exec($1_t, { removable_t noexattrfile } ) + if (user_rw_noexattrfile) { + create_dir_file($1_t, noexattrfile) + create_dir_file($1_t, removable_t) + # Write floppies + allow $1_t removable_device_t:blk_file rw_file_perms; + allow $1_t usbtty_device_t:chr_file write; + } else { + r_dir_file($1_t, noexattrfile) + r_dir_file($1_t, removable_t) + allow $1_t removable_device_t:blk_file r_file_perms; + } + allow $1_t usbtty_device_t:chr_file read; + + can_exec($1_t, noexattrfile) + + # for running TeX programs + r_dir_file($1_t, tetex_data_t) + can_exec($1_t, tetex_data_t) + + # Run programs developed by other users in the same domain. + + can_resmgrd_connect($1_t) + + can_ypbind($1_t) + + allow $1_t var_lock_t:dir search; + + # Grant permissions to access the system DBus + ifdef(`dbusd.te', ` + dbusd_client(system, $1) + can_network_server_tcp($1_dbusd_t) + allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; + + allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; + dbusd_client($1, $1) + allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; + dbusd_domain($1) + ifdef(`hald.te', ` + allow $1_t hald_t:dbus send_msg; + allow hald_t $1_t:dbus send_msg; + ') + ') + + # Gnome pannel binds to the following + ifdef(`cups.te', ` + allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr }; + ') + + # Connect to inetd. 
+ ifdef(`inetd.te', ` + can_tcp_connect($1_t, inetd_t) + can_udp_send($1_t, inetd_t) + can_udp_send(inetd_t, $1_t) + ') + + # Connect to portmap. + ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') + + # Inherit and use sockets from inetd + ifdef(`inetd.te', ` + allow $1_t inetd_t:fd use; + allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; + ') + + ifdef(`xserver.te', ` + # for /tmp/.ICE-unix + file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) + allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; + ') + + ifdef(`xdm.te', ` + # Connect to the X server run by the X Display Manager. + can_unix_connect($1_t, xdm_t) + allow $1_t xdm_tmp_t:sock_file rw_file_perms; + allow $1_t xdm_tmp_t:dir r_dir_perms; + allow $1_t xdm_tmp_t:file { getattr read }; + allow $1_t xdm_xserver_tmp_t:sock_file { read write }; + allow $1_t xdm_xserver_tmp_t:dir search; + allow $1_t xdm_xserver_t:unix_stream_socket connectto; + # certain apps want to read xdm.pid file + r_dir_file($1_t, xdm_var_run_t) + allow $1_t xdm_var_lib_t:file { getattr read }; + allow xdm_t $1_home_dir_t:dir getattr; + ifdef(`xauth.te', ` + file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) + ') + + # for shared memory + allow xdm_xserver_t $1_tmpfs_t:file { read write }; + + ') + + ifdef(`rpcd.te', ` + create_dir_file($1_t, nfsd_rw_t) + ') + + ifdef(`cardmgr.te', ` + # to allow monitoring of pcmcia status + allow $1_t cardmgr_var_run_t:file { getattr read }; + ') + + # + # Allow graphical boot to check battery lifespan + # + ifdef(`apmd.te', ` + allow $1_t apmd_t:unix_stream_socket connectto; + allow $1_t apmd_var_run_t:sock_file write; + ') + + ifdef(`automount.te', ` + allow $1_t autofs_t:dir { search getattr }; + ') + + ifdef(`pamconsole.te', ` + allow $1_t pam_var_console_t:dir search; + ') + + ') dnl endif TODO ')dnl end base_user_domain macro 
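Review bot: The new side still calls `files_make_file($1_home_t)` twice — the second call, directly under `# type of home directory` and `type $1_home_dir_t, home_dir_type, home_type;`, looks like it was meant to be `files_make_file($1_home_dir_t)`, which would presumably leave `$1_home_dir_t` without whatever that interface provides; worth confirming against the files module before the re-indent lands. Re-indenting also dropped the `dnl end ifdef hald.te`, `dnl end ifdef dbus.te` and `dnl end ifdef xdm.te` trailers on the closing `')` lines inside the TODO section, which were the only markers matching those nested closers; keeping them (e.g. `') dnl end ifdef xdm.te`) preserves readability of the nesting. Separately, `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` is immediately followed by `allow $1_t self:process { ptrace setfscreate };`, which grants back two of the permissions the complement excluded; if that is intended, a one-line comment saying why would save the next reader the same question, otherwise the two rules should be folded into one stating the net permission set. The `define(`base_user_domain',`` line sits in the hunk header context, so the macro opens one line before this hunk.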
@@ -402,201 +402,200 @@ allow $1_t pam_var_console_t:dir search; # define(`user_domain_template', ` + ############################## + # + # Declarations + # -############################## -# -# Declarations -# - -# Inherit rules for ordinary users. -base_user_domain($1) + # Inherit rules for ordinary users. + base_user_domain($1) -typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; -domain_make_file_descriptors_widely_inheritable($1_t) + typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; + domain_make_file_descriptors_widely_inheritable($1_t) -#typeattribute $1_devpts_t userpty_type, user_tty_type; -#typeattribute $1_home_dir_t user_home_dir_type; -#typeattribute $1_home_t user_home_type; + #typeattribute $1_devpts_t userpty_type, user_tty_type; + #typeattribute $1_home_dir_t user_home_dir_type; + #typeattribute $1_home_t user_home_type; -#typeattribute $1_tmp_t, user_tmpfile; + #typeattribute $1_tmp_t, user_tmpfile; -#typeattribute $1_tty_device_t user_tty_type; + #typeattribute $1_tty_device_t user_tty_type; -############################## -# -# Local policy -# - -allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -terminal_create_private_pseudoterminal($1_t,$1_devpts_t) - -# Rules used to associate a homedir as a mountpoint -allow $1_home_t self:filesystem associate; -allow $1_file_type $1_home_t:filesystem associate; - -# user temporary files -allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename }; -allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; 
-files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
-
-# privileged home directory writers
-allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
-allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
-
-kernel_read_system_state($1_t)
-kernel_read_network_state($1_t)
-kernel_read_hardware_state($1_t)
-
-# cjp: why?
-bootloader_read_kernel_symbol_table($1_t)
-
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
-
-files_read_general_system_config($1_t)
-files_list_home_directories($1_t)
-files_read_general_application_resources($1_t)
-
-init_script_read_runtime_data($1_t)
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails.
-init_script_ignore_write_runtime_data($1_t)
-# Stop warnings about access to /dev/console
-init_ignore_use_file_descriptors($1_t)
-init_script_ignore_use_file_descriptors($1_t)
-
-miscfiles_read_man_pages($1_t)
-
-selinux_read_config($1_t)
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-selinux_checkpolicy_execute($1_t)
-
-if (user_dmesg) {
-kernel_read_ring_buffer($1_t)
-} else {
-kernel_ignore_read_ring_buffer($1_t)
-}
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-corenetwork_bind_tcp_on_general_port($1_t)
-}
-
-# for running depmod as part of the kernel packaging process
-optional_policy(`modutils.te',`
-modutils_read_kernel_module_loading_config($1_t)
-')
-
-optional_policy(`selinux.te',`
-# for when the network connection is killed
-selinux_newrole_ignore_signal($1_t)
-')
-
-# Need the following rule to allow users to run vpnc
-optional_policy(`xserver.te', `
-corenetwork_bind_tcp_on_xserver_port($1_t)
-')
-
-ifdef(`TODO',`
-
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-
-can_kerberos($1_t)
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-#
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-if (read_default_t) {
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
-allow $1_t var_spool_t:dir r_dir_perms;
-allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
-allow $1_t var_run_t:dir r_dir_perms;
-allow $1_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-allow $1_t initrc_t:fifo_file write;
-
-ifdef(`user_can_mount', `
-#
-# Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
-
-') dnl end TODO
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
+
+ # Rules used to associate a homedir as a mountpoint
+ allow $1_home_t self:filesystem associate;
+ allow $1_file_type $1_home_t:filesystem associate;
+
+ # user temporary files
+ allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+ allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
+
+ # privileged home directory writers
+ allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
+ allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+ allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_hardware_state($1_t)
+
+ # cjp: why?
+ bootloader_read_kernel_symbol_table($1_t)
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
+
+ files_read_general_system_config($1_t)
+ files_list_home_directories($1_t)
+ files_read_general_application_resources($1_t)
+
+ init_script_read_runtime_data($1_t)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_script_ignore_write_runtime_data($1_t)
+ # Stop warnings about access to /dev/console
+ init_ignore_use_file_descriptors($1_t)
+ init_script_ignore_use_file_descriptors($1_t)
+
+ miscfiles_read_man_pages($1_t)
+
+ selinux_read_config($1_t)
+ # Allow users to execute checkpolicy without a domain transition
+ # so it can be used without privilege to write real binary policy file
+ selinux_checkpolicy_execute($1_t)
+
+ if (user_dmesg) {
+ kernel_read_ring_buffer($1_t)
+ } else {
+ kernel_ignore_read_ring_buffer($1_t)
+ }
+
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+ if (user_tcp_server) {
+ corenetwork_bind_tcp_on_general_port($1_t)
+ }
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`modutils.te',`
+ modutils_read_kernel_module_loading_config($1_t)
+ ')
+
+ optional_policy(`selinux.te',`
+ # for when the network connection is killed
+ selinux_newrole_ignore_signal($1_t)
+ ')
+
+ # Need the following rule to allow users to run vpnc
+ optional_policy(`xserver.te', `
+ corenetwork_bind_tcp_on_xserver_port($1_t)
+ ')
+
+ ifdef(`TODO',`
+
+ dontaudit $1_t boot_t:lnk_file read;
+ dontaudit $1_t boot_t:file read;
+
+ can_kerberos($1_t)
+
+ # do not audit read on disk devices
+ dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+
+ ifdef(`xdm.te', `
+ allow xdm_t $1_home_t:lnk_file read;
+ allow xdm_t $1_home_t:dir search;
+ #
+ # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
+ #
+ dontaudit xdm_t $1_home_t:file rw_file_perms;
+ ')
+
+ ifdef(`ftpd.te', `
+ if (ftp_home_dir) {
+ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+ }
+ ')
+
+ if (read_default_t) {
+ allow $1 default_t:dir r_dir_perms;
+ allow $1 default_t:notdevfile_class_set r_file_perms;
+ }
+
+ can_exec($1_t, usr_t)
+
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+ allow $1_t readable_t:dir r_dir_perms;
+ allow $1_t readable_t:notdevfile_class_set r_file_perms;
+
+ # Stat lost+found.
+ allow $1_t lost_found_t:dir getattr;
+
+ # Read /var, /var/spool, /var/run.
+ allow $1_t var_t:dir r_dir_perms;
+ allow $1_t var_t:notdevfile_class_set r_file_perms;
+ allow $1_t var_spool_t:dir r_dir_perms;
+ allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
+ allow $1_t var_run_t:dir r_dir_perms;
+ allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+ allow $1_t var_lib_t:dir r_dir_perms;
+ allow $1_t var_lib_t:file { getattr read };
+
+ # Allow users to rw usb devices
+ if (user_rw_usb) {
+ rw_dir_create_file($1_t,usbdevfs_t)
+ } else {
+ r_dir_file($1_t,usbdevfs_t)
+ }
+
+ # Do not audit write denials to /etc/ld.so.cache.
+ dontaudit $1_t ld_so_cache_t:file write; + + dontaudit $1_t sysadm_home_t:file { read append }; + + ifdef(`syslogd.te', ` + # Some programs that are left in $1_t will try to connect + # to syslogd, but we do not want to let them generate log messages. + # Do not audit. + dontaudit $1_t devlog_t:sock_file { read write }; + dontaudit $1_t syslogd_t:unix_dgram_socket sendto; + ') + + allow $1_t initrc_t:fifo_file write; + + ifdef(`user_can_mount', ` + # + # Allow users to mount file systems like floppies and cdrom + # + mount_domain($1, $1_mount, `, fs_domain') + r_dir_file($1_t, mnt_t) + allow $1_mount_t device_t:lnk_file read; + allow $1_mount_t removable_device_t:blk_file read; + allow $1_mount_t iso9660_t:filesystem relabelfrom; + allow $1_mount_t removable_t:filesystem { mount relabelto }; + allow $1_mount_t removable_t:dir mounton; + ifdef(`xdm.te', ` + allow $1_mount_t xdm_t:fd use; + allow $1_mount_t xdm_t:fifo_file { read write }; + ') + ') + + ') dnl end TODO ') ######################################## 
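Review bot: The read_default_t block inside `ifdef(`TODO',...)` grants to the bare prefix rather than the domain, `allow $1 default_t:dir r_dir_perms;` and `allow $1 default_t:notdevfile_class_set r_file_perms;`, while every other rule in user_domain_template names `$1_t`. The section is inert while TODO is undefined, so this is not a live policy change, but the re-indent touched these lines and is the natural place to make them `allow $1_t default_t:dir r_dir_perms;` and `allow $1_t default_t:notdevfile_class_set r_file_perms;`. On style, the same pass turns `')dnl end ifdef xdm.te` and `')dnl end ifdef ftpd` into a bare `')` while `') dnl end TODO` keeps its marker; the admin_domain_template hunk below does the same to its xserver.te, startx.te, xauth.te and xdm.te closers, and in macros this long the end-of-block markers are worth keeping consistently. The `# cjp: why?` above bootloader_read_kernel_symbol_table($1_t) is still an open question rather than a reason and should be answered in place.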
@@ -604,208 +603,207 @@ allow $1_mount_t xdm_t:fifo_file { read write }; # Admin domain template # define(`admin_domain_template',` + ############################## + # + # Declarations + # + + # Inherit rules for ordinary users. + base_user_domain($1) + + typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; + kernel_make_object_identity_change_constraint_exception($1_t) + role system_r types $1_t; + + #ifdef(`direct_sysadm_daemon', `, priv_system_role') + #; dnl end of sysadm_t type declaration + + typeattribute $1_devpts_t admin_terminal; + + typeattribute $1_tty_device_t admin_terminal; + + ############################## + # + # $1_t local policy + # + + allow $1_t self:capability ~sys_module; + allow $1_t self:process { setexec setfscreate }; + + # Set password information for other users. + allow $1_t self:passwd { passwd chfn chsh }; + + # Skip authentication when pam_rootok is specified. + allow $1_t self:passwd rootok; + + # Manipulate other users crontab. 
+ allow $1_t self:passwd crontab;
+
+ # for the administrator to run TCP servers directly
+ allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
+
+ allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
+
+ allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+ allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_get_core_interface_attributes($1_t)
+ kernel_get_message_interface_attributes($1_t)
+ kernel_change_ring_buffer_level($1_t)
+ kernel_clear_ring_buffer($1_t)
+ kernel_read_ring_buffer($1_t)
+ kernel_get_sysvipc_info($1_t)
+ kernel_modify_all_sysctl($1_t)
+ kernel_set_selinux_enforcement_mode($1_t)
+ kernel_set_selinux_boolean($1_t)
+ kernel_set_selinux_security_parameters($1_t)
+ # Get security policy decisions:
+ kernel_get_selinuxfs_mount_point($1_t)
+ kernel_validate_selinux_context($1_t)
+ kernel_compute_selinux_access_vector($1_t)
+ kernel_compute_selinux_create_context($1_t)
+ kernel_compute_selinux_relabel_context($1_t)
+ kernel_compute_selinux_reachable_user_contexts($1_t)
+ # signal unlabeled processes:
+ kernel_kill_unlabeled_process($1_t)
+ kernel_signal_unlabeled_process($1_t)
+ kernel_sigstop_unlabeled_process($1_t)
+ kernel_signull_unlabeled_process($1_t)
+ kernel_sigchld_unlabeled_process($1_t)
+
+ corenetwork_bind_tcp_on_general_port($1_t)
+
+ devices_get_generic_block_device_attributes($1_t)
+ devices_get_generic_character_device_attributes($1_t)
+ devices_get_all_block_device_attributes($1_t)
+ devices_get_all_character_device_attributes($1_t)
+
+ filesystem_get_all_filesystems_attributes($1_t)
+ filesystem_set_all_filesystems_quotas($1_t)
+
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+
+ terminal_use_console($1_t)
+ terminal_use_general_physical_terminal($1_t)
+ terminal_use_all_private_pseudoterminals($1_t)
+ terminal_use_all_private_physical_terminals($1_t)
+
+ # Manage almost all files
+ authlogin_manage_all_files_except_shadow($1_t)
+ # Relabel almost all files
+ authlogin_relabel_all_files_except_shadow($1_t)
+
+ domain_set_all_domains_priorities($1_t)
+ domain_read_all_domains_process_state($1_t)
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+ domain_signal_all_domains($1_t)
+ domain_signull_all_domains($1_t)
+ domain_sigstop_all_domains($1_t)
+ domain_sigstop_all_domains($1_t)
+ domain_sigchld_all_domains($1_t)
+
+ files_execute_system_source_code_scripts($1_t)
+
+ init_use_control_channel($1_t)
+
+ logging_send_system_log_message($1_t)
+
+ modutils_insmod_transition($1_t)
+
+ selinux_read_config($1_t)
+ # The following rule is temporary until such time that a complete
+ # policy management infrastructure is in place so that an administrator
+ # cannot directly manipulate policy files with arbitrary programs.
+ selinux_manage_source_policy($1_t)
+ # Violates the goal of limiting write access to checkpolicy.
+ # But presently necessary for installing the file_contexts file.
+ selinux_manage_binary_policy($1_t)
+
+ optional_policy(`cron.te',`
+ cron_admin_template($1)
+ ')
+
+ ifdef(`TODO',`
+
+ # Let admin stat the shadow file.
+ allow $1_t shadow_t:file getattr;
+
+ # for lsof
+ allow $1_t mtrr_device_t:file getattr;
+
+ allow $1_t serial_device:chr_file setattr;
+
+ # allow setting up tunnels
+ allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+
+ allow $1_t ptyfile:chr_file getattr;
+
+ # Run programs from staff home directories.
+ # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+ can_exec($1_t, staff_home_t)
+
+ # Run admin programs that require different permissions in their own domain.
+ # These rules were moved into the appropriate program domain file.
+
+ ifdef(`startx.te', `
+ ifdef(`xserver.te', `
+ # Create files in /tmp/.X11-unix with our X servers derived
+ # tmp type rather than user_xserver_tmp_t.
+ file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+ ')
+ ')
+
+ ifdef(`xdm.te', `
+ ifdef(`xauth.te', `
+ if (xdm_sysadm_login) {
+ allow xdm_t $1_home_t:lnk_file read;
+ allow xdm_t $1_home_t:dir search;
+ }
+ allow $1_t xdm_t:fifo_file rw_file_perms;
+ ')
+ ')
+
+ #
+ # A user who is authorized for sysadm_t may nonetheless have
+ # a home directory labeled with user_home_t if the user is expected
+ # to login in either user_t or sysadm_t. Hence, the derived domains
+ # for programs need to be able to access user_home_t.
+ #
-##############################
-#
-# Declarations
-#
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
-typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
-kernel_make_object_identity_change_constraint_exception($1_t)
-role system_r types $1_t;
-
-#ifdef(`direct_sysadm_daemon', `, priv_system_role')
-#; dnl end of sysadm_t type declaration
-
-typeattribute $1_devpts_t admin_terminal;
-
-typeattribute $1_tty_device_t admin_terminal;
-
-##############################
-#
-# $1_t local policy
-#
-
-allow $1_t self:capability ~sys_module;
-allow $1_t self:process { setexec setfscreate };
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other users crontab.
-allow $1_t self:passwd crontab;
-
-# for the administrator to run TCP servers directly
-allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
-
-allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
-
-allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
-
-kernel_read_system_state($1_t)
-kernel_read_network_state($1_t)
-kernel_read_software_raid_state($1_t)
-kernel_get_core_interface_attributes($1_t)
-kernel_get_message_interface_attributes($1_t)
-kernel_change_ring_buffer_level($1_t)
-kernel_clear_ring_buffer($1_t)
-kernel_read_ring_buffer($1_t)
-kernel_get_sysvipc_info($1_t)
-kernel_modify_all_sysctl($1_t)
-kernel_set_selinux_enforcement_mode($1_t)
-kernel_set_selinux_boolean($1_t)
-kernel_set_selinux_security_parameters($1_t)
-# Get security policy decisions:
-kernel_get_selinuxfs_mount_point($1_t)
-kernel_validate_selinux_context($1_t)
-kernel_compute_selinux_access_vector($1_t)
-kernel_compute_selinux_create_context($1_t)
-kernel_compute_selinux_relabel_context($1_t)
-kernel_compute_selinux_reachable_user_contexts($1_t)
-# signal unlabeled processes:
-kernel_kill_unlabeled_process($1_t)
-kernel_signal_unlabeled_process($1_t)
-kernel_sigstop_unlabeled_process($1_t)
-kernel_signull_unlabeled_process($1_t)
-kernel_sigchld_unlabeled_process($1_t)
-
-corenetwork_bind_tcp_on_general_port($1_t)
-
-devices_get_generic_block_device_attributes($1_t)
-devices_get_generic_character_device_attributes($1_t)
-devices_get_all_block_device_attributes($1_t)
-devices_get_all_character_device_attributes($1_t)
-
-filesystem_get_all_filesystems_attributes($1_t)
-filesystem_set_all_filesystems_quotas($1_t)
-
-storage_raw_read_removable_device($1_t)
-storage_raw_write_removable_device($1_t)
-
-terminal_use_console($1_t)
-terminal_use_general_physical_terminal($1_t)
-terminal_use_all_private_pseudoterminals($1_t)
-terminal_use_all_private_physical_terminals($1_t)
-
-# Manage almost all files
-authlogin_manage_all_files_except_shadow($1_t)
-# Relabel almost all files
-authlogin_relabel_all_files_except_shadow($1_t)
-
-domain_set_all_domains_priorities($1_t)
-domain_read_all_domains_process_state($1_t)
-# signal all domains:
-domain_kill_all_domains($1_t)
-domain_signal_all_domains($1_t)
-domain_signull_all_domains($1_t)
-domain_sigstop_all_domains($1_t)
-domain_sigstop_all_domains($1_t)
-domain_sigchld_all_domains($1_t)
-
-files_execute_system_source_code_scripts($1_t)
-
-init_use_control_channel($1_t)
-
-logging_send_system_log_message($1_t)
-
-modutils_insmod_transition($1_t)
-
-selinux_read_config($1_t)
-# The following rule is temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-selinux_manage_source_policy($1_t)
-# Violates the goal of limiting write access to checkpolicy.
-# But presently necessary for installing the file_contexts file.
-selinux_manage_binary_policy($1_t)
-
-optional_policy(`cron.te',`
-cron_admin_template($1)
-')
-
-ifdef(`TODO',`
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-
-allow $1_t serial_device:chr_file setattr;
+ # Allow our gph domain to write to .xsession-errors.
+ ifdef(`gnome-pty-helper.te', `
+ allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+ allow $1_gph_t user_home_type:file create_file_perms;
+ ')
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+ # for the administrator to run TCP servers directly
+ allow $1_t kernel_t:tcp_socket recvfrom;
-allow $1_t ptyfile:chr_file getattr;
+ # Connect data port to ftpd.
+ ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
+ # Connect second port to rshd.
+ ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+ # Allow MAKEDEV to work
+ allow $1_t device_t:dir rw_dir_perms;
+ allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+ allow $1_t device_t:lnk_file { create read };
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-allow $1_t xdm_t:fifo_file rw_file_perms;
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t. Hence, the derived domains
-# for programs need to be able to access user_home_t.
-# - -# Allow our gph domain to write to .xsession-errors. -ifdef(`gnome-pty-helper.te', ` -allow $1_gph_t user_home_dir_type:dir rw_dir_perms; -allow $1_gph_t user_home_type:file create_file_perms; -') - -# for the administrator to run TCP servers directly -allow $1_t kernel_t:tcp_socket recvfrom; - -# Connect data port to ftpd. -ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') - -# Connect second port to rshd. -ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') - -# Allow MAKEDEV to work -allow $1_t device_t:dir rw_dir_perms; -allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; -allow $1_t device_t:lnk_file { create read }; - -# for lsof -allow $1_t domain:socket_class_set getattr; -allow $1_t eventpollfs_t:file getattr; -') dnl endif TODO + # for lsof + allow $1_t domain:socket_class_set getattr; + allow $1_t eventpollfs_t:file getattr; + ') dnl endif TODO ') ######################################## @@ -822,12 +820,12 @@ allow $1_t eventpollfs_t:file getattr; ## # define(`userdomain_all_users_explicit_transition',` -requires_block_template(`$0'_depend) -corecommands_shell_explicit_transition($1,userdomain) + requires_block_template(`$0'_depend) + corecommands_shell_explicit_transition($1,userdomain) ') define(`userdomain_all_users_explicit_transition_depend',` -type sysadm_t; + type sysadm_t; ') ######################################## @@ -842,12 +840,13 @@ type sysadm_t; ## # define(`userdomain_sysadm_shell_transition',` -requires_block_template(`$0'_depend) -corecommands_shell_transition($1,sysadm_t) + requires_block_template(`$0'_depend) + + corecommands_shell_transition($1,sysadm_t) ') define(`userdomain_sysadm_shell_transition_depend',` -type sysadm_t; + type sysadm_t; ') ######################################## 
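Review bot: `domain_sigstop_all_domains($1_t)` is listed twice, back to back, in the "signal all domains" run of admin_domain_template; the duplicate predates this commit, but the re-indented new side carries it forward, and a reader cannot tell whether the second line is a stray copy or stands in for an interface that was meant (kill, signal, signull and sigchld each appear once around it). I would delete the second `domain_sigstop_all_domains($1_t)`, or substitute the interface actually intended, so the list reads as one call per signal. The comment pair `# Run admin programs that require different permissions in their own domain.` / `# These rules were moved into the appropriate program domain file.` inside the TODO section now heads no code at all and could go with the rules it once described. The enclosing define closes with `')` inside this hunk, so both changes are local to it.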
@@ -863,15 +862,17 @@ type sysadm_t; ## # define(`userdomain_use_admin_terminals',` -requires_block_template(`$0'_depend) -devices_list_device_nodes($1) -terminal_list_pseudoterminals($1) -allow $1 admin_terminal:chr_file { getattr read write ioctl }; + requires_block_template(`$0'_depend) + + devices_list_device_nodes($1) + terminal_list_pseudoterminals($1) + allow $1 admin_terminal:chr_file { getattr read write ioctl }; ') define(`userdomain_use_admin_terminals_depend',` -attribute admin_terminal; -class chr_file { getattr read write ioctl }; + attribute admin_terminal; + + class chr_file { getattr read write ioctl }; ') ######################################## @@ -886,14 +887,16 @@ class chr_file { getattr read write ioctl }; ## # define(`userdomain_search_all_users_home_dirs',` -requires_block_template(`$0'_depend) -files_list_home_directories($1) -allow $1 { home_dir_type home_type }:dir search; + requires_block_template(`$0'_depend) + + files_list_home_directories($1) + allow $1 { home_dir_type home_type }:dir search; ') define(`userdomain_search_all_users_home_dirs_depend',` -attribute home_dir_type, home_type; -class dir search; + attribute home_dir_type, home_type; + + class dir search; ') ######################################## @@ -908,16 +911,18 @@ class dir search; ## # define(`userdomain_read_all_users_data',` -requires_block_template(`$0'_depend) -files_list_home_directories($1) -allow $1 home_type:dir { getattr search read }; -allow $1 home_type:file { getattr read }; + requires_block_template(`$0'_depend) + + files_list_home_directories($1) + allow $1 home_type:dir { getattr search read }; + allow $1 home_type:file { getattr read }; ') define(`userdomain_read_all_users_data_depend',` -attribute home_type; -class dir { getattr search read }; -class file { getattr read }; + attribute home_type; + + class dir { getattr search read }; + class file { getattr read }; ') ######################################## 
@@ -932,13 +937,15 @@ class file { getattr read }; ## # define(`userdomain_use_all_users_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 userdomain:fd use; + requires_block_template(`$0'_depend) + + allow $1 userdomain:fd use; ') define(`userdomain_use_all_users_file_descriptors_depend',` -attribute userdomain; -class fd use; + attribute userdomain; + + class fd use; ') ######################################## @@ -953,13 +960,15 @@ class fd use; ## # define(`userdomain_signal_all_userdomains',` -requires_block_template(`$0'_depend) -allow $1 userdomain:process signal; + requires_block_template(`$0'_depend) + + allow $1 userdomain:process signal; ') define(`userdomain_signal_all_userdomains_depend',` -attribute userdomain; -class process signal; + attribute userdomain; + + class process signal; ') ######################################## @@ -974,13 +983,15 @@ class process signal; ## # define(`userdomain_use_all_unprivileged_users_file_descriptors',` -requires_block_template(`$0'_depend) -allow $1 unpriv_userdomain:fd use; + requires_block_template(`$0'_depend) + + allow $1 unpriv_userdomain:fd use; ') define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` -attribute unpriv_userdomain; -class fd use; + attribute unpriv_userdomain; + + class fd use; ') ######################################## @@ -996,13 +1007,15 @@ class fd use; ## # define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',` -requires_block_template(`$0'_depend) -dontaudit $1 unpriv_userdomain:fd use; + requires_block_template(`$0'_depend) + + dontaudit $1 unpriv_userdomain:fd use; ') define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',` -attribute unpriv_userdomain; -class fd use; + attribute unpriv_userdomain; + + class fd use; ') ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 52b9c73..9aae29c 100644 --- a/refpolicy/policy/modules/system/userdomain.te 
+++ b/refpolicy/policy/modules/system/userdomain.te @@ -85,11 +85,11 @@ user_domain_template(user) # user role change rules: define(`role_change',` -allow $1_r $2_r; -type_change $2_t $1_devpts_t:chr_file $2_devpts_t; -type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; -# avoid annoying messages on terminal hangup -dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; + allow $1_r $2_r; + type_change $2_t $1_devpts_t:chr_file $2_devpts_t; + type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; + # avoid annoying messages on terminal hangup + dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; ') # sysadm_r can change to user roles @@ -100,7 +100,7 @@ role_change(sysadm, staff) role_change(staff, sysadm) tunable_policy(`user_canbe_sysadm',` -role_change(user,sysadm) + role_change(user,sysadm) ') ifdef(`TODO',` 
@@ -119,58 +119,58 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 allow sysadm_t userdomain:fd use;
 
 optional_policy(`bootloader.te',`
-bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`clock.te',`
-clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`hostname.te',`
-hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`iptables.te',`
-iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`libraries.te',`
-libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`lvm.te',`
-lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`modutils.te',`
-modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`mount.te',`
-mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`rpm.te',`
-rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`selinux.te',`
-selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-optional_policy(`targeted_policy',`',`
-selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-')
+ selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ optional_policy(`targeted_policy',`',`
+ selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ ')
 ')
 
 optional_policy(`sysnetwork.te',`
-sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`usermanage.te',`
-usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
-usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
