[selinux-policy: 678/3172] targeted and redhat cleanups
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:03:32 UTC 2010
commit 142e9f40ea4680effacab2bea2da1553b2845e36
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 21 14:49:41 2005 +0000
targeted and redhat cleanups
refpolicy/Changelog | 3 +
refpolicy/Makefile | 15 +-
refpolicy/policy/modules.conf.targeted_example | 493 -----------------------
refpolicy/policy/modules/admin/logrotate.te | 7 +-
refpolicy/policy/modules/admin/rpm.te | 9 +-
refpolicy/policy/modules/services/dbus.if | 17 +
refpolicy/policy/modules/services/dbus.te | 2 +-
refpolicy/policy/modules/services/sendmail.te | 3 +-
refpolicy/policy/modules/services/ssh.te | 4 +
refpolicy/policy/modules/system/corecommands.te | 6 -
refpolicy/policy/modules/system/files.if | 8 +-
refpolicy/policy/modules/system/unconfined.if | 20 +-
refpolicy/policy/modules/system/unconfined.te | 4 +-
refpolicy/policy/modules/system/userdomain.if | 11 +-
tools/regression.sh | 20 +-
15 files changed, 82 insertions(+), 540 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ff405e7..eb1fa16 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,6 @@
+- Make logrotate, sendmail, sshd, and rpm policies
+ unconfined in the targeted policy so no special
+ modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index e2bebb5..a03a9fd 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -27,7 +27,9 @@
#OUTPUT_POLICY = 18
# Policy Type
-# strict, targeted, strict-mls, targeted-mls
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
TYPE = strict
# Policy Name
@@ -45,6 +47,13 @@ NAME = refpolicy
# Fedora users should enable redhat.
#DISTRO = redhat
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=n
+
# Build monolithic policy. Putting n here
# will build a loadable module policy.
MONOLITHIC=y
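Review bot: The new `DIRECT_INITRC` comment has a typo (`requring`) and does not say why the option defaults to `n`. Since it lets sysadm start init scripts without going through run_init, I would fix the spelling and add one line such as `# Off by default: enabling it removes the run_init step for sysadm.` so that a packager flipping it to `y` knows it is a policy-strength decision and not a convenience switch.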
@@ -139,6 +148,10 @@ ifeq ($(NAME),)
NAME := $(TYPE)
endif
+ifeq ($(DIRECT_INITRC),y)
+ override M4PARAM += -D direct_sysadm_daemon
+endif
+
# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 5ddfe4b..b5bc065 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -6,9 +6,10 @@ policy_module(logrotate,1.0)
# Declarations
#
-type logrotate_t; #, priv_system_role
+type logrotate_t;
domain_type(logrotate_t)
domain_obj_id_change_exempt(logrotate_t)
+domain_system_change_exempt(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
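Review bot: `domain_system_change_exempt(logrotate_t)` is added outside any `ifdef`, so it applies to strict builds as well as targeted ones. The only hint at the reason was the trailing `#, priv_system_role` comment, which this hunk deletes. A short comment above the new line, for example `# formerly priv_system_role`, plus a statement of what logrotate needs the exemption for, would keep the grant auditable.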
@@ -126,6 +127,10 @@ ifdef(`distro_debian', `
can_exec(logrotate_t, logrotate_exec_t)
')
+ifdef(`targeted_policy',`
+ unconfined_domain_template(logrotate_t)
+')
+
optional_policy(`acct.te',`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
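Review bot: The `ifdef(`targeted_policy', ...)` block that calls `unconfined_domain_template(logrotate_t)` has no comment, and the same uncommented block is added in rpm.te, sendmail.te and ssh.te. Under targeted policy the template makes every confining rule in the rest of the module redundant, which is easy to miss when auditing what sshd_t or sendmail_t may do. I would put a comment inside each block such as `# targeted policy: this domain is deliberately unconfined; the rules in this module only constrain it in strict`.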
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 1da113f..9939948 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -169,6 +169,10 @@ sysnet_read_config(rpm_t)
userdom_use_unpriv_users_fd(rpm_t)
+ifdef(`targeted_policy',`
+ unconfined_domain_template(rpm_t)
+')
+
optional_policy(`cron.te',`
cron_system_entry(rpm_t,rpm_exec_t)
')
@@ -310,11 +314,8 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
-# this should be tunable_policy, but
-# typeattribute does not work in conditionals
-ifdef(`unlimitedRPM',`
+ifdef(`targeted_policy',`
unconfined_domain_template(rpm_t)
- unconfined_domain_template(rpm_script_t)
')
tunable_policy(`allow_execmem',`
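Review bot: In the rpm_script_t part of the file the retained line is `unconfined_domain_template(rpm_t)`, while the `rpm_script_t` line is removed; the earlier hunk in this file already applies the template to rpm_t. The same commit drops rpm_script_t from the `typealias unconfined_t` list in unconfined.te, so in a targeted build rpm_script_t appears to end up neither aliased nor unconfined. That would leave package scriptlets limited to whatever this module grants. If that is not intended, the line should read `unconfined_domain_template(rpm_script_t)`; if it is intended, the duplicate rpm_t call can be dropped and the reason noted.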
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 07b9a03..8481397 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -220,3 +220,20 @@ interface(`dbus_send_system_bus_msg',`
allow $1 system_dbusd_t:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+
+ allow $1 system_dbusd_t:dbus *;
+')
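Review bot: `allow $1 system_dbusd_t:dbus *;` uses a wildcard although the `gen_require` just above already names `all_dbus_perms`. Writing the rule as `allow $1 system_dbusd_t:dbus all_dbus_perms;` ties the grant to the declared permission set and reads the same as the require. The summary could also say that only the system bus daemon is the target, since "unconfined access to the system DBUS" might be read as covering messages to other domains on the bus.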
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 5524cc8..f1438ed 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -15,7 +15,7 @@ files_type(dbusd_etc_t)
type system_dbusd_t alias dbusd_t;
type system_dbusd_exec_t;
-init_daemon_domain(system_dbusd_t,system_dbusd_exec_t)
+init_system_domain(system_dbusd_t,system_dbusd_exec_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
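Review bot: The switch from `init_daemon_domain` to `init_system_domain` for system_dbusd_t is not mentioned in the Changelog entry or the commit message. The two interfaces are defined outside this diff, so the effect on how the bus daemon is entered and what it inherits cannot be checked from here. A one-line comment above the call stating why dbus is no longer declared as an init-script daemon would let a reviewer confirm the transition rules are still the intended ones.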
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 61e6238..0ac4b5f 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -102,7 +102,8 @@ mta_rw_aliases(sendmail_t)
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+ unconfined_domain_template(sendmail_t)
term_dontaudit_use_unallocated_tty(sendmail_t)
term_dontaudit_use_generic_pty(sendmail_t)
files_dontaudit_read_root_file(sendmail_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index fe1f7c9..8935f68 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -72,6 +72,10 @@ auth_exec_pam(sshd_t)
seutil_read_config(sshd_t)
+ifdef(`targeted_policy',`
+ unconfined_domain_template(sshd_t)
+')
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 2d53cc0..7ee474b 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -12,12 +12,6 @@ policy_module(corecommands,1.0)
type bin_t;
files_type(bin_t)
-ifdef(`targeted_policy',`
- # Define some type aliases to help with compatibility with
- # macros and domains from the "strict" policy.
- typealias bin_t alias su_exec_t;
-')
-
#
# sbin_t is the type of files in the system sbin directories.
#
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1b1028c..1b08279 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2568,8 +2568,6 @@ interface(`files_manage_generic_spools',`
interface(`files_unconfined',`
gen_require(`
attribute file_type;
- class unix_stream_socket name_bind;
- class unix_dgram_socket name_bind;
')
# Create/access any file in a labeled filesystem;
@@ -2582,4 +2580,10 @@ interface(`files_unconfined',`
# Bind to any network address.
# cjp: need to check this, I dont think this has any effect.
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+ ifdef(`targeted_policy',`
+ tunable_policy(`allow_execmod',`
+ allow $1 file_type:file execmod;
+ ')
+ ')
')
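Review bot: The new `allow $1 file_type:file execmod;` grants text relocation on every labelled file type once `allow_execmod` is on, whereas the non-targeted branch left in unconfined.if limits it to `texrel_shlib_t` and `home_type`. A comment inside the `ifdef` should say that this breadth is deliberate for targeted policy, for example `# targeted: unconfined domains may execmod any file when allow_execmod is set`. Separately, the `name_bind` rule just above still names `unix_stream_socket` and `unix_dgram_socket`, which the previous hunk removed from `gen_require`; please confirm a `MONOLITHIC=n` build still accepts it. The interface body starts outside this hunk.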
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 59eb383..82d9f6e 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -9,6 +9,11 @@
## </param>
#
template(`unconfined_domain_template',`
+ gen_require(`
+ class dbus all_dbus_perms;
+ class nscd all_nscd_perms;
+ class passwd all_passwd_perms;
+ ')
# Use any Linux capability.
allow $1 self:capability *;
@@ -52,6 +57,11 @@ template(`unconfined_domain_template',`
bootloader_manage_kernel_modules($1)
')
+ optional_policy(`dbus.te', `
+ # Communicate via dbusd.
+ dbus_system_bus_unconfined($1)
+ ')
+
optional_policy(`nscd.te', `
nscd_unconfined($1)
')
@@ -67,20 +77,12 @@ template(`unconfined_domain_template',`
ifdef(`TODO',`
if (allow_execmod) {
- ifdef(`targeted_policy', `
- allow $1 file_type:file execmod;
- ', `
+ ifdef(`targeted_policy', `', `
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1 texrel_shlib_t:file execmod;
allow $1 home_type:file execmod;
')
}
-
- ifdef(`dbusd.te', `
- # Communicate via dbusd.
- allow $1 system_dbusd_t:dbus *;
- ')
-
') dnl end TODO
')
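Review bot: `ifdef(`targeted_policy', `', `` leaves an empty then-branch, which is easy to misread as a dropped rule. A comment in the empty branch, such as `# targeted: execmod on file_type is granted by files_unconfined()`, would show where the removed `allow $1 file_type:file execmod;` went. The block sits inside `ifdef(`TODO', ...)`, so it is inactive today, but it will be read as the reference when that section is finished.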
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 80a543d..7def5d0 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,14 +25,14 @@ ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
- typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+ # cjp: remove xdm_t when we get to that module
+ typealias unconfined_t alias { secadm_t sysadm_t xdm_t };
init_domtrans_script(unconfined_t)
userdom_unconfined(unconfined_t)
ifdef(`TODO',`
- #cjp: why is this needed?
ifdef(`samba.te', `samba_domain(user)')
') dnl end TODO
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 721e51a..4656bb4 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -731,6 +731,10 @@ template(`unpriv_user_template', `
## </param>
#
template(`admin_user_template',`
+ gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
##############################
#
# Declarations
@@ -743,9 +747,10 @@ template(`admin_user_template',`
domain_obj_id_change_exempt($1_t)
role system_r types $1_t;
- #ifdef(`direct_sysadm_daemon', `, priv_system_role')
- #; dnl end of sysadm_t type declaration
-
+ ifdef(`direct_sysadm_daemon',`
+ domain_system_change_exempt($1_t)
+ ')
+
typeattribute $1_devpts_t admin_terminal;
typeattribute $1_tty_device_t admin_terminal;
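Review bot: `domain_system_change_exempt($1_t)` is added inside `admin_user_template`, so with `direct_sysadm_daemon` defined it applies to every domain instantiated from the template, while the Makefile comment describes the option as affecting sysadm only. Which domains use the template is not visible in this diff. If more than sysadm does, either the Makefile comment should say so or the block should be narrowed to the sysadm instance. The template body starts and ends outside this hunk.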
diff --git a/tools/regression.sh b/tools/regression.sh
index 0979a05..db3e42b 100755
--- a/tools/regression.sh
+++ b/tools/regression.sh
@@ -1,16 +1,15 @@
#!/bin/bash
DISTROS="redhat gentoo debian suse"
-STRICT_TYPES="strict strict-mls strict-mcs"
-TARG_TYPES="targeted targeted-mls targeted-mcs"
+TYPES="strict strict-mls strict-mcs targeted targeted-mls targeted-mcs"
POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
SETFILES="/usr/sbin/setfiles"
do_test() {
local OPTS=""
- for i in $STRICT_TYPES; do
- OPTS="TYPE=$i QUIET=@"
+ for i in $TYPES; do
+ OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=y"
[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
make bare || exit 1
echo "**** Options: $OPTS ****"
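Review bot: Every build in the loop now passes `DIRECT_INITRC=y`, so the Makefile default of `DIRECT_INITRC=n` is never compiled by the regression run. A break in the default path, which is the one without `direct_sysadm_daemon`, would go unnoticed. I would wrap the loop body in a second loop, `for d in n y; do`, and set `OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=$d"`. The body of `do_test` continues in the next hunk.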
@@ -19,19 +18,6 @@ do_test() {
make $OPTS file_contexts || exit 1
$SETFILES -q -c policy.$POLVER file_contexts || exit 1
done
-
- # need a specific config for targeted policy
- for i in $TARG_TYPES; do
- OPTS="TYPE=$i QUIET=@"
- [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
- make bare || exit 1
- echo "**** Options: $OPTS ****"
- cp policy/modules.conf.targeted_example policy/modules.conf
- make $OPTS conf || exit 1
- make $OPTS || exit 1
- make $OPTS file_contexts || exit 1
- $SETFILES -q -c policy.$POLVER file_contexts|| exit 1
- done
}
# first to generic test