[selinux-policy: 96/3172] fill pam and utempter authlogin policy and fix up interfaces

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:13:26 UTC 2010


commit 3ce6cb4a45e371f9063e83c23cafd9ab559ed137
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue May 3 20:23:33 2005 +0000

    fill pam and utempter authlogin policy and fix up interfaces

 refpolicy/policy/modules/admin/consoletype.te |    2 +-
 refpolicy/policy/modules/kernel/bootloader.te |   14 +-
 refpolicy/policy/modules/kernel/kernel.te     |    2 +-
 refpolicy/policy/modules/kernel/terminal.if   |  118 ++++++++++--
 refpolicy/policy/modules/system/authlogin.if  |   43 ++++-
 refpolicy/policy/modules/system/authlogin.te  |  106 ++++++++++-
 refpolicy/policy/modules/system/domain.if     |   14 ++
 refpolicy/policy/modules/system/files.if      |  254 ++++++++++++++-----------
 refpolicy/policy/modules/system/init.if       |  102 +++++++---
 refpolicy/policy/modules/system/init.te       |    7 +-
 refpolicy/policy/modules/system/locallogin.if |   14 ++
 refpolicy/policy/modules/system/logging.if    |   41 +++--
 refpolicy/policy/modules/system/modutils.te   |    2 +-
 13 files changed, 519 insertions(+), 200 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 612defa..be05fd9 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -53,7 +53,7 @@ libraries_use_dynamic_loader(consoletype_t)
 libraries_read_shared_libraries(consoletype_t)
 
 optional_policy(`authlogin.te', `
-authlogin_read_pam_runtime_data(consoletype_t)
+authlogin_pam_read_runtime_data(consoletype_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 54dc5a3..35ece3c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -26,6 +26,7 @@ files_make_file(boot_runtime_t)
 
 type bootloader_t;
 domain_make_domain(bootloader_t)
+role system_r types bootloader_t;
 
 type bootloader_exec_t;
 domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
@@ -79,7 +80,7 @@ storage_raw_write_removable_device(bootloader_t)
 devices_get_all_character_device_attributes(bootloader_t)
 devices_set_all_block_device_attributes(bootloader_t)
 devices_ignore_modify_generic_devices(bootloader_t)
-# for reading BIOS data (cjp: ?)
+# for reading BIOS data
 devices_raw_read_memory(bootloader_t)
 
 init_get_control_channel_attributes(bootloader_t)
@@ -104,11 +105,11 @@ logging_send_system_log_message(bootloader_t)
 filesystem_get_persistent_filesystem_attributes(bootloader_t)
 
 terminal_use_controlling_terminal(bootloader_t)
-terminal_get_user_terminal_attributes(bootloader_t)
+terminal_get_all_users_physical_terminal_attributes(bootloader_t)
 
 allow bootloader_t bootloader_etc_t:file { getattr read };
 
-optional_policy(modutils.te,`
+optional_policy(`modutils.te',`
 modutils_insmod_execute(insmod_t)
 ')
 
@@ -122,7 +123,7 @@ miscfiles_read_localization(bootloader_t)
 allow bootloader_t modules_object_t:dir { getattr search read };
 allow bootloader_t modules_object_t:file { getattr read };
 
-files_read_general_system_resources(bootloader_t)
+files_read_general_application_resources(bootloader_t)
 bootloader_install_initrd(bootloader_t)
 
 devices_get_random_data(bootloader_t)
@@ -160,7 +161,7 @@ tunable_policy(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
-')
+') dnl end distro_debian
 
 tunable_policy(`distro_redhat', `
 files_make_mountpoint(bootloader_tmp_t)
@@ -176,7 +177,7 @@ allow bootloader_t boot_runtime_t:file { read getattr unlink };
 # for memlock
 devices_get_zeros(bootloader_t)
 allow bootloader_t self:capability ipc_lock;
-')
+') dnl end distro_redhat
 
 ifdef(`TODO',`
 
@@ -184,7 +185,6 @@ ifdef(`TODO',`
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t admin_tty_type:chr_file rw_file_perms;
 
-role system_r types bootloader_t;
 allow bootloader_t initrc_t:fifo_file { read write };
 
 allow bootloader_t lib_t:file { getattr read };
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 2092546..352c2ec 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -160,7 +160,7 @@ allow kernel_t sysctl_kernel_t:file { getattr read };
 
 # old base_file_read_access():
 files_list_home_directories(kernel_t)
-files_read_general_shared_resources(kernel_t)
+files_read_general_application_resources(kernel_t)
 selinux_read_config(kernel_t)
 
 selinux_read_binary_policy(kernel_t)
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 0640dec..4432acc 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -27,20 +27,112 @@ devices_list_device_nodes_depend
 
 ########################################
 #
-# terminal_use_all_terminals(domain,[`optional'])
+# terminal_use_all_terminals(domain)
 #
 define(`terminal_use_all_terminals',`
-requires_block_template(terminal_use_all_terminals_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 devpts_t:dir { getattr read search };
+requires_block_template(terminal_use_all_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
 allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
 ')
 
 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devtty_t, devpts_t;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_physical_terminal_attributes(domain)
+#
+define(`terminal_get_all_users_physical_terminal_attributes',`
+requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_physical_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_physical_terminals(domain)
+#
+define(`terminal_use_all_users_physical_terminals',`
+requires_block_template(terminal_use_all_users_physical_terminals_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_physical_terminals(domain)
+#
+define(`terminal_ignore_use_all_users_physical_terminals',`
+requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend)
+dontaudit $1 ttynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_get_all_users_pseudoterminal_attributes(domain)
+#
+define(`terminal_get_all_users_pseudoterminal_attributes',`
+requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr search read };
+allow $1 ptynode:chr_file getattr;
+')
+
+define(`terminal_get_all_users_pseudoterminal_attributes_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file getattr;
+')
+
+########################################
+#
+# terminal_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_use_all_users_pseudoterminals',`
+requires_block_template(terminal_use_all_users_pseudoterminals_depend)
+devices_list_device_nodes($1)
+allow $1 devpts_t:dir { getattr read search };
+allow $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
+class dir { getattr search read };
+class chr_file { read write };
+')
+
+########################################
+#
+# terminal_ignore_use_all_users_pseudoterminals(domain)
+#
+define(`terminal_ignore_use_all_users_pseudoterminals',`
+requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend)
+dontaudit $1 ptynode:chr_file { read write };
+')
+
+define(`terminal_ignore_use_all_users_pseudoterminals_depend',`
+attribute ptynode;
 class chr_file { read write };
-devices_list_device_nodes_depend
 ')
 
 ########################################
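Review bot: `terminal_get_all_users_pseudoterminal_attributes` still passes `$2` into `requires_block_template(...,$2)` although its header advertises a single `(domain)` argument and every sibling interface in this hunk drops the optional parameter; either restore `[`optional']` in the header or change the line to `requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend)`. Separately, the removed `_depend` blocks carried `devices_list_device_nodes_depend`, whereas the new ones (for example `terminal_get_all_users_physical_terminal_attributes_depend`) do not, even though their bodies still call `devices_list_device_nodes($1)`; if the callee now emits its own requires block this is fine, otherwise the declarations it needs are no longer pulled in. The `dir` permission sets are also spelled in two orders (`{ getattr search read }` vs `{ getattr read search }`) across otherwise parallel interfaces; one order would make the pairs easier to diff.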
@@ -154,22 +246,6 @@ class chr_file { read write };
 
 ########################################
 #
-# terminal_get_user_terminal_attributes(domain,[`optional'])
-#
-define(`terminal_get_user_terminal_attributes',`
-requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
-devices_list_device_nodes($1,optional)
-allow $1 ttynode:chr_file getattr;
-')
-
-define(`terminal_get_user_terminal_attributes_depend',`
-attribute ttynode;
-class chr_file getattr;
-devices_list_device_nodes_depend
-')
-
-########################################
-#
 # terminal_list_pseudoterminals(domain,[`optional'])
 #
 define(`terminal_list_pseudoterminals',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3907b7b..d7982c4 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -37,7 +37,10 @@ kernel_read_system_state($1_chkpwd_t)
 #can_resolve($1_chkpwd_t)
 
 # Transition from the user domain to this domain.
-ifelse($1, system, `', `
+ifelse($1, system, `
+#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
+terminal_use_general_physical_terminal($1_chkpwd_t)
+', `
 # Transition from the user domain to this domain.
 allow $1_t chkpwd_exec_t:file { getattr read execute };
 allow $1_t $1_chkpwd_t:process transition;
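Review bot: The `system` branch replaces what was a commented-out `dontaudit` of user tty access with `terminal_use_general_physical_terminal($1_chkpwd_t)`, which (going by its name and the `terminal_use_*` interfaces elsewhere in this commit) is an allow rather than a silence rule, so system_chkpwd_t gains read/write on those terminals instead of merely not logging the attempt. If the aim is only to suppress noise, a `terminal_ignore_use_*` style interface would keep the original effect; if the access is genuinely required, a one-line comment saying why would save the next reader from re-deriving it. The old `#dontaudit system_chkpwd_t privfd:fd use;` line is dropped in authlogin.te while this commit adds `domain_ignore_use_widely_inheritable_file_descriptors` in domain.if without calling it anywhere on the page; this branch looks like the intended caller. The enclosing `define` starts before the hunk.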
@@ -113,6 +116,8 @@ class process transition;
 #
 define(`authlogin_modify_login_records',`
 requires_block_template(authlogin_modify_login_records_depend)
+files_search_system_state_data_directory($1)
+# FIXME: search var_log_t
 allow $1 wtmp_t:file { getattr read write setattr };
 ')
 
@@ -127,6 +132,7 @@ class file { getattr read write setattr };
 #
 define(`authlogin_read_shadow_passwords',`
 requires_block_template(authlogin_read_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read };
 typeattribute $1 can_read_shadow_passwords;
 ')
@@ -157,6 +163,7 @@ class file { getattr read };
 #
 define(`authlogin_modify_shadow_passwords',`
 requires_block_template(authlogin_modify_shadow_passwords_depend)
+# FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read write };
 typeattribute $1 can_read_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
@@ -185,16 +192,36 @@ class file { getattr read write setattr };
 
 #######################################
 #
-# authlogin_read_pam_runtime_data(domain)
+# authlogin_pam_read_runtime_data(domain)
 #
-define(`authlogin_read_pam_runtime_data',`
-requires_block_template(authlogin_read_pam_runtime_data_depend)
-# FIXME: search var_t
-# FIXME: search var_run_t
+define(`authlogin_pam_read_runtime_data',`
+requires_block_template(authlogin_pam_read_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read };
 allow $1 pam_var_run_t:file { getattr read };
 ')
 
-define(`authlogin_read_pam_runtime_data_depend',`
-type lastlog_t;
+define(`authlogin_pam_read_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read };
 class file { getattr read };
 ')
+
+#######################################
+#
+# authlogin_pam_remove_runtime_data(domain)
+#
+define(`authlogin_pam_remove_runtime_data',`
+requires_block_template(authlogin_pam_remove_runtime_data_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+allow $1 pam_var_run_t:file { getattr unlink };
+')
+
+define(`authlogin_pam_remove_runtime_data_depend',`
+type pam_var_run_t;
+class dir { getattr search read write remove_name };
+class file { getattr unlink };
+')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6446862..e8353c0 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -25,8 +25,9 @@ domain_make_domain(pam_console_t)
 type pam_console_exec_t;
 domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
 
-type pam_t;
+type pam_t; #, nscd_client_domain;
 domain_make_domain(pam_t)
+role system_r types pam_t;
 
 type pam_exec_t;
 domain_make_entrypoint_file(pam_t,pam_exec_t)
@@ -47,7 +48,7 @@ attribute can_write_shadow_passwords;
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file write;
 
-type utempter_t;
+type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)
 
 type utempter_exec_t;
@@ -58,7 +59,102 @@ logging_make_log_file(wtmp_t)
 
 ########################################
 #
-# Local policy
+# PAM local policy
 #
-#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-#dontaudit system_chkpwd_t privfd:fd use;
+
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+dontaudit pam_t self:capability sys_tty_config;
+
+allow pam_t self:fd use;
+allow pam_t self:fifo_file { read getattr lock ioctl write append };
+allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow pam_t self:unix_dgram_socket sendto;
+allow pam_t self:unix_stream_socket connectto;
+allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow pam_t self:msg { send receive };
+
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
+
+kernel_read_system_state(pam_t)
+
+terminal_use_controlling_terminal(pam_t)
+terminal_use_all_users_physical_terminals(pam_t)
+terminal_use_all_users_pseudoterminals(pam_t)
+
+init_script_ignore_modify_runtime_data(pam_t)
+
+files_read_general_system_config(pam_t)
+files_read_runtime_data_directory(pam_t)
+
+libraries_use_dynamic_loader(pam_t)
+libraries_read_shared_libraries(pam_t)
+
+logging_send_system_log_message(pam_t)
+
+optional_policy(`locallogin.te',`
+locallogin_use_file_descriptors(pam_t)
+')
+
+ifdef(`TODO',`
+allow pam_t unpriv_userdomain:fd use;
+can_ypbind(pam_t)
+ifdef(`automount.te', `
+allow pam_t autofs_t:dir { search getattr };
+')
+
+in_user_role(pam_t)
+domain_auto_trans(userdomain, pam_exec_t, pam_t)
+ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+') dnl endif TODO
+
+########################################
+#
+# Utempter local policy
+#
+
+allow utempter_t self:capability setgid;
+allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+
+allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
+
+terminal_get_all_users_physical_terminal_attributes(utempter_t)
+terminal_get_all_users_pseudoterminal_attributes(utempter_t)
+terminal_ignore_use_all_users_physical_terminals(utempter_t)
+terminal_ignore_use_all_users_pseudoterminals(utempter_t)
+
+init_script_modify_runtime_data(utempter_t)
+
+files_read_general_system_config(utempter_t)
+
+domain_use_widely_inheritable_file_descriptors(utempter_t)
+
+libraries_use_dynamic_loader(utempter_t)
+libraries_read_shared_libraries(utempter_t)
+
+logging_search_system_log_directory(utempter_t)
+
+ifdef(`TODO',`
+in_user_role(utempter_t)
+role sysadm_r types utempter_t;
+domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
+
+# dontaudit access to /dev/ptmx.
+dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
+
+# Allow utemper to write to /tmp/.xses-*
+allow utempter_t user_tmpfile:file { getattr write append };
+
+ifdef(`xdm.te', `
+allow utempter_t xdm_t:fd use;
+allow utempter_t xdm_t:fifo_file { write getattr };
+')
+
+') dnl endif TODO
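Review bot: `allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` grants every permission in the `process` class except the listed ones, which includes any permission added to the class later and anything currently unanticipated, so the real grant is open-ended rather than reviewed. Listing the process permissions pam_t is observed to need (the usual fork/signal/getattr style set) as a positive set keeps the rule in line with the explicit permission lists used for every other class in this hunk. The utempter block duplicates `wtmp_t:file` write access directly rather than going through `authlogin_modify_login_records`, which is acceptable inside the same module but worth a short comment so the two do not drift apart.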
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index fbc39fe..c6c6c0c 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -129,6 +129,20 @@ class fd use;
 
 ########################################
 #
+# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
+#
+define(`domain_ignore_use_widely_inheritable_file_descriptors',`
+requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
+dontaudit $1 privfd:fd use;
+')
+
+define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
+attribute privfd;
+class fd use;
+')
+
+########################################
+#
 # domain_all_init_domains_transition(domain,[`optional'])
 #
 define(`domain_all_init_domains_transition',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 439e70c..1df98c0 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -362,141 +362,125 @@ class dir { getattr search read write add_name remove_name };
 
 ########################################
 #
-# files_read_general_shared_resources(domain,[`optional'])
+# files_list_home_directories(type,[`optional'])
 #
-define(`files_read_general_shared_resources',`
-requires_block_template(files_read_general_shared_resources_depend,$2)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
+define(`files_list_home_directories',`
+requires_block_template(files_list_home_directories_depend,$2)
+allow $1 home_root_t:dir { getattr search read };
 ')
 
-define(`files_read_general_shared_resources_depend',`
-type usr_t;
+define(`files_list_home_directories_depend',`
+type home_root_t;
 class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
 ')
 
 ########################################
 #
-# files_manage_pseudorandom_saved_seed(domain,[`optional'])
+# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
 #
-define(`files_manage_pseudorandom_saved_seed',`
-requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
-allow $1 var_lib_t:file { getattr create read write setattr unlink };
+define(`files_create_private_tmp_data',`
+requires_block_template(files_create_private_tmp_data_depend,$2)
+allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 tmp_t:file $2;
+',`
+type_transition $1 tmp_t:$3 $2;
+')
+typeattribute $1 tmpfile;
 ')
 
-define(`files_manage_pseudorandom_saved_seed_depend',`
-type usr_t;
-class dir { getattr search read write add_name remove_name };
-class file { getattr create read write setattr unlink };
+define(`files_create_private_tmp_data_depend',`
+attribute tmpfile;
+type tmp_t;
+class dir { getattr search read write add_name };
 ')
 
 ########################################
 #
-# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
+# files_remove_all_tmp_data(domain,[`optional'])
 #
-define(`files_create_daemon_runtime_data',`
-requires_block_template(files_create_daemon_runtime_data_depend,$4)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 var_run_t:file $2;
-',`
-type_transition $1 var_run_t:$3 $2;
-') dnl end ifelse
-typeattribute $1 pidfile;
+define(`files_remove_all_tmp_data',`
+requires_block_template(files_remove_all_tmp_data_depend,$2)
+allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
+allow $1 tmpfile:file { getattr unlink };
+allow $1 tmpfile:lnk_file { getattr unlink };
+allow $1 tmpfile:fifo_file { getattr unlink };
+allow $1 tmpfile:sock_file { getattr unlink };
 ')
 
-define(`files_create_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name };
+define(`files_remove_all_tmp_data_depend',`
+attribute tmpfile;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class fifo_file { getattr unlink };
+class sock_file { getattr unlink };
 ')
 
 ########################################
 #
-# files_modify_system_runtime_data(domain,[`optional'])
+# files_read_general_application_resources(domain,[`optional'])
 #
-define(`files_modify_system_runtime_data',`
-requires_block_template(files_modify_system_runtime_data_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read };
-allow $1 var_run_t:file { getattr read write };
+define(`files_read_general_application_resources',`
+requires_block_template(files_read_general_application_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
 ')
 
-define(`files_modify_system_runtime_data_depend',`
-type var_t, var_run_t;
+define(`files_read_general_application_resources_depend',`
+type usr_t;
 class dir { getattr search read };
-class file { getattr read write };
+class file { getattr read };
+class lnk_file { getattr read };
 ')
 
 ########################################
 #
-# files_remove_all_daemon_runtime_data(domain,[`optional'])
+# files_read_system_source_code(domain)
 #
-define(`files_remove_all_daemon_runtime_data',`
-requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
-allow $1 var_t:dir search;
-allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
-allow $1 var_run_t:dir rmdir;
-allow $1 pidfile:dir { getattr search read write add_name remove_name };
-allow $1 pidfile:file { getattr unlink };
-allow $1 pidfile:sock_file { getattr unlink };
+define(`files_read_system_source_code',`
+requires_block_template(files_read_system_source_code_depend)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:{ file lnk_file } { getattr read };
 ')
 
-define(`files_remove_all_daemon_runtime_data_depend',`
-attribute pidfile;
-type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class sock_file { getattr unlink };
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
 ')
 
 ########################################
 #
-# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+# files_search_system_state_data_directory(domain)
 #
-define(`files_create_private_tmp_data',`
-requires_block_template(files_create_private_tmp_data_depend,$2)
-allow $1 tmp_t:dir { getattr search read write add_name remove_name };
-ifelse(`$3',`',`
-type_transition $1 tmp_t:file $2;
-',`
-type_transition $1 tmp_t:$3 $2;
-')
-typeattribute $1 tmpfile;
+define(`files_search_system_state_data_directory',`
+requires_block_template(files_search_system_state_data_directory_depend)
+allow $1 var_t:dir search;
 ')
 
-define(`files_create_private_tmp_data_depend',`
-attribute tmpfile;
-type etc_t;
-class dir { getattr search read write add_name };
+define(`files_search_system_state_data_directory_depend',`
+type var_t;
+class dir search;
 ')
 
 ########################################
 #
-# files_remove_all_tmp_data(domain,[`optional'])
+# files_manage_pseudorandom_saved_seed(domain)
 #
-define(`files_remove_all_tmp_data',`
-requires_block_template(files_remove_all_tmp_data_depend,$2)
-allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
-allow $1 tmpfile:file { getattr unlink };
-allow $1 tmpfile:lnk_file { getattr unlink };
-allow $1 tmpfile:fifo_file { getattr unlink };
-allow $1 tmpfile:sock_file { getattr unlink };
+define(`files_manage_pseudorandom_saved_seed',`
+requires_block_template(files_manage_pseudorandom_saved_seed_depend)
+allow $1 var_t:dir search;
+allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
 
-define(`files_remove_all_tmp_data_depend',`
-attribute tmpfile;
-class dir { getattr search read write add_name remove_name rmdir };
-class file { getattr unlink };
-class lnk_file { getattr unlink };
-class fifo_file { getattr unlink };
-class sock_file { getattr unlink };
+define(`files_manage_pseudorandom_saved_seed_depend',`
+type var_t, var_lib_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write setattr unlink };
 ')
 
 ########################################
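Review bot: `files_create_private_tmp_data_depend` declares `class dir { getattr search read write add_name };` while the interface body grants `tmp_t:dir { getattr search read write add_name remove_name }`, so the depend block is missing `remove_name`; change it to `class dir { getattr search read write add_name remove_name };`. The commit fixes the other defect in this block (the stray `type etc_t;` becomes `type tmp_t;`), so this is the last mismatch between body and requires. The rest of the hunk is a reordering of existing interfaces plus the new `files_search_*` helpers, which look consistent with their depend blocks.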
@@ -533,50 +517,92 @@ class file { getattr unlink };
 
 ########################################
 #
-# files_read_general_system_resources(domain,[`optional'])
+# files_search_runtime_data_directory(domain)
 #
-define(`files_read_general_system_resources',`
-requires_block_template(files_read_general_system_resources_depend,$2)
-allow $1 usr_t:dir { getattr search read };
-allow $1 usr_t:{ file lnk_file } { getattr read };
+define(`files_search_runtime_data_directory',`
+requires_block_template(files_search_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir search;
 ')
 
-define(`files_read_general_system_resources_depend',`
-type usr_t;
-class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
+define(`files_search_runtime_data_directory_depend',`
+type var_t, var_run_t;
+class dir search;
 ')
 
 ########################################
 #
-# files_read_system_source_code(type,[`optional'])
+# files_read_runtime_data_directory(domain)
 #
-define(`files_read_system_source_code',`
-requires_block_template(files_read_system_source_code_depend,$2)
-allow $1 usr_t:dir search;
-allow $1 src_t:dir { getattr search read };
-allow $1 src_t:{ file lnk_file } { getattr read };
+define(`files_read_runtime_data_directory',`
+requires_block_template(files_read_runtime_data_directory_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
 ')
 
-define(`files_read_system_source_code_depend',`
-type usr_t, src_t;
+define(`files_read_runtime_data_directory_depend',`
+type var_t, var_run_t;
 class dir { getattr search read };
-class file { getattr read };
-class lnk_file { getattr read };
 ')
 
 ########################################
 #
-# files_list_home_directories(type,[`optional'])
+# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
 #
-define(`files_list_home_directories',`
-requires_block_template(files_list_home_directories_depend,$2)
-allow $1 home_root_t:dir { getattr search read };
+define(`files_create_daemon_runtime_data',`
+requires_block_template(files_create_daemon_runtime_data_depend)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_run_t:file $2;
+',`
+type_transition $1 var_run_t:$3 $2;
+') dnl end ifelse
+typeattribute $1 pidfile;
 ')
 
-define(`files_list_home_directories_depend',`
-type home_root_t;
+define(`files_create_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_modify_system_runtime_data(domain,[`optional'])
+#
+define(`files_modify_system_runtime_data',`
+requires_block_template(files_modify_system_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
+allow $1 var_run_t:file { getattr read write };
+')
+
+define(`files_modify_system_runtime_data_depend',`
+type var_t, var_run_t;
 class dir { getattr search read };
+class file { getattr read write };
+')
+
+########################################
+#
+# files_remove_all_daemon_runtime_data(domain,[`optional'])
+#
+define(`files_remove_all_daemon_runtime_data',`
+requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+allow $1 var_run_t:dir rmdir;
+allow $1 pidfile:dir { getattr search read write add_name remove_name };
+allow $1 pidfile:file { getattr unlink };
+allow $1 pidfile:sock_file { getattr unlink };
+')
 
+define(`files_remove_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class sock_file { getattr unlink };
 ')
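Review bot: `files_remove_all_daemon_runtime_data` grants `var_run_t:{ sock_file lnk_file } { getattr unlink }` but on the containing directory only `var_run_t:dir rmdir`, so unlinking an object that lives directly in a var_run_t directory would still be denied for lack of `search`, `write` and `remove_name` unless the caller obtains those elsewhere; the depend block already declares those dir permissions, so the body can simply be `allow $1 var_run_t:dir { getattr search read write remove_name rmdir };`. The rule is moved rather than written by this commit, but it is the version that ships, and the move makes it easy to fix in passing. `files_modify_system_runtime_data` and `files_remove_all_daemon_runtime_data` keep the `$2` optional argument while the neighbouring new interfaces drop it; the hunk would read more uniformly with one convention.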
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 60a3bea..47d4a83 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -2,10 +2,10 @@
 
 ########################################
 #
-# init_transition(domain,[`optional'])
+# init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(init_transition_depend,$2)
+requires_block_template(init_transition_depend)
 allow $1 init_exec_t:file { getattr read execute };
 allow $1 init_t:process transition;
 type_transition $1 init_exec_t:file init_t;
@@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
 
 ########################################
 #
-# init_get_control_channel_attributes(domain,[`optional'])
+# init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(init_get_control_channel_attributes_depend,$2)
+requires_block_template(init_get_control_channel_attributes_depend)
 allow $1 initctl_t:fifo_file getattr;
 ')
 
@@ -63,10 +63,10 @@ class fifo_file { read write };
 
 ########################################
 #
-# init_sigchld(domain,[`optional'])
+# init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(init_sigchld_depend,$2)
+requires_block_template(init_sigchld_depend)
 allow $1 init_t:process sigchld;
 ')
 
@@ -77,10 +77,10 @@ class process sigchld;
 
 ########################################
 #
-# init_use_file_descriptors(domain,[`optional'])
+# init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(init_use_file_descriptors_depend,$2)
+requires_block_template(init_use_file_descriptors_depend)
 allow $1 init_t:fd use;
 ')
 
@@ -91,10 +91,10 @@ class fd use;
 
 ########################################
 #
-# init_ignore_use_file_descriptors(domain,[`optional'])
+# init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(init_ignore_use_file_descriptors_depend,$2)
+requires_block_template(init_ignore_use_file_descriptors_depend)
 dontaudit $1 init_t:fd use;
 ')
 
@@ -105,10 +105,10 @@ class fd use;
 
 ########################################
 #
-# init_script_transition(domain,[`optional'])
+# init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(init_script_transition_depend,$2)
+requires_block_template(init_script_transition_depend)
 allow $1 initrc_exec_t:file { getattr read execute };
 allow $1 initrc_t:process transition;
 type_transition $1 initrc_exec_t:process init_t;
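Review bot: The type_transition that closes init_script_transition names class `process` and defaults to `init_t`, while the allow rule just above it permits a transition into `initrc_t`; a domain-transition default belongs on the executable's `file` class and should name the domain the caller is actually allowed to enter, i.e. `type_transition $1 initrc_exec_t:file initrc_t;` (compare `type_transition $1 init_exec_t:file init_t;` in init_transition at the top of this file). The line is unchanged context, so the commit did not introduce it, but callers of this interface presumably never get the automatic transition into initrc_t until it is corrected. The same init_t default reappears in the relocated init_script_direct_admin_transition body in the next hunk. This interface's depend block ends outside the hunk.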
@@ -123,10 +123,30 @@ class process { transition noatsecure siginh rlimitinh };
 
 ########################################
 #
-# init_script_use_file_descriptors(domain,[`optional'])
+# init_script_direct_admin_transition(role,domain)
+#
+define(`init_script_direct_admin_transition',`
+requires_block_template(init_script_direct_admin_transition_depend)
+allow $2 initrc_exec_t:file { getattr read execute };
+allow $2 initrc_t:process transition;
+type_transition $2 initrc_exec_t:file init_t;
+role_transition $1 initrc_exec_t system_r;
+dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_direct_admin_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+kernel_system_role_transition_depend
+')
+
+########################################
+#
+# init_script_use_file_descriptors(domain)
 #
 define(`init_script_use_file_descriptors',`
-requires_block_template(init_script_use_file_descriptors_depend,$2)
+requires_block_template(init_script_use_file_descriptors_depend)
 allow $1 initrc_t:fd use;
 ')
 
@@ -137,10 +157,10 @@ class fd use;
 
 ########################################
 #
-# init_script_use_pseudoterminal(domain,[`optional'])
+# init_script_use_pseudoterminal(domain)
 #
 define(`init_script_use_pseudoterminal',`
-requires_block_template(init_script_use_pseudoterminal_depend,$2)
+requires_block_template(init_script_use_pseudoterminal_depend)
 allow $1 initrc_devpts_t:chr_file { read write };
 ')
 
@@ -151,20 +171,44 @@ class chr_file { read write };
 
 ########################################
 #
-# init_script_direct_admin_transition(role,domain,[`optional'])
+# init_script_read_runtime_data(domain)
 #
-define(`init_script_direct_admin_transition',`
-requires_block_template(init_script_direct_admin_transition_depend,$2)
-allow $2 initrc_exec_t:file { getattr read execute };
-allow $2 initrc_t:process transition;
-type_transition $2 initrc_exec_t:file init_t;
-kernel_system_role_transition($1,initrc_exec_t,optional)
-dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+define(`init_script_read_runtime_data',`
+requires_block_template(init_script_read_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read };
 ')
 
-define(`init_script_direct_admin_transition_depend',`
-type initrc_t, initrc_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
-kernel_system_role_transition_depend
+define(`init_script_read_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read };
+')
+
+########################################
+#
+# init_script_modify_runtime_data(domain)
+#
+define(`init_script_modify_runtime_data',`
+requires_block_template(init_script_modify_runtime_data_depend)
+files_read_runtime_data_directory($1)
+allow $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
+')
+
+########################################
+#
+# init_script_ignore_modify_runtime_data(domain)
+#
+define(`init_script_ignore_modify_runtime_data',`
+requires_block_template(init_script_ignore_modify_runtime_data_depend)
+dontaudit $1 initrc_var_run_t:file { getattr read write append };
+')
+
+define(`init_script_ignore_modify_runtime_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write append };
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9c39f90..228350d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -251,7 +251,7 @@ files_read_general_system_config(initrc_t)
 files_create_runtime_system_config(initrc_t)
 files_manage_system_lock_files(initrc_t)
 files_execute_system_config_script(initrc_t)
-files_read_general_shared_resources(initrc_t)
+files_read_general_application_resources(initrc_t)
 files_manage_pseudorandom_saved_seed(initrc_t)
 
 corecommands_execute_general_programs(initrc_t)
@@ -289,6 +289,11 @@ files_create_boot_flag(initrc_t)
 bootloader_create_runtime_data(initrc_t)
 ')
 
+optional_policy(`authlogin.te',`
+authlogin_pam_read_runtime_data(initrc_t)
+authlogin_pam_remove_runtime_data(initrc_t)
+')
+
 ifdef(`TODO',`
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
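Review bot: The new optional block grants initrc_t remove access on pam runtime data alongside read, without saying why an init script needs to unlink those files; a comment such as `# init scripts clean out stale pam runtime data left from the previous boot` (assuming that is the intent) would keep a later reviewer from reading the remove permission as an unexplained widening of initrc_t. The exact permission set behind authlogin_pam_remove_runtime_data is defined elsewhere, outside this hunk.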
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index e121acd..e283ec2 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -17,3 +17,17 @@ type local_login_t, login_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
+
+########################################
+#
+# locallogin_use_file_descriptors(domain,[`optional'])
+#
+define(`locallogin_use_file_descriptors',`
+requires_block_template(locallogin_use_file_descriptors_depend,$2)
+allow $1 local_login_t:fd use;
+')
+
+define(`locallogin_use_file_descriptors_depend',`
+type local_login_t;
+class fd use;
+')
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index ab50a27..2ed2cd6 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -2,25 +2,24 @@
 
 #######################################
 #
-# logging_make_log_file(type,[`optional'])
+# logging_make_log_file(domain)
 #
 define(`logging_make_log_file',`
-requires_block_template(logging_make_log_file_depend,$2)
-files_make_file($1,optional)
+requires_block_template(logging_make_log_file_depend)
+files_make_file($1)
 typeattribute $1 logfile;
 ')
 
 define(`logging_make_log_file_depend',`
 attribute logfile;
-files_make_file_depend
 ')
 
 #######################################
 #
-# logging_send_system_log_message(type,[`optional'])
+# logging_send_system_log_message(domain)
 #
 define(`logging_send_system_log_message',`
-requires_block_template(logging_send_system_log_message_depend,$2)
+requires_block_template(logging_send_system_log_message_depend)
 allow $1 devlog_t:lnk_file read;
 allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
 # the type of socket depends on the syslog daemon
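Review bot: The signature comment for logging_make_log_file is changed to `(domain)`, but the argument is a file type — the body applies `typeattribute $1 logfile` and hands it to files_make_file — so the header is now misleading and should read `# logging_make_log_file(type)`. Dropping `files_make_file_depend` from the depend block appears to follow the convention the rest of this commit adopts, where the nested interface carries its own requires, but it is worth confirming that files_make_file still declares everything this interface relies on once it no longer takes the optional argument. The body of logging_send_system_log_message continues outside the hunk.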
@@ -39,10 +38,26 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 
 #######################################
 #
-# logging_append_all_logs(type,[`optional'])
+# logging_search_system_log_directory(domain)
+#
+define(`logging_search_system_log_directory',`
+requires_block_template(logging_search_system_log_directory_depend)
+files_search_system_state_data_directory($1)
+allow $1 var_log_t:dir search;
+')
+
+define(`logging_search_system_log_directory_depend',`
+type var_log_t;
+class dir search;
+')
+
+#######################################
+#
+# logging_append_all_logs(domain)
 #
 define(`logging_append_all_logs',`
-requires_block_template(logging_append_all_logs_depend,$2)
+requires_block_template(logging_append_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr append };
 ')
@@ -56,10 +71,11 @@ class file { getattr append };
 
 #######################################
 #
-# logging_read_all_logs(type,[`optional'])
+# logging_read_all_logs(domain)
 #
 define(`logging_read_all_logs',`
-requires_block_template(logging_read_all_logs_depend,$2)
+requires_block_template(logging_read_all_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 logfile:file { getattr read };
 ')
@@ -73,10 +89,11 @@ class file { getattr read };
 
 #######################################
 #
-# logging_modify_system_logs(type,[`optional'])
+# logging_modify_system_logs(domain)
 #
 define(`logging_modify_system_logs',`
-requires_block_template(logging_modify_system_logs_depend,$2)
+requires_block_template(logging_modify_system_logs_depend)
+files_search_system_state_data_directory($1)
 allow $1 var_log_t:dir { getattr search read };
 allow $1 var_log_t:file { getattr read write append };
 ')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 56b4ec8..2c2d346 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -72,7 +72,7 @@ filesystem_get_persistent_filesystem_attributes(insmod_t)
 
 files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
-files_read_general_shared_resources(insmod_t)
+files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)
 
 domain_signal_all_domains(insmod_t)

