[selinux-policy: 66/3172] add bulk of selinux module policy, and add required interfaces
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:10:53 UTC 2010
commit ee5772e45565b633ed655adbcb896074558a1a90
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Apr 28 18:59:01 2005 +0000
add bulk of selinux module policy, and add required interfaces
refpolicy/policy/modules/kernel/devices.if | 27 ++
refpolicy/policy/modules/kernel/devices.te | 5 +-
refpolicy/policy/modules/kernel/kernel.if | 26 +-
refpolicy/policy/modules/kernel/terminal.if | 16 +
refpolicy/policy/modules/system/files.if | 44 +++-
refpolicy/policy/modules/system/init.if | 14 +
refpolicy/policy/modules/system/selinux.if | 17 +
refpolicy/policy/modules/system/selinux.te | 401 ++++++++++++++++++++++--
refpolicy/policy/modules/system/selinuxutil.if | 17 +
refpolicy/policy/modules/system/selinuxutil.te | 401 ++++++++++++++++++++++--
10 files changed, 911 insertions(+), 57 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 9fa9840..dc0f332 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -19,6 +19,33 @@ filesystem_tmpfs_associate_depend
########################################
#
+# devices_manage_all_devices_labels(type,[`optional'])
+#
+define(`devices_manage_all_devices_labels',`
+requires_block_template(devices_manage_all_devices_labels_depend,$2)
+allow $1 device_node:dir { getattr relabelfrom };
+allow $1 device_node:file { getattr relabelfrom };
+allow $1 device_node:lnk_file { getattr relabelfrom };
+allow $1 device_node:fifo_file { getattr relabelfrom };
+allow $1 device_node:sock_file { getattr relabelfrom };
+allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
+allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
+')
+
+define(`devices_manage_all_devices_labels_depend',`
+attribute device_node;
+type device_t;
+class dir { getattr relabelfrom };
+class file { getattr relabelfrom };
+class lnk_file { getattr relabelfrom };
+class fifo_file { getattr relabelfrom };
+class sock_file { getattr relabelfrom };
+class blk_file { getattr relabelfrom relabelto };
+class chr_file { getattr relabelfrom relabelto };
+')
+
+########################################
+#
# devices_list_device_nodes(type,[`optional'])
#
define(`devices_list_device_nodes',`
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 3fc8adf..e4482d1 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -11,10 +11,9 @@ attribute device_node;
#
# device_t is the type of /dev.
#
-type device_t, device_node;
-filesystem_associate(device_t)
+type device_t;
+files_make_file(device_t)
filesystem_tmpfs_associate(device_t)
-filesystem_noxattr_associate(device_t)
# Only directories and symlinks should be labeled device_t.
# If there are other files with this type, it is wrong.
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 77f4037..224daf6 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -43,14 +43,14 @@ class process share;
########################################
#
-# kernel_use_kernel_fd(domain,[`optional'])
+# kernel_use_file_descriptors(domain,[`optional'])
#
-define(`kernel_use_kernel_fd',`
-requires_block_template(kernel_use_kernel_fd_depend,$2)
+define(`kernel_use_file_descriptors',`
+requires_block_template(kernel_use_file_descriptors_depend,$2)
allow $1 kernel_t:fd use;
')
-define(`kernel_use_kernel_fd_depend',`
+define(`kernel_use_file_descriptors_depend',`
type kernel_t;
class fd use;
')
@@ -104,20 +104,18 @@ class process sigkill;
#
define(`kernel_relabel_unlabeled_object',`
requires_block_template(kernel_relabel_unlabeled_object_depend,$2)
-allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } relabelfrom;
-typeattribute $1 can_relabel;
+allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
')
define(`kernel_relabel_unlabeled_object_depend',`
-attribute can_relabel;
type unlabeled_t;
-class dir relabelfrom;
-class file relabelfrom;
-class lnk_file relabelfrom;
-class fifo_file relabelfrom;
-class sock_file relabelfrom;
-class chr_file relabelfrom;
-class blk_file relabelfrom;
+class dir { getattr relabelfrom };
+class file { getattr relabelfrom };
+class lnk_file { getattr relabelfrom };
+class fifo_file { getattr relabelfrom };
+class sock_file { getattr relabelfrom };
+class chr_file { getattr relabelfrom };
+class blk_file { getattr relabelfrom };
')
########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 6c741e1..64da779 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -126,6 +126,22 @@ kernel_relabeling_privilege_depend
########################################
#
+# terminal_list_pseudoterminals(domain,[`optional'])
+#
+define(`terminal_list_pseudoterminals',`
+requires_block_template(terminal_list_pseudoterminals_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 devpts_t:dir { getattr search read };
+')
+
+define(`terminal_list_pseudoterminals_depend',`
+type devpts_t;
+class dir { getattr search read };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
# terminal_ignore_list_pseudoterminals(domain,[`optional'])
#
define(`terminal_ignore_list_pseudoterminals',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 66ebcc5..53b3ac0 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -41,20 +41,60 @@ class sock_file getattr;
########################################
#
+# files_manage_all_files_labels(type,[`optional'])
+#
+define(`files_manage_all_files_labels',`
+requires_block_template(files_manage_all_files_labels_depend,$2)
+allow $1 file_type:dir { getattr relabelfrom relabelto };
+allow $1 file_type:file { getattr relabelfrom relabelto };
+allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
+allow $1 file_type:fifo_file { getattr relabelfrom relabelto };
+allow $1 file_type:sock_file { getattr relabelfrom relabelto };
+allow $1 file_type:blk_file { getattr relabelfrom };
+allow $1 file_type:chr_file { getattr relabelfrom };
+')
+
+define(`files_manage_all_files_labels_depend',`
+attribute file_type;
+class dir { relabelfrom relabelto };
+class file { relabelfrom relabelto };
+class lnk_file { relabelfrom relabelto };
+class fifo_file { relabelfrom relabelto };
+class sock_file { relabelfrom relabelto };
+class blk_file relabelfrom;
+class chr_file relabelfrom;
+')
+
+########################################
+#
# files_search_all_directories(type,[`optional'])
#
define(`files_search_all_directories',`
-requires_block_template(files_get_all_file_attributes_depend,$2)
+requires_block_template(files_search_all_directories_depend,$2)
allow $1 file_type:dir search;
')
-define(`files_get_all_file_attributes_depend',`
+define(`files_search_all_directories_depend',`
attribute file_type;
class dir search;
')
########################################
#
+# files_read_all_directories(type,[`optional'])
+#
+define(`files_read_all_directories',`
+requires_block_template(files_read_all_directories_depend,$2)
+allow $1 file_type:dir { getattr search read };
+')
+
+define(`files_read_all_directories_depend',`
+attribute file_type;
+class dir { getattr search read };
+')
+
+########################################
+#
# files_read_root_dir(domain,[`optional'])
#
define(`files_read_root_dir',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index b277170..2917688 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -66,6 +66,20 @@ class process { transition noatsecure siginh rlimitinh };
########################################
#
+# init_script_use_file_descriptors(domain,[`optional'])
+#
+define(`init_script_use_file_descriptors',`
+requires_block_template(init_script_use_file_descriptors_depend,$2)
+allow $1 initrc_t:fd use;
+')
+
+define(`init_script_use_file_descriptors_depend',`
+type initrc_t;
+class fd use;
+')
+
+########################################
+#
# init_script_use_pseudoterminal(domain,[`optional'])
#
define(`init_script_use_pseudoterminal',`
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 10b4112..87e5ac6 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -35,6 +35,23 @@ class file { getattr read };
########################################
#
+# selinux_read_file_contexts(domain,[`optional'])
+#
+define(`selinux_read_file_contexts',`
+requires_block_template(selinux_read_file_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 file_context_t:dir { getattr search read };
+allow $1 file_context_t:file { getattr read };
+')
+
+define(`selinux_read_file_contexts_depend',`
+type selinux_config_t, file_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
# selinux_read_binary_policy(domain,[`optional'])
#
define(`selinux_read_binary_policy',`
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 7a2fece..635d80b 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -2,12 +2,47 @@
policy_module(selinux,1.0)
+########################################
#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
+# Declarations
#
-type selinux_config_t;
-files_make_file(selinux_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+
+type checkpolicy_t, can_write_binary_policy;
+domain_make_domain(checkpolicy_t)
+role system_r types checkpolicy_t;
+
+type checkpolicy_exec_t;
+domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t)
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+role system_r types load_policy_t;
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+domain_make_domain(newrole_t)
+
+type newrole_exec_t;
+domain_make_entrypoint_file(newrole_t,newrole_exec_t)
#
# policy_config_t is the type of /etc/security/selinux/*
@@ -16,8 +51,6 @@ files_make_file(selinux_config_t)
type policy_config_t;
files_make_file(policy_config_t)
-attribute can_write_binary_policy;
-attribute can_relabelto_binary_policy;
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -28,24 +61,354 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_make_file(policy_src_t)
+type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
+domain_make_domain(restorecon_t)
+role system_r types restorecon_t;
+
+type restorecon_exec_t;
+domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+
#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
+# selinux_config_t is the type applied to
+# /etc/selinux/config
#
-type default_context_t;
-files_make_file(default_context_t)
+type selinux_config_t;
+files_make_file(selinux_config_t)
+type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
+domain_make_domain(setfiles_t)
+role system_r types setfiles_t;
+
+type setfiles_exec_t;
+domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
+
+########################################
#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
+# Checkpolicy local policy
#
-type file_context_t;
-files_make_file(file_context_t)
-type load_policy_t;
-domain_make_domain(load_policy_t)
+allow checkpolicy_t self:capability dac_override;
-type load_policy_exec_t;
-domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir { getattr search read };
+allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t selinux_config_t:dir search;
+
+filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
+
+terminal_use_console(checkpolicy_t)
+terminal_use_controlling_terminal(checkpolicy_t)
+
+init_use_file_descriptors(checkpolicy_t)
+init_script_use_pseudoterminal(checkpolicy_t)
+
+libraries_use_dynamic_loader(checkpolicy_t)
+libraries_read_shared_libraries(checkpolicy_t)
+
+ifdef(`TODO',`
+role sysadm_r types checkpolicy_t;
+domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+
+# allow test policies to be created in src directories
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+
+# directory search permissions for path to source and binary policy files
+allow checkpolicy_t root_t:dir search;
+allow checkpolicy_t etc_t:dir search;
+
+# Read the devpts root directory.
+allow checkpolicy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+
+allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
+
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+can_exec(unpriv_userdomain, checkpolicy_exec_t)
+
+allow checkpolicy_t { userdomain privfd }:fd use;
+') dnl endif TODO
+
+########################################
+#
+# Load_policy local policy
+#
+
+allow load_policy_t self:capability dac_override;
+
+# only allow read of policy config files
+allow load_policy_t policy_src_t:dir search;
+allow load_policy_t policy_config_t:dir { getattr search read };
+allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+
+allow newrole_t selinux_config_t:dir { getattr read search };
+allow newrole_t selinux_config_t:file { read getattr };
+allow newrole_t selinux_config_t:lnk_file { getattr read };
+
+kernel_get_selinuxfs_mount_point(load_policy_t)
+kernel_load_selinux_policy(load_policy_t)
+kernel_set_selinux_boolean(load_policy_t)
+
+filesystem_get_persistent_filesystem_attributes(load_policy_t)
+
+terminal_use_console(load_policy_t)
+terminal_use_controlling_terminal(load_policy_t)
+terminal_list_pseudoterminals(load_policy_t)
+
+init_script_use_file_descriptors(load_policy_t)
+init_script_use_pseudoterminal(load_policy_t)
+
+libraries_use_dynamic_loader(load_policy_t)
+libraries_read_shared_libraries(load_policy_t)
+
+miscfiles_read_localization(load_policy_t)
+
+ifdef(`TODO',`
+role sysadm_r types load_policy_t;
+domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+
+# directory search permissions for path to binary policy files
+allow load_policy_t etc_t:dir search;
+
+# Other access
+allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
+
+allow load_policy_t { userdomain privfd }:fd use;
+
+allow load_policy_t sysadm_tmp_t:file { getattr write } ;
+') dnl endif TODO
+
+########################################
+#
+# Newrole local policy
+#
+
+allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
+
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow newrole_t self:process setexec;
+allow newrole_t self:fd use;
+allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:msg { send receive };
+
+allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
+allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
+allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_read_system_state(newrole_t)
+kernel_read_kernel_sysctl(newrole_t)
+kernel_get_selinuxfs_mount_point(newrole_t)
+kernel_validate_selinux_context(newrole_t)
+kernel_compute_selinux_av(newrole_t)
+kernel_compute_create(newrole_t)
+kernel_compute_relabel(newrole_t)
+kernel_compute_reachable_user_contexts(newrole_t)
+
+devices_get_pseudorandom_data(newrole_t)
+
+filesystem_get_persistent_filesystem_attributes(newrole_t)
+
+terminal_list_pseudoterminals(newrole_t)
+terminal_use_controlling_terminal(newrole_t)
+
+files_read_general_system_config(newrole_t)
+
+libraries_use_dynamic_loader(newrole_t)
+libraries_read_shared_libraries(newrole_t)
+
+miscfiles_read_localization(newrole_t)
+
+ifdef(`TODO',`
+in_user_role(newrole_t)
+role sysadm_r types newrole_t;
+
+allow newrole_t unpriv_userdomain:fd use;
+can_ypbind(newrole)
+ifdef(`automount.te', `
+allow newrole_t autofs_t:dir { search getattr };
+')
+
+# for when the user types "exec newrole" at the command line
+allow newrole_t privfd:process sigchld;
+
+# Inherit descriptors from the current session.
+allow newrole_t privfd:fd use;
+
+# Execute /sbin/pwdb_chkpwd to check the password.
+allow newrole_t sbin_t:dir r_dir_perms;
+
+# Execute shells
+allow newrole_t bin_t:dir r_dir_perms;
+allow newrole_t bin_t:lnk_file read;
+allow newrole_t shell_exec_t:file r_file_perms;
+
+# Allow newrole_t to transition to user domains.
+bool secure_mode false;
+domain_trans(newrole_t, shell_exec_t, unpriv_userdomain)
+if(!secure_mode)
+{
+ # if we are not in secure mode then we can transition to sysadm_t
+ domain_trans(newrole_t, shell_exec_t, sysadm_t)
+}
+
+# Read /var.
+allow newrole_t var_t:dir r_dir_perms;
+allow newrole_t var_t:notdevfile_class_set r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow newrole_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
+
+# for some PAM modules and for cwd
+dontaudit newrole_t { home_root_t home_type }:dir search;
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain newrole_t:process signal;
+
+# Write to utmp.
+allow newrole_t var_run_t:dir r_dir_perms;
+allow newrole_t initrc_var_run_t:file rw_file_perms;
+') dnl ifdef TODO
+
+########################################
+#
+# Restorecon local policy
+#
+
+allow restorecon_t self:capability { dac_override dac_read_search fowner };
+
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_use_file_descriptors(restorecon_t)
+kernel_read_system_state(restorecon_t)
+kernel_get_selinuxfs_mount_point(restorecon_t)
+kernel_validate_selinux_context(restorecon_t)
+kernel_compute_selinux_av(restorecon_t)
+kernel_compute_create(restorecon_t)
+kernel_compute_relabel(restorecon_t)
+kernel_compute_reachable_user_contexts(restorecon_t)
+
+filesystem_get_persistent_filesystem_attributes(restorecon_t)
+
+init_use_file_descriptors(restorecon_t)
+init_script_use_pseudoterminal(restorecon_t)
+
+files_read_runtime_system_config(restorecon_t)
+files_read_general_system_config(restorecon_t)
+
+libraries_use_dynamic_loader(restorecon_t)
+libraries_read_shared_libraries(restorecon_t)
+
+logging_send_system_log_message(restorecon_t)
+
+# relabeling rules
+files_read_all_directories(restorecon_t)
+kernel_relabel_unlabeled_object(restorecon_t)
+devices_manage_all_devices_labels(restorecon_t)
+files_manage_all_files_labels(restorecon_t)
+
+ifdef(`TODO',`
+allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+
+domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
+domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
+role sysadm_r types restorecon_t;
+allow restorecon_t { userdomain privfd }:fd use;
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that restorecon can not be run!
+allow restorecon_t lib_t:file { read execute };
+
+ifdef(`distro_redhat', `
+allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+')
+
+allow restorecon_t fs_type:dir r_dir_perms;
+
+allow restorecon_t device_t:file { read write };
+allow restorecon_t kernel_t:fifo_file { read write };
+') dnl endif TODO
+
+########################################
+#
+# Setfiles local policy
+#
+
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_read_system_state(setfiles_t)
+kernel_get_selinuxfs_mount_point(setfiles_t)
+kernel_validate_selinux_context(setfiles_t)
+kernel_compute_selinux_av(setfiles_t)
+kernel_compute_create(setfiles_t)
+kernel_compute_relabel(setfiles_t)
+kernel_compute_reachable_user_contexts(setfiles_t)
+
+filesystem_get_persistent_filesystem_attributes(setfiles_t)
+
+terminal_use_controlling_terminal(setfiles_t)
+
+init_use_file_descriptors(setfiles_t)
+init_script_use_file_descriptors(setfiles_t)
+init_script_use_pseudoterminal(setfiles_t)
+
+libraries_use_dynamic_loader(setfiles_t)
+libraries_read_shared_libraries(setfiles_t)
+
+files_read_runtime_system_config(setfiles_t)
+files_read_general_system_config(setfiles_t)
+
+logging_send_system_log_message(setfiles_t)
+
+miscfiles_read_localization(setfiles_t)
+
+# relabeling rules
+files_read_all_directories(setfiles_t)
+kernel_relabel_unlabeled_object(setfiles_t)
+devices_manage_all_devices_labels(setfiles_t)
+files_manage_all_files_labels(setfiles_t)
+
+ifdef(`TODO',`
+
+allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
+
+domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
+role sysadm_r types setfiles_t;
+
+allow setfiles_t { userdomain privfd }:fd use;
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that setfiles can not be run!
+allow setfiles_t lib_t:file { read execute };
+
+allow setfiles_t unlabeled_t:dir read;
+
+allow setfiles_t fs_type:dir r_dir_perms;
-selinux_read_binary_policy(load_policy_t)
+# for config files in a home directory
+allow setfiles_t home_type:file r_file_perms;
+') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 10b4112..87e5ac6 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -35,6 +35,23 @@ class file { getattr read };
########################################
#
+# selinux_read_file_contexts(domain,[`optional'])
+#
+define(`selinux_read_file_contexts',`
+requires_block_template(selinux_read_file_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 file_context_t:dir { getattr search read };
+allow $1 file_context_t:file { getattr read };
+')
+
+define(`selinux_read_file_contexts_depend',`
+type selinux_config_t, file_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
# selinux_read_binary_policy(domain,[`optional'])
#
define(`selinux_read_binary_policy',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7a2fece..635d80b 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -2,12 +2,47 @@
policy_module(selinux,1.0)
+########################################
#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
+# Declarations
#
-type selinux_config_t;
-files_make_file(selinux_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+
+type checkpolicy_t, can_write_binary_policy;
+domain_make_domain(checkpolicy_t)
+role system_r types checkpolicy_t;
+
+type checkpolicy_exec_t;
+domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t)
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+role system_r types load_policy_t;
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+domain_make_domain(newrole_t)
+
+type newrole_exec_t;
+domain_make_entrypoint_file(newrole_t,newrole_exec_t)
#
# policy_config_t is the type of /etc/security/selinux/*
@@ -16,8 +51,6 @@ files_make_file(selinux_config_t)
type policy_config_t;
files_make_file(policy_config_t)
-attribute can_write_binary_policy;
-attribute can_relabelto_binary_policy;
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -28,24 +61,354 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_make_file(policy_src_t)
+type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
+domain_make_domain(restorecon_t)
+role system_r types restorecon_t;
+
+type restorecon_exec_t;
+domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+
#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
+# selinux_config_t is the type applied to
+# /etc/selinux/config
#
-type default_context_t;
-files_make_file(default_context_t)
+type selinux_config_t;
+files_make_file(selinux_config_t)
+type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
+domain_make_domain(setfiles_t)
+role system_r types setfiles_t;
+
+type setfiles_exec_t;
+domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
+
+########################################
#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
+# Checkpolicy local policy
#
-type file_context_t;
-files_make_file(file_context_t)
-type load_policy_t;
-domain_make_domain(load_policy_t)
+allow checkpolicy_t self:capability dac_override;
-type load_policy_exec_t;
-domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir { getattr search read };
+allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t selinux_config_t:dir search;
+
+filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
+
+terminal_use_console(checkpolicy_t)
+terminal_use_controlling_terminal(checkpolicy_t)
+
+init_use_file_descriptors(checkpolicy_t)
+init_script_use_pseudoterminal(checkpolicy_t)
+
+libraries_use_dynamic_loader(checkpolicy_t)
+libraries_read_shared_libraries(checkpolicy_t)
+
+ifdef(`TODO',`
+role sysadm_r types checkpolicy_t;
+domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+
+# allow test policies to be created in src directories
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+
+# directory search permissions for path to source and binary policy files
+allow checkpolicy_t root_t:dir search;
+allow checkpolicy_t etc_t:dir search;
+
+# Read the devpts root directory.
+allow checkpolicy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+
+allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
+
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+can_exec(unpriv_userdomain, checkpolicy_exec_t)
+
+allow checkpolicy_t { userdomain privfd }:fd use;
+') dnl endif TODO
+
+########################################
+#
+# Load_policy local policy
+#
+
+allow load_policy_t self:capability dac_override;
+
+# only allow read of policy config files
+allow load_policy_t policy_src_t:dir search;
+allow load_policy_t policy_config_t:dir { getattr search read };
+allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+
+allow newrole_t selinux_config_t:dir { getattr read search };
+allow newrole_t selinux_config_t:file { read getattr };
+allow newrole_t selinux_config_t:lnk_file { getattr read };
+
+kernel_get_selinuxfs_mount_point(load_policy_t)
+kernel_load_selinux_policy(load_policy_t)
+kernel_set_selinux_boolean(load_policy_t)
+
+filesystem_get_persistent_filesystem_attributes(load_policy_t)
+
+terminal_use_console(load_policy_t)
+terminal_use_controlling_terminal(load_policy_t)
+terminal_list_pseudoterminals(load_policy_t)
+
+init_script_use_file_descriptors(load_policy_t)
+init_script_use_pseudoterminal(load_policy_t)
+
+libraries_use_dynamic_loader(load_policy_t)
+libraries_read_shared_libraries(load_policy_t)
+
+miscfiles_read_localization(load_policy_t)
+
+ifdef(`TODO',`
+role sysadm_r types load_policy_t;
+domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+
+# directory search permissions for path to binary policy files
+allow load_policy_t etc_t:dir search;
+
+# Other access
+allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
+
+allow load_policy_t { userdomain privfd }:fd use;
+
+allow load_policy_t sysadm_tmp_t:file { getattr write } ;
+') dnl endif TODO
+
+########################################
+#
+# Newrole local policy
+#
+
+allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
+
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow newrole_t self:process setexec;
+allow newrole_t self:fd use;
+allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:msg { send receive };
+
+allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
+allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
+allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_read_system_state(newrole_t)
+kernel_read_kernel_sysctl(newrole_t)
+kernel_get_selinuxfs_mount_point(newrole_t)
+kernel_validate_selinux_context(newrole_t)
+kernel_compute_selinux_av(newrole_t)
+kernel_compute_create(newrole_t)
+kernel_compute_relabel(newrole_t)
+kernel_compute_reachable_user_contexts(newrole_t)
+
+devices_get_pseudorandom_data(newrole_t)
+
+filesystem_get_persistent_filesystem_attributes(newrole_t)
+
+terminal_list_pseudoterminals(newrole_t)
+terminal_use_controlling_terminal(newrole_t)
+
+files_read_general_system_config(newrole_t)
+
+libraries_use_dynamic_loader(newrole_t)
+libraries_read_shared_libraries(newrole_t)
+
+miscfiles_read_localization(newrole_t)
+
+ifdef(`TODO',`
+in_user_role(newrole_t)
+role sysadm_r types newrole_t;
+
+allow newrole_t unpriv_userdomain:fd use;
+can_ypbind(newrole)
+ifdef(`automount.te', `
+allow newrole_t autofs_t:dir { search getattr };
+')
+
+# for when the user types "exec newrole" at the command line
+allow newrole_t privfd:process sigchld;
+
+# Inherit descriptors from the current session.
+allow newrole_t privfd:fd use;
+
+# Execute /sbin/pwdb_chkpwd to check the password.
+allow newrole_t sbin_t:dir r_dir_perms;
+
+# Execute shells
+allow newrole_t bin_t:dir r_dir_perms;
+allow newrole_t bin_t:lnk_file read;
+allow newrole_t shell_exec_t:file r_file_perms;
+
+# Allow newrole_t to transition to user domains.
+bool secure_mode false;
+domain_trans(newrole_t, shell_exec_t, unpriv_userdomain)
+if(!secure_mode)
+{
+ # if we are not in secure mode then we can transition to sysadm_t
+ domain_trans(newrole_t, shell_exec_t, sysadm_t)
+}
+
+# Read /var.
+allow newrole_t var_t:dir r_dir_perms;
+allow newrole_t var_t:notdevfile_class_set r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow newrole_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
+
+# for some PAM modules and for cwd
+dontaudit newrole_t { home_root_t home_type }:dir search;
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain newrole_t:process signal;
+
+# Write to utmp.
+allow newrole_t var_run_t:dir r_dir_perms;
+allow newrole_t initrc_var_run_t:file rw_file_perms;
+') dnl ifdef TODO
+
+########################################
+#
+# Restorecon local policy
+#
+
+allow restorecon_t self:capability { dac_override dac_read_search fowner };
+
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_use_file_descriptors(restorecon_t)
+kernel_read_system_state(restorecon_t)
+kernel_get_selinuxfs_mount_point(restorecon_t)
+kernel_validate_selinux_context(restorecon_t)
+kernel_compute_selinux_av(restorecon_t)
+kernel_compute_create(restorecon_t)
+kernel_compute_relabel(restorecon_t)
+kernel_compute_reachable_user_contexts(restorecon_t)
+
+filesystem_get_persistent_filesystem_attributes(restorecon_t)
+
+init_use_file_descriptors(restorecon_t)
+init_script_use_pseudoterminal(restorecon_t)
+
+files_read_runtime_system_config(restorecon_t)
+files_read_general_system_config(restorecon_t)
+
+libraries_use_dynamic_loader(restorecon_t)
+libraries_read_shared_libraries(restorecon_t)
+
+logging_send_system_log_message(restorecon_t)
+
+# relabeling rules
+files_read_all_directories(restorecon_t)
+kernel_relabel_unlabeled_object(restorecon_t)
+devices_manage_all_devices_labels(restorecon_t)
+files_manage_all_files_labels(restorecon_t)
+
+ifdef(`TODO',`
+allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+
+domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
+domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
+role sysadm_r types restorecon_t;
+allow restorecon_t { userdomain privfd }:fd use;
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that restorecon can not be run!
+allow restorecon_t lib_t:file { read execute };
+
+ifdef(`distro_redhat', `
+allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+')
+
+allow restorecon_t fs_type:dir r_dir_perms;
+
+allow restorecon_t device_t:file { read write };
+allow restorecon_t kernel_t:fifo_file { read write };
+') dnl endif TODO
+
+########################################
+#
+# Setfiles local policy
+#
+
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+
+kernel_read_system_state(setfiles_t)
+kernel_get_selinuxfs_mount_point(setfiles_t)
+kernel_validate_selinux_context(setfiles_t)
+kernel_compute_selinux_av(setfiles_t)
+kernel_compute_create(setfiles_t)
+kernel_compute_relabel(setfiles_t)
+kernel_compute_reachable_user_contexts(setfiles_t)
+
+filesystem_get_persistent_filesystem_attributes(setfiles_t)
+
+terminal_use_controlling_terminal(setfiles_t)
+
+init_use_file_descriptors(setfiles_t)
+init_script_use_file_descriptors(setfiles_t)
+init_script_use_pseudoterminal(setfiles_t)
+
+libraries_use_dynamic_loader(setfiles_t)
+libraries_read_shared_libraries(setfiles_t)
+
+files_read_runtime_system_config(setfiles_t)
+files_read_general_system_config(setfiles_t)
+
+logging_send_system_log_message(setfiles_t)
+
+miscfiles_read_localization(setfiles_t)
+
+# relabeling rules
+files_read_all_directories(setfiles_t)
+kernel_relabel_unlabeled_object(setfiles_t)
+devices_manage_all_devices_labels(setfiles_t)
+files_manage_all_files_labels(setfiles_t)
+
+ifdef(`TODO',`
+
+allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
+
+domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
+role sysadm_r types setfiles_t;
+
+allow setfiles_t { userdomain privfd }:fd use;
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that setfiles can not be run!
+allow setfiles_t lib_t:file { read execute };
+
+allow setfiles_t unlabeled_t:dir read;
+
+allow setfiles_t fs_type:dir r_dir_perms;
-selinux_read_binary_policy(load_policy_t)
+# for config files in a home directory
+allow setfiles_t home_type:file r_file_perms;
+') dnl endif TODO
More information about the scm-commits
mailing list