[selinux-policy: 1117/3172] add userhelper
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:41:35 UTC 2010
commit 7c2f5a82ae129c5eef9611036e180eeb453aaa6a
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jan 18 16:40:04 2006 +0000
add userhelper
refpolicy/Changelog | 1 +
refpolicy/policy/modules/apps/userhelper.fc | 9 +
refpolicy/policy/modules/apps/userhelper.if | 217 +++++++++++++++++++++++
refpolicy/policy/modules/apps/userhelper.te | 13 ++
refpolicy/policy/modules/kernel/corecommands.if | 100 +++++++++--
refpolicy/policy/modules/kernel/domain.if | 17 ++
refpolicy/policy/modules/services/xdm.te | 6 +-
refpolicy/policy/modules/system/authlogin.if | 38 ++++
refpolicy/policy/modules/system/init.if | 16 ++
refpolicy/policy/modules/system/userdomain.if | 134 ++++++++++++++
10 files changed, 538 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index fbe4f5c..61fef3c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,6 @@
- Added modules:
portage
+ userhelper
usernetctl
* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
diff --git a/refpolicy/policy/modules/apps/userhelper.fc b/refpolicy/policy/modules/apps/userhelper.fc
new file mode 100644
index 0000000..0cd9dc4
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
new file mode 100644
index 0000000..440bf9e
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -0,0 +1,217 @@
+## <summary>SELinux utility to run a shell with a new role</summary>
+
+#######################################
+## <summary>
+## The per user domain template for the userhelper module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for userhelper.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`userhelper_per_userdomain_template',`
+ gen_require(`
+ type userhelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+ type $1_userhelper_t;
+ domain_type($1_userhelper_t)
+ domain_entry_file($1_userhelper_t,userhelper_exec_t)
+ domain_role_change_exempt($1_userhelper_t)
+ domain_obj_id_change_exempt($1_userhelper_t)
+ domain_wide_inherit_fd($1_userhelper_t)
+ domain_subj_id_change_exempt($1_userhelper_t)
+ role system_r types $1_userhelper_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:fd use;
+ allow $1_userhelper_t self:fifo_file rw_file_perms;
+ allow $1_userhelper_t self:shm create_shm_perms;
+ allow $1_userhelper_t self:sem create_sem_perms;
+ allow $1_userhelper_t self:msgq create_msgq_perms;
+ allow $1_userhelper_t self:msg { send receive };
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file r_file_perms;
+
+ #Transition to the derived domain.
+ domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
+ allow $2 $1_userhelper_t:fd use;
+ allow $1_userhelper_t $2:fd use;
+ allow $1_userhelper_t $2:fifo_file rw_file_perms;
+ allow $1_userhelper_t $2:process sigchld;
+
+ allow $1_userhelper_t self:process setexec;
+
+ allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+
+ can_exec($1_userhelper_t, userhelper_exec_t)
+
+ dontaudit $2 $1_userhelper_t:process signal;
+
+ kernel_read_all_sysctl($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
+
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t,$2)
+ corecmd_sbin_domtrans($1_userhelper_t,$2)
+
+ # Inherit descriptors from the current session.
+ domain_use_wide_inherit_fd($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_wide_inherit_fd($1_userhelper_t)
+
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
+
+ files_list_var_lib($1_userhelper_t)
+ # Write to utmp.
+ files_filetrans_pid($1_userhelper_t,initrc_var_run_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlink($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
+
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
+
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
+ selinux_get_fs_mount($1_userhelper_t)
+ selinux_validate_context($1_userhelper_t)
+ selinux_compute_access_vector($1_userhelper_t)
+ selinux_compute_create_context($1_userhelper_t)
+ selinux_compute_relabel_context($1_userhelper_t)
+ selinux_compute_user_contexts($1_userhelper_t)
+
+ # Read the devpts root directory.
+ term_list_ptys($1_userhelper_t)
+ # Relabel terminals.
+ term_relabel_all_user_ttys($1_userhelper_t)
+ term_relabel_all_user_ptys($1_userhelper_t)
+ # Access terminals.
+ term_use_all_user_ttys($1_userhelper_t)
+ term_use_all_user_ptys($1_userhelper_t)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fd($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+
+ libs_use_ld_so($1_userhelper_t)
+ libs_use_shared_libs($1_userhelper_t)
+
+ miscfiles_read_localization($1_userhelper_t)
+
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+
+ userdom_use_unpriv_users_fd($1_userhelper_t)
+ # Allow $1_userhelper_t to transition to user domains.
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`rpm',`
+ # Allow transitioning to rpm_t, for up2date
+ rpm_domtrans($1_userhelper_t)
+ ')
+ ')
+
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
+ userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
+ userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+ ')
+
+
+ optional_policy(`logging',`
+ logging_send_syslog_msg($1_userhelper_t)
+ ')
+
+ optional_policy(`nis',`
+ nis_use_ypbind($1_userhelper_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_use_socket($1_userhelper_t)
+ ')
+
+ ifdef(`TODO',`
+ allow $1_userhelper_t xdm_t:fd use;
+ allow $1_userhelper_t xdm_var_run_t:dir search;
+ allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
+
+ optional_policy(`gnome-pty-helper.te',`
+ allow $1_userhelper_t gphdomain:fd use;
+ ')
+ optional_policy(`xauth', `
+ domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+ allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
+ ')
+ optional_policy(`mozilla', `
+ domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+ ')
+ # for when the network connection is killed
+ dontaudit unpriv_userdomain $1_userhelper_t:process signal;
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search userhelp configuration
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search;
+')
diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te
new file mode 100644
index 0000000..22cae2e
--- /dev/null
+++ b/refpolicy/policy/modules/apps/userhelper.te
@@ -0,0 +1,13 @@
+
+policy_module(userhelper,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+files_type(userhelper_conf_t)
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index f6f09fe..8e9100a 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -242,7 +242,9 @@ interface(`corecmd_mmap_bin_files',`
########################################
## <summary>
## Execute a file in a bin directory
-## in the specified domain.
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
@@ -259,7 +261,7 @@ interface(`corecmd_mmap_bin_files',`
## </p>
## <p>
## This interface was added to handle
-## the ssh-agent policy.
+## the userhelper policy.
## </p>
## </desc>
## <param name="domain">
@@ -269,17 +271,54 @@ interface(`corecmd_mmap_bin_files',`
## The type of the new process.
## </param>
#
-interface(`corecmd_bin_domtrans',`
+interface(`corecmd_bin_spec_domtrans',`
gen_require(`
type bin_t;
- class dir search;
- class lnk_file { getattr read };
')
allow $1 bin_t:dir search;
allow $1 bin_t:lnk_file { getattr read };
- domain_auto_trans($1,bin_t,$2)
+ domain_trans($1,bin_t,$2)
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a bin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the new process.
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1,$2)
+ type_transition $1 bin_t:process $2;
')
########################################
@@ -541,6 +580,49 @@ interface(`corecmd_sbin_domtrans',`
########################################
## <summary>
+## Execute a file in a sbin directory
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sbin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the userhelper policy.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the new process.
+## </param>
+#
+interface(`corecmd_sbin_spec_domtrans',`
+ gen_require(`
+ type sbin_t;
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:lnk_file { getattr read };
+
+ domain_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
## Check if a shell is executable (DAC-wise).
## </summary>
## <param name="domain">
@@ -564,8 +646,6 @@ interface(`corecmd_check_exec_shell',`
interface(`corecmd_exec_shell',`
gen_require(`
type bin_t, shell_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
@@ -580,8 +660,6 @@ interface(`corecmd_exec_shell',`
interface(`corecmd_exec_ls',`
gen_require(`
type bin_t, ls_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
@@ -617,8 +695,6 @@ interface(`corecmd_exec_ls',`
interface(`corecmd_shell_spec_domtrans',`
gen_require(`
type bin_t, shell_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index d02815b..db68ba8 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -1074,6 +1074,23 @@ interface(`domain_mmap_all_entry_files',`
########################################
## <summary>
+## Execute an entry_type in the specified domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+# cjp: added for userhelper
+interface(`domain_entry_spec_domtrans',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ domain_trans($1,entry_type,$2)
+')
+
+########################################
+## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index b27ecd5..91f46de 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -1,5 +1,5 @@
-policy_module(xdm,1.1.0)
+policy_module(xdm,1.1.1)
########################################
#
@@ -102,6 +102,10 @@ optional_policy(`locallogin',`
locallogin_signull(xdm_t)
')
+optional_policy(`userhelper',`
+ userhelper_dontaudit_search_config(xdm_t)
+')
+
ifdef(`TODO',`
# cjp: TODO: integrate strict policy:
daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index fca8333..21032db 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -586,6 +586,26 @@ interface(`auth_exec_pam',`
can_exec($1,pam_exec_t)
')
+########################################
+## <summary>
+## Manage var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`auth_manage_var_auth',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_auth_t:dir create_dir_perms;
+ allow $1 var_auth_t:file rw_file_perms;
+ allow $1 var_auth_t:lnk_file rw_file_perms;
+')
+
#######################################
#
# auth_read_pam_pid(domain)
@@ -638,6 +658,24 @@ interface(`auth_delete_pam_pid',`
allow $1 pam_var_run_t:file { getattr unlink };
')
+########################################
+## <summary>
+## Manage pam PID files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`auth_manage_pam_pid',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir create_dir_perms;
+ allow $1 pam_var_run_t:file create_file_perms;
+')
+
#######################################
#
# auth_domtrans_pam_console(domain)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index ebd5801..fe34c0b 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -873,3 +873,19 @@ interface(`init_dontaudit_rw_script_pid',`
dontaudit $1 initrc_var_run_t:file { getattr read write append };
')
+########################################
+## <summary>
+## Manage init files like utmp.
+## </summary>
+## <param name="domain">
+## Domain access allowed.
+## </param>
+#
+interface(`init_manage_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index e8fc6ce..3109ce5 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2390,6 +2390,75 @@ interface(`userdom_manage_unpriv_user_shared_mem',`
########################################
## <summary>
+## Execute bin_t in the unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+
+ allow $1 unpriv_userdomain:fd use;
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute generic sbin programs in all unprivileged user
+## domains. This is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
+
+ allow $1 unpriv_userdomain:fd use;
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute all entrypoint files in unprivileged user
+## domains. This is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ domain_entry_spec_domtrans($1,unpriv_userdomain)
+
+ allow $1 unpriv_userdomain:fd use;
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
@@ -2416,6 +2485,71 @@ interface(`userdom_shell_domtrans_sysadm',`
########################################
## <summary>
+## Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_sysadm',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1,sysadm_t)
+
+ allow $1 sysadm_t:fd use;
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a generic sbin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_sysadm',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_sbin_spec_domtrans($1,sysadm_t)
+
+ allow $1 sysadm_t:fd use;
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute all entrypoint files in the sysadm domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_sysadm',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ domain_entry_spec_domtrans($1,sysadm_t)
+
+ allow $1 sysadm_t:fd use;
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Search the staff users home directory.
## </summary>
## <param name="domain">
More information about the scm-commits
mailing list