[selinux-policy: 1006/3172] work on users

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:31:56 UTC 2010


commit ac9aa26d2e4e7ae3e7c34deba362cf2f89807042
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 29 15:49:18 2005 +0000

    work on users

 refpolicy/policy/modules/kernel/filesystem.if |   20 +++++-
 refpolicy/policy/modules/kernel/kernel.if     |   88 +++++++++++++++++++++-
 refpolicy/policy/modules/services/cron.if     |    1 +
 refpolicy/policy/modules/services/cron.te     |    2 +-
 refpolicy/policy/modules/services/hal.if      |   19 +++++
 refpolicy/policy/modules/services/inetd.if    |   17 ++++-
 refpolicy/policy/modules/services/radius.te   |    2 +-
 refpolicy/policy/modules/system/authlogin.if  |   20 +++++-
 refpolicy/policy/modules/system/domain.if     |   24 +++++-
 refpolicy/policy/modules/system/hotplug.te    |    3 +-
 refpolicy/policy/modules/system/userdomain.if |   97 +++++++++----------------
 refpolicy/policy/modules/system/userdomain.te |    2 +-
 12 files changed, 215 insertions(+), 80 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index f12e5d4..0725f40 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2367,6 +2367,23 @@ interface(`fs_relabelfrom_all_fs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of all directories
+##	with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_getattr_all_dirs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Search all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
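Review bot: fs_getattr_all_dirs grants more than its name and summary state: the rule uses `search_dir_perms`, which the fs_search_all hunk just below shows is the replacement for `{ getattr search }`, so callers also receive `search` on every filesystem_type directory. Either narrow the rule to `allow $1 filesystem_type:dir getattr;` so the interface matches "Get the attributes", or rename/re-document it; as written it duplicates fs_search_all. The same interface is handed to every user domain via userdomain.if in this commit, so the extra search permission is not a corner case.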
@@ -2376,10 +2393,9 @@ interface(`fs_relabelfrom_all_fs',`
 interface(`fs_search_all',`
 	gen_require(`
 		attribute filesystem_type;
-		class dir { getattr search };
 	')
 
-	allow $1 filesystem_type:dir { getattr search };
+	allow $1 filesystem_type:dir search_dir_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 886a4ec..5510188 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1494,7 +1494,6 @@ interface(`kernel_sigchld_unlabeled',`
 interface(`kernel_list_unlabeled',`
 	gen_require(`
 		type unlabeled_t;
-		class dir r_dir_perms;
 	')
 
 	allow $1 unlabeled_t:dir r_dir_perms;
@@ -1502,6 +1501,22 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list unlabeled directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_dontaudit_list_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write unlabeled directories.
 ## </summary>
 ## <param name="domain">
@@ -1511,7 +1526,6 @@ interface(`kernel_list_unlabeled',`
 interface(`kernel_rw_unlabeled_dir',`
 	gen_require(`
 		type unlabeled_t;
-		class dir rw_dir_perms;
 	')
 
 	allow $1 unlabeled_t:dir rw_dir_perms;
@@ -1553,6 +1567,57 @@ interface(`kernel_dontaudit_read_unlabeled_file',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named pipes.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:sock_file getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled block devices.
 ## </summary>
@@ -1563,7 +1628,6 @@ interface(`kernel_dontaudit_read_unlabeled_file',`
 interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 	gen_require(`
 		type unlabeled_t;
-		class blk_file getattr;
 	')
 
 	dontaudit $1 unlabeled_t:blk_file getattr;
@@ -1580,7 +1644,6 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 interface(`kernel_use_unlabeled_blk_dev',`
 	gen_require(`
 		type unlabeled_t;
-		class blk_file rw_file_perms;
 	')
 
 	allow $1 unlabeled_t:blk_file getattr;
@@ -1588,6 +1651,23 @@ interface(`kernel_use_unlabeled_blk_dev',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled objects.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 6777f82..ad04e4d 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -104,6 +104,7 @@ template(`cron_per_userdomain_template',`
 	domain_exec_all_entry_files($1_crond_t)
 	# quiet other ps operations
 	domain_dontaudit_read_all_domains_state($1_crond_t)
+	domain_dontaudit_getattr_all_domains($1_crond_t)
 
 	files_read_usr_files($1_crond_t)
 	files_exec_etc_files($1_crond_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 7f106b9..c59ade9 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.0.1)
+policy_module(cron, 1.0.2)
 
 gen_require(`
 	class passwd rootok;
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 176811a..6bb4483 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -71,3 +71,22 @@ interface(`hal_dbus_send',`
 
 	allow $1 hald_t:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	hal over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_dbus_chat',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+	allow hald_t $1:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index d03e202..a0dad85 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -216,9 +216,24 @@ interface(`inetd_domtrans_child',`
 interface(`inetd_udp_sendto',`
 	gen_require(`
 		type inetd_t;
-		class udp_socket { sendto recvfrom };
 	')
 
 	allow $1 inetd_t:udp_socket sendto;
 	allow inetd_t $1:udp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`inetd_rw_tcp_socket',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 66574c4..e115360 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
 
-policy_module(radius,1.0)
+policy_module(radius,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index ed33f9f..d64453f 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -610,6 +610,25 @@ interface(`auth_domtrans_pam_console',`
 	allow pam_console_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Search the contents of the
+##	pam_console data directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`auth_search_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir search_dir_perms;
+')
+
 #######################################
 #
 # auth_list_pam_console_data(domain)
@@ -617,7 +636,6 @@ interface(`auth_domtrans_pam_console',`
 interface(`auth_list_pam_console_data',`
 	gen_require(`
 		type pam_var_console_t;
-		class dir r_dir_perms;
 	')
 
 	files_search_var($1)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index e0b316c..d2546fa 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -530,6 +530,22 @@ interface(`domain_getattr_all_domains',`
 
 ########################################
 ## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getattr;
+')
+
+########################################
+## <summary>
 ##	Read the process state (/proc/pid) of all confined domains.
 ## </summary>
 ## <param name="domain">
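Review bot: The documentation of domain_dontaudit_getattr_all_domains is wrong for a dontaudit interface: the summary reads "Get the attributes of all domains of all domains." and the parameter is described as "Domain allowed access." even though the rule is `dontaudit $1 domain:process getattr;`. Suggest `##	Do not audit attempts to get the attributes of all domains.` for the summary and `##	The process type not to audit.` for the parameter, matching the wording used by the kernel_dontaudit_getattr_unlabeled_* interfaces added in this same commit.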
@@ -648,15 +664,15 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
 interface(`domain_dontaudit_read_all_domains_state',`
 	gen_require(`
 		attribute domain;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file r_file_perms;
 	')
 
 	dontaudit $1 domain:dir r_dir_perms;
 	dontaudit $1 domain:lnk_file r_file_perms;
 	dontaudit $1 domain:file r_file_perms;
-	dontaudit $1 domain:process getattr;
+
+	# cjp: these should be removed:
+	dontaudit $1 domain:sock_file r_file_perms;
+	dontaudit $1 domain:fifo_file r_file_perms;
 ')
 
 ########################################
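Review bot: Removing `dontaudit $1 domain:process getattr;` from domain_dontaudit_read_all_domains_state changes what existing callers get: cron.if, hotplug.te and userdomain.if are updated in this commit to also call domain_dontaudit_getattr_all_domains, but any other caller of this interface outside the diff will now start logging process getattr denials. If that is intended, it would be worth saying so in the commit message; otherwise keep the process rule here as well. Separately, the two added sock_file/fifo_file rules are introduced with a comment saying they "should be removed", so a reader cannot tell which denial they silence or what must happen before they can go; stating that, e.g. `# cjp: temporary, silences <denial> until <condition>; remove afterwards`, would make the stopgap actionable.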
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 1928763..675d039 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
 
-policy_module(hotplug, 1.0)
+policy_module(hotplug,1.0.1)
 
 ########################################
 #
@@ -87,6 +87,7 @@ corecmd_exec_ls(hotplug_t)
 domain_use_wide_inherit_fd(hotplug_t)
 # for ps
 domain_dontaudit_read_all_domains_state(hotplug_t)
+domain_dontaudit_getattr_all_domains(hotplug_t)
 
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c2362ec..fdd932b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -142,7 +142,13 @@ template(`base_user_template',`
 	per_userdomain_templates($1,$1_t,$1_r)
 
 	kernel_read_kernel_sysctl($1_t)
-	selinux_get_fs_mount($1_t)
+	kernel_dontaudit_list_unlabeled($1_t)
+	kernel_dontaudit_getattr_unlabeled_file($1_t)
+	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+	kernel_dontaudit_getattr_unlabeled_blk_dev($1_t)
+	kernel_dontaudit_getattr_unlabeled_chr_dev($1_t)
 	# Very permissive allowing every domain to see every type:
 	kernel_get_sysvipc_info($1_t)
 	# Find CDROM devices:
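Review bot: This hunk drops `selinux_get_fs_mount($1_t)` from base_user_template while adding the kernel_dontaudit_* calls, but the removal is unrelated to those additions and neither the commit message ("work on users") nor a comment explains it. If user domains are no longer meant to see the selinuxfs mount, say so in the message; otherwise restore the line, since the rest of the hunk only adds dontaudit rules and would not be expected to revoke an allow. The kernel_dontaudit_getattr_unlabeled_file interface called on the second added line is not defined in this diff, so presumably it already exists in kernel.if — worth confirming before merging. base_user_template continues outside the hunk.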
@@ -180,6 +186,7 @@ template(`base_user_template',`
 
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
+	fs_getattr_all_dirs($1_t)
 	fs_search_auto_mountpoints($1_t)
 
 	# cjp: some of this probably can be removed
@@ -195,6 +202,7 @@ template(`base_user_template',`
 
 	auth_read_login_records($1_t)
 	auth_dontaudit_write_login_records($1_t)
+	auth_search_pam_console_data($1_t)
 	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 
@@ -207,6 +215,7 @@ template(`base_user_template',`
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
+	domain_dontaudit_getattr_all_domains($1_t)
 	domain_dontaudit_getsession_all_domains($1_t)
 
 	files_exec_etc_files($1_t)
@@ -304,6 +313,11 @@ template(`base_user_template',`
 		term_getattr_all_user_ttys($1_t)
 	')
 
+	optional_policy(`apm',`
+		# Allow graphical boot to check battery lifespan
+		apm_stream_connect($1_t)
+	')
+
 	optional_policy(`canna',`
 		canna_stream_connect($1_t)
 	')
@@ -311,6 +325,10 @@ template(`base_user_template',`
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
 
+		optional_policy(`hal',`
+			hal_dbus_chat($1_t)
+		')
+
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat($1_t)
 		')
@@ -332,6 +350,9 @@ template(`base_user_template',`
 
 	optional_policy(`inetd',`
 		inetd_tcp_connect($1_t)
+		inetd_udp_sendto($1_t)
+		inetd_use_fd($1_t)
+		inetd_rw_tcp_socket($1_t)
 	')
 
 	optional_policy(`inn',`
@@ -345,7 +366,7 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`mysql',`
-		ifdef(`targeted_policy',`',`
+		ifdef(`strict_policy',`
 			tunable_policy(`allow_user_mysql_connect',`
 				mysql_stream_connect($1_t)
 			')
@@ -361,12 +382,17 @@ template(`base_user_template',`
 		pcmcia_read_pid($1_t)
 	')
 
+	optional_policy(`portmap',`
+		portmap_tcp_connect($1_t)
+	')
+
 	optional_policy(`quota',`
 		quota_dontaudit_getattr_db($1_t)
 	')
 
 	optional_policy(`rpc',`
 		rpc_dontaudit_getattr_exports($1_t)
+		rpc_manage_nfs_rw_content($1_t)
 	')
 
 	optional_policy(`rpm',`
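Review bot: `rpc_manage_nfs_rw_content($1_t)` hands every user domain create/write/delete rights over the NFS rw content unconditionally, whereas the mysql block earlier in this template gates a much narrower grant behind a tunable. The line replaces the old TODO rule `create_dir_file($1_t, nfsd_rw_t)`, which carried no rationale either, so consider placing it behind a tunable or adding a comment stating why all user domains need manage rights here. The portmap_tcp_connect addition in the same hunk is a straightforward port of the removed `can_tcp_connect($1_t, portmap_t)` and needs no change.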
@@ -374,6 +400,10 @@ template(`base_user_template',`
 		files_search_var_lib($1_t)
 	')
 
+	optional_policy(`samba',`
+		samba_connect_winbind($1_t)
+	')
+
 	optional_policy(`squid',`
 		squid_use($1_t)
 	')
@@ -384,9 +414,6 @@ template(`base_user_template',`
 	')
 
 	ifdef(`TODO',`
-
-	can_winbind($1_t)
-
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@@ -395,13 +422,6 @@ template(`base_user_template',`
 	# Check to see if cdrom is mounted
 	allow $1_t mnt_t:dir { getattr search };
 
-	#
-	# Added to allow reading of cdrom
-	#
-	allow $1_t rpc_pipefs_t:dir getattr;
-	allow $1_t nfsd_fs_t:dir getattr;
-	allow $1_t binfmt_misc_fs_t:dir getattr;
-
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 
@@ -412,12 +432,7 @@ template(`base_user_template',`
 
 	r_dir_file($1_t, usercanread)
 
-	allow $1_t fs_type:dir getattr;
-
 	# old browser_domain():
-	dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-	dontaudit $1 unlabeled_t:dir search;
-	dontaudit $1 unlabeled_t:dir read;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
@@ -426,32 +441,6 @@ template(`base_user_template',`
 
 	can_resmgrd_connect($1_t)
 
-	# Grant permissions to access the system DBus
-	ifdef(`dbusd.te', `
-		ifdef(`hald.te', `
-			allow $1_t hald_t:dbus send_msg;
-			allow hald_t $1_t:dbus send_msg;
-		')
-	')
-
-	# Gnome pannel binds to the following
-	ifdef(`cups.te', `
-		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
-	')
-
-	ifdef(`inetd.te', `
-		# Connect to inetd.
-		inetd_tcp_connect($1_t)
-		can_udp_send($1_t, inetd_t)
-		can_udp_send(inetd_t, $1_t)
-		# Inherit and use sockets from inetd
-		inetd_use_fd($1_t)
-		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-	')
-
-	# Connect to portmap.
-	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
 	# Use X
 	x_client_domain($1, $1)
 
@@ -472,10 +461,7 @@ template(`base_user_template',`
 	')
 
 	# start read_fonts()
-
-	# cjp: this macro is unconditional, though
-	# its in a conditional file.
-
+	# cjp: these types come in from fontconfig
 	# Manipulate the global font cache
 	create_dir_file($1, $1_fonts_cache_t)
 
@@ -488,23 +474,6 @@ template(`base_user_template',`
 	allow $1 $2_gnome_settings_t:dir { getattr search };
 	')
 	# end read_fonts()
-
-	ifdef(`rpcd.te', `
-		create_dir_file($1_t, nfsd_rw_t)
-	')
-
-	#
-	# Allow graphical boot to check battery lifespan
-	#
-	ifdef(`apmd.te', `
-		allow $1_t apmd_t:unix_stream_socket connectto;
-		allow $1_t apmd_var_run_t:sock_file write;
-	')
-
-	ifdef(`pamconsole.te', `
-		allow $1_t pam_var_console_t:dir search;
-	')
-
 	') dnl endif TODO
 
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a5edddb..7156e8f 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0.3)
+policy_module(userdomain,1.0.4)
 
 ########################################
 #

