[selinux-policy: 45/3172] move modules_object_t back to bootloader
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:08:50 UTC 2010
commit 5f75f56066eedcde0a0efcc062e7e51252724bda
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Apr 25 21:32:09 2005 +0000
move modules_object_t back to bootloader
refpolicy/policy/modules/kernel/bootloader.if | 66 +++++++++++++++++++++++++
refpolicy/policy/modules/kernel/bootloader.te | 40 ++++++++++-----
refpolicy/policy/modules/system/modutils.if | 38 +-------------
refpolicy/policy/modules/system/modutils.te | 26 ++--------
4 files changed, 103 insertions(+), 67 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 68be1e9..d0ee49c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -144,3 +144,69 @@ type boot_t, boot_runtime_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink };
')
+
+########################################
+#
+# bootloader_list_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_list_kernel_modules',`
+requires_block_template(bootloader_list_kernel_modules_depend,$2)
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`bootloader_list_kernel_modules_depend',`
+type modules_object_t;
+class dir { getattr search read };
+')
+
+########################################
+#
+# bootloader_read_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_read_kernel_modules',`
+requires_block_template(bootloader_read_kernel_modules_depend,$2)
+allow $1 modules_object_t:dir { getattr search read };
+allow $1 modules_object_t:{ lnk_file file } { getattr read };
+')
+
+define(`bootloader_read_kernel_modules_depend',`
+type modules_object_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# bootloader_modify_kernel_modules(domain,[`optional'])
+#
+define(`bootloader_modify_kernel_modules',`
+requires_block_template(bootloader_modify_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr create read write setattr unlink };
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+')
+
+define(`bootloader_modify_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr create read write setattr unlink };
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional'])
+#
+define(`bootloader_create_private_module_dir_entry',`
+requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 modules_object_t:file $2;
+',`
+type_transition $1 modules_object_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`bootloader_create_private_module_dir_entry_depend',`
+type modules_object_t;
+class dir { getattr search read write add_name remove_name };
+')
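Review bot: `bootloader_create_private_module_dir_entry` passes `$2` — the private type, per its own header comment — as the flag argument of `requires_block_template`, while the three other macros in this hunk pass their optional flag there; the documented optional slot for this macro is the fourth parameter, so the line should read `requires_block_template(bootloader_create_private_module_dir_entry_depend,$4)`. As written a caller's `optional` flag is ignored and the private type name is handed to requires_block_template instead; whether that template tolerates an arbitrary value there I cannot tell from this page. Separately, `bootloader_modify_kernel_modules` grants `create write` on `modules_object_t:file`, which the `neverallow ~can_modify_kernel_modules` assertion in bootloader.te rejects for any domain outside that attribute, yet the macro neither adds the caller to the attribute nor mentions it; a header line such as `# Caller must also be in attribute can_modify_kernel_modules, or the neverallow in bootloader.te fails the policy build.` would save the next user a failed compile.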
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 68b9ab8..cebff46 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,10 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
-type bootloader_t;
-domain_make_domain(bootloader_t)
-
-type bootloader_exec_t;
-domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+attribute can_modify_kernel_modules;
#
# boot_t is the type for files in /boot
@@ -12,9 +8,20 @@ domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
type boot_t;
files_make_file(boot_t)
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
type boot_runtime_t;
files_make_file(boot_runtime_t)
+type bootloader_t;
+domain_make_domain(bootloader_t)
+
+type bootloader_exec_t;
+domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
@@ -23,12 +30,6 @@ type bootloader_etc_t alias etc_bootloader_t;
files_make_file(bootloader_etc_t)
#
-# system_map_t is for the system.map files in /boot
-#
-type system_map_t;
-files_make_file(system_map_t)
-
-#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
@@ -36,6 +37,19 @@ type bootloader_tmp_t;
files_make_file(bootloader_tmp_t)
devices_make_device_node(bootloader_tmp_t)
+# kernel modules
+type modules_object_t;
+files_make_file(modules_object_t)
+
+neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
+
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_make_file(system_map_t)
+
+
########################################
#
# bootloader local policy
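Review bot: The `neverallow ~can_modify_kernel_modules modules_object_t:file { create append write }` assertion carries no comment, and the attribute it keys on is declared at the top of this file in the first hunk with none either; a line above it like `# Only domains in can_modify_kernel_modules may change module file contents; any other allow is rejected at build time.` would explain why the attribute exists. The assertion covers only content-changing permissions: `setattr` and `unlink` on `modules_object_t:file`, both of which `bootloader_modify_kernel_modules` in bootloader.if grants, and `rename` stay outside it, so a domain holding those can remove a module file without tripping the assertion; if the intent is to pin module integrity, consider widening it to `{ create append write setattr unlink rename }` or stating why only writes are asserted. Nothing in this commit adds any domain to the attribute, which is fine if it is populated elsewhere, but worth a comment saying where.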
@@ -92,6 +106,9 @@ devices_ignore_modify_generic_devices(bootloader_t)
# mkinitrd policy
#
+allow bootloader_t modules_object_t:dir { getattr search read };
+allow bootloader_t modules_object_t:file { getattr read };
+
files_read_general_system_resources(bootloader_t)
bootloader_install_initrd(bootloader_t)
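Review bot: The two added rules give bootloader_t `getattr read` on `modules_object_t` `dir` and `file` only, but the `modutils_read_kernel_modules(bootloader_t)` call they replace, removed in the next hunk of this file, also granted `{ lnk_file file } { getattr read }` as the macro body deleted from modutils.if shows; symlink reads under the modules tree are silently dropped for the mkinitrd path. Restore the parity with `allow bootloader_t modules_object_t:{ lnk_file file } { getattr read };`, which matches what `bootloader_read_kernel_modules` now grants to every other reader.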
@@ -104,7 +121,6 @@ corecommands_execute_shell(bootloader_t)
selinux_read_binary_policy(bootloader_t)
selinux_read_load_policy_binary(bootloader_t)
-modutils_read_kernel_modules(bootloader_t)
modutils_read_kernel_module_dependencies(bootloader_t)
modutils_read_kernel_module_loading_config(bootloader_t)
modutils_insmod_execute(bootloader_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index cb2d021..05b9501 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -2,35 +2,19 @@
########################################
#
-# modutils_read_kernel_modules(domain,[`optional'])
-#
-define(`modutils_read_kernel_modules',`
-requires_block_template(modutils_read_kernel_modules_depend,$2)
-allow $1 modules_object_t:dir { getattr search read };
-allow $1 modules_object_t:{ lnk_file file } { getattr read };
-')
-
-define(`modutils_read_kernel_modules_depend',`
-type modules_object_t;
-class dir { getattr search read };
-class lnk_file { getattr read };
-class file { getattr read };
-')
-
-########################################
-#
# modutils_read_kernel_module_dependencies(domain,[`optional'])
#
define(`modutils_read_kernel_module_dependencies',`
requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
+bootloader_list_kernel_modules($1,optional)
allow $1 modules_dep_t:file { getattr read };
-allow $1 modules_object_t:dir { getattr search read };
')
define(`modutils_read_kernel_module_dependencies_depend',`
-type modules_object_t, modules_dep_t;
+type modules_dep_t;
class file { getattr create read write setattr unlink };
class dir { search read write add_name remove_name };
+bootloader_list_kernel_modules_depend
')
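Review bot: The depend block of `modutils_read_kernel_module_dependencies` still declares `class dir { search read write add_name remove_name }` and `class file { getattr create read write setattr unlink }`, although the only `dir` rule in the body is removed in this hunk and the remaining body rule needs just `file { getattr read }`; the `dir` access is now declared by the appended `bootloader_list_kernel_modules_depend`. Trimming the block to `type modules_dep_t;` and `class file { getattr read };` plus the bootloader depend keeps the declared requirement honest and avoids a doubled `class dir` declaration, whose effect inside the require block I cannot confirm from here. Passing the literal `optional` to `bootloader_list_kernel_modules` instead of `$2` looks deliberate because the depend is pulled in at the end of the block, but a one-line comment saying so would stop the next reader from "fixing" it.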
########################################
@@ -49,22 +33,6 @@ class file { getattr create read write setattr unlink };
########################################
#
-# modutils_modify_kernel_modules(domain,[`optional'])
-#
-define(`modutils_modify_kernel_modules',`
-requires_block_template(modutils_modify_kernel_modules_depend,$2)
-allow $1 modules_object_t:file { getattr create read write setattr unlink };
-allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
-')
-
-define(`modutils_modify_kernel_modules_depend',`
-type modules_object_t;
-class file { getattr create read write setattr unlink };
-class dir { getattr search read write add_name remove_name };
-')
-
-########################################
-#
# modutils_insmod_transition(domain,[`optional'])
#
define(`modutils_insmod_transition',`
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 65c72cd..e6216db 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,12 +1,5 @@
# Copyright (C) 2005 Tresys Technology, LLC
-attribute can_modify_kernel_modules;
-neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
-
-# kernel modules
-type modules_object_t;
-files_make_file(modules_object_t)
-
# module loading config
type modules_conf_t;
files_make_file(modules_conf_t)
@@ -49,10 +42,6 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
# Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-# read modules
-allow insmod_t modules_object_t:dir { getattr search read };
-allow insmod_t modules_object_t:file { getattr read };
-
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
@@ -68,6 +57,8 @@ kernel_read_kernel_sysctl(insmod_t)
kernel_modify_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctl(insmod_t)
+bootloader_read_kernel_modules(insmod_t)
+
terminal_use_controlling_terminal(insmod_t)
devices_write_mtrr(insmod_t)
@@ -160,22 +151,18 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
# Read conf.modules.
allow depmod_t modules_conf_t:file { getattr read };
-# Read module objects.
-allow depmod_t modules_object_t:dir { getattr search read };
-allow depmod_t modules_object_t:{ file lnk_file } { getattr read };
-
-# Create modules.dep.
-allow depmod_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition depmod_t modules_object_t:file modules_dep_t;
kernel_read_system_state(depmod_t)
+bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
+
filesystem_get_persistent_filesystem_attributes(depmod_t)
terminal_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
+bootloader_read_kernel_modules(depmod_t)
files_read_runtime_system_config(depmod_t)
files_read_general_system_config(depmod_t)
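Review bot: `bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)` grants `{ getattr search read write add_name remove_name }` on the `modules_object_t` directory, but the rule it replaces (removed just above) also granted `lock ioctl`; if depmod takes a directory lock or issues an ioctl on it, that is now denied, so the change should either note that those permissions were never exercised or keep `allow depmod_t modules_object_t:dir { lock ioctl };`. The same narrowing happens for update_modules_t in the last hunk of this file, where `bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)` replaces a rule that included `lock ioctl`. The `# Create modules.dep.` comment removed here should also survive above the interface call, since the type_transition it explained is now hidden inside the macro.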
@@ -218,9 +205,8 @@ allow update_modules_t modules_dep_t:file { getattr read write };
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
-allow update_modules_t modules_object_t:dir { read getattr lock search ioctl add_name remove_name write };
+bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition update_modules_t modules_object_t:file modules_conf_t;
allow update_modules_t depmod_exec_t:file { getattr read execute };
type_transition update_modules_t depmod_exec_t:process depmod_t;