From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy
Date: Mon, 24 Jan 2011 15:15:07 +0100	[thread overview]
Message-ID: <4D3D896B.7060301@gmail.com> (raw)
In-Reply-To: <1295829845.3862.65.camel@tesla.lan>

On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
> --- refpolicy-git-18012011/policy/modules/kernel/files.if	2011-01-08 19:07:21.203735196 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/files.if	2011-01-18 23:13:49.759847386 +0100
> @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
>  
>  ########################################
>  ## <summary>
> +##      Set the attributes of the /bin directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_setattr_bin_dirs',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir setattr;
> +')

nitpick: either use setattr_dir_perms or setattr_dirs_pattern()

> +
> +########################################
> +## <summary>
> +##      Search the content of /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_search_bin',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##      Get the attributes of files in /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_getattr_bin_files',`
> +        gen_require(`
> +                type bin_t;
> +        ')
> +
> +        getattr_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Read generic files in /bin.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Allow the specified domain to read generic
> +##      files in /bin. These files are various program
> +##      files that do not have more specific SELinux types.
> +##      </p>
> +## </desc>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_read_bin_files',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir list_dir_perms;
> +	read_files_pattern($1, bin_t, bin_t)
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')

Listing bin_t directories is not strictly required to read bin files.

Also this is in the wrong place and has a wrong name: look in
corecommands instead.

> +
> +########################################
> +## <summary>
> +##      Execute generic programs in /bin in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_exec_bin_files',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir list_dir_perms;
> +	exec_files_pattern($1, bin_t, bin_t)
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +

Use corecmd_exec_bin instead.

> +########################################
> +## <summary>
> +##      Read symbolic links in /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_bin_symlinks',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')

Use corecmd_read_bin_symlinks instead.

> +
> +########################################
> +## <summary>
>  ##	Set the attributes of the /usr directory.
>  ## </summary>
>  ## <param name="domain">
> @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
>  
>  ########################################
>  ## <summary>
> -##	Search the content of /etc.
> +##	Search the content of /usr.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
>  ')
>  
>  ########################################
> +## <summary>
> +##      Get the attributes of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_getattr_var_log_dirs',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	getattr_dirs_pattern($1, var_t, var_log_t)
> +')

Wrong name and location. Use logging_getattr_log_dirs.
Do not use types directly that are not declared in this module:

files_search_var($1)


> +
> +########################################
> +## <summary>
> +##      Search the /var/log directory.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Search the /var/log directory.  This is
> +##      necessary to access files or directories under
> +##      /var/log that have a private type.  For example, a
> +##      domain accessing a private log file in the
> +##      /var/log directory:
> +##      </p>
> +##      <p>
> +##      allow mydomain_t mylogfile_t:file read_file_perms;
> +##      files_search_var_log(mydomain_t)
> +##      </p>
> +## </desc>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_search_var_log',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	search_dirs_pattern($1, var_t, var_log_t)
> +')

Use logging_search_logs.

> +
> +########################################
> +## <summary>
> +##      Do not audit attempts to search the
> +##      contents of /var/log.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_log',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	dontaudit $1 var_log_t:dir search_dir_perms;
> +')
> +

Wrong name and module. This is a logging thing, not files.

> +########################################
> +## <summary>
> +##      List the contents of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_list_var_log',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	list_dirs_pattern($1, var_t, var_log_t)
> +')

Wrong name and module. This is a logging thing, not files.

> +
> +###########################################
> +## <summary>
> +##      Read-write /var/log directories
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_rw_var_log_dirs',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	rw_dirs_pattern($1, var_log_t, var_log_t)
> +')

Wrong name and module. This is a logging thing, not files.

Also this interface doesn't make sense.

logging_list_logs()

and as for the write, it should probably use logging_log_filetrans()

> +
> +###########################################
> +## <summary>
> +##      Append to files in the /var/log directories
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_var_log_append',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	append_files_pattern($1, var_log_t, var_log_t)
> +')

logging_append_generic_log_files (but this file probably shouldn't be a
generic log file in the first place..)

> +
> +########################################
> +## <summary>
> +##      Create objects in the /var/log directory
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <param name="file_type">
> +##      <summary>
> +##      The type of the object to be created
> +##      </summary>
> +## </param>
> +## <param name="object_class">
> +##      <summary>
> +##      The object class.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_var_log_filetrans',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	allow $1 var_t:dir search_dir_perms;
> +	filetrans_pattern($1, var_log_t, $2, $3)
> +')

Use logging_log_filetrans().

> +
> +########################################
> +## <summary>
> +##      Read generic files in /var/log.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_files',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	allow $1 var_log_t:dir list_dir_perms;
> +	read_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +

Use logging_read_generic_log_files().


> +########################################
> +## <summary>
> +##      Read generic symbolic links in /var/log
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_symlinks',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')

logging_search_logs()

> +
> +########################################
>  ## <summary>
>  ##	Search the locks directory (/var/lock).
>  ## </summary>
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
> --- refpolicy-git-18012011/policy/modules/kernel/kernel.if	2011-01-17 19:36:10.808130722 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if	2011-01-19 18:48:36.830593580 +0100
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
>  
>  ########################################
>  ## <summary>
> +##      Allows to search the base
> +##      directory of sysctls.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit.
> +##      </summary>
> +## </param>
> +##
> +#
> +interface(`kernel_search_sysctl',`
> +        gen_require(`
> +                type sysctl_t;
> +        ')
> +
> +        allow $1 sysctl_t:dir search;
> +')

Should not be needed.

> +
> +########################################
> +## <summary>
>  ##	Do not audit attempts by caller to search
>  ##	the base directory of sysctls.
>  ## </summary>
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
>  ')
>  
>  ########################################
> +## <summary>
> +##      Allow caller to search filesystem sysctls.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`kernel_search_fs_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_fs_t;
> +	')
> +
> +	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
>  ## <summary>
>  ##	Read filesystem sysctls.
>  ## </summary>
