[selinux-policy: 466/3172] implement direct_sysadm_daemon

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:44:58 UTC 2010


commit e5f806031684f35626f43df95bce8292abf6b9eb
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 7 15:25:28 2005 +0000

    implement direct_sysadm_daemon

 refpolicy/policy/modules/services/mta.if      |   33 +++++++++--
 refpolicy/policy/modules/services/ssh.te      |    4 +-
 refpolicy/policy/modules/system/authlogin.te  |    2 +
 refpolicy/policy/modules/system/init.if       |   78 ++++++++++++++++++++++--
 refpolicy/policy/modules/system/init.te       |    6 ++
 refpolicy/policy/modules/system/logging.te    |    8 +--
 refpolicy/policy/modules/system/userdomain.te |    6 ++
 refpolicy/policy/users                        |    8 ++-
 8 files changed, 123 insertions(+), 22 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1773fa8..219bcab 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -147,16 +147,39 @@ interface(`mta_mailserver',`
 	typeattribute $1 mailserver_domain;
 ')
 
-#######################################
-#
-# mta_sendmail_mailserver(domain,entrypointtype)
-#
+########################################
+## <summary>
+##	Modified mailserver interface for
+##	sendmail daemon use.
+## </summary>
+## <desc>
+##	<p>
+##	A modified MTA mail server interface for
+##	the sendmail program.  It's design does
+##	not fit well with policy, and using the
+##	regular interface causes a type_transition
+##	conflict if direct running of init scripts
+##	is enabled.
+##	</p>
+##	<p>
+##	This interface should most likely only be used
+##	by the sendmail policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type to be used for the mail server.
+## </param>
+## <param name="entry_point">
+##	The type to be used for the domain entry point program.
+## </param>
 interface(`mta_sendmail_mailserver',`
 	gen_require(`
+		attribute mailserver_domain;
 		type sendmail_exec_t;
 	')
 
-	mta_mailserver($1,sendmail_exec_t)
+	init_system_domain($1,sendmail_exec_t)
+	typeattribute $1 mailserver_domain;
 ')
 
 #######################################
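Review bot: The new interface description has a typo, `It's design does` should read `Its design does` (L43 of the doc block). The description would also benefit from stating what the replacement changes: the interface no longer calls `mta_mailserver` but uses `init_system_domain($1,sendmail_exec_t)` plus a direct `typeattribute $1 mailserver_domain;`, so sendmail is deliberately kept off the daemon interface and, if I read the init.if changes in this commit right, off the direct_run_init transition that `init_daemon_domain` installs; a sentence such as `##	Sendmail is registered as a system domain, not a daemon domain, so it does not get the direct_sysadm_daemon transition.` would stop a later reader from re-adding `mta_mailserver` here. The body of `init_system_domain` is not in this hunk, so I cannot confirm exactly which rules the new call grants.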
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8ecd0a7..661622a 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -18,7 +18,7 @@ files_type(ssh_exec_t)
 
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
-init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
 role system_r types ssh_keygen_t;
 
 ssh_server_template(sshd)
@@ -207,6 +207,8 @@ allow ssh_keygen_t proc_t:lnk_file read;
 userdom_use_sysadm_tty(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
 
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
 ifdef(`direct_sysadm_daemon',`
 	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index f775741..bc9eae6 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -190,6 +190,8 @@ seutil_read_file_contexts(pam_console_t)
 
 userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
 
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
 ifdef(`direct_sysadm_daemon', `
 	userdom_dontaudit_use_sysadm_terms(pam_console_t)
 ')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 966f21b..4383272 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -1,8 +1,15 @@
 ## <summary>System initialization programs (init and init scripts).</summary>
 
 ########################################
-#
-# init_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_domain',`
 	gen_require(`
@@ -34,16 +41,25 @@ interface(`init_domain',`
 ')
 
 ########################################
-#
-# init_daemon_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain for long running processes
+##	(daemons) which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_daemon_domain',`
 	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
 		class fifo_file rw_file_perms;
 		class fd use;
-		class process sigchld;
+		class process { noatsecure siginh rlimitinh sigchld };
 	')
 
 	domain_type($1)
@@ -54,10 +70,24 @@ interface(`init_daemon_domain',`
 	domain_auto_trans(initrc_t,$2,$1)
 
 	allow initrc_t $1:fd use;
+	allow initrc_t $1:process { noatsecure siginh rlimitinh };
 	allow $1 initrc_t:fd use;
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
 
+	ifdef(`direct_sysadm_daemon',`
+		domain_auto_trans(direct_run_init,$2,$1)
+
+		allow direct_run_init $1:fd use;
+		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+		allow $1 direct_run_init:fd use;
+		allow $1 direct_run_init:fifo_file rw_file_perms;
+		allow $1 direct_run_init:process sigchld;
+
+		typeattribute $1 direct_init;
+		typeattribute $2 direct_init_entry;
+	')
+
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
 	optional_policy(`distro_redhat',`
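Review bot: In the new `direct_sysadm_daemon` branch, `allow direct_run_init $1:process { noatsecure siginh rlimitinh };` means that when an admin domain execs a daemon entry point directly, the resulting daemon process is, as I understand the kernel's noatsecure/siginh/rlimitinh checks, not marked AT_SECURE and keeps the caller's signal state and resource limits; in practice the admin shell's environment (LD_PRELOAD, LD_LIBRARY_PATH and friends) reaches the daemon unsanitised, something the initrc_t path never exposes to an interactive session. If mirroring the initrc_t rules is intentional so that init scripts behave identically whether run by init or by root, a comment should say so; otherwise consider granting only `siginh rlimitinh` on this path and leaving out noatsecure. Suggested comment above the allow line: `# noatsecure: daemon keeps the admin shell's environment (no AT_SECURE scrubbing); intentional so direct runs match initrc_t, but LD_* variables are not sanitised`. The interface body continues outside the hunk (the distro_redhat optional_policy and the closing quote).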
@@ -67,8 +97,16 @@ interface(`init_daemon_domain',`
 ')
 
 ########################################
-#
-# init_system_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain for short running processes
+##	which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_system_domain',`
 	gen_require(`
@@ -260,6 +298,32 @@ interface(`init_domtrans_script',`
 ')
 
 ########################################
+## <desc>
+##	Start and stop daemon programs directly.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be performing this action.
+## </param>
+## <param name="terminal">
+##	The type of the terminal of the user.
+## </param>
+#
+interface(`init_run_daemon',`
+	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
+		role system_r;
+		class chr_file rw_file_perms;
+	')
+
+	typeattribute $1 direct_run_init;
+	role_transition $2 direct_init_entry system_r;
+	dontaudit direct_init $3:chr_file rw_file_perms;
+')
+
+########################################
 #
 # init_exec_script(domain)
 #
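Review bot: `init_run_daemon` installs `role_transition $2 direct_init_entry system_r;` but grants no role allow for it; unless `allow $2 system_r;` (for the one caller in this commit, `allow sysadm_r system_r;`) already exists elsewhere in the policy, the security server masks out the process transition when the role changes, so executing a daemon from an admin shell is denied rather than landing in system_r. Adding `allow $2 system_r;` next to the role_transition makes the interface self-contained. Separately, the doc block opens with `## <desc>` while every other interface in this file starts with `## <summary>`; if the XML doc generator keys on summary as the other blocks suggest, change it to `## <summary>` and keep `<desc>` as an optional second element.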
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 70f88b3..f11db47 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -6,6 +6,12 @@ policy_module(init,1.0)
 # Declarations
 #
 
+# used for direct running of init scripts
+# by admin domains
+attribute direct_run_init;
+attribute direct_init;
+attribute direct_init_entry;
+
 #
 # init_t is the domain of the init process.
 #
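Review bot: The comment on the three new attributes names the feature but not which side each attribute marks, and they are only consumed in init.if, so a reader of this file has to cross-reference. Based on how init_daemon_domain and init_run_daemon assign them in this commit, a gloss of the form `# direct_run_init: admin domains allowed to exec daemons directly` / `# direct_init: daemon domains reachable that way` / `# direct_init_entry: entry-point file types of those daemons` next to the declarations would make the relationship explicit.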
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 14eac6d..8c6312e 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -82,9 +82,7 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
-# cjp: this is questionable.  it should probably
-# be a userdom_dontaudit_use_sysadm_terms(auditd_t)
-# in a direct_sysadm_daemon tunable
+# cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
 
 ifdef(`targeted_policy', `
@@ -248,10 +246,6 @@ ifdef(`klogd.te', `', `
 	kernel_change_ring_buffer_level(syslogd_t)
 ')
 
-ifdef(`direct_sysadm_daemon',`
-	userdom_dontaudit_use_sysadm_terms(syslogd_t)
-')
-
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(syslogd_t)
 	term_dontaudit_use_generic_pty(syslogd_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a3174c5..d754509 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -100,6 +100,12 @@ ifdef(`targeted_policy',`
 	allow sysadm_t user_home_dir_t:dir create_dir_perms;
 	files_create_home_dirs(sysadm_t,user_home_dir_t)
 
+	ifdef(`direct_sysadm_daemon',`
+		optional_policy(`init.te',`
+			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
+		')
+	')
+
 	optional_policy(`bootloader.te',`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 76f8f53..2341ebf 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -38,7 +38,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
 ',`
-gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+	ifdef(`direct_sysadm_daemon',`
+		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
+',`
+		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+	')
 ')
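Review bot: The `',` separating the branches of the inner `ifdef(`direct_sysadm_daemon'` is at column 0 while the matching `ifdef(` and `')` are indented one tab; indent it (`	',`) so the nesting reads the same as the outer block. It is also worth recording why root gains system_r only under this build option, since the role is what makes the role_transition in init_run_daemon reachable: a comment such as `# direct_sysadm_daemon: root needs system_r so daemons started directly from sysadm_r can change role` above the inner ifdef would do.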

