[selinux-policy: 496/3172] more cleanup in system
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:47:31 UTC 2010
commit a5f339f134a760c44a7d6463136b9c88902c934f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jul 18 18:31:49 2005 +0000
more cleanup in system
refpolicy/policy/modules/kernel/bootloader.te | 10 ++-
refpolicy/policy/modules/kernel/filesystem.if | 35 ++++++++++
refpolicy/policy/modules/kernel/kernel.if | 34 ++++++++++
refpolicy/policy/modules/kernel/terminal.if | 18 +++++
refpolicy/policy/modules/system/domain.if | 54 +++++++++++++---
refpolicy/policy/modules/system/init.te | 9 +++
refpolicy/policy/modules/system/ipsec.if | 88 +++++++++++++++++++++++++
refpolicy/policy/modules/system/ipsec.te | 37 ++++-------
refpolicy/policy/modules/system/logging.te | 10 ++--
refpolicy/policy/modules/system/miscfiles.te | 8 +-
refpolicy/policy/modules/system/raid.if | 28 ++++++++
refpolicy/policy/modules/system/raid.te | 20 ++++--
refpolicy/policy/modules/system/unconfined.if | 25 +++++++
refpolicy/policy/modules/system/unconfined.te | 3 -
refpolicy/policy/modules/system/userdomain.te | 14 ++++
15 files changed, 336 insertions(+), 57 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 1579c5f..eddbb0d 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -142,6 +142,7 @@ miscfiles_read_localization(bootloader_t)
seutil_read_binary_pol(bootloader_t)
seutil_read_loadpol(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
@@ -197,12 +198,13 @@ optional_policy(`rpm.te',`
rpm_rw_pipe(bootloader_t)
')
-ifdef(`TODO',`
+optional_policy(`userdomain.te',`
+ userdom_dontaudit_search_staff_home_dir(bootloader_t)
+ userdom_dontaudit_search_sysadm_home_dir(bootloader_t)
+')
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+ifdef(`TODO',`
dontaudit bootloader_t devpts_t:dir create_dir_perms;
-
ifdef(`distro_debian', `
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6425337..254ad48 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1490,6 +1490,41 @@ interface(`fs_search_tmpfs',`
')
########################################
+## <summary>
+## List the contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 tmpfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the
+## contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ ')
+
+ dontaudit $1 tmpfs_t:dir r_dir_perms;
+')
+
+########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 789a910..b018245 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -174,6 +174,40 @@ interface(`kernel_sendto_unix_dgram_socket',`
########################################
## <summary>
+## Receive messages from kernel TCP sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`kernel_tcp_recvfrom',`
+ gen_require(`
+ type kernel_t;
+ class tcp_socket recvfrom;
+ ')
+
+ allow $1 kernel_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive messages from kernel UDP sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`kernel_udp_recvfrom',`
+ gen_require(`
+ type kernel_t;
+ class udp_socket recvfrom;
+ ')
+
+ allow $1 kernel_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
## Allows caller to load kernel modules
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 3e20842..b3a4540 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -446,6 +446,24 @@ interface(`term_getattr_unallocated_ttys',`
########################################
## <desc>
+## Do not audit attempts to get the attributes
+## of all unallocated tty device nodes.
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ class chr_file getattr;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+## <desc>
## Set the attributes of all unallocated
## tty device nodes.
## </desc>
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 33cbc57..80135b7 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -386,10 +386,28 @@ interface(`domain_dontaudit_getattr_all_sockets',`
')
########################################
-## <desc>
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+ gen_require(`
+ attribute domain;
+ class tcp_socket getattr;
+ ')
+
+ dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
-## </desc>
+## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@@ -404,21 +422,39 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
')
########################################
-## <desc>
-## Do not audit attempts to get the attributes
-## of all domains TCP sockets.
-## </desc>
+## <summary>
+## Do not audit attempts to read or write
+## all domains UDP sockets.
+## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
-interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+interface(`domain_dontaudit_rw_all_udp_sockets',`
gen_require(`
attribute domain;
- class tcp_socket getattr;
+ class udp_socket { read write };
')
- dontaudit $1 domain:tcp_socket getattr;
+ dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all domains key sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ class key_socket { read write };
+ ')
+
+ dontaudit $1 domain:key_socket { read write };
')
########################################
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 23482f4..ae54049 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -371,6 +371,11 @@ optional_policy(`hotplug.te',`
modutils_read_mods_deps(initrc_t)
')
+optional_policy(`ipsec.te',`
+ ipsec_read_config(initrc_t)
+ ipsec_manage_pid(initrc_t)
+')
+
optional_policy(`kerberos.te',`
kerberos_use(initrc_t)
')
@@ -391,6 +396,10 @@ optional_policy(`nis.te',`
nis_list_var_yp(initrc_t)
')
+optional_policy(`raid.te',`
+ raid_manage_mdadm_pid(initrc_t)
+')
+
optional_policy(`rhgb.te',`
corecmd_shell_entry_type(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if
index 023e4f6..b17231e 100644
--- a/refpolicy/policy/modules/system/ipsec.if
+++ b/refpolicy/policy/modules/system/ipsec.if
@@ -23,3 +23,91 @@ interface(`ipsec_domtrans',`
allow ipsec_t $1:fifo_file rw_file_perms;
allow ipsec_t $1:process sigchld;
')
+
+########################################
+## <summary>
+## Connect to an IPSEC unix domain stream socket.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_connectto_unix_stream_socket',`
+ gen_require(`
+ type ipsec_t;
+ class unix_stream_socket connectto;
+ ')
+
+ allow $1 ipsec_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Get the attributes of an IPSEC key socket.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_getattr_key_socket',`
+ gen_require(`
+ type ipsec_t;
+ class key_socket getattr;
+ ')
+
+ allow $1 ipsec_t:key_socket getattr;
+')
+
+########################################
+## <summary>
+## Execute the IPSEC management program in the caller domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_exec_mgmt',`
+ gen_require(`
+ type ipsec_exec_t;
+ ')
+
+ can_exec($1,ipsec_exec_t)
+')
+
+########################################
+## <summary>
+## Read the IPSEC configuration
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_read_config',`
+ gen_require(`
+ type ipsec_conf_file_t;
+ class file r_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 ipsec_conf_file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the IPSEC pid files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`ipsec_manage_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_pids($1)
+ allow $1 ipsec_var_run_t:dir rw_dir_perms;
+ allow $1 ipsec_var_run_t:file create_file_perms;
+')
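Review bot: `ipsec_exec_mgmt` requires and execs `ipsec_exec_t`, but the rule it replaces (`can_exec(sysadm_t, ipsec_mgmt_exec_t)` in the ipsec.te TODO block removed by this commit) and the type declared for the management program in ipsec.te (`type ipsec_mgmt_exec_t;`) both use `ipsec_mgmt_exec_t`, so as written the caller is allowed to run the IPsec daemon binary in its own domain rather than the management script the summary promises. Change the require to `type ipsec_mgmt_exec_t;` and the body to `can_exec($1,ipsec_mgmt_exec_t)`. The interface also deliberately runs that script in the caller's domain with no transition into ipsec_mgmt_t, which the userdomain.te comment only half-acknowledges via its ipsec_admin-role TODO; the `<summary>` should say so explicitly, e.g. "Execute the IPSEC management script in the caller domain (no transition to ipsec_mgmt_t)".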
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 2d0832f..a73e707 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -21,7 +21,7 @@ type ipsec_key_file_t;
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
-type ipsec_mgmt_t; #, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_t; # admin, privmodule;
type ipsec_mgmt_exec_t;
init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
role system_r types ipsec_mgmt_t;
@@ -204,8 +204,10 @@ dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
# the default updown script wants to run route
corecmd_exec_sbin(ipsec_mgmt_t)
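Review bot: `fs_list_tmpfs(ipsec_mgmt_t)` expands to `tmpfs_t:dir r_dir_perms`, which is wider than the `{ getattr read }` the TODO block used to grant (r_dir_perms normally also carries search, lock and ioctl), so this hunk is a small widening rather than the pure move the commit message suggests; probably harmless, but a one-line comment such as `# was { getattr read }; r_dir_perms is the closest interface` would spare the next reader the archaeology. Likewise `term_dontaudit_getattr_unallocated_ttys` drops the old "Are these all really necessary?" question without answering it — either carry the question over as a comment or note which denial it was added for.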
@@ -214,6 +216,12 @@ corecmd_exec_sbin(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
domain_use_wide_inherit_fd(ipsec_mgmt_t)
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_list_all_domains_proc(ipsec_mgmt_t)
+# suppress audit messages about unnecessary socket access
+# cjp: this seems excessive
+domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
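Review bot: `domain_dontaudit_rw_all_udp_sockets` and `domain_dontaudit_rw_all_key_sockets` suppress read/write denials on the sockets of every domain on the system, which the inline `cjp: this seems excessive` comment already suspects; dontaudit grants nothing, but it does erase the only trace an analyst would have of ipsec_mgmt_t touching another domain's sockets. The sockets the management script plausibly touches are pluto's own (this commit already adds `ipsec_getattr_key_socket` for exactly that type), so narrowing to `dontaudit ipsec_mgmt_t ipsec_t:key_socket { read write };` and the matching udp_socket rule, ideally behind an `ipsec_dontaudit_rw_key_socket`-style interface, would keep the log quiet without blinding it for the rest of the system. If the domain-wide version is kept, the comment should record which denials were actually observed to justify it.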
@@ -243,32 +251,13 @@ optional_policy(`consoletype.te',`
consoletype_exec(ipsec_mgmt_t)
')
-ifdef(`TODO',`
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+optional_policy(`nscd.te',`
+ nscd_use_socket(ipsec_mgmt_t)
+')
+ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4ffffdb..269e7e7 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -239,6 +239,11 @@ files_dontaudit_search_isid_type_dir(syslogd_t)
allow syslogd_t self:capability net_admin;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`distro_suse', `
+ # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+ files_create_var_lib(syslogd_t,devlog_t,sock_file)
+')
+
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
@@ -274,11 +279,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)
')
-ifdef(`distro_suse', `
- # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index cfcc67c..61e7674 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -9,8 +9,8 @@ policy_module(miscfiles,1.0)
#
# catman_t is the type for /var/catman.
#
-type catman_t; # , tmpfile;
-files_type(catman_t)
+type catman_t;
+files_tmp_file(catman_t)
#
# cert_t is the type of files in the system certs directories.
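Review bot: Changing `catman_t` from `files_type` to `files_tmp_file` appears to restore the legacy `tmpfile` attribute the old `# , tmpfile;` comment referred to, which means any domain granted blanket tmp-file management can now remove or replace the /var/catman cache even though it does not live under /tmp. That looks intentional, but the header comment should say so, e.g. `# tmp-file attribute: catman output is a regenerable cache, so tmp cleaners may manage it`, so the next person does not "fix" it back to files_type. The same applies to the tetex_data_t change in the following hunk.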
@@ -46,5 +46,5 @@ files_type(test_file_t)
#
# for /var/{spool,lib}/texmf index files
#
-type tetex_data_t; # , tmpfile;
-files_type(tetex_data_t)
+type tetex_data_t;
+files_tmp_file(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
index 434ac36..1981606 100644
--- a/refpolicy/policy/modules/system/raid.if
+++ b/refpolicy/policy/modules/system/raid.if
@@ -24,3 +24,31 @@ interface(`raid_domtrans_mdadm',`
allow mdadm_t $1:fifo_file rw_file_perms;
allow mdadm_t $1:process sigchld;
')
+
+########################################
+## <summary>
+## Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete the mdadm pid files.
+## </p>
+## <p>
+## Added for use in the init module.
+## </p>
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ class file create_file_perms;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file create_file_perms;
+')
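Review bot: `raid_manage_mdadm_pid` grants only `mdadm_var_run_t:file create_file_perms`, with no search on the pid directory and no `dir` permissions on `mdadm_var_run_t`, so unlike `ipsec_manage_pid` in the same commit a caller can neither reach nor create entries in that directory; and with no type_transition, a file initrc_t creates under /var/run would not be labeled `mdadm_var_run_t` anyway, which is what the FIXME is circling. Suggest mirroring `ipsec_manage_pid`: add `files_search_pids($1)` and `allow $1 mdadm_var_run_t:dir rw_dir_perms;` ahead of the file rule, and either add a transition from the pid directory type or document that the file is expected to pre-exist with that label. The `<desc>` also just repeats the `<summary>`; keep the "Added for use in the init module" sentence and drop the duplicate.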
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 43bb0aa..8d28d83 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -1,6 +1,9 @@
-#DESC mdadm - Linux RAID tool
+
+policy_module(mdadm,1.0)
+
+########################################
#
-# Author: Colin Walters <walters at redhat.com>
+# Declarations
#
type mdadm_t;
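Review bot: The new `policy_module(mdadm,1.0)` names the module `mdadm` while the file is raid.te and is referenced from init.te as `optional_policy(\`raid.te'`; the other module header in this commit, `policy_module(miscfiles,1.0)` in miscfiles.te, matches its filename. If the build derives the module name from the file, as the per-file optional_policy references suggest, this mismatch will surface when the module is built or installed, so either `policy_module(raid,1.0)` or renaming the file to mdadm.te seems needed — worth confirming against the build rules before merging.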
@@ -11,6 +14,11 @@ role system_r types mdadm_t;
type mdadm_var_run_t;
files_pid_file(mdadm_var_run_t)
+########################################
+#
+# Local policy
+#
+
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
@@ -28,6 +36,7 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
# RAID block device access
storage_manage_fixed_disk(mdadm_t)
@@ -77,13 +86,8 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow initrc_t mdadm_var_run_t:file create_file_perms;
-
# Ignore attempts to read every device file
-dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-
-# Other random ignores
-dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
+dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
allow mdadm_t var_t:dir getattr;
') dnl TODO
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 6d49f92..d2e306e 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -99,6 +99,31 @@ interface(`unconfined_domtrans',`
')
########################################
+## <desc>
+## Execute specified programs in the unconfined domain.
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="role">
+## The role to allow the unconfined domain.
+## </param>
+## <param name="terminal">
+## The type of the terminal allow the unconfined domain to use.
+## </param>
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ class chr_file rw_term_perms;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+ allow unconfined_t $3:chr_file rw_term_perms;
+')
+
+########################################
## <summary>
## Transition to the unconfined domain by executing a shell.
## </summary>
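Review bot: `unconfined_run` is documented with `<desc>` where the neighbouring `unconfined_domtrans` and the other new interfaces in this commit use `<summary>` (raid.if shows `<desc>` as the long, `<p>`-wrapped form), so switch the tag to `<summary>`. The text should also state the effect rather than just "Execute specified programs": the interface authorises role `$2` for `unconfined_t` and lets `unconfined_t` use terminal `$3`, i.e. it is a full escape from the caller's confinement, e.g. `## Transition to the unconfined domain, authorise the given role for unconfined_t, and allow it to use the given terminal.` That is exactly the kind of grant a policy reader needs to see at a glance.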
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 68cd0b1..48845cc 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -20,9 +20,6 @@ unconfined_domain_template(unconfined_t)
logging_send_syslog_msg(unconfined_t)
-#role sysadm_r types unconfined_t;
-#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
-
ifdef(`targeted_policy',`
allow unconfined_t self:system syslog_read;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index dbada2c..1d6b5f0 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -122,6 +122,16 @@ ifdef(`targeted_policy',`
hostname_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`ipsec.te',`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_connectto_unix_stream_socket(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_socket(sysadm_t)
+ ')
+
optional_policy(`iptables.te',`
iptables_run(sysadm_t,sysadm_r,admin_terminal)
')
@@ -176,6 +186,10 @@ ifdef(`targeted_policy',`
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`unconfined.te',`
+ unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`usermanage.te',`
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
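Review bot: `unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)` passes three arguments to an interface that, per the unconfined.if hunk in this same commit, uses only `$1`; m4 silently drops the extras, so sysadm_r never receives `role sysadm_r types unconfined_t` (the commented-out line this commit deletes from unconfined.te) and the transition should fail as an invalid context at exec time. The three-argument interface that does the role authorisation and terminal access is the new `unconfined_run`, matching the sibling `iptables_run(...)` and `sysnet_run_ifconfig(...)` calls: change the line to `unconfined_run(sysadm_t,sysadm_r,admin_terminal)`. Since this lets any sysadm_t process leave confinement entirely, the optional_policy block also deserves a one-line comment saying that is intended.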