* some policy patches
@ 2003-05-24 16:07 Tom
From: Tom @ 2003-05-24 16:07 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]

I have attached three diff files for policy changes. These are against
Russell's default policy, though from the file comments at least one
(xdm) is unchanged from the upstream tree.

xdm.diff contains updates to the xdm, xserver and xfs domains. Together
with my patched wdm I can boot into a graphical login and work in X,
all in enforcing mode. Accomplishing this made me very happy. :)

apm.diff contains minor updates so that acpid works (they are very
similar in requirements, and you don't usually have both running
anyway, so a shared domain for apmd and acpid should be ok).

games.diff enables what I believe to be better games support. I have a
notebook with SELinux now and during long train trips I might want to
get some entertainment. The major change is that I have added support
for the data games want to store in the user's home directory and
updated the file context definitions (I don't want Quake3, which has
known remote holes, to be able to write to the user's home dir any more
than absolutely necessary).
Using this policy, I can play Majesty in enforcing mode. I've also
tried Uplink, but it's ugly, ugly (patches itself while running. No,
I'm not joking).

Anyway - here they are. Comments welcome. If you merge them, please
drop me a short note so I can update my webpage.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

[-- Attachment #2: xdm.diff --]
[-- Type: text/plain, Size: 7121 bytes --]

diff -ru default/domains/program/xdm.te current/domains/program/xdm.te
--- default/domains/program/xdm.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xdm.te	2003-05-24 13:08:34.000000000 +0200
@@ -3,7 +3,7 @@
 # Authors:  Mark Westerman mark.westerman@westcam.com
 # 
 # Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
-#
+# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
 
 #################################
 # 
@@ -11,19 +11,29 @@
 #
 # xdm_t is the domain of a X Display Manager process 
 # spawned by getty.
-# xdm_exec_t is the type of the [xgk]dm program
+# xdm_exec_t is the type of the [xgkw]dm program
 #
 daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')
 
 # for running xdm from init
 domain_auto_trans(init_t, xdm_exec_t, xdm_t)
 
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+
 tmp_domain(xdm)
 var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+# Added write access, not sure if it is required (Tom)
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 type xsession_exec_t, file_type, sysadmfile, exec_type;
+type etc_xdm_t, file_type, sysadmfile;
+
+# xdm_xserver_t needs to inherit the init file descriptors
+allow xdm_xserver_t initrc_t:fd { use };
+allow xdm_xserver_t initrc_t:fifo_file { read write };
 
 allow xdm_t default_context_t:file { read getattr };
 
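Review bot: the `write` added in `allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };` is flagged as unverified in its own comment and should be dropped: xdm creates the file and the X server only needs to read it, so leave the rule at `{ getattr read }` and investigate a denial if one actually appears. The two initrc_t rules (`allow xdm_xserver_t initrc_t:fd { use };` and the fifo_file read/write) hand the X server a live descriptor into the init script; if the descriptor is merely leaked across exec, `dontaudit xdm_xserver_t initrc_t:fd use;` keeps the log quiet without granting the channel, and the fifo rule becomes unnecessary.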
@@ -35,13 +45,23 @@
 # for reboot
 allow xdm_t initctl_t:fifo_file write;
 
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t etc_xdm_t:file { read };
+
 #
 # Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_rawio };
+
+# Use shared memory (with itself)
+allow xdm_t xdm_t:shm { create destroy read unix_read unix_write write };
 
 # Use /dev/mem.
 # Commented out by default.
 #allow xdm_t memory_device_t:chr_file { execute read write };
+# wdm just asks for read access
+allow xdm_t memory_device_t:chr_file { read };
+# but xdm_xserver wants to write, too
+allow xdm_xserver_t memory_device_t:chr_file { read write };
 
 allow xdm_t random_device_t:chr_file { getattr read };
 
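Review bot: `sys_rawio` in the capability line together with `allow xdm_t memory_device_t:chr_file { read };` lets the display manager read arbitrary physical memory through /dev/mem, and nothing in the comments justifies it; the file already grants `random_device_t` read for entropy, so try `dontaudit xdm_t self:capability sys_rawio;` plus a dontaudit on memory_device_t first and check whether wdm still works. The `xdm_xserver_t` /dev/mem write belongs in the xserver macro rather than here, since a server started via startx needs it equally. Minor: `allow xdm_t xdm_t:shm { ... }` can use `self` and the `create_shm_perms` macro, and `allow initrc_t etc_xdm_t:file { read };` most likely needs `getattr` as well (the xdm.te attached to the reply grants `{ getattr read }`).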
@@ -67,7 +87,6 @@
 
 # Access xdm log files.
 file_type_auto_trans(xdm_t, var_log_t, xserver_var_log_t)
-
 allow xdm_t xserver_var_log_t:file create_file_perms;
 
 allow userdomain xdm_xserver_t:unix_stream_socket connectto;
@@ -88,7 +107,7 @@
 allow xdm_t lastlog_t:file rw_file_perms;
 
 # Ask the security server for SIDs for user sessions.
-allow xdm_t security_t:security { get_user_sids context_to_sid };
+allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };
 
 # Access the shared memory pseudo file system.
 # Should really define a derived type for this.
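Review bot: the comment above `allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };` still only describes looking up SIDs for user sessions; `sid_to_context` is the reverse mapping, so extend the comment with what xdm uses it for, otherwise the next reader will wonder whether it was a stray addition.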
@@ -111,6 +130,11 @@
 allow xdm_t etc_t:lnk_file read;
 allow xdm_t etc_runtime_t:file { getattr read };
 
+# wdm has its own config dir /etc/X11/wdm
+file_type_auto_trans(xdm_t, etc_t, etc_xdm_t);
+allow xdm_t etc_xdm_t:file create_file_perms;
+allow xdm_t etc_xdm_t:dir rw_file_perms;
+
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
 
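Review bot: `allow xdm_t etc_xdm_t:dir rw_file_perms;` applies a file permission macro to the dir class; `rw_dir_perms` is the one meant, and since `file_type_auto_trans(xdm_t, etc_t, etc_xdm_t)` already expands to rw_dir_perms on the parent directory plus create permissions on the new type, both explicit rules after it are redundant. With no fourth argument the transition also fires for every object class xdm_t creates under etc_t, so a directory or socket created anywhere under /etc gets labelled etc_xdm_t; pass `file` as the class (as the xdm.te attached to the reply does) and state in the comment which files wdm writes to /etc/X11/wdm at runtime, because letting a display manager rewrite its own configuration directory is worth a deliberate decision.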
@@ -143,10 +167,23 @@
 dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
 
 # Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_var_log_t:file append;
+dontaudit unpriv_userdomain xserver_var_log_t:file { write append };
+
 
 # Access sound device.
 allow xdm_t sound_device_t:chr_file { setattr getattr };
 
 # Run the X server in a derived domain.
 xserver_domain(xdm)
+
+
+#
+# When the user session comes up, it checks the wdm config dir
+# and the authfiles in /var/lib/wdm/authdir/authfiles/
+allow user_t etc_xdm_t:dir { search };
+allow user_t xdm_exec_t:file { entrypoint };
+allow user_t xdm_var_lib_t:file { read write };
+
+# Also, it inherits an fd
+allow xdm_xserver_t user_t:fd { use };
+
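Review bot: `allow user_t xdm_exec_t:file { entrypoint };` makes the display manager binary (and the wdm Xsetup/Xstartup/Xreset/Xsession scripts, which the xdm.fc hunk labels xdm_exec_t) a valid entry point into the user domain, which inverts the intended trust boundary; label the session script `xsession_exec_t`, as `/etc/X11/Xsession[^/]*` already is, and the existing `domain_trans(xdm_t, xsession_exec_t, ...)` rule covers it. The block also hard-codes `user_t`, which breaks as soon as a second user role exists; use `unpriv_userdomain` as the rest of the file does. `allow user_t xdm_var_lib_t:file { read write };` should lose `write`, since the comment says the session only checks the auth files, and `allow xdm_xserver_t user_t:fd { use };` is another inherited-descriptor case that wants a dontaudit rather than an allow.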
diff -ru default/domains/program/xfs.te current/domains/program/xfs.te
--- default/domains/program/xfs.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xfs.te	2003-05-24 10:46:46.000000000 +0200
@@ -13,7 +13,15 @@
 #
 daemon_domain(xfs)
 
-tmp_domain(xfs)
+# tmp_domain(xfs)
+# for /tmp/.font-unix/fs7100
+type xfs_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
+
+allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t proc_t:file { getattr read };
+
+allow xfs_t self:process setpgid;
 
 # Use capabilities.
 allow xfs_t xfs_t:capability { setgid setuid };
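Review bot: commenting out `tmp_domain(xfs)` and declaring `type xfs_tmp_t` by hand leaves no record of why the macro was unsuitable, and the context line `allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;` in the next hunk shows the type was already expected to exist, so the macro very likely declared it; if so, re-enabling the macro later collides with this declaration. Prefer keeping `tmp_domain(xfs)` and adding only the missing `file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)` for /tmp/.font-unix, with a comment explaining that the socket directory is created by the init script (which is why the parent type is initrc_tmp_t).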
@@ -21,3 +29,5 @@
 # Bind to /tmp/.font-unix/fs-1.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 
+allow xfs_t tmp_t:dir { search };
+
diff -ru default/domains/program/xserver.te current/domains/program/xserver.te
--- default/domains/program/xserver.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xserver.te	2003-05-24 11:04:36.000000000 +0200
@@ -34,3 +34,7 @@
 # Everything else is in the xserver_domain macro in
 # macros/program/xserver_macros.te.
 
+# XFree86-4 wants to check if kernel is tainted
+allow xdm_xserver_t sysctl_kernel_t:dir { search };
+allow xdm_xserver_t sysctl_kernel_t:file { getattr read };
+allow xdm_xserver_t sysctl_t:dir { search };
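Review bot: these three sysctl rules are granted to `xdm_xserver_t` only, yet the context comment says everything else for the X server lives in `macros/program/xserver_macros.te`; a server started via startx runs in a different `$1_xserver_t` domain and will hit the same denial, so add them to the macro as `$1_xserver_t` rules instead. `sysctl_kernel_t:file { getattr read }` also covers all of /proc/sys/kernel, not just the tainted flag the comment names; that is acceptable, but the comment should say so.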
diff -ru default/file_contexts/program/xdm.fc current/file_contexts/program/xdm.fc
--- default/file_contexts/program/xdm.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/xdm.fc	2003-05-24 11:32:37.000000000 +0200
@@ -1,11 +1,19 @@
 # X Display Manager
-/usr/bin/[xgk]dm                system_u:object_r:xdm_exec_t
+/usr/bin/[xgkw]dm               system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/[xgkw]dm         system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/wdmLogin         system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm                 system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)?              system_u:object_r:xserver_var_log_t
-/usr/var/[xgk]dm(/.*)?          system_u:object_r:xserver_var_log_t
-/var/log/kdm\.log		system_u:object_r:xserver_var_log_t
+/usr/sbin/update_wdm_wmlist     system_u:object_r:xdm_exec_t
+/var/[xgkw]dm(/.*)?             system_u:object_r:xserver_var_log_t
+/usr/var/[xgkw]dm(/.*)?         system_u:object_r:xserver_var_log_t
+/var/log/[xgkw]dm\.log		system_u:object_r:xserver_var_log_t
 /tmp/\.X11-unix(/.*)?		system_u:object_r:initrc_xserver_tmp_t
 /tmp/\.X0-lock			system_u:object_r:xdm_tmp_t
 /etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm(/.*)?		system_u:object_r:etc_xdm_t
+/etc/X11/wdm/Xsetup(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xstartup(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xreset(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xsession		system_u:object_r:xdm_exec_t
 /var/run/xdmctl			system_u:object_r:xdm_var_run_t
 /var/lib/kdm(/.*)?		system_u:object_r:xdm_var_lib_t
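Review bot: `/etc/X11/wdm/Xsession` is labelled `xdm_exec_t` while the generic `/etc/X11/Xsession[^/]*` entry above it uses `xsession_exec_t`; the session script is what the display manager executes to start the user session, so it should carry `xsession_exec_t` too, which removes the need for the `user_t ... entrypoint` rule in the xdm.te hunk. `/etc/X11/wdm(/.*)?` also overlaps the four specific entries after it, so confirm that setfiles resolves the specific ones as intended, and check whether Xsetup/Xstartup/Xreset are run by xdm without a domain change, in which case xdm_exec_t is the wrong type for them. Finally, if `/usr/sbin/update_wdm_wmlist` is what the init script runs to refresh the window manager list (as the xdm.te comment suggests), it executes in initrc_t with no transition defined for xdm_exec_t from there; decide which domain it should run in.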

[-- Attachment #3: apm.diff --]
[-- Type: text/plain, Size: 1053 bytes --]

diff -ru default/domains/program/apmd.te current/domains/program/apmd.te
--- default/domains/program/apmd.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/apmd.te	2003-05-24 11:44:40.000000000 +0200
@@ -34,6 +34,12 @@
 allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
 allow apmd_t etc_t:lnk_file read;
 
+# acpid wants a socket
+allow apmd_t var_run_t:sock_file create_file_perms;
+
+# acpid also has a logfile
+log_domain(apmd)
+
 # for id
 allow apmd_t security_t:security sid_to_context;
 
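Review bot: `allow apmd_t var_run_t:sock_file create_file_perms;` lets the daemon create sockets of the generic var_run_t type, but the apmd.fc hunk labels `/var/run/.acpid.socket` as `apmd_var_run_t`, so the running daemon and setfiles will disagree about the socket's label. Use `file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)` so the socket is created with the derived type and drop the generic rule; `log_domain(apmd)` is fine, but the comment should name the log file it is for.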
diff -ru default/file_contexts/program/apmd.fc current/file_contexts/program/apmd.fc
--- default/file_contexts/program/apmd.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/apmd.fc	2003-05-24 11:38:46.000000000 +0200
@@ -1,4 +1,7 @@
 # apmd
 /usr/sbin/apmd			system_u:object_r:apmd_exec_t
+/usr/sbin/acpid			system_u:object_r:apmd_exec_t
 /usr/bin/apm			system_u:object_r:apm_exec_t
 /var/run/apmd\.pid		system_u:object_r:apmd_var_run_t
+/var/run/.acpid.socket		system_u:object_r:apmd_var_run_t
+
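Review bot: `/var/run/.acpid.socket` has both dots unescaped; file_contexts paths are regular expressions, so `.` matches any character, whereas the `/var/run/apmd\.pid` entry above escapes it. Write `/var/run/\.acpid\.socket` so the entry cannot also match an unrelated name.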

[-- Attachment #4: games.diff --]
[-- Type: text/plain, Size: 3207 bytes --]

diff -ru default/domains/program/games.te current/domains/program/games.te
--- default/domains/program/games.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/games.te	2003-05-24 13:32:04.000000000 +0200
@@ -2,6 +2,8 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 #
+#          Changes by Tom Vogt <tom@lemuria.org>
+#
 
 # type for shared data from games
 type games_data_t, file_type, sysadmfile;
@@ -14,3 +16,28 @@
 
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.
+
+# games_t also used for games installed on the system, run by the user,
+# so holes in them won't compromise the user session
+allow user_t games_data_t:file r_file_perms;
+allow user_t games_data_t:dir r_dir_perms;
+
+# Game data stored in user home dirs
+type games_usrdata_t, file_type, sysadmfile;
+allow user_games_t user_home_t:dir { search };
+file_type_auto_trans(user_games_t, user_home_t, games_usrdata_t);
+#
+# Allow users to read and write these files
+# If we want to prevent cheating, we could take away the write
+# permissions. :)
+allow user_t games_usrdata_t:file create_file_perms;
+allow user_t games_usrdata_t:dir create_dir_perms;
+
+# Various access attempts to devices. Many games work just fine without,
+# but if yours doesn't, try to comment these out and look for which ones
+# it needs:
+dontaudit user_games_t device_t:chr_file { getattr };
+dontaudit user_games_t fixed_disk_device_t:blk_file { getattr };
+dontaudit user_games_t removable_device_t:blk_file { getattr };
+dontaudit user_games_t removable_device_t:lnk_file { read };
+
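Review bot: the comment `# games_t also used for games installed on the system ...` does not describe the two rules under it, which grant `user_t` read access to `games_data_t`; say what those rules are for. The block hard-codes `user_t` five times; use `unpriv_userdomain` so additional user roles pick the rules up. `allow user_games_t user_home_t:dir { search };` is redundant, because `file_type_auto_trans(user_games_t, user_home_t, games_usrdata_t)` expands to `rw_dir_perms` on user_home_t, which includes search; and with no class argument that macro also transitions directories, which the `create_dir_perms` rule below relies on, so say so in the comment or pass the classes explicitly.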
diff -ru default/file_contexts/program/games.fc current/file_contexts/program/games.fc
--- default/file_contexts/program/games.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/games.fc	2003-05-24 13:32:12.000000000 +0200
@@ -1,5 +1,15 @@
-#  netscape/mozilla
-/usr/games/.*		system_u:object_r:games_exec_t
+#  games installed on the system
+# Most games installed in /usr/local/games don't follow FHS conventions and
+# drop the binaries in with the data - therefore, you must relabel the
+# binaries to system_u:object_r:games_exec_t manually!
+/usr/games(/.*)?	system_u:object_r:games_data_t
+/usr/local/games(/.*)?	system_u:object_r:games_data_t
 /usr/lib/games/.* --	system_u:object_r:games_exec_t
 /var/games(/.*)?	system_u:object_r:games_data_t
 /usr/bin/micq		system_u:object_r:games_exec_t
+#
+# Some examples
+# Majesty (Fantasy RTS)
+/usr/local/games/majesty/majesty		system_u:object_r:games_exec_t
+/usr/local/games/majesty/majx			system_u:object_r:games_exec_t
+/usr/local/games/majesty/netmodules/libtcp_ip.so	system_u:object_r:games_exec_t
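Review bot: replacing `/usr/games/.* ... games_exec_t` with `/usr/games(/.*)? ... games_data_t` removes the exec label from every binary in /usr/games, so distribution-packaged games there no longer transition into the games domain and run in the user's own domain; the comment itself admits the binaries must now be relabelled by hand. Keep an exec rule for regular files, e.g. `/usr/games/[^/]*  --  system_u:object_r:games_exec_t` using the `--` qualifier already used for `/usr/lib/games/.*`, and reserve games_data_t for subdirectories; the per-game examples then only need entries for binaries that live among their data under /usr/local/games.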
diff -ru default/file_contexts/types.fc current/file_contexts/types.fc
--- default/file_contexts/types.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/types.fc	2003-05-24 12:46:13.000000000 +0200
@@ -229,7 +229,7 @@
 /usr/lib/gconv/.*\.so		system_u:object_r:shlib_t
 /usr/share/guile/g-wrapped/.*\.so system_u:object_r:shlib_t
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
-/usr/games(/.*)?		system_u:object_r:bin_t
+#/usr/games(/.*)?		system_u:object_r:bin_t
 
 #
 # /usr/.*glibc.*-linux/lib
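Review bot: rather than leaving `#/usr/games(/.*)? ... bin_t` commented out, delete the line and add a one-line pointer to games.fc, which now owns the /usr/games labels; a commented-out context line in a shared file invites someone to re-enable it and reintroduce the conflict.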

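Two of the labelling problems in these patches are mechanical and can be caught before a policy is loaded: an unescaped `.` in a file_contexts path (the `/var/run/.acpid.socket` entry) and one path claimed by entries with different types (`/etc/X11/wdm(/.*)?` against `/etc/X11/wdm/Xsession`). The following is an added example, not code from the thread or from the SELinux policy tree: a small Python linter run over constructed file_contexts lines modelled on the hunks above. It assumes setfiles-style whole-path matching and treats any `.` that is neither escaped nor followed by a quantifier as a probable typo; `SAMPLE_FC`, `parse_fc`, `lint` and the probe paths are names made up for this example.

```python
"""Lint SELinux file_contexts entries for unescaped dots and for paths that
several entries claim with different contexts."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample, modelled on the xdm.fc and apmd.fc hunks in this thread;
# it is not the policy's real file (assumption for this example).
SAMPLE_FC = r"""
# X Display Manager
/usr/bin/[xgkw]dm               system_u:object_r:xdm_exec_t
/etc/X11/Xsession[^/]*   --     system_u:object_r:xsession_exec_t
/etc/X11/wdm(/.*)?              system_u:object_r:etc_xdm_t
/etc/X11/wdm/Xsession           system_u:object_r:xdm_exec_t
/var/run/apmd\.pid              system_u:object_r:apmd_var_run_t
/var/run/.acpid.socket          system_u:object_r:apmd_var_run_t
"""


class FcEntry(NamedTuple):
    lineno: int
    pattern: str          # path regex exactly as written in the file
    ftype: Optional[str]  # optional file-type qualifier such as "--" or "-d"
    context: str          # user:role:type


def parse_fc(text: str) -> List[FcEntry]:
    """Parse lines of the form 'regex [ftype] context'; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        entries.append(FcEntry(lineno, pattern, ftype, context))
    return entries


# A '.' that is neither escaped nor followed by a quantifier is almost
# certainly meant literally and should have been written '\.'.
_UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?![*+?])")


def unescaped_dots(entry: FcEntry) -> List[int]:
    """Offsets of suspicious unescaped dots in the entry's pattern."""
    return [m.start() for m in _UNESCAPED_DOT.finditer(entry.pattern)]


def matching_entries(entries: List[FcEntry], path: str) -> List[FcEntry]:
    """All entries whose regex matches the whole path (setfiles anchors both ends)."""
    return [e for e in entries if re.fullmatch(e.pattern, path)]


def conflicting_contexts(entries: List[FcEntry], path: str) -> List[str]:
    """Distinct contexts claimed for one path, in file order; more than one
    means the result depends on the tool's precedence rules and deserves a look."""
    seen: List[str] = []
    for e in matching_entries(entries, path):
        if e.context not in seen:
            seen.append(e.context)
    return seen


def lint(text: str, probe_paths: List[str]) -> List[str]:
    """Human-readable findings for the file and for the given sample paths."""
    entries = parse_fc(text)
    findings = []
    for e in entries:
        offs = unescaped_dots(e)
        if offs:
            findings.append(f"line {e.lineno}: unescaped '.' at {offs} in {e.pattern}")
    for path in probe_paths:
        ctxs = conflicting_contexts(entries, path)
        if len(ctxs) > 1:
            findings.append(f"{path}: matched by entries with different types {ctxs}")
    return findings


if __name__ == "__main__":
    # The second probe is deliberately misspelled: it still matches the
    # unescaped /var/run/.acpid.socket entry, which is the whole point.
    for finding in lint(SAMPLE_FC, ["/etc/X11/wdm/Xsession", "/var/run/XacpidXsocket"]):
        print(finding)
    for e in matching_entries(parse_fc(SAMPLE_FC), "/var/run/XacpidXsocket"):
        print(f"/var/run/XacpidXsocket is matched by line {e.lineno}: {e.pattern}")
```

Running it on the sample reports the unescaped dots on the acpid line and the two different types claimed for `/etc/X11/wdm/Xsession`; the overlap is not necessarily a bug, but every such path should be checked against what setfiles actually assigns.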

* Re: some policy patches
From: Russell Coker @ 2003-05-24 17:55 UTC (permalink / raw)
  To: Tom, SE Linux

[-- Attachment #1: Type: text/plain, Size: 3007 bytes --]

On Sun, 25 May 2003 02:07, Tom wrote:
> I have attached three diff files for policy changes. These are against
> Russell's default policy, though from the file comments at least one
> (xdm) is unchanged from the upstream tree.
>
> xdm.diff contains updates to the xdm, xserver and xfs domains. Together
> with my patched wdm I can boot into a graphical login and work in X,
> all in enforcing mode. Accomplishing this made me very happy. :)

> # Added write access, not sure if it is required (Tom)
> allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };

Write access should not be required.  xdm should create the file and the 
xserver should just read from it.

> # xdm_xserver_t needs to inherit the init file descriptors
> allow xdm_xserver_t initrc_t:fd { use };
> allow xdm_xserver_t initrc_t:fifo_file { read write };

What happens when you put in a dontaudit rule for the file handle inheritance 
instead?

I suspect that wdm is just buggy and fails to correctly set the file handle to 
close-on-exec.

> -allow xdm_t self:capability { setgid setuid sys_resource kill };
> +allow xdm_t self:capability { setgid setuid sys_resource kill sys_rawio };

There's no good reason for it to need this.  What happens if you put in a 
dontaudit rule for sys_rawio?

> # wdm just asks for read access
> allow xdm_t memory_device_t:chr_file { read };

Bad.  XDM is not something that you want to allow reading all kernel memory.  
It should use /dev/random instead if you block /dev/mem.

> +# but xdm_xserver wants to write, too
> +allow xdm_xserver_t memory_device_t:chr_file { read write };

That is only if you are not using the frame-buffer.  See the below snippet 
from macros/program/xserver_macros.te (which is where you want to do this if 
you want to support "startx" as well as an xdm).

# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;
#allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };

> +allow user_t xdm_exec_t:file { entrypoint };

This is bad in several ways.  Firstly it's probably good style to use 
domain_trans() for such things, then people who read your policy can find 
what they expect to find.  Secondly, why is an xdm_exec_t program being used?

Finally, you should not use user_t in any policy.  unpriv_userdomain is one 
option to use.  If you start hard-coding user_t in policy then it'll be very 
painful when you want to add multiple user roles!

I have attached a modified xdm.te based on your work along with the new 
global_macros.te file it depends on.  I didn't include much of your patch, 
about half of the rest may go in but we need to determine exactly what it's 
for and put some decent comments in.

X is nasty.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: xdm.te --]
[-- Type: text/plain, Size: 5482 bytes --]

#DESC XDM - X Display Manager
#
# Authors:  Mark Westerman mark.westerman@westcam.com
#           Russell Coker <russell@coker.com.au>
#
# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
# 
# Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
#

#################################
# 
# Rules for the xdm_t domain.
#
# xdm_t is the domain of a X Display Manager process 
# spawned by getty.
# xdm_exec_t is the type of the [xgkw]dm program
#
daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')

# for running xdm from init
domain_auto_trans(init_t, xdm_exec_t, xdm_t)

# for xdmctl
allow xdm_t xdm_var_run_t:fifo_file create_file_perms;

tmp_domain(xdm)
var_lib_domain(xdm)
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
type xsession_exec_t, file_type, sysadmfile, exec_type;
type etc_xdm_t, file_type, sysadmfile;

allow xdm_t default_context_t:file { read getattr };

can_network(xdm_t)
allow xdm_t self:unix_stream_socket create_stream_socket_perms;
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:fifo_file rw_file_perms;

# for reboot
allow xdm_t initctl_t:fifo_file write;

# init script wants to check if it needs to update windowmanagerlist
allow initrc_t etc_xdm_t:file { getattr read };

#
# Use capabilities.
allow xdm_t self:capability { setgid setuid sys_resource kill };

# Use /dev/mem.
# Commented out by default.
#allow xdm_t memory_device_t:chr_file { execute read write };

allow xdm_t random_device_t:chr_file { getattr read };

# Transition to user domains for user sessions.
domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)

# Label pid and temporary files with derived types.
rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;

# Run helper programs.
can_exec_any(xdm_t)

# Access devices.
allow xdm_t apm_bios_t:chr_file { read write };
allow xdm_t dri_device_t:chr_file create_file_perms;
allow xdm_t dri_device_t:dir rw_dir_perms;
allow xdm_t agp_device_t:chr_file rw_file_perms;
allow xdm_t misc_device_t:chr_file { setattr getattr };
allow xdm_t psaux_t:chr_file { ioctl read write getattr };
allow xdm_t mouse_device_t:chr_file { ioctl read write getattr };
allow xdm_t tty_device_t:chr_file { ioctl read write setattr };

# Access xdm log files.
file_type_auto_trans(xdm_t, var_log_t, xserver_var_log_t)

allow xdm_t xserver_var_log_t:file create_file_perms;

allow xdm_t self:shm create_shm_perms;
allow userdomain xdm_xserver_t:unix_stream_socket connectto;
allow userdomain xdm_xserver_t:shm r_shm_perms;
allow userdomain xdm_xserver_t:fd use;
allow userdomain xdm_xserver_tmpfs_t:file read;
allow xdm_xserver_t userdomain:shm { unix_read unix_write read write };

ifdef(`gpm.te',
`# Talk to the console mouse server.
allow xdm_t gpmctl_t:sock_file { getattr setattr };')

# Update utmp and wtmp.
allow xdm_t initrc_var_run_t:file { read write lock };
allow xdm_t wtmp_t:file { append };

# Update lastlog.
allow xdm_t lastlog_t:file rw_file_perms;

# Ask the security server for SIDs for user sessions.
allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };

# Access the shared memory pseudo file system.
# Should really define a derived type for this.
allow xdm_t tmpfs_t:file { read write };

# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
allow xdm_t var_lib_t:file { create write unlink };
allow xdm_t var_lock_t:dir { write search add_name remove_name };
allow xdm_t var_lock_t:file { create write unlink };

# Connect to xfs.
ifdef(`xfs.te', `
allow xdm_t xfs_tmp_t:dir { search };
allow xdm_t xfs_tmp_t:sock_file { write };
can_unix_connect(xdm_t, xfs_t)')

allow xdm_t self:process { setpgid setsched };
allow xdm_t etc_t:lnk_file read;
allow xdm_t etc_runtime_t:file { getattr read };

# wdm has its own config dir /etc/X11/wdm
file_type_auto_trans(xdm_t, etc_t, etc_xdm_t, file);

# Signal any user domain.
allow xdm_t userdomain:process signal_perms;

allow xdm_t proc_t:file { getattr read };

allow xdm_t sysctl_kernel_t:dir search;
allow xdm_t sysctl_kernel_t:file read;

# Search /proc for any user domain processes.
allow xdm_t userdomain:dir r_dir_perms;
allow xdm_t userdomain:{ file lnk_file } r_file_perms;

# Allow xdm access to the user domains
allow xdm_t home_root_t:dir search;

# Do not audit denied attempts to access devices.
dontaudit xdm_t fixed_disk_device_t:blk_file rw_file_perms;
dontaudit xdm_t removable_device_t:blk_file rw_file_perms;
dontaudit xdm_t device_t:file_class_set rw_file_perms;
dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;

# Do not audit denied probes of /proc.
dontaudit xdm_t domain:dir r_dir_perms;
dontaudit xdm_t domain:{ file lnk_file } r_file_perms;

# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;

# Do not audit access to /root
dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };

# Do not audit user access to the X log files due to file handle inheritance
dontaudit unpriv_userdomain xserver_var_log_t:file { write append };

# Access sound device.
allow xdm_t sound_device_t:chr_file { setattr getattr };

# Run the X server in a derived domain.
xserver_domain(xdm)

[-- Attachment #3: global_macros.te --]
[-- Type: text/plain, Size: 26558 bytes --]

##############################
#
# Global macros for the type enforcement (TE) configuration.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# Modified: Howard Holm (NSA), <hdholm@epoch.ncsc.mil>
#           System V IPC added
#

#################################
# 
# Macros for groups of classes and 
# groups of permissions.
#

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket }')

#
# Datagram socket classes.
# 
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')


# 
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')

# 
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute }')

# 
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')

# 
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')

# 
# Permissions for reading and writing files and their attributes.
#
define(`rw_file_perms', `{ ioctl read getattr lock write append }')

# 
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')

#
# Permissions for linking, unlinking and renaming files.
# 
define(`link_file_perms', `{ getattr link unlink rename }')

#
# Permissions for creating and using files.
# 
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')

# 
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')

# 
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')

# 
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')


#
# Permissions for creating and using directories.
# 
define(`create_dir_perms', `{ create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir }')

#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
# 
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for using stream sockets.
# 
define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')

#
# Permissions for creating and using stream sockets.
# 
define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')


#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

#################################
# 
# Macros for type transition rules and
# access vector rules.
#

#
# Simple combinations for reading and writing both
# directories and files.
# 
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

define(`rw_dir_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:{ file lnk_file } rw_file_perms;
')

define(`ra_dir_file', `
allow $1 $2:dir ra_dir_perms;
allow $1 $2:{ file lnk_file } ra_file_perms;
')

define(`rw_dir_create_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:{ file lnk_file } create_file_perms;
')

define(`create_dir_file', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:{ file lnk_file } create_file_perms;
')

define(`create_dir_notdevfile', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:notdevfile_class_set create_file_perms;
')

define(`create_append_log_file', `
allow $1 $2:dir { read getattr search add_name write };
allow $1 $2:file { create ioctl getattr setattr append link };
')

#################################
#
# domain_trans(parent_domain, program_type, child_domain)
#
# Permissions for transitioning to a new domain.
#

define(`domain_trans',`

#
# Allow the process to transition to the new domain.
#
allow $1 $3:process transition;

#
# Allow the process to execute the program.
# 
allow $1 $2:file x_file_perms;

#
# Allow the process to reap the new domain.
#
allow $3 $1:process sigchld;

#
# Allow the new domain to inherit and use file 
# descriptions from the creating process and vice versa.
#
allow $3 $1:fd use;
allow $1 $3:fd use;

#
# Allow the new domain to write back to the old domain via a pipe.
#
allow $3 $1:fifo_file rw_file_perms;

#
# Allow the new domain to read and execute the program.
#
allow $3 $2:file rx_file_perms;

#
# Allow the new domain to be entered via the program.
#
allow $3 $2:file entrypoint;
')

#################################
#
# domain_auto_trans(parent_domain, program_type, child_domain)
#
# Define a default domain transition and allow it.
#
define(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')

define(`domain_auto_trans_read',`
domain_auto_trans($1, $2, $3)
allow $1 $2:file read;
')

#################################
#
# uses_shlib(domain)
#
# Permissions for using shared libraries.
#
define(`uses_shlib',`
allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_t:file execute_no_trans;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 shlib_t:file rx_file_perms;
allow $1 shlib_t:lnk_file r_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms;
allow $1 usr_t:{ file lnk_file } r_file_perms;
allow $1 device_t:dir search;
allow $1 null_device_t:chr_file rw_file_perms;
')

#################################
#
# can_ptrace(domain, domain)
#
# Permissions for running ptrace (strace or gdb) on another domain
#
define(`can_ptrace',`
allow $1 $2:process ptrace;
')

#################################
#
# can_exec(domain, type)
#
# Permissions for executing programs with
# a specified type without changing domains.
#
define(`can_exec',`
allow $1 $2:file { rx_file_perms execute_no_trans };
')

#################################
#
# can_exec_any(domain)
#
# Permissions for executing a variety
# of executable types.
#
define(`can_exec_any',`
allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
uses_shlib($1)
can_exec($1, etc_t)
can_exec($1, lib_t)
can_exec($1, bin_t)
can_exec($1, sbin_t)
can_exec($1, exec_type)
')


#################################
#
# file_type_trans(domain, dir_type, file_type)
#
# Permissions for transitioning to a new file type.
#

define(`file_type_trans',`

#
# Allow the process to modify the directory.
#
allow $1 $2:dir rw_dir_perms;

#
# Allow the process to create the file.
#
ifelse(`$4', `', `
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
', `
ifelse(`$4', `dir', `
allow $1 $3:$4 create_dir_perms;
', `
allow $1 $3:$4 create_file_perms;
')dnl end if dir
')dnl end if param 4 specified

')

#################################
#
# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
#
# the object class will default to notdevfile_class_set if not specified as
# the fourth parameter
#
# Define a default file type transition and allow it.
#
define(`file_type_auto_trans',`
ifelse(`$4', `', `
file_type_trans($1,$2,$3)
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
', `
file_type_trans($1,$2,$3,$4)
type_transition $1 $2:$4 $3;
')

')

#################################
#
# can_network(domain)
#
# Permissions for accessing the network.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network',`
#
# Allow the domain to create and use UDP and TCP sockets.
# Other kinds of sockets must be separately authorized for use.
allow $1 self:udp_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;

#
# Allow the domain to send UDP packets.
# Since the destination sockets type is unknown, the generic
# any_socket_t type is used as a placeholder.
#
allow $1 any_socket_t:udp_socket sendto;

#
# Allow the domain to send using any network interface.
# netif_type is a type attribute for all network interface types.
#
allow $1 netif_type:netif { tcp_send udp_send rawip_send };

#
# Allow packets sent by the domain to be received on any network interface.
#
allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };

#
# Allow the domain to receive packets from any network interface.
# netmsg_type is a type attribute for all default message types.
#
allow $1 netmsg_type:{ udp_socket tcp_socket rawip_socket } recvfrom;

#
# Allow the domain to initiate or accept TCP connections 
# on any network interface.
#
allow $1 netmsg_type:tcp_socket { connectto acceptfrom };

#
# Receive resets from the TCP reset socket.
# The TCP reset socket is labeled with the tcp_socket_t type.
#
allow $1 tcp_socket_t:tcp_socket recvfrom;

dontaudit $1 tcp_socket_t:tcp_socket connectto;

#
# Allow the domain to send to any node.
# node_type is a type attribute for all node types.
#
allow $1 node_type:node { tcp_send udp_send rawip_send };

#
# Allow packets sent by the domain to be received from any node.
#
allow $1 node_type:node { tcp_recv udp_recv rawip_recv };

#
# Allow the domain to send NFS client requests via the socket
# created by mount.
#
allow $1 mount_t:udp_socket rw_socket_perms;

#
# Bind to the default port type.
# Other port types must be separately authorized.
#
allow $1 port_t:udp_socket name_bind;
allow $1 port_t:tcp_socket name_bind;
')

#################################
#
# can_unix_connect(client, server)
#
# Permissions for establishing a Unix stream connection.
#
define(`can_unix_connect',`
allow $1 $2:unix_stream_socket connectto;
')

#################################
#
# can_unix_send(sender, receiver)
#
# Permissions for sending Unix datagrams.
#
define(`can_unix_send',`
allow $1 $2:unix_dgram_socket sendto;
')

#################################
#
# can_tcp_connect(client, server)
#
# Permissions for establishing a TCP connection.
#
define(`can_tcp_connect',`
allow $1 $2:tcp_socket { connectto recvfrom };
allow $2 $1:tcp_socket { acceptfrom recvfrom };
allow $2 tcp_socket_t:tcp_socket { recvfrom };
allow $1 tcp_socket_t:tcp_socket { recvfrom };
')

#################################
#
# can_udp_send(sender, receiver)
#
# Permissions for sending/receiving UDP datagrams.
#
define(`can_udp_send',`
allow $1 $2:udp_socket { sendto };
allow $2 $1:udp_socket { recvfrom };
')

#################################
#
# can_sysctl(domain)
#
# Permissions for modifying sysctl parameters.
#
define(`can_sysctl',`
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_t:file { setattr rw_file_perms };
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file { setattr rw_file_perms };
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file { setattr rw_file_perms };
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file { setattr rw_file_perms };
allow $1 sysctl_net_unix_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file { setattr rw_file_perms };
allow $1 sysctl_vm_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file { setattr rw_file_perms };
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file { setattr rw_file_perms };
allow $1 sysctl_modprobe_t:file { setattr rw_file_perms };
')


##################################
#
# base_pty_perms(domain_prefix)
#
# Base permissions used for can_create_pty() and can_create_other_pty()
#
define(`base_pty_perms', `
# Access the pty master multiplexer.
allow $1_t ptmx_t:chr_file rw_file_perms;

ifdef(`devfsd.te', `
allow $1_t device_t:filesystem getattr;
')
allow $1_t devpts_t:filesystem getattr;

# allow searching /dev/pts
allow $1_t devpts_t:dir { getattr read search };
')

##################################
#
# can_create_pty(domain_prefix, attributes)
#
# Permissions for creating ptys.
#
define(`can_create_pty',`
base_pty_perms($1)
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;

# Allow the pty to be associated with the file system.
allow $1_devpts_t devpts_t:filesystem associate;

# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;

# Read and write my pty files.
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
')


##################################
#
# can_create_other_pty(domain_prefix,other_domain)
#
# Permissions for creating ptys for another domain.
#
define(`can_create_other_pty',`
base_pty_perms($1)
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $2_devpts_t;

# Read and write pty files.
allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
')



################################################
#
# The following macros are an attempt to start
# partitioning every_domain into finer-grained subsets
# that can be used by individual domains.
#

#
# general_domain_access(domain)
#
# Grant permissions within the domain.
# This includes permissions to processes, /proc/PID files,
# file descriptors, pipes, Unix sockets, and System V IPC objects
# labeled with the domain.
#
define(`general_domain_access',`
# Access other processes in the same domain.
allow $1 self:process *;

# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;
allow $1 self:notdevfile_class_set r_file_perms;

# Access file descriptions, pipes, and sockets
# created by processes in the same domain.
allow $1 self:fd *;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;

# Allow the domain to communicate with other processes in the same domain.
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;

# Access System V IPC objects created by processes in the same domain.
allow $1 self:sem  create_sem_perms;
allow $1 self:msg  { send receive };
allow $1 self:msgq create_msgq_perms;
allow $1 self:shm  create_shm_perms;
')

#
# general_proc_read_access(domain)
#
# Grant read/search permissions to most of /proc, excluding
# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
# The general_domain_access macro grants access to the domain /proc/PID
# directories, but not to other domains.  Only permissions to stat
# are granted for /proc/kmsg and /proc/kcore, since these files are more
# sensitive.
# 
define(`general_proc_read_access',`
# Read system information files in /proc.
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:notdevfile_class_set r_file_perms;

# Stat /proc/kmsg and /proc/kcore.
allow $1 proc_kmsg_t:file stat_file_perms;
allow $1 proc_kcore_t:file stat_file_perms;

# Read system variables in /proc/sys.
allow $1 sysctl_modprobe_t:file r_file_perms;
allow $1 sysctl_t:file r_file_perms;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file r_file_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_net_t:file r_file_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
allow $1 sysctl_vm_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file r_file_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
')

#
# base_file_read_access(domain)
#
# Grant read/search permissions to a few system file types.
#
define(`base_file_read_access',`
# Read /.
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:notdevfile_class_set r_file_perms;

# Read /home.
allow $1 home_root_t:dir r_dir_perms;

# Read /usr.
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:notdevfile_class_set r_file_perms;

# Read bin and sbin directories.
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:notdevfile_class_set r_file_perms;
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:notdevfile_class_set r_file_perms;
')

#
# general_file_read_access(domain)
#
# Grant read/search permissions to many system file types.
#
define(`general_file_read_access',`
errprint(`m4: '__file__:__line__: `Warning:  general_file_read_access is deprecated.
')
# Get attributes of file systems.
allow $1 fs_type:filesystem getattr;

base_file_read_access($1)

# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1 readable_t:dir r_dir_perms;
allow $1 readable_t:notdevfile_class_set r_file_perms;

# Stat /...security and lost+found.
allow $1 file_labels_t:dir getattr;
allow $1 lost_found_t:dir getattr;

# Read the devpts root directory.  
allow $1 devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow $1 sshd_devpts_t:dir r_dir_perms;')

# Read the /tmp directory and any /tmp files with the base type.
# Temporary files created at runtime will typically use derived types.
allow $1 tmp_t:dir r_dir_perms;
allow $1 tmp_t:{ file lnk_file } r_file_perms;

# Read /var.
allow $1 var_t:dir r_dir_perms;
allow $1 var_t:notdevfile_class_set r_file_perms;

# Read /var/catman.
allow $1 catman_t:dir r_dir_perms;
allow $1 catman_t:{ file lnk_file } r_file_perms;

# Read /var/lib.
allow $1 var_lib_t:dir r_dir_perms;
allow $1 var_lib_t:notdevfile_class_set r_file_perms;
allow $1 var_lib_nfs_t:dir r_dir_perms;
allow $1 var_lib_nfs_t:notdevfile_class_set r_file_perms;
ifdef(`rpm.te',
`allow $1 var_lib_rpm_t:dir r_dir_perms;
allow $1 var_lib_rpm_t:{ file lnk_file} r_file_perms;')
r_dir_file($1, tetex_data_t)

# Read /var/yp.
allow $1 var_yp_t:dir r_dir_perms;
allow $1 var_yp_t:notdevfile_class_set r_file_perms;

# Read /var/spool.
allow $1 var_spool_t:dir r_dir_perms;
allow $1 var_spool_t:notdevfile_class_set r_file_perms;

# Read /var/run, /var/lock, /var/log.
allow $1 var_run_t:dir r_dir_perms;
allow $1 var_run_t:{ file lnk_file } r_file_perms;
allow $1 var_log_t:dir r_dir_perms;
#allow $1 var_log_t:{ file lnk_file } r_file_perms;
allow $1 var_log_sa_t:dir r_dir_perms;
allow $1 var_log_sa_t:{ file lnk_file } r_file_perms;
allow $1 var_log_ksyms_t:{ file lnk_file } r_file_perms;
ifdef(`rpm.te', `allow $1 var_log_rpm_t:{ file lnk_file } r_file_perms;')
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:{ file lnk_file } r_file_perms;

# Read /var/run/utmp and /var/log/wtmp.
allow $1 initrc_var_run_t:file r_file_perms;
allow $1 wtmp_t:file r_file_perms;

# Read /boot, /boot/System.map*, and /vmlinuz*
allow $1 boot_t:dir { search getattr };
allow $1 boot_t:file getattr;
allow $1 system_map_t:{ file lnk_file } r_file_perms;
ifdef(`rpm.te', `
allow $1 boot_runtime_t:{ file lnk_file } r_file_perms;
')
allow $1 boot_t:lnk_file read;

# Read /etc.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:notdevfile_class_set r_file_perms;
allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
allow $1 etc_aliases_t:{ file lnk_file } r_file_perms;
allow $1 etc_mail_t:dir r_dir_perms;
allow $1 etc_mail_t:{ file lnk_file } r_file_perms;
allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;

# Read /lib.
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:notdevfile_class_set r_file_perms;

# Read the linker, shared library, and executable types.
allow $1 ld_so_t:{ file lnk_file } r_file_perms;
allow $1 shlib_t:{ file lnk_file } r_file_perms;
allow $1 exec_type:{ file lnk_file } r_file_perms;

# Read man directories and files.
allow $1 man_t:dir r_dir_perms;
allow $1 man_t:notdevfile_class_set r_file_perms;

# Read /usr/src.
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:notdevfile_class_set r_file_perms;

# Read module-related files.
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:{ file lnk_file } r_file_perms;
allow $1 modules_dep_t:{ file lnk_file } r_file_perms;
allow $1 modules_conf_t:{ file lnk_file} r_file_perms;

# Read /dev directories and any symbolic links.
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file r_file_perms;

# Read /dev/random and /dev/zero.
allow $1 random_device_t:chr_file r_file_perms;
allow $1 zero_device_t:chr_file r_file_perms;

# Read the root directory of a tmpfs filesystem and any symbolic links.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:lnk_file r_file_perms;

# Read any symbolic links on a devfs file system.
allow $1 device_t:lnk_file r_file_perms;

# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files.  Permit stating of the
# device nodes, but nothing else.
allow $1 usbdevfs_t:dir r_dir_perms;
allow $1 usbdevfs_t:{ file lnk_file } r_file_perms;
allow $1 usbdevfs_device_t:file getattr;
')

#######################
# daemon_base_domain(domain_prefix, attribs)
#
# Define a daemon domain with a base set of type declarations
# and permissions that are common to most daemons.
# attribs is the list of attributes which must start with `,' if it is not empty
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`daemon_base_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;

role system_r types $1_t;

domain_auto_trans(initrc_t, $1_exec_t, $1_t)

# Inherit and use descriptors from init.
allow $1_t init_t:fd use;
allow $1_t init_t:process sigchld;
allow $1_t privfd:fd use;
ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
allow $1_t self:process { signal_perms fork };

uses_shlib($1_t)

allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;

allow $1_t device_t:dir { getattr search };
allow $1_t null_device_t:chr_file rw_file_perms;
allow $1_t console_device_t:chr_file rw_file_perms;
allow $1_t initrc_devpts_t:chr_file rw_file_perms;
')dnl

# allow a domain to create its own files under /var/run and to create files
# in directories that are created for it.  For sock_file etc you need to add
# your own rules
define(`var_run_domain', `
type $1_var_run_t alias var_run_$1_t, file_type, sysadmfile, pidfile;
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
allow $1_t $1_var_run_t:dir rw_dir_perms;
')

define(`daemon_domain', `
daemon_base_domain($1, `$2')
# Create pid file.
allow $1_t var_t:dir { getattr search };
var_run_domain($1)

allow $1_t devtty_t:chr_file rw_file_perms;

# for daemons that look at /root on startup
dontaudit $1_t sysadm_home_dir_t:dir search;

# for df
allow $1_t fs_type:filesystem getattr;

r_dir_file($1_t, locale_t)
')dnl

define(`uses_authbind',
`domain_auto_trans_read($1, authbind_exec_t, authbind_t)
allow authbind_t $1:process sigchld;
allow authbind_t $1:fd use;
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')

# define a sub-domain, $1_t is the parent domain, $2 is the name
# of the sub-domain.
#
define(`daemon_sub_domain', `
# $1 is the parent domain (or domains), $2_t is the child domain,
# and $3 is any attributes to apply to the child
type $2_t, domain, privlog $3;
type $2_exec_t, file_type, sysadmfile, exec_type;

role system_r types $2_t;

domain_auto_trans($1, $2_exec_t, $2_t)

# Inherit and use descriptors from parent.
allow $2_t $1:fd use;
allow $2_t $1:process sigchld;

allow $2_t self:process signal_perms;

uses_shlib($2_t)

allow $2_t { self proc_t }:dir r_dir_perms;
allow $2_t { self proc_t }:lnk_file read;

allow $2_t device_t:dir getattr;
')


define(`tmp_domain', `
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
')

define(`tmpfs_domain', `
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
# Use this type when creating tmpfs/shm objects.
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
allow $1_tmpfs_t tmpfs_t:filesystem associate;
')

define(`var_lib_domain', `
type $1_var_lib_t, file_type, sysadmfile;
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t)
')

define(`log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
file_type_auto_trans($1_t, var_log_t, $1_log_t)
')

define(`lock_domain', `
type $1_lock_t, file_type, sysadmfile, lockfile;
file_type_auto_trans($1_t, var_lock_t, $1_lock_t)
')

#######################
# application_domain(domain_prefix)
#
# Define a domain with a base set of type declarations
# and permissions that are common to simple applications.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`application_domain', `
type $1_t, domain, privlog;
type $1_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types $1_t;
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
uses_shlib($1_t)
')

define(`user_application_domain', `
application_domain($1)
in_user_role($1_t)
domain_auto_trans(userdomain, $1_exec_t, $1_t)
')

define(`system_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
role system_r types $1_t;
uses_shlib($1_t)
allow $1_t etc_t:dir r_dir_perms;
')


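As an added worked example (not part of any attachment in this thread), here is what one `daemon_domain(apmd)` call expands to under the macros above, assuming apmd.te declares its domain that way; domain_auto_trans, uses_shlib and r_dir_file are left unexpanded because they are defined earlier in the same file.

```m4
# Added example: hand expansion of daemon_domain(apmd) using the macros
# shown above. Assumes apmd.te declares the domain with daemon_domain(apmd);
# domain_auto_trans, uses_shlib and r_dir_file are left unexpanded.

# --- daemon_base_domain(apmd, `') : $2 is empty, hence "privlog ;" ---
type apmd_t, domain, privlog ;
type apmd_exec_t, file_type, sysadmfile, exec_type;
role system_r types apmd_t;
domain_auto_trans(initrc_t, apmd_exec_t, apmd_t)
# Inherit and use descriptors from init.
allow apmd_t init_t:fd use;
allow apmd_t init_t:process sigchld;
allow apmd_t privfd:fd use;
ifdef(`newrole.te', `allow apmd_t newrole_t:process sigchld;')
allow apmd_t self:process { signal_perms fork };
uses_shlib(apmd_t)
allow apmd_t { self proc_t }:dir r_dir_perms;
allow apmd_t { self proc_t }:lnk_file read;
allow apmd_t device_t:dir { getattr search };
allow apmd_t null_device_t:chr_file rw_file_perms;
allow apmd_t console_device_t:chr_file rw_file_perms;
allow apmd_t initrc_devpts_t:chr_file rw_file_perms;

# --- remainder of daemon_domain(apmd) ---
allow apmd_t var_t:dir { getattr search };

# var_run_domain(apmd): derived pidfile type plus the auto transition.
type apmd_var_run_t alias var_run_apmd_t, file_type, sysadmfile, pidfile;
#   file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, file)
#   -> file_type_trans(apmd_t, var_run_t, apmd_var_run_t, file)
allow apmd_t var_run_t:dir rw_dir_perms;
allow apmd_t apmd_var_run_t:file create_file_perms;
#   -> default labelling: a file apmd_t creates in var_run_t gets apmd_var_run_t
type_transition apmd_t var_run_t:file apmd_var_run_t;
allow apmd_t apmd_var_run_t:dir rw_dir_perms;

allow apmd_t devtty_t:chr_file rw_file_perms;
# for daemons that look at /root on startup
dontaudit apmd_t sysadm_home_dir_t:dir search;
# for df
allow apmd_t fs_type:filesystem getattr;
r_dir_file(apmd_t, locale_t)
```

The type_transition line is what keeps the daemon's pid file out of the generic var_run_t label, and nothing in this expansion grants network, /tmp or log access; those come only from separate can_network(), tmp_domain() or log_domain() calls.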

* Re: some policy patches
  2003-05-24 16:07 some policy patches Tom
  2003-05-24 17:55 ` Russell Coker
@ 2003-05-24 18:18 ` Russell Coker
  2003-05-24 21:19   ` Tom
  1 sibling, 1 reply; 9+ messages in thread
From: Russell Coker @ 2003-05-24 18:18 UTC (permalink / raw)
  To: Tom, SE Linux

On Sun, 25 May 2003 02:07, Tom wrote:
> I have attached three diff files for policy changes. These are against
> Russell's default policy, though from the file comments at least one
> (xdm) is unchanged from the upstream tree.

+# XFree86-4 wants to check if kernel is tainted
+allow xdm_xserver_t sysctl_kernel_t:dir { search };
+allow xdm_xserver_t sysctl_kernel_t:file { getattr read };
+allow xdm_xserver_t sysctl_t:dir { search };
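Review bot: `allow xdm_xserver_t sysctl_kernel_t:file { getattr read };` grants read on every file labelled sysctl_kernel_t (all of /proc/sys/kernel), not only the tainted flag named in the comment; the general_proc_read_access macro earlier on this page already grants sysctl_kernel_t:file r_file_perms, so if xdm_xserver_t uses that macro these lines are redundant, and if it does not, the comment should say the access is wider than the one file it is for.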

Strange, it doesn't seem to do that on my system.  Maybe it's some module that 
you are using.  In any case this is pretty harmless and should go in, but not 
to xserver.te.  Putting it in xserver.te breaks policy compilation for 
everyone who doesn't use xdm.

I've added it to xserver_macros.te in my tree.

> apm.diff contains minor updates so that acpid works (they are very
> similar in requirements, and you don't usually have both running
> anyway, so a shared domain for apmd and acpid should be ok).

Done that.

> games.diff enables what I believe to be better games support. I have a

Firstly, don't use an apostrophe in words such as dont.  It causes problems 
with m4.

For the games patch to be merged it will have to use the macros so that it can 
work from user roles other than user_r.

I have put an updated policy.tgz on my web page containing the patches 
discussed here and some other changes.  A new Debian package will be 
available in a day or two.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: some policy patches
  2003-05-24 17:55 ` Russell Coker
@ 2003-05-24 21:16   ` Tom
  2003-05-25  1:57     ` Russell Coker
  0 siblings, 1 reply; 9+ messages in thread
From: Tom @ 2003-05-24 21:16 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Sun, May 25, 2003 at 03:55:11AM +1000, Russell Coker wrote:
> > # Added write access, not sure if it is required (Tom)
> > allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };
> 
> Write access should not be required.  xdm should create the file and the 
> xserver should just read from it.

Thanks for this and other comments. I will investigate them and post a
cleaned-up version. I also notice that I should probably use userdomain
instead of user_t in many places.


> > # wdm just asks for read access
> > allow xdm_t memory_device_t:chr_file { read };
> 
> Bad.  XDM is not something that you want to allow reading all kernel memory.  
> It should use /dev/random instead if you block /dev/mem.

It actually accesses /dev/mem, not /dev/kmem. Shouldn't /dev/kmem have
its own type?


> > +# but xdm_xserver wants to write, too
> > +allow xdm_xserver_t memory_device_t:chr_file { read write };
> 
> That is only if you are not using the frame-buffer.  See the below snippet 
> from macros/program/xserver_macros.te (which is where you want to do this if 
> you want to support "startx" as well as an xdm).

The framebuffer support for sis chipsets is, to put it friendly,
slightly buggy. I have not yet found a way to use it in any reasonable
way on this machine. (it works, but it's not useable)


> > +allow user_t xdm_exec_t:file { entrypoint };
> 
> This is bad in several ways.  Firstly it's probably good style to use 
> domain_trans() for such things, then people who read your policy can find 
> what they expect to find.  Secondly, why is an xdm_exec_t program being used?

wdm has several startup files in /etc/X11/wdm/ - I've labelled them
xdm_exec_t. Should they get their own type? They are, for all I can
see, executed after the domain transition has taken place.


> Finally, you should not use user_t in any policy.  unpriv_userdomain is one 
> option to use.  If you start hard-coding user_t in policy then it'll be very 
> painful when you want to add multiple user roles!

Yes, I noticed. I will fix this.



> I have attached a modified xdm.te based on your work along with the new 
> global_macros.te file it depends on.  I didn't include much of your patch, 
> about half of the rest may go in but we need to determine exactly what it's 
> for and put some decent comments in.
> 
> X is nasty.

Absolutely. My goal was to get a working policy and a working graphical
login. I've done that.
Many people on this list know more about policy details, X and kernel 
internals than I do, so I treasure all corrections.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5



* Re: some policy patches
  2003-05-24 18:18 ` Russell Coker
@ 2003-05-24 21:19   ` Tom
  0 siblings, 0 replies; 9+ messages in thread
From: Tom @ 2003-05-24 21:19 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Sun, May 25, 2003 at 04:18:34AM +1000, Russell Coker wrote:
> Strange, it doesn't seem to do that on my system.  Maybe it's some module that 
> you are using.  In any case this is pretty harmless and should go in, but not 
> to xserver.te.  Putting it in xserver.te breaks policy compilation for 
> everyone who doesn't use xdm.
> 
> I've added it to xserver_macros.te in my tree.

I would've suggested putting #ifdef's around it, or adding it to xdm.te
(I'd assume that anyone running xdm is using X :) )


> > games.diff enables what I believe to be better games support. I have a
> 
> Firstly, don't use an apostrophe in words such as dont.  It causes problems 
> with m4.

Roger.


> For the games patch to be merged it will have to use the macros so that it can 
> work from user roles other than user_r.

Yes, I will fix that. I will post an updated version tomorrow.

I also have a policy for cdrom read and write access coming. I want to
use the cd-r/w writer in my notebook, too.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5



* Re: some policy patches
  2003-05-24 21:16   ` Tom
@ 2003-05-25  1:57     ` Russell Coker
  0 siblings, 0 replies; 9+ messages in thread
From: Russell Coker @ 2003-05-25  1:57 UTC (permalink / raw)
  To: Tom; +Cc: SE Linux

On Sun, 25 May 2003 07:16, Tom wrote:
> > Bad.  XDM is not something that you want to allow reading all kernel
> > memory. It should use /dev/random instead if you block /dev/mem.
>
> It actually accesses /dev/mem, not /dev/kmem. Shouldn't /dev/kmem have
> its own type?

Why?  Physical RAM and kernel virtual memory are equally dangerous and give 
access to the same stuff.

> > > +# but xdm_xserver wants to write, too
> > > +allow xdm_xserver_t memory_device_t:chr_file { read write };
> >
> > That is only if you are not using the frame-buffer.  See the below
> > snippet from macros/program/xserver_macros.te (which is where you want to
> > do this if you want to support "startx" as well as an xdm).
>
> The framebuffer support for sis chipsets is, to put it friendly,
> slightly buggy. I have not yet found a way to use it in any reasonable
> way on this machine. (it works, but it's not useable)

In that case you have to change the xserver_macros.te accordingly.  I don't 
think that should be the default however, people who are using the 
frame-buffer should be able to grant their X server minimal access.

> > This is bad in several ways.  Firstly it's probably good style to use
> > domain_trans() for such things, then people who read your policy can find
> > what they expect to find.  Secondly, why is an xdm_exec_t program being
> > used?
>
> wdm has several startup files in /etc/X11/wdm/ - I've labelled them
> xdm_exec_t. Should they get their own type? They are, for all I can
> see, executed after the domain transition has taken place.

What about xsession_exec_t?

> Absolutely. My goal was to get a working policy and a working graphical
> login. I've done that.

That's a great start!  Now we just have to work out which types of access are 
really enabled, which aren't needed, which can be avoided by correct 
configuration, and which require changes to the applications.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




* some policy patches
@ 2005-02-03 12:50 Russell Coker
  2005-02-10 15:19 ` James Carter
  0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2005-02-03 12:50 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 208 bytes --]

Nothing really exciting in this patch.  Just some minor fixes and sorting out 
some of the distro-specific stuff.

-- 
US IT executives rate Red Hat #1 for value
http://www.redhat.com/promo/vendor/index.html

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 20520 bytes --]

diff -ru /usr/src/se/policy/domains/program/crond.te ./domains/program/crond.te
--- /usr/src/se/policy/domains/program/crond.te	2005-01-14 22:26:51.000000000 +1100
+++ ./domains/program/crond.te	2005-02-02 07:29:28.000000000 +1100
@@ -26,6 +26,7 @@
 
 crond_domain(system)
 
+allow system_crond_t proc_mdstat_t:file { getattr read };
 allow system_crond_t proc_t:lnk_file read;
 allow system_crond_t proc_t:filesystem getattr;
 allow system_crond_t usbdevfs_t:filesystem getattr;
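Review bot: the new `allow system_crond_t proc_mdstat_t:file { getattr read };` has no comment saying which cron job reads /proc/mdstat, while the surrounding rules in this block are generic /proc reads; a one-line reason (a RAID status check, for instance) would stop it being pruned as unused later. If proc_mdstat_t is declared only when some other .te file is present, wrap the rule in the matching ifdef so the policy still compiles without it.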
@@ -160,7 +161,6 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
-allow initrc_t system_cron_spool_t:file { getattr read };
 
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
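Review bot: dropping `allow initrc_t system_cron_spool_t:file { getattr read };` is an access removal rather than one of the "minor fixes" the cover note describes; any init script that still reads a system_cron_spool_t file will now be denied in enforcing mode, so the commit message should say why initrc no longer needs it or where the rule moved to.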
diff -ru /usr/src/se/policy/domains/program/getty.te ./domains/program/getty.te
--- /usr/src/se/policy/domains/program/getty.te	2005-01-30 06:23:21.000000000 +1100
+++ ./domains/program/getty.te	2005-01-30 13:09:22.000000000 +1100
@@ -58,4 +58,3 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
-allow getty_t initrc_devpts_t:chr_file { read write };
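Review bot: removing `allow getty_t initrc_devpts_t:chr_file { read write };` leaves nothing in its place in this hunk. If getty_t is declared via daemon_domain(), daemon_base_domain already grants rw_file_perms on initrc_devpts_t (see its definition earlier on this page) and this is just a duplicate being pruned; if getty has its own type declaration, it loses access to the pty inherited from initrc. The commit message should say which case applies.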
diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/initrc.te	2005-02-03 22:09:02.000000000 +1100
@@ -49,7 +56,7 @@
 allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld setsched setpgid setrlimit getsched };
+allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
 
 # Can create ptys for open_init_pty
 can_create_pty(initrc)
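Review bot: the comment above the changed line, "# allow initrc to fork and renice itself", no longer describes the permission set now that getpgid joins setpgid, setrlimit and getsched; update it (for example "fork, renice and manage its process group") so the next reader knows why getpgid is granted.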
@@ -61,11 +68,13 @@
 allow initrc_t var_run_t:dir { create rmdir };
 
 ifdef(`distro_debian', `
-allow initrc_t etc_t:dir setattr;
+allow initrc_t { etc_t device_t }:dir setattr;
 
 # for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
 file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-allow initrc_var_run_t tmpfs_t:filesystem associate;
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
 ')
 
 allow initrc_t framebuf_device_t:chr_file r_file_perms;
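Review bot: `file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)` labels every block device node initrc creates on any tmpfs as fixed_disk_device_t, and the only nearby comment ("# for storing state under /dev/shm") does not cover it. Say which Debian init script creates block nodes on tmpfs (the added setattr on device_t:dir suggests /dev itself is on tmpfs) and consider whether a dedicated device type would be better than handing the raw-disk label to everything initrc creates there; the `allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;` line is the matching association rule and is fine as written.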
diff -ru /usr/src/se/policy/domains/program/ldconfig.te ./domains/program/ldconfig.te
--- /usr/src/se/policy/domains/program/ldconfig.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/ldconfig.te	2004-12-23 19:24:00.000000000 +1100
@@ -26,6 +26,7 @@
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
 
 allow ldconfig_t userdomain:fd use;
+# unlink for when /etc/ld.so.cache is mislabeled
 allow ldconfig_t etc_t:file { getattr read unlink };
 allow ldconfig_t etc_t:lnk_file read;
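Review bot: the new comment explains the unlink, but the rule it documents (`allow ldconfig_t etc_t:file { getattr read unlink };`) grants unlink on every etc_t file, not just a mislabelled /etc/ld.so.cache; if mislabelling is the only reason, fixing the label through file contexts and keeping a narrower rule would avoid letting ldconfig delete arbitrary files in /etc. At minimum the comment should note that the permission is wider than its stated purpose.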
 
@@ -37,12 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
+ifdef(`distro_suse', `
+# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
+')
+
 allow ldconfig_t proc_t:file read;
+ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
 ')
+')dnl end hide_broken_symptoms
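Review bot: besides adding the distro_suse and hide_broken_symptoms guards, this hunk silently deletes the ifdef(`targeted_policy') block, including `unconfined_domain(ldconfig_t)` and `allow ldconfig_t lib_t:file r_file_perms;`; that is a behaviour change for targeted builds which the cover note ("minor fixes") does not mention. If the lib_t read is now granted elsewhere, say where; otherwise ldconfig in targeted policy loses it. Replacing the stray `');` with `')` is correct.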
diff -ru /usr/src/se/policy/domains/program/login.te ./domains/program/login.te
--- /usr/src/se/policy/domains/program/login.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/login.te	2005-02-03 22:15:23.000000000 +1100
@@ -73,7 +73,9 @@
 # Set exec context.
 can_setexec($1_login_t)
 
+ifdef(`automount.te', `
 allow $1_login_t autofs_t:dir { search read getattr };
+')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
 if (use_nfs_home_dirs) {
@@ -188,10 +185,6 @@
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
 
-ifdef(`hide_broken_symptoms', `
-dontaudit local_login_t init_t:fd use;
-')
-
 #################################
 #
 # Rules for the remote_login_t domain.
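Review bot: removing the hide_broken_symptoms `dontaudit local_login_t init_t:fd use;` means any remaining use of an init_t descriptor by local_login_t will now appear in the audit log; if the descriptor leak was fixed so the denial no longer occurs, state that in the commit message, otherwise this reintroduces exactly the noise hide_broken_symptoms exists to suppress.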
diff -ru /usr/src/se/policy/domains/program/logrotate.te ./domains/program/logrotate.te
--- /usr/src/se/policy/domains/program/logrotate.te	2005-01-14 22:26:53.000000000 +1100
+++ ./domains/program/logrotate.te	2005-02-03 15:57:46.000000000 +1100
@@ -21,12 +21,14 @@
 type logrotate_exec_t, file_type, sysadmfile, exec_type;
 
 system_crond_entry(logrotate_exec_t, logrotate_t)
+allow logrotate_t cron_spool_t:dir search;
 allow crond_t logrotate_var_lib_t:dir search;
 domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
 allow logrotate_t self:unix_stream_socket create_socket_perms;
 allow logrotate_t devtty_t:chr_file rw_file_perms;
 
 ifdef(`distro_debian', `
+allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 # for savelog
 can_exec(logrotate_t, logrotate_exec_t)
 ')
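Review bot: the added `allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };` sits above the `# for savelog` comment, so the comment now reads as applying only to the can_exec line; if relabelling is also for savelog, move the comment above the new rule or add one, since the next hunk removes the generic relabel rule and non-Debian builds lose it.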
@@ -49,7 +51,6 @@
 # Create temporary files.
 tmp_domain(logrotate)
 can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };

 # Run helper programs.
 allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
diff -ru /usr/src/se/policy/domains/program/ssh.te ./domains/program/ssh.te
--- /usr/src/se/policy/domains/program/ssh.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/ssh.te	2005-02-03 22:21:53.000000000 +1100
@@ -73,7 +73,9 @@
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
+ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
+')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
 }
@@ -226,4 +228,3 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
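Review bot: dropping `dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };` with no replacement means an sshd_t started from an administrator's terminal will now log denials for the inherited tty; if the intent is to make such descriptor leaks visible, a short comment would help the next reader, otherwise the rule should stay.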
diff -ru /usr/src/se/policy/domains/program/sulogin.te ./domains/program/sulogin.te
--- /usr/src/se/policy/domains/program/sulogin.te	2004-12-13 09:55:22.000000000 +1100
+++ ./domains/program/sulogin.te	2005-02-03 16:01:51.000000000 +1100
@@ -16,9 +16,18 @@
 general_domain_access(sulogin_t)
 
 domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
+allow sulogin_t initrc_t:process getpgid;
 uses_shlib(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `
-# suse doesnt use pam with sulogin...
+define(`sulogin_no_pam', `')
+')
+ifdef(`distro_debian', `
+define(`sulogin_no_pam', `')
+')
+
+ifdef(`sulogin_no_pam', `
 domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
 allow sulogin_t init_t:process getpgid;
 allow sulogin_t self:capability sys_tty_config;
diff -ru /usr/src/se/policy/domains/program/tmpreaper.te ./domains/program/tmpreaper.te
--- /usr/src/se/policy/domains/program/tmpreaper.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/tmpreaper.te	2004-11-22 03:14:43.000000000 +1100
@@ -39,4 +37,4 @@
 allow tmpreaper_t catman_t:dir setattr;
 ')
 read_locale(tmpreaper_t)
-dontaudit tmpreaper_t init_t:fd use;
+
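Review bot: the `+++` timestamp for tmpreaper.te (2004-11-22) is older than the `---` base (2005-02-03), so this hunk removes `dontaudit tmpreaper_t init_t:fd use;` from a tree that predates the base and may be reverting whatever added it; the headers for amanda.te, cups.te, ftpd.te and hotplug.te show the same inversion, so those files should be regenerated against the current tree. The `+` line also leaves a lone blank line at end of file.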
diff -ru /usr/src/se/policy/domains/program/unused/amanda.te ./domains/program/unused/amanda.te
--- /usr/src/se/policy/domains/program/unused/amanda.te	2005-01-14 22:26:57.000000000 +1100
+++ ./domains/program/unused/amanda.te	2004-12-03 19:56:13.000000000 +1100
@@ -241,6 +241,8 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+allow amanda_recover_t privfd:fd use;
+
 
 # amrecover network and process communication
 #############################################
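Review bot: the hunk adds two blank lines after `allow amanda_recover_t privfd:fd use;`, leaving three in a row before the comment block; drop one. `privfd:fd use` also covers descriptors from every privileged domain, so a comment naming which caller passes the descriptor would make the grant easier to revisit later.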
diff -ru /usr/src/se/policy/domains/program/unused/asterisk.te ./domains/program/unused/asterisk.te
--- /usr/src/se/policy/domains/program/unused/asterisk.te	2004-12-03 19:49:22.000000000 +1100
+++ ./domains/program/unused/asterisk.te	2005-01-19 04:25:31.000000000 +1100
@@ -48,8 +48,8 @@
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
 
-# for /var/run/asterisk
-allow asterisk_t self:capability dac_override;
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
 
 # for shutdown
 dontaudit asterisk_t self:capability sys_tty_config;
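Review bot: the comment still explains only dac_override, but the rule now also grants setgid, setuid and sys_nice to asterisk_t; a daemon that can change its own uid and gid is a notable grant, so the comment should say why each capability is needed (for example dropping privileges after start, or raising scheduling priority for sys_nice).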
diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te
--- /usr/src/se/policy/domains/program/unused/backup.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/backup.te	2005-01-03 01:15:13.000000000 +1100
@@ -26,7 +26,7 @@
 # for SSP
 allow backup_t urandom_device_t:chr_file read;
 
-can_network_server(backup_t)
+can_network_client(backup_t)
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2005-01-14 22:26:58.000000000 +1100
+++ ./domains/program/unused/bootloader.te	2005-02-03 15:56:03.000000000 +1100
@@ -10,7 +10,7 @@
 #
 # bootloader_exec_t is the type of the bootloader executable.
 #
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role');
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
 type bootloader_exec_t, file_type, sysadmfile, exec_type;
 etc_domain(bootloader)
 typealias bootloader_etc_t alias etc_bootloader_t;
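Review bot: adding `privowner` and `admin` to bootloader_t on Debian is a large widening that the hunk does not explain, and the distro_debian block later in this file does not cover it either; a comment saying which step of the Debian bootloader path needs to change file ownership or act as an admin domain would let a later reader drop the attributes when that step changes.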
@@ -28,8 +28,7 @@
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t { initrc_t privfd }:fd use;
 
-tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
+tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
 
 read_locale(bootloader_t)
 
@@ -39,12 +38,33 @@
 # for /vmlinuz sym link
 allow bootloader_t root_t:lnk_file read;
 
+# lilo would need read access to get BIOS data
+allow bootloader_t proc_kcore_t:file getattr;
+
 allow bootloader_t { etc_t device_t }:dir r_dir_perms;
 allow bootloader_t etc_t:file r_file_perms;
 allow bootloader_t etc_t:lnk_file read;
+allow bootloader_t initctl_t:fifo_file getattr;
 uses_shlib(bootloader_t)
 
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t usr_t:lnk_file read;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
 allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
 allow bootloader_t device_t:lnk_file { getattr read };
 
 # LVM2 / Device Mapper's /dev/mapper/control
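Review bot: in the distro_debian block, `allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;` together with `create_file_perms` on the same types lets bootloader_t create and modify files labelled fsadm_exec_t, which are entry points for fsadm_t; if this is for assembling an initrd under bootloader_tmp_t, the copies could stay labelled bootloader_tmp_t, or the comment should state why the image must carry the final labels. Two smaller points in the same hunk: the `# lilo would need read access to get BIOS data` comment does not match the rule, which grants only `getattr` on proc_kcore_t, and `dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;` silences read and write attempts on every generic device node, which can hide a real mislabeling.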
@@ -52,6 +72,7 @@
 ifdef(`lvm.te', `
 allow bootloader_t lvm_control_t:chr_file rw_file_perms;
 domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
diff -ru /usr/src/se/policy/domains/program/unused/ciped.te ./domains/program/unused/ciped.te
--- /usr/src/se/policy/domains/program/unused/ciped.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/ciped.te	2005-01-03 01:27:19.000000000 +1100
@@ -7,7 +7,7 @@
 
 type cipe_port_t, port_type;
 
-can_network_server(ciped_t)
+can_network_udp(ciped_t)
 can_ypbind(ciped_t)
 allow ciped_t cipe_port_t:udp_socket name_bind;
 
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/cups.te	2005-01-02 23:09:50.000000000 +1100
@@ -33,8 +33,10 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
+ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
+')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
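Review bot: wrapping the usbdevfs_t and usbfs_t rules in `ifdef(`usbmodules.te'` assumes those types are declared in usbmodules.te; if they are declared elsewhere, as the replies in this thread report for autofs_t and automount.te, cupsd_t loses USB printer access on builds without usbmodules.te. Confirm where the types live before guarding on that file; this file's `+++` timestamp is also older than its `---` base.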
diff -ru /usr/src/se/policy/domains/program/unused/dpkg.te ./domains/program/unused/dpkg.te
--- /usr/src/se/policy/domains/program/unused/dpkg.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/dpkg.te	2005-02-03 15:56:50.000000000 +1100
@@ -179,7 +179,7 @@
 typealias apt_etc_t alias etc_apt_t;
 type apt_rw_etc_t, file_type, sysadmfile;
 typealias apt_rw_etc_t alias etc_apt_rw_t;
-tmp_domain(apt)
+tmp_domain(apt, `', `{ dir file lnk_file }')
 can_exec(apt_t, apt_tmp_t)
 
 rw_dir_create_file(apt_t, apt_rw_etc_t)
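Review bot: the class set passed as the third argument is quoted here (`'{ dir file lnk_file }'`) but unquoted in the bootloader.te call above (`tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })`); both work in m4 because the set contains no commas, but the two calls should use one style.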
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/unused/ftpd.te	2004-12-01 14:35:19.000000000 +1100
@@ -34,7 +34,10 @@
 allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
-')
+ifdef(`logrotate.te', `
+can_exec(ftpd_t, logrotate_exec_t)
+')dnl end if logrotate.te
+')dnl end if crond.te
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 allow ftpd_t port_t:tcp_socket name_bind;
@@ -87,7 +90,9 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t selinux_config_t:dir search;
+ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
+')
 allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/hotplug.te	2005-01-03 01:36:14.000000000 +1100
@@ -163,4 +163,4 @@
 unconfined_domain(hotplug_t) 
 ')
 
- allow kernel_t hotplug_etc_t:dir search;
+allow kernel_t hotplug_etc_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/inetd.te ./domains/program/unused/inetd.te
--- /usr/src/se/policy/domains/program/unused/inetd.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/inetd.te	2005-02-02 00:27:43.000000000 +1100
@@ -55,6 +58,8 @@
 
 
 inetd_child_domain(inetd_child)
+allow inetd_child_t proc_net_t:dir search;
+allow inetd_child_t proc_net_t:file { getattr read };
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff -ru /usr/src/se/policy/domains/program/unused/iptables.te ./domains/program/unused/iptables.te
--- /usr/src/se/policy/domains/program/unused/iptables.te	2005-01-14 22:26:59.000000000 +1100
+++ ./domains/program/unused/iptables.te	2005-01-03 01:11:29.000000000 +1100
@@ -36,7 +36,7 @@
 
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
-can_network_server(iptables_t)
+can_resolve(iptables_t)
 can_ypbind(iptables_t)
 
 allow iptables_t iptables_exec_t:file execute_no_trans;
diff -ru /usr/src/se/policy/domains/program/unused/lpd.te ./domains/program/unused/lpd.te
--- /usr/src/se/policy/domains/program/unused/lpd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/lpd.te	2005-02-03 22:35:34.000000000 +1100
@@ -36,7 +36,7 @@
 type checkpc_t, domain, privlog;
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
-can_network_server(checkpc_t)
+can_network_client(checkpc_t)
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff -ru /usr/src/se/policy/domains/program/unused/mdadm.te ./domains/program/unused/mdadm.te
--- /usr/src/se/policy/domains/program/unused/mdadm.te	2004-11-13 03:56:02.000000000 +1100
+++ ./domains/program/unused/mdadm.te	2005-02-03 22:36:28.000000000 +1100
@@ -27,6 +27,7 @@
 
 # RAID block device access
 allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
+allow mdadm_t device_t:lnk_file { getattr read };
 
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
diff -ru /usr/src/se/policy/domains/program/unused/mrtg.te ./domains/program/unused/mrtg.te
--- /usr/src/se/policy/domains/program/unused/mrtg.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/mrtg.te	2005-01-31 22:36:33.000000000 +1100
@@ -31,7 +31,7 @@
 r_dir_file(mrtg_t, lib_t)
 
 # Use the network.
-can_network_server(mrtg_t)
+can_network_client(mrtg_t)
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -53,7 +53,8 @@
 r_dir_file(mrtg_t, snmpd_var_lib_t)
 ')
 
-allow mrtg_t proc_t:file { read getattr };
+allow mrtg_t proc_net_t:dir search;
+allow mrtg_t { proc_t proc_net_t }:file { read getattr };
 dontaudit mrtg_t proc_t:file ioctl;
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/named.te ./domains/program/unused/named.te
--- /usr/src/se/policy/domains/program/unused/named.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/named.te	2005-02-03 22:38:57.000000000 +1100
@@ -84,7 +84,7 @@
 allow named_t sysctl_kernel_t:dir r_dir_perms;
 allow named_t sysctl_kernel_t:file r_file_perms;
 
-# Read /proc/cpuinfo.
+# Read /proc/cpuinfo and /proc/net
 r_dir_file(named_t, proc_t)
 r_dir_file(named_t, proc_net_t)
 
@@ -109,6 +109,8 @@
 # for /etc/rndc.key
 ifdef(`distro_redhat', `
 allow { ndc_t initrc_t } named_conf_t:dir search;
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { setattr write };
 ')
 allow { ndc_t initrc_t } named_conf_t:file { getattr read };
 
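Review bot: `allow initrc_t named_conf_t:file { setattr write };` gives init scripts write access to every named_conf_t file, not just the localtime copy the comment describes; if only that copy needs it, a dedicated type for it would be narrower. The hunk also moves the rule from the end of the file (removed in the next hunk) into the distro_redhat block, so it now applies to Red Hat only, which should be the intent.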
@@ -153,5 +155,3 @@
 ')
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { write };
diff -ru /usr/src/se/policy/domains/program/unused/nessusd.te ./domains/program/unused/nessusd.te
--- /usr/src/se/policy/domains/program/unused/nessusd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nessusd.te	2005-01-03 01:29:31.000000000 +1100
@@ -22,7 +22,7 @@
 #tmp_domain(nessusd)
 
 # Use the network.
-can_network_server(nessusd_t)
+can_network(nessusd_t)
 can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff -ru /usr/src/se/policy/domains/program/unused/nscd.te ./domains/program/unused/nscd.te
--- /usr/src/se/policy/domains/program/unused/nscd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/nscd.te	2005-01-30 12:47:20.000000000 +1100
@@ -56,6 +56,7 @@
 
 dontaudit nscd_t sysadm_home_dir_t:dir search;
 
+ifdef(`winbind.te', `
 #
 # Handle winbind for samba, Might only be needed for targeted policy
 #
@@ -63,6 +64,7 @@
 can_unix_connect(nscd_t, winbind_t)
 allow nscd_t samba_var_t:dir search;
 allow nscd_t winbind_var_run_t:dir { getattr search };
+')
 
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
@@ -70,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+allow nscd_t urandom_device_t:chr_file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/nsd.te ./domains/program/unused/nsd.te
--- /usr/src/se/policy/domains/program/unused/nsd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nsd.te	2005-01-03 01:26:19.000000000 +1100
@@ -19,7 +19,7 @@
 type nsd_crond_t, domain, privlog;
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
-can_network_server(nsd_crond_t)
+can_network_client(nsd_crond_t)
 can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };


* Re: some policy patches
From: James Carter @ 2005-02-10 15:19 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE-Linux

Merged.  

Except that a chunk in ssh.te and login.te reverted Dan's removal of
ifdef(`automount.te' statements.  Was there a reason for this?

On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
> Nothing really exciting in this patch.  Just some minor fixes and sorting out 
> some of the distro-specific stuff.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: some policy patches
From: Daniel J Walsh @ 2005-02-10 21:13 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, SE-Linux

James Carter wrote:

>Merged.  
>
>Except that a chunk in ssh.te and login.te reverted Dan's removal of
>ifdef(`automount.te' statements.  Was there a reason for this?
>
>On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
>  
>
>>Nothing really exciting in this patch.  Just some minor fixes and sorting out 
>>some of the distro-specific stuff.
>>    
>>
automount.te statements break targeted policy and autofs is defined 
outside of automount.te so they should not be there.

Dan

