[selinux-policy: 93/3172] reorg run_init a little, and add a convert to a few new interfaces

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:13:10 UTC 2010


commit 07d6e32f4476acdaa5c0cdc9b428bb190258e8d0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 2 21:02:14 2005 +0000

    reorg run_init a little, and add a convert to a few new interfaces

 refpolicy/policy/modules/kernel/bootloader.te |    3 +-
 refpolicy/policy/modules/kernel/devices.if    |   31 ++++++++++++++
 refpolicy/policy/modules/kernel/devices.te    |    3 +-
 refpolicy/policy/modules/kernel/kernel.if     |   41 +++++++-------------
 refpolicy/policy/modules/system/authlogin.if  |    7 ++-
 refpolicy/policy/modules/system/authlogin.te  |    9 ++++
 refpolicy/policy/modules/system/hotplug.te    |   17 ++++----
 refpolicy/policy/modules/system/init.te       |   53 ++++++++++++-------------
 8 files changed, 95 insertions(+), 69 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index a2c072d..54dc5a3 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -78,6 +78,7 @@ storage_raw_write_removable_device(bootloader_t)
 
 devices_get_all_character_device_attributes(bootloader_t)
 devices_set_all_block_device_attributes(bootloader_t)
+devices_ignore_modify_generic_devices(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
 
@@ -113,8 +114,6 @@ modutils_insmod_execute(insmod_t)
 
 miscfiles_read_localization(bootloader_t)
 
-devices_ignore_modify_generic_devices(bootloader_t)
-
 ########################################
 #
 # mkinitrd policy
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 127feaa..a1db745 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -76,6 +76,37 @@ class dir { getattr read search };
 
 ########################################
 #
+# devices_manage_device_nodes(type,[`optional'])
+#
+define(`devices_manage_device_nodes',`
+requires_block_template(devices_manage_device_nodes_depend,$2)
+allow udev_t device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+allow udev_t device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t device_t:lnk_file { create read getattr setattr link unlink rename };
+allow udev_t device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+allow udev_t device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+# these next rules are to satisfy assertions broken by the above lines.
+# the permissions hopefully can be cut back a lot
+storage_raw_read_fixed_disk($1)
+storage_raw_write_fixed_disk($1)
+storage_read_scsi_generic($1)
+storage_write_scsi_generic($1)
+typeattribute $1 memory_raw_read;
+typeattribute $1 memory_raw_write;
+')
+
+define(`devices_manage_device_nodes_depend',`
+attribute device_node, memory_raw_read, memory_raw_write;
+type device_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+')
+
+########################################
+#
 # devices_ignore_modify_generic_devices(type,[`optional'])
 #
 define(`devices_ignore_modify_generic_devices',`
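Review bot: The five `allow` rules at the top of `devices_manage_device_nodes` name `udev_t` instead of the interface parameter `$1`, so a caller of this interface grants device-node management to udev rather than to itself, while the storage and memory_raw rules further down correctly use `$1`. `udev_t` is also missing from `devices_manage_device_nodes_depend`, so the expansion relies on a type the requires block never declares. Substituting `$1` for `udev_t` in each of those rules fixes both problems. Note that the grant still includes `relabelfrom relabelto` on every `device_t` and `device_node` chr/blk file, which is what makes the `neverallow` in devices.te impossible to keep; a comment on why the manager needs relabel rather than only create/unlink would help the next reader.
```m4
define(`devices_manage_device_nodes',`
requires_block_template(devices_manage_device_nodes_depend,$2)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
# … unchanged: storage and memory_raw rules, close of define, depend block …
```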
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 02ea6cd..9ec4292 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -25,7 +25,8 @@ filesystem_tmpfs_associate(cardmgr_dev_t)
 # Relabelto is allowed for setfiles to function, in case
 # a device node has no specific type yet, but is for some
 # reason labeled with a specific type
-neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+#cjp: want this, but udev policy breaks this
+#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
 
 #
 # zero_device_t is the type of /dev/zero.
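Review bot: Commenting out the `neverallow` on `device_t` drops a policy-wide assertion instead of narrowing it, so from now on any domain in any module can be granted create, write or unlink on generic device nodes without the build catching it. Since the conflict comes only from the device-node manager, the assertion can be kept by exempting the managing domains through an attribute that `devices_manage_device_nodes` assigns, e.g. `neverallow ~DEVNODE_MANAGER_ATTR device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };` where DEVNODE_MANAGER_ATTR is a placeholder for that attribute name. If the rule has to stay disabled for now, the comment should name the rule and module that break it and state that the assertion is to be restored, rather than only that udev policy breaks it.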
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 31f8a16..baad0d9 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2,33 +2,6 @@
 
 ########################################
 #
-# kernel_system_role_change(role,[`optional'])
-#
-define(`kernel_system_role_change',`
-requires_block_template(kernel_system_role_change_depend,$2)
-allow $1 system_r;
-')
-
-define(`kernel_system_role_change_depend',`
-role system_r;
-')
-
-########################################
-#
-# kernel_system_role_transition(role,entrypoint,[`optional'])
-#
-define(`kernel_system_role_transition',`
-requires_block_template(kernel_system_role_transition_depend,$2)
-allow $1 system_r;
-role_transition $1 $2 system_r;
-')
-
-define(`kernel_system_role_change_depend',`
-role system_r;
-')
-
-########################################
-#
 # kernel_share_state(domain,[`optional'])
 #
 define(`kernel_share_state',`
@@ -500,6 +473,20 @@ class file getattr;
 
 ########################################
 #
+# kernel_ignore_get_message_interface_attributes(domain)
+#
+define(`kernel_ignore_get_message_interface_attributes',`
+requires_block_template(kernel_ignore_get_message_interface_attributes_depend)
+dontaudit $1 proc_kmsg_t:file getattr;
+')
+
+define(`kernel_ignore_get_message_interface_attributes_depend',`
+type proc_kmsg_t, proc_t;
+class file getattr;
+')
+
+########################################
+#
 # kernel_read_network_state(domain,[`optional'])
 #
 define(`kernel_read_network_state',`
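Review bot: `kernel_ignore_get_message_interface_attributes` passes no second argument to `requires_block_template`, unlike `devices_manage_device_nodes` in this commit and the role interfaces removed earlier in this file, which forward `$2`; the header comment likewise omits the optional second parameter that the `kernel_share_state` header documents. Callers inside `optional_policy` blocks therefore cannot mark the requirement optional. Change the call to `requires_block_template(kernel_ignore_get_message_interface_attributes_depend,$2)` and give the header line the same two-parameter form as the one for `kernel_read_network_state` at the end of the hunk. The depend block also requires `proc_t`, which the body never references; unless a search rule on it is planned, `type proc_kmsg_t;` is enough.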
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 24613b8..3907b7b 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -48,13 +48,14 @@ allow $1_t $1_chkpwd_t:process transition;
 #userdomain_use_$1_terminal($1_chkpwd_t)
 #userdomain_use_$1_pty($1_chkpwd_t)
 
-#allow $1_chkpwd_t privfd:fd use;
+domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
-# Inherit and use descriptors from newrole.
-#ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
+optional_policy(`selinux.te',`
+selinux_newrole_use_file_descriptors($1_chkpwd_t)
+')
 ') dnl ifelse system
 
 # for nscd
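Review bot: The `domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)` line replaces a rule that was commented out, so this is not a pure conversion: it activates a grant that previously had no effect and lets every `$1_chkpwd_t` domain use widely inheritable descriptors. If that is intended, a one-line comment above it should say so, e.g. `# privfd rule was disabled; enabled here as part of the interface conversion`; if not, the line should stay commented like the terminal rules two lines above it. The enclosing `ifelse` that `') dnl ifelse system` closes starts outside the hunk.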
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d9a41ac..6446862 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -19,9 +19,18 @@ logging_make_log_file(lastlog_t)
 type login_exec_t;
 files_make_file(login_exec_t)
 
+type pam_console_t;
+domain_make_domain(pam_console_t)
+
+type pam_console_exec_t;
+domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
+
 type pam_t;
 domain_make_domain(pam_t)
 
+type pam_exec_t;
+domain_make_entrypoint_file(pam_t,pam_exec_t)
+
 type pam_tmp_t;
 files_make_file(pam_tmp_t)
 
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 64c4116..9b499e8 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -92,6 +92,12 @@ miscfiles_read_localization(hotplug_t)
 
 mount_transition(hotplug_t)
 
+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(hotplug_t)
+terminal_ignore_use_general_pseudoterminal(hotplug_t)
+files_ignore_read_rootfs_file(hotplug_t)
+')
+
 optional_policy(`consoletype.te',`
 consoletype_transition(hotplug_t)
 ')
@@ -109,13 +115,10 @@ udev_transition(hotplug_t)
 udev_read_database(hotplug_t)
 ')
 
-tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(hotplug_t)
-terminal_ignore_use_general_pseudoterminal(hotplug_t)
-files_ignore_read_rootfs_file(hotplug_t)
+optional_policy(`updfstab.te', `
+updfstab_transition(hotplug_t)
 ')
 
-
 ifdef(`TODO',`
 allow hotplug_t null_device_t:chr_file r_file_perms;
 dontaudit hotplug_t unpriv_userdomain:fd use;
@@ -184,10 +187,6 @@ allow hald_t hotplug_etc_t:dir search;
 allow hald_t hotplug_etc_t:file { getattr read };
 ')
 
-optional_policy(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
 optional_policy(`fsadm.te', `
 domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 1b32933..9c39f90 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -59,7 +59,7 @@ type run_init_t;
 domain_make_domain(run_init_t)
 
 type run_init_exec_t;
-files_make_file(run_init_exec_t)
+domain_make_entrypoint_file(run_init_t,run_init_exec_t)
 
 ########################################
 #
@@ -192,6 +192,8 @@ kernel_read_all_sysctl(initrc_t)
 kernel_modify_all_sysctl(initrc_t)
 kernel_get_selinux_enforcement_mode(initrc_t)
 kernel_list_usb_hardware(initrc_t)
+# for lsof which is used by alsa shutdown:
+kernel_ignore_get_message_interface_attributes(initrc_t)
 
 filesystem_register_binary_executable_type(initrc_t)
 # cjp: not sure why these are here; should use mount policy
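Review bot: `kernel_ignore_get_message_interface_attributes(initrc_t)` is added here and again in the next hunk of this file, where it replaces the old `dontaudit initrc_t proc_kmsg_t:file getattr;` just before `') dnl end TODO`; that second copy sits inside what appears to be the TODO block and is likely never compiled, so the conversion there only duplicates this call. Keep this one and drop the line inside the TODO block, together with its duplicate `# for lsof which is used by alsa shutdown` comment, so the lsof rule lives in exactly one place.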
@@ -367,7 +369,7 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
 
 # for lsof which is used by alsa shutdown
 dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
+kernel_ignore_get_message_interface_attributes(initrc_t)
 ') dnl end TODO
 
 #################################
@@ -378,25 +380,6 @@ dontaudit initrc_t proc_kmsg_t:file getattr;
 tunable_policy(`targeted_policy',`
 # targeted/unconfined stuff
 ',`
-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
-
-filesystem_get_persistent_filesystem_attributes(run_init_t)
-
-files_read_general_system_config(run_init_t)
-
-libraries_use_dynamic_loader(run_init_t)
-libraries_read_shared_libraries(run_init_t)
-
-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
-
-authlogin_ignore_read_shadow_passwords(run_init_t)
-
-miscfiles_read_localization(run_init_t)
-
-logging_send_system_log_message(run_init_t)
-
 allow run_init_t initrc_t:process transition;
 allow run_init_t initrc_exec_t:file { getattr read execute };
 
@@ -412,15 +395,32 @@ allow run_init_t self:fifo_file { getattr read write };
 # by a different user or has restrictive SE permissions, do not want to audit
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
+files_ignore_search_all_directories(run_init_t)
+
+filesystem_get_persistent_filesystem_attributes(run_init_t)
 
 devices_ignore_list_device_nodes(run_init_t)
+
 terminal_ignore_list_pseudoterminals(run_init_t)
 
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-files_ignore_search_all_directories(run_init_t)
+domain_use_widely_inheritable_file_descriptors(run_init_t)
+
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+files_read_general_system_config(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_read_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+selinux_read_default_contexts(run_init_t)
 
+authlogin_ignore_read_shadow_passwords(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy
 
 
@@ -440,7 +440,6 @@ domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
 # for utmp
 allow run_init_t admin_tty_type:chr_file rw_file_perms;
 
-allow run_init_t privfd:fd use;
 allow run_init_t lib_t:file { getattr read };
 
 ') dnl endif targeted policy
@@ -448,6 +447,6 @@ allow run_init_t lib_t:file { getattr read };
 tunable_policy(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
-
 ') dnl end TODO
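Review bot: `domain_make_entrypoint_file(run_init_t,initrc_exec_t)` is added inside the block that `') dnl end TODO` closes, so if that block is the usual TODO wrapper the new line is never compiled and the Gentoo run_init entry point stays unconverted. Either move the `distro_gentoo` tunable block outside the wrapper once its `domain_auto_trans` is converted, or mark the line with `# inactive: inside the TODO wrapper until the gentoo transition is converted` so the addition is not mistaken for live policy. The wrapper that this line closes starts outside the hunk.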

