[selinux-policy: 1154/3172] add rolemap/per-userdomain infrastructure
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:44:46 UTC 2010
commit 4ace0fa5d60903c4b1273f3f362fe8e46d82183e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jan 26 18:04:57 2006 +0000
add rolemap/per-userdomain infrastructure
refpolicy/Changelog | 4 ++++
refpolicy/Makefile | 19 +++++++++++++++++++
refpolicy/Rules.modular | 8 +++++---
refpolicy/Rules.monolithic | 3 ++-
refpolicy/policy/modules/apps/irc.if | 15 +++++++++------
refpolicy/policy/modules/kernel/devices.if | 2 +-
refpolicy/policy/modules/services/cron.if | 1 +
refpolicy/policy/modules/services/mta.if | 4 ++++
refpolicy/policy/modules/system/authlogin.if | 2 +-
refpolicy/policy/modules/system/userdomain.if | 9 +--------
refpolicy/policy/modules/system/userdomain.te | 15 +++++++++++----
refpolicy/policy/rolemap | 17 +++++++++++++++++
12 files changed, 75 insertions(+), 24 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index fa257c8..5b9a9b7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,7 @@
+- Separate per-userdomain template expansion from the userdomain
+ module and add infrastructure to expand templates in the modules
+ that own the template.
+- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
removed from these programs.
- Add ctags Make target from Thomas Bleher.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10f513b..ae8f7a5 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
TUNABLES := $(POLDIR)/tunables.conf
BOOLEANS := $(POLDIR)/booleans.conf
+ROLEMAP := $(POLDIR)/rolemap
# install paths
TOPDIR = $(DESTDIR)/etc/selinux
@@ -183,6 +184,24 @@ OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
########################################
#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
+ awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(QUIET) echo "')" >> $2
+endef
+
+########################################
+#
# Load appropriate rules
#
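Review bot: In `parse-rolemap` the recipe's exit status is that of `awk`, so a failing `m4` (missing or unparsable `$(ROLEMAP)`) is masked unless the shell runs with pipefail, which is not visible here; the build would then continue with an empty role expansion and produce a policy that silently lacks the per-user derived domains. Running the two stages as separate recipe lines makes that failure fatal, e.g. `$(QUIET) m4 $(M4PARAM) $(ROLEMAP) > $2.map` followed by `$(QUIET) awk '…' $2.map >> $2`. The awk pattern also accepts any line that starts with a letter and reads `$$1`–`$$3` positionally, so putting `NF == 3 &&` in front of the pattern would keep a short line from emitting a malformed `gen_require`. The header comment could also say that the macro appends to outputfile, since the `parse-rolemap,base` calls in Rules.modular and Rules.monolithic rely on that.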
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 8721f54..f4bb9b0 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
#
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
- $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc
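Review bot: `$@.role` is generated from `$(ROLEMAP)`, but the rolemap is not among the prerequisites of `tmp/%.mod` (unless `$(M4SUPPORT)` happens to contain it, which the hunk does not show), so editing or removing a role mapping leaves previously built modules carrying the old per-role rules until a clean build. The recipe also writes a second file besides `$@`. Making the expansion its own target addresses both: `tmp/%.mod.role: $(ROLEMAP)` with the recipe `$(call peruser-expansion,$*,$@)`, then `tmp/%.mod.role` listed as the last prerequisite of `tmp/%.mod` so the m4 line can go back to plain `$^`. The `parse-rolemap,base` calls added further down in this file and in Rules.monolithic sit in rules whose headers are outside the hunks; they likely need to track `$(ROLEMAP)` as well.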
@@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
# define all available object classes
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates
- $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
- $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
+ $(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
+ $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\
done
@@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
endif
@test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@
+ $(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
@test -d tmp || mkdir -p tmp
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 174bdde..7051ec0 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
tmp/generated_definitions.conf: $(ALL_TE_FILES)
# per-userdomain templates:
@test -d tmp || mkdir -p tmp
- $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+ $(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\
@@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
endif
@test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@
+ $(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index af67fcb..5ad0661 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -47,6 +47,9 @@ template(`irc_per_userdomain_template',`
type $1_irc_home_t;
userdom_home_file($1,$1_irc_home_t)
+
+ type $1_irc_tmp_t;
+ userdom_home_file($1,$1_irc_tmp_t)
########################################
#
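Review bot: The new `$1_irc_tmp_t` is declared with `userdom_home_file($1,$1_irc_tmp_t)`, the same call used for `$1_irc_home_t` just above, which looks like a copy of the home-type declaration rather than a temporary-file declaration. If that interface does what its name suggests, the tmp type picks up whatever access the user domain has to home content and is not marked as a tmp file for rules keyed on that; worth confirming and, if so, declaring it through the files module's tmp-file interface (`files_tmp_file($1_irc_tmp_t)`) plus only the user access actually wanted. A one-line comment above the declaration, e.g. `# private type for files irc creates under /tmp`, would also help. The template body starts and ends outside this hunk.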
@@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
# access files under /tmp
- allow $1_irc_t $1_tmp_t:dir create_dir_perms;
- allow $1_irc_t $1_tmp_t:file create_file_perms;
- allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
- allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
- allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
- files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
+ allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
+ allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
+ allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
+ allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
+ allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+ files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5a954dc..95a559e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
#
interface(`dev_getattr_agp_dev',`
gen_require(`
- type device_t, dri_device_t;
+ type device_t, agp_device_t;
')
allow $1 device_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e42a60e..477327c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
+ type $1_crontab_t, $1_crond_t;
')
# Allow our crontab domain to unlink a user cron spool file.
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 358ae9c..3ed30bd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
## </param>
#
template(`mta_admin_template',`
+ gen_require(`
+ type $1_mail_t;
+ ')
+
ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
userdom_read_unpriv_user_home_files($1_mail_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 21032db..583b3c9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
allow system_chkpwd_t $2:process sigchld;
',`
gen_require(`
- type chkpwd_exec_t;
+ type $1_chkpwd_t, chkpwd_exec_t;
')
corecmd_search_bin($2)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a070ebf..10ea2a7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -142,13 +142,6 @@ template(`base_user_template',`
allow $1_t unpriv_userdomain:fd use;
- # Instantiate derived domains for a number of programs.
- # These derived domains encode both information about the calling
- # user domain and the program, and allow us to maintain separation
- # between different instances of the program being run by different
- # user domains.
- per_userdomain_templates($1,$1_t,$1_r)
-
kernel_read_kernel_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_file($1_t)
@@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
- type $1_tmp_t;
+ type $1_tmpfs_t;
')
fs_search_tmpfs($2)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 374a6b7..3cd7f1d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,8 +1,12 @@
-policy_module(userdomain,1.2.3)
+policy_module(userdomain,1.2.4)
gen_require(`
- role sysadm_r, staff_r, user_r, secadm_r;
+ role sysadm_r, staff_r, user_r;
+
+ ifdef(`enable_mls',`
+ role secadm_r;
+ ')
')
########################################
@@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
')
',`
admin_user_template(sysadm)
- admin_user_template(secadm)
unpriv_user_template(staff)
unpriv_user_template(user)
@@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
# only staff_r can change to sysadm_r
role_change(staff, sysadm)
- role_change(staff, secadm)
+
+ ifdef(`enable_mls',`
+ admin_user_template(secadm)
+ role_change(staff, secadm)
+ ')
# this should be tunable_policy, but
# currently type_change and RBAC allow
diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap
new file mode 100644
index 0000000..012da6c
--- /dev/null
+++ b/refpolicy/policy/rolemap
@@ -0,0 +1,17 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure
+#
+# Each line has: role prefix user_domain
+#
+
+ifdef(`strict_policy',`
+ user_r user user_t
+ staff_r staff staff_t
+ sysadm_r sysadm sysadm_t
+
+ ifdef(`enable_mls',`
+ secadm_r secadm secadm_t
+ ')
+')
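Review bot: The header comment does not say what happens to a role that is instantiated in userdomain.te but has no line here: judging by `parse-rolemap` in the Makefile, it would simply get no `*_per_userdomain_template` expansions, with no error. The entries are gated on `strict_policy`, while userdomain.te in this commit creates the same roles in the else-branch of `targeted_policy`, so the two conditions have to be kept in step by hand. I would extend the comment with something like `# Must list every role/prefix/domain created in userdomain.te; a missing line silently drops that role's derived domains` and `# Exactly three whitespace-separated fields per line`.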