diff -ruN /tmp/policy/Makefile policy/Makefile --- /tmp/policy/Makefile 2002-09-10 00:01:30.000000000 +0200 +++ policy/Makefile 2002-08-31 17:33:36.000000000 +0200 @@ -23,7 +23,6 @@ POLICYVER := policy.$(shell $(CHECKPOLICY) -V) INSTALLDIR = /etc/security/selinux LOADPATH = $(INSTALLDIR)/$(POLICYVER) -INITRDLOADPATH = $(INSTALLDIR)/initrd-$(POLICYVER) SRCINSTALLDIR = $(INSTALLDIR)/src POLICYCONF = $(SRCINSTALLDIR)/policy.conf 
@@ -35,71 +34,68 @@ POLICYFILES += rbac users constraints POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts -INITRDPOLICYFILES = $(subst all.te,initrd_all.te,$(POLICYFILES)) +INITRDPOLICYFILES = $(subst users, initrd-domains/users,$(subst all.te,initrd_all.te,$(POLICYFILES))) FC = file_contexts/file_contexts FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) - -policy: $(POLICYVER) - -$(POLICYVER): tmp policy.conf $(CHECKPOLICY) - $(CHECKPOLICY) -o $@ policy.conf - -tmp: - mkdir tmp - -initrd-$(POLICYVER): tmp initrd-policy.conf $(CHECKPOLICY) - $(CHECKPOLICY) -o tmp/$@ initrd-policy.conf - gzip -c tmp/$@ > $@ - -initrd-policy: initrd-$(POLICYVER) - install: $(LOADPATH) -install-initrd: $(INITRDLOADPATH) +install-initrd: $(LOADPATH).initrd $(LOADPATH): $(POLICYCONF) $(CHECKPOLICY) mkdir -p $(INSTALLDIR) - $(CHECKPOLICY) -o $@ $(POLICYCONF) + $(CHECKPOLICY) -o tmp/pol $(POLICYCONF) + gzip -9 < tmp/pol > $@ + rm tmp/pol # Note: Can't use install, so not sure how to deal with mode, user, and group # other than by default. -$(INITRDLOADPATH): initrd-$(POLICYVER) +$(LOADPATH).initrd: $(POLICYCONF).initrd $(CHECKPOLICY) mkdir -p $(INSTALLDIR) - install -m 644 -o root -g root initrd-$(POLICYVER) $(INITRDLOADPATH) + $(CHECKPOLICY) -o tmp/pol.initrd $(POLICYCONF).initrd + gzip -9 < tmp/pol.initrd > $@ + rm tmp/pol.initrd +# Note: Can't use install, so not sure how to deal with mode, user, and group +# other than by default. 
$(POLICYCONF): policy.conf mkdir -p $(SRCINSTALLDIR) install -m 644 -o root -g root policy.conf $@ +$(POLICYCONF).initrd: policy.conf.initrd + mkdir -p $(SRCINSTALLDIR) + install -m 644 -o root -g root policy.conf.initrd $@ + reload tmp/load: $(LOADPATH) $(BINDIR)/load_policy $(LOADPATH) touch tmp/load load: tmp/load -policy.conf: tmp $(POLICYFILES) +policy.conf: $(POLICYFILES) + mkdir -p tmp m4 -Imacros -s $(POLICYFILES) > policy.conf install-src: mkdir -p $(SRCINSTALLDIR)/policy cp -R . $(SRCINSTALLDIR)/policy -initrd-policy.conf: $(INITRDPOLICYFILES) - m4 -Imacros -s $(INITRDPOLICYFILES) > initrd-policy.conf +policy.conf.initrd: $(INITRDPOLICYFILES) + m4 -Imacros -s $(INITRDPOLICYFILES) > $@ ALLTEFILES := attrib.te tmp/program_used_flags.te tmp/all_macros.te tmp/all_types.te tmp/all_domains.te assert.te tmp/all.te: $(ALLTEFILES) cat $^ > $@ -INITRDALLTEFILES = $(subst all_domains.te,all_initrd_domains.te,$(subst program_used_flags.te,initrd_program_used_flags.te,$(POLICYFILES))) +INITRD_ALLTEFILES := attrib.te tmp/initrd_program_used_flags.te tmp/all_macros.te tmp/all_types.te tmp/all_initrd_domains.te assert.te -tmp/initrd_all.te: $(INITRDALLTEFILES) +tmp/initrd_all.te: $(INITRD_ALLTEFILES) cat $^ > $@ tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program + mkdir -p tmp ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@ tmp/initrd_program_used_flags.te: $(wildcard initrd-domains/*.te) initrd-domains @@ -130,8 +126,7 @@ cat $(FCFILES) > $@ clean: - rm -f $(POLICYVER) policy.conf - rm -f initrd-$(POLICYVER) initrd-policy.conf + rm -f policy.conf policy.conf.initrd rm -f tmp/* rm -f $(FC) diff -ruN /tmp/policy/assert.te policy/assert.te --- /tmp/policy/assert.te 2002-08-23 21:04:27.000000000 +0200 +++ policy/assert.te 2002-08-29 00:32:49.000000000 +0200 
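Review bot: The two install recipes (`$(LOADPATH)` and `$(LOADPATH).initrd`) create the installed policy with a shell redirect, `gzip -9 < tmp/pol > $@`, so its mode and owner depend on the invoking user's umask, and a failed gzip leaves a truncated file at the install path that looks up to date. The removed initrd rule used `install -m 644 -o root -g root`; now that the compiled policy is staged under tmp/, the "Can't use install" note appears not to apply and the staged file can be installed the same way. Both recipes also write into tmp/ without the old `tmp` prerequisite, so they rely on another rule having created that directory. Separately, the context rule `reload tmp/load` still passes `$(LOADPATH)` to `load_policy`; whether it accepts a gzip-compressed policy is not visible here and should be confirmed.

```make
$(LOADPATH): $(POLICYCONF) $(CHECKPOLICY)
	mkdir -p $(INSTALLDIR) tmp
	$(CHECKPOLICY) -o tmp/pol $(POLICYCONF)
	gzip -9 < tmp/pol > tmp/pol.gz
	install -m 644 -o root -g root tmp/pol.gz $@
	rm -f tmp/pol tmp/pol.gz

# … $(LOADPATH).initrd: same staging with tmp/pol.initrd and tmp/pol.initrd.gz; $(POLICYCONF) rules unchanged …
```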
@@ -70,7 +70,7 @@ # neverallow ~{ initrc_t admin kernel_t insmod_t } sysctl_t:file { write append }; neverallow ~{ initrc_t admin } sysctl_fs_t:file { write append }; -neverallow ~{ initrc_t admin kernel_t kmod_t insmod_t } sysctl_kernel_t:file { write append }; +neverallow ~{ init_t initrc_t admin kernel_t kmod_t insmod_t } sysctl_kernel_t:file { write append }; neverallow ~{ initrc_t admin } sysctl_net_t:file { write append }; neverallow ~{ initrc_t admin } sysctl_net_unix_t:file { write append }; neverallow ~{ initrc_t admin } sysctl_vm_t:file { write append }; @@ -89,8 +89,8 @@ ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', `assert_execute($1) assert_execute(shift($@))')') -assert_execute(getty, klogd) - +ifdef(`getty.te', `assert_execute(getty)') +assert_execute(klogd) ifdef(`atd.te', `assert_execute(atd)') ifdef(`tcpd.te', `assert_execute(tcpd)') ifdef(`portmap.te', `assert_execute(portmap)') @@ -101,8 +101,10 @@ ifdef(`xfs.te', `assert_execute(xfs)') ifdef(`gpm.te', `assert_execute(gpm)') +ifdef(`login.te', ` neverallow { local_login_t remote_login_t } ~login_exec_t:file entrypoint; neverallow { local_login_t remote_login_t } ~ld_so_t:file execute_no_trans; +') # # Verify that the passwd domain can only be entered by its diff -ruN /tmp/policy/domains/program/init.te policy/domains/program/init.te --- /tmp/policy/domains/program/init.te 2002-09-09 19:54:11.000000000 +0200 +++ policy/domains/program/init.te 2002-09-10 00:10:38.000000000 +0200 @@ -36,6 +36,11 @@ # Run init. can_exec(init_t, init_exec_t) +# Run chroot from initrd scripts. +ifdef(`chroot.te', ` +can_exec(init_t, chroot_exec_t) +') + # Create /dev/initctl. file_type_auto_trans(init_t, device_t, initctl_t) 
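Review bot: Adding `init_t` to the exception set of the `sysctl_kernel_t:file { write append }` neverallow loosens the assertion for every policy built from assert.te, and nothing in the hunk says why init needs it. The Makefile lists assert.te in both ALLTEFILES and INITRD_ALLTEFILES, so the running-system policy could now grant init_t write access to kernel sysctls without tripping the check, even if the need comes only from the initrd (an inference; the matching allow rule is not in this diff). A comment above the line, such as `# init_t: needed by the initrd linuxrc before pivot_root (TODO: name the sysctl)`, would let a later reviewer judge whether the exception can be narrowed or dropped.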
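Review bot: Putting the getty assertion behind an ifdef on getty.te makes its entrypoint and execute_no_trans checks disappear silently whenever that flag is undefined, and the login block wrapped in the next hunk (-101,8) has the same property. The flags are generated from the file names under domains/program (the `define` loop in the Makefile), so renaming or moving getty.te or login.te drops the assertion with no build-time signal. `assert_execute(klogd)` stays unconditional, so a build without a klogd domain would presumably still fail there; confirm that is intended. A comment such as `# skipped when getty.te is not part of the build (initrd policy)` would record that the omission is deliberate.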
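Review bot: `can_exec(init_t, chroot_exec_t)` lets chroot run inside init_t rather than in a domain of its own, and the only guard is whether chroot.te is part of the build. The comment gives initrd scripts as the reason, but this file sits under domains/program, so the rule presumably also lands in the running-system policy, where no need for it is stated. If the tree has no macro that marks an initrd build, extend the comment, e.g. `# chroot runs in init_t with no transition; only the initrd linuxrc needs this`, so the grant can be revisited later.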
@@ -88,3 +93,6 @@ # reparented to init, so we need these type transition rules. # # These rules have been moved to the individual target domain .te files. + +# for initrd pivot_root seems to access this +dontaudit init_t file_labels_t:dir { search }; diff -ruN /tmp/policy/genfs_contexts policy/genfs_contexts --- /tmp/policy/genfs_contexts 2002-09-09 19:54:04.000000000 +0200 +++ policy/genfs_contexts 2002-08-29 00:35:11.000000000 +0200 @@ -88,7 +88,9 @@ genfscon devfs /ppp system_u:object_r:ppp_device_t genfscon devfs /fb -c system_u:object_r:framebuf_device_t genfscon devfs /initctl system_u:object_r:initctl_t +ifdef(`syslog.te', ` genfscon devfs /log system_u:object_r:devlog_t +') genfscon devfs /misc/psaux system_u:object_r:mouse_device_t genfscon devfs /misc/nvram system_u:object_r:memory_device_t genfscon devfs /input/mouse system_u:object_r:mouse_device_t 
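Review bot: The `dontaudit` is added on the strength of a guess (the comment says pivot_root "seems to" access this), and it suppresses the denial record for every init_t search of a file_labels_t directory, not only during initrd boot. Silencing an access that has not been understood removes the one signal that would explain it or reveal a later change in init's behaviour. Record what was actually observed, e.g. `# avc denied { search } for init_t on file_labels_t during initrd pivot_root (TODO: confirm cause)`. The braces around the single permission can also go: `dontaudit init_t file_labels_t:dir search;`.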
@@ -111,4 +113,24 @@ genfscon autofs / system_u:object_r:autofs_t ') -# FLASK +# romfs +genfscon romfs / system_u:object_r:root_t +genfscon romfs /bin system_u:object_r:bin_t +genfscon romfs /bin/mount system_u:object_r:mount_exec_t +genfscon romfs /bin/umount system_u:object_r:mount_exec_t +genfscon romfs /bin/ash system_u:object_r:shell_exec_t +genfscon romfs /etc system_u:object_r:etc_t +genfscon romfs /lib system_u:object_r:lib_t +genfscon romfs /lib/ld-linux.so.2 system_u:object_r:ld_so_t +genfscon romfs /lib/libc.so.6 system_u:object_r:shlib_t +genfscon romfs /lib/modules system_u:object_r:modules_object_t +genfscon romfs /linuxrc system_u:object_r:init_exec_t +genfscon romfs /linuxrc.conf system_u:object_r:etc_t +genfscon romfs /loadmodules system_u:object_r:shell_exec_t +genfscon romfs /sbin system_u:object_r:sbin_t +genfscon romfs /sbin/init system_u:object_r:init_exec_t +genfscon romfs /sbin/insmod system_u:object_r:insmod_exec_t +genfscon romfs /sbin/modprobe system_u:object_r:insmod_exec_t +genfscon romfs /scripts system_u:object_r:sbin_t +genfscon romfs /tmp system_u:object_r:tmp_t +genfscon romfs /usr system_u:object_r:sbin_t
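Review bot: `genfscon romfs /usr` is labelled `sbin_t`, the same type as /sbin and /scripts, which reads like a copy-paste or an undocumented shortcut; anything under /usr on the romfs image would be treated as sbin content. The block is also unconditional, unlike the ifdef on syslog.te added in the previous hunk, so types such as `mount_exec_t` and `insmod_exec_t` must exist in every policy that includes this file; presumably they do, but that is not visible here. A header comment stating that the list mirrors one specific initrd image layout, including the hard-coded `ld-linux.so.2` and `libc.so.6` names, would tell maintainers to update it when the image changes.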