[selinux-policy: 490/3172] * break up files_getattr_all_files into correct interfaces * move stuff out of pcmcia into the appro

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:47:00 UTC 2010


commit 50f6503452aeac71d69def7875e929611ba8e924
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jul 15 15:17:57 2005 +0000

    * break up files_getattr_all_files into correct interfaces
    * move stuff out of pcmcia into the appropriate modules

 refpolicy/policy/modules/kernel/devices.if    |   18 +++
 refpolicy/policy/modules/services/cron.te     |    4 +
 refpolicy/policy/modules/system/files.if      |  170 ++++++++++++++++++++++++-
 refpolicy/policy/modules/system/init.te       |    4 +
 refpolicy/policy/modules/system/modutils.te   |    4 +
 refpolicy/policy/modules/system/pcmcia.if     |   24 ++++
 refpolicy/policy/modules/system/pcmcia.te     |   30 +++--
 refpolicy/policy/modules/system/sysnetwork.te |    8 +-
 8 files changed, 244 insertions(+), 18 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5257aec..c8ea64e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -814,6 +814,24 @@ interface(`dev_rw_apm_bios',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and
+##	write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_rw_cardmgr',`
+	gen_require(`
+		type cardmgr_dev_t;
+		class chr_file { read write };
+	')
+
+	dontaudit $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+## <summary>
 ##	Read the CPU identity.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index a1dddfd..d3fbbae 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -259,7 +259,11 @@ files_exec_etc_files(system_crond_t)
 files_read_etc_files(system_crond_t)
 files_read_etc_runtime_files(system_crond_t)
 files_list_all_dirs(system_crond_t)
+files_getattr_all_dirs(system_crond_t)
 files_getattr_all_files(system_crond_t)
+files_getattr_all_symlinks(system_crond_t)
+files_getattr_all_pipes(system_crond_t)
+files_getattr_all_sockets(system_crond_t)
 files_read_usr_files(system_crond_t)
 files_read_var_files(system_crond_t)
 # for nscd:
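Review bot: The four calls added around `files_getattr_all_files(system_crond_t)` restore exactly what the old combined interface granted, so system_crond_t still holds getattr on every `file_type` directory, symlink, pipe and socket. Now that each class has its own interface, it would help to mark these lines as carried over, for example with `# carried over from the old files_getattr_all_files; review which are needed` above them. That lets classes the domain does not need be dropped later. The same applies to the identical addition for initrc_t in init.te.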
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index c810f0f..129f475 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -105,28 +105,186 @@ interface(`files_tmpfs_file',`
 ')
 
 ########################################
+## <summary>
+##	Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
-# files_getattr_all_files(domain)
+interface(`files_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir { getattr search };
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir getattr;
+	')
+
+	dontaudit $1 file_type:dir getattr;
+')
 
+########################################
+#
+# files_getattr_all_files(domain)
+#
 interface(`files_getattr_all_files',`
 	gen_require(`
 		attribute file_type;
-		class dir { search getattr };
+		class dir search;
 		class file getattr;
-		class lnk_file getattr;
-		class fifo_file getattr;
-		class sock_file getattr;
 	')
 
-	allow $1 file_type:dir { search getattr };
+	allow $1 file_type:dir search;
 	allow $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+		class file getattr;
+	')
+
+	dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class lnk_file getattr;
+	')
+
+	allow $1 file_type:dir search;
 	allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class lnk_file getattr;
+	')
+
+	dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class fifo_file getattr;
+	')
+
+	allow $1 file_type:dir search;
 	allow $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class fifo_file getattr;
+	')
+
+	dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class sock_file getattr;
+	')
+
+	allow $1 file_type:dir search;
 	allow $1 file_type:sock_file getattr;
 ')
 
 ########################################
 ## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class sock_file getattr;
+	')
+
+	dontaudit $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
 ##	Relabel all files on the filesystem, except
 ##	the listed exceptions.
 ## </summary>
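Review bot: `files_getattr_all_files` is narrowed here to `file_type:file getattr` plus `file_type:dir search`, but it is the only interface in this hunk left with the bare `# files_getattr_all_files(domain)` header instead of a `## <summary>` block, so its changed scope is documented nowhere. I would give it the same header as its siblings, e.g. `##	Get the attributes of all files.` with a `domain` param described as `Domain allowed access.`. Only cron.te and init.te are updated in this commit, so any other caller (not visible here) now loses getattr on directories, symlinks, pipes and sockets, which is worth confirming. The summaries of the allow interfaces also omit that each one grants `search` on every `file_type` directory; `files_getattr_all_dirs` says only "Get the attributes" while allowing `{ getattr search }`.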
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c4a163b..23482f4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -264,7 +264,11 @@ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
 
+files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
+files_getattr_all_symlinks(initrc_t)
+files_getattr_all_pipes(initrc_t)
+files_getattr_all_sockets(initrc_t)
 files_delete_all_tmp_files(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 88e9adc..1309fad 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -103,6 +103,10 @@ logging_search_logs(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
+ifdef(`hide_broken_symptoms',`
+	dev_dontaudit_rw_cardmgr(insmod_t)
+')
+
 optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')
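Review bot: `dev_dontaudit_rw_cardmgr(insmod_t)` is called here with only the `hide_broken_symptoms` guard, while the matching call for ifconfig_t in sysnetwork.te is additionally wrapped in an optional_policy block on pcmcia.te. The interface is added to devices.if and requires only `cardmgr_dev_t`, so the two call sites should agree: either both need the pcmcia guard or neither does. Where `cardmgr_dev_t` is declared is not visible in this diff, and that decides which form is right.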
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index c99b813..3aefa05 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -2,6 +2,30 @@
 
 ########################################
 ## <summary>
+##	Execute cardmgr in the cardmgr domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`pcmcia_domtrans_cardmgr',`
+	gen_require(`
+		type cardmgr_t, cardmgr_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
+
+	allow $1 cardmgr_t:fd use;
+	allow cardmgr_t $1:fd use;
+	allow cardmgr_t $1:fifo_file rw_file_perms;
+	allow cardmgr_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute cardctl in the cardmgr domain.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 48327fe..1e14ca7 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -43,8 +43,11 @@ kernel_read_system_state(cardmgr_t)
 kernel_read_kernel_sysctl(cardmgr_t)
 kernel_list_proc(cardmgr_t)
 kernel_read_proc_symlinks(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
 
 dev_read_sysfs(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
 # for SSP
 dev_read_urand(cardmgr_t)
 
@@ -52,6 +55,7 @@ fs_getattr_all_fs(cardmgr_t)
 fs_search_auto_mountpoints(cardmgr_t)
 
 term_use_unallocated_tty(cardmgr_t)
+term_getattr_all_user_ttys(cardmgr_t)
 term_dontaudit_use_console(cardmgr_t)
 
 corecmd_exec_bin(cardmgr_t)
@@ -59,10 +63,18 @@ corecmd_exec_sbin(cardmgr_t)
 
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
 
 files_search_home(cardmgr_t)
 files_read_etc_runtime_files(cardmgr_t)
 files_exec_etc_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
 
 init_use_fd(cardmgr_t)
 init_use_script_pty(cardmgr_t)
@@ -116,21 +128,17 @@ file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t },
 
 # Read /proc/PID directories for all domains (for fuser).
 can_ps(cardmgr_t, domain)
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
+
 dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
+# cjp: these look excessive:
+dontaudit cardmgr_t domain:socket_class_set getattr;
 
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+# this goes to apm
+optional_policy(`pcmcia.te',`
+	pcmcia_domtrans_cardmgr(apmd_t)
+	pcmcia_domtrans_cardctl(apmd_t)
 ')
 
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
 ifdef(`hald.te', `
 rw_dir_file(hald_t, cardmgr_var_run_t)
 allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
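Review bot: The apmd transition was previously guarded by an ifdef on apmd.te, but the replacement optional_policy block tests pcmcia.te from inside pcmcia.te itself, so nothing checks that apmd is built before `apmd_t` is passed to `pcmcia_domtrans_cardmgr` and `pcmcia_domtrans_cardctl`. If optional_policy only tests for the named module, a build without apmd would reference an undeclared `apmd_t`. The `# this goes to apm` comment suggests the block is meant to move. Until it does, I would keep the old condition by testing apmd.te here, and make the marker explicit, e.g. `# TODO: move to apmd.te`.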
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 93220ec..31b6588 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -285,7 +285,13 @@ seutil_use_runinit_fd(ifconfig_t)
 userdom_use_all_user_fd(ifconfig_t)
 
 ifdef(`hide_broken_symptoms',`
-	udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+	optional_policy(`pcmcia.te',`
+		dev_dontaudit_rw_cardmgr(ifconfig_t)
+	')
+
+	optional_policy(`udev.te',`
+		udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+	')
 ')
 
 optional_policy(`nis.te',`
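Review bot: The call kept inside the new udev block is spelled `udev_donaudit_rw_unix_dgram_socket`, without the `t` that every other dontaudit interface in this commit has (`dev_dontaudit_rw_cardmgr`, `files_dontaudit_getattr_all_dirs`). udev.if is not part of this diff, so the name should be checked against its definition: if the interface is defined as `udev_dontaudit_rw_unix_dgram_socket`, m4 would leave this call unexpanded. The spelling predates this commit, but the line is re-indented here, which makes it a cheap moment to fix the call and, if needed, the definition.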

