[selinux-policy: 639/3172] fixes to make base module compilable

Thu Oct 7 19:59:52 UTC 2010

commit 712566ee417a556477ea71b520b3299f2a00ceeb
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 12 15:17:39 2005 +0000

    fixes to make base module compilable

 refpolicy/Makefile                             |    4 +-
 refpolicy/Rules.modular                        |    5 +-
 refpolicy/Rules.monolithic                     |    4 +-
 refpolicy/policy/modules/kernel/kernel.if      |  229 +++++++++++++++++++++++-
 refpolicy/policy/modules/kernel/kernel.te      |   21 +--
 refpolicy/policy/modules/services/portmap.te   |    1 +
 refpolicy/policy/modules/system/hotplug.te     |    3 +-
 refpolicy/policy/modules/system/init.te        |    6 +
 refpolicy/policy/modules/system/libraries.te   |    3 +
 refpolicy/policy/modules/system/logging.te     |    1 +
 refpolicy/policy/modules/system/selinuxutil.te |    4 +
 refpolicy/policy/support/misc_macros.spt       |    8 +
 refpolicy/policy/systemuser                    |   22 +++
 refpolicy/policy/users                         |   13 +--
 14 files changed, 285 insertions(+), 39 deletions(-)
---

diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 35a5b3b..1350fa5 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -156,7 +156,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/users 
+USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
 
 ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
 
@@ -178,6 +178,8 @@ MODMOD := module
 BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
 MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
 
+HOMEDIR_TEMPLATE = tmp/homedir_template
+
 ########################################
 #
 # Load appropriate rules
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index a8eef96..6c70f1f 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -13,7 +13,7 @@ BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_in
 
 BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
 BASE_TE_FILES := $(BASE_MODS)
-BASE_POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
 BASE_FC_FILES := $(BASE_MODS:.te=.fc)
 
 MOD_MODULES := $(MOD_MODS:.te=.mod)
@@ -118,7 +118,7 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 #
 # Construct base module file contexts
 #
-$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
+$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
 ifeq ($(BASE_FC_FILES),)
 	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
 endif
@@ -150,5 +150,6 @@ clean:
 	rm -fR tmp
 	rm -f base.conf
 	rm -f *.pp
+	rm -f $(BASE_FC)
 
 .PHONY: default base modules clean
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 0833fa3..1d5c6cb 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -19,12 +19,10 @@ ALL_TE_FILES := $(ALL_MODULES)
 ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
 
 PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
 
 POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
 
-HOMEDIR_TEMPLATE = tmp/homedir_template
-
 ########################################
 #
 # default action: build policy locally
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 90eb00a..41dec5e 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -569,7 +569,7 @@ interface(`kernel_dontaudit_search_network_state',`
 		class dir search;
 	')
 
-	allow $1 proc_net_t:dir search;
+	dontaudit $1 proc_net_t:dir search;
 ')
 
 ########################################
@@ -1306,3 +1306,230 @@ interface(`kernel_unconfined',`
 
 	kernel_rw_all_sysctl($1)
 ')
+
+################################################################################
+#
+# Reversed interfaces
+#
+# The following are reversed interfaces, meaning the point of view of the caller
+# of the interface is the object (target) type, rather than the subject (source)
+# type, like all other interfaces in the policy.  These interfaces are here to
+# decouple policy from the base module, and should not be used anywhere else.
+#
+################################################################################
+
+########################################
+## <summary>
+##	Allow the kernel to send a SIGCHLD
+##	signal to the specified domain.
+## </summary>
+## <param name="domain">
+##	Domain receiving the SIGCHLD.
+## </param>
+#
+interface(`kernel_sigchld_from',`
+	gen_require(`
+		type kernel_t;
+		class process sigchld;
+	')
+
+	allow kernel_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow unlabeled processes to send a SIGCHLD
+##	signal to the specified domain.
+## </summary>
+## <param name="domain">
+##	Domain receiving the SIGCHLD.
+## </param>
+#
+interface(`kernel_sigchld_from_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+		class process sigchld;
+	')
+
+	allow unlabeled_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to search the
+##	specified directory.
+## </summary>
+## <param name="dir_type">
+##	Directory type to search.
+## </param>
+#
+interface(`kernel_search_from',`
+	gen_require(`
+		type kernel_t;
+		class dir search;
+	')
+
+	allow kernel_t $1:dir search;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to read the contents
+##	of the specified directory.
+## </summary>
+## <param name="dir_type">
+##	Directory type to list.
+## </param>
+#
+interface(`kernel_list_from',`
+	gen_require(`
+		type kernel_t;
+		class dir r_dir_perms;
+	')
+
+	allow kernel_t $1:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to read the
+##	specified file.
+## </summary>
+## <param name="dir_type">
+##	Directory type to list.
+## </param>
+#
+interface(`kernel_read_file_from',`
+	gen_require(`
+		type kernel_t;
+		class dir r_dir_perms;
+	')
+
+	allow kernel_t $1:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to search the
+##	specified directory.
+## </summary>
+## <param name="dir_type">
+##	Directory type to search.
+## </param>
+#
+interface(`kernel_search_from',`
+	gen_require(`
+		type kernel_t;
+		class dir search;
+	')
+
+	allow kernel_t $1:dir search;
+')
+
+########################################
+## <summary>
+##	Use the specified types for /lib directory
+##	and use the dynamic link/loader for automatic loading
+##	of shared libraries, and the link/loader
+##	cache.
+## </summary>
+## <param name="lib_type">
+##	The type of the lib directories.
+## </param>
+## <param name="ld_type">
+##	The type of the dynamic link/loader.
+## </param>
+## <param name="cache_type">
+##	The type of the dynamic link/loader cache.
+## </param>
+#
+interface(`kernel_use_ld_so_from',`
+	gen_require(`
+		type kernel_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file rx_file_perms;
+	')
+
+	files_list_etc(kernel_t)
+	allow kernel_t $1:dir r_dir_perms;
+	allow kernel_t $1:lnk_file r_file_perms;
+	allow kernel_t $2:lnk_file r_file_perms;
+	allow kernel_t $2:file rx_file_perms;
+	allow kernel_t $3:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to load and execute
+##	functions from the specified shared libraries.
+## </summary>
+## <param name="lib_dir_type">
+##	The type of the lib directories.
+## </param>
+## <param name="shlib_type">
+##	Shared library type.
+## </param>
+#
+interface(`kernel_use_shared_libs_from',`
+	gen_require(`
+		type kernel_t;
+		class lnk_file r_file_perms;
+		class file rx_dir_perms;
+	')
+
+	allow kernel_t $1:dir r_dir_perms;
+	allow kernel_t $1:lnk_file r_file_perms;
+	allow kernel_t $2:lnk_file r_file_perms;
+	allow kernel_t $2:file rx_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow the kernel to send a syslog
+##	message to the specified domain,
+##	connecting over the specified named
+##	socket.
+## </summary>
+## <param name="socket">
+##	The type of the named socket file.
+## </param>
+## <param name="syslog_type">
+##	The domain of the syslog daemon.
+## </param>
+#
+interface(`kernel_send_syslog_msg_from',`
+	gen_require(`
+		type syslogd_t, devlog_t;
+		class lnk_file read;
+		class sock_file rw_file_perms;
+		class unix_dgram_socket sendto;
+		class unix_stream_socket connectto;
+	')
+
+	allow kernel_t $1:lnk_file read;
+	allow kernel_t $1:sock_file rw_file_perms;
+
+	# the type of socket depends on the syslog daemon
+	allow kernel_t $2:unix_dgram_socket sendto;
+	allow kernel_t $2:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Allow the kernel to send UDP network traffic
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	The type of the receiving domain.
+## </param>
+#
+interface(`kernel_udp_sendfrom',`
+	gen_require(`
+		type portmap_t;
+		class udp_socket { sendto recvfrom };
+	')
+
+	allow kernel_t $1:udp_socket sendto;
+	allow $1 kernel_t:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 8fd5ae9..94f7780 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -10,6 +10,8 @@ policy_module(kernel,1.0)
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
 
+neverallow ~can_load_kernmodule self:capability sys_module;
+
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
 
@@ -190,32 +192,15 @@ corecmd_exec_bin(kernel_t)
 domain_signal_all_domains(kernel_t)
 
 files_list_root(kernel_t)
+files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
-init_sigchld(kernel_t)
-
-libs_use_ld_so(kernel_t)
-libs_use_shared_libs(kernel_t)
-
-logging_send_syslog_msg(kernel_t)
-
-seutil_read_config(kernel_t)
-seutil_read_binary_pol(kernel_t)
-
-neverallow ~can_load_kernmodule self:capability sys_module;
-
 ########################################
 #
 # Unlabeled process local policy
 #
 
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init.
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-init_sigchld(unlabeled_t)
-
 ifdef(`targeted_policy',`
 	allow unlabeled_t self:filesystem associate;
 ')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 5cc17e6..85c9c8c 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -44,6 +44,7 @@ files_create_pid(portmap_t,portmap_var_run_t)
 kernel_read_kernel_sysctl(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
+kernel_udp_sendfrom(portmap_t)
 
 corenet_tcp_sendrecv_all_if(portmap_t)
 corenet_udp_sendrecv_all_if(portmap_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 6a69a96..1beb5de 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -13,6 +13,7 @@ init_system_domain(hotplug_t,hotplug_exec_t)
 
 type hotplug_etc_t; #, usercanread;
 files_type(hotplug_etc_t)
+kernel_search_from(hotplug_etc_t)
 
 type hotplug_var_run_t;
 files_pid_file(hotplug_var_run_t)
@@ -184,8 +185,6 @@ optional_policy(`rhgb.te',`
 rhgb_domain(hotplug_t)
 ')
 
-allow kernel_t hotplug_etc_t:dir search;
-
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index fe82ecb..c44c2c4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -95,6 +95,12 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t)
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_sigchld_from(init_t)
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init.
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+kernel_sigchld_from_unlabeled(init_t)
 
 dev_read_sysfs(init_t)
 
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 5b83f34..d1a0700 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -38,6 +38,9 @@ files_type(shlib_t)
 type texrel_shlib_t;
 files_type(texrel_shlib_t)
 
+kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
+kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
+
 ########################################
 #
 # ldconfig local policy
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 1625b3d..3090e0a 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -190,6 +190,7 @@ files_create_pid(syslogd_t,syslogd_var_run_t)
 
 kernel_read_kernel_sysctl(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
+kernel_send_syslog_msg_from(devlog_t,syslogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 5e0db52..fb66048 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -52,6 +52,8 @@ domain_entry_file(newrole_t,newrole_exec_t)
 #
 type policy_config_t;
 files_type(policy_config_t)
+kernel_list_from(policy_config_t)
+kernel_read_file_from(policy_config_t)
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -81,6 +83,8 @@ domain_entry_file(run_init_t,run_init_exec_t)
 #
 type selinux_config_t;
 files_type(selinux_config_t)
+kernel_list_from(selinux_config_t)
+kernel_read_file_from(selinux_config_t)
 
 type setfiles_t, can_relabelto_binary_policy;
 domain_obj_id_change_exempt(setfiles_t)
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index 8b3b94c..60bb608 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -13,6 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
 
 ########################################
 #
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
+#
+define(`gen_user',`
+user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
+')
+
+########################################
+#
 # gen_con(context,sensitivity)
 #
 # Optionally put the sensitivity for the file
diff --git a/refpolicy/policy/systemuser b/refpolicy/policy/systemuser
new file mode 100644
index 0000000..ff30b50
--- /dev/null
+++ b/refpolicy/policy/systemuser
@@ -0,0 +1,22 @@
+##################################
+#
+# System User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
+#
+define(`gen_user',`
+user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
+')
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
+
+# Normal users should not be added to this file,
+# but instead added to the users file.
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index d477c41..517c9e3 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -5,19 +5,8 @@
 #
 
 #
-# gen_user(username, role_set, defaultlevel, range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
 #
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
 
 #
 # user_u is a generic user identity for Linux users who have no
