##
## This template creates a user domain, types, and
-## rules for the user's tty, pty, home directories,
-## tmp, and tmpfs files.
+## rules for the user's tty, pty, tmp, and tmpfs files.
##
##
-## This generally should not be used, rather the
+## This should only be used for new non login user roles, rather the
## unpriv_user_template or admin_user_template should
## be used.
##
@@ -25,7 +24,9 @@
##
#
template(`base_user_template',`
-
+ gen_require(`
+ attribute userdomain, unpriv_userdomain;
+ ')
attribute $1_file_type;
type $1_t, userdomain;
@@ -42,44 +43,17 @@
term_user_pty($1_t,$1_devpts_t)
files_type($1_devpts_t)
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
- # types for network-obtained content
- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
- files_type($1_untrusted_content_t)
- files_poly_member($1_untrusted_content_t)
-
- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
- files_tmp_file($1_untrusted_content_tmp_t)
-
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
##############################
#
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- ##############################
- #
# User domain Local policy
#
@@ -103,19 +77,6 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
- # execute files in the home directory
- can_exec($1_t,$1_home_t)
-
- # full control of the home directory
- allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
- allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
- allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
- type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
- files_search_home($1_t)
-
can_exec($1_t,$1_tmp_t)
# user temporary files
@@ -138,15 +99,16 @@
fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
- # Allow user to relabel untrusted content
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+ allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+ term_create_pty($1_t,$1_devpts_t)
allow $1_t unpriv_userdomain:fd use;
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
kernel_read_kernel_sysctls($1_t)
kernel_read_net_sysctls($1_t)
+ kernel_read_fs_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
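Review bot: kernel_read_system_state, kernel_read_network_state and kernel_read_fs_sysctls are granted here inside base_user_template, which the header now reserves for non-login roles, so every domain built from it gets /proc system and network state read access that the removed unpriv/admin lines later in this patch used to limit to login users (kernel_read_fs_sysctls is new, not moved). If a non-login role does not need it, keep those three calls in base_login_user_template or the unpriv/admin templates instead. Replacing the explicit `{ setattr ioctl read getattr lock write append }` set with `{ setattr rw_file_perms }` is equivalent only if rw_file_perms expands to that same set in this policy's obj_perm_sets, which is worth confirming. base_user_template's body continues outside the hunk.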
@@ -165,8 +127,10 @@
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
+ corenet_raw_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
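Review bot: corenet_raw_sendrecv_all_if and corenet_raw_sendrecv_all_nodes give every base user domain rawip send/receive on all interfaces and nodes, but no matching `allow $1_t self:rawip_socket ...` or net_raw capability is visible in this diff, so the grants are either inert or rely on rules elsewhere. If they exist to support a setuid helper such as ping, that helper normally runs in its own domain and the user domain itself does not need raw access; if a user domain really does open raw sockets, a why-comment such as `# raw socket send/recv for <tool>; rawip_socket create is granted in <file>` would make the intent checkable. base_user_template's body continues outside the hunk.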
@@ -193,6 +157,7 @@
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
+ fs_list_inotifyfs($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
@@ -234,6 +199,11 @@
files_dontaudit_getattr_non_security_sockets($1_t)
files_dontaudit_getattr_non_security_blk_files($1_t)
files_dontaudit_getattr_non_security_chr_files($1_t)
+ files_read_var_files($1_t)
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+ files_exec_usr_files($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_ptys($1_t)
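Review bot: files_read_var_files is new rather than moved (the lines dropped from unpriv_user_template later in this patch cover etc and usr only) and it grants every base user domain, including non-login roles, read access to presumably all generic var_t content. If a specific subtree is what is needed, the narrower files_* interface for that type keeps the rest of var_t out of reach; otherwise a comment naming the consumer, e.g. `# read generic var_t content (needed by ...)`, would document why the broad grant is here. The enclosing template continues outside the hunk.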
@@ -254,16 +224,88 @@
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- tunable_policy(`allow_execmem',`
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
+ sysnet_dns_name_resolve($1_t)
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
+')
+#######################################
+##
+## The template containing rules common to unprivileged
+## users and administrative users.
+##
+##
+##
+## This template creates a user home directories,
+##
+##
+## This generally should not be used, rather the
+## unpriv_user_template or admin_user_template should
+## be used.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`base_login_user_template',`
+
+ gen_require(`
+ attribute $1_file_type;
+ attribute home_dir_type, home_type;
+ attribute untrusted_content_type;
')
+ # type for contents of home directory
+ type $1_home_t, $1_file_type, home_type;
+ files_type($1_home_t)
+ files_associate_tmp($1_home_t)
+ fs_associate_tmpfs($1_home_t)
+
+ # type of home directory
+ type $1_home_dir_t, home_dir_type, home_type;
+ files_type($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
+
+ # types for network-obtained content
+ type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+ files_type($1_untrusted_content_t)
+ files_poly_member($1_untrusted_content_t)
+
+ type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+ files_tmp_file($1_untrusted_content_tmp_t)
+
+ ##############################
+ #
+ # User home directory file rules
+ #
+
+ allow $1_file_type $1_home_t:filesystem associate;
+
+ ##############################
+ #
+ # User domain Local policy
+ #
+
+ # execute files in the home directory
+ can_exec($1_t,$1_home_t)
+
+ # full control of the home directory
+ allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+ type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+ files_search_home($1_t)
+
+ # Allow user to relabel untrusted content
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
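Review bot: base_login_user_template's gen_require lists untrusted_content_type but the declaration of $1_untrusted_content_tmp_t also uses untrusted_content_tmp_type, so the require block is inconsistent and should read `attribute untrusted_content_type, untrusted_content_tmp_type;`. Separately, the allow_execmem and allow_execmem && allow_execstack tunable_policy blocks are removed from base_user_template and not re-added in base_login_user_template within this hunk; unless they were moved into the unpriv/admin templates outside the view, user domains silently lose the tunable execmem/execstack permissions, which a reviewer should confirm is intended. The description line "This template creates a user home directories," should read "This template creates the user's home directory, home content and untrusted-content types." base_login_user_template's body continues outside the hunk.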
@@ -322,6 +364,10 @@
')
optional_policy(`
+ alsa_read_rw_config($1_t)
+ ')
+
+ optional_policy(`
canna_stream_connect($1_t)
')
@@ -472,6 +518,7 @@
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
+ xserver_create_ice_tmp_sockets($1_t)
')
')
@@ -501,6 +548,7 @@
# Inherit rules for ordinary users.
base_user_template($1)
+ base_login_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
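Review bot: base_login_user_template must be called after base_user_template because it requires `attribute $1_file_type` and references $1_t, both of which base_user_template declares; the ordering here is right but nothing says it is load-bearing. A short comment, `# must follow base_user_template: requires $1_file_type and $1_t declared there`, would protect it, and the same applies to the admin_user_template call later in this patch. unpriv_user_template's body continues outside the hunk.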
@@ -521,9 +569,6 @@
# Local policy
#
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
allow $1_file_type $1_home_t:filesystem associate;
@@ -535,10 +580,6 @@
allow privhome $1_home_t:sock_file create_file_perms;
allow privhome $1_home_t:fifo_file create_file_perms;
type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
-
dev_read_sysfs($1_t)
corecmd_exec_all_executables($1_t)
@@ -546,11 +587,8 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
+
files_list_home($1_t)
- files_read_usr_files($1_t)
- files_exec_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
@@ -558,8 +596,6 @@
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
init_read_utmp($1_t)
# The library functions always try to open read-write first,
@@ -748,6 +784,7 @@
# Inherit rules for ordinary users.
base_user_template($1)
+ base_login_user_template($1)
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
@@ -783,11 +820,6 @@
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -855,6 +887,7 @@
domain_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
+ files_create_boot_flag($1_t)
init_rw_initctl($1_t)
@@ -3408,6 +3441,25 @@
########################################
##
+## Do not audit attempts to append to the sysadm
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`userdom_dontaudit_append_sysadm_home_content_files',`
+ gen_require(`
+ type sysadm_home_t;
+ ')
+
+ dontaudit $1 sysadm_home_t:file append;
+')
+
+########################################
+##
## Read files in the staff users home directory.
##
##
@@ -4128,7 +4180,7 @@
gen_require(`
type user_home_dir_t;
')
-
+ allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
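Review bot: adding `allow $1 user_home_dir_t:dir manage_dir_perms;` to this interface turns what was a pure filetrans helper into one that lets any caller rename, unlink and rmdir user home directories (assuming manage_dir_perms expands to the usual full set), and every existing caller gains that silently. The sibling interface at the end of this file pairs the same filetrans with create_dir_perms, which suggests that is the minimal addition here; full management belongs in a separately named interface so callers opt in explicitly. The interface's name and summary are outside the hunk.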
@@ -4789,3 +4841,34 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
+
+########################################
+##
+## The template containing rules for changing from one role to another
+##
+##
+##
+## This should only be used for new non login user roles, rather the
+## unpriv_user_template or admin_user_template should
+## be used.
+##
+##
+##
+##
+## userdomain changing from
+##
+##
+##
+##
+## userdomain changing to
+##
+##
+#
+template(`role_change_template',`
+ allow $1_r $2_r;
+ type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+ type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+ # avoid annoying messages on terminal hangup
+ dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
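Review bot: role_change_template's description paragraph is copied from base_user_template ("This should only be used for new non login user roles, rather the unpriv_user_template or admin_user_template should be used") and does not describe a role change. Replace it with something like "Allows $1_r to change to $2_r and lets the target domain relabel the originating role's pty and tty to its own device types; both user domains must already be declared." Unlike the other templates in this file it has no gen_require for $1_t, $2_t and the devpts/tty types it references, so a wrong prefix surfaces as an obscure undeclared-type error rather than a clear require failure; the old m4 define had the same gap.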
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.4/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/userdomain.te 2006-08-02 11:32:54.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
-define(`role_change',`
- allow $1_r $2_r;
- type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
- type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
- # avoid annoying messages on terminal hangup
- dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
@@ -85,7 +77,7 @@
# compatibility for switching from strict
# dominance { role secadm_r { role system_r; }}
# dominance { role auditadm_r { role system_r; }}
-# dominance { role sysadm_r { role system_r; }}
+ dominance { role sysadm_r { role system_r; }}
# dominance { role user_r { role system_r; }}
# dominance { role staff_r { role system_r; }}
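Review bot: uncommenting `dominance { role sysadm_r { role system_r; }}` makes sysadm_r dominate system_r, so every type authorized for system_r (the daemon and init-script domains) becomes authorized for sysadm_r as well, which noticeably widens that role while the matching entries for the other roles stay commented out. The "compatibility for switching from strict" comment above it no longer explains why only sysadm_r gets this; a one-line comment stating the concrete need (which transition or domain it unblocks) would let a reviewer judge whether a targeted role allow or role_transition would do instead. The enclosing block starts outside the hunk.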
@@ -124,34 +116,34 @@
# user role change rules:
# sysadm_r can change to user roles
- role_change(sysadm, user)
- role_change(sysadm, staff)
+ role_change_template(sysadm, user)
+ role_change_template(sysadm, staff)
# only staff_r can change to sysadm_r
- role_change(staff, sysadm)
+ role_change_template(staff, sysadm)
ifdef(`enable_mls',`
unpriv_user_template(secadm)
unpriv_user_template(auditadm)
- role_change(staff,auditadm)
- role_change(staff,secadm)
+ role_change_template(staff,auditadm)
+ role_change_template(staff,secadm)
- role_change(sysadm,secadm)
- role_change(sysadm,auditadm)
+ role_change_template(sysadm,secadm)
+ role_change_template(sysadm,auditadm)
- role_change(auditadm,secadm)
- role_change(auditadm,sysadm)
+ role_change_template(auditadm,secadm)
+ role_change_template(auditadm,sysadm)
- role_change(secadm,auditadm)
- role_change(secadm,sysadm)
+ role_change_template(secadm,auditadm)
+ role_change_template(secadm,sysadm)
')
# this should be tunable_policy, but
# currently type_change and RBAC allow
# do not work in conditionals
ifdef(`user_canbe_sysadm',`
- role_change(user,sysadm)
+ role_change_template(user,sysadm)
')
allow privhome home_root_t:dir { getattr search };
@@ -172,6 +164,8 @@
mls_process_read_up(sysadm_t)
+ term_getattr_all_user_ttys(sysadm_t)
+
init_exec(sysadm_t)
ifdef(`direct_sysadm_daemon',`
@@ -210,7 +204,9 @@
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
logging_read_generic_logs(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_append_sysadm_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
', `
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
@@ -443,11 +439,11 @@
selinux_set_parameters(secadm_t)
seutil_manage_bin_policy(secadm_t)
- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+ seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
', `
selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.4/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/xen.if 2006-08-02 11:32:54.000000000 -0400
@@ -127,3 +127,41 @@
allow xm_t $1:fifo_file rw_file_perms;
allow xm_t $1:process sigchld;
')
+
+
+########################################
+##
+## Inherit and use xen file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_use_fds',`
+ gen_require(`
+ type xen_t;
+ ')
+
+ allow $1 xen_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## xen file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
+ type xen_t;
+ ')
+
+ dontaudit $1 xen_t:fd use;
+')
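Review bot: the parameter description for xen_use_fds reads "Domain to not audit.", which is copied from the dontaudit variant; since the interface grants `allow $1 xen_t:fd use;` it should read "Domain allowed access." A one-line summary such as "Inherit and use file descriptors from the xen domain." would also distinguish it from the dontaudit interface below it.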
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/xen.te 2006-08-02 11:32:54.000000000 -0400
@@ -70,6 +70,8 @@
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
@@ -130,6 +132,8 @@
corenet_tcp_bind_soundd_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
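Review bot: corenet_tcp_bind_generic_port(xend_t) lets xend bind any TCP port carrying the generic port type, i.e. every port without a specific label, which is far wider than the soundd and xen port binds already granted just above it. If xend needs a particular port (presumably the relocation or xend-http listener), declaring it in corenetwork and using a dedicated bind interface keeps the daemon from being able to claim arbitrary unlabeled ports; if the port is genuinely dynamic, a comment such as `# xend binds an ephemeral port for ...` should say so. corenet_rw_tun_tap_dev is plausible for guest networking but deserves the same why-comment.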
@@ -144,13 +148,17 @@
files_read_kernel_img(xend_t)
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
+files_read_usr_files(xend_t)
storage_raw_read_fixed_disk(xend_t)
term_dontaudit_getattr_all_user_ptys(xend_t)
term_dontaudit_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_ptys_fs(xend_t)
init_use_fds(xend_t)
+init_use_script_ptys(xend_t)
libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)
@@ -200,6 +208,7 @@
term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)
@@ -238,10 +247,11 @@
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
-term_dontaudit_use_generic_ptys(xenstored_t)
-term_dontaudit_use_console(xenconsoled_t)
+term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)
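Review bot: `term_use_console(xenconsoled_t)` sits in xenstored_t's local policy (every neighbouring rule targets xenstored_t) and duplicates the term_use_console(xenconsoled_t) already present in xenconsoled's own section earlier in this patch, so the line should either be `term_use_console(xenstored_t)` or be dropped; the old term_dontaudit_use_console line had the same mismatch and this hunk upgrades it to an allow without fixing it. Converting term_dontaudit_use_generic_ptys to term_use_generic_ptys also grants xenstored real read/write on generic ptys rather than just silencing denials; if a specific denial drove that, a comment naming it would help.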