[selinux-policy: 638/3172] add first part of changes to make base module compilable
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:59:47 UTC 2010
commit 2e863f8ad083ad8f9a504df84b63f9e4fc9e44c9
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Sep 9 20:51:54 2005 +0000
add first part of changes to make base module compilable
refpolicy/policy/constraints | 52 +++------
refpolicy/policy/modules/services/cron.if | 5 +-
refpolicy/policy/modules/services/cron.te | 1 +
refpolicy/policy/modules/services/ssh.if | 1 +
refpolicy/policy/modules/system/domain.if | 149 ++++++++++++++++++++++---
refpolicy/policy/modules/system/domain.te | 52 +++++++--
refpolicy/policy/modules/system/userdomain.if | 1 +
7 files changed, 198 insertions(+), 63 deletions(-)
---
diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
index be9b34d..101441e 100644
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@@ -1,9 +1,5 @@
#
-# Define m4 macros for the constraints
-#
-
-#
# Define the constraints
#
# constrain class_set perm_set expression ;
@@ -33,29 +29,20 @@
# SELinux process identity change constraint:
#
constrain process transition
- ( u1 == u2 or
+ ( u1 == u2
ifdef(`targeted_policy',`
- t1 == can_change_process_identity
+ or t1 == can_change_process_identity
',`
- ( t1 == can_change_process_identity and t2 == userdomain )
- ifdef(`crond.te',`
- or (
- t1 == crond_t
- and (
- t2 == user_crond_domain
- or u2 == system_u
- )
- )
- ')
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == cron_source_domain
+ and ( t2 == cron_job_domain or u2 == system_u )
+ )
+
+ or (t1 == process_uncond_exempt)
- ifdef(`TODO',`
- or (t1 == priv_system_role and u2 == system_u )
- ') dnl end TODO
+ or (t1 == can_system_change and u2 == system_u )
')
);
@@ -63,19 +50,16 @@ ifdef(`targeted_policy',`
# SELinux process role change constraint:
#
constrain process transition
- ( r1 == r2 or
+ ( r1 == r2
+
ifdef(`targeted_policy',`
- t1 == can_change_process_role
+ or t1 == can_change_process_role
',`
- ( t1 == can_change_process_role and t2 == userdomain )
+ or ( t1 == can_change_process_role and t2 == process_user_target )
- ifdef(`crond.te',`
- or (t1 == crond_t and t2 == user_crond_domain)
- ')
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == process_uncond_exempt )
ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',`
@@ -87,9 +71,7 @@ ifdef(`targeted_policy',`
')
')
- ifdef(`TODO',`
- or (t1 == priv_system_role and r2 == system_r )
- ') dnl end TODO
+ or (t1 == can_system_change and r2 == system_r )
')
);
@@ -97,7 +79,7 @@ ifdef(`targeted_policy',`
# SELinux dynamic transition constraint:
#
constrain process dyntransition
- ( u1 == u2 and r1 == r2);
+ ( u1 == u2 and r1 == r2 );
#
# SElinux object identity change constraint:
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e418325..44fd2c1 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -33,8 +33,9 @@ template(`cron_per_userdomain_template',`
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
- type $1_crond_t; # user_crond_domain;
- domain_type($1_crond_t);
+ type $1_crond_t;
+ domain_type($1_crond_t)
+ domain_cron_exemption_target($1_crond_t)
corecmd_shell_entry_type($1_crond_t)
role $3 types $1_crond_t;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f93be50..d18945d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -17,6 +17,7 @@ type crond_t; #, privmail
type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t)
+domain_cron_exemption_source(crond_t)
type crond_log_t;
logging_log_file(crond_log_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 4489fdc..b18be62 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -389,6 +389,7 @@ template(`ssh_per_userdomain_template',`
#
template(`ssh_server_template', `
type $1_t, ssh_server;
+ domain_type($1_t)
role system_r types $1_t;
type $1_devpts_t;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 7aab5d0..45bb6e8 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -4,8 +4,22 @@
## </required>
########################################
-#
-# domain_base_domain_type(domain)
+## <summary>
+## Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a basic domain.
+## </p>
+## <p>
+## This is primarily used for kernel threads;
+## generally the domain_type() interface is
+## more appropriate for userland processes.
+## </p>
+## </desc>
+## <param name="type">
+## Type to be used as a basic domain type.
+## </param>
#
interface(`domain_base_type',`
gen_require(`
@@ -26,19 +40,15 @@ interface(`domain_base_type',`
# allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld };
-
- # Files with domain types are currently only proc files
- # self is excepted since domains and files can have
- # the same type in SEFramework
- # cjp: perhaps this should be a conditional exception,
- # so it is excepted only on SEFramework policies
- neverallow $1 { domain -$1 }:dir ~r_dir_perms;
- neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
')
########################################
-#
-# domain_type(domain)
+## <summary>
+## Make the specified type usable as a domain.
+## </summary>
+## <param name="type">
+## Type to be used as a domain type.
+## </param>
#
interface(`domain_type',`
# start with basic domain
@@ -69,8 +79,17 @@ interface(`domain_type',`
')
########################################
-#
-# domain_entry_file(domain,entrypointfile)
+## <summary>
+## Make the specified type usable as
+## an entry point for the domain.
+## </summary>
+## <param name="domain">
+## Domain to be entered.
+## </param>
+## <param name="type">
+## Type of program used for entering
+## the domain.
+## </param>
#
interface(`domain_entry_file',`
gen_require(`
@@ -79,7 +98,10 @@ interface(`domain_entry_file',`
')
files_type($2)
+
allow $1 $2:file entrypoint;
+ allow $1 $2:file rx_file_perms;
+
typeattribute $2 entry_type;
')
@@ -159,6 +181,105 @@ interface(`domain_obj_id_change_exempt',`
')
########################################
+## <summary>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the user domains from the base module.
+## It should not be used other than on
+## user domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_user_exemption_target',`
+ gen_require(`
+ attribute process_user_target;
+ ')
+
+ typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## cron domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+ gen_require(`
+ attribute cron_source_domain;
+ ')
+
+ typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## user cron jobs.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+ gen_require(`
+ attribute cron_job_domain;
+ ')
+
+ typeattribute $1 cron_job_domain;
+')
+
+########################################
#
# domain_use_wide_inherit_fd(domain)
#
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 2878652..efd8a4b 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -9,30 +9,58 @@ policy_module(domain,1.0)
# Mark process types as domains
attribute domain;
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
+#
# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
attribute can_change_object_identity;
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
-# enabling setcurrent breaks process tranquility. If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt; # add userhelperdomain to this one
# TODO:
# cjp: also need to except correctly for SEFramework
-#neverallow { domain unlabeled_t } file_type:process *;
-#neverallow ~{ domain unlabeled_t } *:process *;
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3fa926c..375092f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -29,6 +29,7 @@ template(`base_user_template',`
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
+ domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;
More information about the scm-commits
mailing list